Microsoft Security Operations Analyst Online Practice
Last updated: June 4, 2026
You can use these online practice questions to gauge how well you know the Microsoft SC-200 exam material before deciding whether to register for the exam.
To pass the exam on the first attempt and cut your preparation time, choose the SC-200 dumps (latest real exam questions), which currently include 51 exam questions and answers.
Answer:
Explanation:
To monitor Linux virtual machines in AWS with Azure Defender (now Microsoft Defender for Cloud), the VMs must be brought into Azure's management plane, and the supported way to do that is Azure Arc.
Azure Arc-enabled servers project non-Azure machines (AWS, GCP, on-premises) as Azure resources, so Defender for Cloud can apply its plans and policies to them and auto-provision the monitoring agent. When this question was written that agent was the Log Analytics agent (MMA); it was retired in August 2024, and current Defender for Servers deployments rely on the Defender for Endpoint sensor, the Azure Monitor Agent (AMA) and agentless scanning instead. Defender for Cloud also now has a native AWS connector (Environment settings > Add environment); for EC2 instances that connector still installs the Azure Arc agent under the hood, so the Arc-based answer remains correct.
Microsoft documentation states:
“To monitor machines outside Azure (on-premises or in other clouds like AWS or GCP), onboard them to Azure using Azure Arc. Azure Defender will then auto-provision the required agent and begin monitoring.”
Thus, enabling Azure Arc and onboarding the AWS VMs meets the goal.
✅ Correct answer: A. Yes
Answer:
Explanation:
To create a custom alert suppression rule in Microsoft Defender for Cloud (formerly Azure Security Center) from the portal (Security alerts > Suppression rules), you choose the alert type from a drop-down list of alert types that have already been raised in the selected subscriptions, so you cannot select an alert type that has never fired. (The alertsSuppressionRules REST API accepts any alertType string, but the exam answer reflects the portal workflow.)
According to Microsoft’s Defender for Cloud documentation:
“You can create suppression rules for alerts that you’ve already received. To create the rule, locate the specific alert in Security alerts, open it, and then choose ‘Create suppression rule’ from the alert page.”
Therefore, before you can create a suppression rule for suspicious use of PowerShell on VM1, you must first trigger that alert by performing (or simulating) the action that causes it ― in this case, generating a PowerShell activity alert on VM1.
The other options are incorrect:
(A) Workflow automation is used to respond automatically to alerts, not suppress them.
(B) Get-MpThreatCatalog lists the known threats in the Microsoft Defender Antivirus definitions catalog on the local machine; it returns no alert data from Defender for Cloud.
(D) Exporting alerts to Log Analytics is for analysis, not suppression configuration.
✅ Correct answer: C. On VM1, trigger a PowerShell alert

Answer:
Explanation:
In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation allows you to automatically respond to security alerts and recommendations by triggering remediation actions.
When you create an Azure Policy to enforce automatic remediation based on Defender alerts or recommendations, the effect determines what the policy does when a resource is found noncompliant:
DeployIfNotExists is the correct effect to use for automatic remediation. This effect automatically deploys a remediation task (such as a Logic App or other automation) when a matching noncompliant resource is detected. It’s commonly used in Defender for Cloud to deploy missing security configurations or initiate an automated remediation workflow.
Append only adds metadata or parameters to resources―it does not enforce or deploy remediation actions.
EnforceRegoPolicy is used for container compliance with Gatekeeper policies (Kubernetes), not for Defender workflows.
For the automation mechanism:
An Azure Logic Apps app with the trigger “When an Azure Security Center alert is created or triggered” is the correct choice. This Logic App acts as the workflow automation engine that runs whenever a new alert is raised. It can perform actions such as isolating VMs, disabling users, or notifying SOC teams.
Using a trigger for “When a response to an Azure Security Center alert is triggered” would only activate after a manual response, not automatically.
Automation runbooks with webhooks can be used for custom automation, but Defender workflow automation integrates natively with Logic Apps and not directly with runbooks.
✅ Final Answer. Set available effects to: DeployIfNotExists
To perform remediation use: An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered
Answer:
Explanation:
According to Microsoft Entra (formerly Azure Active Directory) and Microsoft Security Operations documentation, when integrating Azure AD sign-in logs and audit logs with third-party SIEM systems, the supported and recommended method is to stream the logs to Azure Event Hubs through Diagnostic Settings.
Event Hubs act as a real-time data ingestion service that can integrate directly with external SIEM tools such as Splunk, QRadar, ArcSight, or Sumo Logic. This allows for near real-time alerting and analysis of Azure AD sign-in events.
Official Microsoft guidance states:
“To integrate Azure AD logs with third-party SIEMs, configure Azure AD Diagnostic Settings to send sign-in and audit logs to Azure Event Hubs. Event Hubs can then stream the data to your SIEM for near real-time monitoring.”
Other options do not meet the scenario’s requirement:
(A) and (C) involve Azure Sentinel (now Microsoft Sentinel), Microsoft's native SIEM solution. Since the question specifies a third-party SIEM, Sentinel is not required and would add an unnecessary hop.
(D) Archiving to a Storage account provides long-term retention and offline analysis but does not support near real-time alerting.
Therefore, the correct approach to route Azure AD sign-in events for near real-time monitoring in a third-party SIEM is to configure Azure AD Diagnostic Settings to stream logs to an Azure Event Hub.
✅ Correct Answer. B. Configure the Diagnostics settings in Azure AD to stream to an event hub
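The configuration described above, as an added example that is not part of the original page or of any Microsoft sample: it creates the tenant-level diagnostic setting with Invoke-AzRestMethod (Az.Accounts) and sends sign-in and audit logs to an Event Hub. It assumes Connect-AzAccount has been run with a Security Administrator or Global Administrator account, that the Event Hub namespace, hub and authorization rule already exist, and that the tenant-scoped `microsoft.aadiam/diagnosticSettings` endpoint still accepts api-version 2017-04-01-preview (the version in use at the time of writing; confirm against the current reference). All names and IDs are placeholders.

```powershell
# Added example: stream Microsoft Entra ID sign-in and audit logs to an Event Hub.
# Assumes Connect-AzAccount has run and the Event Hub resources below exist (placeholders).
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-siem"                                # placeholder
$namespace      = "evh-siem-ns"                             # placeholder
$hubName        = "entra-logs"                              # placeholder

# An authorization rule with Send rights on the namespace (or on the hub itself).
$authRuleId = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.EventHub/namespaces/$namespace/authorizationRules/RootManageSharedAccessKey"

# Entra ID diagnostic settings are tenant-scoped (provider microsoft.aadiam), not a
# subscription resource. api-version is an assumption; check the current reference.
$body = @{
    properties = @{
        eventHubAuthorizationRuleId = $authRuleId
        eventHubName                = $hubName
        logs = @(
            @{ category = "SignInLogs";                   enabled = $true }
            @{ category = "AuditLogs";                    enabled = $true }
            @{ category = "NonInteractiveUserSignInLogs"; enabled = $true }
            @{ category = "RiskyUsers";                   enabled = $false }
        )
    }
} | ConvertTo-Json -Depth 6

$resp = Invoke-AzRestMethod -Method PUT `
    -Path "/providers/microsoft.aadiam/diagnosticSettings/siem-eventhub?api-version=2017-04-01-preview" `
    -Payload $body

if ($resp.StatusCode -notin 200, 201) {
    throw "Diagnostic setting not created: HTTP $($resp.StatusCode) $($resp.Content)"
}

# Read back what was actually configured: the SIEM team needs the hub name and the
# enabled categories to build their Event Hub input.
$setting = $resp.Content | ConvertFrom-Json
"Hub: $($setting.properties.eventHubName)"
$setting.properties.logs | Where-Object enabled | Select-Object category
```

The SIEM side then reads from the hub with its own Event Hub input (Splunk's Microsoft Cloud Services add-on, QRadar's Microsoft Azure Event Hubs protocol, and so on); no Azure-side polling or storage archive is involved, which is what keeps the latency in the near-real-time range the question asks for.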
Answer:
Explanation:
According to official Microsoft Defender for Endpoint documentation, Attack Surface Reduction (ASR) rules are specifically designed to block behaviors commonly used by malware and ransomware, such as malicious macro execution, script downloads from untrusted sources, and the abuse of Office applications to launch harmful executables or exploits.
In this scenario:
Excel macros that download scripts from untrusted websites are mitigated by the rules "Block all Office applications from creating child processes" and "Block Office applications from creating executable content"; the "Block JavaScript or VBScript from launching downloaded executable content" rule catches the second stage if the downloaded script tries to run a payload.
Users opening executable attachments in Outlook are covered by:
"Block executable content from email client and webmail."
Outlook rules and forms exploits are addressed by:
"Block Office communication application from creating child processes," which Microsoft documents as protecting against Outlook rules and forms exploits. "Block Office applications from injecting code into other processes" covers the related case of an Office process injecting into another process.
Microsoft's Defender for Endpoint security baseline and documentation highlight that these rules "reduce the attack surface by minimizing the number of entry points an attacker can use to exploit a system." Administrators can configure them through Microsoft Intune, Group Policy, or PowerShell (Add-MpPreference / Set-MpPreference), and review what each rule has blocked or audited in the Microsoft Defender portal under Reports > Attack surface reduction rules. Rolling a rule out in audit mode first shows what it would block without interrupting users.
Other options like Defender Antivirus (A) focus on detecting known malware after execution rather than blocking risky behaviors preemptively. Windows Defender Firewall (C) controls network traffic, not application-level threats. Adaptive application control in Azure Defender (D) is used for whitelisting applications on Azure VMs, not on Microsoft 365 endpoints.
✅ Therefore, the correct answer is: B. Attack surface reduction rules in Microsoft Defender for Endpoint
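The rules named above, as an added example that is not part of the original page or of any Microsoft sample: a PowerShell script that enables them through the Defender module, first in audit mode and later in block mode. The rule GUIDs are the values Microsoft publishes in the ASR rules reference; the exclusion path and the device it runs on are assumptions. It must run in an elevated session on a device with Microsoft Defender Antivirus active, and a production rollout would normally go through Intune or Group Policy rather than a per-device script.

```powershell
# Added example: enable the ASR rules discussed above via the Defender PowerShell module.
# Run elevated on a test device. GUIDs are from Microsoft's ASR rules reference.
$asrRules = @{
    "BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550" = "Block executable content from email client and webmail"
    "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" = "Block all Office applications from creating child processes"
    "3B576869-A4EC-4529-8536-B80A7769E899" = "Block Office applications from creating executable content"
    "75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84" = "Block Office applications from injecting code into other processes"
    "26190899-1602-49E8-8B27-EB1D0A1CE869" = "Block Office communication application from creating child processes"
    "D3E037E1-3EB8-44C8-A917-57927947596D" = "Block JavaScript or VBScript from launching downloaded executable content"
}

# Stage 1: AuditMode only logs what would have been blocked (Event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log). Stage 2: switch to Enabled (block,
# Event ID 1121) once the audit events show no legitimate business workflow being hit.
$mode = "AuditMode"   # change to "Enabled" after reviewing audit events

foreach ($id in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions $mode
    Write-Host ("{0,-9} {1}  {2}" -f $mode, $id, $asrRules[$id])
}

# Exclude a known-good line-of-business folder from all ASR rules.
# Assumption: this path exists and has been reviewed; keep exclusions as narrow as possible.
Add-MpPreference -AttackSurfaceReductionOnlyExclusions "C:\Program Files\Contoso\LOB\"

# Verify: Ids and Actions are parallel arrays. Action codes: 0=Disabled, 1=Block, 2=Audit, 6=Warn.
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    "{0}  action={1}" -f $pref.AttackSurfaceReductionRules_Ids[$i], $pref.AttackSurfaceReductionRules_Actions[$i]
}
```

Reading the audit events (Event ID 1122) for a week before flipping `$mode` to `Enabled` is the check that separates a safe rollout from a help-desk flood: macros in finance spreadsheets and add-ins that spawn helper processes are the usual false positives, and each one should become a narrow exclusion rather than a disabled rule.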
Answer:
Explanation:
To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
Answer:
Explanation:
To use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity, you should perform the following two actions:
Create an Azure AD Identity Protection connector. This will allow you to monitor suspicious activities in your Azure AD tenant and detect malicious sign-ins.
Create a custom rule based on the Office 365 connector templates. This will allow you to monitor and detect anomalous activities in the Microsoft 365 subscription.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/fusion-rules
Answer:
Explanation:
Use livestream to run a specific query constantly, presenting results as they come in.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/hunting
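The two answers above (Fusion correlating a suspicious sign-in with later Office 365 activity, and livestream running one hunting query continuously) share a single underlying pattern. As an added example that is not part of the original page, and not Microsoft's Fusion logic, the following PowerShell runs a KQL hunting query over the same two tables through the Log Analytics query API; the same query can be pasted into a Sentinel livestream session. It assumes Connect-AzAccount has run, the Az.OperationalInsights module is installed, and the Microsoft Entra ID and Office 365 connectors are populating SigninLogs and OfficeActivity. The workspace ID and the chosen Office operations are assumptions.

```powershell
# Added example: ad-hoc hunting query for "risky sign-in followed within an hour by
# suspicious Office 365 activity by the same user". Workspace ID is a placeholder.
$workspaceId = "00000000-0000-0000-0000-000000000000"

$kql = @'
let lookahead = 1h;
let riskySignins =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"                                   // successful sign-ins only
    | where RiskLevelDuringSignIn in ("medium", "high")
    | project SigninTime = TimeGenerated, User = tolower(UserPrincipalName), IPAddress, RiskLevelDuringSignIn;
let suspiciousOffice =
    OfficeActivity
    | where TimeGenerated > ago(1d)
    // inbox-rule creation and bulk download are classic post-compromise moves (assumed list)
    | where Operation in ("New-InboxRule", "Set-InboxRule", "Set-Mailbox", "FileDownloaded", "FileSyncDownloadedFull")
    | project ActivityTime = TimeGenerated, User = tolower(UserId), OfficeWorkload, Operation, ClientIP;
riskySignins
| join kind=inner suspiciousOffice on User
| where ActivityTime between (SigninTime .. (SigninTime + lookahead))
| summarize Operations = make_set(Operation), FirstActivity = min(ActivityTime), Count = count()
    by User, SigninTime, IPAddress, RiskLevelDuringSignIn
| order by SigninTime desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)
$result.Results | Format-Table User, SigninTime, IPAddress, RiskLevelDuringSignIn, Count, Operations -AutoSize
```

Fusion does this correlation across many more signal pairs with machine-learned thresholds and without a hand-written join; the value of the explicit query is in hunting, where you want to tune the lookahead window and the operation list yourself and watch new matches arrive in livestream.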
Answer:
Explanation:
Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Reference: https://docs.microsoft.com/en-us/azure/sentinel/roles

Answer:
Explanation:
In Azure Security Center (now Microsoft Defender for Cloud), different roles have different levels of permission. To meet the principle of least privilege, you must assign only the minimal role required for each action.
Enable and disable Azure Defender
Enabling or disabling Microsoft Defender plans (formerly Azure Defender) changes billing and protection settings at the subscription level.
According to Microsoft documentation:
“Only users with the Subscription Owner or Security Admin roles at the subscription level can enable or disable Microsoft Defender plans.”
Because this change affects billing and overall subscription configuration, the Subscription Owner role is the appropriate one ― it has full control at the subscription scope.
Apply security recommendations to a resource
Applying recommendations (such as enabling disk encryption or updating system patches) involves managing configuration settings on specific resources.
The Resource Group Owner role provides full management access to all resources within that resource group, which includes the ability to implement or remediate recommendations.
Microsoft Defender for Cloud guidance states:
“To apply recommendations or perform remediation tasks on specific resources, the user must have write permissions on those resources ― typically provided by the Resource Group Owner or Contributor role.”
✅ Final Correct Mapping:
Enable and disable Azure Defender → Subscription Owner
Apply security recommendations to a resource → Resource Group Owner

Answer:
Explanation:
Reference: https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts-are-now/ba-p/1404920
Answer:
Explanation:
In Azure Security Center (now known as Microsoft Defender for Cloud), email notifications for security alerts are controlled by the Email notifications settings under Environment settings → Email notifications. These settings allow administrators to specify who receives notifications (named addresses and/or subscription RBAC roles) and the minimum severity (High, Medium, Low) that triggers an email.
By default, Security Center sends email notifications only for High severity alerts. This explains why the administrator receives alerts for “potential malware uploaded” or “brute-force attacks” (both high severity) but not for “antimalware action failed” or “suspicious network activity” (which are usually medium or low severity).
To ensure all alert types trigger an email, you must change the severity level of email notifications to include Medium and Low.
Microsoft documentation states:
“Security Center can send email notifications about new security alerts. You can define the recipients and choose to receive notifications for High, Medium, and Low severity alerts. By default, only High severity alerts trigger notifications.”
The other options are incorrect:
(B) Cloud connector is used for connecting AWS or GCP environments, unrelated to email alert settings.
(C) Azure Defender plans control which resources are protected, not notification delivery.
(D) Integration settings for Threat detection manage data sources and integrations, not email alerts.
✅ Therefore, the correct answer is A. the severity level of email notifications.
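The fix described above, as an added example that is not part of the original page or of any Microsoft sample: it sets the subscription's Defender for Cloud security contact so that Low, Medium and High alerts all produce email, using the Microsoft.Security/securityContacts REST resource through Invoke-AzRestMethod. It assumes Connect-AzAccount has run with Owner or Security Admin rights on the subscription; the subscription ID and recipient addresses are placeholders.

```powershell
# Added example: raise Defender for Cloud email notifications to cover all severities.
# Assumes Connect-AzAccount has run; IDs and addresses are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"

$body = @{
    properties = @{
        emails = "soc@contoso.com;oncall@contoso.com"   # placeholder recipients, ';'-separated
        alertNotifications = @{
            state           = "On"
            minimalSeverity = "Low"     # default is "High", which is why Medium/Low alerts never mailed
        }
        notificationsByRole = @{
            state = "On"
            roles = @("Owner")          # also mail whoever holds Owner on the subscription via RBAC
        }
    }
} | ConvertTo-Json -Depth 5

# The security contact is a singleton named "default" at subscription scope.
$path = "/subscriptions/$subscriptionId/providers/Microsoft.Security/securityContacts/default?api-version=2020-01-01-preview"

$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Security contact update failed: HTTP $($resp.StatusCode) $($resp.Content)"
}

# Read it back: the threshold is what matters, so confirm it rather than trusting the PUT.
$current = (Invoke-AzRestMethod -Method GET -Path $path).Content | ConvertFrom-Json
"minimalSeverity now: $($current.properties.alertNotifications.minimalSeverity)"
"recipients: $($current.properties.emails); roles: $($current.properties.notificationsByRole.roles -join ',')"
```

Lowering the threshold to Low on a busy subscription can produce a lot of mail; if that is a concern, keeping minimalSeverity at Medium and routing Low-severity alerts to a SIEM or Logic App through continuous export is the usual compromise.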
Answer:
Explanation:
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.
Data is collected using:
The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged-in user. (The Log Analytics agent was retired in August 2024; current Defender for Cloud deployments collect this data through the Azure Monitor Agent, the Defender for Endpoint sensor and agentless scanning, but the exam item predates that change.)
Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Security Center regarding specialized resource types.
Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

Answer:
Explanation:
When configuring suppression rules in Microsoft Defender for Cloud (previously Azure Security Center), you define the specific entity type and field values to suppress recurring or expected alerts. In this scenario, you want to hide Azure Defender alerts for a specific Azure Storage account that is being accessed during application development.
In Defender for Cloud, each protected asset (such as a virtual machine, SQL database, or storage account) is represented as an Azure Resource. Therefore, to suppress alerts for that storage account, you must target the Azure Resource entity type.
The unique identifier used to target an exact Azure resource in suppression conditions is its Resource Id, which for a storage account has the form:
/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}
(generically, /subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}).
By specifying Entity type = Azure Resource and Field = Resource Id, the suppression rule ensures that only alerts generated from that specific storage account are hidden.
Other entity types such as IP address, Host, or User account do not apply to Azure Storage alerts.
Likewise, fields like Address, Command line, or Name are not used for resource-based suppression.
✅ Final Answer. Entity type: Azure Resource
Field: Resource Id
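The suppression rule described above (and the earlier answer about creating a suppression rule for VM1), as an added example that is not part of the original page or of any Microsoft sample: it lists the subscription's existing suppression rules and then creates one scoped to a single storage account through the Microsoft.Security/alertsSuppressionRules REST API, via Invoke-AzRestMethod. It assumes Connect-AzAccount has run with Security Admin rights. The alertType value and the entity field path used in the scope are assumptions to be confirmed against a real alert or an existing portal-created rule (which is what the GET at the top is for); resource names and IDs are placeholders.

```powershell
# Added example: create a Defender for Cloud suppression rule scoped to one storage account.
# Assumes Connect-AzAccount has run; names/IDs are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"
$storageId      = "/subscriptions/$subscriptionId/resourceGroups/rg-dev/providers/Microsoft.Storage/storageAccounts/stdevapp01"
$apiVersion     = "2019-01-01-preview"
$rulesPath      = "/subscriptions/$subscriptionId/providers/Microsoft.Security/alertsSuppressionRules"

# Step 1: inspect existing rules (e.g. one created in the portal) to copy the exact
# alertType string and entity field path the service uses instead of guessing them.
$list = Invoke-AzRestMethod -Method GET -Path "$rulesPath?api-version=$apiVersion"
($list.Content | ConvertFrom-Json).value | ForEach-Object {
    "{0}  alertType={1}  scope={2}" -f $_.name, $_.properties.alertType,
        ($_.properties.suppressionAlertsScope | ConvertTo-Json -Compress -Depth 5)
}

# Step 2: create the rule. Only alerts whose Azure Resource entity is this storage account
# are hidden; every other resource keeps alerting. expirationDateUtc stops the rule from
# becoming a permanent blind spot once development is over.
$body = @{
    properties = @{
        alertType         = "Storage.Blob_GeoAnomaly"          # assumption: illustrative alert type
        state             = "Enabled"
        reason            = "Other"
        comment           = "Dev team accesses stdevapp01 from many locations during builds; reviewed by SOC"
        expirationDateUtc = (Get-Date).ToUniversalTime().AddDays(30).ToString("o")
        suppressionAlertsScope = @{
            allOf = @(
                # assumption: field path for Entity type = Azure Resource, Field = Resource Id
                @{ field = "entities.azureresource.resourceid"; in = @($storageId) }
            )
        }
    }
} | ConvertTo-Json -Depth 6

$resp = Invoke-AzRestMethod -Method PUT `
    -Path "$rulesPath/dev-storage-geo-anomaly?api-version=$apiVersion" `
    -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Suppression rule not created: HTTP $($resp.StatusCode) $($resp.Content)"
}
($resp.Content | ConvertFrom-Json).properties | Select-Object alertType, state, expirationDateUtc
```

Two practitioner notes: a suppression rule hides alerts from the portal and from continuous export, so anything downstream (Sentinel, a SIEM) also stops seeing them; and the REST API will happily accept an alertType that never fired in your subscription, which is why the portal limits the drop-down to alert types already seen, as the earlier answer explains.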
Answer:
Explanation:
In Microsoft Defender for Identity, marking accounts as Sensitive instructs the system to monitor those accounts more closely for suspicious activity or lateral movement attempts.
The question describes the goal as configuring several accounts that attackers might exploit.
Microsoft Defender for Identity documentation explicitly says:
“Accounts designated as Sensitive are prioritized for monitoring and detection to identify potential compromise attempts.”
Thus, adding the accounts as Sensitive accounts achieves the goal.
✅ Correct Answer. A. Yes