Microsoft Certified: Security Operations Analyst Associate (SC-200) is an Associate-level certification for SOC (Security Operations Center) analysts who detect, investigate, and respond to threats using Microsoft Sentinel and Microsoft Defender XDR. In Japan it is increasingly required for SOC, MSSP, and in-house CSIRT roles, and for companies that adopt the Microsoft security stack it is effectively the standard SOC certification. Alongside SC-300 (Identity Admin), it is one of the most directly job-relevant exams in the Microsoft security Associate lineup.
This article walks through the SC-200 exam specs, the 4-domain breakdown, key operating points for the Defender XDR suite and Sentinel, the required KQL skill set, a 3-4 month pass roadmap, and the next steps after passing. Microsoft security products evolve quickly, so reviewing the latest Skills measured revision is a prerequisite to passing.
SC-200 follows the Associate tier specs. 100 minutes, 40-60 questions, passing score 700/1000, USD 165 / JPY 21,103, valid for 12 months (renewable via the free renewal assessment). You can take it through Pearson VUE either online with OnVUE or at a test center, with multiple languages including Japanese. In addition to multiple-choice questions, the exam includes KQL query reading, scenario questions based on the Defender XDR / Sentinel UI, and case studies, with most items following the SOC analyst workflow (alert reception → triage → investigation → response → retrospective).
Microsoft Defender XDR is a cross-domain XDR suite that integrates multiple Defender products. It consists of six components: Defender for Endpoint (EDR), Defender for Identity (attack detection against on-prem AD), Defender for Office 365 (phishing/malware mail defense), Defender for Cloud Apps (CASB; SaaS app visibility), Defender for Cloud (CWPP/CSPM for Azure/AWS/GCP workloads), and Defender Vulnerability Management. These are unified for incident management in the Defender XDR portal (formerly the Microsoft 365 Defender portal), so attacks that span multiple products can be correlated into a single incident.
The domain for building the SOC foundation. The core topics are Defender XDR portal configuration and role management (RBAC), Microsoft Sentinel Workspace design and data connector setup (Microsoft 365, Azure Activity, AWS CloudTrail, Syslog, CEF, custom logs), Analytics Rules configuration (Microsoft Security Rule, Scheduled Query Rule, Fusion, ML Behavior Analytics), and integrating Automation Rules with Playbooks (Logic Apps). Common pitfalls in this domain are confusing Defender for Cloud (CWPP/CSPM) with Defender for Cloud Apps (CASB), and Workspace consolidation design (single Sentinel Workspace vs. per-site separation).
The domain for preventive defense and detection rule configuration. The core topics are Defender for Endpoint Attack Surface Reduction (ASR) rules, Web Content Filtering, Network Protection, and Application Control; Defender for Cloud Microsoft Cloud Security Benchmark compliance, the Regulatory Compliance dashboard, Just-in-Time VM Access, and Adaptive Application Controls; Defender for Identity sensor deployment (to Domain Controllers) and Lateral Movement Path detection; Custom Detection Rules (turning Defender XDR Advanced Hunting queries into automated alerts); and Sentinel Analytics Rule threshold/severity tuning.
The highest-weighted core domain, and the single biggest factor in pass/fail. The core topics are incident investigation in Defender XDR (Attack Story comprehension, Asset relationship graphs, Timeline, Evidence and Response), incident triage in Sentinel (owner assignment, severity changes, tagging, merging related alerts), Playbook execution (Logic App response automation: mail quarantine, user disablement, IP blocking, ticket creation), phishing response in Defender for Office 365 (Submissions, Threat Explorer, Tenant Allow/Block List), and Threat Intelligence (TI) usage (Microsoft Defender Threat Intelligence, TAXII feeds, Indicators of Compromise).
This domain is the biggest hurdle for candidates without hands-on experience. If at all possible, run 5-10 Sentinel incident response flows in a real SOC environment or a sandbox before the exam — it makes a major difference in your score.
The domain for proactively hunting unknown threats beyond known alerts. The core topics are Sentinel Hunting Queries (hypothesis-driven KQL queries), Notebooks (Jupyter) for advanced investigation (Microsoft Sentinel ML notebooks), Bookmarks for saving query results during an investigation, Livestream for continuous query execution, Defender XDR Advanced Hunting (KQL access to M365/Defender data), and MITRE ATT&CK mapping (designing hunts by Tactics/Techniques). Hunting is an Indicators of Attack (IoA)-based proactive threat discovery technique, positioned as a critical skill that elevates a SOC by one full level.
Every query in Microsoft Sentinel and Defender XDR Advanced Hunting is written in KQL. Minimum syntax to know: project, extend, summarize, where, join, union, parse, extract, mv-expand, bin, ago, now, make-set, dcount. SQL users can typically catch up in a few days; the syntax is more concise than SQL. The go-to learning resources are the Microsoft Learn module "Write your first query with Kusto Query Language" and reading and modifying 30-50 Detection/Hunting Queries from the Azure-Sentinel GitHub repository.
