Respond to security incidents
Drill 20 practice questions focused entirely on Respond to security incidents for the Microsoft SC-200 exam. Tap an answer for instant feedback and a full explanation — no sign-up, always free.
During an incident in Microsoft Defender XDR, an alert from Microsoft Defender for Cloud Apps flags a third-party OAuth application in your Entra ID tenant as malicious. The app was granted delegated Mail.Read and Files.ReadWrite.All permissions by 40 users after a phishing campaign. You must immediately stop the app from accessing tenant data while preserving evidence for further investigation. Which action in the Defender XDR portal best meets this requirement?
A SOC analyst is investigating a Defender XDR incident that flags a user account exhibiting anomalous behavior: the user signed in from an unmanaged personal device and is actively downloading large volumes of sensitive files from SharePoint Online. The account is not yet confirmed compromised, and business leadership requires the user to retain read-only access to complete a time-sensitive task. The analyst must stop data exfiltration from the unmanaged device while allowing continued in-browser viewing. Which response action best meets these requirements?
Your organization uses Microsoft Defender for Cloud with security alerts streamed into Microsoft Defender XDR. During an incident investigation in the Defender portal, you see a correlated incident that includes a Defender for Cloud alert titled "Suspicious download of multiple files from a storage account." You need to view the affected Azure resource, understand the recommended remediation, and take action on the underlying cloud workload. Where should you go to review the resource's security posture recommendations and apply hardening guidance related to this alert?
During an incident investigation, you connect a live response session to a compromised Windows server and locate a suspicious executable at C:\Temp\svc-update.exe. Before you decide whether to quarantine it, you want to submit the file to Microsoft's cloud for a deep threat verdict directly from within the live response session, without downloading it to your local machine first. Which live response command should you run?
A high-severity incident in Microsoft Defender XDR involves a suspicious executable that ran on a Windows workstation. Automated investigation has already completed, and the Investigation graph shows the entity was classified with a verdict of 'No threats found'. However, as the SOC analyst you have external threat intelligence indicating this exact file hash is a newly weaponized loader. You need to force remediation on the affected device without waiting for a new automated investigation to trigger. Which action should you take first?
During an active investigation, a SOC analyst identifies a suspicious executable running on an onboarded Windows device in Microsoft Defender for Endpoint. The analyst needs to retrieve the actual binary from the device for offline malware analysis in a sandbox, while the device remains online. Which action should the analyst take?
During an incident, you need to acquire forensic artifacts from a compromised Windows workstation using Microsoft Defender for Endpoint. The device is currently powered off but is expected to reconnect intermittently over the next few hours. You want the full investigation package (autoruns, scheduled tasks, network connections, prefetch files, and more) collected automatically the next time the device comes online, without keeping a live response console session open. Which action should you take from the device page?
During an incident investigation, you are using a live response session on a compromised Windows device. You need to safely retrieve a suspicious executable from the device's C:\Temp folder so that your malware analysis team can examine it in an isolated sandbox environment. The file must be retrieved in a way that prevents accidental execution when it is downloaded to the analyst's workstation. Which live response action should you use?
During an incident investigation, you connect a live response session to a compromised Windows workstation in Microsoft Defender for Endpoint. You attempt to use the 'getfile' command to retrieve a suspected malware sample located at C:\Users\Public\payload.dll, which is 12 MB in size. The command fails. A colleague suggests the file is too large. What is the maximum file size that the live response 'getfile' command can retrieve, and what is the correct conclusion?
During an active incident, a SOC analyst confirms a compromised Windows workstation is exhibiting suspicious PowerShell activity that appears to still be running. The analyst needs to capture the current running processes, network connections, scheduled tasks, and autoruns as a single consolidated snapshot for the forensics team, without deciding in advance which individual files to retrieve. Which Microsoft Defender for Endpoint response action best meets this requirement?
During investigation of a Microsoft Defender XDR incident, you confirm that a Windows 11 workstation is actively communicating with a known command-and-control server and executing a malicious PowerShell process. You need to immediately stop the outbound C2 traffic while preserving the ability to continue collecting forensic evidence from the device using live response. Which action should you take from the device page in the Microsoft Defender portal?
A SOC analyst is investigating a Defender for Endpoint incident on a Windows server that shows signs of an in-memory (fileless) attack. The analyst needs to capture the volatile memory contents of a suspicious running process for later forensic analysis, without terminating the process or taking the whole device offline. Which live response action should the analyst use?
During an active investigation, a SOC analyst suspects that a compromised Windows workstation (already onboarded to Microsoft Defender for Endpoint) is beaconing to a command-and-control server. The analyst needs to view the current active TCP/IP connections and listening ports on the live device to confirm the suspicious outbound session before deciding whether to isolate it. The analyst has an active Live Response session on the device. Which action provides the fastest way to obtain this information directly from the live endpoint?
During an incident investigation, a device timeline in Microsoft Defender for Endpoint shows that a suspicious process wrote a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to an executable in the user's AppData folder. You start a live response session on the affected device to remove this persistence mechanism and confirm the malicious binary is no longer set to auto-start. Which sequence of live response actions accomplishes this?
During an incident investigation, you connect a live response session to a compromised Windows server in Microsoft Defender for Endpoint. The attacker installed a malicious Windows service named 'SvcHostUpdater' that re-launches a backdoor after every reboot. You have already stopped and quarantined the running backdoor process, but you must prevent the service from restarting the backdoor while forensics continues. Which live response command should you use to inspect and act on this persistence mechanism?
During an incident in Microsoft Defender for Endpoint, you are reviewing the device timeline of a workstation flagged for a suspicious PowerShell process that beaconed to an external IP. You need to prevent the device from communicating with anything other than the Defender for Endpoint cloud service while still allowing the SOC to run live response commands and investigation packages on it. Which response action should you take on the device?
During an active incident, a Defender for Endpoint device timeline shows a suspicious unsigned binary launching PowerShell repeatedly on a critical file server. Your SOC lead does not want to fully isolate the server because it hosts a business-critical database that other systems depend on, but wants to stop any untrusted, unsigned executables from running while the investigation continues. Which single Defender for Endpoint response action best meets this requirement?
During an incident investigation, a SOC analyst connects a live response session to a compromised Windows server. The analyst wants to identify all currently loaded drivers on the device to detect a suspected rootkit, but the built-in live response commands do not include a driver-enumeration command. The analyst has a PowerShell script named 'Get-LoadedDrivers.ps1' that produces the needed output. What must the analyst do before this script can be executed in the live response session?
During an active incident, you connect a live response session to a compromised Windows server. Your SOC has a vetted PowerShell remediation script named CleanupPersistence.ps1 that must be executed on the device. When you attempt to use the runscript command, live response reports that the script cannot be found. What must you do so the script can be executed through runscript?
During an active incident in Microsoft Defender for Endpoint, a SOC analyst identifies a persistence mechanism on an onboarded Windows server: a malicious scheduled task that re-downloads a payload. The analyst wants to remediate the task on the live device without waiting for a full reimage, using a PowerShell script that the SOC team has already validated and stored centrally so it can be reused across future live response sessions. Which action allows the analyst to execute this pre-approved script during a live response session?
More SC-200 practice
Keep going with the other Microsoft Security Operations Analyst domains, or take a full timed mock exam.
← Back to SC-200 overview