Microsoft Security Operations Analyst Associate Practice Test (SC-200)
Use the form below to configure your Microsoft Security Operations Analyst Associate Practice Test (SC-200). The practice test can be configured to only include certain exam objectives and domains. You can choose between 5-100 questions and set a time limit.

Microsoft Security Operations Analyst Associate SC-200 Information
The Microsoft Security Operations Analyst Associate certification, exam code SC-200, is designed for professionals who monitor, investigate, and respond to security incidents across hybrid and cloud environments. This exam validates the candidate’s ability to use Microsoft Defender, Microsoft Sentinel, and Microsoft 365 Defender to mitigate threats and reduce organizational risk. Preparing with SC-200 practice tests, exam simulations, and practice questions can help test takers strengthen their understanding of security alerts, incident management, and threat hunting—key domains covered in the exam.
SC-200 Practice Tests and Preparation
To pass the SC-200, candidates should become familiar with analyzing threat data, responding to security incidents, and configuring Microsoft security tools. Using Microsoft SC-200 practice exams allows learners to experience real-world scenarios and identify weak areas before sitting for the official test. Many students find that completing practice questions on incident investigation and automated response enhances confidence and helps them retain crucial concepts such as KQL (Kusto Query Language), data connectors, and playbooks in Microsoft Sentinel.
Why Take SC-200 Practice Exams
The Microsoft Security Operations Analyst Associate exam is not just about theory—it tests practical knowledge of security operations in live environments. Regularly using SC-200 practice tests provides exposure to the style and difficulty of Microsoft’s real exam items, ensuring candidates are fully prepared. Whether you’re an aspiring security analyst or already working in cybersecurity, consistent use of practice exams and scenario-based questions can be the difference between a passing score and a retake, making this certification an essential step for anyone pursuing a career in security operations.

Free Microsoft Security Operations Analyst Associate SC-200 Practice Test
- 20 Questions
- Unlimited
- Domains: Manage a security operations environment; Configure protections and detections; Manage incident response; Manage security threats
Your organization uses Microsoft Defender for Cloud Apps together with Microsoft 365. You must ensure that any file containing the phrase "Highly Confidential" that users upload to SharePoint Online or OneDrive for Business is automatically assigned the Confidential sensitivity label, encrypted, and generates an alert for the security team. Which type of Defender for Cloud Apps policy should you configure to meet this requirement?
Activity policy
Session policy
File policy
Anomaly detection policy
Answer Description
A file policy in Microsoft Defender for Cloud Apps can scan files stored in connected SaaS applications such as SharePoint Online and OneDrive for Business. File policies support deep content inspection, can identify files that match a sensitive information type or keyword, and can automatically apply a Microsoft Purview Information Protection sensitivity label that encrypts the file. They also allow configuring governance actions, including sending alerts. Session policies control real-time actions such as downloads or uploads but cannot apply sensitivity labels. Activity policies monitor user actions and can generate alerts but cannot label or encrypt files. Anomaly detection policies are used for behavior analytics and do not perform content inspection or apply labels. Therefore, creating a file policy is the correct solution.
You manage Microsoft Defender for Cloud Apps for an organization that uses SharePoint Online and OneDrive for Business. Compliance requires that any document uploaded by users that contains a U.S. Social Security number must automatically receive the Confidential sensitivity label so that encryption is enforced. Which Defender for Cloud Apps configuration should you implement to meet the requirement?
Create an activity policy that monitors upload events for sensitive information and sends an alert email to administrators.
Enable a built-in anomaly detection policy that identifies publicly shared files containing sensitive data and triggers a security investigation.
Create a file policy that detects the U.S. Social Security Number sensitivity information type and uses the Apply sensitivity label governance action to assign the Confidential label.
Create a session policy that blocks file downloads unless users provide a business justification when sensitive information is detected.
Answer Description
Only a file policy can inspect files at rest across connected cloud storage services and take governance actions on the affected files. By selecting the built-in U.S. Social Security Number data classification as the content inspection criterion and choosing the Apply sensitivity label governance action, Defender for Cloud Apps will automatically apply the Confidential label to matching files in SharePoint Online or OneDrive for Business. Activity policies and session policies work in near real time but cannot assign Microsoft Purview Information Protection labels, and anomaly detection policies are limited to behavioral anomalies rather than deterministic DLP actions.
You manage a Microsoft Sentinel workspace. You want to ingest JSON-formatted telemetry from a line-of-business application by using the Azure Monitor Logs Ingestion API. The data must be stored in a new custom log table named AppEvents_CL within the workspace. Before you can send events to the ingestion endpoint, which Azure resource must you create to satisfy a required prerequisite?
