Microsoft Security Operations Analyst (SC-200)
Exam Overview
The Microsoft Security Operations Analyst (SC-200) certification validates your expertise in mitigating threats using Microsoft security products. This credential is vital for professionals tasked with responding to incidents, performing threat hunting, and implementing threat protection across an organization's hybrid environment. Achieving SC-200 demonstrates proficiency in leveraging Microsoft Defender for Endpoint, Microsoft 365 Defender, and Microsoft Sentinel to identify, respond to, and remediate security incidents. It significantly enhances your professional standing, showcasing your ability to operate effectively within a modern Security Operations Center (SOC) and protect digital assets, making you an invaluable asset in the cybersecurity landscape.
- Questions: 40-60
- Passing Score: 700/1000
- Duration: 100 Minutes
- Difficulty: Intermediate
- Level: Associate
Free Study Guide Samples
Previewing updated SC-200 bank (76 Questions).
You have a third-party security information and event management (SIEM) solution. You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in near real time. What should you do to route events to the SIEM solution?
Correct Option: C
Reasoning: Configuring Azure AD Diagnostics settings to stream events to an Azure Event Hub is the standard method for near real-time export of Azure AD logs to external systems, including third-party SIEM solutions that can consume data from Event Hubs.
Why the other choices are incorrect:
- Option A is incorrect: Archiving to a storage account is for long-term retention, not near real-time streaming to a SIEM. SIEMs would need to pull this data, which isn't efficient for real-time alerting.
- Option B is incorrect: This option refers to Azure Sentinel, not a third-party SIEM, and the Security Events connector is primarily for Windows security events, not Azure AD sign-in events.
- Option D is incorrect: This option refers to Azure Sentinel, which is not the specified third-party SIEM. While Sentinel uses an Azure AD connector, it's not the mechanism for routing to an external SIEM.
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
All Windows devices are onboarded to Microsoft Defender for Endpoint.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You enable Live Response.
Does this meet the goal?
Correct Option: B
**No**
Reasoning: Live Response is a manual, reactive investigation and remediation tool, not a proactive or real-time detection and prevention feature. It enables security analysts to take actions after a threat is identified. The goal requires ensuring protection from undetected threats, which necessitates a continuous detection capability, not a manual response mechanism.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
Correct Option: B
Reasoning: Adding an account as a 'Sensitive account' in Microsoft Defender for Identity designates it for enhanced monitoring due to its high privileges. This is distinct from configuring accounts as honeypots or decoys, which are specifically designed to lure and trap attackers to detect lateral movement. Sensitive accounts are protected, not bait.
Why the other choices are incorrect:
- Option A is incorrect: Marking an account as 'Sensitive' only increases its monitoring level, assuming it's a high-value asset. It does not configure it as a decoy or honeypot account to specifically detect attacker activity.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You discover a malicious process that was initiated by a file named File1.exe on a device named Device1.
You need to create a KQL query that will identify when File1.exe was created. The solution must meet the following requirements:
• Return the FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine columns.
• Minimize the volume of data returned.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Reasoning (table): The DeviceFileEvents table in Microsoft Defender XDR stores information about file-related activities, including file creation. This is the appropriate table to query for FileCreated events.
Reasoning (operator): The project-keep operator in KQL selects specific columns from the input table, discarding all others. This fulfills the requirement to return only the specified FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine columns, thereby minimizing data volume.
Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication (MFA).
You need to enforce MFA for all users who work remotely. What should you include in the solution?
Correct Option: C
Reasoning: To enforce MFA specifically for remote users, you must define your office network. A named location in Azure AD identifies trusted IP ranges (e.g., your Istanbul office). Conditional Access policies can then target users not connecting from this named location, thereby identifying remote users and enforcing MFA.
Why the other choices are incorrect:
- Option A is incorrect: A "sign-in user policy" is too generic. Conditional Access policies are sign-in policies, but "named location" is the specific component used to define network boundaries for remote enforcement.
