[Q151-Q169] Real Microsoft SC-200 Exam Questions [Updated 2026]

Share

Real Microsoft SC-200 Exam Questions [Updated 2026]

SC-200 Exam Dumps Pass with Updated 2026 Microsoft Security Operations Analyst


Microsoft SC-200 exam covers a wide range of topics, including threat protection, vulnerability management, incident response, and compliance. Microsoft Security Operations Analyst certification exam is designed to test a candidate's ability to identify, assess, and respond to security threats in real-time. SC-200 exam consists of multiple-choice questions that test a candidate's knowledge and skills in various areas of cybersecurity. SC-200 exam duration is 180 minutes, and the candidate must score at least 700 out of 1000 to pass the exam.

 

NEW QUESTION # 151
You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel.
You need to deploy the log forwarder.
Which three actions should you perform in sequence? To answer, move the appropriate actions form the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog


NEW QUESTION # 152
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.
You investigate Device1 for malicious activity and discover a suspicious file named File1.exe. You collect an investigation package from Device1.
You need to review the following forensic data points:
. Is an attacker currently accessing Device1 remotely?
. When was File1.exe first executed?
Which folder in the investigation package should you review for each data point? To answer, select the appropriate options in the answer area.

Answer:

Explanation:

Explanation:

To determine whether a device is being accessed remotely by an attacker, analysts must inspect active network connections collected from the investigation package.
Microsoft Defender for Endpoint investigation packages contain a NetworkConnections.txt file that includes all established, listening, and closed network sessions, including remote IP addresses, ports, and associated processes.
Microsoft's official Defender for Endpoint documentation states:
"The investigation package includes a list of active network connections at the time of collection, helping analysts identify potential remote access activity or suspicious outbound connections." By reviewing the network connections folder/file, you can check for any live sessions to external IPs, RDP, SSH, or other remote-control tools indicating an attacker's presence.
Data Point 2: When was File1.exe first executed?
# Verified Answer = Prefetch files
To find when a file was first executed, you use Prefetch files.
Windows Prefetch is a forensic artifact that records metadata about executables that have been launched, including:
* The first and last execution timestamps
* The number of times executed
* The path and hash of the executable
Microsoft's forensic analysis guidance for Defender investigation packages specifies:
"Prefetch files provide information on when applications were first and last executed, which assists in establishing file execution timelines during investigations." Therefore, to determine when File1.exe was first executed, you should analyze the Prefetch files contained within the investigation package.
# Final Verified Answers:
Forensic Data Point
Folder/File to Review
Is an attacker currently accessing Device1 remotely?
Network connections
When was File1.exe first executed?
Prefetch files
Summary:
* Network connections # Identify active remote sessions (possible attacker access)
* Prefetch files # Determine first execution time of suspicious executable These answers align with Microsoft Defender for Endpoint investigation package structure and Microsoft 365 E5 SecOps documentation.


NEW QUESTION # 153
You need to build a KQL query in a Microsoft Sentinel workspace. The query must return the SecurityEvent record for accounts that have the last record with an EventID value of 4624. How should you complete the query' To answer, select the appropriate options in the answer area.
NOTE: Each coned selection is worth one point

Answer:

Explanation:

Explanation:


NEW QUESTION # 154
You have an Azure subscription that uses Microsoft Sentinel and contains a user named User1.
You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for entity behavior in the Microsoft Entra tenant. The solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation:


NEW QUESTION # 155
Your on-premises network contains 100 servers that run Windows Server.
You have an Azure subscription that uses Microsoft Sentinel.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
What should you do? To answer, select the appropriate options m the answer area.

Answer:

Explanation:


NEW QUESTION # 156
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.
Does this meet the goal?

  • A. Yes
  • B. No

Answer: B

Explanation:
Explanation
You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts


NEW QUESTION # 157
You have an Microsoft Sentinel workspace named SW1.
You plan to create a custom workbook that will include a time chart.
You need to create a query that will identify the number of security alerts per day for each provider.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation


NEW QUESTION # 158
The issue for which team can be resolved by using Microsoft Defender for Endpoint?

