- A
securityresources | where type == 'microsoft.security/assessments' | summarize arg_max(properties.status.severity, properties.timeGenerated) by id
Why wrong: This queries assessments, but not specifically the 'Vulnerability assessment solution is enabled' assessment that records last scan time.
- B
securityresources | where type == 'microsoft.security/assessments' and properties.displayName == 'Vulnerability assessment solution should be enabled on your virtual machines' and properties.status.code == 'Healthy' | project id, properties.timeGenerated | where properties.timeGenerated < ago(7d)
This assessment shows 'Healthy' when the VA solution is installed and running, and includes a timeGenerated indicating last scan. Filtering for older than 7 days identifies VMs not recently scanned.
- C
resources | where type == 'microsoft.compute/virtualmachines' | join kind=leftouter (securityresources) on $left.id == $right.id
Why wrong: Incomplete query; doesn't filter for assessment data related to vulnerability scanning.
- D
operationalinsights | where TimeGenerated < ago(7d)
Why wrong: Not a valid table or approach; Log Analytics tables like 'SecurityEvent' don't directly provide VA scan data.
SC-200 Practice Question: Mitigate threats using Microsoft Defender for Cloud
This SC-200 practice question tests your understanding of mitigating threats using Microsoft Defender for Cloud. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. A key principle to apply: Azure Resource Graph (ARG) queries security posture across subscriptions. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.
A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have an Azure subscription with many VMs that are all protected by Defender for Servers. The security team wants to identify VMs that have not had a vulnerability assessment scan in the last 7 days. The integrated vulnerability assessment (Microsoft Defender Vulnerability Management) is enabled. Which KQL query in Azure Resource Graph or Log Analytics can achieve this?
Correct answer & explanation
securityresources | where type == 'microsoft.security/assessments' and properties.displayName == 'Vulnerability assessment solution should be enabled on your virtual machines' and properties.status.code == 'Healthy' | project id, properties.timeGenerated | where properties.timeGenerated < ago(7d)
Option B is correct because it queries the 'securityresources' table in Azure Resource Graph for assessments where the display name matches 'Vulnerability assessment solution should be enabled on your virtual machines' and the status code is 'Healthy'. A 'Healthy' status indicates the assessment passed, meaning a scan occurred within the configured period. By filtering for 'properties.timeGenerated < ago(7d)', it identifies VMs where the last scan was more than 7 days ago, directly meeting the requirement.
Key principle: Azure Resource Graph (ARG) queries security posture across subscriptions.
Common exam traps
Common exam trap: answer the scenario, not the keyword
The trap here is that candidates often confuse the 'Healthy' status as indicating a good state (scanned recently) and forget to apply the time filter 'ago(7d)', or they incorrectly use 'Unhealthy' thinking it means no scan, when in fact 'Unhealthy' means the assessment failed or is missing, which would include VMs that never had a scan at all, not just those not scanned in 7 days.
Detailed technical explanation
How to think about this question
The integrated vulnerability assessment uses Microsoft Defender Vulnerability Management (MDVM) built into Defender for Servers. The assessment 'Vulnerability assessment solution should be enabled on your virtual machines' is a regulatory compliance assessment that checks if the MDVM agent is installed and scanning. When the status is 'Healthy', it means the VM has been scanned; the 'timeGenerated' field records the last scan time. In Azure Resource Graph, the 'securityresources' table contains all security assessments, and filtering by 'properties.status.code == 'Healthy'' is critical because an 'Unhealthy' status would indicate no scan or a failed scan, which would incorrectly include VMs that never scanned.
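The filter from option B written out with explicit casts and one bucket per state, as an added example that is not part of the original question. It assumes, as the page states, that the assessment carries `properties.timeGenerated`, and that the VM's resource ID is available in `properties.resourceDetails.Id`; the column names `vmId`, `statusCode`, `lastEvaluated` and `scanState` are hypothetical.

```kusto
// Added example: classify every VM covered by the assessment instead of
// returning only the option B rows, so the 'Healthy' vs 'Unhealthy' trap is visible.
securityresources
| where type == 'microsoft.security/assessments'
| where tostring(properties.displayName) ==
    'Vulnerability assessment solution should be enabled on your virtual machines'
// ARG exposes 'properties' as a dynamic bag; cast before comparing or sorting.
| extend vmId          = tolower(tostring(properties.resourceDetails.Id)),
         statusCode    = tostring(properties.status.code),
         lastEvaluated = todatetime(properties.timeGenerated)
| extend scanState = case(
    // Not 'Healthy': outside what option B returns (per the page, no scan or a failed scan).
    statusCode != 'Healthy',  'not-healthy',
    // A missing timestamp would otherwise fall through to 'healthy-recent'.
    isnull(lastEvaluated),    'healthy-no-timestamp',
    // The rows option B is looking for.
    lastEvaluated < ago(7d),  'healthy-stale',
    'healthy-recent')
| project vmId, statusCode, lastEvaluated, scanState
| order by scanState asc, lastEvaluated asc
```

Rows labelled `healthy-stale` correspond to option B's result set; the other buckets show what that filter leaves out.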
Key Concepts to Remember
- Azure Resource Graph (ARG) queries security posture across subscriptions.
- The `securityresources` table in ARG contains Defender for Cloud assessments.
- The 'Vulnerability assessment solution should be enabled' assessment indicates VA status.
- The `timeGenerated` property of a 'Healthy' VA assessment reflects the last scan/check.
Exam Day Tips
- Watch for words such as best, first, most likely and least administrative effort.
- Review why wrong options are wrong, not only why the correct option is correct.
Real-world example
How this comes up in practice
An e-commerce site experiences heavy traffic on Black Friday and near-zero traffic during off-peak weeks. Rather than provisioning permanent large VMs, the team uses auto-scaling groups that add capacity automatically under load and reduce it overnight. Questions like this test whether you understand elasticity, availability zones, and cloud compute scaling patterns.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
Last reviewed: Jun 11, 2026