Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Manage a security operations environment

Practice SC-200 Manage a security operations environment questions with full explanations on every answer.

554 questions

SC-200 Domains

Manage a security operations environment
Respond to security incidents
Perform threat hunting
Mitigate threats using Microsoft Defender XDR
Mitigate threats using Microsoft Defender for Cloud
Mitigate threats using Microsoft Sentinel


SC-200 Manage a security operations environment questions (showing 300 of 554)


1

Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?

2

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?

3

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

4

Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?

5

Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?

6

Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?

7

Your company uses Microsoft Defender for Cloud to monitor multi-cloud resources. You want to ensure that all critical security recommendations are automatically assigned to the appropriate team leads based on the resource's tags. Which feature should you configure?

8

Your organization uses Microsoft Sentinel and has deployed the Microsoft Sentinel Solution for Microsoft Defender XDR. You need to correlate alerts from Microsoft Defender for Endpoint with Microsoft Defender for Office 365 in a single incident. What is the recommended approach?

9

Your SOC uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You need to configure a policy that triggers when a user downloads a large number of files from SharePoint Online within a short period. Which policy type should you use?

10

Which TWO actions can you perform using Microsoft Sentinel automation rules?

11

Which THREE components are required to ingest Microsoft Entra ID (Azure AD) audit logs into Microsoft Sentinel?

12

Which TWO capabilities are provided by Microsoft Copilot for Security within the Microsoft Sentinel experience?

13

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule created via ARM template. You notice that the rule is not triggering the playbook when a high-severity incident is created. What is the most likely cause?

14

Refer to the exhibit. You are a security analyst reviewing a KQL query in Microsoft Sentinel. The query is intended to show the count of high-severity malware alerts in the last 24 hours. However, the query returns results only for alerts with the exact severity string 'High', and you also need to include 'Informational' severity alerts that are related to malware. What should you modify?

15

Refer to the exhibit. You are running a PowerShell script to enable the Anomalies setting in Microsoft Sentinel. After running the script, you check the Sentinel settings in the portal and see that Anomalies is still disabled. What is the most likely reason?

16

Your organization has deployed Microsoft Sentinel and configured a workspace with data connectors for Microsoft 365 Defender, Azure Activity, and Office 365. You need to ensure that security incidents are automatically assigned to the appropriate analyst based on the incident type. What should you configure?

17

Your company uses Microsoft Defender for Cloud to assess the security posture of hybrid workloads. You are configuring a governance rule to automatically remediate a specific recommendation that is out of compliance. The recommendation is 'Virtual machines should be migrated to new Azure Resource Manager resources'. You need to ensure that the remediation is applied at scale across all subscriptions in the management group. What should you do?

18

As a security operations analyst, you receive an alert from Microsoft Defender for Identity about a suspicious Kerberos activity. You need to investigate the alert and determine if it is a true positive. What should you use to pivot from the alert to the related user and device timeline?

19

Your organization uses Microsoft Defender for Endpoint and has enabled the 'Block at First Sight' feature. You notice that some legitimate executables are being blocked incorrectly. You need to temporarily allow these files while you submit them for analysis. What should you do?

20

Your SOC team uses Microsoft Sentinel to manage incidents. You want to improve the efficiency of incident triage by automatically enriching incidents with threat intelligence data from Microsoft Threat Intelligence. What should you configure?

21

You are a security analyst at a company that uses Microsoft Defender for Cloud Apps. You receive an alert that an anomalous activity was detected from a user's device. You need to investigate the activity to determine if it is a true positive. What should you do first?

22

Your company uses Microsoft Sentinel and has a workspace in the East US region. You need to ingest logs from a non-Azure Windows server located in a branch office in Europe. You have limited bandwidth and need to ensure that log ingestion does not impact network performance. What should you use?

23

Your organization has a Microsoft Sentinel workspace that ingests data from multiple sources. You notice that the cost of data ingestion is higher than expected. You need to reduce costs without affecting security visibility. Which action should you take?

24

Your SOC uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves malicious email attachments to quarantine before they reach user mailboxes. What should you configure?

25

Which TWO actions can be performed using automation rules in Microsoft Sentinel? (Select TWO.)

26

Which THREE capabilities are provided by Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select THREE.)

27

Which TWO data sources can you connect to Microsoft Sentinel to ingest security logs? (Select TWO.)

28

You are reviewing an automation rule in Microsoft Sentinel with the configuration shown in the exhibit. The rule is intended to delete a custom analytics rule when an incident is created. What is the most likely issue with this configuration?

29

You are analyzing sign-in logs in Microsoft Sentinel. The KQL query shown in the exhibit returns a list of users who have signed into Office 365 Exchange Online more than 10 times in the last 24 hours. You need to identify potential brute-force attacks. What additional information should you add to the query to improve detection?

30

You run the PowerShell command shown in the exhibit to enable diagnostics on an Azure VM. The VM is running Windows Server 2022. You want to collect security events and send them to a Log Analytics workspace. What should you include in the diagnostics.json configuration file?

31

Your SOC team uses Microsoft Sentinel with multiple workspaces across regions. You need to implement a solution that allows analysts to query all workspaces from a single location without moving data. Which feature should you configure?

32

Your organization uses Microsoft Defender for Cloud with enhanced security features enabled. You need to ensure that all Azure subscriptions are covered by a single Defender for Cloud policy that enforces specific security standards. The policy must be automatically applied to new subscriptions. What should you do?

33

You are configuring Microsoft Sentinel SOAR capabilities. You need to create an automated response that, when a critical incident is created, triggers a playbook that sends a message to a Teams channel. Which connector should you use in the playbook?

34

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for identity-related threats. The solution should automatically contain a compromised user by disabling their account. Which setting should you enable?

35

Your organization uses Microsoft Sentinel with UEBA enabled. You notice that the UEBA entity pages are not showing any insights for Azure resources. What is the most likely cause?

36

You need to grant a junior analyst the ability to view and investigate incidents in Microsoft Sentinel, but not make any changes. Which built-in role should you assign?

37

Your SOC team uses Microsoft Sentinel analytics rules. You need to ensure that a scheduled rule runs every hour, but only during business hours (8 AM to 6 PM). What configuration should you use?

38

Your organization uses Microsoft Defender for Endpoint. You need to configure a device group that automatically assigns devices to the group based on their domain membership. Devices joined to 'contoso.com' should be in the 'Corporate' group, and all others in 'Non-Corporate'. What should you use?

39

You need to ensure that Microsoft Sentinel can access threat intelligence feeds from external sources like AlienVault OTX. Which data connector should you use?

40

Which TWO of the following are valid ways to automate incident response in Microsoft Sentinel?

