Microsoft Security Operations Analyst Associate SC-200 Practice Question

A security analyst is reviewing a high-severity alert in the Microsoft 365 Defender portal that was generated by a Microsoft Purview insider risk policy for potential data exfiltration. The analyst must determine exactly which files the user copied to a personal cloud storage location and preserve the evidence for possible legal review without alerting the user. Which action should the analyst perform first?

  • Create an eDiscovery (Premium) hold from the alert to add the content to a new case.

  • Run an immediate Microsoft Purview content search scoped to the user's OneDrive and download the results.

  • Publish a Microsoft Purview retention policy that retains all OneDrive files for the user for seven years.

  • Disable the user's account in Microsoft Entra ID and reset the password.

Microsoft Security Operations Analyst Associate SC-200: Manage incident response