Try 10 focused Microsoft SC-500 questions on Security Posture Monitoring, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | Microsoft SC-500 |
| Topic area | Manage and Monitor Security Posture |
| Blueprint weight | 22% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Manage and Monitor Security Posture for Microsoft SC-500. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 22% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Manage and Monitor Security Posture
Your company has enabled Microsoft Defender for Servers Plan 2 for an Azure subscription and onboarded its Azure virtual machines to Microsoft Defender for Endpoint. You must configure vulnerability assessment so VM software vulnerabilities are reported by Microsoft Defender Vulnerability Management. The solution must avoid third-party scanner extensions and inbound network changes. Which implementation should you use?
Options:
A. Enable Vulnerability assessment for machines with Microsoft Defender Vulnerability Management
B. Stream Defender for Cloud alerts to Microsoft Sentinel
C. Enable only Defender CSPM agentless scanning for the subscription
D. Deploy the Qualys vulnerability assessment extension to each VM
Best answer: A
Explanation: Microsoft Defender Vulnerability Management for Azure virtual machines is configured from Microsoft Defender for Cloud as part of the Defender for Servers settings. With Defender for Servers Plan 2 and Microsoft Defender for Endpoint onboarding in place, enabling the vulnerability assessment setting for machines and selecting Microsoft Defender Vulnerability Management satisfies the requirement without adding a third-party scanner extension or opening inbound access to the VMs. This setting controls how VM vulnerability findings are produced for Defender for Cloud posture and workload protection scenarios. Sentinel streaming can help centralize alerts, but it does not configure the vulnerability assessment provider.
Topic: Manage and Monitor Security Posture
A security operations manager is onboarding contract analysts to a Microsoft Sentinel workspace. The analysts must triage existing incidents by assigning owners, adding comments, and changing incident status. They must not create analytics rules, manage data connectors, edit automation, or change workspace settings. Which role assignment best reduces privilege risk while allowing the required work?
Options:
A. Assign Microsoft Sentinel Reader at the workspace scope.
B. Assign Microsoft Sentinel Contributor at the workspace scope.
C. Assign Log Analytics Contributor at the workspace scope.
D. Assign Microsoft Sentinel Responder at the workspace scope.
Best answer: D
Explanation: Microsoft Sentinel RBAC roles should be assigned at the narrowest scope that supports the required task. For analysts who only need to manage incident workflow, Microsoft Sentinel Responder is the least-privilege fit because it allows incident triage actions such as updating status, ownership, and comments. It does not provide the broader content and configuration permissions associated with Microsoft Sentinel Contributor or workspace administration roles. The key decision is to match the task to the Sentinel-specific role rather than granting general Log Analytics or contributor-level access.
Topic: Manage and Monitor Security Posture
A Microsoft Sentinel workspace receives many incidents from a scheduled analytics rule named LabAdminSignIn. The SOC has validated that these incidents are expected lab activity. New matching incidents should be handled automatically: close them as benign, keep an audit note, and avoid disabling the analytics rule or changing log ingestion. Which TWO automation rule actions should you configure? Select TWO.
Options:
A. Create a data connector filter for lab sign-in events.
B. Add a comment that identifies the approved lab activity.
C. Disable the LabAdminSignIn analytics rule.
D. Create a scheduled analytics rule for closed incidents.
E. Change the incident status to Closed with a benign classification.
F. Shorten retention for the workspace incident data.
Correct answers: B and E
Explanation: Microsoft Sentinel automation rules are used to automate repeatable incident or alert handling after matching conditions are met. In this scenario, the SOC still wants the analytics rule and ingestion to remain active, but wants routine incidents handled without manual triage. Suitable automation rule actions include changing the incident status, setting the closure classification, adding tags or comments, assigning an owner, or running a playbook. Closing the incident as benign addresses the handling requirement, and adding a comment preserves the audit context for why the incident was closed automatically. Changes to ingestion, retention, or analytics-rule creation do not implement the requested incident-handling automation.
