1. Home
  2. Microsoft
  3. SC-200 Exam Syllabus

Microsoft SC-200 Exam Syllabus

Start Free SC-200 Exam Practice After Reviewing the Topics

Before starting your SC-200 exam preparation, it is recommended to review the complete Microsoft Security Operations Analyst exam syllabus and carefully go through the exam objectives listed below. Once you understand the exam structure and objectives, you should practice using our free SC-200 questions. We also provide premium SC-200 practice test, fully updated according to the latest exam objectives, to help you accurately assess your preparedness for the actual exam.

Microsoft
Vendor
SC-200
Exam Code
391
Total Questions
3
Total Exam Domains

START FREE SC-200 EXAM PRACTICE

NO SIGNUP REQUIRED  •  100% FREE TO START

SC-200 EXAM QUESTIONS

Microsoft SC-200 Exam Objectives

Section 1: Manage a security operations environment
Weight:
40-45%
Configure automation for Microsoft Defender XDR and Microsoft Sentinel
  • Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics
  • Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation
  • Configure Microsoft Defender for Endpoint advanced features
  • Configure rules settings in Microsoft Defender for Endpoint
  • Configure custom data collection in Microsoft Defender for Endpoint
  • Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
  • Manage automated investigation and response capabilities in Microsoft Defender XDR
  • Configure automatic attack disruption in Microsoft Defender XDR
  • Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
  • Create and configure automation rules in Microsoft Sentinel
  • Create and configure Microsoft Sentinel playbooks
Configure the Microsoft Sentinel SIEM and platform
  • Specify Microsoft Sentinel roles
  • Manage data retention for XDR and Microsoft Sentinel tables, including Analytics, Data lake, and XDR tiers
  • Create and configure Microsoft Sentinel workbooks
  • Optimize the Microsoft Sentinel platform, including SOC optimization recommendations
Ingest data into the Microsoft Sentinel SIEM and platform
  • Select data connectors based on data source requirements, including Windows logs and security events
  • Configure collection of Windows Security events by using Windows Security Events via AMA, including data collection rules
  • Plan and configure collection of Windows Security events by using Windows Event Forwarding (WEF)
  • Plan and configure Syslog via AMA and Common Event Format (CEF) via AMA connectors
  • Configure collection of Azure activities by using Azure Policy and resource diagnostic settings
  • Ingest threat indicators into Microsoft Sentinel
  • Create custom log tables in the workspace to store ingested data
Configure detections
  • Create custom detection rules by using Advanced Hunting in Microsoft Defender XDR
  • Manage custom detection rules in Microsoft Defender XDR
  • Configure and manage analytics rules in Microsoft Sentinel SIEM, including scheduled, near-real time (NRT), threat intelligence, and machine learning
  • Analyze attack vector coverage by using the MITRE ATT&CK matrix
  • Configure anomalies in Microsoft Sentinel
Section 2: Respond to security incidents
Weight:
35-40%
Respond to alerts and incidents in Microsoft Defender XDR
  • Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption
  • Investigate and remediate threats or compromised entities identified by Microsoft Purview
  • Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
  • Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
  • Investigate and remediate compromised identities that are identified by Microsoft Entra ID
  • Investigate and remediate security alerts from Microsoft Defender for Identity
  • Investigate and remediate alerts and incidents identified by Microsoft Sentinel
  • Investigate incidents by using agentic AI, including embedded Microsoft Security Copilot
  • Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement
  • Manage security incidents by using case management
Respond to alerts and incidents in Microsoft Defender for Endpoint
  • Investigate device timelines
  • Perform actions on the device, including live response and collecting investigation packages
  • Perform evidence and entity investigation
  • Investigate and remediate incidents identified by automatic attack disruption
Investigate Microsoft 365 activities to identify threats
  • Investigate threats by using Microsoft Purview Audit
  • Investigate threats by using Content search in Microsoft Purview eDiscovery
  • Investigate threats by using Microsoft Graph activity logs
Section 3: Perform threat hunting
Weight:
20-25%
Detect threats by using Microsoft Defender XDR
  • Identify the appropriate table to use in a KQL query
  • Identify threats by using Kusto Query Language (KQL)
  • Create Advanced Hunting queries
  • Interpret threat analytics in Microsoft Defender XDR
  • Create hunting graphs, including blast radius
  • Analyze relationships between entities by using Sentinel Graph
Detect threats by using the Microsoft Sentinel platform
  • Create and monitor hunting queries
  • Create and manage KQL jobs in Data lake
  • Create and manage Summary rule tables for querying
  • Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server
Info