A data collection endpoint (DCE) that your data collection rule will reference
A workbook template that defines the schema of the AppEvents_CL table
A diagnostic setting that routes the application events to the custom table
A syslog forwarder configured with the Log Analytics agent
Answer Description
The Azure Monitor Logs Ingestion API requires two main components before data can be sent: a data collection endpoint (DCE) that exposes an ingestion endpoint URI and a data collection rule (DCR) that defines the target Log Analytics workspace, the custom table name, and (optionally) any transformations. The DCE is mandatory because the API call that sends the JSON payload targets the DCE's endpoint. Diagnostic settings and workbooks play no role in the Logs Ingestion API flow, and the Log Analytics (MMA) agent is not used for this method of data collection.
You create a scheduled analytics rule in Microsoft Sentinel that runs the following query every five minutes:
SecurityEvent
| where EventID == 4625
| project TimeGenerated, Computer, TargetUserName, IpAddress
The rule reliably generates incidents, but the resulting incidents show no entities on the investigation graph. You need Microsoft Sentinel to recognize the Computer value as a Host entity and the TargetUserName value as an Account entity so that future incidents are automatically enriched. Which action should you take while editing the analytics rule?
Use the Entities mapping section of the rule wizard to map Computer to Host and TargetUserName to Account.
Add Computer and TargetUserName as custom incident details in the rule settings.
Enable User and Entity Behavior Analytics (UEBA) for the workspace.
Turn on alert grouping and choose to group alerts by entity values.
Answer Description
Microsoft Sentinel does not infer entities from a query automatically. For each analytics rule you must explicitly tell Sentinel which columns represent which entity types. The Analytics rule wizard provides an Entities mapping (sometimes labeled Entity mapping) section where you choose an entity type, such as Host, Account, IP, or URL, and then select the corresponding column from your query results. Mapping Computer to the Host entity type and TargetUserName to the Account entity type causes those values to appear as entities in alerts and incidents, enabling investigation graph visualization and UEBA enrichment. Alert grouping, custom details, or simply enabling UEBA do not create the required entity records unless the entity mapping step is completed.
You open the Security recommendations page in Microsoft Defender Vulnerability Management and review a recommendation that has a high exposure reduction potential. You want the Endpoint Protection team, who manage Microsoft Intune, to deploy the required configuration change to all affected Windows devices. Which action should you select for the recommendation in order to create an Intune security task that the team can track and complete?
Add exception
Request remediation
Export to CSV
Open a service ticket
Answer Description
Selecting the Request remediation action opens a remediation activity for the selected recommendation. When your Defender for Endpoint tenant is connected to Microsoft Intune, this action creates a security task in Intune that targets the devices listed in the recommendation. The Endpoint Protection team can then view the task in the Intune admin center, deploy the suggested update or configuration change, and mark the task as completed. Opening a service ticket or adding an exception does not generate an Intune task, and exporting data to CSV is only for reporting purposes.
Your SOC uses Microsoft Defender XDR with device groups set to the automation level "Semi - require approval for any remediation." An automated investigation runs on a workstation after an alert for suspicious PowerShell activity. The investigation proposes several remediation actions.
Which remediation action will be carried out immediately without waiting for analyst approval?
Delete the malicious registry run-key.
Collect an investigation package from the device.
Quarantine the suspicious PowerShell script file.
Place the workstation in full network isolation.
Answer Description
When the automation level is set to "Semi - require approval for any remediation," Microsoft Defender for Endpoint pauses every remediation action and places it in a Pending state. However, activities that only collect evidence are not classed as remediation; they are executed automatically so the investigation can finish gathering the data it needs. Collecting an investigation package is therefore performed right away, whereas actions such as quarantining a file, removing a registry value, or isolating a device are remediation steps that stay Pending until an analyst approves or rejects them.
You are configuring a scheduled analytics rule in Microsoft Sentinel that runs a Kusto Query Language (KQL) statement against the SecurityEvent table. The query returns the columns Account, Computer, and SrcIpAddr. When the rule raises an incident, you want the investigation graph to automatically show the related user, host, and IP address so other alerts can be correlated. Which configuration should you apply to the rule to meet this requirement?
Edit the corresponding data connector and configure Connected Data Sources field mapping for user, host, and IP fields.
Enable Entity Behavior Analytics (UEBA) in Microsoft Sentinel and associate the rule with the UEBA module.
Attach an automation playbook that enriches the incident with user, host, and IP information after the alert is generated.
In the analytics rule wizard, map the query's Account, Computer, and SrcIpAddr columns to the Account, Host, and IP entity types in the Entities section.
