Study guide for Exam SC-200: Microsoft Security Operations Analyst
Purpose of this document
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
| Useful links | Description |
|---|---|
| Review the skills measured as of July 24, 2024 | This list represents the skills measured AFTER the date provided. Study this list if you plan to take the exam AFTER that date. |
| Review the skills measured prior to July 24, 2024 | Study this list of skills if you take your exam PRIOR to the date provided. |
| Change log | You can go directly to the change log if you want to see the changes that will be made on the date provided. |
| How to earn the certification | Some certifications only require passing one exam, while others require passing multiple exams. |
| Certification renewal | Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn. |
| Your Microsoft Learn profile | Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates. |
| Exam scoring and score reports | A score of 700 or greater is required to pass. |
| Exam sandbox | You can explore the exam environment by visiting our exam sandbox. |
| Request accommodations | If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation. |
| Take a free Practice Assessment | Test your skills with practice questions to help you prepare for the exam. |
Updates to the exam
Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.
We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. While Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.
Note
The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
Note
Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.
Skills measured as of July 24, 2024
Audience profile
As a candidate for this exam, you’re a Microsoft security operations analyst who reduces organizational risk by:
Rapidly remediating active attacks in cloud and on-premises environments.
Advising on improvements to threat protection practices.
Identifying violations of organizational policies.
As a security operations analyst, you:
Perform triage.
Respond to incidents.
Manage vulnerabilities.
Hunt for threats.
Evaluate logs.
Analyze threat intelligence.
You also monitor, identify, investigate, and respond to threats in cloud and on-premises environments by using:
Microsoft Sentinel
Microsoft Defender for Cloud
Microsoft Defender XDR
Third-party security solutions
In this role, you use Kusto Query Language (KQL) for reporting, detections, and investigations. You collaborate with business stakeholders, architects, cloud administrators, endpoint administrators, identity administrators, compliance administrators, and security engineers to secure the digital enterprise.
As a candidate, you should be familiar with:
Microsoft 365
Azure cloud services
Windows and Linux operating systems
Skills at a glance
Manage a security operations environment (20–25%)
Configure protections and detections (15–20%)
Manage incident response (35–40%)
Perform threat hunting (15–20%)
Manage a security operations environment (20–25%)
Configure settings in Microsoft Defender XDR
Configure a connection from Defender XDR to a Sentinel workspace
Configure alert and vulnerability notification rules
Configure Microsoft Defender for Endpoint advanced features
Configure endpoint rules settings, including indicators and web content filtering
Manage automated investigation and response capabilities in Microsoft Defender XDR
Configure automatic attack disruption in Microsoft Defender XDR
Manage assets and environments
Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
Manage resources by using Azure Arc
Connect environments to Microsoft Defender for Cloud (by using multi-cloud management)
Discover and remediate unprotected resources by using Defender for Cloud
Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
Design and configure a Microsoft Sentinel workspace
Plan a Microsoft Sentinel workspace
Configure Microsoft Sentinel roles
Specify Azure RBAC roles for Microsoft Sentinel configuration
Design and configure Microsoft Sentinel data storage, including log types and log retention
Manage multiple workspaces by using workspace manager and Azure Lighthouse
Ingest data sources in Microsoft Sentinel
Identify data sources to be ingested for Microsoft Sentinel
Implement and use Content hub solutions
Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
Plan and configure Syslog and Common Event Format (CEF) event collections
Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
Create custom log tables in the workspace to store ingested data
Configure protections and detections (15–20%)
Configure protections in Microsoft Defender security technologies
Configure policies for Microsoft Defender for Cloud Apps
Configure policies for Microsoft Defender for Office 365
Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
Configure cloud workload protections in Microsoft Defender for Cloud
Configure detection in Microsoft Defender XDR
Configure and manage custom detections
Configure alert tuning
Configure deception rules in Microsoft Defender XDR
Configure detections in Microsoft Sentinel
Classify and analyze data by using entities
Configure scheduled query rules, including KQL
Configure near-real-time (NRT) query rules, including KQL
Manage analytics rules from Content hub
Configure anomaly detection analytics rules
Configure the Fusion rule
Query Microsoft Sentinel data by using ASIM parsers
Manage and use threat indicators
Manage incident response (35–40%)
Respond to alerts and incidents in Microsoft Defender XDR
Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
Investigate and remediate threats in email by using Microsoft Defender for Office 365
Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
Investigate and remediate threats identified by Microsoft Purview insider risk policies
Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
Investigate and remediate compromised identities in Microsoft Entra ID
Investigate and remediate security alerts from Microsoft Defender for Identity
Manage actions and submissions in the Microsoft Defender portal
Respond to alerts and incidents identified by Microsoft Defender for Endpoint
Investigate timeline of compromised devices
Perform actions on the device, including live response and collecting investigation packages
Perform evidence and entity investigation
Enrich investigations by using other Microsoft tools
Investigate threats by using unified audit log
Investigate threats by using Content Search
Perform threat hunting by using Microsoft Graph activity logs
Manage incidents in Microsoft Sentinel
Triage incidents in Microsoft Sentinel
Investigate incidents in Microsoft Sentinel
Respond to incidents in Microsoft Sentinel
Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel
Create and configure automation rules
Create and configure Microsoft Sentinel playbooks
Configure analytic rules to trigger automation
Trigger playbooks manually from alerts and incidents
Run playbooks on on-premises resources
Perform threat hunting (15–20%)
Hunt for threats by using KQL
Identify threats by using Kusto Query Language (KQL)
Interpret threat analytics in the Microsoft Defender portal
Create custom hunting queries by using KQL
Hunt for threats by using Microsoft Sentinel
Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel
Customize content gallery hunting queries
Use hunting bookmarks for data investigations
Monitor hunting queries by using livestream
Retrieve and manage archived log data
Create and manage search jobs
Analyze and interpret data by using workbooks
Activate and customize Microsoft Sentinel workbook templates
Create custom workbooks that include KQL
Configure visualizations
Study resources
We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.
| Study resources | Links to learning and documentation |
|---|---|
| Get trained | Choose from self-paced learning paths and modules or take an instructor-led course |
| Find documentation | Microsoft security documentation Microsoft 365 Defender documentation Microsoft Defender for Cloud documentation Microsoft Sentinel documentation |
| Ask a question | Microsoft Q&A | Microsoft Docs |
| Get community support | Security, compliance, and identity community hub |
| Follow Microsoft Learn | Microsoft Learn - Microsoft Tech Community |
| Find a video | Exam Readiness Zone Browse other Microsoft Learn shows |
Change log
Key to understanding the table: The topic groups (also known as functional groups) are in bold typeface followed by the objectives within each group. The table is a comparison between the two versions of the exam skills measured and the third column describes the extent of the changes.
| Skill area prior to July 24, 2024 | Skill area as of July 24, 2024 | Change |
|---|---|---|
| Audience profile | No change | |
| Manage a security operations environment | Manage a security operations environment | No change |
| Configure settings in Microsoft Defender XDR | Configure settings in Microsoft Defender XDR | No change |
| Manage assets and environments | Manage assets and environments | Minor |
| Design and configure a Microsoft Sentinel workspace | Design and configure a Microsoft Sentinel workspace | Minor |
| Ingest data sources in Microsoft Sentinel | Ingest data sources in Microsoft Sentinel | No change |
| Configure protections and detections | Configure protections and detections | No change |
| Configure protections in Microsoft Defender security technologies | Configure protections in Microsoft Defender security technologies | Minor |
| Configure detection in Microsoft Defender XDR | Configure detection in Microsoft Defender XDR | No change |
| Configure detections in Microsoft Sentinel | Configure detections in Microsoft Sentinel | No change |
| Manage incident response | Manage incident response | No change |
| Respond to alerts and incidents in Microsoft Defender XDR | Respond to alerts and incidents in Microsoft Defender XDR | Minor |
| Respond to alerts and incidents identified by Microsoft Defender for Endpoint | Respond to alerts and incidents identified by Microsoft Defender for Endpoint | No change |
| Enrich investigations by using other Microsoft tools | Enrich investigations by using other Microsoft tools | No change |
| Manage incidents in Microsoft Sentinel | Manage incidents in Microsoft Sentinel | No change |
| Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel | Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel | Minor |
| Perform threat hunting | Perform threat hunting | No change |
| Hunt for threats by using KQL | Hunt for threats by using KQL | No change |
| Hunt for threats by using Microsoft Sentinel | Hunt for threats by using Microsoft Sentinel | Minor |
| Analyze and interpret data by using workbooks | Analyze and interpret data by using workbooks | No change |
Skills measured prior to July 24, 2024
Audience profile
As a candidate for this exam, you’re a Microsoft security operations analyst who reduces organizational risk by:
Rapidly remediating active attacks in cloud and on-premises environments.
Advising on improvements to threat protection practices.
Identifying violations of organizational policies.
As a security operations analyst, you:
Perform triage.
Respond to incidents.
Manage vulnerabilities.
Hunt for threats.
Evaluate logs.
Analyze threat intelligence.
