- Manage SecOps Environment: 40-45% of exam
- Respond to Incidents: 35-40% of exam
- Perform Threat Hunting: 20-25% of exam
Quick Facts
- Exam: SC-200
- Credential: Security Operations Analyst
- Time: 100 min
- Questions: 40-60
- Pass: 700/1000
- Fee: $165 USD
- Level: Associate
- Blueprint: Apr 16 2026
Analytics Rule Types
Scheduled, NRT, Microsoft security, TI, ML
Analytics vs Automation Rule
Analytics Rule
- Detects threats
- Creates alerts
- KQL/ML logic
Automation Rule
- Triggers on incident
- Assigns/tags/closes
- Calls playbooks
Detect vs orchestrate
Which Sentinel Rule
- Custom KQL logic → Scheduled rule (interval)
- Lowest latency alert → NRT rule (~1 min)
- Promote Defender alerts → Microsoft security rule (built-in)
- Match IOC feed → Threat intelligence rule (indicators)
- Multi-stage correlation → Fusion (ML, built-in)
- Behavior baseline → Anomaly rule (ML/UEBA)
- Pre-aggregate big data → Summary rule (data lake)
XDR Automation
- AIR: automated investigation and response
- Attack disruption: auto-contain in-progress attack
- Automation level: full vs semi remediation
- ASR rules: block risky behaviors
- Email notifications: incident/threat alerts
- Alert tuning: suppress/correlate alerts
- Device groups: scope automation/RBAC
- Live response: remote device shell
Sentinel Tiers
Analytics -> Data lake -> XDR
Playbook vs Automation Rule
Playbook
- Logic App workflow
- External actions
- Reusable steps
Automation Rule
- Native conditions
- Sequences playbooks
- No-code routing
Workflow vs router
Which Data Connector
- Windows security events → Security Events via AMA (DCR scoped)
- No agent allowed → WEF (Windows Event Forwarding)
- Linux logs → Syslog via AMA (RFC syslog)
- Firewall/appliance → CEF via AMA (Common Event Format)
- Azure resource logs → Diagnostic settings (Activity)
- External IOC feed → TI connector (TAXII/API)
- Custom app data → Custom log table (Ingestion API)
Sentinel Platform
- Workspace: Log Analytics backing
- Analytics tier: hot interactive queries
- Data lake tier: cheap long retention
- XDR tier: Defender table retention
- Sentinel roles: Reader/Responder/Contributor
- Workbooks: visualization dashboards
- SOC optimization: coverage/cost tuning
- Watchlists: reference enrichment data
Domain Order
Manage 40-45% -> Respond 35-40% -> Hunt 20-25%
Defender XDR vs Sentinel
Defender XDR
- Microsoft-only signals
- Native correlation
- Auto remediation
Sentinel
- Any source SIEM
- Custom KQL rules
- SOAR + workbooks
XDR vs SIEM
Data Connectors
- AMA: Azure Monitor Agent
- Security Events via AMA: Windows security events
- WEF: Windows Event Forwarding
- Syslog via AMA: Linux/network logs
- CEF via AMA: appliance common format
- DCR: data collection rule
- Azure activity: diagnostic settings
- Custom log tables: bespoke ingestion
NRT vs Scheduled Rule
NRT
- ~1 min latency
- One table only
- No lookback join
Scheduled
- Interval cadence
- Complex joins
- Lookback window
Speed vs flexibility
Analytics Rule Types
- Scheduled: KQL on interval
- NRT: near-real-time, ~1 min
- Microsoft security: promote Defender alerts
- Threat intelligence: match IOC indicators
- Anomaly: ML baseline deviation
- Fusion: multi-stage correlation
- Entity mapping: tie rows to entities
- Incident grouping: alerts into incident
Threat Intelligence
- Indicator (IOC): IP/URL/hash/domain
- TI connector: TAXII or upload API
- ThreatIntelligenceIndicator: Sentinel IOC table
- TI analytics rule: match logs to IOC
- MITRE ATT&CK: tactic/technique mapping
- Threat analytics: XDR campaign reports
- UEBA: behavior anomaly scoring
- Custom detection: hunting query to rule
Endpoint Actions
Isolate, Collect, Live response, Restrict
Incident vs Alert
Alert
- Single detection
- One signal
- Rule output
Incident
- Grouped alerts
- Full attack story
- Investigation unit
Signal vs case
Which Defender Product
- Endpoint malware → Defender for Endpoint (EDR)
- Phishing email → Defender for Office 365 (email)
- On-prem AD attack → Defender for Identity (lateral movement)
- Risky SaaS app → Defender for Cloud Apps (CASB)
- Risky sign-in → Entra ID Protection (identity risk)