41

Which TWO of the following are required to enable user and entity behavior analytics (UEBA) in Microsoft Sentinel?

42

Which THREE of the following are valid methods to reduce the cost of Microsoft Sentinel data ingestion?

43

Your security operations team receives an alert from Microsoft Sentinel about a suspicious sign-in from an unfamiliar IP address. You need to investigate the alert by correlating it with user activity and device information. Which data sources should you query first?

44

You are configuring Microsoft Sentinel to detect potential ransomware activity. The security team wants to be alerted when a single host contacts multiple suspicious domains within a short time. Which analytic rule type should you create?

45

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to create a custom detection rule that triggers when a user is added to a privileged role in Microsoft Entra ID and within 5 minutes performs a mass download from SharePoint. Which approach should you use?

46

Your security team uses Microsoft Sentinel automation rules to respond to incidents. You need to ensure that critical incidents are automatically assigned to a senior analyst in the Americas time zone and that a Teams message is sent to a specific channel. Which configuration should you use?

47

You are a security operations analyst. You need to review all incidents from the past 24 hours that have a high severity and involve multiple users. In Microsoft Sentinel, which blade should you use?

48

Your organization uses Microsoft Sentinel in a multi-workspace environment with a central SOC. You need to create a single incident view across all workspaces while minimizing latency. What should you deploy?

49

Your Microsoft Sentinel environment is not generating incidents from a custom KQL detection rule. The rule runs successfully in the Log Analytics query editor but no incidents appear. What is the most likely cause?

50

As a SOC analyst, you need to quickly identify if a specific user account has been involved in any incidents in the past week. Which feature in Microsoft Sentinel allows you to search for user-related incidents?

51

Your security operations center uses Microsoft Sentinel and Microsoft Defender XDR. A new type of attack involves a user receiving a malicious email that triggers a macro, which then executes PowerShell to download a payload. You need to create a detection that correlates email, process creation, and network connection events from multiple Microsoft 365 Defender sources. What should you use?

52

Which TWO actions should you take to improve the performance of Microsoft Sentinel analytics rules that are running slowly? (Choose two.)

53

Which THREE components are required to enable automation in Microsoft Sentinel? (Choose three.)

54

Which TWO data sources are natively supported by Microsoft Sentinel for ingesting security events? (Choose two.)

55

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in ARM template format. The rule is enabled but no incidents are being created even though matching sign-in events exist. What is the most likely reason?

56

Refer to the exhibit. You are analyzing a KQL query for a Microsoft Sentinel scheduled rule. The query is intended to detect devices that have both a high number of process executions and network connections to a single IP within an hour. However, the query returns no results even though there are devices meeting the criteria. What is the most likely cause?

57

Refer to the exhibit. You have a Microsoft Sentinel analytic rule configured to detect brute force attacks. The rule runs every 30 minutes and groups alerts into incidents based on Account and IP. You notice that multiple incidents are created for the same user and IP within a short time. What should you do to reduce the number of incidents?

58

Your organization uses Microsoft Sentinel with a Log Analytics workspace in the East US region. You need to ensure that incident investigation data is retained for two years for compliance. What should you configure?

59

Your security team uses Microsoft Defender XDR to investigate incidents. You have a custom detection rule that runs a KQL query every hour. Recently, the rule stopped generating alerts. You verify that the query syntax is correct and that data is being ingested. What is the most likely cause?

60

Your company deploys Microsoft Sentinel in a multi-workspace environment. You need to centralize incident management across workspaces while maintaining data residency. You configure Sentinel workspaces in each region. What additional configuration is required to view all incidents from a single pane?

61

Your organization has Microsoft Defender for Cloud Apps enabled. You need to generate an alert when a user downloads more than 100 files from SharePoint in one hour. What should you create?

62

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the incident category. What should you configure?

63

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Defender XDR are automatically synchronized to Sentinel. You have enabled the Defender XDR connector. However, some incidents are not appearing. What should you check first?

64

Your organization uses Microsoft Purview Data Loss Prevention (DLP). You need to receive an alert when a user attempts to share a credit card number via email. What should you configure?

65

Your SOC is investigating an incident in Microsoft Sentinel. You need to quickly identify all related alerts and entities across the timeline. What Microsoft Sentinel feature should you use?

66

Your organization has Microsoft Sentinel with UEBA enabled. An incident is generated for a user with a high risk score. You need to identify whether the user's recent behavior deviates from their baseline. Which Sentinel feature should you use?

67

Which TWO actions should you take to optimize cost in Microsoft Sentinel while maintaining security coverage? (Choose two.)

68

Which THREE components are required to automate incident response in Microsoft Sentinel using playbooks? (Choose three.)

69

Which TWO data connectors can be used to ingest Microsoft 365 audit logs into Microsoft Sentinel? (Choose two.)

70

Refer to the exhibit. You are creating a scheduled analytics rule in Microsoft Sentinel using the ARM template snippet. The rule runs every 5 minutes and queries the last 5 minutes of data. The rule is not generating alerts even though malware detections are occurring. What is the most likely issue?

71

Refer to the exhibit. You are troubleshooting an endpoint that is not receiving real-time protection from Microsoft Defender Antivirus. The output shows RealTimeProtectionEnabled is False. Which command should you run next to enable real-time protection?

72

Refer to the exhibit. Your SOC manager runs this KQL query in Microsoft Sentinel to see which analysts have the most active high-severity incidents in the past 7 days. The query returns no results. What is the most likely reason?

73

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all cloud security alerts are automatically ingested into Sentinel. What should you configure?

74

Your security team uses Microsoft Sentinel UEBA to detect anomalous user behavior. You need to configure UEBA to baseline user activities and generate alerts for deviations. What must you do first?

75

Your company uses Microsoft Defender for Office 365. You want to automatically take action on malicious emails that bypass the filter. What should you configure?

76

Your organization has Microsoft Defender for Endpoint deployed. You need to configure automatic attack disruption for ransomware attacks. What should you enable?

77

Your team uses Microsoft Sentinel to investigate incidents. You need to create a custom analytic rule that triggers an incident when a user signs in from an unfamiliar location. What is the most efficient way to achieve this?

78

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from unmanaged devices for a specific cloud app. What should you configure?

79

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You need to ensure that data from a specific source is retained for 2 years while other data remains at the default retention. What should you do?

80

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. What is the most appropriate first step?

81

Your Microsoft Sentinel environment uses multiple workspaces. You need to centrally manage incidents from all workspaces in a single interface. What should you use?

82

Which TWO actions are valid methods to ingest non-Microsoft security logs into Microsoft Sentinel?

83

Which THREE components are part of Microsoft's unified security operations platform (Microsoft Defender XDR)?

