Crucial Exams

Microsoft Security Operations Analyst Associate SC-200 Practice Question

You need to examine Windows security events that might be related to a breach that began 45 days ago. The data from that period has already been archived in a Log Analytics workspace connected to Microsoft Sentinel. What is the most appropriate way to interrogate the archived data while minimizing the impact on interactive query performance in the workspace?

  • Use the Azure Monitor REST API to export the archived tables to Azure Storage and analyze them with an external SIEM.

  • Submit a Microsoft Sentinel search job that runs a Kusto Query Language (KQL) statement over the 45-day timeframe and review the results when the job completes.

  • Run the same KQL statement interactively in the Logs blade after temporarily raising the workspace retention to 60 days.

  • Create a new Microsoft Sentinel workbook that visualizes the query against the archive by enabling cross-workspace queries.

Microsoft Security Operations Analyst Associate SC-200
Manage security threats
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot