2025 Realistic Verified Free Microsoft SC-200 Exam Questions
SC-200 Real Exam Questions and Answers FREE
The Microsoft SC-200 certification exam is an excellent credential for security professionals who are interested in validating their security operations skills. By passing the exam, you will demonstrate your ability to identify and mitigate security threats, analyze security data, and respond to security incidents. The Microsoft Security Operations Analyst certification is a valuable credential that can help you advance your career and demonstrate your commitment to staying current with the latest security best practices and methodologies.
The Microsoft SC-200 certification is a valuable credential for security professionals who are looking to advance their careers in the field of cybersecurity. The Microsoft Security Operations Analyst certification demonstrates that the holder has the skills and knowledge needed to monitor and respond to security threats in Microsoft environments. It is highly regarded by employers, as it validates that the holder has the skills and knowledge needed to protect critical business systems from cyber threats.
The Microsoft SC-200 exam measures the skills and knowledge needed to perform security operations tasks such as identifying and investigating security incidents, configuring security solutions, and implementing security controls. The Microsoft Security Operations Analyst certification exam is designed to validate the skills of security professionals who are responsible for protecting Microsoft environments against cyber threats. The SC-200 exam is an important step towards obtaining other Microsoft security certifications, such as the Microsoft Certified: Azure Security Engineer Associate certification.
NEW QUESTION # 170
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
- A. a hunting query
- B. a watchlist
- C. a workbook
- D. an analytic rule
Answer: D
Explanation:
To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create an analytic rule in the Microsoft Sentinel workspace. An analytic rule allows you to customize the behavior of the unified ASIM parser and exclude specific source-specific parsers from being used. Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-analytic-rule
NEW QUESTION # 171
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.
What should you create first?
- A. device groups
- B. device tags
- C. sensitive entity tags
- D. honeytoken entity tags
Answer: A
NEW QUESTION # 172
You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains two users named User1 and User2.
You plan to deploy Azure Defender.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.
The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
NEW QUESTION # 173
You have a Microsoft 365 subscription that uses Microsoft Purview.
Your company has a project named Project1.
You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.
What should you do?
- A. Perform an audit search.
- B. Perform a content search.
- C. Perform a user data search.
- D. Create a records management disposition.
Answer: B
NEW QUESTION # 174
You need to implement the Microsoft Sentinel NRT rule for monitoring the designated break glass account.
The solution must meet the Microsoft Sentinel requirements.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 175
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.
You initiate a live response session on each device.
You need to collect a Defender for Endpoint investigation package from each device.
On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?
- A. Device1, Device2, Device3, and Device4
- B. Device3 and Device4 only
- C. Device1, Device2, and Device3 only
- D. Device1 and Device2 only
Answer: C
NEW QUESTION # 176
You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to ensure that Security Center processes events from the Azure virtual machines that report to workspace1.
What should you do?
- A. In sub1, register a provider.
- B. From Security Center, create a Workflow automation.
- C. In workspace1, create a workbook.
- D. In workspace1, install a solution.
Answer: D
Explanation/Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
NEW QUESTION # 177
You need to implement the Defender for Cloud requirements.
What should you configure for Server2?
- A. an Azure resource lock
- B. the Azure Automanage machine configuration extension for Windows
- C. the Microsoft Antimalware extension
- D. an Azure resource tag
Answer: D
Explanation:
Topic 4, Misc. Questions
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote users located across the globe. The remote users access company resources, including cloud resources, by using a VPN connection to a branch office.
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses Azure AD Connect with pass-through authentication enabled and password hash synchronization disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory Premium Plan 2 license. Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and enables log collectors.
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022 image. The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of impossible travel alerts that are false positives. Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.
Fabrikam plans to implement the following services:
* Microsoft Defender for Cloud
* Microsoft Sentinel
Fabrikam identifies the following business requirements:
* Use the principle of least privilege, whenever possible.
* Minimize administrative effort.
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
* Ensure that impossible travel alert policies are based on the previous activities of each user.
* Reduce the amount of impossible travel alerts that are false positives.
* Minimize the administrative effort required to investigate the false positive alerts.
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
* Ensure that the members of Group2 can modify security policies.
* Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the Azure subscription level.
* Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.
* Minimize the administrative effort required to investigate the false positive alerts.
Fabrikam identifies the following Microsoft Sentinel requirements:
* Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced Security Information Model (ASIM) unifying parsers.
* From AWS EC2 instances, collect Windows Security event log entries that include local group membership changes.
* Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics (UEBA).
* Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
* Ensure that App1 is available for use in Microsoft Sentinel automation rules.
* Identify the mean time to triage for incidents generated during the last 30 days.
* Identify the mean time to close incidents generated during the last 30 days.
* Ensure that the members of Group1 can create and run playbooks.
* Ensure that the members of Group1 can manage analytics rules.
* Run hunting queries on Pool1 by using Jupyter notebooks.
* Ensure that the members of Group2 can manage incidents.
* Maximize the performance of data queries.
* Minimize the amount of collected data.
NEW QUESTION # 178
You need to create a query for a workbook. The query must meet the following requirements:
* List all incidents by incident number.
* Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Reference:
https://www.drware.com/whats-new-soc-operational-metrics-now-available-in-sentinel/
NEW QUESTION # 179
You have a Microsoft Sentinel workspace that contains a custom workbook.
You need to query the number of daily security alerts. The solution must meet the following requirements:
* Identify alerts that occurred during the last 30 days.
* Display the results in a timechart.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 180
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Turn on Live Response
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.
Box 2: Add a network assessment job
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide
NEW QUESTION # 181
Your on-premises network contains 100 servers that run Windows Server.
You have an Azure subscription that uses Microsoft Sentinel.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
What should you do? To answer, select the appropriate options in the answer area.
Answer:
Explanation:
NEW QUESTION # 182
You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
NEW QUESTION # 183
You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector.
While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query.
By which two components can you group alerts into incidents? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
- A. user
- B. IP address
- C. resource group
- D. computer
Answer: B,D
NEW QUESTION # 184
You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.
You are troubleshooting an issue on the virtual machines.
In Security Center, you need to view the alerts generated by the virtual machines during the last five days.
What should you do?
- A. View the Windows event logs on the virtual machines.
- B. Change the rule expiration date of the suppression rule.
- C. Modify the filter for the Security alerts page.
- D. Change the state of the suppression rule to Disabled.
Answer: D
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules
NEW QUESTION # 185
You have an Azure subscription that contains the following resources:
* A virtual machine named VM1 that runs Windows Server
* A Microsoft Sentinel workspace named Sentinel1 that has User and Entity Behavior Analytics (UEBA) enabled
You have a scheduled query rule named Rule1 that tracks sign-in attempts to VM1.
You need to update Rule1 to detect when a user from outside the IT department of your company signs in to VM1. The solution must meet the following requirements:
* Utilize UEBA results.
* Maximize query performance.
* Minimize the number of false positives.
How should you complete the rule definition? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 186
You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams.
You have a team named Team1 that has a project named Project1.
You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.
Which KQL query should you run?
- A.

