SC-200 cheat sheet
A one-page reference for the Microsoft Security Operations Analyst exam: the format, how the domains are weighted, and the glossary terms for this exam.
Exam at a glance
Vendor
Microsoft
Level
Associate
Questions
60
Time
100 min
Mock pass mark
70%
Domains
3
Practice Qs
190
Code
SC-200
Domain weightings
How much of the exam each domain covers. Spend your study time in proportion — the heavier the domain, the more questions you'll see.
Key terms
- Microsoft Sentinel
- Microsoft Sentinel is a cloud-native SIEM and SOAR platform for collecting, detecting, investigating, and responding to threats at scale. SC-200 centers on operating Sentinel across all three exam domains.
- Microsoft Defender XDR
- Microsoft Defender XDR is an extended detection and response suite that unifies signals across endpoints, identities, email, and cloud apps. SC-200 covers responding to XDR alerts and incidents.
- KQL
- KQL (Kusto Query Language) is the query language used to search and analyze data in Microsoft Sentinel and Defender Advanced Hunting. SC-200 requires writing KQL for detections and threat hunting.
- Advanced Hunting
- Advanced Hunting is a query-based threat-hunting tool in Microsoft Defender XDR that runs KQL against raw event tables. SC-200 covers creating Advanced Hunting queries and custom detection rules.
- Defender for Endpoint
- Microsoft Defender for Endpoint is an endpoint detection and response service for detecting, investigating, and responding to device threats. SC-200 covers configuring its features, ASR rules, and device response.
- Attack surface reduction
- Attack surface reduction (ASR) is a set of Defender for Endpoint rules that block risky behaviors used by malware. SC-200 covers configuring ASR rules in security policies.
- Analytics rule
- An analytics rule in Microsoft Sentinel defines the logic that generates alerts and incidents from ingested data. SC-200 covers scheduled, near-real-time, threat-intelligence, and machine-learning analytics rules.
- Data connector
- A data connector in Microsoft Sentinel ingests logs and events from a source such as Windows security events, Syslog, or Azure activity. SC-200 covers selecting and configuring connectors.
- Playbook
- A playbook in Microsoft Sentinel is an automated response workflow built on Azure Logic Apps, triggered by alerts or incidents. SC-200 covers creating playbooks and automation rules.
- Automation rule
- An automation rule in Microsoft Sentinel orchestrates incident handling — assigning, tagging, and running playbooks. SC-200 covers configuring automation rules for security operations.
- Automatic attack disruption
- Automatic attack disruption is a Microsoft Defender XDR capability that contains an in-progress attack by automatically isolating assets or accounts. SC-200 covers configuring and responding to it.
- MITRE ATT&CK
- MITRE ATT&CK is a knowledge base of adversary tactics and techniques used to map detection coverage. SC-200 covers analyzing attack-vector coverage with the MITRE ATT&CK matrix.
- Security Copilot
- Microsoft Security Copilot is an AI assistant that helps analysts investigate and respond to incidents using natural language. SC-200 covers investigating incidents using embedded, agentic Security Copilot.