A 3-month plan assuming 1-3 years of SOC experience plus Azure fundamentals. Month 1: review SC-900 and work through the Microsoft Learn SC-200 learning path (Defender XDR section); get comfortable with the Defender for Endpoint and Defender for Office 365 portal UI. Month 2: build a Sentinel Workspace, enable 5 data connectors, write 5 Analytics Rules, 1 Playbook, and 10 KQL Hunting Queries. Month 3: practice 5-10 incident response scenarios, work on Threat Hunting and MITRE ATT&CK mapping, and iterate on the official Practice Assessment until you can hit 80%. SOC beginners should add 1-2 months of SC-900 and SIEM fundamentals before this plan, for a total of 4-5 months.
To cover the security track, the standard combo is SC-300 (Identity and Access Administrator) and SC-400 (Information Protection Administrator). To move up to strategy and architecture, take SC-100 (Cybersecurity Architect Expert); for full Azure security implementation coverage, SC-500 (the AZ-500 successor, GA expected September 2026). For details on how to choose between SC-200 and SC-300, see "SC-200 vs SC-300 Complete Comparison". Outside Microsoft, pairing with CompTIA Security+, CISSP, GIAC GCIA/GCFA, or OffSec OSCP is highly valued in the SOC/Red Team job market. For an in-house SOC analyst role at an end-user company, SC-200 + SC-300 + SC-100 is a strong three-cert set; for MSSP or consulting, SC-200 + CISSP is the go-to combo.
What kind of exam is SC-200?
Microsoft Certified: Security Operations Analyst Associate (SC-200) is an Associate-level certification for SOC analysts who detect, investigate, and respond to threats using Microsoft Sentinel and Microsoft Defender XDR. The exam is 100 minutes, 40-60 questions, costs USD 165, requires 700/1000 to pass, is valid for 12 months, and is offered in multiple languages including Japanese. It broadly covers the Defender XDR suite (Defender for Endpoint, Defender for Cloud, Defender for Identity, Defender for Office 365, Defender for Cloud Apps) and Microsoft Sentinel (SIEM/SOAR) operations. In Japan, it is increasingly listed as a hard requirement for SOC, MSSP, and in-house CSIRT roles.
Is hands-on security experience required?
Strongly recommended. SC-200 directly tests the day-to-day work of a SOC analyst: incident response, threat hunting, and writing KQL queries. The learning curve is steep without prior field experience. At a minimum, you will study far more efficiently if you can: 1) write queries in at least one SIEM product (Sentinel, Splunk, QRadar, etc.), 2) understand incident triage workflows, and 3) list the tactics in the MITRE ATT&CK framework. Beginners should take SC-900 (Security Fundamentals) first, then spend 30-50 hours on Microsoft Learn hands-on labs for Defender/Sentinel before tackling SC-200.
What are the exam domains and weightings?
Four domains. Manage a security operations environment (20-25%): Defender XDR/Sentinel configuration, Workspace design, data connectors, automation rules. Configure protections and detections (15-20%): Defender for Endpoint Attack Surface Reduction, Defender for Cloud Workload Protection, Defender for Identity sensor deployment, Custom Detection Rules. Manage incident response (35-40%, the most important): Defender XDR incident investigation, Sentinel Playbook (Logic App) response automation, Defender for Office 365 phishing response, Threat Intelligence usage. Perform threat hunting (15-20%): Sentinel KQL Hunting Queries, Notebooks (Jupyter), Bookmarks, and Livestream. Hands-on experience makes the biggest difference in the highest-weighted incident response domain.
How much KQL do I need?
Effectively a required skill. Every query, Hunting Query, Workbook, Alert Rule, and Custom Detection in Microsoft Sentinel is written in KQL (Kusto Query Language). The minimum you need: 1) basic operators like project, extend, summarize, where, join, union; 2) string/array operations like parse, extract, mv-expand; 3) time functions like bin, ago, now; 4) aggregations like make-set, dcount; 5) external data references like externaldata, externalbase. The standard prep is the Microsoft Learn module "Write your first query with Kusto Query Language" plus reading and modifying 30-50 queries from the Sentinel GitHub samples (https://github.com/Azure/Azure-Sentinel). SQL users typically catch up in a few days.
How much study time do I need, and what does the roadmap look like?
Typical ranges from Japanese exam reports: 80-120 hours with 1-3 years of SOC experience, 150-200 hours for IT security pros new to Sentinel, and 300+ hours for beginners. The standard prep stack is the Microsoft Learn SC-200 learning path (~50 hours), the official Practice Assessment, and hands-on work with a Sentinel workspace and Defender for Cloud on the Azure free account (USD 200 / 30 days). Defender for Endpoint and Defender for Identity require licenses (M365 E5 trial or Azure evaluation licenses); using your employer's test environment is more efficient if possible. Expect 3-4 months of focused study.
How much does it cost, and how can I get a free voucher?