- Option B is incorrect: A user risk policy from Identity Protection applies actions based on a user's risk level (e.g., leaked credentials), not their network location (in-office vs. remote).
- Option D is incorrect: A fraud alert is an MFA reporting feature where users can report suspicious sign-ins. It does not configure when or where MFA is enforced.
You have a Microsoft 365 subscription that contains a Windows device named Device1. Device1 is onboarded to Microsoft Defender for Endpoint.
You initiate a live response session on Device1.
You need to execute a long-running script. The solution must ensure that you can run additional commands during the session while the script is running.
How should you complete the live response command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
**run**
Reasoning: The run command is the standard Live Response command in Microsoft Defender for Endpoint used to execute scripts, such as PowerShell scripts, or executable files on an onboarded device.
**&**
Reasoning: In PowerShell, appending & to a command causes it to run asynchronously in the background. This allows the Live Response session to remain interactive, enabling the analyst to execute additional commands simultaneously.
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices. You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Option: B,E
**Add the IP addresses to the corporate address range category.**
Reasoning: Explicitly defining corporate IP ranges in Microsoft Cloud App Security (MCAS) is crucial. This informs built-in anomaly detection policies, such as "impossible travel" and "risky IP addresses," that traffic originating from these IPs is legitimate and trusted, thereby preventing false-positive alerts.
**Create an activity policy that has an exclusion for the IP addresses.**
Reasoning: An activity policy provides granular control. By creating a custom activity policy with an exclusion for the corporate IP addresses, you can specifically prevent alerts from being generated for known legitimate activities or for alerts triggered by the "custom threat detection policy" mentioned in the scenario, offering a precise suppression mechanism.
Why the other choices are incorrect:
- Option A is incorrect: Adding to 'other' address ranges doesn't confer the same trusted status as 'corporate' for anomaly detection. Tags are for organization, not alert suppression logic.
- Option C is incorrect: Increasing sensitivity would generate more alerts, directly opposing the goal of preventing legitimate sign-in alerts.
- Option D is incorrect: Data enrichment adds context for investigation but does not prevent alerts from being generated by existing policies for known legitimate traffic.
You have a Microsoft 365 E5 subscription that contains a device named Device1.
From the Microsoft Defender portal, you discover that an alert was triggered for Device1.
From the Device inventory page, you isolate Device1.
You need to collect a list of installed programs on Device1.
What should you do?
Correct Option: A
Reasoning: Collecting an investigation package is a standard action in Microsoft Defender for Endpoint to gather comprehensive data, including installed programs, from an isolated device for forensic analysis. The collected package is then available for download from the Action center.
Why the other choices are incorrect:
- Option B is incorrect: While Live Response can be used, the specific `analyze` command is not used to list installed programs. The `software list` command would be appropriate.
- Option C is incorrect: `DeviceProcessEvents` tracks process creation and termination, not a comprehensive inventory of installed programs on the device.
- Option D is incorrect: `DeviceTvmInfoGathering` primarily contains data related to threat and vulnerability management assessments, not a direct or comprehensive list of all installed programs.
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
Correct Option: A,C
**Create a Microsoft Cloud App Security connector.**
Reasoning: Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) provides advanced anomaly detection for SaaS applications, including Office 365. Its alerts for anomalous Office 365 activity are a critical input for the Fusion rule to detect the second stage of a multi-stage attack.
**Create an Azure AD Identity Protection connector.**
Reasoning: Azure AD Identity Protection (now Microsoft Entra ID Protection) specifically detects "suspicious sign-ins" and other identity-based risks. Its high-fidelity risk detections are essential signals for the Fusion rule to identify the initial "suspicious sign-ins" stage of a multi-stage attack.
Why the other choices are incorrect:
- Option B is incorrect: Creating an incident creation rule from Azure Security Center (now Microsoft Defender for Cloud) focuses on alert handling for Azure resources, not on providing the specific identity and O365 anomaly signals required for Fusion's multi-stage attack detection.
