Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 382
Measured Skill: Manage security threats (15–20%)

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to create and customize a workbook for the Microsoft Entra ID Audit Logs.

Which three actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)

www.cert2brain.com

A Sequence: 2, 6, 3
B Sequence: 2, 1, 3
C Sequence: 4, 2, 5
D Sequence: 6, 4, 2

Correct answer: B

Explanation:

The first step is to install the Microsoft Entra ID solution from the Content hub. The solution ships the Microsoft Entra ID Audit logs workbook as a template (the Entra ID data connector it contains is what populates the AuditLogs table the workbook queries).

The second step is to save the workbook template to the Microsoft Sentinel workspace. Saving creates your own copy of the workbook; the template itself stays unchanged.

The third step is to view the saved workbook and make the customizations in Edit mode.

Reference: Visualize and monitor your data by using workbooks in Microsoft Sentinel



Question: 383
Measured Skill: Manage security threats (15–20%)

You have an Azure subscription named Sub1 that contains a Microsoft Sentinel workspace named WS1.

You need to create a hunting query in WS1 that meets the following requirements:
  • Returns the number of changes performed daily by each Microsoft Entra security principal during a seven-day period
  • Identifies all the successful changes to the resources in Sub1
  • Substitutes any missing data points with 0
How should you complete the KQL query?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A P1: AuditLogs
P2: | make-series
B P1: AuditLogs
P2: | mv-expand
C P1: AzureActivity
P2: | make-series
D P1: AzureActivity
P2: | summarize
E P1: AzureDiagnostics
P2: | mv-expand
F P1: AzureDiagnostics
P2: | summarize

Correct answer: C

Explanation:

The AzureActivity table contains the Azure Activity log, which records subscription-level and management-group-level control-plane operations on Azure resources. That is where changes to the resources in Sub1 are found. AuditLogs records Microsoft Entra ID directory changes (users, groups, applications), not Azure resource changes, and AzureDiagnostics holds resource logs rather than the control-plane operations themselves.

The make-series operator creates a series of aggregated values along a specified axis (here, one count per day over the seven-day window) and, through its default clause, fills bins that have no data with a fixed value such as 0. A plain summarize by bin(TimeGenerated, 1d) would simply omit days on which a principal made no changes, and mv-expand only expands dynamic arrays into rows, so neither satisfies the "substitute missing data points with 0" requirement on its own.
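The following hunting query is an added example, not part of the original question or of the Microsoft Sentinel solution content. It assumes the documented AzureActivity schema (TimeGenerated, ActivityStatusValue, Caller) and aligns the seven-day window to UTC day boundaries so that each series has exactly seven bins.

```kql
// Added example (not from the original question): a hunting query over the
// AzureActivity table that meets all three stated requirements.
let lookback = 7d;
let windowStart = startofday(ago(lookback));
let windowEnd = startofday(now());   // today is a partial day, so it is excluded
AzureActivity
| where TimeGenerated >= windowStart and TimeGenerated < windowEnd
// Requirement 2: only successful changes. "Success" is the value written by the
// current schema; "Succeeded" is accepted as well for records written with the
// legacy status value.
| where ActivityStatusValue in~ ("Success", "Succeeded")
// The Activity log records control-plane writes, deletes and actions only (no
// reads), so every remaining row is a change to a resource in the subscription.
// Requirements 1 and 3: one daily count per security principal. Caller holds the
// UPN of a user or the object ID of an app/service principal; default = 0 fills
// the days on which a principal made no changes.
| make-series ChangeCount = count() default = 0
    on TimeGenerated from windowStart to windowEnd step 1d
    by Caller
// Optional: turn each seven-element series back into one row per principal per day,
// which is easier to read in the hunting results grid than the array form.
| mv-expand TimeGenerated to typeof(datetime), ChangeCount to typeof(long)
| project Caller, Day = format_datetime(TimeGenerated, "yyyy-MM-dd"), ChangeCount
| order by Caller asc, Day asc
```

Leave the trailing mv-expand off if you want to chart the series directly with render timechart; keep it when the result feeds a grid or a bookmark, since bookmarks work on rows rather than arrays.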

References:

AzureActivity

Queries for the AzureActivity table

make-series operator



Question: 384
Measured Skill: Manage security threats (15–20%)

You have a Microsoft Sentinel workbook that contains the following KQL query.

let nonInteractive = AADNonInteractiveUserSignInLogs
    // Status is stored as a string in this table; SigninLogs already stores it as dynamic.
    | extend Status = parse_json(Status);
union SigninLogs, nonInteractive
// errorCode and failureReason are both fields of the Status object.
| extend ErrorCode = tostring(Status.errorCode),
         FailureReason = tostring(Status.failureReason)
| summarize errCount = count() by ErrorCode, FailureReason, Category


You need to create a visual that will change the color of the errCount column based on the value returned.

How should you configure the visual?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Visualization: Graph
Column renderer: Text
B Visualization: Graph
Column renderer: Big number
C Visualization: Grid
Column renderer: Heatmap
D Visualization: Grid
Column renderer: Text
E Visualization: Text
Column renderer: Threshold
F Visualization: Text
Column renderer: Heatmap

Correct answer: C

Explanation:

Azure Workbooks rendering options can be used with grids, tiles, and graphs to present query results in the most suitable format.

A Grid visualization shows the query result as a table and lets you assign a column renderer to each column in its column settings. The Heatmap renderer shades each errCount cell on a color gradient according to its value, which is exactly what the question asks for. The Text and Big number renderers display the value without value-dependent coloring, and the Text visualization has no column renderers at all, so the Threshold and Heatmap options paired with it cannot be applied.

References:

Visualize and monitor your data by using workbooks in Microsoft Sentinel

Rendering options



Question: 385
Measured Skill: Manage a security operations environment (20–25%)

You have an on-premises Windows 11 Pro device named Device1 that is onboarded to Microsoft Defender for Endpoint.

You have a Microsoft 365 subscription.

You need to identify the processes running on Device1 and which network connections the processes have open. The solution must minimize administrative effort.

Which four actions should you perform in the Microsoft Defender portal in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)


A Sequence: 3, 7, 6, 1
B Sequence: 3, 2, 5, 4
C Sequence: 3, 1, 7, 6
D Sequence: 3, 2, 4, 1

Correct answer: B

Explanation:

As part of the investigation or response process, you can collect an investigation package from a device in the Microsoft Defender portal. The package captures the current state of the device and helps you understand the tools and techniques used by the attacker.

For Windows devices, the package contains a Processes folder with a .csv file listing the running processes, and a Network connections folder with several files, including ActiveNetConnections.txt, which shows protocol statistics and current TCP/IP connections and lets you look for suspicious connectivity made by a process. One package collection therefore answers both parts of the question, which is why it is the option with the least administrative effort.

Note: The netstat utility is not a live response command, so opening a live response session would not by itself produce this output.

Reference: Collect investigation package from devices



Question: 386
Measured Skill: Manage incident response (25–30%)

You have the Azure subscriptions shown in the following table.



You have a Microsoft Entra tenant that contains the users shown in the following table.



The users have the Azure roles shown in the following table.



You configure Microsoft Copilot for Security capacities as shown in the following table.



For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A User1 can add an additional capacity to Capacity1: Yes
User2 can view the capacity usage information Capacity2: Yes
User3 can configure additional plugins in Capacity2: Yes
B User1 can add an additional capacity to Capacity1: Yes
User2 can view the capacity usage information Capacity2: Yes
User3 can configure additional plugins in Capacity2: No
C User1 can add an additional capacity to Capacity1: No
User2 can view the capacity usage information Capacity2: Yes
User3 can configure additional plugins in Capacity2: No
D User1 can add an additional capacity to Capacity1: No
User2 can view the capacity usage information Capacity2: Yes
User3 can configure additional plugins in Capacity2: Yes
E User1 can add an additional capacity to Capacity1: No
User2 can view the capacity usage information Capacity2: No
User3 can configure additional plugins in Capacity2: Yes
F User1 can add an additional capacity to Capacity1: No
User2 can view the capacity usage information Capacity2: No
User3 can configure additional plugins in Capacity2: No

Correct answer: A

Explanation:

In Security Copilot, a capacity is an Azure resource that holds Security Compute Units (SCUs), the provisioned units that Security Copilot consumes. You can increase or decrease the provisioned SCUs in the Azure portal or in the Security Copilot portal. Security Copilot also provides a usage monitoring dashboard for Copilot owners, so they can track consumption over time and make informed decisions about how much capacity to provision.

User1 is a Security Operator and an Owner of Sub1, which contains RG1. Creating capacity requires the Azure Owner or Contributor role on the subscription, which User1 holds, so User1 can add capacity: Yes.

User2 is a Security Administrator and a Reader on Sub2, which contains RG2 and RG3. Security Administrators and Global Administrators inherit Copilot owner access, and Copilot owners can view the usage dashboard: Yes.

User3 is a Global Administrator and an Owner of RG2. Global Administrators also inherit Copilot owner access, and at least the Security Administrator role is required to manage the plugins that Security Copilot uses as data sources when responding to prompts, so User3 can configure plugins: Yes.

References:

Get started with Microsoft Security Copilot

Understand authentication in Microsoft Security Copilot





 

© Copyright 2014 - 2025 by cert2brain.com