Topic: Manage and Monitor Security Posture
A security team has enabled Defender CSPM for subscription Prod-01. Defender for Cloud inventory shows Azure virtual machines and Azure SQL databases in that subscription that require workload threat protection. No Defender for Cloud workload protection plans are enabled for Prod-01. You need to start protection without enabling unrelated plans. What should you do next?
Options:
A. Enable Defender CSPM again for Prod-01.
B. Connect Defender for Cloud alerts to Microsoft Sentinel.
C. Enable every Defender for Cloud plan in all subscriptions.
D. Enable Defender for Servers and Defender for Databases for Prod-01.
Best answer: D
Explanation: Defender for Cloud separates posture management from workload protection. Defender CSPM helps assess risk and prioritization, but workload threat protection requires enabling the relevant Defender for Cloud plans for the environment that hosts the resources. In this case, the resources needing protection are Azure VMs and Azure SQL databases in Prod-01, so the next implementation step is to enable Defender for Servers and Defender for Databases for that subscription. Alert routing, recommendation review, and further hardening come after the required plans are enabled.
Topic: Manage and Monitor Security Posture
A security engineer must prove that Microsoft Copilot user interactions are being captured for investigation. A pilot user, alice@contoso.com, used Copilot in Word at 14:05 UTC. The compliance team requires audit evidence from Microsoft Purview Audit in Defender XDR. Which evidence best validates that the audit control is working?
Options:
A. Purview Audit record: Alice, Word, Copilot interaction, after 14:05 UTC
B. Sentinel connector status: Microsoft Defender XDR is connected
C. Entra sign-in log: Alice signed in before 14:05 UTC
D. Defender XDR incident queue: no alerts for Alice after 14:05 UTC
Best answer: A
Explanation: When the requirement is audit evidence, the validation should come from Microsoft Purview Audit in Defender XDR and match the controlled test activity. The strongest evidence is an audit record with the expected user, workload or app context, activity type, and timestamp after the test. A lack of Defender XDR alerts only indicates that no alert was generated. A Sentinel connector status only validates ingestion connectivity. A Microsoft Entra sign-in record confirms authentication, not that the Copilot interaction was audited.
Topic: Manage and Monitor Security Posture
A security engineer reviews Defender for Cloud for a subscription that hosts Azure VMs. The team asks why VM software vulnerability findings are not being generated automatically.
Exhibit: Defender for Cloud summary
| Item | State |
|---|---|
| Defender CSPM | Enabled |
| Defender for Servers Plan 2 | Enabled |
| VM vulnerability assessment | Not configured |
| CSPM recommendation | Enable vulnerability assessment on machines |
| Recommendation state | Unhealthy on 18 VMs |
What is the best interpretation and next action?
Options:
A. Onboard the VM names to Defender EASM discovery.
B. Configure VM vulnerability assessment for the machines.
C. Enable Defender CSPM for the subscription.
D. Create a Microsoft Sentinel connector for Defender for Cloud.
Best answer: B
Explanation: Defender CSPM and VM vulnerability management are related but not the same control. Defender CSPM evaluates posture and can show recommendations, such as machines missing vulnerability assessment. That recommendation is evidence of a configuration gap; it does not itself enable vulnerability scanning or produce VM CVE findings. In the exhibit, Defender CSPM and Defender for Servers Plan 2 are already enabled, but the VM vulnerability assessment setting is not configured. The next action is to configure vulnerability assessment for the Azure VMs through the Defender for Servers vulnerability-management settings. Sentinel collection or EASM discovery would address different monitoring or external attack-surface goals, not this VM scanning gap.
Topic: Manage and Monitor Security Posture
A security engineer must provide audit evidence showing who changed sensitivity labels on files in a SharePoint site during a suspected exposure window. The organization has not ingested these audit records into Microsoft Sentinel. Which TWO actions should the engineer take in Microsoft Defender XDR? Select TWO.