Answer Description
Microsoft Sentinel displays entities such as accounts, hosts, and IP addresses in the incident investigation graph only when the analytics rule explicitly maps the query's result columns to Sentinel's built-in entity types. This is done in the Entities (entity mapping) section of the rule wizard, where you specify which query column represents each entity; for example, map Account to Account, Computer to Host, and SrcIpAddr to IP. Simply enabling Entity Behavior Analytics, adding playbooks, or configuring field mappings in a data connector does not cause incidents from this specific rule to include entities because those settings do not create the required per-rule entity bindings.
You create a vulnerability notification rule in Microsoft Defender XDR so that your SecOps mailbox receives only high-risk vulnerability announcements for workstations in the Finance device group. The notifications must arrive once per day instead of every time a new matching CVE is discovered. In the New vulnerability notification rule wizard, which configuration accomplishes this requirement?
Turn off the option Send one email per alert.
Enable Exploitation status = Exploited in the wild.
Set Frequency to Daily.
Select the High and Critical severity levels.
Answer Description
The Frequency setting controls how often Defender XDR sends an email that summarizes all new vulnerabilities matching the rule criteria during the selected interval. Choosing Daily groups all matches into a single email every 24 hours, preventing multiple messages when several CVEs are published on the same day. Settings such as Severity, Device groups, or Exploitation status filter which vulnerabilities are included but do not affect how often emails are sent. The Send one email per alert option exists only in alert notification rules, not in vulnerability notification rules.
You need to give a group of SecOps analysts the ability to query Microsoft Sentinel incidents through Microsoft Security Copilot so they can include incident details in their investigations. The analysts already have the Security Copilot User role. Which additional action should you take to enable this capability?
Assign the Azure OpenAI User role to the analysts in the Azure subscription.
Create an Automation rule in Microsoft Sentinel that triggers a Security Copilot playbook.
Add all Microsoft Sentinel data connectors in the Security Copilot portal and grant Microsoft Graph Security Reader API permissions.
Assign the Microsoft Sentinel Reader role on the workspace that contains the incidents.
Answer Description
Security Copilot obtains data from products such as Microsoft Sentinel by using product-specific plugins (connectors). Granting the analysts the Microsoft Sentinel Reader role lets Security Copilot retrieve incident information from the Sentinel workspace on their behalf. Without at least Reader rights in Sentinel, requests sent from Security Copilot are denied, even if the users have the Security Copilot User role. Assigning the Azure OpenAI User role, adding data connectors in Sentinel, or granting Microsoft Graph permissions does not give Copilot the required workspace access to read incidents.
While reviewing a Threat analytics report about a newly discovered zero-day vulnerability in the Microsoft Defender portal, you need to determine which of your organization's devices are currently vulnerable and export that list for remediation. Which action should you take in the Threat analytics article to accomplish this task?
Open the Mitigation tab and choose Download recommendations.
Select the View impacted devices link in the Exposure section.
Go to the References tab and export the CVE list.
Expand the Summary section and click View all incidents.
Answer Description
Each Threat analytics article contains an Exposure section that lists the devices in your environment affected by the threat or vulnerability. Selecting the View impacted devices link opens a filtered Devices list, which you can then export for further action. The other options either provide high-level insights (Summary), general security guidance (Mitigation), or external resources (References) and do not show a pivotable list of vulnerable endpoints.
Your organization has a device group named CriticalServers in Microsoft Defender XDR. You must ensure that the SOC receives an email each time an alert with a severity of High or above is raised on any device in that group, while suppressing notifications for Medium and Low alerts. Which configuration should you create to meet the requirement?
Create a vulnerability notification rule that filters on CVSS severity High and targets the CriticalServers device group.
Create an alert notification rule scoped to the CriticalServers device group with a minimum alert severity of High.
Build a scheduled hunting query in Microsoft Sentinel that looks for High-severity alerts on CriticalServers and sends an action-group email.
Create an incident notification rule with a minimum incident severity of High and no additional filters.
Answer Description
Alert notification rules are designed to send email messages whenever an alert that meets the rule's criteria is generated. When creating the rule you can scope it to one or more device groups and set a minimum alert severity. Selecting the CriticalServers device group and setting the minimum severity to High guarantees that only High- and Critical-severity alerts originating from those devices trigger an email. Vulnerability notification rules focus on CVEs and exposure rather than alert events, incident notification rules have no device-group filter and could notify on unrelated resources, and a Sentinel hunting query is unnecessary overhead when Defender XDR already provides purpose-built alert notifications.
