Security Operations Analyst
SC-200 Intermediate

Become a Microsoft Security Operations Analyst

Master Microsoft Sentinel, Defender XDR, and security operations workflows for the SC-200 certification.

Ready to Start?

Prepare for the SC-200 certification with hands-on labs and real-world scenarios.

Start Learning

What You Will Learn

Deploy and configure Microsoft Sentinel with data connectors, analytics rules, and automation
Investigate incidents across Defender for Endpoint, Identity, Office 365, and Cloud Apps
Write KQL queries for threat hunting and custom detection rules
Build SOAR playbooks with Logic Apps for automated incident response

The SC-200 is the certification for security analysts working in Microsoft environments. This course covers the full security operations lifecycle — from deploying Microsoft Sentinel and connecting data sources, to investigating incidents in Defender XDR, to building automated response playbooks. At 15 hours, this is one of the most comprehensive courses in the catalog because security operations demands depth.

You will deploy a Sentinel workspace, configure data connectors for Azure AD, Microsoft 365, and third-party sources, then build analytics rules that generate incidents from real threat patterns. The Defender XDR sections cover incident investigation across endpoints, identity, email, and cloud apps — using the unified security portal to correlate alerts and track attack chains. The course dedicates significant time to KQL because you cannot do effective threat hunting without it.

Automation is a major focus. You will build Logic App playbooks that trigger on Sentinel incidents, enrich alerts with threat intelligence, and execute response actions like isolating devices or disabling accounts. This is what separates a reactive SOC from a proactive one, and the SC-200 expects you to know how to build it.

Curriculum

Microsoft Sentinel Deployment

  • Workspace architecture and data connector configuration
  • Analytics rules — scheduled, Microsoft security, and fusion
  • Watchlists, threat intelligence indicators, and entity mapping
  • Workbooks and dashboards for SOC visibility

Microsoft Defender XDR

  • Unified incident queue and alert correlation
  • Defender for Endpoint investigation and response actions
  • Defender for Identity and lateral movement detection
  • Defender for Office 365 and Cloud Apps integration

Threat Hunting and KQL

  • KQL fundamentals for security analysis
  • Advanced hunting queries across Defender and Sentinel
  • Custom detection rules and bookmarks
  • Threat hunting hypotheses and techniques

Automation and SOAR

  • Logic App playbooks for incident response
  • Automation rules and playbook triggers
  • Enrichment workflows with threat intelligence
  • Automated containment and notification actions

Who Is This For

This course is for SOC analysts, security engineers, and IT professionals who investigate and respond to security incidents in Microsoft environments. If you work with Sentinel, Defender XDR, or are building a security operations practice on Microsoft tooling, the SC-200 validates your ability to detect, investigate, and respond to threats. Familiarity with KQL basics and Microsoft 365 security concepts is helpful but not required.

Christopher Nett

Security Architect at Microsoft

CISSP, CCSP, CISM, M.Sc. IT Security, MBA

20+ courses, 100,000+ students. I build and teach Microsoft Security, Azure, and AI courses based on what I deploy and operate daily.
