Pass the Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with ExamsMirror

 Log Analytics workspace to use: LA1

 Windows security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace, you should select the existing workspace LA1. Defender for Cloud best practices recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the level of Windows Security Events collected: Minimal, Common, or All Events. The business requirement calls for logs that provide a full audit trail of user activities. In Microsoft guidance, All Events is the level intended for comprehensive auditing (including logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose All Events.

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user. In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping. When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account, IP, or Host. Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Account entity (and any other relevant entities) in Set rule logic, then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

According to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook, the correct configuration is to create a Scheduled rule and ensure the playbook includes a trigger.

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incidents or alerts. To connect a playbook to an analytics rule, it must include a trigger—specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other options are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, based on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns, and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modify the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activity from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel.

In Microsoft Sentinel, entity mapping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph, incidents, and hunting experiences. The Sentinel requirements in the case study specify:

“Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, hostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentinel documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.

The Risky users report in Microsoft Entra ID Protection provides visibility into users whose identities might have been compromised. It shows risk levels, risk states, and when risk detections occurred — allowing you to investigate activity for the last 90 days.

The Risk detections report lists individual risk events but not overall user risk status, while risky sign-ins report only sign-in attempts, not the cumulative user risk.

Thus, to determine whether User1’s identity was compromised during the last 90 days, use the risky users report.

To have your query1 run every hour in a Microsoft Sentinel environment, you should configure it as an analytics rule—specifically a scheduled query (custom detection) rule. Microsoft’s official documentation for Sentinel describes “scheduled analytics rules” as queries that you configure to run on a recurring schedule, with a defined lookback period, and trigger alerts if the query results meet the rule criteria. Those scheduled rules are the mechanism by which KQL queries are periodically executed automatically.

When you create an analytics rule in Sentinel, you supply the query (i.e. query1) and you specify the recurrence (for example, every hour). Once configured as such, Sentinel takes care of executing it on schedule with minimal ongoing administrative intervention. This aligns exactly with “minimize administrative effort.”

Among the answer choices:

An automation rule is used to act upon alerts (for example, route, suppress, or apply playbooks) but does not itself schedule periodic queries.

Automated Investigation and Response (AIR) is part of Defender for Endpoint’s automated remediation workflow and is used for responding to alerts on endpoints—not for scheduling general KQL hunting queries.

A watchlist is a static data reference (list of values) you can use within queries or rules but does not itself execute queries on a schedule.

A custom detection (analytics) rule is exactly what you would use to wrap query1 into a scheduled operation.

Thus, converting query1 into a custom detection rule (i.e. a scheduled analytics rule) is the correct choice.

From Microsoft SecOps and Sentinel rule documentation: scheduled rules are based on Kusto queries configured to run at regular intervals over a lookback period, and if results cross a threshold, an alert is triggered. The rule’s scheduling frequency (such as hourly) is part of rule configuration. This model ensures your query1 gets executed every hour automatically with minimal manual work.

When you create a Near-Real-Time (NRT) analytics rule in Microsoft Sentinel, the rule runs every minute and triggers almost immediately when matching events are ingested. These NRT rules are designed for time-sensitive detections, such as when you need to respond quickly to activity from connectors like Azure Activity.

However, NRT rules do not generate incidents directly. Instead, they produce alerts, which can then trigger playbooks or automations via the Alert automation settings section.

A. Incident automation settings:This applies to standard scheduled analytics rules that create incidents, not NRT rules. Since NRT rules generate alerts (not incidents), this option would not apply.

B. Entity mapping:This is used to map data fields (like Account, Host, IP) for better investigation, but it does not control playbook execution.

C. The query rule:The query defines what data triggers the rule, not the automation or playbook execution. The playbook is attached separately.

D. Alert automation settings: ✅According to Microsoft documentation, “To automatically run a playbook when an alert is created by a near-real-time rule, configure the playbook in the Alert automation settings section.”This allows the playbook to run immediately when the alert is generated, achieving near-real-time response with minimal latency.

To identify which anomaly rules are enabled in a Microsoft Sentinel workspace (here, SW1), you look at the Sentinel analytics configuration in the portal. In Microsoft’s documentation “Work with anomaly detection analytics rules in Microsoft Sentinel,” it explains:

“You can now find anomaly rules displayed in a grid in the Anomalies tab in the Analytics page. … On the Analytics page, select the Anomalies tab. … Status – whether the rule is enabled or disabled.” Microsoft Learn

Thus, anomaly detection rules are a subtype of analytics rules in Sentinel, and they are surfaced under the Analytics area (in the Anomalies tab). That is where you can review which anomaly detection rules are active (enabled) or not.

By contrast:

Settings is used for workspace-wide configurations (e.g. enabling UEBA, toggling anomalies on/off).

Entity behavior is a separate feature (UEBA) for monitoring entities and their behavioral baselines, not the repository of which anomaly rules are enabled.

Content hub is the repository of shared analytics templates and solutions you can import; it does not list which rules are enabled in your workspace.

Therefore, the correct place to review enabled anomaly detection rules is C. Analytics (specifically under the Anomalies tab).

In Microsoft Sentinel (part of Microsoft Defender XDR), data connectors are used to integrate log sources for security analytics and monitoring.

For Microsoft Teams, the correct and most efficient connector is Office 365. Microsoft Teams logs—including user activities, chat events, and team management actions—are part of the Office 365 audit logs. Microsoft Sentinel provides a built-in Office 365 connector that ingests auditing data from Exchange Online, SharePoint Online, and Microsoft Teams directly from the Microsoft 365 security and compliance center. This connector requires only minimal configuration (enabling audit logging and connecting the tenant), satisfying the requirement to minimize administrative effort.

For Linux virtual machines hosted in Azure, the appropriate connector is Syslog. Linux systems send their security and operational events via Syslog, and Microsoft Sentinel supports this natively through the Syslog data connector. The Syslog agent (Log Analytics agent or AMA) collects logs and sends them to the Sentinel workspace. This connector is purpose-built for Linux VMs and ensures that authentication, authorization, and system logs are captured for correlation and threat detection.

Therefore:

Microsoft Teams → Office 365 (because Teams audit data flows via Office 365 logs)

Linux virtual machines in Azure → Syslog (because Linux uses Syslog for event forwarding)

This configuration follows Microsoft’s documented best practices for Sentinel data ingestion with minimal setup and maximum native integration.

In Microsoft Sentinel workbooks, when displaying query results in a grid visualization, you can limit the number of displayed rows by using KQL query operators. The take operator in Kusto Query Language (KQL) is specifically designed to restrict output to a fixed number of records.

Microsoft Sentinel workbook guidance states:

“To control the number of results returned in a workbook grid, use the KQL take operator. For example, adding | take 100 ensures that only 100 rows are returned and displayed.”

This approach enforces both performance efficiency and readability, ensuring large result sets don’t overload the visualization.

Other options are incorrect:

Settings and Advanced Editor adjust workbook configuration, not query limits.

Project only selects specific columns, not row count.

✅ Correct answer: D. In the grid query, include the take operator