SC-200 · topic practice

Perform threat hunting practice questions

Practise Perform threat hunting questions for the Microsoft Security Operations Analyst (SC-200) exam: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Perform threat hunting

What the exam tests

What to know about Perform threat hunting

Perform threat hunting questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Perform threat hunting exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Perform threat hunting questions

20 questions · select your answer, then reveal the explanation

A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?
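
An added example of the aggregation this scenario calls for (it is not part of the original question set): bytes are summed per source with summarize, and top orders the largest senders first. It assumes the network telemetry sits in CommonSecurityLog with SentBytes populated by the connector; the table and column names are the assumption to check first, and the ASIM _Im_NetworkSession parser is the usual substitute when the data comes from a different source.

```kql
// Added example: top internal sources by bytes sent to non-private destinations, last 7 days.
// Assumes network telemetry is in CommonSecurityLog (CEF connector) with SentBytes populated;
// swap in your own table/columns (e.g. the ASIM _Im_NetworkSession parser) if it is not.
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where isnotempty(SentBytes) and isnotempty(DestinationIP)
| where not(ipv4_is_private(DestinationIP))          // external destinations only
| summarize
    TotalBytesSent = sum(SentBytes),
    Sessions       = count(),
    Destinations   = dcount(DestinationIP),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
  by SourceIP
| top 10 by TotalBytesSent desc
| extend TotalGB = round(TotalBytesSent / 1024.0 / 1024.0 / 1024.0, 2)
```

To follow one suspect source over time, keep the same filters and change the summarize clause to `by SourceIP, bin(TimeGenerated, 1d)`; a single day that dwarfs the rest is the shape of a bulk transfer rather than steady background traffic.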

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?
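
Added example, not from the original page: pivoting on the file hash across the whole estate. The hash value is a placeholder to replace with the one observed during the hunt, and the query assumes Defender for Endpoint's DeviceProcessEvents table.

```kql
// Added example: every device that executed a given binary (matched on SHA256) in the last 24h.
// The hash below is a placeholder; replace it with the value observed during the hunt.
let SuspectSha256 = "<sha256-of-the-suspicious-binary>";
DeviceProcessEvents
| where Timestamp > ago(24h)
| where SHA256 =~ SuspectSha256                       // =~ makes the comparison case-insensitive
| summarize
    FirstRun   = min(Timestamp),
    LastRun    = max(Timestamp),
    Executions = count(),
    Users      = make_set(AccountName, 20),
    Paths      = make_set(FolderPath, 20),            // shows whether it always ran from a temp folder
    Parents    = make_set(InitiatingProcessFileName, 20)
  by DeviceId, DeviceName
| order by FirstRun asc                               // earliest host is the likely patient zero
```

A device that only received the file but has not run it yet will not appear here; the same `SHA256 =~` filter against DeviceFileEvents (ActionType FileCreated or FileModified) finds where the binary was written.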

During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that should be recorded as threat intelligence indicators. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?
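
Added example, not part of the original page: the externaldata call itself, followed by a check of which of the listed IPs are already active indicators in the workspace, so that only the missing ones are uploaded. The blob URL, SAS token and CSV layout are placeholders and assumptions; the query also assumes the legacy ThreatIntelligenceIndicator table (workspaces that have moved to the newer threat intelligence tables will need the column names adapted).

```kql
// Added example: pull a hunter-maintained IP list from Blob Storage with externaldata,
// then check which of those IPs are already active indicators in the workspace.
// The blob URL and SAS token are placeholders; the CSV is assumed to have a header row
// with the columns "IPAddress,Note".
let HuntList = externaldata (IPAddress: string, Note: string)
    [@"https://<storageaccount>.blob.core.windows.net/<container>/suspicious-ips.csv?<sas-token>"]
    with (format = "csv", ignoreFirstRecord = true);
let ExistingIocs =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)                    // indicator rows are re-ingested on update
    | summarize arg_max(TimeGenerated, *) by IndicatorId // keep the latest version of each indicator
    | where Active == true and ExpirationDateTime > now()
    | extend IocIp = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(IocIp)
    | project IocIp, IndicatorId, ConfidenceScore, ThreatType;
HuntList
| join kind=leftouter ExistingIocs on $left.IPAddress == $right.IocIp
| extend AlreadyAnIndicator = isnotempty(IndicatorId)
| project IPAddress, Note, AlreadyAnIndicator, ConfidenceScore, ThreatType
| order by AlreadyAnIndicator asc                       // rows still to be uploaded come first
```

Rows with AlreadyAnIndicator false are the ones to persist, either through the Threat Intelligence blade in Sentinel or the threat intelligence upload indicators API; externaldata on its own only reads the file at query time and persists nothing, which is why it cannot drive alerting by itself.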

A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?
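
Added example, not from the original page: the two-stage pattern this scenario needs, a per-user location baseline to decide what "unusual" means, then a join on the user (not on the timestamp) with a time-window filter to find the password reset that followed. It assumes the Entra ID SigninLogs and AuditLogs tables are connected and that LocationDetails.countryOrRegion is populated.

```kql
// Added example: a sign-in from a country the user has not used in the past 30 days,
// followed within 30 minutes by that same user resetting someone else's password.
// Assumes Entra ID sign-in and audit logs are connected (SigninLogs / AuditLogs).
let lookback = 30d;
let window   = 30m;
// Per-user baseline of countries seen in successful sign-ins before the hunt window.
let Baseline =
    SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | summarize KnownCountries = make_set(Country) by UserPrincipalName;
let NewLocationSignins =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | join kind=inner Baseline on UserPrincipalName      // users with no baseline are dropped here
    | where not(set_has_element(KnownCountries, Country))
    | project SigninTime = TimeGenerated, UserPrincipalName, SigninIp = IPAddress, Country, KnownCountries;
let PasswordResets =
    AuditLogs
    | where TimeGenerated > ago(1d)
    | where OperationName == "Reset user password"
    | extend Actor  = tostring(InitiatedBy.user.userPrincipalName)
    | extend Target = tostring(TargetResources[0].userPrincipalName)
    | where isnotempty(Actor) and tolower(Actor) != tolower(Target)   // resetting someone else
    | project ResetTime = TimeGenerated, UserPrincipalName = Actor, Target, Result;
NewLocationSignins
| join kind=inner PasswordResets on UserPrincipalName    // join on the entity, then filter on time
| where ResetTime between (SigninTime .. SigninTime + window)
| project SigninTime, ResetTime,
          MinutesBetween = datetime_diff("minute", ResetTime, SigninTime),
          UserPrincipalName, SigninIp, Country, Target, Result
| order by SigninTime desc
```

The join key matters: a join on a time column requires exact equality, so two events a few minutes apart never match; joining on the user and then filtering with between is what expresses "followed within N minutes".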

A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?

A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?
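
Added example, not from the original page: correlating an on-premises logon with a cloud sign-in. The part that usually breaks is the identity key, because SecurityEvent records DOMAIN\user while SigninLogs records a UPN, so both are normalised to a lowercase account name before the join. It assumes the Security Events connector populates SecurityEvent, that sAMAccountName matches the local part of the UPN, and that the privileged account list is maintained by the team (the two names below are constructed placeholders).

```kql
// Added example: a privileged logon on an on-prem server (Security event 4624) followed within
// 2 hours by a cloud sign-in of the same identity from an IP that identity has not used in 30 days.
// Assumes SecurityEvent and SigninLogs are in the workspace and that the on-prem sAMAccountName
// equals the local part of the UPN (adjust the normalisation if your naming differs).
let PrivilegedAccounts = dynamic(["da-admin", "svc-backup"]);   // constructed placeholder list
let ServerLogons =
    SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID == 4624 and LogonType in (2, 3, 10)      // interactive, network, RDP
    | extend SamName = tolower(tostring(split(Account, "\\")[1]))   // DOMAIN\user -> user
    | where SamName in (PrivilegedAccounts)
    | project LogonTime = TimeGenerated, Server = Computer, SamName, LogonType, SourceIp = IpAddress;
let CloudSignins =
    SigninLogs
    | where TimeGenerated > ago(1d) and ResultType == "0"
    | extend SamName = tolower(tostring(split(UserPrincipalName, "@")[0]))  // user@contoso.com -> user
    | where SamName in (PrivilegedAccounts)
    | project SigninTime = TimeGenerated, UserPrincipalName, SamName, CloudIp = IPAddress, AppDisplayName;
let KnownCloudIps =
    SigninLogs
    | where TimeGenerated between (ago(30d) .. ago(1d))
    | extend SamName = tolower(tostring(split(UserPrincipalName, "@")[0]))
    | summarize KnownIps = make_set(IPAddress, 500) by SamName;
ServerLogons
| join kind=inner CloudSignins on SamName                   // same identity, both sides
| where SigninTime between (LogonTime .. LogonTime + 2h)    // cloud sign-in after the server logon
| join kind=leftouter KnownCloudIps on SamName
| extend KnownIps = coalesce(KnownIps, dynamic([]))         // no history means every IP is new
| where not(set_has_element(KnownIps, CloudIp))
| project LogonTime, Server, SourceIp, LogonType, SigninTime, UserPrincipalName, CloudIp, AppDisplayName
| order by LogonTime desc
```

Running this from Sentinel rather than the Defender portal is deliberate: SecurityEvent is a Log Analytics table, so the on-premises side is only queryable where both data sets land in the same workspace.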

A threat hunter wants to proactively search for signs of ransomware activity in the environment using Microsoft Sentinel. Which data source is most likely to provide early indicators of ransomware, such as mass file renaming or encryption?
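
Added example, not part of the original page: what "mass renaming" looks like in file telemetry. One process touching many folders in a few minutes and converging many source extensions onto one or two new ones is the early footprint of an encryptor. It assumes Defender for Endpoint's DeviceFileEvents table (reachable from Sentinel through the Defender XDR connector); the thresholds are starting points to tune, not measured values.

```kql
// Added example: burst of file renames by one process on one device, many source extensions
// becoming one or two target extensions. Assumes DeviceFileEvents (Defender for Endpoint).
// Thresholds are illustrative starting points.
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType in ("FileRenamed", "FileModified", "FileCreated")
| where FolderPath !startswith @"C:\Windows\"                      // cut OS servicing noise
| extend NewExt = tolower(tostring(split(FileName, ".")[-1]))
| extend OldExt = tolower(tostring(split(PreviousFileName, ".")[-1]))
| summarize
    Events          = count(),
    Renames         = countif(ActionType == "FileRenamed"),
    DistinctFolders = dcount(FolderPath),
    DistinctOldExt  = dcountif(OldExt, ActionType == "FileRenamed"),  // many kinds of files...
    DistinctNewExt  = dcountif(NewExt, ActionType == "FileRenamed"),  // ...renamed to few extensions
    SampleFiles     = make_set(FileName, 5)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine,
     InitiatingProcessSHA256, bin(Timestamp, 5m)
| where Renames > 100 and DistinctFolders > 10
| where DistinctOldExt > 5 and DistinctNewExt <= 2
| order by Renames desc
```

Backup agents and archive tools produce bursts too, but they rarely rewrite the extension of every file they touch, which is what the DistinctOldExt/DistinctNewExt pair is there to separate.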

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple servers in the environment. The script connects to an external IP address and downloads a payload. The analyst wants to find all other servers that may have been compromised by the same script. What is the most efficient way to search for this across the environment?

A threat hunter is using Microsoft Sentinel to hunt for a potential advanced persistent threat (APT) that is using living-off-the-land binaries (LOLBins). The hunter creates a KQL query that lists all instances of certutil.exe making network connections. The query returns many legitimate results. What is the best way to reduce false positives while still detecting malicious use?
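
Added example, not from the original page: three cuts that remove most benign certutil noise without dropping the abuse cases. Only the switches used for download and decode are kept, only connections to non-private addresses count, and any (device, command line) pair already seen during a 30-day baseline is subtracted with a leftanti join. It assumes DeviceProcessEvents and DeviceNetworkEvents from Defender for Endpoint.

```kql
// Added example: certutil.exe with download/decode switches reaching a non-private address,
// minus (device, command line) pairs already seen in the prior 30 days.
// Assumes DeviceProcessEvents/DeviceNetworkEvents (Defender for Endpoint) are available.
let suspiciousSwitches = dynamic(["-urlcache", "-decode", "-encode", "-verifyctl"]);
// What certutil normally does on each device, from the baseline period.
let Baseline =
    DeviceProcessEvents
    | where Timestamp between (ago(30d) .. ago(1d))
    | where FileName =~ "certutil.exe"
    | summarize by DeviceName, NormalizedCmd = tolower(ProcessCommandLine);
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where InitiatingProcessFileName =~ "certutil.exe"
| where not(ipv4_is_private(RemoteIP))                    // certificate chain fetches to internal CAs drop out
| extend NormalizedCmd = tolower(InitiatingProcessCommandLine)
| where NormalizedCmd has_any (suspiciousSwitches)
| join kind=leftanti Baseline on DeviceName, NormalizedCmd // never-before-seen on this device
| project Timestamp, DeviceName, InitiatingProcessAccountName, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName, RemoteIP, RemotePort, RemoteUrl
| order by Timestamp desc
```

The baseline only helps if it is clean; if the LOLBin abuse started more than a day ago it is already inside the baseline and the anti-join hides it, so the first run should use a baseline window that ends before the suspected intrusion.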

A threat hunter is using Microsoft Sentinel to hunt for signs of privilege escalation via Azure AD role assignment changes. Which TWO KQL operators or functions are most useful for identifying changes that added a user to a high-privilege role?
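
Added example, not part of the original page: reading the role name out of a directory-role audit event. AuditLogs keeps the changed attributes in a JSON array whose element order is not fixed, so the query expands the target resources and then matches the element whose displayName is Role.DisplayName rather than indexing by position. It assumes Entra ID AuditLogs are connected; the high-privilege role list is a constructed starting point.

```kql
// Added example: who was added to which directory role, with the role name pulled out of
// the modifiedProperties array by displayName (its array position is not fixed).
// Assumes Entra ID AuditLogs are connected. The role list is a constructed starting point.
let HighPrivilegeRoles = dynamic([
    "Global Administrator", "Privileged Role Administrator", "Privileged Authentication Administrator",
    "Security Administrator", "Exchange Administrator", "Application Administrator"]);
AuditLogs
| where TimeGenerated > ago(7d)
| where Category == "RoleManagement"
| where OperationName has_any ("Add member to role", "Add eligible member to role")  // also matches PIM variants
| where Result == "success"
| extend Actor   = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                            tostring(InitiatedBy.app.displayName))
| extend ActorIp = tostring(InitiatedBy.user.ipAddress)
| mv-expand Target = TargetResources                       // one row per target resource
| extend TargetUpn = tostring(Target.userPrincipalName), TargetType = tostring(Target.type)
| mv-apply Prop = Target.modifiedProperties on (
      where tostring(Prop.displayName) == "Role.DisplayName"
    | project RoleName = trim('"', tostring(Prop.newValue))  // newValue is a JSON-quoted string
  )
| where RoleName in~ (HighPrivilegeRoles)
| project TimeGenerated, OperationName, Actor, ActorIp, TargetUpn, TargetType, RoleName, CorrelationId
| order by TimeGenerated desc
```

Targets of type Group matter as much as users: adding a group to a role gives its members the role without any further "Add member to role" event, so a follow-up hunt on group membership changes closes that gap.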

Question 11 · hard · multi select

A threat hunter is investigating a potential data exfiltration via DNS tunneling using Microsoft Defender for Endpoint advanced hunting. Which THREE columns from the DeviceNetworkEvents table should the hunter include in a query to detect anomalous DNS queries?
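
Added example, not from the original page: the per-device, per-domain statistics that expose tunnelling, where many long and distinct subdomains of one registered domain appear in a short window. It assumes Defender for Endpoint DeviceNetworkEvents. The query name is taken from RemoteUrl where the sensor fills it in; for the DnsConnectionInspected action type the name is assumed to be carried in AdditionalFields.query, and that field name is an assumption to verify against your own data before relying on it.

```kql
// Added example: many distinct, long subdomains under one registered domain from one device in an hour,
// the footprint of data carried inside query names. Assumes DeviceNetworkEvents (Defender for Endpoint).
// The AdditionalFields.query path for DnsConnectionInspected events is an assumption: check a raw row first.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemotePort == 53 or ActionType == "DnsConnectionInspected"
| extend QueryName = tolower(coalesce(tostring(parse_json(AdditionalFields).query), RemoteUrl))
| where isnotempty(QueryName) and QueryName contains "."
| extend Labels = split(QueryName, ".")
| extend LabelCount = array_length(Labels)
| where LabelCount >= 3                                          // a subdomain is needed to carry data
// Registered domain approximated as the last two labels (no public-suffix list applied here).
| extend RegisteredDomain = strcat(tostring(Labels[LabelCount - 2]), ".", tostring(Labels[LabelCount - 1]))
| extend Subdomain = substring(QueryName, 0, strlen(QueryName) - strlen(RegisteredDomain) - 1)
| summarize
    Queries      = count(),
    DistinctSubs = dcount(Subdomain),                            // tunnels never repeat a label
    AvgSubLen    = avg(strlen(Subdomain)),                       // encoded payload makes labels long
    MaxSubLen    = max(strlen(Subdomain)),
    Processes    = make_set(InitiatingProcessFileName, 5),
    Sample       = take_any(QueryName)
  by DeviceName, RegisteredDomain, bin(Timestamp, 1h)
| where DistinctSubs > 50 and AvgSubLen > 30
| order by DistinctSubs desc
```

CDNs, telemetry endpoints and some antivirus lookups also generate unique subdomains at volume, so the RegisteredDomain column is the triage key: a handful of well-known domains will account for most rows, and the one nobody recognises is the candidate.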

A security analyst is using Microsoft Sentinel to hunt for signs of a brute-force attack against Azure AD. Which TWO data sources are most relevant for this hunt?
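
Added example, not part of the original page: a hunt over both Entra ID sign-in tables at once, because interactive and non-interactive attempts are written to different tables and a hunt that reads only one of them can miss the attack entirely. The aggregation separates a spray (one IP, many accounts) from a classic brute force (one IP, few accounts, many failures). It assumes both SigninLogs and AADNonInteractiveUserSignInLogs are connected; the thresholds are illustrative.

```kql
// Added example: one source IP failing against many distinct accounts (spray) or one account (brute force),
// across both interactive and non-interactive sign-ins. Assumes both Entra ID sign-in tables are connected.
// 50126 bad password, 50053 locked out, 50057 disabled, 50055 expired password, 50056 no password
let failureCodes = dynamic(["50126", "50053", "50057", "50055", "50056"]);
union isfuzzy=true
    (SigninLogs
     | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Source = "Interactive"),
    (AADNonInteractiveUserSignInLogs
     | project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName, Source = "NonInteractive")
| where TimeGenerated > ago(1d)
| where ResultType in (failureCodes)
| summarize
    Failures         = count(),
    DistinctAccounts = dcount(UserPrincipalName),
    DistinctApps     = dcount(AppDisplayName),
    Sources          = make_set(Source),
    FirstSeen        = min(TimeGenerated),
    LastSeen         = max(TimeGenerated),
    SampleAccounts   = make_set(UserPrincipalName, 10)
  by IPAddress, bin(TimeGenerated, 1h)
| where DistinctAccounts >= 10 or Failures >= 100                 // illustrative thresholds
| extend Pattern = iff(DistinctAccounts >= 10, "spray (many accounts)", "brute force (few accounts)")
| order by Failures desc
```

Before trusting any threshold, run `summarize count() by ResultType, ResultDescription` over the same union for the same day; it shows which failure codes the tenant actually produces and in which table, which is the check that catches a hunt filtering on a code that never appears where it is being looked for.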

A threat hunter runs the KQL query shown in the exhibit in Microsoft Sentinel to detect accounts that have experienced multiple failed sign-in attempts due to a disabled account (ResultType 50057) from the same IP. The query returns no results even though the hunter knows that some disabled accounts are being attacked. What is the most likely reason for the false negatives?

Exhibit

Refer to the exhibit.

```kql
let threshold = 5;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057"  // User account is disabled
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > threshold
| project UserPrincipalName, IPAddress, FailedAttempts
```

A threat hunter writes the KQL query shown in the exhibit in Microsoft Defender for Endpoint advanced hunting to find devices where a script host process was launched with encoded commands and then connected to an HTTPS endpoint within 10 minutes. The query is syntactically correct but returns no results. The hunter knows that such activity has occurred. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-e "
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort == 443
    | project Timestamp, DeviceName, RemoteUrl
) on DeviceName, Timestamp
| where Timestamp between (Timestamp1 .. Timestamp1 + 10m)
```

A threat hunter in Microsoft Sentinel is reviewing a JSON definition for a scheduled analytics rule as shown in the exhibit. The rule is intended to run daily and alert on any device running powershell.exe with an encoded command. However, no alerts have been generated even though the hunter knows such activity exists. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Hunt for suspicious PowerShell",
    "description": "Detects PowerShell with encoded commands",
    "tactics": ["Execution"],
    "techniques": ["T1059.001"],
    "requiredDataConnectors": [
      { "connectorId": "MicrosoftThreatProtection", "dataTypes": ["DeviceProcessEvents"] }
    ],
    "queryPeriod": "14d",
    "queryFrequency": "1d",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ProcessCommandLine contains '-enc'",
    "suppressionEnabled": false
  }
}
```

During a threat hunt, you discover that a PowerShell script executed on multiple servers and established outbound connections to an external IP address. Which data source should you query in Microsoft Defender XDR to identify the specific command-line arguments used?
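
Added example covering both this scenario and the earlier one about a PowerShell script seen on multiple servers (not part of the original page): start from the outbound connections to the known IP, recover the exact command line of the PowerShell process that made them, then fan out to every device that ran that command line, whether or not it has reached the IP yet. The IP is a placeholder from the documentation range; the query assumes Defender for Endpoint's DeviceNetworkEvents and DeviceProcessEvents tables, which carry the initiating process command line alongside each network event.

```kql
// Added example: seed on the connection to the known IP, then pivot on the initiating
// PowerShell command line to find every device that ran it. The IP is a placeholder.
// Assumes DeviceNetworkEvents / DeviceProcessEvents (Defender for Endpoint, queried from
// Defender XDR advanced hunting or from Sentinel through the Defender XDR connector).
let KnownBadIp = "203.0.113.10";          // placeholder (documentation range); replace with the hunt's IP
let SeedCommandLines =
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteIP == KnownBadIp
    | where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
    | summarize Connections = count(), ConnectedDevices = make_set(DeviceName, 50)
        by CommandLine = InitiatingProcessCommandLine;   // the exact arguments that were used
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend CommandLine = ProcessCommandLine
| join kind=inner SeedCommandLines on CommandLine        // same script invocation anywhere in the estate
| summarize
    FirstRun = min(Timestamp), LastRun = max(Timestamp), Runs = count(),
    Users    = make_set(AccountName, 10),
    Parents  = make_set(InitiatingProcessFileName, 10),
    ConnectedDevices = take_any(ConnectedDevices)
  by DeviceName, CommandLine
| extend TalkedToKnownBadIp = set_has_element(ConnectedDevices, DeviceName)
| project FirstRun, LastRun, Runs, DeviceName, TalkedToKnownBadIp, Users, Parents, CommandLine
| order by TalkedToKnownBadIp asc, FirstRun asc           // not-yet-beaconing hosts first
```

An exact command-line match is brittle when the payload is re-encoded per host; if the script lives on disk as a .ps1, pivot on its SHA256 through DeviceFileEvents instead, and when the command line only shows a file path, the script-block contents are in DeviceEvents rows with ActionType PowerShellCommand.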

Your threat hunt aims to detect possible Kerberoasting attacks. Which KQL query in Microsoft Sentinel would best identify service principal name (SPN) requests from unusual accounts?
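
Added example, not from the original page: the classic Kerberoasting shape in domain-controller telemetry, which is one account requesting service tickets (event 4769) for many distinct SPNs in a short window, typically with RC4 encryption because that is what cracking tools ask for. It assumes the domain controllers' Security logs are collected into SecurityEvent with event 4769 included in the collection tier.

```kql
// Added example: Kerberos service ticket requests (4769) with RC4 (0x17) for many distinct SPNs
// from one account in ten minutes, excluding computer accounts and the krbtgt service.
// Assumes domain controller Security logs land in SecurityEvent with 4769 collected.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4769
| where TicketEncryptionType == "0x17"                      // RC4-HMAC: what most roasting tools request
| where Status == "0x0"                                      // a ticket was actually issued
| where ServiceName !endswith "$" and ServiceName !~ "krbtgt" // user-account SPNs are the crackable ones
| extend RequestingAccount = tolower(TargetUserName)
| where RequestingAccount !endswith "$"                      // human or service accounts, not computers
| summarize
    SpnRequests  = count(),
    DistinctSpns = dcount(ServiceName),
    Spns         = make_set(ServiceName, 20),
    ClientIps    = make_set(IpAddress, 5),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by RequestingAccount, Computer, bin(TimeGenerated, 10m)
| where DistinctSpns >= 5                                    // a user normally needs one or two tickets
| order by DistinctSpns desc
```

Newer tooling can request AES tickets, so dropping the TicketEncryptionType filter and keeping the DistinctSpns threshold is the broader form; the RC4 filter is kept here because an RC4 request in an AES-only domain is itself the anomaly.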

You are threat hunting for signs of credential dumping via LSASS access. Which Advanced Hunting schema table in Microsoft Defender XDR should you primarily query to find processes that opened a handle to LSASS?
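
Added example, not part of the original page: handle opens on lsass.exe with the expected security products removed, and the requested access mask kept for triage. It assumes Defender for Endpoint's DeviceEvents table; the allowlist is constructed for illustration and should be built from what actually runs in the estate, and the DesiredAccess field name inside AdditionalFields is an assumption to confirm against a raw row.

```kql
// Added example: processes opening a handle to lsass.exe, minus the products expected to do so.
// Assumes DeviceEvents (Defender for Endpoint). Allowlist is constructed for illustration;
// the AdditionalFields.DesiredAccess path is an assumption to verify against a raw event.
let ExpectedLsassReaders = dynamic([
    "MsMpEng.exe", "MsSense.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe", "svchost.exe"]);
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"                               // FileName is the process that was opened
| where InitiatingProcessFileName !in~ (ExpectedLsassReaders)  // InitiatingProcess* is the caller
| extend DesiredAccess = tostring(parse_json(AdditionalFields).DesiredAccess)
| summarize
    Opens       = count(),
    AccessMasks = make_set(DesiredAccess, 5),
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Accounts    = make_set(InitiatingProcessAccountName, 5)
  by DeviceName, InitiatingProcessFileName, InitiatingProcessFolderPath,
     InitiatingProcessSHA256, InitiatingProcessCommandLine
| order by Opens asc                                          // rare openers first
```

Dumping tools need read access to process memory, so an access mask that includes PROCESS_VM_READ from a process that is not a debugger or a security product is the row to open first; a renamed copy of a legitimate tool shows up through the hash column, not the file name.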

Your threat hunt involves correlating alerts from Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint. Which Microsoft Sentinel integration should you use to unify these alerts for hunting?

During a hunt, you find that a user account has logged in from an IP address associated with a known command-and-control (C2) server. The hunt also reveals that the same IP accessed a SharePoint site containing sensitive documents. Which Microsoft Purview feature should you use to investigate data exfiltration?


Frequently asked questions

What does the SC-200 exam test about Perform threat hunting?
Perform threat hunting questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Perform threat hunting questions in a focused session?
Yes — the session launcher on this page draws every question from the Perform threat hunting domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.