Cisco
CompTIA
ISC
EC-Council
EXIN
Fortinet
ITIL
Juniper
Microsoft
VMware
Avaya
SAP
Google
NVIDIA
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk
ServiceNow
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. SC-200

Microsoft SC-200 Exam Questions
Microsoft Security Operations Analyst (Page 14 )

Updated On: 8-Mar-2026
Page 14 of 79
PDF with 424 Questions
View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint. You need to create a detection rule that meets the following requirements:
Is triggered when a device that has critical software vulnerabilities was active during the last hour Limits the number of duplicate results
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: distinct DeviceID
The DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema contains the Microsoft Defender Vulnerability Management list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
The table includes:
DeviceId
Unique identifier for the machine in the service
CveID
Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system
Etc.
Note: distinct operator
Produces a table with the distinct combination of the provided columns of the input table.
Syntax
T | distinct ColumnName[,ColumnName2, ...] Box 2: project Timestamp, DeviceId, ReportId
Incorrect:
project-keep
Select what columns from the input to keep in the output. Only the columns that are specified as arguments will be shown in the result. The other columns are excluded.
Example
The following query returns columns from the ConferenceSessions table that contain the word "session".
ConferenceSessions
| project-keep session*
Syntax
T | project-keep ColumnNameOrPattern [, ...]
* project-away operator
Select what columns from the input table to exclude from the output table.
Syntax
T | project-away ColumnNameOrPattern [, ...]
Examples
The input table PopulationData has 2 columns: State and Population. Project-away the Population column and you're left with a list of state names.
PopulationData
| project-away Population


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting- devicetvmsoftwarevulnerabilities-table



View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Teams.
You need to perform a content search of Teams chats for a user by using the Microsoft Purview compliance portal. The solution must minimize the scope of the search.
How should you configure the content search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Exchange mailboxes Locations
Searching for and exporting Teams chat content
Here's how to use Content search in the Microsoft Purview compliance portal to search
In the Microsoft Purview compliance portal, go to Content search.
On the Searches tab, select New search, and name the new search.
On the Locations page, choose the content locations that you want to search. You can search mailboxes,
sites, and public folders.


Exchange mailboxes: Set the toggle to On. The option to search all Exchange mailboxes is automatically selected. If needed, select Choose users, groups, or teams to specify the mailboxes to search. Use the search box to find user mailboxes and distribution groups. You can also search the mailbox associated with a Microsoft Team (for channel messages), Microsoft 365 Group, and Viva Engage Group.
SharePoint sites: Set the toggle to On. The option to search all SharePoint sites is automatically selected. Select Choose sites to specify SharePoint sites and OneDrive sites to search. Enter the URL for each site that you want to search. You can also add the URL for the SharePoint site for a Microsoft Team, Microsoft 365 Group, or Viva Engage Group.
Exchange public folders: Set the toggle to On. The option to search all Exchange public folders is automatically selected to search all public folders in your Exchange Online organization. You can't choose specific public folders to search. Leave the toggle switch off if you don't want search all public folders.
Keep this checkbox selected to search for Teams content for on-premises users. For example, if you search all Exchange mailboxes in the organization and this checkbox is selected, the cloud-based storage used to store Teams chat data for on-premises users will be included in the scope of the search. For more information, see Search for Teams chat data for on-premises users.
Box 2: kind Keywords
On the Define your search conditions page, create a keyword query and add conditions to the search query if necessary. To only search for Team chats data, you can add the following query in the Keywords box:
kind:im AND kind:microsoftteams
5. Submit and run the search. Any search results for on-premises users can be previewed like any other search results. You can also export the search results (including any Teams chat data) to a PST file.


Reference:

https://learn.microsoft.com/en-us/purview/ediscovery-search-cloud-based-mailboxes-for-on-premises-users https://learn.microsoft.com/en-us/purview/ediscovery-content-search



View Related Case Study

You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender XDR.
You need to initiate the collection of investigation packages from the devices by using the Microsoft Defender
portal.
Which response action should you use?

  1. Run antivirus scan
  2. Initiate Automated Investigation
  3. Collect investigation package
  4. Initiate Live Response Session

Answer(s): C



View Related Case Study

You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  1. From Settings, select Cloud Apps, select Microsoft Information Protection, and then select Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.
  2. From Cloud apps, select Files, and then filter File Type to Document.
  3. From Settings, select Cloud Apps, select Microsoft Information Protection, select Files, and then enable file monitoring.
  4. From Cloud apps, select Files, and then filter App to Microsoft 365.
  5. From Cloud apps, select Files, and then select New policy from search.
  6. From Settings, select Cloud Apps, select Microsoft Information Protection, and then select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.

Answer(s): C,F

Explanation:

Discover and protect sensitive information in your organization
Phase 1: Discover your data Details omitted.
(F) Phase 2: Classify sensitive informationDefine which information is sensitive. Details omitted.Enable Microsoft Information Protection integrationIn the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps.Under Information Protection, go to Microsoft Information Protection. Select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.Etc.
Phase 3: Protect your data
Phase 4: Monitor and report on your data
C: File filters in Microsoft Defender for Cloud Apps
File monitoring should be enabled in Settings. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Information Protection, select Files. Select Enable file monitoring and then select Save.
Note: To provide data protection, Microsoft Defender for Cloud Apps gives you visibility into all the files from your connected apps. After you connect Microsoft Defender for Cloud Apps to an app using the App connector, Microsoft Defender for Cloud Apps scans all the files, for example all the files stored in OneDrive and Salesforce. Then, Defender for Cloud Apps rescans each file every time it's modified – the modification can be to content, metadata, or sharing permissions. Scanning times depend on the number of files stored in your app. You can also use the Files page to filter files to investigate what kind of data is saved in your cloud apps.
('Microsoft 365 Defender' and 'Microsoft Defender XDR' are just terminologies used to group different platforms together.)


Reference:

https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp https://docs.microsoft.com/en-us/cloud-app-security/azip-integration https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters



View Related Case Study

You have a Microsoft 365 subscription that uses Microsoft Purview. Your company has a project named Project1.
You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.
What should you do?

  1. Perform a user data search.
  2. Create a records management disposition.
  3. Perform an audit search.
  4. Perform a content search.

Answer(s): D

Explanation:

Content search in Microsoft Purview allows you to search for specific content across user mailboxes, SharePoint sites, and OneDrive locations. In this case, you want to identify email messages that contain the word Project1 in the subject line. A content search will allow you to specify the keyword "Project1" and narrow down the search to the mailboxes of specific users who worked on the project.
User data search is not a feature in Microsoft Purview that matches this requirement.
Records management disposition deals with managing records and their lifecycle (such as retention and deletion), but it is not related to searching email messages.
Audit search allows you to search the audit logs for activities performed by users, but it does not search the content of emails or documents.



Viewing page 14 of 79
Viewing questions 66 - 70 out of 424 questions



Post your Comments and Discuss Microsoft SC-200 exam dumps with other Community members:

SC-200 Exam Discussions & Posts

AI Tutor