Scenario-based practice

SC-200 Which Command Should the Administrator Use Practice Questions

Use this page to practise SC-200 "Which command should the administrator use" scenario questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

15 scenario questions | Exam code: SC-200 | Vendor: Microsoft

Scenario guide

How to approach which command should the administrator use practice questions

Practise command-choice questions where the task is to identify the correct verification, configuration or troubleshooting command.

Quick answer

"Which command should the administrator use" questions test whether you can apply the concept in context, not just recognise a definition. The guide covers:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (medium, multiple choice)

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Question 2 (medium, multiple choice)

A Defender for Cloud alert repeatedly fires for a known test VM used by the security team. The alert type is valid, but it should not create noise for that VM. What should the analyst configure?

Question 3 (easy, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. The team wants to automatically assign incidents to the appropriate analyst based on the severity level of the alert. Which feature should be configured to achieve this automation?

Question 4 (medium, multiple choice)

A security administrator wants to enforce Just-in-Time (JIT) VM access for all Azure virtual machines in a management group to reduce the attack surface. The administrator wants to automatically enable JIT on any new VM and remediate existing non-compliant VMs. What should the administrator configure in Microsoft Defender for Cloud?

Question 5 (hard, multiple choice)

A SOC analyst wants to create a watchlist in Microsoft Sentinel from a CSV file that contains IP addresses. The analyst needs to configure the watchlist so that it can be efficiently queried using IP address comparison operators (e.g., IP prefix matching). Which data type should be set for the key column?

Question 6 (medium, multiple choice)

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

Question 7 (medium, multiple choice)

A security administrator wants to ensure that all existing and future Azure virtual machines have Microsoft Defender for Cloud's built-in vulnerability assessment solution (Qualys or Microsoft) installed without manual intervention. Which feature should the administrator configure?

Question 8 (hard, multiple choice)

A security analyst is configuring a playbook in Microsoft Sentinel to run automatically when a new incident of severity 'High' is created. The playbook should only run for incidents that are not already assigned to an analyst. How can the analyst configure this automation?

Question 9 (medium, multiple choice)

A SOC team uses Microsoft Sentinel and wants to automate the response to high-severity incidents. When a new incident of severity 'High' is created, they need to send an email notification to the on-call analyst and assign the incident to that analyst. Which two components must be configured together to achieve this? (Choose the best answer.)

Question 10 (medium, multiple choice)

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

Question 11 (medium, multiple choice)

A SOC analyst wants to automate a response in Microsoft Sentinel: whenever an incident is created that contains a compromised user entity (e.g., a user whose credentials were used in a breach), a playbook should run to disable that user in Microsoft Entra ID. Which condition should be configured in the automation rule to trigger this playbook?

Question 12 (medium, multiple choice)

A SOC team uses Microsoft Sentinel. They need to correlate syslog events from on-premises firewalls with Microsoft Entra ID sign-in logs to detect VPN-based intrusions. The correlation requires joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Which type of analytics rule should the analyst configure?
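
The kind of query such a rule would run, added here as an illustration and not part of the original question set. It assumes the firewall writes the remote client address as `src=<ip>` in the syslog message and tags its VPN events with the process name `vpnd`; both are assumptions that must be adjusted to the real firewall format. Note that `Syslog.HostIP` is the address of the host that emitted the message, not the VPN client, which is why the client address is extracted from the message text.

```kusto
// Added example: correlate firewall syslog with Entra ID sign-ins on source IP.
// Meant for a Scheduled analytics rule set to run every 10 minutes with a
// 10-minute lookback. Entity mapping in the rule: Account -> UserPrincipalName,
// IP -> IPAddress, Host -> Computer.
let lookback = 10m;
let vpnSessions =
    Syslog
    | where TimeGenerated > ago(lookback)
    | where ProcessName =~ "vpnd"                   // assumption: firewall VPN daemon name
    // assumption: message carries the client address as "src=a.b.c.d"
    | extend SrcIp = extract(@"src=(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
    | where isnotempty(SrcIp)
    | project VpnTime = TimeGenerated, Computer, SrcIp, SyslogMessage;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                           // successful sign-ins only (ResultType is a string)
| project SigninTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location
| join kind=inner vpnSessions on $left.IPAddress == $right.SrcIp
| where abs(datetime_diff('second', SigninTime, VpnTime)) <= 600   // both events inside the same 10-minute window
| summarize Signins = count(),
            Apps = make_set(AppDisplayName),
            FirstSeen = min(SigninTime),
            LastSeen = max(SigninTime)
    by UserPrincipalName, IPAddress, Computer
| extend Description = strcat("Entra ID sign-in from VPN source ", IPAddress,
                              " first seen on firewall ", Computer)
```

In the rule wizard the "Run query every" and "Lookup data from the last" settings should both be 10 minutes; the `ago(lookback)` filters inside the query are then redundant but harmless and keep the query testable in the Logs blade before it is saved as a rule.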

Question 13 (medium, multiple choice)

A SOC team wants to automate response to incidents detected by Microsoft Sentinel. When a new incident is created with severity "High" and contains a specific tag "malware", they want to run a playbook that isolates the affected device. What is the correct way to configure this automation?

Question 14 (hard, multiple choice)

A SOC team uses Microsoft Sentinel. They receive a large volume of low-severity incidents from a specific analytics rule that causes alert fatigue. They want to automatically close incidents that match certain criteria (e.g., originating from a known test IP). Which feature should they configure?

Question 15 (easy, multiple choice)

An organization has connected a Palo Alto Networks firewall to Microsoft Sentinel using the Common Event Format (CEF) connector via a Linux log forwarder. The analyst notices that some expected firewall logs are missing in Sentinel. Which troubleshooting step should be performed first to check if the logs are reaching the Sentinel workspace?
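
Queries a practitioner would run for this kind of check, added here as an illustration and not part of the original question set. CEF events forwarded through a Linux log forwarder land in the CommonSecurityLog table, and the Computer column holds the forwarder, not the firewall. The forwarder hostname used below is an assumption.

```kusto
// Added example, step 1: are any Palo Alto CEF events arriving at all, and when
// was the last one seen? DeviceVendor for PAN-OS is "Palo Alto Networks".
CommonSecurityLog
| where TimeGenerated > ago(1h)
| where DeviceVendor =~ "Palo Alto Networks"
| summarize Events = count(),
            LastSeen = max(TimeGenerated),
            Activities = make_set(Activity, 10)      // sample of log types (THREAT, TRAFFIC, ...)
    by Computer, DeviceProduct, DeviceVersion
| order by LastSeen desc

// Step 2 (run separately if step 1 returns nothing): is the forwarder's agent
// still reporting? A stale heartbeat points at the forwarder, not at Sentinel.
Heartbeat
| where TimeGenerated > ago(1h)
| where Computer =~ "cef-forwarder-01"              // assumption: forwarder hostname
| summarize LastHeartbeat = max(TimeGenerated),
            AgentVersion = take_any(Version)
    by Computer, OSType
```

If step 1 shows events but only some log types are missing, the gap is on the firewall side (log forwarding profile or syslog server profile); if step 1 is empty and step 2 shows a recent heartbeat, the problem is between the firewall and the forwarder, for example the listening port or a parsing failure on the forwarder.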

These SC-200 practice questions are part of Courseiva's free Microsoft certification practice question bank. Courseiva provides original exam-style SC-200 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.