Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SC-200 Mitigate threats using Microsoft Defender XDR — All Questions With Answers

Complete SC-200 Mitigate threats using Microsoft Defender XDR question bank: 108 questions with answers and detailed explanations. Free, no signup.

Question 1 (easy, multiple choice)

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

Question 2 (medium, multiple choice)

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

Question 3 (hard, multiple choice)

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

Question 4 (medium, multiple choice)

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

Question 5 (easy, multiple choice)

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

Question 6 (hard, multiple choice)

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?
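A worked query for the scenario in Question 6. This is an editorial example added to the page, not one of the question bank's answer explanations. It assumes user@contoso.com is the SAM account `user` (DeviceLogonEvents records the logged-on account as AccountDomain and AccountName, not as a UPN) and it counts devices in fixed 10-minute bins:

```kql
// Added example: one account with successful interactive logons on more than
// 5 distinct devices inside a 10-minute window.
// Assumption: user@contoso.com is the SAM account "user"; DeviceLogonEvents has
// AccountName/AccountDomain rather than a UPN column for the logged-on account.
let TargetAccount = "user";
let Window = 10m;
let Threshold = 5;
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonSuccess"
| where LogonType in ("Interactive", "RemoteInteractive")   // console and RDP sessions only
| where AccountName =~ TargetAccount
| summarize DistinctDevices = dcount(DeviceId),
            Devices = make_set(DeviceName, 50),
            FirstLogon = min(Timestamp),
            LastLogon = max(Timestamp)
          by Account = strcat(AccountDomain, @"\", AccountName),
             WindowStart = bin(Timestamp, Window)
| where DistinctDevices > Threshold
| order by WindowStart asc
```

bin() produces tumbling windows, so a burst of logons that straddles a 10-minute boundary is split into two windows that may each fall under the threshold; if the query returns nothing but the alert looks real, widen Window or review the summarize output without the final where. The LogonType filter keeps console and RDP sessions and drops Network logons, which SMB and service traffic generate constantly and which would inflate the device count.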

Question 7 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user's device was compromised. The analyst wants to determine if the attacker attempted to access sensitive files stored in SharePoint Online from that device. Which advanced hunting table should the analyst query to find file access events from cloud apps?

Question 8 (easy, multiple choice)

A security analyst is reviewing an incident in Microsoft 365 Defender where malware was detected on multiple endpoints. The analyst wants to see a visual representation of the attack progression, including the initial entry point and all affected devices. Which feature in the Microsoft 365 Defender portal should the analyst use?

Question 9 (hard, multiple choice)

A global enterprise uses Microsoft 365 Defender across multiple tenants. During an incident, a security analyst needs to search for a specific file hash indicator of compromise (IOC) across all mailboxes and endpoints in all tenants from a single interface. Which feature allows the analyst to run a query across multiple tenants without switching contexts?

Question 10 (easy, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender where a device is detected as infected with a trojan. The analyst wants to use automated investigation to contain the threat. Which action can be automatically taken on the affected device as part of a standard AIR playbook for endpoint detection and response?

Question 11 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is reviewing an incident that involves a user who clicked a phishing link in an email. The analyst wants to see the email's full timeline, including delivery, click, and any follow-up actions. Which section of the email entity page provides this information?

Question 12 (medium, multiple choice)

A security analyst in Microsoft 365 Defender uses advanced hunting to detect possible credential theft. They want to find instances where a user signed in from an IP address that is not in their organization's known IP range. Which table should they query to get sign-in location and IP address?

Question 13 (easy, multiple choice)

A security analyst in Microsoft 365 Defender is investigating an incident that involves multiple devices. The analyst wants to see a visual representation of the attack, showing how the attacker moved from one device to another. Which feature provides this view?

Question 14 (easy, multiple choice)

A security analyst is investigating a phishing incident in Microsoft 365 Defender. They need to view the original email's sender, delivery action, and any automated remediation steps taken. Which entity page should the analyst open?

Question 15 (hard, multiple choice)

A security analyst is using advanced hunting in Microsoft 365 Defender to detect lateral movement. The analyst wants to find all devices where a specific user account had an interactive logon, and then identify which of those devices subsequently initiated outbound Remote Desktop Protocol (RDP) connections to other internal IP addresses. Which KQL approach is most efficient for this investigation?

Question 16 (medium, multiple choice)

An organization uses Microsoft Defender for Office 365. The security team wants to automatically remove from all user mailboxes any messages that were already delivered but are later identified as malicious. Which feature should they enable?

Question 17 (medium, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender that involves a user who clicked a phishing link. The analyst wants to find all processes executed on the user's device immediately after the email was opened. Which advanced hunting table should the analyst query to obtain process creation events with timestamps relative to the email event?

Question 18 (hard, multiple choice)

A security analyst is investigating a suspected lateral movement attack in Microsoft 365 Defender. The analyst wants to identify all devices where a specific user account (user@contoso.com) had an interactive logon, and then check which of those devices subsequently made outbound RDP connections to other internal IP addresses. Which KQL query approach is most efficient to find this chain?

Question 19 (easy, multiple choice)

A security analyst is reviewing an email-related incident in Microsoft 365 Defender. The analyst wants to see the full delivery details, including the sender IP, authentication status, and the reason why the email was determined to be malicious. Which section of the email entity page should the analyst open?

Question 20 (hard, multiple choice)

A security analyst is hunting for a targeted phishing attack in Microsoft 365 Defender. They have identified a phishing email delivered to a user and want to find all devices where the user clicked the link in the email, and any processes that were spawned from the browser on those devices. Which advanced hunting strategy is most effective to correlate the email, network, and process data?

Question 21 (medium, multiple choice)

An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?

Question 22 (easy, multiple choice)

An organization uses Microsoft Defender for Office 365. The security team wants to automatically investigate and respond to user-reported phishing emails. Which feature should they enable to automate this process?

Question 23 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user received a phishing email that contained a link to a malicious domain. The user clicked the link, but the domain was blocked by Microsoft Defender for Office 365 at the time of click. The analyst needs to view the full details of the click verdict, including the time of click and the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

Question 24 (easy, multiple choice)

A security analyst is using advanced hunting in Microsoft 365 Defender to investigate a potential brute-force attack against an on-premises Exchange server. The analyst wants to find authentication failures from a specific IP address. Which table should the analyst query?

Question 25 (easy, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

Question 26 (medium, multiple choice)

A security analyst is investigating lateral movement in Microsoft 365 Defender. They have identified a compromised device (DeviceA) and want to find all other devices that have been accessed from DeviceA via RDP in the last 24 hours. Which advanced hunting table contains RDP connection events?

Question 27 (medium, multiple choice)

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Question 28 (medium, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender involving a user who received a phishing email. The analyst needs to identify all devices on which the user clicked a link from the email. Which advanced hunting table should the analyst query to find the click events?

Question 29 (medium, multiple choice)

A security analyst is investigating an incident in Microsoft 365 Defender where a user's device is suspected to be compromised. The analyst wants to collect a copy of a specific suspicious file from the device for offline analysis without disrupting the user. Which action should the analyst initiate?

Question 30 (medium, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst wants to identify all devices that have been accessed from a compromised device via RDP in the past 24 hours. Which advanced hunting table should the analyst query?

Question 31 (easy, multiple choice)

A security analyst is reviewing a phishing incident in Microsoft 365 Defender. They need to find all users who received a specific email message by searching for the email's Internet Message ID. Which advanced hunting table should the analyst query?

Question 32 (hard, multiple choice)

An organization uses Microsoft Defender for Office 365. A security analyst is investigating a phishing email that was delivered to a user. The user clicked the link, but it was blocked by Defender for Office 365 at the time of click. The analyst needs to view the full click verdict, including the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

Question 33 (easy, multiple choice)

A security analyst uses Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst knows the Internet Message ID of a malicious email. Which table should the analyst query to find all users who received that specific email?

Question 34 (medium, multiple choice)

An organization uses Microsoft 365 Defender. An automated investigation on a device identifies a malicious file and blocks it. The analyst now wants to allow a specific trusted application that was incorrectly blocked, while keeping other malicious files blocked. Which action should the analyst take from the device's entity page?

Question 35 (hard, multiple choice)

A security analyst is using Microsoft 365 Defender advanced hunting to investigate potential lateral movement. The analyst has identified a compromised device (DeviceA) and wants to find all other devices that initiated a remote desktop connection from DeviceA to other devices in the last 24 hours. Which table and query approach should the analyst use?
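The account-first join that Questions 3, 15 and 18 are after, which also serves Questions 26, 30 and 35 when the starting point is a device rather than an account. This is an added example, not the question bank's own content; the SAM account name `user` (for user@contoso.com), the device name DeviceA and the 8-hour session bound are assumptions:

```kql
// Added example: devices where the account logged on interactively, then which
// of those devices opened outbound RDP to other internal hosts afterwards.
// Assumptions: user@contoso.com is the SAM account "user"; RDP is recognised by
// destination TCP/3389 only, so a non-default RDP port would be missed.
let TargetAccount = "user";
let Lookback = 24h;
// Step 1: the (small) set of devices and times where the account had an
// interactive logon. Filtering this table first keeps the join cheap.
let AccountLogons =
    DeviceLogonEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "LogonSuccess"
    | where LogonType in ("Interactive", "RemoteInteractive")
    | where AccountName =~ TargetAccount
    | project LogonTime = Timestamp, DeviceId, DeviceName, LogonType, LogonFromIP = RemoteIP;
// Step 2: outbound RDP from those devices to private address space, started
// after the logon. DeviceId is the join key; the time bound is applied after the join.
AccountLogons
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where ActionType == "ConnectionSuccess"
    | where Protocol == "Tcp" and RemotePort == 3389
    | where ipv4_is_private(RemoteIP)
    | project ConnTime = Timestamp, DeviceId, TargetIP = RemoteIP,
              Tool = InitiatingProcessFileName, ToolCmd = InitiatingProcessCommandLine
  ) on DeviceId
| where ConnTime between (LogonTime .. (LogonTime + 8h))   // within a working session of the logon
| summarize FirstRdp = min(ConnTime), Targets = make_set(TargetIP, 100),
            Tools = make_set(Tool, 20)
          by SourceDevice = DeviceName, LogonTime, LogonType, LogonFromIP
| order by LogonTime asc
```

To start from a known compromised device instead (Questions 26, 30 and 35), drop Step 1 and the join and filter DeviceNetworkEvents on DeviceName =~ "DeviceA" directly; the same port and private-IP filters apply. To confirm that a connection became a session, look on the target side for DeviceLogonEvents rows with LogonType "RemoteInteractive" whose RemoteIP is DeviceA's address. Tools other than mstsc.exe in the Tools column are the interesting rows: they indicate an RDP client the attacker brought along.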

Question 36 (easy, multiple choice)

An analyst is investigating a malware incident in Microsoft 365 Defender and has isolated the compromised device using automated investigation and response. The analyst now needs to collect a copy of a suspicious file from that device for further analysis in a sandbox. Which action should the analyst take from the device's entity page?

Question 37 (medium, multiple choice)

A security analyst is investigating a potential data exfiltration incident in Microsoft 365 Defender. They have identified a suspicious email sent to an external recipient containing an attachment. They want to know if the attachment has been opened and if any sensitive data was accessed. Which advanced hunting table should the analyst query to find email attachment activities, such as file download or view?

Question 38 (easy, multiple choice)

A security analyst is investigating a compromised user account using Microsoft 365 Defender. The analyst wants to see all the sign-in attempts made by this user in the last 24 hours, including the IP addresses and locations. Which advanced hunting table should the analyst query?

Question 39 (medium, multiple choice)

A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to view all processes that initiated outbound network connections to known malicious IPs on a specific device. Which advanced hunting table should the analyst query?

Question 40 (hard, multiple choice)

An analyst is investigating a sophisticated attack involving a compromised device. The analyst has identified a malicious process that spawned multiple child processes. The analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a specific parent process creates a child process that makes an outbound network connection to any IP not in the organization's internal range. Which KQL query and rule type should the analyst use?

Question 41 (medium, multiple choice)

A security analyst is investigating a phishing incident and needs to find the specific email message that was delivered to a user. The analyst knows the subject line and the sender domain. Which advanced hunting table should the analyst query?

Question 42 (easy, multiple choice)

A security analyst is investigating a malware incident on an endpoint using Microsoft 365 Defender. The analyst wants to see all processes that were created on the device in the last hour, including the command line arguments. Which advanced hunting table should they query?

Question 43 (medium, multiple choice)

An organization uses Microsoft 365 Defender and receives an alert for a suspicious email sent to multiple recipients. The analyst wants to view the email metadata, including the sender, subject, and any attachments. Which advanced hunting table should the analyst use?

Question 44 (medium, multiple choice)

A security analyst is investigating a phishing campaign targeting multiple users. The analyst has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to any user and contained this specific attachment. Which advanced hunting table should the analyst query in Microsoft 365 Defender to obtain the message IDs of emails containing the attachment?

Question 45 (medium, multiple choice)

A security analyst is using Microsoft 365 Defender and discovers that a legitimate business application has been incorrectly blocked as malicious by an automated investigation. The analyst needs to unblock this application immediately so it can run on all endpoints in the organization. What action should the analyst take from the file's entity page in Microsoft 365 Defender?

Question 46 (easy, multiple choice)

A security analyst is reviewing phishing emails in Microsoft 365 Defender and wants to identify all messages that were blocked by an anti-phish policy before delivery. The analyst plans to use advanced hunting. Which table column indicates whether an email was blocked as phishing?

Question 47 (easy, multiple choice)

A security analyst is investigating a suspicious process on an endpoint and needs to see all network connections initiated by that process. The analyst knows the ProcessId and DeviceName. Which advanced hunting table in Microsoft 365 Defender should the analyst query to retrieve network connection details associated with this process?

Question 48 (medium, multiple choice)

A security analyst is investigating a malware incident and has identified a specific parent process ID (PID) on an endpoint. The analyst wants to retrieve all outbound network connections made by any child processes spawned by this parent process. Which advanced hunting table should the analyst query to get the network connection details, including the destination IP and the child process ID?
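A custom-detection-ready query for Questions 40, 47 and 48: a child of a named parent process making an outbound connection to an address outside RFC 1918 space, with each network event tied to the exact child-process instance. This is an added example, not from the question bank; the parent name winword.exe is a placeholder (the question leaves the parent unnamed) and "internal" is read as private IPv4 space:

```kql
// Added example: custom-detection-ready query for "a child of a given parent
// process opens an outbound connection to an IP outside the internal range".
// Assumptions: the parent is winword.exe (placeholder) and "internal" means
// RFC 1918 space, so ipv4_is_private() is the test.
let ParentProcess = "winword.exe";
let Lookback = 2h;      // cover the rule frequency with margin (hourly here)
// Children of the parent. ProcessId alone is not unique (PIDs are reused), so
// the child's creation time is carried along as part of the join key.
let Children =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessFileName =~ ParentProcess
    | project DeviceId, ChildPid = ProcessId, ChildCreated = ProcessCreationTime,
              ChildName = FileName, ChildCmd = ProcessCommandLine,
              ParentName = InitiatingProcessFileName, ParentPid = InitiatingProcessId;
DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"              // cheap pre-filter classified by the sensor
| where not(ipv4_is_private(RemoteIP))       // explicit check so the intent is visible
| join kind=inner Children on DeviceId,
      $left.InitiatingProcessId == $right.ChildPid,
      $left.InitiatingProcessCreationTime == $right.ChildCreated
| project Timestamp, DeviceId, DeviceName, ReportId,   // the three columns a custom detection rule requires
          ParentName, ParentPid, ChildName, ChildPid, ChildCmd,
          RemoteIP, RemotePort, RemoteUrl
```

Save it as a custom detection rule from the advanced hunting page: the rule needs Timestamp, DeviceId and ReportId in the output and uses them to identify and de-duplicate the triggering event, so they are taken from the network event rather than the process event. For Question 47 alone (connections by one known process), drop the join and filter DeviceNetworkEvents on DeviceName and InitiatingProcessId, keeping InitiatingProcessCreationTime in the output so a reused PID is not mistaken for the same process.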

Question 49 (easy, multiple choice)

A security analyst is investigating a potential phishing campaign and has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to users and contained this exact attachment. Which advanced hunting table should the analyst query to obtain the network message IDs of the relevant emails?
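Questions 44 and 49 (attachment hash to message IDs and recipients) and Question 46 (which columns show a message was blocked as phishing) in one query. This is an added example, not from the question bank; the SHA256 value is a placeholder, not a real indicator:

```kql
// Added example: from a known malicious attachment hash to every recipient,
// with the delivery outcome per copy. Assumption: the SHA256 is a placeholder.
let BadHash = "0000000000000000000000000000000000000000000000000000000000000000";
let Lookback = 30d;
// NetworkMessageId identifies one copy of a message per recipient, so it is
// the join key between EmailAttachmentInfo and EmailEvents.
EmailAttachmentInfo
| where Timestamp > ago(Lookback)
| where SHA256 =~ BadHash
| project NetworkMessageId, AttachmentName = FileName, AttachmentType = FileType
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | project Timestamp, NetworkMessageId, InternetMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation,
              ThreatTypes, DetectionMethods
  ) on NetworkMessageId
// DeliveryAction says what happened to the copy; ThreatTypes says why.
| extend BlockedAsPhish = DeliveryAction == "Blocked" and ThreatTypes has "Phish"
| project Timestamp, InternetMessageId, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, Subject, AttachmentName, AttachmentType,
          DeliveryAction, DeliveryLocation, ThreatTypes, BlockedAsPhish
| order by Timestamp asc
```

Rows with DeliveryAction "Delivered" and DeliveryLocation "Inbox/folder" are the copies still needing manual or AIR remediation. For Questions 31 and 33, where the Internet Message ID is known, no join is needed: filter EmailEvents on InternetMessageId, the header value shared by every copy of a message, and the result is one row per recipient. NetworkMessageId, by contrast, is Defender's per-copy identifier and is the key that links EmailEvents to EmailAttachmentInfo, EmailUrlInfo and EmailPostDeliveryEvents.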

Question 50 (easy, multiple choice)

A security analyst is investigating a suspicious process on an endpoint and wants to see all changes made to the Windows Registry by that process. Which advanced hunting table should the analyst query to find registry modification events associated with the process?

Question 51 (medium, multiple choice)

A security analyst in Microsoft 365 Defender needs to review all actions that were automatically taken by an investigation (e.g., isolating a device, deleting a file) that occurred during an incident. Where should the analyst find this list of executed actions?

Question 52 (hard, multi-select)

A security analyst is investigating a sophisticated attack where an attacker used a compromised account to send a phishing email. The analyst wants to correlate the email event with the subsequent sign-in activity from the same sender's mailbox using Advanced Hunting. Which two tables should the analyst join to link the email sender to the sign-in IP address?

Question 53 (hard, multiple choice)

A security analyst is investigating a ransomware incident and needs to find all files that were written to a specific device within a 5-minute window before the ransomware process started. The analyst knows the device name and the ransomware process start time. Which advanced hunting table and KQL operator combination would be most efficient to find the file creation events?

Question 54 (easy, multiple choice)

A security analyst wants to see the delivery status and phishing verdict of an email. Which advanced hunting table should the analyst query in Microsoft 365 Defender?

Question 55 (easy, multiple choice)

In Microsoft 365 Defender, what is the primary function of the Action center?

Question 56 (medium, multiple choice)

An analyst is investigating a file that was detected as malicious on several devices. In Microsoft 365 Defender, where can the analyst find information about the file's prevalence, global reputation, and related incidents?

Question 57 (easy, multiple choice)

In Microsoft 365 Defender, after an automated investigation completes, where can an analyst review the specific remediation actions that were taken (e.g., file quarantine, device isolation)?

Question 58 (medium, multiple choice)

In Microsoft 365 Defender, a security analyst wants to get a detailed report on a newly discovered malware campaign, including indicators of compromise, recommended actions, and impacted devices. Where should the analyst go to find this information?

Question 59 (medium, multiple choice)

A security analyst is investigating a potential business email compromise (BEC) campaign. The analyst wants to find all emails that were sent to external recipients from an internal user's mailbox that also had a login from an unusual location shortly after the email was sent. Which advanced hunting tables should the analyst query to get the email metadata and the sign-in details?

Question 60 (medium, multiple choice)

A security analyst in Microsoft 365 Defender is investigating an email-based threat. The analyst needs to find all emails that were initially delivered to user inboxes but were later remediated (e.g., moved to junk, deleted, or quarantined) by Zero-Hour Auto Purge (ZAP). Which advanced hunting tables should the analyst query to get both the original email metadata and the post-delivery remediation events?
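The two-table query behind Question 60, with the feature Question 16 asks about (zero-hour auto purge) visible in the data. This is an added example, not from the question bank; it assumes the ZAP action types contain the word ZAP, as "Phish ZAP" and "Malware ZAP" do:

```kql
// Added example: messages that reached a mailbox and were later removed by
// zero-hour auto purge. EmailEvents holds the original delivery verdict;
// EmailPostDeliveryEvents holds the later action. Both are keyed by
// NetworkMessageId (one copy per recipient).
// Assumption: ZAP action types contain "ZAP" ("Phish ZAP", "Malware ZAP").
let Lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(Lookback)
| where ActionType has "ZAP"
| project ZapTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          ZapType = ActionType, ZapAction = Action, ZapResult = ActionResult,
          ZapTrigger = ActionTrigger, MovedTo = DeliveryLocation
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(Lookback)
    | where DeliveryAction == "Delivered"          // the original verdict let it through
    | project DeliveredTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, Subject, OriginalThreatTypes = ThreatTypes,
              OriginalLocation = DeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
| extend DwellTime = ZapTime - DeliveredTime      // how long the message sat in the mailbox
| project DeliveredTime, ZapTime, DwellTime, RecipientEmailAddress, SenderFromAddress,
          Subject, OriginalThreatTypes, ZapType, ZapAction, ZapResult, ZapTrigger, MovedTo
| order by DwellTime desc
```

DwellTime is the figure worth reporting: it is the window in which the user could have opened the message, and the rows with the longest dwell are the ones to cross-check against UrlClickEvents and EmailAttachmentInfo. ZapResult values other than Success are the messages that were supposed to be purged and were not, which is where a manual remediation from the Action center is still needed.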

Question 61 (medium, multiple choice)

A security analyst in Microsoft 365 Defender has just completed an automated investigation on a device. The analyst wants to review the specific remediation actions that were taken automatically, such as file quarantine or process termination, as well as any actions that are still pending approval. Where should the analyst look?

Question 62 (easy, multiple choice)

A security analyst in Microsoft 365 Defender is investigating an incident that contains multiple alerts from different sources (e.g., Microsoft Defender for Endpoint, Microsoft Defender for Office 365). The analyst wants to see a consolidated list of all alerts associated with the incident, including their severity, status, and detection source. Which tab within the incident details page should the analyst use?

Question 63 (easy, multiple choice)

A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to see a timeline of all actions performed on a specific device, including file creation, registry modifications, and network connections, in chronological order. Which feature should the analyst use?

Question 64 (medium, multiple choice)

A security analyst wants to identify all users who received a phishing email that contained a known malicious URL. The analyst has the URL. Which advanced hunting table should the analyst query first to find the emails that contained this URL?
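The email-to-endpoint correlation that Questions 20, 28 and 64 describe, from EmailUrlInfo to EmailEvents to UrlClickEvents to DeviceProcessEvents. This is an added example, not from the question bank. The URL is a placeholder, and the last join is a heuristic: UrlClickEvents carries no DeviceId, so a click is tied to an endpoint by the same AccountUpn within a 10-minute window, which assumes the device-side AccountUpn column is populated (Entra-joined or hybrid-joined devices):

```kql
// Added example: a known phishing URL -> messages carrying it -> Safe Links
// click events -> browser child processes on the clicking user's device.
// Assumptions: the URL is a placeholder; the click-to-device link (same
// AccountUpn within 10 minutes) is a heuristic because UrlClickEvents has no DeviceId.
let BadUrl = "https://example.com/invoice";
let Lookback = 7d;
// Step 1: messages that contained the URL (EmailUrlInfo) joined to their
// delivery records (EmailEvents), both keyed by NetworkMessageId.
let Messages =
    EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | where Url =~ BadUrl
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(Lookback)
        | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction
      ) on NetworkMessageId
    | project NetworkMessageId, RecipientEmailAddress, Subject, DeliveryAction, MailUrl = Url;
// Step 2: who clicked, what Safe Links decided, and whether they clicked through.
let Clicks =
    UrlClickEvents
    | where Timestamp > ago(Lookback)
    | where Workload == "Email"
    | join kind=inner Messages on NetworkMessageId
    | project ClickTime = Timestamp, AccountUpn, ClickedUrl = Url, ClickVerdict = ActionType,
              IsClickedThrough, ClickIP = IPAddress, Subject;
// Step 3: processes spawned by a browser under the same user within 10 minutes of the click.
Clicks
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe")
    | project SpawnTime = ProcessCreationTime, AccountUpn, DeviceId, DeviceName,
              Browser = InitiatingProcessFileName, ChildName = FileName,
              ChildCmd = ProcessCommandLine, ChildSHA256 = SHA256
  ) on AccountUpn
| where SpawnTime between (ClickTime .. (ClickTime + 10m))
| project ClickTime, AccountUpn, ClickedUrl, ClickVerdict, IsClickedThrough,
          DeviceName, Browser, SpawnTime, ChildName, ChildCmd, ChildSHA256
| order by ClickTime asc, SpawnTime asc
```

ClickVerdict "ClickBlocked" with IsClickedThrough true is the combination to look for first: the user overrode the Safe Links warning, so the Step 3 rows for that click are the ones most likely to show the payload. A browser spawning anything other than its own helper processes (cmd.exe, powershell.exe, mshta.exe, a freshly downloaded executable) in that window is the pivot to the device timeline.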

Question 65 (medium, multiple choice)

In Microsoft 365 Defender, an analyst is investigating an incident involving a malicious script. The analyst wants to see the command-line arguments executed by the script on a specific device. Which Advanced Hunting table should the analyst query?

Question 66 (medium, multiple choice)

A security analyst suspects a user's device is exfiltrating data via DNS queries to a known malicious domain. Which Advanced Hunting table should the analyst query to find DNS requests made from the device?

Question 67 (medium, multiple choice)

In Microsoft 365 Defender, a security analyst reviews an automated investigation that found a potentially unwanted application on multiple devices. The analyst wants to manually approve the suggested remediation action of uninstalling the application. Where should the analyst go?

Question 68 (medium, multiple choice)

A security analyst in Microsoft 365 Defender is using advanced hunting to investigate a suspected data exfiltration. The analyst wants to find all outbound network connections from a specific device that occurred in the last hour, ordered by timestamp. Which table and KQL query should the analyst use?

Question 69 (easy, multiple choice)

In Microsoft 365 Defender, an incident is created automatically. An analyst wants to see all related alerts for that incident. Which tab on the incident details page should the analyst select?

Question 70 (hard, multiple choice)

A security analyst is investigating a complex incident in Microsoft 365 Defender that involves multiple stages: a phishing email, credential theft, and lateral movement. The analyst wants to view a visual representation of the attack chain, showing how alerts and entities are related. Which feature should the analyst use?

Question 71 (easy, multiple choice)

A security analyst in Microsoft 365 Defender is investigating an incident that involves a malicious email attachment. Which advanced hunting table should the analyst use to find information about the email including sender, recipient, and subject?

Question 72 (hard, multiple choice)

A security analyst is investigating a ransomware attack in Microsoft 365 Defender and needs to understand how the attacker moved laterally from an initial compromised workstation to a domain controller. Which feature should the analyst use to see a visual timeline of device-to-device connections and process executions?

Question 73 (medium, multiple choice)

A security analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a user receives more than 5 emails with the same attachment name within 1 hour, indicating a possible malware campaign. Which advanced hunting tables should be joined to achieve this detection?

Question 74 (medium, multiple choice)

A security analyst is investigating a user who may have been compromised. The analyst sees a sign-in from an unusual location and then a series of suspicious actions performed by that user, including deleting files and sending emails. The analyst wants to find all emails sent by the user after the anomalous sign-in. Which advanced hunting tables should be used?

Question 75 (hard, multiple choice)

In Microsoft 365 Defender advanced hunting, an analyst is investigating a case where a user's device was compromised via a malicious base64-encoded PowerShell script. The analyst wants to find all processes that were created by this script by decoding the command line. Which KQL function should be applied to the ProcessCommandLine column in the DeviceProcessEvents table?

Question 76 (medium, multiple choice)

In Microsoft 365 Defender, an analyst is investigating an incident where a user's credentials were used to sign in from an unusual geo-location. The analyst wants to find all other sign-in events from the same IP address in the last 7 days. Which Advanced Hunting table should be used?

Question 77 (hard, multiple choice)

A security analyst is investigating a sophisticated attack chain that started with a user clicking a link in a phishing email, which led to a drive-by download from a malicious website. The analyst wants to see the full list of URLs visited from the user's browser on the device. Which Advanced Hunting table contains this information?

Question 78 (hard, multiple choice)

A security analyst is investigating a sophisticated attack that involved multiple devices. The analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a process with a specific SHA256 hash is executed on any device AFTER an attacker-controlled file is created on another device. Which approach should the analyst use to build this detection?

Question 79 (medium, multiple choice)

A security analyst is investigating a suspicious email that was reported by a user. The email contains an attachment with a known malicious macro. The analyst wants to find all instances of this same email being delivered to other users in the organization. Which Advanced Hunting table should the analyst query to find the delivery events?

Question 80 (easy, multiple choice)

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a ransomware incident. The analyst wants to find all processes that were created with a specific parent process ID. Which column in the DeviceProcessEvents table should the analyst use to filter the parent process?

Question 81 (medium, multiple choice)

A security analyst is investigating a potential malware outbreak using Microsoft 365 Defender advanced hunting. The analyst wants to find all devices where a file with a specific SHA256 hash was first created and then later deleted, which may indicate a cleanup attempt. Which query pattern on the DeviceFileEvents table is appropriate?

Question 82 (easy, multiple choice)

A security analyst is investigating a phishing campaign using Microsoft 365 Defender advanced hunting. The analyst needs to find all emails sent from a specific sender address in the last 7 days. Which table should be queried?

Question 83 (medium, multiple choice)

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify ransomware activity. The rule should trigger when files with specific extensions (e.g., .encrypted, .locked) are created on multiple devices within a short time frame, suggesting a widespread attack. Which combination of advanced hunting tables should be used to obtain both file creation events and device information?

Question 84 (medium, multiple choice)

A security analyst is investigating a potential malware outbreak detected by Microsoft 365 Defender. The analyst needs to identify all devices that have executed a specific parent process with a given ProcessId. Which column in the DeviceProcessEvents table should be used to find processes whose parent is the specified process?

Question 85 (medium, multiple choice)

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst wants to find emails that were delivered to users (DeliveryAction != 'Blocked') and contained a specific malicious URL (e.g., 'https://malicious.com'). The EmailEvents table contains delivery information, and the EmailUrlInfo table contains URL details. Which KQL query correctly joins these two tables to find the desired emails?

Question 86 (hard, multiple choice)

A security analyst is investigating an advanced persistent threat (APT) campaign that involves lateral movement using RDP. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a device remotely connects to another device via RDP (process: mstsc.exe) and, within 10 minutes, the remote device executes a suspicious script (e.g., PowerShell.exe with encoded command). Which KQL query pattern in advanced hunting should be used to correlate these events across devices?

Question 87 (hard, multiple choice)

A security analyst is investigating an advanced persistent threat campaign that involves lateral movement using RDP. The analyst suspects that an attacker uses RDP from DeviceA to DeviceB, and then within a few minutes executes a malicious PowerShell script on DeviceB. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when this pattern occurs. Which KQL query pattern should be used to correlate these events across devices?

Question 88 (medium, multiple choice)

A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?

Question 89 (medium, multi select)

An analyst is investigating a ransomware outbreak using Microsoft 365 Defender Advanced Hunting. They need to find all devices where a file with the extension '.locked' was created within one hour after a known malicious process (e.g., 'ransomware.exe') was executed on the same device. Which two tables should be joined in the query? (Choose 2.)

Question 90 (hard, multiple choice)

An analyst is creating a custom detection rule in Microsoft 365 Defender to detect lateral movement. The rule should trigger when a device (DeviceA) connects to another device (DeviceB) via SMB (port 445) and, within 5 minutes, a scheduled task is created on DeviceB. Which Advanced Hunting query pattern correctly correlates these events across devices?

Question 91 (medium, multiple choice)

An analyst is investigating an incident where a user's mailbox was compromised. The analyst wants to find all mailbox access events (e.g., logins, message access) performed from a specific IP address. Which Advanced Hunting table in Microsoft 365 Defender should be queried?

Question 92 (hard, multiple choice)

An analyst is investigating a data exfiltration incident. They suspect that a user downloaded sensitive files from a SharePoint site and then uploaded them to a non-corporate cloud storage service (e.g., Dropbox) using the same device. Which combination of Advanced Hunting tables should the analyst query to correlate the SharePoint download activity with network connections to external IPs?

Question 93 (easy, multiple choice)

An analyst wants to find all devices that have run a specific process named 'malware.exe' in the last 24 hours using Microsoft 365 Defender Advanced Hunting. Which table should be the primary source for this query?

Question 94 (easy, multiple choice)

A security analyst wants to identify all devices in the organization that have software installed with a specific vulnerability (CVE-2023-1234) using Microsoft 365 Defender Advanced Hunting. Which table should be queried?

Question 95 (easy, multiple choice)

A security analyst is investigating a malware outbreak and needs to find all devices where a specific malicious file with a known SHA1 hash has been observed in the last 24 hours. Which Advanced Hunting table in Microsoft 365 Defender should be the primary source for this query?

Question 96 (medium, multi select)

An analyst is building a custom detection rule in Microsoft 365 Defender to identify potential data exfiltration. The rule should alert when a process (e.g., powershell.exe) initiates multiple outbound network connections to an external IP address that is not in the company's corporate IP range within a short time. Which two Advanced Hunting tables must be joined to correlate process execution with network connection details?

Question 97 (hard, multi select)

An analyst writes an advanced hunting query to investigate a suspicious executable that initiated outbound connections. Which two Microsoft 365 Defender tables are most relevant? (Choose 2.)

Question 98 (medium, multiple choice)

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

Question 99 (medium, multi select)

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Question 100 (hard, multiple choice)

An analyst is using advanced hunting in Microsoft 365 Defender. A device made outbound RDP connections shortly after a suspicious PowerShell process started. Which join is most useful to identify the initiating process for those network connections?

Question 101 (medium, drag order)

Arrange the steps to configure an Azure Sentinel data connector for Windows Security Events via Azure Monitor Agent in the correct order.

Question 102 (medium, drag order)

Order the steps to investigate a user account compromise using Microsoft Sentinel incidents.

Question 103 (medium, drag order)

Arrange the steps to enable and configure Microsoft Defender for Identity (MDI) sensor on a domain controller.

Question 104 (medium, drag order)

Order the steps to set up a Microsoft Sentinel workspace and connect Microsoft 365 Defender data.

Question 105 (medium, matching)

Match each Microsoft 365 Defender workload to its description.

Matches:

Protects endpoints from cyber threats

Safeguards email and collaboration tools

Detects identity-based attacks using Active Directory signals

Provides visibility and control over cloud apps

Secures multicloud and hybrid environments

Question 106 (medium, matching)

Match each Microsoft Defender for Cloud security alert to its description.

Matches:

Anomalous process run on a VM

Multiple failed login attempts from an IP

Antimalware scan found a threat

Download of a suspicious file from an external source

Unusual outbound data transfer detected

Question 107 (medium, matching)

Match each threat intelligence indicator type to its description.

Matches:

IPv4 or IPv6 address associated with malicious activity

Domain name used for phishing or C2

Full URL path involved in an attack

MD5, SHA1, or SHA256 hash of a malicious file

Sender address from a phishing campaign

Question 108 (medium, matching)

Match each Microsoft Sentinel incident management action to its purpose.

Matches:

Designate an owner for the incident

Resolve the incident as false positive or true positive

Document investigation notes

Adjust impact level based on findings

Trigger automated response actions
