Microsoft · Free Practice Questions · Last reviewed May 2026
36 real exam-style questions organised by domain, each with the correct answer marked and a plain-English explanation of why it's right, and why the others are wrong.
Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?
Configure an analytics rule to set the incident owner to the senior analyst and enable Teams integration in Sentinel settings.
Create a playbook that reassigns incidents and posts to Teams, and attach it to an automation rule triggered by high-severity incidents.
Create a workbook that filters high-severity incidents and configure a Teams webhook in the workbook settings.
Create an automation rule that runs when an incident is created with severity High, sets the owner to the senior analyst, and then runs a playbook to post a message to Teams.
Correct. An automation rule fires when an incident is created, can be scoped to severity High, sets the owner directly, and then runs a playbook that posts to Teams; for that last step, Microsoft Sentinel's identity needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group. Option 2 also works, but it moves the owner assignment into the playbook when the automation rule can do it natively; an analytics rule has no owner setting, and a workbook only visualises incidents.
Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?
Create a data loss prevention (DLP) policy in Microsoft Purview that triggers on failed logins.
Deploy a session policy in Defender for Cloud Apps that blocks after 50 failed logins.
Configure an app connector for each SaaS app and then create a custom activity policy.
Enable the 'Multiple failed login attempts' anomaly detection policy in Defender for Cloud Apps.
Correct. 'Multiple failed login attempts' is one of the built-in anomaly detection policy templates in Defender for Cloud Apps. A custom activity policy (option 3) could express a fixed 50-in-10-minutes rule, but the question asks for a built-in anomaly detection policy; a session policy acts on live sessions rather than counting failures, and a Purview DLP policy acts on content, not authentication.
You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which component sends this email?
A mail flow rule in Exchange Online configured to forward alerts.
Microsoft 365 Defender email notification settings.
Correct. Microsoft 365 Defender (now Microsoft Defender XDR) has its own email notification settings for incidents and alerts, and those messages link straight to the portal. A mail flow rule only forwards existing mail, Defender for Cloud Apps notifies about its own policies, and a Sentinel analytics rule would link to Sentinel, not to the Defender portal.
Microsoft Defender for Cloud Apps notification settings.
A Microsoft Sentinel analytics rule configured to send email notifications.
Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?
Examine the analytics rule that creates incidents from Microsoft Defender for Office 365 alerts and verify the severity threshold.
Correct. Incidents are created from Microsoft Defender for Office 365 alerts by a Microsoft security incident creation rule, and that rule's severity and alert-name filters decide which alerts become incidents, so a threshold set too high silently drops the missing ones. Confirming that the alerts exist in the portal and that the connector is ingesting (options 2 and 4) are the follow-up checks; workbooks only visualise. Note that when Microsoft Defender XDR incident integration is enabled, incidents are synchronised directly and the incident creation rule for that product is disabled.
Check the Microsoft 365 Defender portal to confirm that the alerts are being generated.
Review the Microsoft Sentinel workbooks for any visualization errors.
Verify that the Microsoft Defender for Office 365 data connector in Microsoft Sentinel is connected and data is ingested.
Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?
The latency is determined solely by the MDI sensor health and network speed.
The incident creation time is controlled by the Microsoft Defender for Cloud Apps connector.
The incident will be created within 5 minutes because MDI writes directly to Microsoft Sentinel.
The latency depends on the Microsoft 365 Defender connector's polling interval and the analytics rule's frequency.
Correct. The Microsoft 365 Defender connector polls for alerts every few minutes and the rule that turns alerts into incidents runs on its own schedule, so both contribute to the latency; MDI does not write to Sentinel directly, and the Cloud Apps connector is unrelated. With Microsoft Defender XDR incident integration enabled, incidents are synchronised directly and the analytics rule step disappears.
Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?
A playbook that uses the Microsoft Graph API to disable the user.
Correct. A playbook (Logic App) can call the Microsoft Graph API (PATCH /users/{id} with accountEnabled set to false) using a managed identity granted User.EnableDisableAccount.All or User.ReadWrite.All, and an automation rule scoped to the high-severity incident runs it. Disabling the account does not invalidate tokens already issued, so the same playbook usually also calls the user's revokeSignInSessions action. Analytics rules and workbooks only query data, and an automation rule cannot run scripts itself.
An analytics rule that includes a query to disable the user.
An automation rule that runs a PowerShell script on a hybrid worker.
A workbook that triggers a webhook to disable the user.
You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?
Disable the user's account
Revoke the user's active sessions
Reset the user's password
Block the malicious domain on the firewall
Correct. Blocking the domain (on the firewall, and in Defender for Office 365 via the Tenant Allow/Block List for URLs) contains the threat without disrupting the user. Disabling the account, revoking sessions and resetting the password are the next steps if the investigation shows that credentials were entered or a payload ran, which the scenario says was not observed.
During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)
Block the unapproved cloud storage app
Correct (1 of 2). Blocking the app (unsanctioning it in Defender for Cloud Apps, which can push the block to firewalls and proxies or, with the Defender for Endpoint integration, to devices) stops further uploads.
Suspend the user's account
Correct (2 of 2). Suspending the account stops the user from accessing resources while the incident is investigated. Notifying the user and placing a legal hold come later; neither stops data leaving.
Notify the user about the policy violation
Initiate a legal hold on the user's data
Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?
Block the source IP address on the firewall
Investigate the incident details
Correct. Triage first: ten failures in five minutes may be a misconfigured service account or a scanner, and the incident's entities and sign-in results show whether it is an attack and which accounts are at risk before anything is blocked or reset.
Notify the users of the failed login attempts
Reset passwords for all affected accounts
An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?
Isolate the device from the network
Correct. Device isolation in Defender for Endpoint cuts the device off from the network (keeping only its connection to the Defender service), so encryption cannot spread to shares or other hosts. A scan or memory capture comes after containment, and disabling the user does not stop a process that is already running.
Disable the user's account
Run a full antivirus scan on the device
Collect a memory dump from the device
Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?
The user's account is compromised
Correct. A sign-in from an unusual location followed by a mass download is the classic compromised-account pattern. An insider is possible, but a low-privilege user downloading at scale from a new location is more likely a stolen credential; travel would not explain the download, and nothing in the scenario indicates encryption.
The alert is a false positive due to user travel
The user is an insider threat
The user is conducting a ransomware attack
In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?
Run an automated playbook to contain the threat
Close the incident as false positive
Triage the incident by reviewing the evidence
Correct. Fusion incidents are high-fidelity, multi-stage correlations, but triage still comes first: review the constituent alerts and entities to confirm validity and urgency before running containment playbooks or escalating.
Escalate the incident to senior management
A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?
... | where SentBytes > 1000000 | project SourceIP, SentBytes
... | extend TotalBytes=SentBytes | summarize count() by SourceIP
... | project SourceIP, SentBytes | sort by SentBytes desc
... | summarize TotalBytes=sum(SentBytes) by SourceIP | top 10 by TotalBytes desc
Correct. summarize with sum() aggregates bytes per source and top returns the largest totals. Option 1 filters single large flows but never aggregates; option 2 counts events rather than bytes; option 3 sorts individual rows instead of totals.
A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?
DeviceNetworkEvents table, SHA256 column
DeviceEvents table, SHA256 column
DeviceProcessEvents table, SHA256 column
Correct. DeviceProcessEvents records process creation together with the SHA256 of the executed image, so filter on SHA256 and summarize by DeviceName. DeviceFileEvents also has a SHA256 column, but it records file create, modify and delete activity, not execution.
DeviceFileEvents table, SHA256 column
During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?
Upload the CSV to a custom threat intelligence feed using the Threat Intelligence - Upload Indicators API
Correct. The Upload Indicators API writes the IPs into the Microsoft Sentinel threat intelligence store, where the built-in TI map analytics rules match them against ingested logs. A watchlist plus a custom rule (option 2) would also alert, but the question asks for threat intelligence indicators; inline IPs in a rule do not persist as indicators, and a blocking playbook is a response, not an indicator store.
Add the IPs to a Microsoft Sentinel watchlist and reference the watchlist in an analytics rule
Create a custom analytics rule that includes the IPs as inline indicators
Use Azure Logic Apps to create a playbook that blocks the IPs automatically
A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?
Use a Microsoft Sentinel playbook to automatically flag any password reset
Write a KQL query that joins SigninLogs with AuditLogs on user principal name and times within a short window
Correct. A join on UserPrincipalName between SigninLogs (unusual location, from Location or the risk columns) and AuditLogs (OperationName for the password reset, initiator in InitiatedBy) with a time-window filter surfaces the sequence. Searching either table alone finds only half of the behaviour, and a playbook that flags every reset floods the queue.
Search the SigninLogs table for logins from unusual locations
Create a watchlist of known unusual locations and use it in a query against AuditLogs
A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?
Review Conditional Access app control policies for any block rules
Check Microsoft 365 Defender alerts for malicious OAuth apps
Query the Microsoft 365 Defender advanced hunting table 'CloudAppEvents' for app installation events and then use 'AppGovernance' to list all apps
Use the Cloud App Security activity log to search for 'Install app' events and then review the 'App governance' dashboard for all instances
Correct. The Defender for Cloud Apps activity log records 'Install app' (consent) events per user, and the App governance dashboard lists every instance of the app with its permissions and users. Advanced hunting's CloudAppEvents can also surface the consents, but 'AppGovernance' is not an advanced hunting table; alerts and Conditional Access policies only show what was already detected or blocked.
A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?
Create a Sentinel watchlist of known attacker IPs and compare with server logs
Enable Sysmon on the server and use its Event ID 3 (network connection) to find the IP
Ingest Windows Security Event logs (Event ID 4624) from the server into a Log Analytics workspace, and join with SigninLogs on account name and timestamp
Correct. SecurityEvent 4624 from the server and SigninLogs from Entra ID, joined on the account (normalised to the UPN) within a time window, reveal the on-premises logon that preceded the cloud sign-in. DeviceLogonEvents (option 4) only covers devices onboarded to Defender for Endpoint and holds no cloud sign-ins; Sysmon Event ID 3 shows connections, not the account that authenticated; a watchlist of attacker IPs assumes you already know them.
Use the DeviceLogonEvents table in Microsoft Defender XDR advanced hunting
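The cross-source correlation asked for in the last two questions (unusual sign-in followed by a password reset, and an on-premises logon followed by a cloud sign-in from a new IP) comes down to one pattern: normalise the account to a single key, join the two tables on it, and keep only pairs that fall inside a time window. The query below is an added example, not taken from the page, that does this for SecurityEvent 4624 and SigninLogs. Table and column names are the real schema; the assumptions are that the server's Security events land in the same workspace, that the on-premises sAMAccountName maps to the cloud UPN by appending @contoso.com, a 30-minute window, and a 30-day baseline for "known" sign-in IPs. Swapping SecurityEvent for AuditLogs (OperationName containing 'Reset password', initiator from InitiatedBy.user.userPrincipalName) gives the earlier scenario.

```kusto
// Added example (not from the page). Assumptions: @contoso.com suffix, 30m window, 30d IP baseline.
let lookback = 7d;
let window = 30m;
let upn_suffix = "@contoso.com";
// Interactive/network logons on the on-prem server, keyed by the cloud UPN
let onprem_logons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624 and LogonType in (3, 10)        // network or RemoteInteractive
    | where TargetUserName !endswith "$"                    // drop machine accounts
    | extend Upn = tolower(strcat(TargetUserName, upn_suffix))
    | project OnPremTime = TimeGenerated, Server = Computer, Upn,
              OnPremSourceIp = IpAddress, LogonType;
// IPs each account successfully used before the hunt window: our notion of "known"
let known_ips =
    SigninLogs
    | where TimeGenerated between (ago(30d) .. ago(lookback))
    | where ResultType == "0"                               // ResultType is a string column
    | summarize by Upn = tolower(UserPrincipalName), IPAddress;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| extend Upn = tolower(UserPrincipalName)
| join kind=leftanti known_ips on Upn, IPAddress            // keep sign-ins from IPs never seen for that user
| project CloudTime = TimeGenerated, Upn, IPAddress, Location, AppDisplayName
| join kind=inner onprem_logons on Upn                      // same account on both sides
| where CloudTime between (OnPremTime .. (OnPremTime + window))   // cloud sign-in shortly after the server logon
| project OnPremTime, Server, Upn, OnPremSourceIp, LogonType,
          CloudTime, IPAddress, Location, AppDisplayName
| order by CloudTime desc
```

SigninLogs only holds interactive user sign-ins; if the attacker used a token-based or non-interactive flow, union AADNonInteractiveUserSignInLogs before the join. The leftanti step against the baseline is what makes "new IP" precise rather than a guess from the Location column.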
A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?
Microsoft Defender for Endpoint
Microsoft Defender for Office 365 (Threat Explorer)
Correct. Threat Explorer in Microsoft Defender for Office 365 opens the email entity page, which shows delivery actions and location, phish simulation tags and campaign membership. The other products cover endpoints, identities and cloud apps, not individual emails.
Microsoft Defender for Identity
Microsoft Defender for Cloud Apps
During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?
Microsoft Defender for Endpoint
Microsoft Defender for Office 365
Microsoft Defender for Cloud Apps
Correct. Defender for Cloud Apps monitors SharePoint Online and OneDrive activity through the Office 365 connector and raises anomaly alerts such as unusual file download or access patterns. Defender for Identity covers on-premises Active Directory signals, Defender for Office 365 covers email and collaboration content, and Defender for Endpoint covers devices.
Microsoft Defender for Identity
A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?
DeviceProcessEvents
Correct. DeviceProcessEvents holds process creation (FileName, ProcessCommandLine, the parent in InitiatingProcess*), so joining it to DeviceNetworkEvents rows with RemotePort 3389 attributes each outbound RDP connection to a process. Note that DeviceNetworkEvents already carries InitiatingProcessFileName and InitiatingProcessCommandLine, so the join is only needed for details those columns lack, such as the parent process.
DeviceLogonEvents
DeviceFileEvents
DeviceRegistryEvents
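As an added example (not from the page), here is the join the answer describes, written so that it attributes each outbound RDP connection to the exact process that opened it. The join to DeviceProcessEvents pulls in the command line and parent process, and it keys on DeviceId, process ID and process creation time because process IDs are reused and a PID-only join can attach the wrong process. The 24-hour and 7-day lookbacks and the mstsc.exe exclusion are assumptions.

```kusto
// Added example (not from the page). Assumptions: 24h of network events, 7d of process events
// (so long-running processes still have a creation row), mstsc.exe is the expected RDP client.
let net_lookback = 24h;
let proc_lookback = 7d;
let rdp_connections =
    DeviceNetworkEvents
    | where Timestamp > ago(net_lookback)
    | where ActionType == "ConnectionSuccess" and RemotePort == 3389
    | project ConnTime = Timestamp, DeviceId, DeviceName, RemoteIP,
              InitiatingProcessId, InitiatingProcessCreationTime,
              InitiatingProcessFileName, InitiatingProcessAccountName;
DeviceProcessEvents
| where Timestamp > ago(proc_lookback)
| project DeviceId, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine,
          ParentFileName = InitiatingProcessFileName,
          ParentCommandLine = InitiatingProcessCommandLine
// PID + creation time identifies one process instance; PID alone does not
| join kind=inner rdp_connections on DeviceId,
      $left.ProcessId == $right.InitiatingProcessId,
      $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
| summarize Connections = count(),
            Targets = make_set(RemoteIP, 25),
            FirstSeen = min(ConnTime),
            LastSeen = max(ConnTime)
    by DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine,
       ParentFileName, ParentCommandLine
// fan-out (one process reaching several hosts) or any RDP client that is not mstsc.exe
| where array_length(Targets) > 1 or FileName !~ "mstsc.exe"
| order by Connections desc
```

A process created before the proc_lookback window has no creation row and drops out of the inner join; if that matters, switch to kind=rightouter and treat rows with an empty FileName as "attribution unknown" rather than as clean.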
During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?
The delivery location and whether the email was delivered to Inbox, Junk, or Quarantine.
The authentication statuses (SPF, DKIM, DMARC) for the sender domain.
The sender IP address and the recipient email address.
The detection technology (e.g., Advanced ML, Reputation) and if the email was part of a phish simulation or a campaign.
Correct. Detection details show how the email was flagged: the detection technologies (for example Advanced ML or Reputation), whether it was a phish simulation and which campaign it belongs to. Delivery location, authentication results and sender/recipient addresses sit in other sections of the entity page.
An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?
Trigger a training campaign for the user who reported the email.
Move the email to the tenant's shared mailbox for review.
Remove the Report Message add-in from Outlook to prevent false reports.
Soft-delete the email from the user's mailbox and other mailboxes that received the same message.
Correct. The AIR investigation started by a user-reported message ends with recommended actions such as soft-deleting the message from every mailbox that received it; those actions are approved in the Action center unless the tenant is configured for full automation. The other options are not automated response actions.
A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?
DeviceNetworkEvents | where RemoteIP == 'user@contoso.com' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
IdentityLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
DeviceLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
Correct. This query filters for the user's interactive logons, groups them into 10-minute windows, counts distinct DeviceNames and returns the windows where the count exceeds 5. Option 1 queries the wrong table and column, option 2 uses identity-side logon data rather than device logons, and option 4 counts rows per device instead of distinct devices. In production also require ActionType == 'LogonSuccess' (the table records failures too), widen LogonType to include 'RemoteInteractive', which is how RDP sessions are recorded, and add make_set(DeviceName) alongside dcount so the hit lists the devices.
DeviceLogonEvents | where AccountUpn == 'user@contoso.com' | summarize count() by DeviceName, bin(Timestamp, 10m) | where count_ > 5
A security operations analyst is reviewing recommendations in Microsoft Defender for Cloud. For a virtual machine that is missing critical security updates, which recommendation category will highlight this issue?
Secure score
Correct. Missing critical updates surface as a recommendation that counts against Secure score, and remediating it raises the score. Regulatory compliance maps recommendations to standards, Workload protections shows alerts and plan coverage, and Inventory lists resources.
Regulatory compliance
Workload protections
Inventory
A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)
Create an alert suppression rule based on alert entity
Correct. Suppression rules are scoped to an alert type and can be narrowed further to entities, such as specific IP addresses, hosts or resources.
Modify the alert's severity
Set an automatic response action
Define a rule to automatically dismiss alerts that meet criteria
Correct. A suppression rule with matching criteria (alert type, entity, expiry date) automatically dismisses new alerts that meet them. Changing the severity or attaching a response action does not stop the alert from being raised.
A security analyst reviews Microsoft Defender for Cloud recommendations for an Azure virtual machine. The VM has a recommendation titled 'Install endpoint protection solution on virtual machines'. The analyst clicks on the recommendation and sees affected resources. Which of the following best describes the purpose of this recommendation in the context of Defender for Cloud?
It identifies VMs that have an open network security group inbound rule that should be closed.
It suggests enabling Azure Firewall on the virtual network to protect the VM from external threats.
It recommends enabling disk encryption for the VM's OS and data disks.
It advises deploying a supported endpoint protection solution, such as Microsoft Defender Antivirus, to protect the VM from malware and other threats.
Correct. The recommendation prompts installation of endpoint protection software. Defender for Cloud integrates with Microsoft Defender Antivirus and supports partner solutions.
A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to secure its Azure virtual machines. A security analyst needs to grant a developer temporary RDP access to a specific VM for debugging purposes. Instead of using the default request approval flow, the analyst wants to configure an exemption so that the developer's access request never triggers a recommendation for that VM. Which action must the analyst perform?
Approve the access request once from the JIT blade and set a long expiration.
Add an exemption for the VM on the 'Management ports should be closed on just-in-time based virtual machines' recommendation.
Correct. Exempting the VM from the recommendation removes it from that recommendation's unhealthy resources and from secure score, so no finding is raised for it. The exemption changes no NSG rule; if the ports are open they stay open, now without a recommendation, so record a justification and an expiry date. A one-off JIT approval expires, a custom policy does not affect the built-in recommendation, and disabling JIT for the subscription removes protection everywhere.
Configure a custom Azure Policy to allow open management ports for that VM.
Disable the JIT solution for the entire subscription from the Defender for Cloud environment settings.
A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?
Azure Policy for Kubernetes add-on installation to enforce pod security policies.
Kubernetes audit logs are automatically streamed to the Log Analytics workspace.
Security alerts for container runtime threats, such as privilege escalation in a container.
Correct. The plan enables advanced threat detection, generating security alerts based on behavioral analytics of cluster activities.
Integration with Microsoft Sentinel for monitoring AKS logs.
A security analyst is using Microsoft Defender for Cloud's adaptive application controls (AAC) to allowlist trusted applications on Azure VMs. After enabling AAC and running in 'Audit' mode for a week, the analyst wants to switch to 'Enforce' mode. Which pre-requisite must be met before enforcement can be applied?
The VM must have the Guest Configuration extension installed.
A valid Microsoft Defender for Servers Plan 2 license must be assigned to the VM.
The VM must have a baseline of allowed applications generated from at least two weeks of audit data.
Correct. Adaptive application controls learn a baseline of known-good applications from audit data before you can act on it. Note that Defender for Cloud's adaptive application controls currently operate in audit mode only, alerting when a machine runs something outside the allowlist; blocking has to be enforced on the machine itself with a control such as AppLocker or Windows Defender Application Control.
The VM must be running on a supported operating system like Windows Server 2016 or later.
A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?
Azure Activity Logs
SigninLogs
Correct. SigninLogs holds interactive Entra ID sign-ins with ResultType codes (0 success, 50126 invalid credentials, 50053 account locked), which is exactly what a brute-force rule counts. Azure Activity logs are control-plane operations, Office Activity covers workload actions, and SecurityEvent is on-premises Windows logon data. Service and application sign-ins land in AADNonInteractiveUserSignInLogs and AADServicePrincipalSignInLogs, so widen the rule if those are in scope.
Office Activity Logs
SecurityEvent
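A starting point for such a rule, added here as an example and not taken from the page: it buckets failed sign-ins by source IP in 10-minute windows, tells brute force (many failures against few accounts) from password spray (few failures each across many accounts), and joins any successes from the same IP in the same window so a hit that followed the failures stands out. Table and column names are the real SigninLogs schema; the thresholds, the 1-day lookback and the chosen result codes are assumptions to tune.

```kusto
// Added example (not from the page). Assumptions: 10m windows, 10 failures = brute force,
// 10 distinct accounts = spray, 1d lookback. Result codes: 50126 bad password, 50053 locked,
// 50055 expired password, 50057 disabled account.
let window = 10m;
let bf_threshold = 10;
let spray_accounts = 10;
let lookback = 1d;
let successes =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                               // ResultType is a string column
    | summarize Successes = count(),
                SucceededAccounts = make_set(UserPrincipalName, 10)
        by IPAddress, WindowStart = bin(TimeGenerated, window);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in ("50126", "50053", "50055", "50057")
| summarize Failures = count(),
            Accounts = dcount(UserPrincipalName),
            AnyAccount = take_any(UserPrincipalName),       // single value for entity mapping
            AccountSample = make_set(UserPrincipalName, 10),
            ResultCodes = make_set(ResultType),
            Apps = make_set(AppDisplayName, 5),
            StartTime = min(TimeGenerated),
            EndTime = max(TimeGenerated)
    by IPAddress, Location, WindowStart = bin(TimeGenerated, window)
| extend Pattern = case(Accounts >= spray_accounts, "password spray",
                        Failures >= bf_threshold, "brute force",
                        "")
| where isnotempty(Pattern)
// a success from the same IP in the same window is the row to look at first
| join kind=leftouter successes on IPAddress, WindowStart
| project WindowStart, StartTime, EndTime, IPAddress, Location, Pattern,
          Failures, Accounts, Successes, SucceededAccounts,
          AnyAccount, AccountSample, ResultCodes, Apps
| order by Successes desc, Failures desc
```

To turn this into a scheduled analytics rule, map IPAddress to the IP entity and AnyAccount to the Account entity, keep lookback aligned with the rule's query period so windows are not counted twice, and prefer the rule's own alert threshold over hard-coded counts when you expect to tune them without editing KQL.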
A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?
Azure Logic Apps trigger
Correct. Playbooks are Logic Apps workflows, and the Microsoft Sentinel connector supplies the Logic Apps triggers that start them ('Microsoft Sentinel alert', 'Microsoft Sentinel incident' and 'Microsoft Sentinel entity'); an automation rule, or the alert automation on an analytics rule, then invokes the playbook. The other options name concepts that are not trigger types.
Sentinel trigger
Alert trigger
Automation rule trigger
A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?
Provision compute → Clone Sentinel notebooks → Connect to workspace → Execute cells
Correct. Compute is provisioned first (an Azure Machine Learning compute instance), the Sentinel notebooks are cloned onto that compute, the notebook is connected to the Log Analytics workspace, and only then are cells executed.
Clone Sentinel notebooks → Provision compute → Connect to workspace → Execute cells
Connect to workspace → Provision compute → Clone Sentinel notebooks → Execute cells
Provision compute → Connect to workspace → Clone Sentinel notebooks → Execute cells
A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?
Set the alert threshold to 5 occurrences within the query lookback period.
Correct. Alert threshold sets a minimum number of matching events required to generate an alert, reducing noise from single anomalous but benign logins.
Enable entity mapping for the user account to correlate with other data sources.
Increase the query scheduling frequency to every 5 minutes from every hour.
Group all events into a single alert and set the suppression limit to 1 hour.
A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?
CommonSecurityLog | where SourceIP == '10.0.0.1' | summarize totalBytes = sum(SentBytes) by bin(TimeGenerated, 5m) | where totalBytes > 100000000
Correct. This groups events into 5-minute windows, sums SentBytes per window and keeps the windows over 100 MB (100000000 bytes). Option 2 only labels each row with its window and compares single events; option 3 builds a list and compares its length, not a byte total; option 4 counts events that are individually over 100 MB rather than summing bytes per window. SourceIP and SentBytes are the CommonSecurityLog column names.
CommonSecurityLog | where SourceIP == '10.0.0.1' | extend bin = bin(TimeGenerated, 5m) | where SentBytes > 100000000
CommonSecurityLog | where SourceIP == '10.0.0.1' | summarize make_list(SentBytes) by TimeGenerated | where array_length(list_SentBytes) > 100000000
CommonSecurityLog | where SourceIP == '10.0.0.1' | project SentBytes, TimeGenerated | where SentBytes > 100000000 | summarize count() by bin(TimeGenerated, 5m)
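A fuller version of the two exfiltration queries on this page (the top-sources question in the threat-hunting section and the 5-minute-window question above), added here as an example and not taken from the page: it aggregates SentBytes per source in 5-minute windows, keeps only windows over the threshold, and then ranks sources by how much they sent in those windows. CommonSecurityLog, SourceIP, DestinationIP and SentBytes are the table's real columns; the 7-day lookback, the 100 MB threshold and the exclusion of private destination ranges are assumptions to adjust.

```kusto
// Added example (not from the page). Assumptions: CommonSecurityLog is fed by a firewall or proxy
// connector, 100000000 bytes per 5-minute window is the threshold of interest, and traffic to
// private address space is not exfiltration.
let lookback = 7d;
let window = 5m;
let threshold = 100000000;                         // 100 MB per window, as in the question
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SourceIP) and isnotempty(DestinationIP) and SentBytes > 0
| where not(ipv4_is_private(DestinationIP))        // external destinations only (IPv6 rows drop out here)
// step 1: bytes per source per 5-minute window
| summarize WindowBytes = sum(SentBytes),
            Destinations = dcount(DestinationIP)
    by SourceIP, WindowStart = bin(TimeGenerated, window)
// step 2: keep only the windows over the threshold
| where WindowBytes > threshold
// step 3: roll the offending windows up per source and rank
| summarize WindowsOverThreshold = count(),
            BytesOverThreshold = sum(WindowBytes),
            PeakWindowBytes = max(WindowBytes),
            MaxDestinationsInWindow = max(Destinations),
            FirstSeen = min(WindowStart),
            LastSeen = max(WindowStart)
    by SourceIP
| top 10 by BytesOverThreshold desc
```

Summing per window before ranking is what separates a sustained bulk transfer from a source that is simply busy all week; a single top-N over the raw table would rank the proxy or backup server first every time.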
A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?
Create a Syslog data connector and specify the facility and severity to filter the application logs from /var/log.
Configure the Log Analytics agent to collect performance counters for the application process.
Use the Custom Logs feature in the Log Analytics workspace to specify the path to the application log file and define the log type name.
Correct. Custom Logs in the Log Analytics workspace ingest text files by monitoring the configured paths and parsing each line into a custom table named after the log type with a _CL suffix. Syslog collection only covers messages sent through the syslog daemon, performance counters are numeric metrics, and the gateway is a proxy rather than a collector. Note that the Log Analytics agent was retired in August 2024; with the Azure Monitor Agent the equivalent is a data collection rule with a custom text log data source writing to a custom table.
Deploy a Log Analytics gateway and configure the application to write directly to the gateway using the HTTP Data Collector API.
The SC-200 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.
Security operations scenario questions covering Microsoft Sentinel, Defender XDR, Defender for Cloud, and incident investigation and response.
The exam covers 6 domains: Manage a security operations environment, Respond to security incidents, Perform threat hunting, Mitigate threats using Microsoft Defender XDR, Mitigate threats using Microsoft Defender for Cloud, Mitigate threats using Microsoft Sentinel. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Microsoft SC-200 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.