Crucial Exams

Microsoft Security Operations Analyst Associate SC-200 Practice Question

You are building a custom hunting query in Microsoft Defender XDR. Your team maintains a daily list of approximately 200 malicious SHA-256 hashes that should be matched against DeviceFileEvents. You want the query to remain portable, easy to read, and return only the events that match those hashes, showing the DeviceName and Timestamp columns. Which approach should you use?

  • Place the hashes in a dynamic array, mv-expand it inside a let statement, and cross-apply it to DeviceFileEvents.

  • Store the hashes in a scalar variable and filter DeviceFileEvents with where SHA256 in (hashList).

  • Create an inline datatable that lists the hashes and perform an innerunique join with DeviceFileEvents on the SHA256 column.

  • Use the externaldata operator to load the hash list from Azure Storage and apply a leftouter join to DeviceFileEvents.

Microsoft Security Operations Analyst Associate SC-200
Manage security threats
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot