Back to Microsoft Security Operations Analyst SC-200 questions

Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Microsoft Security Operations Analyst SC-200 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15
scenario questions
SC-200
exam code
Microsoft
vendor

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Related practice questions

Related SC-200 topic practice pages

Scenario questions usually connect to one or more exam topics. Use these links to review the underlying concepts behind the scenario.

Practice set

Practice scenarios

Question 1easymultiple choice
Full question →

Refer to the exhibit. You are running a PowerShell script to enable the Anomalies setting in Microsoft Sentinel. After running the script, you check the Sentinel settings in the portal and see that Anomalies is still disabled. What is the most likely reason?

Exhibit

Refer to the exhibit.
```powershell
Connect-AzAccount
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-sentinel" -Name "la-sentinel-prod"
Set-AzSentinelSetting -Workspace $workspace -SettingName "Anomalies" -Enabled $true
```
Question 2hardmultiple choice
Full question →

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in ARM template format. The rule is enabled but no incidents are being created even though matching sign-in events exist. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Malicious IP Login Detection",
    "description": "Detects logins from known malicious IPs",
    "severity": "Medium",
    "enabled": true,
    "query": "SigninLogs | where IPAddress in (dynamic(['10.0.0.1', '192.168.1.1'])) | project TimeGenerated, UserPrincipalName, IPAddress",
    "queryFrequency": "PT5H",
    "queryPeriod": "PT5H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "tactics": ["InitialAccess"],
    "techniques": ["T1078"],
    "alertRuleTemplateName": null,
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities",
        "groupByEntities": [],
        "groupByAlertDetails": [],
        "groupByCustomDetails": null
      }
    },
    "eventGroupingSettings": {
      "aggregationKind": "SingleAlert"
    }
  }
}
```
Question 3hardmultiple choice
Full question →

You are analyzing sign-in logs in Microsoft Sentinel. The KQL query shown in the exhibit returns a list of users who have signed into Office 365 Exchange Online more than 10 times in the last 24 hours. You need to identify potential brute-force attacks. What additional information should you add to the query to improve detection?

Exhibit

Refer to the exhibit.

```kql
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"
| where AppDisplayName == "Office 365 Exchange Online"
| summarize LoginCount = count() by UserPrincipalName, IPAddress
| where LoginCount > 10
| project UserPrincipalName, IPAddress, LoginCount
```
Question 4hardmultiple choice
Full question →

Refer to the exhibit. You are troubleshooting an endpoint that is not receiving real-time protection from Microsoft Defender Antivirus. The output shows RealTimeProtectionEnabled is False. Which command should you run next to enable real-time protection?

Exhibit

Refer to the exhibit.
```powershell
PS C:\> Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

AMProductVersion AMServiceEnabled AntivirusEnabled RealTimeProtectionEnabled
--------------- ----------------- ---------------- -----------------------
4.18.2304.9     True              True             False
```
Question 5mediummultiple choice
Full question →

Refer to the exhibit. You are creating a scheduled analytics rule in Microsoft Sentinel using the ARM template snippet. The rule runs every 5 minutes and queries the last 5 minutes of data. The rule is not generating alerts even though malware detections are occurring. What is the most likely issue?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Malware detected on endpoint",
    "severity": "Medium",
    "queryPeriod": "PT5M",
    "queryFrequency": "PT5M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "query": "DeviceEvents | where ActionType == \"AntivirusDetection\" | where Timestamp > ago(5m)"
  }
}
```
Question 6mediummultiple choice
Full question →

Refer to the exhibit. Your SOC manager runs this KQL query in Microsoft Sentinel to see which analysts have the most active high-severity incidents in the past 7 days. The query returns no results. What is the most likely reason?

Exhibit

Refer to the exhibit.
```kusto
SecurityIncident
| where Status == "Active" and Severity == "High"
| where CreatedTime > ago(7d)
| summarize Count = count() by Owner
| top 5 by Count desc
```
Question 7easymultiple choice
Full question →

Refer to the exhibit. You deploy this ARM template to your subscription. After deployment, you cannot find the saved search 'Test Search' in the Microsoft Sentinel workspace. What is the most likely reason?

Exhibit

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "name": "[concat(parameters('workspaceName'), '/TestSearch')]",
      "apiVersion": "2020-08-01",
      "properties": {
        "displayName": "Test Search",
        "category": "Test",
        "query": "Heartbeat | summarize Count() by Computer",
        "tags": []
      }
    }
  ]
}
Question 8mediummultiple choice
Full question →

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns no results even though you know there are alerts with the name 'Malware detected'. What is the most likely issue?