84

Which TWO features are available in Microsoft Sentinel to automate incident response?

85

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule created via ARM template. What is the effect of the grouping configuration?

86

Refer to the exhibit. You run the PowerShell command against Microsoft Defender for Endpoint. What is the result?

87

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What does it return?

88

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are configuring Microsoft Defender for Identity to protect against lateral movement attacks. Which configuration should you prioritize to detect pass-the-hash attacks?

89

Your organization uses Microsoft Sentinel to manage security incidents. You need to ensure that critical incidents are automatically assigned to the senior security analyst on duty. What should you configure?

90

Your organization uses Microsoft Defender for Cloud Apps to discover shadow IT. You notice that a new cloud app is being used by multiple users but has a risk score of 8. What should you do first to manage the risk?

91

Your organization uses Microsoft Sentinel and you have configured a fusion analytics rule for advanced multistage attack detection. You notice that the rule is generating a high number of false positives. What should you do to reduce the false positives without disabling the rule?

92

Your organization uses Microsoft Defender XDR and you are configuring attack surface reduction (ASR) rules. You need to implement a rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion. Which ASR rule should you enable?

93

Your organization uses Microsoft Sentinel and you need to ensure that incidents are automatically closed when a related playbook completes successfully. What should you configure?

94

Your organization uses Microsoft Defender for Cloud and you need to ensure that security recommendations are automatically remediated for non-compliant resources. You have enabled 'Auto provisioning' for the Log Analytics agent. What additional step is required to enable automatic remediation?

95

Your organization uses Microsoft Purview Compliance Manager to manage compliance activities. You need to assign a specific improvement action to a colleague for implementation. What should you do?

96

Your organization uses Microsoft Sentinel and you have a playbook that sends an email notification when a high-severity incident is created. You want to ensure that the playbook only runs for incidents that are not already assigned to a user. What should you configure?

97

Which TWO actions should you take to ensure that Microsoft Sentinel can properly ingest logs from a Linux server running rsyslog? (Choose two.)

98

Which THREE features are available in Microsoft Defender XDR to help automate incident response? (Choose three.)

99

Which TWO are valid methods to connect a non-Azure Windows server to Microsoft Sentinel? (Choose two.)

100

Refer to the exhibit. You are reviewing an Azure Security Center automation (now Microsoft Defender for Cloud) that should automatically trigger a Logic App when an alert is generated. However, the automation is not triggering. What is the most likely cause?

101

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that returns accounts with more than 10 failed logins within 5 minutes. The query is not returning any results even though you know there have been multiple failed logins. What is the most likely reason?

102

Refer to the exhibit. You are reviewing a custom Azure Policy definition that should block deployments from specific IP addresses. However, the policy does not seem to be evaluating any resources. What is the most likely issue?

103

Your organization has a Microsoft Sentinel workspace that ingests logs from Azure resources, Microsoft 365, and third-party firewalls. You need to ensure that data retention for Azure Activity logs complies with a regulatory requirement of 3 years, while keeping costs low for other data types. What should you do?

104

Your security team uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to investigate incidents. You notice that some alerts from Microsoft Defender for Endpoint are not being automatically correlated into incidents as expected. You have confirmed that the relevant alert sources are enabled in the Microsoft Defender XDR portal. What is the most likely cause?

105

You are configuring Microsoft Sentinel to ingest syslog data from a network appliance. After configuring the data connector, you notice that no data is appearing in the CommonSecurityLog table. The syslog server is sending data to the Azure Monitor Agent (AMA) on the log collector. What should you verify first?

106

Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You need to ensure that security alerts from on-premises servers running Windows Server 2022 are forwarded to Microsoft Sentinel. The servers are not yet onboarded to Azure Arc. What should you do first?

107

You are managing a Microsoft Sentinel environment with multiple workspaces across different regions. You need to centralize incident management and allow security analysts to triage incidents from all workspaces in a single view. What should you configure?

108

Your Microsoft Sentinel workspace has a Microsoft 365 Defender connector configured. You notice that incidents are being created from Microsoft Defender for Office 365 alerts, but not from Microsoft Defender for Identity alerts. What should you check?

109

Your organization uses Microsoft Sentinel with Azure Monitor Agent (AMA) to collect Windows security events. You need to collect process creation events (Event ID 4688) and include command-line information. The current Data Collection Rule (DCR) collects only basic security events. What should you modify?

110

You are configuring automated responses in Microsoft Sentinel. You have created an automation rule that runs a playbook when an incident is created. The playbook performs actions in Microsoft Entra ID and Microsoft Defender for Cloud. However, the playbook fails with a permissions error. What should you do?

111

You need to ensure that critical incidents in Microsoft Sentinel are automatically assigned to a senior security analyst. What should you configure?

112

Which TWO actions should you take to reduce the cost of Microsoft Sentinel while maintaining security coverage?

113

Which THREE components are required to collect syslog messages from a network appliance into Microsoft Sentinel using the Azure Monitor Agent?

114

Which TWO Azure services can be used to automate response actions in Microsoft Sentinel when an incident is created?

115

Refer to the exhibit. You have an automation rule defined as shown. The rule is enabled but never triggers. What is the most likely reason?

116

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns no results even though you know there are alerts with the name 'Malware detected'. What is the most likely issue?

117

Refer to the exhibit. You deploy this ARM template to your subscription. After deployment, you cannot find the saved search 'Test Search' in the Microsoft Sentinel workspace. What is the most likely reason?

118

Your security team is investigating an incident in Microsoft Defender XDR where a user received multiple phishing emails. The team needs to create an automated response that blocks the sender's email address across all mailboxes in the organization. Which action should you configure in an automated investigation and response (AIR) playbook?

119

You are configuring a Microsoft Sentinel analytics rule to detect failed logons from multiple IP addresses. The rule should trigger an incident only when the same user account has failed logons from more than three distinct IP addresses within 5 minutes. Which rule setting should you configure?

120

Your organization uses Microsoft Defender XDR and has a custom detection rule that queries DeviceProcessEvents for suspicious PowerShell commands. You notice that the rule is generating a high number of false positives. You need to reduce false positives while still detecting real threats. What should you do?

121

Your team uses Microsoft Sentinel to monitor Azure subscriptions. You need to ensure that only users with the 'Microsoft Sentinel Contributor' role can create and edit analytics rules. You want to enforce this using Azure Policy. What should you do?

122

You are setting up Microsoft Sentinel for the first time. You need to ingest Windows security events from on-premises servers using the Azure Monitor Agent. Which data connector should you enable in Microsoft Sentinel?

