100+ Free SC-200 Practice Questions

Pass your Microsoft Certified: Security Operations Analyst Associate (SC-200) exam on the first try — instant access, no signup required.


Key Facts: SC-200 Exam (2026 Statistics)

  • Exam questions: 40-60 (source: Microsoft Learn)
  • Passing score: 700/1000 (Microsoft scaled score)
  • Exam duration: 100 min (source: Microsoft Learn)
  • Exam fee (USD): $165 (source: Microsoft pricing)
  • Skills updated: Apr 2026 (source: Microsoft Learn)
  • Renewal cycle: 1 year (free on Microsoft Learn)

SC-200 is Microsoft's associate-level Security Operations Analyst certification. The April 16, 2026 update has three domains: Manage a security operations environment (40-45%), Respond to security incidents (35-40%), and Perform threat hunting (20-25%). Coverage includes Microsoft Defender XDR, Microsoft Sentinel (now with Data lake tier and Sentinel Graph), Defender for Cloud workload protections, Defender for Identity, Defender for Cloud Apps, Defender for Office 365, Entra ID, Purview, KQL hunting, automation/playbooks, and embedded Copilot for Security. $165 USD via Pearson VUE; 100 minutes; 700/1000 to pass.

Sample SC-200 Practice Questions

Try these sample questions to test your SC-200 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which Microsoft Defender for Endpoint advanced feature stops attackers from changing antivirus settings through apps, scripts, or registry edits?
A. Tamper protection
B. Live response
C. Device discovery
D. Endpoint detection and response in block mode
Explanation: Tamper protection locks core Microsoft Defender Antivirus settings such as real-time protection, cloud-delivered protection, and IOAV scanning so they cannot be disabled by malicious tools, registry changes, or unauthorized PowerShell. It is one of the first advanced features to enable in Defender for Endpoint.

2. Which advanced feature must be enabled before an analyst can open a remote investigation shell on a managed device from the unified Defender portal?
A. Device discovery
B. Authenticated telemetry
C. Live response
D. Automatic attack disruption
Explanation: Live response lets an authorized analyst connect to a device and run commands such as run, getfile, putfile, and remediate from security.microsoft.com. Without the Live response feature enabled (and the role permission), the portal will not start a session.

3. Enabling the Microsoft Intune connection in Microsoft Defender for Endpoint primarily allows you to do what?
A. Share device risk scores with Intune so Conditional Access can require compliant or low-risk devices
B. Stream Defender for Endpoint events to a Microsoft Sentinel workspace
C. Run Defender for Endpoint scans on Linux servers without an agent
D. Replace Defender Antivirus with a third-party engine
Explanation: The Intune connector publishes Defender for Endpoint device risk to Intune. Conditional Access can then evaluate the risk signal and block or restrict access from devices above a chosen risk threshold. Streaming to Sentinel is done through a separate connector.

4. An analyst wants to receive an email whenever a new high-severity incident is created in the Microsoft Defender portal. Where is this configured?
A. In Microsoft Sentinel automation rules only
B. In Defender XDR settings under email notifications for incidents
C. In Microsoft Entra ID risky sign-in settings
D. In the Microsoft Purview alert policy for incidents
Explanation: Defender XDR has dedicated email notification settings for incidents, actions, and threat analytics. You scope rules by severity, device group, and recipient. Sentinel automation rules can also send mail, but the native Defender XDR email notification is the right answer here.

5. Which Microsoft Defender for Endpoint capability automatically isolates a compromised device, suspends user accounts, or blocks a malicious URL across the tenant when high-confidence signals are detected?
A. Automated investigation and response (AIR)
B. Automatic attack disruption
C. Endpoint DLP
D. Network protection
Explanation: Automatic attack disruption uses high-confidence Defender XDR signals (including AI) to take immediate containment actions such as device isolation, user suspension, and URL blocking on in-progress attacks like ransomware and BEC. AIR is broader investigation/remediation, not the disruption response.

