Microsoft · Free Practice Questions · Last reviewed May 2026

SC-200 Exam Questions and Answers

18 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

60 exam questions
120 min time limit
Pass at 700 / 1000
3 exam domains
Domain 1: Mitigate threats using Microsoft Defender XDR

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

A

Microsoft Defender for Endpoint

B

Microsoft Defender for Office 365 (Threat Explorer)

Threat Explorer provides a detailed email entity view including delivery actions, phish simulation, and campaign information.

C

Microsoft Defender for Identity

D

Microsoft Defender for Cloud Apps

Why: Threat Explorer in Microsoft Defender for Office 365 (Microsoft 365 Defender portal) allows security analysts to investigate emails, see delivery actions, identify phishing campaigns, and view simulation data. Other options are for different workloads: Defender for Endpoint focuses on endpoints, Defender for Identity on user identities, and Defender for Cloud Apps on cloud application activities.

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A

Microsoft Defender for Endpoint

B

Microsoft Defender for Office 365

C

Microsoft Defender for Cloud Apps

Defender for Cloud Apps monitors cloud app activity including SharePoint Online and can alert on suspicious file access.

D

Microsoft Defender for Identity

Why: Microsoft Defender for Cloud Apps provides visibility into cloud app activities, including SharePoint Online file access. It can detect unusual file sharing, mass downloads, and other anomalous behavior. Defender for Endpoint focuses on endpoints, Defender for Office 365 on email, and Defender for Identity on identity threats.

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

A

DeviceProcessEvents

DeviceProcessEvents contains process creation events, which can be joined with network events to identify the process initiating the RDP connection.

B

DeviceLogonEvents

C

DeviceFileEvents

D

DeviceRegistryEvents

Why: To correlate network connections with the processes that initiated them, you join DeviceNetworkEvents with DeviceProcessEvents. DeviceLogonEvents show logon events, not process initiation. DeviceFileEvents show file operations, and DeviceRegistryEvents show registry changes.
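A fuller version of the join the explanation describes, added here as a hunting example (not one of the question's options and not Microsoft's own query). It assumes the standard advanced hunting schema: DeviceNetworkEvents carries the PID and creation time of the process that opened the socket, and those two values plus DeviceId match the row DeviceProcessEvents wrote when that process was created. The 7-day lookback and the fan-out threshold of 5 targets are arbitrary tuning values.

```kql
// Added example: outbound RDP connections correlated with the process that opened them.
// Assumes the standard advanced hunting schema; the 7d lookback and the fan-out
// threshold of 5 targets are arbitrary tuning values, not values from the question.
let lookback = 7d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess" and RemotePort == 3389
| where RemoteIPType == "Private"                 // lateral movement stays on internal ranges
| project Timestamp, DeviceId, DeviceName, RemoteIP,
          InitiatingProcessAccountName,
          InitiatingProcessId, InitiatingProcessCreationTime
// The process-creation record: its own parent and grandparent are only available here.
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcessId, ProcessCreationTime,
              FileName, FolderPath, ProcessCommandLine,
              ParentProcess = InitiatingProcessFileName,
              GrandparentProcess = InitiatingProcessParentFileName
  ) on DeviceId,
       $left.InitiatingProcessId == $right.ProcessId,
       $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| summarize Connections = count(),
            Targets = make_set(RemoteIP, 50),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessAccountName, FileName, FolderPath,
       ProcessCommandLine, ParentProcess, GrandparentProcess
// Surface anything that is not the built-in RDP client, or a client fanning out widely.
| where FileName !~ "mstsc.exe" or array_length(Targets) > 5
| order by Connections desc
```

Joining on PID alone is not enough, because PIDs are reused; pairing InitiatingProcessId with InitiatingProcessCreationTime (and DeviceId) identifies one process instance. DeviceNetworkEvents already exposes the initiating process name and command line, so the join earns its cost when you need fields only the creation record has, such as the connecting process's grandparent.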

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

A

The delivery location and whether the email was delivered to Inbox, Junk, or Quarantine.

B

The authentication statuses (SPF, DKIM, DMARC) for the sender domain.

C

The sender IP address and the recipient email address.

D

The detection technology (e.g., Advanced ML, Reputation) and if the email was part of a phish simulation or a campaign.

Correct. Detection details show how the email was flagged, including specific technologies, simulation tags, and campaign information.

Why: In Microsoft 365 Defender, the email entity page provides detailed information about a specific email. The 'Detection details' section includes the detection technology used (e.g., machine learning models, reputation lists), the phish simulation details if the email was part of a simulated attack, and the campaign ID if it was associated with a known campaign. Delivery location (e.g., inbox, junk) is shown in the 'Summary' tab under 'Delivery details'. Sender IP is in the 'Internet headers' section.

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

A

Trigger a training campaign for the user who reported the email.

B

Move the email to the tenant's shared mailbox for review.

C

Remove the Report Message add-in from Outlook to prevent false reports.

D

Soft-delete the email from the user's mailbox and other mailboxes that received the same message.

Correct. AIR can automatically delete the reported email across the organization to contain the threat.

Why: In Defender for Office 365, AIR playbooks are triggered by alerts, including user-reported phishing emails. A common automated action is to delete the email from all mailboxes where it was delivered (soft delete), preventing users from accessing the malicious content. Moving the email to the tenant's mailbox (which is not a standard location) is not an option. Triggering training is not a default AIR action; training campaigns are separate. AIR playbooks do not automatically remove add-ins.

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

A

DeviceNetworkEvents | where RemoteIP == 'user@contoso.com' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5

B

IdentityLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5

C

DeviceLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5

Correct. This query filters for the user's interactive logons, groups by 10-minute windows, counts distinct DeviceNames, and returns windows where the count exceeds 5.

D

DeviceLogonEvents | where AccountUpn == 'user@contoso.com' | summarize count() by DeviceName, bin(Timestamp, 10m) | where count_ > 5

Why: The query must find logon events for the specific user across devices, group them into 10-minute time bins, and count distinct DeviceName values per bin. The correct option uses DeviceLogonEvents (filtered to the Interactive logon type), summarizes with dcount(DeviceName) by bin(Timestamp, 10m), then keeps only the bins where the distinct count is greater than 5. The other options have errors: DeviceNetworkEvents records network connections, not logons (and RemoteIP holds an IP address, not a UPN); IdentityLogonEvents covers Microsoft Entra ID logons, not Windows interactive logons on devices; option D counts total events per device rather than distinct devices per window.
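The same detection written out as an added example (not one of the question's options), using columns DeviceLogonEvents exposes: the account is matched on AccountName and AccountDomain, the distinct count gets an explicit name instead of the auto-generated dcount_DeviceName, and the filter also includes RemoteInteractive, which is how the table records RDP sessions (Interactive is a local console logon). The account name, domain and 1-day lookback are constructed sample values; the window and threshold follow the question.

```kql
// Added example: one account's successful interactive logons fanning out across devices.
// Sample values: user@contoso.com is matched as AccountName "user" in AccountDomain
// "contoso"; the window and threshold follow the question (10 min, more than 5 devices).
let target_account = "user";
let target_domain = "contoso";
let window = 10m;
let device_threshold = 5;
DeviceLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonSuccess"
| where AccountName =~ target_account and AccountDomain =~ target_domain
// RDP sessions land here as RemoteInteractive; Interactive is a local console logon.
| where LogonType in ("Interactive", "RemoteInteractive")
| summarize DistinctDevices = dcount(DeviceName),
            Devices = make_set(DeviceName, 20),
            SourceIPs = make_set(RemoteIP, 20),
            Logons = count()
    by bin(Timestamp, window)
| where DistinctDevices > device_threshold
| order by Timestamp asc
```

Fixed 10-minute bins can split a burst across two windows and hide it; if that matters, lower the threshold or run a second pass with the bins offset by 5 minutes. Including the device list and source IPs in the output saves the analyst a second query when triaging the hit.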

Domain 2: Mitigate threats using Microsoft Defender for Cloud

A security operations analyst is reviewing recommendations in Microsoft Defender for Cloud. For a virtual machine that is missing critical security updates, which recommendation category will highlight this issue?

A

Secure score

Secure score includes recommendations for remediating vulnerabilities like missing critical updates.

B

Regulatory compliance

C

Workload protections

D

Inventory

Why: Secure score recommendations in Defender for Cloud include findings for missing system updates, misconfigurations, and other vulnerabilities that affect your security posture. Workload protections focus on threat detection, not missing updates. Regulatory compliance shows compliance standards, and Inventory lists resources.

A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)

A

Create an alert suppression rule based on alert entity

Alert suppression rules can be configured to suppress alerts based on entity, such as specific IP addresses or resources.

B

Modify the alert's severity

C

Set an automatic response action

D

Define a rule to automatically dismiss alerts that meet criteria

You can create suppression rules that automatically dismiss alerts based on criteria like alert type or entity.

Why: Alert suppression rules let you automatically dismiss alerts that match defined criteria, such as the alert type or the affected entity (a specific IP address or resource); both A and D describe this mechanism. Modifying the alert's severity is not a persistent suppression method, and automatic response actions act on alerts rather than suppressing them.

A security analyst reviews Microsoft Defender for Cloud recommendations for an Azure virtual machine. The VM has a recommendation titled 'Install endpoint protection solution on virtual machines'. The analyst clicks on the recommendation and sees affected resources. Which of the following best describes the purpose of this recommendation in the context of Defender for Cloud?

A

It identifies VMs that have an open network security group inbound rule that should be closed.

B

It suggests enabling Azure Firewall on the virtual network to protect the VM from external threats.

C

It recommends enabling disk encryption for the VM's OS and data disks.

D

It advises deploying a supported endpoint protection solution, such as Microsoft Defender Antivirus, to protect the VM from malware and other threats.

Correct. The recommendation prompts installation of endpoint protection software. Defender for Cloud integrates with Microsoft Defender Antivirus and supports partner solutions.

Why: Defender for Cloud provides security recommendations to improve the secure state of your resources. 'Install endpoint protection solution on virtual machines' is a built-in recommendation that prompts you to deploy a Microsoft or partner endpoint protection solution (e.g., Microsoft Defender Antivirus). The recommendation is not about network security groups or encryption, but specifically about adding an endpoint protection agent to protect against malware.

A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to secure its Azure virtual machines. A security analyst needs to grant a developer temporary RDP access to a specific VM for debugging purposes. Instead of using the default request approval flow, the analyst wants to configure an exemption so that the developer's access request never triggers a recommendation for that VM. Which action must the analyst perform?

A

Approve the access request once from the JIT blade and set a long expiration.

B

Add an exemption for the VM on the 'Management ports should be closed on just-in-time based virtual machines' recommendation.

Correct. Exempting the VM from the recommendation disables JIT monitoring for that VM, allowing permanent open ports without alerts.

C

Configure a custom Azure Policy to allow open management ports for that VM.

D

Disable the JIT solution for the entire subscription from the Defender for Cloud environment settings.

Why: In Defender for Cloud, you can disable JIT for a specific VM by adding an exemption to the 'Management ports should be closed on just-in-time based virtual machines' recommendation. The exemption removes the VM from the JIT recommendation's compliance scope, effectively allowing open management ports (like RDP) without triggering alerts. Approving access is a one-time grant; exemption makes the VM permanently excluded from JIT recommendations. Creating a custom policy is not needed for this simple exclusion.

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?

A

Azure Policy for Kubernetes add-on installation to enforce pod security policies.

B

Kubernetes audit logs are automatically streamed to the Log Analytics workspace.

C

Security alerts for container runtime threats, such as privilege escalation in a container.

Correct. The plan enables advanced threat detection, generating security alerts based on behavioral analytics of cluster activities.

D

Integration with Microsoft Sentinel for monitoring AKS logs.

Why: Defender for Containers provides runtime threat detection for AKS clusters, including host-level and cluster-level alerts. Without the plan, you get only basic security recommendations (like Azure Policy for Kubernetes). The plan enables security alerts for suspicious activities such as container escape attempts and privilege escalations. Azure Policy for Kubernetes (Add-ons) and Kubernetes audit logs are prerequisites, but the alerts themselves appear only when the plan is active.

A security analyst is using Microsoft Defender for Cloud's adaptive application controls (AAC) to allowlist trusted applications on Azure VMs. After enabling AAC and running in 'Audit' mode for a week, the analyst wants to switch to 'Enforce' mode. Which pre-requisite must be met before enforcement can be applied?

A

The VM must have the Guest Configuration extension installed.

B

A valid Microsoft Defender for Servers Plan 2 license must be assigned to the VM.

C

The VM must have a baseline of allowed applications generated from at least two weeks of audit data.

Correct. AAC requires a baseline of known good applications from audit mode before enforcement can block unapproved applications.

D

The VM must be running on a supported operating system like Windows Server 2016 or later.

Why: Adaptive application controls require a baseline of allowed applications generated from at least two weeks of audit data; you cannot enforce immediately without a sufficient, trusted baseline. No additional licensing is needed beyond Defender for Cloud (already required). The Microsoft monitoring agent is used, but it is already in place. The key prerequisite is that the machine has run in audit mode long enough to build a reliable baseline.

Domain 3: Mitigate threats using Microsoft Sentinel

A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?

A

Azure Activity Logs

B

SigninLogs

SigninLogs contain successful and failed sign-in events needed to detect brute force attacks.

C

Office Activity Logs

D

SecurityEvent

Why: SigninLogs from Microsoft Entra ID contain authentication details including failed attempts, timestamps, and user information, which are essential for detecting brute force patterns. Azure Activity Logs are for management plane operations, Office Activity Logs are for Office 365 workloads, and SecurityEvent is for Windows security logs.

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

A

Azure Logic Apps trigger

Playbooks are Logic Apps workflows; they use a built-in Logic Apps trigger to respond to Sentinel alerts.

B

Sentinel trigger

C

Alert trigger

D

Automation rule trigger

Why: Playbooks in Sentinel are built on Azure Logic Apps. The Logic Apps trigger "When a response to a Microsoft Sentinel alert is triggered" (or similar) is used to start the playbook when an alert fires. Sentinel triggers are not a separate concept. Automation rules can invoke playbooks, but the playbook itself uses a Logic Apps trigger.

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

A

Provision compute → Clone Sentinel notebooks → Connect to workspace → Execute cells

This order follows the recommended setup: compute first, then notebooks, then workspace connection, then execution.

B

Clone Sentinel notebooks → Provision compute → Connect to workspace → Execute cells

C

Connect to workspace → Provision compute → Clone Sentinel notebooks → Execute cells

D

Provision compute → Connect to workspace → Clone Sentinel notebooks → Execute cells

Why: The correct order is: first provision an Azure Machine Learning compute instance, then clone the Microsoft Sentinel notebook repository, then connect the notebook to the Sentinel workspace using msticpy, and finally execute the notebook cells. This ensures the environment and the data source are ready before analysis begins.

A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?

A

Set the alert threshold to 5 occurrences within the query lookback period.

Correct. Alert threshold sets a minimum number of matching events required to generate an alert, reducing noise from single anomalous but benign logins.

B

Enable entity mapping for the user account to correlate with other data sources.

C

Increase the query scheduling frequency to every 5 minutes from every hour.

D

Group all events into a single alert and set the suppression limit to 1 hour.

Why: To reduce false positives in anomaly detection, you can use threshold and alert grouping. The 'Alert threshold' allows setting a minimum number of events per time window before an alert is fired, which helps ignore isolated anomalies. Entity mapping enriches alerts but does not reduce false positives. Event grouping and scheduling frequency control how alerts are aggregated, but the threshold directly filters out low-occurrence events.

A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?

A

CommonSecurityLog | where SourceIp == '10.0.0.1' | summarize totalBytes = sum(BytesSent) by bin(TimeGenerated, 5m) | where totalBytes > 100000000

Correct. This groups events by 5-minute windows, sums bytes sent per window, and filters those windows exceeding 100 MB (100000000 bytes).

B

CommonSecurityLog | where SourceIp == '10.0.0.1' | extend bin = bin(TimeGenerated, 5m) | where BytesSent > 100000000

C

CommonSecurityLog | where SourceIp == '10.0.0.1' | summarize make_list(BytesSent) by TimeGenerated | where array_length(make_list) > 100000000

D

CommonSecurityLog | where SourceIp == '10.0.0.1' | project BytesSent, TimeGenerated | summarize sum(BytesSent) by bin(TimeGenerated, 5m) | where sum_BytesSent > 100000000

Why: To aggregate data over a time window, you use the summarize operator with bin on TimeGenerated to create 5-minute buckets. Then you sum BytesSent (or similar numeric field) and filter with where on the aggregated sum. The bin function creates time intervals; summarize aggregates; where filters the results. Other options either don't aggregate correctly or use incorrect operators like make_list or project.
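The aggregation written out as an added example (not one of the options), using the column names the CommonSecurityLog table has: the source address is SourceIP and the byte counter is SentBytes (the CEF src and out fields), which the question's options spell as SourceIp and BytesSent. The 10.0.0.1 address and the 100 MB threshold come from the question; the 1-day lookback is an arbitrary choice.

```kql
// Added example: outbound bytes per 5-minute window for one source, above a 100 MB threshold.
// CommonSecurityLog names: SourceIP (CEF src), DestinationIP (CEF dst), SentBytes (CEF out).
let source = "10.0.0.1";                  // address from the question
let window = 5m;
let threshold_bytes = 100 * 1000 * 1000;  // 100 MB, decimal, matching the question's 100000000
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where SourceIP == source
| where isnotnull(SentBytes)
| summarize TotalBytesSent = sum(SentBytes),
            Flows = count(),
            Destinations = make_set(DestinationIP, 20)
    by bin(TimeGenerated, window), DeviceVendor, DeviceProduct
| where TotalBytesSent > threshold_bytes
| extend TotalMB = round(TotalBytesSent / 1000000.0, 1)
| order by TotalBytesSent desc
```

Grouping by DeviceVendor and DeviceProduct keeps the per-window totals honest when the same flow is reported by more than one appliance (a firewall and a proxy, say), since adding their counters together would double the volume. The destination set in the output lets the analyst tell a single large transfer to one host apart from many small ones spread across several.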

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

A

Create a Syslog data connector and specify the facility and severity to filter the application logs from /var/log.

B

Configure the Log Analytics agent to collect performance counters for the application process.

C

Use the Custom Logs feature in the Log Analytics workspace to specify the path to the application log file and define the log type name.

Correct. Custom Logs allow ingestion of text files by monitoring specified file paths and parsing lines into custom logs.

D

Deploy a Log Analytics gateway and configure the application to write directly to the gateway using the HTTP Data Collector API.

Why: For custom logs from Linux, you need to configure the Log Analytics agent to watch a specific file path. This is done by adding a new custom log in the Log Analytics workspace advanced settings under 'Custom Logs'. You specify the file path pattern and the log type name. Enabling Syslog or performance counters does not collect arbitrary text files. The agent must be configured to tail the log file.

Frequently asked questions

How many questions are on the SC-200 exam?

The SC-200 exam has up to 60 questions and must be completed in 120 minutes. The passing score is 700/1000.

What types of questions appear on the SC-200 exam?

The SC-200 exam uses multiple-choice, multiple-select, drag-and-drop, and exhibit-based questions. Exhibit questions show CLI output, network diagrams, or routing tables and ask you to interpret them — exactly the format Courseiva uses.

How are SC-200 questions organised by domain?

The exam covers 3 domains: Mitigate threats using Microsoft Defender XDR, Mitigate threats using Microsoft Defender for Cloud, Mitigate threats using Microsoft Sentinel. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual SC-200 exam questions?

No. These are original exam-style practice questions written against the official Microsoft SC-200 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