- Option D is incorrect: Fusion is a built-in machine learning rule that correlates alerts from other security services. Creating custom rules, while useful for specific detections, does not directly enable Fusion's cross-domain correlation capabilities for the scenario described.
You have a Microsoft 365 E5 subscription that contains a device named Device1.
From the Microsoft Defender portal, you discover that an alert was triggered for Device1.
From the Device inventory page, you isolate Device1.
You need to collect a list of installed programs on Device1.
What should you do?
Correct Option: D
Reasoning: The DeviceTvmSoftwareInventory table in Advanced Hunting is explicitly designed to store comprehensive data about installed software on devices. Running a KQL query against this table provides a direct, efficient method to collect a list of installed programs on Device1.
Why the other choices are incorrect:
- Option A is incorrect: The `processes` command in a live response session lists currently running processes, not a full inventory of installed programs.
- Option B is incorrect: An automated investigation focuses on responding to an alert, not generating a complete list of installed programs. The Action center shows investigation outcomes, not software inventory.
- Option C is incorrect: There is no standard `analyze` command in live response for enumerating installed programs. Commands like `software` might exist, but Advanced Hunting with `DeviceTvmSoftwareInventory` is the most effective for this inventory requirement.
You need to complete the query for failed sign-ins to meet the technical requirements.
Where can you find the column name to complete the where clause?
Premium Solution Locked
Unlock all 380 answers & explanations
You have a query that contains the following statements.

You need to configure a custom detection rule that will use the query. The solution must minimize how long it takes to be notified about events that match the query.
Which frequency should you select for the rule?
Premium Solution Locked
You create an Azure subscription.
You enable Azure Defender for the subscription.
You need to use Azure Defender to protect on-premises computers. What should you do on the on-premises computers?
Premium Solution Locked
You have an Azure subscription named Sub1 that contains the resources shown in the following table.

You plan to configure Rule1 to trigger Lapp1 when an incident is generated.
You need to recommend the role-based access control (RBAC) role that you should assign to WS1, and the scope at which should you assign the role. The solution must follow the principle of least privilege.
What should you recommend? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.
The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center.
You need to ensure that the security administrator receives email alerts for all the activities. What should you configure in the Security Center settings?
Premium Solution Locked
You have a Microsoft Sentinel workspace that has a default data retention period of 30 days. The workspace contains two custom tables as shown in the following table.

Each table ingested two records per day during the past 365 days.
You build KQL statements for use in analytic rules as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You plan to create a data loss prevention (DLP) policy that will be used with insider risk management. The severity level is set to Low. You need to ensure that insider risk management alerts are generated from rules in the DLP policies.
What should you do?
Premium Solution Locked
You have a Microsoft 365 subscription that uses Microsoft Copilot for Security.
You create a promptbook named Book1.
For Book1, you need to create a prompt that contains an input named IncidentID.
How should you format IncidentID?
Premium Solution Locked
You use Azure Security Center; you receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. What should you do?
Premium Solution Locked
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription that uses Microsoft Defender XDR.
From the Microsoft Defender portal, you perform an audit search and export the results as a file named File1.csv that contains 10,000 rows.
You use Microsoft Excel to perform Get & Transform Data operations to parse the AuditData column from File1.csv. The operations fail to generate columns for specific JSON properties.
You need to ensure that Excel generates columns for the specific JSON properties in the audit search results.
Solution: From Excel, you apply filters to the existing columns in File1.csv to reduce the number of rows, and then you perform the Get & Transform Data operations to parse the AuditData column.
Does this meet the requirement?
Premium Solution Locked
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
Premium Solution Locked
You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements.
Which two configurations should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You have a Microsoft Sentinel workspace.
Microsoft Sentinel connectors are configured as shown in the following table.

