Microsoft SC-200 Exam Questions
Microsoft Security Operations Analyst (Page 8 )

Updated On: 8-Mar-2026

You have a Microsoft 365 subscription that contains 1,000 Windows 11 devices.
The devices have Microsoft 365 Apps installed and are onboarded to Microsoft Defender for Endpoint. You need to mitigate the following device threats:
* Microsoft Excel macros that download scripts from untrusted websites
* Users that open executable attachments in Microsoft Outlook
* Outlook rules and forms exploits
What should you use?

  1. antivirus exclusions of Microsoft Defender for Endpoint
  2. attack surface reduction rules in Microsoft Defender for Endpoint
  3. Windows Defender Firewall rules
  4. adaptive application control in Microsoft Defender for Cloud

Answer(s): B

Explanation:

Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces.
Incorrect:
* antivirus exclusions of Microsoft Defender for Endpoint: exclusions would reduce protection rather than mitigate these threats.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide




You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in near real time.
What should you do to route events to the SIEM solution?

  1. Create a Microsoft Sentinel workspace that has a Security Events connector.
  2. Configure the Diagnostics settings in Azure AD to stream to an event hub.
  3. Create a Microsoft Sentinel workspace that has an Azure Active Directory connector.
  4. Configure the Diagnostics settings in Azure AD to archive to a storage account.

Answer(s): B


Reference:

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring




DRAG DROP
You have an Azure subscription linked to a Microsoft Entra tenant. The tenant contains two users named User1 and User2.
You plan to deploy Microsoft Defender for Cloud.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.


The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Owner
Only the Owner can assign initiatives.
Box 2: Contributor
Only the Contributor or the Owner can apply security recommendations.


Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions




HOTSPOT
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Turn on Live Response
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.
Box 2:
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide




HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1. You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: join
An inner join.
This query uses kind=inner to specify an inner join, which prevents deduplication of left-side values for DeviceId.
This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.
DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
Box 2: project


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide



Viewing page 8 of 79
Viewing questions 36 - 40 out of 424 questions