Exam tips: SC-200

Microsoft has recently announced a new series of certifications, the SC series which are the following :

SC-200Microsoft Security Operations Analyst
SC-300Microsoft Identity and Access Administrator
SC-400Microsoft Information Protection Administrator
SC-900Microsoft Security, Compliance, and Identity Fundamentals

The above certifications are focusing on Microsoft Security products.In this article we are going to review the SC-200 exam, I will share with you my experience and some useful tips.

Skills Measured

Microsoft Security Operations Analyst exam is about :

Microsoft 365 Defender25-30%
Azure Defender 25-30%
Azure Sentinel40-45%

Microsoft 365 Defender

It contains all Microsoft 365 Defender products and some more security products and services like:

  • Defender for endpoint
  • Defender for Identity
  • Defender for Office 365
  • Cloud App Security
  • Identity Protection
  • Data Loss Prevention

For each one of those you have to know how to deploy and configure them.You also have to know the whole cycle of detect,investigate,respond and remediate the alerts.Be very familiar with the portals,available options and the integration between them.

Some examples:

  • Differences between risk policies
  • Alerts configuration
  • Threat investigation steps
  • Creating Policies
  • Log Analytics Tables
  • Security event types

Azure Defender

It contains all the functions of Azure Security Center.You have to know how to deploy and configure it.You also have to know the types of resources that can be on-boarded and the remediation steps for the alerts.

Some examples:

  • Alert settings
  • Auto-remediation
  • Multi-Cloud environments
  • Data sources
  • Key vault alerts

Azure Sentinel

This part have the higher number of questions.You have to know how to deploy and configure the workspace,collecting logs and manage data connectors.You also have to know every component of Sentinel,how to create rules and alerts,create incidents,manage and investigate them.Off course KQL (Kusto Query Language) is a requirement, it does not demand expert knowledge of the language but you will need the basic operators.

Some examples:

  • Multiple Workspaces
  • On-premise logs
  • Playbooks
  • KQL Queries (sum,bin,top,extend)
  • Bookmarks creation
  • Understanding workbooks and notebooks

Very Important

Because it is a Security exam you have to keep in mind all the security principles for all your answers.Least privilege to every solution is one of them so it is mandatory to know the different roles that these products have.


All of the above are including in the exam skills outline.The only material that I used was from Microsoft Learn.The SC-200 Learning path contains all the necessary theory that you need.

You can find the exam skills outline and the learning path here .


In my personal opinion you must have hands-on experience in order to take this exam.It is very difficult to answer all these questions without hands-on.So, if you do not have hands-on experience at all the products try at least to gain some through a lab environment.

This was all about my experience for this exam.I hope that the above information will help you!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: