Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SC-200 Mitigate threats using Microsoft Sentinel • Complete Question Bank

SC-200 Mitigate threats using Microsoft Sentinel — All Questions With Answers

Complete SC-200 Mitigate threats using Microsoft Sentinel question bank — all 0 questions with answers and detailed explanations.

108 questions · Free · No signup
Question 1 (easy, multiple choice)

A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?

Question 2 (medium, multiple choice)

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

Question 3 (hard, multiple choice)

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

Question 4 (medium, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?

Question 5 (hard, multiple choice)

A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?

Question 6 (medium, multiple choice)

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

Question 7 (easy, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. The team wants to automatically assign incidents to the appropriate analyst based on the severity level of the alert. Which feature should be configured to achieve this automation?

Question 8 (hard, multiple choice)

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect a possible password spray attack. The rule must trigger when a single source IP address has more than 10 failed logon attempts on different user accounts within a 30-minute window. The analyst writes a KQL query starting with 'SigninLogs | where ResultType == 50057' (failed logon). Which operator should the analyst use to group events by source IP and count distinct user accounts, then filter for counts above 10?

Question 9 (medium, multiple choice)

A SOC team uses Microsoft Sentinel. They need to correlate syslog events from on-premises firewalls with Microsoft Entra ID sign-in logs to detect VPN-based intrusions. The correlation requires joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Which type of analytics rule should the analyst configure?

Question 10 (medium, multiple choice)

A security analyst is configuring a Microsoft Sentinel playbook to automate the response to phishing incidents. When an incident is created based on a phishing analytics rule, the playbook needs to execute an action in Microsoft 365 Defender, such as blocking the sender email address. Which connector should the analyst add to the playbook to interact with Microsoft 365 Defender?

Question 11 (easy, multiple choice)

A security analyst in Microsoft Sentinel wants to create a custom analytics rule that triggers when more than 10 failed logon attempts from a single source IP address occur within 5 minutes. The analyst writes a KQL query to aggregate sign-in logs. Which KQL operator should the analyst use to group events by source IP and count each failure?

Question 12 (hard, multiple choice)

A SOC team uses Microsoft Sentinel. They receive a large volume of low-severity incidents from a specific analytics rule that causes alert fatigue. They want to automatically close incidents that match certain criteria (e.g., originating from a known test IP). Which feature should they configure?

Question 13 (hard, multiple choice)

A security analyst is configuring a playbook in Microsoft Sentinel to run automatically when a new incident of severity 'High' is created. The playbook should only run for incidents that are not already assigned to an analyst. How can the analyst configure this automation?

Question 14 (medium, multi-select)

A SOC team uses Microsoft Sentinel and wants to automate the response to high-severity incidents. When a new incident of severity 'High' is created, they need to send an email notification to the on-call analyst and assign the incident to that analyst. Which two components must be configured together to achieve this? (Choose the best answer.)

Question 15 (medium, multiple choice)

A security analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect multiple failed logon attempts from the same source IP address. The rule should generate an incident only when the count of failed logons exceeds 10 within a 5-minute window. Which configuration setting is essential to limit the incident generation to this threshold?

Question 16 (medium, multiple choice)

A SOC analyst needs to ingest firewall logs from an on-premises Cisco ASA into Microsoft Sentinel. The logs are sent via syslog to a Linux server. Which data connector should the analyst use to properly parse and collect these logs?

Question 17 (hard, multiple choice)

A security analyst is configuring a Microsoft Sentinel playbook to automatically respond to phishing incidents. The playbook should only run when an incident of severity 'High' is created and the incident is not already assigned to a user. Which automation rule condition and trigger configuration should the analyst use?

Question 18 (hard, multi-select)

A SOC analyst in Microsoft Sentinel needs to create an automation rule that triggers a playbook when a new incident is created and the incident severity is 'High'. Additionally, the playbook should only run if the incident is not already assigned to an analyst. Which two conditions must the analyst include in the automation rule? (Select all that apply.) (Choose 2.)