123

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. You need to create an automated playbook that, when a Microsoft Sentinel incident is created from a Defender for Cloud Apps alert, automatically suspends the user in Microsoft Entra ID and sends a notification to the security team. Which two connectors should you use in the playbook?

124

Your security team uses Microsoft Defender XDR to investigate a potential malware outbreak. You need to collect a full memory dump from an affected Windows 10 device for forensic analysis. Which action should you take from the Microsoft Defender XDR portal?

125

You are configuring Microsoft Sentinel to send email notifications to the security team when high-severity incidents are created. Which feature should you use?

126

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS applications. You discover that a user is downloading a large number of files from SharePoint Online to an unmanaged device. You need to automatically block the download and require the user to acknowledge a policy violation. Which action should you configure in a session policy?

127

Which TWO actions are valid ways to integrate on-premises firewall logs into Microsoft Sentinel for analysis?

128

Which THREE components are required to implement a threat intelligence feed in Microsoft Sentinel using the Threat Intelligence - TAXII data connector?

129

Which TWO actions can a Microsoft Sentinel automation rule perform when an incident is created?

130

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in JSON. The rule is intended to trigger an incident when more than 5 sign-ins from anomalous locations occur within an hour. However, the rule is not triggering as expected. What is the most likely cause?

131

Refer to the exhibit. You are analyzing a KQL query used in a custom detection rule in Microsoft Defender XDR. The rule is supposed to detect devices where a parent process launched more than 10 instances of PowerShell or cmd.exe in the last 7 days. However, the query returns no results even though you know such activity exists. What is the most likely reason?

132

Refer to the exhibit. You are reviewing an Azure Policy definition intended to block malicious IPs by denying the creation of network security group rules that allow traffic from a list of blocked IPs. However, the policy is not working as expected. What is the most likely reason?

133

A SOC analyst receives a high-severity alert for a user who downloaded a malicious file from a phishing email. The analyst needs to quickly assess the scope of the incident across endpoints, email, and identities. Which Microsoft Defender XDR feature should the analyst use to get a unified view of the incident?

134

Your organization uses Microsoft Sentinel for security operations. You need to ensure that critical alerts are automatically assigned to the appropriate SOC tier for investigation. What should you configure in Microsoft Sentinel?

135

A SOC manager wants to implement a new workflow where high-severity Microsoft Defender for Cloud Apps alerts are automatically sent to a Teams channel for immediate action. The solution must not require custom code. What should the manager configure?

136

Your company uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to ensure that when a device is determined to be compromised, the device is automatically isolated from the network and a Sentinel incident is updated with the isolation status. What is the most efficient way to achieve this?

137

A junior SOC analyst receives multiple low-severity alerts from Microsoft Sentinel. The alerts are related to failed logon attempts from a single IP address over a short period. The analyst wants to group these alerts into a single incident to reduce noise. What should the analyst do?

138

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all Defender XDR incidents are automatically synchronized into Microsoft Sentinel for a single pane of glass. What should you configure?

139

A security operations center (SOC) uses Microsoft Sentinel for log management. The SOC manager wants to reduce storage costs by automatically archiving logs that are older than 90 days to long-term retention, while retaining the ability to search them if needed. What should the manager configure?

140

Your SOC team uses Microsoft Sentinel incident investigation. An analyst needs to quickly see all related entities (users, IPs, machines) for an incident. Which feature should the analyst use?

141

A SOC analyst suspects a user account is compromised based on anomalous sign-in activity detected by Microsoft Entra ID Protection. The analyst needs to confirm and contain the threat. What is the first action the analyst should take?

142

Which TWO actions can be performed using Microsoft Sentinel automation rules? (Select TWO.)

143

Which THREE capabilities are provided by Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select THREE.)

144

Which TWO actions can be taken directly from the Microsoft Defender XDR incident queue? (Select TWO.)

145

Refer to the exhibit. You are reviewing an automation rule configuration in Microsoft Sentinel. Based on the JSON snippet, what will happen when a high-severity incident is created?

146

Refer to the exhibit. You are investigating a user entity in Microsoft Sentinel. The entity details show a riskLevel of 'high' and riskState 'atRisk'. What does this indicate?

147

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

148

Your organization uses Microsoft Sentinel for security operations. You need to ensure that a specific AWS CloudTrail log is ingested into Microsoft Sentinel. Which data connector should you use?

149

Your security team receives alerts from Microsoft Defender for Cloud. You need to configure automated response to remediate a specific alert type. What should you create in Microsoft Sentinel?

150

You are managing a Microsoft Sentinel workspace that ingests data from Microsoft 365 Defender. You notice that some incident creation rules are not generating incidents as expected. What should you check first?

151

Which TWO actions should you take when configuring Microsoft Sentinel to minimize false positives from an analytics rule?

152

Which THREE of the following are valid methods to archive logs in Microsoft Sentinel to reduce costs?

153

Which TWO permissions are required for a user to manage Microsoft Sentinel playbooks?

154

Refer to the exhibit. You have created a scheduled analytics rule in Microsoft Sentinel as shown. The rule is not generating any incidents, even though you know Copilot for Microsoft 365 is accessing sensitive files. What is the most likely cause?

155

Refer to the exhibit. You run the KQL query in Microsoft Sentinel to identify analysts with high incident assignments. The query returns no results, but you know incidents exist. What is the most likely reason?

156

Refer to the exhibit. You execute the Azure CLI command to create an analytics rule in Microsoft Sentinel. The rule is created but never triggers. What is the most likely cause?

157

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. You want to forward MDI alerts to Microsoft Sentinel. What should you configure?

158

You are responsible for Microsoft Sentinel pricing. You notice that data ingestion costs are high due to verbose logs from Windows security events. You need to reduce costs while still collecting critical security events. What should you do?

159

Your team uses Microsoft Sentinel workbooks to visualize security data. You want to allow team members to customize a workbook without affecting the original. What should you do?

160

Which THREE are valid incident management features in Microsoft Sentinel?

161

Which TWO are supported methods to ingest syslog data into Microsoft Sentinel?

162

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to ensure that when an incident is created from a specific rule, a Teams message is sent to the security team. What should you configure?

163

Your organization uses Microsoft Sentinel with a pay-as-you-go pricing tier. You need to reduce costs by archiving older logs that are rarely accessed. Which action should you take?

164

A security analyst reports that a scheduled analytics rule in Microsoft Sentinel has stopped generating incidents after a recent update. The rule still runs but produces no alerts. What should you check first?

165

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You discover that a user is performing unusual bulk downloads from SharePoint. You need to automatically create an incident in Sentinel and suspend the user in Microsoft Entra ID. What should you use?

166

You are configuring Microsoft Defender for Cloud Apps session controls for a SharePoint site containing sensitive data. Which condition must be met to apply real-time monitoring?

