Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Purpose of this document
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
| Useful links | Description |
|---|---|
| Certification renewal | Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn. |
| Your Microsoft Learn profile | Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates. |
| Exam scoring and score reports | A score of 700 or greater is required to pass. |
| Exam sandbox | You can explore the exam environment by visiting our exam sandbox. |
| Request accommodations | If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation. |
| Take a free Practice Assessment | Test your skills with practice questions to help you prepare for the exam. |
Updates to the exam
Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.
We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. While Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
Note
Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.
Skills measured as of July 28, 2026
Audience profile
As a candidate for this exam, you’re a security operations analyst who reduces organizational risk by performing triage, responding to incidents, hunting for threats, and engineering detections.
As a security operations analyst, you monitor, identify, investigate, and respond to threats in multi-cloud and on-premises environments by using Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud workload protections. You perform hunting by using KQL and automate responses to threats.
You collaborate with business and security leadership to define security standards for the organization. You work with other roles across the digital enterprise to implement the standards, to enhance the security posture of an organization, and to raise security awareness.
As a candidate, you should be familiar with:
Microsoft security, compliance, and identity solutions
Microsoft 365
Azure cloud services
AI agents and Copilots
Windows, Linux, and mobile operating systems.
Skills at a glance
Manage a security operations environment (40–45%)
Respond to security incidents (35–40%)
Perform threat hunting (20–25%)
Manage a security operations environment (40–45%)
Configure automation for Microsoft Defender XDR and Microsoft Sentinel
Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics
Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation
Configure Microsoft Defender for Endpoint advanced features
Configure rules settings in Microsoft Defender for Endpoint
Configure custom data collection in Microsoft Defender for Endpoint
Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
Manage automated investigation and response capabilities in Microsoft Defender XDR
Configure automatic attack disruption in Microsoft Defender XDR
Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
Create and configure automation rules in Microsoft Sentinel
Create and configure Microsoft Sentinel playbooks
Configure the Microsoft Sentinel SIEM and platform
Specify Microsoft Sentinel roles
Manage data retention for XDR and Microsoft Sentinel tables, including Analytics, Data lake, and XDR tiers
Create and configure Microsoft Sentinel workbooks
Optimize the Microsoft Sentinel platform, including SOC optimization recommendations
Ingest data into the Microsoft Sentinel SIEM and platform
Select data connectors based on data source requirements, including Windows logs and security events
Configure collection of Windows Security events by using Windows Security Events via AMA, including data collection rules
Plan and configure collection of Windows Security events by using Windows Event Forwarding (WEF)
Plan and configure Syslog via AMA and Common Event Format (CEF) via AMA connectors
Configure collection of Azure activities by using Azure Policy and resource diagnostic settings
Ingest threat indicators into Microsoft Sentinel
Create custom log tables in the workspace to store ingested data
Configure detections
Create custom detection rules by using Advanced Hunting in Microsoft Defender XDR
Manage custom detection rules in Microsoft Defender XDR
Configure and manage analytics rules in Microsoft Sentinel SIEM, including scheduled, near-real time (NRT), threat intelligence, and machine learning
Analyze attack vector coverage by using the MITRE ATT&CK matrix
Configure anomalies in Microsoft Sentinel
Respond to security incidents (35–40%)
Respond to alerts and incidents in Microsoft Defender XDR
Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption
Investigate and remediate threats or compromised entities identified by Microsoft Purview
Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
Investigate and remediate compromised identities that are identified by Microsoft Entra ID
Investigate and remediate security alerts from Microsoft Defender for Identity
Investigate and remediate alerts and incidents identified by Microsoft Sentinel
Investigate incidents by using agentic AI, including embedded Microsoft Security Copilot
Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement
Manage security incidents by using case management
Respond to alerts and incidents in Microsoft Defender for Endpoint
Investigate device timelines
Perform actions on the device, including live response and collecting investigation packages
Perform evidence and entity investigation
Investigate and remediate incidents identified by automatic attack disruption
Investigate Microsoft 365 activities to identify threats
Investigate threats by using Microsoft Purview Audit
Investigate threats by using Content search in Microsoft Purview eDiscovery
Investigate threats by using Microsoft Graph activity logs
Perform threat hunting (20–25%)
Detect threats by using Microsoft Defender XDR
Identify the appropriate table to use in a KQL query
Identify threats by using Kusto Query Language (KQL)
Create Advanced Hunting queries
Interpret threat analytics in Microsoft Defender XDR
Create hunting graphs, including blast radius
Analyze relationships between entities by using Sentinel Graph
Detect threats by using the Microsoft Sentinel platform
Create and monitor hunting queries
Create and manage KQL jobs in Data lake
Create and manage Summary rule tables for querying
Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server
Study resources
We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.
| Study resources | Links to learning and documentation |
|---|---|
| Get trained | Choose from self-paced learning paths and modules or take an instructor-led course |
| Find documentation | Microsoft security documentation Microsoft 365 Defender documentation Microsoft Defender for Cloud documentation Microsoft Sentinel documentation |
| Ask a question | Microsoft Q&A | Microsoft Docs |
| Get community support | Security, compliance, and identity community hub |
| Follow Microsoft Learn | Microsoft Learn - Microsoft Tech Community |
| Find a video | Exam Readiness Zone Browse other Microsoft Learn shows |
Change log
The table below summarizes the changes between the current and previous version of the skills measured. The functional groups are in bold typeface followed by the objectives within each group. The table is a comparison between the previous and current version of the exam skills measured and the third column describes the extent of the changes.
| Skill area prior to July 28, 2026 | Skill area as of July 28, 2026 | Change |
|---|---|---|
| Audience profile | Minor | |
| Respond to security incidents | Respond to security incidents | No change |
| Respond to alerts and incidents in Microsoft Defender XDR | Respond to alerts and incidents in Microsoft Defender XDR | Minor |
| Respond to alerts and incidents in Microsoft Defender for Endpoint | Respond to alerts and incidents in Microsoft Defender for Endpoint | Minor |
| Investigate Microsoft 365 activities to identify threats | Investigate Microsoft 365 activities to identify threats | Minor |