Manage a security operations environment
Drill 20 practice questions focused entirely on Manage a security operations environment for the Microsoft SC-200 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
You manage Microsoft Defender for Endpoint for a large enterprise. The SOC wants unsanctioned and unmanaged devices discovered on the corporate network to be automatically onboarded and brought under Defender for Endpoint protection without manual intervention. Which advanced feature in the Microsoft Defender portal settings must you enable to achieve this?
Your organization plans to deploy Microsoft Defender for Endpoint attack surface reduction (ASR) rules to block credential stealing from LSASS. The security team is concerned that enabling the rule in Block mode immediately could disrupt legitimate line-of-business applications. What is the recommended first step to safely evaluate the impact of this ASR rule across the environment?
Your organization has enabled the ASR rule "Block Office applications from creating child processes" in Block mode across all Windows devices. A finance team uses a legacy macro-enabled Excel workbook that launches a signed helper executable, and this workbook is now being blocked. You must allow this specific workflow while keeping the ASR rule in Block mode for all other processes and users, using the least-permissive configuration. What should you do?
Your organization uses Microsoft Defender for Endpoint. The SOC team wants critical production servers in a device group named 'Prod-Servers' to have Defender automatically investigate alerts and remediate malicious artifacts without requiring an analyst to approve each action. However, for a device group named 'Executive-Laptops', the team wants Defender to investigate automatically but hold all remediation actions until an analyst manually approves them. What should you configure to meet both requirements?
Your organization uses Microsoft Defender for Endpoint. The SOC lead wants brand-new, never-before-seen executable files that arrive on endpoints to be automatically inspected in the cloud and blocked within seconds if they are determined to be malicious, before the file is allowed to run. Which combination of settings must be configured on the managed devices to enable this capability?
Your organization uses Microsoft Defender for Endpoint. You have created three device groups, each with a machine membership rule and a different automation level. A newly onboarded server matches the membership criteria of two of these device groups: 'Servers-Full-Remediation' (rank 3) and 'Production-Semi-Auto' (rank 1). Both were created before the built-in 'Ungrouped devices' group. Which automation level will apply to this server, and why?
Your SOC uses Microsoft Defender for Endpoint. The security team wants newly onboarded servers in the 'Manufacturing-OT' subnet to automatically be placed into a device group that has a lower automation level, without an analyst manually assigning each device. The servers already report a consistent registry-based tag applied during imaging. What is the most effective way to ensure these devices land in the correct device group automatically?
Your SOC wants to block access to gambling and newly-registered domain categories for all onboarded Windows devices in the Microsoft Defender portal. Before you can create a web content filtering policy, which prerequisite advanced feature must be enabled in Microsoft Defender for Endpoint settings?
Your SOC wants Microsoft Defender XDR automatic attack disruption to contain compromised devices and suspend risky user accounts during a human-operated ransomware attack, without waiting for analyst intervention. During testing, the disruption actions never trigger even though high-confidence incidents are being generated. Which configuration change is required to enable automatic attack disruption to act on these entities?
Your SOC uses an advanced hunting KQL query in Microsoft Defender XDR that reliably identifies devices where a malicious scheduled task has been created for persistence. You want to operationalize this query so it runs automatically every hour, generates alerts, and immediately isolates the affected device without analyst intervention. What should you do?
A SOC analyst notices that a legitimate internal vulnerability scanner running from a known server generates dozens of 'Suspicious network scanning activity' alerts in Microsoft Defender XDR every day. The scanner's behavior is expected and approved. The analyst wants to stop these specific alerts from being raised for this server going forward, while keeping the same detection active for all other devices in the organization. Which action should the analyst take in the Microsoft Defender portal?
You manage a Microsoft Sentinel scheduled analytics rule that detects failed sign-ins from a single IP address. During a password-spray campaign, the rule fires dozens of times per hour, each creating a separate incident. Analysts are overwhelmed by the volume. You want related alerts from this rule to be consolidated into as few incidents as possible while still grouping by the source IP. Which configuration should you apply in the rule's incident settings?
Your SOC team built a scheduled analytics rule in Microsoft Sentinel that queries a custom firewall table and generates alerts for repeated blocked outbound connections. Analysts complain that the resulting incidents show no clickable entities, so they cannot pivot on the source host or user, and the investigation graph is empty. The KQL query already returns columns named SrcHostName, SrcUserName, and SrcIP. What should you configure on the rule to resolve this?
Your SOC lead wants to understand which MITRE ATT&CK tactics and techniques are actively covered by your Microsoft Sentinel detections, and to identify gaps where no analytics rules exist. She asks you to produce this visibility using built-in Sentinel capabilities without exporting data to an external tool. Which approach should you use?
Your SOC needs to detect a specific high-severity event—the disabling of a critical Azure AD Conditional Access policy—with the lowest possible detection latency. You decide to create a Near-Real-Time (NRT) analytics rule in Microsoft Sentinel. During rule creation, you attempt to configure the query to join the AuditLogs table with the SigninLogs table across a 24-hour lookback to enrich the alert with recent sign-in context. The validation fails. Which characteristic of NRT rules explains this failure and represents the correct way to proceed?
Your SOC has enabled several built-in Microsoft Sentinel machine learning-based anomaly rules from the Anomalies blade. Analysts report that one anomaly rule for 'Anomalous login by user' is generating too many results during normal business hours, but you want to keep the underlying model active so you can validate a tuned version before replacing the original. What is the correct approach in Microsoft Sentinel to adjust the rule's sensitivity while comparing results against the original?
Your SOC uses several Microsoft Sentinel automation rules that trigger when incidents are created. One automation rule is meant to close incidents generated by a specific benign analytics rule during scheduled maintenance windows, but analysts report these incidents are still being assigned to a team and having playbooks executed before they are closed. You confirm all rules use the 'When incident is created' trigger. What should you change to ensure the closing automation rule takes effect before the others act on these incidents?
Your SOC deployed the Microsoft Sentinel solution for 'Microsoft Entra ID' from Content Hub three months ago, which installed several analytics rule templates. Since then, Microsoft has published updated versions of those rule templates with improved query logic. Your team has been manually editing the deployed active rules to tune thresholds. You want to apply Microsoft's newest template improvements while keeping your workspace's customizations visible and controllable. What should you do?
Your SOC recently onboarded a new Palo Alto Networks firewall and wants to deploy vendor-provided analytics rules, workbooks, hunting queries, and a data connector together as a maintained package that receives updates. A junior analyst suggests manually copying individual KQL rules from a GitHub repository into the workspace. As the security operations analyst, what is the most efficient supported approach to deploy and keep this content current in Microsoft Sentinel?
Your organization uses a proprietary web application that writes JSON-formatted security events to a log file. You need to ingest these logs into Microsoft Sentinel into a custom table, but the raw JSON contains a verbose 'debug_payload' field that inflates ingestion costs and provides no analytic value. You want to drop that field before the data is stored, while keeping all other fields. What is the most cost-effective way to accomplish this?
More SC-200 practice
Keep going with the other Microsoft Security Operations Analyst domains, or take a full timed mock exam.
← Back to SC-200 overview