Courseiva
Knowledge + Practice
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SC-200 · Free, no signup

Respond to security incidents

Practice SC-200 Respond to security incidents questions with full explanations on every answer.

489 questions


SC-200 domains: Manage a security operations environment; Respond to security incidents; Perform threat hunting; Mitigate threats using Microsoft Defender XDR; Mitigate threats using Microsoft Defender for Cloud; Mitigate threats using Microsoft Sentinel.


SC-200 Respond to security incidents questions (showing 300 of 489)


1. You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?

2. During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)

3. Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?

4. An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?

5. Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?

6. In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?

7. You are responding to an incident where a user's credentials were used to access a federated SaaS application from an IP address associated with a known threat actor. The user's account is not disabled. Which action is most effective to prevent further unauthorized access?

8. During an incident response, you need to collect forensic data from Microsoft Defender for Endpoint (MDE) on a remote device that is currently offline. What is the best approach?

9. An incident in Microsoft Sentinel involves a phishing campaign that delivered a malicious macro-enabled document. The document was opened by 15 users. Which playbook action should be triggered automatically to contain the threat?

10. An analyst creates a playbook in Microsoft Sentinel to automatically block an IP address when an alert fires. However, the playbook fails to block the IP. What is the most likely cause?

11. You run the above KQL query in Microsoft Sentinel to identify ransomware alerts from the last day. The result shows zero rows. Which is the most likely reason?

12. An administrator creates a Microsoft Defender for Cloud Apps policy to block unsanctioned cloud storage apps. Despite the policy, users can still access these apps. What is the most likely cause?

13. Which TWO actions are appropriate when responding to a confirmed data exfiltration incident via email?

14. Which THREE steps should be included in a Microsoft Sentinel playbook for automatic incident response when a high-severity alert fires?

15. Which THREE conditions must be met for Microsoft Sentinel to automatically run a playbook on an incident?

16. A security analyst receives a high-severity alert for a suspicious login from an unusual location. The alert was generated by Microsoft Sentinel from Microsoft Entra ID sign-in logs. The analyst needs to determine if the login was successful and if any data exfiltration occurred. What is the MOST efficient first step?

17. Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. You need to create a custom anti-phishing policy to block similar emails in the future. What should you configure?

18. A security team is investigating a ransomware incident that encrypted files on several Windows servers. Microsoft Defender for Endpoint detected the ransomware, but the initial infection vector is unknown. Which KQL query in Microsoft Sentinel would BEST identify the initial process that executed the ransomware?

19. You have a Microsoft Sentinel analytical rule with the above configuration. During a security incident, multiple high-severity alerts are generated within a 5-minute window. How does the rule handle these alerts?

20. You are deploying Microsoft Sentinel using the above ARM template parameters. After deployment, you notice that Microsoft Defender for Cloud alerts are not being ingested. What is the MOST likely reason?

21. Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You receive an alert that a critical vulnerability exists on a virtual machine. What is the BEST immediate action to validate the alert and contain the threat?

22. A SOC analyst is investigating an incident where a user's credentials were compromised. The analyst uses Microsoft Sentinel to find all activities performed by the user in the last 24 hours. Which data source should the analyst query FIRST to get the most comprehensive view of the user's actions across Microsoft 365?

23. During a security incident, you need to block a malicious IP address at the network level for all Azure resources in a subscription. You have Azure Firewall deployed. What is the MOST efficient method to implement the block?

24. Your organization uses Microsoft Defender for Endpoint. An endpoint is detected as infected with a trojan. The analyst needs to isolate the device from the network while preserving forensic data. What action should the analyst take?

25. Which TWO actions should an analyst take when triaging a Microsoft Sentinel incident that involves a user who clicked a malicious link in a phishing email? (Choose two.)

26. Which THREE are valid data connectors in Microsoft Sentinel for ingesting security events from Microsoft 365 services? (Choose three.)

27. Which TWO are valid incident management actions in Microsoft Sentinel? (Choose two.)

28. You deploy the above ARM template to create a scheduled analytics rule in Microsoft Sentinel. After deployment, the rule runs but never generates incidents. What is the MOST likely cause?

29. A SOC analyst needs to investigate a potential data exfiltration incident involving a user uploading files to an external cloud storage service. Which Microsoft Sentinel data source would provide the MOST relevant information?

30. Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You receive an alert that a fileless malware attack was detected on an on-premises server connected via Azure Arc. The server is running Windows Server 2019. What is the BEST action to contain the threat?

31. Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert for a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately block the user from accessing the app. Which action should the analyst take?

32. You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. You need to correlate the alerts and identify the initial entry point. Which KQL function should you use to combine the alerts?

33. A security analyst receives a Microsoft Defender for Cloud Apps alert about a user performing unusual file downloads from SharePoint. The analyst needs to investigate the user's activity in the last 24 hours. Which log source should the analyst query first?

34. Your organization has Microsoft Defender XDR enabled. An incident is generated for a user who clicked a phishing link in an email. The analyst needs to automatically disable the user's mailbox for suspicious activity. Which automated action should the analyst configure in a Microsoft Sentinel automation rule?

35. You are responding to a data exfiltration incident in Microsoft Sentinel. The attacker used a PowerShell script to upload data to an external storage account. You need to identify the specific storage account used. Which KQL query should you use in the AzureActivity table?

36. A security analyst needs to contain a compromised device that is spreading malware in the network. The device is enrolled in Microsoft Intune and managed by Microsoft Defender for Endpoint. What is the fastest way to isolate the device from the network?

37. During an incident investigation, you discover that an attacker used a legitimate account to access sensitive data in Microsoft Purview Information Protection. You need to identify what data was accessed and by whom. Which log source should you query?

38. Your organization uses Microsoft Sentinel with Fusion and Microsoft Security incident creation rules. You receive a high-severity incident from Microsoft Defender for Cloud Apps. The incident has a low confidence score. What should you do first?

39. You are investigating a brute force attack on a user account in Microsoft Entra ID. The sign-in logs show multiple failed attempts from different IP addresses. Which property in the sign-in logs indicates the type of authentication used?

40. Which TWO actions are valid for containing a compromised user account in Microsoft 365 Defender? (Choose two.)

41. Which THREE data sources in Microsoft Sentinel can be used to detect lateral movement in a network? (Choose three.)

42. Which TWO Microsoft 365 Defender portals provide automated investigation and response capabilities? (Choose two.)

43. Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed without investigation. You need to identify why the incident was closed automatically. Which Sentinel feature should you review?

44. During an incident response, you need to collect a memory dump from a compromised Windows 10 device managed by Microsoft Defender for Endpoint. Which action should you take in the Microsoft Defender XDR portal?

