RoleMath Study Track for Microsoft Security Operations Analyst Associate (SC-200) (SC-200)
A free study companion keyed to the officially published exam domains of Microsoft Security Operations Analyst Associate (SC-200) (SC-200): what each domain covers in plain language, clearly labeled free resources, a guided lab outline for every domain, and interactive self-checks from our own question bank. Microsoft SC-200 study guide
A free, source-cited study companion built on Microsoft's published SC-200 study guide, for independent study only. It is not official training, is not affiliated with or endorsed by Microsoft, and is not a pass guarantee. SC-200 is an ASSOCIATE-level exam, not a first certification: it assumes the SC-900 and AZ-900 fundamentals and some Azure and security-operations familiarity, so start there if security operations is brand new to you. The hands-on labs run only on your OWN free Azure subscription using the Microsoft Sentinel free trial (never a work or school tenant), with a strict billing boundary - attach no large data source and delete the workspace before the trial ends - or on public sample data that needs no tenant at all. Verify the current objectives on the official study guide before your exam.
A complete free Microsoft SC-200 program pinned to the currently published study guide and sequenced the way the tasks build - stand up and configure the security operations environment first (Microsoft Sentinel as a SIEM, data ingestion, and detections mapped to MITRE ATT&CK), then respond to incidents across Microsoft Defender XDR, Sentinel, and the embedded Security Copilot agentic-AI assistant, then hunt with KQL in Defender XDR Advanced Hunting and Microsoft Sentinel - with an integrated end-to-end capstone that deploys a Sentinel lab, hunts with KQL, investigates and closes a simulated incident, and tears the lab down. Every hands-on activity runs on the learner's OWN free Azure subscription using the Microsoft Sentinel 30-day free trial (never a work or school tenant), inside a hard billing boundary - attach no large data source and delete the Log Analytics workspace before the trial ends - or on public sample data that needs no tenant. SC-200 is an ASSOCIATE-level exam, NOT a first certification: it assumes the SC-900 and AZ-900 fundamentals and some Azure and security-operations background, so this program's diagnostic routes learners who are new to those prerequisites back to the fundamentals first, and completion is not certification, professional experience, or a job.
This draft exposes RoleMath’s authored sequence and evidence plan. The current labs are guided outlines, not yet a fully fixture-backed course, and objective-leaf coverage has not passed the gold-standard gate. Completion does not predict an exam result.
Modules
3
Labs
3
Concept checks
7
Resource mix
12 official / 1 community
Choose an outcome
Three routes through the same evidence
Choose provisionally. Change routes when the work tells you something new about fit, time, or readiness.
Certification-focused
Learners with the SC-900 and AZ-900 fundamentals and some Azure or security-operations background who want one current, dependency-ordered SC-200 sequence across all three domains, with each hands-on lab run in a free Azure trial they own (or on public sample data) and a recheck of the official study guide before scheduling.
Completion emphasis: Complete every module in the environment-first study order, finish each domain's hands-on lab in a trial you own (or documentation-only), correct every missed check, finish the integrated end-to-end capstone, and diff the current study guide before booking the exam - never inferring a score from coverage, and understanding SC-200 is an Associate credential that assumes the fundamentals.
Required phases: Manage a security operations environment, Respond to security incidents, Perform threat hunting, then the integrated capstone
SOC-analyst skills first
Career changers or IT staff moving toward a security-operations role who want reviewable evidence that they can configure Microsoft Sentinel, investigate and close an incident across Defender XDR, and hunt with KQL, whether or not they sit the exam soon.
Completion emphasis: Retain a labeled artifact per domain - a deployed Sentinel Training Lab checklist, an incident-triage worksheet driven to a defensible close, and a two-tier KQL hunting log - each produced in a trial you own or on public sample data, plus the integrated end-to-end capstone, with every billing boundary respected and the workspace deleted before trial end.
Required phases: Manage a security operations environment, Respond to security incidents, Perform threat hunting, then the integrated capstone
Career-fit sprint
Learners deciding whether security-operations analyst work - running a SIEM, responding to incidents, and hunting threats in the Microsoft ecosystem - is a direction worth deeper investment before committing to the full associate-level certification, given it assumes the SC-900 and AZ-900 fundamentals first.
Completion emphasis: Complete the diagnostic, the security-operations-environment phase, and the incident-response phase with their labs, then choose a next step (deepen toward the full SC-200, branch to a related Microsoft security path, or shore up the SC-900/AZ-900 fundamentals if the prerequisites felt thin) rather than inferring job readiness or a pass from partial coverage.
Required phases: Manage a security operations environment, Respond to security incidents
Start safely
Prerequisite diagnostic
Confirm you have the fundamentals SC-200 assumes and can spin up a free Azure trial you own before the hands-on labs; this diagnostic is not a Microsoft prerequisite gate, a cost promise, or an exam prediction, but SC-200 is an ASSOCIATE exam - if the SC-900 or AZ-900 material below is entirely new, do that fundamentals study first.
Do you have the SC-900 (security, compliance, and identity fundamentals) and AZ-900 (Azure fundamentals) background - or equivalent - since SC-200 is associate-level and assumes you already understand Zero Trust, Microsoft Entra identity, the Defender product family, and basic Azure concepts?
Ready when: Yes, you hold or could pass SC-900 and AZ-900, or you have equivalent hands-on Azure and security familiarity.
If not yet: Do the free RoleMath SC-900 and AZ-900 study tracks first (fundamentals-to-associate ladder); SC-200 will be far more approachable once Zero Trust, Entra, the Defenders, and Azure basics are in place.
Can you create a free Azure subscription YOU own (an Azure free account) and use the Microsoft Sentinel 30-day free trial for the hands-on labs, understanding you must never use a work or school tenant, must attach no large data source, and must delete the workspace before the trial ends?
Ready when: Yes, with a free Azure subscription you own and a plan to respect the billing boundary and delete the workspace before trial expiry, OR you will complete the tenant labs documentation-only, which is fully supported.
If not yet: Complete the Domain 1 and Domain 2 labs documentation-only from the Microsoft Learn paths and the Training Lab README, and do the Domain 3 KQL practice on public sample data (Kusto Detective Agency), which needs no tenant at all.
