SC-200 Study Guide

Microsoft Security Operations Analyst


Exam Quick Facts

Exam Code: SC-200
Title: Microsoft Security Operations Analyst
Level: Associate
Pass Score: 700 / 1000
Duration: 100 minutes
Questions: ~40–60 (multiple choice, case studies, labs)
Cost: $165 USD (varies by region)
Scheduling: Pearson VUE
Skills Updated: April 16, 2026

Official Learning Paths

  1. 📘 Mitigate threats using Microsoft Defender XDR — Defender for Endpoint, Office 365, Identity, Cloud Apps
  2. 📘 Mitigate threats using Microsoft Defender for Cloud — Cloud workload protection, security posture
  3. 📘 Create detections and perform investigations using Microsoft Sentinel — KQL, analytics rules, workbooks, automation
  4. 📘 Perform threat hunting in Microsoft Sentinel — Hunting queries, notebooks, MITRE ATT&CK

📖 Study Resources

📝 Official Exam Page: Microsoft Learn — SC-200
📖 Official Study Guide: Microsoft Study Guide
🎯 Free Practice Assessment: Start Practice Assessment
🖥️ Exam Sandbox: Try the exam interface
🎬 Exam Readiness Zone: Video prep series
📄 Microsoft Sentinel Docs: Sentinel documentation

Skills at a Glance

Manage a security operations environment: 40–45%
Respond to security incidents: 35–40%
Perform threat hunting: 20–25%

Who is this exam for?

The SC-200 is for security operations analysts — the people who monitor, investigate, and respond to security threats across an organisation’s multi-cloud and on-premises environment. Your daily tools are Microsoft Defender XDR, Microsoft Sentinel, and KQL (Kusto Query Language).

This exam was significantly updated on April 16, 2026 with major restructuring — several domains were merged, “Copilot for Security” became embedded throughout (rather than a standalone section), and the threat hunting domain was expanded. Make sure your study materials are current.

💡 Tip: KQL is essential for this exam. If you’re not comfortable writing KQL queries, start with the KQL learning path before diving into the other content.


Manage a security operations environment (40–45%)

This is the largest domain — nearly half the exam. It covers configuring the Defender XDR and Sentinel platforms, ingesting data from various sources, and creating detection rules. You need to know how to set up the SOC environment, not just respond to alerts.

Configure automation for Microsoft Defender XDR and Microsoft Sentinel

This sub-area covers configuring notifications, alert tuning, automated investigation and response (AIR), attack disruption, and Sentinel automation rules and playbooks. It’s about making your SOC more efficient through automation.

Configure the Microsoft Sentinel SIEM and platform

Setting up Sentinel correctly is fundamental. You need to know the roles, data retention tiers (Analytics, Data Lake, XDR), workbook creation, and SOC optimisation recommendations.

Ingest data into the Microsoft Sentinel SIEM and platform

Sentinel is only as good as the data it receives. This sub-area covers connecting data sources — Windows Security Events via AMA, Syslog/CEF connectors, Azure Activity logs, and custom log tables. You also need to know how to ingest threat intelligence.

Configure detections

Detection rules are how Sentinel identifies threats. Scheduled rules run KQL queries at regular intervals, NRT (near-real-time) rules detect threats within minutes, and machine learning rules use anomaly detection. You also need to map your detections to the MITRE ATT&CK framework.


Respond to security incidents (35–40%)

This domain covers the core SOC workflow: an alert fires, you triage it, investigate, and respond. You need to investigate across multiple Defender products, handle complex multi-stage attacks, manage incidents with case management, and use Copilot for Security as an embedded investigation tool.

Respond to alerts and incidents in Microsoft Defender XDR

Respond to alerts and incidents in Microsoft Defender for Endpoint

When a device is compromised, you need to dig into the device timeline, run live response commands, collect investigation packages, and work with automatic attack disruption. This is very hands-on.

Investigate Microsoft 365 activities to identify threats

Beyond Defender alerts, you can use Microsoft Purview Audit, Content Search, and Microsoft Graph activity logs to investigate suspicious activity across the M365 tenant.


Perform threat hunting (20–25%)

Threat hunting is proactive — you go looking for threats that haven’t triggered any alerts. KQL is your primary tool. This domain covers writing Advanced Hunting queries in Defender XDR and hunting queries in Sentinel, including the new Sentinel MCP Server integration and Data Lake queries.
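The detection-rule types described under "Configure detections" and the hunting queries described here both come down to the same KQL. The query below is an added example written for this guide; it is not from the study guide, from Microsoft's content, or from an official rule template. It runs over the SecurityEvent table that the Windows Security Events via AMA connector populates, and surfaces accounts and source IPs with a burst of failed logons (Event ID 4625). The look-back window and the threshold of 10 failures are assumed values chosen for illustration; tune them to your environment.

```kql
// Added example, not part of the study guide: burst of failed Windows logons
// per account and source IP over SecurityEvent (Windows Security Events via AMA).
// 'lookback' and 'threshold' are assumed values chosen for illustration.
let lookback = 10m;
let threshold = 10;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                       // An account failed to log on
| where LogonType in (3, 10)                  // network and RemoteInteractive (RDP) logons
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| summarize
    FailedAttempts = count(),
    DistinctTargets = dcount(Computer),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    TargetHosts = make_set(Computer, 10)      // cap the set so the row stays readable
    by TargetUserName, TargetDomainName, SourceIp = IpAddress
| where FailedAttempts >= threshold
| extend Account = strcat(TargetDomainName, "\\", TargetUserName)
| project FirstSeen, LastSeen, Account, SourceIp, FailedAttempts, DistinctTargets, TargetHosts
| order by FailedAttempts desc
```

Run as-is in the Sentinel Logs or Hunting blade, this is a hunting query: the summarize step tells you at a glance whether a single source is spraying one account or walking many hosts (DistinctTargets). Saved as a scheduled analytics rule, the same query becomes a detection: set the rule's query frequency and look-back to match the 10-minute window, map the Account and SourceIp columns to the Account and IP entities in the rule's entity mapping, and tag the rule with the Credential Access tactic and the Brute Force technique (T1110) so it shows up in the MITRE ATT&CK coverage view. The same pattern applies in Defender XDR Advanced Hunting against DeviceLogonEvents, filtering on ActionType == "LogonFailed" and grouping by AccountName and RemoteIP.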

Detect threats by using Microsoft Defender XDR

Detect threats by using the Microsoft Sentinel platform


Skills Measured

Manage a security operations environment (40–45%)

Configure automation for Microsoft Defender XDR and Microsoft Sentinel

  • Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics
  • Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation
  • Configure Microsoft Defender for Endpoint advanced features
  • Configure rules settings in Microsoft Defender for Endpoint
  • Configure custom data collection in Microsoft Defender for Endpoint
  • Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
  • Manage automated investigation and response capabilities in Microsoft Defender XDR
  • Configure automatic attack disruption in Microsoft Defender XDR
  • Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
  • Create and configure automation rules in Microsoft Sentinel
  • Create and configure Microsoft Sentinel playbooks

Configure the Microsoft Sentinel SIEM and platform

  • Specify Microsoft Sentinel roles
  • Manage data retention for XDR and Microsoft Sentinel tables, including Analytics, Data lake, and XDR tiers
  • Create and configure Microsoft Sentinel workbooks
  • Optimize the Microsoft Sentinel platform, including SOC optimization recommendations

Ingest data into the Microsoft Sentinel SIEM and platform

  • Select data connectors based on data source requirements, including Windows logs and security events
  • Configure collection of Windows Security events by using Windows Security Events via AMA, including data collection rules
  • Plan and configure collection of Windows Security events by using Windows Event Forwarding (WEF)
  • Plan and configure Syslog via AMA and Common Event Format (CEF) via AMA connectors
  • Configure collection of Azure activities by using Azure Policy and resource diagnostic settings
  • Ingest threat indicators into Microsoft Sentinel
  • Create custom log tables in the workspace to store ingested data

Configure detections

  • Create custom detection rules by using Advanced Hunting in Microsoft Defender XDR
  • Manage custom detection rules in Microsoft Defender XDR
  • Configure and manage analytics rules in Microsoft Sentinel SIEM, including scheduled, near-real-time (NRT), threat intelligence, and machine learning
  • Analyze attack vector coverage by using the MITRE ATT&CK matrix
  • Configure anomalies in Microsoft Sentinel

Respond to security incidents (35–40%)

Respond to alerts and incidents in Microsoft Defender XDR

  • Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption
  • Investigate and remediate threats or compromised entities identified by Microsoft Purview
  • Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
  • Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
  • Investigate and remediate compromised identities that are identified by Microsoft Entra ID
  • Investigate and remediate security alerts from Microsoft Defender for Identity
  • Investigate and remediate alerts and incidents identified by Microsoft Sentinel
  • Investigate incidents by using agentic AI, including embedded Copilot for Security
  • Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement
  • Manage security incidents by using case management

Respond to alerts and incidents in Microsoft Defender for Endpoint

  • Investigate device timelines
  • Perform actions on the device, including live response and collecting investigation packages
  • Perform evidence and entity investigation
  • Investigate and remediate incidents identified by automatic attack disruption

Investigate Microsoft 365 activities to identify threats

  • Investigate threats by using Audit from Microsoft Purview
  • Investigate threats by using Content Search in Microsoft Purview
  • Investigate threats by using Microsoft Graph activity logs

Perform threat hunting (20–25%)

Detect threats by using Microsoft Defender XDR

  • Identify the appropriate table to use in a KQL query
  • Identify threats by using Kusto Query Language (KQL)
  • Create Advanced Hunting queries
  • Interpret threat analytics in Microsoft Defender XDR
  • Create hunting graphs, including blast radius
  • Analyze relationships between entities by using Sentinel Graph

Detect threats by using the Microsoft Sentinel platform

  • Create and monitor hunting queries
  • Create and manage KQL jobs in Data lake
  • Create and manage Summary rule tables for querying
  • Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server