45. An incident in Microsoft Sentinel was assigned to you. After investigation, you determine it is a false positive. What should you do to resolve the incident?

46. Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident with severity Medium is created?

47. Your Microsoft 365 tenant is protected by Microsoft Defender for Office 365. A user reports receiving a suspicious email with a link. You need to investigate whether the link was malicious and if any other users clicked it. Which tool should you use first?

48. Refer to the exhibit. A security analyst runs this PowerShell script to query a Log Analytics workspace. What is the purpose of this query?

49. During an incident, you need to isolate a compromised device from the network while allowing communication with Microsoft Defender for Endpoint cloud services. Which isolation type should you choose in Microsoft Defender XDR?

50. Which Microsoft Sentinel feature allows you to automatically respond to incidents by running a playbook when an incident is created?

51. Your organization uses Microsoft Defender for Cloud Apps. You receive an alert about an impossible travel activity for a user. What is the best first step to validate if this is a true positive?

52. During an incident investigation in Microsoft Sentinel, you need to gather related events from multiple data sources into a single view for analysis. Which feature should you use?

53. Refer to the exhibit. You are deploying this analytics rule in Microsoft Sentinel. Which activity will trigger an alert?

54. During an incident response, you identify that a user's account was used to sign in from an unusual location. You need to contain the incident immediately. What should you do first?

55. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. During an incident investigation, you find that a device is exfiltrating data to an external IP. You need to isolate the device from the network using automated response. Which action should you configure in an automation rule?

56. You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts. You need to group related alerts under the same incident to reduce alert fatigue. What should you do?

57. You are responding to a phishing incident. The investigation reveals that a user clicked a link in a phishing email and entered credentials on a fake site. You need to contain the incident and prevent further compromise. What should you do first?

58. Your organization uses Microsoft Defender for Cloud Apps. During an incident, you discover that a user is downloading large amounts of data from SharePoint to an unmanaged device. You need to automatically block further downloads from that device. What should you configure?

59. You are investigating a security incident in Microsoft Sentinel. You want to visualize the relationships between entities such as IP addresses, users, and hosts. Which tool should you use?

60. You are responding to an incident where a malicious PowerShell script was executed on multiple endpoints. You need to collect the script content from the affected devices for analysis. What should you use?

61. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During an incident, you need to automatically disable a compromised Azure VM from the network. Which playbook action should you use?

62. You are investigating a suspicious sign-in to a privileged account. You need to determine if the sign-in was from a known malicious IP address. Which Microsoft Sentinel data source should you query?

63. Which TWO actions should you perform to contain a ransomware incident in Microsoft Defender for Endpoint?

64. Which THREE actions are part of the containment phase in the Microsoft Incident Response process?

65. Which TWO Microsoft Defender XDR entities can be managed during incident response?

66. You are reviewing an automation rule in Microsoft Sentinel. The rule triggers on incident creation with severity High. However, during a recent High severity incident, the playbook did not run. What is the most likely cause?

67. You are investigating repeated SQL injection alerts. The KQL query returns IP addresses with more than 5 alerts in the last 7 days. What is the purpose of the `summarize` and `where AlertCount > 5` lines?

68. You are reviewing an incident in Microsoft Sentinel. The incident is assigned to a user. What does the 'assignedTo' field indicate?

69. Your organization uses Microsoft Sentinel. You receive an alert for a suspicious sign-in from an unusual location. You want to automatically create an incident and assign it to the security team for investigation. What should you configure?

70. Your organization uses Microsoft Defender for Cloud Apps. You detect a suspicious app that has high data access and unusual API calls. You want to automatically block the app and notify the user. What should you implement?

71. Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You suspect a compromised on-premises admin account that has been used to modify security groups. You want to quickly contain the threat. What should you do first?

72. Which TWO are valid incident response actions in Microsoft Sentinel?

73. Which THREE are valid ways to automatically respond to a security incident in Microsoft Defender XDR?

74. Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender for Endpoint?

75. You are reviewing an alert rule in Microsoft Sentinel created via ARM template. What is the primary purpose of this rule?

76. You are analyzing a firewall policy in Azure Firewall deployed via Azure Policy. What is the effect of this rule?

77. You are reviewing a scheduled analytics rule in Microsoft Sentinel. What does the suppressionDuration setting affect?

78. Your organization uses Microsoft Defender for Cloud. You receive a security alert about a suspicious process on a virtual machine. You want to investigate the process further. What should you do?

79. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to automatically isolate a device when a high-severity incident is created. What is the most efficient way to achieve this?

80. Your organization uses Microsoft Sentinel. You have a requirement to automatically add a tag to incidents that involve a specific user. The tag should be added when the incident is created. What should you configure?

81. Your organization uses Microsoft Defender for Office 365. You detect a phishing email that was delivered to a user's inbox. You want to remove the email from all recipients. What should you do?

82. Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt. What is the best first step to contain the potential threat?

83. Your organization uses Microsoft Sentinel and has enabled UEBA (User and Entity Behavior Analytics). You notice a series of incidents involving anomalous logon times for a privileged user. You want to automate the response to disable the user's account in Microsoft Entra ID when such incidents are created. What should you configure?

84. Your organization uses Microsoft Sentinel. A security analyst receives an alert indicating that a user account was used to sign in from an unfamiliar location. You need to investigate the incident using Microsoft Defender XDR. Which action should you take first?

85. During a security incident, you need to isolate a compromised Windows device from the network while allowing communication with Microsoft Defender for Endpoint services. Which Microsoft Defender for Endpoint action should you use?

86. You are investigating a phishing incident in Microsoft Defender XDR. The incident involves a user who clicked a malicious link in an email. Which data source would you use to trace the email's origin?

87. Your organization uses Microsoft Sentinel. You receive an incident that involves a potential lateral movement detected by Microsoft Defender for Identity. You need to investigate the timeline of the attack. Which Microsoft Sentinel feature should you use?

88. During a ransomware incident, you need to prevent the encryption of files on a server running Windows Server 2022. You have Microsoft Defender for Endpoint Plan 2. Which attack surface reduction rule should you enable?

89. You are responding to an incident where a user's device may be compromised. You need to collect forensic data from the device using Microsoft Defender for Endpoint. Which action should you take?

90. Your organization uses Microsoft Sentinel. A security incident is generated by a scheduled analytics rule. You need to automatically assign the incident to the SOC team and set its severity. What should you create?

91. During an incident, you need to prevent a malicious process from running on all endpoints using Microsoft Defender for Endpoint. The process is not yet detected by antivirus signatures. Which action should you use?