167

Your Microsoft Sentinel workspace ingests logs from multiple sources, but you notice that some custom logs are missing in the Log Analytics workspace. You have confirmed that the data connectors are healthy. What is the most likely cause?

168

You are designing an automation rule in Microsoft Sentinel that should automatically assign incidents to the appropriate analyst based on the incident type. However, the rule fails to assign correctly for some incidents. What should you verify?

169

Your organization is migrating from Azure Active Directory to Microsoft Entra ID. You need to ensure that Microsoft Sentinel continues to receive identity logs. What should you do?

170

You have deployed Microsoft Defender for Endpoint and integrated it with Microsoft Sentinel. You notice that alerts from Defender for Endpoint are not appearing in Sentinel. What should you check first?

171

You are configuring an automated investigation and response (AIR) playbook in Microsoft Sentinel. The playbook should automatically block a user in Microsoft Entra ID when a high-severity incident is created. Which action should you include in the playbook?

172

Which TWO actions can reduce the cost of Microsoft Sentinel while maintaining security coverage?

173

Which THREE components are required to use Microsoft Sentinel's automation rules to automatically respond to incidents?

174

Which TWO Microsoft Sentinel features allow you to organize and prioritize incidents for better triage?

175

Your security team receives frequent false positive alerts from Microsoft Defender for Cloud Apps. You need to reduce noise without disabling any threat detection policies. What should you do?

176

You are managing a Microsoft Sentinel environment. You need to ensure that incidents are automatically assigned to the appropriate analyst based on the type of attack. The assignment must consider the current workload of each analyst. What should you use?

177

Your organization uses Microsoft Defender XDR. You need to ensure that all cloud app alerts are forwarded to Microsoft Sentinel for correlation. What should you configure?

178

You are responsible for Microsoft Defender for Identity. The security team reports that some high-confidence alerts are not triggering any automated response. You need to automate the response for these alerts. What should you configure?

179

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to automatically group related incidents from different rules into a single incident to reduce analyst workload. The grouping should occur within 30 minutes of the first incident creation. What should you do?

180

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email, the email is automatically analyzed and remediated. What should you configure?

181

You are the security analyst for a company that uses Microsoft Sentinel. You notice that a critical analytics rule has not generated any incidents in the past week, but you know that relevant logs are being ingested. You need to troubleshoot why the rule is not firing. What is the first step you should take?

182

Your company uses Microsoft Defender XDR. The security team needs to restrict access to the Microsoft Defender portal so that only analysts in the 'Security Operations' group can view incidents. What is the most efficient way to achieve this?

183

You manage Microsoft Sentinel. You need to ensure that an automated response is triggered when a specific type of incident is created. The response should send an email to the on-call security engineer. What should you use?

184

Which TWO actions should you take to improve the performance of Microsoft Sentinel analytics rules that query large datasets?

185

Which THREE components are required to enable automated investigation and response (AIR) in Microsoft Defender XDR for alerts from Microsoft Defender for Identity?

186

Which TWO tasks can you perform using Microsoft Sentinel automation rules?

187

Refer to the exhibit. You have a Logic Apps playbook that triggers on Microsoft Sentinel alerts. The playbook is not posting messages to Teams. What is the most likely cause?

188

Refer to the exhibit. You have a KQL query in a Microsoft Sentinel analytics rule. The rule is not generating incidents even though there are 'Suspicious sign-in' alerts from non-contoso.com users. What is the most likely issue?

189

Refer to the exhibit. You deploy this ARM template to deploy a saved search in a Microsoft Sentinel workspace. After deployment, the saved search does not appear in Sentinel. What is the most likely reason?

190

Your organization uses Microsoft Sentinel. You need to ensure that incident investigation is efficient by automatically grouping related alerts into incidents. Which configuration should you use?

191

Your security team uses Microsoft Defender XDR. You need to ensure that a user who is suspected of credential theft is immediately blocked from accessing corporate email and cloud apps, while the investigation continues. What should you do?

192

You manage a Microsoft Sentinel workspace that ingests logs from multiple sources. You notice that the workspace is approaching its daily ingestion quota, and some data sources are being dropped. You need to ensure that security-related logs are prioritized and that non-critical logs are not ingested. What should you configure?

193

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the type of alert. What should you create?

194

Your company uses Microsoft Defender for Cloud Apps. You discover that a user is accessing sensitive data from an unfamiliar IP address. You need to immediately block the user's access to all cloud apps while preserving the session for investigation. What should you do?

195

You are configuring Microsoft Sentinel automation rules to handle incidents from multiple analytics rules. You need to ensure that incidents from a specific rule are automatically assigned to the 'SOC Tier 2' group and have a severity of 'High' regardless of the original severity. What should you do?

196

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to ensure that incidents generated in Microsoft 365 Defender are automatically synchronized to Microsoft Sentinel. What should you configure?

197

You are investigating a security incident in Microsoft Sentinel. You need to preserve a snapshot of the investigation including comments, bookmarks, and entities for future reference. What should you do?

198

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a device is identified as compromised by Defender for Endpoint, an incident is automatically created in Sentinel with high severity. What should you configure?

199

Which TWO are valid methods to ingest syslog data into Microsoft Sentinel?

200

Which THREE actions can be performed by automation rules in Microsoft Sentinel?

201

Which TWO are required to enable Microsoft Sentinel to use AI-generated incident summaries?

202

Refer to the exhibit. You are reviewing a playbook configuration for Microsoft Sentinel. What does this playbook do?

203

Refer to the exhibit. You are analyzing high severity alerts from Microsoft Defender for Endpoint in Microsoft Sentinel. What does this KQL query do?

204

Refer to the exhibit. A security administrator runs this PowerShell script. What is the effect?

205

You are a security analyst at a company that uses Microsoft Sentinel. You need to ensure that only users with a specific tag in Microsoft Entra ID can access the Sentinel workspace. Which Azure feature should you use?

206

Your organization uses Microsoft Defender XDR. You notice that automated investigations are being blocked for certain devices due to high-severity alerts. You need to ensure that automated actions can proceed for devices with a risk score below 30. What should you configure?

207

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. The data connector shows 'Connected' but no events are being received. You have verified network connectivity and firewall configuration. What should you check next?

208

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to assign a custom initiative to a specific management group to track compliance. Which two components must you create?

209

You are a security operations analyst at a company that uses Microsoft Sentinel. You have enabled User and Entity Behavior Analytics (UEBA) to detect anomalies. A new alert fires indicating a user is logging in from an unusual location. However, the user is a known traveler. How can you reduce false positives without disabling the UEBA rule?