- B.

- C.

- D.

Answer: D
NEW QUESTION # 187
You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel.
You need to deploy the log forwarder.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
1 - Download and install the Log Analytics agent.
2 - Set the Log Analytics agent to listen on port 25226 and forward the CEF messages to Azure Sentinel.
3 - Configure the syslog daemon. Restart the syslog daemon and the Log Analytics agent.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog
NEW QUESTION # 188
You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?
- A. a notebook
- B. a workbook
- C. a playbook
- D. a hunting query
Answer: B
Explanation:
A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription. Reference:
https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview
NEW QUESTION # 189
You have four Azure subscriptions. One of the subscriptions contains a Microsoft Sentinel workspace.
You need to deploy Microsoft Sentinel data connectors to collect data from the subscriptions by using Azure Policy. The solution must ensure that the policy will apply to new and existing resources in the subscriptions.
Which type of connectors should you provision, and what should you use to ensure that all the resources are monitored? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 190
You need to meet the Microsoft Sentinel requirements for collecting Windows Security event logs.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 191
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You need to implement deception rules.
The solution must ensure that you can limit the scope of the rules.
What should you create first?
- A. device tags
- B. sensitive entity tags
- C. device groups
- D. honeytoken entity tags
Answer: A
NEW QUESTION # 192
You have a Microsoft Sentinel workspace named sws1.
You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in sws1.
You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:
* Minimize administrative effort.
* Use the principle of least privilege.
How should you configure the credentials? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 193
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
NEW QUESTION # 194