Objective 1.0

Mitigate threats using Microsoft Defender XDR

SC-200 Practice Questions

Use this page to practise questions on threats, attacks and vulnerabilities. CompTIA Security+ is scenario-heavy here: you must identify not just the attack type but also the most appropriate response.


What this objective tests

SC-200 Mitigate threats using Microsoft Defender XDR — Key Topics

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

  • Threat actor types and motivations (APT, script kiddie, insider, nation-state).
  • Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
  • Vulnerability scanning vs penetration testing vs risk assessment.
  • Mitigation strategies mapped to specific attack types.

Common exam traps

Where candidates lose marks on Mitigate threats using Microsoft Defender XDR

  • ⚠Social engineering targets people, not systems — the attack vector matters.
  • ⚠A vulnerability scanner finds weaknesses; it does not exploit them.
  • ⚠Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • ⚠Zero-day vulnerabilities have no patch available at the time of discovery.

SC-200 Mitigate threats using Microsoft Defender XDR — Practice Questions

30 questions from this objective

Question 2 (easy, multiple choice)

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

Question 3 (medium, multiple choice)

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

Question 4 (hard, multiple choice)

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

Question 5 (medium, multiple choice)

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

Question 6 (easy, multiple choice)

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

Question 7 (hard, multiple choice)

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

Question 8 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user's device was compromised. The analyst wants to determine if the attacker attempted to access sensitive files stored in SharePoint Online from that device. Which advanced hunting table should the analyst query to find file access events from cloud apps?

Question 9 (easy, multiple choice)

A security analyst is reviewing an incident in Microsoft 365 Defender where malware was detected on multiple endpoints. The analyst wants to see a visual representation of the attack progression, including the initial entry point and all affected devices. Which feature in the Microsoft 365 Defender portal should the analyst use?

Question 10 (hard, multiple choice)

A global enterprise uses Microsoft 365 Defender across multiple tenants. During an incident, a security analyst needs to search for a specific file hash indicator of compromise (IOC) across all mailboxes and endpoints in all tenants from a single interface. Which feature allows the analyst to run a query across multiple tenants without switching contexts?

Question 11 (easy, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender where a device is detected as infected with a trojan. The analyst wants to use automated investigation to contain the threat. Which action can be automatically taken on the affected device as part of a standard AIR playbook for endpoint detection and response?

Question 12 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is reviewing an incident that involves a user who clicked a phishing link in an email. The analyst wants to see the email's full timeline, including delivery, click, and any follow-up actions. Which section of the email entity page provides this information?

Question 13 (medium, multiple choice)

A security analyst in Microsoft 365 Defender uses advanced hunting to detect possible credential theft. They want to find instances where a user signed in from an IP address that is not in their organization's known IP range. Which table should they query to get sign-in location and IP address?

Question 14 (easy, multiple choice)

A security analyst in Microsoft 365 Defender is investigating an incident that involves multiple devices. The analyst wants to see a visual representation of the attack, showing how the attacker moved from one device to another. Which feature provides this view?

Question 15 (easy, multiple choice)

A security analyst is investigating a phishing incident in Microsoft 365 Defender. They need to view the original email's sender, delivery action, and any automated remediation steps taken. Which entity page should the analyst open?

Question 16 (hard, multiple choice)

A security analyst is using advanced hunting in Microsoft 365 Defender to detect lateral movement. The analyst wants to find all devices where a specific user account had an interactive logon, and then identify which of those devices subsequently initiated outbound Remote Desktop Protocol (RDP) connections to other internal IP addresses. Which KQL approach is most efficient for this investigation?

Question 17 (medium, multiple choice)

An organization uses Microsoft Defender for Office 365. The security team wants to automatically remove from all user mailboxes any messages that were already delivered but are later identified as malicious. Which feature should they enable?

Question 18 (medium, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender that involves a user who clicked a phishing link. The analyst wants to find all processes executed on the user's device immediately after the email was opened. Which advanced hunting table should the analyst query to obtain process creation events with timestamps relative to the email event?

Question 19 (hard, multiple choice)

A security analyst is investigating a suspected lateral movement attack in Microsoft 365 Defender. The analyst wants to identify all devices where a specific user account (user@contoso.com) had an interactive logon, and then check which of those devices subsequently made outbound RDP connections to other internal IP addresses. Which KQL query approach is most efficient to find this chain?

Question 20 (easy, multiple choice)

A security analyst is reviewing an email-related incident in Microsoft 365 Defender. The analyst wants to see the full delivery details, including the sender IP, authentication status, and the reason why the email was determined to be malicious. Which section of the email entity page should the analyst open?

Question 21 (hard, multiple choice)

A security analyst is hunting for a targeted phishing attack in Microsoft 365 Defender. They have identified a phishing email delivered to a user and want to find all devices where the user clicked the link in the email, and any processes that were spawned from the browser on those devices. Which advanced hunting strategy is most effective to correlate the email, network, and process data?

Question 22 (medium, multiple choice)

An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?

Question 23 (easy, multiple choice)

An organization uses Microsoft Defender for Office 365. The security team wants to automatically investigate and respond to user-reported phishing emails. Which feature should they enable to automate this process?

Question 24 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user received a phishing email that contained a link to a malicious domain. The user clicked the link, but the domain was blocked by Microsoft Defender for Office 365 at the time of click. The analyst needs to view the full details of the click verdict, including the time of click and the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

Question 25 (easy, multiple choice)

A security analyst is using advanced hunting in Microsoft 365 Defender to investigate a potential brute-force attack against an on-premises Exchange server. The analyst wants to find authentication failures from a specific IP address. Which table should the analyst query?

Question 26 (easy, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

Question 27 (medium, multiple choice)

A security analyst is investigating lateral movement in Microsoft 365 Defender. They have identified a compromised device (DeviceA) and want to find all other devices that have been accessed from DeviceA via RDP in the last 24 hours. Which advanced hunting table contains RDP connection events?

Question 28 (medium, multiple choice)

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Question 29 (medium, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender involving a user who received a phishing email. The analyst needs to identify all devices on which the user clicked a link from the email. Which advanced hunting table should the analyst query to find the click events?

Question 30 (medium, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender where a user's device is suspected to be compromised. The analyst wants to collect a copy of a specific suspicious file from the device for offline analysis without disrupting the user. Which action should the analyst initiate?

Question 31 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst wants to identify all devices that have been accessed from a compromised device via RDP in the past 24 hours. Which advanced hunting table should the analyst query?

More Mitigate threats using Microsoft Defender XDR questions available in the full practice test.
