SC-200 Online Practice Questions and Answers

Questions 4

You need to complete the query for failed sign-ins to meet the technical requirements. Where can you find the column name to complete the where clause?

A. Security alerts in Azure Security Center

B. Activity log in Azure

C. Azure Advisor

D. the query windows of the Log Analytics workspace

Questions 5

You have an Azure subscription that uses Microsoft Defender for Cloud.

You have a GitHub account named Account1 that contains 10 repositories.

You need to ensure that Defender for Cloud can access the repositories in Account1.

What should you do first in the Microsoft Defender for Cloud portal?

A. Enable integrations.

B. Enable a plan.

C. Add an environment.

D. Enable security policies.

Questions 6

A custom analytics rule that can detect threats in Azure Sentinel stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED. What is the problem?

A. The number of alerts exceeded 10,000 within two minutes.

B. There are connectivity issues between the data sources and Log Analytics.

C. The rule query takes too long to run and times out.

D. Permissions to one of the data sources of the rule query were modified.

Questions 7

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.

You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort.

What should you do in the Microsoft 365 Defender portal?

A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.

C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.

D. Select Add indicator and set the IP address to 171.23.34.32/27.

Questions 8

You have a Microsoft 365 subscription that uses Microsoft Purview.

Your company has a project named Project1.

You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.

What should you do?

A. Create a records management disposition.

B. Perform a user data search.

C. Perform an audit search.

D. Perform a content search.

Questions 9

You have a Microsoft 365 subscription that contains the following resources:

1. 100 users that are assigned a Microsoft 365 E5 license

2. 100 Windows 11 devices that are joined to the Microsoft Entra tenant

The users access their Microsoft Exchange Online mailbox by using Outlook on the web.

You need to ensure that if a user account is compromised, the Outlook on the web session token can be revoked. What should you configure?

A. security defaults in Microsoft Entra

B. Microsoft Entra Verified ID

C. a Conditional Access policy in Microsoft Entra

D. Microsoft Entra ID Protection

Questions 10

You have a Microsoft Sentinel workspace named SW1.

In SW1, you investigate an incident that is associated with the following entities:

1. Host

2. IP address

3. User account

4. Malware name

Which entity can be labeled as an indicator of compromise (IoC) directly from the incident's page?

A. malware name

B. host

C. user account

D. IP address

Questions 11

HOTSPOT

You have the following SQL query.

For each of the following statements, select Yes if the statement is true. Otherwise, select No. NOTE: Each correct selection is worth one point.

Hot Area:

Questions 12

HOTSPOT

You have the resources shown in the following table.

You have an Azure subscription that uses Microsoft Defender for Cloud.

You need to use Defender for Cloud to protect VM1 and Server1. The solution must meet the following requirements:

1. Support Advanced Threat Protection and vulnerability assessment.

2. Register each SQL Server 2022 instance as a SQL virtual machine.

3. Minimize implementation and administrative effort.

What should you deploy to each server? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Questions 13

DRAG DROP

You have a Microsoft Sentinel workspace that contains an Azure AD data connector.

You need to associate a bookmark with an Azure AD-related incident.

What should you do? To answer, drag the appropriate blades to the correct tasks. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Select and Place:

Exam Code: SC-200
Exam Name: Microsoft Security Operations Analyst
Last Update: Jun 06, 2026
Questions: 406