This article will share how I successfully prepared for and passed the SC-200: Microsoft Security Operations Analyst certification exam.
It has been two years since I first wrote this article, and since then, I’ve passed (just) the SC-200 Microsoft Security Operations Analyst exam. During that time, I’ve also renewed my award via the Microsoft Certification Renewal program, which you can find out more about here.
Microsoft Certification Renewal | Microsoft Learn
This article is one of my most asked-about posts, and I had been thinking about when I should update it. So, in addition to updating the article below about passing the exam, I also touch on what it takes to recertify your SC-200 Microsoft Security Operations Analyst award.
Introduction
Table Of Contents
- Introduction
- SC-200 Exam Overview
- Who is the SC-200 Target Audience
- My Exam Preparation
- Books
- Skills measured on this exam
- Training Labs
- Lessons Learned
- Validating your skills
- Schedule SC-200 Exam
- The SC-200 renewal
Microsoft is continually updating its role-based certifications to keep up with evolving business requirements and the products it is rolling out. The Microsoft Learn platform, a goldmine of information, is constantly being developed (this article has already seen two rounds of changes because of it) to better show you what to skill up on and how to prove your knowledge and skills to your employers…or, as in my case, to prove to myself that I can do it.
In February 2021, Microsoft launched a new set of training paths and exams that focus on Security, Compliance, and Identity (SCI) solutions, mainly on the Microsoft Azure and Microsoft 365 cloud platforms. This is a clear indication of the importance Microsoft places on its security function.
These updates emphasise the importance of cloud security in protecting organisational data and systems.
The Security & Compliance Exams/pathways
SC-100 – Microsoft Cybersecurity Architect
SC-200 – Microsoft Security Operations Analyst
SC-300 – Microsoft Identity and Access Administrator
SC-400 – Microsoft Information Protection Administrator
SC-900 – Microsoft Security, Compliance, and Identity Fundamentals
These exams are designed to ensure security compliance across various Microsoft platforms and services. However, there are plenty of other certifications out there that are also worth doing that are not security-specific. Lots of these may be more beneficial to your own circumstances.
SC-200 Exam Overview
The Security Operations Analyst Associate certification is a course and exam to help you demonstrate knowledge of threat mitigation using Microsoft Security, Compliance and Identity Solutions, as well as performing proactive threat-hunting using:
- Microsoft 365 Defender
- Microsoft Defender for Cloud (formerly Azure Security Center)
- Microsoft (Azure) Sentinel
Unsurprisingly, a security operations analyst focuses on the operational output of security tools such as Microsoft Sentinel, Microsoft Defender XDR (formerly Microsoft 365 Defender), Microsoft Defender for Cloud, and the wider Microsoft Defender suite, making them critical stakeholders in security monitoring and in the configuration and deployment of these technologies.
The Microsoft Security Operations Analyst (SC-200) exam fee is $165 / £113 / €165. However, you can often get free exam vouchers by doing the Cloud Skills Challenges here.
The Microsoft Security Operations Analyst exam has between 40 and 60 questions, and you will have roughly 120 minutes to complete them. When I first wrote this, the exam was only available in English and Spanish, with more languages in the pipeline; it is now available in a wide range of languages, including English, Japanese, Chinese (Simplified), Korean, French, German, Spanish, Portuguese (Brazil), Chinese (Traditional), and Italian.
Like most Microsoft exams, the passing mark for Microsoft Security Operations Analyst is 700 on a scale of 1-1000. This doesn’t mean it’s 70%, as some questions are weighted more than others, but in my experience, it’s not far off.
Lastly, the SC-200 exam format is multiple-choice and multiple-response questions.
Who is the SC-200 Target Audience
The Microsoft Security Operations Analyst is aimed at those who work to secure information technology systems for an organisation. These could be SOC Analysts or Cyber Security analysts. Their goal is to help reduce an organisation’s risks by remediating active attacks in their environment, advising on improvements to threat protection practices, and referring violations of organisational policies to appropriate stakeholders.
