SC-200 is the most hands-on Microsoft security certification. This guide covers every domain of the exam with the KQL queries and Sentinel skills you need to pass.
SC-200 (Microsoft Security Operations Analyst) focuses on Microsoft Sentinel, Microsoft Defender XDR (covering Endpoint, Identity, Office 365, and Cloud Apps), and Microsoft Defender for Cloud. Unlike SC-300 (which is identity-focused) or AZ-500 (which is architecture-focused), SC-200 is a SOC analyst exam — you're expected to know how to investigate alerts, write KQL queries, build analytics rules, and respond to incidents. The pass mark is 700/1000.
You need functional KQL for SC-200. The exam includes questions where you must identify the correct query to achieve a specific result. Core operators to master:
| where — filter rows
| project — select columns
| extend — add computed columns
| summarize count() by — aggregate
| join kind=inner — join two tables
| order by TimeGenerated desc — sort
| top 10 by — limit results
Common exam scenario: "Write a query that finds all failed sign-ins from the same IP in the last hour." Answer:
SigninLogs | where TimeGenerated > ago(1h) | where ResultType != "0" | summarize FailedAttempts = count() by IPAddress | where FailedAttempts > 10
Practice 2–3 KQL queries per day in a free Azure trial workspace.
Analytics rules: Scheduled (run on a schedule, custom KQL), NRT (near real-time, run every minute), Microsoft Security (import alerts from Defender products), Fusion (ML-based multi-signal correlation), Anomaly (ML-based behavioural baselines). Know when to use each — Scheduled for custom detections, NRT for time-sensitive alerts.
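Building on the failed-sign-in query above and the Scheduled rule type just listed, here is an added example query (not from this guide, Microsoft documentation or any InterviUni material) that also correlates each noisy IP with a later successful sign-in from the same address, exercising where, summarize, join kind=inner, extend, project and order by together. The 10-attempt threshold and the 1-hour window are assumed starting values; SigninLogs and its columns are the standard Sentinel table.

```kql
// Added example, not from the original guide.
// Step 1: IPs with more than `threshold` failed sign-ins in the last `lookback`.
// Step 2: successful sign-ins from those same IPs that occurred after the last failure.
let lookback = 1h;      // assumed window; match it to the rule's lookup period
let threshold = 10;     // assumed threshold; tune for your tenant
let FailedByIp =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                       // "0" means success in SigninLogs
    | summarize FailedAttempts = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated)
      by IPAddress
    | where FailedAttempts > threshold;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName
| join kind=inner FailedByIp on IPAddress          // keep only IPs that were also failing
| where SuccessTime > LastFailure                  // success came after the failures
| extend WindowMinutes = datetime_diff('minute', SuccessTime, FirstFailure)
| project SuccessTime, IPAddress, UserPrincipalName, AppDisplayName,
          FailedAttempts, TargetedAccounts, WindowMinutes
| order by SuccessTime desc
```

Used as the query of a Scheduled analytics rule with a lookup period of at least one hour, map IPAddress and UserPrincipalName to the IP and Account entities so the resulting incident's investigation graph links them.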
Incident investigation: Sentinel aggregates alerts into incidents. The investigation graph shows entity relationships (accounts, hosts, IPs, URLs). Entity pages show the full timeline for a user or host. Bookmarks save specific events during an investigation. Hunting queries proactively search for threats before they trigger alerts.
Automation: Automation rules run immediately when an incident is created — change status, assign, add tags, or trigger a playbook. Playbooks are Logic Apps that can take external actions (send Teams message, create Jira ticket, block IP in firewall). The exam tests: automation rules for immediate simple actions, playbooks for complex multi-step responses.
Device onboarding methods: local script (testing), Group Policy, MECM/Intune (production). Investigation package: memory dump, registry hives, network connections. Automated investigation: Defender AIR (Automated Investigation and Response) runs automatically for high/medium alerts and can auto-remediate. Exam point: AIR only auto-remediates if the device is in a group where remediation level is set to "Full" or "Semi-automatic".
Advanced Hunting in the Microsoft 365 Defender portal uses the same KQL as Sentinel but queries different tables: DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, EmailEvents, IdentityLogonEvents.
The InterviUni SC-200 course covers all three domains with interactive scenarios and a scored final exam. Pair it with a free Microsoft Sentinel workspace in Azure to practise KQL hands-on.