Forum Discussion

Batuhaan
Sep 09, 2025

How to practice SC-200 content on an empty tenant

Hello,

I am following the SC-200 course on Microsoft Learn. It is great and everything, but my M365 business tenant is empty. I don't have VMs, logs, user activity or anything. I learned some KQL, and Microsoft provides some datasets for practice. Is there any such data I can load on my tenant for threat hunting and other SC-200 related practices, or is there an isolated simulation environment I can use for learning?

1 Reply

  • Hi Batuhaan, that's a great question - it's a common challenge when preparing for SC-200 (Microsoft Security Operations Analyst) because a blank tenant won't generate the telemetry you need for hunting and investigation. A few options you can try:

    Microsoft Learn Sandboxes

    Many SC-200 modules include interactive sandboxes with pre-populated sample data. These are temporary environments but are very useful for practicing KQL queries and hunting scenarios.

    Sample Data in Microsoft Sentinel

    In your own tenant, you can connect Microsoft Sentinel and use the "Add sample data" feature. This loads built-in datasets (sign-ins, alerts, security events) that are perfect for practicing queries and detections.

    Docs: Add sample data in Sentinel

    Simulated Labs

    Microsoft provides hands-on labs through Microsoft Learn and Microsoft Security Virtual Training Days, which spin up pre-configured environments with activity logs and incidents.

    Community & GitHub Resources

    The community has published KQL practice queries and simulated log sources (via GitHub) that you can connect to your tenant for additional data variety.

    Unfortunately, there's no built-in way to "auto-populate" your own tenant with rich user/attack activity - the usual approach is to use Sentinel sample data or rely on the official sandbox/lab environments for end-to-end practice.
