Practice Questions Edition’21

Exam SC-200: Microsoft

Security Operations
Analyst (Part1)

EXPLORE
Hello learners!
Microsoft estimated that there is a shortage of about 3.5 million security
professionals. It released four new security-focused certifications that allow IT
professionals and security professionals to validate their skills or skill up in one
of the most indispensable assets. One of these certifications is the new SC-200:
Microsoft Security Operations Analyst.

This is an associate-level certification and specializes in the security domain of

operations. The designation you receive after completing this certification is the
Microsoft Certified Security Operations Analyst Associate.
Are you willing to get recognized for these skills?

Responsibilities include threat management, monitoring, and response by using

a variety of security solutions across their environment. The role primarily
investigates, responds to, and hunts for threats using Microsoft Azure Sentinel,
Azure Defender, Microsoft 365 Defender, and third-party security products.

Are you willing to get recognized for these skills?

If yes, then you must get certified in Microsoft Exam SC-200 to obtain the required
skills and get awarded with a certification which makes you stand out and gives you
a big boost to speed up in this fast-moving world.

If you are planning to take up the SC-200 certification exam, this edition offering 25
practice questions will be of great help. You can find the correct answers and links
to additional resources at the bottom of the document.

2
Here goes the Quiz
01. You are a security operations analyst, and you can create custom detection.
Which of the following will you use:

Select one or more:

A. Azure Defender

B. An alert

C. Advanced Hunting

D. An incident

02. You need to block files even if a third-party antivirus is used. What settings will you enable
or turn on to block files in Advanced features?

Which setting will you enable or turn on in advanced features?

A. Allow or block filed

B. Enable block files

C. Automated Investigation

D. Enable EDR in block mode

03. There are various components in DLP. Which among the following classifies as a
document, and which component can protect content in locations like SharePoint Online?

Select one:

A. Sensitive info types and Access Policy

B. Access Policy and DLP Policy

C. Sensitivity label and DLP Policy

D. DLP Policy and Retention Policy

3
Here goes the Quiz
04. Your organization uses Azure Security Center and Azure Defender.
In Azure Security Center, you want to see the topology of your workloads.
Which feature of Security Center enables you to see:

Select one:

A. Biometric analytics

B. Network map

C. Inventory

D. Secure Score

05. Your organization uses Azure Security Center and Azure Defender.
You need to describe the primary role of Azure Defender.

Which of the following can describe the primary role?

A. Cloud workload protection

B. Cloud configuration protection

C. Cloud security posture management

D. Cloud configuration management

06. You have an Azure Sentinel. You need to create a query using Kusto
Query Language(KQL).

Which function will return a distinct count on the expression provided to the function?

A. count()

B. arg_max()

C. bin()

D. dcount()

4
Here goes the Quiz
07. You have Azure Defender. You can use Kusto Query Language (KQL) and do
advanced Hunting. Operators use advanced Hunting to perform the query.

Which of the operator is not allowed?

A. where

B. count

C. sum

D. find

08. Your organization used Azure Security Center and went to Hunting to run the query.
Do you need to create a query with a suspicious command to search for a specific string with
a timed rage greater than seven days ago?
Note: Assume | project column names are there in query.

A. union DeviceProcessEvents, DeviceNetworkEvents

| where Timestamp > ago(7d)
| where ProcessCommandLine has_any(“MyStringToSearch”)

B. union DeviceProcessEvents, DeviceNetworkEvents

| where ProcessCommandLine has_any(“MyStringToSearch”)
| where Timestamps > ago(7d)

C. union DeviceProcessEvents, DeviceNetworkEvents

| where Timestamp > ago(7d)
| where ProcessCommandLine has_any=”MyStringToSearch”

D. union DeviceProcessEvents, DeviceNetworkEvents

| where ProcessCommandLine has_any=”MyStringToSearch”
| where Timestamps > ago(7d)

5
Here goes the Quiz
09. Your organization has Microsoft 365 Defender, Microsoft Defender for Endpoint.
Your organization need you to do an in-depth investigation and take immediate
response action on identified threats in real-time?

Select one:

A. Live device investigation manager

B. Security operations

C. Hunt for emerging threats

D. Live response

10. Which live response basic command is used to Initiates a live response session to
the device?
Select one:

A. connections

B. processes

C. connect

D. init

Test your exam readiness before the actual exam!

