Skip to content
Security Operations Analyst
SC-200 Intermediate

Become a Microsoft Security Operations Analyst

Master Microsoft Sentinel, Defender XDR, and security operations workflows for the SC-200 certification.

Start Learning Hands-on labs + SC-200 exam prep
About

About This Course

The SC-200 is the certification for security analysts working in Microsoft environments. This course covers the full security operations lifecycle — from deploying Microsoft Sentinel and connecting data sources, to investigating incidents in Defender XDR, to building automated response playbooks. At 15 hours, this is one of the most complete courses in the catalog because security operations demands depth.

You will deploy a Sentinel workspace, configure data connectors for Azure AD, Microsoft 365, and third-party sources, then build analytics rules that generate incidents from real threat patterns. The Defender XDR sections cover incident investigation across endpoints, identity, email, and cloud apps — using the unified security portal to correlate alerts and track attack chains. The course dedicates significant time to KQL because you cannot do effective threat hunting without it.

Automation is a major focus. You will build Logic App playbooks that trigger on Sentinel incidents, enrich alerts with threat intelligence, and execute response actions like isolating devices or disabling accounts. This is what separates a reactive SOC from a proactive one, and the SC-200 expects you to know how to build it.

Outcomes

What You'll Learn

01

Deploy and configure Microsoft Sentinel with data connectors, analytics rules, and automation

02

Investigate incidents across Defender for Endpoint, Identity, Office 365, and Cloud Apps

03

Write KQL queries for threat hunting and custom detection rules

04

Build SOAR playbooks with Logic Apps for automated incident response

Before You Start

Prerequisites

  • Familiarity with KQL basics and Microsoft 365 security concepts is helpful but not required
  • An Azure subscription for the Sentinel hands-on labs — a free trial works
Audience

Who Is This Course For

This course is for SOC analysts, security engineers, and IT professionals who investigate and respond to security incidents in Microsoft environments. If you work with Sentinel, Defender XDR, or are building a security operations practice on Microsoft tooling, the SC-200 validates your ability to detect, investigate, and respond to threats. Familiarity with KQL basics and Microsoft 365 security concepts is helpful but not required.

Curriculum

What's Inside

01

Microsoft Sentinel Deployment

  • Workspace architecture and data connector configuration
  • Analytics rules — scheduled, Microsoft security, and fusion
  • Watchlists, threat intelligence indicators, and entity mapping
  • Workbooks and dashboards for SOC visibility
02

Microsoft Defender XDR

  • Unified incident queue and alert correlation
  • Defender for Endpoint investigation and response actions
  • Defender for Identity and lateral movement detection
  • Defender for Office 365 and Cloud Apps integration
03

Threat Hunting and KQL

  • KQL fundamentals for security analysis
  • Advanced hunting queries across Defender and Sentinel
  • Custom detection rules and bookmarks
  • Threat hunting hypotheses and techniques
04

Automation and SOAR

  • Logic App playbooks for incident response
  • Automation rules and playbook triggers
  • Enrichment workflows with threat intelligence
  • Automated containment and notification actions