Study guide for Exam SC-200: Microsoft Security Operations Analyst

Purpose of this document

This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Useful links: Description
Review the skills measured as of March 4, 2024: This list represents the skills measured AFTER the date provided. Study this list if you plan to take the exam AFTER that date.
Review the skills measured prior to March 4, 2024: Study this list of skills if you take your exam PRIOR to the date provided.
Change log: You can go directly to the change log if you want to see the changes that will be made on the date provided.
How to earn the certification: Some certifications only require passing one exam, while others require passing multiple exams.
Certification renewal: Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn.
Your Microsoft Learn profile: Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates.
Exam scoring and score reports: A score of 700 or greater is required to pass.
Exam sandbox: You can explore the exam environment by visiting our exam sandbox.
Request accommodations: If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation.
Take a free Practice Assessment: Test your skills with practice questions to help you prepare for the exam.

Updates to the exam

Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.

We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. While Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.

Note

The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.

Note

Most questions cover features that are generally available (GA). The exam may contain questions on Preview features if those features are commonly used.

Skills measured as of March 4, 2024

Audience profile

As a candidate for this exam, you’re a Microsoft security operations analyst who reduces organizational risk by:

  • Rapidly remediating active attacks in cloud and on-premises environments.

  • Advising on improvements to threat protection practices.

  • Identifying violations of organizational policies.

As a security operations analyst, you:

  • Perform triage.

  • Respond to incidents.

  • Manage vulnerabilities.

  • Hunt for threats.

  • Evaluate logs.

  • Analyze threat intelligence.

You also monitor, identify, investigate, and respond to threats in cloud and on-premises environments by using:

  • Microsoft Sentinel

  • Microsoft Defender for Cloud

  • Microsoft Defender XDR

  • Third-party security solutions

In this role, you use Kusto Query Language (KQL) for reporting, detections, and investigations. You collaborate with business stakeholders, architects, cloud administrators, endpoint administrators, identity administrators, compliance administrators, and security engineers to secure the digital enterprise.

As a candidate, you should be familiar with:

  • Microsoft 365

  • Azure cloud services

  • Windows and Linux operating systems

Skills at a glance

  • Manage a security operations environment (25–30%)

  • Configure protections and detections (15–20%)

  • Manage incident response (35–40%)

  • Perform threat hunting (15–20%)

Manage a security operations environment (25–30%)

Configure settings in Microsoft Defender XDR

  • Configure a connection from Defender XDR to a Sentinel workspace

  • Configure alert and vulnerability notification rules

  • Configure Microsoft Defender for Endpoint advanced features

  • Configure endpoint rules settings, including indicators and web content filtering

  • Manage automated investigation and response capabilities in Microsoft Defender XDR

  • Configure automatic attack disruption in Microsoft Defender XDR

Manage assets and environments

  • Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint

  • Identify and remediate unmanaged devices in Microsoft Defender for Endpoint

  • Manage resources by using Azure Arc

  • Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)

  • Discover and remediate unprotected resources by using Defender for Cloud

  • Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management

Design and configure a Microsoft Sentinel workspace

  • Plan a Microsoft Sentinel workspace

  • Configure Microsoft Sentinel roles

  • Specify Azure RBAC roles for Microsoft Sentinel configuration

  • Design and configure Microsoft Sentinel data storage, including log types and log retention

  • Manage multiple workspaces by using Workspace manager and Azure Lighthouse

Ingest data sources in Microsoft Sentinel

  • Identify data sources to be ingested for Microsoft Sentinel

  • Implement and use Content hub solutions

  • Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings

  • Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR

  • Plan and configure Syslog and Common Event Format (CEF) event collections

  • Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)

  • Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP

  • Create custom log tables in the workspace to store ingested data

Configure protections and detections (15–20%)

