SC-200 Study Guide

Domain 1: Manage a Security Operations Environment

  • Sentinel Workspace: Roles & Retention
  • Get Windows Events Into Sentinel
  • Syslog, CEF & Azure Data Ingestion
  • Defender for Endpoint: Core Setup
  • Attack Surface Reduction & Security Policies
  • Defender XDR: Tune Your Alerts
  • Automated Investigation & Attack Disruption
  • Sentinel Automation: Rules & Playbooks
  • Custom Detections in Defender XDR
  • Sentinel Analytics & Threat Intelligence
  • MITRE ATT&CK & Anomaly Detection
  • Detection Engineering: Putting It All Together

Domain 2: Respond to Security Incidents

  • Incident Triage: From Alert to Verdict Free
  • Purview & Defender for Cloud Threats
  • Identity Threats: Entra & Defender for Identity
  • Cloud App Security: Investigate Shadow IT
  • Sentinel Incident Response
  • Copilot for Security: Your AI Analyst
  • Complex Attacks & Lateral Movement
  • Endpoint: Timeline & Live Response
  • Endpoint: Evidence & Entity Investigation
  • M365 Investigations: Audit, Search & Graph

Domain 3: Perform Threat Hunting

  • KQL Foundations for Threat Hunters Free
  • Advanced Hunting in Defender XDR Free
  • Sentinel Hunting: Build & Monitor Queries
  • Threat Analytics & Hunting Graphs
  • Data Lake: KQL Jobs & Summary Rules
  • Notebooks & the Sentinel MCP Server

Domain 3: Perform Threat Hunting (~10 min read)

Notebooks & the Sentinel MCP Server

For advanced hunting, step beyond KQL. Learn how to use Jupyter notebooks in Sentinel for complex analysis and connect to the Sentinel MCP Server for AI-assisted hunting.

Beyond KQL: when notebooks shine

☕ Simple explanation

KQL is your everyday tool. Notebooks are your power tool.

Sometimes a hunt requires more than KQL can offer: machine learning on entity behaviour, statistical analysis across months of data, integration with external threat intel APIs, or custom visualisations that go beyond Sentinel’s built-in charts.

Jupyter notebooks in Sentinel let you combine KQL queries with Python code, creating advanced investigation and hunting workflows. The Sentinel MCP Server (Model Context Protocol) takes this further: it lets AI tools (like Copilot) connect directly to your Sentinel data for AI-assisted hunting.

Sentinel notebooks are Jupyter notebooks that run in Azure Machine Learning compute, with built-in connectors to query Sentinel data using KQL. They support Python, allowing analysts to combine structured queries with machine learning, statistical analysis, and external API integration.

The Sentinel MCP Server (Model Context Protocol) exposes Sentinel’s data and capabilities to external AI tools via a standardised protocol. It enables AI assistants to query Sentinel data, run hunting queries, and analyse results, extending the AI-powered hunting experience beyond the Sentinel portal.

Sentinel notebooks

What notebooks add over KQL

| Capability | KQL alone | KQL + notebook |
|---|---|---|
| Statistical analysis | Basic (percentile, variance) | Full Python stats (scipy, numpy) |
| Machine learning | Limited (anomaly rules) | Scikit-learn, custom models |
| Visualisation | Basic charts | Matplotlib, Plotly, interactive maps |
| External APIs | Not supported | Call VirusTotal, Shodan, AbuseIPDB |
| Data manipulation | KQL operators | Pandas DataFrames for complex transforms |
| Workflow automation | Run query, get results | Multi-step investigation with conditional logic |

Common notebook use cases

| Use case | What the notebook does |
|---|---|
| Entity behaviour profiling | Query 90 days of sign-in data, build a statistical profile of “normal” for each user, flag deviations |
| Threat intel enrichment | Take IP addresses from an incident, query VirusTotal and Shodan APIs, merge results with Sentinel data |
| Geospatial analysis | Map IP addresses to locations, visualise attack origins on an interactive world map |
| Timeline reconstruction | Query multiple tables, merge into a unified timeline, render as an interactive visualisation |
| Anomaly scoring | Apply machine learning models to identify entities with unusual behaviour patterns |

How notebooks work in Sentinel

  1. Launch from the Sentinel Notebooks page or from an incident
  2. Connect to your Sentinel workspace using the msticpy library
  3. Query data using KQL through the notebook connector
  4. Analyse with Python: transform, enrich, model
  5. Visualise results with charts, graphs, and maps
  6. Document findings in the notebook (code + output + markdown = reproducible investigation)

💡 Scenario: Zoe helps Tyler with a notebook investigation

Tyler at CipherStack suspects a slow-and-low data exfiltration over DNS. KQL finds long DNS queries, but Tyler needs to determine if the domain patterns are truly encoded data or just legitimate CDN subdomains.

Tyler asks Zoe (data scientist) to help:

Zoe creates a notebook that:

  1. Queries 30 days of DNS events from Sentinel
  2. Extracts subdomain strings from each query
  3. Calculates entropy of each subdomain (encoded data has higher entropy than normal names)
  4. Uses a machine learning classifier trained on known DNS tunnelling patterns
  5. Scores each domain on a 0-1 scale of tunnelling probability

Results: 4 domains score above 0.9, confirming DNS tunnelling from a compromised developer machine. The notebook evidence is saved and attached to the incident.
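As an added example (not part of the original guide, and not the notebook Zoe built), here is a Python version of steps 2, 3 and 5 of the workflow above. A constructed list of DNS events stands in for the rows a KQL query would return, and a simple entropy-plus-length heuristic (assumed weights) stands in for the trained classifier.

```python
import math
from collections import Counter

# Constructed sample standing in for the rows a KQL query over the
# DnsEvents table would return into a pandas DataFrame (not real data).
SAMPLE_DNS_EVENTS = [
    {"client": "dev-laptop-07", "query": "cdn-assets-eu-west-1.static.example-cdn.net"},
    {"client": "dev-laptop-07", "query": "4d2a9f1c7b3e.img.example-cdn.net"},
    {"client": "dev-laptop-07", "query": "x9k2mq8zr4tlvn3wbh7cjy5fpd6a.tunnel.example.org"},
    {"client": "dev-laptop-07", "query": "q7vp2nz9c4xhm6brtl3wkjf8dsy5.tunnel.example.org"},
    {"client": "hr-desktop-02", "query": "www.example.com"},
]

def extract_subdomain(fqdn: str) -> str:
    """Everything left of the last two labels. A heuristic stand-in for
    a public-suffix-list lookup, which a real notebook would use."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""

def shannon_entropy(text: str) -> float:
    """Bits per character. Encoded payloads (base32/base64/hex) approach
    the maximum for their alphabet; real hostnames sit much lower."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def tunnelling_score(fqdn: str) -> float:
    """Heuristic 0-1 score from entropy and length of the longest label.
    Stands in for the scenario's trained classifier (weights are assumed)."""
    sub = extract_subdomain(fqdn)
    if not sub:
        return 0.0
    longest = max(sub.split("."), key=len)
    ent_part = min(shannon_entropy(longest) / 4.5, 1.0)  # ~4.5 bits: random base36 text
    len_part = min(len(longest) / 32, 1.0)               # 32+ chars: full length signal
    return round(0.6 * ent_part + 0.4 * len_part, 2)

def score_events(events, threshold=0.9):
    """Score every query; return those at or above threshold, highest first,
    so an analyst can pivot from the flagged domain to the querying client."""
    scored = [dict(e, score=tunnelling_score(e["query"])) for e in events]
    flagged = [e for e in scored if e["score"] >= threshold]
    return sorted(flagged, key=lambda e: e["score"], reverse=True)
```

On the sample, `score_events(SAMPLE_DNS_EVENTS)` returns only the two long random-looking labels under `tunnel.example.org`, both attributed to `dev-laptop-07`; the hex-looking CDN hash scores in the middle, which is why the scenario adds a trained classifier rather than relying on entropy alone.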

The Sentinel MCP Server

What is MCP?

Model Context Protocol (MCP) is a standardised protocol that allows AI tools to connect to data sources. The Sentinel MCP Server exposes your Sentinel workspace to AI assistants, enabling them to:

  • Run KQL queries against your data
  • List available tables and schemas
  • Execute hunting queries
  • Retrieve incident and entity information
  • Analyse results using AI reasoning

Why MCP matters for hunting

| Without MCP | With MCP |
|---|---|
| AI tools cannot access your security data | AI tools query Sentinel directly |
| You copy-paste data between tools | AI assistants work with live data |
| Investigation is manual and slow | AI chains multiple queries automatically |
| Each analyst works in isolation | AI can surface patterns across the team’s data |

Connecting to the Sentinel MCP Server

  1. Enable the MCP Server in your Sentinel workspace settings
  2. Configure access permissions (which AI tools can connect, with what scope)
  3. Connect from an AI assistant (e.g., Copilot, a custom agent) using the MCP endpoint
  4. The AI can now query your Sentinel data as part of its reasoning process

💡 Exam tip: MCP is new but tested

The Sentinel MCP Server is a recent addition to the exam (April 2026 update). The exam tests:

  • What it is: a protocol for AI tools to connect to Sentinel data
  • What it enables: AI-assisted hunting, automated query execution, live data access
  • Where it connects: to Jupyter notebooks and external AI assistants

You do NOT need to know MCP protocol details. Focus on the use case: enabling AI tools to hunt in your Sentinel data.

Course complete: Domain 3 summary

You have completed all three domains of SC-200:

| Domain | Weight | Modules | Key skills |
|---|---|---|---|
| 1. Manage a Security Operations Environment | 40-45% | 12 | Sentinel workspace, data connectors, MDE, automation, detections, MITRE |
| 2. Respond to Security Incidents | 35-40% | 10 | Triage, investigation across Defender products, Copilot, complex attacks, endpoint response |
| 3. Perform Threat Hunting | 20-25% | 6 | KQL, Advanced Hunting, Sentinel hunting, threat analytics, Data lake, notebooks |

💡 Exam strategy: final review checklist

Before the exam, ensure you can:

  • Write KQL: table selection, operators, cross-table joins
  • Choose the right detection type: NRT vs scheduled vs TI vs anomaly
  • Trace an attack chain: initial access through exfiltration
  • Know role boundaries: Reader vs Responder vs Contributor vs Playbook Operator
  • Distinguish products: which product detects which threat (Entra vs MDI vs MDCA vs MDE)
  • Understand automation levels: Full vs Semi vs No automation
  • Use the right investigation tool: timeline vs live response vs investigation package
  • Handle Data lake: search jobs for historical queries, summary rules for ongoing aggregation

Good luck with SC-200!

Question

When should you use a Sentinel notebook instead of a KQL query?

Answer

Use notebooks when you need: machine learning (anomaly scoring, classification), external API enrichment (VirusTotal, Shodan), advanced visualisations (interactive maps, complex charts), statistical analysis (entropy calculation, profiling), or multi-step automated investigation workflows.

Question

What is the Sentinel MCP Server?

Answer

A Model Context Protocol server that exposes your Sentinel workspace to AI tools. It allows AI assistants (like Copilot) to run KQL queries, list tables, retrieve incidents, and analyse results using live Sentinel data. It enables AI-assisted hunting without manual data transfer.

Question

What Python library does Sentinel use for notebook integration?

Answer

msticpy (Microsoft Threat Intelligence Python Security Tools). It provides connectors to query Sentinel data, entity enrichment functions, visualisation helpers, and integration with external threat intelligence APIs.

Knowledge Check

Tyler wants to determine if long DNS queries from a developer machine are DNS tunnelling or legitimate CDN traffic. KQL alone cannot make this distinction. What tool should he use?

Knowledge Check

An AI assistant needs to query Pacific Meridian's Sentinel workspace to assist with hunting. What Sentinel feature enables this?

Congratulations! You have completed all 28 modules of the SC-200 study guide. Time to practise with exam-style questions and review any areas where you felt less confident. Good luck with your certification!

© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.