Options:
A. Review Defender CSPM recommendations for file label history.
B. Use Microsoft Entra sign-in logs to identify the file label changes.
C. Use the returned audit records to document actor, activity, timestamp, and affected object.
D. Query the Microsoft Sentinel SecurityEvent table for SharePoint label changes.
E. Run a Microsoft Purview Audit search scoped by users, activities, and time range.
F. Run advanced hunting only against Defender XDR DeviceEvents.
Correct answers: C and E
Explanation: Microsoft Purview Audit is the evidence source for audited user and admin activity across Microsoft 365 services, including SharePoint activity, when the requirement is to prove who did what and when. In Microsoft Defender XDR, the engineer should query Audit directly and scope the search to the relevant time window, users, and activities. The resulting audit records can then be reviewed or exported to show fields such as the actor, operation, timestamp, workload, and affected object. Sentinel is useful only if the needed audit data has been ingested there; the stem explicitly says it has not. SecurityEvent contains Windows security events, not un-ingested Purview workload audit records.
Topic: Manage and Monitor Security Posture
A SOC team uses a Microsoft Security Copilot workspace. Tier-1 analysts must be able to run prompts with approved plugins, but they must not manage workspace roles, publish plugins, or change workspace settings. You assign the analysts the Security Copilot Contributor role only. Which evidence best validates that the intended control is working?
Options:
A. Microsoft Sentinel connector status shows healthy ingestion.
B. Plugin activity logs show approved plugins were invoked.
C. A permission test allows prompts and denies role management.
D. Microsoft Entra sign-in logs show successful Copilot access.
Best answer: C
Explanation: Security Copilot role validation should prove the effective permissions in the Copilot workspace scope. For an operations-only requirement, the evidence should show that analysts can perform allowed user actions, such as running prompts, while owner-level actions, such as managing roles, publishing plugins, or changing settings, are denied. Successful sign-in or plugin activity shows access or usage, but it does not prove least-privilege enforcement. Connector health validates data availability for a source, not Security Copilot role boundaries. The strongest validation is an allow/deny permission result that matches the assigned Contributor-only design.
Topic: Manage and Monitor Security Posture
Defender for Cloud shows two active security alerts for subscription Prod-Sub and a separate posture recommendation to restrict public storage access. In Microsoft Sentinel workspace secops-law, queries against SecurityAlert return no rows for Prod-Sub. The SOC needs the Defender alerts in Sentinel before creating automation. What is the best next step?
Options:
A. Remediate the public storage access recommendation
B. Create a Sentinel automation rule for new incidents
C. Enable Defender CSPM for attack path findings
D. Validate and connect the Defender for Cloud data connector
Best answer: D
Explanation: When monitoring data is missing from Microsoft Sentinel but the source service already has alerts, the next step is to validate the relevant Sentinel data connector for the correct workspace and subscription. Defender for Cloud posture recommendations, such as restricting public storage access, are security-hardening findings; they do not explain why SecurityAlert records are absent from Sentinel. After the connector is connected and permissions/ingestion are verified, analytics rules and automation can process the incoming alerts. Fix ingestion first, then build response workflows or remediate separate posture items.
Topic: Manage and Monitor Security Posture
A security team must provide quarterly evidence that Azure resources in several subscriptions align with the Microsoft cloud security benchmark and an industry framework. Deployments must continue normally, and the team needs control-level pass/fail posture evidence with remediation guidance. Which action should the security engineer take?
Options:
A. Enable Defender for Servers on every subscription.
B. Add the required standards in Defender for Cloud Regulatory compliance.
C. Apply resource locks to all production resource groups.
D. Create Microsoft Sentinel analytics rules for resource changes.
Best answer: B
Explanation: Defender for Cloud Regulatory compliance is designed to evaluate cloud resources against security standards and compliance frameworks. Adding the required standards at the appropriate scope lets the team view which controls pass or fail, see affected resources, and follow linked recommendations for remediation. This supports audit evidence and posture management without turning the requirement into a deployment-blocking control. Workload protection plans and SIEM analytics can help detect threats, but they do not provide the same mapped framework evidence.
Use the Microsoft SC-500 Practice Test page for the full IT Mastery practice bank, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the Microsoft SC-500 Cheat Sheet for compact concept review before returning to timed practice.