Microsoft Security Operations Analyst SC-200 practice test

Practice questions on virtualization concepts cover hypervisor types, VM resource management, and host/guest relationships for SC-200.

1,639 practice questions
6 topics covered
Exam code: SC-200
Vendor: Microsoft

Study modes

Three ways to study

Start with the Study Sheet to learn the material, switch to Practice Tests for active recall, then take a Mock Exam to simulate the real thing.

Study Sheet

All 1,639 questions with correct answers and explanations already visible. Read at your own pace — no time pressure.

Practice Test

Answer first, then see feedback and explanation. Tracks your score per session. Best for active recall and identifying weak areas.

Mock Exam

Full timed simulation with countdown. Answers hidden until the end. Includes all question types just like the real exam.

Study Sheet

All 1,639 SC-200 questions with answers

Every question in the bank, paginated 75 per page. Correct answers and full explanations are revealed upfront — ideal for first-pass learning and pre-exam review.

22 pages · 75 questions per page · 1,639 total

Related practice questions

Study SC-200 by topic

Topic pages go deep on individual concepts — each one covers a specific exam topic with questions, explanations, and study notes.

Courseiva uses original exam-style practice questions created for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations, not to memorise copied exam dumps.

Sample questions

Microsoft Security Operations Analyst SC-200 practice questions

Question 1 · medium · multiple choice

An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

An organization has enabled enhanced security features for a hybrid infrastructure including SQL servers on-premises and in Azure. Which Microsoft Defender for Cloud plan provides threat detection for both SQL Server on-premises and Azure SQL Database?

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?

A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?

A hybrid environment contains Azure VMs and on-premises servers connected through Azure Arc. Which two outcomes can Defender for Cloud provide for these servers? (Choose 2.)

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?

A company uses Microsoft Defender for Cloud. They need to continuously assess the compliance of their Azure resources against the CIS benchmark. Which feature should they enable?

Question 14 · hard · multiple choice

A SOC analyst is configuring a Microsoft Sentinel scheduled analytics rule to detect rare operations on Azure Key Vaults. The rule uses the AzureActivity table. The analyst wants to use a machine learning algorithm to identify anomalies based on historical activity patterns. Which analytics rule type should the analyst choose?

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

A security administrator wants to assess their Azure environment against the Azure Security Benchmark and also include custom security controls defined by their organization. They need a single, reusable policy initiative that can be assigned across multiple subscriptions and management groups. What should the administrator create in Microsoft Defender for Cloud?

A security analyst is investigating a suspicious email that was reported by a user. The email contains an attachment with a known malicious macro. The analyst wants to find all instances of this same email being delivered to other users in the organization. Which Advanced Hunting table should the analyst query to find the delivery events?

A security analyst wants to see the delivery status and phishing verdict of an email. Which advanced hunting table should the analyst query in Microsoft 365 Defender?

A large enterprise uses Microsoft Defender for Cloud with the integrated Microsoft Defender Vulnerability Management solution enabled for all servers. The security team wants to identify all virtual machines that have not been scanned for vulnerabilities in the last 7 days. They plan to use Azure Resource Graph (ARG) to generate a report. Which KQL query would correctly identify these machines?

A security analyst is investigating a user who may have been compromised. The analyst sees a sign-in from an unusual location and then a series of suspicious actions performed by that user, including deleting files and sending emails. The analyst wants to find all emails sent by the user after the anomalous sign-in. Which advanced hunting tables should be used?

A security analyst is investigating a compromised user account using Microsoft 365 Defender. The analyst wants to see all the sign-in attempts made by this user in the last 24 hours, including the IP addresses and locations. Which advanced hunting table should the analyst query?

A security analyst in Microsoft 365 Defender needs to review all actions that were automatically taken by an investigation (e.g., isolating a device, deleting a file) that occurred during an incident. Where should the analyst find this list of executed actions?

A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?

Question 24 · hard · multiple choice

A security analyst in Microsoft Sentinel wants to correlate Microsoft Entra ID sign-in logs with IP addresses known to be associated with a threat actor. The threat actor's IPs are stored in a custom table named 'ThreatIntelligence_IP' that is ingested daily. The analyst needs to create an analytics rule that triggers only when a sign-in occurs from one of these IPs AND when the user is not in a list of approved users (stored in another custom table 'ApprovedUsers'). Which KQL query pattern should the analyst use to achieve this correlation and filtering?


Exam question guide

How to use these SC-200 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Tests understanding of hypervisors, virtual machines, resource allocation, and host vs. guest OS requirements.

Identify Type 1 vs Type 2 hypervisors and their use cases.

Understand virtual machine resource allocation (CPU, RAM, storage).

Recognize host vs. guest operating system roles.

Know virtualization security and isolation requirements.

These SC-200 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-200 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.