$0.00
Microsoft SC-200 Dumps

Microsoft SC-200 Exam Dumps

Microsoft Security Operations Analyst

Total Questions : 388
Update Date : July 16, 2026
PDF + Test Engine
$65 $95
Test Engine
$55 $85
PDF Only
$45 $75



Last Week SC-200 Exam Results

230

Customers Passed Microsoft SC-200 Exam

93%

Average Score In Real SC-200 Exam

99%

Questions came from our SC-200 dumps.



SC-200 Dumps – Pass Your Microsoft SC-200 Certification Exam with Confidence

At Certs4Future, we provide you with the highest-quality SC-200 dumps to ensure you are fully prepared for the certification exam. Here’s why our exam materials stand out:

Authentic Exam Dumps: Our SC-200 exam dumps contain real, exam-specific questions and answers that you are likely to face on your exam.

Guaranteed Success: We are so confident in the quality of our materials that we offer a 100% pass guarantee. If you don’t pass the SC-200 exam, we’ll provide a refund or free updated dumps.

Up-to-Date Content: Our SC-200 dumps are continuously updated to reflect the latest exam changes and trends.

Detailed Explanations: Every question comes with an explanation to help you understand the reasoning behind the correct answers.

How to Use Our SC-200 Dumps

Download the Dumps: After purchasing, you will receive instant access to download the SC-200 exam dumps. You can study from any device, anywhere, anytime.

Start Practicing: Go through the practice questions and simulate the real exam environment. Track your progress and focus on areas that need improvement.

Take the Exam: After thorough preparation, take your SC-200 exam with confidence, knowing that you’ve used the best possible resources.

Pass and Succeed: With our authentic SC-200 dumps, you are guaranteed to pass the exam and earn your certification. If not, take advantage of our refund or free updated dumps.

Start Your SC-200 Exam Preparation Today!

Don’t leave your certification success to chance! Get the authentic SC-200 exam dumps from Certs4Future and start preparing today. With our expert-curated resources and pass guarantee, you'll be ready for the Microsoft SC-200 exam in no time.


Related Exams


Microsoft SC-200 Sample Question Answers

Question # 1

You have an on-premises virtual machine named VM1 that runs Windows Server. You have a Microsoft Sentinel workspace named Workspacel. You install the Azure Connected Machine agent on VM1. You need to collect events from VM1 and send the events to Workspacel. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct answer is worth one point. 

A. From the Microsoft Defender portal, add the Windows Security Events via AMA data connector.
 B. From the Microsoft Defender portal, add the Syslog via AMA data connector. 
C. On VM1, install the Log Analytics agent. 
D. On VM1, enable the Azure Monitor Agent extensions. 
E. On VM1, install the Microsoft Monitonng Agent. 
F. From the Microsoft Defender portal, create a data collection rule (DCR) that targets VM1.



Question # 2

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a user named User1. You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security policies. The solution must follow the principle of least privilege. Which role should you assign to User1?

A. Desktop Analytics Administrator 
B. Security Operator 
C. Security Administrator 
D. Cloud Device Administrator 



Question # 3

Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Microsoft Entra tenant. Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription. You deploy Microsoft Sentinel to a new Azure subscription. You need to perform hunting queries in Microsoft Sentinel to search across all the Log Analytics workspaces of all the subscriptions. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. 

A. Create a query that uses the resource expression and the alias operator.
 B. Use the alias statement. 
C. Add the Microsoft Sentinel solution to each workspace. 
D. Create a query that uses the workspace expression and the union operator. 
E. Add the Security Events connector to the Microsoft Sentinel workspace. 



Question # 4

You have a Microsoft 365 E5 subscription that contains a database server named DB1. DB1 is onboarded to Microsoft Defender XDR. You need to ensure that DB1 appears on the attack surface map. What should you configure? 

A. a critical asset rule 
B. an asset rule 
C. a honeytoken entity tag 
D. a sensitive entity tag 



Question # 5

You have a Microsoft 365 E5 subscription. You need to search the Microsoft Purview audit log by using PowerShell on a Windows device. What should you do first?

A. Modify the TrustedHosts list 
B. Install the Microsoft Exchange Online PowerShell module. 
C. Install the Microsoft Graph PowerShell module. 
D. Enable PowerShell remoting. 



Question # 6

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices. As part of an incident investigation, you identify the following suspected malware files: • sys • pdf • docx • xlsx You need to create indicator hashes to block users from downloading the files to the devices. Which files can you block by using the indicator hashes?

A. File1.sysonly 
B. File1.sysand File3.docxonly 
C. File1.sys. File3.docx, and File4jclsx only 
D. File2.pdf. File3.docxr and File4.xlsx only 
E. File1.sys, File2.pdf, File3.dooc, and File4.xlsx 



Question # 7

You need to update the threat intelligence list to include the entities. Which entities can you add on the Incident page?

