Microsoft SC-200 Exam Questions
Microsoft Security Operations Analyst (Page 9)

Updated On: 8-Mar-2026

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online. You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.
What should you use?

  1. a file policy in Microsoft Defender for Cloud Apps
  2. an access review policy
  3. an alert policy in Microsoft Defender for Office 365
  4. an insider risk management policy

Answer(s): D




Your organization has a Microsoft 365 subscription and uses Microsoft Defender XDR and Microsoft Purview. You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?

  1. the Incidents blade of the Microsoft Defender portal
  2. the Alerts settings on the Data Loss Prevention blade of the Microsoft Purview compliance portal
  3. Activity explorer in the Microsoft Purview compliance portal
  4. the Explorer settings on the Email & collaboration blade of the Microsoft Defender portal

Answer(s): C

Explanation:

Labeling activities are available in Activity explorer.
For example:
* Sensitivity label applied: This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label. It is captured at the time of save in Office native applications and web applications, and at the time of occurrence in Azure Information Protection add-ins.
Label upgrade and downgrade actions can also be monitored via the Label event type field and filter.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide




You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?

  1. Investigations
  2. Devices
  3. Evidence and Response
  4. Alerts

Answer(s): C

Explanation:

The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.
Incorrect:
* The Investigations tab lists all the automated investigations triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender for Endpoint and Defender for Office 365.
* The Devices tab lists all the devices related to the incident.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents




You have a Microsoft 365 E5 subscription that is linked to a hybrid Microsoft Entra tenant. You need to identify all the changes made to the Domain Admins group during the past 30 days.
What should you use?

  1. the Modifications of sensitive groups report in Microsoft Defender for Identity
  2. the identity security posture assessment in Microsoft Defender for Cloud Apps
  3. the Microsoft Entra ID Provisioning Analysis workbook
  4. the Overview settings of Insider risk management

Answer(s): A

Explanation:

Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender.
In my role working with Defender for Identity (MDI) customers, I'm often asked if MDI can help them answer questions about activities taking place within the environment. MDI does have a lot of information around the activities taking place in Active Directory and now, combined with the power of Advanced Hunting in Microsoft 365 Defender, we can help customers answer some of these questions with ease and efficiency.
MDI tracks the changes made to Active Directory group memberships. These changes are recorded by MDI as an activity and are available in Microsoft 365 Defender Advanced Hunting (IdentityDirectoryEvents). MDI records these changes from two different sources:
1. Tracking changes made to an entity by the Active Directory Update Sequence Number (USN). In the case of a group, MDI can see who has been added or removed from a group, but we don't see the actor who made the change or which domain controller the change was made on.
2. Tracking changes to a group, including who performed the action. MDI requires specific Windows events to be recorded on the domain controller.


Reference:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to-sensitive-groups-with-advanced-hunting-in/ba-p/3275198




You have a Microsoft 365 subscription. The subscription uses Microsoft Purview and has data loss prevention (DLP) policies that have aggregated alerts configured.
You need to identify the impacted entities in an aggregated alert.
What should you review in the DLP alert management dashboard of the Microsoft Purview compliance portal?

  1. the Events tab of the alert
  2. the Sensitive Info Types tab of the alert
  3. Management log
  4. the Details tab of the alert

Answer(s): A


