
Manage a security operations environment practice questions

Practise Microsoft Security Operations Analyst SC-200 Manage a security operations environment practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Manage a security operations environment

What the exam tests

What to know about Manage a security operations environment

Manage a security operations environment questions test whether you can apply the concept in context, not just recognise a definition. In particular:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Manage a security operations environment exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Manage a security operations environment questions

20 questions · select your answer, then reveal the explanation

Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?

Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?

Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?

Your company uses Microsoft Defender for Cloud to monitor multi-cloud resources. You want to ensure that all critical security recommendations are automatically assigned to the appropriate team leads based on the resource's tags. Which feature should you configure?

Your organization uses Microsoft Sentinel and has deployed the Microsoft Sentinel Solution for Microsoft Defender XDR. You need to correlate alerts from Microsoft Defender for Endpoint with Microsoft Defender for Office 365 in a single incident. What is the recommended approach?

Your SOC uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You need to configure a policy that triggers when a user downloads a large number of files from SharePoint Online within a short period. Which policy type should you use?

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Which THREE components are required to ingest Microsoft Entra ID (Azure AD) audit logs into Microsoft Sentinel?

Which TWO capabilities are provided by Microsoft Copilot for Security within the Microsoft Sentinel experience?

Question 13 · hard · multiple choice

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule created via ARM template. You notice that the rule is not triggering the playbook when a high-severity incident is created. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "High Severity Incident Response",
    "order": 1,
    "triggers": [
      {
        "properties": {
          "condition": "incident.severity == 'High'"
        },
        "triggerType": "IncidentCreated"
      }
    ],
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "properties": {
          "logicAppResourceId": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Logic/workflows/playbook-high"
        }
      }
    ]
  }
}
```

Refer to the exhibit. You are a security analyst reviewing a KQL query in Microsoft Sentinel. The query is intended to show the count of high-severity malware alerts in the last 24 hours. However, the query returns results only for alerts with exact severity string 'High', but you also need to include 'Informational' severity alerts that are related to malware. What should you modify?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity == "High"
| where AlertName contains "malware"
| summarize Count = count() by AlertName, AlertSeverity
| order by Count desc
```

Refer to the exhibit. You are running a PowerShell script to enable the Anomalies setting in Microsoft Sentinel. After running the script, you check the Sentinel settings in the portal and see that Anomalies is still disabled. What is the most likely reason?

Exhibit

```powershell
Connect-AzAccount
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-sentinel" -Name "la-sentinel-prod"
Set-AzSentinelSetting -Workspace $workspace -SettingName "Anomalies" -Enabled $true
```

Your organization has deployed Microsoft Sentinel and configured a workspace with data connectors for Microsoft 365 Defender, Azure Activity, and Office 365. You need to ensure that security incidents are automatically assigned to the appropriate analyst based on the incident type. What should you configure?

Your company uses Microsoft Defender for Cloud to assess the security posture of hybrid workloads. You are configuring a governance rule to automatically remediate a specific recommendation that is out of compliance. The recommendation is 'Virtual machines should be migrated to new Azure Resource Manager resources'. You need to ensure that the remediation is applied at scale across all subscriptions in the management group. What should you do?

As a security operations analyst, you receive an alert from Microsoft Defender for Identity about a suspicious Kerberos activity. You need to investigate the alert and determine if it is a true positive. What should you use to pivot from the alert to the related user and device timeline?

Your organization uses Microsoft Defender for Endpoint and has enabled the 'Block at First Sight' feature. You notice that some legitimate executables are being blocked incorrectly. You need to temporarily allow these files while you submit them for analysis. What should you do?

Your SOC team uses Microsoft Sentinel to manage incidents. You want to improve the efficiency of incident triage by automatically enriching incidents with threat intelligence data from Microsoft Threat Intelligence. What should you configure?


Frequently asked questions

What does the SC-200 exam test about Manage a security operations environment?
Manage a security operations environment questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Manage a security operations environment questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage a security operations environment domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.