
Free SC-200 Practice Questions

10 free, exam-style Microsoft Certified: Security Operations Analyst Associate (SC-200) practice questions with answers and explanations. No signup required. Work through them below, then take the full free SC-200 practice test to study every exam domain.

These 10 free SC-200 questions are organized by exam domain, so you can see how each part of the Microsoft Certified: Security Operations Analyst Associate (SC-200) blueprint is tested. Reveal the answer and explanation under each question.

Domain 1: Manage a security operations environment (40-45%)

Question 1

You need a Microsoft Sentinel detection that triggers as close to real time as possible when a specific high-risk sign-in pattern appears, without waiting for a scheduled query interval. Which analytics rule type should you create?

  A. A near-real-time (NRT) rule
  B. A scheduled query rule
  C. A Fusion correlation rule
  D. A threat intelligence rule

Correct answer: A - A near-real-time (NRT) rule

Question 2

A SOC lead wants a single detection that automatically correlates multiple lower-fidelity alerts into one high-fidelity multistage-attack incident, and the team must not be able to edit the underlying correlation logic. Which analytics rule type meets these requirements?

  A. A Fusion rule
  B. A scheduled rule using custom KQL
  C. An anomaly rule with tunable thresholds
  D. A Microsoft security rule

Correct answer: A - A Fusion rule

Question 3

A new tier-1 analyst must triage Microsoft Sentinel incidents, change their status, and investigate entities, but must NOT be able to create or modify analytics rules. Following least privilege, which role should you assign?

  A. Microsoft Sentinel Responder
  B. Microsoft Sentinel Contributor
  C. Microsoft Sentinel Reader
  D. Microsoft Sentinel Playbook Operator

Correct answer: A - Microsoft Sentinel Responder

Question 4

You must collect only specific Windows Security event IDs from on-premises servers onboarded to Azure Arc, minimizing the volume of data ingested into Microsoft Sentinel. What should you configure?

  A. Windows Security Events via AMA with a data collection rule
  B. Windows Event Forwarding to a dedicated collector server
  C. A Syslog via AMA connector scoped to the security facility
  D. The Azure activity connector with a diagnostic setting

Correct answer: A - Windows Security Events via AMA with a data collection rule

Question 5

When a Microsoft Sentinel incident is created, you must automatically assign an owner, add a tag, and then run a Logic Apps workflow that posts to Microsoft Teams. This must be managed centrally with minimal administrative effort. What should you create?

  A. An automation rule that sets fields and calls a playbook
  B. A single playbook that performs every one of the actions
  C. A scheduled analytics rule with an alert-grouping action
  D. A workbook that contains an embedded automation step

Correct answer: A - An automation rule that sets fields and calls a playbook

Question 6

You are creating a custom detection rule from an Advanced Hunting query in Microsoft Defender XDR, but the rule cannot be saved. Which columns must the query return for the rule to be valid?

  A. DeviceName together with the AccountObjectId column
  B. Timestamp, plus DeviceId and ReportId as the event ID
  C. The AlertId column together with the Severity column
  D. AccountObjectId together with the ReportId column

Correct answer: B - Timestamp, plus DeviceId and ReportId as the event ID

Question 7

You want to deploy a new attack surface reduction (ASR) rule to measure its potential impact and surface false positives before it blocks anything. Which mode should you configure?

  A. Block
  B. Audit
  C. Warn
  D. Disable

Correct answer: B - Audit

Question 8

Your organization must keep security logs queryable for seven years for compliance, but the data is rarely accessed and cost must be minimized. Recent 30-day data must still power real-time analytics rules. What is the most appropriate approach?

  A. Keep every table in the analytics tier for seven years
  B. Recent data in the analytics tier, older data in the data lake tier
  C. Export all logs to a storage account, then purge the workspace
  D. Raise interactive retention on all tables to seven years

Correct answer: B - Recent data in the analytics tier, older data in the data lake tier

Domain 2: Respond to security incidents (35-40%)

Question 9

A phishing email reached the inboxes of 200 users before it was detected. You need to locate every copy across all mailboxes and soft-delete them from one place. Which tool should you use?

  A. Quarantine in the Microsoft Defender portal
  B. Threat Explorer in Defender for Office 365
  C. Content Search in Microsoft Purview
  D. The user submissions portal

Correct answer: B - Threat Explorer in Defender for Office 365

Question 10

Microsoft Entra ID Identity Protection reports a sign-in you have verified is genuinely malicious. You want to mark the user as compromised so the risk engine learns from the decision and triggers remediation. Which action should you take?

  A. Dismiss the user's risk
  B. Confirm user compromised
  C. Reset the user's password only
  D. Block sign-ins with Conditional Access

Correct answer: B - Confirm user compromised

The rest of the SC-200 blueprint

The SC-200 exam also covers these domains. Drill them in the full free practice test:

Ready for the real thing?

Practice hundreds more SC-200 questions with instant scoring, weak-area drills, and full exam simulations.