6. Which automation level in Defender for Endpoint will remediate malicious files automatically without requiring analyst approval?
A. No automated response
B. Semi - require approval for any remediation
C. Semi - require approval for non-temp folders
D. Full - remediate threats automatically
Explanation: Full - remediate threats automatically lets AIR take any remediation action without analyst approval. The Semi options pause for approval depending on file location (any folder vs. non-temp folders). No automated response only investigates.

7. You want to block Office apps from creating child processes only on the finance device group, while keeping the rest of the org in audit mode. What is the best approach?
A. Create one tenant-wide ASR rule in Block mode and accept the impact
B. Use device group scoping with separate ASR policies set to Block for finance and Audit elsewhere
C. Disable the rule globally and rely on tamper protection
D. Create a Sentinel analytics rule to alert on Office child processes instead
Explanation: Attack surface reduction rules can be assigned through device-group-scoped policies in Defender for Endpoint. You set Block for the finance group and Audit elsewhere, which is the recommended way to roll out ASR safely without a tenant-wide impact.

8. Which Microsoft Sentinel object should you use to run a Logic Apps workflow as a response to an alert or incident?
A. Workbook
B. Hunting query
C. Playbook
D. Watchlist
Explanation: A Microsoft Sentinel playbook is a Logic Apps workflow with the Microsoft Sentinel connector. Automation rules call playbooks (or perform built-in actions) in response to alerts and incidents. Workbooks visualize data and watchlists store reference lists.

9. An automation rule should close incidents matching a known false-positive pattern. Which two configuration elements are required?
A. Trigger When incident is created and an action Change status to Closed with a classification
B. A scheduled analytics rule and a workbook tile
C. A Logic App with HTTP trigger and a watchlist of users
D. A custom log table and an ASIM parser
Explanation: Automation rules in Microsoft Sentinel run on triggers like When incident is created or When incident is updated. To auto-close benign matches you set the action to Change status to Closed and provide a classification (e.g., False Positive - Inaccurate data) plus a comment.

10. Which Microsoft Sentinel role can create and edit analytics rules and playbooks but cannot manage workspace permissions?
A. Microsoft Sentinel Reader
B. Microsoft Sentinel Responder
C. Microsoft Sentinel Contributor
D. Owner
Explanation: Microsoft Sentinel Contributor lets analysts manage analytics rules, playbooks, workbooks, and incidents within the workspace. Reader is read-only; Responder can manage incidents but not authoring; Owner is an Azure RBAC role with permission management beyond what SC-200 expects an analyst to use day-to-day.

About the SC-200 Exam

SC-200 validates the skills required to operate as a Microsoft security operations analyst — triaging alerts, responding to incidents, hunting for threats, and engineering detections across Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud workload protections. The April 16, 2026 update adds Sentinel Graph, the Sentinel Data lake retention tier, agentic AI investigation with embedded Copilot for Security, KQL jobs, and the Sentinel MCP Server.

  • Questions: 50 scored questions
  • Time limit: 100 minutes
  • Passing score: 700/1000 (scaled, ~70%)
  • Exam fee: $165 USD (Microsoft / Pearson VUE)

SC-200 Exam Content Outline

Manage a security operations environment (40-45%)

Configure automation for Microsoft Defender XDR and Sentinel (notifications, ASR rules, AIR, attack disruption, automation rules, playbooks); configure the Sentinel SIEM and platform (roles, retention across Analytics/Data lake/XDR tiers, workbooks, SOC optimization); ingest data via Windows Security Events via AMA, WEF, Syslog/CEF via AMA, Azure activities, threat indicators, and custom log tables; configure detections via Advanced Hunting custom detection rules, Sentinel analytics rules (scheduled, NRT, threat intelligence, ML), MITRE ATT&CK coverage, and anomalies.

Respond to security incidents (35-40%)

Investigate and remediate alerts and incidents in Microsoft Defender XDR across Defender for Office 365, Purview, Defender for Cloud workload protections, Defender for Cloud Apps, Entra ID, Defender for Identity, and Sentinel; investigate complex multi-stage, multi-domain, and lateral-movement attacks; investigate by using agentic AI with embedded Copilot for Security; manage incidents with case management; respond in Defender for Endpoint via device timelines, live response, evidence collection, and automatic attack disruption; investigate Microsoft 365 activities via Audit, Content Search, and Microsoft Graph activity logs.

