Hands-on Lab — SC-200 Microsoft Security Operations Analyst

Last reviewed: May 2026

Build the AWS services on the SC-200 exam with plain Terraform — one block at a time, each tied back to an exam domain. The same code works on OpenTofu.

Overview

By the end of this lab you'll have provisioned, with plain Terraform, the SC-200 SOC reference substrate — a Log Analytics workspace as the data plane, Microsoft Sentinel onboarded onto that workspace, a scheduled analytic rule that triggers an incident on a sample KQL pattern, and an automation rule that runs every time an incident is created. This is the substrate every SC-200 hunting + response workflow runs on.

Drop the snippets into a single main.tf, run terraform init, then terraform apply step-by-step.

Prerequisites

Terraform >= 1.5 or OpenTofu >= 1.6.
An Azure subscription with permissions to create Log Analytics, Sentinel, and Logic Apps resources.
Azure CLI authenticated (az login).
Sentinel onboarding is one-way for the workspace — once a Log Analytics workspace has Sentinel enabled, you can disable Sentinel but the workspace data plane still exists. For lab cleanup, destroy works correctly via Terraform.

Cost note

Sentinel pricing is the main cost story:

Microsoft Sentinel: pay-per-GB ingested. The first 5 GB/month on the workspace is free (under Log Analytics' free tier), but Sentinel adds +$2/GB on top. Lab volume is kilobytes.
Log Analytics workspace: 5 GB/month free; ~$2.30/GB after.
Logic App (Consumption tier): pay-per-action; lab usage is fractions of a cent.
Sentinel analytic rules: free; rule executions don't bill.

~$0/month at lab volume. Sentinel becomes expensive at scale — onboarding a multi-server CloudTrail-equivalent (Defender XDR connectors, M365 connectors) easily hits $10K/month for a real org.

Steps

1.Provider, Resource Group, naming

Standard Azure opener.

terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
  }
}

provider "azurerm" {
  features {}
}

locals {
  tags = {
    Project   = "certlabpro-sc-200"
    ManagedBy = "terraform"
  }
}

resource "azurerm_resource_group" "main" {
  name     = "certlabpro-sc-200-rg"
  location = "eastus"
  tags     = local.tags
}

2.Stand up the Log Analytics workspace + onboard Sentinel
Provisions:
- Azure Monitor
- Microsoft Sentinel
Microsoft Sentinel is a layer on top of a Log Analytics workspace — it doesn't have its own data plane. SC-200's Manage a Microsoft Sentinel environment domain hammers on this dependency: every Sentinel feature reads/writes from the workspace, every data connector lands data into it, every analytic rule runs KQL against it.

We provision the workspace at PerGB2018 SKU + the azurerm_sentinel_log_analytics_workspace_onboarding resource to attach Sentinel. After this, you'd connect data sources (Azure Activity, Microsoft Entra ID sign-ins, Defender XDR connectors) via the portal — they're surface-area-heavy and easier through the GUI than Terraform.
```
resource "azurerm_log_analytics_workspace" "main" {
  name                = "log-sc200"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  sku                 = "PerGB2018"
  retention_in_days   = 30

  tags = local.tags
}

resource "azurerm_sentinel_log_analytics_workspace_onboarding" "main" {
  workspace_id = azurerm_log_analytics_workspace.main.id
}
```

3.Create a scheduled analytic rule that triggers on a KQL pattern

Provisions:

Microsoft Sentinel

Analytic rules are how Sentinel turns raw log events into incidents. SC-200 tests rule-type recognition: Scheduled (KQL-based, the most common), Microsoft incident (forwards Defender XDR alerts), Anomaly (ML-based), Threat intelligence (TI matching).

We create a scheduled rule with a stub KQL query (every 5 minutes, looking back 5 minutes — the SC-200 near-real-time shape). The query here is a placeholder (SecurityEvent | take 1); in production the KQL is the rule's actual logic — testing for impossible-travel logins, password-spray patterns, unusual privilege escalations, etc.