  • A. sales
  • B. marketing
  • C. executive

Answer: A

Explanation:
According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices-including Windows, macOS, Android, and iOS-against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the team to malware, phishing, and data leakage threats.
By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint's mobile threat defense (MTD) capabilities detect malicious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access-ensuring only secure, compliant devices can access corporate resources. This directly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.
Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolved using Microsoft Defender for Endpoint.


NEW QUESTION # 159
You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.
What should you recommend for each threat? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault


NEW QUESTION # 160
You have a Microsoft 365 E5 subscription.
You need to search the Microsoft Purview audit log by using PowerShell on a Windows device.
What should you do first?

  • A. Enable PowerShell remoting.
  • B. Install the Microsoft Exchange Online PowerShell module.
  • C. Install the Microsoft Graph PowerShell module.
  • D. Modify the TrustedHosts list

Answer: B


NEW QUESTION # 161
You have a Microsoft Sentinel workspace that contains the following Advanced Security Information Model (ASIM) parsers:
* _Im_ProcessCreate
* InProceessCreate
You create a new source-specific parser named vimProcessCreate.
You need to modify the parsers to meet the following requirements:
* Call all the ProcessCreate parsers.
* Standardize fields to the Process schema.
Which parser should you modify to meet each requirement? To answer, drag the appropriate parsers to the correct requirements. tach parser may be used once, more than once, or not at all You may need to drag the split bar between panes or scroll to view content.
NOTE Each correct selection is worth one point.

Answer:

Explanation:


NEW QUESTION # 162
Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
Create and run playbooks
Create workbooks and analytic rules.
The solution must use the principle of least privilege.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles


NEW QUESTION # 163
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide


NEW QUESTION # 164
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 36S.
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.
You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers.
How should you complete The KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Answer:

Explanation:

Explanation


NEW QUESTION # 165
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows device named Device 1. You initiate a live response session on Device1 and launch an executable file named File1.exe in the background. You need to perform the following actions:
* Identify the command ID of File1 exe.
* lnteractwithFile1.exe.
Which live response command should you run for each action? To answer, select the appropriate options in the answer area.
NOTE Each correct selection is worth one point.

Answer:

Explanation:

Explanation:


NEW QUESTION # 166
You have a Microsoft 365 E5 subscription.
You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the following requirements:
* Only show emails sent during the last hour.
* Optimize query performance.
How should you complete the query? To answer, select the appropriate options in the answer area. NOTE:
Each correct selection is worth one point.

Answer:

Explanation:

Explanation:


NEW QUESTION # 167
You have a Microsoft 365 subscription that uses Microsoft Purview and contains a Microsoft SharePoint Online site named Site1. Site1 contains the files shown in the following table.

From Microsoft Purview, you create the content search queries shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE; Each correct selection is worth one point.

Answer:

Explanation:

Explanation:


NEW QUESTION # 168
You have an Azure subscription. The subscription contains 10 virtual machines that are onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior on a virtual machine, you receive an email notification. The solution must generate a test email.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

Explanation:
Step 1: From Logic App Designer, create a logic app.
Create a logic app and define when it should automatically run
1. From Defender for Cloud's sidebar, select Workflow automation.
2. To define a new workflow, click Add workflow automation. The options pane for your new automation opens.

Here you can enter:
A name and description for the automation.
The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.
The Logic App that will run when your trigger conditions are met.
3. From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.
4. Etc.
Step 2: From Logic App Designer, run a trigger.
Manually trigger a Logic App
You can also run Logic Apps manually when viewing any security alert or recommendation.
Step 3: From Workflow automation in Defender for cloud, add a workflow automation.
Configure workflow automation at scale using the supplied policies
Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation


NEW QUESTION # 169
......

SC-200 Exam Dumps, SC-200 Practice Test Questions: https://www.freecram.com/Microsoft-certification/SC-200-exam-dumps.html

Free SC-200 Exam Dumps to Pass Exam Easily: https://drive.google.com/open?id=1fO78Smt4hlQ21gWaF7lyFhdsOZBfqPTd

0
0
0
10