
Scenario-based practice

Select Two (Multi-Select) Questions

Practise Microsoft Security Operations Analyst SC-200 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions · Exam code: SC-200 · Vendor: Microsoft

Scenario guide

How to approach select two (multi-select) questions

Multi-select questions tell you to 'Choose TWO' or 'Choose THREE'. There is no partial credit: you must select every correct option and no incorrect one. The stem always states how many to choose, so trust that count. These questions reward precision, not best-guess elimination.

Quick answer

Select Two (Multi-Select) questions test whether you can apply a concept in context, not just recognise a definition. Each scenario below is built to show:

- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi-select)

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

Question 2 (medium, multi-select)

A hybrid environment contains Azure VMs and on-premises servers connected through Azure Arc. Which two outcomes can Defender for Cloud provide for these servers? (Choose 2.)

Question 3 (hard, multi-select)

A Microsoft Sentinel incident contains alerts from multiple analytics rules. The analyst suspects the same compromised account performed impossible travel followed by suspicious mailbox access. Which two actions best help correlate identity and mailbox activity?

Question 4 (medium, multi-select)

A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)

Question 5 (medium, multi-select)

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Question 6 (medium, multi-select)

An analyst is investigating a ransomware outbreak using Microsoft 365 Defender Advanced Hunting. They need to find all devices where a file with the extension '.locked' was created within one hour after a known malicious process (e.g., 'ransomware.exe') was executed on the same device. Which two tables should be joined in the query? (Choose 2.)
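One way such a correlation is written in advanced hunting, as an added example that is not part of the original question bank or its answer key: the tables, column names and the time-window join follow the published Microsoft Defender advanced hunting schema; the process name ransomware.exe and the .locked extension are the placeholders from the question stem, not real indicators, and the threshold of 10 files per device is an assumed tuning value.

```kql
// Added example (not from the original page): find devices where '.locked'
// files were created within one hour after a known malicious process started.
// Table/column names are from the Defender advanced hunting schema.
// 'ransomware.exe' and '.locked' are the question's placeholders;
// the 10-file threshold is an assumed tuning value.
let lookback = 7d;   // how far back to search (assumption)
let window   = 1h;   // the one-hour window stated in the question
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "ransomware.exe"
| project DeviceId, DeviceName,
          ProcessStart = Timestamp,
          ProcessSHA256 = SHA256,
          ProcessCommandLine,
          ProcessAccount = AccountName
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated" and FileName endswith ".locked"
    | project DeviceId, FileCreated = Timestamp, LockedFile = FolderPath
  ) on DeviceId
// keep only file creations that occurred after the process start and inside the window
| where FileCreated between (ProcessStart .. (ProcessStart + window))
| summarize LockedFiles = count(),
            FirstLocked = min(FileCreated),
            LastLocked  = max(FileCreated),
            SampleFile  = take_any(LockedFile)
          by DeviceId, DeviceName, ProcessStart, ProcessSHA256,
             ProcessCommandLine, ProcessAccount
| where LockedFiles >= 10   // assumed threshold to cut single-file noise
| order by LockedFiles desc
```

The join is on DeviceId only, so the time-window filter after the join is what enforces "within one hour after the process executed"; without it the query would pair every .locked file on the device with every run of the process. Joining on both DeviceId and a bounded Timestamp range is the pattern the question is testing, and the same shape applies to the process-to-network correlation in Question 15 with DeviceNetworkEvents in place of DeviceFileEvents.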

Question 7 (hard, multi-select)

A SOC analyst needs to create a custom watchlist in Microsoft Sentinel to use in an analytics rule. Order the following steps from first to last to correctly create and use the watchlist. (Choose 4.)

Question 8 (hard, multi-select)

An analyst writes an advanced hunting query to investigate a suspicious executable that initiated outbound connections. Which two Microsoft 365 Defender tables are most relevant? (Choose 2.)

Question 9 (medium, multi-select)

Which of the following detection scenarios can be implemented using a scheduled analytics rule in Microsoft Sentinel? (Choose 2.)

Question 10 (medium, multi-select)

Which of the following resource types are supported by Microsoft Defender for Cloud's workload protection plans? (Choose 3.)

Question 11 (medium, multi-select)

A SOC analyst is building a scheduled analytics rule in Microsoft Sentinel to detect when a user is added to a privileged Microsoft Entra ID role (e.g., Global Administrator). Which two tables must be included in the KQL query to capture the role assignment event and to retrieve user details? (Choose 2.)

Question 12 (hard, multi-select)

A SOC analyst in Microsoft Sentinel needs to create an automation rule that triggers a playbook when a new incident is created and the incident severity is 'High'. Additionally, the playbook should only run if the incident is not already assigned to an analyst. Which two conditions must the analyst include in the automation rule? (Choose 2.)

Question 13 (medium, multi-select)

A SOC analyst is configuring a Microsoft Sentinel automation rule to trigger a playbook when an incident is created. The playbook should only run if the incident severity is 'High' and the incident title contains 'Phishing'. Which two conditions should the analyst add to the automation rule? (Choose 2.)

Question 14 (medium, multi-select)

A SOC team uses Microsoft Sentinel and wants to automate the response to high-severity incidents. When a new incident of severity 'High' is created, they need to send an email notification to the on-call analyst and assign the incident to that analyst. Which two components must be configured together to achieve this? (Choose 2.)

Question 15 (medium, multi-select)

An analyst is building a custom detection rule in Microsoft 365 Defender to identify potential data exfiltration. The rule should alert when a process (e.g., powershell.exe) initiates multiple outbound network connections to an external IP address that is not in the company's corporate IP range within a short time. Which two Advanced Hunting tables must be joined to correlate process execution with network connection details?

Question 16 (medium, multi-select)

A SOC team in Microsoft Sentinel wants to automatically assign high-severity incidents to the 'SOC Tier 2' group and automatically close low-severity incidents that have not been updated in 7 days. Which two configuration elements are required in a single automation rule?

Question 17 (hard, multi-select)

A security analyst is investigating a sophisticated attack where an attacker used a compromised account to send a phishing email. The analyst wants to correlate the email event with the subsequent sign-in activity from the same sender's mailbox using Advanced Hunting. Which two tables should the analyst join to link the email sender to the sign-in IP address?

Question 18 (hard, multi-select)

Which THREE components are required to automate incident response in Microsoft Sentinel using playbooks? (Choose three.)

Question 19 (hard, multi-select)

Which THREE capabilities are provided by Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select THREE.)

Question 20 (medium, multi-select)

Which TWO capabilities are provided by Microsoft Copilot for Security within the Microsoft Sentinel experience?

These SC-200 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-200 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.