Configure protections in Microsoft Defender security technologies

  • Configure policies for Microsoft Defender for Cloud Apps

  • Configure policies for Microsoft Defender for Office

  • Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules

  • Configure cloud workload protections in Microsoft Defender for Cloud

Configure detection in Microsoft Defender XDR

  • Configure and manage custom detections

  • Configure alert tuning

  • Configure deception rules in Microsoft Defender XDR

Configure detections in Microsoft Sentinel

  • Classify and analyze data by using entities

  • Configure scheduled query rules, including KQL

  • Configure near-real-time (NRT) query rules, including KQL

  • Manage analytics rules from Content hub

  • Configure anomaly detection analytics rules

  • Configure the Fusion rule

  • Query Microsoft Sentinel data by using ASIM parsers

  • Manage and use threat indicators

Manage incident response (35–40%)

Respond to alerts and incidents in Microsoft Defender XDR

  • Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive

  • Investigate and remediate threats in email by using Microsoft Defender for Office

  • Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption

  • Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies

  • Investigate and remediate threats identified by Microsoft Purview insider risk policies

  • Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud

  • Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps

  • Investigate and remediate compromised identities in Microsoft Entra ID

  • Investigate and remediate security alerts from Microsoft Defender for Identity

  • Manage actions and submissions in the Microsoft Defender portal

Respond to alerts and incidents identified by Microsoft Defender for Endpoint

  • Investigate timeline of compromised devices

  • Perform actions on the device, including live response and collecting investigation packages

  • Perform evidence and entity investigation

Enrich investigations by using other Microsoft tools

  • Investigate threats by using unified audit log

  • Investigate threats by using Content Search

  • Perform threat hunting by using Microsoft Graph activity logs

Manage incidents in Microsoft Sentinel

  • Triage incidents in Microsoft Sentinel

  • Investigate incidents in Microsoft Sentinel

  • Respond to incidents in Microsoft Sentinel

Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel

  • Create and configure automation rules

  • Create and configure Microsoft Sentinel playbooks

  • Configure analytic rules to trigger automation

  • Trigger playbooks manually from alerts and incidents

  • Run playbooks on on-premises resources

Perform threat hunting (15–20%)

Hunt for threats by using KQL

  • Identify threats by using Kusto Query Language (KQL)

  • Interpret threat analytics in the Microsoft Defender portal

  • Create custom hunting queries by using KQL

Hunt for threats by using Microsoft Sentinel

  • Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel

  • Customize content gallery hunting queries

  • Use hunting bookmarks for data investigations

  • Monitor hunting queries by using Livestream

  • Retrieve and manage archived log data

  • Create and manage search jobs

Analyze and interpret data by using workbooks

  • Activate and customize Microsoft Sentinel workbook templates

  • Create custom workbooks that include KQL

  • Configure visualizations

Study resources

We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.

Study resources: Links to learning and documentation
Get trained: Choose from self-paced learning paths and modules or take an instructor-led course
Find documentation: Microsoft security documentation; Microsoft 365 Defender documentation; Microsoft Defender for Cloud documentation; Microsoft Sentinel documentation
Ask a question: Microsoft Q&A | Microsoft Docs
Get community support: Security, compliance, and identity community hub
Follow Microsoft Learn: Microsoft Learn - Microsoft Tech Community
Find a video: Exam Readiness Zone; Browse other Microsoft Learn shows

Change log

Key to understanding the table: The topic groups (also known as functional groups) are in bold typeface followed by the objectives within each group. The table is a comparison between the two versions of the exam skills measured and the third column describes the extent of the changes.

