Microsoft SC-200 Questions & Answers

Microsoft Security Operations Analyst


Version: 1.0
Microsoft SC-200 Exam
QUESTION NO: 1 HOTSPOT

General Background

You work at a company that specializes in selling products to customers. There is one office
based in your region. The company uses Azure Defender. The company has a domain named
Company1.

The Current Environment

A breach occurs at your company, in which a hacker uses phishing to steal the credentials of
one of the employees. The manager notices the breach after being informed by the employee.
The manager has a global administrator account with the email address
[email protected]. The email address of the employee who suffered the breach is
[email protected].

An employee in the IT department reports that they saw their colleague running a suspicious script on their company-owned device, and that the data on that employee’s devices has been compromised.

Virtual machines (VMs) are implemented in the company. The employees of the IT department
start using VMs in their daily tasks.

An employee reports that several security recommendations displayed for certain incidents are
not applicable to the company’s policy.

New Requirements

Security alerts must be configured so that any time a high severity alert is triggered, an email is
sent directly to your manager. The security alerts must be configured using REST API.

The manager needs a workflow automation created that triggers automatic remediation when employees of the IT department run suspicious scripts on the company’s devices.

The coordinator of the IT department wants to receive an alert when a successful backup is
done for any VM.

The manager wants a solution that will fine-tune security recommendations in Azure Security
Center.

You need to create a query to configure security alerts as required.

How should you complete the query? To answer, select the appropriate options in the answer
area.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 2


Answer:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 3


Microsoft SC-200 Exam

Explanation:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 4


Microsoft SC-200 Exam

QUESTION NO: 2 HOTSPOT

General Background

You work at a company that specializes in selling products to customers. There is one office
based in your region. The company uses Azure Defender. The company has a domain named
Company1.

The Current Environment

A breach occurs at your company, in which a hacker uses phishing to steal the credentials of
one of the employees. The manager notices the breach after being informed by the employee.
The manager has a global administrator account with the email address
[email protected]. The email address of the employee who suffered the breach is
[email protected].

An employee in the IT department reports that they saw their colleague running a suspicious script on their company-owned device, and that the data on that employee’s devices has been compromised.

Virtual machines (VMs) are implemented in the company. The employees of the IT department
start using VMs in their daily tasks.

An employee reports that several security recommendations displayed for certain incidents are
not applicable to the company’s policy.
"Leading the way in IT Testing & Certification Tools" - www.testking.com 5
Microsoft SC-200 Exam
New Requirements

Security alerts must be configured so that any time a high severity alert is triggered, an email is
sent directly to your manager. The security alerts must be configured using REST API.

The manager needs a workflow automation created that triggers automatic remediation when employees of the IT department run suspicious scripts on the company’s devices.

The coordinator of the IT department wants to receive an alert when a successful backup is
done for any VM.

The manager wants a solution that will fine-tune security recommendations in Azure Security
Center.

You need to use an Azure Resource Manager template to create the workflow automation requested by the manager for when employees of the IT department run suspicious scripts on the company’s devices.

How should you complete the following portion of the template? To answer, select the appropriate
options from the drop-down menus.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 6


Microsoft SC-200 Exam

Answer:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 7


Microsoft SC-200 Exam

Explanation:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 8


Microsoft SC-200 Exam

QUESTION NO: 3

General Background

You work at a company that specializes in selling products to customers. There is one office
based in your region. The company uses Azure Defender. The company has a domain named
Company1.

The Current Environment

A breach occurs at your company, in which a hacker uses phishing to steal the credentials of
one of the employees. The manager notices the breach after being informed by the employee.
The manager has a global administrator account with the email address
[email protected]. The email address of the employee who suffered the breach is
[email protected].

An employee in the IT department reports that they saw their colleague running a suspicious script on their company-owned device, and that the data on that employee’s devices has been compromised.

Virtual machines (VMs) are implemented in the company. The employees of the IT department
start using VMs in their daily tasks.

An employee reports that several security recommendations displayed for certain incidents are
not applicable to the company’s policy.

New Requirements

"Leading the way in IT Testing & Certification Tools" - www.testking.com 9


Microsoft SC-200 Exam
Security alerts must be configured so that any time a high severity alert is triggered, an email is
sent directly to your manager. The security alerts must be configured using REST API.

The manager needs a workflow automation created that triggers automatic remediation when employees of the IT department run suspicious scripts on the company’s devices.

The coordinator of the IT department wants to receive an alert when a successful backup is
done for any VM.

The manager wants a solution that will fine-tune security recommendations in Azure Security
Center.

You need to use a solution that enables the coordinator to receive alerts when a successful
backup is done for any VM.

What solution should you use?

A.
Sensitivity labels

B.
Azure Defender

C.
Azure Monitor

D.
Azure Lighthouse

Answer: C
Explanation:

QUESTION NO: 4

General Background

You work at a company that specializes in selling products to customers. There is one office
based in your region. The company uses Azure Defender. The company has a domain named
Company1.

The Current Environment

"Leading the way in IT Testing & Certification Tools" - www.testking.com 10


Microsoft SC-200 Exam
A breach occurs at your company, in which a hacker uses phishing to steal the credentials of
one of the employees. The manager notices the breach after being informed by the employee.
The manager has a global administrator account with the email address
[email protected]. The email address of the employee who suffered the breach is
[email protected].

An employee in the IT department reports that they saw their colleague running a suspicious script on their company-owned device, and that the data on that employee’s devices has been compromised.

Virtual machines (VMs) are implemented in the company. The employees of the IT department
start using VMs in their daily tasks.

An employee reports that several security recommendations displayed for certain incidents are
not applicable to the company’s policy.

New Requirements

Security alerts must be configured so that any time a high severity alert is triggered, an email is
sent directly to your manager. The security alerts must be configured using REST API.

The manager needs a workflow automation created that triggers automatic remediation when employees of the IT department run suspicious scripts on the company’s devices.

The coordinator of the IT department wants to receive an alert when a successful backup is
done for any VM.

The manager wants a solution that will fine-tune security recommendations in Azure Security
Center.

Your manager assigns you to fine-tune security recommendations in Azure Security Center.

What action should you perform?

A.
Enable attack surface reduction (ASR) rules.

B.
Create a data loss prevention (DLP) policy.

C.
Add Cloud Connectors from Azure Security Center.

D.
Create Exemption rules.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 11


Microsoft SC-200 Exam
Answer: D
Explanation:

QUESTION NO: 5 HOTSPOT

General Background

You work at a company that specializes in managing information systems. The company’s main
office is based in your region and has several branches outside your country. The company uses
Azure Sentinel.

Current Environment

A user in the IT department has created a storage account in Azure for their own personal use
without their coordinator noticing.

A member of the accounting team reports that several workbooks related to customers’ data
have been deleted in the Azure Sentinel workspace of the company.

A member of the IT department reports that five incidents of high severity occurred in the past
week.

A new employee starts working at your company. You create a new account for the employee in
Azure Active Directory. A colleague of the new employee reports that the new employee created
a role assignment the moment they started working on the company’s device.

New Requirements

An analytics rule should be created where the rule query logic will alert the IT coordinator when
any user creates a storage account.

The manager wants to view all delete operations performed in the company’s Azure Sentinel
workspace.

The manager wants to run an investigation about the incidents occurring within the past 10 days
so better analysis can be achieved.

The manager wants to know when any new user in Azure Active Directory creates a role
assignment.

You need to create a query for the rule logic to alert the IT coordinator when a storage account is
created, as requested.
"Leading the way in IT Testing & Certification Tools" - www.testking.com 12
Microsoft SC-200 Exam
How should you complete the query? To answer, select the appropriate options from the drop-
down menus.

Answer:

Explanation:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 13


Microsoft SC-200 Exam
QUESTION NO: 6 HOTSPOT

General Background

You work at a company that specializes in managing information systems. The company’s main
office is based in your region and has several branches outside your country. The company uses
Azure Sentinel.

Current Environment

A user in the IT department has created a storage account in Azure for their own personal use
without their coordinator noticing.

A member of the accounting team reports that several workbooks related to customers’ data
have been deleted in the Azure Sentinel workspace of the company.

A member of the IT department reports that five incidents of high severity occurred in the past
week.

A new employee starts working at your company. You create a new account for the employee in
Azure Active Directory. A colleague of the new employee reports that the new employee created
a role assignment the moment they started working on the company’s device.

New Requirements

An analytics rule should be created where the rule query logic will alert the IT coordinator when
any user creates a storage account.

The manager wants to view all delete operations performed in the company’s Azure Sentinel
workspace.

The manager wants to run an investigation about the incidents occurring within the past 10 days
so better analysis can be achieved.

The manager wants to know when any new user in Azure Active Directory creates a role
assignment.

You need to query the AzureActivity table to fulfill the manager’s request to view delete operations.

How should you complete the query? To answer, select the appropriate options from the drop-down menus.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 14


Microsoft SC-200 Exam

Answer:

Explanation:

QUESTION NO: 7

General Background

You work at a company that specializes in managing information systems. The company’s main
office is based in your region and has several branches outside your country. The company uses
Azure Sentinel.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 15


Microsoft SC-200 Exam
Current Environment

A user in the IT department has created a storage account in Azure for their own personal use
without their coordinator noticing.

A member of the accounting team reports that several workbooks related to customers’ data
have been deleted in the Azure Sentinel workspace of the company.

A member of the IT department reports that five incidents of high severity occurred in the past
week.

A new employee starts working at your company. You create a new account for the employee in
Azure Active Directory. A colleague of the new employee reports that the new employee created
a role assignment the moment they started working on the company’s device.

New Requirements

An analytics rule should be created where the rule query logic will alert the IT coordinator when
any user creates a storage account.

The manager wants to view all delete operations performed in the company’s Azure Sentinel
workspace.

The manager wants to run an investigation about the incidents occurring within the past 10 days
so better analysis can be achieved.

The manager wants to know when any new user in Azure Active Directory creates a role
assignment.

You need to recommend a solution that enables you to run an investigation as required by the
manager.

What solution should you recommend?

A.
Use Data Loss Prevention (DLP) Policies.

B.
Use Microsoft Graph.

C.
Create a workbook in Azure Sentinel.

D.
Create a hunting bookmark.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 16


Microsoft SC-200 Exam
Answer: C
Explanation:

QUESTION NO: 8

General Background

You work at a company that specializes in managing information systems. The company’s main
office is based in your region and has several branches outside your country. The company uses
Azure Sentinel.

Current Environment

A user in the IT department has created a storage account in Azure for their own personal use
without their coordinator noticing.

A member of the accounting team reports that several workbooks related to customers’ data
have been deleted in the Azure Sentinel workspace of the company.

A member of the IT department reports that five incidents of high severity occurred in the past
week.

A new employee starts working at your company. You create a new account for the employee in
Azure Active Directory. A colleague of the new employee reports that the new employee created
a role assignment the moment they started working on the company’s device.

New Requirements

An analytics rule should be created where the rule query logic will alert the IT coordinator when
any user creates a storage account.

The manager wants to view all delete operations performed in the company’s Azure Sentinel
workspace.

The manager wants to run an investigation about the incidents occurring within the past 10 days
so better analysis can be achieved.

The manager wants to know when any new user in Azure Active Directory creates a role
assignment.

You need to find a solution that provides data for the manager about creating new role
assignments.
"Leading the way in IT Testing & Certification Tools" - www.testking.com 17
Microsoft SC-200 Exam
What action should you perform?

A.
Use Azure Lighthouse.

B.
Use a Windows Security Events connector.

C.
Use the SecurityIncident table in Azure Sentinel.

D.
Use Data Retention in Microsoft Defender for Endpoint.

Answer: C
Explanation:

QUESTION NO: 9

You are investigating a potential insider threat at your company. An alert has been triggered in
response to a policy that is designed to identify possible data theft carried out by an employee
leaving the company. Upon examining the alert, you determine that additional escalation is
needed.

You need to escalate this alert to an Advanced eDiscovery investigation.

What action should you take before initiating the Advanced eDiscovery investigation?

A.
Send the user a notice.

B.
Click the resolve case button in the Cases tab.

C.
Add a custodian to an eDiscovery case.

D.
Create an insider risk management case.

Answer: D

"Leading the way in IT Testing & Certification Tools" - www.testking.com 18


Microsoft SC-200 Exam
Explanation:

QUESTION NO: 10

You are using Microsoft Defender for Office 365. In order to protect against malware, you decide
to implement Safe Attachments. Initially, you want to simply track the results of this policy and not
interfere with the delivery of attachments.

You need to create a Safe Attachments policy that fulfills the tracking requirement and sends
potentially malicious attachments to an admin’s email address for review.

Which three configurations should you implement to create the policy? Each correct answer
presents part of the solution.

A.
Click the Add condition button.

B.
Select the Dynamic Delivery option.

C.
Select the Monitor option.

D.
Click the checkbox for Enable redirect.

E.
Select the Block option.

F.
Enter the admin’s email address.

Answer: C,D,F
Explanation:

QUESTION NO: 11

You are using Microsoft Defender for Office 365 to protect SharePoint, OneDrive, and Microsoft
Teams. Your company has seen an increase in attempts to deliver malicious content through
these applications.
"Leading the way in IT Testing & Certification Tools" - www.testking.com 19
Microsoft SC-200 Exam
You need to turn on Safe Attachments for SharePoint, OneDrive, and Microsoft Teams and ensure
that users are not able to download any malicious content to their systems.

Using PowerShell, which two commands should you run to accomplish these requirements? Each
correct answer presents part of the solution.

A.
Using the SharePoint Online PowerShell module, run Set-SPOTenant -DisallowInfectedFileDownload $true.

B.
Using the SharePoint Online PowerShell module, run Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true.

C.
Using the Exchange Online PowerShell module, run Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true.

D.
Using the Exchange Online PowerShell module, run Get-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true.

E.
Using the SharePoint Online PowerShell module, run Get-SPOTenant -DisallowInfectedFileDownload $true.

F.
Using the Exchange Online PowerShell module, run Set-SPOTenant -DisallowInfectedFileDownload $true.

Answer: A,C
Explanation:
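
The two settings behind answers A and C, run in their respective modules and then read back so the change is verified rather than assumed. This is an added PowerShell example, not part of the original question set; it assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell modules are installed, and the tenant name is a placeholder.

```powershell
# Added example: enable Safe Attachments for SharePoint, OneDrive and Teams,
# block downloads of files that were flagged as malicious, then verify both.
# Assumes the ExchangeOnlineManagement and Microsoft.Online.SharePoint.PowerShell
# modules are installed. The tenant name below is a placeholder.
$tenant = 'contoso'   # placeholder tenant name

# Step 1 (Exchange Online PowerShell): turn on Safe Attachments for SPO/ODB/Teams.
Connect-ExchangeOnline
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

# Step 2 (SharePoint Online PowerShell): stop users from downloading files
# that Safe Attachments has marked as malicious.
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com"
Set-SPOTenant -DisallowInfectedFileDownload $true

# Read both settings back; a Set-* cmdlet that is silently rejected (wrong module,
# insufficient role) would otherwise leave the tenant unprotected without any sign.
$atp = Get-AtpPolicyForO365
$spo = Get-SPOTenant
if ($atp.EnableATPForSPOTeamsODB -and $spo.DisallowInfectedFileDownload) {
    Write-Output 'Safe Attachments for SPO/ODB/Teams is on and infected-file download is blocked.'
} else {
    Write-Warning ("Unexpected state: EnableATPForSPOTeamsODB={0}, DisallowInfectedFileDownload={1}" -f
        $atp.EnableATPForSPOTeamsODB, $spo.DisallowInfectedFileDownload)
}
```

Note that the Get-* cmdlets in options D and E do not accept those parameters; they are only used here to read the current values.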

QUESTION NO: 12

Your manager asks you to configure alerts in Microsoft Defender for Endpoint so that the
members of the accounting team can receive alerts when a vulnerability is detected. You configure
the alerts as requested. One of the employees reports that they are not receiving email
notifications when a vulnerability is detected like their colleagues.

You need to make sure the employee receives the email notifications.

What solution should you implement?


"Leading the way in IT Testing & Certification Tools" - www.testking.com 20
Microsoft SC-200 Exam
A.
Delete the notification rule.

B.
Edit the created notification rule.

C.
Modify the Include tenant-specific portal link field of the notification rule.

D.
Check the employee’s Junk Email folder and mark the security emails as Not Junk.

Answer: D
Explanation:

QUESTION NO: 13

The coordinator of the human resources department notices that an application on their device
keeps on running suspicious scripts. The device that the coordinator is using belongs to the
company.

You need to implement a solution that constrains such software behavior.

What solution should you use?

A.
Data Loss Prevention policies

B.
Sensitivity labels

C.
Attack Surface Reduction rules

D.
Data Retention

Answer: C
Explanation:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 21


Microsoft SC-200 Exam
QUESTION NO: 14

Your manager wants the accounting team’s coordinator to be able to create detection rules.

You need to assign the appropriate role for the coordinator.

What role should you assign to the coordinator?

A.
Compliance Administrator

B.
Security Administrator

C.
Compliance Data Administrator

D.
Security Reader

Answer: B
Explanation:

QUESTION NO: 15

You work for a company that is using Microsoft Defender for Endpoint. You have been instructed
to share an overview of the current threat environment with your peers. You are currently
reviewing the Threats summary section of the threat analytics dashboard.

You need to include data from the categories contained in the Threats summary section in your
report.

Which three categories are included in the Threats summary section? Each correct answer
presents part of the solution.

A.
Active alerts

B.
Threats with active alerts

"Leading the way in IT Testing & Certification Tools" - www.testking.com 22


Microsoft SC-200 Exam
C.
No alerts

D.
Resolved alerts

E.
Threats with resolved alerts

F.
Threats with no alerts

Answer: B,E,F
Explanation:

QUESTION NO: 16

You are using Microsoft Defender for Endpoint to create file indicators. You have been tasked with
allowing a specific file to run, so you want to add a file hash indicator of compromise (IoC) to
identify that exact file.

You create an IoC policy with an Allow action and use an MD5 hash for the File indicator. One of
your peers had previously added an IoC policy with a Block and remediate action and also used
an MD5 hash for the File indicator. Both hashes refer to the same identical file.

What action do you need to take to ensure the file is allowed to run?

A.
Delete the IoC policy that is using the Block and remediate action.

B.
Keep both existing policies, but add an IoC policy using an SHA-256 hash File indicator for the
same file with an Allow action.

C.
Keep both existing policies active as the Allow action will take precedence.

D.
Delete the IoC policy that is using the Allow action.

Answer: A
Explanation:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 23


Microsoft SC-200 Exam

QUESTION NO: 17

You are using Microsoft Defender for Endpoint APIs to assist in vulnerability management.

You need to use an API call to get a list of devices connected to a particular vulnerability ID.

What is the correct HTTP GET request that will be sent for the method associated with this API
call?

A.
GET /api/vulnerabilities/{cveId}/machineReferences

B.
GET /api/vulnerabilities/machinesVulnerabilities

C.
GET /api/vulnerabilities/{cveId}

D.
GET /api/vulnerabilities

Answer: A
Explanation:

QUESTION NO: 18

After an automated investigation, a device has been isolated. You find out that the device presents
no threat to the company and that the case is a false positive alert.

You need to remove the device from isolation.

What action should you perform?

A.
Select the Threat analytics tab in the Microsoft Defender portal.

B.
Select the Undo option on the History tab in the Microsoft Defender portal.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 24


Microsoft SC-200 Exam
C.
Select the Security Efficiency Workbook option on the Incidents page in the Azure Sentinel portal.

D.
Select the Incidents option in the Azure Sentinel portal.

Answer: B
Explanation:

QUESTION NO: 19

After a hacker attacks your company, the identities of your company’s accounting department
employees, which are stored in an on-premises Azure Active Directory, have been compromised.
Your manager wants to prevent this from happening again.

You need to recommend a solution that fulfills the manager’s request.

What solution should you recommend?

A.
Azure Firewall

B.
Active Directory backup

C.
Azure Defender

D.
Microsoft Defender for Identity

Answer: D
Explanation:

QUESTION NO: 20

The coordinator of the human resources team reports that their Microsoft Office 365 account has
been compromised. Your manager wants you to implement a solution that notifies them by email
when an employee’s account is at risk.
"Leading the way in IT Testing & Certification Tools" - www.testking.com 25
Microsoft SC-200 Exam
You need to recommend a solution that fulfills the manager’s request.

What solution should you recommend?

A.
Azure Lighthouse

B.
Sensitivity labels

C.
Azure Defender

D.
Azure AD Identity Protection

Answer: D
Explanation:

QUESTION NO: 21

You work for a company that wants to improve its security posture by implementing Azure AD
Identity Protection.

You need to determine the minimum license level you need to activate user risk and sign-in risk
policies. Your solution should not be more expensive than it needs to be.

Select the correct licensing option to meet these requirements.

A.
Azure AD Premium P1

B.
Azure AD Free

C.
Office 365 E3

D.
Azure AD Premium P2

E.
EMS E5
"Leading the way in IT Testing & Certification Tools" - www.testking.com 26
Microsoft SC-200 Exam
Answer: D
Explanation:

QUESTION NO: 22

You work for a company that wants to implement Microsoft Defender for Identity.

You need to work with the rest of the implementation team on the placement of the Microsoft
Defender for Identity (MDI) sensors.

What two types of servers could these sensors be directly installed on? Each correct answer
presents a complete solution.

A.
Any non-domain controller with an instance of Windows Server 2016 or newer

B.
Domain controllers

C.
A RADIUS server

D.
AD FS

Answer: B,D
Explanation:

QUESTION NO: 23

One of the employees at your company runs an executable attached to an email, which steals the
employee’s credentials. Your manager requests a solution that responds to such threats.

You need to recommend a solution that fulfills the manager’s request.

What solution should you recommend?

"Leading the way in IT Testing & Certification Tools" - www.testking.com 27


Microsoft SC-200 Exam
A.
Azure Lighthouse

B.
Microsoft Graph

C.
Data Retention

D.
Microsoft Secure Score

Answer: D
Explanation:

QUESTION NO: 24

Your manager wants to know if any unsanctioned apps are being used within the company that
are not compliant with the company’s security policies.

You need to recommend a solution that fulfills the manager’s request.

What solution should you recommend?

A.
Cloud Discovery in Microsoft Cloud App Security

B.
Azure Monitor

C.
Azure AD Identity Protection

D.
Azure Defender

Answer: A
Explanation:

QUESTION NO: 25
"Leading the way in IT Testing & Certification Tools" - www.testking.com 28
Microsoft SC-200 Exam
An employee accidentally sends confidential information to a person outside your company. You
decide to enforce information protection with Microsoft Cloud App Security (MCAS).

You need to execute the first two steps included in the process of enforcing information protection.

Which two actions should you perform? Each correct answer presents part of the solution.

A.
Classify sensitive information within the company through Microsoft Cloud App Security.

B.
Create a File policy within Microsoft Cloud App Security.

C.
Investigate alerts that are displayed in the Alerts pane.

D.
Make sure that applications within the company are connected to Microsoft Cloud App Security.

E.
Integrate log data from Microsoft 365 and non-Azure virtual machines.

Answer: A,D
Explanation:

QUESTION NO: 26

A user in the accounting department of your company violates a policy related to risky IP
addresses by accessing a risky IP address. The manager contacts you and wants to solve the
problem immediately. You access the alerts page in the Cloud App Security portal to view the
violation.

You need to perform immediate remediation actions to protect the company’s data from the
employee’s behavior.

Which two actions should you perform? Each correct answer presents part of the solution.

A.
Suspend the user until a decision is made concerning the case.

B.
Sanction a cloud app.
"Leading the way in IT Testing & Certification Tools" - www.testking.com 29
Microsoft SC-200 Exam
C.
Send a notification to the user to ask if the violation was intentional.

D.
View how many files are shared publicly.

E.
Access the Cloud App Security Dashboard to view the status of uploading data to cloud apps.

Answer: A,C
Explanation:

QUESTION NO: 27

The manager wants a solution that detects how many employees in the IT department are constantly using a new cloud app. You decide to use a Cloud Discovery policy in Microsoft Cloud App Security (MCAS).

You need to ensure you meet the prerequisites in order for you to use the policy.

Which two actions should you take? Each correct answer presents a complete solution.

A.
Connect an app to MCAS using a cloud connector.

B.
Establish an automatic log upload for the reports of Cloud Discovery.

C.
Establish a security group in the company’s Azure Active Directory.

D.
Set naming conventions for the service accounts in the company.

E.
Enable the integration of Cloud App Security with Defender for Endpoint.

Answer: B,E
Explanation:

"Leading the way in IT Testing & Certification Tools" - www.testking.com 30


Microsoft SC-200 Exam
QUESTION NO: 28

The coordinator of the accounting team reports an incident where a user sends an email
containing sensitive information to people outside the organization. Your manager wants the
incident to be identified by the term Red Incident by Microsoft 365 Defender. Also, they want any
similar incidents to be identified in a group.

You need to manage incidents in Microsoft 365 Defender to fulfill the manager’s request.

What two actions should you perform to meet the requirement? Each correct answer presents part
of the solution.

A.
Add a tag to the incident.

B.
Classify the incident as a false alert.

C.
Add a comment to the incident.

D.
Edit the name of the incident.

E.
Classify the incident as a true alert.

Answer: A,D
Explanation:

QUESTION NO: 29

You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage
incident related to a suspected malicious document. After reviewing all the details, you have
determined that the alert tied to this potentially malicious document is also related to another
incident in your environment. However, the alert is not currently listed as a part of that second
incident. Your investigation into the alert is ongoing, as is your investigation into the two related
incidents.

You need to appropriately categorize the alert and ensure that it is associated with the second
incident.

"Leading the way in IT Testing & Certification Tools" - www.testking.com 31


Microsoft SC-200 Exam
What two actions should you take in the Manage alert pane to fulfill this part of the investigation?
Each correct answer presents part of the solution.

A.
Set status to In progress.

B.
Select the Link alert to another incident option.

C.
Enter the Incident ID of the related incident in the Comment section.

D.
Set status to New.

E.
Set classification to True alert.

Answer: A,B
Explanation:

QUESTION NO: 30

You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage
incident. This incident involved a risky user sign-in that was blocked because Multi-Factor
Authentication (MFA) was not completed, but the credentials provided were correct. You contacted
the impacted user by telephone and discovered that the sign-in was not made by that user. The user
is tech savvy and completed the self-service password reset (SSPR) process while on the phone
with you. You confirm the user’s password has been updated.

You need to take appropriate action to close the initial malicious risk detection as a result of this
incident.

What manual risk detection resolution should you select in order to categorize the risk detection
correctly?

A.
Select Confirm user compromised.

B.
Select Confirm sign-in compromised.

C.
Select Confirm sign-in safe.

D.
Select Dismiss user(s) risk.

Answer: D
Explanation:

QUESTION NO: 31

You are using Microsoft 365 Defender to be proactive and search for threats in your environment
before receiving alerts. You enter the Microsoft 365 Defender portal to create a query using Kusto
Query Language (KQL). This query is seeking out a specific process executing in your
environment.

You need to narrow the focus of this query to include only the last two weeks and only 50 results,
sorted by the time range column.

Which two lines should you add to the query to accomplish these requirements? Each correct
answer presents part of the solution.

A.
| top 50 by Timestamp

B.
| join Timestamp > ago (14d)

C.
| limit 50 by Timestamp

D.
| limit Timestamp > ago(14d)

E.
| where Timestamp > ago(14d)

Answer: B,E
Explanation:

QUESTION NO: 32 DRAG DROP

You work for a company that uses Microsoft 365 Defender and automated investigations. In
response to a recent automated investigation, you quarantined a file you believed to be malicious.
This file was found and quarantined on 12 devices. You have now completed further research on
the file and know that it is not malicious.

You need to remove this file from quarantine and return it to the devices where it had previously
been discovered.

Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of possible actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

QUESTION NO: 33

You are using Microsoft Defender for Endpoint and configuring roles for users. You are configuring
roles for Azure Active Directory groups.

You need to assign a permission for a user that allows them to manage email notifications in the
Azure Active Directory portal.

What permission should you assign to the user?

A.
Active remediation actions – Security Operations

B.
View Data – Security Operations

C.
Manage security settings in Security Center

D.
View Data – Threat and vulnerability management

Answer: C
Explanation:

QUESTION NO: 34

Programmers at your company create a web application for buying and selling products.
Your manager wants the web application to be protected against malicious attacks.

You need to recommend a solution that protects the web application.

What solution should you recommend?

A.
Azure Defender

B.
Detection rules

C.
Sensitivity labels

D.
Data Loss Prevention policies

Answer: A
Explanation:

QUESTION NO: 35

You want to protect the virtual machines in your company from malicious attacks. You decide to
implement Azure Defender.

You need to enable Azure Defender for your company.

What should you do first?

A.
Enable Preview features for Microsoft Defender for Endpoints.

B.
Enable attack surface reduction rules.

C.
Enable Azure Security Center.

D.
Use Azure Lighthouse to manage workspaces across tenants.

Answer: C
Explanation:

QUESTION NO: 36

You are working in a hybrid cloud environment and use Azure Defender for protection.

You have several other servers in both Amazon Web Services (AWS) and Google Cloud Platform
(GCP), and you would like to extend Azure Defender security to those virtual machines, several of
which are SQL (Structured Query Language) servers.

You need to determine the requirements for these servers to become an Azure resource and show
up in the Security Center.

Which two steps should you take to meet the goal? Each correct answer presents part of the
solution.

A.
Use Azure Arc on the servers.

B.
Deploy Azure SQL Edge.

C.
Install the Log Analytics agent on the servers.

D.
Use Azure Migrate on the servers.

Answer: A,C
Explanation:

QUESTION NO: 37

You are defending your hybrid cloud environment with Azure Defender. After initially enabling the
solution, you have decided to manually roll out the Log Analytics agent to several virtual machines
for testing. You used PowerShell for this process.

You need to use PowerShell to check the status of the Log Analytics agent deployment on a
specific virtual machine (VM).

What command should you run to gather this information?

A.
Get-AzVMExtension -ResourceGroupName myResourceGroup -VMName myVM -Name myExtensionName

B.
Set-AzVMExtension -ResourceGroupName myResourceGroup -Name myExtensionName

C.
Set-AzVMExtension -ResourceGroupName myResourceGroup -VMName myVM -Name myExtensionName

D.
Get-AzVMExtension -ResourceGroupName myResourceGroup -Name myExtensionName

Answer: A
Explanation:

QUESTION NO: 38

You are using Azure Defender to protect your cloud environment and Azure Monitor to collect data
from your virtual machines (VMs).

You are not receiving data from the Azure Monitor agent on one of your VMs. You determine that
this is related to the local firewall on the VM.

You need to allow communication with the required HTTPS endpoints for the Azure Monitor agent,
while keeping the rules as specific as possible.

Which three HTTPS endpoints should you allow via the local firewall? Each correct answer
presents part of the solution.

A.
*.opinsights.azure.com

B.
*.control.monitor.azure.com

C.
*.azure.com

D.
*.ods.opinsights.azure.com

E.
*.monitor.azure.com

F.
*.ingest.monitor.azure.com

Answer: B,D,F
Explanation:

QUESTION NO: 39

The programming coordinator at your company wants to connect their Amazon Web Services
(AWS) account to Azure Security Center.

You need to recommend methods to allow Security Center to authenticate to AWS.

What two methods should you recommend? Each correct answer presents a complete solution.

A.
Create a user risk policy in Azure Identity Protection.

B.
Create a sign-in risk policy in Azure Identity Protection.

C.
Create an AWS user for Security Center.

D.
Create an IAM role for Security Center.

E.
Use Microsoft Graph.

Answer: C,D
Explanation:

QUESTION NO: 40

Your manager has resources in Google Cloud and Azure. They ask you to connect them with each
other. You are connecting the data in Google Cloud Platform (GCP) to Azure Security Center. You
have already configured the GCP Security Command Center, enabled Security Health Analytics,
and enabled the GCP Security Command Center API.

You need to perform the two remaining steps that will allow you to connect the data.

What two actions should you perform to meet the requirement? Each correct answer presents part
of the solution.

A.
Add Cloud Connectors from Azure Security Center.

B.
Register Azure resource providers.

C.
Generate an installation script.

D.
Create a dedicated service account and a private key.

Answer: A,D
Explanation:

QUESTION NO: 41

You are using Azure Security Center to collect data related to IP addresses.

You need to identify what tools to use in Azure Security Center.

Which two tools should you use to collect data through Azure Security Center? Each correct
answer presents a complete solution.

A.
Log Analytics agent

B.
Windows Security Events connector

C.
Detection rules

D.
Sensitivity labels

E.
Security extensions

Answer: A,E
Explanation:

QUESTION NO: 42

Your manager wants to transport data from one database server to another. They decide to deploy
Azure server management services and ask you for a solution that simplifies the deployment so that
the data transfer can be carried out easily.

You need to recommend a solution that fulfills the manager's request.

What solution should you recommend?

A.
Azure Lighthouse

B.
Automated onboarding

C.
Data Loss Prevention policy

D.
Automated investigation

Answer: B
Explanation:

QUESTION NO: 43

You work for a company that uses Azure Defender.

You are trying to address an issue with certain alerts that are overwhelming your security team
and not providing valuable information. A suppression rule was previously created to try and
resolve this and had been effective, but it is no longer catching the alerts. No changes have been
made to the rule since it was created.

You need to investigate the reason this rule is no longer suppressing the alerts as intended.

What two possible options could result in this behavior? Each correct answer presents a complete
solution.

A.
The State field for the rule was set to Disabled.

B.
The rule was not tested with the Simulate button.

C.
The wrong subscription was selected in the Subscription field.

D.
The rule was based on specific criteria that have changed.

E.
The expiration date of the rule has been reached.

Answer: D,E
Explanation:

QUESTION NO: 44 HOTSPOT

You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor
your environment.

You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure
Defender alerts.

What query should you write to meet this requirement? To answer, complete the query by
selecting the correct options from the drop-down menus.

Answer:

Explanation:

QUESTION NO: 45

You are currently using Azure Defender and Azure Security Center to protect and monitor your
critical cloud workloads. You configure Azure Defender alert notifications.

Upon initial implementation, you left the recipients portion of the notification settings at the default
configuration, but under Notification types you set up notifications for all alerts regardless of
severity. The recipients of these alerts have stated that they no longer feel the need to receive
low-severity alerts. Also, in addition to the users that are currently receiving the alerts, you have
been asked to add two other recipients. Both of these new recipients are in Contributor roles. All
existing recipients should continue receiving alerts.

You need to make the required changes to the Email notifications page.

What two actions should you take? Each correct answer presents part of the solution.

A.
Type the new recipients’ email addresses into the Additional email addresses (separated by commas)
field.

B.
Select the Contributor role from the All users with the following roles drop-down.

C.
Set the Notify about alerts with the following severity (or higher) drop-down to Medium.

D.
Set the Notify about alerts with the following severity (or higher) drop-down to High.

Answer: A,C
Explanation:

QUESTION NO: 46

You are using Azure Defender. Several alerts have been triggering too often for them to be useful.
You are an Owner at the subscription level.

You need to assign roles to your teammates so that they can create and read suppression rules
that will address this issue.

Which two of the following roles could you assign these users to meet these requirements? Each
correct answer presents a complete solution.

A.
Reader

B.
Security Admin

C.
Owner

D.
Azure Sentinel Contributor

E.
Security Reader

Answer: B,C
Explanation:

QUESTION NO: 47

Your manager installs an Azure virtual machine (VM) on their device, which runs the Linux operating
system. They want to test whether the alerts in Azure Defender are working correctly.

You need to simulate alerts on the manager’s device.

Which two actions should you perform? Each answer presents part of the solution.

A.
Create a data loss prevention (DLP) policy.

B.
Execute the file in the Command Prompt.

C.
Create an Event Connector.

D.
Use Data Retention.

E.
Copy an executable to a location on the device.

Answer: B,E
Explanation:

QUESTION NO: 48

Your company starts buying products online from a vendor outside your country. False-positive
alerts are showing up constantly because the accounting team accesses the vendor’s website, and
Azure Defender considers the vendor’s IP address suspicious.

You want to hide the false-positive alerts produced due to accessing the vendor’s website.

What two actions should you perform after selecting the false-positive alert on the Security Alerts
page? Each correct answer presents part of the solution.

A.
Choose the Create Suppression Rule option.

B.
Access the Prevent Future Attacks section.

C.
Access the Trigger automated response section.

D.
Enter the details of the new suppression rule.

E.
Access the Mitigate the threat section.

Answer: A,D
Explanation:

QUESTION NO: 49

You are investigating a possible attack that uses a new malicious software strain. You intend to
automate operations on a collection of high-value machines that store sensitive data. You have four
custom device groups.

You need to group the machines temporarily in order to perform actions on the devices.

What action should you perform to meet the requirement?

A.
Set the automation level of the device group to Full – remediate threats automatically.

B.
Enable Conditional Access.

C.
Set the automation level of the device group to Semi – require approval for any remediation.

D.
Create an admin role that gives users access to tagged machines.

Answer: D
Explanation:

QUESTION NO: 50

You are using Azure Resource Manager templates to manage Azure infrastructure through a
consistent, repeatable process.

You decide to use nested templates. In your parent template, you add a deployments resource.

You need to ensure that the template expressions are evaluated in the nested template scope.

What value should you set for the expressionEvaluationOptions property in order to have this
nested scope?

A.
Incremental

B.
Microsoft.Resources/deployments

C.
inner

D.
outer

Answer: C
Explanation:

QUESTION NO: 51 HOTSPOT

The coordinator of the IT department in your company is creating a playbook in Azure Security
Center. They want to export a playbook to share with others, and they ask you to finish the job.
You start the process of exporting the playbook and reach the part where you want to templatize
resources that should be created for each connection with the playbook.

You need to complete the query to fulfill the coordinator’s request.

How should you complete the query? To answer, select the appropriate expressions from the
drop-down menus.

Answer:

Explanation:

QUESTION NO: 52

You are a member of the security operations team at a company using Microsoft Defender for
Office 365. To improve response times for threat identification and mitigation, you use automated
investigation and response (AIR) capabilities. An alert has triggered and an automated
investigation has been initiated.

On analyzing the progress of the automated investigation, you see that it resulted in a status of
Terminated By System.

What two reasons can there be for this status to be displayed? Each correct answer presents a
complete solution.

A.
One or more investigation analyzers did not properly complete.

B.
Pending actions timed out after one week.

C.
The investigation was held in queue for too long.

D.
Pending actions timed out after 48 hours.

E.
Actions are too numerous to run all analyzers.

Answer: B,E
Explanation:

QUESTION NO: 53

You are investigating an alert from Azure Defender for Key Vault. The alert in question is related to
a suspicious application that accessed your Key Vault from within Azure.

You need to collect indicators of compromise (IoCs) from the alert to then threat hunt for related
events in your environment.

What two IoCs can you gather from this alert that you can use for further investigation?

A.
Object ID

B.
IP address of the suspicious resource

C.
Process ID

D.
User Principal Name of the suspicious resource

Answer: A,B
Explanation:

QUESTION NO: 54

You are using Azure Defender and Azure Security Center to protect and monitor your cloud
environment. You are investigating alerts.

You need to filter out the lowest severity alerts to narrow in on alerts that are more likely to be
malicious.

What severity alert should you filter out to generate this view?

A.
High

B.
Informational

C.
Low

D.
Medium

Answer: B
Explanation:

QUESTION NO: 55

You are using threat reports in Azure Security Center to review important information about the
risks your company is facing in the current threat landscape. You want to view a report that looks
at tactics, techniques, and procedures of attackers, since you suspect you are being targeted by
an Advanced Persistent Threat (APT).

You need to pull a report that only focuses on the behaviors of this APT.

What report type should you pull to gather this information?

A.
Activity Group Report

B.
Campaign Report

C.
Threat Intelligence Report

D.
Threat Summary Report

Answer: A
Explanation:

QUESTION NO: 56 HOTSPOT

Your manager wants you to build a hunting query for the company’s Azure Sentinel workspace
named Hunting Targets.

You need to complete the request body of the query.

How should you complete the request body of the query? To answer, select the appropriate
options in the answer area.

Answer:

Explanation:

QUESTION NO: 57

Your manager wants a solution that uses anomaly detection to identify threats.

You need to implement a solution that fulfills the manager’s request.

What solution should you use?

A.
Create a data loss prevention policy.

B.
Use Microsoft Graph.

C.
Use Azure Security Center.

D.
Create a sensitivity label.

Answer: C
Explanation:

QUESTION NO: 58

You are tasked with enabling Azure Sentinel.

You need the correct role to be able to complete this task, while following the principle of least
privilege.

What role should you be assigned?

A.
Reader on the resource group that contains the Sentinel workspace

B.
Contributor on the subscription that contains the Sentinel workspace

C.
Reader on the subscription that contains the Sentinel workspace

D.
Contributor on the resource group that contains the Sentinel workspace

Answer: B
Explanation:

QUESTION NO: 59

You implement an additional layer of security for your company’s emails using Safe Attachments
policies. Employees in the accounting team report that emails from customers that include
attachments are being delayed.

You need to configure the settings in Safe Attachments in order for the emails to be received
directly, without compromising the security of your company.

What should you configure in Safe Attachments settings?

A.
The Dynamic Delivery option

B.
The Monitor option

C.
The Off option

D.
The Block option

Answer: A
Explanation:

QUESTION NO: 60

You are in the process of implementing Azure Sentinel. Your manager wants the log data to be
kept in the company’s workspace for 550 days.

You need to recommend a solution that meets the manager’s request.

What should you recommend?

A.
Use security extensions in Azure Security Center.

B.
Create sensitivity labels in the Security & Compliance Center.

C.
Create a workbook in the Azure portal.

D.
Use data retention in the Azure portal.

Answer: D
Explanation:

QUESTION NO: 61 DRAG DROP

Your company has decided to implement a SIEM (Security Information and Event Management)
solution with SOAR (Security Orchestration, Automation, and Response) capabilities. Specifically,
you have decided that Azure Sentinel meets these requirements and integrates seamlessly with
your other Microsoft solutions.

You need to set up Azure Sentinel in your environment. This is a new, first-time deployment.

Which five actions should you perform in sequence? To answer, move the appropriate actions
from the list of possible actions to the answer area and arrange them in the correct order.

Answer:

Explanation:

QUESTION NO: 62

You are deploying Azure Sentinel and want to assign roles to users.

You need to ensure that all users are able to create and edit workbooks, analytics rules, and other
Azure Sentinel resources.

Which two of the following roles could you assign to these users to meet the requirements? Each
correct answer presents a complete solution.

A.
Azure Sentinel Responder

B.
Azure Sentinel Contributor

C.
Azure Sentinel Contributor and Logic App Contributor

D.
Azure Sentinel Reader

Answer: B,C
Explanation:

QUESTION NO: 63

The coordinator of the finance team reports that the Microsoft 365 data of a team member is
compromised. Your manager assigns you to implement a solution that enables the company to
collect log data.

You need to recommend a solution that fulfills the manager’s request.

What solution should you recommend?

A.
Windows Security Events connector

B.
Exemption rules

C.
Attack surface reduction rules

D.
Azure Sentinel connectors

Answer: D
Explanation:

QUESTION NO: 64

You are the global administrator of your company’s Microsoft Azure environment. A member of the
programming team wants to integrate the Azure Active Directory Identity Protection solution with
Azure Sentinel.

You need to assign a role for the team member to enable them to execute the integration.

What role should you assign to the user?

A.
Compliance Administrator

B.
Security Reader

C.
Security Administrator

D.
Compliance Data Administrator

Answer: C
Explanation:

QUESTION NO: 65

You enable Azure Sentinel in your company. Your manager wants to integrate log data from
Microsoft 365 and non-Azure virtual machines.

You need to recommend a solution to fulfill the manager’s request.

What solution should you recommend?

A.
Using Data Loss Prevention policies

B.
Using Microsoft Graph

C.
Adding a playbook on Azure Sentinel

D.
Creating data connectors on Azure Sentinel

Answer: D
Explanation:

QUESTION NO: 66

You are in the process of connecting data sources to Azure Sentinel. You want to ingest Azure
Active Directory Identity Protection data into Azure Sentinel.

You need to identify the prerequisites required in order to make this connection.

Where can you navigate to find this list of prerequisites?

A.
On the Data Connectors page for Azure Active Directory, under the Instructions tab.

B.
On the Data Connectors page for Azure Active Directory Identity Protection, under the Instructions
tab.

C.
On the Data Connectors page for Azure Active Directory Identity Protection, under the Next Steps
tab.

D.
On the Data Connectors page for Azure Active Directory, under the Configuration heading.

Answer: B
Explanation:

QUESTION NO: 67 DRAG DROP

Your company has decided to implement Azure Sentinel. You are working on the early stages of
implementation and have been tasked with setting up the security event collection for Windows
machines. Specifically, you are working on non-Azure Windows machine collection.

You need to collect these events by installing the Log Analytics agent on your non-Azure
Windows machines.

What four actions should you take to fulfill this requirement? To answer, move the correct actions
from the list of possible options to the answer area and arrange them in the correct order.

Answer:

Explanation:

QUESTION NO: 68

You are currently using Azure Sentinel for the collection of Windows security events. You want to
use Azure Sentinel to identify Remote Desktop Protocol (RDP) activity that is unusual for your
environment.

You need to enable the Anomalous RDP Login Detection rule.

What two prerequisites do you need to ensure are in place before you can enable this rule? Each
correct answer presents part of the solution.

A.
Collect Security events or Windows Security Events with Event ID 4720.

B.
Let the machine learning algorithm collect 30 days’ worth of Windows Security events data.

C.
Collect Security events or Windows Security Events with Event ID 4624.

D.
Select an event set other than None.

Answer: C,D
Explanation:

QUESTION NO: 69

Your manager travels to another country. They are connected to the company’s Windows cloud
server, which is linked to its Azure Sentinel workspace. A new employee in the country the
manager is visiting is hired to work online for the company. Your manager wants to be able to
see how you create the user account for the new employee through the Windows cloud
server.

You need to implement a solution that can enable the manager to view how the creation of user
accounts is done from any Windows cloud server linked with the company’s Azure Sentinel
workspace.

What action should you perform?

A.
Create a Microsoft 365 Defender connector.

B.
Create a Cloud Connector.

C.
Use Azure Defender.

D.
Use Windows Security Events connectors.

Answer: D
Explanation:

QUESTION NO: 70

An employee reports that their data was compromised through a cyber-attack.

You need to implement a solution that detects the origin of the attack and identifies the potential
data loss.

What solution should you recommend?

A.
Sensitivity labels

B.
Analytics rules in Azure Sentinel

C.
Data Loss Prevention policies

D.
Cloud Connectors in Azure Security Center

Answer: B
Explanation:

QUESTION NO: 71

Your manager wants to prevent the employees of the accounting department from accidentally
sharing sensitive information with people outside the organization. You indicate that the
coordinators of the accounting department should configure a data loss prevention (DLP) policy.

You need to assign the appropriate role for the coordinator so they can configure the policy.

What role should you assign?

A.
Compliance Data Administrator

B.
Communication Compliance Viewer

C.
Communication Compliance Analyst

D.
Compliance Manager Reader

Answer: A
Explanation:

QUESTION NO: 72

Azure Sentinel offers a significant number of built-in rules, but your company has some specific
use cases that require more granular control of both rule sets and alerting. You are working on
creating custom rules in Azure Sentinel to meet these use cases.

You need to create a rule that runs every hour and stops running if there is a single alert.

What two options should you select in the Analytics rule wizard to meet these requirements? Each
correct answer presents part of the solution.

A.
Under Event grouping, select Group all events into a single alert.

B.
Under Run query every, select 1 hour.

C.
Under Lookup data from the last, select 1 hour.

D.
Under Stop running query after alert is generated, select On.

Answer: B,D
Explanation:

QUESTION NO: 73

You are creating a custom rule in Azure Sentinel. You have decided to group the alerts this rule
generates into a single incident by Severity.

You need to select the right alert grouping option in the Analytics rule wizard.

What option should you select to group the alerts?

A.
Grouping all alerts triggered by this rule into a single incident.

B.
Re-open closed matching incidents.

C.
Grouping alerts into a single incident if all the entities match (recommended).

D.
Grouping alerts into a single incident if the selected entities match.

Answer: D
Explanation:

QUESTION NO: 74

You use Azure Sentinel queries to generate alerts and group them into incidents.

You connect Azure Active Directory (Azure AD) Identity Protection using the data connector. You
make sure that all prerequisites are met.

You need to ensure that incidents are created automatically.

What should you do?

A.
Select User risk policy and turn Enforce policy to On on the Azure AD Identity Protection page
under Security.

B.
Select Sign-in risk policy and turn Enforce policy to On on the Azure AD Identity Protection page
under Security.

C.
Click Create Incidents - Recommended! on the Azure AD Identity Protection Data Connectors
page.

D.
Click Connect on the Azure AD Identity Protection Data Connector page under Configuration.

Answer: C
Explanation:
Connect (D) only brings Identity Protection alerts into the workspace. Turning those alerts into incidents
requires a Microsoft security incident-creation rule, which the Create Incidents - Recommended! button sets
up for that connector. The user-risk and sign-in-risk policies (A, B) are Identity Protection enforcement
settings and have no effect on incident creation in Sentinel.

QUESTION NO: 75

Your manager wants a solution that runs playbooks as a response to incidents that are likely to
occur at the company.

You need to recommend a solution that fulfills the manager’s request.

What solution should you recommend?

A.
Notebooks in Azure Sentinel

B.
Microsoft Cloud App Security’s anomaly detection policies

C.
Attack surface reduction rules

D.
Automation rules in Azure Sentinel

Answer: D
Explanation:

QUESTION NO: 76 DRAG DROP

Your company starts using Azure Sentinel. The manager wants the administration of the
implemented solution to be divided into groups in the company, with responsibilities divided as
follows:

Group A – to take responsibility for viewing and managing incidents

Group B – to take responsibility for adding playbooks

You need to assign the appropriate roles for both groups.

What roles should you assign? To answer, drag the appropriate Azure Sentinel role to each group.
A role may be used once, more than once, or not at all.

Answer:

Explanation:


QUESTION NO: 77

You use Azure Sentinel as a Security Information and Event Management (SIEM) solution and
want to increase its Security Orchestration, Automation and Response (SOAR) capabilities.

You need to create a playbook that uses an Azure Logic App to communicate with other systems
and services via API calls to a known, commonly used product or service.

Which connector should you configure?

A.
Trigger

B.
Azure Sentinel connector

C.
Managed connector

D.
Custom connector

Answer: C
Explanation:

QUESTION NO: 78

You are using Azure Sentinel for automated responses to alerts and incidents in your
environment, but you are experiencing issues with a playbook not running. While troubleshooting,
you notice that the playbook has a trigger kind of Not initialized.

You need to remediate this issue and make the playbook functional.

What should you do?

A.
Add triggers or actions to the playbook.

B.
Run the playbook manually.

C.
Edit the analytics rule that generates the incident you want to define an automated response for.

D.
From the Automation rules tab in the Automation blade, create a new automation rule and specify
the appropriate conditions and desired actions.

Answer: A
Explanation:
A trigger kind of Not initialized means the Logic App behind the playbook has no trigger defined yet, so
nothing (an automation rule, an analytics rule or a manual run) can start it until a trigger, and the
actions that follow it, are added.

QUESTION NO: 79

You create an Azure Sentinel playbook. After several months you notice some areas for
improvement. You decide to make a copy of your playbook and make changes to the copy instead
of the original.

Which two Logic Apps actions should you choose? Each correct answer presents part of the
solution.

A.
Export

B.
Update Schema

C.
Clone

D.
Refresh

E.
Edit

Answer: C,E
Explanation:

QUESTION NO: 80

You are configuring insider risk management for your company. The accounting team’s
coordinator wants their team to be able to view the insider risk management’s analytics and alerts
but does not want the team to access the insider risk management Content explorer.

You need to identify the correct role group to fulfill the coordinator’s request.

What role group should you use?

A.
Insider Risk Management Auditors

B.
Insider Risk Management Admin

C.
Insider Risk Management Investigators

D.
Insider Risk Management Analysts

Answer: D
Explanation:
Insider Risk Management Analysts can work with alerts, cases and analytics but cannot open Content
explorer; Investigators have the same access plus Content explorer, and Admins manage the configuration.

QUESTION NO: 81

You are using Azure Sentinel to investigate a series of incidents that occurred within the last
48 hours.

You need to narrow down your investigation to the incidents that most recently had additional
details/information added, and those that are categorized as High severity.

What two actions should you perform on the Incidents page? Each correct answer presents part of
the solution.

A.
Select the Last update time column header to sort by this parameter.

B.
Change the Status filter from New, Active to New.
C.
Change the Severity filter from All to High.

D.
Go to Search and add the Alert severity parameter.

Answer: A,C
Explanation:

QUESTION NO: 82

You are wrapping up an investigation within Azure Sentinel. After significant research into the
alerts within the incident, you conclude that the incident was not malicious and that several of the
alerts were generated by analytics rules that do not work properly.

You need to categorize the incident.

What classification should you choose?

A.
Benign Positive – suspicious but expected

B.
Undetermined

C.
False Positive – inaccurate data

D.
False Positive – incorrect alert logic

Answer: D
Explanation:
The incident was not malicious, which rules out True Positive and Undetermined, and it was not expected
activity, which rules out Benign Positive. Of the two False Positive reasons, the alerts came from rules
that do not work properly, so the cause is incorrect alert logic rather than inaccurate data.

QUESTION NO: 83

You are the lead of an Azure Sentinel investigation.

You need to ensure that your team members know that you are investigating the incident.

Which two actions should you perform? Each correct answer presents part of the solution.

A.
Change the Owner to Assign to me.

B.
Change the status to New.

C.
Change the status to Active.

D.
When closing the incident, include your name in the Comment section.

Answer: A,C
Explanation:
Sentinel incidents have three statuses: New, Active and Closed. Assigning the incident to yourself and
moving it to Active is what the rest of the team sees in the incident list while the investigation is
open; a closing comment (D) is only visible once the investigation is over.

QUESTION NO: 84 HOTSPOT

Your manager wants to compare the trends of traffic within the past ten days. You plan to create a
workbook query.

You need to complete the query to fulfill the manager’s request.

How should you complete the query? To answer, select the appropriate expressions from the
drop-down menus.


Answer:

Explanation:
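The hotspot's query is not reproduced on this page. As an added illustration, not the exam's answer, the following is a KQL trend query of the kind a workbook would use for the ten-day comparison, wrapped in PowerShell so it can be run against a workspace before being pasted into a workbook step. Assumptions: the traffic lives in CommonSecurityLog (CEF firewall and proxy logs), the workspace ID is a placeholder, and the Az.OperationalInsights module is installed.

```powershell
# Added example (not from the exam dump). Requires Connect-AzAccount and read access
# to the workspace (Log Analytics Reader or Microsoft Sentinel Reader).
$workspaceId = "00000000-0000-0000-0000-000000000000"   # assumption: placeholder

# Workbook-style query: one daily bucket per device vendor over the past ten days,
# plus a fitted slope so vendors can be compared by trend, not just by volume.
# CommonSecurityLog is an assumption; use whichever table carries your traffic.
$kql = @'
let lookback = 10d;
CommonSecurityLog
| where TimeGenerated > startofday(ago(lookback))
| make-series Events = count() default = 0
    on TimeGenerated from startofday(ago(lookback)) to startofday(now()) step 1d
    by DeviceVendor
// Today's partial day is excluded so the last point is not artificially low.
| extend Fit = series_fit_line_dynamic(Events)
| project DeviceVendor, TimeGenerated, Events,
          SlopePerDay = toreal(Fit.slope),   // events/day gained or lost per day
          RSquare     = toreal(Fit.rsquare)  // how well a straight line explains the series
| order by SlopePerDay desc
'@

# -Timespan intersects with the query's own filter; give it a day of slack so
# startofday(ago(10d)) is not clipped.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 11)
$result.Results | Select-Object DeviceVendor, SlopePerDay, RSquare | Format-Table -AutoSize
```

In the workbook itself only the KQL is needed: paste it into a query step, set Visualization to Time chart, and the make-series output renders as one line per DeviceVendor. Replace the literal 10d with the workbook's {TimeRange} parameter if the manager later wants the window selectable.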

QUESTION NO: 85

Your manager wants to implement the Analytics Efficiency workbook template in Azure Sentinel to
gain insights into the efficiency of the analytics rules created in the company.

You need to implement the data type required to be able to use the workbook.

What action should you perform?

A.
Create security incidents in Azure Sentinel.

B.
Create security events in Azure Sentinel.

C.
Use data connectors in Azure Sentinel.

D.
Use ProtectionStatus in Azure Sentinel.

Answer: A
Explanation:
The Analytics Efficiency workbook is built on the SecurityIncident table, so it only populates once
Sentinel has created incidents from the analytics rules being measured.

QUESTION NO: 86

You want to improve your Azure Sentinel workbook based on user feedback. You want to add
more parameters to make data filtering more effective and relevant.

You need to ensure that users are able to view the workbook data of the last 24 hours, 48 hours,
and the last 7 days choosing from a drop-down list. The solution should minimize the required
administrative effort.

Which two actions should you perform? Each correct answer presents part of the solution.

A.
Select the check boxes next to 24 hours, 48 hours, and Allow custom time range under Available
time ranges.

B.
Select the Time range picker parameter type.

C.
Select the Drop down parameter type.

D.
Select the check boxes next to 24 hours, 48 hours, and 7 days under Available time ranges.

Answer: B,D
Explanation:

QUESTION NO: 87

You are editing a workbook. You wish to add a static element to the workbook that displays the
label of the current time range that is selected. You add a text control to the workbook.

You need to add the correct TimeRange parameters.

Which two parameters should you use? Each correct answer presents part of the solution.

A.
{TimeRange:label}

B.
{TimeRange:value}

C.
{TimeRange:query}

D.
{TimeRange}

Answer: A,D
Explanation:

QUESTION NO: 88

Your company has an Azure Sentinel deployment. Some employees in the accounting department
upload sensitive data to the cloud without taking into consideration potential risks.

You need to query for suspicious activities carried out by accounting department employees.

Which two actions should you perform? Each correct answer presents part of the solution.

A.
Select the Hunting option in the Azure Sentinel portal.

B.
Select Notebooks in the Azure Sentinel portal.

C.
Select the Run All Queries option on the Hunting page.

D.
Select the New Query option on the Hunting page.

E.
Select the Create a new AML workspace option on the Notebooks page.

Answer: A,C
Explanation:
Hunting queries are the tool for an open question like this one. Run all queries executes every built-in
and custom hunting query at once and reports a result count per query, which is the quickest way to see
which queries return hits for the accounting team's activity before drilling into any of them.

QUESTION NO: 89 DRAG DROP

Your company starts using Azure Sentinel. The manager wants the administration of the
implemented solution to be divided into two groups, Group A and Group B, where:

Group A takes responsibility for replacing the tags of Threat Intelligence Indicator.

Group B takes responsibility for adding playbooks to automation rules.

You need to assign the appropriate roles for both groups to fulfill the manager’s request.

How should you assign the roles? To answer, drag the appropriate role to each group. A role may
be used once, more than once, or not at all.


Answer:

Explanation:


QUESTION NO: 90

You are using Azure Sentinel to hunt for threats in your environment. You design a query and find
some results that potentially indicate an ongoing, active threat.

You need to ensure that the results are marked and easy to reference alongside related data.

Which two actions should you perform within the query to meet these requirements? Each correct
answer presents part of the solution.

A.
Edit the Query information section before saving.

B.
Add relevant tags and notes in the Add bookmark pane before saving.

C.
In the query results, mark the checkboxes for any rows you want to preserve, and select Add
bookmark.

D.
Select Bookmark Logs from the command bar on the Bookmarks tab on the Hunting Page.

Answer: B,C
Explanation:

QUESTION NO: 91

You are using Azure Sentinel's threat hunting capabilities. Your company has been adding its own
custom queries to the built-in ones. One of the queries, titled Query A, does not seem to be producing
relevant data and may need to be tweaked.
seem to be producing relevant data, and may need to be tweaked.

You need to test Query A to see if matches are happening when events occur.

Which action should you perform on the Azure Sentinel Hunting page to meet these
requirements?

A.
On the Bookmarks tab, select Bookmark A and click Investigate.

B.
On the Queries tab, right-click Query A and select Add to livestream.

C.
On the Livestream tab, Select + New livestream.

D.
On the Livestream tab, select the livestream titled Query A.

Answer: B
