Microsoft Exam Syllabus

SC-200 syllabus, skills measured, and exam topics

The SC-200 exam measures three skill domains: Manage a security operations environment, Respond to security incidents, and Perform threat hunting. Use this page to review the current official syllabus, the major domains and their weightings, and the source links before exam day.

Skills measured by domain

Use the weighting table to decide where to spend the most study time.

Domain                                      Weight
Manage a security operations environment    40–45%
Respond to security incidents               35–40%
Perform threat hunting                      20–25%

What to know before you study

These sections explain the role, audience, and exam framing behind the outline.

Purpose of this document

  • This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.
  • Useful links:
  • How to earn the certification: Some certifications only require passing one exam, while others require passing multiple exams.
  • Certification renewal: Microsoft associate, expert, and specialty certifications expire annually. You can renew by passing a free online assessment on Microsoft Learn.
  • Your Microsoft Learn profile: Connecting your certification profile to Microsoft Learn allows you to schedule and renew exams and share and print certificates.
  • Exam scoring and score reports: A score of 700 or greater is required to pass.
  • Exam sandbox: You can explore the exam environment by visiting our exam sandbox.
  • Request accommodations: If you use assistive devices, require extra time, or need modification to any part of the exam experience, you can request an accommodation.
  • Take a free Practice Assessment: Test your skills with practice questions to help you prepare for the exam.

Updates to the exam

  • Our exams are updated periodically to reflect skills that are required to perform a role. We have included two versions of the Skills Measured objectives depending on when you are taking the exam.
  • We always update the English language version of the exam first. Some exams are localized into other languages, and those are updated approximately eight weeks after the English version is updated. While Microsoft makes every effort to update localized versions as noted, there may be times when the localized versions of an exam are not updated on this schedule. Other available languages are listed in the Schedule Exam section of the Exam Details webpage. If the exam isn't available in your preferred language, you can request an additional 30 minutes to complete the exam.
  • The bullets that follow each of the skills measured are intended to illustrate how we are assessing that skill. Related topics may be covered in the exam.
  • Most questions cover features that are general availability (GA). The exam may contain questions on Preview features if those features are commonly used.

Audience profile

  • As a candidate for this exam, you’re a security operations analyst who reduces organizational risk by performing triage, responding to incidents, hunting for threats, and engineering detections.
  • As a security operations analyst, you monitor, identify, investigate, and respond to threats in multi-cloud and on-premises environments by using Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud workload protections. You perform hunting by using KQL and Sentinel Graph and automate responses to threats.
  • You collaborate with business and security leadership to define security standards for the organization. You work with other roles across the digital enterprise to implement the standards, to enhance the security posture of an organization, and to raise security awareness.
  • As a candidate, you should be familiar with:
      • Microsoft security, compliance, and identity solutions
      • Microsoft 365
      • Azure cloud services
      • AI agents and Copilots
      • Windows, Linux, and mobile operating systems

Detailed outline

Use each section as a working study checklist rather than reading it as one long wall of text.

Manage a security operations environment (40–45%)

  • Configure email notifications in Microsoft Defender XDR, including incidents, actions, and threat analytics
  • Configure alert notifications in Microsoft Defender XDR, including tuning, suppression, and correlation
  • Configure Microsoft Defender for Endpoint advanced features
  • Configure rules settings in Microsoft Defender for Endpoint
  • Configure custom data collection in Microsoft Defender for Endpoint
  • Configure security policies for Microsoft Defender for Endpoint, including attack surface reduction (ASR) rules
  • Manage automated investigation and response capabilities in Microsoft Defender XDR
  • Configure automatic attack disruption in Microsoft Defender XDR
  • Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
  • Create and configure automation rules in Microsoft Sentinel
  • Create and configure Microsoft Sentinel playbooks
  • Specify Microsoft Sentinel roles

Respond to security incidents (35–40%)

  • Investigate and remediate threats by using Microsoft Defender for Office 365, including automatic attack disruption
  • Investigate and remediate threats or compromised entities identified by Microsoft Purview
  • Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
  • Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
  • Investigate and remediate compromised identities that are identified by Microsoft Entra ID
  • Investigate and remediate security alerts from Microsoft Defender for Identity
  • Investigate and remediate alerts and incidents identified by Microsoft Sentinel
  • Investigate incidents by using agentic AI, including embedded Copilot for Security
  • Investigate complex attacks, such as multi-stage, multi-domain, and lateral movement
  • Manage security incidents by using case management
  • Investigate device timelines
  • Perform actions on the device, including live response and collecting investigation packages

Perform threat hunting (20–25%)

  • Identify the appropriate table to use in a KQL query
  • Identify threats by using Kusto Query Language (KQL)
  • Create Advanced Hunting queries
  • Interpret threat analytics in Microsoft Defender XDR
  • Create hunting graphs, including blast radius
  • Analyze relationships between entities by using Sentinel Graph
  • Create and monitor hunting queries
  • Create and manage KQL jobs in Data lake
  • Create and manage Summary rule tables for querying
  • Hunt for threats by using Notebooks, including connection to the Sentinel MCP Server