Exhibit

SecurityAlert
| where AlertName == "Malware detected"
| extend entities = parse_json(Entities)
| mv-expand entities
| where entities.Type == "file"
| project FileHash = entities.FileHash, AlertTime = TimeGenerated
Question 9hardmultiple choice
Full question →

Refer to the exhibit. You are analyzing a KQL query used in a custom detection rule in Microsoft Defender XDR. The rule is supposed to detect devices where a parent process launched more than 10 instances of PowerShell or cmd.exe in the last 7 days. However, the query returns no results even though you know such activity exists. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| extend ParentPID = InitiatingProcessParentFileName
| summarize Count = count() by DeviceName, InitiatingProcessFileName
| where Count > 10
```
Question 10mediummultiple choice
Full question →

Refer to the exhibit. You have created a scheduled analytics rule in Microsoft Sentinel as shown. The rule is not generating any incidents, even though you know Copilot for Microsoft 365 is accessing sensitive files. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Sensitive Data Access Alert",
    "severity": "Medium",
    "query": "OfficeActivity | where Operation == 'FileAccessed' and UserAgent contains 'Microsoft.Copilot' | project TimeGenerated, UserId, FileName",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5
  }
}
```
Question 11hardmultiple choice
Full question →

Refer to the exhibit. A security administrator runs this PowerShell script. What is the effect?

Exhibit

Refer to the exhibit.

```powershell
$params = @{
    ResourceGroupName = "SOC-RG"
    WorkspaceName = "sentinel-workspace"
    Name = "DailySummaryReport"
    Enabled = $true
    Description = "Generates daily incident summary"
    DisplayName = "Daily Summary"
    LogicAppResourceId = "/subscriptions/.../resourceGroups/SOC-RG/providers/Microsoft.Logic/workflows/DailySummary"
    TriggerConditions = @(
        @{
            Property = "Microsoft.Security.Incident"
            Condition = "Equals"
            Value = "Medium"
        }
    )
}
New-AzSentinelAutomationRule @params
```
Question 12mediummultiple choice
Full question →

Refer to the exhibit. You have a KQL query in a Microsoft Sentinel analytics rule. The rule is not generating incidents even though there are 'Suspicious sign-in' alerts from non-contoso.com users. What is the most likely issue?

Exhibit

Refer to the exhibit.

```kusto
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertName == "Suspicious sign-in"
| extend UserPrincipalName = tostring(Entities[0].AccountUpn)
| where UserPrincipalName !endswith "@contoso.com"
| project TimeGenerated, AlertName, UserPrincipalName
```
Question 13hardmultiple choice
Full question →

Refer to the exhibit. An automation rule in Microsoft Sentinel is configured as shown. When a high-severity incident is created, what is the expected behavior?

Exhibit

{
  "properties": {
    "displayName": "SOC Automation Rules",
    "rules": [
      {
        "name": "High Severity Incidents",
        "description": "Assign incidents with severity High to tier1 group and run a playbook.",
        "actions": [
          { "order": 1, "actionType": "AddIncidentTask", "taskName": "Notify SOC Lead" },
          { "order": 2, "actionType": "RunPlaybook", "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/NotifySOC" },
          { "order": 3, "actionType": "ModifyIncident", "status": "Active", "owner": "SOC-Tier1@contoso.com" }
        ]
      }
    ]
  }
}
Question 14hardmultiple choice
Full question →

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. The rule does not trigger as expected for newly created incidents with High severity. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "SOC Automation",
    "description": "Playbook for automated incident response",
    "state": "Enabled",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/Incident",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          },
          {
            "property": "Status",
            "operator": "Equals",
            "value": "New"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "/subscriptions/sub-123/resourceGroups/rg-sentinel/providers/Microsoft.Logic/workflows/playbook-assign-incident"
      }
    ]
  }
}
```
Question 15hardmultiple choice
Full question →

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel. The rule is enabled but does not assign incidents. What is the most likely issue?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Incident Response Workflow",
    "description": "Automates incident response",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/Incident",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "Medium"
          },
          {
            "property": "Owner",
            "operator": "Equals",
            "value": "Unassigned"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "AssignIncident",
        "assignedTo": "soc-team@contoso.com"
      }
    ]
  }
}
```

These SC-200 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-200 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.