SC-200: Microsoft Security Operations Analyst Exam Resource Guide (April 2025 Update)

SC-200 just received an update to reflect the name change of Microsoft Copilot for Security to Microsoft Security Copilot. Due to the changes being minimal this time round, I’ve kept the details in this post about the changes that were introduced in the October update.

Back in October, the exam received a major update, including weighting changes, new topics being added, including a section on Copilot for Security, as well as some topics being removed. Along with this there was some restructuring, merging some sections and consolidating topics

Let’s start by taking a look at the new sections and weightings.

October 2024

• Manage a security operations environment (20–25%)
• Configure protections and detections (15–20%)
• Manage incident response (25–30%)
• Manage security threats (15–20%)

July 2024

• Manage a security operations environment (25–30%)
• Configure protections and detections (15–20%)
• Manage incident response (35–40%)
• Perform threat hunting (15–20%)

The thing to notice here is that the update reduces the weighting for the first and third objective domains, and there seems to be an issue because the maximum total only adds up to 95%. I guess this is something we will see corrected at some point soon.

If we take a look at what’s been added to the exam, you will notice that the majority of them are related to Copilot for Security, which is a new section that has been added to the exam.

• Mitigate risk by using Exposure Management in Microsoft Defender XDR
• Monitor and optimize data ingestion
• Implement behavioral analytics
• Create and use promptbooks
• Manage sources for Copilot for Security, including plugins and files
• Integrate Copilot for Security by implementing connectors
• Manage permissions and roles in Copilot for Security
• Monitor Copilot for Security capacity and cost
• Identify threats and risks by using Copilot for Security
• Investigate incidents by using Copilot for Security
• Create and manage hunts

This isn’t a comprehensive list of what’s been removed, and I use the word removed loosely because most of these topics could still be included as parts of some of the other topics. This is a common phenomenon in exams, and the best way to understand it is that the baseline knowledge expectations change over time, so some items don’t need to listed specifically. I’ve moved any of the links from previous exam resource guides into other topics that they align with.

• Manage multiple workspaces by using workspace manager and Azure Lighthouse
• Manage resources by using Azure Arc
• Connect environments to Microsoft Defender for Cloud (by using multi-cloud management)
• Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR
• Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive
• Manage actions and submissions in the Microsoft Defender portal
• Hunting topics consolidation

All up, if we look at everything else the exam still includes, this exam description update is definitely a major restructure, but not necessarily a major change to the skills the exam expects you to have.

This is one my favorite exams to recommend for someone who wants to get into Microsoft cybersecurity technologies and exams, due the Defender and Sentinel skills you need to pass the exam. If you’ve already passed MS-500 (now retired) and AZ-500, this is an excellent choice as your next exam, because there will be some overlap in the technologies, but expect this exam to go deeper into understanding the Defender family of technologies, and it also goes deeper into Sentinel than you will have seen on previous exams. You will definitely need to spend time with Kusto and Log Analytics, not just for the Microsoft Sentinel questions in the exam, but Microsoft Defender XDR as well.

Manage a security operations environment (20–25%)

Configure settings in Microsoft Defender XDR

• Configure alert and vulnerability notification rules
  • Configure alert notifications
• Configure Microsoft Defender for Endpoint advanced features
  • Configure advanced features
• Configure endpoint rules settings
  • Create indicators
• Manage automated investigation and response capabilities in Microsoft Defender XDR
  • Incident alerts
  • Manage incidents in Microsoft 365 Defender
  • View and organize the Incidents queue
  • View and organize the Alerts queue
• Configure automatic attack disruption in Microsoft Defender XDR
  • Configure automatic attack disruption capabilities in Microsoft Defender XDR

Manage assets and environments

• Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
  • Create and manage device groups in Microsoft Defender for Endpoint
• Identify unmanaged devices in Microsoft Defender for Endpoint
  • Configure device discovery
• Discover unprotected resources by using Defender for Cloud
  • Review security recommendations
  • Remediate recommendations
  • Connect non-Azure machines
  • Connect AWS accounts
  • Connect GCP accounts
  • Plan agents, extensions, and Azure Arc for Defender for Servers
• Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
  • What is Microsoft Defender Vulnerability Management
• Mitigate risk by using Exposure Management in Microsoft Defender XDR
  • What is Microsoft Security Exposure Management?

