Microsoft Security Operations Analyst
225 practice questions
Last reviewed: April 2026
Microsoft Security Operations Analyst (SC-200) is an associate-level role-based exam that validates hands-on skills for SOC analysts who hunt threats, triage alerts, and respond to incidents using Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Defender for Cloud. The audience is working SOC analysts and incident responders, not generalists, and the exam reflects that with scenario-heavy questions on KQL queries, analytics rules, automation playbooks, attack-surface reduction, and cross-product investigation across endpoint, identity, email, and cloud workloads. SC-200 is the standard Microsoft-stack credential for Tier 1 and Tier 2 analysts and is increasingly listed as preferred or required in enterprise SOC job postings.
Configuring Microsoft Sentinel (workspaces, data connectors, watchlists, threat intelligence) and Defender XDR (role-based access, alert and incident settings, custom detections). About 25% of the exam. Expect specifics on which connector ingests what data and how Sentinel and Defender XDR integrate via the unified portal.
Tuning detections in Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Defender for Cloud. Analytics rules in Sentinel: custom scheduled and NRT rules you author in KQL, plus the built-in Fusion and ML behavior analytics rule types you enable and tune rather than write. Around 20% of the exam, and the most heavily KQL-flavored domain.
Largest domain (30%). Triage and investigation across Defender XDR and Sentinel, automation with playbooks (Logic Apps), Microsoft Security Copilot for SOC workflows, and the end-to-end incident lifecycle from alert correlation to closure and post-incident review.
Threat hunting with KQL across the advanced hunting schema, proactive hunts using built-in queries and bookmarks, MITRE ATT&CK mapping, and threat intelligence integration. About 25% of the exam.
Services you'll encounter on the exam and why each one matters.
Cloud-native SIEM and SOAR built on Azure that ingests telemetry across the estate, hunts threats with KQL, and orchestrates response via automation rules and playbooks.
Why it's on the exam: Domain 1 (Manage a security operations environment) anchors on Sentinel as the SIEM/SOAR; expect data-connector, workspace, and content-hub questions.
Unified pre- and post-breach defense suite that correlates signals across endpoints, identities, email, cloud apps, and data into a single incident queue and graph.
Why it's on the exam: Domain 3 (Manage incident response) hinges on Defender XDR as the cross-workload incident-investigation surface: incident merging, evidence, and graph hunting.
Enterprise EDR with attack-surface reduction, next-gen antimalware, automated investigation, live response, and advanced hunting across Windows, macOS, Linux, iOS, Android.
Why it's on the exam: Domain 4 (Manage security threats) names Defender for Endpoint as the EDR layer for device-resident threat detection, isolation, and forensic collection.
CNAPP that provides security posture management (CSPM) and workload protection (CWP) across Azure, AWS, and GCP, surfacing recommendations and runtime alerts into Defender XDR.
Why it's on the exam: Domain 2 (Configure protections and detections) tests CWP plan enablement and CSPM remediation; Defender for Cloud is the named control for multicloud workload alerts.
Protection for Microsoft 365 mailboxes, Teams, SharePoint, and OneDrive against phishing, BEC, and malicious attachments via Safe Links, Safe Attachments, and Attack Simulation Training.
Why it's on the exam: Domain 2 and Domain 4 cover email and collaboration threats; Defender for Office 365 supplies the Threat Explorer queries and policy controls SOC analysts triage.
On-premises Active Directory threat detection that surfaces reconnaissance, lateral movement, Kerberos abuse, and domain dominance from domain-controller traffic.
Why it's on the exam: Domain 4 covers hybrid identity threats; Defender for Identity is the named AD-focused detection layer feeding incidents into Defender XDR.
Cloud access security broker (CASB) that discovers shadow IT, applies session controls via reverse proxy, and protects sanctioned SaaS with API connectors and policy engines.
Why it's on the exam: Domain 2 frames SaaS threat scenarios; Defender for Cloud Apps is the named control for shadow-IT discovery and Conditional Access App Control.
Agentless OT/IoT network monitoring (formerly CyberX) plus device-builder agents that detect anomalous behavior on industrial and enterprise IoT segments.
Why it's on the exam: Domain 4 covers OT/IoT threat scenarios; Defender for IoT is the named platform for Purdue-model visibility and ICS-aware detections.
Read-only query language for Log Analytics, Sentinel, and Defender advanced hunting: pipe-and-filter syntax over schematized event tables for ad-hoc and scheduled investigation.
Why it's on the exam: Every domain assumes KQL fluency; Domain 3 incident investigation and Domain 4 threat hunting expect candidates to read and author KQL queries.
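The kind of advanced-hunting query the exam expects you to read and reason about, as an added example that is not part of the original page or of any Microsoft-published query. It runs against the Defender XDR DeviceProcessEvents table, finds PowerShell launched with an encoded command (ATT&CK T1059.001, obfuscated with T1027), decodes the payload inline, and projects the Timestamp, ReportId and DeviceId columns that a custom detection rule requires. The seven-day window and the keyword list used to rank hits are assumptions; tune both to your estate.

```kql
// Added example, not from the page or from Microsoft. Advanced hunting query for
// Defender XDR: PowerShell launched with -e / -enc / -EncodedCommand.
// Assumptions: 7-day lookback; the keyword list below is a starting point.
// When saved as a custom detection, Timestamp, ReportId and DeviceId must remain
// in the output so the generated alert can be attached to the right device event.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine contains " -e"          // cheap prefilter before the regex
// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
// capture the base64 token that follows it.
| extend Encoded = extract(@"(?i)\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(Encoded)
// The payload is UTF-16LE, so strip the interleaved NUL bytes after decoding.
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
| where isnotempty(Decoded)
// Rank rather than drop: a decoded command with download-and-execute primitives
// goes to the top, but every encoded launch stays visible to the hunter.
| extend Suspicious = Decoded has_any ("DownloadString", "IEX", "Invoke-Expression",
                                       "FromBase64String", "Net.WebClient", "Invoke-WebRequest")
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ProcessCommandLine, Decoded, Suspicious
| order by Suspicious desc, Timestamp desc
```

The same table and column names are available in Sentinel once the Defender XDR connector is streaming device events, so the query can be lifted into a scheduled analytics rule unchanged; the only difference is that a Sentinel rule uses TimeGenerated for its lookback rather than Timestamp.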
Scheduled, NRT, Microsoft, ML behavioral, and Fusion rule types that turn KQL queries and built-in templates into alerts and incidents inside Sentinel.
Why it's on the exam: Domain 2 explicitly tests analytics-rule types, severity tuning, and incident grouping logic when configuring detections.
Logic Apps workflows triggered by incidents, alerts, or analyst actions that automate enrichment, ticket creation, account disablement, and host containment.
Why it's on the exam: Domain 3 covers SOAR automation; Playbooks are the named answer for automated response and human-in-the-loop approvals tied to automation rules.
Customizable dashboards built on Azure Monitor Workbooks that visualize Sentinel data, MITRE coverage, and analyst KPIs across one or many workspaces.
Why it's on the exam: Domain 1 tests SOC reporting and MITRE coverage visualization; Workbooks supply the named telemetry surface for analyst and lead-level reporting.
Curated reference data (VIP users, terminated employees, IOC feeds, asset tiers) joined into analytics rules and hunting queries via the _GetWatchlist('name') KQL function, which returns the list as a table keyed on its SearchKey column.
Why it's on the exam: Domain 2 cites Watchlists when scoping detections to specific assets or excluding noise from baseline rules.
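A scheduled analytics rule that scopes a detection with a watchlist, serving both the analytics-rule and the watchlist entries above. This is an added example, not code from the page or a Microsoft rule template. It assumes a watchlist named VIPUsers whose SearchKey column holds the user principal name, and a rule that runs hourly with a one-hour lookback; all three are assumptions.

```kql
// Added example, not from the page or from a Microsoft rule template.
// Scheduled analytics rule: risky successful sign-ins by users on a watchlist.
// Assumptions: a watchlist named "VIPUsers" exists, its SearchKey is the UPN, and
// the rule is scheduled every hour with a 1h lookback. In the rule's entity
// mapping, bind Upn to the Account entity and SourceIP to the IP entity.
let vips = _GetWatchlist('VIPUsers')
    | project Upn = tolower(SearchKey);          // normalise case before joining
SigninLogs
| where TimeGenerated > ago(1h)                   // keep this equal to the rule lookback
| where ResultType == "0"                         // successful sign-ins only (ResultType is a string)
| where RiskLevelDuringSignIn in ("medium", "high")
| extend Upn = tolower(UserPrincipalName)
// Inner join keeps only users on the list; use kind=leftanti instead to turn the
// same list into an exclusion (for example, a known service-account allowlist).
| join kind=inner (vips) on Upn
| summarize
    SignInCount = count(),
    SourceIPs = make_set(IPAddress, 20),
    Apps = make_set(AppDisplayName, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
  by Upn, UserId
| extend SourceIP = tostring(SourceIPs[0])       // scalar column for the IP entity mapping
| project LastSeen, FirstSeen, Upn, UserId, SignInCount, SourceIP, SourceIPs, Apps
```

Two practitioner checks before saving the rule: the query's time filter must match the lookback configured on the rule, or the rule will either miss events or re-alert on ones it already saw; and the columns you map to entities must be scalars, which is why the first source IP is pulled out of the dynamic array.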
Threat-intelligence portal (formerly RiskIQ) that maps adversary infrastructure, indicators, and articles into Defender XDR and Sentinel via TI connectors.
Why it's on the exam: Domain 4 tests IOC ingestion and adversary attribution; Defender TI is the named source for curated indicator feeds and threat-actor profiles.
Continuously discovers internet-exposed assets (domains, hosts, certificates, IP blocks) attributable to the organization and surfaces externally observable risks.
Why it's on the exam: Domain 4 covers external attack surface scenarios; Defender EASM is the named tool for shadow-asset discovery beyond the managed estate.
Risk-based vulnerability assessment for Defender for Endpoint estates, with CVE inventory, security baseline scoring, software inventory, and remediation request workflows.
Why it's on the exam: Domain 4 frames vulnerability prioritization and remediation tracking; Defender VM is the named workload integrated with Intune for ticketing.
Cloud identity provider that authenticates users and workloads and emits the sign-in, audit, and identity-protection signals Sentinel and Defender XDR correlate during incidents.
Why it's on the exam: Domain 3 incident scoping repeatedly pivots on user, sign-in, and risk signals from Entra ID; analysts need to read those logs and apply containment actions such as password reset and session revocation.
Telemetry pipeline and KQL-backed Log Analytics workspace that Sentinel runs on top of; data collection rules, custom logs, and retention policies all flow through this layer.
Why it's on the exam: Domain 1 tests workspace architecture, log ingestion, and data residency; Sentinel-specific knobs sit on top of Azure Monitor and Log Analytics fundamentals.
Cross-tenant management plane that lets an MSSP or central SOC manage Sentinel workspaces, Defender for Cloud, and Azure resources across customer tenants with delegated RBAC.
Why it's on the exam: Domain 1 covers multi-tenant SOC scenarios; Lighthouse is the named platform for MSSP-style cross-tenant Sentinel access.
Built-in compliance posture engine inside Defender for Cloud that maps recommendations to frameworks (CIS, ISO 27001, NIST 800-53, PCI DSS) and tracks remediation over time.
Why it's on the exam: Domain 1 surfaces compliance posture as a SOC manager responsibility; Defender for Cloud Regulatory Compliance is the named dashboard analysts and leads reference.
$85k / $120k / $165k USD annual
Range covers US-based SOC analyst, detection-engineering, and Sentinel-focused roles. Tier 1 analysts and non-coastal markets trend lower; senior detection engineers and threat hunters at large enterprises or MSSPs trend higher. SC-200 alone does not move the number; demonstrated KQL fluency and prior incident-response experience are the bigger drivers.
Source: U.S. BLS OEWS May 2024 (15-1212 information security analysts, median ~$120k), levels.fyi 2025 to 2026 security-engineering and SOC roles, (ISC)² Cybersecurity Workforce Study 2024. Figures are approximate; actual compensation depends on role, region, and experience.
Microsoft Sentinel and Defender XDR are deployed across a large share of mid-market and enterprise SOCs because they fit naturally on top of an existing Microsoft 365 and Azure footprint, and that has made SC-200 one of the most widely recognized SOC-analyst certifications. Recruiters use it as a screening signal for Tier 1 and Tier 2 analyst, detection-engineering, and Sentinel-implementation roles, and MSSPs frequently list it as a preferred credential for engineers running Sentinel as a managed service. (ISC)² workforce data shows persistent unfilled demand for security-operations talent through 2024 to 2026, which keeps SC-200 holders attractive even at the early-career end. Pairing SC-200 with AZ-500 or SC-300 makes the resume noticeably stronger for senior SOC and identity-focused detection roles.
There are no enforced prerequisites, but Microsoft positions SC-200 as a role-based exam that assumes working experience as a security operations analyst, meaning real exposure to alert triage, KQL queries, and at least one of Microsoft Sentinel, Defender XDR, or Defender for Cloud in a production tenant. Candidates with no SOC experience routinely fail on the first attempt.
The recommended prep path is SC-900 first (for shared vocabulary across the Microsoft security stack), then 3 to 6 months of hands-on time in a Sentinel workspace and Defender portal. Even a personal lab built on a Microsoft 365 developer tenant plus an Azure free account is enough to practice connector setup, analytics rules, and KQL hunting. Microsoft Learn provides a free 18 to 25 hour learning path with embedded labs that closely mirror exam scenarios; pairing it with the official practice assessment and a third-party question bank for KQL pattern recognition is the most efficient route.
SC-200 is moderate by Microsoft associate standards: harder than AZ-500 in KQL specificity, easier than SC-100 in scope. Plan for 60 to 100 hours of study over 6 to 10 weeks if you have some SOC exposure, or 100 to 150 hours if you are coming in cold. The exam runs 100 to 120 minutes with roughly 40 to 60 questions including multiple-choice, multiple-response, drag-and-drop, and case-study formats; the passing score is 700/1000 on Microsoft's scaled model.
The two stumbling blocks are KQL fluency and product breadth. KQL queries appear directly on the exam; you need to read and reason about queries against Sentinel and Defender advanced-hunting schemas, not just recognize keywords. Product breadth bites because the Defender family spans endpoint, identity, Office 365, cloud apps, and cloud workloads, each with its own portal nuances and integration story with Sentinel. Candidates who skip hands-on labs and rely on video courses alone tend to hit a wall on the case studies.
General availability April 2021. Objectives have been refreshed several times to reflect the Defender consolidation into Defender XDR, the Azure AD to Entra ID rename, the addition of Microsoft Security Copilot, and the unified Defender and Sentinel portal experience. Role-based credentials expire one year after passing; renewal is free via an unproctored online assessment on Microsoft Learn.
SC-200 (Microsoft Security Operations Analyst) is a moderately difficult associate-level exam that expects practical hands-on experience plus a solid understanding of best practices. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.
Most candidates need 80 to 150 hours of study spread over 6 to 12 weeks for associate-level exams. Time-to-pass varies widely by prior experience. Engineers with hands-on production experience in the underlying technology typically need less; candidates new to the platform should plan toward the upper end of that range.
SC-200 is a recognized credential in the Microsoft ecosystem and signals validated knowledge to employers, recruiters, and clients. Whether it is worth the time and fee for you depends on your role and goals; it tends to pay off most for SOC analysts, detection engineers, and consultants who work with Sentinel and Defender day-to-day or want to move into roles that do.
The passing score for SC-200 is 700 / 1000. The exam contains 50 questions and lasts 2 hr.
The SC-200 exam fee is $165 USD. Fees are set by Microsoft and may vary by region; always confirm the current price on the official Microsoft certification page before booking.
Microsoft role-based certifications expire after 1 year but can be renewed for free via an unproctored online assessment on Microsoft Learn, starting 6 months before expiration.
Yes. You can take the exam online (proctored via the provider's secure browser, available 24/7 in most regions) or at an in-person Pearson VUE test center during business hours. Both formats use the same questions, time limit, and passing score.
CertLabPro provides 15 study modes across the practice question bank for SC-200. The exam-simulation mode mirrors the real exam: 50 questions in 2 hr, with the same passing threshold of 700 / 1000. Browse mode lets you read every Q&A statically.