
Scenario-based practice

Drag and Drop Matching Questions

Original exam-style scenarios for the Microsoft Security Operations Analyst (SC-200) exam, covering every exam domain, with detailed explanations, wrong-answer analysis, and the common traps each question type sets.

Scenario questions: 10
Exam code: SC-200
Vendor: Microsoft

Scenario guide

How to approach drag and drop matching questions

Matching questions give you two columns — concepts, commands, or protocols on the left, and their definitions or use-cases on the right. You drag each left item to its correct match. These appear on most certification exams and punish superficial memorisation.

Quick answer

Drag-and-drop matching questions test whether you can apply a concept in context, not just recognise its definition. Working through the set below shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

For each question, drag a concept onto its matching description (or click a concept, then click the description). Only the description column of each question is reproduced below.

Question 1 (medium, matching)

Match each Microsoft Defender for Cloud security alert to its description.

Descriptions to match:
Anomalous process run on a VM
Multiple failed login attempts from an IP
Antimalware scan found a threat
Download of a suspicious file from an external source
Unusual outbound data transfer detected

Question 2 (medium, matching)

Match each Microsoft Purview compliance feature to its description.

Descriptions to match:
Prevents accidental sharing of sensitive data
Searches and exports data for legal cases
Logs user and admin activities
Classifies and protects sensitive data with labels
Manages retention and disposal of records

Question 3 (medium, matching)

Match each Microsoft Sentinel data connector to its data source.

Descriptions to match:
Subscription-level events from Azure Resource Manager
Sign-in logs and audit logs from Azure Active Directory (now Microsoft Entra ID)
Security events from Windows machines
Events from Linux and network devices
Exchange Online and SharePoint Online logs

Question 4 (medium, matching)

Match each incident severity level to its description in Microsoft 365 Defender.

Descriptions to match:
No impact, but may indicate an issue
Minimal impact, likely false positive
Potential impact, requires investigation
Significant impact, immediate action needed
Widespread impact, urgent response required

Question 5 (medium, matching)

Match each Microsoft 365 Defender role to its permission level.

Descriptions to match:
Full access to all admin features
Manage security policies and view reports
Read-only access to security settings and logs
Respond to alerts and manage incidents
Manage compliance features and data loss prevention

Question 6 (medium, matching)

Match each Microsoft Sentinel incident management action to its purpose.

Descriptions to match:
Designate an owner for the incident
Resolve the incident as false positive or true positive
Document investigation notes
Adjust impact level based on findings
Trigger automated response actions

Question 7 (medium, matching)

Match each Kusto Query Language (KQL) operator to its function.

Descriptions to match:
Filters rows based on a condition
Groups rows and calculates aggregates
Selects specific columns
Creates computed columns
Combines rows from two tables

Question 8 (medium, matching)

Match each threat intelligence indicator type to its description.

Descriptions to match:
IPv4 or IPv6 address associated with malicious activity
Domain name used for phishing or C2
Full URL path involved in an attack
MD5, SHA1, or SHA256 hash of a malicious file
Sender address from a phishing campaign
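The operators in Question 7 and the indicator types in Question 8 meet in a typical Sentinel enrichment query: filter failed sign-ins, aggregate them per source IP, and join the result against threat-intelligence indicators. The query below is an added example and is not part of the original question set. It runs against constructed datatable inputs so it works in any Log Analytics or Microsoft Sentinel workspace; in a real workspace the sign-ins would come from SigninLogs and the indicators from the ThreatIntelligenceIndicator table, which stores each indicator in a type-specific column (such as NetworkIP, DomainName, Url or FileHashValue) rather than the type/value pair constructed here. All IP, domain, URL, hash and sender values are made up.

```kql
// Added example, not from the original page. Constructed sample sign-ins so the
// query runs without real tables; ResultType "0" is a successful sign-in, anything
// else is a failure (the same convention SigninLogs uses).
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
    datetime(2024-05-01 08:00:00), "alice@contoso.com", "203.0.113.10", "0",
    datetime(2024-05-01 08:01:00), "bob@contoso.com",   "203.0.113.10", "50126",
    datetime(2024-05-01 08:02:00), "bob@contoso.com",   "203.0.113.10", "50126",
    datetime(2024-05-01 08:03:00), "carol@contoso.com", "198.51.100.7", "0",
    datetime(2024-05-01 08:04:00), "dave@contoso.com",  "203.0.113.10", "50126"
];
// Constructed threat-intelligence indicators, one per indicator type from Question 8.
let Indicators = datatable(IndicatorType:string, IndicatorValue:string, Description:string)
[
    "ipv4-addr",   "203.0.113.10",                        "Known brute-force source",
    "domain-name", "login-contoso.example",               "Phishing / C2 domain",
    "url",         "https://login-contoso.example/auth",  "Credential-harvesting page",
    "file-sha256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "Placeholder file hash",
    "email-addr",  "it-support@login-contoso.example",    "Phishing sender"
];
SignIns
| where ResultType != "0"                                  // where: filter rows on a condition
| extend Hour = bin(TimeGenerated, 1h)                     // extend: add a computed column
| summarize Failures = count(),                            // summarize: group and aggregate
            Users = dcount(UserPrincipalName) by IPAddress, Hour
| join kind=inner (                                        // join: correlate with a second table on a key
    Indicators
    | where IndicatorType == "ipv4-addr"
    | project IPAddress = IndicatorValue, Description      // project: select and rename columns
  ) on IPAddress
| project Hour, IPAddress, Failures, Users, Description
```

With this data the query returns a single row: 203.0.113.10 in the 08:00 hour bucket, with Failures = 3 and Users = 2, enriched with the indicator description. The exam trap behind "Combines rows from two tables" is that join correlates rows on a shared key, as here, whereas union simply appends the rows of both tables with no matching; read the description for any mention of a key or matching condition before choosing between them.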

Question 9 (medium, matching)

Match each Microsoft 365 Defender workload to its description.

Descriptions to match:
Protects endpoints from cyber threats
Safeguards email and collaboration tools
Detects identity-based attacks using Active Directory signals
Provides visibility and control over cloud apps
Secures multicloud and hybrid environments

Question 10 (medium, matching)

Match each Microsoft Sentinel feature to its purpose.

Descriptions to match:
Define conditions that generate incidents
Visualize data using custom dashboards
Proactively search for threats
Automate responses using Azure Logic Apps
Detect anomalous behavior based on entity analytics

These SC-200 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-200 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.