Free · No account needed · No credit card

Microsoft Security Operations Analyst SC-200 Practice Test

1,639 questions with instant explanations, domain breakdown, and wrong-answer analysis. Built for the real exam.

Instant feedback after each answer
Full explanations included
Domain score breakdown
Real exam: 120 min
Pass mark: 700

Sample questions with explanations

This is exactly what you see during practice — question, options, and a full explanation after you answer.

Q1 · Mitigate threats using Microsoft Defender XDR · easy

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365 (Threat Explorer) (Correct)
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps

Microsoft Defender for Office 365's Threat Explorer (now part of the unified investigation experience) provides a detailed entity view of an email, including delivery actions (e.g., delivered to Junk, blocked, or allowed), whether the email was part of a phishing simulation, and …

Q2 · Mitigate threats using Microsoft Defender XDR · medium

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps (Correct)
D. Microsoft Defender for Identity

Microsoft Defender for Cloud Apps (Option C) is the correct workload because it provides visibility into cloud application usage, including SharePoint Online, and can generate alerts for suspicious file access patterns such as mass download, unusual file sharing, or access from a …

Q3 · Mitigate threats using Microsoft Defender XDR · hard

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

A. DeviceProcessEvents (Correct)
B. DeviceLogonEvents
C. DeviceFileEvents
D. DeviceRegistryEvents

The DeviceNetworkEvents table logs network connections, including outgoing RDP traffic (port 3389). To identify which process initiated a specific outgoing RDP connection, you must join with the DeviceProcessEvents table on DeviceId and Timestamp (or ProcessId), because DevicePro…
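The join the explanation describes, written out as an added advanced hunting example (this query is not part of the practice test). It assumes the standard Defender XDR advanced hunting schema for DeviceNetworkEvents and DeviceProcessEvents; the one-day lookback, the three-target threshold and the expected client image name are choices made here, not values from the question.

```kql
// Added example, not part of the practice test: outgoing RDP connections
// joined to the process that opened them, then summarised to surface the
// fan-out pattern typical of lateral movement. Assumes the standard Defender
// XDR advanced hunting schema; the lookback window, the 3-target threshold
// and the expected client name are choices made here, not from the page.
let lookback = 1d;
let minTargets = 3;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where RemotePort == 3389
// ConnectionSuccess records an outbound connection established by this device
| where ActionType == "ConnectionSuccess"
| project DeviceId, DeviceName, ConnTime = Timestamp, RemoteIP,
          InitiatingProcessId, InitiatingProcessAccountName
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcTime = Timestamp, ProcessId, FileName,
              ProcessCommandLine, ParentFileName = InitiatingProcessFileName
  ) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
// Process IDs are reused: keep only the most recent process start that
// precedes the connection so a recycled PID is not matched to the wrong image.
| where ProcTime <= ConnTime
| summarize arg_max(ProcTime, *) by DeviceId, InitiatingProcessId, ConnTime, RemoteIP
| summarize RdpTargets = dcount(RemoteIP), Targets = make_set(RemoteIP, 20),
            FirstSeen = min(ConnTime), LastSeen = max(ConnTime)
          by DeviceName, InitiatingProcessAccountName, FileName, ProcessCommandLine, ParentFileName
// One device reaching many RDP hosts, or RDP opened by something other than
// the interactive client, is what an analyst wants surfaced for review.
| extend UnexpectedClient = FileName !~ "mstsc.exe"
| where RdpTargets >= minTargets or UnexpectedClient
| order by RdpTargets desc
```

The `arg_max` step is why the explanation mentions Timestamp alongside ProcessId: joining on DeviceId and ProcessId alone can attach a connection to an earlier process that happened to hold the same PID, so the query keeps only the latest process-creation record that precedes each connection.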

Untimed Practice

Answer at your own pace. Explanation and domain tag shown immediately after each answer.

Timed Practice

Countdown timer starts immediately. Results and domain scores shown at the end — just like the real exam.

Why practice here?

Full explanations on every question

Not just the right answer — you get exactly why each wrong option is wrong, so you learn the concept, not the answer.

Domain score breakdown

After each session see your score by exam domain so you know exactly where to focus study time.

100% free, forever

No subscription, no trial, no email wall. Start a session in under 10 seconds.

Exam-style questions

Scenario-based, precise wording, realistic distractors — written to match what you actually see on exam day.