92. You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different workloads. You need to view all related alerts in a single timeline. What should you use?

93. Which TWO actions can you perform in Microsoft Defender XDR as part of incident response?

94. Which THREE actions can you take in Microsoft Sentinel to respond to an incident?

95. Which TWO actions are valid containment steps for a compromised user account in Microsoft Defender XDR?

96. A security analyst receives an alert in Microsoft Defender XDR indicating a possible credential theft attempt from an external IP. The analyst wants to isolate the affected device immediately while preserving forensic data. What should the analyst do?

97. During an incident response, a SOC analyst needs to automatically collect relevant evidence from multiple Microsoft 365 services. Which Microsoft Sentinel playbook trigger should the analyst configure?

98. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. A critical server in Azure was compromised by ransomware. The incident response team needs to ensure that no other resources in the same resource group are affected. What is the most immediate containment action?

99. Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule configured as above. An incident was created for multiple alerts triggering within a 5-hour window. The SOC team needs to investigate each alert separately because they involve different user accounts. What should the analyst do to ensure each alert generates a separate incident?

100. A SOC analyst is investigating a phishing campaign that targets Microsoft 365 users. The analyst needs to collect email message headers from multiple users' mailboxes. Which Microsoft 365 Defender action should the analyst use?

101. During an incident involving a compromised Azure VM, the security team wants to capture a memory dump for forensic analysis. The VM is running Windows Server 2022. What is the recommended approach?

102. Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An alert fires for a potential DCSync attack. The incident response team needs to immediately block the source account from performing directory replication. Which action should be taken?

103. A SOC analyst is triaging an incident in Microsoft Sentinel and needs to assign it to a senior analyst for further investigation. What is the correct action?

104. Refer to the exhibit. A Microsoft Sentinel scheduled rule is configured as shown. The rule generates an alert, but the incident created contains only the first alert, and subsequent alerts do not update the incident. What is the most likely cause?

105. Which TWO actions can be performed using Microsoft Sentinel's automation rules? (Choose two.)

106. Which THREE are valid containment actions in Microsoft Defender for Endpoint? (Choose three.)

107. Which TWO are valid sources of evidence in a Microsoft Sentinel incident? (Choose two.)

108. Your organization uses Microsoft Purview to manage insider risk. A user is suspected of exfiltrating data via email. The incident response team needs to preserve a copy of the user's mailbox for legal hold. Which action should be taken?

109. A security analyst is investigating a Microsoft Defender for Cloud Apps alert about a suspicious OAuth app that has high permissions. The analyst needs to disable the app immediately. What is the correct action?

110. A SOC analyst is using Microsoft Sentinel to respond to an incident involving multiple compromised user accounts. The analyst needs to quickly see the timeline of all related events. Which feature should the analyst use?

111. A security analyst in your organization receives an alert from Microsoft Defender for Cloud Apps indicating that a user has installed a third-party app with high permissions in Microsoft 365. The analyst suspects a consent phishing attack. Which playbook in Microsoft Sentinel should the analyst use to automate the investigation and remediation?

112. You are responding to a ransomware incident in Microsoft Defender XDR. You have identified that the malware encrypted files on several devices and then deleted the volume shadow copies. Which of the following actions should you take first to contain the incident?

113. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud indicating that a virtual machine has a high severity vulnerability (CVE-2023-XXXX). You need to create an incident in Microsoft Sentinel and trigger a playbook to remediate the vulnerability. However, the incident is not being created automatically. What is the most likely cause?

114. Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos activity that may indicate a golden ticket attack. Which of the following actions should you take to investigate this alert?

115. Your organization uses Microsoft Sentinel with the UEBA (User and Entity Behavior Analytics) feature enabled. A security analyst notices that a user account has been flagged with an anomaly indicating a possible compromised credential. Which entity type in Microsoft Sentinel's UEBA is most relevant for this alert?

116. Your organization has deployed Microsoft Sentinel and uses the Microsoft 365 connector to ingest audit logs. You receive an alert from Microsoft Defender for Office 365 about a phishing email that was delivered to a user's inbox. You need to create an incident in Sentinel and automatically quarantine the email. What is the most efficient way to achieve this?

117. Your organization uses Microsoft Defender for Cloud to protect hybrid cloud workloads. An alert indicates that a container in Azure Kubernetes Service (AKS) is running a privileged container. Which response action should you take first?

118. Your organization has Microsoft Defender for Endpoint deployed. A security analyst receives an alert about a suspicious PowerShell command executed on a device. The analyst needs to investigate the process tree. Which feature should the analyst use?

119. Your organization uses Microsoft Sentinel and has enabled the Microsoft 365 Defender connector. You want to automatically assign incidents to a specific analyst team based on the incident severity and type. Which component should you configure?

120. Which TWO of the following are valid response actions that can be taken on a device from Microsoft Defender for Endpoint? (Choose two.)

121. Which THREE of the following are valid incident management capabilities in Microsoft Sentinel? (Choose three.)

122. Which TWO of the following are valid sources for creating incidents in Microsoft Sentinel? (Choose two.)

123. Refer to the exhibit. You are investigating incidents related to suspicious process injection. The KQL query above is run in Microsoft Sentinel. What is the purpose of this query?

124. Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The JSON snippet defines an automation rule. What is the expected behavior of this rule?

125. Refer to the exhibit. You are reviewing an alert in Microsoft Defender for Endpoint. The alert details are shown. Which of the following actions should you take first?

126. A SOC analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded 500 GB of data from SharePoint to an unmanaged device. The user has no history of such behavior. What is the best first step in the incident response process?

127. During an incident investigation, you find that a compromised account was used to log into a virtual machine via RDP from an IP address in a sanctioned country. The VM has Microsoft Defender for Endpoint installed. Which data source in Microsoft Sentinel would you query to see the RDP connection events?

128. You have been tasked with creating an automated response in Microsoft Sentinel for incidents involving lateral movement. Which Azure service allows you to run a playbook to automatically isolate a compromised VM?

129. Which TWO actions should you take when handling a confirmed ransomware incident in an environment protected by Microsoft Defender for Endpoint?

130. Which THREE components are required to enable automated investigation and response (AIR) in Microsoft Defender for Office 365?

131. Which TWO are legitimate sources of threat intelligence that can be ingested into Microsoft Sentinel?

132. Refer to the exhibit. The KQL query is used in a Microsoft Sentinel scheduled alert rule. What scenario does this query detect?

133. Refer to the exhibit. This is a snippet from an automation rule in Microsoft Sentinel. What is the purpose of the 'RunQuery' action?

134. An incident in Microsoft Sentinel has been classified as a true positive. According to the incident response process, what should the analyst do next?