You also monitor, identify, investigate, and respond to threats in cloud and on-premises environments by using:
Microsoft Sentinel
Microsoft Defender for Cloud
Microsoft Defender XDR
Third-party security solutions
In this role, you use Kusto Query Language (KQL) for reporting, detections, and investigations. You collaborate with business stakeholders, architects, cloud administrators, endpoint administrators, identity administrators, compliance administrators, and security engineers to secure the digital enterprise.
As a candidate, you should be familiar with:
Microsoft 365
Azure cloud services
Windows and Linux operating systems
Skills at a glance
Manage a security operations environment (25–30%)
Configure protections and detections (15–20%)
Manage incident response (35–40%)
Perform threat hunting (15–20%)
Manage a security operations environment (25–30%)
Configure settings in Microsoft Defender XDR
Configure a connection from Defender XDR to a Sentinel workspace
Configure alert and vulnerability notification rules
Configure Microsoft Defender for Endpoint advanced features
Configure endpoint rules settings, including indicators and web content filtering
Manage automated investigation and response capabilities in Microsoft Defender XDR
Configure automatic attack disruption in Microsoft Defender XDR
Manage assets and environments
Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
Identify and remediate unmanaged devices in Microsoft Defender for Endpoint
Manage resources by using Azure Arc
Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)
Discover and remediate unprotected resources by using Defender for Cloud
Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
Design and configure a Microsoft Sentinel workspace
Plan a Microsoft Sentinel workspace
Configure Microsoft Sentinel roles
Specify Azure RBAC roles for Microsoft Sentinel configuration
Design and configure Microsoft Sentinel data storage, including log types and log retention
Manage multiple workspaces by using Workspace manager and Azure Lighthouse
Ingest data sources in Microsoft Sentinel
Identify data sources to be ingested for Microsoft Sentinel
Implement and use Content hub solutions
Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
Plan and configure Syslog and Common Event Format (CEF) event collections
Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP
Create custom log tables in the workspace to store ingested data
Configure protections and detections (15–20%)
Configure protections in Microsoft Defender security technologies
Configure policies for Microsoft Defender for Cloud Apps
Configure policies for Microsoft Defender for Office
Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
Configure cloud workload protections in Microsoft Defender for Cloud
Configure detection in Microsoft Defender XDR
Configure and manage custom detections
Configure alert tuning
Configure deception rules in Microsoft Defender XDR
Configure detections in Microsoft Sentinel
Classify and analyze data by using entities
Configure scheduled query rules, including KQL
Configure near-real-time (NRT) query rules, including KQL
Manage analytics rules from Content hub
Configure anomaly detection analytics rules
Configure the Fusion rule
Query Microsoft Sentinel data by using ASIM parsers
Manage and use threat indicators
Manage incident response (35–40%)
Respond to alerts and incidents in Microsoft Defender XDR
Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
Investigate and remediate threats in email by using Microsoft Defender for Office
Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
Investigate and remediate threats identified by Microsoft Purview insider risk policies
Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud
Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
Investigate and remediate compromised identities in Microsoft Entra ID
Investigate and remediate security alerts from Microsoft Defender for Identity
Manage actions and submissions in the Microsoft Defender portal
Respond to alerts and incidents identified by Microsoft Defender for Endpoint
Investigate timeline of compromised devices
Perform actions on the device, including live response and collecting investigation packages
Perform evidence and entity investigation
Enrich investigations by using other Microsoft tools
Investigate threats by using unified audit Log
Investigate threats by using Content Search
Perform threat hunting by using Microsoft Graph activity logs
Manage incidents in Microsoft Sentinel
Triage incidents in Microsoft Sentinel
Investigate incidents in Microsoft Sentinel
Respond to incidents in Microsoft Sentinel
Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel
Create and configure automation rules
Create and configure Microsoft Sentinel playbooks
Configure analytic rules to trigger automation
Trigger playbooks manually from alerts and incidents
Run playbooks on On-premises resources
Perform threat hunting (15–20%)
Hunt for threats by using KQL
Identify threats by using Kusto Query Language (KQL)
Interpret threat analytics in the Microsoft Defender portal
Create custom hunting queries by using KQL
Hunt for threats by using Microsoft Sentinel
Analyze attack vector coverage by using the MITRE ATT&CK in Microsoft Sentinel
Customize content gallery hunting queries
Use hunting bookmarks for data investigations
Monitor hunting queries by using Livestream
Retrieve and manage archived log data
Create and manage search jobs
Analyze and interpret data by using workbooks
Activate and customize Microsoft Sentinel workbook templates
Create custom workbooks that include KQL
Configure visualizations