SC-200 domain - 37% of the exam

Respond to Security Incidents

Respond to Security Incidents is 37% of the Microsoft Security Operations Analyst (SC-200) exam. These are the objectives it covers, each with practice questions and worked explanations.


Sample question from this domain

Free sample | Respond to Security Incidents | Difficulty: hard

A security operations team is investigating an incident in Microsoft Defender XDR that began with a phishing email, progressed to a malicious sign-in, and then to suspicious process execution on a server. The analysts want to see how these alerts from Microsoft Defender for Office 365, Microsoft Entra ID, and Microsoft Defender for Endpoint were correlated into a single attack, including the timeline and the relationships between the involved entities. Which part of the Microsoft Defender XDR incident view should the analysts open to see this correlated end-to-end picture?

  • A. The Microsoft Defender vulnerability management dashboard, which ranks exposed devices by their weaknesses so the team can see which assets the attacker most likely targeted during the campaign.
  • B. The advanced hunting schema reference, which documents the available tables and columns so analysts can build a custom query that reconstructs the sequence of events for the incident.
  • C. The threat analytics report for the relevant campaign, which describes the actor techniques and supplies recommended mitigations the team should apply to reduce the impact of the attack.
  • D. The incident graph and attack story, which lay out the correlated alerts, affected assets, and entity relationships across the workloads as a connected timeline of how the attack unfolded. (Correct)

Use the Microsoft Defender XDR incident graph and attack story to understand how cross-workload alerts correlate into a single multi-stage attack. Microsoft Defender XDR automatically correlates related alerts from across its workloads into a single incident. The incident graph and attack story render those alerts, the affected entities, and their relationships as a connected timeline, so analysts can trace how an attack moved from email to identity to endpoint without manually piecing the stages together.

Why A is wrong: Vulnerability management surfaces device exposure and misconfigurations to drive proactive hardening, which is tempting when assessing attacker reach; it does not correlate alerts or render an incident timeline, so it cannot show how the stages connected.

Why B is wrong: The schema reference helps an analyst write hunting queries and could be used to rebuild a sequence manually, but it is documentation rather than the built-in correlated view; the incident already provides the joined attack story without query effort.

Why C is wrong: Threat analytics gives intelligence on actors and techniques with mitigation guidance, which feels relevant to a campaign; it is generic reporting and does not display this specific incident's correlated alerts, entities, or timeline.

Why D is correct: The incident graph and attack story are purpose-built to visualise how alerts from different Defender workloads were stitched into one incident, showing the entity relationships and the chronological progression an analyst needs to understand a multi-stage, multi-domain attack.


See also the SC-200 cert hub, the study guide, and the cheat sheet.

Examworthy is not affiliated with or endorsed by Microsoft. Original, blueprint-aligned practice material only.