Question 19 (easy, multiple choice)

A SOC team uses Microsoft Sentinel and needs to ingest custom logs from an on-premises Linux server that writes events to a local text file. The team installs the Azure Monitor Agent (AMA) on the Linux server. Which configuration step is required in Sentinel to collect the custom log file?

Question 20 (easy, multiple choice)

A security analyst in Microsoft Sentinel wants to create a scheduled analytics rule to detect repeated failed HTTP requests to an Azure Application Gateway, indicating a possible brute force attack. Which Azure Monitor table should the analyst query to capture the access and error logs from the Application Gateway?

Question 21 (medium, multiple choice)

A SOC team wants to automatically categorize incidents in Microsoft Sentinel with MITRE ATT&CK tactics (e.g., 'Initial Access', 'Execution') when an analytics rule triggers. How can they achieve this?

Question 22 (easy, multiple choice)

A SOC analyst needs to create a custom alert in Microsoft Sentinel that triggers when a specific user logs in from an unusual geographic location, compared to a learned baseline of normal locations. Which type of analytics rule is best suited for this scenario?

Question 23 (medium, multiple choice)

A SOC analyst has created a custom scheduled analytics rule in Microsoft Sentinel that runs every hour and generates an incident when a certain pattern is detected. The analyst notices that the same set of events is causing a new incident every hour, leading to duplicates. What should the analyst configure to prevent duplicate incident generation from the same events?

Question 24 (medium, multiple choice)

A SOC team uses Microsoft Sentinel and ingests Windows Security Events from domain controllers using the Azure Monitor Agent (AMA). They want to create a scheduled analytics rule that generates an incident when a user account is created in a sensitive Active Directory group (e.g., Domain Admins) outside of approved change windows (e.g., after 9 PM). The required event IDs are 4728 (member added to security-enabled global group) and 4732 (member added to security-enabled local group). Which KQL query should the analyst use to filter for these specific events and the targeted group?

Question 25 (medium, multiple choice)

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect anomalous Microsoft Entra ID sign-ins. The rule runs every 5 minutes and queries the SigninLogs table for sign-ins from IP addresses outside the organization's known country codes. To avoid duplicates, the rule should generate an incident only once for a particular user-IP combination until the combination is not seen for 60 minutes. Which configuration should the analyst use in the analytics rule wizard?

Question 26 (hard, multiple choice)

A SOC team uses Microsoft Sentinel with multiple workspaces in a single region. They have deployed Azure Policy to send all Azure resource logs to a central Log Analytics workspace. Now they want to create a set of analytics rules that run across multiple workspaces to detect cross-workspace attacks. However, they note that the built-in analytics rules can only query data within the workspace they are defined. Which solution should the team implement to efficiently query data from multiple workspaces for detection?

Question 27 (hard, multiple choice)

Match each Microsoft Sentinel data connector on the left with the table name it populates on the right.

Question 28 (medium, multi-select)

A SOC analyst is configuring a Microsoft Sentinel automation rule to trigger a playbook when an incident is created. The playbook should only run if the incident severity is 'High' and the incident title contains 'Phishing'. Which two conditions should the analyst add to the automation rule? (Select all that apply.) (Choose 2.)

Question 29 (hard, multiple choice)

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.

Question 30 (easy, multiple choice)

A SOC analyst needs to create a custom scheduled analytics rule in Microsoft Sentinel that detects when a user attempts to sign in from an IP address not in the organization's allowlist. The rule should run every 5 minutes. Which table should the analyst query?

Question 31 (hard, multiple choice)

A SOC team uses Microsoft Sentinel with multiple workspaces distributed across different regions. They need to create a single analytics rule that can query data from multiple workspaces to detect cross-tenant attacks. What is the recommended approach?

Question 32 (medium, multiple choice)

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute-force attacks on Microsoft Entra ID. The rule should generate an incident when a single user account fails to authenticate more than 10 times in 5 minutes from the same IP address. Which KQL operator is most appropriate to aggregate the count of failed sign-ins?

Question 33 (medium, multiple choice)

A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a user logs in from an IP address outside of the organization's typical geographic locations, based on a learned baseline. Which type of analytics rule is best suited for this scenario?