You use Microsoft Sentinel to investigate suspicious Microsoft Graph API activity related to Conditional Access policies.
You need to search for the following activities:
• Downloads of the Conditional Access policies by using PowerShell
• Updates to the Conditional Access policies by using the Microsoft Entra admin center
Which tables should you query for each activity? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains two Azure key vaults named KV1 and KV2 that use Azure role-based access control (Azure RBAC).
The subscription contains the users shown in the following table.

KV1 contains a secret named Secret1. KV2 contains a secret named Secret2.
Which users can read the values of each secret? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have an on-premises Linux server that runs a background process named App1 and has the Azure Connected Machine agent installed.
You have a Microsoft Sentinel workspace named WS1.
You need to configure a data collection rule (DCR) named DCR1 that will use the Syslog via AMA connector to collect messages related to App1. The solution must meet the following requirements:
• Only collect messages that have a priority level of critical.
• Minimize the volume of data collected.
Which facility and log level should you configure for DCR1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have a Microsoft 365 subscription.
You need to identify all the security principals that submitted requests to change or delete groups.
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Sub1 contains a Log Analytics workspace named Workspace1. All the logs from contoso.com are streamed to Workspace1.
You have a Microsoft 365 E5 subscription.
You need to query Workspace1 for the following:
• HTTP requests to the Microsoft Graph service of contoso.com
• Third-party app sign-in activities that use certificates or secrets
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
Premium Solution Locked
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.
You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database.
You need to ensure that an incident is created in WS1 when the new attack vector is detected.
What should you configure?
Premium Solution Locked
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:



What should you use?
Premium Solution Locked
You have on-premises servers that run Windows Server.
You have a Microsoft Sentinel workspace named SW1. SW1 is configured to collect Windows Security log entries from the servers by using the Azure Monitor Agent data connector.
You plan to limit the scope of collected events to events 4624 and 4625 only.
You need to use a PowerShell script to validate the syntax of the filter applied to the connector.
How should you complete the script? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Contoso.com contains a user named User1. Sub1 contains a Microsoft Sentinel workspace.
You provision a Microsoft Copilot for Security capacity.
You need to ensure that User1 can use Copilot for Security to perform the following tasks:
• Update the data sharing and feedback options.
• Investigate Microsoft Sentinel incidents.
The solution must follow the principle of least privilege.
Which role should you assign to User1 for each task? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Premium Solution Locked
You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains two users named User1 and User2.
You plan to deploy Azure Defender.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.

The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
Select and Place:
Premium Solution Locked
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You configure endpoint detection and response (EDR) in block mode.
Does this meet the goal?
Premium Solution Locked
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Premium Solution Locked
You have a Microsoft Sentinel workspace.
You are investigating an incident that involves the following entities:
• A host named Host1
• A user account named User1
• An IP address of 175.45.176.99
You need to update the threat intelligence list to include the entities.
Which entities can you add on the Incident page?
Premium Solution Locked
You have an Azure Storage account that will be accessed by multiple Azure Function apps during the development of an application.
You need to hide Azure Defender alerts for the storage account.
Which entity type and field should you use in a suppression rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1 and a user named User1.
You need to ensure that User1 can investigate incidents by using Workspace1. The solution must follow the principle of least privilege.
Which role should you assign to User1?
You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.
You need to hide the alerts automatically in Security Center.
Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Select and Place:
You have a Microsoft 365 E5 subscription.
You need to configure Microsoft Defender XDR automatic attack disruption to use signals generated by Microsoft Defender for Cloud Apps.
Which two actions should you perform for Defender for Cloud Apps in the Microsoft Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
You have an Azure subscription.
You need to delegate permissions to meet the following requirements:
Enable and disable Azure Defender.
Apply security recommendations to resources.
The solution must use the principle of least privilege.
