
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SC-200 Mitigate threats using Microsoft Defender XDR Practice Questions

20+ practice questions focused on Mitigate threats using Microsoft Defender XDR — one of the most tested topics on the Microsoft Security Operations Analyst SC-200 exam. Each question includes a detailed explanation so you learn why the right answer is correct.


Exam Domains

Manage a security operations environment
Respond to security incidents
Perform threat hunting
Mitigate threats using Microsoft Defender XDR
Mitigate threats using Microsoft Defender for Cloud
Mitigate threats using Microsoft Sentinel


Sample Mitigate threats using Microsoft Defender XDR Questions

1. A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365 (Threat Explorer)
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps

Explanation: Microsoft Defender for Office 365's Threat Explorer (now part of the unified investigation experience) provides a detailed entity view of an email, including delivery actions (e.g., delivered to Junk, blocked, or allowed), whether the email was part of a phishing simulation, and the associated campaign information. This tool is specifically designed for deep email threat investigation within the Defender for Office 365 portal, leveraging telemetry from Exchange Online Protection (EOP) and Defender for Office 365.

2. During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity

Explanation: Microsoft Defender for Cloud Apps (Option C) is the correct workload because it provides visibility into cloud application usage, including SharePoint Online, and can generate alerts for suspicious file access patterns such as mass download, unusual file sharing, or access from anomalous locations. It uses behavioral analytics and anomaly detection to identify compromised accounts accessing sensitive data in SaaS applications like SharePoint.

3. A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

A. DeviceProcessEvents
B. DeviceLogonEvents
C. DeviceFileEvents
D. DeviceRegistryEvents

Explanation: The DeviceNetworkEvents table logs network connections, including outgoing RDP traffic (port 3389). To identify which process initiated a specific outgoing RDP connection, you must join with the DeviceProcessEvents table on DeviceId and Timestamp (or ProcessId), because DeviceProcessEvents contains the process creation details (e.g., mstsc.exe) that launched the network connection. This join reveals the parent process responsible for the lateral movement attempt.
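The following advanced hunting query is an added example, not part of the original question set, showing the join the explanation above describes. The table and column names (DeviceNetworkEvents, DeviceProcessEvents, InitiatingProcessId, ProcessCreationTime and so on) are the Microsoft Defender XDR advanced hunting schema; the seven-day lookback and the "three or more targets" threshold are illustrative assumptions.

```kql
// Added example, not from the page. Tables and columns are the Microsoft Defender XDR
// advanced hunting schema; the 7-day window and the fan-out threshold are assumptions.
let lookback = 7d;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 3389                      // outbound RDP
| where RemoteIPType == "Private"               // internal destinations: lateral movement candidates
| project DeviceId, DeviceName, Timestamp, RemoteIP, RemotePort,
          InitiatingProcessId, InitiatingProcessCreationTime,
          InitiatingProcessFileName, InitiatingProcessAccountName
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcessId, ProcessCreationTime, FileName,
              ProcessCommandLine, AccountName,
              ParentProcessFileName = InitiatingProcessFileName
  ) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
// Process IDs are reused over time; matching the creation time as well pins the join
// to the exact process instance that opened the connection.
| where ProcessCreationTime == InitiatingProcessCreationTime
| summarize Targets = dcount(RemoteIP),
            TargetList = make_set(RemoteIP, 20),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by DeviceName, AccountName, FileName, ProcessCommandLine, ParentProcessFileName
| where Targets >= 3                            // one source fanning out to several hosts
| order by Targets desc
```

Joining on DeviceId and the process identifier alone is the common mistake: a PID can belong to a different process later in the same window, so the extra equality on the process creation time keeps the match exact. The summarize step turns raw connection rows into a per-source, per-process view, which is what you want to triage. An administrator running mstsc.exe from a jump host will show up here legitimately, so tune the threshold and exclude known management workstations before turning this into a custom detection rule.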

4. During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

A. The delivery location and whether the email was delivered to Inbox, Junk, or Quarantine.
B. The authentication statuses (SPF, DKIM, DMARC) for the sender domain.
C. The sender IP address and the recipient email address.
D. The detection technology (e.g., Advanced ML, Reputation) and if the email was part of a phish simulation or a campaign.

Explanation: Option D is correct because the 'Detection details' section on the email entity page in Microsoft 365 Defender specifically shows the detection technology used (e.g., Advanced ML, Reputation, Bulk) and whether the email was part of a phishing simulation or a campaign. This information helps analysts understand how the email was identified as malicious and its context within broader threat activity.

5. An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

A. Trigger a training campaign for the user who reported the email.
B. Move the email to the tenant's shared mailbox for review.
C. Remove the Report Message add-in from Outlook to prevent false reports.
D. Soft-delete the email from the user's mailbox and other mailboxes that received the same message.

Explanation: When a user reports a phishing email via the Report Message add-in, the automated investigation and response (AIR) playbook in Microsoft Defender for Office 365 can automatically soft-delete the email from the user's mailbox and from all other mailboxes that received the same message. This action is part of the built-in remediation steps that AIR can take after confirming the threat, leveraging the email entity's hash or message ID to perform tenant-wide removal via the threat protection pipeline.


How to master Mitigate threats using Microsoft Defender XDR for SC-200

1. Baseline your knowledge

Start with 10 questions to gauge your current understanding of Mitigate threats using Microsoft Defender XDR. This tells you whether you need a concept refresher or just practice.

2. Review every explanation

For each question — right or wrong — read the full explanation. Understanding why an answer is correct is more valuable than knowing the answer itself.

3. Focus on exam traps

Mitigate threats using Microsoft Defender XDR questions on the SC-200 frequently use trap wording. Look for subtle differences in answers that test your precision, not just general knowledge.

4. Reach 80% consistently

Do repeated sessions until you score 80%+ three times in a row. Then move to mixed-mode practice to test cross-topic recall under realistic conditions.

Frequently asked questions

How many SC-200 Mitigate threats using Microsoft Defender XDR questions are on the real exam?

The exact number varies per candidate. Mitigate threats using Microsoft Defender XDR is tested as part of the Microsoft Security Operations Analyst SC-200 blueprint. Practicing with targeted Mitigate threats using Microsoft Defender XDR questions ensures you can handle any format or difficulty that appears.

Are these SC-200 Mitigate threats using Microsoft Defender XDR practice questions free?

Yes. Courseiva provides free SC-200 practice questions across all exam topics and domains. The platform includes topic-based practice, mock exams, missed-question review, bookmarked questions, and readiness tracking — no account required.

Is Mitigate threats using Microsoft Defender XDR one of the harder SC-200 topics?

Difficulty is subjective, but Mitigate threats using Microsoft Defender XDR is a high-priority exam concept tested in multiple ways — direct recall, scenario analysis, and command-output interpretation. Consistent practice is the best way to build confidence.