A. 175.45.176.99 only 
B. Host1 only 
C. Used only 
D. 175.45.176.99 and Host1 only 
E. Host1 and User1 only 
F. 175.45.176.99, Host1, and User1 



Question # 8

You have an Azure subscription that uses Microsoft Defender XDR. From the Microsoft Defender portal, you perform an audit search and export the results as a file named Filel.csv that contains 10,000 rows. You use Microsoft Excel to perform Get & Transform Data operations to parse the AuditData column from Filel.csv. The operations fail to generate columns for specific JSON properties. You need to ensure that Excel generates columns for the specific JSON properties in the audit search results. Solution: From Defender, you modify the search criteria of the audit search to reduce the number of returned records, and then you export the results. From Excel, you perform the Get & Transform Data operations by using the new export. Does this meet the requirement? 

A. Yes
 B. No 



Question # 9

You have an Azure subscription that uses Microsoft Defender for Cloud. You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1. You need to onboard EC2-1 to Defender for Cloud. What should you install on EC2-1?

A. the Log Analytics agent 
B. the Azure Connected Machine agent 
C. the unified Microsoft Defender for Endpoint solution package 
D. Microsoft Monitoring Agent 



Question # 10

You have an Azure subscription that uses Microsoft Defender for Cloud. You need to configure Defender for Cloud to mitigate the following risks: • Vulnerabilities within the application source code • Exploitation toolkits in declarative templates • Operations from malicious IP addresses • Exposed secrets Which two Defender for Cloud services should you use? Each correct answer presents part of the solution. NOTE: Each correct answer is worth one point.

A. Microsoft Defender for APIs 
B. Microsoft Defender for Resource Manager 
C. Microsoft Defender for App Service 
D. Microsoft Defender for DevOps 
E. Microsoft Defender for Servers 



Question # 11

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have a Copilot for Security workspace that uses the following plugins: • Microsoft Entra • Microsoft Defender XDR From the Microsoft Defender portal, you use Copilot for Security to investigate a reported incident. You need to run a promptbook that will include information from Microsoft Entra ID Protection in the investigation. What should you do first?

A. From the Microsoft Defender portal, create an incident report
 B. From the Microsoft Defender portal, create an advanced hunting query. 
C. Open the investigation in the Copilot for Security standalone experience. 
D. Open the investigation in Microsoft Sentinel. 



Question # 12

You have a Microsoft 365 E5 subscription that contains two users named Userl and User2 and From the Copilot for Security portal, User1 starts a session and creates the following prompts: • Prompt1: Provides access to the Entra plugin • Prompt2: Provides access to the Intune plugin • Prompt3: Provides access to the Entra plugin User1 shares the session with User2. User2 does NOT have access to Microsoft Intune. For which prompts can User2 view results during the shared session? 

A. Prompt1 only 
B. Prompt1 and Prompt2 only 
C. Prompt3 only 
D. Prompt1 and Prompt3 only 
E. Prompt1, Prompt2, and Prompt3 



Question # 13

You have an Azure subscription that contains a resource group named RG1. RG1 contains a Microsoft Sentinel workspace. The subscription is linked to a Microsoft Entra tenant that contains a user named User1. You need to ensure that User1 can deploy and customize Microsoft Sentine1 workbook templates. The solution must follow the principle of least privilege. Which role should you assign to User1 for RG1?

A. Workbook Contributor 
B. Microsoft Sentinel Contributor 
C. Contributor 
D. Microsoft Sentinel Automation Contributor 



Question # 14

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You discover that when Microsoft Defender for Endpoint generates alerts for a commonly used executable file, it causes alert fatigue. You need to tune the alerts. Which two actions can an alert tuning rule perform for the alerts? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. 

A. delete 
B. hide 
C. resolve 
D. merge 
E. assign 



Question # 15

You have a Microsoft 365 subscription. You have the following KQL query. DeviceEvents | where ActionType == "AntivirusDetection* You need to ensure that you can create a Microsoft Defender XDR custom detection rule by using the query. What should you add to the query? 

A. summarize (Timestamp, DeviceHanw)=arg_min(Timestampf DeviceName), count() by Deviceld
 B. sumarize (Timestamp, ReportId)>arg_max(Timestanp, Reportld), count{) by Deviceld 
C. summarize (Timestamp)=range(Timestatip), count() by Deviceld 
D. sumarize (ReportId)=make_set(ReportId), count() by Deviceld 



Question # 16

You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1. What should you do?

