SC-200 Exam Flashcards

Q: What is the SC-200 passing score?

SC-200 requires 700 out of 1000 on a scaled scoring system, roughly 70%. The exam typically has 40-60 questions delivered in 100 minutes through Pearson VUE, either online proctored or at a test center.

Q: What changed in the April 16, 2026 SC-200 update?

Microsoft consolidated the exam from five domains to three: Manage a security operations environment (40-45%), Respond to security incidents (35-40%), and Perform threat hunting (20-25%). Sentinel Graph, the Data lake tier, agentic AI investigation with embedded Copilot for Security, KQL jobs, Summary rules, and the Sentinel MCP Server were added.

Q: Is Azure Sentinel still on SC-200?

Yes, now called Microsoft Sentinel after the rebrand. SC-200 covers Sentinel workspaces, data connectors (AMA, CEF/Syslog via AMA, WEF), analytics rules (scheduled, NRT, threat intelligence, ML), automation rules, playbooks, hunting queries, Sentinel Graph, and the new Data lake retention tier.

Q: How much KQL is on SC-200?

KQL appears across all three domains. Expect to read and reason about queries using tables such as DeviceEvents, EmailEvents, IdentityLogonEvents, SecurityAlert, SecurityIncident, and SigninLogs, and operators like where, project, summarize, join, and time functions ago() and bin().

Q: What does SC-200 cost and how is it renewed?

The SC-200 exam fee is $165 USD in the United States; regional pricing varies. Microsoft Learn training is free. The certification is valid for one year and renews free of charge through the renewal assessment on Microsoft Learn.

Q: How is SC-200 different from AZ-500 and SC-100?

SC-200 focuses on operating the Microsoft security stack as a SOC analyst (detection, investigation, response, hunting). AZ-500 focuses on engineering Azure platform security controls. SC-100 is the expert cybersecurity architect exam that builds on top of both.

Question 1

Microsoft Defender XDR

Accepted Answer

The unified extended detection and response platform at security.microsoft.com that correlates signals across endpoints, email, identity, apps, and cloud into a single incident with a unified investigation experience.

Question 2

Incident vs. alert in Defender XDR

Accepted Answer

An alert is a single detection. An incident is a correlated collection of related alerts, assets, and evidence that tells the full attack story, so analysts triage at the incident level, not alert by alert.

Question 3

Automatic attack disruption

Accepted Answer

A Defender XDR capability that uses high-confidence XDR signals to automatically contain an in-progress attack (e.g., disable a compromised account, isolate a device) before an analyst responds, limiting blast radius.

Question 4

Microsoft Secure Score vs. threat analytics

Accepted Answer

Secure Score measures your security posture and recommends configuration improvements (proactive). Threat analytics is in-product threat intelligence about active campaigns and your exposure to them (reactive/awareness).

Question 5

Defender for Endpoint: device isolation vs. live response

Accepted Answer

Isolation cuts a device off the network while keeping the Defender connection for investigation. Live response opens a remote shell to collect artifacts and run remediation; it must be enabled in advanced features.

Question 6

Attack Surface Reduction (ASR) rules

Accepted Answer

Configurable rules that block common attack behaviors (e.g., Office spawning child processes, credential theft from LSASS). Run in audit mode first to measure impact before switching to block.

Question 7

Tamper protection

Accepted Answer

Prevents apps, scripts, or the registry from disabling antivirus, real-time protection, or other Defender settings. Blocks attackers from turning off defenses as a precursor to further compromise.

Question 8

Automated investigation and remediation (AIR)

Accepted Answer

Defender automatically investigates alerts, determines verdicts, and can remediate (quarantine files, kill processes) based on the automation level configured for the device group.

Question 9

Defender for Office 365: Safe Attachments vs. Safe Links

Accepted Answer

Safe Attachments detonates email attachments in a sandbox before delivery. Safe Links rewrites and time-of-click verifies URLs in mail and Office docs to block weaponized links delivered or armed later.

Question 10

Zero-hour Auto Purge (ZAP)

Accepted Answer

Retroactively removes already-delivered malicious email from mailboxes once a verdict changes (e.g., a link is later found malicious). Closes the gap between delivery and detection.

Question 11

Defender for Identity

Accepted Answer

Monitors on-premises Active Directory signals to detect identity attacks such as pass-the-hash, pass-the-ticket, DCSync, and reconnaissance. It uses sensors on domain controllers, not endpoint agents.

Question 12

Entra ID Identity Protection risk types

Accepted Answer

Distinguishes user risk (likelihood the identity is compromised, e.g., leaked credentials) from sign-in risk (likelihood a specific sign-in is illegitimate, e.g., anonymous IP). Conditional Access acts on these signals.

Question 13

Defender for Cloud Apps

Accepted Answer

The CASB that discovers shadow IT, applies app governance and session controls, and detects anomalous SaaS activity. Conditional Access App Control enables real-time session policies via reverse proxy.