Design and configure a Microsoft Sentinel workspace

• Plan a Microsoft Sentinel workspace
  • Design your Microsoft Sentinel workspace architecture
  • Create a Log Analytics workspace in the Azure portal
  • Design a workspace deployment
  • Security baseline
  • Microsoft Defender XDR integration with Microsoft Sentinel
  • Verify data storage location and update data retention settings
  • Work with incidents in multiple workspaces
  • Manage Microsoft Sentinel workspaces at scale
• Configure Microsoft Sentinel roles
  • Roles and permissions
• Specify Azure RBAC roles for Microsoft Sentinel configuration
  • Azure RBAC
• Design and configure Microsoft Sentinel data storage, including log types and log retention
  • Log data usage and costs

Ingest data sources in Microsoft Sentinel

• Identify data sources to be ingested for Microsoft Sentinel
  • Connect data sources
• Implement and use Content hub solutions
  • Content hub catalog
• Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
  • Azure Policy
  • Connect data sources
  • Create a custom connector
• Plan and configure Syslog and Common Event Format (CEF) event collections
  • Collect data from Linux-based sources using Syslog
  • CEF over Syslog sources
• Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
  • Windows security events
• Create custom log tables in the workspace to store ingested data
  • Design a workspace deployment
• Monitor and optimize data ingestion
  • Monitor costs
  • Reduce costs
  • Optimize costs with pre-purchase plan
  • Use SOC optimizations programmatically

Configure protections and detections (15–20%)

Configure protections in Microsoft Defender security technologies

• Configure policies for Microsoft Defender for Cloud Apps
  • Create snapshot Cloud Discovery reports
  • Investigate risky users
  • Detect suspicious user activity with UEBA
  • Investigate risky OAuth apps
  • Manage alerts
• Configure policies for Microsoft Defender for Office 365
  • Set up steps for the Standard or Strict preset security policies in Microsoft Defender for Office 365
  • Security policies and settings
• Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
  • Learn about attack surface reduction rules
  • Configure attack surface reduction capabilities
  • Security operations dashboard
  • Manage security baselines
• Configure cloud workload protections in Microsoft Defender for Cloud
  • Reference list of recommendations
  • Feature coverage for Azure PaaS resources
  • Coverage by OS, machine type, and cloud
  • Integrate security solutions and data sources
  • Organize management groups and subscriptions
  • Export to a Log Analytics workspace
  • Change the data retention period
  • User roles and permissions
  • Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
  • Select a Defender for Servers plan
  • Protect servers with Defender for Servers
  • Connect GitHub repositories
  • Connect Azure DevOps repositories
  • Configure the Microsoft Security DevOps GitHub action
  • Configure the Microsoft Security DevOps Azure DevOps extension
  • Deploying the Defender EASM Azure resource

Configure detection in Microsoft Defender XDR

• Configure and manage custom detection rules
  • Create & manage detection rules
• Manage alerts, including tuning, suppression, and correlation
  • Manage alerts
• Configure deception rules in Microsoft Defender XDR
  • Configure the deception capability in Microsoft Defender XDR

Configure detections in Microsoft Sentinel

• Classify and analyze data by using entities
  • Classifying data with entities
  • Investigate entities with entity pages
• Configure and manage analytics rules
  • Create a custom analytics rule with a scheduled query
  • Create a rule
  • Use built-in rules
  • Create near-real-time (NRT) analytics rules
  • Content hub catalog
  • Manage custom content with repositories
  • Useful resources
  • Anomaly detection rules
  • Configure multistage attack (Fusion) rules
• Query Microsoft Sentinel data by using ASIM parsers
  • ASIM parsers
  • ASIM schemas
• Implement behavioral analytics
  • Enable User and Entity Behavior Analytics (UEBA)
  • Common UEBA investigation methods

Manage incident response (25–30%)