Are you willing to learn KQL (the Kusto Query Language), since threat hunting and Sentinel analytics rules depend on it - understanding that a SQL background helps but is not required and the Kusto Detective Agency game teaches KQL from zero on public data?
Ready when: Yes, and you know Tier A of the hunting lab builds KQL from scratch on public sample data before you apply it in a real workspace.
If not yet: Spend a session on the Kusto Detective Agency and the free Microsoft Learn KQL resources before the analytics-rule and hunting work; KQL is the connective tissue of the whole exam.
Do you understand the hard billing boundary for the tenant labs - free Azure subscription you own only, the Sentinel 30-day free trial, no large data connectors, and a calendar reminder to DELETE the Log Analytics workspace before the trial expires so no ingestion or retention charges accrue?
Ready when: Yes, and you will set a delete reminder, attach no large data source, and confirm in Cost Management that nothing bills after cleanup.
If not yet: Re-read each lab's billing-boundary safety section before deploying, or stay on the documentation-only and public-sample-data routes where no billing is possible at all.
Have you chosen a pace whose weekly hours you can realistically protect across roughly 54 to 80 total hours - heavier than a fundamentals exam because SC-200 is associate-level and genuinely hands-on?
Ready when: Yes, with a pace selected and the study-guide recheck, the lab billing-boundary steps, and the integrated capstone left uncompressed.
If not yet: Pick the steady pace and spread the three domains and the capstone across six to eight weeks; never compress the own-subscription-only, no-large-data-source, delete-before-expiry, or synthetic-entity-only safety steps to save time.
Plan, then adapt
Pace options
Steady
7 weeks 8-11 hours/week
A planning estimate of roughly 60-77 hours for a learner with the SC-900/AZ-900 fundamentals and some Azure familiarity: the heavy environment domain across two-plus weeks, then incident response, then threat hunting, each with its hands-on lab in a trial you own (or documentation-only / public sample data), plus the integrated end-to-end capstone and a study-guide recheck before scheduling.
Standard
6 weeks 9-12 hours/week
A planning estimate for a learner comfortable in Azure and security operations that pairs the Microsoft-cited domain study with one retained lab artifact per domain and preserves the integrated capstone, the missed-check corrections, and a study-guide diff before any exam logistics. Budget toward the upper end if KQL is new.
Intensive
5 weeks 11-15 hours/week
Roughly 55-75 hours compressed for a focused learner who already works around Azure and a SOC; do not compress the own-subscription-only boundary, the no-large-data-source and delete-before-trial-end billing rules, the synthetic-entity-only incident work, or the capstone. A learner still building the SC-900/AZ-900 fundamentals should shore those up first and prefer the steady pace.
Evidence-gated sequence
Program roadmap
1
Manage a security operations environment
Stand up and configure the SOC's tooling: automation across Defender XDR and Sentinel, Microsoft Sentinel as a SIEM (workspace, roles, retention, workbooks, SOC optimization), data ingestion via connectors (AMA, Syslog/CEF, threat intelligence, custom tables), and detections and analytics rules mapped to MITRE ATT&CK (Domain 1, 40-45%) - made concrete by deploying the Microsoft Sentinel Training Lab in a free Azure trial you own.
Complete the Domain 1 lab: deploy the Sentinel Training Lab in a free Azure subscription you own (or documentation-only), record two connector types and the retention setting, describe a workbook, distinguish scheduled from near-real-time analytics rules with one rule's MITRE ATT&CK mapping, and record the incident queue - with a delete reminder set for before the trial ends.
Complete the fundamentals-background, free-Azure-trial, KQL-readiness, billing-boundary, and study-time diagnostics, choose a pace you can protect, and be able to explain how ingestion choices set the ceiling on detection and hunting.
Attempt every authored security-operations-environment check and correct each miss against its cited source before moving to incident response.
2
Respond to security incidents
Do the analyst's daily work: investigate and remediate across Microsoft Defender XDR (endpoint, identity, email, cloud apps, and cloud), Microsoft Purview investigation, the embedded Security Copilot agentic-AI assistant, and Microsoft Sentinel incidents, with sound case management and defensible classification (Domain 2, 35-40%) - made concrete by driving a Training Lab incident to a close in the same trial workspace you own.
Complete the Domain 2 lab in the workspace you own (or documentation-only): triage an incident with a severity decision, follow the investigation graph and pivot on an entity, map each entity type to the Defender product that owns it, manage the case (comment, task, assignment) with an optional Security Copilot comparison, and classify and close the incident with a justification - acting only on synthetic training entities.
Retain the incident-triage worksheet and be able to explain when to reach for Defender XDR versus Microsoft Sentinel and where Security Copilot accelerates response while a human still governs the decision to contain, remediate, or close.
Attempt every authored incident-response check and correct each miss against its cited source before moving to threat hunting.
3
Perform threat hunting, then the integrated capstone
Hunt proactively with KQL in Microsoft Defender XDR Advanced Hunting and Microsoft Sentinel (hunting queries, Sentinel Graph entity relationships, saved queries, and the path from a hunt to a detection) (Domain 3, 20-25%), made concrete by a two-tier KQL lab - then run the integrated end-to-end capstone that deploys a Sentinel lab, hunts with KQL, investigates and closes a simulated incident, and tears the lab down.
Complete the Domain 3 two-tier KQL lab: practice core operators on public sample data with no tenant (Kusto Detective Agency), then run a SecurityEvent failed-logon hunt, tour Advanced Hunting, note Sentinel Graph entity relationships, and save a Sentinel hunting query in a workspace you own (or documentation-only).
Complete the integrated end-to-end capstone (deploy the Sentinel lab, hunt with KQL, investigate and close a simulated incident, tear the lab down) and produce the capstone evidence packet.
Retain the hunting log and the capstone artifacts, crosswalk every artifact to the three SC-200 domain IDs, diff the current SC-200 study guide, record remaining gaps, and choose a continue, practice, defer, or exam-scheduling next decision rather than inferring a pass from coverage.