Question 14

Microsoft Defender for Cloud plans

Accepted Answer

Workload protection is enabled per plan (Servers, Containers, Storage, SQL, Key Vault, App Service, APIs, DevOps). Each plan adds specific threat detections and the secure score recommendations for that resource type.

Question 15

CSPM vs. CWPP in Defender for Cloud

Accepted Answer

Cloud Security Posture Management (CSPM) assesses misconfigurations and compliance. Cloud Workload Protection Platform (CWPP) provides runtime threat detection for workloads. SC-200 focuses on responding to CWPP alerts.

Question 16

Microsoft Purview eDiscovery and Content Search

Accepted Answer

Used during investigation to search Microsoft 365 content (mail, SharePoint, Teams) and preserve evidence. Audit log search reveals which user performed which activity and when.

Question 17

Insider Risk Management vs. Data Loss Prevention

Accepted Answer

DLP prevents sensitive data from leaving via policy at the point of action. Insider Risk Management correlates user behavior signals over time to surface risky data exfiltration patterns for investigation.

Question 18

Microsoft Sentinel

Accepted Answer

The cloud-native SIEM/SOAR built on a Log Analytics workspace. It ingests data via connectors, runs analytics rules to create incidents, and automates response with automation rules and playbooks.

Question 19

Sentinel data tiers: Analytics vs. Basic/Auxiliary vs. Data lake

Accepted Answer

Analytics tier is hot, fully queryable, for active detection/investigation. Basic/Auxiliary is cheaper for high-volume, lower-fidelity logs. The Data lake tier provides low-cost long-term retention with KQL jobs.

Question 20

Azure Monitor Agent (AMA) and connectors

Accepted Answer

AMA is the unified agent that collects Windows Security Events, Syslog, and CEF. CEF and Syslog are ingested via AMA (legacy MMA is deprecated); WEF forwards events from a collector.

Question 21

Data Collection Rules (DCRs)

Accepted Answer

DCRs define what AMA collects and how it is filtered/transformed before ingestion. Ingestion-time transformations reduce noise and cost by dropping or shaping data before it lands in the workspace.

Question 22

ASIM (Advanced Security Information Model)

Accepted Answer

A normalized schema with parsers that map diverse source data into common fields (e.g., imAuthentication). Lets one analytics rule or hunting query work across many products regardless of native format.

Question 23

Threat intelligence connector

Accepted Answer

Imports indicators (IPs, domains, hashes) into the ThreatIntelligenceIndicator table via TAXII or the Upload API. TI matching analytics rules then alert when those indicators appear in logs.

Question 24

Sentinel analytics rule types

Accepted Answer

Scheduled (runs on an interval over a lookback), Near-Real-Time/NRT (runs about every minute for fast detection), Microsoft Security (auto-creates incidents from Microsoft alerts), Anomaly, and ML behavior analytics.

Question 25

Scheduled vs. NRT rule trade-off

Accepted Answer

Scheduled rules support complex multi-table logic and aggregation but add detection latency. NRT rules run roughly every minute for low-latency detection but support a single query with limited aggregation.

Question 26

Fusion (advanced multistage attack detection)

Accepted Answer

An ML-based Sentinel correlation engine that combines low-fidelity alerts across products into a single high-confidence incident describing a multistage attack. Enabled via an analytics rule, not hand-written KQL.

Question 27

Entity mapping in analytics rules

Accepted Answer

Maps query columns to entities (account, host, IP, file). It enables entity pages, investigation graphs, and grouping/alert correlation, so configuring it is essential for usable incidents.

Question 28

MITRE ATT&CK mapping in Sentinel

Accepted Answer

Tagging analytics rules with tactics and techniques powers the MITRE ATT&CK coverage view, helping the SOC see detection gaps across the attack lifecycle rather than counting rules.

Question 29

Automation rules vs. playbooks

Accepted Answer

Automation rules are Sentinel-native triggers that run on incident creation/update to assign, tag, close, or run playbooks. Playbooks are Logic Apps that perform the actual actions (block IP, notify, enrich).

Question 30

Logic Apps playbook trigger types

Accepted Answer

Use the incident trigger to act on whole incidents (preferred for orchestration) or the alert trigger for single alerts. Managed identity is the recommended auth for playbook connectors.

Question 31

Automatic vs. manual playbook execution

Accepted Answer

Attach a playbook to an automation rule for hands-off response, or trigger it manually from an incident/alert for analyst-in-the-loop actions. Choose based on confidence and reversibility of the action.

Question 32

SOC optimization

Accepted Answer

Sentinel recommendations that improve coverage and cost: identify ingested tables not used by any detection (waste) and recommend additional detections to cover MITRE gaps for threats you face.

