Hard SC-200 practice questions
Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 23 hard questions available — no sign-up, always free.
A SOC analyst is investigating a Defender XDR incident that flags a user account exhibiting anomalous behavior: the user signed in from an unmanaged personal device and is actively downloading large volumes of sensitive files from SharePoint Online. The account is not yet confirmed compromised, and business leadership requires the user to retain read-only access to complete a time-sensitive task. The analyst must stop data exfiltration from the unmanaged device while allowing continued in-browser viewing. Which response action best meets these requirements?
A high-severity incident in Microsoft Defender XDR involves a suspicious executable that ran on a Windows workstation. Automated investigation has already completed, and the Investigation graph shows the entity was classified with a verdict of 'No threats found'. However, as the SOC analyst you have external threat intelligence indicating this exact file hash is a newly weaponized loader. You need to force remediation on the affected device without waiting for a new automated investigation to trigger. Which action should you take first?
During an incident, a Defender for Endpoint automated investigation quarantined a file named 'BillingExport.exe' on 40 devices. Your finance team confirms the file is a legitimate internally developed reporting tool that was mistakenly flagged. You need to restore the file on all affected devices in a single action and prevent it from being quarantined again by the same detection logic, while retaining the ability to reverse the restoration if new evidence emerges. Which action in the Microsoft Defender portal best meets these requirements?
During an incident in Microsoft Defender XDR, you confirm that a phishing email delivered to 40 mailboxes is malicious. However, three of the recipient mailboxes are subject to an active eDiscovery legal hold for unrelated litigation. You need to remove the malicious email from all 40 mailboxes using Threat Explorer's remediation action while ensuring you do not violate preservation obligations for the mailboxes under hold. What should you do?
Your SOC wants Microsoft Defender XDR automatic attack disruption to contain compromised devices and suspend risky user accounts during a human-operated ransomware attack, without waiting for analyst intervention. During testing, the disruption actions never trigger even though high-confidence incidents are being generated. Which configuration change is required to enable automatic attack disruption to act on these entities?
You are threat hunting in Microsoft Defender XDR Advanced Hunting. Threat analytics reports that an active campaign begins with a malicious Office document that spawns a scripting host, which then downloads a payload roughly 30-90 seconds later. You want a single KQL query that surfaces devices where a Word or Excel process spawned a scripting host (wscript.exe, cscript.exe, or powershell.exe) and correlates it with an outbound network connection from that same scripting host within 2 minutes. Which approach best builds this hunt?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you suspect that several endpoints are resolving domains associated with a known malware campaign before establishing outbound connections. You want to identify which devices performed DNS queries for the suspicious domain names, including cases where no subsequent TCP/UDP connection succeeded. Which table should you query to reliably capture the DNS query activity?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you need to find all instances where a renamed copy of a legitimate signed binary was executed. Attackers commonly rename tools like certutil.exe or rundll32.exe to evade name-based detections. Which DeviceProcessEvents column should you compare against the file name to reliably detect a renamed system binary?
A SOC analyst at a manufacturing firm suspects a phishing campaign led to malware execution on endpoints. They want a single Advanced Hunting query in Microsoft Defender XDR that correlates malicious emails with subsequent file activity on the recipients' devices, so they can identify which users both received the email and later ran a suspicious attachment. Which approach correctly combines the required tables?
A SOC analyst is investigating a suspected illicit consent grant attack. An Entra ID alert indicates a user consented to a newly registered third-party application that then began enumerating mailbox contents through the Microsoft Graph API. The analyst needs to confirm exactly which Graph API endpoints the application called and the timestamps of those calls, on behalf of the compromised user, to scope the data accessed. Which data source should the analyst query to obtain this detail?
Your SOC needs to detect a specific high-severity event—the disabling of a critical Azure AD Conditional Access policy—with the lowest possible detection latency. You decide to create a Near-Real-Time (NRT) analytics rule in Microsoft Sentinel. During rule creation, you attempt to configure the query to join the AuditLogs table with the SigninLogs table across a 24-hour lookback to enrich the alert with recent sign-in context. The validation fails. Which characteristic of NRT rules explains this failure and represents the correct way to proceed?
Your SOC has enabled several built-in Microsoft Sentinel machine learning-based anomaly rules from the Anomalies blade. Analysts report that one anomaly rule for 'Anomalous login by user' is generating too many results during normal business hours, but you want to keep the underlying model active so you can validate a tuned version before replacing the original. What is the correct approach in Microsoft Sentinel to adjust the rule's sensitivity while comparing results against the original?