Before a lab
Environment, access, and safety
Required and optional setup
Required
A web browser plus text or spreadsheet tools for the Microsoft-cited SC-200 study guide, the free Microsoft Learn learning paths, and for recording each lab's answers in your own words
The three RoleMath-owned worksheets under data/assets/lab_fixtures/microsoft-security-operations-analyst-associate/ - a Sentinel Training Lab deploy checklist, an incident-triage worksheet, and a two-tier KQL threat-hunting log
For the KQL fundamentals: the Kusto Detective Agency and the Azure Data Explorer sample playground, which run on public sample data with no tenant and no cost
A record, for each hands-on lab, that any tenant work used only a free Azure subscription you own, attached no large data source, acted only on synthetic entities, and that the Log Analytics workspace was deleted before the trial ended
Optional
A free Azure subscription (an Azure free account) that YOU own, used with the Microsoft Sentinel 30-day free trial to deploy the Training Lab and run the incident and hunting labs - never a work or school tenant, no large data source attached, workspace deleted before trial end
The Microsoft SC-200 official free practice assessment as a readiness check across all three domains (the pool is finite and recycles)
John Savill's free SC-200 study content as a fast visual review after the official Microsoft Learn paths (it may lag the July 28, 2026 additions - the embedded Security Copilot and Sentinel Graph content - so reconcile it against the official study guide)
Accounts and accessibility routes
Accounts
The KQL fundamentals (Tier A of the hunting lab) require no account: the Kusto Detective Agency and the ADX sample playground run on public sample data at no cost.
The Sentinel deploy, incident-response, and Tier-B hunting labs need a free Azure subscription you own with the Sentinel 30-day free trial; a free Azure account may ask for a card for identity verification even though this program is designed to spend nothing when the billing boundary is respected.
No lab requires a paid subscription; every tenant lab can be completed documentation-only from the Microsoft Learn paths and the Training Lab README, and if any resource ever moves a needed exercise behind a paywall, rely on the study guide and the documentation-only route instead.
Equivalent routes
When deploying or working a live workspace is impractical for account, device, billing-boundary, memory, motor, or visual reasons, complete the tenant labs documentation-only: read the objective's free Microsoft Learn path and the Training Lab README, answer each field from the documentation labelled documentation-only, and complete the KQL fundamentals on the public no-tenant sample data, reaching the same understanding and the same worksheet evidence.
Every worksheet is text-driven and keyboard-operable, with plain-text answers a screen reader can read; the deploy checklist, incident-triage worksheet, and KQL hunting log are plain Markdown with labeled headings and fields, and the Azure, Defender, Sentinel, and Kusto query editors expose keyboard-navigable, labeled controls and text inputs.
In low-bandwidth conditions use the documentation-only and public-sample-data routes, which avoid the heavy Azure and Defender portal UIs; the Microsoft Learn pages and the worksheet files are lightweight text.
Safety baseline
Run every tenant lab ONLY in a free Azure subscription YOU own using the Microsoft Sentinel free trial - never a work, school, employer, or client tenant.
Respect the billing boundary: attach no large or production data connectors during the trial, and set a calendar reminder to DELETE the Log Analytics workspace (or resource group) before the 30-day trial ends so no ingestion or retention charges accrue; confirm in Cost Management that nothing continues to bill.
In the incident-response lab, take remediation actions only against the synthetic training entities, never a real device, user, mailbox, or resource; where a full Defender action is unavailable in a training workspace, record what you would do and why.
Use only public sample data (KQL Tier A) and the synthetic training data in your own workspace; enter no real organization's data, credentials, tenant IDs, or personal information into any worksheet, and do not share screenshots containing real data.
This program grants no authorization to configure, query, or act on any system you do not own; the documentation-only and public-sample-data routes are always available and reach the same evidence.
Show your work
Module evidence and missed-check protocol
Module exit evidence
A labeled artifact per domain tied to its module: a deployed Sentinel Training Lab checklist; an incident-triage worksheet driven to a defensible close; or a two-tier KQL hunting log - each produced in a free Azure trial you own, on public sample data, or documentation-only.
A plain-language explanation of the domain's key tasks - how the SIEM is configured and detections mapped to MITRE ATT&CK, how an incident is investigated and closed across the Defender products with Security Copilot as an accelerant, or how a KQL hunt is written and promoted to a detection - and the boundary the work stayed inside (own subscription, public sample data, or documentation, with any workspace deleted).
All authored checks for the domain attempted, with each miss corrected against its cited source and re-applied to a fresh scenario, plus a note that any tenant work used a subscription you own, attached no large data source, and was cleaned up before trial end.
After a missed check
Identify whether the question tests managing the security operations environment, responding to security incidents, or performing threat hunting before reviewing the answer.
Write why the distractor was plausible and which principle - the connector or analytics-rule choice, the Defender product that owns an entity's signal, or the right hunting surface and KQL operator - distinguishes the correct answer, framing it as what an analyst would configure or do rather than a feature recited from memory.
Change one scenario detail - the data source being ingested, the entity type in the incident, or the hunting hypothesis - and explain whether the correct answer changes.
Completing this policy demonstrates current-study-guide SC-200 coverage and hands-on practice inside RoleMath against Microsoft's documentation and a free Azure trial you own (or public sample data); it does not predict an exam score, establish professional security-operations experience, confer any authorization to configure, query, or act on systems you do not own, or serve as a RoleMath credential.
Integrated practice
Integrated SC-200 end-to-end: deploy a SIEM, hunt with KQL, investigate and close an incident, tear it down
Run one continuous exercise that spans all three SC-200 domains in a free Azure trial you own: deploy the Microsoft Sentinel Training Lab, hunt across its data with KQL, investigate and close one of its simulated incidents, then tear the lab down inside the billing boundary - producing one reviewable evidence packet that shows the full security-operations analyst loop from environment to hunt to response to cleanup.
Workflow
Deploy or reuse the Microsoft Sentinel Training Lab in a free Azure subscription you own, confirm Sentinel is enabled and the simulated data is loaded, and record the connectors, retention, and at least one analytics rule with its MITRE ATT&CK mapping (Domain 1).
Hunt across the lab data with KQL: run at least one Advanced Hunting or SecurityEvent query, note how Sentinel Graph or an entity pivot could extend it into an attack chain, and save one Sentinel hunting query with its hypothesis (Domain 3).
