This article will share with you how to prepare and pass the SC-200: Microsoft Security Operations Analyst certification exam successfully.
Updated – 06/07/2021 – ZDNet has compiled a collection of the best Microsoft certifications that will protect your job and boost your income as we head toward 2022 in a business world that is speeding towards digital transformation. The good news is, the SC-200 Microsoft Security Operations Analyst was one of the best technical certifications. You can read more about it here.
In This Article
Microsoft is keeping evolving its learning programs to help you and your career keep pace with today’s demanding IT environments. The new updated role-based certifications will help you to keep pace with today’s business requirements. Microsoft Learning is constantly evolving its learning program to better offer what you need to skill up, prove your expertise to employers and peers, and get the recognition—and opportunities you’ve earned.
In February 2021, Microsoft announced new certifications exams that focus on Security, Compliance, and Identity (SCI) solutions which are available across the Azure platform (Azure Defender), as well as Microsoft 365 (Microsoft 365 Defender).
|SC-200||Microsoft Security Operations Analyst|
|SC-300||Microsoft Identity and Access Administrator|
|SC-400||Microsoft Information Protection Administrator|
|SC-900||Microsoft Security, Compliance, and Identity Fundamentals|
The Security Operations Analyst Associate certification can help demonstrate knowledge of threat mitigation using Microsoft SCI Solutions, as well as performing proactive threat hunting activities using:
For people in identity roles, Identity & Access Administrator Associate certification can help prove knowledge of core identity governance principles and ensure a proper identity life cycle.
- Azure Active Directory (AAD)
- Azure AD Connect
- Azure Multifactor Authentication (MFA)
- Privileged Identity Management (PIM)
- Conditional Access
- Identity Governance
Please check the following guide to learn more on how to prepare for the SC-300: Microsoft Identity and Access Administrator certification exam successfully.
For people in compliance administrator roles, Information Protection Administrator Associate certification can help prove knowledge of core data concepts and how they’re implemented using Azure data services.
- Information Protection
- Data Loss Prevention
- Information Governance
Please check the following guide to learn more on how to prepare for the SC-400: Microsoft Information Protection Administrator certification exam successfully.
The Security, Compliance, and Identity Fundamentals certification are for people looking to familiarize themselves with the fundamentals of SCI across cloud-based and related Microsoft services, developed for a broad audience that may include business stakeholders, students starting in IT, or existing IT pros that have an interest in Microsoft SCI Solutions.
- Security, compliance, and identity
- Microsoft identity and access management solutions
- Microsoft security solutions
- Microsoft compliance solutions
Please check the following guide to learn more on how to prepare for the SC-900: Microsoft Security, Compliance, and Identity Fundamentals certification exam successfully.
While preparing to take this exam myself, I would like to share with you how to prepare and pass the SC-200: Microsoft Security Operations Analyst certification exam successfully based on my own experience.
Updated on 10/06/2021 – In this exam, I got around 40 questions in total with 2 case studies, and the total time for this exam is 130 minutes (2.10 hours). The questions do pretty much match the list of skills measured below.
Updated on 03/03/2021 – In this exam, I got around 51 questions in total with 2 case studies, and the total time for this exam is 120 minutes (2 hours). The questions do pretty much match the list of skills measured below.
At the time of this writing, this exam is out of the Beta phase and its Public.
Beta exams are not scored immediately because Microsoft is gathering data on the quality of the questions and the exam. I will update this article as soon as I get the exam results from Microsoft.
I am so happy and grateful now that I received the final report for the SC-200 Microsoft Security Operations Analyst with a high passing score!
Exam Target Audience
The Microsoft Security Operations Analyst collaborates with organizational stakeholders to secure information technology systems for the organization. Their goal is to reduce organizational risk by rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organizational policies to appropriate stakeholders.
Responsibilities include threat management, monitoring, and response by using a variety of security solutions across their environment. The role primarily investigates, responds to, and hunts for threats using Microsoft Azure Sentinel, Azure Defender, Microsoft 365 Defender, and third-party security products. Since the security operations analyst consumes the operational output of these tools, they are also a critical stakeholder in the configuration and deployment of these technologies.
