Microsoft SC-200 Exam Questions
Microsoft Security Operations Analyst (Page 11 )

Updated On: 8-Mar-2026

Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need to remediate the security risk. What should you do?

  1. Disable legacy protocols on the computers listed as exposed entities.
  2. Enforce LDAP signing on the computers listed as exposed entities.
  3. Modify the properties of the computer objects listed as exposed entities.
  4. Install the Windows Local Administrator Password Solution (Windows LAPS) extension on the computers listed as exposed entities.

Answer(s): C

Explanation:

Security assessment: Unsecure Kerberos delegation
Remediation
Use the remediation appropriate to your delegation type.
Unconstrained delegation
Either disable delegation or use one of the following Kerberos constrained delegation (KCD) types:
Constrained delegation: Restricts which services this account can impersonate. Select Trust this computer for delegation to specified services only.
How do I use this security assessment?
1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
Incorrect:
* LAPS
Microsoft's "Local Administrator Password Solution" (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read them or request a reset. LAPS manages local administrator passwords; it does not change the Kerberos delegation settings on a computer object.
What risk does not implementing LAPS pose to an organization?
LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, rotated random password for the common local administrator account on every computer in the domain.


Reference:

https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unconstrained-kerberos




You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices. You need to mark the file as safe and remove the file from quarantine on the devices.
What should you use in the Microsoft 365 Defender portal?

  1. From the History tab in the Action center, revert the actions.
  2. From the investigation page, review the AIR processes.
  3. From Quarantine from the Review page, modify the rules.
  4. From Threat tracker, review the queries.

Answer(s): A

Explanation:

View and manage actions in the Action center
Applies to: Microsoft 365 Defender
To remove a file from quarantine across multiple devices:
1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
2. On the History tab, select a file that has a Quarantine file Action type.
3. In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.


Reference:

Microsoft 365 Defender remove quarantine file


https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-actions




You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft Defender portal?

  1. Advanced hunting
  2. Threat analytics
  3. Incidents & alerts
  4. Learning hub

Answer(s): B

Explanation:

Threat analytics
Track and respond to emerging threats with Microsoft 365 Defender threat analytics. Threat analytics is the Microsoft 365 Defender threat intelligence solution from expert Microsoft security researchers. It's designed to help security teams be as efficient as possible while facing emerging threats, such as:
* Active threat actors and their campaigns
* Popular and new attack techniques
* Critical vulnerabilities
* Common attack surfaces
* Prevalent malware
Incorrect:
* Advanced hunting
You can build custom detection rules and hunt for specific threats in your environment. Hunting uses a query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities. Custom detection rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings.
* Learning hub
The Microsoft 365 Defender portal includes a learning hub that provides guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender-portal




HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with a Microsoft Entra tenant.
You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers. How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: IdentityLogonEvents
Box 2: union
Example:
// Notice we no longer have the extra columns from a join. This might be useful if you want to track
// logon activity with devices (the DeviceLogonEvents table) and Active Directory \ Azure Active Directory
// (the IdentityLogonEvents table) in one query.
DeviceLogonEvents
| extend Table = 'DeviceLogonEvents'   // tag each row with its source table
| take 100
| union (
    IdentityLogonEvents
    | extend Table = 'IdentityLogonEvents'
    | take 100
)
| project-reorder Timestamp, Table, AccountDomain, AccountName, AccountUpn, AccountSid
| order by Timestamp asc


Reference:

https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.txt




HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.
You need to identify LDAP requests by AD DS users to enumerate AD DS objects.
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: IdentityQueryEvents
The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains.
Box 2: isnotempty
Example:
IdentityQueryEvents
| where isnotempty(AccountSid)   // keep only queries attributable to an AD DS account
| take 100
// IdentityQueryEvents
// - contains query activities performed against Active Directory objects, such as users, groups, devices, and domains monitored by Azure ATP
// - includes SAMR, DNS and LDAP requests
Incorrect:
* IdentityInfo
The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Azure Active Directory.
* IdentityDirectoryEvents
The IdentityDirectoryEvents table in the advanced hunting schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes, password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.txt


