Microsoft Security Operations Analyst
225 practice questions
Last revised: April 2026
Personal notes and resource links for your study path
Microsoft Security Operations Analyst (SC-200) is an associate-level role-based exam that validates hands-on skills for SOC analysts who hunt threats, triage alerts, and respond to incidents using Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Defender for Cloud. The audience is working SOC analysts and incident responders — not generalists — and the exam reflects that with scenario-heavy questions on KQL queries, analytics rules, automation playbooks, attack-surface reduction, and cross-product investigation across endpoint, identity, email, and cloud workloads. SC-200 is the standard Microsoft-stack credential for Tier 1–2 analysts and is increasingly listed as preferred or required in enterprise SOC job postings.
Configuring Microsoft Sentinel (workspaces, data connectors, watchlists, threat intelligence) and Defender XDR (role-based access, alert and incident settings, custom detections). About 25% of the exam. Expect specifics on which connector ingests what data and how Sentinel and Defender XDR integrate via the unified portal.
Tuning detections in Defender for Endpoint, Defender for Office 365, Defender for Identity, Defender for Cloud Apps, and Defender for Cloud. Custom analytics rules in Sentinel (scheduled, NRT, Fusion, ML-based). Around 20% of the exam — the most heavily KQL-flavored domain.
Largest domain (30%). Triage and investigation across Defender XDR and Sentinel, automation with playbooks (Logic Apps), Microsoft Security Copilot for SOC workflows, and the end-to-end incident lifecycle from alert correlation to closure and post-incident review.
Threat hunting with KQL across the advanced hunting schema, proactive hunts using built-in queries and bookmarks, MITRE ATT&CK mapping, and threat intelligence integration. About 25% of the exam.
$85k–$165k USD annual (median ~$120k)
Range covers US-based SOC analyst, detection-engineering, and Sentinel-focused roles. Tier 1 analysts and non-coastal markets trend lower; senior detection engineers and threat hunters at large enterprises or MSSPs trend higher. SC-200 alone does not move the number — demonstrated KQL fluency and prior incident-response experience are the bigger drivers.
Source: U.S. BLS OEWS May 2024 (15-1212 information security analysts, median ~$120k), levels.fyi 2025–2026 security-engineering and SOC roles, (ISC)² Cybersecurity Workforce Study 2024. Figures are approximate; actual compensation depends on role, region, and experience.
Microsoft Sentinel and Defender XDR are deployed across a large share of mid-market and enterprise SOCs because they fit naturally on top of an existing Microsoft 365 and Azure footprint, and that has made SC-200 one of the most widely recognized SOC-analyst certifications. Recruiters use it as a screening signal for Tier 1 and Tier 2 analyst, detection-engineering, and Sentinel-implementation roles, and MSSPs frequently list it as a preferred credential for engineers running Sentinel as a managed service. (ISC)² workforce data shows persistent unfilled demand for security-operations talent through 2024–2026, which keeps SC-200 holders attractive even at the early-career end. Pairing SC-200 with AZ-500 or SC-300 makes the resume noticeably stronger for senior SOC and identity-focused detection roles.
There are no enforced prerequisites, but Microsoft positions SC-200 as a role-based exam that assumes working experience as a security operations analyst — meaning real exposure to alert triage, KQL queries, and at least one of Microsoft Sentinel, Defender XDR, or Defender for Cloud in a production tenant. Candidates with no SOC experience routinely fail on first attempt.
The recommended prep path is SC-900 first (for shared vocabulary across the Microsoft security stack), then 3–6 months of hands-on time in a Sentinel workspace and Defender portal — even a personal lab built on a Microsoft 365 developer tenant plus an Azure free account is enough to practice connector setup, analytics rules, and KQL hunting. Microsoft Learn provides a free 18–25 hour learning path with embedded labs that closely mirror exam scenarios; pairing it with the official practice assessment and a third-party question bank for KQL pattern recognition is the most efficient route.
SC-200 is moderate by Microsoft associate standards — harder than AZ-500 in KQL specificity, easier than SC-100 in scope. Plan for 60–100 hours of study over 6–10 weeks if you have some SOC exposure, or 100–150 hours if you are coming in cold. The exam runs 100–120 minutes with roughly 40–60 questions including multiple-choice, multiple-response, drag-and-drop, and case-study formats; passing score is 700/1000 on Microsoft's scaled model.
The two stumbling blocks are KQL fluency and product breadth. KQL queries appear directly on the exam — you need to read and reason about queries against Sentinel and Defender advanced-hunting schemas, not just recognize keywords. Product breadth bites because the Defender family spans endpoint, identity, Office 365, cloud apps, and cloud workloads, each with its own portal nuances and integration story with Sentinel. Candidates who skip hands-on labs and rely on video courses alone tend to hit a wall on the case studies.
General availability April 2021. Objectives have been refreshed several times to reflect the Defender consolidation into Defender XDR, the Azure AD → Entra ID rename, the addition of Microsoft Security Copilot, and the unified Defender + Sentinel portal experience. Role-based credentials expire one year after passing; renewal is free via an unproctored online assessment on Microsoft Learn.
SC-200 (Microsoft Security Operations Analyst) is a moderately difficult associate-level exam that expects practical hands-on experience plus a solid understanding of best practices. Most candidates need 80–150 hours of study spread over 6–12 weeks for associate-level exams. Most candidates who score consistently above the passing threshold on practice exams pass on their first attempt.