Microsoft Security Operations Analyst Associate Quick Facts (2025)

Exam Domain Breakdown

Domain 1: Manage a security operations environment (26% of the exam)

Configure settings in Microsoft Defender XDR

• Configure alert and vulnerability notification rules
• Configure Microsoft Defender for Endpoint advanced features
• Configure endpoint rules settings
• Manage automated investigation and response capabilities in Microsoft Defender XDR
• Configure automatic attack disruption in Microsoft Defender XDR

Summary: In this section, you will gain skills in configuring the foundational settings that drive proactive threat response in Defender XDR. From advanced feature configuration to automated investigation and response, the objective is to establish an optimized and highly responsive threat defense posture. You will learn to streamline how alerts are generated and handled while incorporating automation to maintain consistency and efficiency.

Beyond setup, the section encourages you to strengthen the environment with automatic attack disruption capabilities that help stop threats in progress. This ensures you can leverage technology to scale defenses and maintain operational readiness at all times.

Manage assets and environments

• Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint
• Identify unmanaged devices in Microsoft Defender for Endpoint
• Discover unprotected resources by using Defender for Cloud
• Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management
• Mitigate risk by using Exposure Management in Microsoft Defender XDR

Summary: This section focuses on managing assets and discovery to ensure every endpoint and resource is protected under Defender for Endpoint and Defender for Cloud. You will explore how to group devices, assign appropriate permissions, and configure automation levels so resources are kept safe and maintain compliance with organizational policies.

Additionally, this section introduces tools to identify unmanaged or high-risk devices and remediate vulnerabilities before they impact operations. By using vulnerability and exposure management, you create a dynamic approach to protect and secure environments, strengthening resilience across your ecosystem.

Design and configure a Microsoft Sentinel workspace

• Plan a Microsoft Sentinel workspace
• Configure Microsoft Sentinel roles
• Specify Azure RBAC roles for Microsoft Sentinel configuration
• Design and configure Microsoft Sentinel data storage, including log types and log retention

Summary: Here you focus on building and configuring the structural foundation of Microsoft Sentinel. By planning a workspace and defining roles, you establish governance and access controls that ensure monitoring processes are both secure and efficient. Learning how Sentinel integrates with Azure RBAC unlocks flexible and precise permissions management for operational teams.

This section also emphasizes storage strategies for logs and data collection. You will learn to plan retention policies appropriate to compliance and organizational requirements, ensuring the Sentinel workspace not only captures vital security insights but also maintains optimal performance at scale.

Ingest data sources in Microsoft Sentinel

• Identify data sources to be ingested for Microsoft Sentinel
• Implement and use Content hub solutions
• Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings
• Plan and configure Syslog and Common Event Format (CEF) event collections
• Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)
• Create custom log tables in the workspace to store ingested data
• Monitor and optimize data ingestion

Summary: Data ingestion is at the heart of Microsoft Sentinel, and this section ensures you understand how to bring the right information into the system using a structured and well-monitored approach. You will explore native connectors, Content hub, Windows event configurations, and custom log collection to build a comprehensive data picture across environments.

Alongside ingestion, this section covers performance optimization and monitoring strategies to maximize data flow while managing associated costs. With these skills, you will ensure Sentinel receives rich, actionable data sources that strengthen visibility and empower powerful analytics rules.

Domain 2: Configure protections and detections (21% of the exam)

Configure protections in Microsoft Defender security technologies

• Configure policies for Microsoft Defender for Cloud Apps
• Configure policies for Microsoft Defender for Office 365
• Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules
• Configure cloud workload protections in Microsoft Defender for Cloud

Summary: This section enables you to put protective systems in place across Defender solutions. You will learn to configure policies for safeguarding emails, documents, apps, and cloud environments in a unified and efficient manner. By working with capabilities such as attack surface reduction rules, you directly contribute to reducing exposure before threats can take hold.

Additionally, configuring protections across workloads and cloud applications ensures security coverage extends seamlessly across user activity, data storage, and endpoints. By securing modern hybrid environments, you create stronger baselines of protection that integrate across the entire Microsoft ecosystem.

Configure detections in Microsoft Defender XDR

• Configure and manage custom detection rules
• Manage alerts, including tuning, suppression, and correlation
• Configure deception rules in Microsoft Defender XDR

Summary: Moving beyond prevention, this section gives you tools to detect threats as they emerge. By customizing detections, tuning alerts, and using suppression and correlation effectively, you prioritize alerts most relevant to your environment. These skills foster actionable and high-fidelity signals, reducing noise and improving analyst efficiency.

You will also explore deception-based detection techniques, which help identify adversaries quickly by exposing hidden threats. With enhanced customization and detection rules, you create defenses that adapt to evolving attacker behaviors.

Configure detections in Microsoft Sentinel

• Classify and analyze data by using entities
• Configure and manage analytics rules
• Query Microsoft Sentinel data by using ASIM parsers
• Implement behavioral analytics

Summary: This section focuses on Sentinel’s ability to detect suspicious activities by classifying and analyzing data through entities. You will configure analytics rules leveraging both basic conditions and advanced behavioral indicators to detect anomalies across logs and events.

Furthermore, you will refine analytics by harnessing ASIM parsers and advanced queries, which enable precise investigation and detection. These capabilities strengthen Sentinel’s ability to identify unusual activity, empowering faster, more confident responses to emerging threats.