Skills measured on this exam
This exam measures your ability to accomplish the technical topics listed below based on the latest update from Microsoft.
Links to relevant reading from the official Microsoft documentation for each skill tested are listed below to help you prepare:
Mitigate threats using Microsoft 365 Defender (25-30%)
Detect, investigate, respond, and remediate threats to the production environment by using Microsoft Defender for Office 365
- Detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for Business threats
- Detect, investigate, respond, remediate threats to email by using Defender for Office 365
- Manage data loss prevention policy alerts
- Assess and recommend sensitivity labels
- Assess and recommend insider risk policies
Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint
- Manage data retention, alert notification, and advanced features
- Configure device attack surface reduction rules
- Configure and manage custom detections and alerts
- Respond to incidents and alerts
- Manage automated investigations and remediations Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using Microsoft’s Threat and Vulnerability Management solution.
- Manage Microsoft Defender for Endpoint threat indicators
- Analyze Microsoft Defender for Endpoint threat analytics
Detect, investigate, respond, and remediate identity threats
- Identify and remediate security risks related to sign-in risk policies
- Identify and remediate security risks related to Conditional Access events
- Identify and remediate security risks related to Azure Active Directory
- Identify and remediate security risks using Secure Score
- Identify, investigate, and remediate security risks related to privileged identities
- Configure detection alerts in Azure AD Identity Protection
- Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
- Identify, investigate, and remediate security risks by using Microsoft Cloud Application Security (MCAS)
- Configure MCAS to generate alerts and reports to detect threats
Manage cross-domain investigations in Microsoft 365 Defender Portal
- Manage incidents across Microsoft 365 Defender products
- Manage actions pending approval across products
- Perform advanced threat hunting
Learning Path: Mitigate threats using Microsoft 365 Defender
- Microsoft Defender for Endpoint
- Interactive Learning: Mitigate threats using Microsoft Defender for Endpoint
- Video: Microsoft Defender for Endpoint
- Video: Architecture of Microsoft Defender for Endpoint
- Video: Threat and Vulnerability Management explained
- Video: Attack Surface Reduction explained
- Video: Automated investigations
- Interactive Guide: Threat and Vulnerability Management
- Interactive Guide: Investigate and remediate threats with Microsoft Defender for Endpoint
- Video: Microsoft Defender for Endpoint – Onboarding clients
- Video: Microsoft Defender for Endpoint – Role-based access control
- Video: Microsoft Defender for Endpoint – Attack surface reduction
- Video: Microsoft Defender for Endpoint – Incident Investigation
- Video: Microsoft Defender for Endpoint – Using the new alert experience
- Video: Microsoft Defender for Endpoint – Automated investigations
- Video: Microsoft Defender for Endpoint – Advanced hunting
- Video: Microsoft Defender for Endpoint – Microsoft Threat Experts
- Video: Microsoft Defender for Endpoint – EDR in block mode
- Video: Microsoft Defender for Endpoint – Live response
- Video: Microsoft Defender for Endpoint – Deep analysis
- Video: Microsoft Defender for Endpoint – Conditional access
- Video: Microsoft Defender for Endpoint – Unified Indicator of compromise (IoCs)
- Video: Microsoft Defender for Endpoint – Threat and vulnerability management (discovery & remediation)
- Interactive Guide: Threat and Vulnerability Management
- Microsoft Defender for Office 365
- Interactive Learning: Mitigate threats using Microsoft 365 Defender
- Interactive Guide: Microsoft 365 Defender
- Video: Microsoft 365 Defender – Threat Protection (Incident management)
- Interactive Guide: Microsoft Defender for Office 365
- Interactive Guide: Microsoft Defender for Identity
- Interactive Guide: Investigate and respond to attacks with Microsoft Defender for Identity
- Video: Microsoft Cloud App Security – comprehensive demo
- Video: Threat detection and alerts management with Microsoft Cloud App Security
- Interactive Guide: Minimize internal risks with insider risk management in Microsoft 365