Pick one incident the lab generated and drive it to a close: triage and set severity, follow the investigation graph and pivot on an entity, map entities to the owning Defender products, manage the case (comment, task, assignment), optionally compare a Security Copilot summary to your own read, and classify and close it with a justification, acting only on synthetic entities (Domain 2).
Feed the loop back on itself: note what you would change in a detection or automation rule so this class of incident is caught or auto-handled next time, tying the response back to the environment you configured.
Map every artifact you produced to the three SC-200 domain IDs (environment, respond, hunt) in a short crosswalk table, so the packet demonstrably covers all three domains rather than implying it.
Tear the lab down inside the billing boundary: delete the Log Analytics workspace (or resource group) before the Sentinel trial ends and confirm in Cost Management that nothing continues to bill.
Write a one-paragraph reflection per domain in your own words on how the environment, the hunt, and the response connected, and answer one end-to-end scenario naming the products and KQL you would use.
Diff the current SC-200 study guide against your packet, flag any topic not represented as an explicit gap, confirm the workspace was deleted and nothing bills, and record the next decision - continue, practice more, defer, or schedule the exam - rather than inferring a pass from coverage.
Retained artifacts
A deployed-and-torn-down Sentinel Training Lab record: the environment configured (connectors, retention, one analytics rule with its MITRE ATT&CK mapping) and confirmation the workspace was deleted before trial end
A KQL hunting artifact: at least one query run against the lab data and one saved Sentinel hunting query with its hypothesis, plus a note on how Sentinel Graph or an entity pivot extends a hunt into an attack chain
An incident driven to a defensible close: triage and severity, an entity pivot and entity-to-product mapping, case-management notes with an optional Security Copilot comparison, and a classify-and-close justification on synthetic entities
A one-paragraph-per-domain reflection in your own words plus an answer to one end-to-end scenario naming the products and KQL
A study-guide diff with any uncovered topics flagged as gaps, a confirmation the workspace was deleted with nothing billing, and a recorded next decision
Review checklist
The exercise covers all three SC-200 domains - environment, response, and hunting - in one continuous loop in a subscription the learner owns.
Every tenant action stayed in a free Azure subscription the learner owns, attached no large data source, acted only on synthetic entities, and touched no work or school tenant.
The billing boundary was respected: the Log Analytics workspace was deleted before the Sentinel trial ended and Cost Management confirms nothing continues to bill.
The KQL hunt is real (a query was run and a hunting query saved), the incident was classified and closed with a justification, and the detection-feedback loop is explained.
Each domain has a your-words reflection, and the end-to-end scenario names the correct products and KQL with a short justification.
The current SC-200 study guide was rechecked and any changed domain, weight range, or skills-measured date invalidates the affected part of the packet.
All three current SC-200 domains map to a step and an artifact in the packet; uncovered topics remain explicit gaps rather than implied completion.
The packet uses only synthetic or public sample data and publishes no real tenant, incident, credential, or organization data.
The artifact does not claim exam success, official Microsoft approval or training beyond linked sources, professional security-operations experience, any authorization to configure or act on systems the learner does not own, or a RoleMath credential.
Safety boundary: Build the capstone in a free Azure subscription you own using the Microsoft Sentinel free trial - never a work, school, employer, or client tenant. Attach no large data source, act only on the lab's synthetic entities, and DELETE the Log Analytics workspace before the trial ends, confirming in Cost Management that nothing continues to bill. Use only synthetic or public sample data and publish no real data. This program grants no authorization to configure, query, or act on any system you do not own; documentation-only completion of the tenant steps is fully supported.
Finish honestly
Completion, portfolio, and maintenance
Completion evidence
All three current SC-200 domain modules have been covered and checked against the official Microsoft SC-200 study guide, including a recheck of the current study guide before any exam scheduling.
Every domain lab has been completed in a free Azure trial the learner owns, on public sample data, or documentation-only, with no work or school tenant touched, no large data source attached, only synthetic entities acted on, and the workspace deleted before trial end.
Every authored knowledge check has been attempted and each miss has a cited correction plus a fresh scenario.
The official Microsoft Learn free paths, the Sentinel Training Lab, the Kusto Detective Agency, the free practice assessment, and any optional community resource (John Savill's SC-200 content) have been used within their current free-access terms, with any community video reconciled to the official study guide.
The integrated end-to-end capstone passes its three-domain coverage, billing-boundary and teardown, synthetic-data, and study-guide-diff review, with the workspace deleted and nothing billing.
The learner has recorded remaining objective gaps and a next study or exam-scheduling decision; completion is not represented as an exam result, a credential, job readiness, or professional security-operations experience.
Portfolio candidates
A Sentinel environment record: the deployed Training Lab with connectors, retention, and at least one analytics rule mapped to MITRE ATT&CK, plus confirmation the workspace was deleted before trial end
An incident-response record: a training incident triaged, investigated across the Defender XDR entity graph, managed as a case (with an optional Security Copilot comparison), and classified and closed with a justification
A KQL hunting record: core operators practiced on public sample data, a SecurityEvent failed-logon hunt, an Advanced Hunting schema tour, a Sentinel Graph note, and a saved Sentinel hunting query
A crosswalk table linking every artifact to at least one of the three SC-200 domain IDs (environment, respond, hunt), confirming full-domain coverage rather than implied completion
The integrated end-to-end capstone packet with the deploy-hunt-respond-teardown loop, the per-domain reflections, the end-to-end scenario answer, and a study-guide diff plus next decision
Present the packet as self-directed SC-200 study done against Microsoft's public documentation and a free Azure trial you own (or public sample data). Do not call it real-world security operations, Microsoft approval, professional security-operations experience, authorization to configure or act on any system you do not own, or a RoleMath credential, and never publish real tenant, subscription, incident, credential, or organization data.
Freshness controls
Objective source checked 2026-07-11. Recheck objectives every 30 days and resources every 90 days.
Stop and re-verify when
Microsoft revises the SC-200 study guide, domain set, domain names or weight ranges, exam code, passing score, fee, duration, or Associate level.
The staged skills-measured update (effective July 28, 2026) turns out to change a domain name or weight range rather than only adding sub-skills (agentic AI / embedded Security Copilot to Respond, Sentinel Graph to Hunt), or a later update changes a name or weight.