The tactics field maps the rule to the MITRE ATT&CK framework — required for Defender XDR integration and for hunting workflows that pivot by tactic.

resource "azurerm_sentinel_alert_rule_scheduled" "stub" {
  name                       = "certlabpro-sc-200-stub-rule"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
  display_name               = "Stub rule — lab demonstration"
  description                = "Sample scheduled analytic rule for the SC-200 lab. Replace KQL with a real hunting pattern."
  severity                   = "Medium"
  enabled                    = true

  query                      = "SecurityEvent | take 1"
  query_frequency            = "PT5M" # run every 5 minutes
  query_period               = "PT5M" # look back 5 minutes

  trigger_operator           = "GreaterThan"
  trigger_threshold          = 0

  tactics    = ["InitialAccess"]
  techniques = ["T1078"] # Valid Accounts (MITRE ATT&CK)

  incident {
    create_incident_enabled = true

    grouping {
      enabled = true
    }
  }

  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.main]
}

4.Wire an automation rule for incident response
Provisions:
- Microsoft Sentinel
Automation rules are SC-200's Configure your Microsoft Sentinel environment for incident management primitive — they trigger when an incident is created, updated, or closed, and run a set of actions: assign the incident to a user, change its severity, add tags, or invoke a Logic App playbook.

We create a rule that runs every time any incident is created. The example action just changes severity to High and tags the incident — in production you'd invoke a Logic App playbook here that posts to Teams, creates a Jira ticket, enriches with threat-intel, or triggers a remediation runbook. SC-200 tests this triggered automation shape as the standard L1 SOC pattern.
```
resource "azurerm_sentinel_automation_rule" "tag_and_escalate" {
  name                       = "0e84e57b-8b8a-4c8b-a0a8-1d3f3e6f9a01" # GUID required
  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
  display_name               = "Tag-and-escalate every new incident"
  order                      = 1
  enabled                    = true

  triggers_on  = "Incidents"
  triggers_when = "Created"

  action_incident {
    order    = 1
    severity = "High"
  }

  action_incident {
    order  = 2
    labels = ["lab-auto-tagged"]
  }

  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.main]
}
```

Cleanup

terraform destroy tears down everything. Sentinel onboarding detaches from the workspace; the workspace remains until destroyed separately (Terraform handles both correctly). Analytic rule executions stop immediately. Logic App playbooks (not provisioned in this lab) would need to be destroyed separately if you added them.

What this lab doesn't cover

SC-200 covers more SecOps surfaces this lab can't fit — Microsoft Defender for Endpoint (the endpoint EDR), Defender for Identity (on-prem AD threats), Defender for Office 365 (mail-flow protection), Defender for Cloud Apps (CASB), the full Defender XDR unified portal, KQL hunting at depth, Microsoft Sentinel data connectors (Azure Activity, M365, AWS CloudTrail, GCP Audit, third-party connectors), Sentinel Workbooks for dashboarding, Threat Intelligence indicators, Watchlists, User and Entity Behavior Analytics (UEBA), Notebooks for advanced hunting, and Logic App playbooks for response orchestration.

We stick to the workspace + Sentinel + scheduled rule + automation rule because they're the substrate every SC-200 pattern composes on. Data connectors land data into the workspace; analytic rules query the data; automation rules respond to incidents; playbooks (Logic Apps) extend automation rules. Get the base right; layer on per data source.

For the surfaces above, see the Browse, Playbook, and Editorial sections of this cert page.

← Back to SC-200 hub

Overview

Drop the snippets into a single main.tf, run terraform init, then terraform apply step-by-step.

Prerequisites

Terraform >= 1.5 or OpenTofu >= 1.6.
An Azure subscription with permissions to create Log Analytics, Sentinel, and Logic Apps resources.
Azure CLI authenticated (az login).
Sentinel onboarding is one-way for the workspace — once a Log Analytics workspace has Sentinel enabled, you can disable Sentinel but the workspace data plane still exists. For lab cleanup, destroy works correctly via Terraform.

Cost note

Sentinel pricing is the main cost story:

Microsoft Sentinel: pay-per-GB ingested. The first 5 GB/month on the workspace is free (under Log Analytics' free tier), but Sentinel adds +$2/GB on top. Lab volume is kilobytes.
Log Analytics workspace: 5 GB/month free; ~$2.30/GB after.
Logic App (Consumption tier): pay-per-action; lab usage is fractions of a cent.
Sentinel analytic rules: free; rule executions don't bill.

~$0/month at lab volume. Sentinel becomes expensive at scale — onboarding a multi-server CloudTrail-equivalent (Defender XDR connectors, M365 connectors) easily hits $10K/month for a real org.