A. Run an advanced hunting query against the DeviceTvmlnfoGathering table. 
B. Initiate a live response session and run the processes command. 
C. Run an advanced hunting query against the DeviceTvmSoftwarelnventory table. 
D. Run an advanced hunting query against the DeviceProcessEvents table. 



Question # 17

Your on-premises network contains two Active Directory Domain Services (AD DS) domains named contoso.com and fabrikam.com. Contoso.com contains a group named Group1. Fabrikam.com contains a group named Group2. You have a Microsoft Sentinel workspace named WS1 that contains a scheduled query rule named Rule1. Rule1 generates alerts in response to anomalous AD DS security events. Each alert creates an incident. You need to implement an incident triage solution that meets the following requirements: · Security incidents from contoso.com must be assigned to Group1. · Security incidents from fabrikam.com must be assigned to Group2. · Administrative effort must be minimized. What should you include in the solution?

A. one automation rule assigned to Rule1 
B. a playbook that is triggered by the creation of an incident 
C. two automation rules assigned to Rule1 
D. a playbook that is triggered by the creation of an alert 



Question # 18

You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint. You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You identify that an attacker performed the following actions on a device: • Modified the file system path of a registry-based antivirus exclusion • Downloaded a malicious file to the file system path You initiate a live response session on the device. You need to undo the registry change. Which command should you run?

A. analyze 
B. registry 
C. remediate 
D. scan 



Question # 19

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices. You plan to create a Microsoft Defender XDR custom deception rule. You need to ensure that the rule will be applied to only 10 specific devices. What should you do first?

A. Add the IP address of each device to the list of decoy accounts and hosts of the rule. 
B. Add the devices to a group. 
C. Add custom lures to the rule. 
D. Assign a tag to the devices 



Question # 20

You have a Microsoft 365 E5 subscription. Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365 and devices use full automation in Microsoft Defender for Endpoint. You have an incident involving a user that received maIware-infected email messages on a managed device. Which action requires manual remediation of the incident?

A. containing the device 
B. hard deleting the email message 
C. isolating the device 
D. soft deleting the email message 



Question # 21

You have a Microsoft 365 subscription that uses Microsoft Copilot for Security. You create a promptbook named Book1. For Book1, you need to create a prompt that contains an input named IncidentID. How should you format IncidentID?

A. <IncidentID>
B. SIncidentlD$
C. ##IncidentID##
D. [IncidentID]



Question # 22

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps. What should you configure first?

A. the Azure connector 
B. the User enrichment settings 
C. the Automatic log upload settings 
D. the Microsoft 365 connector 



Question # 23

You have a Microsoft 365 E5 subscription that contains 500 Windows 11 devices. You have a Microsoft Defender for Endpoint deployment that has the following settings: Discovery mode: Basic Live Response: Disabled Enable EDR in block mode: Off Tamper Protection: Off You need to implement automatic attack disruption in Microsoft Defender XDR. What should you do?

A. Set Enable EDR in block mode to On. 
B. Set Live Response to On. 
C. Change Discovery mode to Standard discovery. 
D. Set Tamper Protection to On. 



Question # 24

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You start a Copilot for Security session and enter five prompts that each provide responses. You need to create a promptbook that will use the prompts but will NOT contain the responses. The solution must minimize administrative effort. What should you do? 

A. Enter a new prompt that has the following input: Create a promptbook from my session prompts. 
B. Select each prompt, and then select Create promptbook. 
C. Share the session, and then select Create promptbook. 
D. Create a new promptbook and include each prompt. 



Question # 25

You have a Microsoft 365 subscription that contains the following resources: • 100 users that are assigned a Microsoft 365 E5 license • 100 Windows 11 devices that are joined to the Microsoft Entra tenant The users access their Microsoft Exchange Online mailbox by using Outlook on the web. You need to ensure that if a user account is compromised, the Outlook on the web session token can be revoked. What should you configure?

A. Microsoft Entra ID Protection 
B. Microsoft Entra Verified ID 
C. a Conditional Access policy in Microsoft Entra 
D. security defaults in Microsoft Entra 



Question # 26

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint You discover unauthorized changes to the membership of the Administrators group on the devices. You need to configure a solution that meets the following requirements: • Every hour, check the Administrators group membership of each endpoint. • When a change to the Administrators group membership is detected, create an incident in Microsoft Defender XDR. What should you create first?

A. a device group 
B. a detection rule 
C. an alert tuning rule 
D. an advanced hunting query 



Question # 27

You have a Microsoft Sentinel workspace named Workspace1 that contains the AzureActivity table. You need to configure the retention period for the AzureActivity table. The solution must meet the following requirements: • Maximize the period during which you can run interactive queries. • Minimize retention costs. To what should you set the retention period? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.  