A free Microsoft Learn SC-200 learning path, the official free practice assessment, the Microsoft Sentinel Training Lab, or the Kusto Detective Agency changes URL, availability, or free-access terms.
A product referenced in the labs (Microsoft Sentinel, Microsoft Defender XDR and its component Defenders, Microsoft Defender for Cloud, Microsoft Purview, Microsoft Security Copilot, or Azure Data Explorer / KQL) is renamed, restructured, or changes its free-versus-paid boundary or the Sentinel free-trial terms.
The free Azure account or the Microsoft Sentinel 30-day free trial used for the tenant labs changes its availability, free tier, or billing terms, or a lab can no longer be completed documentation-only or on public sample data.
Any module, lab, check, phase, capstone step, account instruction, billing-boundary guardrail, or study-guide diff fails technical, source, prerequisite, safety, authorization, privacy, accessibility, currency, or claims review.
Skills measured
The official objective domains and their exam weight — titles & weights only, straight from the vendor’s exam objectives. Microsoft SC-200 study guide
For SC-200 the exam's own numbering already matches how the skills build, so we follow it: Manage a security operations environment (Domain 1, 40-45%), then Respond to security incidents (Domain 2, 35-40%), then Perform threat hunting (Domain 3, 20-25%). We open with Domain 1 because it is both the heaviest slice and the scaffolding for everything else: you cannot triage incidents or hunt across data you have not first ingested, normalized, and wired into detections. This domain is where you stand up Microsoft Sentinel as a SIEM, connect data sources, configure the workspace, and author analytics rules mapped to MITRE ATT&CK - the plumbing the rest of the job runs on, so building it first means the later domains have real data to work with. We go to Domain 2 second because responding to incidents is the daily work of a security operations analyst and it draws directly on the environment you just configured: an analyst investigates and remediates across Microsoft Defender XDR (endpoint, identity, email, cloud apps, and cloud), across Microsoft Sentinel incidents, and increasingly with an embedded Security Copilot agentic-AI assistant, so it makes sense to learn response once the detections that generate those incidents are in place. We close with Domain 3, threat hunting, because it is the smallest slice by weight and the most naturally studied last: proactive KQL hunting in Defender XDR Advanced Hunting and in Microsoft Sentinel is most meaningful once you already understand the data sources (Domain 1) and what a real incident looks like (Domain 2), so your hunts are grounded in context rather than practiced in a vacuum. A note on how to study: SC-200 is hands-on and scenario-based - it asks what you would configure or do as an analyst, not whether you can recite a feature list - so time in a real Sentinel/Defender workspace and real KQL matters more than memorization, and this order gives each hands-on lab the data and context it needs. This is sequencing advice based on the published weight ranges and how the tasks depend on each other, not a claim about the science of learning; if a different order fits how you think, use it.
Study this first. At 40-45% it is the heaviest domain, and it is the scaffolding for everything else: you cannot triage incidents or hunt across data you have not first ingested, normalized, and wired into detections. This is where you stand up Microsoft Sentinel, connect data sources, and author analytics rules.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-200 study guide
This is the 'stand up and run the SOC's tooling' domain, and Microsoft weights it at 40-45% - by far the heaviest slice of SC-200. It is the plumbing the whole job depends on: before an analyst can respond to an incident or hunt for a threat, someone has to ingest the data, normalize it, wire up detections, and keep the platform healthy. Because it is both the largest domain and the foundation the other two build on, we study it first and give it the most time. Unlike the fundamentals exams, this is genuinely hands-on: the skills are configuring Microsoft Sentinel and Microsoft Defender XDR, not describing them, so plan to spend real time in a workspace you own.
Automation across Microsoft Defender XDR and Microsoft Sentinel is the efficiency layer, and the exam expects you to reason about it. In Microsoft Sentinel, automation rules govern how incidents are handled at scale - assigning owners, setting severity, suppressing noise, or triggering a playbook - while playbooks (built on Azure Logic Apps) carry out the actual response steps such as enriching an alert, opening a ticket, or notifying a channel. In Defender XDR, automated investigation and response can triage and remediate common alerts without human effort. The through-line the exam rewards is knowing when to let automation handle a repeatable, high-confidence reaction and when a human analyst must stay in the loop, so that the SOC scales without acting blindly.
Configuring Microsoft Sentinel as a SIEM is the domain's centerpiece. Sentinel is Microsoft's cloud-native SIEM and SOAR platform, and this domain covers the operational setup: creating and configuring the Log Analytics workspace it runs on, managing roles and permissions so the right people can read, respond, and administer, setting data retention to balance investigation needs against cost, and using workbooks to visualize the estate. SOC optimization recommendations help you tune coverage and spend over time. The mental model to carry is that Sentinel centralizes signals from across the environment so a pattern invisible in any single source becomes visible - and that this power depends entirely on how well you configure the workspace, connectors, and analytics beneath it.
Data ingestion is where a SIEM lives or dies, and the exam probes the connector landscape in depth. Data connectors bring signals in: native connectors for Microsoft and major cloud services, and agent-based collection for the rest - the Azure Monitor Agent (AMA) gathering Windows and Linux events, and Syslog and Common Event Format (CEF) for network devices, firewalls, and third-party appliances. You should also recognize threat-intelligence connectors that import indicators of compromise, and the ability to define custom tables and transform data at ingestion so it lands in a usable, cost-aware shape. The recurring skill is matching a data source to the right connector and understanding that what you ingest - and how you normalize it - sets the ceiling on what you can later detect and hunt.
Detections and analytics rules turn raw data into incidents, and this is the domain's analytical heart. Scheduled analytics rules run KQL queries on a cadence to spot known-bad patterns; near-real-time (NRT) rules fire with minimal delay for time-sensitive conditions; and Microsoft-provided rule templates and the content hub give you a running start. Crucially, the exam expects you to think about detections in terms of the MITRE ATT&CK framework: mapping your analytics rules to ATT&CK tactics and techniques lets a SOC measure and close coverage gaps rather than guessing whether it can see a given adversary behavior. When a rule fires, it produces an alert that groups into an incident - the object Domain 2 then investigates - so this domain quite literally manufactures the work the rest of the exam handles.