Question 34 (medium, multiple choice)

A SOC analyst needs to create a scheduled analytics rule in Microsoft Sentinel that detects when a user logs in from an IP address that is not in a predefined list of known corporate IP ranges. The list is maintained as a custom Sentinel watchlist and frequently updated. Which KQL function should the analyst use to reference the watchlist within the rule's query?

Question 35 (hard, multiple choice)

A security analyst in Microsoft Sentinel wants to correlate Microsoft Entra ID sign-in logs with IP addresses known to be associated with a threat actor. The threat actor's IPs are stored in a custom table named 'ThreatIntelligence_IP' that is ingested daily. The analyst needs to create an analytics rule that triggers only when a sign-in occurs from one of these IPs AND when the user is not in a list of approved users (stored in another custom table 'ApprovedUsers'). Which KQL query pattern should the analyst use to achieve this correlation and filtering?

Question 36 (easy, multiple choice)

A SOC analyst is configuring a scheduled analytics rule in Microsoft Sentinel. The rule runs every hour and queries the SigninLogs table for failed sign-ins. The analyst wants to avoid generating multiple incidents for the same user and IP address within a 1-hour window. Which configuration should the analyst use in the 'Incident creation' section of the rule?

Question 37 (medium, multiple choice)

A SOC analyst is creating a Microsoft Sentinel scheduled analytics rule to detect failed sign-in attempts from a specific list of known malicious IP addresses. The IP addresses are stored in a CSV file that is updated weekly. The analyst uploads the file as a new table in the Log Analytics workspace. Which KQL operator should the analyst use to reference this table within the rule's query?

Question 38 (medium, multiple choice)

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect sign-ins from IP addresses known to be associated with a threat actor. The list of threat actor IPs is maintained in a custom Microsoft Sentinel watchlist and is updated daily. The analyst wants the rule to query the SigninLogs table and compare the IP address against this list. What is the most efficient way to reference the list in the KQL query?

Question 39 (easy, multiple choice)

A SOC analyst needs to create a basic analytics rule in Microsoft Sentinel to detect when an Azure VM is created with an open management port (e.g., SSH or RDP). Which data source should the analyst configure to get the VM creation events?

Question 40 (hard, multiple choice)

A SOC analyst is configuring a Microsoft Sentinel scheduled analytics rule to detect rare operations on Azure Key Vaults. The rule uses the AzureActivity table. The analyst wants to use a machine learning algorithm to identify anomalies based on historical activity patterns. Which analytics rule type should the analyst choose?

Question 41 (easy, multiple choice)

A SOC analyst is creating a new analytics rule in Microsoft Sentinel to detect when a user account is disabled. The analyst needs to select a rule template that uses Microsoft Entra ID audit logs. Which rule type should the analyst choose?

Question 42 (easy, multiple choice)

A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a single user attempts to sign in from more than three different countries within 10 minutes. Which tables and KQL operators are needed?

Question 43 (medium, multiple choice)

A SOC analyst is building a scheduled analytics rule in Microsoft Sentinel to detect PowerShell downloads from external IPs. The rule queries the DeviceProcessEvents table from Microsoft Defender for Endpoint forwarded to Sentinel. The analyst wants to reduce alert fatigue by excluding processes initiated by known system accounts (e.g., SYSTEM). Which KQL operator should the analyst use in the query?

Question 44 (medium, multiple choice)

An organization uses Microsoft Sentinel with the Microsoft Defender for Cloud connector enabled. A security analyst receives an alert from Defender for Cloud about a potential brute-force attack on an Azure VM. The analyst wants to automatically create an incident in Sentinel and trigger a playbook that blocks the attacker's IP using a firewall. Which type of Sentinel automation rule should the analyst configure?

Question 45 (medium, multiple choice)

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect when a user account is added to a privileged role in Microsoft Entra ID. The analyst wants to correlate with the user's previous role assignments to identify potential privilege escalation. Which table should the analyst query?

Question 46 (easy, multiple choice)

A SOC analyst wants to quickly enable detection for when a user account is added to the Global Administrator role in Microsoft Entra ID using a built-in analytics rule template in Microsoft Sentinel. Which type of analytics rule template should the analyst use?