210

You are reviewing an analytics rule in Microsoft Sentinel. The rule is supposed to alert when a Confidential sensitivity label file is accessed. However, no alerts have been generated despite known accesses. What is the most likely reason?

211

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malware to quarantine before delivery. Which policy type should you use?

212

You are managing Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from a sanctioned cloud app. You need to automatically suspend the user's access when the download exceeds 5 GB in 10 minutes. What should you create?

213

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that runs an automation rule to create a support ticket in ServiceNow. The playbook fails intermittently with a timeout error. You have verified that the playbook's managed identity has the correct permissions. What should you check next?

214

Which TWO permissions are required to configure a data connector in Microsoft Sentinel?

215

Which THREE components are part of the Microsoft Defender XDR incident management process?

216

Which TWO actions can you perform using Microsoft Sentinel automation rules?

217

Which THREE conditions can you use to trigger a Microsoft Sentinel scheduled analytics rule?

218

You are a security analyst for a multinational company with Microsoft Sentinel deployed in a central workspace. You need to grant a team of analysts in the European branch the ability to view incidents and run queries, but they should not be able to modify analytics rules or data connectors. The team already has Microsoft Sentinel Reader role assigned. However, they report that they cannot run KQL queries in the Logs blade. You need to provide the minimum additional permissions. What should you do?

219

You are a security operations analyst at a company that uses Microsoft Defender XDR and Microsoft Sentinel. You have configured a custom detection rule in Microsoft Defender XDR that uses a KQL query to detect suspicious PowerShell activity. The rule triggers an alert, but you want to automatically create an incident in Microsoft Sentinel and run a playbook that isolates the affected device. You have already set up the Microsoft Defender XDR connector in Sentinel and enabled incident creation from Defender XDR alerts. However, the playbook does not run automatically when a Defender XDR incident is created. You have verified that the playbook is properly configured and has the correct permissions. What should you do?

220

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The security team wants to automatically create an incident in Microsoft Sentinel when a Microsoft Defender for Endpoint alert is triggered. What should you configure?

221

Your security operations team uses Microsoft Sentinel workbooks to monitor security posture. You notice that a workbook query is timing out when run against a large workspace. What is the best way to optimize the query without changing its results?

222

Your organization is implementing Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. The SOC team needs to investigate incidents across all tenants from a single interface. Which configuration is required?

223

Your organization has Microsoft Defender for Cloud Apps (MDA) connected to Microsoft Sentinel. The SOC team wants to receive alerts when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

224

Your Microsoft Sentinel workspace is experiencing high ingestion costs. Which of the following actions will most effectively reduce costs while maintaining security visibility?

225

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics) enabled. The SOC team notices that UEBA is not generating any anomalies for a specific user group. What is the most likely cause?

226

Your organization uses Microsoft Defender for Office 365. You want to automatically isolate a user's mailbox if a high-confidence phishing email is detected. Which Microsoft Sentinel automation should you use?

227

Your SOC team uses Microsoft Sentinel incident management. They want to automatically assign high-severity incidents to a senior analyst and send a notification to Microsoft Teams. What should you use?

228

Your organization is migrating to Microsoft Sentinel. You need to ensure that the workspace retains data for 2 years for compliance, but you want to reduce costs by using cheaper storage for data older than 90 days. What should you configure?

229

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The SOC team needs to investigate a cross-tenant incident. Which TWO actions should you take? (Choose two.)

230

Your organization uses Microsoft Sentinel and Microsoft Copilot for Security. You want to improve incident response efficiency. Which THREE features should you implement? (Choose three.)

231

Your organization plans to implement Microsoft Sentinel. Which THREE components are required for a basic deployment? (Choose three.)

232

Refer to the exhibit. You are reviewing an Azure Resource Manager (ARM) template for a Microsoft Sentinel analytics rule. Based on the exhibit, which statement is true?

233

Your organization, Contoso, uses Microsoft Sentinel in a single Log Analytics workspace. You have ingested logs from Microsoft Defender XDR, Microsoft Entra ID, and Azure Firewall. The SOC team needs to investigate an incident where a user's account was compromised and used to access sensitive data from an external IP address. The incident was created from a Microsoft Defender for Cloud Apps alert. The SOC team wants to automatically block the user from further access and disable the user account in Microsoft Entra ID. You need to design an automated response using Microsoft Sentinel playbooks. The solution must minimize manual intervention. You have the following options:

A) Create a playbook that triggers on the incident and uses the Microsoft Graph API to disable the user account and revoke sessions. Configure the playbook to run automatically from an automation rule.

B) Create a playbook that triggers on the alert and uses the Defender for Cloud Apps API to suspend the user. Configure the automation rule to run the playbook on incident creation.

C) Create a playbook that sends an email to the SOC team to manually disable the user.

D) Create an automation rule that automatically changes the incident status to 'Active' and assigns it to a senior analyst.

Which option should you choose?

234

Your organization, Fabrikam, has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are using Microsoft Sentinel and Microsoft Defender XDR. You have enabled Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. Recently, you received an incident in Microsoft Sentinel indicating a potential DCSync attack from a domain controller. The incident was generated from an MDI alert. You need to investigate the incident and determine if the attack was successful. You have the following options:

A) Use the Microsoft Sentinel incident investigation graph to view entities and relationships. Then query the IdentityDirectoryEvents table for the domain controller to see if any directory replication requests were made.

B) Use the Microsoft Defender XDR advanced hunting to query the IdentityLogonEvents table for the domain controller.

C) Use the Microsoft Sentinel workbook for MDI to visualize the attack timeline.

D) Use the Microsoft Defender for Cloud Apps activity log to review the domain controller's activities.

Which option should you choose?

235

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that an external user from a partner organization can access a specific Sentinel workbook without having access to the entire Log Analytics workspace. What should you do?

236

Refer to the exhibit. An automation rule in Microsoft Sentinel is configured as shown. When a high-severity incident is created, what is the expected behavior?

237

Your organization wants to use Microsoft Copilot for Security to generate incident summaries. What is the minimum license required?

238

Your organization uses Microsoft Sentinel. You need to configure a playbook that automatically responds to incidents by creating a support ticket in ServiceNow. Which connector should you use?

239

Refer to the exhibit. A KQL query is used in a Microsoft Sentinel scheduled analytics rule to detect unhealthy agents. The rule runs every 5 minutes and has a lookback period of 5 minutes. What is the potential issue?

240

Your organization uses Microsoft Defender for Cloud. You need to view a list of all security recommendations for your Azure subscriptions. Which blade should you use?

241

Your organization uses Microsoft Defender XDR. You want to ensure that all incidents with severity 'High' are automatically assigned to the 'Tier1' group and have a playbook executed. What should you use?