What’s in for you?
• Unlimited library of Microsoft certification exam preparation resources.
• Practice MCQs
• Hands-on and Scenario based questions
Click here and subscribe to CloudThat’s Exam Ready platform.

6
Here goes the Quiz
11. Your organization wants to respond to threats in a controlled and more cost-effective
manner.
You are assigned to create a policy that allows or block access based on authenticatio
or identity type.
Which policy should you use:

A. sign-in risks policy

B. User risks policy

C. Risk policy based on identity type

12. You have Microsoft Defender for Endpoint.

In Indicators, which file type and type is used to upload and accepted type?

Select one:

A. XML and Certificates

B. CSV and Code data

C. JSON and Email subject line

D. CSV and Certificates

13. While doing deep file analysis, Cybersecurity investigations are typically
triggered by what?
Which extensions are including for deep analysis which currently supports for
extensive analysis of portable executable (PE) files?

Select one:

A. Triggered by an alert and supports .exe and .dll files

B. Triggered by threat and supports .csv and .json files

C. Triggered by an alert and supports .csv and .json files

D. Triggered by threat and supports .exe and .dll files

7
Here goes the Quiz
14. Your organization has a Microsoft Defender. You need to protect against the identity risks.
What will be your solution?
Solution: configure Identity Protection
Does it meet your goal?

A. Yes

B. No

Get Unlimited Access Microsoft Azure Certification Trainings.

Subscribe to CloudThat’s AZURE MASTERY PASS

Why Azure Mastery Pass?

1. Instructor-Led Live Training from Certified Experts

2. Practice Lab and Projects Aligned to Azure Learning

3. Flexible & Convenient Learning – Anytime anywhere

15. Your organization has a Microsoft Defender. You need to protect the identity-related risks.
What will be your solution?
Solution: Navigate to Azure AD, configure alerts on risks.
Does it meet your goal?

A. Yes

B. No

8
Here goes the Quiz
16. What types of risks are there in Azure AD?

Select one:
A. Sign-in and identity risk

B. User and sign-in risks

C. User and identity risks

D. Credentials and identity risks

17. Your organization has Azure Security Center and Azure Defender.
You need to protect against identity risk. Your organization’s specialist expertise is in retail
and not a security specialist.

What can you use to protect against identity risk?

A. Azure AD Identity Protection

B. Security manager

C. Identity manager

D. Security Center

18. Your organization has Azure Security Center and Azure Defender.
You need to investigate potential cyberattack, and the sooner you identify better off your
organization will be. You are receiving alerts.
What will you use to investigate automatically and respond with a set of security
playbooks when an alert triggered?
Select one:

A. Automated investigation and response (AIR)

B. remediate

C. threat mitigation

D. Automated alert and response (AAR)

9
Here goes the Quiz
19. Your organization has a Microsoft 365 E5 subscription to micros.com Azure AD tenant.
You have Windows 10 machines deployed with Microsoft Defender Endpoint.
Microsoft Cloud App Security built-in detection policies are enabled.
The problem facing is Cloud app security generates false positive alerts whenever a user
connects to two offices simultaneously.
You have to fulfil the requirement that the cloud app security must identify whenever a user
connection is abnormal based on tenant-level data.

Which policy should you modify to modify the anomaly detection policy settings to meet
cloud app security requirement?

Select one:

A. Activity from suspicious IP addresses

B. Activity from anonymous IP addresses

C. Sign-in policy

D. Activity from unknown IP addresses

20. You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You plan to configure the detection policy to receive an alert when the user tries to log in
from an unknown location. Other users in the organization never used that location.
Which detection policy will you configure or use?

A. Activity from anonymous IP addresses

B. Activity from infrequent country

C. Malware detection

D. Impossible travel

10
Here goes the Quiz
21. Your organization have Microsoft Defender and Microsoft Cloud App Security.
You have sensitive data which contain users details such as card numbers, etc.
You plan to create a policy that can help to protect sensitive information.
You plan to use a data loss prevention (DLP) policy to protect.
What will you use to detect sensitive information/data, and in which document is it?
Select one:

A. Azure Information Protection

B. Hunting query in Microsoft Defender

C. Document Scanner

D. SharePoint search

22. Your organization has Microsoft Cloud App Security.

You have to investigate DLP alert in Cloud App Security. DLP is configured and created
cloud app security file policy.
You found an alert that contains suspicious activity due to that it requires an
immediate response.