Respond to alerts and incidents in the Microsoft Defender portal

• Investigate and remediate threats by using Microsoft Defender for Office 365
  • AIR overview
  • Safe Attachments in Defender for Office 365
  • Remediation actions
• Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
  • Configure automatic attack disruption capabilities in Microsoft Defender XDR
• Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
  • Investigate data loss prevention alerts with Microsoft 365 Defender
• Investigate and remediate threats identified by Microsoft Purview insider risk policies
  • Plan for insider risk management
• Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
  • Security alerts and incidents
  • How are alerts classified?
  • Set up email notifications
  • Create and manage alerts suppression rules
  • Automate responses to recommendations
  • What is a security recommendation?
  • Automate responses to alerts
  • Investigate and respond to security alerts
  • Manage security incidents
  • Generate threat intelligence reports
  • Access and track your secure score
• Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
  • Investigate cloud app risks and suspicious activity
• Investigate and remediate compromised identities that are identified by Microsoft Entra ID
  • Identity secure score
  • Configure notifications
• Investigate and remediate security alerts from Microsoft Defender for Identity
  • Microsoft Defender for Identity Security Alerts

Respond to alerts and incidents identified by Microsoft Defender for Endpoint

• Investigate device timelines
  • Microsoft Defender for Endpoint device timeline
• Perform actions on the device, including live response and collecting investigation packages
  • Investigate entities on devices using live response
• Perform evidence and entity investigation
  • Investigate incidents in Microsoft Defender for Endpoint

Investigate Microsoft 365 activities

• Investigate threats by using unified audit Log
  • Search the audit log
• Investigate threats by using Content Search
  • Get started with Content search
• Investigate threats by using Microsoft Graph activity logs
  • security: runHuntingQuery

Respond to incidents in Microsoft Sentinel

• Investigate and remediate incidents in Microsoft Sentinel
  • Investigate incidents
  • Manage your SOC with incident metrics
• Create and configure automation rules
  • Automation rules
  • Use automation to respond to threats
• Create and configure Microsoft Sentinel playbooks
  • Steps for creating a playbook
  • How to run a playbook
  • Use triggers and actions in playbooks
  • Migrate alert playbooks to automation rules
• Run playbooks on on-premises resources
  • Customize playbooks from templates

Implement and use Microsoft Security Copilot

• Create and use promptbooks
  • Build your own promptbook
• Manage sources for Security Copilot, including plugins and files
  • Manage plugins
  • Upload a file 
• Integrate Security Copilot by implementing connectors
  • Connectors overview
• Manage permissions and roles in Security Copilot
  • Prepare your environment for Copilot for Security
  • Configure owner settings
• Monitor Security Copilot capacity and cost
  • Manage usage
• Identify threats and risks by using Security Copilot
  • Create effective prompts
• Investigate incidents by using Security Copilot
  • Triage incidents with enriched threat intelligence

Manage security threats (15–20%)

Hunt for threats by using Microsoft Defender XDR

• Identify threats by using Kusto Query Language (KQL)
  • Threat hunting
  • Hunt for ransomware
  • Hunt across devices, emails, apps, and identities
  • Get started with guided hunting mode
  • Get started with advanced hunting mode
• Interpret threat analytics in the Microsoft Defender portal
  • Threat analytics overview
• Create custom hunting queries by using KQL
  • Create KQL queries

Hunt for threats by using Microsoft Sentinel

• Analyze attack vector coverage by using the MITRE ATT&CK matrix
  • MITRE ATT&CK coverage
• Manage and use threat indicators
  • Work with threat indicators
  • Connect threat intelligence
  • Create a custom connector
• Create and manage hunts
  • Conduct end-to-end hunts
• Create and monitor hunting queries
  • Threat hunting
  • Hunt with livestream
• Use hunting bookmarks for data investigations
  • Hunt with bookmarks
• Retrieve and manage archived log data
  • Configure data retention and archive
  • Restore archived logs from search
• Create and manage search jobs
  • Search large datasets

Create and configure Microsoft Sentinel workbooks

• Activate and customize workbook templates
  • Use built-in workbooks
  • Security operations efficiency workbook
• Create custom workbooks that include KQL
  • Create new workbook
  • Use Azure Monitor workbooks
• Configure visualizations
  • Visualize collected data