While triaging a malware alert in Microsoft Defender for Endpoint, you open the device timeline for the affected Windows 11 workstation. You must quickly locate every event where a registry value was changed on the device during the last two weeks so you can determine whether the malware modified Run-key startup entries. Which action should you take in the device timeline pane to accomplish this task with the least amount of effort?
Scroll through the timeline manually and mark every registry event with the Add to evidence command.
Export the timeline to CSV and search the file for registry events by using a spreadsheet filter.
Apply an Advanced filter that specifies Action type equals Registry value set and limits the date range to the last 14 days.
Start a Live Response session and run a registry command to enumerate Run-key entries.
Answer Description
In the device timeline, the fastest way to isolate only registry change events is to use the built-in Advanced filters feature. Selecting Action type equals Registry value set (or Registry value deleted/created) and narrowing the Date range to the last 14 days immediately hides all other event categories such as file, network, or process events. Manually scrolling, exporting raw data, or running a Live Response session are unnecessary and more time-consuming for the stated goal.
While reviewing an incident in the Microsoft Defender portal, you notice that the file "contoso.exe" appears in the Evidence tab with a suspicious verdict. You must quickly learn how many devices have encountered this file during the last 30 days and whether it is common in your organization. Which action should you take from within the incident to obtain this information with the fewest steps?
Open the primary affected device's page, select Timeline, and filter events for contoso.exe over the last 30 days.
In the incident's Evidence tab, select contoso.exe and choose Open file page to view its prevalence details.
Run an advanced hunting query in Microsoft Sentinel that searches all FileEvent records for contoso.exe across the past month.
Switch to the incident's Graph view, expand the file node, and review the connected entities for device counts.
Answer Description
Choosing Open file page from the Evidence tab opens the dedicated file entity page. This page automatically aggregates telemetry across your tenant, displaying organization prevalence, global prevalence, first-seen and last-seen timestamps, and a list of devices where the file was observed in the selected time range (by default, 30 days). The timeline or graph views, while useful, show relationships only within the current incident and do not summarize prevalence across the tenant. Running an advanced hunting query or switching to Microsoft Sentinel would also require additional manual work and may miss devices if the query scope or data source is incomplete. Therefore, opening the file page directly from the Evidence tab is the quickest built-in method to obtain the required prevalence details.
You need to collect AWS GuardDuty findings and VPC Flow Logs from your company's Amazon Web Services (AWS) accounts into Microsoft Sentinel. Which built-in data connector should you configure in the Microsoft Sentinel portal to meet this requirement with the least administrative effort?
Common Event Format (CEF) Syslog data connector
Amazon Web Services (AWS) S3 data connector
Azure Activity data connector
Custom log (HTTP API) data connector
Answer Description
Microsoft Sentinel includes a native "Amazon Web Services S3" data connector that uses an AWS CloudFormation template to stream multiple security log types (including GuardDuty findings, VPC Flow Logs, CloudTrail, and AWS Security Hub findings) from the customer's AWS accounts to an Amazon S3 bucket and then to an Azure Event Hub or Log Analytics workspace. Enabling this single connector therefore ingests both GuardDuty and VPC Flow Logs without requiring a separate CEF agent or custom API integration. The other listed options either collect only Azure activity, require custom log creation, or rely on legacy agent-based CEF ingestion, which demands more configuration effort.
Your organization uses Microsoft Purview Insider Risk Management. A security operations analyst opens a high-severity insider risk alert in the Microsoft Defender portal but cannot preview the SharePoint documents that triggered the alert; the viewer displays "Preview not available." You must ensure the analyst can see full file and email content during future investigations without giving unnecessary additional rights. Which role group should you assign to the analyst?
Compliance Data Administrator
Insider Risk Management Investigators
Insider Risk Management Analysts
eDiscovery Manager
Answer Description
Only members of the Insider Risk Management Investigators role group can open and read the full content of files and emails referenced in insider risk alerts. Insider Risk Management Analysts can review alert metadata and user activity timelines but cannot see content. Compliance Data Administrators and eDiscovery Managers have capabilities in other Microsoft Purview areas but do not grant the specific permission required to preview insider risk evidence.
You are creating a custom Microsoft Sentinel workbook that must work in any Sentinel-enabled Log Analytics workspace without editing the query each time the workbook is imported. You add a query control and need the Kusto Query Language (KQL) query to refer to the workspace that the workbook is currently connected to. Which KQL construct should you use to make the query automatically scope to the active workspace when the workbook runs?
workspace('Contoso-Sentinel')
workspaceGuid()
workspaces(Guid1, Guid2)
workspace()
Answer Description
When you want a query in an Azure Monitor or Microsoft Sentinel workbook to run against the workspace the workbook is opened from, you do not hard-code the workspace name. Instead, you use the workspace() function without arguments. At run time the workbook engine replaces the empty workspace() call with the ID of the currently selected Log Analytics workspace, so the query always scopes itself correctly after the workbook is copied to or opened from another workspace.