- VM/container threat → Defender for Cloud (workload)
- Data exfil/audit → Purview (compliance)
- Cross-product attack → Defender XDR (correlation)
Defender XDR Products
- Defender XDR: unified portal correlation
- Defender for Endpoint: device EDR
- Defender for Identity: on-prem AD signals
- Defender for Office 365: email/collab threats
- Defender for Cloud Apps: SaaS/CASB control
- Entra ID Protection: risky users/sign-ins
- Defender for Cloud: workload protection
- Purview: data/audit signals
Pick Response Action
- Active C2 device → Isolate device (contain)
- Need forensics → Collect investigation package (evidence)
- Hands-on triage → Live response (remote shell)
- Unknown binary → Restrict app execution (allowlist)
- Compromised mailbox → Disable user + reset (identity)
- Malicious email → Soft delete (Office 365 action)
- Repetitive triage → Automation rule (SOAR)
Response Actions
- Isolate device: cut network access
- Live response: remote investigation shell
- Collect package: investigation forensic bundle
- Restrict app execution: allow signed only
- Soft delete email: Office 365 remediation
- Disable user: block Entra identity
- Confirm compromised: raise user risk
- Case management: track incident lifecycle
Defender for Cloud
- Secure score: posture percentage
- Recommendation: hardening action
- Defender plan: workload protection toggle
- Servers plan: VM EDR + alerts
- Containers plan: AKS/registry threats
- JIT VM access: time-boxed port open
- FIM: file integrity monitoring
- Exemption: waive recommendation
Copilot for Security
- Embedded experience: inside Defender portal
- Standalone portal: securitycopilot.microsoft.com
- Agentic AI: autonomous investigation steps
- Incident summary: auto narrative writeup
- Promptbook: reusable prompt sequence
- Plugins: connect data sources
- SCU: security compute unit
- SC-5006: Applied Skills credential
KQL Pipeline
Where -> Project -> Summarize -> Join
Workbook vs Hunting Query
Workbook
- Visual dashboard
- Monitor trends
- Shared view
Hunting Query
- Proactive search
- Find unknown threats
- Bookmark evidence
Visualize vs search
KQL Operators
- where: filter rows
- project: select/rename columns
- extend: add computed column
- summarize: aggregate by group
- join: combine two tables
- union: stack multiple tables
- ago(): relative time window
- bin(): bucket timestamps
- evaluate: plugin (parse, bag)
- let: reusable variable
Analytics vs Data Lake
Analytics tier
- Hot interactive
- Real-time rules
- Higher cost
Data lake tier
- Cheap retention
- KQL jobs/batch
- Long-term hunt
Hot vs cold
Advanced Hunting Tables
- DeviceEvents: endpoint activity
- DeviceProcessEvents: process creation
- DeviceNetworkEvents: endpoint connections
- EmailEvents: Office 365 mail flow
- IdentityLogonEvents: on-prem AD logons
- SigninLogs: Entra ID sign-ins
- AlertEvidence: alert-linked entities
- SecurityIncident: Sentinel incidents
Sentinel Hunting
- Hunting query: proactive saved KQL
- Bookmark: save hunt evidence
- Livestream: active query session
- Sentinel Graph: entity relationship map
- Blast radius: impact spread view
- KQL jobs: data lake batch query
- Summary rules: pre-aggregate tables
- Notebooks + MCP: Sentinel MCP Server hunt
Common Traps
- Detect vs orchestrate: Analytics rule detects ≠ Automation rule responds
- Workflow vs router: Playbook runs steps ≠ Automation rule sequences
- Signal vs case: Alert is one signal ≠ Incident groups alerts
- XDR vs SIEM: XDR Microsoft sources ≠ Sentinel any source
- Speed vs flexibility: NRT one table ≠ Scheduled joins/lookback
- Hot vs cold: Analytics interactive ≠ Data lake batch jobs
- Identity owner: Defender Identity on-prem ≠ Entra Protection cloud
Last Minute
1. Weights: 40-45 / 35-40 / 20-25
2. Analytics = detect; Automation = respond
3. Playbook = Logic App workflow
4. NRT = ~1 min, one table
5. Alert = signal; Incident = case
6. XDR = Microsoft; Sentinel = any source
7. Isolate device = contain C2
8. Defender Identity = on-prem AD
9. Data lake = cheap long retention
10. TI rule matches IOC indicators
11. Sentinel Graph = entity relationships
12. Copilot embedded in Defender portal