Free Microsoft SC-200 Security Operations Analyst Actual Exam Questions
Dumps Box (DumpsBox) offers up-to-date practice exam questions for the SC-200 certification exam, developed and validated by Microsoft subject-matter experts certified in Microsoft SC-200 Security Operations Analyst. These practice questions are updated regularly: we keep an eye on any changes to the SC-200 syllabus, and when there is an update our team quickly adjusts the questions. This commitment to providing the best-quality exam prep material to certification aspirants is what makes DumpsBox.com the best certification exam prep website. On top of that, our strong, yet strictly moderated, community-based feedback keeps the content clean and current. Each question has helpful community discussion that provides extra perspective and introduces useful resources for better exam preparation. This also saves students from outdated practice questions or illicit exam dumps that can have adverse effects on a career. Browse through our Microsoft SC-200 Security Operations Analyst exam questions and pass your exam on the first try.
DRAG DROP You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment. You need to use the Microsoft Defender portal to request remediation from the team responsible for the affected systems if there is a documented active exploit available. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. 
First, I’d check the CVE details in Defender to confirm the active exploit. Then create an alert to notify the right team. Finally, assign the remediation task so they can start fixing it.
Check CVE exploit status first, then create alert, assign remediation last.
named User1.
You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security policies. The solution must follow the principle of least privilege.
Which role should you assign to User1?
C, because Security Administrator handles both detection rules and endpoint policies properly.
I’m thinking A might be off since Desktop Analytics Admin is more about analytics, not security rules. Could B be too limited if it mainly covers monitoring? Wondering if D grants more device control than security policy rights.
HOTSPOT You need to implement the ASIM query for DNS requests. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area.
Option A matches the current ASIM DNS fields syntax better than B or C.
I think option C might fit since it aligns with the latest ASIM DNS schema updates I've seen, especially on how request fields are handled. B is solid but could miss newer attributes important in Sentinel.
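As an added example (it is not part of the exam item or of the community answers above), here is a complete query written against the ASIM DNS unifying parser. It assumes the ASIM DNS parsers are deployed in the workspace, so that `_Im_Dns` exists; the list of watched domains is a constructed placeholder.

```kusto
// Added example: DNS requests through the ASIM unifying DNS parser _Im_Dns.
// Assumes the ASIM DNS parsers are deployed in the Sentinel workspace.
// The domain list below is a constructed placeholder.
let watchedDomains = dynamic(["malware.example", "c2.example"]);
// Filtering parameters are passed to the parser itself, so the filtering
// happens inside each source-specific parser; calling _Im_Dns() with no
// parameters and filtering afterwards is far more expensive.
_Im_Dns(starttime=ago(1d), endtime=now(), domain_has_any=watchedDomains)
| summarize Requests  = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
          by SrcIpAddr, DnsQuery, DnsResponseCodeName
| order by Requests desc
```

The normalized columns (SrcIpAddr, DnsQuery, DnsResponseCodeName, TimeGenerated) are the same whatever the underlying source is (Windows DNS Server, Zscaler, Cisco Umbrella, and so on), which is the point of writing the query against the ASIM schema rather than against a vendor table.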
DRAG DROP Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant. You have a Microsoft Sentinel workspace named Sentinel1. You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel1 and collect security events from the AD DS domain. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. 
I’d start by enabling Defender for Identity since it focuses on AD DS security events, then set up the data connector in Sentinel to ingest those events, and lastly turn on UEBA to analyze the collected data.
Starting with enabling Defender for Identity makes sense since it directly monitors AD DS. After that, setting up event collection ensures data flows into Sentinel1, and finally turning on UEBA lets you analyze behaviors effectively.
DRAG DROP You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment. You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a documented active exploit available. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. 
Checking for active exploits in Threat Analytics (D) first helps confirm if the vulnerability is being actively used. Then listing affected devices (B) before sending the remediation request (C) ensures the team knows exactly what to fix.
I think checking active exploit in Threat Analytics (D) first makes sense before listing devices (B) and sending request (C).
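Both copies of this question (the Defender portal wording above and the Security Center wording here) describe a manual check in Threat analytics followed by listing devices. The same two steps can be run as one advanced hunting query before the remediation request is raised. The query below is an added example, not from the exam or from the comments; the CVE identifier is a constructed placeholder to be replaced with the real one, and it assumes the devices are onboarded to Defender Vulnerability Management.

```kusto
// Added example (not from the exam or the page): does a given CVE have a
// documented exploit, and which onboarded devices are exposed to it?
// Constructed placeholder identifier; replace with the actual CVE.
let targetCve = "CVE-0000-0000";
// Step 1: the vulnerability knowledge base records whether an exploit is
// publicly documented (IsExploitAvailable) together with the CVSS score.
let exploitInfo =
    DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId == targetCve
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate;
// Step 2: the per-device findings list which devices and software are affected.
DeviceTvmSoftwareVulnerabilities
| where CveId == targetCve
| join kind=inner exploitInfo on CveId
| where IsExploitAvailable == true
| summarize AffectedDevices = dcount(DeviceId),
            Devices  = make_set(DeviceName, 100),
            Software = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 100)
          by CveId, VulnerabilitySeverityLevel, CvssScore, PublishedDate
```

An empty result means either no documented exploit or no exposed devices, so no request is needed. A non-empty result gives the device list to attach when you open the CVE under Vulnerability management > Weaknesses and use Request remediation, which is what routes the work to the team that owns the affected systems.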
HOTSPOT You have a Microsoft Sentinel workspace. You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that produces a schema named Schema1. You need to validate Schema1. How should you complete the command? To answer, select the appropriate options in the answer area.
Make sure the command includes both Parser1 and Schema1 parameters explicitly.
I think the key is to specify both the parser and schema in the command so it knows exactly what to validate, which rules out any generic validation commands. So, options mentioning both Parser1 and Schema1 make the most sense here.
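The two validation commands written out in full, as an added example rather than the exam's answer key. They assume the ASIM testing functions (ASimSchemaTester and ASimDataTester) have been deployed to the workspace from the ASIM GitHub repository; the schema argument must be a real ASIM schema name such as 'Dns' or 'NetworkSession', and 'Schema1' is kept here only because the exam item uses it.

```kusto
// Added example (not from the exam or the page): validating a custom ASIM
// parser. Assumes ASimSchemaTester and ASimDataTester are deployed in the
// workspace. Run each of the two queries separately in Logs.
//
// Schema test: checks that the columns Parser1 outputs (names and types)
// match the target schema, and flags missing mandatory or misnamed fields.
Parser1
| getschema
| invoke ASimSchemaTester('Schema1')

// Data test: runs the parser over real data and checks the values in each
// field (enumerated values, mandatory fields populated, types parse).
Parser1
| invoke ASimDataTester('Schema1')
```

The schema tester only looks at the output schema via `getschema`, so it runs quickly and needs no data; the data tester needs actual events flowing through Parser1 and is the one that catches wrong enumeration values such as an EventResult that is not Success, Partial, Failure or NA.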
DRAG DROP You are investigating an incident by using Microsoft 365 Defender. You need to create an advanced hunting query to detect failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop. How should you complete the query? To answer, select the appropriate options in the answer area. 
Using 'DeviceName_s in' with a list is cleaner than multiple OR conditions.
I’d go with filtering on the SigninLogs table since it tracks sign-in events and uses DeviceName_s for device names. For failed sign-ins, filtering on ResultType == 50074 or Status == "Failure" usually catches those failures cleanly. Then just use a where clause checking if DeviceName_s matches any of the three laptops. That way you avoid partial matches or case sensitivity issues. Also, it’s better to use an “in” statement for the device names rather than multiple ORs for cleaner code.
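As an added example (not the exam's answer key and not one of the comments above), here is a complete advanced hunting query for the three devices. It assumes the devices are onboarded to Defender for Endpoint, so their logon activity lands in DeviceLogonEvents; in advanced hunting DeviceName is the fully qualified name, so the host label is split off before matching.

```kusto
// Added example (not from the exam or the page): failed sign-ins on three
// named devices in Microsoft 365 Defender advanced hunting.
let targetDevices = dynamic(["CFOLaptop", "CEOLaptop", "COOLaptop"]);
DeviceLogonEvents
| where Timestamp > ago(7d)
| where ActionType == "LogonFailed"
// DeviceName is a FQDN (e.g. cfolaptop.contoso.com), so compare only the
// host label, case-insensitively, rather than the whole string.
| extend Host = tostring(split(DeviceName, ".")[0])
| where Host in~ (targetDevices)
| summarize FailedLogons = count(),
            Accounts     = make_set(AccountName, 50),
            LastAttempt  = max(Timestamp)
          by DeviceName, LogonType, FailureReason
| order by FailedLogons desc
```

Grouping by LogonType and FailureReason separates a user mistyping a password at the console from, say, repeated remote-interactive failures from a script, which is the distinction an investigator wants before escalating.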
You discover eight alerts in the incident that require further investigation. You need to escalate the alerts to another Azure Sentinel administrator. What should you do to provide the alerts to the administrator?
Sharing the incident URL (B) is the easiest way to let the other admin check those alerts without taking over the whole incident. It keeps things simple and flexible. B
B, IMO: sharing the incident URL lets the other admin access everything and decide what to focus on without locking the whole incident to them. It’s simpler than reassigning the entire incident.
DRAG DROP You create a new Azure subscription and start collecting logs for Azure Monitor. You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running Windows Server. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
I'd say start by enabling Microsoft Defender for the subscription first, so protection is active. Then onboard the Azure VM to ensure it's monitored, and finally trigger the alert with the malicious file simulation.
You can also start by onboarding the VM (B) if Defender is already enabled by default, then simulate the malicious file (C), and finally check alerts. Skipping onboarding means no data to analyze even if Defender’s on.
incident
You need to review the incident tasks that were performed. What can you use on the Incident page?
I’m thinking it has to be D as well. The alert timeline gives crucial insight into alert progression that you can’t ignore when reviewing incident tasks. Just looking at tasks or activity logs (A, B, or C) isn’t enough to get the full picture of what happened during the incident response.
Makes sense to me that it’s D. The alert timeline adds valuable context you can’t get from just tasks or activity logs alone.
HOTSPOT You have an Azure subscription named Sub1 and an Azure DevOps organization named AzDO1. AzDO1 uses Defender for Cloud and contains a project that has a YAML pipeline named Pipeline1. Pipeline1 outputs the details of discovered open source software vulnerabilities to Defender for Cloud. You need to configure Pipeline1 to output the results of secret scanning to Defender for Cloud. What should you add to Pipeline1? To answer, select the appropriate options in the answer area.
I think adding just the secret scanning task (B) won’t be enough—there must be a way to push those results to Defender. So probably need to add both the secret scan task and the publish step (like D) for the results to show in Defender.
Adding a task alone won’t send results; need to confirm publishing step too.
You need to create a visual based on the SecurityEvent table. The solution must meet the following requirements:
• Identify the number of security events ingested during the past week.
• Display the count of events by day in a timechart.
What should you add to Workbook1?
I’m thinking B might not fit since metrics usually track performance counters, not detailed event counts. If we want a timechart by day, wouldn’t a query pulling SecurityEvent data be more straightforward?
Maybe A, since a query directly pulls and visualizes the event counts by day.
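The query a Query step in Workbook1 would contain, as an added example that is not from the exam or from the comments. It assumes the SecurityEvent table is being populated (Windows security events are being ingested into the workspace).

```kusto
// Added example (not from the exam or the page): the KQL behind a workbook
// "Query" step that meets both requirements. In the workbook, set the step's
// Visualization to "Time chart"; the render hint below does the same when the
// query is run directly in Logs.
let lookback = 7d;
SecurityEvent
| where TimeGenerated > ago(lookback)
| summarize EventCount = count() by bin(TimeGenerated, 1d)
| render timechart
```

The daily bins answer the second requirement directly, and the first (events ingested in the past week) is the sum of those bins; if a single headline number is wanted next to the chart, the same filter with `| count` in a Tiles step gives it without a second table scan on a different window.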
DRAG DROP You need to add notes to the events to meet the Azure Sentinel requirements. Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Choosing the event first makes sense so you know where to add the note. After that, adding the actual note should come before saving, or else there’s nothing to save. So the order has to be select event, add note, then save.
I agree with starting by selecting the event, but I’d add that after that, you should choose the option to add or edit notes before saving. You can't save notes without entering them first, so the middle step has to be opening the note editor or similar. Saving is obviously last to lock in your changes. This sequence makes sense to avoid errors and ensure the note actually gets attached properly.
DRAG DROP You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity. You need to hide the alerts automatically in Security Center. Which three actions should you perform in sequence in Security Center? 
You can also try setting up an automation rule to filter these alerts based on severity or source, then apply a status update to hide them automatically. This avoids messing with custom detection rules.
I’d drop creating a custom alert rule first to target the noisy alerts, then configure alert suppression with that rule, and finally set auto-hide so those suppressed alerts don’t clutter the dashboard.
HOTSPOT You have the resources shown in the following table.
You have an Azure subscription that uses Microsoft Defender for Cloud. You need to use Defender for Cloud to protect VM1 and Server1. The solution must meet the following requirements:
• Support Advanced Threat Protection and vulnerability assessment.
• Register each SQL Server 2022 instance as a SQL virtual machine.
• Minimize implementation and administrative effort.
What should you deploy to each server? To answer, select the appropriate options in the answer area.
If Server1 isn't an Azure VM but on-prem, deploying the Defender for SQL Server extension there makes sense. VM1, as an Azure VM, should have the SQL IaaS Agent Extension to support advanced protection and vulnerability scans.
I agree with using the SQL IaaS Agent extension on VM1 since it’s an Azure VM and that extension handles both vulnerability assessment and advanced threat protection automatically. For Server1, if it’s on-premises or a non-Azure VM, the Defender for SQL Server extension is the way to go because it supports ATP and vulnerability scans but doesn’t require you to register it as a SQL virtual machine. This setup keeps admin effort low for both servers and meets all the requirements without extra manual steps.