Use this quick start guide to collect the essential information about the Microsoft Security Operations Analyst (SC-200) certification exam. The guide lists the exam objectives and the resources that will help you prepare for each of them. The Sample Questions show the type and difficulty level of the questions you can expect, and the Practice Exams familiarize you with the format and environment of the real exam. Read this guide carefully before attempting the Microsoft MCA Security Operations Analyst certification exam.
The Microsoft Security Operations Analyst certification is aimed at candidates who want to build a career in security operations on the Microsoft platform (Microsoft Defender XDR, Microsoft Defender for Endpoint and Microsoft Sentinel). The Microsoft Certified - Security Operations Analyst Associate exam verifies that the candidate has the knowledge and hands-on skills expected of a Microsoft MCA Security Operations Analyst.
Microsoft Security Operations Analyst Exam Summary:
| Item | Detail |
|---|---|
| Exam Name | Microsoft Certified - Security Operations Analyst Associate |
| Exam Code | SC-200 |
| Exam Price | $165 (USD) |
| Duration | 120 minutes |
| Number of Questions | 40-60 |
| Passing Score | 700 / 1000 |
| Books / Training | SC-200T00-A: Defend against cyberthreats with Microsoft's security operations platform |
| Schedule Exam | Pearson VUE |
| Sample Questions | Microsoft Security Operations Analyst Sample Questions |
| Practice Exam | Microsoft SC-200 Certification Practice Exam |
Microsoft SC-200 Exam Syllabus Topics:
| Topic | Details |
|---|---|
| Manage a security operations environment (40-45%) | |
| Configure automation for Microsoft Defender XDR and Microsoft Sentinel | - Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics - Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation - Configure Microsoft Defender for Endpoint advanced features - Configure rules settings in Microsoft Defender for Endpoint - Configure custom data collection in Microsoft Defender for Endpoint - Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules - Manage automated investigation and response capabilities in Microsoft Defender XDR - Configure automatic attack disruption in Microsoft Defender XDR - Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint - Create and configure automation rules in Microsoft Sentinel - Create and configure Microsoft Sentinel playbooks |
| Configure the Microsoft Sentinel SIEM and platform | - Specify Microsoft Sentinel roles - Manage data retention for XDR and Microsoft Sentinel tables, including Analytics, Data lake, and XDR tiers - Create and configure Microsoft Sentinel workbooks - Optimize the Microsoft Sentinel platform, including SOC optimization recommendations |
| Ingest data into the Microsoft Sentinel SIEM and platform | - Select data connectors based on data source requirements, including Windows logs and security events - Configure collection of Windows Security events by using Windows Security Events via AMA, including data collection rules - Plan and configure collection of Windows Security events by using Windows Event Forwarding (WEF) - Plan and configure Syslog via AMA and Common Event Format (CEF) via AMA connectors - Configure collection of Azure activities by using Azure Policy and resource diagnostic settings - Ingest threat indicators into Microsoft Sentinel - Create custom log tables in the workspace to store ingested data |
| Configure detections | - Create custom detection rules by using Advanced Hunting in Microsoft Defender XDR - Manage custom detection rules in Microsoft Defender XDR - Configure and manage analytics rules in Microsoft Sentinel SIEM, including scheduled, near-real-time (NRT), threat intelligence, and machine learning - Analyze attack vector coverage by using the MITRE ATT&CK matrix - Configure anomalies in Microsoft Sentinel |
| Respond to security incidents (35-40%) | |
| Respond to alerts and incidents in Microsoft Defender XDR | - Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption - Investigate and remediate threats or compromised entities identified by Microsoft Purview - Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections - Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps - Investigate and remediate compromised identities that are identified by Microsoft Entra ID - Investigate and remediate security alerts from Microsoft Defender for Identity - Investigate and remediate alerts and incidents identified by Microsoft Sentinel - Investigate incidents by using agentic AI, including embedded Copilot for Security - Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement - Manage security incidents by using case management |
| Respond to alerts and incidents in Microsoft Defender for Endpoint | - Investigate device timelines - Perform actions on the device, including live response and collecting investigation packages - Perform evidence and entity investigation - Investigate and remediate incidents identified by automatic attack disruption |
| Investigate Microsoft 365 activities to identify threats | - Investigate threats by using Audit from Microsoft Purview - Investigate threats by using Content Search in Microsoft Purview - Investigate threats by using Microsoft Graph activity logs |
| Perform threat hunting (20-25%) | |
| Detect threats by using Microsoft Defender XDR | - Identify the appropriate table to use in a KQL query - Identify threats by using Kusto Query Language (KQL) - Create Advanced Hunting queries - Interpret threat analytics in Microsoft Defender XDR - Create hunting graphs, including blast radius - Analyze relationships between entities by using Sentinel Graph |
| Detect threats by using the Microsoft Sentinel platform | - Create and monitor hunting queries - Create and manage KQL jobs in Data lake - Create and manage Summary rule tables for querying - Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server |
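The hunting and detection objectives above ("Identify the appropriate table to use in a KQL query", "Create Advanced Hunting queries" and "Create custom detection rules by using Advanced Hunting") are easiest to grasp from a concrete query. The following is an added example written for this guide; it is not Microsoft courseware or a sample exam item. It runs in Advanced Hunting in Microsoft Defender XDR against the DeviceProcessEvents table and hunts for Office applications spawning script hosts or shells, the classic macro-based initial-access pattern. The seven-day window, the Click-to-Run allowlist and the command-line keyword list are assumptions to tune per environment; the projected Timestamp, ReportId and DeviceId columns are the ones a custom detection rule needs so the platform can stamp each result and map it to a device entity.

```kql
// Added example for this study guide; not Microsoft courseware.
// Table choice: DeviceProcessEvents records every process creation seen by
// Defender for Endpoint, together with the initiating (parent) process.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                           "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"]);
DeviceProcessEvents
// Hunting window (assumption); a saved custom detection applies its own schedule instead.
| where Timestamp > ago(7d)
// Parent is an Office app and child is a script host or shell (case-insensitive match).
| where InitiatingProcessFileName in~ (officeApps)
| where FileName in~ (scriptHosts)
// Assumed allowlist: drop Office Click-to-Run maintenance noise. Tune per environment.
| where InitiatingProcessCommandLine !has "OfficeClickToRun"
// Flag command-line traits that usually accompany macro droppers.
| extend SuspiciousCmd = ProcessCommandLine has_any ("-enc", "-EncodedCommand",
                                                     "FromBase64String", "DownloadString",
                                                     "Invoke-WebRequest", "http")
| extend Priority = iff(SuspiciousCmd, "High", "Medium")
// Timestamp, ReportId and an entity column (DeviceId here) are required
// for the query to be saved as a custom detection rule.
| project Timestamp, DeviceId, DeviceName, ReportId, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, Priority
| order by Timestamp desc
```

Run it first as a hunt and review the Medium-priority hits to extend the allowlist; once the result set is clean, save the same query as a custom detection rule so it runs on a schedule and raises alerts whose device entity comes from the projected DeviceId.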
To ensure success in the Microsoft MCA Security Operations Analyst certification exam, we recommend combining the authorized training course, practice tests and hands-on experience with Microsoft Defender XDR and Microsoft Sentinel when preparing for the Microsoft Security Operations Analyst (SC-200) exam.