Mitigate threats using Azure Defender (25-30%)
Design and configure an Azure Defender implementation
- Plan and configure an Azure Defender workspace
- Configure Azure Defender roles
- Configure data retention policies
- Assess and recommend cloud workload protection
Plan and implement the use of data connectors for ingestion of data sources in Azure Defender
- Identify data sources to be ingested for Azure Defender
- Configure Automated Onboarding for Azure resources
- Connect non-Azure machine onboarding
- Connect AWS cloud resources
- Connect GCP cloud resources
- Configure data collection
Manage Azure Defender alert rules
- Validate alert configuration
- Setup email notifications
- Create and manage alert suppression rules
Configure automation and remediation
- Configure automated responses in Azure Security Center
- Design and configure playbook in Azure Defender
- Remediate incidents by using Azure Defender recommendations
- Create an automatic response using an Azure Resource Manager template
Investigate Azure Defender alerts and incidents
- Describe alert types for Azure workloads
- Manage security alerts
- Manage security incidents
- Analyze Azure Defender threat intelligence
- Respond to Azure Defender for Key Vault alerts
- Manage user data discovered during an investigation
Learning Path: Mitigate threats using Azure Defender
- Interactive Learning: Mitigate threats using Azure Defender (Azure Security Center)
- Interactive Guide: Protect your hybrid cloud with Azure Defender
Mitigate threats using Azure Sentinel (40-45%)
Design and configure an Azure Sentinel workspace
- Plan an Azure Sentinel workspace
- Configure Azure Sentinel roles
- Design Azure Sentinel data storage
- Configure Azure Sentinel service security
Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure Sentinel
- Identify data sources to be ingested for Azure Sentinel
- Identify the prerequisites for a data connector
- Configure and use Azure Sentinel data connectors
- Design Syslog and CEF collections
- Design and Configure Windows Events collections
- Configure custom threat intelligence connectors
- Create custom logs in Azure Log Analytics to store custom data
Manage Azure Sentinel analytics rules
- Design and configure analytics rules
- Create custom analytics rules to detect threats
- Activate Microsoft security analytical rules
- Configure connector provided scheduled queries
- Configure custom scheduled queries
- Define incident creation logic
Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel
- Create Azure Sentinel playbooks
- Configure rules and incidents to trigger playbooks
- Use playbooks to remediate threats
- Use playbooks to manage incidents
- Use playbooks across Microsoft Defender solutions
Manage Azure Sentinel Incidents
- Investigate incidents in Azure Sentinel
- Triage incidents in Azure Sentinel
- Respond to incidents in Azure Sentinel
- Investigate multi-workspace incidents
- Identify advanced threats with User and Entity Behavior Analytics (UEBA)
Use Azure Sentinel workbooks to analyze and interpret data
- Activate and customize Azure Sentinel workbook templates
- Create custom workbooks
- Configure advanced visualizations
- View and analyze Azure Sentinel data using workbooks
- Track incident metrics using the security operations efficiency workbook
Hunt for threats using the Azure Sentinel portal
- Create custom hunting queries
- Run hunting queries manually
- Monitor hunting queries by using Livestream
- Perform advanced hunting with notebooks
- Track query results with bookmarks
- Use hunting bookmarks for data investigations
- Convert a hunting query to an analytical rule
Learning Path: Mitigate threats using Azure Sentinel
- Interactive Learning: Create queries for Azure Sentinel using Kusto Query Language (KQL)
- Interactive Learning: Configure your Azure Sentinel environment
- Interactive Learning: Connect logs to Azure Sentinel
- Interactive Learning: Create detections and perform investigations using Azure Sentinel
- Interactive Learning: Perform threat hunting in Azure Sentinel
MS-500 | Microsoft 365 Certified: Security Administrator Associate
I have included the MS-500 older exam here as an example of the overall skills measured in this exam. You can see that it measures your skills on a broad range of security solutions compared to the new exams which are more specific.
