Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

Objective 3.0

Mitigate threats using Microsoft Sentinel

SC-200 Practice Questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.


What this objective tests

SC-200 Mitigate threats using Microsoft Sentinel — Key Topics

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

  • Threat actor types and motivations (APT, script kiddie, insider, nation-state).
  • Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
  • Vulnerability scanning vs penetration testing vs risk assessment.
  • Mitigation strategies mapped to specific attack types.

Common exam traps

Where candidates lose marks on Mitigate threats using Microsoft Sentinel

  • ⚠ Social engineering targets people, not systems — the attack vector matters.
  • ⚠ A vulnerability scanner finds weaknesses; it does not exploit them.
  • ⚠ Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • ⚠ Zero-day vulnerabilities have no patch available at the time of discovery.

SC-200 Mitigate threats using Microsoft Sentinel — Practice Questions

30 questions from this objective

Question 2 (easy, multiple choice)

A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?

Question 3 (medium, multiple choice)

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

Question 4 (hard, multiple choice)

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

Question 5 (medium, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?

Question 6 (hard, multiple choice)

A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?

Question 7 (medium, multiple choice)

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

Question 8 (easy, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. The team wants to automatically assign incidents to the appropriate analyst based on the severity level of the alert. Which feature should be configured to achieve this automation?

Question 9 (hard, multiple choice)

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect a possible password spray attack. The rule must trigger when a single source IP address has more than 10 failed logon attempts on different user accounts within a 30-minute window. The analyst writes a KQL query starting with 'SigninLogs | where ResultType == 50057' (failed logon). Which operator should the analyst use to group events by source IP and count distinct user accounts, then filter for counts above 10?

Question 10 (medium, multiple choice)

A SOC team uses Microsoft Sentinel. They need to correlate syslog events from on-premises firewalls with Microsoft Entra ID sign-in logs to detect VPN-based intrusions. The correlation requires joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Which type of analytics rule should the analyst configure?

Question 11 (medium, multiple choice)

A security analyst is configuring a Microsoft Sentinel playbook to automate the response to phishing incidents. When an incident is created based on a phishing analytics rule, the playbook needs to execute an action in Microsoft 365 Defender, such as blocking the sender email address. Which connector should the analyst add to the playbook to interact with Microsoft 365 Defender?

Question 12 (easy, multiple choice)

A security analyst in Microsoft Sentinel wants to create a custom analytics rule that triggers when more than 10 failed logon attempts from a single source IP address occur within 5 minutes. The analyst writes a KQL query to aggregate sign-in logs. Which KQL operator should the analyst use to group events by source IP and count each failure?

Question 13 (hard, multiple choice)

A SOC team uses Microsoft Sentinel. They receive a large volume of low-severity incidents from a specific analytics rule that causes alert fatigue. They want to automatically close incidents that match certain criteria (e.g., originating from a known test IP). Which feature should they configure?

Question 14 (hard, multiple choice)

A security analyst is configuring a playbook in Microsoft Sentinel to run automatically when a new incident of severity 'High' is created. The playbook should only run for incidents that are not already assigned to an analyst. How can the analyst configure this automation?

Question 15 (medium, multi select)

A SOC team uses Microsoft Sentinel and wants to automate the response to high-severity incidents. When a new incident of severity 'High' is created, they need to send an email notification to the on-call analyst and assign the incident to that analyst. Which two components must be configured together to achieve this? (Choose the best answer.)

Question 16 (medium, multiple choice)

A security analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect multiple failed logon attempts from the same source IP address. The rule should generate an incident only when the count of failed logons exceeds 10 within a 5-minute window. Which configuration setting is essential to limit the incident generation to this threshold?

Question 17 (medium, multiple choice)

A SOC analyst needs to ingest firewall logs from an on-premises Cisco ASA into Microsoft Sentinel. The logs are sent via syslog to a Linux server. Which data connector should the analyst use to properly parse and collect these logs?

Question 18 (hard, multiple choice)

A security analyst is configuring a Microsoft Sentinel playbook to automatically respond to phishing incidents. The playbook should only run when an incident of severity 'High' is created and the incident is not already assigned to a user. Which automation rule condition and trigger configuration should the analyst use?