135. During an investigation, you need to check if any user has been assigned privileged roles in Microsoft Entra ID outside of normal business hours. Which data source would provide this information?

136. You are investigating an incident where a user reported receiving a suspicious email with a malicious attachment. Microsoft Defender for Office 365 did not block it. The email originated from a known malicious sender domain. What configuration should you check first?

137. You receive an incident in Microsoft Sentinel that is a low-confidence alert from Microsoft Defender for Identity. What should be your first step?

138. After a security incident, you need to collect forensic evidence from a Windows 10 machine. Which Microsoft tool should you use to create a memory dump?

139. Refer to the exhibit. This JSON snippet is from an Azure Web Application Firewall (WAF) policy. What does this rule do?

140. You are responding to an incident where a user's credentials were stolen via a phishing email. The attacker used the credentials to access Microsoft Entra ID and then tried to perform privileged role escalation. Which Microsoft Sentinel solution should you use to detect this type of attack?

141. Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed by a playbook before the investigation was complete. What should you do to prevent automatic closure in the future?

142. During an incident response, you need to collect a forensic image of a Windows 10 device managed by Microsoft Intune. Which Microsoft Defender XDR feature should you use?

143. Your organization uses Microsoft Sentinel. An incident is created from a fusion detection that combines multiple signals. You need to ensure that when the incident is resolved, all related alerts are also resolved automatically. What should you do?

144. A security analyst in your SOC receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded a large number of files from SharePoint in a short time. What is the most likely classification of this activity?

145. Your organization uses Microsoft Sentinel. You need to create an incident response playbook that automatically isolates a compromised device when a high-severity incident is created. The playbook should only run during business hours (9 AM - 5 PM local time). How should you configure this?

146. Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel that triggers a playbook. The rule is not triggering. What is the most likely cause?

147. Your organization uses Microsoft Defender XDR. A security administrator reports that a user's device is showing high severity alerts for 'Tampering with Microsoft Defender Antivirus' but the device is not isolated. You need to ensure that when such alerts occur, the device is automatically isolated in Microsoft Defender for Endpoint. What should you do?

148. Your organization uses Microsoft Sentinel. An incident has been identified as a false positive. What is the recommended action to prevent similar false positives in the future?

149. Refer to the exhibit. You are investigating why the query returns only two rows (High and Medium) even though there are Low severity alerts. What is the problem?

150. Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender XDR?

151. Which THREE actions should be taken when a phishing attack is detected in Microsoft Defender XDR?

152. Which TWO are valid incident classification categories in Microsoft Sentinel?

153. Refer to the exhibit. You are configuring an analytics rule in Microsoft Sentinel. What is the effect of this configuration?

154

Your organization uses Microsoft Sentinel. You need to implement a custom incident response process that requires approval before taking action on an incident. What should you use?

155

A security analyst receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request. What is the first step the analyst should take?

156

You are a security analyst investigating a detected phishing campaign targeting users in your organization. The Microsoft Defender for Office 365 alert indicates that several users clicked on a malicious link. Which action should you take first to prevent further compromise?

157

During a ransomware incident, the security team needs to prevent the encryption of files while allowing the investigation to continue. Which feature in Microsoft Defender for Endpoint should be used to achieve this?

158

Your organization uses Microsoft Sentinel. An incident is created for a possible data exfiltration via an unapproved external IP address. Which type of Microsoft Sentinel automation should you use to automatically block the IP address in the firewall?

159

You have detected a suspicious PowerShell command running on several workstations. The command appears to be downloading a payload from a known malicious URL. What is the most effective immediate response using Microsoft Defender for Endpoint?

160

A security administrator receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request from a domain controller. The alert suggests a possible Golden Ticket attack. Which action should the administrator take to validate the alert?

161

Your organization uses Microsoft Defender for Cloud Apps. You receive an alert that an administrator performed an unusual bulk download from SharePoint. What is the recommended first step to respond?

162

A Microsoft Defender for Endpoint alert indicates that a device has been communicating with a known command-and-control (C2) server. The device is critical for production. What is the most appropriate response?

163

You are investigating a lateral movement incident in Microsoft Defender for Endpoint. The timeline shows that a user's credentials were used from a compromised workstation to access a sensitive server. Which action should you take to contain the incident?

164

An incident is opened in Microsoft Sentinel for multiple sign-in failures from a single IP address targeting a privileged user account. Which action is most effective in automatically responding to this incident?

165

Which TWO actions are appropriate when responding to a confirmed malware outbreak on multiple workstations identified by Microsoft Defender for Endpoint?

166

Which TWO actions should be taken to respond to a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

167

Which THREE steps are part of the incident response process when using Microsoft Sentinel?

168

The KQL query above is used in a Microsoft Sentinel analytics rule. What is the purpose of this rule?

169

The exhibit shows a partial playbook trigger configuration in Microsoft Sentinel. When will this playbook be triggered?

170

The exhibit shows the output of a Microsoft Defender for Endpoint API call to get machine information. What does the isolationStatus value indicate?

171

Your organization is using Microsoft Defender for Office 365. A user reports receiving a suspicious email that appears to be from the CEO requesting an urgent wire transfer. You need to investigate the email and take immediate action. What should you do first?

172

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to reduce similar false positives in the future without affecting legitimate detections. What should you do?

173

Your organization is using Microsoft Defender for Cloud to protect Azure workloads. A critical vulnerability was discovered in a virtual machine that is part of a production application. The vulnerability has a high severity score and is actively being exploited in the wild. You need to respond quickly to mitigate the risk. What is the most effective immediate action?

174

Your organization uses Microsoft Defender XDR. A user reports that their device is behaving erratically, with unexpected pop-ups and high CPU usage. You suspect malware infection. You need to collect forensic data from the device for analysis. What should you do?

175

Your organization uses Microsoft Sentinel. You have been asked to configure automated responses to security incidents. Which TWO of the following can be used to automate responses in Microsoft Sentinel?

176

Your organization uses Microsoft Defender XDR. A security incident involving a compromised user account has been identified. Which THREE actions should you take to contain and remediate the incident?

177

Your organization uses Microsoft Sentinel. You are investigating an incident and need to gather additional context about a suspicious IP address. Which TWO Microsoft Sentinel features can you use to enrich the investigation?

178

Your organization uses Microsoft Defender for Identity and Microsoft Defender XDR. You receive an alert about a suspicious LDAP query originating from a domain controller. The alert indicates potential use of the DCSync attack technique. What is the most effective immediate action to contain the attack?

