© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.


Microsoft · 2026 Edition

SC-200 Study Guide — How to Pass Microsoft Security Operations Analyst

A complete preparation guide written by Microsoft-certified engineers. Covers the exam format, all 6 blueprint domains, a week-by-week study plan, and proven tips for passing the first time.

Prep time: 2–3 months
Difficulty: Intermediate
Exam questions: 50
Pass mark: 700/1000


On this page

  1. SC-200 Exam at a Glance
  2. Why Earn the SC-200?
  3. Exam Domains & Weights
  4. Study Plan
  5. Exam Tips
  6. Practice Questions

SC-200 Exam at a Glance

Exam code: SC-200
Full name: Microsoft Security Operations Analyst
Vendor: Microsoft
Duration: 120 minutes
Questions: 50 items
Passing score: 700/1000 (scaled)
Domains covered: 6 blueprint domains
Recommended experience: Familiarity with Microsoft 365 and Azure security services; Security+ or equivalent recommended
Typical prep time: 2–3 months

Why Earn the SC-200?

SC-200 earns the Microsoft Security Operations Analyst Associate certification. It validates skills to reduce organisational risk using the Microsoft Defender suite and Microsoft Sentinel — skills in very high demand at enterprise SOC teams.

Job roles this opens: SOC Analyst, Security Operations Analyst, Incident Responder, Threat Hunter, Security Engineer

SC-200 Exam Domains

Domain percentage weights are not currently available for this exam. The checklist below is still useful for planning your study.

Manage a security operations environment
Respond to security incidents
Perform threat hunting
Mitigate threats using Microsoft Defender XDR
Mitigate threats using Microsoft Defender for Cloud
Mitigate threats using Microsoft Sentinel

Detailed domain breakdown with subtopics →

SC-200 Study Plan

Weeks 1–3

Microsoft Defender XDR: Defender for Endpoint, Office 365, Identity, Cloud Apps

Tip: Defender for Endpoint onboarding methods vary by OS and scale: Group Policy, Intune/MEM, Configuration Manager, and local script (testing only — not production at scale). Know which method is appropriate for which environment size.

Weeks 4–5

Microsoft Defender for Cloud: security posture, workload protection, regulatory compliance

Tip: Know the Defender for Cloud alert types and what each indicates: brute force on SSH/RDP, unusual process execution, lateral movement, data exfiltration. Alerts are categorised by severity and by MITRE ATT&CK tactic, so be able to map an alert to the tactic it belongs to.

Weeks 6–9

Microsoft Sentinel: data connectors, analytics rules, incidents, Kusto Query Language (KQL)

Tip: KQL is tested on SC-200. Know the core operators: where, project, extend, summarize, count, bin, join, union. Analytics rules use KQL to define when an incident is created — you need to read and interpret KQL queries in exam questions.

Weeks 10–12

Threat hunting, UEBA, watchlists, workbooks, and automation playbooks

Tip: Know the difference between a hunting query (proactive investigation using KQL) and an analytics rule (automated alert generation). Both use KQL but serve different operational purposes.
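The last two tips come together in a single query. The KQL below is an added example (not from this guide, and not Microsoft's own rule) that uses the listed operators to flag RDP/SSH brute force: pasted into Logs it is a hunting query; saved as a scheduled analytics rule it is the condition under which Sentinel creates an incident. It assumes the standard SecurityEvent and Syslog tables; the lookback, threshold and regular expressions are assumptions chosen for illustration.

```kql
// Added example, not from the original guide: a Sentinel analytics-rule style
// query for RDP/SSH brute force. Assumes the standard SecurityEvent (Windows)
// and Syslog (Linux) tables; lookback and threshold values are illustrative.
// MITRE ATT&CK mapping for the rule: Credential Access / T1110 Brute Force.
let lookback = 1h;
let threshold = 20;
// Windows: EventID 4625 = failed logon, LogonType 10 = RemoteInteractive (RDP)
let rdp_failures = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625 and LogonType == 10
    | project TimeGenerated, SourceIp = IpAddress, Account, Host = Computer, Protocol = "RDP";
// Linux: sshd "Failed password" lines; pull source IP and account out of the message
let ssh_failures = Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName == "sshd" and SyslogMessage has "Failed password"
    | extend SourceIp = extract(@"from (\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage)
    | extend Account = extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage)
    | project TimeGenerated, SourceIp, Account, Host = Computer, Protocol = "SSH";
// Successful remote logons from any source (4624 RDP on Windows, sshd "Accepted" on Linux)
let successes = union
    (SecurityEvent
        | where TimeGenerated > ago(lookback)
        | where EventID == 4624 and LogonType == 10
        | project SuccessTime = TimeGenerated, SourceIp = IpAddress, Host = Computer),
    (Syslog
        | where TimeGenerated > ago(lookback)
        | where ProcessName == "sshd" and SyslogMessage has "Accepted"
        | extend SourceIp = extract(@"from (\d+\.\d+\.\d+\.\d+)", 1, SyslogMessage)
        | project SuccessTime = TimeGenerated, SourceIp, Host = Computer);
// Count failures per source/host in 10-minute bins and keep only the bursts
union rdp_failures, ssh_failures
| summarize Failures = count(), Accounts = dcount(Account), LastSeen = max(TimeGenerated)
    by SourceIp, Host, Protocol, bin(TimeGenerated, 10m)
| where Failures >= threshold
// Did the same source log on successfully after the burst? leftouter keeps bursts with no match
| join kind=leftouter successes on SourceIp, Host
| summarize FollowedBySuccess = countif(SuccessTime > LastSeen) > 0
    by TimeGenerated, SourceIp, Host, Protocol, Failures, Accounts
| project TimeGenerated, SourceIp, Host, Protocol, Failures, Accounts, FollowedBySuccess
```

As an analytics rule, a true FollowedBySuccess row is the one worth a higher severity; as a hunting query, lowering threshold or widening lookback turns the same logic into a broader sweep.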

SC-200 Exam Tips

KQL is the most important skill to develop for SC-200. Practice with the Log Analytics Demo environment (available free in the Azure portal) — write queries against real security event data before your exam.

Defender for Identity monitors Active Directory for attack patterns: pass-the-hash, Kerberoasting, DCSync, and lateral movement between domain controllers. Know what each attack technique does and how Defender for Identity detects it.

Microsoft Sentinel playbooks are Azure Logic Apps triggered by analytics rule alerts. Common automated responses: isolate a device, send a Teams notification, open a ServiceNow ticket, reset a user password. Know the correct automation trigger for each.

MITRE ATT&CK appears throughout SC-200. Know the high-level tactics: Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, Impact.

Defender for Cloud Apps (MCAS) policy types tested on SC-200: activity policies (alert on suspicious actions), file policies (DLP for cloud storage), session policies (real-time control), and anomaly detection policies.