Question 47 (medium, multiple choice)

A SOC analyst wants to leverage Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) to detect anomalous sign-in attempts where a user signs in from a country outside their typical pattern. The analyst needs to create an analytics rule that queries the necessary UEBA data. Which Sentinel table should the rule's KQL query primarily reference to evaluate geographic anomalies?

Question 48 (hard, multiple choice)

A SOC analyst is configuring a scheduled analytics rule in Microsoft Sentinel that detects sign-ins from IP addresses contained in a custom threat intelligence watchlist. The analyst wants to avoid creating multiple incidents for the same user and source IP address combination within a 6-hour window. Which configuration in the 'Incident creation' settings should the analyst use to achieve this suppression?

Question 49 (hard, multiple choice)

A SOC analyst wants to detect when a user signs in from a device that has never been used by that user before. The analyst plans to use Microsoft Sentinel with the SigninLogs table. Which KQL approach correctly identifies sign-ins from devices not previously associated with the user within the last 30 days?

Question 50 (medium, multiple choice)

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect when a user is added to the Global Administrator role in Microsoft Entra ID. The analyst also needs to capture the user who performed the addition. Which Microsoft Entra ID table should the analyst query in the rule's KQL query?

Question 51 (hard, multiple choice)

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect sign-ins from IP addresses that are not in the organization's known allow list. The allow list is maintained in a custom watchlist named 'AllowedIPs'. The analyst wants the KQL query to efficiently filter out allowed IPs. Which KQL approach should the analyst use?

Question 52 (easy, multiple choice)

A SOC analyst wants to create a visual dashboard in Microsoft Sentinel to monitor sign-in activity trends over the past 30 days. Which feature should the analyst use?

Question 53 (medium, multiple choice)

An organization ingests Windows Security Events into Microsoft Sentinel via the Security Events connector. An analyst wants to create a scheduled analytics rule that alerts when more than 10 failed logon events (Event ID 4625) occur for the same user within a 5-minute window. Which KQL operator should the analyst use to count events per user in that time window?

Question 54 (medium, multiple choice)

A SOC analyst wants to ensure that multiple alerts from the same analytics rule that occur within a 1-hour window for the same user are automatically merged into a single incident. Which configuration setting should the analyst adjust in the analytics rule?

Question 55 (medium, multiple choice)

A SOC team wants to automatically run a playbook that retrieves threat intelligence details whenever a high-severity incident is created in Microsoft Sentinel. Which type of automation should they configure?

Question 56 (medium, multi-select)

Which of the following detection scenarios can be implemented using a scheduled analytics rule in Microsoft Sentinel? (Select all that apply.) (Choose 2.)

Question 57 (hard, multiple choice)

Arrange the steps in the correct order to create and save a custom hunting query in Microsoft Sentinel.

Question 58 (hard, multiple choice)

Match each Microsoft Sentinel analytics rule type to its correct description.

Question 59 (medium, multiple choice)

A SOC analyst needs to create an automation rule that triggers only when an incident contains a specific custom tag (e.g., 'PII'). Which condition should the analyst use to filter incidents based on the presence of that tag?

Question 60 (medium, multi-select)

A SOC team in Microsoft Sentinel wants to automatically assign high-severity incidents to the 'SOC Tier 2' group and automatically close low-severity incidents that have not been updated in 7 days. Which two configuration elements are required in a single automation rule?

Question 61 (hard, multiple choice)

A SOC analyst needs to write a KQL query for a Microsoft Sentinel scheduled analytics rule that detects impossible travel activity. The rule should alert when a user signs in from two different countries within 60 minutes. The analyst has the SigninLogs table with columns: UserPrincipalName, IPAddress, Location (country), TimeGenerated. Which KQL query pattern correctly triggers an alert for each pair of sign-ins meeting the condition?

Question 62 (hard, multi-select)

A SOC analyst needs to create a custom watchlist in Microsoft Sentinel to use in an analytics rule. Order the following steps from first to last to correctly create and use the watchlist. (Choose 4.)

Question 63 (easy, multiple choice)

A security analyst needs to identify incidents in Microsoft Sentinel that are related to IP addresses known to be associated with a specific threat actor. The analyst has a CSV file containing a list of these IP addresses. Which feature should the analyst use to make this list available for queries in Sentinel?