Responsibilities of a Microsoft Security Operations Analyst include threat management, monitoring, incident response, and using a range of security solutions and processes in their environment. A SOC Analyst’s primary role is to investigate, respond to, and hunt for threats using Microsoft Azure Sentinel, Microsoft Defender for Cloud, Microsoft 365 Defender, and, if needed, other third-party security products. Since the security operations analyst manages the operational output of the security tools, they should also be considered a critical stakeholder in the configuration and deployment of these technologies.
My Exam Preparation
I started preparing for this as part of the Microsoft Inspire conference (which I’d highly recommend going to) back in March 2021. As part of this conference, there was a Cloud Skills Challenge: if you go through all of the free online training, you get a free exam voucher (they are running another Cloud Skills Challenge at the minute here). However, due to a combination of moving jobs, not having access to my old work email, and general procrastination, I lost out on the free exam (which must be used within 90 days).
Understanding security best practices is crucial for successfully passing the SC-200 exam. Therefore, I repeated the Cloud Skills Challenge in November 2021. This was a great refresher, and in addition to the labs (below), actually using the tech helped immensely.
I found this training, which I have linked to below, a handy starting point, and then added a few other things that I found helpful.
Books
At the time of my doing the SC-200 exam, there was only one book directly related to this exam.
The Microsoft Security Operations Analyst Exam Ref SC-200
This was the first book, written by Yuri Diogenes, Jake Mowrer & Sarah Young and published by Microsoft, about the SC-200 exam. It’s essentially a collection of how-to and rewritten articles from the Microsoft Docs repository. However, I found it (and still do) helpful as a reference book that I can quickly flick through rather than googling.
I also used, mainly because I use it every day, the
Microsoft Sentinel in Action 2nd Edition
This is an excellent book that I am continually thumbing through to find out more info or answer questions that I may have. I highly recommend this book to anyone who is using Sentinel. While I bought the paperback from Amazon, you can also subscribe to Packt’s subscription service and digitally access all of their books. The authors are highly experienced and both heavily involved in the community. I recommend giving Gary Bushey & Richard Diver a follow on LinkedIn.
Since completing the exam myself, I have received a copy of the
Microsoft SC-200 Exam Guide from Packt
This book is written by two very experienced guys from Microsoft (Trevor Stuart & Joe Anich). It is written from their own experience and is not as restrained as the official Microsoft book. The authors have used their knowledge to write about real-world situations and how to deal with them. I’ve really enjoyed reading this, and it sits on my desk within hand’s reach.
Although not a “proper” book, this GitHub repository is possibly the most important thing to read on this list, at least from my own experience of the exam. A large percentage of the questions I got were at least partly related to, or relied on, KQL to work out.
Online Platforms
Microsoft provides a vast range of online learning materials, such as videos and labs. I like to watch people and see their work this way, and I found these videos useful.
Microsoft SC-200 CERT Exam prep – Mark Grimes
This video gives an excellent overview of the topics that need to be covered and some insights.
Microsoft Security Operations Analyst Training Day 1
Microsoft Security Operations Analyst Training Day 2
Microsoft Security Operations Analyst Training Day 3
Microsoft Security Operations Analyst Training Day 4
These appear to be official training days that have been produced by Microsoft and published on this channel.
Skills measured on this exam
As a SOC Analyst, this exam measures your ability to understand the technical topics below based on the latest updates from Microsoft, focusing on security operations. A key responsibility is rapidly remediating active attacks in the environment, advising on improvements to threat protection practices, and referring violations of organisational policies to appropriate stakeholders.
I have added the links to relevant reading from the official Microsoft Learn site for each skill to help you prepare:
Mitigate threats using Microsoft 365 Defender (25-30%)
Detect, investigate, respond, and remediate threats to the production environment by using Microsoft Defender for Office 365
- Detect, investigate, respond, and remediate Microsoft Teams, SharePoint, and OneDrive for Business threats
- Detect, investigate, respond, and remediate threats to email by using Defender for Office 365
- Manage data loss prevention policy alerts
- Assess and recommend sensitivity labels
- Assess and recommend insider risk policies
Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender for Endpoint
- Manage data retention, alert notification, and advanced features
- Configure device attack surface reduction rules
- Configure and manage custom detections and alerts
- Respond to incidents and alerts
- Manage automated investigations and remediations
- Assess and recommend endpoint configurations to reduce and remediate vulnerabilities using Microsoft’s Threat and Vulnerability Management solution
- Manage Microsoft Defender for Endpoint threat indicators
- Analyze Microsoft Defender for Endpoint threat analytics
Detect, investigate, respond, and remediate identity threats
- Identify and remediate security risks related to sign-in risk policies.
