Exam SC-200: Microsoft Security Operations Analyst
Proctored Microsoft certification exam focused on threat detection, investigation, response, and security operations tasks.
- Type
- Written
- Duration
- 100 min
Exam sections
Manage a security operations environment
This section focuses on configuring automation and response within Microsoft Defender XDR and Microsoft Sentinel. It covers setting up notifications, managing automated investigations, creating playbooks, defining roles, retaining data, building workbooks, and ingesting various log types like Syslog and threat indicators.
Question notes
May include case studies and interactive items such as drag-and-drop or hot area questions.
Preparation tips
Practice configuring data connectors and analytics rules in a Microsoft Sentinel trial environment.
Respond to security incidents
This section involves investigating and remediating threats across the Microsoft security stack, including Purview, Defender for Cloud, and Entra ID. Candidates must demonstrate proficiency in using AI Copilot, managing case workflows, performing device timeline analysis, and executing live response actions.
Question notes
This section typically involves multi-step incident response scenarios and may feature interactive lab simulations.
Preparation tips
Review the incident response workflows in the Microsoft Defender portal and practice using KQL for investigation.
Perform threat hunting
This section focuses on proactive threat hunting using Microsoft Defender XDR and Sentinel. It requires writing Advanced Hunting queries in KQL, interpreting threat analytics, building hunting graphs, analyzing entity relationships, and managing KQL jobs to uncover hidden adversary activities across the environment.
Question notes
Expect a heavy focus on Kusto Query Language (KQL) syntax and interpreting query results.
Preparation tips
Master Kusto Query Language (KQL) and explore the 'Advanced Hunting' schema in Microsoft Defender XDR.