Study this domain by standing up a real, safe SIEM and touching every layer of it, because SC-200 rewards configuration skill over recall. The lab below deploys the Microsoft-published Sentinel Training Lab into a free Azure subscription you own using the Sentinel 30-day free trial: you enable Sentinel on a Log Analytics workspace, load the lab's simulated attack data, then tour the connectors, workspace retention, workbooks, analytics rules (scheduled versus NRT, with their MITRE ATT&CK mapping), and the incident queue - recording what you built in your own words. A hard billing boundary applies: use only a subscription you own, attach no large data source, and delete the workspace before the trial ends. As always, read the official SC-200 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
Learn it free
Official · Official exam objectives
Microsoft SC-200 study guideThe exam's own topic list for this domain - read its security-operations-environment section directly rather than relying on any summary, including ours. (captured 2026-07-11)
Microsoft Sentinel Training Lab (official, deploy-it-yourself)The Microsoft-published Sentinel Training Lab with simulated attack data, deployed into a free Azure trial you own; the hands-on ground for this domain - mind the billing boundary and delete the workspace before the trial ends. (captured 2026-07-11)
Sc200 Sentinel Environment Lab
Deploy the Microsoft Sentinel Training Lab in a free Azure subscription you own and load its simulated attack data Tour and record the connectors, retention, workbooks, scheduled-versus-NRT analytics rules with their MITRE ATT&CK mapping, and the incident queue
Free tools
Azure portal (portal.azure.com)
Microsoft Sentinel on a Log Analytics workspace
A web browser
A plain-text or Markdown editor
Steps
Read the checklist's billing boundary, then in a free Azure subscription you own create a resource group and Log Analytics workspace, enable Microsoft Sentinel, deploy the Sentinel Training Lab, and record the deployment details in Part A.
Fill Part B (two connector types, the retention setting, one workbook) and Part C (scheduled versus NRT analytics rules, one rule's MITRE ATT&CK mapping, and how a rule becomes an incident), summarizing in your own words.
Open the incident queue and fill Part D (incident count and per-incident fields), then save the checklist with the confirmation that you used a subscription you own, attached no large data source, and set a delete reminder.
What you should see
Confirm the checklist records a Sentinel-enabled workspace with the Training Lab loaded, two connector types and the retention setting, a workbook, the scheduled-versus-NRT distinction with a rule's MITRE ATT&CK mapping, the incident queue, and a billing-boundary confirmation.
Practice evidence maps to exam_domain_microsoft_security_operations_analyst_associate_sc_200_01
Stay safe & legal: Deploy and explore ONLY a free Azure subscription you own; never a work, school, employer, or client tenant. The Microsoft Sentinel 30-day free trial covers this lab's small simulated dataset, but you must attach no large or production data source during the trial and must set a reminder to DELETE the Log Analytics workspace before the trial expires so no ingestion or retention charges accrue; this lab grants no authorization to configure any system you do not own. Account required: yes; payment required: no; maximum designed cost: $0.
Check yourself
3RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 2 of 3 · domain 2 · 35-40% of the exam
Respond to security incidents
Study this second. At 35-40% it is the second-heaviest domain and the analyst's daily work: investigating and remediating across Microsoft Defender XDR (endpoint, identity, email, cloud apps, and cloud), across Sentinel incidents, and increasingly with an embedded Security Copilot agentic-AI assistant.
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-200 study guide
This is the 'do the analyst's job' domain, and Microsoft weights it at 35-40% - the second-largest slice of SC-200. Where Domain 1 built the SIEM, this domain is about working the incidents that SIEM produces: triaging them, investigating across every layer of the Microsoft security portfolio, taking remediation actions, and closing cases defensibly. It is the most tool-diverse domain on the exam, because a real incident rarely stays in one product - a single attack can touch an endpoint, an identity, a mailbox, a cloud app, and a cloud workload at once - so the skill it tests is investigating a correlated incident across all of them rather than juggling separate consoles.
Responding across Microsoft Defender XDR is the domain's backbone, and you should be able to work each component in an incident. Defender for Endpoint handles device detection and response - timelines, live response sessions, investigation packages, and attack-disruption actions; Defender for Office 365 handles email and collaboration threats; Defender for Identity surfaces on-premises Active Directory attack signals; Defender for Cloud Apps governs SaaS visibility and control; Microsoft Entra ID Protection contributes risky-user and risky-sign-in signals; and Defender for Cloud brings cloud-workload alerts and posture findings into the picture. Microsoft Purview adds the data-security and investigation surface - Audit, eDiscovery, and activity signals. The exam skill is mapping an entity in an incident to the product that owns its deepest signal and knowing what response action each product offers.
The unified incident experience is what ties the portfolio together, and it is heavily tested. Microsoft Defender XDR correlates alerts from across endpoints, identities, email, and cloud apps into a single incident with one investigation graph, so an analyst reasons about one coordinated attack rather than a scatter of alerts. You should be fluent in the incident queue: reviewing entities and evidence, following the investigation graph, pivoting from one entity to its related activity, assigning severity and ownership, and understanding how multi-stage attacks are stitched together. Attack disruption - automatically containing an in-progress attack by isolating a device or suspending an account - is a capability to recognize. The clean idea to carry is that XDR turns many alerts into one investigable incident, and your job is to drive that incident to a decision.
Case management and the newest capability - agentic AI with an embedded Security Copilot - are where this domain has grown, and the July 2026 update makes them examinable. Sound case management means documenting your work as you go: adding comments and tasks, assigning owners, and classifying and closing an incident as a true positive, benign positive, or false positive with a justification the next analyst can trust. Layered on top, Microsoft Security Copilot brings generative and increasingly agentic AI into the investigation - summarizing an incident, suggesting next steps, and running embedded investigation experiences inside the Defender and Sentinel portals. The judgment the exam rewards is treating the AI assistant as an accelerant that drafts and enriches, while a human analyst still governs the decision to contain, remediate, or close - the AI proposes, the analyst disposes.
