SC-200 Study Guide: 7 Things You Need to Know to Pass the Microsoft Security Operations Analyst Exam
- Alfredo Iorio
- Mar 16
- 9 min read
If you want to become a Microsoft Certified Security Operations Analyst, you need to pass the SC-200 exam. This is not a conceptual exam. It does not ask you to describe what Microsoft Sentinel is or explain the difference between XDR and SIEM at a high level. It tests whether you can operate these tools, configure analytics rules, write KQL queries to hunt for specific threats, build Sentinel playbooks, and make the right call during an active incident.

What is the SC-200 certification?
The SC-200 exam earns you the Microsoft Certified: Security Operations Analyst Associate certification. It validates your ability to reduce organisational risk by investigating, responding to, and hunting for threats using Microsoft Sentinel, Microsoft Defender XDR, Microsoft Defender for Cloud, and Security Copilot.
The exam was updated in January 2026 with minor changes to the Sentinel data ingestion section and a terminology update around Security Copilot.
Who needs the SC-200?
Security operations analysts: people who work in a SOC, triage alerts, investigate incidents, and respond to threats in Microsoft environments. If your day-to-day work involves Sentinel dashboards, Defender XDR incidents, or cloud security alerts, this is the certification for your role.
The SC-200 also sits as a prerequisite pathway into the SC-100 (Cybersecurity Architect Expert), making it a natural stepping stone if you are planning to move into security architecture.
Self-directed learning or instructor-led training?
The official SC-200T00 course material is available for free on Microsoft Learn and covers all four exam domains. Self-study is a realistic option if you already have hands-on experience working in the Microsoft security portals day to day.
If you are newer to the tools, or if your experience is concentrated in one product area (say Defender for Endpoint but not Sentinel), instructor-led training is the more reliable path. The course runs over four days with labs throughout. The lab work matters specifically for the SC-200 because KQL and Sentinel configuration are skills you build through doing, not through reading about doing.
The exam includes questions that require you to read a KQL query and explain what it returns, or identify which KQL operator achieves a specific hunting goal. Neither of those can be learned by memorising a list of operators in isolation.
Is e-learning from third parties worth it?
There are SC-200 courses on Udemy and Pluralsight. These are useful supplementary materials once you have your foundational knowledge in place, particularly for KQL practice. The Kusto Detective Agency, a free gamified KQL training tool from Microsoft, is one of the best resources available for building practical query skills before the exam. Practice tests from MeasureUp (the Microsoft-endorsed provider) are worth the investment in the final preparation phase.
What skills does the SC-200 test, and what is the weighting?
The exam currently covers four areas:
Manage a security operations environment — 20–25%
Configure protections and detections — 15–20%
Manage incident response — 25–30%
Manage security threats — 15–20%
Incident response is the largest single area. It covers the full investigation and remediation lifecycle across Defender XDR, Defender for Endpoint, Microsoft Purview, Entra ID, Defender for Identity, and Sentinel. The breadth is significant: a question might ask about investigating a DLP policy violation in Microsoft Purview, then the next question asks about isolating a device using Defender for Endpoint live response. Both sit under the same domain.
The security operations environment domain, which covers Sentinel workspace design, data connectors, log retention, and data collection rules, accounts for up to a quarter of the exam and is consistently underestimated by candidates who focus their preparation on incident response and threat hunting.
How hard is the SC-200?
The SC-200 is scenario-driven throughout. You are given a configuration state, a business requirement, or an active incident, and you must identify the correct action or the root cause. It is not asking you to recall definitions.
KQL runs through every domain. You do not need to write complex queries from memory, but you do need to read a query and understand what it produces, whether that is counting failed sign-in attempts per device, joining two tables to correlate events, or using the summarize and make-series operators to detect anomalies over time.
What types of questions will you get?
Case studies: Extended company scenarios followed by several questions. The case gives you configuration details, existing setup, and business requirements. Read the whole case before attempting any questions; the answer to question three is often in the configuration details you might skim past in a rush.
Drag-and-drop sequencing: Common in the incident response and Sentinel setup sections. You arrange the correct steps for responding to a specific attack type or configuring a specific Sentinel capability. Sequence matters; getting the steps right but out of order scores zero.
Hotspot and dropdown: You are shown a partially completed configuration or query and must select the correct values. These appear heavily in the KQL section.
Series questions: A scenario followed by multiple independent solutions. You cannot go back once you have answered; take your time on each one.
You have 100 minutes for between 40 and 60 questions. The pass mark is 700 out of 1000.
Does the exam come with instructor-led training?
No. The exam is booked separately through Pearson VUE at pearsonvue.com/microsoft. Training and assessment are separated across all Microsoft certifications.
The 7 things you need to know to pass the SC-200
1. Microsoft Sentinel and Microsoft Defender
This is the most fundamental confusion in the SC-200, and the exam exploits it consistently. Microsoft Defender XDR is an extended detection and response platform; it correlates signals from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into unified incidents. It is where you investigate threats to endpoints, identities, email, and cloud applications. Microsoft Sentinel is a cloud-native SIEM and SOAR; it ingests data from a much wider range of sources (including Defender XDR alerts as one input), and it is where you build custom analytics rules, run threat hunting queries, manage long-term log retention, and automate incident response via playbooks.
A question will describe a requirement and ask which tool to use. If the requirement is hunting for a specific suspicious process across all endpoints using a custom KQL query against historical log data, the answer is Sentinel. If the requirement is investigating an active alert that correlates an endpoint compromise with a suspicious email attachment, the answer is Defender XDR. Candidates who treat them as interchangeable will pick the wrong one on several questions throughout the exam.
2. Automation rules and playbooks in Sentinel
Automation rules and playbooks both enable automated responses in Sentinel, and the exam tests when to use each and in what order. An automation rule runs logic directly; it can assign incidents, change their status, add tags, or close them without needing a playbook. A playbook is a Logic App that runs more complex actions, such as sending a Teams notification, querying an external API, or isolating a device via the Defender for Endpoint connector. A playbook must be called by an automation rule or triggered from an analytics rule.
The distinction the exam tests most sharply: if the requirement is to automatically close an incident when it is generated by a specific analytics rule and the affected entity is a known service account, that is an automation rule with no playbook required. If the requirement is to automatically isolate the device associated with a high-severity incident and notify the SOC team in Teams, that requires a playbook, which is then called by an automation rule with an incident trigger. Candidates who reach for a playbook in every automation scenario will get these questions wrong, as will candidates who try to configure complex response actions directly inside an automation rule without a playbook.
3. KQL is not optional
The exam includes questions where you are shown a KQL query and asked what it does, questions where you complete a partial query by selecting the correct operators from a dropdown, and questions where you identify which query achieves a specific hunting or detection goal. You need to be comfortable with the core operators: where, summarize, project, join, extend, parse, make-series, and count. You also need to understand table names such as SecurityEvent, SigninLogs, DeviceProcessEvents, and OfficeActivity, and what data each one contains.
A representative question type: you are shown a query that counts failed sign-in attempts grouped by account and filtered to the last 24 hours, with a threshold condition. You are asked whether this query would detect a password spray attack or a brute force attack against a single account. The difference is in the grouping. Password spray spreads attempts across many accounts; brute force concentrates them on one. If you cannot read the query quickly, you cannot answer reliably. Practising KQL in a live Sentinel environment is the only preparation that makes this feel straightforward under exam conditions.
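An added example (not from the article) of the query pair that question describes, plus a make-series variant of the kind mentioned earlier: all three count failed Entra ID sign-ins in SigninLogs, and only the summarize grouping decides which attack each one detects. ResultType 50126 is the Entra error for an invalid username or password; the thresholds are assumptions.

```kql
// Added example, not from the article. Run each query on its own.
// Assumed thresholds: 10 distinct accounts (spray), 20 attempts (brute force).

// Query A - password spray: one source tries a few passwords against MANY
// accounts, so group by the source and count DISTINCT target accounts.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "50126"                // invalid username or password
| summarize FailedAttempts = count(),
            TargetedAccounts = dcount(UserPrincipalName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by IPAddress
| where TargetedAccounts >= 10               // many accounts from one source
| order by TargetedAccounts desc

// Query B - brute force: many attempts concentrated on ONE account, so group
// by the target account and count attempts (source count shown for context).
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "50126"
| summarize FailedAttempts = count(),
            SourceIPs = dcount(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by UserPrincipalName
| where FailedAttempts >= 20                 // sustained attempts on one account
| order by FailedAttempts desc

// Query C - time-series view: bin failures per hour per account with
// make-series and flag hours that deviate from that account's own baseline,
// which catches a slow brute force that never crosses a fixed threshold.
SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == "50126"
| make-series Failures = count() on TimeGenerated from ago(7d) to now() step 1h
    by UserPrincipalName
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Failures, 1.5)
| mv-expand TimeGenerated to typeof(datetime), Failures to typeof(long),
            Anomalies to typeof(double)
| where Anomalies > 0                        // positive spike above baseline
| project TimeGenerated, UserPrincipalName, Failures
```

Swapping the by clause between Query A and Query B is exactly the change the exam expects you to spot.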
4. The Sentinel workspace design
The exam tests Sentinel workspace architecture: not just the portal functions, but the design decisions that precede deployment.
You need to know the trade-offs between a single centralised workspace and multiple workspaces for multi-tenant or data residency scenarios, how RBAC roles map to Sentinel functions (the difference between Microsoft Sentinel Reader, Responder, and Contributor, and when to use each), and how log retention works across the two main tiers: the Analytics tier for primary security data that needs to be available for real-time queries and analytics rules, and the data lake tier for secondary or high-volume data retained at lower cost for longer periods. You also need to know how data collection rules and Windows Event Forwarding are configured for on-premises Windows Security event collection.
A question pattern that appears in the case study format: a company has strict data residency requirements for its European operations. It needs to ensure that certain log data never leaves the EU region. The question asks how to architect the Sentinel deployment. The answer involves deploying a separate workspace in an EU region, not filtering data within a single workspace. Candidates who have only ever worked in a single-tenant environment tend to suggest the filtering approach, which does not satisfy data residency requirements.
5. ASIM parsers are tested
ASIM, the Advanced Security Information Model, is a normalisation framework in Sentinel that lets you write queries against a consistent schema regardless of the underlying data source.
The exam tests it specifically. You need to know that ASIM parsers come in two levels: source-agnostic parsers, which work across all sources that provide a given event type, and source-specific parsers, which are optimised for a particular data source. Using ASIM parsers reduces query maintenance overhead because the same query works against multiple log sources without modification.
A question will describe a scenario where an organisation wants to minimise the overhead of maintaining hunting queries as new data sources are added. The answer involves using source-agnostic ASIM parsers. Candidates who have not specifically studied ASIM will reach for custom analytics rules or workbook queries. Neither addresses the maintenance overhead requirement; they just replicate the problem at a different layer.
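As an added example (not the article's), the same spray hunt written once against the ASIM Authentication schema instead of SigninLogs. _Im_Authentication is the built-in source-agnostic parser; the 10-account threshold is an assumption.

```kql
// Added example, not from the article. _Im_Authentication is the built-in
// source-agnostic ASIM parser: it unions every source-specific Authentication
// parser present in the workspace (Entra ID sign-ins, Windows Security
// events, and any other connected source), so the query needs no change when
// a new source is onboarded. The starttime parameter is pushed down into each
// source-specific parser so filtering happens before the union.
// Assumption: a 10-account threshold per source address.
_Im_Authentication(starttime=ago(24h))
| where EventResult == "Failure"              // normalised, not per-product codes
| summarize FailedAttempts = count(),
            TargetedAccounts = dcount(TargetUsername),
            Products = make_set(EventProduct)  // which sources saw the activity
          by SrcIpAddr
| where TargetedAccounts >= 10
| order by TargetedAccounts desc
```

Against raw tables the same hunt needs one query per source (SigninLogs uses ResultType, SecurityEvent uses EventID 4625), which is the maintenance overhead the question is about.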
6. Defender for Endpoint automation levels directly control what automated investigation can do
Defender for Endpoint has five automation levels for device groups, ranging from No automated response through to Full (remediate threats automatically). The exam tests what each level does in practice, not just what it is called. At Full, the automated investigation remediates detected threats without waiting for approval. With No automated response, automated investigation does not run at all on the devices in that group; no remediation actions are taken or logged. The three Semi levels each apply different approval requirements depending on where the file or executable is located (all folders, core OS folders, or non-temporary folders).
A scenario: an organisation has been experiencing false positives from automated remediations on a group of production servers, and the SOC team wants to review all proposed remediations before they execute.
The question asks which automation level to configure for that device group. The answer is Semi (require approval for any remediation), not Full (which remediates without approval) and not No automated response (which stops automated investigation entirely). Candidates who conflate No automated response with a cautious semi-automated mode, imagining it still investigates but just asks for approval, will pick the wrong answer.
7. Deception rules in Defender XDR
Deception rules are a feature that deploys decoy assets into your environment to detect lateral movement. When an attacker interacts with a decoy account, device, or file, a high-fidelity alert is generated immediately.
The exam tests the configuration: you enable deception, the system automatically creates decoy entities, and any interaction with those decoys generates an alert treated as a strong indicator of compromise rather than a noisy signal requiring triage.
The reason this catches candidates is straightforward: deception technology is not widely deployed in most organisations, so many analysts know it exists but have never configured it. A question will describe an organisation that wants high-confidence early warning of lateral movement without generating large volumes of false positives from standard detection rules. The answer is to configure deception rules in Defender XDR. Candidates unfamiliar with the feature will look at analytics rules or custom detection rules. Both generate alerts based on observed behaviour; neither provides the specific capability of synthetic decoy assets that produce near-zero false positives by design.
What to do after you pass
Your certification badge appears in your Microsoft Learn account within a few days and links to Credly for LinkedIn sharing. The SC-200 renews annually through a free online assessment on Microsoft Learn; set a reminder, as the renewal covers the current exam objectives and is not the same content as the original exam.
The SC-200 is also one of the prerequisite pathways into the SC-100 (Cybersecurity Architect Expert). If you are planning to progress further in the Microsoft security certification track, this is where that journey begins.
Our SC-200 instructor-led course runs over four days on Microsoft Teams with live lab access to the Microsoft security portals throughout. Small groups only. https://www.d365training.com/instructor-led/security-certifications