- Identify and remediate security risks pertaining to Conditional Access events.
- Identify and remediate security risks associated with Azure Active Directory.
- Identify and remediate security risks using Secure Score.
- Identify, investigate, and remediate security risks associated with privileged identities.
- Configure detection alerts in Azure AD Identity Protection
- Identify and remediate security risks associated with Active Directory Domain Services using Microsoft Defender for Identity.
- Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps (formerly MCAS)
- Configure MDCA to generate alerts and reports to detect threats
Manage cross-domain investigations in Microsoft 365 Defender Portal
- Manage incidents across Microsoft 365 Defender products
- Manage actions pending approval across products
- Perform advanced threat hunting
Learning Path: Mitigate threats using Microsoft 365 Defender
- Microsoft Defender for Endpoint
- Interactive Learning: Mitigate threats using Microsoft Defender for Endpoint
- Video: Microsoft Defender for Endpoint
- Video: Architecture of Microsoft Defender for Endpoint
- Video: Threat and Vulnerability Management explained
- Video: Attack Surface Reduction explained
- Video: Automated investigations
- Interactive Guide: Threat and Vulnerability Management
- Interactive Guide: Investigate and remediate threats with Microsoft Defender for Endpoint
- Video: Microsoft Defender for Endpoint – Onboarding clients
- Video: Microsoft Defender for Endpoint – Role-based access control
- Video: Microsoft Defender for Endpoint – Attack surface reduction
- Video: Microsoft Defender for Endpoint – Incident Investigation
- Video: Microsoft Defender for Endpoint – Using the new alert experience
- Video: Microsoft Defender for Endpoint – Automated investigations
- Video: Microsoft Defender for Endpoint – Advanced hunting
- Video: Microsoft Defender for Endpoint – Microsoft Threat Experts
- Video: Microsoft Defender for Endpoint – EDR in block mode
- Video: Microsoft Defender for Endpoint – Live response
- Video: Microsoft Defender for Endpoint – Deep analysis
- Video: Microsoft Defender for Endpoint – Conditional access
- Video: Microsoft Defender for Endpoint – Unified Indicator of compromise (IoCs)
- Video: Microsoft Defender for Endpoint – Threat and vulnerability management (discovery & remediation)
- Interactive Guide: Threat and Vulnerability Management
- Microsoft Defender for Office 365
- Interactive Learning: Mitigate threats using Microsoft 365 Defender
- Interactive Guide: Microsoft 365 Defender
- Video: Microsoft 365 Defender – Threat Protection (Incident management)
- Interactive Guide: Microsoft Defender for Office 365
- Interactive Guide: Microsoft Defender for Identity
- Interactive Guide: Investigate and respond to attacks with Microsoft Defender for Identity
- Video: Microsoft Defender for Cloud App – comprehensive demo
- Video: Threat detection and alerts management with Microsoft Cloud App Security
- Interactive Guide: Minimize internal risks with insider risk management in Microsoft 365
Mitigate threats using Microsoft Defender for Cloud (25-30%)
Design and configure a Microsoft Defender for Cloud implementation
- Plan and configure a Microsoft Defender for Cloud workspace
- Configure Microsoft Defender for Cloud roles
- Configure data retention policies
- Assess and recommend cloud workload protection
Plan and implement the use of data connectors for ingestion of data sources in Microsoft Defender For Cloud
- Identify data sources to be ingested for Microsoft Defender for Cloud
- Configure Automated Onboarding for Azure resources
- Connect non-Azure machine onboarding
- Connect AWS cloud resources
- Connect GCP cloud resources
- Configure data collection
Manage Microsoft Defender For Cloud alert rules
- Validate alert configuration
- Setup email notifications
- Create and manage alert suppression rules
Configure automation and remediation
- Configure automated responses in Az
- Design and configure playbook in Azure Defender
- Remediate incidents by using Azure Defender recommendations
- Create an automatic response using an Azure Resource Manager template
Investigate Azure Defender alerts and incidents
- Describe alert types for Azure workloads
- Manage security alerts
- Manage security incidents
- Analyze Azure Defender threat intelligence
- Respond to Azure Defender for Key Vault alerts
- Manage user data discovered during an investigation
Learning Path: Mitigate threats using Azure Defender
- Interactive Learning: Mitigate threats using Azure Defender (Azure Security Center)
