SC-200 · topic practice

Respond to security incidents practice questions

Practise Microsoft Security Operations Analyst SC-200 Respond to security incidents practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Respond to security incidents

What the exam tests

What to know about Respond to security incidents

Respond to security incidents questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Respond to security incidents exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Respond to security incidents questions

20 questions · select your answer, then reveal the explanation

Question 1mediummultiple choice
Read the full Ansible explanation →

You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?

During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)

Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?

An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?

In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?

You are responding to an incident where a user's credentials were used to access a federated SaaS application from an IP address associated with a known threat actor. The user's account is not disabled. Which action is most effective to prevent further unauthorized access?

During an incident response, you need to collect forensic data from Microsoft Defender for Endpoint (MDE) on a remote device that is currently offline. What is the best approach?

Question 9mediummultiple choice
Read the full Ansible explanation →

An incident in Microsoft Sentinel involves a phishing campaign that delivered a malicious macro-enabled document. The document was opened by 15 users. Which playbook action should be triggered automatically to contain the threat?

Question 10hardmultiple choice
Read the full Ansible explanation →

An analyst creates a playbook in Microsoft Sentinel to automatically block an IP address when an alert fires. However, the playbook fails to block the IP. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block Malicious IP",
    "trigger": {
      "type": "Microsoft.SecurityInsights/alertRule",
      "alertRuleId": "1234"
    },
    "actions": [
      {
        "type": "Microsoft.SecurityInsights/incidentAction",
        "actionType": "BlockIP",
        "properties": {
          "ipAddress": "@{triggerBody()?['properties']?['alertRuleId']}",
          "blockDuration": "P1D"
        }
      }
    ]
  }
}

You run the above KQL query in Microsoft Sentinel to identify ransomware alerts from the last day. The result shows zero rows. Which is the most likely reason?

Exhibit

Refer to the exhibit.
```kql
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName contains "ransomware"
| summarize count() by AlertName
| order by count_ desc
```

An administrator creates a Microsoft Defender for Cloud Apps policy to block unsanctioned cloud storage apps. Despite the policy, users can still access these apps. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "policyType": "Microsoft.CloudAppSecurity/Policy",
    "policyName": "Block Unapproved Storage",
    "policyMode": "Monitor",
    "filter": {
      "app": {
        "category": "Cloud storage",
        "tag": "Unsanctioned"
      }
    },
    "actions": [
      {
        "actionType": "Block",
        "actionValue": "true"
      }
    ]
  }
}

Which TWO actions are appropriate when responding to a confirmed data exfiltration incident via email?

Question 14mediummulti select
Read the full Ansible explanation →

Which THREE steps should be included in a Microsoft Sentinel playbook for automatic incident response when a high-severity alert fires?

Question 15hardmulti select
Read the full Ansible explanation →

Which THREE conditions must be met for Microsoft Sentinel to automatically run a playbook on an incident?

A security analyst receives a high-severity alert for a suspicious login from an unusual location. The alert was generated by Microsoft Sentinel from Microsoft Entra ID sign-in logs. The analyst needs to determine if the login was successful and if any data exfiltration occurred. What is the MOST efficient first step?

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. You need to create a custom anti-phishing policy to block similar emails in the future. What should you configure?

A security team is investigating a ransomware incident that encrypted files on several Windows servers. Microsoft Defender for Endpoint detected the ransomware but the initial infection vector is unknown. Which KQL query in Microsoft Sentinel would BEST identify the initial process that executed the ransomware?

You have a Microsoft Sentinel analytical rule with the above configuration. During a security incident, multiple high-severity alerts are generated within a 5-minute window. How does the rule handle these alerts?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "SOC Critical Alert Rule",
    "description": "Triggers on critical severity alerts",
    "severity": "High",
    "enabled": true,
    "query": "SecurityAlert | where Severity == 'High' | where TimeGenerated > ago(5m)",
    "queryFrequency": "PT5M",
    "queryPeriod": "PT5M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5M",
    "suppressionEnabled": false,
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5M",
        "entitiesMatchingMethod": "All"
      }
    }
  }
}
```

You are deploying Microsoft Sentinel using the above ARM template parameters. After deployment, you notice that Microsoft Defender for Cloud alerts are not being ingested. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "sentinel-workspace"
    },
    "location": {
      "value": "eastus"
    },
    "enableUEBA": {
      "value": true
    },
    "dataConnectors": {
      "value": [
        "AzureIdentity",
        "AzureActivity",
        "MicrosoftThreatProtection"
      ]
    }
  }
}
```

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Respond to security incidents sessions

Start a Respond to security incidents only practice session

Every question in these sessions is drawn from the Respond to security incidents domain — nothing else.

Related practice questions

Related SC-200 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SC-200 exam test about Respond to security incidents?
Respond to security incidents questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Respond to security incidents questions in a focused session?
Yes — the session launcher on this page draws every question from the Respond to security incidents domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.