Question 64 (medium, multiple choice)

A SOC analyst needs to create a Microsoft Sentinel scheduled analytics rule that detects a potential brute-force attack. The rule should alert when a single IP address attempts to sign in to more than 10 different user accounts within 5 minutes. The data is in the 'SigninLogs' table. Which KQL operator should the analyst use to count distinct users per IP address per 5-minute time window?

Question 65 (medium, multiple choice)

An organization ingests its Palo Alto firewall logs into a custom table named 'PaloAlto_CL' in Microsoft Sentinel. A security analyst wants to create a scheduled analytics rule that triggers an incident when a single source IP is involved in more than 100 outbound connections to different destinations in 1 minute. Which KQL query and configuration would trigger the alert correctly?

Question 66 (hard, multiple choice)

A SOC analyst is creating an automation rule in Microsoft Sentinel to trigger a playbook when a new incident is created. The analyst wants the rule to apply only to incidents that have a severity of 'High' and where the 'User' entity is present. Which condition configuration should the analyst use?

Question 67 (medium, multiple choice)

A SOC team ingests Microsoft 365 Defender advanced hunting data into Microsoft Sentinel. They want to create a scheduled analytics rule that detects when a user receives more than 5 emails from an external sender containing a specific attachment name within 1 hour. Which KQL tables and approach should the analyst use?

Question 68 (medium, multiple choice)

A SOC analyst is investigating a potential brute-force attack on an Azure VM. The analyst has ingested Windows Security Events into Microsoft Sentinel. Which KQL query would count the number of failed logon attempts (EventID 4625) per user account in the last hour?

Question 69 (hard, multiple choice)

A security team wants to automatically block an IP address in Azure Firewall when Microsoft Sentinel detects a high number of failed logins from that IP. Which automation approach should they use?

Question 70 (hard, multiple choice)

A SOC team wants to use Microsoft Sentinel to detect when a user logs in from a new country not previously seen for that user. They have the SigninLogs table. Which KQL function is most appropriate to build this anomaly detection?

Question 71 (easy, multiple choice)

A security analyst is configuring a Microsoft Sentinel workspace. The analyst needs to connect a third-party firewall that sends logs via Syslog and supports a common event format (CEF). Which data connector should the analyst use to ingest these logs?

Question 72 (hard, multiple choice)

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel that uses the following KQL query to detect impossible travel:

    SigninLogs | where TimeGenerated > ago(1d) | summarize Countries = make_set(Location) by UserPrincipalName | where array_length(Countries) > 1

However, the analyst notices that the rule generates too many false positives for users who travel legitimately. What is the best way to refine the rule to reduce false positives without missing actual impossible travel?

Question 73 (easy, multiple choice)

A security analyst needs to create a custom watchlist in Microsoft Sentinel to correlate IP addresses known to be used by a threat actor. The watchlist will be uploaded from a CSV file. Which data type should the analyst specify for the watchlist alias?

Question 74 (medium, multiple choice)

A SOC team wants to automate response to incidents detected by Microsoft Sentinel. When a new incident is created with severity "High" and contains a specific tag "malware", they want to run a playbook that isolates the affected device. What is the correct way to configure this automation?

Question 75 (medium, multiple choice)

A SOC analyst needs to create a Microsoft Sentinel scheduled analytics rule that triggers when a Microsoft Entra ID user performs more than 10 failed sign-in attempts from different IP addresses within 15 minutes, using the SigninLogs table. Which KQL query aggregate pattern should be used?

Question 76 (easy, multiple choice)

A SOC analyst wants to ingest firewall logs from a Palo Alto Networks appliance into Microsoft Sentinel using the Common Event Format (CEF) connector. The analyst has already set up a Linux syslog forwarder. What is the next required step to complete the data ingestion?

Question 77 (easy, multiple choice)

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that runs every 5 minutes and alerts when a single IP address fails to authenticate more than 10 times in that time window using the Microsoft Entra ID SigninLogs table. Which KQL function should be used to group the results into 5-minute intervals?

