Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 390
Measured Skill: Manage incident response (25–30%)

You have a Microsoft 365 E5 subscription that contains a device named Device1.

From the Microsoft Defender portal, you discover that an alert was triggered for Device1.

From the Device inventory page, you isolate Device1.

You need to collect a list of installed programs on Device1.

What should you do?

A Collect an investigation package and download the results from the Action center.
B Initiate a live response session and run the analyze command.
C Run an advanced hunting query against the DeviceProcessEvents table.
D Run an advanced hunting query against the DeviceTvmInfoGathering table.

Correct answer: A

Explanation:

As part of the investigation or response process, you can collect an investigation package from a device. By collecting the investigation package, you can identify the current state of the device and further understand the tools and techniques used by the attacker.

For Windows devices, the package contains a wide range of information, including a .CSV file that lists the installed programs.

Reference: Investigation package contents for Windows devices



Question: 391
Measured Skill: Configure protections and detections (15–20%)

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint.

You discover unauthorized changes to the membership of the Administrators group for the devices.

You need to configure a solution that meets the following requirements:
  • Every hour, check the Administrators group membership of each endpoint.
  • When a change to the Administrators group membership is detected, create an incident in Microsoft Defender XDR.
What should you create first?

A A device group
B An advanced hunting query
C An alert tuning rule
D A detection rule

Correct answer: B

Explanation:

To detect changes in the Administrators group membership across your endpoints, you first need a KQL-based advanced hunting query that identifies those changes. This query will serve as the foundation for your detection logic.

Once the query is validated and reliably detects the changes you're concerned about, you can then use it to create a custom detection rule that runs hourly and generates alerts or incidents in Microsoft Defender XDR.
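An advanced hunting query of the kind described above, added here as an illustration and not taken from the exam or from Microsoft's documentation. It assumes that local group membership changes are recorded in DeviceEvents with the ActionType values UserAccountAddedToLocalGroup and UserAccountRemovedFromLocalGroup, that the affected group's SID and name are carried in the AdditionalFields JSON (verify this against your own tenant's events), and it projects the Timestamp, ReportId and DeviceId columns that a custom detection rule requires in its results:

```kql
// Built-in Administrators group: well-known SID S-1-5-32-544
let AdminGroupSid = "S-1-5-32-544";
DeviceEvents
// No explicit time filter: the custom detection rule's hourly frequency sets the lookback
| where ActionType in ("UserAccountAddedToLocalGroup", "UserAccountRemovedFromLocalGroup")
// Assumption: group SID and name are stored in AdditionalFields as GroupSid / GroupName
| extend Fields = parse_json(AdditionalFields)
| extend GroupSid = tostring(Fields.GroupSid), GroupName = tostring(Fields.GroupName)
| where GroupSid == AdminGroupSid
// Required columns for a custom detection rule plus the context an analyst needs
| project Timestamp, ReportId, DeviceId, DeviceName, ActionType, GroupName,
          ChangedAccount = strcat(AccountDomain, "\\", AccountName),
          InitiatingAccount = InitiatingProcessAccountName,
          InitiatingProcessCommandLine
```

Saving this query as a custom detection rule with an hourly frequency produces an alert for every matching row; Defender XDR then correlates those alerts into incidents.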

Reference: Create custom detection rules



Question: 392
Measured Skill: Manage security threats (15–20%)

You have a Microsoft Sentinel workspace named Workspace1.

You need to create a custom workbook named Workbook1. Workbook1 must display a time chart that shows failed Microsoft Entra sign-ins from the past seven days. The solution must ensure that the chart includes a count of failed sign-ins for each day.

How should you complete the KQL query?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A P1: | extend
P2: default=0 on TimeGenerated step 1d
B P1: | extend
P2: as DailyTotal, TimeFrame="1d"
C P1: | make-series
P2: by bin(TimeGenerated, 1d)
D P1: | make-series
P2: as DailyTotal, TimeFrame="1d"
E P1: | summarize
P2: default=0 on TimeGenerated step 1d
F P1: | summarize
P2: by bin(TimeGenerated, 1d)

Correct answer: F

Explanation:

To group the failed sign-ins (ResultType != 0) into daily bins (1d) and count how many occurred each day, we need to complete the KQL query as shown below:

SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType != 0
| summarize Count=count() by bin(TimeGenerated, 1d)
| render timechart

References:

summarize operator

count() (aggregation function)

bin()



Question: 393
Measured Skill: Manage security threats (15–20%)

You have a Microsoft 365 subscription that uses Microsoft Defender XDR, Microsoft Purview, and Exchange Online.

You have a partner company named Contoso, Ltd.

You need to review all the emails that contain PDF attachments and were received from Contoso during the past month. The solution must minimize administrative effort.

What should you use?

A Content search
B Content explorer
C Activity explorer
D Advanced Hunting

Correct answer: A

Explanation:

You can use the Content search eDiscovery tool in the Microsoft Purview portal to search for in-place content such as email, documents, and instant messaging conversations in your organization. Use this tool to search for content in these cloud-based Microsoft 365 data sources:

  • Exchange Online mailboxes
  • SharePoint Online sites and OneDrive for Business accounts
  • Microsoft Teams
  • Microsoft 365 Groups
  • Viva Engage

After you run a search, the number of content locations and an estimated number of search results are displayed on the search flyout page. You can quickly view statistics, such as the content locations that have the most items that match the search query. After you run a search, you can preview the results or export them to a local computer.

Content search in Microsoft Purview is designed for targeted queries across Exchange Online mailboxes, SharePoint sites, and OneDrive accounts. It allows you to:

  • Search for emails with specific attachment types (like PDFs).
  • Filter by sender domain (e.g., @contoso.com).
  • Specify a date range (e.g., past month).
  • Export results for review or compliance purposes.

Reference: Get started with Content search



Question: 394
Measured Skill: Manage security threats (15–20%)

You have an Azure subscription that uses Microsoft Sentinel.

You need to create a custom workbook that will calculate the average time it takes to close security incidents. The solution must minimize administrative effort.

Which built-in Microsoft Sentinel workbook template should you select?

A Security operations efficiency
B Incident Overview
C Workspace Usage Report
D Investigation Insights

Correct answer: A

Explanation:

The Security operations efficiency template is intended for security operations center (SOC) managers to view overall efficiency metrics and measures regarding the performance of their team.

As a Security Operations Center (SOC) manager, you need to have overall efficiency metrics and measures at your fingertips to gauge the performance of your team. You'll want to see incident operations over time by many different criteria, like severity, MITRE tactics, mean time to triage, mean time to resolve, and more. Microsoft Sentinel now makes this data available to you with the new SecurityIncident table and schema in Log Analytics and the accompanying Security operations efficiency workbook. You'll be able to visualize your team's performance over time and use this insight to improve efficiency. You can also write and use your own KQL queries against the incident table to create customized workbooks that fit your specific auditing needs and KPIs.

The SecurityIncident table is built into Microsoft Sentinel. You'll find it with the other tables in the SecurityInsights collection under Logs. You can query it like any other table in Log Analytics.
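A KQL query against the SecurityIncident table that computes the mean time to close, added here as an example for a custom workbook; it is not the query used by the Security operations efficiency template. It assumes the table's IncidentNumber, Status, Severity, CreatedTime and ClosedTime columns, and the 30-day window is an arbitrary choice:

```kql
// SecurityIncident holds one row per modification of an incident, so the
// latest row per IncidentNumber must be selected before measuring anything.
SecurityIncident
| where TimeGenerated > ago(30d)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Only closed incidents have a meaningful time-to-close
| where Status == "Closed" and isnotempty(ClosedTime)
| extend TimeToClose = ClosedTime - CreatedTime
// timespan / 1h yields a real number of hours
| summarize IncidentsClosed = count(),
            MeanTimeToCloseHours = round(avg(TimeToClose) / 1h, 2)
          by Severity, Week = startofweek(ClosedTime)
| order by Week asc, Severity asc
```

Replacing the final grouping with `by bin(ClosedTime, 1d)` and appending `| render timechart` turns the same calculation into a daily trend line for the workbook.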

References:

Commonly used Microsoft Sentinel workbooks

Manage your SOC better with incident metrics



© Copyright 2014 - 2025 by cert2brain.com