
Scenario-based practice

Troubleshooting Scenario Questions

Practise with original Microsoft Security Operations Analyst SC-200 exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions
Exam code: SC-200
Vendor: Microsoft

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a symptom (missing log data, an alert, a suspicious pattern in telemetry) and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure: confirm the symptom, isolate the layer where it occurs, check the data source or configuration at that layer, then verify the fix.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. Each scenario on this page is written to show:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice set

Practice scenarios

Question 1 (easy, multiple choice)

An organization has connected a Palo Alto Networks firewall to Microsoft Sentinel using the Common Event Format (CEF) connector via a Linux log forwarder. The analyst notices that some expected firewall logs are missing in Sentinel. Which troubleshooting step should be performed first to check if the logs are reaching the Sentinel workspace?

Question 2 (hard, multiple choice)

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?
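One way to express the detection described in Question 2, as an added example that is not the page's answer key and not taken from Microsoft documentation. It assumes the DeviceLogonEvents schema in Microsoft 365 Defender advanced hunting (AccountName, ActionType, LogonType, DeviceId). DeviceLogonEvents stores AccountName and AccountDomain rather than a UPN, so the UPN user@contoso.com is split and only the name part is matched; the 7-day lookback and the assumption that the account's AccountName equals the UPN prefix are mine.

```kql
// Added example: successful interactive/RDP logons for one account that touch
// more than 5 distinct devices inside a 10-minute bucket.
// Assumption: the account's AccountName equals the UPN prefix ("user").
let suspect = "user@contoso.com";
let suspectName = tostring(split(suspect, "@")[0]);
DeviceLogonEvents
| where Timestamp > ago(7d)                                // assumed lookback
| where ActionType == "LogonSuccess"
| where LogonType in ("Interactive", "RemoteInteractive")  // RemoteInteractive = RDP
| where AccountName =~ suspectName
// bin() gives fixed 10-minute buckets, not a sliding window: a burst that
// straddles a bucket boundary is split across two rows and can fall under the threshold.
| summarize DeviceCount = dcount(DeviceId),
            Devices = make_set(DeviceName),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
          by Window = bin(Timestamp, 10m)
| where DeviceCount > 5
| order by Window asc
```

The bucket-boundary caveat is the detail an exam option can hinge on: a query that uses `bin(Timestamp, 10m)` answers "more than 5 devices in the same 10-minute bucket", which is close to but not identical to "within any 10-minute window". A true sliding window needs a self-join on AccountName with a time-range condition on Timestamp, at noticeably higher query cost.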

Question 3 (medium, drag order)

Order the steps to investigate a user account compromise using Microsoft Sentinel incidents.

Question 4 (easy, multiple choice)

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a ransomware incident. The analyst wants to find all processes that were created with a specific parent process ID. Which column in the DeviceProcessEvents table should the analyst use to filter the parent process?

Question 5 (hard, multi select)

An analyst writes an advanced hunting query to investigate a suspicious executable that initiated outbound connections. Which two Microsoft 365 Defender tables are most relevant? (Choose 2.)

Question 6 (easy, multiple choice)

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

Question 7 (easy, multiple choice)

A security analyst is using advanced hunting in Microsoft 365 Defender to investigate a potential brute-force attack against an on-premises Exchange server. The analyst wants to find authentication failures from a specific IP address. Which table should the analyst query?

Question 8 (medium, multiple choice)

A security analyst in Microsoft 365 Defender is using advanced hunting to investigate a suspected data exfiltration. The analyst wants to find all outbound network connections from a specific device that occurred in the last hour, ordered by timestamp. Which table and KQL query should the analyst use?

Question 9 (hard, multiple choice)

A security analyst is using Microsoft 365 Defender advanced hunting to investigate potential lateral movement. The analyst has identified a compromised device (DeviceA) and wants to find all other devices to which DeviceA initiated a remote desktop connection in the last 24 hours. Which table and query approach should the analyst use?
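A worked query for the outbound-connection investigations in Questions 8 and 9, added here as an example and not the page's answer key. It assumes the DeviceNetworkEvents schema (ActionType, RemotePort, LocalPort, RemoteIP, LocalIP, InitiatingProcess* columns) and the ActionType values ConnectionSuccess and InboundConnectionAccepted. The device name DeviceA and the 24-hour lookback come from the question; matching DeviceName exactly (rather than on a fully qualified name) and resolving target IPs through the target's own inbound events are my assumptions.

```kql
// Added example: RDP connections initiated from DeviceA in the last 24 hours,
// with the destination IP resolved to a device name where the target device
// is also onboarded and recorded the inbound side of the same connection.
let source = "DeviceA";   // assumed to match DeviceName exactly; use =~ "devicea.contoso.com" for FQDNs
let lookback = 24h;
// Outbound side (Question 9). For Question 8 drop the RemotePort filter, use ago(1h)
// and finish with "| order by Timestamp asc" instead of the summarize below.
let rdp_out = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where DeviceName =~ source
| where ActionType == "ConnectionSuccess" and RemotePort == 3389
| project Timestamp, LocalIP, RemoteIP, InitiatingProcessFileName, InitiatingProcessAccountName;
// Inbound side on the targets: one row per (target, target IP, source IP) so the
// join below does not multiply the outbound rows.
let rdp_in = DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "InboundConnectionAccepted" and LocalPort == 3389
| distinct TargetDevice = DeviceName, TargetIP = LocalIP, SourceIP = RemoteIP;
rdp_out
| join kind=leftouter rdp_in
    on $left.RemoteIP == $right.TargetIP and $left.LocalIP == $right.SourceIP
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Accounts = make_set(InitiatingProcessAccountName),
            Processes = make_set(InitiatingProcessFileName)
          by RemoteIP, TargetDevice
| order by FirstSeen asc
```

Two points to keep in mind when reading the result: a target that is not onboarded to Defender for Endpoint (or that has not reported yet) shows an empty TargetDevice because there is no inbound row to join, and an RDP connection on a non-standard port will be missed by the `RemotePort == 3389` filter, so a process-based pivot on `mstsc.exe` in InitiatingProcessFileName is a useful second pass.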

Question 10 (medium, multiple choice)

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst wants to find emails that were delivered to users (DeliveryAction != 'Blocked') and contained a specific malicious URL (e.g., 'https://malicious.com'). The EmailEvents table contains delivery information, and the EmailUrlInfo table contains URL details. Which KQL query correctly joins these two tables to find the desired emails?
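A worked join for the scenario in Question 10, added as an example rather than taken from the page or from Microsoft's documentation. It assumes the EmailEvents schema (NetworkMessageId, DeliveryAction, DeliveryLocation, RecipientEmailAddress, SenderFromAddress, Subject) and the EmailUrlInfo schema (NetworkMessageId, Url, UrlDomain); the URL https://malicious.com is the one named in the question, and the 7-day lookback and the domain match are my additions.

```kql
// Added example: delivered (not blocked) emails that carried a specific malicious URL.
// EmailEvents and EmailUrlInfo share NetworkMessageId, which is the join key;
// InternetMessageId exists only in EmailEvents and cannot be used here.
let badUrl = "https://malicious.com";
let badDomain = "malicious.com";
EmailUrlInfo
| where Timestamp > ago(7d)                              // assumed lookback
| where Url startswith badUrl or UrlDomain =~ badDomain  // catches paths under the domain too
// EmailUrlInfo has one row per URL per message; collapse to one row per message
// so that a message with several matching links is not counted several times.
| summarize MatchedUrls = make_set(Url) by NetworkMessageId
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(7d)
    | where DeliveryAction != "Blocked"
    | project Timestamp, NetworkMessageId, InternetMessageId,
              SenderFromAddress, RecipientEmailAddress, Subject,
              DeliveryAction, DeliveryLocation
  ) on NetworkMessageId
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Subject,
          MatchedUrls, DeliveryAction, DeliveryLocation
| order by Timestamp desc
```

The common wrong options in this kind of question join on InternetMessageId (not present in EmailUrlInfo), join on Subject, or filter `DeliveryAction == "Delivered"` and so silently drop messages delivered to junk or quarantine that users can still reach; `!= "Blocked"` keeps those rows, and DeliveryLocation tells you where each copy landed.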

Question 11 (easy, multiple choice)

A security analyst uses Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst knows the Internet Message ID of a malicious email. Which table should the analyst query to find all users who received that specific email?

Question 12 (easy, multiple choice)

An organization uses Microsoft Defender for Office 365. The security team wants to automatically investigate and respond to user-reported phishing emails. Which feature should they enable to automate this process?

Question 13 (easy, multiple choice)

A security analyst receives an alert in Microsoft Defender for Cloud that an Azure virtual machine is running a process with a known indicator of compromise (IOC). The analyst wants to investigate the process details, including the command line and parent process. Which feature should the analyst use to gather this information from the VM?

Question 14 (easy, multiple choice)

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

Question 15 (easy, multiple choice)

As a security operations analyst, you receive an alert from Microsoft Defender for Identity about suspicious Kerberos activity. You need to investigate the alert and determine whether it is a true positive. What should you use to pivot from the alert to the related user and device timeline?

These SC-200 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-200 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.