Microsoft SC-200 Exam Questions
Microsoft Security Operations Analyst (Page 13 )

Updated On: 8-Mar-2026

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.
What should you use in the Microsoft 365 Defender portal?

  1. incidents
  2. Remediation
  3. Investigations
  4. Advanced hunting

Answer(s): D
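A worked advanced hunting query for this scenario, added here as an example rather than taken from the exam item: it lists every device that carries at least one malware-category alert together with the file evidence attached to those alerts. Table and column names (AlertInfo, AlertEvidence, EntityType, Category) are from the Microsoft 365 Defender advanced hunting schema; the one-day lookback is an assumed value.

```kql
// Added example: devices with malware alerts plus the file evidence behind each alert.
// AlertInfo holds one row per alert; AlertEvidence holds one row per entity
// (device, file, user, ...) attached to an alert. The two are linked by AlertId.
let lookback = 1d;                               // assumed window; widen as needed
let MalwareAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where Category == "Malware"                // alert category assigned by Defender
    | project AlertId, Timestamp, Title, Severity;
let DeviceEvidence =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "Machine"              // device entities carry DeviceId/DeviceName
    | project AlertId, DeviceId, DeviceName;
let FileEvidence =
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType == "File"                 // file entities carry the malware artefact
    | project AlertId, FileName, SHA1;
MalwareAlerts
| join kind=inner DeviceEvidence on AlertId      // keep only alerts tied to a device
| join kind=leftouter FileEvidence on AlertId    // file evidence is optional
| summarize AlertCount     = dcount(AlertId),
            Alerts         = make_set(Title),
            EvidenceFiles  = make_set(FileName),
            EvidenceHashes = make_set(SHA1),
            LastAlert      = max(Timestamp)
  by DeviceId, DeviceName
| order by AlertCount desc
```

Because every result row carries a DeviceId, the rows can be selected in Hunting > Advanced hunting and acted on with Take actions > Isolate device, which is the property the question is testing; incidents and investigations show the same devices but do not let you drive isolation from a custom query result.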




HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Purview and contains a user named User1.
User1 shares a Microsoft Power BI report file from the Microsoft OneDrive folder of your company to an external user by using Microsoft Teams.
You need to identify which Power BI report file was shared.
How should you configure the search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1 (Activities): Share file, folder, or site
Box 2 (Record type): Shared Power BI report
Box 3 (Workload): Microsoft Teams

Note: Search-UnifiedAuditLog applies to Exchange Online and Exchange Online Protection, and is available only in the cloud-based service.
Use the Search-UnifiedAuditLog cmdlet to search the unified audit log. This log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365 services. You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.
Example:
Search-UnifiedAuditLog -StartDate 5/1/2018 -EndDate 5/8/2018 -RecordType SharePointFileOperation -Operations FileAccessed -SessionId "WordDocs_SharepointViews" -SessionCommand ReturnLargeSet
This example searches the unified audit log for any files accessed in SharePoint Online from May 1, 2018 to May 8, 2018. The data is returned in pages as the command is rerun sequentially while using the same SessionId value.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/auditing
https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog




You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams. You have a team named Team1 that has a project named Project1.
You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.
Which KQL query should you run?

  1. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))
  2. AuditLogs
    | where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))
    | where FileName contains "Project1"
  3. Project1(c:c)(date=2023-02-01..2023-02-10)
  4. AuditLogs
    | where Timestamp > ago(10d)
    | where FileName contains "Project1"

Answer(s): C




You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.
Which operator should you use?

  1. search *
  2. union kind = inner
  3. join kind = inner
  4. evaluate hint.remote =

Answer(s): B

Explanation:

KQL, union operator
Takes two or more tables and returns the rows of all of them.
Syntax
[ T | ] union [ UnionParameters ] [kind= inner|outer] [withsource= ColumnName] [isfuzzy= true|false] Tables


Reference:

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/unionoperator
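An added example (not from the page or from Microsoft's documentation) of the union the answer describes, run against the three tables named in the question. The one-day window is an assumed value; the table names are from the advanced hunting schema.

```kql
// Added example: link AlertInfo, AlertEvidence and DeviceLogonEvents with union.
// Every row of every table comes back whichever kind is used; kind only decides
// which columns survive. kind=inner keeps the columns present in all three tables
// (Timestamp among them); kind=outer (the default) keeps every column and fills
// the ones a table lacks with null. withsource= adds a column naming the origin table,
// which is the cheapest way to prove that no rows were dropped.
union kind=inner withsource=SourceTable
    AlertInfo,
    AlertEvidence,
    DeviceLogonEvents
| where Timestamp > ago(1d)                      // assumed window
| summarize Rows      = count(),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp)
  by SourceTable
```

The per-table row counts should match what each table returns on its own over the same window. That is the distinction the distractors miss: join kind=inner discards every row that has no match on the join key, and search * scans every table in the schema rather than linking the three you asked for.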




You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices. You onboard the devices to Microsoft 365 Defender.
You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.
What should you do first?

  1. Modify the permissions for Microsoft 365 Defender.
  2. Create a device group.
  3. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
  4. Configure role-based access control (RBAC).

Answer(s): D

Explanation:

Live Response session
Live Response is a feature in Defender for Endpoint that gives security analysts a remote shell connection to a device, so that they can perform an in-depth investigation on an affected device.
Before a session can be started, two things must be in place: a Defender for Endpoint RBAC role that grants the user live response permissions (basic or advanced commands) over the device group that contains the device, and the Live Response switch under Settings > Endpoints > Advanced features (together with Live Response unsigned script execution if unsigned scripts will be run). The permission comes first, which is why configuring RBAC is the first step.
Once these are in place, a live response session can be initiated on an affected device from its device page.


Reference:

https://m365internals.com/2021/05/14/using-microsoft-defender-for-endpoint-during-investigation/



Viewing page 13 of 79
Viewing questions 61 - 65 out of 424 questions
