SC-200 Microsoft Security Operations Analyst Free Practice Exam Questions (2025 Updated)

You need to configure event monitoring for Server1. The solution must meet the Microsoft Sentinel requirements. What should you create first?

You need to ensure that the configuration of HuntingQuery1 meets the Microsoft Sentinel requirements.

What should you do?

You need to implement the Defender for Cloud requirements.

What should you configure for Server2?

You need to implement the scheduled rule for incident generation based on rulequery1.

What should you configure first?

You need to implement the Defender for Cloud requirements.

Which subscription-level role should you assign to Group1?

You need to ensure that the processing of incidents generated by rulequery1 meets the Microsoft Sentinel requirements.

What should you create first?

You need to monitor the password resets. The solution must meet the Microsoft Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You need to implement the Microsoft Sentinel NRT rule for monitoring the designated break glass account. The solution must meet the Microsoft Sentinel requirements.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You need to implement the ASIM query for DNS requests. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You need to implement the query for Workbook1 and Webapp1. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription that contains two users named User! and User2. You have the hunting query shown in the following exhibit.

The users perform the following anions:

• User1 assigns User2 the Global administrator role.

• User1 creates a new user named User3 and assigns the user a Microsoft Teams license.

• User2 creates a new user named User4 and assigns the user the Security reader role.

• User2 creates a new user named User5 and assigns the user the Security operator role.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains two users named User1 and User2.

You need to ensure that the users can perform searches by using the Microsoft Purview portal. The solution must meet the following requirements:

• Ensure that User1 can search the Microsoft Purview Audit service logs and review the Microsoft Purview Audit service configuration.

• Ensure that User2 can search Microsoft Exchange Online mailboxes.

• Follow the principle of least privilege.

To which Microsoft Purview role group should you add each user? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector. You need to customize which details will be included when an alert is created for a specific event. What should you do?

You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.

You have an Azure DevOps organization named AzDO1.

You need to integrate Sub! and AzDO1. The solution must meet the following requirements:

• Detect secrets exposed in pipelines by using Defender for Cloud.

• Minimize administrative effort.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You have the on-premises devices shown in the following table.

You are preparing an incident response plan for devices infected by malware. You need to recommend response actions that meet the following requirements:

• Block malware from communicating with and infecting managed devices.

• Do NOT affect the ability to control managed devices.

Which actions should you use for each device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace. You need to create a KQL query that will combine data from the following sources:

• Microsoft Graph

• Risky users detected by using Microsoft Entra ID Protection

The solution must minimize the volume of data returned. How should the query start?

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices. You plan to create a Microsoft Defender XDR custom deception rule. You need to ensure that the rule will be applied to only 10 specific devices. What should you do first?

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You have a Microsoft Sentinel workspace.

Microsoft Sentinel connectors are configured as shown in the following table.

You use Microsoft Sentinel to investigate suspicious Microsoft Graph API activity related to Conditional Access policies. You need to search for the following activities:

• Downloads of the Conditional Access policies by using PowerShell

• Updates to the Conditional Access policies by using the Microsoft Entra admin center

Which tables should you query for each activity? lo answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.

You need to identify all the changes made to sensitivity labels during the past seven days.

What should you use?