
200+ Free SC-200 Practice Questions

Pass your Security Operations Analyst Associate (SC-200) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
200+ Questions
100% Free
2026 Statistics

Key Facts: SC-200 Exam

  • Typical Questions: 40-60 Q (Microsoft)
  • Passing Score: 700/1000 (Microsoft)
  • Exam Duration: 100 min (Microsoft)
  • US Exam Fee: $165 USD (Microsoft)
  • Skills Areas: 4 domains (Microsoft)
  • Renewal Cycle: 12 months (Microsoft)

SC-200 is Microsoft's intermediate security operations certification. The exam typically has 40-60 questions in 100 minutes, requires a scaled score of 700/1000, and was refreshed on January 22, 2026. Core domains cover security operations environment management (20-25%), protections and detections (15-20%), incident response (25-30%), and security threats and hunting (15-20%).

Sample SC-200 Practice Questions

Try these sample questions to test your SC-200 exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 200+ question experience with AI tutoring.

1. Which Microsoft Defender for Endpoint advanced feature is designed to stop attackers from changing antivirus settings through apps or scripts?
A. Tamper protection
B. Live response
C. Device discovery
D. Preview features
Explanation: Tamper protection locks key Microsoft Defender Antivirus settings so they cannot be changed easily by malicious tools or unauthorized processes. It is meant to preserve the integrity of endpoint protection during an attack.

2. Which advanced feature must be enabled before analysts can open a remote shell session to investigate a device directly from the Defender portal?
A. Device discovery
B. Authenticated telemetry
C. Live response
D. Automatic attack disruption
Explanation: Live response allows authorized analysts to connect to a device and run investigative commands remotely. Without that feature enabled, the portal cannot start a live response session.

3. Turning on the Microsoft Intune connection in Defender for Endpoint primarily enables which capability?
A. Sharing device risk information with Intune for device risk-based Conditional Access
B. Sending CEF logs directly to Microsoft Sentinel
C. Running attack path simulations from the endpoint portal
D. Automatically creating device groups from Microsoft Entra ID groups
Explanation: The Intune connection lets Defender for Endpoint share device risk information with Intune so access policies can consider endpoint risk. Microsoft requires the integration to be enabled on both the Intune and Defender sides for this to work.

4. What is the main purpose of turning on Preview features in Microsoft Defender?
A. To enable automated investigation for all devices
B. To unlock upcoming features before general availability and provide feedback
C. To archive endpoint telemetry into the Microsoft Sentinel data lake
D. To convert built-in roles into custom roles
Explanation: Preview features expose early capabilities so security teams can evaluate them before general availability. They are not the control used to turn on AIR, retention, or RBAC.

5. What is true about automated investigation in current Defender for Endpoint tenants?
A. It must still be turned on from Advanced features before any investigation can run
B. It is enabled by default, and the old Advanced features toggle was removed
C. It is available only in Defender for Business
D. It runs only when a custom detection rule triggers it manually
Explanation: Microsoft removed the old Advanced features toggle for automated investigation in Defender for Endpoint. Automated investigation is now enabled by default, while remediation behavior is controlled through automation levels and device groups.

6. Which automated investigation and remediation level does Microsoft recommend for Defender for Endpoint device groups?
A. No automated response
B. Semi - require approval for all folders
C. Full - remediate threats automatically
D. Semi - require approval for non-temp folders
Explanation: Microsoft recommends full automation because high-confidence malicious entities can be remediated automatically. This reduces analyst workload while still recording actions in the Action Center for review.

7. Where do analysts review pending and completed remediation actions produced by automated investigation?
A. Advanced hunting
B. Action Center
C. Exposure management
D. Content hub
Explanation: The Action Center tracks remediation actions generated by automated investigation and response workflows. Pending actions that need approval and completed actions that already ran are both surfaced there.

8. What is the effect of setting a Defender for Endpoint device group to No automated response?
A. Incidents stop being created for devices in that group
B. Automated investigation does not run, so no AIR remediation actions are taken for that group
C. The devices are automatically excluded from device discovery
D. Only antivirus remediation is blocked, but AIR still runs
Explanation: No automated response disables automated investigation for devices in that group, so AIR does not create pending or completed remediation actions for them. Microsoft does not recommend this setting except for limited cases because it lowers protection.

