How to pass Microsoft Security Operations Analyst (SC-200)
20 min read. 3 domains covered. Free practice, no sign-up.
Microsoft Security Operations Analyst (SC-200) tests whether you can run a security operations centre on Microsoft Sentinel and Microsoft Defender XDR to a stated requirement, not just describe what each blade does. It is an associate exam, so the questions stop asking what a feature is and start asking which capability, signal source, and scope exactly meet a constraint with the least administrative effort. The work is configuration, triage, and hunting: you pick the right analytics rule type, the right Defender workload, the correct response action, or the precise KQL operator that satisfies every word of the scenario.
It suits SOC analysts, threat hunters, and incident responders who already live in the Microsoft Sentinel and Microsoft Defender portals and now need to prove they can detect, investigate, and remediate across email, identity, endpoint, and cloud. The exam expects working familiarity with Microsoft Sentinel and Microsoft Defender XDR, KQL, and the Defender for Endpoint, Identity, Office 365, and Cloud Apps workloads, so it is not a first certification. If you have never written a scheduled analytics rule, isolated a device, or run an Advanced Hunting query, build that hands-on time before sitting it.
Note the 16 April 2026 outline refresh, which collapsed the previous four functional groups into three: Manage a Security Operations Environment, Respond to Security Incidents, and Perform Threat Hunting. The configuration and automation content now sits inside the management domain, and threat hunting stands alone. If your study materials still list four groups, they predate the refresh and the weighting will be wrong.
The exam is pass-or-fail on choosing the one correct mechanism among several that are all genuine Microsoft capabilities. A typical stem hands you a constraint-rich scenario, and three of the four options are real Sentinel or Defender features that almost fit; only one honours every constraint, such as real-time versus scheduled, automatic versus manual, or the correct telemetry table. The skill being graded is matching a described need to the precise capability while rejecting the near-neighbours, so drilling the discriminators between similar tools beats memorising feature lists.
SC-200 is a run-the-SOC exam: nearly every question hands you a constrained Microsoft Sentinel or Microsoft Defender XDR scenario and asks for the single capability that meets it with the least admin effort, the correct signal source, and the right scope, and the traps are real features that fit all but one constraint.
Difficulty: Intermediate
Best for: SOC analysts, threat hunters, and incident responders who already work in Microsoft Sentinel and Microsoft Defender XDR and need to prove they can configure detections and automation, triage and remediate incidents across Defender for Endpoint, Identity, Office 365, Cloud Apps and Cloud, and hunt with KQL end to end.
Prerequisites: Working Microsoft Sentinel and Microsoft Defender XDR familiarity is expected. You should have hands-on time writing KQL, building at least one analytics rule, triaging an incident in the Defender portal, and running an Advanced Hunting query. This is not a first certification; SC-900 or equivalent security grounding helps, and real SOC exposure helps more.
Questions: Typically 40 to 60
Time allowed: 100 min
Pass mark: 700 / 1000
Exam cost (USD): $165
Practice questions: 284
How this exam thinks
One habit decides this exam: read the full requirement, then pick the single Microsoft Sentinel or Microsoft Defender XDR capability that satisfies every constraint with the least administrative effort, the correct signal source, and the right scope. The questions are scenarios, so the work is selection and configuration, not recall of definitions. Several options will be genuine capabilities, but only one fits all the stated constraints, and the others are near-neighbours placed there to catch a vague memory.
The default move is to map the described job to the capability that owns it. A scheduled analytics rule owns recurring KQL detection in Microsoft Sentinel; a near-real-time rule owns sub-minute latency for a single source; a Microsoft Defender XDR custom detection owns recurring detection over Advanced Hunting tables; an automation rule owns incident triage and orchestration while a playbook owns the Logic App actions it calls. When a stem says measure impact before enforcing, think ASR Audit mode; when it says least effort across current and future resources, think Azure Policy deployIfNotExists; when it says even, gap-filled time series for beaconing, think make-series.
The rest is a set of clean distinctions the exam leans on, each driven by the wording: real-time versus scheduled, automatic versus manual, a detection rule versus a hunting query, one workload's signal versus another, least-privilege role versus broad role. When two answers both sound plausible, the deciding detail is in the requirement itself, so re-read the stem for the one constraint that only one option honours, then answer the vendor's way.
What each domain tests and how to study it
The SC-200 blueprint is split across 3 domains. Weights are the official share of the exam; see the official exam guide for the authoritative breakdown.
Manage a Security Operations Environment
What you must be able to do. Choose and configure the correct Microsoft Sentinel or Microsoft Defender XDR detection, automation, data-ingestion, role, or platform mechanism that meets a stated operations requirement with the least administrative effort.
In one sentence. The backbone layer: analytics and custom detection rules, automation rules and playbooks, ASR and Defender for Endpoint features, data connectors and ingestion, roles, retention, and ATT&CK mapping.
Recall check: answer these from memory first
Which attack surface reduction rule mode lets the action proceed while logging a DeviceEvents entry so you can measure impact for two weeks before enforcing?
What two outputs must an Advanced Hunting query return before it can be saved as a Microsoft Defender XDR custom detection rule?
Which approach streams resource diagnostic logs to the Microsoft Sentinel workspace across current and future resources with the least ongoing effort?
Which built-in Microsoft Sentinel role is the least privilege that can author and tune analytics rules and workbooks at workspace scope?
What it tests. Whether you can stand up and tune the detection and automation backbone of the SOC: configuring Microsoft Defender XDR alert and email notifications with tuning, suppression, and correlation; setting Microsoft Defender for Endpoint advanced features, attack surface reduction rules, custom data collection, and device groups; managing automated investigation and response, automatic attack disruption, Microsoft Sentinel automation rules, and playbooks; configuring the Microsoft Sentinel platform with roles, retention tiers, workbooks, and SOC optimization; selecting data connectors for Windows security events, Syslog, and CEF; ingesting Azure activity, threat indicators, and custom logs; building Microsoft Defender XDR custom detection rules from Advanced Hunting; and authoring Microsoft Sentinel analytics rules and anomalies mapped to the MITRE ATT&CK matrix.
How to study it. Work in the Microsoft Sentinel and Microsoft Defender portals rather than reading. Set an attack surface reduction rule to Audit and watch the would-be blocks land in DeviceEvents. Build a scheduled analytics rule, then a near-real-time rule, and compare their latency and source limits. Save an Advanced Hunting query as a Microsoft Defender XDR custom detection and confirm it requires a Timestamp and an impacted entity column. Create an automation rule that runs a playbook on incident creation. Assign a Microsoft Sentinel Contributor role at workspace scope and trace what it can and cannot do. Configure an Azure Policy deployIfNotExists assignment to stream diagnostic logs to the workspace, and contrast it with a per-resource diagnostic setting and the Azure Activity connector.
Easy to confuse
Microsoft Sentinel analytics rule versus Microsoft Defender XDR custom detection rule. A Sentinel analytics rule runs KQL against the Log Analytics workspace tables and raises Sentinel incidents; a Defender XDR custom detection runs KQL over the Advanced Hunting schema in the Defender portal and raises Defender alerts with built-in response actions on the impacted entities. If the requirement is detect over Defender endpoint or identity tables with device or user response actions, it is a custom detection.
Automation rule versus playbook. An automation rule is the Microsoft Sentinel trigger-and-condition layer that decides when to act on an incident or alert and can change status, assign owner, or call a playbook; a playbook is the Logic App that performs the external actions such as posting to a channel or blocking an account. If the requirement is the orchestration logic and ordering, it is an automation rule; if it is the action being run, it is a playbook.
Scheduled analytics rule versus near-real-time (NRT) analytics rule. A scheduled rule runs its KQL on a defined interval and look-back window and can join and aggregate broadly; an NRT rule evaluates one source nearly as events arrive for sub-minute latency but is limited to a single table and no joins. If the requirement is lowest possible detection latency on one source, it is NRT; if it needs aggregation across tables, it is scheduled.
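The distinction between a Sentinel analytics rule and a Defender XDR custom detection is easiest to see in the result shape a custom detection demands. The query below is an added example written for this page, not the author's or Microsoft's own code. It assumes the ASR rule from the worked example has been promoted to Block, so enforcement events arrive in DeviceEvents with the documented ActionType AsrExecutableEmailContentBlocked, and it aggregates per device and account while still returning the Timestamp, ReportId and entity columns a custom detection needs; the threshold of three blocks is a constructed value.

```kql
// Added example (not from the page): a query shaped to be saved as a
// Microsoft Defender XDR custom detection rule.
// A custom detection must return Timestamp, ReportId and at least one
// entity column (DeviceId and the initiating account UPN here) so the
// rule can attach device and user response actions to what it finds.
// Aggregating with summarize would normally discard Timestamp and ReportId;
// arg_max keeps the latest event's values alongside the count.
DeviceEvents
| where ActionType == "AsrExecutableEmailContentBlocked"   // documented ActionType for the rule in Block mode
| summarize Blocks = count(),
            arg_max(Timestamp, ReportId, DeviceName, FileName, FolderPath,
                    InitiatingProcessFileName, InitiatingProcessCommandLine)
    by DeviceId, InitiatingProcessAccountUpn
| where Blocks >= 3                                          // constructed threshold for illustration
| project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessAccountUpn,
          Blocks, FileName, FolderPath, InitiatingProcessFileName, InitiatingProcessCommandLine
```

Run it in Advanced Hunting first; if it returns the required columns, the Create detection rule option in the portal will accept it. The same detection as a Sentinel scheduled analytics rule would map DeviceName and the UPN to entities in the rule's entity-mapping step instead of relying on ReportId, which is the practical difference the two rule types hide behind similar KQL.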
Worked example from the SC-200 bank
Free sample. Domain: Manage a Security Operations Environment. Difficulty: medium.
Your organisation wants to enable the attack surface reduction rule that blocks executable content from email clients and webmail across all onboarded Windows devices. Security operations is concerned that a small number of line-of-business workflows might rely on this behaviour, and they must measure the real-world impact for two weeks before any block takes effect, while still generating telemetry the team can hunt over. How should the rule be configured for this initial rollout?
A. Set the rule to Block, then add per-application exclusions for any line-of-business tool that breaks, so the rule enforces immediately while the discovered exceptions keep the workflows running during the trial.
B. Set the rule to Warn, which prompts the user with a dismissible message each time the rule triggers, so end users decide whether to proceed while the team reviews how often the prompt is dismissed.
C. Set the rule to Audit, which lets the offending action proceed but records a DeviceEvents entry each time the rule would have triggered, so the team can measure impact for two weeks before switching it to Block. (Correct)
D. Set the rule to Not configured, then rely on Microsoft Defender for Endpoint device discovery to passively report which devices use email-borne executables, so impact is gauged without enabling the rule at all.
Use ASR rule Audit mode to log would-be blocks to DeviceEvents and measure impact before promoting a rule to Block enforcement. An attack surface reduction rule set to Audit still evaluates the rule logic but allows the action to complete, writing an event to the DeviceEvents table each time the rule would have blocked. This produces measurable, huntable telemetry across the fleet during a pilot, so the team can size the line-of-business impact and build exclusions before switching the same rule to Block.
Why A is wrong: Block enforces straight away, which is exactly what the requirement forbids during the measurement window, and chasing breakages with exclusions reacts after disruption has already occurred rather than measuring impact safely first.
Why B is wrong: Warn does surface the rule and can be bypassed by the user, but it already disrupts the workflow with a prompt and is not the non-intrusive measurement mode the requirement calls for during a silent two-week impact assessment.
Why C is correct: Audit mode evaluates the rule and logs every would-be block to DeviceEvents without stopping the action, giving the exact telemetry needed to gauge impact over the trial before promoting the rule to Block enforcement.
Why D is wrong: Not configured leaves the rule inactive so it produces no ASR evaluation telemetry, and device discovery inventories unmanaged devices on the network rather than recording which workflows the rule would have blocked.
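The audit telemetry the worked example relies on is only useful if the team actually sizes it. The query below is an added example for this page, not code from the exam bank or from Microsoft. It assumes the ASR audit events land in DeviceEvents with ActionType values of the form Asr<Rule>Audited (AsrExecutableEmailContentAudited is the documented value for the email rule in the question) and uses a 14-day window to match the two-week pilot; it generalises to every rule currently in Audit by matching on the ActionType pattern rather than one rule name.

```kql
// Added example (not from the page): size the impact of ASR rules piloted in
// Audit mode before promoting them to Block.
// Each audit evaluation is a DeviceEvents row whose ActionType ends in
// "Audited"; grouping by the initiating process shows which workflows would
// have been blocked and on how many devices.
let PilotStart = ago(14d);                          // two-week pilot window from the question
DeviceEvents
| where Timestamp >= PilotStart
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| summarize WouldHaveBlocked = count(),             // how often the rule would have fired
            AffectedDevices  = dcount(DeviceId),    // fleet spread of the impact
            FirstSeen        = min(Timestamp),
            LastSeen         = max(Timestamp),
            SampleFiles      = make_set(FileName, 5) // a few of the would-be-blocked files
    by ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath
| order by ActionType asc, WouldHaveBlocked desc
```

To focus on the single rule from the question, replace the pattern match with ActionType == "AsrExecutableEmailContentAudited". Because the summarize discards Timestamp and ReportId, this result cannot be saved as a custom detection; it is a sizing query whose rows become the candidate exclusions to review before the switch to Block.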
Respond to Security Incidents
What you must be able to do. Select the correct Microsoft Defender or Microsoft Sentinel investigation view, verdict, or response action that contains and remediates a stated threat across the right workload.
In one sentence. The response layer: cross-workload incident correlation, device timelines and live response, identity and cloud app verdicts, Purview investigation, and automatic attack disruption.
Recall check: answer these from memory first
Which part of the Microsoft Defender XDR incident view shows correlated alerts, affected entities, and their relationships as one connected attack timeline?
Which live response command executes a pre-approved script already uploaded to the live response library on the target device?
In Microsoft Entra ID Protection, which action records a true-positive verdict, raises risk to high, and feeds the detection model?
Which Microsoft Purview capability places a legal hold and supports defensible search and export for a formal legal matter?
What it tests. Whether you can triage and remediate real attacks across the Microsoft Defender workloads and Microsoft Sentinel: investigating and remediating threats in Microsoft Defender for Office 365, Microsoft Purview, and Microsoft Defender for Cloud; investigating identity and cloud app risk with Microsoft Defender for Cloud Apps, Microsoft Entra ID, and Microsoft Defender for Identity; managing Microsoft Sentinel incidents with agentic AI, embedded Copilot for Security, and case management; investigating multi-stage, multi-domain, and lateral-movement attacks; reading Microsoft Defender for Endpoint device timelines, evidence, and entities; performing device response actions including live response and automatic attack disruption; and investigating Microsoft 365 activity with Microsoft Purview Audit, Content Search, and Microsoft Graph activity logs.
How to study it. Open a correlated incident in Microsoft Defender XDR and study the incident graph and attack story across email, identity, and endpoint. Drill into a device page and use the Incidents and alerts tab and the Timeline tab so you know which answers which question. In a live response session, practise the run, putfile, getfile, and library commands and learn how they differ. In Microsoft Entra ID Protection, confirm a user compromised and contrast it with dismiss, block, and reset password. In Microsoft Purview, compare eDiscovery (Premium) holds and defensible export against Content Search and Audit (Premium). Read how automatic attack disruption contains an in-progress attack without an analyst.
Easy to confuse
Automatic attack disruption versus automated investigation and response (AIR) versus live response. Automatic attack disruption contains a high-confidence in-progress attack in near real time by disabling accounts or isolating devices without an analyst; AIR runs an automated playbook of investigation and remediation on alerts and may need approval; live response is a hands-on remote shell where an analyst runs commands on one device. If the requirement is autonomous containment of an active attack, it is automatic attack disruption.
Microsoft Purview eDiscovery (Premium) versus Content Search versus Audit (Premium). eDiscovery (Premium) opens a case, places legal holds so content cannot be altered or deleted, and supports defensible review and export; Content Search finds and exports items but cannot place a hold; Audit (Premium) records who did what with extended retention but preserves no content. If the requirement is preserve against alteration then produce for a legal matter, it is eDiscovery (Premium).
Device page Incidents and alerts tab versus Timeline tab. The Incidents and alerts tab is a device-scoped filter of the alerts queue showing each alert's severity, status, classification, and investigation state; the Timeline tab is the chronological stream of process, file, registry, and network events on the device. If the requirement is count active detections on one machine, it is Incidents and alerts; if it is reconstruct what happened event by event, it is Timeline.
Worked example from the SC-200 bank
Free sample. Domain: Respond to Security Incidents. Difficulty: hard.
A security operations team is investigating an incident in Microsoft Defender XDR that began with a phishing email, progressed to a malicious sign-in, and then to suspicious process execution on a server. The analysts want to see how these alerts from Microsoft Defender for Office 365, Microsoft Entra ID, and Microsoft Defender for Endpoint were correlated into a single attack, including the timeline and the relationships between the involved entities. Which part of the Microsoft Defender XDR incident view should the analysts open to see this correlated end-to-end picture?
A. The Microsoft Defender vulnerability management dashboard, which ranks exposed devices by their weaknesses so the team can see which assets the attacker most likely targeted during the campaign.
B. The advanced hunting schema reference, which documents the available tables and columns so analysts can build a custom query that reconstructs the sequence of events for the incident.
C. The threat analytics report for the relevant campaign, which describes the actor techniques and supplies recommended mitigations the team should apply to reduce the impact of the attack.
D. The incident graph and attack story, which lay out the correlated alerts, affected assets, and entity relationships across the workloads as a connected timeline of how the attack unfolded. (Correct)
Use the Microsoft Defender XDR incident graph and attack story to understand how cross-workload alerts correlate into a single multi-stage attack. Microsoft Defender XDR automatically correlates related alerts from across its workloads into a single incident. The incident graph and attack story render those alerts, the affected entities, and their relationships as a connected timeline, so analysts can trace how an attack moved from email to identity to endpoint without manually piecing the stages together.
Why A is wrong: Vulnerability management surfaces device exposure and misconfigurations to drive proactive hardening, which is tempting when assessing attacker reach; it does not correlate alerts or render an incident timeline, so it cannot show how the stages connected.
Why B is wrong: The schema reference helps an analyst write hunting queries and could be used to rebuild a sequence manually, but it is documentation rather than the built-in correlated view; the incident already provides the joined attack story without query effort.
Why C is wrong: Threat analytics gives intelligence on actors and techniques with mitigation guidance, which feels relevant to a campaign; it is generic reporting and does not display this specific incident's correlated alerts, entities, or timeline.
Why D is correct: The incident graph and attack story are purpose-built to visualise how alerts from different Defender workloads were stitched into one incident, showing the entity relationships and the chronological progression an analyst needs to understand a multi-stage, multi-domain attack.
Perform Threat Hunting
What you must be able to do. Pick the correct Advanced Hunting table, KQL operator, hunting artefact, or notebook capability that answers a proactive hunting requirement with the right telemetry and result shape.
In one sentence. The hunting layer: choosing the right Advanced Hunting table and KQL operator, working bookmarks into cases, data lake KQL jobs and summary rules, and Notebooks with MSTICPy and the MCP Server.
Recall check: answer these from memory first
Which Advanced Hunting table records one row per process creation with both the child and the initiating-parent command lines?
Which KQL operator builds an evenly spaced, gap-filled time series so periodic beaconing stands out, where summarize with bin would skip empty buckets?
How does a threat hunter get a Microsoft Sentinel bookmark investigated in a case without authoring an analytics rule?
How does the Microsoft Sentinel MCP Server authenticate clients so actions inherit the signed-in user's workspace permissions?
What it tests. Whether you can hunt proactively across Microsoft Defender XDR and Microsoft Sentinel: detecting threats by selecting the right Advanced Hunting table and writing KQL; interpreting threat analytics and analysing entity relationships with hunting graphs and Sentinel Graph; creating and managing Microsoft Sentinel hunting queries, bookmarks, KQL jobs in the data lake, and summary rule tables; and hunting with Notebooks in Microsoft Sentinel including connection to the Microsoft Sentinel MCP Server. The KQL focus is real: you must know which table carries which telemetry, and which operator produces the shape of result the hunt needs.
How to study it. Write KQL against the real Advanced Hunting schema. Learn that DeviceProcessEvents carries both child and initiating-parent command lines while DeviceEvents is the general endpoint table, and that DeviceNetworkEvents holds outbound connections. Build a make-series query to spot beaconing and prove that summarize with bin drops empty intervals. Capture a hunting bookmark in Microsoft Sentinel, annotate it with MITRE ATT&CK tactics, and add it to an incident without authoring an analytics rule. Stand up a Jupyter Notebook with MSTICPy for multi-provider enrichment and an interactive map. Read how the Microsoft Sentinel MCP Server authenticates each user through Microsoft Entra ID so actions inherit that user's workspace permissions.
Easy to confuse
DeviceProcessEvents versus DeviceEvents. DeviceProcessEvents is the dedicated process-creation table pairing the spawned process FileName and ProcessCommandLine with the InitiatingProcess parent fields, so it carries full lineage from one table; DeviceEvents is the general catch-all endpoint table for assorted actions such as ASR triggers and is not the right source for parent and child command lines. If the requirement is reconstruct a process chain, it is DeviceProcessEvents.
make-series versus summarize with bin. make-series aggregates a metric over a fixed step across an explicit from-to range and fills empty intervals with a default, producing a continuous series; summarize with bin groups counts per interval but omits any bucket with no events, so gaps disappear and a periodic pattern is hard to see. If the requirement is an even, gap-filled timeline for beaconing, it is make-series.
Hunting bookmark added to an incident versus converting a hunting query to an analytics rule. Adding a bookmark to a new or existing incident links the captured evidence into a case for the SOC to investigate without creating any detection; converting the query to a scheduled analytics rule makes it generate its own incidents on each run. If the requirement is investigate this one finding in a case and explicitly not author a rule, it is add the bookmark to an incident.
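The make-series versus summarize-with-bin distinction is the one KQL point worth proving rather than memorising. The query below is an added example for this page, not the author's or Microsoft's code. It assumes a hunting environment that supports the series_periods_detect function, a constructed device name, a 6-hour window and a 1-minute step; it builds the gap-filled series with make-series, counts the sparse buckets that summarize with bin would have produced, and reports the difference, which is exactly the number of empty intervals the summarize approach silently drops.

```kql
// Added example (not from the page): beaconing hunt over DeviceNetworkEvents.
// make-series produces one bucket per minute, empty buckets included, so a
// periodic pattern can be scored; summarize with bin keeps only minutes that
// had traffic, and the gaps vanish.
let Device = "FIN-WKS-014";                        // constructed host name
let Start  = ago(6h);
let End    = now();
let Outbound = DeviceNetworkEvents
    | where Timestamp between (Start .. End)
    | where DeviceName == Device
    | where ActionType == "ConnectionSuccess"
    | where RemoteIPType == "Public";
// What summarize/bin would give: only the minutes that actually had connections.
let Sparse = Outbound
    | summarize Connections = count() by RemoteIP, InitiatingProcessFileName, Minute = bin(Timestamp, 1m)
    | summarize ObservedBuckets = count() by RemoteIP, InitiatingProcessFileName;
// Gap-filled series: every minute of the window is present, missing ones hold 0.
Outbound
| make-series Connections = count() default = 0
      on Timestamp from Start to End step 1m
      by RemoteIP, InitiatingProcessFileName
| extend SeriesBuckets = array_length(Connections)              // always the full window (360 here)
| extend (Periods, Scores) = series_periods_detect(Connections, 2.0, 90.0, 1)  // period search in bins (minutes)
| extend PeriodMinutes = todouble(Periods[0]), Score = todouble(Scores[0])
| join kind=inner Sparse on RemoteIP, InitiatingProcessFileName
| project RemoteIP, InitiatingProcessFileName,
          SeriesBuckets, ObservedBuckets,
          DroppedBySummarize = SeriesBuckets - ObservedBuckets,  // gaps summarize/bin would lose
          PeriodMinutes, Score
| where Score > 0.7                                              // constructed confidence threshold
| order by Score desc
```

Destinations with a high Score and a stable PeriodMinutes are the candidates for a beaconing review; the DroppedBySummarize column is the proof for the exam's point, since a destination that called home every 10 minutes shows 36 observed buckets against 360 series buckets, and the regular spacing only exists in the gap-filled version.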
Worked example from the SC-200 bank
Free sample. Domain: Perform Threat Hunting. Difficulty: hard.
During an Advanced Hunting investigation in Microsoft Defender XDR, you must reconstruct a suspected malware execution chain on a single workstation by listing every process that was launched, together with its full command line and its initiating parent process, so that you can trace the lineage from the original loader. Which table should the Kusto Query Language (KQL) query target to obtain the parent and child process command lines directly?
// Goal: child process, its command line, and its parent process command line
<Table>
| where DeviceName == "FIN-WKS-014"
| project Timestamp, FileName, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine
A. DeviceProcessEvents, because it records one row per process creation with the child FileName and ProcessCommandLine alongside the InitiatingProcess fields for the parent, giving the full lineage on the device. (Correct)
B. DeviceEvents, because it is the general endpoint event table and therefore records every action a device takes, including each process that is created along with its parent and child command lines.
C. DeviceImageLoadEvents, because the loader and every subsequently launched binary must be mapped into memory, so the image load records reveal the parent and child process command lines for the chain.
D. DeviceFileEvents, because the loader writes the child executables to disk before running them, so the file create and modify records carry the process command lines for each stage of the chain.
Use DeviceProcessEvents in Advanced Hunting for process creation telemetry, as it carries both the child and initiating-parent command lines. DeviceProcessEvents is the schema table dedicated to process creation in Microsoft Defender for Endpoint telemetry. Each row pairs the spawned process FileName and ProcessCommandLine with the InitiatingProcessFileName and InitiatingProcessCommandLine of its parent, which lets an analyst pivot up and down the chain from a single table rather than joining across general event tables.
Why A is correct: DeviceProcessEvents is purpose-built for process creation telemetry, exposing the spawned process command line and the InitiatingProcess parent fields in the same row, which is exactly what is needed to walk a malware execution chain on one host.
Why B is wrong: DeviceEvents is a catch-all table for miscellaneous security and audit events such as protection toggles and ASR triggers; it does not provide a dedicated row per process creation with both the child and initiating-parent command lines, so the lineage reconstruction would be incomplete.
Why C is wrong: DeviceImageLoadEvents tracks DLL and module loads into a process, not process creation, so it lacks a per-spawn child command line and is the wrong surface for reconstructing parent-to-child execution lineage.
Why D is wrong: DeviceFileEvents captures file create, modify, rename, and delete activity, which is useful for tracking dropped payloads, but it does not record process command lines or parent-child execution, so it cannot reconstruct the run chain on its own.
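The question's query lists every process on the host with its parent; the natural next step in a real investigation is to walk the chain from a specific loader downwards. The query below is an added example for this page, not code from the exam bank or from Microsoft. It assumes the device name from the question and a constructed loader file name, and it matches parent to child on process id together with process creation time, because a process id alone is reused across the day and would splice unrelated processes into the chain; it goes beyond the page by following two generations of children from one DeviceProcessEvents table.

```kql
// Added example (not from the page): walk a suspected execution chain two
// generations down from a loader on one host using DeviceProcessEvents only.
let Device     = "FIN-WKS-014";        // host from the question
let LoaderName = "invoice_viewer.exe"; // constructed loader name for illustration
let Procs = DeviceProcessEvents
    | where Timestamp > ago(1d) and DeviceName == Device
    | project Timestamp, DeviceName, FileName, FolderPath, ProcessCommandLine,
              Pid = tolong(ProcessId), Created = ProcessCreationTime,
              InitiatingProcessFileName, InitiatingProcessCommandLine,
              ParentPid = tolong(InitiatingProcessId), ParentCreated = InitiatingProcessCreationTime;
// Generation 0: the loader's own creation row, keyed so its children can be joined to it.
let Gen0Keys = Procs
    | where FileName =~ LoaderName
    | project KeyDevice = DeviceName, KeyPid = Pid, KeyCreated = Created;
// Generation 1: rows whose initiating (parent) process is the loader.
let Gen1 = Procs
    | join kind=inner Gen0Keys on $left.DeviceName == $right.KeyDevice,
        $left.ParentPid == $right.KeyPid, $left.ParentCreated == $right.KeyCreated
    | project-away KeyDevice, KeyPid, KeyCreated
    | extend Depth = 1;
// Generation 2: rows whose parent is any generation-1 process.
let Gen1Keys = Gen1 | project KeyDevice = DeviceName, KeyPid = Pid, KeyCreated = Created;
let Gen2 = Procs
    | join kind=inner Gen1Keys on $left.DeviceName == $right.KeyDevice,
        $left.ParentPid == $right.KeyPid, $left.ParentCreated == $right.KeyCreated
    | project-away KeyDevice, KeyPid, KeyCreated
    | extend Depth = 2;
union Gen1, Gen2
| project Depth, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| order by Timestamp asc
```

Each further generation is another join of the same shape against the previous generation's keys; the lineage never leaves DeviceProcessEvents, which is the point of the worked example, and the creation-time match is what keeps a recycled process id from pulling a later, unrelated process into the chain.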
A study plan that works
Read the refreshed blueprint and book a date
Day 1
Read the three domains from the 16 April 2026 refresh and note that Manage a Security Operations Environment is the largest, Respond to Security Incidents is close behind, and Perform Threat Hunting is the smallest. Book a provisional date now to turn open-ended study into a plan, and make sure you have a Microsoft Sentinel workspace and a Microsoft Defender XDR tenant you can configure, because this exam rewards hands-on practice over reading.
Build the detection and automation backbone
Week 1
In the Microsoft Sentinel and Microsoft Defender portals, set an attack surface reduction rule to Audit and watch DeviceEvents, build a scheduled analytics rule and a near-real-time rule side by side, and save an Advanced Hunting query as a Microsoft Defender XDR custom detection. Wire an automation rule to call a playbook on incident creation, assign a Microsoft Sentinel Contributor role at workspace scope, and configure an Azure Policy deployIfNotExists assignment for diagnostic logs.
Master data connectors and ingestion
Week 1 to 2
Configure connectors for Windows security events, Syslog, and CEF, and trace how each lands in the workspace tables. Enable the Azure Activity connector, ingest threat indicators, and add a custom log source, then contrast a per-resource diagnostic setting against the policy-driven approach so you can answer least-effort-at-scale questions. Map a handful of analytics rules to MITRE ATT&CK and read SOC optimization recommendations and retention tiers.
Work through cross-workload incident response
Week 2 to 3
Open a correlated Microsoft Defender XDR incident and study the incident graph and attack story. Drill into a device page and separate the Incidents and alerts tab from the Timeline tab. Practise live response run, putfile, getfile, and library commands. In Microsoft Entra ID Protection, confirm a user compromised; in Microsoft Purview, compare eDiscovery (Premium), Content Search, and Audit (Premium); and read how automatic attack disruption contains an active attack autonomously.
Drill KQL and threat hunting
Week 3
Write Advanced Hunting KQL daily. Learn the table map: DeviceProcessEvents for process lineage, DeviceNetworkEvents for connections, DeviceEvents as the general table. Build make-series for beaconing and prove summarize with bin drops empty buckets. Capture a hunting bookmark, tag it with ATT&CK, and add it to an incident. Run a Jupyter Notebook with MSTICPy and read how the Microsoft Sentinel MCP Server authenticates through Microsoft Entra ID.
Drill weak domains and space the review
Week 4
Use your per-domain accuracy on practice questions to attack the domains dragging you down rather than re-reading what you already know. Revisit each domain's recall prompts after a few days and again a week later, because spacing roughly doubles what sticks compared with cramming. Pay extra attention to the management domain, since it is the heaviest weighted.
Sit a timed mock and calibrate
Week 4 to 5
Take at least one full timed practice run to rehearse pacing and the flag-and-return habit. Treat the score as a per-domain readiness signal rather than one number, and review every missed question, naming the constraint in the stem you misread such as real-time versus scheduled or the wrong telemetry table, before you book or sit.
Know when you're ready
Readiness for SC-200 is a measured score on practice questions you have not seen before, across more than one session, not a feeling that the blade names are familiar. The exam tests whether you can map a fresh, constraint-rich scenario to the one correct Microsoft Sentinel or Microsoft Defender XDR capability while rejecting the near-neighbours placed beside it, and that skill only shows up on unseen items.
The honest test is this: read a new scenario, name the capability that owns the job, pick the exact rule type, table, verdict, or response action inside it, and explain why each other option violates a constraint in the stem such as wrong latency, wrong signal source, wrong scope, or too much privilege. If you can do that consistently on unseen questions across all three domains, and you can read and reason about KQL without a reference open, you are ready. If you can only nod along when the explanation is revealed, you are not there yet.
Set the bar at clearing every domain comfortably on unseen questions, not scraping a single pass. The management domain carries the most weight and the hunting domain the least, but a weak run in any one of them can sink the result, so do not call yourself ready until all three are solid together.
Name the owning capability first. Decide whether the stem is about a Sentinel analytics rule, a Defender XDR custom detection, an automation rule, a playbook, a device response action, or a hunting artefact before you read the options, so you narrow the field before comparing details.
Separate real-time from scheduled and automatic from manual. If the stem demands sub-minute latency on one source it is a near-real-time rule; if it demands autonomous containment of an active attack it is automatic attack disruption; if it demands recurring aggregation across tables it is a scheduled analytics rule.
Pick the right telemetry table in KQL. Process lineage with parent and child command lines is DeviceProcessEvents, not DeviceEvents; outbound connections are DeviceNetworkEvents; reach for make-series, not summarize with bin, when you need an even gap-filled time series for beaconing.
Choose the least-privilege, lowest-effort option. When more than one configuration would technically work, the exam wants the narrowest scope and the fewest manual steps, such as Microsoft Sentinel Contributor over a subscription role, or an Azure Policy deployIfNotExists over per-resource diagnostic settings.
Match the verdict to the workload. In Microsoft Entra ID Protection use Confirm user compromised to record a true positive; in Microsoft Purview use eDiscovery (Premium) for holds and defensible export; on a device use the live response run command to execute a pre-approved library script.
Use the incident graph and attack story for correlation questions. When a stem asks how cross-workload alerts connect into one multi-stage attack, the answer is the incident graph and attack story, not threat analytics, vulnerability management, or the schema reference.
Flag and move on. With a fixed time limit, answer every clear question first and return to the few that need more thought, so a straightforward question late in the paper is never left unanswered.
Frequently asked questions
Is SC-200 hard?
It is an associate-level exam, so it is harder than a fundamentals exam: it asks you to choose and configure the right capability, not just describe what a feature does. The difficulty is in distinguishing genuine Microsoft Sentinel and Microsoft Defender XDR features that almost fit from the one that honours every constraint, which is why hands-on practice and drilling discriminators matter more than reading.
Do I need hands-on experience before sitting it?
Yes. SC-200 expects working Microsoft Sentinel and Microsoft Defender XDR familiarity. You should have written KQL, built at least one analytics rule, triaged an incident in the Defender portal, and run an Advanced Hunting query. The scenarios assume you have seen these blades and tables, so build that experience in a workspace and tenant before booking.
What changed in the 16 April 2026 outline refresh?
The refresh collapsed the previous four functional groups into three: Manage a Security Operations Environment, Respond to Security Incidents, and Perform Threat Hunting. Configuration and automation content moved into the management domain, and threat hunting now stands alone. If your study materials still list four groups, they are out of date and the weighting will be wrong.
How much KQL do I need to know?
Enough to read, reason about, and write Advanced Hunting and Microsoft Sentinel queries without a reference open. You need the table map, where DeviceProcessEvents carries process lineage and DeviceNetworkEvents carries connections, and the common operators, including knowing make-series fills empty time buckets while summarize with bin does not. The hunting domain leans on this directly, and response and detection questions assume it too.
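The make-series versus summarize with bin distinction from the table-map tip and the answer above, as an added KQL example that is not from the original guide. The sample rows are constructed and stand in for DeviceNetworkEvents (a real Advanced Hunting table; only a few of its columns are modelled here), with one beacon deliberately missing so the gap-filling difference is visible:

```kql
// Constructed sample standing in for DeviceNetworkEvents: one host contacting
// the same remote address every 10 minutes, with the 10:30 beacon missing.
let sample = datatable(Timestamp:datetime, DeviceName:string, RemoteIP:string, RemotePort:int)
[
    datetime(2026-04-20 10:00:00), "ws01", "203.0.113.10", 443,
    datetime(2026-04-20 10:10:00), "ws01", "203.0.113.10", 443,
    datetime(2026-04-20 10:20:00), "ws01", "203.0.113.10", 443,
    datetime(2026-04-20 10:40:00), "ws01", "203.0.113.10", 443,
    datetime(2026-04-20 10:50:00), "ws01", "203.0.113.10", 443
];
let window_start = datetime(2026-04-20 10:00:00);
let window_end   = datetime(2026-04-20 11:00:00);
// summarize with bin only emits buckets that contain rows, so the empty
// 10:30 bucket never appears and the series looks unbroken.
let binned = sample
| summarize Connections = count() by DeviceName, RemoteIP, Bucket = bin(Timestamp, 10m)
| extend Method = "summarize_bin";
// make-series emits every step in the window and fills 10:30 with default 0,
// giving the even series that beaconing arithmetic and series_* functions need.
let evenly = sample
| make-series Connections = count() default = 0
    on Timestamp from window_start to window_end step 10m
    by DeviceName, RemoteIP
| mv-expand Bucket = Timestamp to typeof(datetime), Connections to typeof(long)
| extend Method = "make_series";
// Side by side: only the make-series branch reports a quiet bucket, so only it
// can tell a steady beacon with one skipped check-in from a perfectly regular one.
binned
| union evenly
| summarize Buckets = count(),
            QuietBuckets = countif(Connections == 0),
            ActiveShare = round(todouble(countif(Connections > 0)) / count(), 2)
    by Method, DeviceName, RemoteIP
```

Replace the datatable with the live DeviceNetworkEvents table and widen the window to hunt for real periodic traffic.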
How long should I study for SC-200?
Most candidates who already work in a SOC with Microsoft Sentinel and Microsoft Defender XDR are ready in four to six weeks of steady, hands-on study. Spread your time across all three domains, weight slightly toward the management domain since it is the largest, and spend extra on whichever domains your practice scores flag as weak.
Which domain carries the most weight?
Manage a Security Operations Environment is the heaviest, Respond to Security Incidents is close behind, and Perform Threat Hunting is the smallest. None can be neglected: a weak run in any single domain can fail the exam, so you need detection and automation, cross-workload response, and KQL hunting all solid rather than excelling in one.
How do Microsoft Sentinel analytics rules differ from Microsoft Defender XDR custom detections?
A Sentinel analytics rule runs KQL against the Log Analytics workspace and raises Sentinel incidents; a Defender XDR custom detection runs KQL over the Advanced Hunting schema in the Defender portal, requires a Timestamp and at least one impacted entity column, and raises Defender alerts with built-in response actions on those entities. Picking the right one for the stated tables and response is a recurring trap.
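A query shaped so that it can be saved as a Defender XDR custom detection, as an added example that is not from the original guide. DeviceProcessEvents and its column names are real Advanced Hunting schema; the rows are constructed, and the example also relies on ReportId being a required output column for custom detections, which the guide does not mention:

```kql
// Constructed rows standing in for DeviceProcessEvents so the query reads
// end to end; in the Defender portal, query the live table instead.
let DeviceProcessEvents_sample = datatable(
    Timestamp:datetime, ReportId:long, DeviceId:string, DeviceName:string,
    FileName:string, ProcessCommandLine:string,
    InitiatingProcessFileName:string, InitiatingProcessCommandLine:string,
    AccountUpn:string)
[
    datetime(2026-04-20 09:12:00), 101, "dev-1111", "ws01",
        "powershell.exe", "powershell.exe -NoProfile -Command Get-Date",
        "WINWORD.EXE", "WINWORD.EXE /n invoice.docx", "alice@contoso.example",
    datetime(2026-04-20 09:13:00), 102, "dev-2222", "ws02",
        "powershell.exe", "powershell.exe -File backup.ps1",
        "explorer.exe", "explorer.exe", "bob@contoso.example"
];
// Process lineage lives in DeviceProcessEvents: the child is the row's
// FileName/ProcessCommandLine, the parent is the InitiatingProcess* columns.
DeviceProcessEvents_sample
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "OUTLOOK.EXE")
// A custom detection must return Timestamp, ReportId and at least one
// impacted-entity column (DeviceId here; AccountUpn is another), because the
// portal uses them to create the alert and attach device/user response
// actions. Keep them in the projection rather than summarizing them away.
// The same KQL saved as a Sentinel scheduled analytics rule has no such
// column requirement; entities are mapped in the rule wizard instead.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountUpn,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
```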
Does the exam test how to configure these services or just describe them?
It tests configuration, triage, and hunting. Every domain asks you to manage, respond, or hunt to meet a requirement, so the questions hand you a constrained scenario and ask which capability, table, verdict, or action fits. Recognition of names is not enough; you need to know the settings, signal sources, and their effects.
Is the Microsoft Security Operations Analyst certification worth it?
SC-200 is worth it for security analysts and SOC engineers who work with Microsoft Sentinel and Microsoft Defender XDR, or who are moving into those roles from a general IT background. The certification covers detection configuration, incident response across Defender workloads, and threat hunting with KQL, which are directly applicable skills in a Microsoft-centric security operations environment. It is also a sensible associate-level step toward the SC-100 expert credential for those aiming at a security architect role.
Examworthy is not affiliated with or endorsed by Microsoft. This guide is original study material based on the public exam blueprint. We never reproduce live exam items. SC-200 and related marks belong to their respective owners.