Microsoft Security Operations Analyst Associate SC-200 Practice Question

While triaging a malware alert in Microsoft Defender for Endpoint, you open the device timeline for the affected Windows 11 workstation. You must quickly locate every event where a registry value was changed on the device during the last two weeks so you can determine whether the malware modified Run-key startup entries. Which action should you take in the device timeline pane to accomplish this task with the least amount of effort?

  • Scroll through the timeline manually and mark every registry event with the Add to evidence command.

  • Export the timeline to CSV and search the file for registry events by using a spreadsheet filter.

  • Start a Live Response session and run a registry command to enumerate Run-key entries.

  • Apply an Advanced filter that specifies Action type equals Registry value set and limits the date range to the last 14 days.

Microsoft Security Operations Analyst Associate SC-200
Manage incident response