Professional Documents
Culture Documents
Skills Measured
This exam will be updated on July 23, 2021. Following the current exam guide, we have
included a version of the exam guide with Track Changes set to “On,” showing the
changes that will be made to the exam on that date.
Audience Profile
The Microsoft Security Operations Analyst collaborates with organizational stakeholders to
secure information technology systems for the organization. Their goal is to reduce
organizational risk by rapidly remediating active attacks in the environment, advising on
improvements to threat protection practices, and referring violations of organizational policies
to appropriate stakeholders.
Skills Measured
NOTE: The bullets that appear below each of the skills measured are intended to illustrate how
we are assessing that skill. This list is not definitive or exhaustive.
NOTE: Most questions cover features that are General Availability (GA). The exam may contain
questions on Preview features if those features are commonly used.
detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for
Business threats
detect, investigate, respond, remediate threats to email by using Defender for Office 365
manage data loss prevention policy alerts
assess and recommend sensitivity labels
assess and recommend insider risk policies
Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender
for Endpoint
Plan and implement the use of data connectors for ingestion of data sources in Azure
Defender
identify data sources to be ingested for Azure Defender
configure Automated Onboarding for Azure resources
connect non-Azure machine onboarding
connect AWS cloud resources
connect GCP cloud resources
configure data collection
Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure
Sentinel
The exam guide below shows the changes that will be implemented on July 23, 2021.
Audience Profile
The Microsoft Security Operations Analyst collaborates with organizational stakeholders to
secure information technology systems for the organization. Their goal is to reduce
organizational risk by rapidly remediating active attacks in the environment, advising on
improvements to threat protection practices, and referring violations of organizational policies
to appropriate stakeholders.
Skills Measured
NOTE: The bullets that appear below each of the skills measured are intended to illustrate how
we are assessing that skill. This list is not definitive or exhaustive.
NOTE: Most questions cover features that are General Availability (GA). The exam may contain
questions on Preview features if those features are commonly used.
detect, investigate, respond, remediate Microsoft Teams, SharePoint, and OneDrive for
Business threats
detect, investigate, respond, remediate threats to email by using Defender for Office 365
manage data loss prevention policy alerts
assess and recommend sensitivity labels
assess and recommend insider risk policies
Detect, investigate, respond, and remediate endpoint threats by using Microsoft Defender
for Endpoint
identify, investigate, and remediate security risks by using Microsoft Cloud Application
Security (MCAS)
configure MCAS to generate alerts and reports to detect threats
plan and configure an Azure Defender settings, including selecting target subscriptions
and workspace
configure Azure Defender roles
configure data retention policies
assess and recommend cloud workload protection
Plan and implement the use of data connectors for ingestion of data sources in Azure
Defender
identify data sources to be ingested for Azure Defender
configure Automated Onboarding for Azure resources
connect non-Azure machine onboarding on-premises computers
connect AWS cloud resources
connect GCP cloud resources
configure data collection
Plan and Implement the use of Data Connectors for Ingestion of Data Sources in Azure
Sentinel