Skill area prior to March 4, 2024 | Skill area as of March 4, 2024 | Change
Audience profile | Minor
Mitigate threats by using Microsoft 365 Defender | Deleted
Manage a security operations environment | New
Mitigate threats to the Microsoft 365 environment by using Microsoft 365 Defender | Removed
Configure settings in Microsoft Defender XDR | New
Mitigate endpoint threats by using Microsoft Defender for Endpoint | Deleted
Manage assets and environments | New
Mitigate identity threats | Deleted
Design and configure a Microsoft Sentinel workspace | Added
Manage extended detection and response (XDR) in Microsoft 365 Defender | Removed
Ingest data sources in Microsoft Sentinel | Added
Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview | Removed
Mitigate threats by using Microsoft Defender for Cloud | Deleted
Configure protections and detections | New
Implement and maintain cloud security posture management | Deleted
Configure protections in Microsoft Defender security technologies | New
Configure environment settings in Defender for Cloud | Deleted
Configure detection in Microsoft Defender XDR | New
Respond to alerts and incidents in Defender for Cloud | Deleted
Configure detection in Microsoft Sentinel | Added
Mitigate threats by using Microsoft Sentinel | Deleted
Manage incident response | New
Design and configure a Microsoft Sentinel workspace | Removed
Respond to alerts and incidents in Microsoft Defender XDR | Added
Plan and implement the use of data connectors for ingestion of data sources in Microsoft Sentinel | Removed
Respond to alerts and incidents identified by Microsoft Defender for Endpoint | Added
Manage Microsoft Sentinel analytics rules | Removed
Enrich investigations by using other Microsoft tools | Added
Perform data classification and normalization | Removed
Manage incidents in Microsoft Sentinel | Added
Configure Security Orchestration, Automation, and Response (SOAR) in Microsoft Sentinel | Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel | Minor
Manage Microsoft Sentinel incidents | Removed
Use Microsoft Sentinel workbooks to analyze and interpret data | Removed
Hunt for threats by using Microsoft Sentinel | Removed
Manage threats by using entity behavior analytics | Deleted
Perform threat hunting | New
Hunt for threats by using KQL | Added
Hunt for threats by using Microsoft Sentinel | Added
Analyze and interpret data by using workbooks | Added

Skills measured prior to March 4, 2024

Audience profile

As a Microsoft security operations analyst, you reduce organizational risk by:

  • Rapidly remediating active attacks in the environment.

  • Advising on improvements to threat protection practices.

  • Referring violations of organizational policies to appropriate stakeholders.

You perform:

  • Triage.

  • Incident response.

  • Vulnerability management.

  • Threat hunting.

  • Cyber threat intelligence analysis.

As a Microsoft security operations analyst, you monitor, identify, investigate, and respond to threats in multicloud environments by using:

  • Microsoft Sentinel

  • Microsoft Defender for Cloud

  • Microsoft 365 Defender

  • Third-party security solutions

In this role, you collaborate with business stakeholders, architects, identity administrators, Azure administrators, and endpoint administrators to secure IT systems for the organization.

As a candidate, you should be familiar with:

  • Microsoft 365

  • Azure cloud services

  • Windows and Linux operating systems

Skills at a glance

  • Mitigate threats by using Microsoft 365 Defender (25–30%)

  • Mitigate threats by using Defender for Cloud (15–20%)

  • Mitigate threats by using Microsoft Sentinel (50–55%)

Mitigate threats by using Microsoft 365 Defender (25–30%)

Mitigate threats to the Microsoft 365 environment by using Microsoft 365 Defender

  • Investigate, respond to, and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive

  • Investigate, respond to, and remediate threats to email by using Microsoft Defender for Office 365

  • Investigate and respond to alerts generated by data loss prevention (DLP) policies

  • Investigate and respond to alerts generated by insider risk policies

  • Discover and manage apps by using Microsoft Defender for Cloud Apps

  • Identify, investigate, and remediate security risks by using Defender for Cloud Apps

Mitigate endpoint threats by using Microsoft Defender for Endpoint

  • Manage data retention, alert notification, and advanced features

  • Recommend attack surface reduction (ASR) for devices

  • Respond to incidents and alerts

  • Configure and manage device groups

  • Identify devices at risk by using Microsoft Defender Vulnerability Management

  • Manage endpoint threat indicators

  • Identify unmanaged devices by using device discovery

Mitigate identity threats

  • Mitigate security risks related to events for Microsoft Entra ID

  • Mitigate security risks related to Microsoft Entra Identity Protection events

  • Mitigate security risks related to Active Directory Domain Services (AD DS) by using Microsoft Defender for Identity

Manage extended detection and response (XDR) in Microsoft 365 Defender

  • Manage incidents and automated investigations in the Microsoft 365 Defender portal

  • Manage actions and submissions in the Microsoft 365 Defender portal

  • Identify threats by using Kusto Query Language (KQL)

  • Identify and remediate security risks by using Microsoft Secure Score

  • Analyze threat analytics in the Microsoft 365 Defender portal

  • Configure and manage custom detections and alerts

Investigate threats by using audit features in Microsoft 365 Defender and Microsoft Purview