Which type of violation is it?

A. Serious violations

B. Questionable violations

C. Authorized violations

D. File policy violation

11
Here goes the Quiz

23. Your organization has a Microsoft 365 subscription that uses Microsoft Defender
for Office 365.

Which type of policy is used?

A. Access Policy

B. Session Policy

C. Anomaly detection policy

D. File Policy

24. Your organization has Microsoft Defender for Endpoint. Which of the following is used to
identify the current state of a device and understand the tools and techniques used by the
attacker as part of the investigation and response process?
Select one:

A. action center

B. collecting the investigation package from the device

C. investigation manager

25. You have an Azure subscription that has Azure Defender.

You have configured alerts in Azure Defender for Key Vault.
You receive an alert from Key Vault, and in the investigation, you know that alert is
triggered due to multiple suspicious IP addresses.
You need to reduce the potential of Key Vault secrets being leaked while you
investigate the issue.

What will you do in the first place?

A. Create an application security group

B. Modify the access policy for the key vault

C. Enable the Key Vault firewall

D. Modify the access control settings for the key vault

12
Check out the answers below:
1 2
C D
3
B
4
C
5 6
A D

A
7 8
C
9 10
D C

D
11 12
C
13 14
A A

B
15 16
B

A
17 18
A
19
B
20
D

13
Check out the answers below:
21 22
A A
23 24
D B
25
C

Want to take up the certification exam after solving this edition?

Here’s your chance to get the exam voucher at a special discounted rate!
CloudThat is offering the exam voucher worth INR 4800 at an exclusive price of
INR 3500 only!

Disclaimer: These questions are NOT appearing in the certification exam. CloudThat
does not have any official tie-up with Microsoft regarding the certification or the kind
of questions asked. These are the best guesses for the kind of questions to expect with
Microsoft in general and with the examination.

14
 Additional resources to support your preparation:

Click here to enrol for SC-200 Course.  

 To read more about the security courses, Click here.  

Best
of luck!

15
About CloudThat
CloudThat is the first company in India to offer Cloud
Training & Consulting services for mid-market &
enterprise clients from across the globe. Founded by
Bhavesh Goswami, an ex-Amazonian with more than
10 years of experience in Cloud computing space,
CloudThat has been empowering tech professionals
with best-in-class training and consulting services.

Since, our inception in 2012, we have trained over

350K IT professionals from Fortune 500 companies
on technologies such as Microsoft Azure, Amazon
Web Services, Artificial Intelligence, Machine Learning,
Google Cloud, IoT, OpenStack, OpenShift, DevOps,
MongoDB, Big Data and more. We have global
presence with offices in Bengaluru, Mumbai, UK, and
the USA.

Over the years, CloudThat has proven its excellence

in the field and has recently been recognized as the
winner of Microsoft 2020 Global Partner of the Year
Finalist award. With expertise in major Cloud platforms,
CloudThat is a proud Microsoft Gold Partner, AWS
Advanced Consulting Partner, Google Cloud Platform
Partner, and Databricks Partner.

Build your career with CloudThat

We are Microsoft Gold Partner and the winner of Microsoft Learning Partner Year Finalist
award, 2020.

CloudThat CEO is the MCT Regional Lead for India.

Till date CloudThat has trained more than 350K+ professionals in VILT & ILT modes.

We are a dynamic team of Microsoft certified trainers and professionals.

We have attended to the training and consulting needs of more than 100 clients.

We offer 200+ cloud certifications in emerging technologies.

Our training modules are equipped with 50%-60% hands-on labs sessions.

16
 To get regular updated about our upcoming training sessions study guides/exam prep material, giveaways,
and other useful resources to help you upskill, you can follow us on our social media pages.

Want to know more about Cloud?

Read out to us at:
#610, 2nd Floor, 80 Feet Road,
6th Block Koramangala Bengaluru- 560095.
Tel: +91-888-000-2200
Email Id: [email protected]

17