Free Practice Questions for Microsoft SC-200 Exam

In Azure Security Center (now integrated into M icrosoft Defender for Cloud ), when you receive a security alert , you can view details and recommended remediation actions directly within the portal. According to Microsoft documentation, each alert in Security Center provides two main sections when you ch oose Take Action :

Mitigate the threat – steps to remediate the immediate incident.

Prevent future attacks – recommendations generated by Defender for Cloud to strengthen your security posture and avoid similar alerts in the future.

To specifically view rec ommendations to resolve the alert , you expand the Prevent future attacks section. This section includes actionable insights such as enabling Just-In-Time (JIT) VM access, applying system updates, adjusting network security group rules, or enabling endpoint protection.

Other options are incorrect:

The Mitigate the threat section focuses on immediate containment, not preventive recommendations.

Regulatory compliance and Recommendations pages are general assessments, not alert-specific recommendations.

Therefore, the correct answer is A — select the alert → Take Action → expand Prevent future attacks .

In Microsoft Sentinel, when you need to escalate or transfer responsibility for an incident (which can include multiple alerts), the proper method is to assign the incident to another user or group. Assigning updates the Owner field, notifying the designated analyst or administrator responsible for further investigation.

Sharing the incident URL (B) only provides a link but does not change ownership or trigger notifications.

Creating a scheduled query rule (C) or incident creation rule (A) defines detection logic, not escalation workflow.

Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or was never visited by any user in the organizatio n. Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This can indicate a credential breach, however, it ' s also possible that the user ' s actual location is masked , for example, by using a VPN.

In Microsoft Defender XDR , deception rules (part of the Defender for Endpoint Deception capability) allow security teams to deploy decoys and honeytokens to lure attackers. When configuring deception rules, scope management is essential to control which devices the ru le applies to.

According to Microsoft’s Defender XDR documentation:

“Deception rules can be targeted to specific devices or sets of devices by assigning them to device groups . Device groups allow you to manage and scope rules, configurations, and alerts ef ficiently.”

Therefore, before creating a deception rule that must apply only to a specific subset of devices, you first create device groups — then assign the deception rule to those groups.

✅ Final Answer: A. device groups

In Micro soft Defender for Cloud, regulatory compliance standards such as PCI DSS 4.0 , ISO 27001 , and NIST SP 800-53 are part of the Cloud Security Posture Management (CSPM) capabilities. To assign or view these regulatory initiatives, the CSPM plan must first be e nabled for the environment.

According to Microsoft Defender for Cloud documentation, when you open Environment settings → Security policy , you can view and manage the assigned initiatives. If the option to “Add more industry and regulatory standards” is gr ayed out or unavailable , it means that the CSPM plan is not active for that subscription.

Once you enable the Defender CSPM plan , Defender for Cloud automatically assigns the Microsoft Cloud Security Benchmark (MCSB) initiative and allows you to add additi onal frameworks such as PCI DSS 4.0, NIST, or SOC 2.

Option A (Correct) — Enabling CSPM unlocks regulatory compliance capabilities, allowing you to assign the PCI DSS 4.0 initiative.

Option B — Disabling MCSB is unnecessary and not required; it’s automatically included when CSPM is enabled.

Options C and D — Continuous export settings (to Event Hubs or Log Analytics) are used for exporting data, not enabling compliance initiatives.

Hence, the first step to make the “Add more standards” option avail able is to enable the Cloud Security Posture Management (CSPM) plan on the subscription.

To identify which Power BI report file was shared by User1, you should configure the search with the following parameters:

Activities: Shared Power BI report

Record Type: PowerBiAudit

Workload: PowerBi

These parameters will filter the search results to show only the events where a Power BI report was shar ed by a user in your organization. You can then look for the event that has User1 as the user ID and an external user as the recipient. The event details will show the name and URL of the Power BI report file that was shared. For more information, see  Search the audit log for events in Power BI  and  Search for c ontent in the Microsoft Purview compliance portal .

 Set the sensitivity level of the impossible travel alert policies to: Low

 To reduce the amount of false positive al erts: Add IP address ranges

In Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) , the impossible travel alert policy detects when a user signs in from two geographically distant locations within a timeframe that would make physical travel between them impossible. This is an important indicator of potential account compromise but can also generate false positives if not tuned properly.

Setting Sensitivity Level to Low: Microsoft Defender for Cloud Apps allows tuning of the Impossible travel policy sensitivity between Low , Medium , and High .

High sensitivity increases detection but also raises the likelihood of false positives.

Medium offers a balance.

Low reduces the number of alerts by limiting detections to only the most obvious and high-confidence anomalies. To meet operational requirements that minimize alert noise and false positives, the sensitivity should be set to Low .

Reducing False Positives — Add IP Address Ranges: According to Microsoft’s official Defender for Cloud Apps pol icy tuning guidance, the main way to reduce false positives in impossible travel alerts is by adding trusted IP address ranges (e.g., office networks, VPN exit nodes, proxy gateways) to the trusted IPs list . This ensures that logins from corporate or known network ranges are not flagged as anomalous, thereby significantly reducing false alerts.

Other options, like enabling or disabling leaked credential detection, are unrelated to the impossible travel anomaly and affect credential theft alerts instead.

The refore, the verified correct configuration is:

✅ Sensitivity level: Low

✅ Reduce false positives by: Add IP address ranges

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS —against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the te am to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect mali cious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This direct ly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolve d using Microsoft Defender for Endpoint .

In Microsoft Sentinel , ASI M (Advanced Security Information Model) parsers standardize data ingestion across different log sources. If you need to exclude a specific built-in, source-specific ASIM parser (for instance, to prevent it from being invoked by a unified parser), Microsoft documentation specifies creating a watchlist named _ASIM_Exclusions in your workspace.

The watchlist allows defining rules for exclusion by source or parser type—without modifying core ASIM logic—thus maintaining manageability and upgrade compatibility.

✅ Correct Answer: A. a watch list