USD 165 / JPY 21,103 (tax incl.), typically paid by credit card via Pearson VUE. The Associate tier does not get the direct Virtual Training Day voucher perk, but you can earn discounts or free vouchers through Microsoft Reactor security hands-on events, Microsoft Sentinel Ninja Training completion rewards, Cloud Skills Challenge security tracks, and event giveaways at Microsoft Ignite/Build. Microsoft security certifications (SC-100/SC-200/SC-300/SC-400/SC-500) run campaigns relatively often, so free vouchers are easier to come by. The most reproducible route is regularly checking the Microsoft Learn Cloud Skills Challenge.
How does renewal work?
SC-200 is valid for 12 months, and you can renew it for free via the Microsoft Learn renewal assessment starting 6 months before expiration. The renewal assessment is much shorter (about 25-30 questions), open-book (you can reference Microsoft Learn), and uses a lower passing score. If you let it expire, you have to retake the full exam and pay USD 165 again. Because Defender/Sentinel evolves rapidly, the renewal assessment is refreshed yearly to cover the latest features (e.g., Copilot for Security automated triage, the Unified XDR portal incident experience). The safe play is to watch for Credly expiration emails and start renewing 3 months before expiration.
What should I pursue after SC-200?
To cover the security track, the standard combo is SC-300 (Identity and Access Administrator) and SC-400 (Information Protection Administrator). To move up to strategy and architecture, take SC-100 (Cybersecurity Architect Expert). For full Azure security implementation coverage, take SC-500 (the AZ-500 successor, GA expected September 2026), and consider progressing toward the Microsoft Certified: Identity and Access Administrator Expert path. Outside Microsoft, pairing with CompTIA Security+, CISSP, GIAC GCIA/GCFA, or OffSec OSCP is highly valued in the SOC/Red Team job market. If you target an in-house SOC analyst role at an end-user company, SC-200 + SC-300 + SC-100 is a strong three-cert set; for MSSP or consulting, SC-200 + CISSP is the go-to combo.
Related Articles & Exam Info
SC-300 完全ガイド|Microsoft Identity and Access Administrator Associate 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Identity and Access Administrator Associate (SC-300) の完全ガイド。4 ドメインの出題範囲、Microsoft Entra ID の ユーザー / グループ / アプリ管理、Conditional Access / MFA / PIM / Entra ID Governance の実装、3-4 ヶ月の合格ロードマップ、SC-200 / SC-100 / SC-500 への展開ルートを日本語で網羅。
MS-102 完全ガイド|Microsoft 365 Administrator Expert 出題範囲・学習リソース・合格戦略【2026 年版】
Microsoft Certified: Microsoft 365 Administrator Expert (MS-102) の完全ガイド。4 ドメインの出題範囲、テナント / Entra ID / Defender XDR / Purview を横断的にカバー、SC-300 / SC-200 との重複と差異、Microsoft 365 Developer Program 活用法、3-4 ヶ月の合格ロードマップ、SC-100 / MD-102 への展開ルートを日本語で網羅。
SC-900 完全ガイド|Microsoft Security, Compliance, and Identity Fundamentals 出題範囲・学習リソース・合格戦略
Microsoft Certified: Security, Compliance, and Identity Fundamentals (SC-900) の完全ガイド。Zero Trust・Microsoft Entra・Defender スイート・Purview の出題範囲、無料 Virtual Training Day バウチャー、4 週間合格ロードマップ、SC-200 / SC-300 / SC-500 / SC-100 へのキャリアパスを日本語で網羅。
SC-200 vs SC-300 完全比較|Microsoft Security Operations Analyst vs Identity Administrator の違いと選び方【2026 年版】
Microsoft セキュリティ系 Associate の双璧 SC-200 (Security Operations Analyst) と SC-300 (Identity and Access Administrator) を完全比較。対象ロール・出題範囲・難易度・学習時間・受験料・キャリアパスを表形式で整理。二刀流取得の価値、SC-100 への進化ルートまで日本語で網羅。
Exam information in this article is based on the official Microsoft Learn SC-200 page and the official Study Guide. This article is not an official Microsoft Corporation product and has no sponsorship or partnership relationship with Microsoft. Microsoft, Azure, Microsoft Sentinel, Microsoft Defender, and Microsoft Entra are trademarks of the Microsoft group of companies. Information is based on official materials publicly available as of May 24, 2026. For the latest information, always check the official pages.
Practice with certification-focused question sets
View Azure exam prep pageNicheeLab Editorial Team
NicheeLab editorial team focused on data engineering and cloud certification learning. Content is structured around practical study needs and official exam domains.
AZ-900 Azure Fundamentals: Complete Exam Guide (2026)
Pass AZ-900 — cloud concepts, Azure architecture, management...
Azure Certification Roadmap: Which Cert to Take Next (2026)
Choose your Azure certification path — Fundamentals, Associa...
AI-901 Azure AI Fundamentals (Beta): Complete Guide (2026)
Pass AI-901 — Microsoft Foundry, generative AI, responsible ...
Microsoft Entra ID Fundamentals for Azure Certs (2026)
Entra ID basics every cert candidate needs — tenants, identi...
DP-900 Azure Data Fundamentals: Complete Guide (2026)
Pass DP-900 — relational, non-relational, analytics, Power B...