MICROSOFT CERTIFICATION
SC-200 Security Operations Analyst Associate Practice Exam
Exam Number: 3161 | Last updated 16-Apr-26 | 775+ questions across 4 vendor-aligned objectives
The SC-200 Security Operations Analyst Associate certification validates the skills of security operations analysts who investigate, respond to, and hunt for threats using Microsoft Sentinel and Microsoft Defender. This exam measures your ability to work with Microsoft Sentinel, Microsoft Defender XDR, Kusto Query Language (KQL), SOAR playbooks, and threat intelligence, demonstrating both the conceptual understanding and the practical implementation skills required in today's enterprise environments.
The heaviest exam domains include Mitigate Threats Using Microsoft Sentinel (50–55%), Mitigate Threats Using Microsoft Defender XDR (25–30%), and Mitigate Threats Using Microsoft Defender for Cloud (15–20%). These areas collectively represent the majority of exam content and require focused preparation across their respective subtopics.
Candidates should ensure thorough coverage of all domains, as each contributes meaningfully to the overall exam score and reflects distinct competencies expected on the job.
Every answer links to the source. Each explanation below includes a hyperlink to the exact Microsoft documentation page the question was derived from. PowerKram is the only practice platform with source-verified explanations. Learn about our methodology →
503 practice exam users · 93.9% satisfied users · 89.3% passed the exam · 4.5/5 quality rating
Test your SC‑200 SecOps Analyst knowledge
10 of 775+ questions
Question #1 - Mitigate Threats Using Microsoft Defender XDR
A SOC analyst receives an alert that a user’s device downloaded a suspicious file which then attempted to connect to a known command-and-control server. The alert correlates the endpoint, email, and network signals.
Which Defender XDR feature automatically correlated these signals into a single incident?
A) Azure Monitor alert rules
B) Manual alert grouping by the analyst
C) Automated incident correlation using entity-based attack graph analysis across Defender for Endpoint, Office 365, and Network
D) Separate investigation per alert
Correct answer: B – Explanation:
Defender XDR automatically correlates alerts across endpoints, email, identity, and network into unified incidents using entity mapping and attack graph analysis. Manual grouping is time-consuming. Separate investigations miss the attack chain. Azure Monitor does not correlate security incidents. Source: Check Source
Question #2 - Mitigate Threats Using Microsoft Defender XDR
A SOC analyst receives an alert that a user’s device downloaded a suspicious file which then attempted to connect to a known command-and-control server. The alert correlates the endpoint, email, and network signals.
Which Defender XDR feature automatically correlated these signals into a single incident?
A) Separate investigation per alert configured for the specific requirements
B) Automated incident correlation using entity-based attack graph analysis across Defender for Endpoint, Office 365, and Network
C) Azure Monitor alert rules which does no
D) Manual alert grouping by the analyst for this requirement
Correct answer: D – Explanation:
Defender XDR automatically correlates alerts across endpoints, email, identity, and network into unified incidents using entity mapping and attack graph analysis. Manual grouping is time-consuming. Separate investigations miss the attack chain. Azure Monitor does not correlate security incidents. Source: Check Source
Question #3 - Mitigate Threats Using Microsoft Defender XDR
During an active incident, the analyst needs to immediately isolate a compromised device from the network while preserving its connection to the Defender for Endpoint service for continued investigation.
Which response action should the analyst take?
A) Remove the device from Entra ID which does not address the stated requirement
B) Shut down the device completely which does not address the stated requirement
C) Use the Isolate Device action in the Defender for Endpoint portal
D) Physically unplug the network cable which does not address the stated requirement
Correct answer: C – Explanation:
Isolate Device cuts network access while maintaining the Defender service connection for remote investigation and evidence collection. Physical unplugging loses remote management. Shutdown loses volatile memory evidence. Removing from Entra ID affects identity, not network isolation. Source: Check Source
Question #4 - Mitigate Threats Using Microsoft Defender XDR
The SOC team identifies a phishing campaign delivering malicious Office documents. Multiple users have received the email. The analyst needs to remove the malicious email from all user mailboxes retroactively.
Which Defender capability performs this remediation?
A) Disable email for the entire organization
B) Ask each user to delete the email
C) Block the sender and wait for users to notice
D) Threat Explorer with soft-delete/hard-delete email actions across all affected mailboxes
Correct answer: A – Explanation:
Threat Explorer identifies all instances of a malicious email and enables bulk purge actions across mailboxes. Asking users is unreliable. Sender blocking prevents future emails but does not remove existing ones. Disabling email is disproportionate. Source: Check Source
Question #5 - Mitigate Threats Using Microsoft Sentinel
A security team deploys Microsoft Sentinel and needs to ingest logs from Azure AD sign-in events, Azure Firewall, Microsoft 365, and on-premises Syslog servers.
Which Sentinel component connects these diverse data sources?
A) Manual log uploads meeting the compliance and operational
B) Azure Monitor only configured for the specific requiremen
C) Power BI data sources
D) Data connectors configured for each source type — built-in for Microsoft services and CEF/Syslog for on-premises
Correct answer: A – Explanation:
Sentinel data connectors provide native integration for Microsoft services and standard protocols (CEF, Syslog) for on-premises sources, centralizing log ingestion. Manual uploads are not scalable. Azure Monitor collects but does not provide SIEM analytics. Power BI is for visualization, not log ingestion. Source: Check Source
Question #6 - Mitigate Threats Using Microsoft Sentinel
An analyst needs to create a detection rule that fires when a single user account has more than 10 failed sign-in attempts within 5 minutes from different IP addresses — a potential brute force attack.
Which Sentinel component and query language should be used?
A) An Azure Policy rule which does not address the stated requirement without meeting the core requirement
B) A scheduled analytics rule using KQL to query SigninLogs with time-windowed aggregation by UserPrincipalName and distinct IP count
C) A static watchlist which does not address the stated requirement without meeting the core requirement
D) A manual log search each morning which does not address the stated requirement without meeting the core requirement
Correct answer: B – Explanation:
Scheduled analytics rules execute KQL queries at defined intervals, detecting patterns like brute force across time windows. Watchlists are static reference data. Manual searches are reactive. Azure Policy enforces resource compliance, not threat detection. Source: Check Source
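A scheduled analytics rule query for the brute-force scenario above, added here as an illustration (it is not part of the practice exam or of Microsoft's documentation). It assumes the standard Entra ID SigninLogs schema in Sentinel and a rule schedule that supplies the 5-minute window; the 10-failure and multiple-IP thresholds come from the question.

```kql
// Added example: detection query for a scheduled analytics rule.
// Assumes the rule runs every 5 minutes with a 5-minute lookup period,
// so the schedule supplies the time window; table and column names are
// the standard SigninLogs schema.
let failureThreshold = 10;
SigninLogs
// ResultType "0" is a successful sign-in; any other code is a failure
| where ResultType != "0"
| summarize FailedAttempts = count(),
            DistinctIPs = dcount(IPAddress),
            SourceIPs = make_set(IPAddress, 20),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
    by UserPrincipalName
// "more than 10 failures" from "different IP addresses"
| where FailedAttempts > failureThreshold and DistinctIPs > 1
| project UserPrincipalName, FailedAttempts, DistinctIPs, SourceIPs,
          FirstFailure, LastFailure
```

In the rule wizard, map UserPrincipalName to the Account entity so the incident carries the user for the playbook in Question #7. A burst that straddles two consecutive runs can stay under the threshold in each, so widen the lookup period (for example 10 minutes with bin(TimeGenerated, 5m)) if that matters in your environment.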
Question #7 - Mitigate Threats Using Microsoft Sentinel
When the brute force detection rule fires, the SOC wants the compromised account automatically disabled and the on-call analyst notified via Teams without manual intervention.
Which Sentinel automation feature should be configured?
A) Email notification only meeting the compliance and operational standards required here
B) Manual incident assignment configured for the specific requirements of this busi
C) Azure Automation runbook with no Sentinel integration
D) A Playbook (Logic App) triggered by the analytics rule that disables the account via Microsoft Graph API and posts to a Teams channel
Correct answer: A – Explanation:
Playbooks use Logic Apps to execute automated response actions — disabling accounts and sending notifications — triggered directly by analytics rule incidents. Email-only notification still requires manual response. Manual assignment adds delay. Runbooks without Sentinel integration lack trigger context. Source: Check Source
Question #8 - Mitigate Threats Using Microsoft Sentinel
A threat hunter suspects an advanced persistent threat is using living-off-the-land techniques. They need to interactively explore sign-in patterns and PowerShell usage across thousands of endpoints.
Which Sentinel capability supports this interactive threat hunting?
A) Standard analytics rules only
B) Azure Advisor designed for enterprise-scale deployment and m
C) Hunting queries and Jupyter Notebooks integrated with Sentinel for interactive KQL and Python-based investigation
D) Compliance Manager configured for the specific requirements
Correct answer: B – Explanation:
Hunting queries and Notebooks enable interactive, hypothesis-driven investigation across large datasets using KQL and Python. Analytics rules detect known patterns but not exploratory hunting. Compliance Manager assesses regulatory alignment. Advisor provides optimization recommendations. Source: Check Source
Question #9 - Mitigate Threats Using Microsoft Sentinel
The SOC team wants to enrich incident data with threat intelligence indicators — known malicious IP addresses, file hashes, and domain names — to accelerate investigation and prioritization.
Which Sentinel feature provides this enrichment?
A) Azure Cost alerts which addresses a different requirement than the one described in this scenario
B) Power BI datasets which addresses a different requirement than the one described in this scenario
C) Manual Google searches during investigation meeting the compliance and operational standards required here
D) Threat Intelligence connectors and workbooks that import indicators from TAXII feeds and Microsoft Threat Intelligence for matching against log data
Correct answer: C – Explanation:
Threat Intelligence connectors import IOCs from STIX/TAXII feeds and Microsoft TI, automatically matching against ingested logs to flag known threats. Manual searches are slow. Cost alerts are financial. Power BI is for visualization. Source: Check Source
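A hunting query showing how imported indicators are matched against log data, added here as an illustration (not from the exam or from Microsoft's documentation). It assumes the ThreatIntelligenceIndicator table schema populated by the TAXII or Microsoft Defender Threat Intelligence connector; newer workspaces use the ThreatIntelIndicators table, whose column names differ, so verify the schema in your workspace.

```kql
// Added example: join sign-in source IPs against active IP indicators.
// Column names assume the ThreatIntelligenceIndicator table (legacy schema).
let lookback = 1d;
let activeIpIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(14d)
    | where isnotempty(NetworkIP)
    | where Active == true and ExpirationDateTime > now()
    // indicators are re-ingested when updated; keep only the latest version
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | project IndicatorId, NetworkIP, ThreatType, ConfidenceScore,
              Description, Tags;
SigninLogs
| where TimeGenerated >= ago(lookback)
| join kind=inner activeIpIndicators on $left.IPAddress == $right.NetworkIP
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType,
          ThreatType, ConfidenceScore, Description, IndicatorId
| sort by ConfidenceScore desc, TimeGenerated desc
```

The built-in "TI map IP entity to SigninLogs" analytics rule template performs the same matching on a schedule and raises incidents; this query is the interactive hunting form of it.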
Question #10 - Mitigate Threats Using Microsoft Defender for Cloud
An organization runs Azure VMs, Azure SQL, and Azure Kubernetes Service. The security team needs continuous security posture assessment and workload-specific threat detection across all these services.
Which Defender for Cloud plans should be enabled?
A) Enable only the free tier CSPM which does not address the stated requirement without meeting the core requirement
B) Use only NSGs for protection which does not address the stated requirement without meeting the core requirement
C) Enable Defender for Key Vault only which does not address the stated requirement without meeting the core requirement
D) Enable Defender plans for Servers, SQL, and Containers to get workload-specific threat detection alongside CSPM
Correct answer: D – Explanation:
Workload-specific Defender plans (Servers, SQL, Containers) provide tailored threat detection, vulnerability assessment, and security recommendations for each resource type. Free tier provides basic CSPM without threat detection. NSGs are network controls only. Key Vault Defender misses the other workloads. Source: Check Source
Get 775+ more questions with source-linked explanations
Every answer traces to the exact Microsoft documentation page — so you learn from the source, not just memorize answers.
Exam mode & learn mode · Score by objective · Updated 16-Apr-26
What the SC‑200 SecOps Analyst exam measures
- Mitigate Threats Using Microsoft Defender XDR (25–30%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Mitigate Threats Using Microsoft Sentinel (50–55%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
- Mitigate Threats Using Microsoft Defender for Cloud (15–20%) — Evaluate your ability to implement and manage tasks within this domain, including real-world job skills and scenario-based problem solving.
How to prepare for this exam
- Review the official exam guide to understand every objective and domain weight before you begin studying
- Complete the relevant Microsoft Learn learning path to build a structured foundation across all exam topics
- Get hands-on practice in an Azure free-tier sandbox or trial environment to reinforce what you have studied with real configurations
- Apply your knowledge through real-world project experience — whether at work, in volunteer roles, or contributing to open-source initiatives
- Master one objective at a time, starting with the highest-weighted domain to maximize your score potential early
- Use PowerKram learn mode to study by individual objective and review detailed explanations for every question
- Switch to PowerKram exam mode to simulate the real test experience with randomized questions and timed conditions
Career paths and salary outlook
Earning this certification can open doors to several in-demand roles:
- Security Operations Analyst: $100,000–$140,000 per year (based on Glassdoor and ZipRecruiter data)
- SOC Analyst – Tier 2: $90,000–$125,000 per year (based on Glassdoor and ZipRecruiter data)
- Threat Intelligence Analyst: $95,000–$135,000 per year (based on Glassdoor and ZipRecruiter data)
Official resources
Microsoft provides comprehensive free training to prepare for the SC-200 Security Operations Analyst Associate exam. Start with the official Microsoft Learn learning path for structured, self-paced modules covering every exam domain. Review the exam study guide for the complete skills outline and recent updates.
