Forum Discussion
How to practice SC-200 content on an empty tenant
Hi Batuhaan, that's a great question - it's a common challenge when preparing for SC-200 (Microsoft Security Operations Analyst) because a blank tenant won't generate the telemetry you need for hunting and investigation. A few options you can try:
Microsoft Learn Sandboxes
Many SC-200 modules include interactive sandboxes with pre-populated sample data. These are temporary environments but are very useful for practicing KQL queries and hunting scenarios.
Sample Data in Microsoft Sentinel
In your own tenant, you can connect Microsoft Sentinel and use the "Add sample data" feature. This loads built-in datasets (sign-ins, alerts, security events) that are perfect for practicing queries and detections.
Docs: Add sample data in Sentinel
Simulated Labs
Microsoft provides hands-on labs through Microsoft Learn and Microsoft Security Virtual Training Days, which spin up pre-configured environments with activity logs and incidents.
Community & GitHub Resources
The community has published KQL practice queries and simulated log sources (via GitHub) that you can connect to your tenant for additional data variety.
Unfortunately, there's no built-in way to "auto-populate" your own tenant with rich user/attack activity - the usual approach is to use Sentinel sample data or rely on the official sandbox/lab environments for end-to-end practice.