TestsWorld

Microsoft Security Operations Analyst (SC-200)

Microsoft Security

About this practice test

The Microsoft Security Operations Analyst (SC-200) validates the skills a working SOC analyst uses every day: triaging Microsoft Defender XDR incidents, tuning Microsoft Sentinel analytics, hunting for threats with KQL, automating response with playbooks, and improving the organization's security posture from inside Microsoft Defender for Cloud.

This practice test gives you 250 scenario-style multiple-choice questions with detailed, multi-sentence explanations. Where AZ-500 covers the security engineer's build-time view, SC-200 is the run-time view: live incidents, signal correlation, hunting, response. Questions follow the latest SC-200 curriculum and match the official exam-blueprint weighting.

What the SC-200 exam covers

  • Mitigate threats by using Microsoft Defender XDR (50–55%) — Microsoft Defender for Endpoint (onboarding, device groups, attack surface reduction rules, EDR, automated investigation, live response, advanced hunting on the device schema, antivirus / Defender Antivirus configuration via Intune / GPO, exclusions, custom indicators), Microsoft Defender for Office 365 (Safe Links and Safe Attachments policies, anti-phishing impersonation protection, Threat Explorer, attack simulation training, Submissions and the user-reported-message workflow), Microsoft Defender for Identity (sensor deployment on domain controllers, sensitive accounts and honeytokens, detecting Pass-the-Hash, Pass-the-Ticket, Golden Ticket, DCSync, lateral movement paths), Microsoft Defender for Cloud Apps (cloud discovery, app connectors, OAuth app governance, conditional access app control reverse proxy, session policies, file policies, Defender for Cloud Apps + Entra ID Protection signal correlation), Microsoft Entra ID Protection signals fed into XDR, unified Defender XDR incident triage in the unified portal (security.microsoft.com), cross-product investigation, KQL advanced hunting across the Defender schema (DeviceLogonEvents, DeviceProcessEvents, EmailEvents, IdentityLogonEvents, CloudAppEvents, AADSignInEventsBeta).
  • Mitigate threats by using Microsoft Defender for Cloud (25–30%) — Defender for Cloud plans (Defender for Servers Plan 1 and Plan 2, Defender for SQL, Storage, Containers, App Service, Key Vault, Resource Manager, DNS, APIs, Cosmos DB, Open-Source Relational DBs), CSPM (foundational and Defender CSPM with attack path analysis, agentless scanning, governance rules, regulatory compliance), Secure Score management, recommendations and remediation, just-in-time VM access, adaptive application controls, file integrity monitoring, security alerts and incidents in Defender for Cloud, multicloud onboarding for AWS and GCP, environment settings, security policies and regulatory initiatives (NIST 800-53, ISO 27001, PCI DSS, HIPAA, FedRAMP, CIS, SOC 2), Microsoft Cloud Security Benchmark.
  • Mitigate threats by using Microsoft Sentinel (20–25%) — Microsoft Sentinel workspace design and data residency, data connectors (Microsoft sources, AWS, GCP, syslog / CEF, Codeless Connector Platform), analytics rule types (scheduled, near-real-time, Microsoft security, Fusion, anomaly, ML behavior analytics), entity mapping and incident triage workflow, watchlists, UEBA, threat intelligence (TI ingest via TAXII / STIX, Threat Intelligence Workbook, TI matching analytics rule), MITRE ATT&CK navigator and coverage workbook, advanced hunting and bookmarks, notebooks, livestream, automation rules and playbooks (Logic Apps with Microsoft Sentinel triggers), incident management lifecycle, content hub solutions, ingestion cost management (Basic Logs vs Analytics Logs, Auxiliary Logs, commitment tiers), cross-workspace queries, Microsoft Sentinel multi-tenant management via Lighthouse.

Exam format on Microsoft Learn

The live SC-200 has 40–60 questions over roughly 120 minutes of seat time (about 150 minutes total including instructions). It uses multiple-choice, multiple-response, drag-and-drop ordering, hot-area, and case-study items (a long SOC scenario followed by linked questions). The passing score is 700 / 1000 (~70%). The exam is available in English, Japanese, Simplified Chinese, Korean, German, French, Spanish, Portuguese, Italian, Arabic, Indonesian, and Russian, at Pearson VUE test centers or as an online proctored exam. Recertification is annual via a free renewal assessment on Microsoft Learn.

Who should take this?

Working SOC analysts, threat hunters, security engineers, and incident responders who use Microsoft Sentinel and the Defender XDR family in their day job. Microsoft recommends fluency with Microsoft 365, Azure, Microsoft Entra ID, and basic KQL. Many candidates pair SC-200 with SC-100 (Cybersecurity Architect Expert) for architecture-tier breadth, SC-300 (Identity and Access Administrator) for IAM depth, AZ-500 (Azure Security Engineer) for the engineering-side view, and MS-500 (M365 Security Administrator, now retired but the content lives on inside SC-200 / SC-400). SC-200 is also a common stepping stone toward CompTIA CySA+, GIAC GCFA, and the SANS SOC analyst track.

Free to attempt with a TestsWorld account. No card required.