- Interactive Guide: Protect your hybrid cloud with Azure Defender
Mitigate threats using Azure Sentinel (40-45%)
Design and configure an Azure Sentinel workspace
- Plan an Azure Sentinel workspace
- Configure Azure Sentinel roles
- Design Azure Sentinel data storage
- Configure Azure Sentinel service security
Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure Sentinel
- Identify data sources to be ingested for Azure Sentinel
- Identify the prerequisites for a data connector
- Configure and use Azure Sentinel data connectors
- Design Syslog and CEF collections
- Design and Configure Windows Events collections
- Configure custom threat intelligence connectors
- Create custom logs in Azure Log Analytics to store custom data
Manage Azure Sentinel analytics rules
- Design and configure analytics rules
- Create custom analytics rules to detect threats
- Activate Microsoft security analytical rules
- Configure connector provided scheduled queries
- Configure custom scheduled queries
- Define incident creation logic
Configure Security Orchestration Automation and Remediation (SOAR) in Azure Sentinel
- Create Azure Sentinel playbooks
- Configure rules and incidents to trigger playbooks
- Use playbooks to remediate threats
- Use playbooks to manage incidents
- Use playbooks across Microsoft Defender solutions
Manage Azure Sentinel Incidents
- Investigate incidents in Azure Sentinel
- Triage incidents in Azure Sentinel
- Respond to incidents in Azure Sentinel
- Investigate multi-workspace incidents
- Identify advanced threats with User and Entity Behavior Analytics (UEBA)
Use Azure Sentinel workbooks to analyze and interpret data
- Activate and customize Azure Sentinel workbook templates
- Create custom workbooks
- Configure advanced visualizations
- View and analyze Azure Sentinel data using workbooks
- Track incident metrics using the security operations efficiency workbook
Hunt for threats using the Azure Sentinel portal
- Create custom hunting queries
- Run hunting queries manually
- Monitor hunting queries by using Livestream
- Perform advanced hunting with notebooks
- Track query results with bookmarks
- Use hunting bookmarks for data investigations
- Convert a hunting query to an analytical rule
Learning Path: Mitigate threats using Azure Sentinel
- Interactive Learning: Create queries for Azure Sentinel using Kusto Query Language (KQL)
- Interactive Learning: Configure your Azure Sentinel environment
- Interactive Learning: Connect logs to Azure Sentinel
- Interactive Learning: Create detections and perform investigations using Azure Sentinel
- Interactive Learning: Perform threat hunting in Azure Sentinel
Training Labs
Microsoft has uploaded the following hands-on labs that will guide you step by step in various areas to gain more practical experience. They are continually being updated (so if a link is broken, let me know):
- LAB-01-EX1: Deploy Microsoft Defender for Endpoint
- LAB-01-EX2: Mitigate Attacks with Microsoft Defender for Endpoint
- LAB-02-EX1: Explore Microsoft 365 Defender
- LAB-03-EX1: Enable Microsoft Defender for Cloud
- LAB-03-EX2: Mitigate threats using Microsoft Defender for Cloud
- LAB-04-EX1: Create queries for Azure Sentinel using Kusto Query Language (KQL)
- LAB-05-EX1: Configure your Azure Sentinel environment
- LAB-06-EX1: Connect data to Azure Sentinel using data connectors
- LAB-06-EX2: Connect Windows devices to Azure Sentinel using data connectors
- LAB-06-EX3: Connect Linux hosts to Azure Sentinel using data connectors
- LAB-06-EX4: Connect Threat intelligence to Azure Sentinel using data connectors
- LAB-07-EX1: Activate a Microsoft Security rule in Azure Sentinel
- LAB-07-EX2: Create a Playbook in Azure Sentinel
- LAB-07-EX3: Create a Scheduled Query in Azure Sentinel
- LAB-07-EX4: Understand Detection Modeling in Azure Sentinel
- LAB-07-EX5: Conduct attacks with Azure Sentinel
- LAB-07-EX6: Create Detections in Azure Sentinel
- LAB-07-EX7: Investigate Incidents in Azure Sentinel
- LAB-07-EX8: Create Workbooks in Azure Sentinel
- LAB-08-EX1: Perform Threat Hunting in Azure Sentinel
- LAB-08-EX2: Threat Hunting using Notebooks with Azure Sentinel
Lessons Learned
Practice, practice, and read… I don’t think I can stress enough that hands-on experience and understanding of all the security concepts in Microsoft 365 Defender, Microsoft Sentinel and Microsoft Defender for Cloud will help you pass this exam. The key to passing this exam is working with Azure security services daily, especially Microsoft Sentinel, Microsoft 365 Defender, and KQL.