A threat hunter needs to search 18 months of historical DNS and network logs stored in the Microsoft Sentinel data lake tier to trace a slow-and-low command-and-control beacon. The data is no longer in the analytics tier, and the query is computationally heavy and must run against the full retention window without impacting live analytics performance. Which approach should the hunter use to execute this hunt?
You are a SOC analyst using the Microsoft Sentinel data lake tier. You have ingested 18 months of high-volume firewall logs into the data lake for long-term retention. You need to run a scheduled KQL job that aggregates daily outbound traffic by destination IP over the full retention window, and you want the aggregated results to remain queryable by your standard analytics rules and hunting queries with fast, interactive performance. Where must the KQL job write its results to meet this requirement?
You are a SOC analyst investigating a slow, low-and-slow data exfiltration campaign that appears to span the past 11 months. The relevant NetworkSession logs have already aged out of the analytics tier (90-day retention) but are still retained in the Microsoft Sentinel data lake tier. You need to run an iterative, complex KQL hunt across the full 11-month history and then, for the small subset of records that match your final hypothesis, make them queryable alongside your near-real-time analytics rules with minimal ongoing cost. Which approach should you use?
A SOC analyst at a manufacturing company must hunt across 18 months of NetworkSessions logs that were moved to the Microsoft Sentinel data lake tier for cost reasons. The analyst wants to run an ad-hoc KQL investigation over the full historical range but is only occasionally querying this data and does not want to incur the cost of promoting the entire table back into the analytics tier. Which approach in the Microsoft Sentinel platform best meets this requirement?
Your SOC uses Microsoft Sentinel and Microsoft Defender for Endpoint. Analysts triage incidents in the Sentinel portal and want to onboard a compromised device (isolate it) directly as a response action from a Sentinel automation rule triggered on Defender for Endpoint alerts. You have enabled the Microsoft Defender XDR data connector in Sentinel. During testing, the automation rule fires, but the device isolation action fails with a permissions error. What is the most likely cause?
Your SOC uses Microsoft Sentinel with the Fusion advanced multistage attack detection engine enabled. The threat hunting team has authored a high-fidelity scheduled analytics rule that detects a specific credential-dumping technique. They want Fusion to be able to combine alerts generated by this custom scheduled rule with anomalies and other signals to create higher-confidence multistage incidents. What must you do so Fusion can incorporate alerts from this custom scheduled rule?
Your organization is a managed security service provider (MSSP) that monitors three customer tenants, each with its own Microsoft Sentinel workspace, plus your own central workspace. Analysts in your SOC need to run a single scheduled analytics rule that correlates sign-in failures across all four workspaces to detect password-spray campaigns spanning tenants. What is the recommended approach to enable this cross-workspace, cross-tenant detection while keeping each customer's data in its own workspace?
Your SOC uses Microsoft Sentinel. You built a Logic Apps playbook that enriches incidents by querying an external threat intelligence API and adding the results as a comment. You want the playbook to run automatically whenever any new incident is created by a specific high-fidelity analytics rule, without requiring an analyst to trigger it manually. What should you configure, and what permission must be granted?
Your SOC wants to build a new Microsoft Sentinel playbook that reacts to incoming incidents. The playbook must run multiple stateful workflows, support local debugging in Visual Studio Code, and be billed based on a fixed hosting plan rather than per-action execution to keep costs predictable for a very high volume of triggered runs. Which Logic App resource type should you choose when creating the playbook?
Your SOC has built a Microsoft Sentinel playbook (Logic App) that must add a compromised user's account to an Azure AD group and post a message to a Microsoft Teams channel when triggered by an incident. Currently the playbook fails at the step that modifies the group membership with an authorization error, though the Teams step (which uses an API connection authenticated as a service account) succeeds. The playbook is configured to authenticate to Azure AD using its system-assigned managed identity. What is the MOST appropriate action to resolve the failure while following least-privilege practices?
Your SOC ingests very high volumes of raw network firewall logs into a Microsoft Sentinel workspace. Analysts rarely query the raw records but frequently need aggregated hourly statistics (total bytes, connection counts per source IP) for detections and dashboards, and these aggregates must remain queryable for long periods at low cost. You want to keep the verbose raw data in cheap storage while making the aggregated data readily available for analytics rules. Which approach best meets these requirements?