179

Your organization uses Microsoft Sentinel. You have configured a data connector to ingest events from a third-party firewall. However, you notice that the logs are not appearing in Sentinel. What is the first thing you should check?

180

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user has been accessing sensitive data from an anonymous IP address. The user's account appears to be compromised. You need to prevent further data exfiltration. What should you do?

181

Your organization uses Microsoft Sentinel. You have a scheduled analytics rule that queries Windows Security Events to detect local admin group modifications. The rule runs every hour and looks back 1 hour. However, you are missing events that occur within the first few minutes of the hour. What is the most likely cause?

182

Your organization uses Microsoft Defender XDR. You receive an alert about a potentially unwanted application (PUA) being installed on a device. The PUA is not blocked by your current policy. You need to prevent future installations of this PUA without affecting other software. What should you do?

183

Your organization uses Microsoft Sentinel and Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps). You have an incident response team that operates 24/7. Recently, there have been multiple incidents involving users receiving phishing emails that lead to credential theft. The phishing emails are sophisticated and bypass Exchange Online Protection (EOP) and Defender for Office 365's built-in phishing filters. The emails contain links to fake login pages that harvest credentials. Once credentials are stolen, the attacker uses them to sign in from anonymous IP addresses and attempts to access sensitive data in SharePoint Online. You need to design a response strategy that includes automated containment and investigation. The solution must:

- Automatically disable user accounts when a phishing incident is confirmed.
- Automatically trigger an investigation into the user's activity in Microsoft Defender for Cloud Apps.
- Send a notification to the incident response team with a summary of the incident.
- Minimize manual effort.

You have the following components available:

- Microsoft Sentinel with automation rules and playbooks.
- Microsoft Defender XDR with advanced hunting.
- Microsoft Power Automate.

What is the most efficient way to achieve these requirements?

184

Your organization uses Microsoft Sentinel. A security analyst receives an alert for a suspicious sign-in from an unfamiliar IP address. The analyst wants to quickly check if the same IP address has been associated with any other alerts in the past 30 days. Which action should the analyst take?

185

During an incident response, a security analyst identifies that a user's account was used to access sensitive data from an anomalous location. The analyst needs to immediately prevent further access from that account while preserving forensic data. Which action should the analyst take?

186

The exhibit shows an automation rule in Microsoft Sentinel. The analyst reports that the playbook is not triggered for high-severity incidents. What is the most likely cause?

187

A SOC analyst receives a Microsoft Defender for Cloud Apps alert about a mass download of files from a SharePoint site by a single user. The analyst needs to contain the incident. Which action should be taken first?

188

Your organization uses Microsoft Defender XDR. The incident queue shows multiple alerts related to a single endpoint: malware detected, suspicious PowerShell execution, and data exfiltration attempts. The analyst needs to investigate the incident. Which tool should the analyst use to correlate these events?

189

The exhibit shows a KQL query used during incident investigation. The analyst wants to identify devices with an unusually high number of outbound connections to public IPs. The query returns no results, though the analyst suspects there should be some. What is the most likely reason?

190

A security analyst in Microsoft Sentinel receives an incident with a high severity alert from Microsoft Defender for Identity. The incident description mentions a suspected lateral movement pass-the-hash attack. What should the analyst do first?

191

During a ransomware incident, an analyst needs to identify which files were encrypted on an endpoint. The endpoint is running Windows and is managed by Microsoft Defender for Endpoint. Which data source should the analyst query in Advanced hunting?

192

Your organization's Microsoft Sentinel workspace ingests logs from multiple regions. During an incident, you need to search for a specific user's activity across all workspaces in a single query. What is the most efficient way to accomplish this?

193

Which TWO actions should be taken immediately when a compromised user account is detected in Microsoft Entra ID?

194

Which THREE features in Microsoft Sentinel allow an analyst to automate incident response actions?

195

Which TWO of the following are valid methods to retrieve data from Microsoft Sentinel for external analysis during an incident?

196

Your organization uses Microsoft Sentinel with Microsoft Defender XDR integrated. A critical incident has been raised involving a user account that was used to access a confidential SharePoint site from an unusual location at 2:00 AM. The incident includes alerts from Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and Microsoft Defender for Office 365. The analyst needs to contain the incident, investigate the scope, and begin remediation. The environment has the following: Microsoft Entra ID with conditional access policies, Microsoft Intune for device management, and Microsoft Defender for Endpoint on all devices. The analyst has identified the user account and the device used. Which course of action should the analyst take first?

197

You are a SOC analyst at Contoso Ltd. The company uses Microsoft Sentinel and Microsoft Defender XDR. A high-severity incident is generated from a Sentinel analytics rule that detects multiple failed logins followed by a successful login from a geographically unusual location for a user. The incident includes an alert from Microsoft Defender for Identity indicating a possible brute-force attack. The user's account is a privileged administrator. Your organization has strict compliance requirements: any privileged account compromise must be contained within 15 minutes of detection. You have the following tools available: Microsoft Entra ID with Privileged Identity Management (PIM), Microsoft Defender for Cloud Apps, and Microsoft 365 Defender automation rules. The incident is now 5 minutes old. What should you do to meet the compliance requirement?

198

Your company uses Microsoft Sentinel as its SIEM. You are investigating an incident where a user reported receiving a phishing email that appeared to come from the CEO requesting a wire transfer. The user did not respond. However, the incident also contains alerts from Microsoft Defender for Office 365 indicating that other users clicked on a malicious link in a similar email. The email was sent to 100 users. The company has Microsoft Defender for Endpoint deployed on all devices. The incident requires immediate containment to prevent further compromise. What should you do first?

199

A security analyst detects a suspicious sign-in from an unfamiliar IP address for a user with high privileges. The analyst wants to immediately contain the threat while preserving the user's ability to work with proper approvals. What is the most effective first step?

200

During a ransomware incident, the security team needs to prevent encryption while preserving forensic data. Which action best achieves this balance?

201

An incident response playbook in Microsoft Sentinel has a step: 'Investigate the user's recent activities using Microsoft 365 Defender.' Which data source would provide the most relevant information for this step?

202

The analyst notices that the rule does not fire for a user who has 12 sign-ins from the same IP address, but all are low risk. The expected behavior is to alert when a single user has more than 10 sign-ins from the same IP with at least one high-risk sign-in. What is the issue?

203

A SOC analyst needs to automate response to a phishing email reported by a user. The playbook should automatically block the sender in Exchange Online and delete the email from all recipients. Which Microsoft Sentinel automation action should the analyst use?

204

During an incident, an analyst wants to use Microsoft Defender XDR's automatic attack disruption to contain an ongoing attack. What prerequisite must be met?

