Microsoft Security Operations Analyst Associate SC-200 Practice Question

Your Microsoft Sentinel workspace keeps log data for 30 days and then moves it to the archive tier for up to seven years. An incident that occurred 14 months ago now requires an interactive Kusto Query Language (KQL) hunt that will join the historic SecurityEvent table with currently active sign-in data. Before you can run this hunting query in Microsoft Sentinel, which action should you perform on the archived SecurityEvent data?

  • Increase the workspace retention setting to 730 days so that the archived data is automatically moved back into the hot cache for querying.

  • Configure a data export rule to move the archived SecurityEvent data to Azure Storage and connect the storage account as a new data source.

  • Create a search job over the archive tier and wait for it to complete, then run the hunting query against the search job results.

  • Initiate a log restore operation for the SecurityEvent table to copy the required 14-month-old data into a temporary restored table.

Manage security threats