242

Your organization has deployed Microsoft Sentinel in multiple regions. You need to ensure that incidents created in one workspace are available for correlation in a central workspace. What should you implement?

243

Your organization uses Microsoft Defender for Identity. You need to create a role that allows analysts to view security alerts but not modify them. Which built-in role should you assign?

244

Which TWO actions can you perform using Microsoft Sentinel automation rules? (Select two.)

245

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Select three.)

246

Which TWO roles in Microsoft Entra ID can manage Microsoft Defender for Cloud Apps? (Select two.)

247

You are a SOC analyst at Contoso. The environment includes Microsoft Sentinel in a single workspace, Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps), Microsoft Entra ID, and Microsoft Intune. You need to design a solution to automatically triage and respond to phishing incidents detected by Defender for Office 365. The requirements are:

1) When a phishing alert is generated with high confidence, an incident should be automatically created in Sentinel.

2) The incident should be assigned to the 'Phishing' team and have a severity of High.

3) A playbook should run that will send a Teams message to the Phishing team and also block the sender in Exchange Online.

4) The incident should be automatically closed if the playbook successfully executes.

What should you do?

248

Your organization has recently deployed Microsoft Sentinel and wants to ensure that all critical Azure resources are monitored for security misconfigurations. You have already enabled Microsoft Defender for Cloud on all subscriptions. You need to configure a solution that will automatically create a Sentinel incident whenever a new security recommendation with severity 'High' is generated in Defender for Cloud. The incident should be assigned to the 'Infrastructure' team. Additionally, you want to run a playbook that will open a ticket in your IT Service Management (ITSM) tool. What should you do?

249

Your SOC team uses Microsoft Sentinel. You need to ensure that all incidents are classified and resolved within 72 hours. Currently, analysts manually update the incident status and classification. You want to automate the following:

1) If an incident is not updated within 48 hours, send a reminder to the assigned analyst via email.

2) If an incident remains open after 72 hours, automatically escalate it to the SOC manager and increase its severity.

What should you implement?

250

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that a new SOC analyst can triage incidents without being able to delete or modify analytics rules. Which role should you assign?

251

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to reduce data ingestion costs while retaining security events for one year. You have enabled Azure Monitor Agent on all servers. What should you do?

252

You are configuring a Microsoft Sentinel automation rule to automatically assign incidents to a specific owner based on a custom property. Which action type should you use?

253

Which TWO actions can be performed using Microsoft Sentinel automation rules? (Choose two.)

254

Which TWO conditions must be met to enable Microsoft Sentinel UEBA? (Choose two.)

255

Which THREE permissions are required for a user to manage Microsoft Sentinel playbooks using Azure Logic Apps? (Choose three.)

256

You are reviewing a Microsoft Sentinel analytics rule configuration. The rule is not generating incidents as expected. What is the most likely cause?

257

Your organization has recently deployed Microsoft Sentinel and Microsoft Defender XDR. You are tasked with configuring the environment to ensure that incidents created by Microsoft Defender for Cloud Apps are automatically synchronized to Microsoft Sentinel. The security operations team wants to manage all incidents from within Sentinel. You have already connected the Microsoft Defender XDR connector to Sentinel. However, you notice that incidents from Defender for Cloud Apps are not appearing in Sentinel. You verify that the Defender for Cloud Apps connector is not listed in the data connectors blade. What should you do to resolve this issue?

258

Your organization uses Microsoft Sentinel with multiple workspaces for different business units. You need to provide a single-pane-of-glass view for incident management across all workspaces. You have deployed Azure Lighthouse to manage multiple workspaces from a single portal. The SOC team is able to see incidents from all workspaces, but when they try to investigate an incident by clicking on it, they receive a 'Resource not found' error. The team has the necessary permissions on the Sentinel resources. What is the most likely cause of this error?

259

You are the security operations lead for a multinational company using Microsoft Sentinel. You have deployed a custom analytics rule that uses a KQL query to detect anomalous outbound network traffic. The rule runs every hour and looks back 24 hours. Recently, the rule has been generating a high number of false positives. You need to tune the rule to reduce false positives without missing genuine threats. The rule currently triggers when the count of outbound connections to a single IP exceeds 100 in an hour. You analyze the data and find that legitimate cloud services often trigger the rule. What should you do?

260

Your organization uses Microsoft Sentinel with UEBA enabled. You are investigating a suspicious incident where a user's account is reported to have accessed an unusual amount of data from a SharePoint site. The incident alert points to the user 'jdoe@contoso.com'. You open the incident and see that the entity timeline for jdoe shows several activities, including file downloads. However, you notice that the timeline does not include any Azure AD sign-in events for this user. You need to include sign-in events in the entity timeline to get a complete picture. What should you do?

261

You are a security analyst at a company that uses Microsoft Defender XDR. You receive an alert about a potential ransomware activity on a workstation. The alert is generated by Microsoft Defender for Endpoint. You need to contain the threat by isolating the workstation from the network while allowing forensic analysis to proceed. You want to use Microsoft Defender XDR's built-in actions. What should you do?

262

Your company uses Microsoft Sentinel to monitor security events. You have configured a daily email report that summarizes the top 10 incidents from the past 24 hours. The report is sent using a Logic App playbook triggered by a scheduled query. Recently, the report has stopped being delivered. You check the Logic App run history and see that the last run failed with an HTTP 403 error when connecting to the Microsoft Sentinel API. The Logic App uses a managed identity for authentication. What is the most likely cause of the failure?

263

Your organization has Microsoft Sentinel deployed in a single workspace. You need to implement role-based access control (RBAC) so that only senior analysts can modify analytics rules, while junior analysts can only view incidents. You have created custom roles in Azure. You assign the junior analysts the 'Microsoft Sentinel Reader' role. However, you find that junior analysts can still create and modify analytics rules. What is the most likely reason?

264

Your company uses Microsoft Defender for Cloud Apps to monitor cloud applications. You have discovered that a user is accessing a sanctioned cloud storage app from an IP address that belongs to a known malicious botnet. You need to automatically block the user's access to the app and require them to re-authenticate. You have already configured session policies in Defender for Cloud Apps. What should you do next?

265

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to ensure that incidents are automatically assigned to the appropriate team based on the incident type. Which two actions should you take?

266

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that high-severity incidents are automatically escalated to the on-call security engineer via Microsoft Teams. Which three components should you configure?

267

You are managing a Microsoft Sentinel workspace that ingests data from multiple sources. You need to reduce the cost of log ingestion while maintaining security visibility. Which two actions should you take?

268

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to ensure that security alerts from Defender for Cloud are automatically synchronized to Sentinel and assigned to the cloud security team. Which three actions should you take?

