Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Microsoft · Free Practice Questions · Last reviewed May 2026

SC-200 Exam Questions and Answers

36 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right and why the others are wrong.

50 exam questions
120 min time limit
Pass mark: 700/1000
6 exam domains
1. Manage a security operations environment
2. Respond to security incidents
3. Perform threat hunting
4. Mitigate threats using Microsoft Defender XDR
5. Mitigate threats using Microsoft Defender for Cloud
6. Mitigate threats using Microsoft Sentinel

Domain 1: Manage a security operations environment

Q1 (medium)

Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?

A

Configure an analytics rule to set the incident owner to the senior analyst and enable Teams integration in Sentinel settings.

B

Create a playbook that reassigns incidents and posts to Teams, and attach it to an automation rule triggered by high-severity incidents.

C

Create a workbook that filters high-severity incidents and configure a Teams webhook in the workbook settings.

D

Create an automation rule that runs when an incident is created with severity High, sets the owner to the senior analyst, and then runs a playbook to post a message to Teams.

Automation rules can assign owners and trigger playbooks that post to Teams.

Why: Option D is correct because automation rules in Microsoft Sentinel can directly set the incident owner when an incident is created, and then trigger a playbook to post a message to Microsoft Teams. This two-step configuration ensures high-severity incidents are automatically assigned to the senior analyst on call and the SOC team is notified via Teams without manual intervention.
Q2 (hard)

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?

A

Create a data loss prevention (DLP) policy in Microsoft Purview that triggers on failed logins.

B

Deploy a session policy in Defender for Cloud Apps that blocks after 50 failed logins.

C

Configure an app connector for each SaaS app and then create a custom activity policy.

D

Enable the 'Multiple failed login attempts' anomaly detection policy in Defender for Cloud Apps.

Anomaly detection policies include built-in templates for failed login attempts.

Why: Option D is correct because Microsoft Defender for Cloud Apps includes a built-in anomaly detection policy named 'Multiple failed login attempts' that specifically monitors for a high volume of failed logins from a single user within a short time window. This policy is enabled by default and can be customized to trigger alerts when the threshold (e.g., more than 50 failed attempts in 10 minutes) is exceeded, without requiring any additional configuration or custom policy creation.
Q3 (easy)

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

A

A mail flow rule in Exchange Online configured to forward alerts.

B

Microsoft 365 Defender email notification settings.

Microsoft 365 Defender can send email alerts for incidents and alerts.

C

Microsoft Defender for Cloud Apps notification settings.

D

A Microsoft Sentinel analytics rule configured to send email notifications.

Why: The automated email alerting a user about possible credential theft is sent by Microsoft 365 Defender's built-in email notification settings. These settings allow security teams to configure notifications for specific alert severities or categories, such as credential theft, directly from the Microsoft 365 Defender portal. The email includes a link to investigate the alert, which aligns with the notification functionality within Microsoft 365 Defender.
Q4 (medium)

Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?

A

Examine the analytics rule that creates incidents from Microsoft Defender for Office 365 alerts and verify the severity threshold.

The analytics rule filters alerts; a severity threshold may be too high.

B

Check the Microsoft 365 Defender portal to confirm that the alerts are being generated.

C

Review the Microsoft Sentinel workbooks for any visualization errors.

D

Verify that the Microsoft Defender for Office 365 data connector in Microsoft Sentinel is connected and data is ingested.

Why: Option A is correct because the analytics rule that maps Microsoft Defender for Office 365 alerts to incidents in Microsoft Sentinel includes a severity threshold filter. If the rule is configured to only create incidents for alerts with a severity of 'High' or 'Medium', alerts with 'Low' severity or 'Informational' will be silently dropped and not generate incidents. Verifying and adjusting this threshold directly addresses the root cause of missing incidents.
Q5 (hard)

Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?

A

The latency is determined solely by the MDI sensor health and network speed.

B

The incident creation time is controlled by the Microsoft Defender for Cloud Apps connector.

C

The incident will be created within 5 minutes because MDI writes directly to Microsoft Sentinel.

D

The latency depends on the Microsoft 365 Defender connector's polling interval and the analytics rule's frequency.

The connector polls every few minutes, and the analytics rule runs on a schedule.

Why: Option D is correct because the incident creation latency in this architecture depends on two factors: the Microsoft 365 Defender connector's polling interval (which retrieves alerts from Microsoft 365 Defender) and the frequency of the Microsoft Sentinel analytics rule that creates incidents from those ingested alerts. Even if MDI sends alerts quickly to Microsoft 365 Defender, the connector polls at a configurable interval (default every 5 minutes), and the analytics rule runs on its own schedule (typically every 5 minutes). Thus, the total time to incident creation is the sum of these intervals, not a fixed 5 minutes.
Q6 (easy)

Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?

A

A playbook that uses the Microsoft Graph API to disable the user.

Playbooks can automate response actions like disabling a user.

B

An analytics rule that includes a query to disable the user.

C

An automation rule that runs a PowerShell script on a hybrid worker.

D

A workbook that triggers a webhook to disable the user.

Why: A playbook is the correct component because it is an automated workflow that can be triggered by a Microsoft Sentinel incident. By using the Microsoft Graph API within the playbook, you can programmatically disable a user account in Microsoft Entra ID, which is the required action for a high-severity incident. This aligns with the need for an automated response that integrates Sentinel with identity management.


Domain 2: Respond to security incidents

Q1 (medium)

You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?

A

Disable the user's account

B

Revoke the user's active sessions

C

Reset the user's password

D

Block the malicious domain on the firewall

Blocking the domain prevents further access to the malicious site, containing the threat.

Why: The correct action is to block the malicious domain at the firewall or proxy to prevent further access. Disabling the user account might be premature if no compromise is confirmed. Resetting the password and revoking sessions are post-compromise steps. Blocking the domain is immediate containment.
Q2 (hard)

During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)

A

Block the unapproved cloud storage app

Blocking the app prevents further uploads.

B

Suspend the user's account

Suspending the account stops the user from accessing resources.

C

Notify the user about the policy violation

D

Initiate a legal hold on the user's data

Why: The immediate actions are to suspend the user's access to prevent further data exfiltration and block the unapproved app to stop data uploads. Initiating a legal hold and notifying the user are later steps.
Q3 (easy)

Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?

A

Block the source IP address on the firewall

B

Investigate the incident details

Investigation confirms the attack and provides context.

C

Notify the users of the failed login attempts

D

Reset passwords for all affected accounts

Why: The first step is to investigate the incident to confirm it's a true positive and assess scope. Blocking the IP might be premature without verification. Resetting passwords and notifying users come after confirmation.
Q4 (medium)

An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?

A

Isolate the device from the network

Isolation prevents further spread and encryption.

B

Disable the user's account

C

Run a full antivirus scan on the device

D

Collect a memory dump from the device

Why: The immediate containment action is to isolate the device from the network to stop lateral movement and encryption. Running antivirus or collecting forensic data is secondary. Disabling the user account does not stop the device.
Q5 (hard)

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?

A

The user's account is compromised

Unusual location and anomalous data access strongly indicate compromise.

B

The alert is a false positive due to user travel

C

The user is an insider threat

D

The user is conducting a ransomware attack

Why: The combination of unusual location and mass download of sensitive files by a low-privilege user suggests account compromise. It is not necessarily ransomware or a false positive, and insider threat is less likely without evidence of intent.
Q6 (easy)

In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?

A

Run an automated playbook to contain the threat

B

Close the incident as false positive

C

Triage the incident by reviewing the evidence

Triage confirms the validity and urgency.

D

Escalate the incident to senior management

Why: Option C is correct because the first step in incident response within Microsoft Sentinel is to triage the incident by reviewing the evidence. A Fusion rule correlates multiple alerts into a single incident, and the analyst must examine the correlated alerts, entities, and timeline to validate the incident's legitimacy and understand the scope before taking any action. Automated playbooks or escalations should only occur after triage confirms the incident is a genuine threat.


Domain 3: Perform threat hunting

Q1 (easy)

A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?

A

... | where SentBytes > 1000000 | project SourceIP, SentBytes

B

... | extend TotalBytes=SentBytes | summarize count() by SourceIP

C

... | project SourceIP, SentBytes | sort by SentBytes desc

D

... | summarize TotalBytes=sum(SentBytes) by SourceIP | top 10 by TotalBytes desc

Correctly uses summarize with sum and top to find top source IPs by total sent bytes.

Why: The summarize operator with the sum() aggregation computes total bytes per source IP, and top 10 limits the output to the highest totals. Option D is correct. Option A (where) filters rows but does not aggregate. Option C (project) only selects columns. Option B (extend) adds a computed column but never sums the bytes; its summarize counts rows instead.
Q2 (medium)

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?

A

DeviceNetworkEvents table, SHA256 column

B

DeviceEvents table, SHA256 column

C

DeviceProcessEvents table, SHA256 column

DeviceProcessEvents records process executions with SHA256 hash.

D

DeviceFileEvents table, SHA256 column

Why: DeviceProcessEvents contains process execution events, and its SHA256 column stores the hash of the executed file. Option C is correct. Option D (DeviceFileEvents) covers file creation and modification, not execution. Option A (DeviceNetworkEvents) covers network connections. Option B (DeviceEvents) is a generic table that may not include the process hash.
Q3 (hard)

During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?

A

Upload the CSV to a custom threat intelligence feed using the Threat Intelligence - Upload Indicators API

This makes the IPs available as threat intelligence indicators for use in detection rules.

B

Add the IPs to a Microsoft Sentinel watchlist and reference the watchlist in an analytics rule

C

Create a custom analytics rule that includes the IPs as inline indicators

D

Use Azure Logic Apps to create a playbook that blocks the IPs automatically

Why: Option A is correct because Microsoft Sentinel can ingest threat intelligence from custom CSV files via the Threat Intelligence - Upload Indicators API or a TAXII connector; the analyst can upload the CSV as a new threat intelligence feed. Option B (watchlist) is for temporary lookups, not persistent IOCs for detection. Option C (custom analytics rule) would require the rule to reference the data inline, so the IOCs are never stored as indicators. Option D (Azure Logic Apps) could automate a response but is not the primary method for persisting IOCs.
Q4 (easy)

A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?

A

Use a Microsoft Sentinel playbook to automatically flag any password reset

B

Write a KQL query that joins SigninLogs with AuditLogs on user principal name and times within a short window

This correlates the two events to detect the sequence of unusual login followed by password reset.

C

Search the SigninLogs table for logins from unusual locations

D

Create a watchlist of known unusual locations and use it in a query against AuditLogs

Why: Option B (a KQL query joining the two tables) is correct because it correlates sign-in events from SigninLogs with password reset events from AuditLogs, combining the two conditions. Option C (a single table) cannot correlate two different event types. Option D (watchlist) holds static data and does not provide the time-based correlation. Option A (playbook) is for automated response, not hunting.
Q5 (medium)

A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?

A

Review Conditional Access app control policies for any block rules

B

Check Microsoft 365 Defender alerts for malicious OAuth apps

C

Query the Microsoft 365 Defender advanced hunting table 'CloudAppEvents' for app installation events and then use 'AppGovernance' to list all apps

D

Use the Cloud App Security activity log to search for 'Install app' events and then review the 'App governance' dashboard for all instances

This allows hunting for the app installations and then investigating all instances via app governance.

Why: Option D (search the activity log for app installations, then investigate all instances in App governance) is correct because it first identifies the app via its installation events and then uses app analytics to scope every instance. Option A (Conditional Access app control policies) is reactive, not hunting. Option B (alerts) only catches known threats. Option C (advanced hunting plus App governance) can list apps but may not show all historical installations; the activity log is more comprehensive for hunting.
Q6 (hard)

A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?

A

Create a Sentinel watchlist of known attacker IPs and compare with server logs

B

Enable Sysmon on the server and use its Event ID 3 (network connection) to find the IP

C

Ingest Windows Security Event logs (Event ID 4624) from the server into a Log Analytics workspace, and join with SigninLogs on account name and timestamp

This correlates on-premises logon events with cloud sign-ins to find the compromise path.

D

Use the DeviceLogonEvents table in Microsoft Defender XDR advanced hunting

Why: Option C is correct because the server's Security Event ID 4624 (account logon) identifies the logon session, and the account's name and timestamp can then be correlated with the Azure AD SigninLogs entries. Option D (DeviceLogonEvents) applies to devices onboarded to Microsoft Defender for Endpoint, not on-premises servers without MDE. Option B (Sysmon) requires additional configuration. Option A (Sentinel watchlist) is static and not suitable for dynamic correlation.


Domain 4: Mitigate threats using Microsoft Defender XDR

Q1 (easy)

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

A

Microsoft Defender for Endpoint

B

Microsoft Defender for Office 365 (Threat Explorer)

Threat Explorer provides a detailed email entity view including delivery actions, phish simulation, and campaign information.

C

Microsoft Defender for Identity

D

Microsoft Defender for Cloud Apps

Why: Microsoft Defender for Office 365's Threat Explorer (now part of the unified investigation experience) provides a detailed entity view of an email, including delivery actions (e.g., delivered to Junk, blocked, or allowed), whether the email was part of a phishing simulation, and the associated campaign information. This tool is specifically designed for deep email threat investigation within the Defender for Office 365 portal, leveraging telemetry from Exchange Online Protection (EOP) and Defender for Office 365.
Q2 (medium)

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A

Microsoft Defender for Endpoint

B

Microsoft Defender for Office 365

C

Microsoft Defender for Cloud Apps

Defender for Cloud Apps monitors cloud app activity including SharePoint Online and can alert on suspicious file access.

D

Microsoft Defender for Identity

Why: Microsoft Defender for Cloud Apps (Option C) is the correct workload because it provides visibility into cloud application usage, including SharePoint Online, and can generate alerts for suspicious file access patterns such as mass download, unusual file sharing, or access from anomalous locations. It uses behavioral analytics and anomaly detection to identify compromised accounts accessing sensitive data in SaaS applications like SharePoint.
Q3 (hard)

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

A

DeviceProcessEvents

DeviceProcessEvents contains process creation events, which can be joined with network events to identify the process initiating the RDP connection.

B

DeviceLogonEvents

C

DeviceFileEvents

D

DeviceRegistryEvents

Why: The DeviceNetworkEvents table logs network connections, including outgoing RDP traffic (port 3389). To identify which process initiated a specific outgoing RDP connection, you must join with the DeviceProcessEvents table on DeviceId and Timestamp (or ProcessId), because DeviceProcessEvents contains the process creation details (e.g., mstsc.exe) that launched the network connection. This join reveals the parent process responsible for the lateral movement attempt.
Q4 (medium)

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

A

The delivery location and whether the email was delivered to Inbox, Junk, or Quarantine.

B

The authentication statuses (SPF, DKIM, DMARC) for the sender domain.

C

The sender IP address and the recipient email address.

D

The detection technology (e.g., Advanced ML, Reputation) and if the email was part of a phish simulation or a campaign.

Correct. Detection details show how the email was flagged, including specific technologies, simulation tags, and campaign information.

Why: Option D is correct because the 'Detection details' section on the email entity page in Microsoft 365 Defender specifically shows the detection technology used (e.g., Advanced ML, Reputation, Bulk) and whether the email was part of a phishing simulation or a campaign. This information helps analysts understand how the email was identified as malicious and its context within broader threat activity.
Q5 (easy)

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

A

Trigger a training campaign for the user who reported the email.

B

Move the email to the tenant's shared mailbox for review.

C

Remove the Report Message add-in from Outlook to prevent false reports.

D

Soft-delete the email from the user's mailbox and other mailboxes that received the same message.

Correct. AIR can automatically delete the reported email across the organization to contain the threat.

Why: When a user reports a phishing email via the Report Message add-in, the automated investigation and response (AIR) playbook in Microsoft Defender for Office 365 can automatically soft-delete the email from the user's mailbox and from all other mailboxes that received the same message. This action is part of the built-in remediation steps that AIR can take after confirming the threat, leveraging the email entity's hash or message ID to perform tenant-wide removal via the threat protection pipeline.
Q6 (hard)

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

A

DeviceNetworkEvents | where RemoteIP == 'user@contoso.com' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5

B

IdentityLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5

C

DeviceLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5

Correct. This query filters for the user's interactive logons, groups by 10-minute windows, counts distinct DeviceNames, and returns windows where the count exceeds 5.

D

DeviceLogonEvents | where AccountUpn == 'user@contoso.com' | summarize count() by DeviceName, bin(Timestamp, 10m) | where count_ > 5

Why: Option C is correct because DeviceLogonEvents is the Microsoft 365 Defender table that captures logon events on devices, including RDP interactive logons. The query filters for the specific user account and interactive logon type, then uses summarize with dcount(DeviceName) by bin(Timestamp, 10m) to count distinct devices within each 10-minute window, and finally filters for windows where the distinct device count exceeds 5, which matches the lateral movement scenario.
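The following is an added example, not part of the original question set: a Python emulation of the Option C query (filter, bin(Timestamp, 10m), dcount(DeviceName), threshold) run over constructed DeviceLogonEvents-style records, with the Option D aggregation alongside it to show why counting logons per device misses the "one account, many devices" pattern. The column names mirror the Defender XDR table; the sample rows, device names and timestamps are constructed for the demonstration.

```python
# Added example (not the page's own code): emulate the Option C KQL query
# over constructed DeviceLogonEvents-style rows so the bin/dcount logic can
# be checked offline.
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def _ts(minute):
    """Constructed timestamp: a fixed base time plus `minute` minutes."""
    return datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc) + timedelta(minutes=minute)


# Constructed sample rows: user@contoso.com logs on interactively to six
# distinct workstations in the 09:00-09:10 window (lateral movement pattern),
# then seven times to a single workstation in the 09:10-09:20 window.
SAMPLE_EVENTS = (
    [{"Timestamp": _ts(1), "AccountUpn": "user@contoso.com",
      "LogonType": "Interactive", "DeviceName": f"ws{i:02d}"} for i in range(6)]
    + [{"Timestamp": _ts(12 + i), "AccountUpn": "user@contoso.com",
        "LogonType": "Interactive", "DeviceName": "ws00"} for i in range(7)]
    + [{"Timestamp": _ts(3), "AccountUpn": "user@contoso.com",
        "LogonType": "Network", "DeviceName": "fs01"},          # excluded by LogonType filter
       {"Timestamp": _ts(4), "AccountUpn": "other@contoso.com",
        "LogonType": "Interactive", "DeviceName": "ws99"}]     # excluded by AccountUpn filter
)


def bin_timestamp(ts, minutes=10):
    """Emulate KQL bin(Timestamp, 10m): floor the timestamp to the window start."""
    epoch_minutes = int(ts.timestamp() // 60)
    floored = epoch_minutes - epoch_minutes % minutes
    return datetime.fromtimestamp(floored * 60, tz=timezone.utc)


def distinct_devices_per_window(events, account, threshold=5, window_minutes=10):
    """Option C:
       where AccountUpn == account and LogonType == 'Interactive'
       | summarize dcount(DeviceName) by bin(Timestamp, 10m)
       | where dcount_DeviceName > threshold
    Returns {window_start: distinct_device_count} for windows over the threshold."""
    devices_by_bin = defaultdict(set)
    for e in events:
        if e["AccountUpn"] == account and e["LogonType"] == "Interactive":
            devices_by_bin[bin_timestamp(e["Timestamp"], window_minutes)].add(e["DeviceName"])
    return {b: len(d) for b, d in sorted(devices_by_bin.items()) if len(d) > threshold}


def logons_per_device_window(events, account, threshold=5, window_minutes=10):
    """Option D, for comparison:
       where AccountUpn == account
       | summarize count() by DeviceName, bin(Timestamp, 10m)
       | where count_ > threshold
    Flags repeated logons to ONE device; it cannot see spread across devices."""
    counts = defaultdict(int)
    for e in events:
        if e["AccountUpn"] == account:
            counts[(e["DeviceName"], bin_timestamp(e["Timestamp"], window_minutes))] += 1
    return {k: v for k, v in counts.items() if v > threshold}


if __name__ == "__main__":
    print("Option C windows:", distinct_devices_per_window(SAMPLE_EVENTS, "user@contoso.com"))
    print("Option D hits:   ", logons_per_device_window(SAMPLE_EVENTS, "user@contoso.com"))
```

On the constructed data the Option C emulation flags only the 09:00 window (six distinct devices), while the Option D emulation flags only the 09:10 window (seven logons to ws00) and misses the fan-out entirely, which is the distinction the explanation above relies on.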


Domain 5: Mitigate threats using Microsoft Defender for Cloud

Q1 (easy)

A security operations analyst is reviewing recommendations in Microsoft Defender for Cloud. For a virtual machine that is missing critical security updates, which recommendation category will highlight this issue?

A

Secure score

Secure score includes recommendations for remediating vulnerabilities like missing critical updates.

B

Regulatory compliance

C

Workload protections

D

Inventory

Why: In Microsoft Defender for Cloud, the Secure score category directly reflects the security posture of your resources by tracking the implementation of security recommendations. Missing critical security updates on a virtual machine are flagged as a recommendation within this category, and resolving them improves your secure score percentage. This is because secure score is calculated based on the compliance status of each recommendation, with missing updates being a key control for vulnerability management.
Q2 (medium)

A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)

A

Create an alert suppression rule based on alert entity

Alert suppression rules can be configured to suppress alerts based on entity, such as specific IP addresses or resources.

B

Modify the alert's severity

C

Set an automatic response action

D

Define a rule to automatically dismiss alerts that meet criteria

You can create suppression rules that automatically dismiss alerts based on criteria like alert type or entity.

Why: Options A and D are correct because both describe Microsoft Defender for Cloud suppression rules, which automatically dismiss alerts that match specific criteria (such as alert type, title, or entity) to reduce noise. These rules are configured in the security alerts settings and can be scoped to a subscription or management group, so matching alerts are silently dismissed without generating incidents.
Q3 (easy)

A security analyst reviews Microsoft Defender for Cloud recommendations for an Azure virtual machine. The VM has a recommendation titled 'Install endpoint protection solution on virtual machines'. The analyst clicks on the recommendation and sees affected resources. Which of the following best describes the purpose of this recommendation in the context of Defender for Cloud?

A. It identifies VMs that have an open network security group inbound rule that should be closed.
B. It suggests enabling Azure Firewall on the virtual network to protect the VM from external threats.
C. It recommends enabling disk encryption for the VM's OS and data disks.
D. It advises deploying a supported endpoint protection solution, such as Microsoft Defender Antivirus, to protect the VM from malware and other threats.
   Correct. The recommendation prompts installation of endpoint protection software. Defender for Cloud integrates with Microsoft Defender Antivirus and supports partner solutions.

Why: Option D is correct because the recommendation 'Install endpoint protection solution on virtual machines' in Microsoft Defender for Cloud specifically identifies VMs that lack a supported endpoint protection solution (e.g., Microsoft Defender Antivirus, Trend Micro, Symantec). Its purpose is to ensure that VMs are protected against malware, viruses, and other threats by deploying an endpoint protection solution, which is a core security control in the cloud security posture management (CSPM) framework.
Q4 (medium)

A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to secure its Azure virtual machines. A security analyst needs to grant a developer temporary RDP access to a specific VM for debugging purposes. Instead of using the default request approval flow, the analyst wants to configure an exemption so that the developer's access request never triggers a recommendation for that VM. Which action must the analyst perform?

A. Approve the access request once from the JIT blade and set a long expiration.
B. Add an exemption for the VM on the 'Management ports should be closed on just-in-time based virtual machines' recommendation.
   Correct. Exempting the VM from the recommendation disables JIT monitoring for that VM, allowing permanent open ports without alerts.
C. Configure a custom Azure Policy to allow open management ports for that VM.
D. Disable the JIT solution for the entire subscription from the Defender for Cloud environment settings.

Why: To prevent a specific VM from triggering a recommendation for open management ports, you must add an exemption directly on the 'Management ports should be closed on just-in-time based virtual machines' recommendation in Defender for Cloud. This exemption tells the recommendation engine to exclude that VM from compliance evaluation, so no alert or recommendation is generated for it. Approving a request with a long expiration does not suppress the underlying recommendation; it only grants temporary access.
Q5 (medium)

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?

A. Azure Policy for Kubernetes add-on installation to enforce pod security policies.
B. Kubernetes audit logs are automatically streamed to the Log Analytics workspace.
C. Security alerts for container runtime threats, such as privilege escalation in a container.
   Correct. The plan enables advanced threat detection, generating security alerts based on behavioral analytics of cluster activities.
D. Integration with Microsoft Sentinel for monitoring AKS logs.

Why: Option C is correct because enabling the Defender for Containers plan in Microsoft Defender for Cloud activates host-level and cluster-level threat detection for AKS, including runtime threat protection. This allows Defender for Cloud to generate security alerts for container-specific threats such as privilege escalation, container breakout, and suspicious process execution within containers, which are not available with just the basic Defender for Cloud enabled on the subscription.
Q6 (easy)

A security analyst is using Microsoft Defender for Cloud's adaptive application controls (AAC) to allowlist trusted applications on Azure VMs. After enabling AAC and running in 'Audit' mode for a week, the analyst wants to switch to 'Enforce' mode. Which pre-requisite must be met before enforcement can be applied?

A. The VM must have the Guest Configuration extension installed.
B. A valid Microsoft Defender for Servers Plan 2 license must be assigned to the VM.
C. The VM must have a baseline of allowed applications generated from at least two weeks of audit data.
   Correct. AAC requires a baseline of known good applications from audit mode before enforcement can block unapproved applications.
D. The VM must be running on a supported operating system like Windows Server 2016 or later.

Why: Adaptive application controls require a minimum of two weeks of audit data to establish a reliable baseline of allowed applications before enforcement can be applied. This baseline ensures that legitimate applications are not blocked when switching from Audit to Enforce mode, reducing false positives and operational disruptions.


Domain 6: Mitigate threats using Microsoft Sentinel

Q1 (easy)

A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?

A. Azure Activity Logs
B. SigninLogs
   SigninLogs contain successful and failed sign-in events needed to detect brute force attacks.
C. Office Activity Logs
D. SecurityEvent

Why: SigninLogs captures user authentication attempts to Microsoft Entra ID, including failed sign-ins, which are essential for detecting brute force attacks. This data source provides detailed properties such as IP address, application, and status codes (e.g., 50076 for invalid password), enabling accurate detection of repeated failed attempts. Azure Activity Logs, Office Activity Logs, and SecurityEvent do not contain Entra ID authentication events.
Q2 (medium)

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

A. Azure Logic Apps trigger
   Playbooks are Logic Apps workflows; they use a built-in Logic Apps trigger to respond to Sentinel alerts.
B. Sentinel trigger
C. Alert trigger
D. Automation rule trigger

Why: In Microsoft Sentinel, playbooks are built on Azure Logic Apps, and the correct trigger to invoke a playbook automatically when an alert is generated is the Azure Logic Apps trigger. This trigger listens for the Sentinel alert creation event and initiates the playbook workflow. The other options are not valid trigger concepts within Sentinel's architecture.
Q3 (hard)

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

A. Provision compute → Clone Sentinel notebooks → Connect to workspace → Execute cells
   This order follows the recommended setup: compute first, then notebooks, then workspace connection, then execution.
B. Clone Sentinel notebooks → Provision compute → Connect to workspace → Execute cells
C. Connect to workspace → Provision compute → Clone Sentinel notebooks → Execute cells
D. Provision compute → Connect to workspace → Clone Sentinel notebooks → Execute cells

Why: Option A is correct because the correct sequence to start executing a Jupyter notebook for threat hunting in Microsoft Sentinel is to first provision compute (i.e., create a compute instance in Azure Machine Learning), then clone the Sentinel notebooks from the official GitHub repository, connect to the Sentinel workspace using the msticpy library, and finally execute the cells. This order ensures the compute environment is ready before loading the notebooks and establishing the workspace connection.
Q4 (medium)

A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?

A. Set the alert threshold to 5 occurrences within the query lookback period.
   Correct. Alert threshold sets a minimum number of matching events required to generate an alert, reducing noise from single anomalous but benign logins.
B. Enable entity mapping for the user account to correlate with other data sources.
C. Increase the query scheduling frequency to every 5 minutes from every hour.
D. Group all events into a single alert and set the suppression limit to 1 hour.

Why: Option A is correct because setting an alert threshold (e.g., 5 occurrences within the query lookback period) reduces false positives by requiring the anomalous behavior to be persistent rather than a single outlier. In Microsoft Sentinel, the alert threshold filters out noise from occasional legitimate logins that might accidentally fall outside business hours or the known IP range, ensuring the rule only fires when the pattern is repeated enough to indicate a real threat.
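A scheduled-rule query for the Q4 scenario, added here as an illustration; it is not part of the original question set. The monitored account, the corporate IP range and the 08:00 to 18:00 UTC business-hours window are placeholder assumptions. It also shows the practical side of the threshold answer: Sentinel evaluates the alert threshold against the number of rows the query returns, so a query that summarizes to one row per account must apply the minimum count itself (the final where), whereas a query that returns one row per sign-in can leave the counting to the rule's "Generate alert when number of query results is greater than" setting. The same summarize-and-threshold pattern, counting rows with ResultType != "0" instead of successful sign-ins, is what the brute force rule in Q1 of this domain needs.

```kql
// Added example for the Q4 scenario; not taken from the original page.
// Placeholders (assumptions): monitored account, corporate IP range
// (TEST-NET-3 documentation prefix) and business hours of 08:00-18:00 UTC.
let MonitoredUser  = "svc-finance@contoso.example";     // placeholder UPN
let KnownRanges    = dynamic(["203.0.113.0/24"]);       // placeholder corporate range
let BusinessStart  = 8;                                  // 08:00 UTC
let BusinessEnd    = 18;                                 // 18:00 UTC
let MinOccurrences = 5;                                  // mirrors the rule's alert threshold
SigninLogs
| where TimeGenerated > ago(1h)                          // match the rule's query lookback
| where UserPrincipalName =~ MonitoredUser
| where ResultType == "0"                                // successful sign-ins only
| extend HourUtc = hourofday(TimeGenerated)
| extend OutsideHours = HourUtc < BusinessStart or HourUtc >= BusinessEnd
| extend OutsideRange = not(ipv4_is_in_any_range(IPAddress, KnownRanges))
| where OutsideHours or OutsideRange
| summarize Occurrences = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated),
            SourceIPs   = make_set(IPAddress, 20),
            Apps        = make_set(AppDisplayName, 20)
          by UserPrincipalName
| where Occurrences >= MinOccurrences
```

The summarized columns (UserPrincipalName, SourceIPs, FirstSeen, LastSeen) are the fields you would map to the Account and IP entities and surface in the alert description, so an analyst sees the repeated pattern rather than a single out-of-hours login. Weekend and holiday handling is left out; adding dayofweek(TimeGenerated) to the OutsideHours test is the usual next step.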
Q5 (hard)

A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?

A. CommonSecurityLog | where SourceIp == '10.0.0.1' | summarize totalBytes = sum(BytesSent) by bin(TimeGenerated, 5m) | where totalBytes > 100000000
   Correct. This groups events by 5-minute windows, sums bytes sent per window, and filters those windows exceeding 100 MB (100000000 bytes).
B. CommonSecurityLog | where SourceIp == '10.0.0.1' | extend bin = bin(TimeGenerated, 5m) | where BytesSent > 100000000
C. CommonSecurityLog | where SourceIp == '10.0.0.1' | summarize make_list(BytesSent) by TimeGenerated | where array_length(make_list) > 100000000
D. CommonSecurityLog | where SourceIp == '10.0.0.1' | project BytesSent, TimeGenerated | summarize sum(BytesSent) by bin(TimeGenerated, 5m) | where sum_BytesSent > 100000000

Why: Option A is correct because it first filters the CommonSecurityLog table for the specific source IP, then uses `summarize` with `bin(TimeGenerated, 5m)` to aggregate total bytes sent in 5-minute windows, and finally filters for windows where the sum exceeds 100 MB (100,000,000 bytes). This correctly implements a time-windowed aggregation to detect large outbound transfers, which is the standard pattern for identifying data exfiltration over a period.
Q6 (medium)

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

A. Create a Syslog data connector and specify the facility and severity to filter the application logs from /var/log.
B. Configure the Log Analytics agent to collect performance counters for the application process.
C. Use the Custom Logs feature in the Log Analytics workspace to specify the path to the application log file and define the log type name.
   Correct. Custom Logs allow ingestion of text files by monitoring specified file paths and parsing lines into custom logs.
D. Deploy a Log Analytics gateway and configure the application to write directly to the gateway using the HTTP Data Collector API.

Why: Option C is correct because the Custom Logs feature in the Log Analytics workspace is specifically designed to ingest text-based log files from on-premises Linux servers via the Log Analytics agent. You must specify the exact file path (e.g., /var/log/myapp.log) and define a custom log type name (e.g., MyApp_CL) to parse the file and send the data to a custom table in the Log Analytics workspace. This is the only method that directly collects custom application log files without requiring syslog or API-based ingestion.


Frequently asked questions

How many questions are on the SC-200 exam?

The SC-200 exam has 50 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the SC-200 exam?

Security operations scenario questions covering Microsoft Sentinel, Defender XDR, Defender for Cloud, and incident investigation and response.

How are SC-200 questions organised by domain?

The exam covers 6 domains: Manage a security operations environment, Respond to security incidents, Perform threat hunting, Mitigate threats using Microsoft Defender XDR, Mitigate threats using Microsoft Defender for Cloud, Mitigate threats using Microsoft Sentinel. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SC-200 exam questions?

No. These are original exam-style practice questions written against the official Microsoft SC-200 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
