Question 1,461 of 1,639
Respond to security incidentshardMultiple SelectObjective-mapped

SC-200 Unusual behavior alerts Practice Question

This SC-200 practice question tests your understanding of respond to security incidents. Match the stated requirement to the specific cloud service, access model, or configuration option — many options are valid in isolation but not for this scenario. A key principle to apply: unusual behavior alerts. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

Which THREE actions are appropriate when investigating a potential data exfiltration incident in Microsoft Defender for Cloud Apps?

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Use the app dashboard to view unusual behavior alerts

Options B, D, and E are correct. Option B: Using the app dashboard to view unusual behavior alerts provides context about potential exfiltration. Option D: Checking file policy matches helps identify which files were flagged as suspicious. Option E: Reviewing the user's activity log in Defender for Cloud Apps helps determine the scope of the exfiltration. Option A is incorrect because checking device inventory is not a cloud app investigation action—it applies to endpoint devices. Option C is incorrect because suspending the user's account is a containment action, not an investigative step.

Key principle: Unusual behavior alerts

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Check the device inventory for suspicious applications

    Why it's wrong here

    Incorrect. Checking device inventory is not directly relevant to investigating data exfiltration in cloud apps. It may be part of a device-based investigation but not in this context.

  • Use the app dashboard to view unusual behavior alerts

    Why this is correct

    Correct. Unusual behavior alerts in the app dashboard provide early warnings of abnormal activity that could indicate exfiltration attempts.

    Related concept

    Unusual behavior alerts

  • Suspend the user's account immediately

    Why it's wrong here

    Incorrect. Suspending the user's account is a containment step, not an investigative one. It should only be taken after investigation confirms malicious intent.

  • Check the file policy matches for the user

    Why this is correct

    Correct. File policy matches show which files were flagged by data loss prevention policies, directly indicating possible exfiltration events.

    Related concept

    Unusual behavior alerts

  • Review the user's activity log in Defender for Cloud Apps

    Why this is correct

    Correct. Reviewing the activity log gives a detailed view of the user's actions, helping to confirm exfiltration and understand its scope.

    Related concept

    Unusual behavior alerts

Common exam traps

Common exam trap: answer the scenario, not the keyword

Candidates may confuse containment actions (e.g., suspending the user) with investigative steps, or mistakenly think device inventory is relevant in cloud app investigations.

Detailed technical explanation

How to think about this question

Treat this as a scenario question. Identify the problem, the constraint, and the best action. Then compare each option against those facts.

KKey Concepts to Remember

  • Unusual behavior alerts
  • File policy matches
  • Activity log
  • Investigation vs. Containment

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Unusual behavior alerts

Real-world example

How this comes up in practice

A cloud solutions architect for a retail company is evaluating services for a new workload. The correct answer here reflects best practice for the specific scenario described — not a general cloud recommendation. Unusual behavior alerts Cloud exam questions reward reading the constraint carefully: the same technology can be right or wrong depending on the use case.

What to study next

Got this wrong? Here's your next step.

Review unusual behavior alerts, then practise related SC-200 questions on the same topic to reinforce the concept.

Related practice questions

Related SC-200 practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free SC-200 practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this SC-200 question test?

Respond to security incidents — This question tests Respond to security incidents — Unusual behavior alerts.

What is the correct answer to this question?

The correct answer is: Use the app dashboard to view unusual behavior alerts — Options B, D, and E are correct. Option B: Using the app dashboard to view unusual behavior alerts provides context about potential exfiltration. Option D: Checking file policy matches helps identify which files were flagged as suspicious. Option E: Reviewing the user's activity log in Defender for Cloud Apps helps determine the scope of the exfiltration. Option A is incorrect because checking device inventory is not a cloud app investigation action—it applies to endpoint devices. Option C is incorrect because suspending the user's account is a containment action, not an investigative step.

What should I do if I get this SC-200 question wrong?

Review unusual behavior alerts, then practise related SC-200 questions on the same topic to reinforce the concept.

What is the key concept behind this question?

Unusual behavior alerts

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Keep practising

More SC-200 practice questions

Last reviewed: Jun 21, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This SC-200 practice question is part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SC-200 exam.