SC-200 Exam Study Guide (Microsoft Security Operations Analyst)

SC-200 Microsoft Security Operations Analyst Cert. Study Guide

SC-200 Preparation Details

Preparing for the SC-200 Microsoft Security Operations Analyst exam? Don’t know where to start? This post is the SC-200 Certificate Study Guide (with links to each exam objective).

I have curated a list of articles from Microsoft documentation for each objective of the SC-200 exam. Please share the post within your circles so it can help others prepare for the exam.


SC-200 Microsoft Security Operations Analyst

Udemy Introduction to Cloud Security with Microsoft
Pluralsight Managing Security Operations in Azure
LinkedIn Learning (Free trial) Manage Microsoft security operations

SC-200 Microsoft Security Analyst Practice Test

Whizlabs Exam Questions Microsoft Security Analyst Practice Test
Udemy Practice Tests Security Operations Analyst Test
Amazon e-book (PDF) Microsoft Azure Security Infrastructure

Looking for SC-200 Dumps? Read This!

Using SC-200 exam dumps can get you permanently banned from taking any future Microsoft certification exam. Read the FAQ page for more information. Instead, I strongly suggest you validate your understanding with practice questions.

Check out all the other Azure certificate study guides

Full Disclosure: Some of the links in this post are affiliate links. I receive a commission when you purchase through them.

Mitigate Threats Using Microsoft 365 Defender (25-30%)

Detect, Investigate, Respond, and Remediate Threats to the Productivity Environment by Using Microsoft Defender for Office 365

Detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for Business threats

Threat Explorer and Real-time detections

Threat investigation and response

Threat intelligence to protect, detect & respond to threats

Remediate malicious email delivered in Office 365

Detect, investigate, respond, remediate threats to email by using Defender for Office 365

Threat Explorer and Real-time detections

Automated investigation & response in Defender for Office 365

AIR in Microsoft Defender for Office 365

Remediation actions in Microsoft Defender for Office 365

Manage data loss prevention policy alerts

Review and manage Microsoft DLP alerts

Configure and view alerts for DLP policies

Assess and recommend sensitivity labels

Use sensitivity labels to prioritize incident response

Assess and recommend insider risk policies

Insider risk management policies


Detect, Investigate, Respond, and Remediate Endpoint Threats by Using Microsoft Defender for Endpoint

Manage data retention, alert notification, and advanced features

Configure device attack surface reduction rules

Enable attack surface reduction rules

Use attack surface reduction rules to prevent malware infection
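Before moving an attack surface reduction rule from audit to block mode, you want to see what the rule has been matching and on how many devices. The advanced hunting query below is an added example (it is not taken from the linked Microsoft pages): it summarizes ASR events from the DeviceEvents table in Microsoft 365 Defender. The ActionType naming convention (AsrXxxAudited, AsrXxxBlocked, AsrXxxWarned) and the 7-day window are assumptions to adjust for your tenant.

```kql
// Added example: triage ASR activity per rule before enforcing block mode.
// ASR events land in DeviceEvents; the ActionType encodes both the rule and
// the mode it fired in (assumed suffixes: Audited / Blocked / Warned).
DeviceEvents
| where Timestamp > ago(7d)                          // assumed assessment window
| where ActionType startswith "Asr"
| extend Mode = case(ActionType endswith "Audited", "audit",
                     ActionType endswith "Warned",  "warn",
                     "block")
| summarize Events          = count(),
            Devices         = dcount(DeviceId),
            SampleProcesses = make_set(InitiatingProcessFileName, 10),
            SampleFiles     = make_set(FileName, 10)
          by ActionType, Mode
| order by Events desc
```

A rule that fires in audit mode on thousands of events across many devices, with legitimate line-of-business processes in SampleProcesses, needs exclusions before it goes to block; a rule with near-zero audit hits can usually be enforced directly.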

Configure and manage custom detections and alerts

Custom detections overview

Create custom detection rules
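A custom detection rule in Microsoft 365 Defender is an advanced hunting query that runs on a schedule and raises alerts. The query must return the Timestamp, DeviceId and ReportId columns, because those are what the rule uses to create the alert and link it to the device. The query below is an added example (not from the linked documentation) that flags Office applications spawning encoded PowerShell; the list of parent processes and the regular expressions are assumptions you should tune for your environment.

```kql
// Added example: custom detection candidate. Timestamp, DeviceId and
// ReportId must be in the output or the rule cannot be saved.
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// -e / -ec / -enc / -EncodedCommand with a base64 payload (assumed pattern)
| where ProcessCommandLine matches regex @"(?i)\s-(e|ec|enc|encodedcommand)\s"
// Office parents spawning PowerShell is the classic macro-dropper shape
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe",
                                       "powerpnt.exe", "outlook.exe")
| extend EncodedBlob = extract(@"(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                               1, ProcessCommandLine)
| project Timestamp, DeviceId, ReportId,
          DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, EncodedBlob
```

Run it in Advanced hunting first and check the result volume; then create the detection rule from the query, setting the frequency, impacted entity (DeviceId) and any automated actions such as isolating the device or collecting an investigation package.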

Review alerts in Microsoft Defender for Endpoint

Respond to incidents and alerts

Take response actions on a device

Manage automated investigations and remediations

Overview of automated investigations

Configure automated investigation & remediation capabilities

Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s Threat and Vulnerability Management solution

Microsoft’s Threat & Vulnerability Management

Threat and vulnerability management

Remediate vulnerabilities with threat & vulnerability management

Manage Microsoft Defender for Endpoint threat indicators

Manage indicators

Analyze Microsoft Defender for Endpoint threat analytics

Understand the analyst report in threat analytics

Detect, Investigate, Respond, and Remediate Identity Threats

Identify and remediate security risks related to sign-in risk policies

Unblocking based on sign-in risk

Identify and remediate security risks related to Conditional Access events

Configure Conditional Access in Microsoft Defender

Identify and remediate security risks related to Azure Active Directory

Remediate risks in Azure AD

Remediate users flagged for risk in Azure AD

Identify and remediate security risks using Secure Score

Remediate recommendations in Azure Security Center

Identify, investigate, and remediate security risks related to privileged identities

Lower exposure of privileged accounts

Configure detection alerts in Azure AD Identity Protection

Detect risks with Azure AD Identity Protection policies

Azure Active Directory Identity Protection notifications

Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity

Investigate a domain

Microsoft Defender for Identity FAQs

Identify, investigate, and remediate security risks by using Microsoft Cloud App Security (MCAS)

Investigate cloud app risks & suspicious activity

Configure MCAS to generate alerts and reports to detect threats

Manage alerts

Generate data management reports

Manage Cross-domain Investigations in Microsoft 365 Defender Portal

Manage incidents across Microsoft 365 Defender products

Manage incidents in Microsoft 365 Defender

Manage actions pending approval across products

The Action center

View and manage actions in the Action center

Perform advanced threat hunting

Hunt threats with advanced hunting in Microsoft 365 Defender

Proactively hunt for threats with advanced hunting

Mitigate Threats Using Azure Defender (25-30%)

Design and Configure an Azure Defender Implementation

Plan and configure an Azure Defender workspace

Enable Azure Defender

Configure Azure Defender roles

Create & manage roles for role-based access control

Manage portal access using RBAC

Configure data retention policies

Microsoft’s data retention policy

Assess and recommend cloud workload protection

Introduction to Azure Defender

Cloud Workload Security

Plan and Implement the Use of Data Connectors for Ingestion of Data Sources in Azure Defender

Identify data sources to be ingested for Azure Defender

Categorize Microsoft alerts across data sources

Configure Automated Onboarding for Azure resources

Automate onboarding

Automate onboarding of Azure Security Center

Connect non-Azure machine onboarding

Connect non-Azure machines

Connect AWS cloud resources

Connect your AWS accounts

Connect your AWS accounts to Azure Security Center

Connect GCP cloud resources

Connect your GCP accounts

Connect your GCP accounts to Azure Security Center

Configure data collection

Enable data collection


Manage Azure Defender Alert Rules

Validate alert configuration

Validating Azure Defender for DNS alerts

Alert validation in Azure Security Center

Setup email notifications

Configure email notifications for security alerts

Create and manage alert suppression rules

Suppress alerts from Azure Defender

Manage suppression rules

Configure Automation and Remediation

Configure automated responses in Azure Security Center

Automate responses to Security Center triggers

Design and configure playbook in Azure Defender

Reconnaissance playbook

Remediate incidents by using Azure Defender recommendations

Remediate recommendations in Azure Security Center

Create an automatic response using an Azure Resource Manager template

Create an automatic response using an ARM template

Investigate Azure Defender Alerts and Incidents

Describe alert types for Azure workloads

Security alerts – a reference guide

Manage security alerts

What are security alerts?

Manage security incidents

Incidents in Azure Security Center

Analyze Azure Defender threat intelligence

Threat intelligence

Azure Defender powered by Microsoft threat intelligence

Respond to Azure Defender for Key Vault alerts

Respond to Azure Defender for Key Vault alerts

Manage user data discovered during an investigation

How does Azure Security Center help analyze attacks using Investigation?

Mitigate Threats Using Azure Sentinel (40-45%)

Design and Configure an Azure Sentinel Workspace

Plan an Azure Sentinel workspace

Plan for the Azure Sentinel workspace

Configure Azure Sentinel roles

Permissions in Azure Sentinel

Design Azure Sentinel data storage

Move Azure Sentinel logs to long-term storage

Use Azure Data Explorer for retention of Azure Sentinel logs

Configure Azure Sentinel service security

Azure security baseline for Azure Sentinel

Plan and Implement the Use of Data Connectors for Ingestion of Data Sources in Azure Sentinel

Identify data sources to be ingested for Azure Sentinel

Connect data sources

Identify the prerequisites for a data connector

On-board Azure Sentinel

Configure and use Azure Sentinel data connectors

Connect data to Azure Sentinel using data connectors

Design Syslog and CEF collections

Collect data from Linux-based sources using Syslog

Connect your external solution using Common Event Format

Best Practices for CEF collection in Azure Sentinel

Design and Configure Windows Events collections

Connect Windows security events

Configure custom threat intelligence connectors

Connect data from threat intelligence providers

Create custom logs in Azure Log Analytics to store custom data

Collect custom logs with Log Analytics agent

Manage Azure Sentinel Analytics Rules

Design and configure analytics rules

Define rule query logic & configure settings

Create custom analytics rules to detect threats

Create a custom analytics rule with a scheduled query

Activate Microsoft security analytical rules

Using Microsoft Security incident creation analytics rules

Configure connector provided scheduled queries

Azure Sentinel: The connectors grand

Operationalize Azure Sentinel: From log ingestion to incident detection

Configure custom scheduled queries

Create a custom analytics rule with a scheduled query

Define incident creation logic

Configure the incident creation settings

Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel

Create Azure Sentinel playbooks

Use playbooks with automation rules in Azure Sentinel

Configure rules and incidents to trigger playbooks

Choose the trigger

Automate threat response with playbooks in Azure Sentinel

Use playbooks to remediate threats

Use playbooks with automation rules in Azure Sentinel

Use playbooks to manage incidents

Configure security playbook in Azure Sentinel

Use playbooks across Microsoft Defender solutions

Security automation & orchestration

Azure Sentinel Microsoft Defender ATP

Manage Azure Sentinel Incidents

Investigate incidents in Azure Sentinel

Investigate incidents with Azure Sentinel

Triage incidents in Azure Sentinel

Triage security alerts

Respond to incidents in Azure Sentinel

Respond to a security alert

Investigate multi-workspace incidents

Work with incidents in many workspaces at once

Cross workspace Hunting is now available

Identify advanced threats with User and Entity Behavior Analytics (UEBA)

Identify advanced threats with UEBA in Azure Sentinel

Use Azure Sentinel Workbooks to Analyze and Interpret Data

Activate and customize Azure Sentinel workbook templates

Workbooks vs. workbook templates

ARM template for deploying a workbook template

Create custom workbooks

Create new workbooks

Configure advanced visualizations

Query and visualize data with Azure Sentinel Workbooks

View and analyze Azure Sentinel data using workbooks

Visualize and monitor your data

Visualize data in Azure Sentinel

Track incident metrics using the security operations efficiency workbook

Manage your SOC better with incident metrics

Hunt for Threats Using the Azure Sentinel Portal

Create custom hunting queries

Create custom queries to refine threat hunting

Creating custom Azure Sentinel Hunting queries

Run hunting queries manually

Hunt for threats by using Azure Sentinel

Monitor hunting queries by using Livestream

Manage hunting and Livestream queries in Azure Sentinel

Perform advanced hunting with notebooks

Use Jupyter Notebook to hunt for security threats

Hunt for threats using notebooks in Azure Sentinel

Track query results with bookmarks

Track query results

Use hunting bookmarks for data investigations

Explore bookmarks in the investigation graph

Convert a hunting query to an analytical rule

Turning Hunting queries into Analytics Rules

Threat hunting vs Analytics rule
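The difference between a hunting query and an analytics rule is mostly operational: the same KQL is run ad hoc while hunting, then saved as a scheduled rule with a frequency, a lookback period, a trigger threshold and entity mappings once it is tuned. The query below is an added example, not from the linked pages, that serves both the custom scheduled analytics rule objective and the hunting-to-rule conversion objective. It assumes the Windows security events connector is populating the SecurityEvent table, and the threshold of 20 failures per source in one hour is an assumption to tune against your baseline.

```kql
// Added example: brute-force / password-spray candidate from failed logons.
// Hunt with it first; once tuned, save it as a scheduled analytics rule with
// frequency 1h, lookback 1h, trigger "greater than 0 results".
let threshold = 20;                       // assumed per-source failure cutoff
SecurityEvent
| where TimeGenerated > ago(1h)           // matches the rule's lookback period
| where EventID == 4625                   // failed logon
| where LogonType in (3, 10)              // network and RDP logons only
| where isnotempty(IpAddress) and IpAddress !in ("-", "127.0.0.1", "::1")
| summarize FailedCount      = count(),
            DistinctAccounts = dcount(TargetUserName),
            Accounts         = make_set(TargetUserName, 25),
            FirstAttempt     = min(TimeGenerated),
            LastAttempt      = max(TimeGenerated)
          by IpAddress, Computer
| where FailedCount >= threshold
| extend AttackShape = iff(DistinctAccounts > 5, "spray", "brute-force")
| order by FailedCount desc
```

When saving it as a rule, map IpAddress to the IP entity and Computer to the Host entity in the rule wizard so investigation and playbooks can act on them, and group alerts into one incident per IpAddress so a single spray does not create dozens of incidents. Keep the original query as a hunting query as well, so analysts can rerun it with a wider window or a lower threshold during an investigation.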

This brings us to the end of the SC-200 Microsoft Security Operations Analyst exam study guide.

What do you think? Let me know in the comments section if I have missed anything. I would also love to hear how your SC-200 exam preparation is going!

In case you are preparing for other Azure certification exams, check out the Azure study guide for those exams.


1 Comment

  1. Hi,

    This looks like a great study guide. I am preparing for the SC-200 Exam. I quickly looked over the topics/links. Do you have any recommendations for labs to build hands-on skills with Defender and Sentinel?

    Thanks!