Microsoft SC-200 Exam Questions
Microsoft Security Operations Analyst (Page 10)

Updated On: 8-Mar-2026

You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You plan to create a hunting query from Microsoft Defender.
You need to create a custom tracked query that will be used to assess the threat status of the subscription. From the Microsoft 365 Defender portal, which page should you use to create the query?

  1. Threat analytics
  2. Advanced Hunting
  3. Explorer
  4. Policies & rules

Answer(s): B

Explanation:

Advanced hunting is based on the Kusto query language. You can use Kusto operators and statements to construct queries that locate information in a specialized schema.
Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Note: Create a custom detection rule
1. Prepare the query.
In the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
2. Create a new rule and provide alert details.
With the query in the query editor, select Create detection rule and specify the alert details.
3. Choose the impacted entities.
Identify the columns in your query results where you expect to find the main affected or impacted entity.
4. Specify actions.
Your custom detection rule can automatically take actions on devices, files, or users that are returned by the query.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules




You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort.
What should you do in the Microsoft 365 Defender portal?

  1. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.
  2. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.
  3. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.
  4. Select Add indicator and set the IP address to 171.23.34.32/27.

Answer(s): A

Explanation:

Import a list of IoCs
You can choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
1. Download the sample CSV to know the supported column attributes.
2. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
3. Select the tab of the entity type you'd like to import indicators for.
4. Select Import > Choose file.
5. Select Import. Do this for all the files you'd like to import.
6. Select Done.
Note: You can create an indicator for:
* Files
* IP addresses
* URLs/domains
* Certificates
Incorrect:
Not B: Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
Not C: Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
Not D: Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
Note 2: Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the IP addresses or URLs/Domains tab.
Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
3. Select Add item.
4. Specify the following details:
Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then select Save.
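Because the portal accepts neither CIDR blocks nor ranges, answer A comes down to generating the per-address import file rather than typing 32 rows by hand. The Python below is an added example (not from the exam page or from Microsoft) that expands 171.23.34.32-171.23.34.63 (equivalently 171.23.34.32/27) into one indicator row per address; the CSV column names and the IndicatorType/Action/Severity values are assumptions to be checked against the sample CSV the steps above tell you to download.

```python
import csv
import io
import ipaddress

# Column header of the indicator import CSV. This layout is an assumption
# based on the sample file as the author recalls it; download the sample from
# Settings > Endpoints > Indicators > Import and align the header if it differs.
CSV_HEADER = [
    "IndicatorType", "IndicatorValue", "ExpirationTime", "Action", "Severity",
    "Title", "Description", "RecommendedActions", "RbacGroups", "Category",
    "MitreTechniques", "GenerateAlert",
]


def expand_ip_range(first, last):
    """Return every IPv4 address from first to last, inclusive, as strings."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return [str(ipaddress.IPv4Address(n)) for n in range(int(start), int(end) + 1)]


def expand_cidr(cidr):
    """Return every address in a CIDR block, including the network and broadcast
    addresses. The portal rejects CIDR, so the block is flattened client-side;
    .hosts() is deliberately not used because it would drop two addresses of a /27."""
    return [str(ip) for ip in ipaddress.IPv4Network(cidr, strict=True)]


def build_indicator_csv(first, last, action="Block", title="Blocked range",
                        description="Constructed example indicator"):
    """Write one IpAddress indicator row per address in the range (values assumed)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSV_HEADER)
    for ip in expand_ip_range(first, last):
        writer.writerow(["IpAddress", ip, "", action, "Informational", title,
                         description, "", "", "", "", "TRUE"])
    return buf.getvalue()


if __name__ == "__main__":
    # The range from the question holds 32 addresses and equals 171.23.34.32/27.
    assert expand_cidr("171.23.34.32/27") == expand_ip_range("171.23.34.32", "171.23.34.63")
    with open("indicators.csv", "w", newline="") as fh:
        fh.write(build_indicator_csv("171.23.34.32", "171.23.34.63"))
```

The resulting indicators.csv is what step 4 (Import > Choose file) expects; one file covers the whole range.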


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain




You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block user-specified IP addresses and URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft Defender portal?

  1. custom network indicators
  2. live response for servers
  3. endpoint detection and response (EDR) in block mode
  4. web content filtering

Answer(s): A

Explanation:

Custom network indicators
Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they'll be allowed or blocked based on your custom indicator list.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-features




DRAG DROP (Drag and Drop is not supported)
You have an Azure subscription that contains the users shown in the following table.


You need to delegate the following tasks:
Enable Microsoft Defender for Servers on virtual machines.
Review security recommendations and enable server vulnerability scans.
The solution must use the principle of least privilege.
Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: User1
Enable Microsoft Defender for Servers on virtual machines.
User1 is Security Admin.
Security Admin: View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
Box 2: User2
Review security recommendations and enable server vulnerability scans.
User2 is Security Reader.
Security Reader: View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.
Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines, required roles and permissions:
* Owner (resource group level) can deploy the scanner
* Security Reader can view findings
Incorrect:
* Contributor (User3)
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm




HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription.
You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the following requirements:
* Only show emails sent during the last hour.
* Optimize query performance.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: | where Timestamp > ago(1h)
* Only show emails sent during the last hour.
* Optimize query performance.
Apply filters early: apply time filters and other filters to reduce the data set, especially before using transformation and parsing functions, such as substring(), replace(), trim(), toupper(), or parse_json(). In the example below, the parsing function extractjson() is used after filtering operators have reduced the number of records.
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| where DeviceName == "user-desktop.domain.com"
| extend DriveLetter = extractjson("$.DriveLetter", AdditionalFields)
Box 2: | join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification, and other file system events.
Optimize the join operator
The join operator merges rows from two tables by matching values in specified columns. Apply these tips to optimize queries that use this operator.
* Use the inner-join flavor
The default join flavor, innerunique-join, deduplicates rows in the left table by the join key before returning a row for each match to the right table. If the left table has multiple rows with the same value for the join key, those rows will be deduplicated to leave a single random row for each unique value.
This default behavior can leave out important information from the left table that can provide useful insight. For example, the query below will only show one email containing a particular attachment, even if that same attachment was sent in multiple email messages.
To address this limitation, apply the inner-join flavor by specifying kind=inner to show all rows in the left table with matching values in the right:
EmailAttachmentInfo // left table (email attachment records); table name assumed from the referenced best-practices article
| where Timestamp > ago(1h)
| where Subject == "Document Attachment" and FileName == "Document.pdf"
| join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices



Viewing page 10 of 79
Viewing questions 46 - 50 out of 424 questions


