
SC-200 Microsoft Security Operations Analyst practice test

Use this page to practise for the SC-200 Microsoft Security Operations Analyst exam. The goal is not to memorise dumps, but to understand each concept, review the explanation and improve your exam readiness.

Practice questions: 300
Topics covered: mapped to the exam objectives
Exam code: SC-200
Vendor: Microsoft


Practice set

Microsoft Security Operations Analyst SC-200 questions

Question 1 (hard, multi select)

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

Question 2 (medium, multiple choice)

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

Question 3 (medium, multiple choice)

A security analyst in Microsoft Defender for Cloud receives an alert that an Azure VM has a vulnerability with a high severity. The analyst wants to see the detailed finding, including the steps to remediate. Which blade or page should the analyst open?

Question 4 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The security team wants to receive security alerts about suspicious activities within the cluster, such as a container running with root privileges or attempts to read sensitive host paths. Which Defender for Cloud plan must be enabled to generate these alerts?

Question 5 (hard, multiple choice)

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.

Question 6 (easy, multiple choice)

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

Question 7 (medium, multiple choice)

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

Question 8 (medium, multiple choice)

A security analyst receives an alert in Microsoft Defender for Cloud about a suspicious process on an Azure VM. The alert indicates a potential credential dumping tool. The analyst needs to see the full command line and parent process of the suspicious process. Which Defender for Cloud feature should the analyst use?

Question 9 (hard, multiple choice)

A company has multiple Azure subscriptions managed by Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to ensure that all Azure SQL Servers have Advanced Data Security (ADS) enabled, including Vulnerability Assessment. They decide to use Azure Policy to enforce this at scale. Which built-in policy initiative should they assign to achieve this?

Question 10 (medium, multi select)

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Question 11 (hard, multiple choice)

A company has multiple Azure subscriptions under a management group. They want to ensure that all VMs across all subscriptions have Microsoft Defender for Cloud's vulnerability assessment solution (using the Microsoft Defender Vulnerability Management engine) enabled. They also want to automatically remediate any non-compliant VMs by enabling the VA solution when a VM is missing it. Which combination of policy initiatives and automation should they use?

Question 12 (medium, multiple choice)

A company has Azure virtual machines running Windows Server. The security team wants to use Microsoft Defender for Cloud's vulnerability assessment solution to identify missing security updates. Which of the following is required to enable built-in vulnerability assessment for VMs?

Question 13 (medium, multiple choice)

A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?

Question 14 (medium, multiple choice)

A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?

Question 15 (medium, multiple choice)

A company runs SQL Server on Azure Virtual Machines (IaaS). They want to enable Advanced Threat Protection (ATP) for these instances to detect SQL injection attempts. What must they do first?

Question 16 (easy, multiple choice)

A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?

Question 17 (medium, multiple choice)

A Defender for Cloud alert repeatedly fires for a known test VM used by the security team. The alert type is valid, but it should not create noise for that VM. What should the analyst configure?

Question 18 (easy, multiple choice)

A company wants to enable vulnerability scanning for Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. What is the first step?

Question 19 (medium, multiple choice)

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team receives an alert indicating that a VM is communicating with a known malicious IP address. Which Defender for Cloud feature can be used to automatically block outbound traffic to that IP address by adjusting the network security group (NSG)?

Question 20 (medium, multiple choice)

A cloud security administrator needs to ensure that all Azure virtual machines have the Microsoft Defender for Cloud agent (Log Analytics agent) installed automatically when they are provisioned. Which configuration should be set in Microsoft Defender for Cloud?

Question 21 (easy, multiple choice)

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team wants to identify which VMs have missing system updates such as critical security patches. Which Defender for Cloud feature should they use?

Question 22 (medium, multi select)

A hybrid environment contains Azure VMs and on-premises servers connected through Azure Arc. Which two outcomes can Defender for Cloud provide for these servers? (Choose 2.)

Question 23 (easy, multiple choice)

A security administrator in Microsoft Defender for Cloud notices that the Secure Score is lower than expected. Which action would most effectively improve the Secure Score by reducing the attack surface?

Question 24 (easy, multiple choice)

A security administrator wants to quickly view the overall security posture of all Azure subscriptions under a single management group that are monitored by Microsoft Defender for Cloud. Where in the Azure portal should they navigate?

Exam question guide

How to use these SC-200 questions

Use these questions as active recall, not passive reading. Try the question first, review the answer choices, then open the explanation and connect the result back to the exam topic.

Quick answer

Cloud concepts questions usually test the service model (IaaS/PaaS/SaaS) and deployment model (public/private/hybrid/community) appropriate for a given scenario.

IaaS, PaaS and SaaS responsibilities and examples.

Public, private, hybrid and community cloud deployment models.

On-premises vs cloud trade-offs: cost, control, scalability.

How cloud connectivity options (VPN, Direct Connect, ExpressRoute) work.
