Microsoft Certified: Security Operations Analyst Associate (SC-200)

Master Threat Detection, Investigation, and Response in Microsoft Security.

ABOUT THE PROGRAM

The SC-200 certification course equips learners with the practical knowledge and hands-on skills required to protect modern enterprise environments using Microsoft’s powerful security suite. Designed for security analysts and IT professionals, this course teaches how to monitor, detect, investigate, and respond to threats using tools such as Microsoft Sentinel, Microsoft Defender for Cloud, and Microsoft 365 Defender. Gain the expertise required to strengthen your organization’s security posture and prepare confidently for the SC-200 exam.


PREREQUISITES

  • Basic understanding of cybersecurity concepts

  • Familiarity with Microsoft Azure or Microsoft 365

  • Experience with IT administration or security roles is recommended

  • No programming knowledge required, but KQL exposure is beneficial

TARGET AUDIENCE

This course is ideal for:

  • Security Operations Analysts

  • Cybersecurity Professionals

  • SOC Team Members

  • IT Administrators and Infrastructure Engineers

  • Cloud Security Specialists

  • Anyone preparing for the SC-200 certification

WHAT WILL YOU LEARN?

Participants will learn how to:

  • Detect, investigate, and respond to threats using Microsoft Sentinel

  • Perform advanced hunting using Kusto Query Language (KQL)

  • Manage security incidents across Microsoft 365 Defender

  • Protect cloud workloads with Microsoft Defender for Cloud

  • Implement automation and orchestration using Logic Apps

  • Improve organizational security posture with actionable insights

  • Operate effectively in a modern Security Operations Center (SOC)

  • Prepare for and pass the SC-200 exam

PROGRAM OVERVIEW

This course provides a deep dive into Microsoft’s integrated security technologies, focusing on how to leverage them to identify threats, investigate incidents, and automate response actions. Learners will gain hands-on experience building analytics rules, hunting threats with KQL, managing incidents, and implementing best-practice security processes. By the end of the course, candidates will be prepared to operate as effective Security Operations Analysts and pass the SC-200 certification exam.


PROGRAM CONTENT

SC-200: Microsoft Security Operations Analyst – Course Outline with Labs

Module 1: Introduction to Microsoft Security Operations

  • Role of a Security Operations Analyst
  • SOC processes: monitoring, detection, investigation, response
  • Microsoft Security ecosystem overview
  • Zero Trust principles

Lab 1: Explore the Microsoft 365 Defender Portal

  • Navigate Microsoft 365 Defender
  • Review incidents, alerts, and threat analytics
  • Examine Secure Score and device inventory

Module 2: Microsoft Sentinel – Deployment & Configuration

  • Microsoft Sentinel architecture
  • Log Analytics workspace setup
  • Data connectors (Azure AD, M365, Syslog, Threat Intelligence)
  • Workbooks and dashboards overview

Lab 2: Deploy Sentinel & Connect Data Sources

  • Create a Sentinel instance
  • Configure core data connectors
  • Deploy built-in workbooks to visualize data

Module 3: Kusto Query Language (KQL) for Detection & Hunting

  • KQL basics: operators, filters, sorting
  • Aggregations, joins, parsing data
  • Writing queries for security investigations
  • Reusable functions and advanced query design

Lab 3: Build KQL Queries for Log Analysis

  • Query Azure AD, security, and endpoint logs
  • Use joins to correlate identity and device activity
  • Create a custom hunting query

Module 4: Using Microsoft Sentinel for Incident Investigation

  • Understanding alerts, incidents, and entities
  • Using the Investigation Graph
  • Drill-down analysis of suspicious activity
  • UEBA (User & Entity Behavior Analytics)

Lab 4: Investigate an Incident in Sentinel

  • Analyze a generated alert
  • Track attacker movement using the Investigation Graph
  • Assign, escalate, and resolve incidents

Module 5: Automation with Sentinel (SOAR)

  • Logic Apps fundamentals
  • Automation rules & playbooks
  • Automated threat responses
  • Enrichment workflows and conditional logic

Lab 5: Create an Automated Response Playbook

  • Build and test a Logic App
  • Apply playbook to an analytics rule
  • Automate email alerting and user/device containment

Module 6: Microsoft 365 Defender – Detection, Investigation & Response

Defender for Endpoint

  • Endpoint detection & response (EDR)
  • Device timeline and attack surface reduction

Defender for Identity

  • Detecting identity-based attacks
  • Lateral movement and compromised credentials

Defender for Office 365

  • Email threat protection
  • Phishing investigation and remediation

Defender for Cloud Apps (MDA)

  • Shadow IT discovery
  • Monitoring risky cloud apps

Lab 6: Investigate a Multi-Domain Incident

  • Review cross-domain incidents
  • Use advanced hunting (KQL) in M365 Defender
  • Contain attacker activity across services

Module 7: Microsoft Defender for Cloud (Azure Security)

  • Cloud security posture management
  • Workload protection across Azure, AWS, GCP
  • Alerts, recommendations, and compliance tools

Lab 7: Protect Cloud Resources

  • Enable Defender for Cloud
  • Review resource security recommendations
  • Investigate alerts on virtual machines, apps, and databases

Module 8: Threat Hunting Strategies

  • Threat hunting methodologies
  • Using MITRE ATT&CK framework
  • Leveraging threat intelligence
  • Indicators of compromise (IOCs) and attacker behaviors

Lab 8: Execute a Complete Threat Hunt

  • Hunt for malicious identity behavior
  • Correlate endpoint and cloud signals
  • Produce a threat-hunting report

Module 9: Incident Response & Reporting

  • Incident management lifecycle
  • SOC documentation and reporting standards
  • Lessons learned and playbook updates
  • Integrating Microsoft tools with SIEM/SOAR systems

Lab 9: End-to-End Incident Response Simulation

  • Detect → Investigate → Contain → Recover
  • Work through a simulated enterprise attack
  • Document findings for SOC reporting

Module 10: SC-200 Exam Preparation

  • Exam domain coverage
  • Practice questions
  • Hands-on scenario-based review
  • Certification tips & readiness assessment