Microsoft Sentinel incidents and cross-signal investigation round out the domain and connect it back to Domain 1. When your Sentinel analytics rules fire, they produce incidents in Sentinel's own queue, and responding there means investigating entities, running playbooks and automation rules for consistent enrichment and response, and correlating Sentinel's broad, multi-source view with the deep, endpoint-and-identity-rich view Defender XDR provides. The recurring skill is knowing which console to reach for: Defender XDR for a deep, correlated first-party incident, and Microsoft Sentinel for a wide-angle view that folds in third-party and custom data. A capable analyst moves fluidly between them and standardizes the routine parts of response with automation so their attention goes to the judgment calls.
Study this domain by driving a real incident from the queue to a defensible close, because SC-200 tests what you would do, not what you can name. The lab below takes one of the incidents the Sentinel Training Lab generated in the same free trial workspace you own and runs it through the RoleMath incident-triage worksheet: you triage and set severity, follow the investigation graph and pivot on entities, map each entity type to the Defender product that owns it, add comments and tasks, optionally compare a Security Copilot summary to your own read, then classify and close with a justification and note what you would feed back into detections. All actions are taken only against the synthetic lab entities, never a real system, and the trial's billing boundary still applies. As always, read the official SC-200 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
Learn it free
Official · Official exam objectives
Microsoft SC-200 study guideThe authoritative topic list for this domain's incident-response coverage - read it directly rather than relying on any summary, including ours. (captured 2026-07-11)
SC-200: Mitigate threats using Microsoft Security Copilot (free learning path)Microsoft's own free path on the embedded Security Copilot agentic-AI assistant added to the response domain in the July 2026 update; verify the free label before relying on it, and reconcile it against the current study guide. (captured 2026-07-11)
Sc200 Incident Response Lab
Triage and investigate a training incident across the Defender XDR entity graph and map each entity type to the product that owns it Manage the case, optionally compare a Security Copilot summary to your own read, and classify and close the incident with a justification
Free tools
Microsoft Defender portal (security.microsoft.com)
Microsoft Sentinel incidents on a workspace you own
A web browser
A plain-text or Markdown editor
Steps
Read the worksheet's safety boundary, pick one Training Lab incident, and fill Part A: record its title, severity, and correlated alerts, form a first hypothesis, and decide whether to keep or change the severity.
Fill Part B (investigation graph, entity pivot, and the entity-to-Defender-product mapping) and Part C (a comment, a task, an assignment, and an optional Security Copilot summary comparison or a docs note on where AI helps and where human judgment governs).
Fill Part D (remediation action(s) marked runnable or would-do, and a classify-and-close decision with a justification and a detection-feedback note), then save the worksheet with the own-workspace, synthetic-entity, delete-before-expiry confirmation.
What you should see
Confirm the worksheet records a triaged incident with a severity decision, an investigation-graph entity pivot and an entity-to-product mapping, case-management notes with an optional Security Copilot comparison, a remediation plan, and a classify-and-close decision with a justification.
Practice evidence maps to exam_domain_microsoft_security_operations_analyst_associate_sc_200_02
Stay safe & legal: Respond ONLY in the free Sentinel/Defender workspace you own from the Domain 1 lab; never a work, school, employer, or client tenant. These are simulated training incidents - take any remediation action only against the lab's synthetic entities, never a real device, user, or mailbox, and where a full action is unavailable record it as 'would-do'. The Sentinel trial's billing boundary still applies: delete the workspace before it expires. This lab grants no authorization to act on any system you do not own. Account required: yes; payment required: no; maximum designed cost: $0.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Module 3 of 3 · domain 3 · 20-25% of the exam
Perform threat hunting
Study this last. At 20-25% it is the smallest slice by weight and the most naturally studied last: proactive KQL hunting in Defender XDR Advanced Hunting and in Microsoft Sentinel is most meaningful once you already understand the data sources (Domain 1) and what a real incident looks like (Domain 2).
What this domain actually covers
Plain-language explanation in our own words — paraphrased from, and checked against, the official objectives. Microsoft SC-200 study guide
This is the 'go find what the detections missed' domain, and Microsoft weights it at 20-25% - the smallest slice of SC-200, but the one that most distinguishes a proactive analyst from a reactive one. Where Domain 2 responds to incidents that fired, threat hunting starts from a hypothesis - a threat report, an ATT&CK technique, an anomaly - and queries the raw telemetry to confirm or refute it before an alert ever exists. We study it last because a good hunt is grounded in the data sources you configured in Domain 1 and the incident patterns you learned in Domain 2; hunting in a vacuum, without that context, teaches syntax but not judgment. The skill the exam rewards is fluent KQL applied with a clear question in mind.
KQL threat hunting in Microsoft Defender XDR Advanced Hunting is the domain's first pillar. Advanced Hunting exposes a rich schema of tables - device process and network events, identity logon events, email events, and more - that you query with the Kusto Query Language to find rare or suspicious behavior across the estate. You should be comfortable scoping a query to the right table, filtering and projecting the fields that matter, summarizing to surface outliers, and joining tables to follow an entity across signal types. Threat analytics reports give you Microsoft-curated context on active threats to hunt for, and a strong hunt can be promoted into a custom detection so the finding is caught automatically next time. The recurring idea is that Advanced Hunting turns 'I wonder if we were affected by X' into a concrete, answerable query.
Sentinel Graph and entity relationships - new in the July 2026 update - are the domain's newest capability, and worth recognizing. Beyond querying a single table, Sentinel Graph lets you traverse the relationships between entities: a user to the devices they signed into, those devices to the processes they ran, those processes to the network destinations they reached. Reasoning over that graph surfaces attack chains that a table-by-table query would miss, because the signal is in how the entities connect, not in any one row. The exam skill here is conceptual as much as syntactic: understanding that a graph view of entity relationships is a different and complementary way to hunt, letting an analyst follow an adversary's path rather than inspecting isolated events.
Threat hunting in Microsoft Sentinel is the domain's second pillar and pulls together the broad, multi-source view. Sentinel provides purpose-built hunting queries you can run and customize, bookmarks to save interesting results as you go, and the ability to run KQL jobs against larger data - including data in a data lake or archive tier - so cost-effective retrospective hunts over long time ranges become possible. Summary rules pre-aggregate high-volume data to make hunting and detection cheaper, and notebooks (with the supporting tooling and, increasingly, MCP-server integration) let advanced analysts hunt with the full power of a data-science environment. The clean distinction to carry is that Defender XDR Advanced Hunting is deep on first-party endpoint and identity signal, while Sentinel hunting spans the wide, multi-source estate and scales to long-horizon, large-data hunts.
