
Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 435
Measured Skill: Manage a security operations environment (20–25%)

You have an Azure subscription that uses Microsoft Copilot for Security.

You create a new user named User1 and assign User1 the following roles:
  • The Security Operator role in Microsoft Entra
  • The Security Copilot Contributor role
You need to ensure that User1 can use the Microsoft Sentinel plugin in Copilot for Security. The solution must follow the principle of least privilege.

Which role should you assign to User1?

A Microsoft Sentinel Reader
B Security Reader
C Global Administrator
D Microsoft Sentinel Contributor

Correct answer: A

Explanation:

Microsoft Copilot for Security uses an on-behalf-of (OBO) model. This means Copilot can only access data that the user themselves is already authorized to access in the underlying product (in this case, Microsoft Sentinel).

You already assigned User1:

  • Security Operator (Microsoft Entra) – allows operational security tasks but does not grant Sentinel workspace access
  • Security Copilot Contributor – allows using Copilot features, but does not grant access to security data by itself

To use the Microsoft Sentinel plugin in Copilot for Security, User1 must have read access to the Sentinel workspace. That access is granted through Azure RBAC at the workspace scope, not through Microsoft Entra directory roles, which is why Security Reader (an Entra role) does not help and why the two roles already assigned are not enough.

Microsoft Sentinel Reader is the least privileged built-in role that lets User1 view data, incidents, workbooks, and recommendations in a Microsoft Sentinel workspace. Microsoft Sentinel Contributor adds the ability to create and edit analytics rules, workbooks and other Sentinel content, and Global Administrator is far broader still, so both exceed what the task requires.
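
The assignment and a least-privilege check, as an added example that is not part of the original question or Microsoft's documentation. It assumes the Az.Accounts, Az.Resources and Az.OperationalInsights modules are installed, that Connect-AzAccount has already been run, and that the user principal name, resource group and workspace name are placeholders to be replaced.

```powershell
# Added example (not from the exam page): grant User1 Microsoft Sentinel Reader at
# workspace scope with Azure RBAC, then verify nothing broader is in effect.
# Assumptions: Az modules installed, Connect-AzAccount done, names below are placeholders.
$UserPrincipalName = "user1@contoso.com"
$ResourceGroupName = "rg-sentinel"
$WorkspaceName     = "law-sentinel"

$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName

# Scope the assignment to the workspace resource itself, not the subscription or resource group.
# Entra roles (Security Operator) and the Security Copilot Contributor role do not grant this.
New-AzRoleAssignment -ObjectId $user.Id `
    -RoleDefinitionName "Microsoft Sentinel Reader" `
    -Scope $ws.ResourceId | Out-Null

# Least-privilege check: Get-AzRoleAssignment with -Scope also returns assignments
# inherited from parent scopes, so this shows everything in effect for the user at the
# workspace. Flag any role that lets the user change Sentinel content rather than read it.
$tooBroad = @("Owner", "Contributor", "Microsoft Sentinel Contributor",
              "Microsoft Sentinel Responder", "Log Analytics Contributor")

Get-AzRoleAssignment -ObjectId $user.Id -Scope $ws.ResourceId | ForEach-Object {
    $verdict = if ($_.RoleDefinitionName -in $tooBroad) { "exceeds least privilege" } else { "ok" }
    "{0,-32} {1,-24} {2}" -f $_.RoleDefinitionName, $verdict, $_.Scope
}
```

If the check lists an inherited Contributor or Owner assignment, the least-privilege goal is already defeated at a parent scope, and the fix is to remove that assignment rather than to add a narrower one.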

Reference: Roles and permissions in the Microsoft Sentinel platform



Question: 436
Measured Skill: Manage a security operations environment (20–25%)

You have a Microsoft Sentinel workspace that contains a table named Table1. Table1 has the Analytics plan configured.

You need to configure the retention period for Table1. The solution must maximize the retention of data stored in Table1.

How should you configure the Data retention settings?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Interactive retention: 180 days; Total retention period: 7 years
B Interactive retention: 180 days; Total retention period: 10 years
C Interactive retention: 270 days; Total retention period: 5 years
D Interactive retention: 1 year; Total retention period: 12 years
E Interactive retention: 1 year; Total retention period: 10 years
F Interactive retention: 2 years; Total retention period: 12 years

Correct answer: F

Explanation:

The Microsoft Defender portal provides a centralized experience for configuring table-level data retention and tier settings across Microsoft Sentinel and Microsoft Defender XDR. You can view and manage retention settings, switch between analytics and data lake tiers, and optimize data storage based on operational and cost requirements.

The Manage table screen lets you modify the table's retention settings in the current tier, and change the storage tier, if necessary.

  • Analytics tier retention settings:

    • Analytics retention: 30 days to two years.

    • Total retention: Up to 12 years of long-term storage in the data lake. If you have Sentinel data lake, total retention represents retention of the data in the lake and by default is equal to analytics retention. For example, setting analytics retention to six months also retains the data in the data lake for six months by default, at no extra cost. You can extend long-term retention in the lake beyond the analytics tier retention, for example by setting analytics retention to six months and total retention to one year. Data lake retention is charged only for the duration beyond analytics retention, in this case six months.

  • Data lake tier: Set Retention to a value between 30 days and 12 years. Selecting Data lake tier stores data exclusively in the data lake.

  • Tier changes: If necessary, you can change tiers at any time based on your cost management and data usage needs.

Note: Tier changes aren't available for all tables. For example, some XDR and Microsoft Sentinel solution tables must be available in the analytics tier because Microsoft security services require the data in these tables for near-real-time analytics.

Option F is therefore the only choice that sets both values to their maximum for an analytics-tier table: two years of interactive (analytics) retention and 12 years of total retention. Options D and E keep interactive retention below the two-year ceiling, and the remaining options fall short on total retention as well.
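
The same change made with the Az.OperationalInsights cmdlets instead of the Defender portal's Manage table screen, as an added example that is not part of the original question. It assumes Connect-AzAccount has been run and that the resource group and workspace names are placeholders; the property names (Plan, RetentionInDays, TotalRetentionInDays) follow the Azure Monitor tables API that the portal writes to.

```powershell
# Added example (not from the exam page): set the Analytics-plan table Table1 to the
# maximum retention the page describes: 2 years interactive, 12 years total.
# Assumptions: Connect-AzAccount done; resource group and workspace names are placeholders.
$ResourceGroupName = "rg-sentinel"
$WorkspaceName     = "law-sentinel"
$TableName         = "Table1"

# Azure Monitor expresses these limits in days: 730 = 2 years, 4383 = 12 years (leap days included).
$MaxInteractiveDays = 730
$MaxTotalDays       = 4383

$before = Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -TableName $TableName

# Two years of interactive retention is only available on the Analytics plan.
if ($before.Plan -ne "Analytics") {
    throw "Table $TableName is on the $($before.Plan) plan; this example only applies to Analytics tables."
}
"Before: interactive={0} days, total={1} days" -f $before.RetentionInDays, $before.TotalRetentionInDays

Update-AzOperationalInsightsTable -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -TableName $TableName `
    -RetentionInDays $MaxInteractiveDays -TotalRetentionInDays $MaxTotalDays | Out-Null

# Read the table back rather than trusting the cmdlet's return value.
$after = Get-AzOperationalInsightsTable -ResourceGroupName $ResourceGroupName `
    -WorkspaceName $WorkspaceName -TableName $TableName
"After:  interactive={0} days, total={1} days" -f $after.RetentionInDays, $after.TotalRetentionInDays

if ($after.RetentionInDays -ne $MaxInteractiveDays -or $after.TotalRetentionInDays -ne $MaxTotalDays) {
    throw "Retention for $TableName was not updated as requested."
}
```

Total retention must be at least the interactive retention; the service rejects a total value lower than the interactive one, so when lowering both later, lower the interactive value first.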

Reference: Configure table settings in Microsoft Sentinel



Question: 437
Measured Skill: Manage a security operations environment (20–25%)

You have a Microsoft Sentinel workspace that contains Common Event Format (CEF) data.

You need to run a query against the CEF data.

Which table should you query?

A Syslog
B SecurityEvent
C CommonSecurityLog
D ThreatIntelligenceIndicator

Correct answer: C

Explanation:

In Microsoft Sentinel, when you ingest data using Common Event Format (CEF), the collector parses the CEF header and extension fields into dedicated columns (DeviceVendor, DeviceProduct, Activity, SourceIP and so on) and stores the events in a specific Log Analytics table. CEF data is always written to the CommonSecurityLog table, so queries against CEF-ingested data must target that table. The Syslog table holds plain (non-CEF) syslog; if you find raw "CEF:" strings in its SyslogMessage column, the forwarder is passing CEF through as generic syslog and the events will never appear in CommonSecurityLog.
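
A query against the CEF table, plus the misrouting check described above, as an added example that is not part of the original question. It assumes Connect-AzAccount has been run and that the resource group and workspace names are placeholders; the KQL is run through Invoke-AzOperationalInsightsQuery so it can be scripted, but it is the same query you would paste into the Logs page.

```powershell
# Added example (not from the exam page): query CEF data in CommonSecurityLog, then check
# whether any CEF payloads have been landing in the Syslog table instead.
# Assumptions: Connect-AzAccount done; resource group and workspace names are placeholders.
$ResourceGroupName = "rg-sentinel"
$WorkspaceName     = "law-sentinel"
$ws       = Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroupName -Name $WorkspaceName
$lookback = [TimeSpan]::FromDays(1)

# CEF header fields are parsed into dedicated columns, so the query groups on them directly.
$cefQuery = @"
CommonSecurityLog
| where TimeGenerated > ago(1d)
| summarize Events = count(), LastSeen = max(TimeGenerated)
    by DeviceVendor, DeviceProduct, DeviceEventClassID, Activity
| top 20 by Events desc
"@
$cef = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $cefQuery -Timespan $lookback
$cef.Results | Format-Table -AutoSize

# Misrouted CEF: a raw "CEF:0|Vendor|Product|..." string in SyslogMessage means the message
# was stored as generic syslog and will not be found by queries against CommonSecurityLog.
$misroutedQuery = @"
Syslog
| where TimeGenerated > ago(1d)
| where SyslogMessage contains "CEF:0|"
| summarize Misrouted = count(), Sample = take_any(SyslogMessage) by Computer, Facility
"@
$misrouted = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $misroutedQuery -Timespan $lookback

if (@($misrouted.Results).Count -gt 0) {
    Write-Warning "CEF messages found in the Syslog table; check the CEF forwarder and AMA data collection rule."
    $misrouted.Results | Format-Table -AutoSize
} else {
    "No CEF payloads found in Syslog in the last day."
}
```

The Computer and Facility columns in the second result set tell you which forwarder and which syslog facility is carrying the unparsed CEF, which is where the data collection rule needs to be corrected.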

References:

CEF and CommonSecurityLog field mapping

Ingest syslog and CEF messages to Microsoft Sentinel with the Azure Monitor Agent



Question: 438
Measured Skill: Manage security threats (15–20%)

You have a Microsoft 365 tenant.

You have a known threat file named File1.docx.

You need to prevent users from downloading File1.docx.

What should you do?

A From the Microsoft Defender portal, add an indicator.
B From the Microsoft Purview portal, create a data loss prevention (DLP) policy.
C From the Microsoft Purview portal, create a sensitivity label.
D From the Microsoft Defender portal configure an automated investigation.

Correct answer: A

Explanation:

The most direct and lowest-effort way to do this is with a custom indicator of compromise (IoC) in Microsoft Defender XDR.

In the Microsoft Defender portal, you can create a file indicator based on the file's hash (SHA-256, SHA-1 or MD5) and set the action to Block or Block and remediate. Devices onboarded to Microsoft Defender for Endpoint then block the file when it is downloaded, executed or accessed, where the platform supports it; Block and remediate also quarantines copies that already exist. Because the indicator matches on the hash, renaming File1.docx does not evade it, but a modified copy with a different hash needs its own indicator.

File indicators exist precisely to allow or block specific known files. The distractors address other problems: DLP policies and sensitivity labels govern sensitive content rather than known threats, and automated investigation responds to alerts after the fact instead of preventing the download.

Reference: Create indicators for files



Question: 439
Measured Skill: Manage a security operations environment (20–25%)

You have a Microsoft Sentinel workspace.

You are investigating a multi-stage security attack on your environment.

You need to identify the MITRE ATT&CK phases of the tactics and techniques used by the attacker. The solution must minimize administrative effort.

What should you do?

A From Microsoft Sentinel in the Microsoft Defender portal, select Threat management, and then use the MITRE ATT&CK node.
B Use the Microsoft Security Compliance Toolkit.
C From Investigation & response in the Microsoft Defender portal, select Incident & alerts, and then use the Incidents node.
D From Microsoft Sentinel in the Microsoft Defender portal, select Threat management, and then use the Hunting node.

Correct answer: A

Explanation:

MITRE ATT&CK is a publicly accessible knowledge base of tactics and techniques commonly used by attackers. It's created and maintained based on real-world observations. Many organizations use the MITRE ATT&CK knowledge base to develop specific threat models and methodologies to verify security status in their environments.

In Microsoft Sentinel, the MITRE ATT&CK page under Threat management presents the tactics and techniques as a matrix and maps your active analytics rules and hunting queries onto it, so you can see which phases of the attack chain are already detected or hunted for without building the mapping yourself. The Hunting node shows individual queries rather than a tactic-by-tactic view, the Incidents node shows the tactics of a single incident's alerts rather than coverage across the attack, and the Security Compliance Toolkit is a set of baseline configuration tools unrelated to ATT&CK mapping.

Reference: View MITRE ATT&CK framework coverage in Microsoft Sentinel





 

© Copyright 2014 - 2026 by cert2brain.com