Perform threat hunting
Drill 20 practice questions focused entirely on Perform threat hunting for the Microsoft SC-200 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
You are a SOC analyst hunting in Microsoft Defender XDR Advanced Hunting. You need to identify all interactive and remote sign-in attempts on managed endpoints, including which account attempted the logon, the logon type, and whether it succeeded or failed, so you can spot brute-force patterns against local accounts. Which table should form the basis of your KQL query?
A SOC analyst in Microsoft Defender XDR Advanced Hunting suspects that several endpoints are beaconing to a command-and-control server at regular intervals. The analyst wants to identify devices making repeated outbound connections to the same remote IP address over the past 7 days, and calculate the time interval consistency between those connections to spot beaconing behavior. Which table should form the base of the KQL query?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you need to build a query that surfaces every file, IP address, and account that has been flagged as evidence across all high-severity alerts raised in the last 7 days, and correlate that evidence back to the specific alert title and detection source. You want to join two tables to produce this correlated result. Which pair of tables should you use, and on what key should you join them?
A threat analyst hunting in Microsoft Defender XDR Advanced Hunting wants to identify all devices that have made outbound connections to a newly published malicious domain and then correlate those devices with any interactive logons that occurred within 30 minutes after the connection. Which pair of tables should the analyst join to build this hunting query?
During a proactive threat hunt in Microsoft Defender XDR Advanced Hunting, you need to identify recently created inbox rules that automatically forward or delete messages containing keywords like 'invoice' or 'payment' — a common business email compromise (BEC) persistence technique. You want a single table that surfaces the rule-creation activity across Exchange Online mailboxes with the operation name and the parameters used. Which table should you query?
You are a SOC analyst hunting in Microsoft Defender XDR Advanced Hunting. Threat analytics reports a new campaign exploiting devices running an outdated OS build. You need to produce a live list of currently onboarded devices, including their operating system platform, OS version, and current onboarding/health status, so you can prioritize patching. Which table should you query?
A threat hunter in a retail company suspects that an attacker used a compromised OAuth token to access files stored in the organization's SharePoint Online sites. The hunter wants to build a single Advanced Hunting query in Microsoft Defender XDR that returns file download activities recorded against cloud apps such as SharePoint and OneDrive, including the source IP address and the acting user account. Which table should the hunter query?
During threat hunting in Microsoft Defender XDR Advanced Hunting, you receive a threat intelligence report listing a SHA256 file hash associated with a newly observed ransomware loader. You need to identify every managed device where this exact file was created or downloaded over the past 14 days, along with the initiating process. Which single table should you query as the primary source?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you suspect that a malicious executable named 'update_svc.exe' was staged across multiple endpoints before execution. You need a KQL query that returns each distinct device where the file was created, along with the earliest creation time per device, so you can prioritize the first-affected hosts. Which query best meets this requirement?
A SOC analyst reads a Microsoft Defender XDR threat analytics report about a newly tracked ransomware operator. The report lists file hashes, malicious domains, and specific process command lines associated with the campaign. The analyst wants to quickly determine whether any managed devices in the environment have already encountered these indicators, without manually copying each IOC into a KQL query. What is the most efficient way to accomplish this?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, an analyst wants to find all files with the name 'update.ps1' that were created on any onboarded device within the last 7 days, and return only the device name, file folder path, and the initiating process account. Which KQL query best accomplishes this goal while following efficient query design?
A threat analyst in Microsoft Defender XDR Advanced Hunting must confirm whether a suspicious executable that appeared on several endpoints was actually launched by a user or process — not merely written to disk. Which table should the analyst query to establish that the file was executed with its command line and initiating parent process?
A SOC analyst in Microsoft Defender XDR Advanced Hunting is investigating a phishing campaign. They already identified a malicious attachment SHA256 in EmailAttachmentInfo and now need to determine which endpoints actually saved that same file to disk, so they can prioritize device remediation. Which single KQL approach most directly answers this question?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you need to identify hosts where a legitimate signed Windows binary (a LOLBin such as rundll32.exe) loaded an unsigned DLL from a user's temp directory. Your query must correlate the specific DLL module that was mapped into the process memory, not just the file being written to disk. Which Advanced Hunting table should you query to see the DLL being loaded into the process?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you have already confirmed a malicious executable landed on multiple endpoints. You now need to determine the exact URL each device downloaded the file from, and which process initiated the download, so you can identify the delivery vector. Which single table provides both the source download URL and the initiating process in the same records for file creation events?
You are threat hunting in Microsoft Defender XDR Advanced Hunting. Threat analytics reports that an active campaign begins with a malicious Office document that spawns a scripting host, which then downloads a payload roughly 30-90 seconds later. You want a single KQL query that surfaces devices where a Word or Excel process spawned a scripting host (wscript.exe, cscript.exe, or powershell.exe) and correlates it with an outbound network connection from that same scripting host within 2 minutes. Which approach best builds this hunt?
You are hunting for a suspected pass-the-hash attack in Microsoft Defender XDR Advanced Hunting. You need to identify interactive and network logons that occurred directly on onboarded Windows endpoints, including the logon type and the account used, so you can pivot on lateral movement between managed devices. Which table should you query?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you must identify all outbound connections that internal endpoints made to a specific set of 12 known malicious IP addresses supplied by your threat intelligence team. You want a single, efficient KQL query that returns the device name, remote IP, remote port, and initiating process for each matching connection over the last 7 days. Which approach best meets this requirement?
During a threat hunt in Microsoft Defender XDR Advanced Hunting, you suspect that several endpoints are resolving domains associated with a known malware campaign before establishing outbound connections. You want to identify which devices performed DNS queries for the suspicious domain names, including cases where no subsequent TCP/UDP connection succeeded. Which table should you query to reliably capture the DNS query activity?
A threat hunter in Microsoft Defender XDR Advanced Hunting must correlate the most recent successful interactive sign-in for a set of high-value servers with any process that spawned an outbound connection to a newly published command-and-control domain during the same session window. Which combination of tables should the hunter join to build this query most accurately?
More SC-200 practice
Keep going with the other Microsoft Security Operations Analyst domains, or take a full timed mock exam.
← Back to SC-200 overview