Question 33

KQL: where vs. filter

Accepted Answer

'where' is the primary row-filtering operator in KQL, applied early to reduce data scanned. Placing 'where' before heavy operations like 'join' or 'summarize' is a key performance practice.

Question 34

KQL: project vs. extend

Accepted Answer

'project' selects/renames a specific set of columns (and drops the rest). 'extend' adds a new computed column while keeping existing columns. Use project to trim output and extend to derive values.

Question 35

KQL: summarize

Accepted Answer

Aggregates rows into groups, e.g., 'summarize count() by Account'. Combine with bin() to bucket by time. It is the core operator for detecting spikes and anomalies in hunting queries.

Question 36

KQL: ago() and bin()

Accepted Answer

ago(1d) returns the timestamp 24 hours ago, used with 'where TimeGenerated > ago(1d)' to scope a lookback. bin(TimeGenerated, 1h) rounds timestamps into hourly buckets for time-series aggregation.

Question 37

KQL: join kinds

Accepted Answer

inner returns matched rows from both; leftouter keeps all left rows; leftanti returns left rows with NO match (useful to find first-seen or missing events). Choosing the right kind changes hunting logic entirely.

Question 38

Common Advanced Hunting tables

Accepted Answer

DeviceProcessEvents and DeviceNetworkEvents (endpoint), EmailEvents and EmailUrlInfo (Office 365), IdentityLogonEvents (identity), and CloudAppEvents (Cloud Apps). Picking the right table is half of a good hunt.

Question 39

Sentinel SecurityAlert vs. SecurityIncident tables

Accepted Answer

SecurityAlert holds individual alerts ingested into Sentinel. SecurityIncident holds the grouped incident records with status and severity. Reporting on response time queries SecurityIncident, not SecurityAlert.

Question 40

Hunting queries vs. analytics rules

Accepted Answer

Analytics rules run automatically and generate incidents. Hunting queries are run proactively/interactively by analysts to find threats that no rule caught; a promising hunt can be promoted into an analytics rule.

Question 41

Bookmarks in Sentinel hunting

Accepted Answer

Preserve interesting query results during a hunt so they can be revisited, annotated, or attached to an incident as evidence. They keep findings from being lost when the query result set changes.

Question 42

Sentinel notebooks and the Sentinel MCP Server

Accepted Answer

Jupyter notebooks enable advanced, repeatable hunting and ML analysis against Sentinel data. The Sentinel MCP Server lets notebooks and AI tooling query Sentinel through the Model Context Protocol.

Question 43

KQL jobs and Summary rules (Data lake tier)

Accepted Answer

KQL jobs run scheduled queries over the low-cost Data lake tier for long-range hunting. Summary rules aggregate verbose logs into compact summary tables, cutting query cost while keeping investigative value.

Question 44

Sentinel Graph and blast radius

Accepted Answer

Sentinel Graph models entity relationships so analysts can visualize how an attack spreads. A blast radius view shows what an attacker could reach from a compromised entity, prioritizing containment.

Question 45

Incident investigation graph

Accepted Answer

An interactive visualization of an incident's entities and their connections (accounts, hosts, IPs, files). It helps establish the attack timeline and scope and is driven by correct entity mapping.

Question 46

Embedded Copilot for Security (agentic investigation)

Accepted Answer

In the 2026 update, Copilot for Security is embedded in the unified Defender portal to summarize incidents, guide investigation, and run agentic analysis. Standalone Copilot expertise is validated by SC-5006.

Question 47

Case management in the unified portal

Accepted Answer

Lets the SOC manage incident lifecycle, assignment, status, and collaboration in one place across Defender XDR and Sentinel, replacing separate tracking and standardizing handoffs.

Question 48

Incident classification and closing

Accepted Answer

Closing an incident requires a classification: True Positive, Benign Positive (real but expected), or False Positive. Accurate classification trains automation and improves future detection fidelity.

Question 49

Alert tuning vs. suppression

Accepted Answer

Tuning adjusts the detection logic/threshold to reduce noise at the source. Suppression hides specific known-benign alerts without changing the rule. Prefer tuning for systemic noise, suppression for narrow exceptions.

Question 50

Sentinel RBAC roles

Accepted Answer

Sentinel Reader (view), Sentinel Responder (manage incidents), and Sentinel Contributor (create rules/playbooks). Assign at the resource group/workspace scope using least privilege for SOC tiers.

Free SC-200 Exam Flashcards

Filter by Topic

Jump to Card

About These SC-200 Flashcards

Topics Covered

Frequently Asked Questions

Microsoft Certified: Security Operations Analyst Associate (SC-200)

Explore More Microsoft Certifications

Microsoft Power BI Data Analyst

Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900)

Azure MD-102

Azure MS-102

Microsoft Power Platform Functional Consultant

Microsoft Certified: Identity and Access Administrator Associate (SC-300)

More From This Family