Question 19 (hard, multi select)

A SOC analyst in Microsoft Sentinel needs to create an automation rule that triggers a playbook when a new incident is created and the incident severity is 'High'. Additionally, the playbook should only run if the incident is not already assigned to an analyst. Which two conditions must the analyst include in the automation rule? (Select all that apply.) (Choose 2.)

Question 20 (easy, multiple choice)

A SOC team uses Microsoft Sentinel and needs to ingest custom logs from an on-premises Linux server that writes events to a local text file. The team installs the Azure Monitor Agent (AMA) on the Linux server. Which configuration step is required in Sentinel to collect the custom log file?

Question 21 (easy, multiple choice)

A security analyst in Microsoft Sentinel wants to create a scheduled analytics rule to detect repeated failed HTTP requests to an Azure Application Gateway, indicating a possible brute force attack. Which Azure Monitor table should the analyst query to capture the access and error logs from the Application Gateway?

Question 22 (medium, multiple choice)

A SOC team wants to automatically categorize incidents in Microsoft Sentinel with MITRE ATT&CK tactics (e.g., 'Initial Access', 'Execution') when an analytics rule triggers. How can they achieve this?

Question 23 (easy, multiple choice)

A SOC analyst needs to create a custom alert in Microsoft Sentinel that triggers when a specific user logs in from an unusual geographic location, compared to a learned baseline of normal locations. Which type of analytics rule is best suited for this scenario?

Question 24 (medium, multiple choice)

A SOC analyst has created a custom scheduled analytics rule in Microsoft Sentinel that runs every hour and generates an incident when a certain pattern is detected. The analyst notices that the same set of events is causing a new incident every hour, leading to duplicates. What should the analyst configure to prevent duplicate incident generation from the same events?

Question 25 (medium, multiple choice)

A SOC team uses Microsoft Sentinel and ingests Windows Security Events from domain controllers using the Azure Monitor Agent (AMA). They want to create a scheduled analytics rule that generates an incident when a user account is created in a sensitive Active Directory group (e.g., Domain Admins) outside of approved change windows (e.g., after 9 PM). The required event IDs are 4728 (member added to security-enabled global group) and 4732 (member added to security-enabled local group). Which KQL query should the analyst use to filter for these specific events and the targeted group?

Question 26 (medium, multiple choice)

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect anomalous Microsoft Entra ID sign-ins. The rule runs every 5 minutes and queries the SigninLogs table for sign-ins from IP addresses outside the organization's known country codes. To avoid duplicates, the rule should generate an incident only once for a particular user-IP combination until the combination is not seen for 60 minutes. Which configuration should the analyst use in the analytics rule wizard?

Question 27 (hard, multiple choice)

A SOC team uses Microsoft Sentinel with multiple workspaces in a single region. They have deployed Azure Policy to send all Azure resource logs to a central Log Analytics workspace. Now they want to create a set of analytics rules that run across multiple workspaces to detect cross-workspace attacks. However, they note that the built-in analytics rules can only query data within the workspace in which they are defined. Which solution should the team implement to efficiently query data from multiple workspaces for detection?

Question 28 (hard, multiple choice)

Match each Microsoft Sentinel data connector on the left with the table name it populates on the right.

Question 29 (medium, multi select)

A SOC analyst is configuring a Microsoft Sentinel automation rule to trigger a playbook when an incident is created. The playbook should only run if the incident severity is 'High' and the incident title contains 'Phishing'. Which two conditions should the analyst add to the automation rule? (Select all that apply.) (Choose 2.)

Question 30 (hard, multiple choice)

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.

Question 31 (easy, multiple choice)

A SOC analyst needs to create a custom scheduled analytics rule in Microsoft Sentinel that detects when a user attempts to sign in from an IP address not in the organization's allowlist. The rule should run every 5 minutes. Which table should the analyst query?

More Mitigate threats using Microsoft Sentinel questions available in the full practice test.

All SC-200 Objectives

  • 1. Mitigate threats using Microsoft Defender XDR
  • 2. Mitigate threats using Microsoft Defender for Cloud
  • 3. Mitigate threats using Microsoft Sentinel