
Microsoft exam questions

SC-200 Microsoft Security Operations Analyst SC-200 practice test

Use this page to practise for the SC-200 Microsoft Security Operations Analyst exam. The goal is not to memorise dumps but to understand each concept, review the explanation and improve your exam readiness.

Practice questions: 300
Topics covered: mapped to the exam outline
Exam code: SC-200
Vendor: Microsoft


Practice set

Microsoft Security Operations Analyst SC-200 questions

Question 1 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The security team wants to receive security alerts about suspicious activities within the cluster, such as a container running with root privileges or attempts to read sensitive host paths. Which Defender for Cloud plan must be enabled to generate these alerts?

Question 2 (medium, multiple choice)

A security analyst in Microsoft Defender for Cloud receives an alert that an Azure VM has a vulnerability with a high severity. The analyst wants to see the detailed finding, including the steps to remediate. Which blade or page should the analyst open?

Question 3 (hard, multiple choice)

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.

Question 4 (easy, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

Question 5 (medium, multiple choice)

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Question 6 (medium, multiple choice)

A security analyst receives an alert in Microsoft Defender for Cloud about a suspicious process on an Azure VM. The alert indicates a potential credential dumping tool. The analyst needs to see the full command line and parent process of the suspicious process. Which Defender for Cloud feature should the analyst use?

Question 7 (hard, multiple choice)

A company has multiple Azure subscriptions managed by Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to ensure that all Azure SQL Servers have Advanced Data Security (ADS) enabled, including Vulnerability Assessment. They decide to use Azure Policy to enforce this at scale. Which built-in policy initiative should they assign to achieve this?

Question 8 (medium, multi select)

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Question 9 (hard, multi select)

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

Question 10 (medium, multiple choice)

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

Question 11 (medium, multiple choice)

A company has enabled Microsoft Defender for Cloud on their subscription containing Azure SQL databases. They receive an alert about a potential SQL injection attack. The analyst wants to see the actual query that was executed. Where can the analyst find the query details associated with the alert?

Question 12 (medium, multiple choice)

A cloud security administrator needs to ensure that all Azure virtual machines have the Microsoft Defender for Cloud agent (Log Analytics agent) installed automatically when they are provisioned. Which configuration should be set in Microsoft Defender for Cloud?

Question 13 (medium, multiple choice)

A cloud security administrator receives an alert from Microsoft Defender for Cloud indicating that a virtual machine has been compromised. The administrator wants to quickly isolate the VM from the network to prevent further spread while preserving the disk for forensic analysis. Which action should the administrator take?

Question 14 (medium, multiple choice)

A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to integrate a third-party vulnerability assessment solution for their Azure VMs and ensure findings appear in the Defender for Cloud recommendations. What must be done?

Question 15 (medium, multiple choice)

A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent (Azure Monitor Agent) turned on. Where should this configuration be set to cover existing and future VMs?

Question 16 (easy, multiple choice)

A company enables Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing and future Azure VMs have Just-In-Time (JIT) VM access configured. Which of the following actions must the team take first to enable JIT for VMs?

Question 17 (medium, multiple choice)

A company has Azure virtual machines running Windows Server. The security team wants to use Microsoft Defender for Cloud's vulnerability assessment solution to identify missing security updates. Which of the following is required to enable built-in vulnerability assessment for VMs?

Question 18 (easy, multiple choice)

A company has enabled Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing virtual machines have a vulnerability assessment solution installed. Which Defender for Cloud feature can automatically deploy a vulnerability assessment agent to supported VMs?

Question 19 (medium, multiple choice)

A company has enabled Microsoft Defender for Cloud on multiple Azure subscriptions. The security team wants to view a unified security score that aggregates the scores from all subscriptions. Which feature should they use?

Question 20 (hard, multiple choice)

A company has multiple Azure subscriptions under a management group. They want to ensure that all VMs across all subscriptions have Microsoft Defender for Cloud's vulnerability assessment solution (using the Microsoft Defender Vulnerability Management engine) enabled. They also want to automatically remediate any non-compliant VMs by enabling the VA solution when a VM is missing it. Which combination of policy initiatives and automation should they use?

Question 21 (medium, multiple choice)

A company has several Azure virtual machines running SQL Server (IaaS). The security team wants to enable Advanced Threat Protection for these SQL Server instances to detect threats like SQL injection. What should they do?

Question 22 (easy, multiple choice)

A company manages multiple Azure subscriptions under a single management group. The security team wants to enable Microsoft Defender for Cloud's enhanced security features (e.g., Defender for Servers) for all subscriptions under that management group with minimal administrative effort. Which method should they use?

Question 23 (medium, multiple choice)

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after the Defender for Containers plan is turned on?

Question 24 (easy, multiple choice)

A company runs SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) to detect threats like SQL injection against these SQL Server instances. Which single action is required to achieve this?

Exam question guide

How to use these SC-200 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.


Free SC-200 Microsoft Security Operations Analyst Practice Test | Courseiva