205

A company uses Microsoft Sentinel with Microsoft Defender for Cloud Apps. An incident is created when a user downloads 500 GB from SharePoint in one hour. The analyst wants to create a playbook that automatically suspends the user in Microsoft Entra ID when such activity is detected. Which connector and action should the analyst use in the playbook?

206

An analyst is investigating a potential data exfiltration incident involving a user who accessed sensitive files from a personal device. The analyst wants to gather evidence about the device's compliance status and recent activity. Which Microsoft Intune feature should the analyst use?

207

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user has signed in from a banned country. The analyst needs to block further access from that country for all users. What should the analyst configure?

208

Which TWO actions should an analyst take when a confirmed ransomware incident is detected on multiple endpoints? (Choose TWO.)

209

Which THREE elements are essential when creating a custom incident response playbook in Microsoft Sentinel? (Choose THREE.)

210

Which TWO are valid methods to collect forensic evidence from a compromised Windows endpoint during an incident? (Choose TWO.)

211

Which THREE indicators of compromise (IOCs) are commonly used in Microsoft Sentinel to detect advanced persistent threats (APTs)? (Choose THREE.)

212

Which TWO playbook actions can be used to automatically contain a compromised user account in Microsoft Entra ID during an incident? (Choose TWO.)

213

Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint protection. You have a custom analytics rule that triggers on suspicious PowerShell activity. The rule uses the following KQL query:

```kql
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| where InitiatingProcessFileName != "explorer.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```

The rule generates incidents that are assigned to the SOC team for investigation. However, analysts report that they are spending too much time manually collecting additional process details for each alert. You need to automate the enrichment of these incidents with additional context, such as parent process details, network connections, and file creation events from the same device within the last hour. The enrichment should be triggered automatically when an incident is created, and the results should be added as a comment to the incident. You have access to Azure Logic Apps and Azure Automation. Which approach should you use?

214

You are a security analyst at Contoso. A user reports that they received a suspicious email with an attachment named "Invoice.pdf.exe". The user did not open the attachment. You need to investigate this potential threat using Microsoft Defender XDR. You want to determine if any other users received the same email, and whether the attachment was detonated in a sandbox. You also want to block the sender domain and the attachment hash across the organization if it is malicious. You have the email message ID from the user. You have appropriate permissions to use advanced hunting and take action. Which set of actions should you take in Microsoft 365 Defender?

215

Your company uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is created when a user performs an unusual mass download from SharePoint Online. The playbook assigned to the incident automatically suspends the user account in Microsoft Entra ID. However, after investigation, the user's activity is determined to be legitimate (they were backing up data for a migration). You need to restore the user's account and ensure that the user can access all resources immediately. You also need to update the incident to reflect the findings. What should you do?

216

Your organization uses Microsoft Sentinel. A security analyst reports a high number of false positives from a scheduled analytics rule that detects anomalous sign-ins. The rule uses the 'UserAgent' field in the SigninLogs table. What is the best practice to reduce false positives while maintaining detection coverage?

217

Your company uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. The email contains an external link to a credential harvesting site. You need to block similar emails in the future. What should you do?

218

Your organization uses Microsoft Defender for Cloud Apps. A security investigator discovers that a user's session token was stolen and used to access sensitive data in SharePoint Online from an anomalous IP address. You need to immediately revoke the attacker's access while minimizing impact on the legitimate user. What should you do?

219

Your organization uses Microsoft Sentinel. A fusion incident was created involving multiple alerts from different sources. You need to investigate the incident to determine if it is a true positive. What is the first step you should take?

220

Your organization uses Microsoft 365 Defender. You are investigating a potential malware outbreak on several endpoints. Which TWO actions should you take to isolate affected devices and prevent lateral movement?

221

Your organization uses Microsoft Sentinel. A new analytics rule is needed to detect brute-force attacks against your Azure SQL databases. The rule should minimize false positives and trigger only when multiple failed logins occur from a single IP address within a short time window. Which THREE components are essential for building this rule?

222

Your organization uses Microsoft Defender for Cloud. You need to remediate a security recommendation that indicates a virtual machine is missing critical security updates. Which TWO actions should you take to remediate this recommendation?

223

Refer to the exhibit. An alert in Microsoft Defender for Identity shows suspicious PowerCLI execution on an Exchange server. The service account 'svc_exchange' is used. What is the most likely true-positive scenario?

224

Your organization uses Microsoft Sentinel. You are responsible for responding to incidents. A new 'MFA Denied' incident is created from Microsoft Entra ID sign-in logs, indicating that a user in your organization had multiple MFA denials from a suspicious IP address (203.0.113.5). The user is a sales representative who frequently travels. The incident severity is Medium. The incident contains entities: user 'jsmith@contoso.com', IP address 203.0.113.5, and a device running Windows 11. You need to investigate and determine if this is a true positive. The user is currently on a business trip in Europe, but the sign-in attempts originated from an IP address in a different region. What should you do first?

225

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You receive a high-severity incident indicating that a user's credentials were used to access a sensitive SharePoint site from an unmanaged device. The user, 'jdoe@contoso.com', is a senior executive. The IP address is from a public Wi-Fi hotspot. The incident includes a recommendation to apply session policy to block download of sensitive files. You need to create a policy in Microsoft Defender for Cloud Apps that blocks downloads from unmanaged devices for this specific user when accessing the sensitive site. The policy should trigger only when the user accesses the specific SharePoint site named 'ExecConfidential'. What should you do?

226

Your organization uses Microsoft 365 Defender. A security analyst detects a malware infection on a single endpoint named 'SalesPC01'. The malware is identified as 'Trojan:Win32/Emotet'. The endpoint is currently isolated from the network by the automatic response. You need to remediate the infection. The malware has been detected and the endpoint is isolated. What should you do next?

227

Your organization uses Microsoft Sentinel with the Microsoft Defender for Cloud connector enabled. You receive an incident that alerts on 'Suspicious resource deployment' from a user who has been compromised. The incident involves the deployment of a virtual machine in a subscription that is normally not used by that user. The incident severity is High. You need to contain the threat immediately. The deployment is still in progress. What should you do first?

228

Your organization uses Microsoft 365 Defender. An incident is created for a user who received a phishing email that contained a link to a malicious website. The user clicked the link but did not enter any credentials. The incident includes the alert 'Phishing delivered' from Microsoft Defender for Office 365. You need to remediate the incident and prevent future occurrences. The user is in the Finance department and frequently receives emails from external vendors. What is the best course of action?

229

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You receive an incident indicating that a user's account was used to sign in from an unusual location (Russia) while the user is in the United States. The sign-in was successful and no MFA challenge was prompted because the user had a valid session. The incident severity is High. You need to respond immediately. What should you do first?

