
SC-200 Which Command Should the Administrator Use Practice Questions

Practise command-choice questions where the task is to identify the correct verification, configuration or troubleshooting command.


Common Traps on Which Command Should the Administrator Use Practice Questions

  • Separate verification commands from configuration commands.
  • Read whether the question asks to identify, verify, fix, permit or deny.
  • Small command keywords often change the correct answer.

Sample Questions

1. An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Explanation: The file entity page in Microsoft 365 Defender shows the file's reputation, detection details, and the actions taken by automated investigations (e.g., block, allow, quarantine). The device page shows device-level actions. The user page shows user-related incidents. The email page is for email entities.

2. A Defender for Cloud alert repeatedly fires for a known test VM used by the security team. The alert type is valid, but it should not create noise for that VM. What should the analyst configure?

Explanation: Alert suppression rules can automatically dismiss alerts that match specific criteria such as resource/entity and alert type.

3. A security operations center (SOC) uses Microsoft Sentinel. The team wants to automatically assign incidents to the appropriate analyst based on the severity level of the alert. Which feature should be configured to achieve this automation?

Explanation: Automation rules in Microsoft Sentinel allow you to define automated responses that trigger when a condition is met, such as incident creation or update. You can set conditions based on severity, status, or other properties, and then automatically assign the incident to a specific analyst or team. Playbooks are used for more complex, multi-step responses, analytics rules generate alerts, and watchlists store reference data for correlation. Therefore, automation rules are the correct choice for severity-based automatic assignment.

4. A security administrator wants to enforce Just-in-Time (JIT) VM access for all Azure virtual machines in a management group to reduce the attack surface. The administrator wants to automatically enable JIT on any new VM and remediate existing non-compliant VMs. What should the administrator configure in Microsoft Defender for Cloud?

Explanation: To automatically enforce JIT VM access, the administrator should assign the built-in Azure Policy initiative 'Configure just-in-time network access on virtual machines' at the management group scope. This initiative uses the DeployIfNotExists effect to deploy the JIT configuration to VMs that do not have it. Manually enabling JIT per subscription would not be automated. Azure Policy Guest Configuration is for in-guest settings, not network access. Creating a custom policy from scratch is unnecessary when a built-in initiative exists.

5. A SOC analyst wants to create a watchlist in Microsoft Sentinel from a CSV file that contains IP addresses. The analyst needs to configure the watchlist so that it can be efficiently queried using IP address comparison operators (e.g., IP prefix matching). Which data type should be set for the key column?

Explanation: Microsoft Sentinel watchlists support KQL data types for columns. To perform IP address comparisons (e.g., using ipv4_is_match or ipv4_lookup), the column should be typed as 'ipaddress'. Using 'string' would require parsing and conversion each time, reducing performance and functionality. The 'dynamic' data type is for complex objects (e.g., arrays, JSON). 'guid' is for globally unique identifiers.
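As an added example (not part of the original question set), the query below shows the prefix-aware comparison the explanation refers to: it assumes a Sentinel watchlist with alias 'BlockedRanges' whose key column 'IpRange' holds IPv4 addresses or CIDR prefixes and an 'Owner' column (both constructed names), and matches firewall source IPs from CommonSecurityLog against it with ipv4_lookup.

```kusto
// Added example; 'BlockedRanges', 'IpRange' and 'Owner' are assumed watchlist names.
// Load the watchlist once so the lookup table is materialised for the join.
let BlockedRanges =
    _GetWatchlist('BlockedRanges')
    | project IpRange = tostring(IpRange), Owner = tostring(Owner);
// ipv4_lookup does prefix matching: a SourceIP of 10.0.1.25 matches an
// IpRange entry of 10.0.0.0/16, which a plain string join would never find.
CommonSecurityLog
| where TimeGenerated > ago(1d)
| where isnotempty(SourceIP)
| evaluate ipv4_lookup(BlockedRanges, SourceIP, IpRange)
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP, IpRange, Owner, DeviceVendor
| order by Hits desc
```

For a single pair of addresses, ipv4_is_match('10.0.1.25', '10.0.0.0/16') performs the same CIDR-aware comparison and returns true.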


Frequently asked questions

How do "Which Command Should the Administrator Use Practice Questions" appear on the real SC-200?

Practise command-choice questions where the task is to identify the correct verification, configuration or troubleshooting command. These appear throughout the SC-200 and require you to apply your knowledge, not just recall facts.

How many scenario questions are on the SC-200 exam?

Cisco doesn't publish an exact breakdown, but scenario-based questions (especially exhibit and command-output formats) make up a significant portion of the SC-200. Practicing each scenario type ensures you're ready for any format.

Are these SC-200 scenario practice questions free?

Yes — all scenario practice on Courseiva is completely free. Sign up for a free account to track your progress and see which scenario types you've mastered.
