SC-200

Security Operations Analyst
Associate

The Microsoft security operations certification. Defender XDR, Sentinel, KQL hunting, incident response, and detection engineering — explained with real SOC scenarios.


Study Guide

28 interactive modules

KQL Foundations, Advanced Hunting, and Incident Triage modules + 15 practice questions. No account needed.


Practice Exam

200 exam-style questions

Study mode with explanations + timed exam simulation. 15 free questions.


28 modules · 200 questions · 3 domains · Free tier: Domain 3 included

๐Ÿ“ Sample Question

A Sentinel analytics rule needs to detect admin logins from new countries within 60 seconds. The logic involves only the SigninLogs table. Which rule type should you use?

A. Scheduled rule running every 5 minutes
B. NRT (near-real time) analytics rule ✓
C. Threat intelligence matching rule

📊 What you'll cover

Manage a Security Operations Environment 12 modules
Respond to Security Incidents 10 modules
Perform Threat Hunting (Free) 6 modules

What you'll learn


Defender XDR & Sentinel

The two products that dominate the exam. Configure workspaces, data connectors, analytics rules, and automation — with real SOC scenarios.


KQL Threat Hunting

Write hunting queries that find what your detections missed. Cross-table joins, Advanced Hunting patterns, and Data Lake queries.


Incident Response

Triage, investigate, and remediate incidents across endpoints, identity, email, cloud apps, and Purview. Copilot for Security included.


Detection Engineering

Build custom detections, analytics rules, threat intel matching, and MITRE ATT&CK coverage analysis. The full detection lifecycle.

Full Curriculum

28 interactive modules across 3 exam domains

Domain 1: Manage a Security Operations Environment (12 modules, Premium)

Configure Microsoft Sentinel workspace, roles, and data retention. Set up data connectors for Windows, Syslog, CEF, and Azure. Configure Defender for Endpoint, ASR rules, alert tuning, automated investigation, and detection engineering with MITRE ATT&CK coverage.

  1. Sentinel Workspace
  2. Windows Connectors
  3. Syslog/CEF/Azure
  4. MDE Core Setup
  5. ASR & Security Policies
  6. XDR Alert Tuning
  7. Auto Investigation
  8. Sentinel Automation
  9. Custom Detections
  10. Analytics & Threat Intel
  11. MITRE & Anomalies
  12. Detection Engineering

Domain 2: Respond to Security Incidents (10 modules, Premium)

Triage incidents in Defender XDR, investigate threats from Purview, Defender for Cloud, identity, and cloud apps. Use Copilot for Security for AI-assisted investigation. Handle complex multi-stage attacks, endpoint forensics with live response, and M365 audit investigations.

  1. Incident Triage
  2. Purview & Cloud Threats
  3. Identity Threats
  4. Cloud App Security
  5. Sentinel Incidents
  6. Copilot for Security
  7. Complex Attacks
  8. Timeline & Live Response
  9. Evidence & Entities
  10. M365 Investigations

Domain 3: Perform Threat Hunting (6 modules, Free)

Master KQL for threat hunting. Write Advanced Hunting queries across Defender XDR. Build Sentinel hunting queries with bookmarks and livestream. Use threat analytics, hunting graphs, Data Lake KQL jobs, and notebooks with the Sentinel MCP Server.

  1. KQL Foundations
  2. Advanced Hunting
  3. Sentinel Hunting
  4. Threat Analytics & Graphs
  5. Data Lake & Summary Rules
  6. Notebooks & MCP Server

Practice Exam Lab

200 original questions — two study modes


Study Mode

Learn as you go

  • ✓ See explanation after each question
  • ✓ "Why wrong" for every option
  • ✓ Real-world context & exam tips
  • ✓ Microsoft Learn links

โฑ๏ธ

Exam Mode

Simulate the real thing

  • ✓ 120 minutes timed session
  • ✓ Randomised question order
  • ✓ Score breakdown by domain
  • ✓ Pass/fail against 700 / 1000

Domain 1: Manage a Security Operations Environment
90 questions · Exam weight: 40-45% · 0 free
Difficulty: 27 easy, 40 medium, 23 hard

Every question includes a scenario, detailed explanation, and a link to Microsoft Learn.
Domain 2: Respond to Security Incidents
70 questions · Exam weight: 35-40% · 5 free
Difficulty: 21 easy, 32 medium, 17 hard
Domain 3: Perform Threat Hunting
40 questions · Exam weight: 20-25% · 10 free
Difficulty: 12 easy, 18 medium, 10 hard

๐ŸŽ Free tier: 15 questions. No account needed.

Choose your path

Start free. Upgrade when you're ready.

Practice Exam

$14

one-time purchase

  • ✓ 200 exam-style questions
  • ✓ Study mode + Exam mode
  • ✓ Detailed explanations

Study Guide

$19

one-time purchase

  • ✓ 28 interactive modules
  • ✓ Flashcards & ELI5
  • ✓ Progress tracking

Recommended

Complete Bundle

$29

save $4

  • ✓ Everything in both
  • ★ Best value

๐ŸŽ Free tier: KQL Foundations, Advanced Hunting, and Incident Triage modules + 15 practice questions. No account needed. No account needed.

About the SC-200 Exam

Exam code
SC-200
Duration
120 minutes
Passing score
700 / 1000
Question types
MCQ, multi-select, case studies
Cost
$165 USD

Exam Domains & Weights

D1: Manage a Security Operations Environment (40-45%)
D2: Respond to Security Incidents (35-40%)
D3: Perform Threat Hunting (20-25%)

Frequently Asked Questions

What is SC-200?
SC-200 is the Microsoft Security Operations Analyst Associate certification. It tests your ability to detect, investigate, and respond to threats using Microsoft Defender XDR, Microsoft Sentinel, and related security tools.
How much KQL do I need to know?
KQL is 20-25% of the exam (Domain 3). You need to write hunting queries, select the right tables, and use operators like where, summarize, join, and project. Our KQL modules teach you the patterns with practical examples.
What's in the free tier?
Three study modules — KQL Foundations, Advanced Hunting, and Incident Triage — plus 15 practice questions. These are the most searched-for SC-200 topics.
Is this harder than SC-900?
Yes. SC-200 is an associate-level exam that assumes you already know security fundamentals. It tests operational skills — configuring real tools, investigating real incidents, writing real KQL. Every concept starts with an analogy before the technical depth.
Is this a one-time purchase?
Yes. Pay once, access forever. No subscription or recurring fees.
Can I study on my phone?
Yes — every module is optimised for 10-minute mobile study sessions.

Ready to start?

Try the free tier. Upgrade when you're ready to pass.



© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.