230

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud that a virtual machine has a high severity vulnerability: 'CVE-2023-XXXX' with a CVSS score of 9.8. The virtual machine is running a critical application for the finance department. You need to remediate the vulnerability as quickly as possible while minimizing downtime. The application vendor has not yet released a patch but has provided a workaround. What should you do?

231

A security analyst is investigating a potential ransomware incident in Microsoft Defender XDR. The analyst needs to confirm the scope of the attack and halt further propagation. Which TWO actions should the analyst take first?

232

During a security incident, a Microsoft Sentinel analytics rule generated an alert for a suspicious sign-in from an unusual location. The incident involves a user whose account has been compromised. The security team needs to take immediate actions to remediate and prevent further damage. Which THREE actions should the security team prioritize?

233

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You receive an alert indicating that a user from the finance department accessed a sensitive SharePoint file from an IP address associated with a known malicious Tor exit node. The file contains payment information. The user's account has not been disabled. What should you do first to contain the incident?

234

Your organization has deployed Microsoft Sentinel with the Microsoft Defender XDR connector. A high-severity incident is created for a user who received a phishing email that contained a malicious link. The user clicked the link, and the attacker gained access to the user's mailbox. The security team needs to remove the attacker's access and prevent future occurrences. What should you do first?

235

You are investigating a security incident in Microsoft Sentinel involving a series of failed logon attempts followed by a successful logon from a different geographic location. The user's account is a privileged administrator. The incident is assigned a medium severity. What should you do first to contain the potential breach?

236

You are a security analyst for a company using Microsoft Defender XDR. An incident is detected involving a device that has been communicating with a known command-and-control (C2) server. The device is currently online and the user is active. What should you do first to contain the threat?

237

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An incident is created for a user whose credentials were used from an unusual location to access sensitive HR data. The user's account is a domain admin. The security team needs to ensure the attacker cannot use the account again. What should you do first?

238

You are investigating a low-severity incident in Microsoft Sentinel where a user reported receiving a phishing email. The email was not blocked by the email security solution. The user did not click any links. What should you do first?

239

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. An alert indicates that an external IP address is downloading large amounts of data from a SharePoint site containing confidential documents. The activity is coming from a valid user account that appears to be compromised. What should you do first to stop the data exfiltration?

240

Your organization has Microsoft Sentinel and Microsoft Defender for Identity deployed. An incident is created for a user whose account was used to access a sensitive database from an unusual workstation. The user is a member of the 'Database Admins' group. The security team needs to prevent further unauthorized access and preserve evidence. What should you do first?

241

A security analyst receives a Microsoft Defender for Cloud Apps alert about a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately prevent further access from that IP. What should the analyst do?

242. During an incident response, a SOC analyst identifies that a malicious PowerShell script was executed on multiple endpoints. The analyst needs to collect relevant files from all affected endpoints for further analysis. What should the analyst use?

243. An analyst is investigating a phishing campaign that targeted multiple users. The analyst needs to identify if any users clicked a malicious link in the email. Which Microsoft Defender for Office 365 feature should be used?

244. Your organization uses Microsoft Sentinel. A new incident is created from a fusion alert that combines multiple low-severity alerts. The analyst needs to determine the entities involved. What should the analyst review?

245. A SOC team uses Microsoft Sentinel with Microsoft Defender XDR integration. An incident is created from a Defender for Endpoint alert. The analyst wants to run a KQL query across all affected devices without creating a new analytics rule. How can the analyst achieve this?

246. During an incident, an analyst finds that a user's account was compromised and used to send spam. The analyst needs to revoke all active sessions for that user. What should the analyst do?

247. A security analyst receives a Microsoft Defender for Identity alert about a suspicious Kerberos attack. The analyst needs to contain the compromised account immediately. What should the analyst do?

248. Your organization uses Microsoft Defender for Cloud to protect Azure resources. A security alert indicates that a virtual machine (VM) is communicating with a known malicious IP. The analyst needs to isolate the VM from the network to prevent further data exfiltration. What should the analyst do?

249. A SOC analyst is responding to a ransomware incident. The analyst identifies that the ransomware encrypted files on a file share and left a ransom note. The analyst needs to prevent the ransomware from spreading to other shares. Which action should the analyst take first?

250. Which TWO actions should an analyst take when a user reports receiving a suspicious email with an attachment? (Select TWO.)

251. Which THREE steps are part of the containment phase of incident response in Microsoft Sentinel? (Select THREE.)

252. Which TWO are valid incident classification categories in Microsoft Sentinel? (Select TWO.)

253. Refer to the exhibit. An analyst runs the query to identify the top 10 entities with the most malware alerts. However, the query returns no results. What is the most likely reason?

254. Refer to the exhibit. An analyst runs Get-MpThreat on a device. Based on the output, what is the status of the threat?

255. Refer to the exhibit. An analyst runs the command to install the Azure Monitor Agent on a VM. What is the primary purpose of installing this agent in the context of security incident response?

256. Your organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and exhibiting unusual network activity. You run a live response session and find a suspicious process running. Which action should you take first to contain the threat?

257. You are investigating an incident in Microsoft Sentinel where a user account was used to sign in from an unfamiliar location and then accessed multiple sensitive files. Which step is most important to perform first?

258. During a security incident, you need to create a custom detection rule in Microsoft Sentinel to alert on multiple failed logins followed by a successful login from the same IP within 10 minutes. Which KQL function should you use to group events by IP address and time window?

259. Your organization uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading large amounts of data from SharePoint Online. What should you do first to investigate?

260. You receive a Microsoft Defender for Identity alert for a suspicious Kerberos ticket request. What is the most likely intent of this attack?

261. Refer to the exhibit. You are investigating a malware outbreak in Microsoft Sentinel. The KQL query returns no results. What is the most likely reason?

262. Your organization uses Microsoft Defender XDR. You receive an automated investigation that found a malicious file on a device. The investigation recommends 'Block the file'. What does this action do?

263. During an incident response, you need to collect forensic evidence from a compromised Windows device using Microsoft Defender for Endpoint live response. Which command should you use to gather running processes?

264. Your Microsoft Sentinel workspace receives logs from multiple sources. You need to ensure that an incident response playbook is triggered automatically when a specific alert is generated. What should you create?

265. Which TWO actions can you perform in Microsoft Defender XDR's automated investigation and response (AIR) to contain a threat? (Select TWO.)

266. Which THREE are valid investigation actions in Microsoft Sentinel? (Select THREE.)

267. Which TWO are valid methods to submit a file for analysis in Microsoft Defender for Endpoint? (Select TWO.)

268. Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel to trigger a playbook when an alert is created. However, the playbook does not run. What is the most likely cause?

269. Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to detect suspicious PowerShell activity. Why might this query generate many false positives?

270. After containing a security incident, what is the most important next step in the incident response process?

271. Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert about suspicious activity from a user account indicating a potential ransomware attack. The analyst needs to quickly isolate the user's device and revoke the user's access to all cloud apps. What is the most efficient way to achieve this?

272. During a security incident, your team needs to preserve evidence from a Microsoft Defender for Endpoint onboarded device for forensic analysis. The device is still running and connected to the network. Which action should be taken to collect a forensic image while minimizing disruption?

273. Your organization uses Microsoft Sentinel. A security incident is created, and the assigned analyst needs to perform initial triage. What is the first step the analyst should take according to Microsoft best practices for incident response?

274. Your Microsoft Sentinel workspace ingests logs from multiple sources. During an incident, you need to quickly identify all user accounts that have been compromised based on a known malicious IP address. Which KQL operator is most efficient for this?

275. Your organization uses Microsoft Purview Data Loss Prevention (DLP) and Microsoft Defender for Cloud Apps. During an incident, you discover that a user is exfiltrating sensitive data via a sanctioned cloud app. You need to block the user's ability to share files in that app immediately. What should you do?

276. Your team uses Microsoft Sentinel to manage incidents. You want to automatically assign incidents with a severity of 'High' to the Tier 2 security team. Which feature should you configure?

277. During an incident response, you need to collect email messages from a user's mailbox in Microsoft 365 for evidence. The user is suspected of phishing. Which Microsoft Purview solution should you use?

278. Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule triggers when an incident is created, changes its status to 'Active', assigns it to 'tier2', and runs a playbook. However, you notice that the playbook is not executing for incidents with severity 'Low'. What is the most likely reason?

279. Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel during an investigation. The analyst expects to see alerts related to malware from IP 10.0.0.5 but receives no results. The SecurityAlert table contains data from the last 24 hours. What is the most likely reason for no results?

280. Your organization is responding to a ransomware incident. Which TWO actions should be taken first to contain the incident while preserving forensic evidence?

281. A security analyst is investigating a potential data exfiltration incident in Microsoft Sentinel. The analyst needs to identify which users may have been compromised. Which THREE data sources should be queried to gather the most relevant evidence?

282. Your organization uses Microsoft 365 Defender. During an incident, which TWO actions can be taken directly from the Microsoft 365 Defender portal to remediate a compromised email account?

283. Your team uses Microsoft Defender for Endpoint. An incident involving a device is identified as a high-severity malware infection. Which THREE remediation actions can be performed directly from the incident in Microsoft 365 Defender?

284. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a security incident involving a compromised Azure VM, which THREE actions are appropriate to contain and investigate the incident?

285. Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule definition. The rule is intended to automatically change the severity to High, assign to tier2, and set status to Active for incidents triggered by alerts containing 'malware'. However, incidents are not being updated. What is the most likely cause?

286. Your security team is investigating a suspicious sign-in from an unfamiliar IP address. The user has Microsoft Entra ID P2 licenses and is assigned a Conditional Access policy that requires MFA for all cloud apps. During the incident response, you find that the sign-in succeeded despite the user not completing MFA. Which action should you take first to investigate the discrepancy?

287. During a ransomware incident, a security analyst needs to isolate an affected Windows 10 device managed by Microsoft Intune. The device is currently online and connected to the corporate network. Which remediation action should be taken from Microsoft Defender XDR to achieve this?

288. Your organization uses Microsoft Sentinel. You receive a high-severity incident indicating a potential data exfiltration from an Azure Storage account. The incident contains entities such as IP addresses and user accounts. Which step should you perform first to contain the threat?

289. Your security operations center (SOC) uses Microsoft Sentinel with a custom analytics rule that generates an incident when more than 10 failed logons occur within 5 minutes. During a review, you notice that a single user triggered the rule by forgetting their password multiple times. The incident was automatically closed by a playbook. What is the most effective way to reduce false positives for this rule?

290. A security analyst is investigating an incident involving a suspicious process that was detected on multiple devices. The analyst wants to check if the same file hash was observed on other devices in the past 30 days. Which Microsoft 365 Defender table should be queried in KQL?

291. Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that generates an incident for users with more than 5 failed sign-in attempts (error code 50057 indicates user account is disabled) from a single IP in the last hour. After enabling the rule, you receive too many incidents from a service account that legitimately fails frequently. How should you modify the query to reduce false positives?

292. An analyst in your SOC receives a Microsoft Defender for Cloud Apps alert indicating a suspicious Power Automate flow that is forwarding emails to an external domain. The analyst needs to disable the flow immediately. Which action should they take?

293. During an incident response, you need to collect forensic evidence from a compromised Azure virtual machine that is currently offline. What is the most efficient method to acquire a disk snapshot for analysis while preserving the integrity of the evidence?

294. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You have a custom analytics rule that triggers on a Defender for Endpoint alert. When the rule triggers, a playbook is executed that creates an incident in Microsoft Sentinel and sends a message to a Teams channel. The playbook fails to execute. Which permission should you verify first?

295. Which TWO actions can be taken directly from within a Microsoft Sentinel incident to aid in investigation? (Choose two.)

296. Which THREE of the following are valid incident types in Microsoft 365 Defender? (Choose three.)

297. Which TWO response actions are available in Microsoft Defender for Endpoint for a compromised device? (Choose two.)

298. Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel to block IP addresses from high-severity incidents. The rule triggers on incident creation but fails to block the IP. What is the most likely cause?

299. Refer to the exhibit. A security analyst runs the KQL query in Microsoft Defender XDR to find devices running encoded PowerShell commands in the last hour. The query returns results showing a device named 'DESKTOP-123' with account 'jdoe'. The analyst suspects malicious activity. Which immediate next step should the analyst take?

300. Refer to the exhibit. An Azure administrator deploys this ARM template to create a Microsoft Sentinel automation rule. After deployment, the automation rule does not trigger when a high-severity incident is created. What is the most likely reason?

Frequently asked questions

What does the Respond to security incidents domain cover on the SC-200 exam?

The Respond to security incidents domain covers the key concepts tested in this area of the SC-200 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-200 domains — no account required.

How many Respond to security incidents questions are in the SC-200 question bank?

The Courseiva SC-200 question bank contains 300 questions in the Respond to security incidents domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Respond to security incidents for SC-200?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Respond to security incidents questions for SC-200?

Yes — the session launcher on this page draws questions exclusively from the Respond to security incidents domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
