SC-200 Study Guide 2026: Complete Security Operations Analyst Exam Prep
Everything you need to pass the SC-200 Microsoft Security Operations Analyst exam — all domains, a study plan, and what actually shows up on test day.
Quick Summary
- SC-200 is an Associate-level exam with 40–60 questions, 120 minutes, 700/1000 passing score
- Covers 3 domains: Microsoft 365 Defender, Microsoft Defender for Cloud, Microsoft Sentinel
- Microsoft Sentinel accounts for roughly 50% of the exam
- Exam cost: $165 USD
What is the SC-200 Exam?
SC-200 is the Microsoft Security Operations Analyst Associate certification. It validates that you can reduce organizational risk by rapidly remediating active attacks, advising on threat protection improvements, and reporting violations of organizational policies using Microsoft security tools — primarily Microsoft Sentinel, Microsoft 365 Defender, and Microsoft Defender for Cloud.
Passing SC-200 earns the Microsoft Certified: Security Operations Analyst Associate credential. It is widely regarded as one of the most practically valuable security certifications for SOC analysts, threat hunters, and incident responders who work in Microsoft-heavy environments.
SC-200 is heavily Sentinel-focused. Microsoft Sentinel (SIEM+SOAR) accounts for approximately half the exam content. Candidates who invest deeply in Sentinel — including KQL query writing — consistently perform significantly better on this exam.
| Detail | Information |
|---|---|
| Exam Code | SC-200 |
| Credential Earned | Security Operations Analyst Associate |
| Number of Questions | 40–60 questions |
| Time Limit | 120 minutes |
| Passing Score | 700 out of 1000 |
| Exam Price | $165 USD |
| Exam Level | Associate |
| Prerequisites | None (SC-900 or security experience recommended) |
SC-200 Exam Domains & Weightings
SC-200 covers three domains. Microsoft Sentinel dominates — plan to spend at least half your study time on it.
Domain 1: Mitigate Threats Using Microsoft 365 Defender
Weighting: 25–30%
- Microsoft Defender XDR — unified incident management, automated investigation and response (AIR)
- Microsoft Defender for Endpoint — device onboarding, alert triage, endpoint detection and response (EDR)
- Microsoft Defender for Office 365 — email threat investigation, Safe Links, Safe Attachments, anti-phishing
- Microsoft Defender for Identity — AD threat detection, lateral movement alerts, identity timeline
- Microsoft Defender for Cloud Apps — cloud app discovery, anomaly detection, session policies
- Advanced Hunting — KQL queries in the Microsoft 365 Defender portal across all workloads
Study tip: Know the incident investigation workflow in the Microsoft 365 Defender portal — how alerts correlate into incidents, and which automated remediation actions are available.
Domain 2: Mitigate Threats Using Microsoft Defender for Cloud
Weighting: 15–20%
- Cloud security posture management (CSPM) — Secure Score, security recommendations
- Defender for Cloud workload protection plans — Defender for Servers, Containers, SQL, Storage, Key Vault
- Just-in-time VM access — reducing the attack surface of Azure VMs
- Security alerts — alert investigation, threat intelligence, alert suppression
- Regulatory compliance dashboard — compliance assessments and remediation
- Defender for Cloud integration with Microsoft Sentinel (connector)
Domain 3: Mitigate Threats Using Microsoft Sentinel
Weighting: 50–55%
The dominant domain. Microsoft Sentinel is a cloud-native SIEM and SOAR platform:
- Workspace setup — Log Analytics workspace, Sentinel enablement, data retention
- Data connectors — connecting Microsoft 365 Defender, Azure, Syslog, CEF, and third-party sources
- Analytics rules — scheduled query rules, Microsoft security rules, near-real-time (NRT) rules, anomaly rules
- Incidents — incident investigation, entity mapping, investigation graph
- Workbooks — built-in and custom workbooks for visualization and monitoring
- Threat hunting — hunting queries, bookmarks, Livestream
- Automation — playbooks (Logic Apps), automation rules, SOAR workflows
- KQL for Sentinel — writing and tuning detection queries, parsing, summarization
- MITRE ATT&CK framework — mapping detections and incidents to ATT&CK tactics/techniques
- Watchlists, User and Entity Behavior Analytics (UEBA), threat intelligence integration
Study tip: KQL is tested directly. You need to understand the basic query patterns: filtering, summarization, joins, and time-based queries. You don't need to memorize syntax, but you do need to recognize a correct query from an incorrect one.
How Hard is SC-200?
SC-200 is one of the harder Associate-level exams in the Microsoft security portfolio. The depth of Sentinel knowledge required — including KQL query writing and end-to-end detection engineering — sets it apart from more conceptual security certifications. Candidates who work in SOC environments regularly find it achievable; those without operational security experience find it significantly more challenging.
Why candidates fail SC-200
- Underestimating Sentinel's weight: 50–55% of the exam is Sentinel. Candidates who study all three domains equally miss too many Sentinel questions
- Weak KQL skills: KQL query questions appear in both the Sentinel and Advanced Hunting sections — candidates who skip KQL practice consistently underperform
- Not understanding automation: playbooks (Logic Apps) and automation rules have different triggers and capabilities — confusing them costs marks
- Sentinel vs. Defender for Cloud confusion: both can ingest security data and generate alerts — knowing which tool handles which scenario is critical
6-Week SC-200 Study Plan
This plan allocates the most time to Sentinel given its 50–55% exam weighting. A free Microsoft Sentinel trial or developer tenant is highly recommended for hands-on labs.
Week 1: Microsoft 365 Defender
- Days 1–2: Microsoft 365 Defender portal — unified incidents, alert correlation, AIR actions
- Days 3–4: Defender for Endpoint — onboarding methods, EDR alerts, device timeline, Live Response
- Days 5–6: Defender for Identity, Office 365, Cloud Apps — alert types and investigation steps
- Day 7: Advanced Hunting — KQL basics in M365 Defender portal, practice sample queries
Week 2: Microsoft Defender for Cloud
- Days 1–2: Defender for Cloud overview — CSPM, Secure Score, recommendations, compliance dashboard
- Days 3–4: Workload protection plans — Defender for Servers, Containers, SQL — what each detects
- Days 5–6: JIT VM access, security alert investigation, integration with Sentinel
- Day 7: Domain 2 practice questions — review all incorrect answers
Weeks 3–5: Microsoft Sentinel (3 Weeks)
- Week 3: Sentinel setup, data connectors, analytics rules (scheduled, NRT, anomaly), incident management
- Week 4: KQL fundamentals — where, project, extend, summarize, join, parse operators; write detection queries
- Week 5: Threat hunting, playbooks, automation rules, UEBA, watchlists, MITRE ATT&CK mapping, workbooks
Week 6: Mock Exams & Review
- Days 1–2: Review Sentinel weak spots — analytics rules, automation, KQL patterns
- Day 3: Full 120-minute timed mock exam
- Days 4–5: Targeted review of any domain below 70%
- Day 6: Second full mock exam — aim for 80%+
- Day 7: Light review only. Book exam if consistently 80%+.
Best SC-200 Study Resources
1. Microsoft Learn SC-200 Learning Path (Free)
The official learning path covers all three domains. The Sentinel modules include hands-on sandbox labs for analytics rules, playbooks, and KQL queries. Complete every lab — the Sentinel hands-on exercises are the closest free resource to the exam experience.
2. Microsoft Sentinel GitHub Repository
The official Microsoft Sentinel GitHub repository contains hundreds of real detection queries, playbook templates, and workbook examples. Reading and understanding these real-world KQL queries is one of the best ways to build the query comprehension needed for the exam.
3. MSCertQuiz Practice Tests
500 SC-200 practice questions with detailed explanations. Strong KQL scenario coverage and deep Sentinel operations content. Particularly effective for identifying gaps in analytics rule configuration, playbook logic, and MITRE ATT&CK mapping.
4. KQL Query Language Documentation
Invest dedicated time in the official KQL documentation. Focus on filtering operators (where, search), projection (project, extend), aggregation (summarize, count, sum), time functions (ago, between), and string parsing (parse, extract, split). These are the most commonly tested operators.
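The operators listed here, and the "filtering, summarization, joins, time-based queries" patterns from the Domain 3 study tip, come together in a typical Sentinel scheduled analytics rule query. The following is an added example written for this guide, not a query from the page or from the Microsoft Sentinel repository; it uses the SigninLogs table and its standard columns (TimeGenerated, ResultType, UserPrincipalName, IPAddress, AppDisplayName, UserAgent), and the lookback window and failure threshold are illustrative values you would tune for your tenant.

```kusto
// Added example: flag a source IP that generates many failed sign-ins
// and then succeeds against some account within the same window.
// Lookback and threshold are constructed values, not Microsoft defaults.
let lookback = 1h;
let failThreshold = 10;
// Step 1 (where + summarize + ago): failed sign-ins grouped by source IP.
// In SigninLogs, ResultType "0" means success; anything else is a failure code.
let failures = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | summarize FailedAttempts = count(),
                TargetedAccounts = dcount(UserPrincipalName),
                FirstFail = min(TimeGenerated)
      by IPAddress
    | where FailedAttempts >= failThreshold;
// Step 2 (where + project): successful sign-ins in the same window.
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, IPAddress,
              AppDisplayName, UserAgent;
// Step 3 (join + extend + extract): keep only successes that happened after
// the first failure from that IP, and pull the client family out of UserAgent.
failures
| join kind=inner successes on IPAddress
| where SuccessTime > FirstFail
| extend ClientFamily = extract(@"^(\w+)/", 1, UserAgent)
| project TimeGenerated = SuccessTime, IPAddress, UserPrincipalName,
          AppDisplayName, FailedAttempts, TargetedAccounts, ClientFamily
| order by TimeGenerated desc
```

When this query backs a scheduled rule, map IPAddress to the IP entity and UserPrincipalName to the Account entity so the incident's investigation graph and UEBA enrichment pick them up; the threshold is the tuning knob exam questions typically ask you to reason about.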
SC-200 Exam Day Tips
Do
- For KQL questions: identify the table first, then the operators — wrong table selection invalidates the whole query
- Distinguish automation rules (Sentinel-native, fast, simple) from playbooks (Logic Apps, complex, flexible)
- For incident response questions: Sentinel handles correlation and investigation; Defender XDR handles product-specific remediation
- MITRE ATT&CK questions: know the difference between tactics (why) and techniques (how)
Don't
- Don't confuse data connectors (ingestion) with analytics rules (detection) — they serve different purposes
- Don't assume Defender for Cloud and Sentinel overlap — Sentinel is your SIEM; Defender for Cloud is posture + workload protection
- Don't skip the hunting section — bookmarks and Livestream questions appear regularly
- Don't neglect UEBA — User and Entity Behavior Analytics has grown in exam weighting
Frequently Asked Questions
Do I need SC-900 before SC-200?
No, SC-900 is not a prerequisite. However, if you are new to Microsoft security products, completing SC-900 first gives you conceptual grounding that makes SC-200 study more efficient. If you already work in IT security, you can skip SC-900 entirely.
How much KQL do I need to know for SC-200?
More than most candidates expect. You need to recognize and write basic query patterns using where, project, summarize, extend, and join operators. You also need to understand time-based filtering (ago(), between()) and string parsing (parse, extract). You don't need expert-level KQL, but you cannot pass by skipping it.
Is SC-200 harder than SC-300?
They are comparable in difficulty but different in nature. SC-300 tests configuration depth across Entra ID governance features. SC-200 tests operational security analysis skills with heavy KQL and Sentinel content. Most candidates find SC-200 harder if they lack SOC or threat hunting experience.
What comes after SC-200?
SC-200 is a strong foundation for advanced security roles. Complementary certifications include SC-300 (Identity and Access Administrator) and AZ-500 (Azure Security Engineer). The combination of SC-200 + SC-300 covers most enterprise Microsoft security operations roles comprehensively.