
Microsoft Security Operations Analyst - SC-200 Exam Questions
QUESTION NO: 1
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team.
You need to hide false positives in the Alerts queue, while maintaining the existing security posture. Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: A,C,E
QUESTION NO: 2
You need to meet the Microsoft Defender for Cloud Apps requirements
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:
Set the sensitivity level of the impossible travel alert policies to: Low
To reduce the amount of false positive alerts: Add IP address ranges
In Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), the impossible travel alert policy detects when a user signs in from two geographically distant locations within a timeframe that would make physical travel between them impossible. This is an important indicator of account compromise, but it also generates false positives if it is not tuned, most commonly when sign-ins are routed through a VPN, proxy or cloud egress point whose geolocation does not match where the user really is.
* Setting the sensitivity level to Low: the Impossible travel policy has a sensitivity slider with three levels, Low, Medium and High. The slider controls which built-in suppressions are applied before an alert is raised:
* High applies only the system-level suppressions, so it raises the most alerts and the most false positives.
* Medium applies the system and user-level suppressions (activity that is common for that specific user) and offers a balance.
* Low applies the system, tenant and user-level suppressions (activity that is common for the tenant as a whole as well as for the user), so only the most obvious, high-confidence anomalies produce alerts. To meet a requirement that minimizes alert noise and false positives, set the sensitivity to Low.
* Reducing false positives by adding IP address ranges: Microsoft's tuning guidance for Defender for Cloud Apps is to register known IP address ranges (office networks, VPN exit nodes, proxy gateways) under Settings > Cloud Apps > System > IP address ranges, tagged with a category such as Corporate or VPN. Defender for Cloud Apps then treats sign-ins from those ranges as coming from known locations rather than as anomalous travel, which removes the largest source of false positives for this detection.
Other options, like enabling or disabling leaked credential detection, are unrelated to the impossible travel anomaly and affect credential theft alerts instead.
Therefore, the verified correct configuration is:
# Sensitivity level: Low
# Reduce false positives by: Add IP address ranges
QUESTION NO: 3
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.
What should you create first? A. device groups
Correct Answer: B
QUESTION NO: 4
You need to create the analytics rule to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

According to the Microsoft Sentinel documentation, when you need an analytics rule that runs a custom KQL query and automatically starts a playbook, the correct configuration is to create a Scheduled rule and to build the playbook around a Microsoft Sentinel trigger.
Here's why:
* A Scheduled analytics rule in Microsoft Sentinel runs a custom KQL query at a defined interval (for example, every hour or every few minutes) over a defined lookback period to detect specific patterns of suspicious activity. When the query returns results that meet the rule's threshold, Sentinel generates alerts (and, by default, incidents) that can start a playbook automatically.
* A playbook in Sentinel is an Azure Logic App that automates the response to incidents or alerts. For Sentinel to start it, the Logic App must begin with a Microsoft Sentinel trigger, specifically the "Microsoft Sentinel incident" or "Microsoft Sentinel alert" trigger. Incident-triggered playbooks are attached to a rule through an automation rule; alert-triggered playbooks can also be selected directly in the rule's Automated response settings. Either way, the trigger is what lets the rule start the playbook when its condition is met.
The other options are incorrect because:
* Fusion rules are built in and use Microsoft's machine learning to correlate signals automatically; they cannot run custom queries.
* Microsoft incident creation rules are also built in and only control how alerts from Microsoft security products are turned into incidents; they do not execute custom queries.
* A service principal is a permissions concern (for example, for the administrator who configures the playbooks), not something that is configured inside the playbook itself.
* Diagnostic settings control log collection and retention, not rule automation.
Therefore, based on Microsoft Sentinel best practices and documentation:
# Create the rule of type: Scheduled
# Configure the playbook to include: A trigger
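As an added example (not part of the exam material and not Microsoft's own sample), the ARM resources that implement the answer above: a Scheduled analytics rule with a custom KQL query over SigninLogs, plus an automation rule that runs an existing playbook whenever that rule creates an incident. The workspace and playbook names, the query and its threshold, the rule GUIDs and the apiVersion values are assumptions; the playbook referenced by playbookName must already exist in the same resource group and must start with the Microsoft Sentinel incident trigger, otherwise the automation rule cannot run it.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": { "type": "string" },
    "playbookName": { "type": "string", "defaultValue": "Notify-SecOps" },
    "ruleId": { "type": "string", "defaultValue": "[newGuid()]" },
    "automationRuleId": { "type": "string", "defaultValue": "[newGuid()]" }
  },
  "variables": {
    "ruleResourceId": "[resourceId('Microsoft.OperationalInsights/workspaces/providers/alertRules', parameters('workspaceName'), 'Microsoft.SecurityInsights', parameters('ruleId'))]"
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', parameters('ruleId'))]",
      "kind": "Scheduled",
      "properties": {
        "displayName": "Burst of failed interactive sign-ins",
        "description": "Assumed example: 20 or more failed sign-ins for one account within the lookback period",
        "enabled": true,
        "severity": "Medium",
        "query": "SigninLogs | where ResultType != 0 | summarize Failures = count(), SourceIPs = make_set(IPAddress, 10) by UserPrincipalName | where Failures >= 20",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionEnabled": false,
        "suppressionDuration": "PT1H",
        "tactics": [ "CredentialAccess" ],
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [ { "identifier": "FullName", "columnName": "UserPrincipalName" } ]
          }
        ]
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/automationRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/', parameters('automationRuleId'))]",
      "dependsOn": [ "[variables('ruleResourceId')]" ],
      "properties": {
        "displayName": "Run playbook for failed sign-in incidents",
        "order": 1,
        "triggeringLogic": {
          "isEnabled": true,
          "triggersOn": "Incidents",
          "triggersWhen": "Created",
          "conditions": [
            {
              "conditionType": "Property",
              "conditionProperties": {
                "propertyName": "IncidentRelatedAnalyticRuleIds",
                "operator": "Contains",
                "propertyValues": [ "[variables('ruleResourceId')]" ]
              }
            }
          ]
        },
        "actions": [
          {
            "order": 1,
            "actionType": "RunPlaybook",
            "actionConfiguration": {
              "logicAppResourceId": "[resourceId('Microsoft.Logic/workflows', parameters('playbookName'))]",
              "tenantId": "[subscription().tenantId]"
            }
          }
        ]
      }
    }
  ]
}
```

Two things to check before deploying: queryPeriod must be at least as long as queryFrequency or the rule skips data, and Microsoft Sentinel's service identity needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook, or the automation rule will be created but the playbook run will fail with a permissions error.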
QUESTION NO: 5
A company wants to analyze by using Microsoft 365 Apps.
You need to describe the connected experiences the company can use.
Which connected experiences should you describe? To answer, drag the appropriate connected experiences to the correct description. Each connected experience may be used once, more than once, or not at all. You may need to drag the split between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

QUESTION NO: 6
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

To launch a Logic App from a Microsoft Defender for Cloud alert, you create a Defender for Cloud workflow automation resource and attach a Logic App action to it. In ARM this is modeled with the resource type Microsoft.Security/automations. Its properties include isEnabled, scopes (the subscriptions or resource groups the automation applies to), sources (the event source, Alerts here, plus rule sets that filter on alert properties such as severity or display name) and actions, where actionType is LogicApp. A LogicApp action also needs the callback URL of the workflow's trigger, which the template retrieves at deployment time with the listCallbackUrl function:
listCallbackUrl(resourceId(subscriptionId, resourceGroupName, 'Microsoft.Logic/workflows/triggers', '<workflowName>', 'manual'), '2019-05-01').value
Written as a single path, the trigger is addressed as Microsoft.Logic/workflows/<workflowName>/triggers/manual, so the path segment inserted between .../workflows/ and the trigger name is triggers (the callback URL is retrieved for the workflow's manual trigger, which is the default name Logic Apps gives a request-based trigger).
So the two correct selections to wire up app1 to run when a selected Defender for Cloud alert fires are:
* Set the ARM resource type to Microsoft.Security/automations.
* In the callback URL construction, append triggers (.../workflows/<app1>/triggers/manual).
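The complete template the explanation above describes, as an added example (not from the exam and not one of Microsoft's own samples): it deploys a Microsoft.Security/automations resource scoped to the current subscription that runs the Logic App app1 whenever a high-severity alert whose display name contains the value of alertDisplayName is raised. The parameter names, the filter values, the Logic App trigger name manual and the apiVersion values are assumptions; adjust them to the workflow and the alert you actually want to react to.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "automationName": { "type": "string", "defaultValue": "run-app1-on-alert" },
    "logicAppName": { "type": "string", "defaultValue": "app1" },
    "logicAppResourceGroup": { "type": "string", "defaultValue": "[resourceGroup().name]" },
    "alertDisplayName": { "type": "string", "defaultValue": "Suspicious authentication activity" }
  },
  "variables": {
    "workflowId": "[resourceId(parameters('logicAppResourceGroup'), 'Microsoft.Logic/workflows', parameters('logicAppName'))]",
    "triggerId": "[resourceId(parameters('logicAppResourceGroup'), 'Microsoft.Logic/workflows/triggers', parameters('logicAppName'), 'manual')]"
  },
  "resources": [
    {
      "type": "Microsoft.Security/automations",
      "apiVersion": "2019-01-01-preview",
      "name": "[parameters('automationName')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "description": "Assumed example: run app1 for matching Defender for Cloud alerts",
        "isEnabled": true,
        "scopes": [
          {
            "description": "All resources in this subscription",
            "scopePath": "[subscription().id]"
          }
        ],
        "sources": [
          {
            "eventSource": "Alerts",
            "ruleSets": [
              {
                "rules": [
                  {
                    "propertyJPath": "Severity",
                    "propertyType": "String",
                    "expectedValue": "High",
                    "operator": "Equals"
                  },
                  {
                    "propertyJPath": "AlertDisplayName",
                    "propertyType": "String",
                    "expectedValue": "[parameters('alertDisplayName')]",
                    "operator": "Contains"
                  }
                ]
              }
            ]
          }
        ],
        "actions": [
          {
            "actionType": "LogicApp",
            "logicAppResourceId": "[variables('workflowId')]",
            "uri": "[listCallbackUrl(variables('triggerId'), '2019-05-01').value]"
          }
        ]
      }
    }
  ]
}
```

Rules inside one rule set are combined with AND (both the severity and the display-name condition must match); to OR conditions, add a second rule set. Because listCallbackUrl is evaluated during deployment, the deploying identity needs the Microsoft.Logic/workflows/triggers/listCallbackUrl/action permission on app1, and the resulting URL carries a SAS signature that authorizes anyone holding it to start the workflow, so treat the deployed automation resource as sensitive.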
QUESTION NO: 7
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin Logs.
You need to ensure that failed interactive sign-ins are detected.
The solution must minimize administrative effort.
What should you use?
Correct Answer: D
QUESTION NO: 8
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema. You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort. What should you do first?
Correct Answer: D
QUESTION NO: 9
You need to complete the query for failed sign-ins to meet the technical requirements.
Where can you find the column name to complete the where clause?
Correct Answer: B
QUESTION NO: 10
Your on-premises network contains an Active Directory Domain Services (AD DS) forest.
You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant. You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.
Which table should you query?
Correct Answer: B
QUESTION NO: 11
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
What should you use?
Correct Answer: B
QUESTION NO: 12
You have a Microsoft Sentinel workspace.
A Microsoft Sentinel incident is generated as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.

Correct Answer:
