Courseiva

SC-200 · topic practice

Scenario practice questions

Use this page to practise SC-200 Scenario practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.

7 questionsDomain: Scenario
Practice 10 questionsBrowse domain →

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Scenario questions

7 questions · select your answer, then reveal the explanation

Question 1easymultiple choice
Full question →

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

Full question →
Question 2easymultiple choice
Full question →

A security analyst wants to create a custom detection rule in Microsoft Sentinel that alerts when a user logs in from an IP address that is not in the company's approved IP range. The analyst has an existing watchlist named 'ApprovedIPs' containing the allowed ranges. Which KQL operator should the analyst use to compare the IP address from the SigninLogs table against the watchlist?

Full question →
Question 3mediummulti select
Full question →

Which of the following detection scenarios can be implemented using a scheduled analytics rule in Microsoft Sentinel? (Select all that apply.) (Choose 2.)

Full question →
Question 4mediummultiple choice
Full question →

A security analyst is investigating a potential business email compromise (BEC) campaign. The analyst wants to find all emails that were sent to external recipients from an internal user's mailbox that also had a login from an unusual location shortly after the email was sent. Which advanced hunting tables should the analyst query to get the email metadata and the sign-in details?

Full question →
Question 5easymultiple choice
Full question →

A SOC analyst needs to create a custom alert in Microsoft Sentinel that triggers when a specific user logs in from an unusual geographic location, compared to a learned baseline of normal locations. Which type of analytics rule is best suited for this scenario?

Full question →
Question 6mediummultiple choice
Full question →

A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a user logs in from an IP address outside of the organization's typical geographic locations, based on a learned baseline. Which type of analytics rule is best suited for this scenario?

Full question →
Question 7easymultiple choice
Full question →

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that runs every 5 minutes and alerts when a single IP address fails to authenticate more than 10 times in that time window using the Microsoft Entra ID SigninLogs table. Which KQL function should be used to group the results into 5-minute intervals?

Full question →
Continue with 20-question session →

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Sign up freeLog in

Focused Scenario sessions

Start a Scenario only practice session

Every question in these sessions is drawn from the Scenario domain — nothing else.

10 questions20 questions30 questions50 questions
Browse all Scenario questions →Mixed SC-200 session

Related practice questions

Related SC-200 topic practice pages

Move into related areas when this topic feels solid.

SC-200 fundamentals practice questions

Practise SC-200 questions linked to SC-200 fundamentals.

SC-200 scenario practice questions

Practise SC-200 questions linked to SC-200 scenario.

SC-200 troubleshooting practice questions

Practise SC-200 questions linked to SC-200 troubleshooting.

Frequently asked questions

What does the SC-200 exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.