Study this domain by building the KQL muscle safely and then applying it where the data lives, because SC-200 tests hunting you can actually perform. The lab below is two-tier: Tier A uses the Kusto Detective Agency game and the Azure Data Explorer sample playground to practice core KQL operators - where, project, summarize, extend, join, let, and time-binning - on public sample data with NO tenant, no account, and no cost; Tier B applies that KQL in the same free Sentinel/Defender workspace you own, running a SecurityEvent failed-logon hunt, touring the Advanced Hunting schema, noting how Sentinel Graph traverses entity relationships, and saving a Sentinel hunting query - all read-only except the query you save in your own workspace, and inside the trial's billing boundary. As always, read the official SC-200 study guide for Microsoft's authoritative topic list; this explanation paraphrases its scope in our own words rather than reproducing it.
Learn it free
Official · Official exam objectives
Microsoft SC-200 study guideThe authoritative topic list for this domain's threat-hunting coverage - read it directly rather than relying on any summary, including ours. (captured 2026-07-11)
Official · Free official hands-on practice
Kusto Detective Agency (official KQL practice game, no tenant needed)Microsoft's free KQL game on public sample data - the safest, no-cost way to build the query muscle threat hunting depends on before you touch a real workspace; no account or tenant required. (captured 2026-07-11)
Official · Free official practice questions
Microsoft SC-200 practice assessment (official, free)Microsoft's own free interactive practice assessment for SC-200, useful across all three domains to check familiarity with the question style; the pool is finite and recycles, so treat it as a readiness check rather than a coverage guarantee. (captured 2026-07-11)
Sc200 Threat Hunting Kql Lab
Practice core KQL operators on public sample data with no tenant using Kusto Detective Agency and the ADX playground Run a SecurityEvent failed-logon hunt, tour Advanced Hunting and Sentinel Graph, and save a Sentinel hunting query in a workspace you own
Free tools
Kusto Detective Agency and the Azure Data Explorer sample playground (public, no tenant)
Microsoft Defender XDR Advanced Hunting and Microsoft Sentinel on a workspace you own
A web browser
A plain-text or Markdown editor
Steps
Read the log's safety boundary, then complete Tier A on public sample data (Kusto Detective Agency and/or the ADX playground): for each KQL operator (where, project, summarize, extend, join, let, bin over time) write what it does and a tiny query you ran.
In the free workspace you own, run the SecurityEvent failed-logon hunt (EventID 4625 summarized by account and count), tour Advanced Hunting (three tables and a hunting question each), and note how Sentinel Graph traverses entity relationships (from your workspace or the docs).
Save your failed-logon query as a Sentinel hunting query (or bookmark a result), record its name and hypothesis and when a repeatable hunt should become a scheduled analytics rule, then save the log with the Tier A public-data / Tier B own-workspace confirmation.
What you should see
Confirm the log records the Tier A KQL operators with real queries on public sample data, a Tier B SecurityEvent failed-logon hunt with its result, three Advanced Hunting tables, a Sentinel Graph entity-relationship note, and a saved Sentinel hunting query with its hypothesis.
Practice evidence maps to exam_domain_microsoft_security_operations_analyst_associate_sc_200_03
Stay safe & legal: Tier A runs on public Microsoft sample data only and touches no tenant. Tier B runs ONLY in the free Sentinel/Defender workspace you own from the Domain 1 lab; never a work, school, employer, or client tenant. Tier B queries are read-only and you create nothing except a saved hunting query in your own workspace, and the Sentinel trial's billing boundary still applies - delete the workspace before it expires. This lab grants no authorization to query any system you do not own. Account required: optional; payment required: no; maximum designed cost: $0.
Check yourself
2RoleMath-original concept checks for this domain — written by us against cited public sources, never taken from any exam. They confirm understanding; they don’t predict a pass.
Skills you’ll build
Studying Microsoft Security Operations Analyst Associate (SC-200)builds transferable skills that carry across employers and platforms, not just toward this one exam. Each has a free, source-cited RoleMath primer — what it is, a step-by-step free learning path, clearly labeled free resources, and a safe hands-on exercise:
Work through the modules above, then get a personalized read on where you stand: the readiness check maps your background against these same published domains and suggests what to study first — no score, no pass prediction.
Exam registration fee: Approximately $165 USD for the United States. Microsoft's exam page does not print a dollar figure - it states the price depends on the country or region where the exam is proctored - so treat the roughly $165 figure as a third-party-reported US number, not a first-party printed price, and confirm the exact fee for your location at checkout when you schedule with the delivery provider. Official Microsoft SC-200 exam page (region-priced; no figure printed)
Duration and level: About 100 minutes of exam time; SC-200 is an Associate-level certification aimed at security operations analysts, delivered via Pearson VUE or online proctoring. It is not an entry-level exam - Microsoft recommends the SC-900 and AZ-900 fundamentals and some Azure and security-operations background first. Official Microsoft SC-200 exam page
Version currency: The skills measured on the study guide are noted as effective July 28, 2026 - a staged minor update that keeps the same three domains and the same weight ranges but adds agentic-AI and embedded Security Copilot content to the response domain and Sentinel Graph entity relationships to the hunting domain. Always diff the current study guide before you schedule. Official Microsoft SC-200 study guide
A free, source-cited study companion built on Microsoft's published SC-200 study guide, for independent study only. It is not official training, is not affiliated with or endorsed by Microsoft, and is not a pass guarantee. SC-200 is an ASSOCIATE-level exam, not a first certification: it assumes the SC-900 and AZ-900 fundamentals and some Azure and security-operations familiarity, so start there if security operations is brand new to you. The hands-on labs run only on your OWN free Azure subscription using the Microsoft Sentinel free trial (never a work or school tenant), with a strict billing boundary - attach no large data source and delete the workspace before the trial ends - or on public sample data that needs no tenant at all. Verify the current objectives on the official study guide before your exam.
Certification and vendor names are used only to identify the program this independent study companion refers to. RoleMath is not affiliated with, endorsed by, or sponsored by Microsoft.