Download Microsoft Security Operations Analyst.SC-200.ExamTopics.2026-01-26.158q.vcex
| Vendor: | Microsoft |
| Exam Code: | SC-200 |
| Exam Name: | Microsoft Security Operations Analyst |
| Date: | Jan 26, 2026 |
| File Size: | 6 MB |
How to open VCEX files?
Files with VCEX extension can be opened by ProfExam Simulator.
Purchase
Coupon: TAURUSSIM_20OFF
Discount: 20%
Demo Questions
Question 1
Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need remediate the security risk.
What should you do?
- Disable legacy protocols on the computers listed as exposed entities.
- Enforce LDAP signing on the computers listed as exposed entities.
- Modify the properties of the computer objects listed as exposed entities.
- Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.
Correct answer: C
Explanation:
C: 23 - Mosted C: 23 - Mosted
Question 2
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
- Advanced hunting
- Threat analytics
- Incidents & alerts
- Learning hub
Correct answer: B
Explanation:
B: 8 - Mosted B: 8 - Mosted
Question 3
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.
You need to onboard EC2-1 to Defender for Cloud.
What should you install on EC2-1?
- the Log Analytics agent
- the Azure Connected Machine agent
- the unified Microsoft Defender for Endpoint solution package
- Microsoft Monitoring Agent
Correct answer: B
Explanation:
A: 7B: 30 - Mosted A: 7B: 30 - Mosted
Question 4
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running Windows Server.
Which three actions should you perform in a sequence? To answer, move the appropriate actions from the list of action to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Correct answer: To work with this question, an Exam Simulator is required.
Question 5
You have an Azure subscription that uses Microsoft Defender for Cloud.
You create a Google Cloud Platform (GCP) organization named GCP1.
You need to onboard GCP1 to Defender for Cloud by using the native cloud connector. The solution must ensure that all future GCP projects are onboarded automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Question 6
You have an Azure subscription that contains a virtual machine named VM1 and uses Microsoft Defender for Cloud.
Microsoft Defender for Cloud has automatic provisioning configured to use Azure Monitor Agent.
You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.
What should you do first?
- From Microsoft Defender for Cloud, export the alerts to a Log Analytics workspace.
- From Microsoft Defender for Cloud, add a workflow automation.
- On VM1, trigger a PowerShell alert.
- On VM1, run the Get-MPThreatCatalog cmdlet.
Correct answer: C
Explanation:
C: 4 - Mosted C: 4 - Mosted
Question 7
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might conta`in exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote users located across the globe. The remote users access company resources, including cloud resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses Azure AD Connect with pass-through authentication enabled and password hash synchronization disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022. The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics (UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to assign role-based access control (RBAC) roles to Group1 and Group2 to meet the Microsoft Defender for Cloud requirements and the business requirements.
Which role should you assign to each group? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Question 8
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might conta`in exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote users located across the globe. The remote users access company resources, including cloud resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses Azure AD Connect with pass-through authentication enabled and password hash synchronization disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022. The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics (UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to meet the Microsoft Sentinel requirements for collecting Windows Security event logs.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Question 9
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might conta`in exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote users located across the globe. The remote users access company resources, including cloud resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses Azure AD Connect with pass-through authentication enabled and password hash synchronization disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022. The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- • Microsoft Defender for Cloud
- • Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics (UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to meet the Microsoft Defender for Cloud Apps requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer: To work with this question, an Exam Simulator is required.
Question 10
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.
What should you configure first?
- the User enrichment settings
- the Azure connector
- the Office 365 connector
- the Automatic log upload settings
Correct answer: C
Explanation:
C: 15 - Mosted C: 15 - Mosted
HOW TO OPEN VCE FILES
Use VCE Exam Simulator to open VCE files
HOW TO OPEN VCEX FILES
Use ProfExam Simulator to open VCEX files
ProfExam at a 20% markdown
You have the opportunity to purchase ProfExam at a 20% reduced price
Get Now!