Hard-coding a workspace name inside workspace('Contoso-Sentinel') would force the query to run against that specific workspace only. The workspaceGuid() and workspaces() functions require you to supply one or more explicit workspace identifiers, so they cannot adjust automatically.
A security operations center (SOC) engineer must be able to create, edit, enable, and disable automation rules in Microsoft Sentinel and troubleshoot playbook executions that those rules trigger. The engineer must not be able to view raw log data, modify analytics rules, or change resource-level access control. You need to assign the minimum built-in Azure role at the Sentinel workspace scope to meet these requirements.
Which role should you assign?
Microsoft Sentinel Automation Contributor
Logic App Contributor
Microsoft Sentinel Responder
Microsoft Sentinel Contributor
Answer Description
The Microsoft Sentinel Automation Contributor role is designed for users who manage automation in Microsoft Sentinel. It lets them create, modify, enable, or disable automation rules and manage playbooks (because it includes the actions of the Logic App Operator role). The role purposely excludes permissions to read raw data in the Log Analytics workspace, change analytics rules, or assign Azure RBAC roles, satisfying the stated restrictions.
Microsoft Sentinel Contributor would allow management of analytics rules, which is disallowed.
Microsoft Sentinel Responder can update incidents but cannot modify automation rules or playbooks.
Logic App Contributor applies to Logic Apps but grants broader permissions than required and does not cover Sentinel automation rules.
While authoring a scheduled analytics rule in Microsoft Sentinel, you need to prevent incident sprawl by ensuring that every alert produced during a one-hour window is grouped into a single incident, even if different hosts or accounts are involved. Which of the following alert-grouping options should you select in the rule wizard to meet the requirement?
Inherit the alert grouping configuration from the rule's template
Disable alert grouping so that each alert becomes a separate incident
Group alerts into a single incident when the selected entities match
Group all alerts triggered by this rule into a single incident
Answer Description
Selecting "Group all alerts triggered by this rule into a single incident" causes Microsoft Sentinel to funnel every alert fired by the rule during the chosen grouping period into the same incident, regardless of which entities the individual alerts reference. The "group when selected entities match" option would still split incidents whenever the entities differ, and disabling alert grouping would create one incident per alert. Relying on the template's settings offers no assurance because the template may not use the required grouping configuration.
You manage Microsoft Defender XDR for your company. Security leadership wants to receive an email whenever Microsoft Defender Vulnerability Management first detects a new high-severity CVE on any onboarded device. In the Microsoft 365 Defender portal you browse to Settings → Microsoft Defender XDR → Email notifications and select + Add notification rule. Which notification rule type should you choose to meet the requirement?
Alert
Remediation progress
Vulnerability
Threat analytics
Answer Description
Only a Vulnerability notification rule is designed to trigger when software vulnerabilities (CVEs) are first discovered on devices that Microsoft Defender Vulnerability Management monitors. Alert notification rules are limited to detection alerts raised by Defender for Endpoint or other Defender workloads, not to vulnerability discoveries. Threat analytics notifications relate to published intelligence reports, and remediation progress rules track the status of remediation activities after a ticket is created. Therefore, the correct choice is the Vulnerability notification rule.
Your Microsoft Defender for Endpoint tenant contains two device groups named Workstations and Servers.
- All threats detected on workstations must be remediated automatically without analyst approval.
- Remediation actions on servers must always require analyst approval, regardless of file location.
Which change should you make to meet these requirements?
Set the Workstations device group to Full - remediate threats automatically and the Servers device group to Semi - require approval for all folders.
Set the Workstations device group to Semi - require approval for non-temp folders and the Servers device group to Semi - require approval for core folders.
Set the Workstations device group to Semi - require approval for all folders and the Servers device group to Full - remediate threats automatically.
Enable automatic attack disruption for Workstations and assign the Security Operator role to all server administrators.
Answer Description
Automation levels control how Automated Investigation and Response (AIR) handles remediation.
- Full - remediate threats automatically allows Defender to take every recommended remediation action with no human intervention, satisfying the workstation requirement.
- Semi - require approval for all folders blocks every remediation action until an analyst approves it, which meets the server requirement for full approval.
Other semi-automation levels (Require approval for non-temp folders or for core folders only) still permit some automatic actions, so they do not ensure that all server remediations are approved. Changing user roles, alert-severity thresholds, or attack-disruption settings does not directly control AIR behavior at the device-group level.