A. 30 days 
B. 90 days 
C. 180 days 
D. 2 years 



Question # 28

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. WS1 has the Azure Activity connector and the Microsoft Entra ID connector configured. You need to investigate which accounts have the most alerts and any corresponding incident information for each alert. The solution must minimize administrative effort What should you do first in WS1?

A. Enable User and Entity Behavior Analytics (UEBA). 
B. From Content hub, install Cloud Identity Threat Protection Essentials. 
C. From Content hub, install the Microsoft Purview insider risk management solution. 
D. Use User and Entity Behavior Analytics (UEBA) to detect anomalies. 



Question # 29

You have an Azure subscription. You need to stream the Microsoft Graph activity logs to a third-party security information and event management (SIEM) tool. The solution must minimize administrative effort. To where should you stream the logs?

A. an Azure Event Hubs namespace 
B. an Azure Event Grid namespace 
C. an Azure Storage account 
D. a Log Analytics workspace 



Question # 30

You have 500 on-premises devices. You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You onboard 100 devices to Microsoft Defender XDR. You need to identify any unmanaged on-premises devices. The solution must ensure that only specific onboarded devices perform the discovery. What should you do first?

A. Set Discovery mode to Basic 
B. Create a device group. 
C. Create a tag. 
D. Create an exclusion. 



Question # 31

You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint You enable Network device discovery. You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device. Which built-in function should you use?

A. current_cluster,endpoint()
 B. DeviceFromIP () 
C. next () 
D. SeenBy ()



Question # 32

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. Copilot for Security has the default settings configured. You need to ensure that a user named User1 can use Copilot for Security to perform the following tasks: • Upload files. • View the usage dashboard. • Share promptbooks with all users. The solution must follow the principle of least privilege. Which role should you assign to User1?

A. Security Administrator 
B. Cloud Application Administrator 
C. Copilot Contributor 
D. Copilot Owner 



Question # 33

You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace. You need to create a KQL query that will combine data from the following sources: • Microsoft Graph • Risky users detected by using Microsoft Entra ID Protection The solution must minimize the volume of data returned. How should the query start?

A. MicrosoftGraphActivityLogs lookup kind=leftouter AADRiskyUsers on $left.Userld == $right.Id 
B. MicrosoftGraphActivityLogs join AADRiskyUsers on $left.Userld == $right.Id 
C. MicrosoftGraphActivityLogs join AADUserRiskEvents on $left.Userld == $right.Id 
D. find in (MicrosoftGraphActivityLogs, AADUserRiskEvents) where 



Question # 34

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You are investigating an incident. You need to review the incident tasks that were performed. The solution must include a query that will display the incidents in a workbook, and then display the tasks of each incident in another grid. Which table should you target in the query?

A. Securitylncident 
B. SecurityEvent 
C. Sentine1Audit 
D. SecurityAlert 



Question # 35

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. All endpoint devices are onboarded to Microsoft Defender for Endpoint. You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace 1. All Microsoft Defender XDR events are ingested into Workspace1. You have a Microsoft Entra tenant. You create a KQL query named query1 that searches device logs for a known vulnerability. You need to ensure that query1 runs every hour. The solution must minimize administrative effort. What should you configure?

A. an automation rule 
B. automated investigation and response (AIR) 
C. a watchlist 
D. a custom detection rule 



Question # 36

You have a Microsoft 365 B5 subscription. You have a PowerShell script that queries the unified audit log. You discover that the query returns only the first page of results due to server-side paging. You need to ensure that you get all the results. Which property should you query in the results? 

A. @odata.nextlink 
B. @odata.deltaLink 
C. @odata.context 
D. @odata.count 



Question # 37

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 100 virtual machines that run Windows Server. You need to configure the collection of Windows Security event logs for ingestion to WS1. The solution must meet the following requirements: • Capture a full user audit trail including user sign-in and user sign-out events. • Minimize the volume of events. • Minimize administrative effort. Which event set should you select?

A. All events 
B. Custom 
C. Minimal 
D. Common 



Question # 38

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan Z and contains 1,000 Windows devices. You have a PowerShell script named Script Vps1 that is signed digitally. You need to ensure that you can run Script1.psl in a live response session on one of the devices. What should you do first from the live response session?

A. Run the library command.
 B. Run the putfile command 
C. Modify the PowerShell execution policy of the device. 
D. Upload Script1.ps 1 to the library. 



Question # 39

Your on-premises network contains an Active Directory Domain Services (AD DS) forest. You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers. Which table should you query?

A. AADServicePrincipalRiskEventi 
B. IdentityLOgonEvents 
C. AADDomainServicesAccountLogon 
D. Signinlogs