  • Perform threat hunting by using unified audit log

  • Perform threat hunting by using Content Search

  • Use the guided hunting mode in Microsoft 365 Defender

  • Use the advanced hunting mode in Microsoft 365 Defender

Mitigate threats by using Defender for Cloud (15–20%)

Implement and maintain cloud security posture management

  • Assign and manage regulatory compliance policies, including Microsoft cloud security benchmark (MCSB)

  • Improve the Microsoft Defender for Cloud secure score by applying recommended remediations

  • Configure plans and agents for Microsoft Defender for Servers

  • Configure and manage Microsoft Defender for DevOps

  • Configure and manage Microsoft Defender External Attack Surface Management (EASM)

Configure environment settings in Microsoft Defender for Cloud

  • Plan and configure Microsoft Defender for Cloud settings, including selecting target subscriptions and workspaces

  • Configure Microsoft Defender for Cloud roles

  • Assess and recommend cloud workload protection

  • Enable plans for Microsoft Defender for Cloud

  • Configure automated onboarding of Azure resources

  • Connect compute resources by using Azure Arc

  • Connect multi-cloud resources by using Environment settings

Respond to alerts and incidents in Microsoft Defender for Cloud

  • Set up email notifications

  • Create and manage alert suppression rules

  • Design and configure workflow automation in Microsoft Defender for Cloud

  • Remediate alerts and incidents by using Microsoft Defender for Cloud recommendations

  • Manage security alerts and incidents

  • Analyze Microsoft Defender for Cloud threat intelligence reports

Mitigate threats by using Microsoft Sentinel (50–55%)

Design and configure a Microsoft Sentinel workspace

  • Plan a Microsoft Sentinel workspace

  • Configure Microsoft Sentinel roles

  • Design and configure Microsoft Sentinel data storage, including log types and log retention

Plan and implement the use of data connectors for ingestion of data sources in Microsoft Sentinel

  • Identify data sources to be ingested for Microsoft Sentinel

  • Configure and use Microsoft Sentinel connectors for Azure resources, including Azure Policy and diagnostic settings

  • Configure Microsoft Sentinel connectors for Microsoft 365 Defender and Defender for Cloud

  • Design and configure Syslog and Common Event Format (CEF) event collections

  • Design and configure Windows security event collections

  • Configure threat intelligence connectors

  • Create custom log tables in the workspace to store ingested data

Manage Microsoft Sentinel analytics rules

  • Configure the Fusion rule

  • Configure Microsoft security analytics rules

  • Configure built-in scheduled query rules

  • Configure custom scheduled query rules

  • Configure near-real-time (NRT) analytics rules

  • Manage analytics rules from Content hub

  • Manage and use watchlists

  • Manage and use threat indicators

Perform data classification and normalization

  • Classify and analyze data by using entities

  • Query Microsoft Sentinel data by using Advanced Security Information Model (ASIM) parsers

  • Develop and manage ASIM parsers

Configure security orchestration automated response (SOAR) in Microsoft Sentinel

  • Create and configure automation rules

  • Create and configure Microsoft Sentinel playbooks

  • Configure analytic rules to trigger automation rules

  • Trigger playbooks from alerts and incidents

Manage Microsoft Sentinel incidents

  • Configure incident generation

  • Triage incidents in Microsoft Sentinel

  • Investigate incidents in Microsoft Sentinel

  • Respond to incidents in Microsoft Sentinel

  • Investigate multi-workspace incidents

Use Microsoft Sentinel workbooks to analyze and interpret data

  • Activate and customize Microsoft Sentinel workbook templates

  • Create custom workbooks

  • Configure advanced visualizations

Hunt for threats by using Microsoft Sentinel

  • Analyze attack vector coverage by using MITRE ATT&CK in Microsoft Sentinel

  • Customize content gallery hunting queries

  • Create custom hunting queries

  • Use hunting bookmarks for data investigations

  • Monitor hunting queries by using Livestream

  • Retrieve and manage archived log data

  • Create and manage search jobs

Manage threats by using User and Entity Behavior Analytics

  • Configure User and Entity Behavior Analytics settings

  • Investigate threats by using entity pages

  • Configure anomaly detection analytics rules