SC-200 · topic practice

Mitigate threats using Microsoft Defender XDR practice questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Mitigate threats using Microsoft Defender XDR

What the exam tests

What to know about Mitigate threats using Microsoft Defender XDR

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

  • Threat actor types and motivations (APT, script kiddie, insider, nation-state).
  • Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.
  • Vulnerability scanning vs penetration testing vs risk assessment.
  • Mitigation strategies mapped to specific attack types.

Watch out for

Common Mitigate threats using Microsoft Defender XDR exam traps

  • Social engineering targets people, not systems — the attack vector matters.
  • A vulnerability scanner finds weaknesses; it does not exploit them.
  • Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • Zero-day vulnerabilities have no patch available at the time of discovery.

Practice set

Mitigate threats using Microsoft Defender XDR questions

20 questions · select your answer, then reveal the explanation

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

Question 2 · medium · multiple choice

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

Question 5 · easy · multiple choice

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user's device was compromised. The analyst wants to determine if the attacker attempted to access sensitive files stored in SharePoint Online from that device. Which advanced hunting table should the analyst query to find file access events from cloud apps?

A security analyst is reviewing an incident in Microsoft 365 Defender where malware was detected on multiple endpoints. The analyst wants to see a visual representation of the attack progression, including the initial entry point and all affected devices. Which feature in the Microsoft 365 Defender portal should the analyst use?

A global enterprise uses Microsoft 365 Defender across multiple tenants. During an incident, a security analyst needs to search for a specific file hash indicator of compromise (IOC) across all mailboxes and endpoints in all tenants from a single interface. Which feature allows the analyst to run a query across multiple tenants without switching contexts?

Question 10 · easy · multiple choice

A security analyst is investigating an incident in Microsoft 365 Defender where a device is detected as infected with a trojan. The analyst wants to use automated investigation to contain the threat. Which action can be automatically taken on the affected device as part of a standard AIR playbook for endpoint detection and response?

An organization uses Microsoft 365 Defender. A security analyst is reviewing an incident that involves a user who clicked a phishing link in an email. The analyst wants to see the email's full timeline, including delivery, click, and any follow-up actions. Which section of the email entity page provides this information?

A security analyst in Microsoft 365 Defender uses advanced hunting to detect possible credential theft. They want to find instances where a user signed in from an IP address that is not in their organization's known IP range. Which table should they query to get sign-in location and IP address?

A security analyst in Microsoft 365 Defender is investigating an incident that involves multiple devices. The analyst wants to see a visual representation of the attack, showing how the attacker moved from one device to another. Which feature provides this view?

A security analyst is investigating a phishing incident in Microsoft 365 Defender. They need to view the original email's sender, delivery action, and any automated remediation steps taken. Which entity page should the analyst open?

A security analyst is using advanced hunting in Microsoft 365 Defender to detect lateral movement. The analyst wants to find all devices where a specific user account had an interactive logon, and then identify which of those devices subsequently initiated outbound Remote Desktop Protocol (RDP) connections to other internal IP addresses. Which KQL approach is most efficient for this investigation?

An organization uses Microsoft Defender for Office 365. The security team wants to automatically remove from all user mailboxes any messages that were already delivered but are later identified as malicious. Which feature should they enable?

A security analyst is investigating an incident in Microsoft 365 Defender that involves a user who clicked a phishing link. The analyst wants to find all processes executed on the user's device immediately after the email was opened. Which advanced hunting table should the analyst query to obtain process creation events with timestamps relative to the email event?

A security analyst is investigating a suspected lateral movement attack in Microsoft 365 Defender. The analyst wants to identify all devices where a specific user account (user@contoso.com) had an interactive logon, and then check which of those devices subsequently made outbound RDP connections to other internal IP addresses. Which KQL query approach is most efficient to find this chain?

A security analyst is reviewing an email-related incident in Microsoft 365 Defender. The analyst wants to see the full delivery details, including the sender IP, authentication status, and the reason why the email was determined to be malicious. Which section of the email entity page should the analyst open?

A security analyst is hunting for a targeted phishing attack in Microsoft 365 Defender. They have identified a phishing email delivered to a user and want to find all devices where the user clicked the link in the email, and any processes that were spawned from the browser on those devices. Which advanced hunting strategy is most effective to correlate the email, network, and process data?


Frequently asked questions

What does the SC-200 exam test about Mitigate threats using Microsoft Defender XDR?
Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Mitigate threats using Microsoft Defender XDR questions in a focused session?
Yes — the session launcher on this page draws every question from the Mitigate threats using Microsoft Defender XDR domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.