Steps

1.Provider, Resource Group, naming

Standard Azure opener.

terraform {
  required_version = ">= 1.5"

  required_providers {
    azurerm = { source = "hashicorp/azurerm", version = "~> 4.0" }
  }
}

provider "azurerm" {
  features {}
}

locals {
  tags = {
    Project   = "certlabpro-sc-200"
    ManagedBy = "terraform"
  }
}

resource "azurerm_resource_group" "main" {
  name     = "certlabpro-sc-200-rg"
  location = "eastus"
  tags     = local.tags
}

2.Stand up the Log Analytics workspace + onboard Sentinel

Provisions:

Azure Monitor
Microsoft Sentinel

Microsoft Sentinel is a layer on top of a Log Analytics workspace — it doesn't have its own data plane. SC-200's Manage a Microsoft Sentinel environment domain hammers on this dependency: every Sentinel feature reads/writes from the workspace, every data connector lands data into it, every analytic rule runs KQL against it.

We provision the workspace at PerGB2018 SKU + the azurerm_sentinel_log_analytics_workspace_onboarding resource to attach Sentinel. After this, you'd connect data sources (Azure Activity, Microsoft Entra ID sign-ins, Defender XDR connectors) via the portal — they're surface-area-heavy and easier through the GUI than Terraform.

resource "azurerm_log_analytics_workspace" "main" {
  name                = "log-sc200"
  resource_group_name = azurerm_resource_group.main.name
  location            = azurerm_resource_group.main.location
  sku                 = "PerGB2018"
  retention_in_days   = 30

  tags = local.tags
}

resource "azurerm_sentinel_log_analytics_workspace_onboarding" "main" {
  workspace_id = azurerm_log_analytics_workspace.main.id
}

3.Create a scheduled analytic rule that triggers on a KQL pattern

Provisions:

Microsoft Sentinel

The tactics field maps the rule to the MITRE ATT&CK framework — required for Defender XDR integration and for hunting workflows that pivot by tactic.

resource "azurerm_sentinel_alert_rule_scheduled" "stub" {
  name                       = "certlabpro-sc-200-stub-rule"
  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
  display_name               = "Stub rule — lab demonstration"
  description                = "Sample scheduled analytic rule for the SC-200 lab. Replace KQL with a real hunting pattern."
  severity                   = "Medium"
  enabled                    = true

  query                      = "SecurityEvent | take 1"
  query_frequency            = "PT5M" # run every 5 minutes
  query_period               = "PT5M" # look back 5 minutes

  trigger_operator           = "GreaterThan"
  trigger_threshold          = 0

  tactics    = ["InitialAccess"]
  techniques = ["T1078"] # Valid Accounts (MITRE ATT&CK)

  incident {
    create_incident_enabled = true

    grouping {
      enabled = true
    }
  }

  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.main]
}

4.Wire an automation rule for incident response

Provisions:

Microsoft Sentinel

Automation rules are SC-200's Configure your Microsoft Sentinel environment for incident management primitive — they trigger when an incident is created, updated, or closed, and run a set of actions: assign the incident to a user, change its severity, add tags, or invoke a Logic App playbook.

We create a rule that runs every time any incident is created. The example action just changes severity to High and tags the incident — in production you'd invoke a Logic App playbook here that posts to Teams, creates a Jira ticket, enriches with threat-intel, or triggers a remediation runbook. SC-200 tests this triggered automation shape as the standard L1 SOC pattern.

resource "azurerm_sentinel_automation_rule" "tag_and_escalate" {
  name                       = "0e84e57b-8b8a-4c8b-a0a8-1d3f3e6f9a01" # GUID required
  log_analytics_workspace_id = azurerm_log_analytics_workspace.main.id
  display_name               = "Tag-and-escalate every new incident"
  order                      = 1
  enabled                    = true

  triggers_on  = "Incidents"
  triggers_when = "Created"

  action_incident {
    order    = 1
    severity = "High"
  }

  action_incident {
    order  = 2
    labels = ["lab-auto-tagged"]
  }

  depends_on = [azurerm_sentinel_log_analytics_workspace_onboarding.main]
}

Cleanup

What this lab doesn't cover

For the surfaces above, see the Browse, Playbook, and Editorial sections of this cert page.

Hands-on Lab — SC-200 Microsoft Security Operations Analyst

Overview

Prerequisites

💰Cost note

Steps

Cleanup

What this lab doesn't cover

Hands-on Lab — SC-200 Microsoft Security Operations Analyst

Overview

Prerequisites

💰Cost note

Steps

Cleanup

What this lab doesn't cover

Cost note

Cost note