Which Azure Security Center role should you use for each requirement? To answer, drag the appropriate roles to the correct requirements. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
You have a Microsoft 365 E5 subscription.
You have a PowerShell script that queries the unified audit log.
You discover that the query returns only the first page of results due to server-side paging.
You need to ensure that you get all the results.
Which property should you query in the results?
You have an Azure subscription that uses Azure Defender.
You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts. You need to create an Azure policy that will perform threat remediation automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace.
You need to create a KQL query that will combine data from the following sources:
• Microsoft Graph
• Risky users detected by using Microsoft Entra ID Protection
The solution must minimize the volume of data returned.
How should the query start?
You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled.
You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.
What should you do first?
You have an Azure subscription named Sub1. Sub1 contains a Microsoft Sentinel workspace named SW1 and a virtual machine named VM1 that runs Windows Server. SW1 collects security logs from VM1 by using the Windows Security Events via AMA connector.
You need to limit the scope of events collected from VM1. The solution must ensure that only audit failure events are collected.
How should you complete the filter expression for the connector? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
You have a Microsoft 365 E5 subscription that contains Windows 11 and Linux CentOS devices.
In Microsoft Defender XDR, Deception is set to On.
You plan to create a deception rule that will use a custom lure.
You need to specify the type of file and the planting path for the custom lure.
What should you specify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?
You have a Microsoft 365 E5 subscription.
You have the following KQL query.
You need to use the query to create a Microsoft Defender XDR custom detection rule that can isolate an onboarded device.
How should you modify the query?
You use Azure Sentinel.
You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security.
You have a Copilot for Security workspace that uses the following plugins:
• Microsoft Entra
• Microsoft Defender XDR
From the Microsoft Defender portal, you use Copilot for Security to investigate a reported incident.
You need to run a promptbook that will include information from Microsoft Entra ID Protection in the investigation.
What should you do first?
You create a hunting query in Azure Sentinel.
You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.
What should you use?
You have an Azure subscription that contains a user named User1 and a Microsoft Sentinel workspace named WS1.
You deploy Advanced Security Information Model (ASIM) authentication parsers to WS1.
You need to use the parsers to query the authentication events generated by User1 during the last 24 hours. The solution must maximize the performance of the query.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.
You need to enable Microsoft Defender for Cloud Apps session control for Site1.
Which type of policy should you create first?
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a livestream from a query.
Does this meet the goal?
You have a Microsoft Sentinel workspace named SW1.
You need to identify which anomaly rules are enabled in SW1.
What should you review in Microsoft Sentinel?
You need to create a query for a workbook. The query must meet the following requirements:
List all incidents by incident number.
Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You have a Microsoft 365 E5 subscription that contains a device named Device1.
From the Microsoft Defender portal, you discover that an alert was triggered for Device1.
From the Device inventory page, you isolate Device1.
You need to collect a list of installed programs on Device1.
What should you do?
You have the resources shown in the following table.

You scplicate events from occurring in SW1.
What should you use for each action? To answer, drag the appropriate resources to the correct actions. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You configure Controlled folder access.
Does this meet the goal?
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?
Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You enable automated investigation and response (AIR).
Does this meet the goal?
You have a Microsoft Sentinel workspace.
You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must minimize administrative effort.
Which rule type should you query?
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices.
You plan to create a Microsoft Defender XDR custom deception rule.
You need to ensure that the rule will be applied to only 10 specific devices.
What should you do first?
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to use an Azure Resource Manager (ARM) template to create a workflow automation that will trigger a logic app when specific alerts are received by Microsoft Defender for Cloud.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have two Azure subscriptions that use Microsoft Defender for Cloud.
You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must minimize administrative effort.
What should you do in the Azure portal?
You have a Microsoft Sentinel workspace.
You need to create playbooks that meet the following requirements:
• Use an automation rule to trigger actions on an entity.
• Call the Entities - Get Hosts action.
Which types of playbooks should you use, and which parameters should you specify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.