0.2 SC-200 Exam Overview and Study Strategy
The SC-200 (Microsoft Security Operations Analyst) certification validates your ability to mitigate threats using Microsoft Defender XDR, Microsoft Sentinel, Microsoft Defender for Cloud, and related technologies. This subsection gives you the exam structure, scoring, and a study strategy that aligns this course with the exam objectives.
Exam structure
| Attribute | Detail |
|---|---|
| Exam code | SC-200 |
| Passing score | 700 out of 1000 |
| Number of questions | 40-60 (varies per exam session) |
| Time limit | 120 minutes |
| Question types | Multiple choice, multiple select, drag-and-drop ordering, case studies, scenario-based |
| Cost | $165 USD |
| Validity | 1 year (renewable via free online assessment) |
| Last updated | January 22, 2026 |
| Prerequisites | None formally required. Microsoft recommends familiarity with M365, Azure, and operating systems. |
The four exam domains
The SC-200 exam tests four skill areas. The percentage ranges indicate how many questions you can expect from each domain:
Domain 1: Manage a Security Operations Environment (20-25%)
This domain tests whether you can set up and maintain the platforms. Specific skills include:
- Configure settings in Microsoft Defender XDR (alert rules, advanced features, automated investigation, attack disruption)
- Manage assets and environments (device groups, unmanaged devices, vulnerability management, exposure management)
- Design and configure a Microsoft Sentinel workspace (planning, roles, RBAC, data storage, log types, retention)
- Ingest data sources in Microsoft Sentinel (data connectors, Content Hub, Syslog/CEF, Windows events, custom logs, monitoring ingestion)
Covered in: Modules 1, 4, 6, 7, 8
Domain 2: Configure Protections and Detections (15-20%)
This domain tests whether you can configure security policies and build detection rules. Specific skills include:
- Configure protections in Defender security technologies (Cloud Apps policies, Office 365 policies, Endpoint policies including ASR rules, Defender for Cloud workload protections)
- Configure detections in Microsoft Defender XDR (custom detection rules, alert management, tuning, suppression, correlation, deception rules)
- Configure detections in Microsoft Sentinel (entities, analytics rules — scheduled, NRT, threat intelligence, machine learning — ASIM parsers, behavioral analytics)
Covered in: Modules 1, 4, 5, 9, 15
Domain 3: Manage Incident Response (25-30%)
This is the largest domain — nearly a third of the exam. It tests whether you can investigate and respond to threats across every product. Specific skills include:
- Respond to alerts and incidents in the Defender portal (Office 365 threats, ransomware, BEC, Purview DLP, insider risk, Defender for Cloud, Cloud Apps, Entra ID, Defender for Identity)
- Respond to Defender for Endpoint alerts (device timelines, live response, investigation packages, evidence/entity investigation)
- Investigate M365 activities (unified audit log, Content Search, Graph activity logs)
- Respond to incidents in Microsoft Sentinel (investigate, automate, create playbooks, run on-premises)
- Implement and use Security Copilot (promptbooks, plugins, connectors, permissions, capacity, cost, threat identification, incident investigation)
Covered in: Modules 1, 2, 3, 4, 9, 11, 12, 13, 14
Domain 4: Manage Security Threats (15-20%)
This domain tests proactive threat hunting and workbook creation. Specific skills include:
- Hunt for threats using Defender XDR (KQL threat identification, threat analytics, custom hunting queries)
- Hunt for threats using Sentinel (MITRE ATT&CK analysis, threat indicators, hunts, hunting queries, bookmarks, archived logs, search jobs)
- Create and configure Sentinel workbooks (templates, custom workbooks with KQL, visualizations)
Covered in: Modules 6, 9, 10, 15
Study strategy
Do not study domain by domain. The exam domains overlap significantly. A question about “responding to an Office 365 alert” (Domain 3) requires you to understand Defender for Office 365 configuration (Domain 2) and KQL investigation (Domain 1). The domains are a classification system, not a study path.
Instead, follow this course’s module order. The modules are sequenced to build skills progressively. By the time you reach Module 9 (Detections and Investigations), you have the KQL skills (Module 6), the Sentinel workspace (Module 7), and the data connectors (Module 8) to understand analytics rules in context.
The exam tests scenarios, not recall. You will not see “What is the name of the Sentinel table that stores sign-in logs?” You will see “A user reports they cannot access their email. You investigate and find a sign-in from an unfamiliar IP address 30 minutes before the user was locked out. The sign-in shows MFA satisfied. What should you investigate next?” This is why every Check My Knowledge section in this course uses scenario-based questions.
SC-200 exam callouts appear throughout the course. When a subsection covers a specific exam objective, you will see a callout like this:
Domain 1 — Manage a SOC Environment: "Configure and manage device groups, permissions, and automation levels in Microsoft Defender for Endpoint." This objective is covered in detail in Module 4.7.
These callouts help you connect course content to exam expectations. They are not exam questions — they are signposts that say “the exam will test you on this specific skill.”
Practice with the free Microsoft assessment. Microsoft offers a free practice assessment for SC-200 at learn.microsoft.com. Take it before you start the course (to identify your gaps) and again after Module 10 (to measure your progress). Do not rely on brain dumps or question banks from third-party sites — they test memorization, not understanding, and they go stale as Microsoft updates the exam.