SC-200 Changed: Study The 2026 SOC Workflow, Not Last Year's Domain Map
Microsoft SC-200 is the exam for the Microsoft Certified: Security Operations Analyst Associate credential. In 2026, the best SC-200 prep starts with one fact many older guides miss: Microsoft lists the current skills measured as of April 16, 2026 with three domains, not the older four-domain outline. The current study guide weights are Manage a security operations environment at 40-45%, Respond to security incidents at 35-40%, and Perform threat hunting at 20-25%.
That change matters. SC-200 is no longer best approached as a loose tour of Sentinel, Defender, and KQL. It is a workflow exam: configure the SOC environment, respond to incidents across Microsoft security products, then hunt for threats using Defender XDR, Microsoft Sentinel, KQL, Sentinel Graph, notebooks, and related data lake capabilities.
The April 2026 Microsoft Exam Frame
| Item | 2026 detail |
|---|---|
| Credential | Microsoft Certified: Security Operations Analyst Associate |
| Exam | SC-200: Microsoft Security Operations Analyst |
| Exam length | 100 minutes |
| Passing score | 700 or greater |
| Renewal | 12 months, with free Microsoft Learn renewal assessment |
| Provider | Pearson VUE, test center or online proctored |
| Current skills date | April 16, 2026 |
| Current domains | SOC environment 40-45%, incident response 35-40%, threat hunting 20-25% |
| Official page | Microsoft SC-200 certification page |
Microsoft says candidates reduce organizational risk by triaging, responding to incidents, hunting threats, and engineering detections. The exam expects familiarity with Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, Microsoft Defender for Cloud workload protections, KQL, Sentinel Graph, AI agents, and Copilots.
Domain 1: Manage A Security Operations Environment
This is now the largest domain at 40-45%. Treat it as the foundation of the exam. You need to know how a SOC environment is configured before you can answer response or hunting questions reliably.
Focus on automation for Microsoft Defender XDR and Microsoft Sentinel, alert notifications, tuning and suppression, automated investigation and response, automatic attack disruption, Sentinel automation rules, and playbooks. Then study the Sentinel platform: roles, retention, workbooks, data tiers, SOC optimization, data connectors, Windows Security Events through AMA, data collection rules, Syslog, CEF, Azure activity logs, threat indicators, custom log tables, analytics rules, near-real-time rules, machine learning rules, anomalies, and MITRE ATT&CK coverage.
The trap is thinking this domain is only administration. It is administration that changes detection quality. If you cannot explain how data is ingested, retained, normalized, alerted, and automated, you will struggle with scenario questions.
Domain 2: Respond To Security Incidents
Incident response is 35-40% of the exam and is the most realistic part of SC-200. You need to know where to investigate, which portal or product owns the signal, and which response action is appropriate.
Expect questions involving Microsoft Defender XDR incidents, Defender for Office 365, Microsoft Purview investigations, Defender for Cloud workload protections, Defender for Cloud Apps, Microsoft Entra ID, Defender for Identity, Microsoft Sentinel, Defender for Endpoint device timelines, live response, investigation packages, evidence and entity investigation, case management, Audit, Content Search, Microsoft Graph activity logs, complex multi-stage attacks, lateral movement, and embedded Copilot for Security.
Do not memorize response actions in isolation. Build an incident worksheet: alert source, affected entity, evidence source, containment action, remediation action, automation option, and documentation step.
Domain 3: Perform Threat Hunting
Threat hunting is 20-25%, but it can feel larger because KQL shows up across operations and response. You should be comfortable choosing the right table, writing and interpreting KQL, creating Advanced Hunting queries, using threat analytics, creating hunting graphs, analyzing entity relationships in Sentinel Graph, creating and monitoring Sentinel hunting queries, and using notebooks where appropriate.
The best prep is short daily KQL practice. Do not save KQL for the last week. Work with process, network, identity, email, cloud, and device examples until you can recognize which table and field would answer a question.
Six Weeks Through Sentinel, Defender, And KQL
Week 2: Configure the SOC environment. Study Defender XDR settings, Sentinel roles, connectors, AMA data collection rules, CEF/Syslog ingestion, retention, workbooks, automation rules, playbooks, analytics rules, custom detections, and MITRE mapping.
Week 3: Practice incident response workflows. Work through Defender XDR, Sentinel, Entra ID, Purview, Defender for Endpoint, Defender for Cloud Apps, Defender for Cloud, and case management scenarios. For every miss, identify whether the gap was tool selection, evidence interpretation, or response action.
Week 4: Drill KQL and hunting. Write small queries daily. Practice identifying tables, filtering events, projecting fields, joining where needed, summarizing counts, and explaining why a query finds a threat pattern.
Week 6: Final review. Target high accuracy on SOC environment questions because it is the largest domain. Rehearse incident triage checklists and KQL table selection. Review Microsoft Learn updates one last time before scheduling.
What Older SC-200 Guides Miss
Many pages still emphasize older domain names and smaller percentages. That can misallocate your study time. If a guide tells you incident response is 25-30% or separates "configure protections and detections" into its own 15-20% domain, compare it against Microsoft's April 16, 2026 study guide before relying on it.
The current outline makes environment configuration nearly half the exam. It also explicitly includes newer operational language around AI agents, Copilots, Sentinel Graph, data lake jobs, summary rule tables, and Sentinel MCP Server references. You do not need to become an expert in every feature, but you do need to recognize where each feature belongs in a SOC workflow.
SOC Analyst Readiness Check
You are ready when you can describe the SC-200 domains from memory, explain how Sentinel ingests and retains data, choose the right Defender or Sentinel response action, interpret a device timeline, distinguish Audit from Content Search, write basic KQL without panic, map detections to MITRE ATT&CK, and explain how automation rules and playbooks differ.
If your practice-test misses cluster around KQL, schedule the exam later. If they cluster around product boundaries, make a one-page map of Defender XDR, Sentinel, Purview, Entra ID, Defender for Cloud, and Defender for Cloud Apps.
Post-April 2026 Lab Checklist
The current SC-200 outline is practical. Build labs around the workflows Microsoft names, not around product tours. In Defender XDR, practice incident queues, alert tuning, automated investigation concepts, action center review, threat analytics, and role-based access. In Sentinel, practice connecting data, analytics rules, incidents, workbooks, automation rules, playbooks, watchlists, content hub solutions, and KQL queries.
For hunting, write KQL daily. You should be comfortable filtering, projecting, summarizing, joining, parsing, using time windows, and turning a query into an investigation path. The April 2026 outline also names Sentinel Graph, notebooks, data lake capabilities, AI agents, and Copilots, so candidates using older courses need to check whether those workflows are covered.
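As an added example (not from the original guide), here is a Defender XDR Advanced Hunting query that exercises the skills named in Domain 3 and in this lab checklist in one place: table selection, filtering, projection, a cross-table join, a time window, and summarization. Table and column names follow the Advanced Hunting schema; the parent/child process lists, the 5-minute window, and the 7-day lookback are illustrative assumptions to tune for your environment.

```kql
// Hunt: Office applications spawning a scripting host that then makes
// outbound public connections within a short window. Tables and columns
// are from the Defender XDR Advanced Hunting schema; process lists and
// thresholds below are illustrative assumptions, not Microsoft guidance.
let lookback = 7d;                       // assumed hunting horizon
let window = 5m;                         // assumed max gap between launch and connection
let officeParents = dynamic(["winword.exe", "excel.exe", "outlook.exe"]);
let scriptHosts = dynamic(["powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe"]);
// Step 1: choose the table that answers "which process was launched by whom"
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (officeParents)
| where FileName in~ (scriptHosts)
| project DeviceId, DeviceName, AccountName,
          ProcStart = Timestamp, ProcessId,
          Child = FileName, ProcessCommandLine,
          Parent = InitiatingProcessFileName
// Step 2: join the network table on device AND process id so only the
// connections made by that specific child process are matched
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIPType == "Public"
    | project DeviceId, NetTime = Timestamp, InitiatingProcessId,
              RemoteIP, RemotePort, RemoteUrl
) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// Step 3: time window - keep connections shortly after the launch
| where NetTime between (ProcStart .. (ProcStart + window))
// Step 4: summarize so one row per device/parent/child/hour is reviewable
| summarize Connections = count(),
            Remotes = make_set(RemoteIP, 10),
            Ports = make_set(RemotePort, 10),
            FirstLaunch = min(ProcStart),
            LastConnection = max(NetTime)
    by DeviceName, AccountName, Parent, Child, ProcessCommandLine, bin(ProcStart, 1h)
| order by Connections desc
```

Each row is an investigation path: pivot from DeviceName into the device timeline around FirstLaunch, and from Remotes into threat analytics or indicator lookups before deciding on containment.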
A good readiness test is whether you can explain the SOC lifecycle from telemetry collection to incident triage, investigation, response, automation, hunting, and leadership reporting without switching study guides.
