SC-200 cheat sheet

A one-page reference for the Microsoft Security Operations Analyst exam: the format, how the domains are weighted, and the glossary terms for this exam.

Exam at a glance

Vendor
Microsoft
Level
Associate
Questions
60
Time
100 min
Mock pass mark
70%
Domains
3
Practice Qs
190
Code
SC-200

Domain weightings

How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.

Key terms

Microsoft Sentinel
Microsoft Sentinel is a cloud-native SIEM and SOAR platform for collecting, detecting, investigating, and responding to threats at scale. SC-200 centers on operating Sentinel across all three exam domains.
Microsoft Defender XDR
Microsoft Defender XDR is an extended detection and response suite that unifies signals across endpoints, identities, email, and cloud apps. SC-200 covers responding to XDR alerts and incidents.
KQL
KQL (Kusto Query Language) is the query language used to search and analyze data in Microsoft Sentinel and Defender Advanced Hunting. SC-200 requires writing KQL for detections and threat hunting.
Advanced Hunting
Advanced Hunting is a query-based threat-hunting tool in Microsoft Defender XDR that runs KQL against raw event tables. SC-200 covers creating Advanced Hunting queries and custom detection rules.
Defender for Endpoint
Microsoft Defender for Endpoint is an endpoint detection and response service for detecting, investigating, and responding to device threats. SC-200 covers configuring its features, ASR rules, and device response.
Attack surface reduction
Attack surface reduction (ASR) is a set of Defender for Endpoint rules that block risky behaviors used by malware. SC-200 covers configuring ASR rules in security policies.
Analytics rule
An analytics rule in Microsoft Sentinel defines the logic that generates alerts and incidents from ingested data. SC-200 covers scheduled, near-real-time, threat-intelligence, and machine-learning analytics rules.
Data connector
A data connector in Microsoft Sentinel ingests logs and events from a source such as Windows security events, Syslog, or Azure activity. SC-200 covers selecting and configuring connectors.
Playbook
A playbook in Microsoft Sentinel is an automated response workflow built on Azure Logic Apps, triggered by alerts or incidents. SC-200 covers creating playbooks and automation rules.
Automation rule
An automation rule in Microsoft Sentinel orchestrates incident handling — assigning, tagging, and running playbooks. SC-200 covers configuring automation rules for security operations.
Automatic attack disruption
Automatic attack disruption is a Microsoft Defender XDR capability that contains an in-progress attack by automatically isolating assets or accounts. SC-200 covers configuring and responding to it.
MITRE ATT&CK
MITRE ATT&CK is a knowledge base of adversary tactics and techniques used to map detection coverage. SC-200 covers analyzing attack-vector coverage with the MITRE ATT&CK matrix.
Security Copilot
Microsoft Security Copilot is an AI assistant that helps analysts investigate and respond to incidents using natural language. SC-200 covers investigating incidents using embedded, agentic Security Copilot.