Top 10 SC-200 interview questions and how to answer them in 2026
The SC-200 is the credential SOC managers look for when filtering candidates into Microsoft-stack security operations roles. It costs $165, runs 40–60 questions in 100 minutes (including one short case study), and needs 700/1000 to pass. Having the cert on your resume opens the door; answering these 10 questions correctly — including the operational caveat each one hides — gets you the offer.
These questions came up most frequently in Microsoft Defender and Sentinel SOC interviews reported by candidates through 2025–2026. They test operational judgment across Defender XDR, Sentinel, and Defender for Cloud — not just memorized blade names.
The 10 questions
1. What’s the difference between Microsoft Defender XDR and Microsoft Sentinel?
Defender XDR is the unified incident-and-investigation portal for the Microsoft 365 security stack — Defender for Endpoint, Identity, Office 365, and Cloud Apps. Sentinel is a cloud-native SIEM/SOAR that ingests logs from anything (Microsoft, third-party, on-prem) and runs analytics, KQL hunting, workbooks, and playbooks. In 2026 the two share the unified Defender portal, but they are still distinct products with separate licensing and data-retention models. Candidates who treat them as “the same product” lose the round.
2. A confirmed-malicious file lands on a developer laptop. Walk me through MDE’s auto-remediation logic.
Automated investigation and remediation (AIR) runs per device group, not tenant-wide. Workstations are typically set to Full — MDE auto-remediates confirmed malicious artifacts. Servers are set to Semi, requiring analyst approval. The gotcha: a tenant-wide automation level forces you to over- or under-trust entire asset classes, which is why device-group scoping is the most-tested concept in MDE on the SC-200.
3. Defender for Identity raises a “Suspected DCSync attack” on your legitimate vulnerability scanner. What do you do?
Add a per-detection exclusion for that scanner’s service account on the “Suspected DCSync attack” detection. Don’t tag it as a honeytoken — those are decoys that should never authenticate. Don’t mark it as a sensitive account — that heightens alerting. Don’t disable the detection globally — you lose the real ones. Per-detection exclusions are the right surface.
4. Write a KQL hunt for failed sign-ins followed by a successful one from the same IP within 10 minutes.
Hint at the structure even if you don’t recite syntax perfectly: query SigninLogs, filter ResultType != 0 for fails and ResultType == 0 for successes, project the IP and time, then join kind=inner on IPAddress with a where SuccessTime between (FailTime .. FailTime + 10m) guard. Interviewers care that you reach for join + time-window, and that you remember SigninLogs is the table for interactive sign-ins (use AADNonInteractiveUserSignInLogs for service principals).
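The hunt described above, written out as an added example (not code from the original post); it assumes the standard Sentinel SigninLogs columns (TimeGenerated, ResultType, IPAddress, UserPrincipalName) and a constructed threshold of five failures.

```kql
// Added example, not from the original post: failed sign-ins from an IP followed by a
// success from the same IP within 10 minutes. Assumes the Sentinel SigninLogs table;
// ResultType is a string column there, so the comparisons quote "0".
let lookback = 1d;
let window = 10m;
let minFailures = 5;            // constructed threshold; tune to the tenant's noise level
let fails = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"
    | project FailTime = TimeGenerated, IPAddress,
              FailedUser = UserPrincipalName, FailCode = ResultType;
let successes = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, IPAddress, SuccessUser = UserPrincipalName;
fails
| join kind=inner successes on IPAddress
// Keep only failures that precede the success by at most the window.
| where SuccessTime between (FailTime .. (FailTime + window))
// One row per success event; dcount avoids double-counting a failure that
// precedes several successes from the same IP.
| summarize FailCount = dcount(FailTime),
            FirstFail = min(FailTime),
            FailedAccounts = make_set(FailedUser, 20),
            FailCodes = make_set(FailCode, 10)
          by IPAddress, SuccessUser, SuccessTime
| where FailCount >= minFailures
// Heuristic label: many distinct accounts failing before one success looks like a
// spray; repeated failures on one account looks like brute force (or a typo-prone user).
| extend Pattern = iff(array_length(FailedAccounts) > 1, "spray", "brute-force")
| order by FailCount desc
// Non-interactive user sign-ins live in AADNonInteractiveUserSignInLogs and service
// principal sign-ins in AADServicePrincipalSignInLogs; swap the table to hunt those.
```

Grouping by SuccessTime yields one row per successful sign-in, so IPAddress and SuccessUser map directly onto incident entities if the hunt is later promoted to an analytics rule.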
5. What is a Microsoft Sentinel analytics rule vs. a hunting query?
Analytics rules run on a schedule (or near real-time) and produce incidents with severity, tactics, and entity mapping. Hunting queries are ad-hoc KQL you run interactively or save for the analyst-driven hunt library — they don’t create incidents on their own. Promote a hunting query to an analytics rule once the false-positive rate is low enough and the detection is worth waking someone up for.
6. How do you reduce Sentinel ingestion cost without losing detection coverage?
Three levers. First, route low-value, high-volume tables (verbose Office 365 audit, Sysmon information events) to the Auxiliary Logs or Basic Logs tier — cheaper ingestion, search-only retention. Second, use DCR (Data Collection Rule) transformations to drop or project columns at ingest. Third, kill the rules that fire on benign admin tooling and don’t make incidents anyone investigates. “Just ingest everything” is the answer that loses interviews; tiered ingestion is the answer that wins them.
7. Safe Links vs. Safe Attachments in Defender for Office 365 — when do you use which?
Safe Links rewrites URLs and detonates the destination at time of click, defending against freshly-weaponized domains that were clean at delivery. Safe Attachments detonates attachments in a sandbox before delivery (Dynamic Delivery lets the body arrive while the attachment is scanned). They’re complementary — you enable both. Anti-phishing policies handle impersonation; mail flow rules are the wrong layer for either job.
8. A Defender for Cloud regulatory compliance score for PCI DSS just dropped. What’s your triage?
Open Defender for Cloud → Regulatory compliance, drill into the failing PCI control, list the resources marked unhealthy, and group by recommendation. Most score drops in 2026 trace to one of three causes: a new subscription was onboarded without baseline policies, a recently created storage account or VM disabled encryption, or a managed identity was granted over-broad RBAC. Fix the recommendations with the highest resource count first — that’s where the score moves.
9. What’s the difference between a Sentinel playbook and an automation rule?
Automation rules run inside Sentinel and handle simple post-incident logic — reassign, change severity, close on a condition, tag. Playbooks are Azure Logic Apps triggered by Sentinel — they reach into Defender for Endpoint, Teams, ServiceNow, custom APIs, and so on. The pattern hiring managers reward: automation rule fires on incident creation, evaluates conditions, and conditionally invokes a playbook for the heavy lift. Building everything as a playbook is wasteful; building nothing as a playbook makes you a slow SOC.
10. How much do SC-200–anchored SOC roles pay in 2026?
$95,000–$130,000 in US metros for SOC analyst and security engineer roles requiring SC-200 plus 2+ years of Defender or Sentinel operations. Senior detection engineer and Sentinel content developer roles reach $135,000–$170,000. The official Microsoft Learn SC-200 page lists the current skills measured. BLS reports a 2024 median of $124,910 for information security analysts; SC-200–anchored postings cluster at and above that median.
What these questions test
Every question has a “book answer” and an “operational answer.” Interviewers want the operational one — the version that includes the gotcha (per-detection exclusions for tuning, device-group scoping in MDE, tiered ingestion in Sentinel, automation rule + playbook split). Passing the SC-200 proves you can recognize the right blade. Answering these correctly proves you’ve actually run the platform on a noisy tenant under a real SLA.
Practice SC-200 questions right now — no signup
CertQuests has engineer-written SC-200 practice questions with full explanations on every answer. Free, no account required.
Frequently asked questions
What’s the difference between Defender XDR and Sentinel?
Defender XDR is the unified portal for the Microsoft 365 security stack (Endpoint, Identity, Office 365, Cloud Apps). Sentinel is a cloud-native SIEM/SOAR that ingests anything, anywhere, and runs KQL analytics + playbooks. Distinct products, distinct licensing, integrated portal in 2026.
How does MDE auto-remediation work?
AIR level is set per device group, not tenant-wide. Workstations typically run Full (auto-remediate); servers run Semi (analyst approval). Device-group scoping is the most-tested MDE concept on the SC-200.
How do you tune a Defender for Identity false positive?
Add a per-detection exclusion for the offending account on the specific detection. Don’t mark it honeytoken (decoys must never auth) or sensitive (raises alerting). Don’t disable the detection globally — you lose the real ones.
How much do SC-200 anchored SOC roles pay in 2026?
$95,000–$130,000 in US metros for SOC analyst and security engineer roles with SC-200 plus 2+ years of Defender or Sentinel operations. Senior detection-engineer and Sentinel content developer roles reach $135,000–$170,000.
What is the SC-200 exam format?
40–60 questions in 100 minutes, including multiple choice, drag-and-drop, and one short case study. 700/1000 (scaled) to pass. $165 USD. Covers Defender XDR, Defender for Cloud, and Microsoft Sentinel.
Is KQL required for SC-200?
Yes — functional KQL is required. You won’t write 100-line queries on the exam, but you need to read a query, predict its output, recognize summarize, join, project, and time-window operators, and pick the correct one for a given hunt. Sentinel and advanced hunting both run on KQL.
How we wrote this
No Microsoft or training-vendor revenue. Questions were sourced from candidate reports on Reddit, Microsoft Tech Community, the Sentinel and Defender LinkedIn groups, and SOC hiring-manager interviews across 2025–2026, cross-referenced against the official Microsoft Learn SC-200 exam page. Salary figures are cross-referenced against the BLS Occupational Outlook and open postings on LinkedIn and Levels.fyi as of Q1–Q2 2026. Tell us what you’d update.
Last reviewed: May 17, 2026.