
SC-200 Online Practice Questions and Answers

Questions 4

You have a Microsoft 365 subscription that uses Azure Defender.

You have 100 virtual machines in a resource group named RG1.

You assign the Security Admin role to a new user named SecAdmin1.

You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege.

Which role should you assign to SecAdmin1?

A. the Security Reader role for the subscription

B. the Contributor for the subscription

C. the Contributor role for RG1

D. the Owner role for RG1


Correct Answer: C

Questions 5

You have a custom analytics rule to detect threats in Azure Sentinel.

You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.

What is a possible cause of the issue?

A. There are connectivity issues between the data sources and Log Analytics.

B. The number of alerts exceeded 10,000 within two minutes.

C. The rule query takes too long to run and times out.

D. Permissions to one of the data sources of the rule query were modified.


Correct Answer: D

Permanent failure: a rule is auto-disabled for one of the following reasons:

• The target workspace (on which the rule query operated) has been deleted.
• The target table (on which the rule query operated) has been deleted.
• Microsoft Sentinel has been removed from the target workspace.
• A function used by the rule query is no longer valid; it has been either modified or removed.
• Permissions to one of the data sources of the rule query were changed.
• One of the data sources of the rule query was deleted or disconnected.

Reference:

https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom

Questions 6

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are configuring Azure Sentinel.

You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.

Solution: You create a livestream from a query.

Does this meet the goal?

A. Yes

B. No


Correct Answer: B

Reference: https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

Questions 7

You have a Microsoft Sentinel workspace that uses the Microsoft 365 Defender data connector.

From Microsoft Sentinel, you investigate a Microsoft 365 incident.

You need to update the incident to include an alert generated by Microsoft Defender for Cloud Apps.

What should you use?

A. the entity side panel of the Timeline card in Microsoft Sentinel

B. the Timeline tab on the incidents page of Microsoft Sentinel

C. the investigation graph on the incidents page of Microsoft Sentinel

D. the Alerts page in the Microsoft 365 Defender portal


Correct Answer: A

Add alerts using the entity timeline (Preview) (see steps 5 to 7 below)

The entity timeline, as featured in the new incident experience (now in Preview), presents all the entities in a particular incident investigation. When an entity in the list is selected, a miniature entity page is displayed in a side panel.

1. From the Microsoft Sentinel navigation menu, select Incidents.

2. Select an incident to investigate. In the incident details panel, select View full details.

3. In the incident page, select the Entities tab.

4. Select an entity from the list.

5. In the entity page side panel, select the Timeline card.

6. Select an alert external to the open incident. These are indicated by a grayed-out shield icon and a dotted-line color band representing the severity. Select the plus-sign icon on the right end of that alert.

7. Confirm adding the alert to the incident by selecting OK. You'll receive a notification confirming the adding of the alert to the incident, or explaining why it was not added.

You'll see that the added alert now appears in the open incident's Timeline widget in the Overview tab, with a full-color shield icon and a solid-line color band like any other alert in the incident.

The added alert is now a full part of the incident, and any entities in the added alert (that weren't already part of the incident) have also become part of the incident. You can now explore those entities' timelines for their other alerts that are now eligible to be added to the incident.

Note: Microsoft Sentinel's Microsoft 365 Defender incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft 365 Defender include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation.

Working with Microsoft 365 Defender incidents in Microsoft Sentinel and bi-directional sync

Microsoft 365 Defender incidents will appear in the Microsoft Sentinel incidents queue with the product name Microsoft 365 Defender, and with similar details and functionality to any other Sentinel incidents. Each incident contains a link back to the parallel incident in the Microsoft 365 Defender portal.

Questions 8

HOTSPOT

You have a Microsoft 365 E5 subscription.

You plan to perform cross-domain investigations by using Microsoft 365 Defender.

You need to create an advanced hunting query to identify devices affected by a malicious email attachment.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:


Correct Answer:

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-query-emails-devices?view=o365-worldwide

Questions 9

HOTSPOT

You are informed of an increase in malicious email being received by users.

You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious email.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:


Correct Answer:

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide

Questions 10

HOTSPOT

You have an Azure subscription that uses Microsoft Defender for Cloud.

You create a Google Cloud Platform (GCP) organization named GCP1.

You need to onboard GCP1 to Defender for Cloud by using the native cloud connector. The solution must ensure that all future GCP projects are onboarded automatically.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:


Correct Answer:

Box 1: A management project and a custom role (see step 5 below). (Optional) If you select Organization, a management project and an organization custom role will be created on your GCP project for the onboarding process. Auto-provisioning will be enabled for the onboarding of new projects.

Box 2: Run the script in the GCP Cloud Shell (see steps 10 to 12 below).

Note: To protect your GCP-based resources, you can connect a GCP project with either:

• Native cloud connector (recommended): provides an agentless connection to your GCP account that you can extend with Defender for Cloud's Defender plans to secure your GCP resources.
• Classic cloud connector.

To connect your GCP project to Defender for Cloud with a native connector:

1. Sign in to the Azure portal.

2. Navigate to Defender for Cloud > Environment settings.

3. Select + Add environment.

4. Select the Google Cloud Platform.

5. Enter all relevant information. (Optional) If you select Organization, a management project and an organization custom role will be created on your GCP project for the onboarding process. Auto-provisioning will be enabled for the onboarding of new projects.

6. Select Next: Select Plans.

7. Toggle the plans you want to connect to On.

8. Select Next: Configure access.

9. Select Copy.

10. Select the GCP Cloud Shell >.

11. The GCP Cloud Shell will open.

12. Paste the script into the Cloud Shell terminal and run it.

Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp

Questions 11

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You have the on-premises devices shown in the following table.

You are preparing an incident response plan for devices infected by malware. You need to recommend response actions that meet the following requirements:

1. Block malware from communicating with and infecting managed devices.

2. Do NOT affect the ability to control managed devices.

Which actions should you use for each device? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:


Correct Answer:

Questions 12

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

You investigate Device1 for malicious activity and discover a suspicious file named File1.exe. You collect an investigation package from Device1.

You need to review the following forensic data points:

1. Is an attacker currently accessing Device1 remotely?

2. When was File1.exe first executed?

Which folder in the investigation package should you review for each data point? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:


Correct Answer:

Questions 13

HOTSPOT

You need to create an advanced hunting query to investigate the executive team issue.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:


Correct Answer:

Exam Code: SC-200
Exam Name: Microsoft Security Operations Analyst
Last Update: Jun 12, 2025
Questions: 394
