SC-200 · topic practice

Mitigate threats using Microsoft Sentinel practice questions

Use this page to practise threats, attacks and vulnerabilities questions. CompTIA Security+ is scenario-heavy here — you must identify not just the attack type but the most appropriate response.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Mitigate threats using Microsoft Sentinel

What the exam tests

What to know about Mitigate threats using Microsoft Sentinel

Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.

Threat actor types and motivations (APT, script kiddie, insider, nation-state).

Attack techniques: phishing, social engineering, ransomware, SQL injection, XSS.

Vulnerability scanning vs penetration testing vs risk assessment.

Mitigation strategies mapped to specific attack types.

Watch out for

Common Mitigate threats using Microsoft Sentinel exam traps

  • Social engineering targets people, not systems — the attack vector matters.
  • A vulnerability scanner finds weaknesses; it does not exploit them.
  • Phishing is email-based; vishing is voice-based; smishing is SMS-based.
  • Zero-day vulnerabilities have no patch available at the time of discovery.

Practice set

Mitigate threats using Microsoft Sentinel questions

20 questions · select your answer, then reveal the explanation

A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?

Question 2mediummultiple choice
Read the full Ansible explanation →

A security analyst wants to configure a playbook in Microsoft Sentinel that runs automatically when a specific alert is generated. Which trigger concept is used to invoke the playbook?

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?

Question 5hardmultiple choice
Read the full NAT/PAT explanation →

A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

A security operations center (SOC) uses Microsoft Sentinel. The team wants to automatically assign incidents to the appropriate analyst based on the severity level of the alert. Which feature should be configured to achieve this automation?

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect a possible password spray attack. The rule must trigger when a single source IP address has more than 10 failed logon attempts on different user accounts within a 30-minute window. The analyst writes a KQL query starting with 'SigninLogs | where ResultType == 50057' (failed logon). Which operator should the analyst use to group events by source IP and count distinct user accounts, then filter for counts above 10?

Question 9mediummultiple choice
Read the full VPN explanation →

A SOC team uses Microsoft Sentinel. They need to correlate syslog events from on-premises firewalls with Microsoft Entra ID sign-in logs to detect VPN-based intrusions. The correlation requires joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Which type of analytics rule should the analyst configure?

Question 10mediummultiple choice
Read the full Ansible explanation →

A security analyst is configuring a Microsoft Sentinel playbook to automate the response to phishing incidents. When an incident is created based on a phishing analytics rule, the playbook needs to execute an action in Microsoft 365 Defender, such as blocking the sender email address. Which connector should the analyst add to the playbook to interact with Microsoft 365 Defender?

A security analyst in Microsoft Sentinel wants to create a custom analytics rule that triggers when more than 10 failed logon attempts from a single source IP address occur within 5 minutes. The analyst writes a KQL query to aggregate sign-in logs. Which KQL operator should the analyst use to group events by source IP and count each failure?

Question 12hardmultiple choice
Read the full NAT/PAT explanation →

A SOC team uses Microsoft Sentinel. They receive a large volume of low-severity incidents from a specific analytics rule that causes alert fatigue. They want to automatically close incidents that match certain criteria (e.g., originating from a known test IP). Which feature should they configure?

Question 13hardmultiple choice
Read the full Ansible explanation →

A security analyst is configuring a playbook in Microsoft Sentinel to run automatically when a new incident of severity 'High' is created. The playbook should only run for incidents that are not already assigned to an analyst. How can the analyst configure this automation?

A SOC team uses Microsoft Sentinel and wants to automate the response to high-severity incidents. When a new incident of severity 'High' is created, they need to send an email notification to the on-call analyst and assign the incident to that analyst. Which two components must be configured together to achieve this? (Choose the best answer.)

A security analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect multiple failed logon attempts from the same source IP address. The rule should generate an incident only when the count of failed logons exceeds 10 within a 5-minute window. Which configuration setting is essential to limit the incident generation to this threshold?

Question 16mediummultiple choice
Read the full network assurance explanation →

A SOC analyst needs to ingest firewall logs from an on-premises Cisco ASA into Microsoft Sentinel. The logs are sent via syslog to a Linux server. Which data connector should the analyst use to properly parse and collect these logs?

Question 17hardmultiple choice
Read the full Ansible explanation →

A security analyst is configuring a Microsoft Sentinel playbook to automatically respond to phishing incidents. The playbook should only run when an incident of severity 'High' is created and the incident is not already assigned to a user. Which automation rule condition and trigger configuration should the analyst use?

Question 18hardmulti select
Read the full Ansible explanation →

A SOC analyst in Microsoft Sentinel needs to create an automation rule that triggers a playbook when a new incident is created and the incident severity is 'High'. Additionally, the playbook should only run if the incident is not already assigned to an analyst. Which two conditions must the analyst include in the automation rule? (Select all that apply.) (Choose 2.)

A SOC team uses Microsoft Sentinel and needs to ingest custom logs from an on-premises Linux server that writes events to a local text file. The team installs the Azure Monitor Agent (AMA) on the Linux server. Which configuration step is required in Sentinel to collect the custom log file?

A security analyst in Microsoft Sentinel wants to create a scheduled analytics rule to detect repeated failed HTTP requests to an Azure Application Gateway, indicating a possible brute force attack. Which Azure Monitor table should the analyst query to capture the access and error logs from the Application Gateway?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Mitigate threats using Microsoft Sentinel sessions

Start a Mitigate threats using Microsoft Sentinel only practice session

Every question in these sessions is drawn from the Mitigate threats using Microsoft Sentinel domain — nothing else.

Related practice questions

Related SC-200 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SC-200 exam test about Mitigate threats using Microsoft Sentinel?
Threats, attacks and vulnerabilities questions test whether you can identify attack types, threat actor motivations and the correct mitigation for a given scenario.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Mitigate threats using Microsoft Sentinel questions in a focused session?
Yes — the session launcher on this page draws every question from the Mitigate threats using Microsoft Sentinel domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.