Free SC-200 Practice Questions with Detailed Explanations

Test your security operations readiness with 25 free practice questions covering Microsoft Sentinel, Defender XDR, and Defender for Cloud.

20 min read
Updated April 2026
SC-200 Associate

The SC-200 (Microsoft Security Operations Analyst) exam tests your ability to investigate, respond to, and hunt for threats using Microsoft security tools. SOC analysts, threat hunters, and security engineers preparing for this exam need hands-on knowledge of Sentinel, Defender XDR, and Defender for Cloud.

These 25 questions cover real SOC scenarios — KQL queries, incident response workflows, SIEM configuration, and threat detection. For a full study roadmap, see our SC-200 study guide or compare paths with SC-200 vs SC-300.

What You'll Get:

  • 25 scenario-based questions across all three exam pillars
  • KQL query questions — exactly what you see on the real exam
  • Detailed explanations for every answer option
  • Scoring guide to assess your readiness

What These Questions Cover

  • Microsoft Defender XDR (8 questions): Defender for Endpoint, Identity, Office 365, Cloud Apps
  • Microsoft Sentinel (10 questions): Data connectors, analytics rules, KQL, SOAR playbooks
  • Defender for Cloud (7 questions): Security posture, workload protection, compliance

📝 Practice Test Instructions

  • Each question has ONE correct answer
  • For KQL questions, read the query carefully before selecting
  • Note your answers before scrolling to the answer key
  • Aim to complete all 25 questions in 25 minutes
🛡️ Microsoft Defender XDR

Questions 1–8

Question 1: Defender for Endpoint — Alert Triage

A security analyst receives an alert in Microsoft Defender XDR: "Suspicious process launched by Office application." The alert is classified as Medium severity. The analyst needs to determine if the alert is a true positive before escalating.

What is the FIRST action the analyst should take?

A) Examine the alert's process tree and timeline in the Defender XDR incident page
B) Immediately isolate the affected device
C) Block the user account in Microsoft Entra ID
D) Run a full antivirus scan on the device

Question 2: Defender XDR — Incident Correlation

Your SOC receives 47 separate alerts across Defender for Endpoint, Defender for Office 365, and Defender for Identity related to the same attack chain. Analysts are struggling to see the full picture.

Which Microsoft Defender XDR capability automatically correlates these alerts into a single view?

A) Microsoft Sentinel incidents
B) Defender XDR Incidents (automatic alert correlation)
C) Microsoft Purview audit log
D) Azure Monitor alert rules

Question 3: Defender for Endpoint — Live Response

During an active incident investigation, you need to collect a memory dump from a compromised Windows device and run a custom investigation script on it — all without physically accessing the device.

Which Defender for Endpoint feature allows this?

A) Device isolation
B) Automated investigation and remediation
C) Live response session
D) Advanced hunting query

Question 4: Defender for Identity — Lateral Movement

Microsoft Defender for Identity raises an alert: "Suspected identity theft (pass-the-hash)." The alert shows a user account was used to authenticate to multiple servers within a 10-minute window using NTLM.

What does this alert indicate and what should you investigate first?

A) Normal behavior — NTLM is used for legacy authentication
B) A VPN connection issue causing duplicate authentication
C) A Microsoft Entra ID Conditional Access policy failure
D) A possible pass-the-hash attack — investigate the source machine for credential dumping tools

Question 5: Defender for Office 365 — Safe Attachments

Users in your organization are reporting that they received emails with PDF attachments that deployed malware when opened. You need to prevent this from happening in the future.

Which Defender for Office 365 feature should you enable?

A) Safe Attachments policy with Dynamic Delivery
B) Anti-spam policy
C) Safe Links policy
D) Anti-phishing policy with impersonation protection

Question 6: Advanced Hunting — KQL

You want to find all devices that had a process named "mimikatz.exe" execute within the last 7 days using Advanced Hunting in Microsoft Defender XDR.

Which KQL query would return this data from the DeviceProcessEvents table?

A) DeviceProcessEvents | filter FileName = "mimikatz.exe" AND time > 7d
B) DeviceProcessEvents | where FileName == "mimikatz.exe" | where Timestamp > ago(7d)
C) SELECT * FROM DeviceProcessEvents WHERE FileName = 'mimikatz.exe' AND date > NOW()-7
D) DeviceProcessEvents | where ProcessName contains "mimikatz" | limit 100

Question 7: Defender for Cloud Apps — Shadow IT

Your security team wants to identify which unsanctioned cloud applications employees are accessing. You want a risk assessment of each discovered app based on compliance certifications and security controls.

Which Defender for Cloud Apps feature provides this capability?

A) Conditional Access App Control
B) App governance policies
C) Cloud Discovery (Shadow IT discovery)
D) Information protection policies

Question 8: Automated Investigation and Remediation

An automated investigation in Defender for Endpoint has completed and recommends remediating a malicious file found on 12 devices. The recommendation is awaiting approval.

Where should a security analyst go to approve or reject these remediation actions?

A) Defender XDR Settings — Endpoints
B) Microsoft Intune — Device compliance
C) Microsoft Sentinel Playbooks
D) Defender XDR Action Center — Pending actions

🔍 Microsoft Sentinel

Questions 9–18

Question 9: Data Connectors

You need to ingest security events from Azure Active Directory sign-in logs, Azure Activity logs, and Microsoft 365 audit logs into Microsoft Sentinel.

What is the correct way to connect these data sources?

A) Enable the Microsoft Entra ID, Azure Activity, and Microsoft 365 data connectors in Microsoft Sentinel
B) Install the Log Analytics agent on each Azure service
C) Configure Azure Diagnostics to send logs to a storage account, then connect to Sentinel
D) Use Azure Event Hub to stream all logs to Sentinel

Question 10: Analytics Rules

You want to create a detection rule in Microsoft Sentinel that fires an alert when a user signs in from two different countries within 30 minutes (impossible travel).

Which type of analytics rule should you create?

A) Microsoft incident creation rule
B) Scheduled query rule using KQL with entity mapping
C) Fusion rule
D) Machine learning behavioral analytics rule

Question 11: KQL for Sentinel

You want a Sentinel query that shows all failed sign-in events from the SigninLogs table where the failure reason is "Invalid password" in the last 24 hours, ordered by most recent first.

Which KQL query is correct?

A) SigninLogs | filter ResultType = "failed" | filter time > 24h | sort by time
B) SELECT * FROM SigninLogs WHERE ResultType != 0 AND time > NOW()-24h ORDER BY time DESC
C) SigninLogs | where ResultType != 0 | where ResultDescription == "Invalid password" | where TimeGenerated > ago(24h) | order by TimeGenerated desc
D) SigninLogs | where Status == "Failure" | where Reason == "InvalidPassword" | top 100

Question 12: Sentinel Watchlists

Your organization has a list of 500 known malicious IP addresses maintained by your threat intelligence team in a CSV file. You want to use this list in Sentinel analytics rules to detect when any of these IPs appear in sign-in events.

What is the BEST way to operationalize this IP list in Sentinel?

A) Create 500 individual analytics rules, one per IP address
B) Upload the CSV to Azure Blob Storage and query it directly from KQL
C) Create a custom log table by uploading the CSV via Log Analytics
D) Import the CSV as a Sentinel Watchlist and reference it in analytics rules using the _GetWatchlist() function

Question 13: Sentinel Playbooks (SOAR)

When a high-severity incident is created in Sentinel, you want to automatically send a notification to the SOC Teams channel and create a ticket in ServiceNow. This should happen without analyst intervention.

What should you create to automate this response?

A) A Sentinel Automation Rule that triggers a Logic App (Playbook) on incident creation
B) A Sentinel analytics rule with alert grouping enabled
C) A Microsoft Defender XDR automated investigation
D) An Azure Function triggered by Azure Monitor alerts

Question 14: Sentinel Workbooks

Your CISO wants a visual dashboard showing Sentinel incident trends over time, top alert sources, and mean time to close for incidents. The dashboard should refresh automatically.

What Sentinel feature should you use?

A) Microsoft Sentinel Analytics — rule activity
B) Microsoft Sentinel Workbooks
C) Azure Monitor dashboards
D) Microsoft Defender XDR Reports

Question 15: Incident Investigation

A Sentinel incident is triggered: multiple failed SSH logins to an Azure VM followed by a successful login and execution of a cryptocurrency miner. You need to understand the full attack timeline and identify all affected entities.

Which Sentinel feature provides a visual map of the attack with all related entities and alerts?

A) The incident timeline view
B) The Sentinel threat intelligence page
C) The investigation graph
D) The entity behavior analytics page

Question 16: Threat Intelligence

You subscribe to a TAXII threat intelligence feed that provides malicious IP indicators. You want these indicators to automatically trigger alerts in Sentinel when matched against your network logs.

What must you configure in Microsoft Sentinel?

A) A custom log table for threat intelligence and a Sentinel playbook to match IPs
B) A Defender for Endpoint custom indicator import
C) A Sentinel watchlist populated manually from the TAXII feed
D) A data connector for Threat Intelligence TAXII, then an analytics rule using the ThreatIntelligenceIndicator table

Question 17: UEBA

Your organization wants Sentinel to detect when user behavior deviates significantly from their normal baseline — for example, a user downloading 50x more data than usual or accessing systems they never accessed before.

Which Sentinel capability provides this behavioral baseline and anomaly detection?

A) User and Entity Behavior Analytics (UEBA)
B) Scheduled analytics rules with static thresholds
C) Microsoft Defender for Identity alerts
D) Azure AD Identity Protection risk policies

Question 18: Sentinel Cost Management

Your Sentinel workspace is ingesting 200 GB/day. Your security team only needs to query the last 90 days of data for investigations, but you must retain logs for 2 years for compliance purposes.

Which Log Analytics retention configuration optimizes cost while meeting both requirements?

A) Set total retention to 730 days (2 years) at the workspace level — all data billed at full rate
B) Set interactive retention to 90 days and archive retention to 730 days total — archived data is much cheaper
C) Export all logs after 90 days to Azure Storage and delete from Sentinel
D) Create a second workspace for compliance archiving and query it separately

☁️ Microsoft Defender for Cloud

Questions 19–25

Question 19: Secure Score

Your Microsoft Defender for Cloud Secure Score is 45%. Your CISO wants to improve it to 70% within 3 months. You need to identify which recommendations will have the highest impact on the score.

How should you prioritize remediation efforts?

A) Fix all recommendations alphabetically
B) Enable all Defender for Cloud plans first
C) Address recommendations with the highest score impact first, filtered by the Secure Score impact column
D) Focus on critical severity alerts only

Question 20: Defender for Cloud Plans

Your organization runs workloads in Azure, on-premises servers, and AWS. You want Microsoft Defender for Cloud to protect all these workloads with advanced threat detection including just-in-time VM access and file integrity monitoring.

What do you need to enable?

A) Defender for Cloud free tier — it covers all environments
B) Microsoft Defender for Endpoint only — it covers all platforms
C) Azure Security Center legacy features
D) Enhanced security features (paid Defender plans) for each workload type across all connected environments

Question 21: Just-In-Time VM Access

Attackers are attempting brute force attacks against management ports (RDP port 3389, SSH port 22) on your Azure VMs. You need to reduce the attack surface by ensuring these ports are only open when explicitly requested.

Which Defender for Cloud feature should you enable?

A) Just-in-time VM access
B) Network Security Group rules blocking all inbound traffic
C) Azure Bastion for all VMs
D) Defender for Cloud adaptive network hardening

Question 22: Regulatory Compliance

Your organization needs to demonstrate compliance with the CIS Microsoft Azure Foundations Benchmark. You need a dashboard showing which controls are passing and failing, mapped to specific Azure resource configurations.

Where in Defender for Cloud would you find this?

A) Defender for Cloud — Recommendations
B) Defender for Cloud — Regulatory compliance dashboard
C) Microsoft Purview Compliance Manager
D) Azure Policy compliance dashboard

Question 23: Security Alerts

Defender for Cloud raises an alert: "Suspicious authentication activity — possible brute force." The alert shows 500 failed login attempts to an Azure SQL Database followed by a successful login from an unusual IP. The data in the database contains customer PII.

What is the recommended immediate response?

A) Dismiss the alert as a false positive if the IP is a known country
B) Only act if the severity is Critical — Medium severity alerts are informational
C) Investigate the successful login, check what data was accessed, and consider revoking the SQL credentials and notifying the privacy team
D) Enable Microsoft Purview auditing to see what queries were run

Question 24: Defender for Cloud — CSPM vs CWPP

Your security architect asks you to explain the difference between CSPM and CWPP components in Defender for Cloud.

Which statement BEST describes both components?

A) CSPM prevents network attacks; CWPP detects application vulnerabilities
B) CSPM manages identities; CWPP manages network security groups
C) Both CSPM and CWPP serve identical functions with different dashboards
D) CSPM (Cloud Security Posture Management) assesses and improves your security configuration; CWPP (Cloud Workload Protection Platform) detects runtime threats against your workloads

Question 25: Multi-Cloud Security

Your organization uses both Azure and AWS. You want a single pane of glass to see security recommendations and threat detections for both cloud environments in Defender for Cloud.

How do you connect AWS to Microsoft Defender for Cloud?

A) Add AWS as a connected environment using the Cloud Connectors in Defender for Cloud
B) Install the Log Analytics agent on all AWS EC2 instances
C) Deploy Microsoft Defender for Endpoint on AWS EC2 instances
D) Use Azure Arc to proxy all AWS resources through Azure


✋ Stop Here Before Scrolling!

Have you answered all 25 questions? Complete the test before checking the answers below.

Pro tip: Note your KQL answers carefully — they appear as code on the real exam too

📝 Answer Key with Detailed Explanations

Review each explanation carefully, even for questions you answered correctly

Quick Answer Reference

Q1: A, Q2: B, Q3: C, Q4: D, Q5: A
Q6: B, Q7: C, Q8: D, Q9: A, Q10: B
Q11: C, Q12: D, Q13: A, Q14: B, Q15: C
Q16: D, Q17: A, Q18: B, Q19: C, Q20: D
Q21: A, Q22: B, Q23: C, Q24: D, Q25: A
Question 1: Alert Triage

✓ Correct Answer: A) Examine the alert's process tree and timeline in the Defender XDR incident page

Why this is correct:

Before taking any containment action, analysts must determine if an alert is a true positive. The Defender XDR incident page shows the full process tree, parent-child process relationships, command lines executed, and timeline — giving context to assess severity and confirm the threat without taking premature action that could alert the attacker.

Why other answers are incorrect:

B: Immediate isolation disrupts the user, could destroy forensic evidence if done too early, and is inappropriate for an unconfirmed Medium alert.
C: Blocking the user account is a drastic action that should only happen after confirming compromise.
D: A full AV scan may miss the threat if it's a fileless attack and alerts the attacker to detection.

💡 Key Concept:

SOC triage order: 1) Understand (process tree, timeline), 2) Confirm (true/false positive), 3) Contain (if confirmed), 4) Remediate, 5) Document.

Question 2: Incident Correlation

✓ Correct Answer: B) Defender XDR Incidents (automatic alert correlation)

Why this is correct:

Microsoft Defender XDR automatically correlates related alerts from Defender for Endpoint, Office 365, Identity, and Cloud Apps into a single incident using AI-based correlation. This "attack story" view shows the full kill chain instead of dozens of separate alerts.

Why other answers are incorrect:

A: Sentinel incidents are from SIEM — while Sentinel can ingest Defender alerts, the correlation of native Defender alerts happens in Defender XDR first.
C: Purview audit log is for data governance/compliance, not security incident correlation.
D: Azure Monitor creates infrastructure alerts — not security incident correlation.

💡 Key Concept:

Defender XDR incident = correlation of multiple alerts across Defender products. Sentinel incident = correlation from any data source in Sentinel. They complement each other — Sentinel can ingest Defender XDR incidents too.

Question 3: Live Response

✓ Correct Answer: C) Live response session

Why this is correct:

Live response gives analysts an interactive command-line shell on a remote device. You can upload and run scripts, collect files, collect memory dumps, run forensic tools, and investigate processes — all remotely without physically touching the device or deploying additional agents.

Why other answers are incorrect:

A: Device isolation cuts off network access — useful for containment but doesn't enable forensic collection.
B: Automated investigation runs pre-defined workflows — it doesn't give interactive access or allow custom script execution.
D: Advanced hunting queries historical telemetry — it doesn't give you interactive access to the device.

💡 Key Concept:

Live response prerequisites: Defender for Endpoint P2, device online, analyst has "Live response" permission in RBAC. Available for Windows, macOS, and Linux devices.

Question 4: Lateral Movement

✓ Correct Answer: D) A possible pass-the-hash attack — investigate the source machine for credential dumping tools

Why this is correct:

Pass-the-hash (PtH) is an attack where the attacker captures an NTLM hash from one machine and uses it to authenticate to other systems without knowing the plaintext password. Rapid NTLM authentication to multiple servers is a key indicator. The source machine is the starting point — it likely has Mimikatz or similar credential dumping tools.

Why other answers are incorrect:

A: NTLM used this rapidly and broadly is NOT normal behavior — it's a key IOC.
B: VPN issues don't cause rapid authentication to multiple internal servers.
C: CA policy failures generate Entra ID sign-in log errors, not NTLM lateral movement alerts.

💡 Key Concept:

Pass-the-Hash vs Pass-the-Ticket: PtH uses NTLM hashes, Pass-the-Ticket uses Kerberos TGTs. Both are credential theft lateral movement techniques. Defender for Identity detects both.

Question 5: Safe Attachments

✓ Correct Answer: A) Safe Attachments policy with Dynamic Delivery

Why this is correct:

Safe Attachments detonates email attachments in a sandbox environment before delivering them to users. Dynamic Delivery delivers the email body immediately and replaces the attachment with a placeholder while it's being scanned — minimizing delays while blocking malicious attachments.

Why other answers are incorrect:

B: Anti-spam policies filter based on sender reputation and content analysis — they don't sandbox and detonate attachments.
C: Safe Links rewrites URLs and checks them at click time — it doesn't scan file attachments.
D: Anti-phishing with impersonation protection detects spoofed senders — not malicious attachments.

💡 Key Concept:

Safe Attachments modes: Off, Monitor (deliver + log), Block (quarantine), Replace (remove attachment), Dynamic Delivery (deliver immediately, replace attachment while scanning). Dynamic Delivery is best UX.

Question 6: KQL — Advanced Hunting

✓ Correct Answer: B) DeviceProcessEvents | where FileName == "mimikatz.exe" | where Timestamp > ago(7d)

Why this is correct:

This is valid KQL syntax. "where" is the correct KQL filter operator, "==" is the equality operator for strings, and "ago(7d)" is the correct KQL timespan function. Timestamp is the correct field name in DeviceProcessEvents for the process execution time.

Why other answers are incorrect:

A: "filter" and "AND" are not KQL operators — "where" is used for filtering. "time" is not the field name (it's Timestamp).
C: SQL syntax (SELECT, FROM, WHERE, NOW()) is not valid KQL.
D: "ProcessName" is not a column in DeviceProcessEvents; the process image name is in "FileName". "limit 100" is valid KQL, but it caps the result set, and the query has no time filter, so it would not return all executions from the last 7 days.

💡 Key Concept:

Key KQL operators for SC-200: where (filter), project (select columns), summarize (aggregate), extend (add calculated column), join, union, ago() for time ranges, startofday()/endofday() for time bucketing.
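The following Advanced Hunting query is an added example, not part of the original practice test. It builds on the Question 6 answer with the operators listed above (where, summarize, extend, order by) so that the result is one row per device rather than a flat event list. The command-line strings and the 5-item cap on collected command lines are illustrative hunting choices, not page content.

```kql
// Added example: credential-dumping tool execution in the last 7 days,
// summarized per device so an analyst sees scope (which hosts, which accounts) at a glance.
// Assumption: the has_any() terms are illustrative detection strings, not an exhaustive list.
DeviceProcessEvents
| where Timestamp > ago(7d)                      // ago() is the KQL time-range function
| where FileName =~ "mimikatz.exe"               // =~ is case-insensitive string equality
    or ProcessCommandLine has_any ("sekurlsa", "lsadump")
| summarize
    FirstSeen   = min(Timestamp),
    LastSeen    = max(Timestamp),
    Executions  = count(),
    Accounts    = make_set(AccountName),
    CommandLines = make_set(ProcessCommandLine, 5)   // keep at most 5 distinct command lines
    by DeviceName, FileName, SHA256
| extend DaysSinceLastSeen = datetime_diff("day", now(), LastSeen)
| order by LastSeen desc
```

Grouping on SHA256 as well as FileName means a renamed binary and the original show up as separate rows with the same hash, which is the signal an analyst wants before deciding which devices to pull into a live response session.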

Question 7: Shadow IT Discovery

✓ Correct Answer: C) Cloud Discovery (Shadow IT discovery)

Why this is correct:

Cloud Discovery in Defender for Cloud Apps analyzes network traffic logs (from firewalls, proxies, or the MDE integration) to identify cloud applications in use. It then scores each app across 90+ risk factors including compliance certifications, security controls, and data handling practices.

Why other answers are incorrect:

A: Conditional Access App Control provides session controls for sanctioned apps — it doesn't discover unknown apps.
B: App governance monitors OAuth app permissions and consent — for known, consented apps.
D: Information protection policies classify and protect data within known apps.

💡 Key Concept:

Cloud Discovery uses: Firewall/proxy logs (manual upload or automated), or MDE integration (gives per-device, per-user app usage). The app risk catalog scores 31,000+ cloud apps.

Question 8: Action Center

✓ Correct Answer: D) Defender XDR Action Center — Pending actions

Why this is correct:

The Defender XDR Action Center is the central location for reviewing and approving/rejecting automated investigation remediation actions. The Pending tab shows actions waiting for approval, and the History tab shows already completed actions. This applies to both automated and manual response actions.

Why other answers are incorrect:

A: Settings — Endpoints configures Defender for Endpoint behavior — not remediation approval.
B: Intune device compliance is for MDM compliance — not Defender remediation actions.
C: Sentinel Playbooks automate responses but don't manage Defender for Endpoint remediation approval.

💡 Key Concept:

Action Center — Pending: Automated investigation recommendations, manual Response actions queued. You can approve individual actions or all actions at once. History shows last 30 days of actions.

Question 9: Data Connectors

✓ Correct Answer: A) Enable the Microsoft Entra ID, Azure Activity, and Microsoft 365 data connectors in Microsoft Sentinel

Why this is correct:

Microsoft Sentinel uses Data Connectors to ingest data from various sources. For Microsoft services, there are dedicated built-in connectors (Microsoft Entra ID, Azure Activity, Microsoft 365 Defender, Office 365) that use direct API connections — no agent installation required on Azure services.

Why other answers are incorrect:

B: The Log Analytics agent (or Azure Monitor Agent) is for on-premises/VM logs, not native Azure service logs.
C: While storage account export is possible, it adds latency and complexity — direct connectors are the preferred approach.
D: Event Hub is used for some high-volume custom integrations, but Microsoft first-party services have dedicated connectors.

💡 Key Concept:

Sentinel connector types: Microsoft first-party (direct API), Syslog (Linux via agent), CEF (via forwarder VM), Custom connector (REST API/Logic App), AWS (via CloudTrail connector).

Question 10: Analytics Rules

✓ Correct Answer: B) Scheduled query rule using KQL with entity mapping

Why this is correct:

Scheduled query rules allow you to write custom KQL queries that run on a schedule and generate alerts when conditions are met. For impossible travel, you'd write a query joining consecutive sign-in events from the same user in different countries within the time window. Entity mapping connects the rule output to Sentinel entities (User, IP, Host).

Why other answers are incorrect:

A: Microsoft incident creation rules sync incidents from Defender products into Sentinel — they don't create custom detections.
C: Fusion rules use ML to correlate multiple low-fidelity signals — they're predefined and not customizable for specific scenarios.
D: ML behavioral analytics provide anomaly detection but for the specific impossible travel scenario, a custom KQL rule gives you full control.

💡 Key Concept:

Sentinel analytics rule types: Scheduled (custom KQL, runs every X minutes), NRT (Near Real Time, <5 min latency), Microsoft incident creation, Fusion (ML correlation), Anomaly, Threat Intelligence.
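The impossible-travel query sketched in the Question 10 explanation, written out as an added example (not from the original page) of the KQL a scheduled analytics rule would run. It assumes the SigninLogs Location column holds a country code for each sign-in, a 30-minute travel window, and a rule scheduled every 30 minutes with a 1-hour lookback; entity mapping is configured in the rule wizard, not in the query, so the comments note which output columns would be mapped to the Account and IP entities.

```kql
// Added example: impossible-travel detection for a Sentinel scheduled query rule.
// Assumed rule settings: run every 30 minutes, look back 1 hour, threshold "results > 0".
// Entity mapping (rule wizard): Account -> UserPrincipalName, IP -> SecondIP.
let window = 30m;   // assumption: two countries within 30 minutes is flagged
let signins =
    SigninLogs
    | where TimeGenerated > ago(1h)
    | where ResultType == "0"            // successful sign-ins only; ResultType is a string column
    | where isnotempty(Location)         // assumption: Location holds the sign-in country code
    | project TimeGenerated, UserPrincipalName, IPAddress, Location;
signins
| join kind=inner signins on UserPrincipalName   // pair each sign-in with the same user's others
| where Location != Location1                    // right-side columns carry the "1" suffix
| where TimeGenerated1 > TimeGenerated            // keep each pair once, in chronological order
| where TimeGenerated1 - TimeGenerated <= window
| project
    UserPrincipalName,
    FirstSeen  = TimeGenerated,  FirstCountry  = Location,  FirstIP  = IPAddress,
    SecondSeen = TimeGenerated1, SecondCountry = Location1, SecondIP = IPAddress1,
    MinutesBetween = datetime_diff("minute", TimeGenerated1, TimeGenerated)
| summarize arg_min(SecondSeen, *) by UserPrincipalName   // one alert row per user: earliest pair
```

The self-join is the part candidates usually get wrong: without the TimeGenerated1 > TimeGenerated filter every pair is reported twice, and without the final summarize a user with several sign-ins produces a burst of near-identical alerts instead of one incident.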

Question 11: KQL for Sentinel

✓ Correct Answer: C) SigninLogs | where ResultType != 0 | where ResultDescription == "Invalid password" | where TimeGenerated > ago(24h) | order by TimeGenerated desc

Why this is correct:

In Sentinel, the timestamp field for most tables is TimeGenerated (not Timestamp like in Defender XDR). ResultType = 0 means success; non-zero means failure. "order by" is the correct KQL sorting operator. The query structure is correct KQL.

Why other answers are incorrect:

A: "filter" is not a KQL operator, "=" is not the equality operator ("==" is), and the time filter syntax is wrong.
B: SQL syntax is not valid KQL.
D: "Status" and "Reason" are not the field names in SigninLogs. It's ResultType and ResultDescription.

💡 Key Concept:

Sentinel tables use TimeGenerated for timestamps (vs Timestamp in Defender XDR Advanced Hunting). SigninLogs key fields: UserPrincipalName, IPAddress, Location, ResultType (0=success), ResultDescription.
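As an added example beyond the Question 11 answer (not from the original page), the same failed-sign-in data pivoted by source IP so that password-guessing patterns stand out instead of being buried in a flat event list. The failure threshold and the "5 distinct users" cut-off are assumed values that would be tuned per tenant.

```kql
// Added example: failed sign-ins over the last 24 hours, aggregated per source IP.
// Assumptions: 10 failures from one IP is the reporting threshold, and 5 or more
// distinct target accounts from the same IP is treated as spray-like. Both are illustrative.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType != "0"                          // ResultType is a string column; "0" is success
| summarize
    Failures      = count(),
    DistinctUsers = dcount(UserPrincipalName),
    Users         = make_set(UserPrincipalName, 10),   // sample of targeted accounts
    Reasons       = make_set(ResultDescription, 5),    // e.g. invalid password, locked out
    FirstFailure  = min(TimeGenerated),
    LastFailure   = max(TimeGenerated)
    by IPAddress
| where Failures >= 10
| extend Pattern = case(
    DistinctUsers >= 5, "many accounts from one IP (spray-like)",
                        "repeated failures against few accounts")
| order by Failures desc
```

The two patterns need different responses: repeated failures against one account are usually a forgotten password or a misconfigured client, while many accounts from one IP point at a credential-guessing source that is worth blocking at the Conditional Access or named-location level.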

Question 12: Watchlists

✓ Correct Answer: D) Import the CSV as a Sentinel Watchlist and reference it in analytics rules using the _GetWatchlist() function

Why this is correct:

Sentinel Watchlists are designed exactly for this use case — importing structured data (CSV) like IP lists, employee lists, or IOCs and referencing them in KQL queries. The _GetWatchlist("WatchlistName") function returns the watchlist data that can be joined against log tables.

Why other answers are incorrect:

A: 500 individual rules would be unmanageable, create alert fatigue, and hit rule limits.
B: Blob Storage requires custom connector code — not the built-in Sentinel approach.
C: Custom log tables via the API are complex and don't have the built-in _GetWatchlist() integration.

💡 Key Concept:

Watchlist KQL example: let maliciousIPs = _GetWatchlist("MaliciousIPs") | project IPAddress; SigninLogs | where IPAddress in (maliciousIPs) | project TimeGenerated, UserPrincipalName, IPAddress

Question 13: Playbooks

✓ Correct Answer: A) A Sentinel Automation Rule that triggers a Logic App (Playbook) on incident creation

Why this is correct:

Sentinel Automation Rules define when to trigger a response (on incident creation/update, for specific analytic rules). When triggered, they can run a Playbook (Logic App), which is where the actual automated actions happen — Teams notifications, ServiceNow API calls, etc. The combination of Automation Rule + Logic App is Sentinel's SOAR capability.

Why other answers are incorrect:

B: Alert grouping in analytics rules combines related alerts into incidents — it doesn't automate responses.
C: Defender XDR automated investigation handles endpoint threats — it doesn't send Teams/ServiceNow notifications.
D: Azure Functions could work but Logic Apps with the Sentinel connector are the designed approach and simpler to configure.

💡 Key Concept:

Sentinel SOAR flow: Incident created → Automation Rule evaluates → Triggers Logic App (Playbook) → Playbook executes actions (Teams, email, ITSM, block IP, disable user). Automation Rules can also change incident severity/status/owner.

Question 14: Workbooks

✓ Correct Answer: B) Microsoft Sentinel Workbooks

Why this is correct:

Sentinel Workbooks (built on Azure Monitor Workbooks) provide rich, interactive dashboards built from KQL queries. They support charts, tables, time-brushing, and auto-refresh. Sentinel includes pre-built workbooks for common scenarios, and you can create custom ones.

Why other answers are incorrect:

A: Analytics rule activity shows rule health/run history — not trend dashboards.
C: Azure Monitor dashboards can be used but don't have Sentinel-specific templates and are less integrated.
D: Defender XDR Reports focus on Defender-specific data — not cross-workspace Sentinel data.

💡 Key Concept:

Sentinel Workbooks vs Dashboards: Workbooks = rich, query-driven, interactive, support parameters. Pin individual charts to Azure Dashboards for persistent executive views.

Question 15: Investigation Graph

✓ Correct Answer: C) The investigation graph

Why this is correct:

The Sentinel investigation graph provides a visual, interactive map showing all entities (users, hosts, IPs, accounts) associated with an incident and their relationships. You can expand nodes to see related alerts and entities, making it easy to understand lateral movement and the attack scope.

Why other answers are incorrect:

A: The incident timeline shows events in chronological order — useful but not a visual entity relationship map.
B: Threat intelligence page shows IOCs and their status — not incident-specific investigation.
D: Entity behavior analytics shows individual entity anomalies — not the incident relationship graph.

💡 Key Concept:

Investigation graph: click on any entity (user, IP, host) to expand and see all related incidents and alerts. You can trace lateral movement paths visually without writing KQL queries.

Question 16: Threat Intelligence

✓ Correct Answer: D) A data connector for Threat Intelligence TAXII, then an analytics rule using the ThreatIntelligenceIndicator table

Why this is correct:

The Threat Intelligence TAXII data connector in Sentinel connects to TAXII servers and imports STIX indicators into the ThreatIntelligenceIndicator table. You then write analytics rules that join this table with sign-in or network logs to detect matches. This is the fully automated, scalable approach.

Why other answers are incorrect:

A: Custom log table + playbook is much more complex and doesn't use Sentinel's built-in TI infrastructure.
B: Defender for Endpoint custom indicators handle endpoint-level blocking — not SIEM-level correlation.
C: Manual watchlist population defeats the purpose of an automated TAXII feed.

💡 Key Concept:

Sentinel TI sources: TI TAXII connector (STIX/TAXII feeds), Microsoft Defender Threat Intelligence connector, manual CSV upload, Microsoft Graph Security API. TI indicators auto-expire based on the Valid Until field.
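The analytics rule side of the Question 16 answer, as an added example that is not from the original page: a query matching IP indicators in the ThreatIntelligenceIndicator table against sign-in source addresses. The 14-day indicator lookback and 1-hour log lookback are assumed rule settings; de-duplicating on IndicatorId with arg_max keeps only the latest version of each indicator, since a TAXII feed re-imports updated indicators as new rows.

```kql
// Added example: match active IP indicators from the TI TAXII connector against SigninLogs.
// Assumed rule settings: run hourly, 1-hour log lookback, 14-day indicator lookback.
let ioc_lookback = 14d;
let log_lookback = 1h;
let ipIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(ioc_lookback)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId      // latest version of each indicator
    | where Active == true and ExpirationDateTime > now()    // honour the feed's Valid Until
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP)
    | project IndicatorId, IndicatorIP, Description, ConfidenceScore, ThreatType, ExpirationDateTime;
SigninLogs
| where TimeGenerated > ago(log_lookback)
| join kind=inner ipIndicators on $left.IPAddress == $right.IndicatorIP
| project
    TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName,
    IndicatorId, Description, ConfidenceScore, ThreatType, ExpirationDateTime
| order by TimeGenerated desc
```

Filtering on Active and ExpirationDateTime after the arg_max, rather than before, matters: an indicator that was later revoked would otherwise still match on its older, still-active row.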

Question 17: UEBA

✓ Correct Answer: A) User and Entity Behavior Analytics (UEBA)

Why this is correct:

UEBA in Sentinel learns each user's normal behavior over a baseline period (typically 14+ days), then detects anomalies. It creates an entity behavior profile for each user and entity, assigning anomaly scores. High scores surface in the UEBA dashboard and can feed into Fusion incidents.

Why other answers are incorrect:

B: Static threshold rules are brittle — they generate noise for high-volume users and miss threats from low-volume users.
C: Defender for Identity handles on-premises AD identity threats specifically — UEBA covers broader cross-source behavior.
D: Entra ID Identity Protection handles sign-in risk — it doesn't analyze post-authentication behavior patterns across workloads.

💡 Key Concept:

UEBA provides: Entity pages (users, hosts, IPs), anomaly scores, peer group comparisons ("this user is behaving differently from 95% of their peers"), and integration with Sentinel incidents.

18

Question 18: Sentinel Cost Management

✓ Correct Answer: B) Set interactive retention to 90 days and archive retention to 730 days total — archived data is much cheaper

Why this is correct:

Log Analytics supports a two-tier retention model: Interactive retention (hot, queryable instantly, full price) and Archive (cold, cheaper but requires restore before full query). Setting interactive to 90 days and total to 730 days gives analysts fast access to recent data while meeting 2-year compliance retention at significantly lower cost.

Why other answers are incorrect:

A: All data at full interactive retention rate for 730 days is the most expensive option.
C: Exporting to storage and deleting makes compliance retrieval complex and doesn't support native Sentinel querying.
D: Multiple workspaces increase complexity and cross-workspace query latency.

💡 Key Concept:

Log Analytics retention pricing: Interactive (default 90 days, up to 2 years): full price. Archive (beyond interactive up to 7 years): ~12x cheaper. Restore archived data for ad-hoc investigation: billed per GB restored.

19

Question 19: Secure Score

✓ Correct Answer: C) Address recommendations with the highest score impact first, filtered by the Secure Score impact column

Why this is correct:

Defender for Cloud shows the potential Secure Score increase for each recommendation. Sorting by "Potential score increase" identifies the high-value remediations that will move the score the most with the least effort. This is the data-driven prioritization approach.

Why other answers are incorrect:

A: Alphabetical order ignores business risk and score impact — inefficient.
B: Enabling Defender plans improves detection coverage but doesn't directly increase the configuration-based Secure Score.
D: Alerts are runtime threats — Secure Score is about configuration posture, not active alerts.

💡 Key Concept:

Secure Score formula: (Points secured / Total potential points) × 100. Each recommendation has a "Max score" (points if fully remediated). Focus on high max-score recommendations for fastest improvement.

20

Question 20: Defender for Cloud Plans

✓ Correct Answer: D) Enhanced security features (paid Defender plans) for each workload type across all connected environments

Why this is correct:

The free tier of Defender for Cloud provides basic CSPM (security posture assessment). Advanced threat detection features (JIT VM access, file integrity monitoring, adaptive application controls, workload-specific threat detection) require the paid enhanced security plans — one per workload type (Servers, Databases, Containers, etc.).

Why other answers are incorrect:

A: Free tier provides CSPM and basic recommendations — not JIT or FIM.
B: MDE detects endpoint threats but doesn't provide JIT VM access, FIM, or cloud workload-specific protections.
C: Azure Security Center was rebranded to Defender for Cloud — "legacy features" is not meaningful here.

💡 Key Concept:

Defender for Cloud plans: Defender for Servers (P1/P2), Databases, Containers, App Service, Storage, Key Vault, DNS, Resource Manager, APIs. Each plan enables specific protections for that workload type.

21

Question 21: Just-In-Time VM Access

✓ Correct Answer: A) Just-in-time VM access

Why this is correct:

JIT VM access closes management ports (RDP 3389, SSH 22, WinRM 5985/5986) by default using NSG rules. When an analyst needs access, they request it through Defender for Cloud (or MDE portal), specifying duration and IP. The NSG rule is temporarily opened only for that IP and time window, dramatically reducing the attack surface.

Why other answers are incorrect:

B: Blocking all inbound traffic makes VMs inaccessible even to legitimate admins.
C: Azure Bastion provides secure RDP/SSH via browser without exposing ports — complementary but different purpose. JIT is specifically about dynamic port management.
D: Adaptive network hardening recommends NSG rule improvements but doesn't dynamically open/close ports on request.

💡 Key Concept:

JIT workflow: Analyst requests access via Defender for Cloud → Specifies max time (1-24h) and source IP → NSG rule temporarily opens the port → Port closes automatically after time expires. Full audit log of all JIT requests.

22

Question 22: Regulatory Compliance

✓ Correct Answer: B) Defender for Cloud — Regulatory compliance dashboard

Why this is correct:

The Regulatory Compliance dashboard in Defender for Cloud maps Azure resource configurations to specific compliance framework controls (CIS, NIST, PCI-DSS, ISO 27001, etc.). It shows passing/failing controls, the specific resources affected by each failing control, and provides remediation guidance.

Why other answers are incorrect:

A: Recommendations are improvement suggestions — they're not organized by regulatory framework controls.
C: Purview Compliance Manager assesses Microsoft 365 workload compliance, not Azure infrastructure configuration compliance.
D: Azure Policy compliance shows policy assignment pass/fail but isn't organized into regulatory framework views.

💡 Key Concept:

Defender for Cloud supports 35+ regulatory frameworks out-of-the-box. You can add custom frameworks and assign them to specific subscriptions. Each control maps to specific Secure Score recommendations.

23

Question 23: Security Alerts Response

✓ Correct Answer: C) Investigate the successful login, check what data was accessed, and consider revoking the SQL credentials and notifying the privacy team

Why this is correct:

A successful SQL login after 500 brute force attempts strongly suggests credential compromise. With PII in the database, this is a potential data breach. The response should include: confirming the access was unauthorized, checking audit logs for data exfiltration, revoking compromised credentials, and notifying the privacy team (GDPR/CCPA may require breach notification within 72 hours).

Why other answers are incorrect:

A: Never dismiss potential breaches involving PII based solely on country of origin.
B: Medium severity with PII involved requires immediate attention — severity guides triage speed, not whether to act.
D: Enabling auditing after the fact won't capture what already happened — and it should have been enabled before.

💡 Key Concept:

Breach notification timelines: GDPR = 72 hours to supervisory authority. CCPA = "expedient" notification. When PII databases are involved in security incidents, always involve privacy/legal teams immediately.

24

Question 24: CSPM vs CWPP

✓ Correct Answer: D) CSPM assesses and improves your security configuration; CWPP detects runtime threats against your workloads

Why this is correct:

CSPM (Cloud Security Posture Management) focuses on configuration — is your storage account publicly accessible? Are your VMs missing security patches? It's proactive and preventative. CWPP (Cloud Workload Protection Platform) focuses on runtime — detecting attacks happening right now against your VMs, containers, databases.

Why other answers are incorrect:

A: CSPM doesn't specifically focus on network attacks; CWPP protects more than just application vulnerabilities.
B: Neither CSPM nor CWPP specifically manages identities or NSGs as their primary function.
C: They serve very different purposes — CSPM is posture/configuration, CWPP is runtime threat detection.

💡 Key Concept:

Simple memory aid: CSPM = "Are we configured securely?" (proactive, preventative). CWPP = "Are we under attack right now?" (reactive, detective). Defender for Cloud provides both in one product.

25

Question 25: Multi-Cloud

✓ Correct Answer: A) Add AWS as a connected environment using the Cloud Connectors in Defender for Cloud

Why this is correct:

Defender for Cloud natively supports multi-cloud through Cloud Connectors. For AWS, you connect via an IAM role that grants read access to AWS Security Hub and other services. Once connected, AWS recommendations appear in Defender for Cloud alongside Azure, with a single Secure Score.

Why other answers are incorrect:

B: Log Analytics agent on EC2 gives VM telemetry but doesn't provide cloud-level posture management for AWS services (S3, RDS, etc.).
C: MDE on EC2 provides endpoint threat detection but not AWS service posture management.
D: Azure Arc onboards VMs as Azure resources but doesn't provide AWS-native service posture visibility.

💡 Key Concept:

Defender for Cloud supported clouds: Azure (native), AWS (via Cloud Connector), GCP (via Cloud Connector). Each connector requires specific IAM permissions. Multi-cloud shows a unified Secure Score and recommendations.

📊 How Did You Score?

23–25 (Exam Ready): Excellent! Schedule your exam.
19–22 (Almost There): Review KQL and Sentinel analytics.
14–18 (Keep Studying): Focus on Sentinel and SOAR workflows.
0–13 (More Study Needed): Work through the SC-200 study guide.

Ready for More SC-200 Practice?

These 25 questions are just a sample. The actual SC-200 exam has 40–60 questions.

MSCertQuiz SC-200 includes 500 questions covering:

  • ✓ KQL queries for both Advanced Hunting and Sentinel
  • ✓ Sentinel analytics rules, playbooks, and workbooks
  • ✓ Full Defender XDR product suite in depth
  • ✓ Defender for Cloud CSPM, CWPP, and compliance
  • ✓ All scenario types including complex multi-step incidents

$14.99 One-Time Payment

Lifetime access • No subscription • 500 questions