Question 78 (medium, multiple choice)

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel with the following KQL query: SigninLogs | where TimeGenerated > ago(1h) | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress | where EndTime - StartTime < 5m and count_IPAddress > 1 The intended purpose is to detect users logging in from multiple IP addresses in a short time (impossible travel). However, the rule does not generate any alerts. What is the most likely cause?

Question 79 (easy, multiple choice)

A security analyst needs to connect a Palo Alto Networks firewall to Microsoft Sentinel to ingest logs. The firewall supports Syslog and Common Event Format (CEF). Which data connector should the analyst use?

Question 80 (easy, multiple choice)

A security analyst wants to create a custom detection rule in Microsoft Sentinel that alerts when a user logs in from an IP address that is not in the company's approved IP range. The analyst has an existing watchlist named 'ApprovedIPs' containing the allowed ranges. Which KQL operator should the analyst use to compare the IP address from the SigninLogs table against the watchlist?

Question 81 (medium, multiple choice)

A SOC analyst is configuring an analytics rule in Microsoft Sentinel. The rule should run every hour and check for sign-ins from users who have been inactive for more than 30 days. The analyst uses the SigninLogs and IdentityInfo tables. Which KQL query pattern should be used to identify these users?

Question 82 (hard, multiple choice)

A SOC analyst needs to create an automated response in Microsoft Sentinel that, when a specific type of incident is created, automatically creates a ticket in ServiceNow and blocks the source IP address in Azure Firewall. The analyst already has a playbook that performs these actions. What is the correct configuration to trigger this playbook?

Question 83 (easy, multiple choice)

A security analyst wants to quickly check the number of incidents created in Microsoft Sentinel in the last 7 days, grouped by severity. Which KQL query should the analyst use?

Question 84 (easy, multiple choice)

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that detects when a user is added to a privileged Microsoft Entra ID role (e.g., Global Administrator). Which data table is essential for the query?

Question 85 (medium, multiple choice)

A SOC analyst wants to automate a response in Microsoft Sentinel such that whenever an incident is created containing a specific user entity (e.g., compromised user), a playbook runs that disables the user in Microsoft Entra ID. Which condition should be configured in the automation rule?

Question 86 (hard, multiple choice)

A SOC analyst wants to create a watchlist in Microsoft Sentinel from a CSV file that contains IP addresses. The analyst needs to configure the watchlist so that it can be efficiently queried using IP address comparison operators (e.g., IP prefix matching). Which data type should be set for the key column?

Question 87 (easy, multiple choice)

An organization has connected a Palo Alto Networks firewall to Microsoft Sentinel using the Common Event Format (CEF) connector via a Linux log forwarder. The analyst notices that some expected firewall logs are missing in Sentinel. Which troubleshooting step should be performed first to check if the logs are reaching the Sentinel workspace?

Question 88 (medium, multiple choice)

A SOC analyst wants to create a Microsoft Sentinel scheduled analytics rule that alerts when a user from a critical department (e.g., Finance) logs on from an IP address that is not in the company's approved IP address ranges. The analyst has an Azure Sentinel watchlist named 'FinanceApprovedIPs' containing the allowed IP ranges. Which KQL operator should be used in the rule's query to efficiently check if the IP address from SigninLogs falls within any of the watchlist ranges?

Question 89 (medium, multiple choice)

An organization uses Microsoft Sentinel to monitor Microsoft Entra ID sign-ins. A SOC analyst creates a scheduled analytics rule that runs every 15 minutes and uses the following KQL query: SigninLogs | where TimeGenerated > ago(30m) | summarize count() by IPAddress | where count_ > 10. The rule is intended to detect brute-force attacks from a single IP address. However, the analyst notices that alerts are generated even when IP addresses are within the company's trusted corporate network range. What is the most appropriate fix to reduce false positives?

Question 90 (medium, multiple choice)

A SOC analyst wants to automate a response in Microsoft Sentinel: whenever an incident is created that contains a compromised user entity (e.g., a user whose credentials were used in a breach), a playbook should run to disable that user in Microsoft Entra ID. Which condition should be configured in the automation rule to trigger this playbook?

