Study guide for Exam SC-200: Microsoft Security Operations Analyst

Purpose of this document

This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Updates to the exam

Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.

We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. While Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.

Note

The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.

Note

Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.

Skills measured as of April 16, 2026

Audience profile

As a candidate for this exam, you’re a security operations analyst who reduces organizational risk by performing triage, responding to incidents, hunting for threats, and engineering detections.

As a security operations analyst, you monitor, identify, investigate, and respond to threats in multi-cloud and on-premises environments by using Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud workload protections. You perform hunting by using KQL and Sentinel Graph and automate responses to threats.

You collaborate with business and security leadership to define security standards for the organization. You work with other roles across the digital enterprise to implement the standards, to enhance the security posture of an organization, and to raise security awareness.

As a candidate, you should be familiar with:

• Microsoft security, compliance, and identity solutions

• Microsoft 365

• Azure cloud services

• AI agents and Copilots

• Windows, Linux, and mobile operating systems.

Skills at a glance

• Manage a security operations environment (40–45%)

• Respond to security incidents (35–40%)

• Perform threat hunting (20–25%)

Manage a security operations environment (40–45%)

Configure automation for Microsoft Defender XDR and Microsoft Sentinel

• Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics

• Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation

• Configure Microsoft Defender for Endpoint advanced features

• Configure rules settings in Microsoft Defender for Endpoint

• Configure custom data collection in Microsoft Defender for Endpoint

• Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules

• Manage automated investigation and response capabilities in Microsoft Defender XDR

• Configure automatic attack disruption in Microsoft Defender XDR

• Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint

• Create and configure automation rules in Microsoft Sentinel

• Create and configure Microsoft Sentinel playbooks

Configure the Microsoft Sentinel SIEM and platform

• Specify Microsoft Sentinel roles

• Manage data retention for XDR and Microsoft Sentinel tables, including Analytics, Data lake, and XDR tiers

• Create and configure Microsoft Sentinel workbooks

• Optimize the Microsoft Sentinel platform, including SOC optimization recommendations

Ingest data into the Microsoft Sentinel SIEM and platform

• Select data connectors based on data source requirements, including Windows logs and security events

• Configure collection of Windows Security events by using Windows Security Events via AMA, including data collection rules

• Plan and configure collection of Windows Security events by using Windows Event Forwarding (WEF)

• Plan and configure Syslog via AMA and Common Event Format (CEF) via AMA connectors

• Configure collection of Azure activities by using Azure Policy and resource diagnostic settings

• Ingest threat indicators into Microsoft Sentinel

• Create custom log tables in the workspace to store ingested data

Configure detections

• Create custom detection rules by using Advanced Hunting in Microsoft Defender XDR

• Manage custom detection rules in Microsoft Defender XDR

• Configure and manage analytics rules in Microsoft Sentinel SIEM, including scheduled, near-real time (NRT), threat intelligence, and machine learning

• Analyze attack vector coverage by using the MITRE ATT&CK matrix

• Configure anomalies in Microsoft Sentinel

Respond to security incidents (35–40%)

Respond to alerts and incidents in Microsoft Defender XDR

• Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption

• Investigate and remediate threats or compromised entities identified by Microsoft Purview

• Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections

• Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps

• Investigate and remediate compromised identities that are identified by Microsoft Entra ID

• Investigate and remediate security alerts from Microsoft Defender for Identity

• Investigate and remediate alerts and incidents identified by Microsoft Sentinel

• Investigate incidents by using agentic AI, including embedded Copilot for Security

• Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement

• Manage security incidents by using case management

Respond to alerts and incidents in Microsoft Defender for Endpoint

• Investigate device timelines

• Perform actions on the device, including live response and collecting investigation packages

• Perform evidence and entity investigation

• Investigate and remediate incidents identified by automatic attack disruption

Investigate Microsoft 365 activities to identify threats

• Investigate threats by using Audit from Microsoft Purview

• Investigate threats by using Content Search in Microsoft Purview

• Investigate threats by using Microsoft Graph activity logs

Perform threat hunting (20–25%)

Detect threats by using Microsoft Defender XDR

• Identify the appropriate table to use in a KQL query

• Identify threats by using Kusto Query Language (KQL)

• Create Advanced Hunting queries

• Interpret threat analytics in Microsoft Defender XDR

• Create hunting graphs, including blast radius

• Analyze relationships between entities by using Sentinel Graph

Detect threats by using the Microsoft Sentinel platform

• Create and monitor hunting queries

• Create and manage KQL jobs in Data lake

• Create and manage Summary rule tables for querying

• Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server

Study resources

We recommend that you train and get hands-on experience before you take the exam. We offer self-study options and classroom training as well as links to documentation, community sites, and videos.

Change log

The table below summarizes the changes between the current and previous version of the skills measured. The functional groups are in bold typeface followed by the objectives within each group. The table is a comparison between the previous and current version of the exam skills measured and the third column describes the extent of the changes.