Perform threat hunting (20-25%)

Detect threats with Microsoft Defender XDR by selecting the right Advanced Hunting table, writing KQL, interpreting threat analytics, building hunting graphs and blast radius views, and analyzing entity relationships in Sentinel Graph; detect threats in Microsoft Sentinel by creating and monitoring hunting queries, managing KQL jobs in the Data lake tier, building Summary rule tables, and hunting in Notebooks connected to the Sentinel MCP Server.

How to Pass the SC-200 Exam

What You Need to Know

  • Passing score: 700/1000 (scaled, ~70%)
  • Exam length: 50 questions
  • Time limit: 100 minutes
  • Exam fee: $165 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

SC-200 Study Tips from Top Performers

1. Study from the April 16, 2026 skills measured — older guides still listing five domains are out of date
2. Spend the most time on the SecOps environment domain (40-45%) — connectors, analytics rules, and automation get tested heavily
3. Practice KQL daily on the Microsoft Defender XDR Advanced Hunting demo tenant; learn DeviceEvents, EmailEvents, IdentityLogonEvents, SigninLogs, SecurityAlert, and SecurityIncident schemas
4. Know which Sentinel analytics rule type fits which scenario — scheduled, near-real-time (NRT), Microsoft security (built-in), threat intelligence, and ML/anomaly
5. Memorize what each Defender plan covers in Defender for Cloud (Servers, Containers, Storage, SQL, Key Vault, App Service, APIs, DevOps) and which alerts each one raises
6. Practice case management in the unified Defender portal and the new agentic AI investigation flows powered by embedded Copilot for Security
7. Drill the Sentinel data tiers — Analytics, Auxiliary/Basic, and the new Data lake retention tier — and which is best for SOC investigation versus long-term storage
8. Use the free Microsoft Practice Assessment alongside this 100-question bank for spaced repetition before exam day

Frequently Asked Questions

What is the SC-200 exam?

SC-200 is Microsoft's associate-level certification for security operations analysts. It validates skills to triage, investigate, and respond to threats across Microsoft Defender XDR, Microsoft Sentinel, Microsoft Entra ID, Microsoft Purview, and Microsoft Defender for Cloud workload protections, and to hunt threats with KQL and Sentinel Graph. The current skills measured are dated April 16, 2026.

How many questions are on SC-200?

SC-200 typically delivers 40-60 questions in 100 minutes. Question formats include multiple choice, multiple select, drag-and-drop, active-screen interactive scenarios, and short case studies. The passing score is 700 out of 1000 on a scaled scoring system.

What does SC-200 cost in 2026?

The SC-200 exam fee is $165 USD in the United States (regional pricing varies). Microsoft Learn training is free. The certification is valid for one year and renews free of charge through the renewal assessment on Microsoft Learn.

How is SC-200 different from AZ-500 and SC-100?

SC-200 focuses on operating the Microsoft security stack as a SOC analyst — detection, investigation, response, and hunting. AZ-500 focuses on engineering Azure platform security controls. SC-100 is the expert architect exam built on top of both. Most analysts take SC-200 first; SC-100 has SC-200 (or AZ-500) as a recommended prerequisite.

How should I prepare for SC-200 in 2026?

Build hands-on time in Microsoft Defender XDR (security.microsoft.com) and Microsoft Sentinel — connect data via AMA, write Advanced Hunting KQL, configure scheduled and NRT analytics rules, and trigger automation rules and playbooks. Practice incident investigation across Defender for Office 365, Defender for Cloud Apps, Defender for Identity, and Entra ID. Try the embedded Copilot for Security agentic experiences. Then do timed practice — at least 100 questions — focused on the April 16, 2026 skills outline.

Is SAT, GRE, or any academic exam needed before SC-200?

No. SC-200 is a professional certification with no academic prerequisites. Microsoft recommends prior hands-on experience with the security stack (Defender XDR, Sentinel, Entra, Purview) and basic KQL skill, but there is no required degree, course, or other certification.