9. Why do organizations commonly create device groups in Defender for Endpoint?
A. To convert managed devices into unmanaged assets for testing
B. To limit access to related alerts and data for specific user groups with assigned roles
C. To replace Microsoft Entra ID groups entirely
D. To store long-term endpoint logs outside the workspace
Explanation: Device groups are used to scope visibility and actions so the right analysts see the right devices. They also allow separate automation levels and more controlled operations across different parts of the environment.

10. If a single device matches two Defender for Endpoint device groups, how is the final group membership determined?
A. The device belongs to both groups equally
B. The newest group always wins
C. The device is added only to the highest ranked matching group
D. The group with the broadest membership always wins
Explanation: Defender for Endpoint resolves overlapping matches by rank. A device that matches multiple rules is placed only in the highest ranked device group, which then determines access and automation settings.

About the SC-200 Exam

The SC-200 exam validates practical security operations skills for Microsoft Defender XDR, Microsoft Sentinel, Microsoft Defender for Cloud workload protections, Microsoft Purview investigations, KQL-based threat hunting, and Security Copilot-assisted response workflows.

  • Questions: 40 scored questions
  • Time Limit: 100 minutes
  • Passing Score: 700/1000
  • Exam Fee: $165 USD (Microsoft / Pearson VUE)

SC-200 Exam Content Outline

  • 20-25%: Manage a security operations environment. Configure Microsoft Defender XDR settings, manage assets and exposure, design Sentinel workspaces, and plan secure data ingestion and retention.
  • 15-20%: Configure protections and detections. Tune Defender protection policies, custom detections, analytics rules, entities, ASIM parsers, and behavioral analytics.
  • 25-30%: Manage incident response. Investigate incidents across Defender, Purview, Entra ID, and Sentinel using automation, playbooks, device actions, and Security Copilot.
  • 15-20%: Manage security threats. Use KQL, threat analytics, MITRE ATT&CK mapping, watchlists, hunts, archived log access, and workbooks to hunt and analyze threats.

How to Pass the SC-200 Exam

What You Need to Know

  • Passing score: 700/1000
  • Exam length: 40 questions
  • Time limit: 100 minutes
  • Exam fee: $165 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

SC-200 Study Tips from Top Performers

1. Spend the most time on incident response because it is the heaviest weighted domain.
2. Practice KQL every week instead of treating it as a last-minute topic.
3. Know where to investigate alerts in Defender XDR versus Sentinel and when to pivot between them.
4. Understand data ingestion design choices in Sentinel, especially connectors, DCRs, CEF/Syslog, and retention tradeoffs.
5. Learn automation rules, playbooks, and Security Copilot roles well enough to choose the right response workflow in scenario questions.
6. Review Purview, Entra ID, Defender for Identity, and Defender for Cloud incidents because SC-200 spans more than Sentinel alone.

Frequently Asked Questions

What does the SC-200 exam focus on?

SC-200 focuses on day-to-day Microsoft security operations work: managing Defender XDR and Sentinel, tuning detections, responding to incidents, and using KQL for threat hunting. It is aimed at analysts who monitor, investigate, and mitigate threats across Microsoft security platforms.

How many questions are on SC-200 and how long is it?

Microsoft states that most certification exams typically contain 40-60 questions, and the SC-200 exam page lists a 100-minute time limit. The passing score is 700 out of 1000.

How hard is the SC-200 exam?

SC-200 is an intermediate-level exam. It is harder than fundamentals exams because it expects operational judgment across Microsoft Defender XDR, Sentinel, incident triage, automation, and KQL-based investigations rather than simple product recognition.

How should I prepare for SC-200?

Study by domain weight and spend most of your time on incident response plus Defender XDR and Sentinel workflows. Combine Microsoft Learn with hands-on practice in analytics rules, incidents, KQL hunting, playbooks, and retention/search scenarios.