Domain 3: Manage incident response (32% of the exam)

Respond to alerts and incidents in the Microsoft Defender portal

• Investigate and remediate threats by using Microsoft Defender for Office 365
• Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption
• Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies
• Investigate and remediate threats identified by Microsoft Purview insider risk policies
• Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud workload protections
• Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps
• Investigate and remediate compromised identities that are identified by Microsoft Entra ID
• Investigate and remediate security alerts from Microsoft Defender for Identity

Summary: In this section, you will apply investigative skills to respond effectively to a wide variety of incidents across Microsoft Defender and Purview solutions. This includes everything from business email compromise to insider risks, ransomware events, and identity risks. A primary focus will be on using the Defender portal to orchestrate efficient investigations across workloads and identities.

By honing these skills, you will also practice consistent remediation workflows that reduce exposure times and limit damage. The emphasis on proactive and prompt handling of incidents ensures your security operations remain resilient and responsive.

Respond to alerts and incidents identified by Microsoft Defender for Endpoint

• Investigate device timelines
• Perform actions on the device, including live response and collecting investigation packages
• Perform evidence and entity investigation

Summary: Device investigation is a central element of endpoint response, and this section equips you to explore timelines and identify suspicious behaviors across devices. You will perform proactive actions such as isolating, investigating, and running live responses directly on endpoints.

You will also enhance your ability to collect and analyze investigation packages, enabling deeper forensic insight into threats. These capabilities empower you to contain risks at the device level and prevent reoccurrence by closing potential gaps.

Investigate Microsoft 365 activities

• Investigate threats by using the unified audit log
• Investigate threats by using Content Search
• Investigate threats by using Microsoft Graph activity logs

Summary: This section provides vital skills for investigating threats across Microsoft 365 environments. The unified audit log offers a wide lens view of activities, and Content Search complements this by enabling targeted investigations of sensitive data or suspicious usage.

Additionally, Microsoft Graph activity logs deliver deep insights into identity-specific behaviors for even more precise investigations. By mastering these tools, you will streamline the investigative process while ensuring all user and application activity is accounted for.

Respond to incidents in Microsoft Sentinel

• Investigate and remediate incidents in Microsoft Sentinel
• Create and configure automation rules
• Create and configure Microsoft Sentinel playbooks
• Run playbooks on on-premises resources

Summary: Sentinel’s ability to coordinate response comes to life here as you explore incident investigation and playbook automation. You will build automated processes through playbooks, using them to remediate threats efficiently and consistently while reducing analyst burden.

By running automation rules both in the cloud and on-premises, Sentinel becomes a central hub of orchestrated response. These practices help create a streamlined SOC that responds quickly and at scale.

Implement and use Microsoft Security Copilot

• Create and use promptbooks
• Manage sources for Security Copilot, including plugins and files
• Integrate Security Copilot by implementing connectors
• Manage permissions and roles in Security Copilot
• Monitor Security Copilot capacity and cost
• Identify threats and risks by using Security Copilot
• Investigate incidents by using Security Copilot

Summary: This section equips you to embrace AI-powered investigation and remediation through Microsoft Security Copilot. You will learn to use tools such as promptbooks, plugins, and connectors to integrate Copilot deeply with security workflows. This integration enhances situational intelligence and accelerates decision-making across incidents.

Expanding beyond configuration, the section covers permissions, monitoring capacity, and cost considerations of Security Copilot. By learning to operationalize Copilot effectively, you gain the ability to leverage advanced AI insights to uncover risks faster and strengthen defense postures.

Domain 4: Manage security threats (21% of the exam)

Hunt for threats by using Microsoft Defender XDR

• Identify threats by using Kusto Query Language (KQL)
• Interpret threat analytics in the Microsoft Defender portal
• Create custom hunting queries by using KQL

Summary: Threat hunting in Defender XDR combines powerful analytics with custom querying using KQL. This section will show you how to interpret threat analytics and design hunting queries to proactively identify malicious activity within your environment.

With strong KQL proficiency, you unlock the ability to enhance visibility and build strategies for identifying anomalies long before automated systems raise alerts. This proactive mindset positions you as a proactive hunter rather than a purely reactive responder.

Hunt for threats by using Microsoft Sentinel

• Analyze attack vector coverage by using the MITRE ATT&CK matrix
• Manage and use threat indicators
• Create and manage hunts
• Create and monitor hunting queries
• Use hunting bookmarks for data investigations
• Retrieve and manage archived log data
• Create and manage search jobs

Summary: This section deepens your hunting capabilities with Microsoft Sentinel through frameworks like the MITRE ATT&CK matrix, which guide analysis of adversary tactics. You will learn to implement hunting queries, manage indicators, and track activities systematically within Sentinel.

Managing hunts, bookmarks, and archived data ensures visibility extends across historic logs, enabling retroactive identification of threats. These practices allow SOC teams to continuously improve threat hunting capabilities and response effectiveness.

Create and configure Microsoft Sentinel workbooks

• Activate and customize workbook templates
• Create custom workbooks that include KQL
• Configure visualizations

Summary: Visualization is essential to security monitoring, and this section equips you to use Sentinel workbooks effectively. By customizing templates and creating new workbooks with KQL-driven queries, you transform raw security data into meaningful dashboards.

You will also experiment with visualizations that highlight trends and insights in ways that enhance decision-making. In doing so, you elevate Sentinel into a powerful tool for storytelling with data, enhancing collaboration between analysts, responders, and executives.