- Implement and manage identity and access
- Implement and manage threat protection
- Implement and manage information protection
- Manage governance and compliance features in Microsoft 365
If you are interested in taking the MS-500 exam, please check my step-by-step guide on preparing and passing the MS-500 exam successfully.
Check the following step-by-step hands-on labs developed that will help you to gain more practical experience. At the time of this writing, these labs are still new and they will evolve:
- LAB-01-EX1: Deploy Microsoft Defender for Endpoint
- LAB-01-EX2: Mitigate Attacks with Microsoft Defender for Endpoint
- LAB-02-EX1: Explore Microsoft 365 Defender
- LAB-03-EX1: Enable Azure Defender
- LAB-03-EX2: Mitigate threats using Azure Defender
- LAB-04-EX1: Create queries for Azure Sentinel using Kusto Query Language (KQL)
- LAB-05-EX1: Configure your Azure Sentinel environment
- LAB-06-EX1: Connect data to Azure Sentinel using data connectors
- LAB-06-EX2: Connect Windows devices to Azure Sentinel using data connectors
- LAB-06-EX3: Connect Linux hosts to Azure Sentinel using data connectors
- LAB-06-EX4: Connect Threat intelligence to Azure Sentinel using data connectors
- LAB-07-EX1: Activate a Microsoft Security rule in Azure Sentinel
- LAB-07-EX2: Create a Playbook in Azure Sentinel
- LAB-07-EX3: Create a Scheduled Query in Azure Sentinel
- LAB-07-EX4: Understand Detection Modeling in Azure Sentinel
- LAB-07-EX5: Conduct attacks with Azure Sentinel
- LAB-07-EX6: Create Detections in Azure Sentinel
- LAB-07-EX7: Investigate Incidents in Azure Sentinel
- LAB-07-EX8: Create Workbooks in Azure Sentinel
- LAB-08-EX1: Perform Threat Hunting in Azure Sentinel
- LAB-08-EX2: Threat Hunting using Notebooks with Azure Sentinel
At the time of this writing, there is one book that you can use to prepare for this exam.
Microsoft is preparing to release the Exam Reference SC-200 Book – Microsoft Security Operations Analyst by October 2021, you can place the pre-order today here. I highly recommend this book to prepare and pass this exam.
Practice, practice, and read… I cannot stress enough that hands-on experience and understanding all the security concepts in Microsoft 365 Defender and Azure Defender will help you to pass this exam. The key success to pass this exam is to work with Azure Security services daily, and especially Azure Sentinel and Microsoft 365 Defender.
As announced by Microsoft Worldwide learning due to the pandemic situation, it appears they have suspended performance-based lab questions given their need to reserve Azure capacity for paying customers. So you better get your exams registered as soon as possible to take advantage of this situation. The biggest subject areas that I saw on the SC-200 exam are the following:
- Azure Active Directory (Azure AD)
- Conditional Access
- Azure Information Protection
- Azure Sentinel (a lot of questions, a lot)
- KQL queries
- Logic Apps
- Common Event Format (CEF)
- Analytics rules
- Microsoft 365 Defender
- Microsoft Cloud App Security (MCAS)
- Microsoft Defender for Endpoint
- KQL queries
- Azure Security Center
- Secure Score
- Security Alerts
- Workflow automation
- Cloud connectors
- Email notifications
Overall, I think Microsoft Worldwide Learning is doing a good job of gradually shaping these exams to reflect real-world Azure security best practice scenarios. The SC-200 exam is logically organized and focused solely on Microsoft 365 Defender, Azure Sentinel, and Azure Security Center / Azure Defender.
Schedule SC-200 Exam
At the time of this writing, Microsoft launched the SC-200 exam in beta mode, if you would like to take the beta exam and receive the 80% discount*, use the code below when prompted for payment: SC200WATERLOO. You must register for the exam on or before March 15, 2021. The seats are offered on a first-come, first-served basis.
Once you are ready, click Schedule exam here and take it online from the comfort of your home/office with proctor supervision.
If you are planning to take this exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.