The most extensive subject areas that I saw on the SC-200 exam are the following:
Azure Active Directory (Azure AD) / Entra ID
- Conditional Access
- Azure Information Protection
Azure Sentinel (a lot of questions, a lot)
- KQL queries
- Logic Apps
- Common Event Format (CEF)
- Notebooks
- Hunting
- Analytics rules
- Microsoft 365 Defender
- Microsoft Cloud App Security (MCAS)
- Microsoft Defender for Endpoint
Azure Security Center / Microsoft Defender for Cloud
- Secure Score
- Security Alerts
- Workflow automation
- Cloud connectors
- Email notifications
Overall, I think Microsoft Learn is doing an excellent job of continually developing these exams to reflect real-world security scenarios that you will come across using the Microsoft Security Tech stack. The SC-200 exam, I felt, was logically organized and focused primarily on Microsoft 365 Defender, Microsoft Sentinel, and Microsoft Defender for Cloud.
Validating your skills
If you are looking to validate your skills and knowledge before taking the actual exam, I highly encourage you to do a practice test such as:
SC-200: Microsoft Security Operations Analyst Microsoft Official Practice Test.
The Whizlabs SC-200 Practice Exam – Free 20 questions
Udemy SC-200 Exam Practice Tests
Cloud Academy: Becoming a Microsoft Sentinel Expert
All of these SC-200 practice exams are designed to help you prepare for and pass the Microsoft SC-200 exam.
The SC-200 exam is aimed at Security Operations Analysts who want to validate their skills, although there is nothing to stop prospective SOC analysts from doing the exam. You should know how to investigate, respond to, and hunt for threats to the organization’s information technology systems. Security Operations Analysts reduce organizational risk, advise on improving threat protection practices, and refer violations of organizational policies to the appropriate stakeholders.
Schedule SC-200 Exam
Once you are ready, click Schedule exam here and take it online from the comfort of your home/office with proctor supervision.
The SC-200 renewal
In 2002, Microsoft launched the Renewal program. This was a move away from having to organise a proctored renewal exam at a test centre, which was struggling due to COVID restrictions and a lack of staffing at the time.
The renewals are free, which is also a welcome bonus, and are carried out online at your convenience. Like all exams, they have time limits and a passing mark, which is 60%, but as with the main exams, the questions appear to be weighted.
Over the five attempts I have made (yes, I didn’t pass the first two attempts, and then this year, I took two attempts to pass), I have found it a very tricky exam. While it is mainly multiple-choice, the questions are written so that at least two answers could be correct, and that gets you second-guessing yourself—or is that just me?
What I found was covered in the SC-200 Renewal
The exams were heavily weighted towards Sentinel, with questions around:
- Connecting services to Microsoft Sentinel
- Using Microsoft Sentinel for threat analytics
- Microsoft Sentinel Incident Management
However, I also had a couple about Microsoft Purview.
The vast majority of the questions revolve around how to use the tools and where things are in the current setup. Unfortunately, I struggled because I was not in the tools every day. To help with this, I spun up some home labs and also used some interactive labs from GitHub.
If you are planning to take this exam… I wish you all the best and good luck.
Thank you for reading the NI Cyber Guy blog.
If you have any questions or feedback on this article, please get in touch.
NI Cyber Guy