How to pass the Microsoft Security Operations Analyst Exam Certification — SC-200

Andre Camillo, CISSP
Published in Microsoft Azure
3 min read · Jul 11, 2022

It’s mostly about Sentinel

Alright, this exam, wow.

It doesn't seem that way from the succinct exam description:

  • Mitigate threats using Microsoft 365 Defender (25–30%)
  • Mitigate threats using Microsoft Defender for Cloud (25–30%)
  • Mitigate threats using Microsoft Sentinel (40–45%)

But in fact each of these sections includes a raft of content on multiple solutions, from holistic security for users (XDR and EPP), to holistic cloud security (CSPM and CWPP), leading up to threat hunting and incident response (SIEM and SOAR). It’s definitely the right exam for security engineers.

And the depth on each one of these is quite good for the student too, way beyond overviews and use cases: it gets down to architecture decisions, implementation and query analysis. Just look at the amount of content for this exam in Microsoft Learn; it’s the longest course of the SC associate series (SC-200/300/400), with about 30 hours required to go through all of that content.

Starting with the first section on Microsoft 365 Defender, it includes topics such as:

  • Defender for Endpoint, and
  • Microsoft 365 Defender — using KQL queries and understanding what kind of visibility it adds to the blue team’s toolset.

As for the second section, Microsoft Defender for Cloud, it’s about:

  • Connecting your workloads to MDC, including on-prem. Wondering how to get visibility and monitoring of your on-prem servers through Azure? Well, you’ll find the answer to that here…
  • Utilizing the tool for threat protection by means of the workloads’ threat alerts.

Finally, the last section on Microsoft Sentinel is the most comprehensive one. It covers Sentinel from top to bottom:

  • how it works,
  • how to feed data into it,
  • how to make use of that data, in detail! As a matter of fact, I was surprised by the number of KQL querying questions in the exam. But I shouldn’t have been surprised: the writing was on the wall, since there’s a dedicated Microsoft Learn module just on KQL in the exam’s curriculum.

With so much in it, how to start studying?

Well, here are the resources I’ve used (nothing on 365 Defender):

1. For all topics:

2. For KQL:

  • The Must Learn KQL series by Rod Trent from Microsoft. It contains all you need to know about the subject for the exam (though it was not created directly for it). Plus, you can get a nice certificate after taking an assessment. Nice!

3. For Sentinel:

  • It’s a bit outdated, but I learned a few things from this webinar.

4. For Defender for Cloud:

Well, that’s it for now, HTH! Celebrate when you pass!

Follow me on LinkedIn.

Learn more about my Cloud and Security Projects on the Web, Podcast, YouTube.

Thank you for reading and leave your thoughts/comments!

./references

Scattered throughout the document.
