SC-200 prep, Microsoft Security Operations Analyst roadmap with ARIA
The Microsoft Security Operations Analyst Associate (SC-200) is 120 minutes, roughly 40 to 55 questions, 700 out of 1000 to pass, associate level, with Microsoft Sentinel accounting for half the exam. I prep you for it with a CAT evaluation that maps your gaps across three domains, a roadmap weighted to where this exam actually scores you, an error backlog that tags KQL operator failures and detection logic traps by type, and a pass guarantee tied to five measurable conditions. Start your free CAT evaluation at claudelab.me/onboarding/select-cert?code=SC-200.
TL;DR
- 120 minutes, 40 to 55 questions, 700 out of 1000, associate level. No lab segment.
- Microsoft Sentinel is 50 to 55 percent of the exam. If you under-prepare Sentinel, you cannot pass by excelling elsewhere.
- KQL is required and tested on recognition, modification, and rule logic, not on authorship from scratch.
- Defender for Cloud at 15 to 20 percent is the lightest domain but still gated on plan-level knowledge.
- No prerequisites. Real SOC or security operations experience makes the scenarios readable.
What the SC-200 exam is
SC-200 is the current Microsoft Security Operations Analyst Associate exam. It targets security analysts who operate in a SOC environment using Microsoft's detection and response toolchain. The exam assumes you work in Sentinel daily, triage incidents across Microsoft 365 Defender products, and understand how Defender for Cloud surfaces infrastructure risk.
About 40 to 55 scenario-based questions in 120 minutes. Passing score of 700 out of 1000. Annual renewal required via a free Microsoft Learn assessment.
The three domains and their weights:
| Domain | Weight | What it covers |
|---|---|---|
| Mitigate threats using Microsoft 365 Defender | 25–30% | Defender for Endpoint device onboarding and live response, Defender for Office 365 email threat investigation, Defender for Identity alert triage, Microsoft Defender XDR incident correlation, attack simulation training, hunting in Defender portal. |
| Mitigate threats using Defender for Cloud | 15–20% | Defender for Cloud recommendations and secure score, workload protection plans (Servers P1 vs P2, Containers, Databases), alert investigation and response, regulatory compliance posture mapping. |
| Mitigate threats using Microsoft Sentinel | 50–55% | Workspace architecture, data connectors and DCR-based ingestion, analytics rule types (Scheduled, NRT, Fusion, Anomaly), KQL for detection and hunting, watchlists, entity behavior analytics (UEBA), SOAR playbooks via Logic Apps, incident triage and investigation graph, workbook reporting, content hub solutions, threat intelligence integration. |
Sentinel at 50 to 55 percent means you cannot compensate for a weak Sentinel phase by mastering the other two. The roadmap reflects this: Sentinel gets the most milestones regardless of starting level.
How ARIA preps you for it
ARIA owns your SC-200 prep end to end. Three phases, heavily weighted toward Sentinel, with KQL drilled as a first-class skill rather than an afterthought.
The CAT evaluation. Your first session is a 15 to 25 question adaptive test across the three SC-200 domains. It finds your real level on Sentinel versus Microsoft 365 Defender versus Defender for Cloud. Candidates who come from endpoint backgrounds often arrive strong on M365 Defender and weak on Sentinel; the roadmap adjusts. Read the full CAT explainer for mechanics.
The personalized roadmap weighted to Sentinel. Sentinel always gets the most milestones, but the sequencing within it depends on your CAT results. Weak on KQL means KQL milestones come first; weak on SOAR means the playbook phase opens early. The other two domains run in parallel phases with lighter milestone counts. Full structure at the roadmap overview.
The daily task engine. One card per day. Roadmap practice sessions advance milestones; free-play tasks improve readiness but do not advance milestones. The distinction matters more on SC-200 than on many certs because KQL requires spaced repetition to stick.
The error backlog with detection-trap tags. Every wrong answer is tagged by the trap pattern. Sub-patterns I track for SC-200 include "analytics rule type selection (Scheduled vs NRT vs Fusion)", "KQL operator class (filter, aggregation, join kind, time window, projection)", "Sentinel connector type (AMA vs MMA vs REST)", "Defender for Cloud plan tier (P1 vs P2 feature boundary)", "incident vs alert scope confusion", "SOAR playbook authorization gap", "watchlist KQL join pattern", and "UEBA entity type". A trap retires after three correct answers in a row, spaced.
The gauntlet. Readiness of 60 unlocks the demo test. Readiness of 80 unlocks the gauntlet. The pass guarantee requires one gauntlet pass at 80 percent or higher before exam day.
Common pitfalls on SC-200
These are the six traps that pull the most points on this exam.
1. Analytics rule types and when to use each
Sentinel has five analytics rule types with distinct behaviors. Getting the rule type wrong is a pattern across dozens of forum reports.
Scheduled rules run a KQL query on a defined cadence and look-back window. They are the most flexible and most common. Near Real-Time (NRT) rules run approximately every five minutes with a one-minute look-back; they are for detections where latency matters, like brute-force or impossible travel. Fusion rules are Microsoft-managed ML models that correlate multiple low-fidelity alerts into high-confidence incidents; they cannot be customized by the user. Anomaly rules build a behavioral baseline per entity and fire when behavior deviates; they also cannot be customized directly. ML Behavior Analytics rules require UEBA to be enabled and use Microsoft's behavioral models on top of entity data.
The exam describes a detection requirement and asks which rule type to use. The traps: using Scheduled where NRT is the correct answer because latency matters; trying to configure a Fusion rule when you need custom logic (impossible); or picking Anomaly when the scenario requires a threshold-based alert (use Scheduled).
2. Sentinel data connector types and the AMA migration
Sentinel ingests data via connectors that fall into categories: native Microsoft connectors (Azure AD, M365 Defender, Azure Activity), syslog via Azure Monitor Agent (AMA) or legacy Microsoft Monitoring Agent (MMA), CEF via AMA, partner connectors, and REST API-based connectors. The Azure Monitor Agent is the current standard; the MMA/OMS agent is being deprecated.
Data Collection Rules (DCRs) are the configuration layer for AMA-based ingestion. They define what data to collect, from where, and how to transform it before sending. Candidates who do not know the AMA migration path often pick legacy connector types in scenarios where AMA plus DCR is the correct answer.
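What "transform it before sending" looks like in practice, as an added example that is not from this page or from ARIA: the KQL below is the kind of text that goes into a DCR's transformKql property for an AMA Syslog stream. The incoming stream is always named source; the column names follow the Syslog table schema; the facility, severity and "keepalive" filters are made-up examples of noise an analyst might drop at ingestion, and rows dropped here never reach the workspace, so they are never billed or searchable.

```kql
// Added example: DCR ingestion-time transform for an AMA-collected Syslog stream.
// 'source' is the incoming stream; output columns must still match the Syslog table.
// The specific facility/severity/message filters are constructed, not from the page.
source
| where not (Facility == "local4" and SeverityLevel == "debug")   // drop one chatty app's debug lines
| where SyslogMessage !has "keepalive"                              // drop heartbeat chatter (term match)
| extend HostName = tolower(HostName)                               // normalise so later joins on host work
```

The exam angle is the pairing: AMA plus a DCR is where filtering and normalisation live; the legacy MMA agent has no equivalent, which is why scenarios that mention reducing ingestion volume or shaping data before storage point at the AMA path.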
3. Incident vs alert scope for response actions
In Sentinel, an alert is an individual detection signal. An incident groups related alerts into a single case. When a playbook or manual response action is triggered at the alert level and that alert belongs to an incident, the incident state does not update automatically. The exam writes scenarios where "nothing happened to the incident" after a response action. The root cause is acting at the alert scope when the correct scope is the incident.
The inverse trap also appears: dismissing or closing an incident without addressing the underlying alerts, then asking why the same alerts keep generating new incidents.
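A way to see the alert-to-incident relationship in the data, as an added example rather than anything from the page or from ARIA: the query joins the SecurityIncident table (one row per incident update, with the member alert IDs in the dynamic AlertIds column) to SecurityAlert on SystemAlertId and then asks which detections have produced more than one incident in a week. A detection that shows up with several incidents, some of them already Closed, is the "why does this keep coming back" pattern from the paragraph above. The 7-day window and the output columns are my choices.

```kql
// Added example: detections that keep generating fresh incidents after earlier ones were closed.
// SecurityIncident is append-only (a row per update), so arg_max keeps each incident's latest state.
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| mv-expand AlertId = AlertIds to typeof(string)          // one row per (incident, alert) pair
| join kind=inner (
    SecurityAlert
    | where TimeGenerated > ago(7d)
    | summarize arg_max(TimeGenerated, *) by SystemAlertId // latest version of each alert
    | project SystemAlertId, AlertName, AlertSeverity, ProviderName
  ) on $left.AlertId == $right.SystemAlertId
| summarize Incidents = dcount(IncidentNumber),
            ClosedIncidents = dcountif(IncidentNumber, Status == "Closed"),
            IncidentNumbers = make_set(IncidentNumber)
    by AlertName, ProviderName, AlertSeverity
| where Incidents > 1                                      // same detection, multiple incidents
| order by Incidents desc
```

Reading the result: closing the incident changed Status on the SecurityIncident row, but it did nothing to the rule or the condition producing the alerts, so the next run opened a new incident with a new IncidentNumber. Response actions that are meant to stop recurrence (tuning the rule, adding an exclusion, remediating the host) belong with the alert's source, while triage state belongs with the incident.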
4. SOAR playbook authorization gap
Sentinel playbooks are Logic Apps. They run on a managed identity or a service principal. When a playbook is supposed to automatically close incidents or update entities, it needs the Sentinel Responder role (or higher) on the Sentinel workspace. When a playbook calls a third-party API, it needs credentials stored in the Logic App connector.
The exam writes a scenario where a playbook is correctly configured and triggers, but nothing happens on the Sentinel side. The answer is almost always a missing role assignment for the Logic App's managed identity. Candidates who focus on the Logic App logic rather than the authorization chain pick the wrong fix.
5. Defender for Cloud plan tiers
Defender for Cloud has a free foundational tier and paid workload protection plans. Each workload has its own plan, and the feature boundary between plan levels matters on the exam.
For Defender for Servers, Plan 1 gives Microsoft Defender for Endpoint integration and just-in-time VM access. Plan 2 adds file integrity monitoring, adaptive application controls, threat intelligence, and vulnerability assessment. The exam writes scenarios where an organization needs file integrity monitoring and asks which plan is required. Candidates who answer "any Defender for Servers plan" are picking Plan 1 and getting it wrong.
6. KQL cost estimation questions (the Sentinel pricing trap)
This is the trap that community forums report most often and that is not in Microsoft's official study materials. Sentinel pricing questions appear in the form of architecture scenarios: "An organization ingests 800 GB of security data per day. Which pricing model minimizes cost?" The answer depends on whether the volume crosses the commitment tier thresholds, where paying for a reserved capacity block is cheaper than pay-as-you-go per GB.
Candidates who have not looked at the Sentinel pricing page and practiced the commitment tier math fail these questions. I include pricing scenario cards in the Sentinel phase so this does not appear as a surprise.
Common questions
How much KQL do I actually need?
More than on AZ-500. The exam tests recognition and modification, not composition from a blank page. You read a hunting query, predict what it returns, or find the operator that breaks it. The most important operator classes: filtering with where and has, aggregating with summarize and count, shaping with project and extend, joining with join (inner, leftouter, rightsemi), and bucketing time with bin. I drill all of these against real Sentinel table schemas so the patterns transfer directly to exam scenarios.
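The operator classes listed above in one hunting query, as an added example that is not code from this page or from ARIA: a failed sign-in spike detection over SigninLogs, bucketed with bin, enriched with a watchlist through the join pattern the error backlog tracks. Assumptions: a watchlist named VIPUsers exists whose SearchKey is the user's UPN and which has a Tier column; both are constructed for the example, and the 10-failure threshold and 10-minute bucket are arbitrary.

```kql
// Added example: failed sign-in spikes per user, enriched from a (hypothetical) VIPUsers watchlist.
let lookback = 1h;               // time window the query inspects
let threshold = 10;              // failures per bucket that count as a spike (arbitrary)
let vip = _GetWatchlist('VIPUsers')                       // watchlist and its Tier column are assumed
    | project UserPrincipalName = tolower(SearchKey), Tier = tostring(Tier);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                                 // ResultType is a string; "0" means success
| where AppDisplayName has "Office"                       // has = whole-term, case-insensitive match
| extend UserPrincipalName = tolower(UserPrincipalName)   // normalise before the join key is compared
| summarize Failures = count(),
            DistinctIPs = dcount(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, bin(TimeGenerated, 10m)         // one row per user per 10-minute bucket
| where Failures >= threshold
| join kind=leftouter vip on UserPrincipalName            // leftouter keeps non-VIP users; inner would drop them
| extend IsVIP = isnotempty(Tier)
| project TimeGenerated, UserPrincipalName, Failures, DistinctIPs, FirstSeen, LastSeen, IsVIP, Tier
| order by IsVIP desc, Failures desc
```

The exam-style traps are visible in the query itself: swapping has for contains changes what matches ("Office" would then also hit "OfficeSuite"), changing kind=leftouter to inner silently removes every user not on the watchlist, and dropping the bin means summarize collapses the whole hour into one row so a burst and a slow trickle look identical.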
Does SC-200 have a lab?
No. The current SC-200 exam is multiple-choice and multiple-response only, 40 to 55 items, 120 minutes. Every question is scenario-based. No interactive console, no portal navigation.
SC-200 vs AZ-500 for cloud security specialization?
Different roles. AZ-500 is the security engineer cert: configuring Azure security infrastructure, identity access controls, network perimeter, and encryption. SC-200 is the operations analyst cert: detecting and responding to threats using the SOC toolchain. Engineers take AZ-500. Analysts take SC-200. The Sentinel and Defender coverage overlaps meaningfully, but the framing is configure vs detect-and-respond.
What Sentinel tables are most tested?
SecurityEvent (Windows events), SigninLogs and AADNonInteractiveUserSignInLogs (Entra ID sign-in), AzureActivity (control-plane), OfficeActivity (M365 workloads), DeviceEvents and DeviceProcessEvents (MDE endpoint), CommonSecurityLog (CEF), and Syslog. Knowing which scenario calls for which table is half the KQL battle.
Does SC-200 require annual renewal?
Yes. Annual renewal via a free Microsoft Learn assessment, same as other associate-level Microsoft certs.
What is the pass guarantee for SC-200?
SC-200 qualifies. Five conditions: every milestone completed, every phase completed, two mock exams at 700 or higher, one gauntlet at 80 percent or higher, and a live readiness score of 80 or above. Full terms at the pass guarantee page.
Start your SC-200 prep
If you work in a SOC and have touched Sentinel or Defender, your gaps are probably in KQL depth and Sentinel architecture, not in understanding what a SOC does. The CAT evaluation tells you which specific Sentinel capabilities are weak in 15 minutes.
Start your free SC-200 evaluation at claudelab.me/onboarding/select-cert?code=SC-200.
Related reading: AZ-500 for the security engineer path that pairs with this one, and the cybersecurity cert roadmap article for how SC-200 fits into a broader security career track.