SC-200 · topic practice

Mitigate Threats Using Microsoft Sentinel practice questions

Use this page to practise the SC-200 Mitigate Threats Using Microsoft Sentinel domain. The goal is not to memorise dumps, but to understand each concept, review the explanation and improve your exam readiness.

20 questions · Domain: Mitigate Threats Using Microsoft Sentinel

What the exam tests

What to know about Mitigate Threats Using Microsoft Sentinel

Mitigate Threats Using Microsoft Sentinel questions test whether you can apply the concept in context, not just recognise a definition. The set on this page checks:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Practice set

Mitigate Threats Using Microsoft Sentinel questions

20 questions · select your answer, then reveal the explanation

Question 1 · hard · multi select

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

Question 2 · medium · multiple choice

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

Question 3 · medium · multiple choice

A security analyst in Microsoft Defender for Cloud receives an alert that an Azure VM has a vulnerability with a high severity. The analyst wants to see the detailed finding, including the steps to remediate. Which blade or page should the analyst open?

Question 4 · medium · multiple choice

A company uses Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The security team wants to receive security alerts about suspicious activities within the cluster, such as a container running with root privileges or attempts to read sensitive host paths. Which Defender for Cloud plan must be enabled to generate these alerts?

Question 5 · hard · multiple choice

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.
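Added here as a worked example (it is not part of this page's question set and is not Microsoft code): a small model of the two mechanics that Question 5 and Question 1 turn on. A scheduled analytics rule runs a query every `frequency` over the last `lookback` of data and raises an alert when failed sign-ins for a user cross a threshold; alert grouping then folds repeated alerts for the same user inside a grouping window into one incident rather than one incident per run. The sign-in records are constructed, the field names mirror Sentinel's SigninLogs table (UserPrincipalName, ResultType, IPAddress), ResultType 50126 is Microsoft Entra ID's "invalid username or password" code, the IP addresses are documentation ranges, and the threshold and windows are illustrative, not recommended values. The grouping logic is a simplification of Sentinel's incident settings, used only to show the effect.

```python
"""Model of a Sentinel scheduled analytics rule plus alert grouping.

Constructed example: the events below are made up, and the rule and grouping
parameters are illustrative. This is not Sentinel's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Entra ID sign-in error code for a wrong password (used as the failure signal).
FAILED_PASSWORD = "50126"


@dataclass(frozen=True)
class SignIn:            # one SigninLogs row, trimmed to the fields the rule needs
    time: datetime
    upn: str             # UserPrincipalName
    result_type: str     # ResultType ("0" = success)
    ip: str              # IPAddress


@dataclass
class Alert:
    time: datetime       # time of the rule run that produced the alert
    upn: str
    failures: int
    ips: frozenset


@dataclass
class Incident:
    upn: str
    first_seen: datetime
    last_seen: datetime
    alerts: list = field(default_factory=list)


def run_query(events, window_end, lookback, threshold):
    """One execution of the scheduled rule: count failures per UPN inside
    (window_end - lookback, window_end] and alert on every user at or over threshold."""
    window_start = window_end - lookback
    fails = defaultdict(list)
    for e in events:
        if window_start < e.time <= window_end and e.result_type == FAILED_PASSWORD:
            fails[e.upn].append(e)
    return [Alert(window_end, upn, len(es), frozenset(e.ip for e in es))
            for upn, es in sorted(fails.items()) if len(es) >= threshold]


def schedule(events, start, end, frequency, lookback, threshold):
    """Run the rule every `frequency` from start to end, as the scheduler would.
    A lookback longer than the frequency means consecutive runs overlap, so the
    same burst of failures can be alerted on more than once."""
    alerts, t = [], start
    while t <= end:
        alerts.extend(run_query(events, t, lookback, threshold))
        t += frequency
    return alerts


def group_into_incidents(alerts, grouping_window):
    """Fold alerts for the same UPN into one incident while they arrive within
    grouping_window of that incident's first alert (simplified alert grouping).
    grouping_window=timedelta(0) gives the default: one incident per alert."""
    incidents, open_by_upn = [], {}
    for a in alerts:
        inc = open_by_upn.get(a.upn)
        if inc is None or a.time - inc.first_seen > grouping_window:
            inc = Incident(a.upn, a.time, a.time)
            incidents.append(inc)
            open_by_upn[a.upn] = inc
        inc.alerts.append(a)
        inc.last_seen = a.time
    return incidents


# Constructed sign-in data: a password-spray against alice, two typos from bob.
BASE = datetime(2024, 5, 1, 9, 0)
EVENTS = (
    [SignIn(BASE + timedelta(minutes=m), "alice@contoso.com", FAILED_PASSWORD, "203.0.113.5")
     for m in range(8)]                                   # 09:00 .. 09:07
    + [SignIn(BASE + timedelta(minutes=m), "bob@contoso.com", FAILED_PASSWORD, "198.51.100.7")
       for m in (2, 3)]
    + [SignIn(BASE + timedelta(minutes=20), "alice@contoso.com", "0", "203.0.113.5")]
)
START, END = BASE + timedelta(minutes=5), BASE + timedelta(minutes=30)


def demo():
    """Rule: run every 5 min, look back 10 min, alert at 5+ failures per user."""
    alerts = schedule(EVENTS, START, END, timedelta(minutes=5), timedelta(minutes=10), 5)
    return {
        "alerts": [(a.upn, a.failures) for a in alerts],
        "incidents_ungrouped": len(group_into_incidents(alerts, timedelta(0))),
        "incidents_grouped": len(group_into_incidents(alerts, timedelta(minutes=30))),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two runs at 09:05 and 09:10 both see alice's burst because the 10-minute lookback overlaps the 5-minute frequency, so the rule emits two alerts for one attack; with no grouping that is two incidents, with a grouping window keyed on the user it is one. That is the shape of the duplicate-incident problem in Question 1, and the knobs that fix it live in the rule's incident settings rather than in the query.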

Question 6 · easy · multiple choice

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

Question 7 · medium · multiple choice

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Question 8 · medium · multiple choice

A security analyst receives an alert in Microsoft Defender for Cloud about a suspicious process on an Azure VM. The alert indicates a potential credential dumping tool. The analyst needs to see the full command line and parent process of the suspicious process. Which Defender for Cloud feature should the analyst use?

Question 9 · hard · multiple choice

A company has multiple Azure subscriptions managed by Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to ensure that all Azure SQL Servers have Advanced Data Security (ADS) enabled, including Vulnerability Assessment. They decide to use Azure Policy to enforce this at scale. Which built-in policy initiative should they assign to achieve this?

Question 10 · medium · multi select

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Question 11 · hard · multiple choice

A company has multiple Azure subscriptions under a management group. They want to ensure that all VMs across all subscriptions have Microsoft Defender for Cloud's vulnerability assessment solution (using the Microsoft Defender Vulnerability Management engine) enabled. They also want to automatically remediate any non-compliant VMs by enabling the VA solution when a VM is missing it. Which combination of policy initiatives and automation should they use?

Question 12 · medium · multiple choice

A company has Azure virtual machines running Windows Server. The security team wants to use Microsoft Defender for Cloud's vulnerability assessment solution to identify missing security updates. Which of the following is required to enable built-in vulnerability assessment for VMs?

Question 13 · medium · multiple choice

A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?

Question 14 · medium · multiple choice

A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?

Question 15 · easy · multiple choice

A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?

Question 16 · easy · multiple choice

A company wants to enable vulnerability scanning for Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. What is the first step?

Question 17 · medium · multiple choice

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team receives an alert indicating that a VM is communicating with a known malicious IP address. Which Defender for Cloud feature can be used to automatically block outbound traffic to that IP address by adjusting the network security group (NSG)?

Question 18 · medium · multiple choice

A cloud security administrator needs to ensure that all Azure virtual machines have the Microsoft Defender for Cloud agent (Log Analytics agent) installed automatically when they are provisioned. Which configuration should be set in Microsoft Defender for Cloud?

Question 19 · easy · multiple choice

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team wants to identify which VMs have missing system updates such as critical security patches. Which Defender for Cloud feature should they use?

Question 20 · easy · multiple choice

A security administrator in Microsoft Defender for Cloud notices that the Secure Score is lower than expected. Which action would most effectively improve the Secure Score by reducing the attack surface?

Watch out for

Common Mitigate Threats Using Microsoft Sentinel exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Focused Mitigate Threats Using Microsoft Sentinel sessions

Start a Mitigate Threats Using Microsoft Sentinel only practice session

Every question in these sessions is drawn from the Mitigate Threats Using Microsoft Sentinel domain — nothing else.

Related practice questions

Related SC-200 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SC-200 exam test about Mitigate Threats Using Microsoft Sentinel?
Mitigate Threats Using Microsoft Sentinel questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Mitigate Threats Using Microsoft Sentinel questions in a focused session?
Yes — the session launcher on this page draws every question from the Mitigate Threats Using Microsoft Sentinel domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.