Crucial Exams

Microsoft Security Operations Analyst Associate SC-200 Practice Question

You need to examine Windows SecurityEvent records that are 150 days old in a Log Analytics workspace that is connected to Microsoft Sentinel. The workspace retains data in the interactive tier for 30 days; anything older is automatically placed in the archive tier. You must obtain a count of specific event IDs from those 150-day-old records without first restoring the data and while minimizing cost. What should you do?

  • Increase the workspace interactive retention to 180 days and rerun the KQL query in Log Analytics.

  • Start a Log Analytics search job scoped to the 150-day time range and query the automatically created *_SRCH results table for the event ID counts.

  • Restore the SecurityEvent table for the 150-day period and then run a standard KQL query against the restored data.

  • Configure Continuous Export to an Azure Storage account and analyze the exported logs by using Azure Data Explorer.

Microsoft Security Operations Analyst Associate SC-200
Manage security threats
Your Score:
Settings & Objectives
Random Mixed
Questions are selected randomly from all chosen topics, with a preference for those you haven’t seen before. You may see several questions from the same objective or domain in a row.
Rotate by Objective
Questions cycle through each objective or domain in turn, helping you avoid long streaks of questions from the same area. You may see some repeat questions, but the distribution will be more balanced across topics.

Check or uncheck an objective to set which questions you will receive.

Wipe Score
Bash, the Crucial Exams Chat Bot
AI Bot