200+ Free SC-200 Practice Questions
Pass your Security Operations Analyst Associate (SC-200) exam on the first try — instant access, no signup required.
Key Facts: SC-200 Exam (all figures as published by Microsoft)
- Typical question count: 40-60
- Passing score: 700/1000
- Exam duration: 100 minutes
- US exam fee: $165 USD
- Skills areas: 4 domains
- Renewal cycle: 12 months
SC-200 is Microsoft's intermediate security operations certification. The exam typically has 40-60 questions in 100 minutes, requires a scaled score of 700/1000, and was refreshed on January 22, 2026. Core domains cover security operations environment management (20-25%), protections and detections (15-20%), incident response (25-30%), and security threats and hunting (15-20%).
Sample SC-200 Practice Questions
Try these sample questions to test your SC-200 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.
1. Which Microsoft Defender for Endpoint advanced feature is designed to stop attackers from changing antivirus settings through apps or scripts?
2. Which advanced feature must be enabled before analysts can open a remote shell session to investigate a device directly from the Defender portal?
3. Turning on the Microsoft Intune connection in Defender for Endpoint primarily enables which capability?
4. What is the main purpose of turning on Preview features in Microsoft Defender?
5. What is true about automated investigation in current Defender for Endpoint tenants?
6. Which automated investigation and remediation level does Microsoft recommend for Defender for Endpoint device groups?
7. Where do analysts review pending and completed remediation actions produced by automated investigation?
8. What is the effect of setting a Defender for Endpoint device group to No automated response?
9. Why do organizations commonly create device groups in Defender for Endpoint?
10. If a single device matches two Defender for Endpoint device groups, how is the final group membership determined?
About the SC-200 Exam
The SC-200 exam validates practical security operations skills for Microsoft Defender XDR, Microsoft Sentinel, Microsoft Defender for Cloud workload protections, Microsoft Purview investigations, KQL-based threat hunting, and Security Copilot-assisted response workflows.
- Questions: typically 40-60 (Microsoft does not publish an exact count)
- Time limit: 100 minutes
- Passing score: 700/1000
- Exam fee: $165 USD (Microsoft / Pearson VUE)
SC-200 Exam Content Outline
Manage a security operations environment
Configure Microsoft Defender XDR settings, manage assets and exposure, design Sentinel workspaces, and plan secure data ingestion and retention.
Configure protections and detections
Tune Defender protection policies, custom detections, analytics rules, entities, ASIM parsers, and behavioral analytics.
Manage incident response
Investigate incidents across Defender, Purview, Entra ID, and Sentinel using automation, playbooks, device actions, and Security Copilot.
Manage security threats
Use KQL, threat analytics, MITRE ATT&CK mapping, watchlists, hunts, archived log access, and workbooks to hunt and analyze threats.
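As an added illustration of the KQL, watchlist and MITRE ATT&CK mapping work this domain describes (this is an example written for this page, not code from Microsoft or from the exam), the hunt below reads a Microsoft Sentinel watchlist, builds a 14-day baseline of known sign-in source IPs per watched account, and then flags accounts that see repeated sign-in failures followed by a success from an IP outside that baseline. `SigninLogs` and `_GetWatchlist()` are real Sentinel constructs; the watchlist name `HighValueAccounts`, its `UserPrincipalName` column, and the thresholds are assumptions you would adjust for your tenant.

```kusto
// Added example: password-spray / brute-force hunt against watchlisted accounts.
// Assumption: a Sentinel watchlist named "HighValueAccounts" exists with a
// UserPrincipalName column (hypothetical name; substitute your own).
let lookback = 14d;   // baseline period for "known" source IPs
let window   = 1d;    // hunt window
let watched = _GetWatchlist('HighValueAccounts')
    | project UserPrincipalName = tolower(UserPrincipalName);
// Baseline: source IPs from which each watched user succeeded before the hunt window.
// ResultType is a string column in SigninLogs; "0" means success.
let knownIPs = SigninLogs
    | where TimeGenerated between (ago(lookback + window) .. ago(window))
    | where ResultType == "0"
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | join kind=inner watched on UserPrincipalName
    | summarize KnownIPs = make_set(IPAddress) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(window)
| extend UserPrincipalName = tolower(UserPrincipalName)
| join kind=inner watched on UserPrincipalName
| join kind=leftouter knownIPs on UserPrincipalName
// Keep only sign-ins from IPs never seen for this user (or users with no baseline at all).
| where isnull(KnownIPs) or not(set_has_element(KnownIPs, IPAddress))
| summarize Failures  = countif(ResultType != "0"),
            Successes = countif(ResultType == "0"),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
            by UserPrincipalName, IPAddress, Location
// Several failures then at least one success from a new IP is the pattern worth triage.
| where Failures >= 5 and Successes >= 1
// Tag the result so it can be mapped into the ATT&CK view or a custom detection rule.
| extend Tactic = "CredentialAccess", Technique = "T1110"   // Brute Force
| order by Failures desc
```

Run it in the Sentinel Logs blade or the Defender portal advanced hunting (Sentinel tables must be onboarded there first). The same query body, with the `Tactic`/`Technique` columns mapped to the rule's MITRE fields, is what you would paste into a scheduled analytics rule once the thresholds are tuned against your own false-positive rate.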
How to Pass the SC-200 Exam
What You Need to Know
- Passing score: 700/1000
- Exam length: typically 40-60 questions
- Time limit: 100 minutes
- Exam fee: $165 USD
Keys to Passing
- Complete 500+ practice questions
- Score 80%+ consistently before scheduling
- Focus on highest-weighted sections
- Use our AI tutor for tough concepts
Frequently Asked Questions
What does the SC-200 exam focus on?
SC-200 focuses on day-to-day Microsoft security operations work: managing Defender XDR and Sentinel, tuning detections, responding to incidents, and using KQL for threat hunting. It is aimed at analysts who monitor, investigate, and mitigate threats across Microsoft security platforms.
How many questions are on SC-200 and how long is it?
Microsoft states that most certification exams typically contain 40-60 questions, and the SC-200 exam page lists a 100-minute time limit. The passing score is 700 out of 1000.
How hard is the SC-200 exam?
SC-200 is an intermediate-level exam. It is harder than fundamentals exams because it expects operational judgment across Microsoft Defender XDR, Sentinel, incident triage, automation, and KQL-based investigations rather than simple product recognition.
How should I prepare for SC-200?
Study by domain weight and spend most of your time on incident response plus Defender XDR and Sentinel workflows. Combine Microsoft Learn with hands-on practice in analytics rules, incidents, KQL hunting, playbooks, and retention/search scenarios.