SC-200 · topic practice

Scenario practice questions

Practise Microsoft Security Operations Analyst SC-200 Scenario practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
17 questions · Domain: Scenario

What the exam tests

What to know about Scenario

Scenario questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Scenario exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Scenario questions

17 questions · select your answer, then reveal the explanation

Question 1 · medium · multiple choice

A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?

Question 2 · hard · multiple choice

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

Question 3 · medium · multiple choice

A company uses Microsoft Defender for Cloud to protect their Azure resources. They have enabled the enhanced security features on a subscription that contains several Azure SQL databases. They want to be alerted if a user attempts to perform SQL injection attacks against these databases. Which Defender for Cloud plan specifically enables SQL injection detection alerts?

Question 4 · easy · multiple choice

A security analyst is reviewing a phishing incident in Microsoft 365 Defender. They need to find all users who received a specific email message by searching for the email's Internet Message ID. Which advanced hunting table should the analyst query?

Question 5 · easy · multiple choice

A SOC analyst needs to create a custom alert in Microsoft Sentinel that triggers when a specific user logs in from an unusual geographic location, compared to a learned baseline of normal locations. Which type of analytics rule is best suited for this scenario?

Question 6 · easy · multiple choice

A security analyst in Microsoft Sentinel wants to create a custom analytics rule that triggers when more than 10 failed logon attempts from a single source IP address occur within 5 minutes. The analyst writes a KQL query to aggregate sign-in logs. Which KQL operator should the analyst use to group events by source IP and count each failure?

Question 7 · medium · multiple choice

A SOC team uses Microsoft Sentinel. They need to correlate syslog events from on-premises firewalls with Microsoft Entra ID sign-in logs to detect VPN-based intrusions. The correlation requires joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Which type of analytics rule should the analyst configure?

Question 8 · medium · multi select

Which of the following detection scenarios can be implemented using a scheduled analytics rule in Microsoft Sentinel? (Select all that apply.) (Choose 2.)

Question 9 · medium · multiple choice

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect potential account compromise. The rule should trigger when a user account is created in Microsoft Entra ID and, within one hour, that same account is used to sign in from an unfamiliar location. The queries use the AuditLogs table for account creation and the SigninLogs table for sign-ins. Which KQL operator should be used to correlate these two events from different tables within a specific time window?

Question 10 · easy · multiple choice

A security analyst wants to create a custom detection rule in Microsoft Sentinel that alerts when a user logs in from an IP address that is not in the company's approved IP range. The analyst has an existing watchlist named 'ApprovedIPs' containing the allowed ranges. Which KQL operator should the analyst use to compare the IP address from the SigninLogs table against the watchlist?

Question 11 · medium · multiple choice

A security analyst is investigating a potential business email compromise (BEC) campaign. The analyst wants to find all emails that were sent to external recipients from an internal user's mailbox that also had a login from an unusual location shortly after the email was sent. Which advanced hunting tables should the analyst query to get the email metadata and the sign-in details?

Question 12 · medium · multiple choice

A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a user logs in from an IP address outside of the organization's typical geographic locations, based on a learned baseline. Which type of analytics rule is best suited for this scenario?

Question 13 · medium · multiple choice

Your SOC is investigating an incident in Microsoft Sentinel. You need to quickly identify all related alerts and entities across the timeline. What Microsoft Sentinel feature should you use?

Question 14 · hard · multiple choice

Your security operations center uses Microsoft Sentinel and Microsoft Defender XDR. A new type of attack involves a user receiving a malicious email that triggers a macro, which then executes PowerShell to download a payload. You need to create a detection that correlates email, process creation, and network connection events from multiple Microsoft 365 Defender sources. What should you use?

Question 15 · medium · multiple choice

Your company uses Microsoft Sentinel and has a workspace in the East US region. You need to ingest logs from a non-Azure Windows server located in a branch office in Europe. You have limited bandwidth and need to ensure that log ingestion does not impact network performance. What should you use?

Question 16 · medium · multiple choice

You are a security analyst at a company that uses Microsoft Defender XDR. You receive an alert about a potential ransomware activity on a workstation. The alert is generated by Microsoft Defender for Endpoint. You need to contain the threat by isolating the workstation from the network while allowing forensic analysis to proceed. You want to use Microsoft Defender XDR's built-in actions. What should you do?

Question 17 · hard · multi select

Which TWO steps are necessary to configure Microsoft Sentinel to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created?


Frequently asked questions

What does the SC-200 exam test about Scenario?
Scenario questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Scenario questions in a focused session?
Yes — the session launcher on this page draws every question from the Scenario domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SC-200 topics?
Use the topic links above to move to related areas, or go back to the SC-200 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SC-200 exam covers. They are not copied from any real exam or dump site.