SC-200 Microsoft Security Operations Analyst Exam : 2026

Microsoft Security Operations Analyst SC-200 practice exam: pass on your first try, with detailed explanations included.
Created by Mofig ud
Last updated 4/2026
English

What you'll learn

  • Unique Questions
  • Suitable for all levels
  • Anyone looking to take and pass the Microsoft SC-200: Security Operations Analyst exam
  • Anyone who needs to become a better test taker before attempting the Microsoft SC-200: Security Operations Analyst exam

Included in This Course

170 questions
  • Microsoft SC-200: Security Operations Analyst Set #1: 40 questions
  • Microsoft SC-200: Security Operations Analyst Set #2: 40 questions
  • Microsoft SC-200: Security Operations Analyst Set #3: 40 questions
  • Microsoft SC-200: Security Operations Analyst Set #4: 45 questions
  • Microsoft SC-200: Case Study Set #5: 5 questions

Description

Practice questions for the SC-200: Microsoft Security Operations Analyst exam, carefully and methodically developed to help the learner meet the exam requirements and build real-world knowledge.

Skills measured on Microsoft SC-200 Exam

  • Manage a security operations environment (25–30%)

  • Configure protections and detections (15–20%)

  • Manage incident response (35–40%)

  • Perform threat hunting (15–20%)

Manage a security operations environment (25–30%)

Configure settings in Microsoft Defender XDR

  • Configure a connection from Defender XDR to a Sentinel workspace

  • Configure alert and vulnerability notification rules

  • Configure Microsoft Defender for Endpoint advanced features

  • Configure endpoint rules settings, including indicators and web content filtering

  • Manage automated investigation and response capabilities in Microsoft Defender XDR

  • Configure automatic attack disruption in Microsoft Defender XDR

Manage assets and environments

  • Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint

  • Identify and remediate unmanaged devices in Microsoft Defender for Endpoint

  • Manage resources by using Azure Arc

  • Connect environments to Microsoft Defender for Cloud (by using multi-cloud account management)

  • Discover and remediate unprotected resources by using Defender for Cloud

  • Identify and remediate devices at risk by using Microsoft Defender Vulnerability Management

Design and configure a Microsoft Sentinel workspace

  • Plan a Microsoft Sentinel workspace

  • Configure Microsoft Sentinel roles

  • Specify Azure RBAC roles for Microsoft Sentinel configuration

  • Design and configure Microsoft Sentinel data storage, including log types and log retention

  • Manage multiple workspaces by using Workspace manager and Azure Lighthouse

Ingest data sources in Microsoft Sentinel

  • Identify data sources to be ingested for Microsoft Sentinel

  • Implement and use Content hub solutions

  • Configure and use Microsoft connectors for Azure resources, including Azure Policy and diagnostic settings

  • Configure bidirectional synchronization between Microsoft Sentinel and Microsoft Defender XDR

  • Plan and configure Syslog and Common Event Format (CEF) event collections

  • Plan and configure collection of Windows Security events by using data collection rules, including Windows Event Forwarding (WEF)

  • Configure threat intelligence connectors, including platform, TAXII, upload indicators API, and MISP

  • Create custom log tables in the workspace to store ingested data

Configure protections and detections (15–20%)

Configure protections in Microsoft Defender security technologies

  • Configure policies for Microsoft Defender for Cloud Apps

  • Configure policies for Microsoft Defender for Office

  • Configure security policies for Microsoft Defender for Endpoints, including attack surface reduction (ASR) rules

  • Configure cloud workload protections in Microsoft Defender for Cloud

Configure detection in Microsoft Defender XDR

  • Configure and manage custom detections

  • Configure alert tuning

  • Configure deception rules in Microsoft Defender XDR

Configure detections in Microsoft Sentinel

  • Classify and analyze data by using entities

  • Configure scheduled query rules, including KQL

  • Configure near-real-time (NRT) query rules, including KQL

  • Manage analytics rules from Content hub

  • Configure anomaly detection analytics rules

  • Configure the Fusion rule

  • Query Microsoft Sentinel data by using ASIM parsers

  • Manage and use threat indicators

Manage incident response (35–40%)

Respond to alerts and incidents in Microsoft Defender XDR

  • Investigate and remediate threats to Microsoft Teams, SharePoint Online, and OneDrive

  • Investigate and remediate threats in email by using Microsoft Defender for Office

  • Investigate and remediate ransomware and business email compromise incidents identified by automatic attack disruption

  • Investigate and remediate compromised entities identified by Microsoft Purview data loss prevention (DLP) policies

  • Investigate and remediate threats identified by Microsoft Purview insider risk policies

  • Investigate and remediate alerts and incidents identified by Microsoft Defender for Cloud

  • Investigate and remediate security risks identified by Microsoft Defender for Cloud Apps

  • Investigate and remediate compromised identities in Microsoft Entra ID

  • Investigate and remediate security alerts from Microsoft Defender for Identity

  • Manage actions and submissions in the Microsoft Defender portal

Respond to alerts and incidents identified by Microsoft Defender for Endpoint

  • Investigate timeline of compromised devices

  • Perform actions on the device, including live response and collecting investigation packages

  • Perform evidence and entity investigation

Enrich investigations by using other Microsoft tools

  • Investigate threats by using the unified audit log

  • Investigate threats by using Content Search

  • Perform threat hunting by using Microsoft Graph activity logs

Manage incidents in Microsoft Sentinel

  • Triage incidents in Microsoft Sentinel

  • Investigate incidents in Microsoft Sentinel

  • Respond to incidents in Microsoft Sentinel

Configure security orchestration, automation, and response (SOAR) in Microsoft Sentinel

  • Create and configure automation rules

  • Create and configure Microsoft Sentinel playbooks

  • Configure analytic rules to trigger automation

  • Trigger playbooks manually from alerts and incidents

  • Run playbooks on on-premises resources

Perform threat hunting (15–20%)

Hunt for threats by using KQL

  • Identify threats by using Kusto Query Language (KQL)

  • Interpret threat analytics in the Microsoft Defender portal

  • Create custom hunting queries by using KQL

Hunt for threats by using Microsoft Sentinel

  • Analyze attack vector coverage by using the MITRE ATT&CK framework in Microsoft Sentinel

  • Customize content gallery hunting queries

  • Use hunting bookmarks for data investigations

  • Monitor hunting queries by using Livestream

  • Retrieve and manage archived log data

  • Create and manage search jobs

Analyze and interpret data by using workbooks

  • Activate and customize Microsoft Sentinel workbook templates

  • Create custom workbooks that include KQL

  • Configure visualizations

The learner is recommended to work through the SC-200 course on Microsoft Learn and use this set of questions to verify knowledge for the exam.

As ever, I take great pride in the practice question banks, and if there are any issues or I can assist in any way, please message me.

Good luck with your exam!

Who this course is for:

  • Unique Questions
  • Suitable for all levels
  • Anyone looking to take and pass the Microsoft SC-200: Security Operations Analyst exam
  • Anyone who needs to become a better test taker before attempting the Microsoft SC-200: Security Operations Analyst exam