Question 91 (easy, multiple choice)

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that runs every hour and detects multiple failed user login attempts from a single IP address within a 5-minute window. Which KQL function should be used in the query to group the failed events by 5-minute time intervals?

Question 92 (medium, multi select)

A SOC analyst is building a scheduled analytics rule in Microsoft Sentinel to detect when a user is added to a privileged Microsoft Entra ID role (e.g., Global Administrator). Which two tables must be included in the KQL query to capture the role assignment event and to retrieve user details? (Choose 2.)

Question 93 (easy, multiple choice)

A SOC manager wants to quickly view the number of incidents generated in Microsoft Sentinel over the past 7 days, grouped by Azure subscription. Which KQL query should be used on the SecurityIncident table?

Question 94 (hard, multiple choice)

A SOC analyst is configuring a multi-region deployment of Microsoft Sentinel. The requirement is to ingest security logs from Azure resources located in three different Azure regions. The analyst needs to create the workspace in one region and then use cross-workspace queries to view data from all regions. What is the correct sequence of steps?

Question 95 (medium, multiple choice)

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel to detect anomalous Microsoft Entra ID sign-ins. The rule uses the SigninLogs table and runs every 15 minutes. The analyst wants to alert when a user signs in from a country that is not in the allowed list (['US', 'CA']). Which KQL query pattern should be used in the rule?

Question 96 (medium, multiple choice)

A SOC analyst creates a watchlist in Microsoft Sentinel from a CSV file containing IP ranges (10.0.0.0/16) and a tag. The analyst wants to use this watchlist in a KQL query to check if a sign-in IP is within the ranges. Which KQL function should be used?

Question 97 (easy, multiple choice)

A SOC analyst wants to create an automation rule in Microsoft Sentinel that runs a playbook to disable a user's Microsoft Entra ID account every time an incident is created with a specific 'User' entity (e.g., compromised user). Which condition should be configured in the automation rule?

Question 98 (medium, multiple choice)

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect potential account compromise. The rule should trigger when a user account is created in Microsoft Entra ID and, within one hour, that same account is used to sign in from an unfamiliar location. The queries use the AuditLogs table for account creation and the SigninLogs table for sign-ins. Which KQL operator should be used to correlate these two events from different tables within a specific time window?

Question 99 (medium, multiple choice)

A SOC analyst wants to use Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) to identify a user who is performing suspicious actions, such as accessing a high number of resources outside of their normal pattern. What must be enabled for UEBA to function correctly in Microsoft Sentinel?

Question 100 (hard, multi select)

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

Question 101 (hard, multiple choice)

A KQL query detects brute-force attempts by summarizing failed sign-ins by user, IP address, and five-minute time bins. Which operator is most appropriate for this aggregation?

Question 102 (hard, multi select)

A Microsoft Sentinel incident contains alerts from multiple analytics rules. The analyst suspects the same compromised account performed impossible travel followed by suspicious mailbox access. Which two actions best help correlate identity and mailbox activity?

Question 103 (medium, drag order)

Arrange the steps to run a Microsoft 365 Defender advanced hunting query and create a custom detection rule from it.

Question 104 (medium, drag order)

Order the steps to configure a Microsoft Sentinel analytics rule using a scheduled query.

Question 105 (medium, drag order)

Arrange the steps to configure a Microsoft Sentinel playbook (automation) using Azure Logic Apps.

Question 106 (medium, matching)

Match each Microsoft Sentinel data connector to its data source.
Subscription-level events from Azure Resource Manager

Sign-in logs and audit logs from Azure Active Directory

Security events from Windows machines

Events from Linux and network devices

Exchange Online and SharePoint Online logs

Question 107 (medium, matching)

Match each Microsoft Sentinel feature to its purpose.
Define conditions that generate incidents

Visualize data using custom dashboards

Proactively search for threats

Automate responses using Azure Logic Apps

Detect anomalous behavior based on entity analytics

Question 108 (medium, matching)

Match each Microsoft Purview compliance feature to its description.
Prevents accidental sharing of sensitive data

Searches and exports data for legal cases

Logs user and admin activities

Classifies and protects sensitive data with labels

Manages retention and disposal of records