269

You are a security analyst at a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects failed logon attempts from multiple IP addresses within 5 minutes. Which two KQL operators should you use?

270

Your organization uses Microsoft Sentinel with UEBA enabled. You need to investigate a potential insider threat where a user is accessing sensitive data outside of business hours. Which three built-in UEBA entities should you review?

271

You are configuring Microsoft Defender for Identity (MDI) in your on-premises Active Directory environment. You need to ensure that MDI can detect lateral movement attacks. Which two configurations are required?

272

You are the security operations lead for a multinational company that uses Microsoft Sentinel in a single workspace. You have recently onboarded 10 new business units, each with their own analytics rules and automation. The security team is overwhelmed by the number of low-fidelity incidents generated. You need to reduce noise without disabling critical detections. You must ensure that each business unit retains ownership of their incidents and can customize their own suppression rules. You also need centralized reporting on incident trends across all business units. You have identified that many low-fidelity alerts come from a common set of data sources. What should you do?

273

You are a security analyst for a company that uses Microsoft Defender XDR. You receive a high-severity incident indicating that a user's device has been compromised with a remote access trojan (RAT). The incident is automatically generated by Microsoft Defender XDR. You need to contain the threat immediately while preserving forensic data. You also need to ensure that the user can continue working with minimal disruption. What should you do?

274

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user account is created and then deleted within 24 hours, which could indicate a test account used for malicious purposes. The rule should only run on the SecurityEvent table. You have written the KQL query and now need to configure the rule settings. Which alert scheduling configuration should you set to minimize latency while ensuring that the rule catches the pattern?

275

You are a security operations analyst for a company that uses Microsoft Sentinel and Microsoft Defender for Cloud. You have configured the Microsoft Defender for Cloud connector to stream security alerts into Sentinel. However, you notice that some alerts from Defender for Cloud are not appearing in Sentinel. You have verified that the connector is enabled and the subscription is connected. The missing alerts are of the type 'Security misconfiguration' from Azure Policy. You need to ensure all alerts appear in Sentinel. What should you do?

276

You are a security operations architect for a company that uses Microsoft Sentinel in a hybrid environment with multiple workspaces. The company has a central SOC team that needs to view incidents from all workspaces in a single pane of glass. Each workspace belongs to a different business unit and has its own retention and access policies. You need to design a solution that provides centralized incident management without duplicating data or requiring users to switch workspaces. You also need to ensure that the SOC team can perform actions on incidents across workspaces. What should you do?

277

You are a security analyst for a company that uses Microsoft Defender for Office 365. You receive an incident indicating that a user reported a phishing email. You need to investigate the email and determine if it was delivered to other users. You also need to ensure that similar emails are blocked in the future. What should you do?

278

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a workbook that displays the top 10 most common alert types over the last 7 days. The workbook will be used by the SOC manager to identify trends. You have already created a new workbook and added a query step. Which KQL query should you use in the query step?

279

You are a security operations engineer for a company that uses Microsoft Defender XDR. You need to create a custom detection rule that alerts when a user performs more than 10 failed logon attempts within 5 minutes from different IP addresses. The rule should use the IdentityLogonEvents table. You have written the KQL query and now need to configure the rule settings in Microsoft 365 Defender. Which configuration should you use for the rule frequency and lookback period to minimize false positives while ensuring timely detection?

280

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Defender for Cloud are automatically ingested into Sentinel with the least latency. What should you configure?

281

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. The rule does not trigger as expected for newly created incidents with High severity. What is the most likely cause?

282

Your team uses Microsoft Defender XDR to manage incidents. You need to ensure that all incidents with a severity of 'High' are automatically assigned to a specific SOC analyst group. What should you configure?

283

Your organization uses Microsoft Sentinel in a hybrid environment that includes on-premises servers and Azure VMs. You notice that some Windows events from the on-premises servers are not being collected in Sentinel. The Log Analytics agent is installed on all servers, and other events are collected. What should you check first?

284

Your organization uses Microsoft Defender for Office 365. You need to create a custom alert that triggers when users receive external emails with attachments from untrusted domains. What should you configure?

285

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule is enabled but never runs. The playbook exists and is in the same resource group. What is the most likely cause?

286

Your organization uses Microsoft Defender for Cloud Apps. You need to receive alerts when a user accesses a cloud app from a location that is not whitelisted. What should you configure?

287

Your SOC team uses Microsoft Sentinel incident management. You need to ensure that when an incident is created, it automatically runs a playbook to gather additional context from threat intelligence sources. What should you create?

288

Your organization uses Microsoft Defender for Identity. You need to receive alerts when suspicious LDAP queries are detected. What should you configure?

289

Which TWO actions are valid for automation rules in Microsoft Sentinel? (Choose two.)

290

Which THREE components are part of Microsoft Sentinel's SOAR capabilities? (Choose three.)

291

Which TWO roles can be used to manage Microsoft Sentinel? (Choose two.)

292

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel. The rule is enabled but does not assign incidents. What is the most likely issue?

293

Your organization uses Microsoft Sentinel. You need to provide a SOC analyst with the ability to create and modify incident comments but not delete incidents. Which role should you assign?

294

Your organization uses Microsoft Defender XDR. You need to ensure that when a user reports a phishing email in Outlook, it automatically triggers an investigation in Microsoft Defender XDR. What should you configure?

295

Your organization uses Microsoft Sentinel with multiple workspaces. You need to ensure that incidents involving the same alert in different workspaces are automatically grouped into a single incident. What should you configure?

296

You are managing Microsoft Defender XDR. The security team reports that some automated investigations are closing prematurely without sufficient evidence. You need to ensure that investigations only close when a minimum confidence level is reached. What should you modify?

297

Your organization uses Microsoft Sentinel. You need to ensure that an incident is automatically assigned to a specific analyst when it is created. What should you create?

298

You have a Microsoft Sentinel automation rule that triggers a playbook. The playbook definition is shown in the exhibit. The playbook runs but no email is sent. What is the most likely cause?

299

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security alerts from Defender for Cloud are automatically ingested into Sentinel. What should you configure?

300

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a malware alert is generated, an automated investigation is triggered. What should you configure?


Frequently asked questions

What does the Manage a security operations environment domain cover on the SC-200 exam?

The Manage a security operations environment domain covers the key concepts tested in this area of the SC-200 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-200 domains — no account required.

How many Manage a security operations environment questions are in the SC-200 question bank?

The Courseiva SC-200 question bank contains 300 questions in the Manage a security operations environment domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Manage a security operations environment for SC-200?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Manage a security operations environment questions for SC-200?

Yes — the session launcher on this page draws questions exclusively from the Manage a security operations environment domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
