Pass the Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with ExamsMirror

In Microsoft Sentinel, Microsoft incident creation rules are used to automatically create incidents from alerts generated by connected Microsoft security products (like Microsoft Defender XDR, Defender for Endpoint, or Defender for Cloud Apps). However, these rules do not detect malicious IP activity on their own. They simply define how and when alerts from Microsoft security connectors should be grouped or converted into incidents.

To meet the goal — “create an incident when a sign-in to an Azure virtual machine from a malicious IP address is detected” — you must use an analytics rule (scheduled query) or a Fusion rule that actively correlates sign-in logs with threat intelligence data (malicious IPs). Analytics rules in Sentinel run KQL queries that can match sign-in activity (from Azure Activity or SigninLogs) with known malicious IP lists, and they can automatically generate incidents when matches occur.

Therefore, creating a Microsoft incident creation rule for a data connector does not meet the requirement, since it cannot detect or correlate malicious sign-in activity itself.

Hence, the correct answer is B. No.

Microsoft Sentinel can automatically disable scheduled analytics rules and mark them “AUTO DISABLED” when their executions repeatedly fail. A common cause is query performance issues, such as long-running queries that exceed execution time limits or hit throttling, especially with large lookback windows or inefficient joins. When a rule’s query persistently times out, Sentinel halts it to protect service health and prevent unnecessary load. Other options listed don’t align as primary triggers in Sentinel’s auto-disable behavior: exceeding 10,000 alerts in two minutes is not the documented threshold used to auto-disable rules; generic “connectivity issues” are not specific to a single rule; permissions changes can cause failures but the well-known, tested cause that leads to the AUTO DISABLED prefix in practice is repeated timeout/failure of the query itself.

In Microsoft Sentinel, to receive near real-time alerts when specific activities occur—such as Azure Storage account key enumeration—you combine two Sentinel capabilities: Livestream and Analytics rules.

Livestream provides real-time monitoring of events based on KQL queries. According to Microsoft Sentinel documentation, Livestream “lets you run queries continuously and get notified immediately when results match specific conditions.” This allows SOC analysts to detect ongoing attacks (such as credential enumeration) as they happen.

Analytics rules provide ongoing automated monitoring and alerting. A scheduled analytics rule runs periodically (for example, every 5 minutes) and generates an alert when a defined condition is met. The “Storage account keys enumerated” event comes from Microsoft Defender for Cloud (or Azure Activity) logs, so you can define a KQL-based rule to detect these activities.

Therefore:

B (Analytics rule): to automatically generate alerts when the condition is met.

C (Livestream): to receive those alerts or detections in near real-time as they occur.

Together, these meet the requirement for near real-time detection and alerting with minimal manual monitoring.

To identify which blobs were deleted, you should review the activity logs of the storage account. The activity logs contain information about all the operations that have taken place in the storage account, including delete operations. These logs can be accessed in the Azure portal by navigating to the storage account, selecting "Activity log" under the "Monitoring" section, and filtering by the appropriate time range. You can also use Azure Monitor and Log Analytics to query and analyze the activity logs data.

In Microsoft Defender for Identity, marking accounts as Sensitive instructs the system to monitor those accounts more closely for suspicious activity or lateral movement attempts.

The question describes the goal as configuring several accounts that attackers might exploit. Microsoft Defender for Identity documentation explicitly says:

“Accounts designated as Sensitive are prioritized for monitoring and detection to identify potential compromise attempts.”

Thus, adding the accounts as Sensitive accounts achieves the goal.

✅ Correct Answer: A. Yes

Enable and disable advanced features of Microsoft Defender for Cloud: Subscription Owner

Apply security recommendations to a resource: Security Admin

To identify which blobs were deleted in an Azure Storage account, you must review Azure Storage Analytics logs, which record all operations (including DeleteBlob and DeleteContainer requests) made against the storage service.

These logs contain details such as timestamp, requester IP, operation type, and object name—allowing you to pinpoint the exact blobs deleted.

Activity logs (Option B) record control-plane operations (e.g., resource creation or configuration changes), not data-plane operations like blob deletions.

Alert details and related entities (Options C and D) summarize detection context but do not include full operation-level details.

✅ Correct Answer: A. the Azure Storage Analytics logs

Controlled Folder Access (CFA) is an anti-ransomware feature that protects specified folders from unauthorized modification by untrusted apps. While CFA helps prevent malicious processes from encrypting or modifying important files, it is a targeted hardening control and does not provide the broad detection/remediation capability required to ensure devices are protected from arbitrary malicious artifacts that a third-party antivirus missed. CFA blocks certain behaviors (file write/modify) for protected directories but won’t detect, quarantine, or remove unknown malicious files system-wide. The documented purpose of CFA is behavior-based protection for protected folders, not full post-breach remediation or EDR-style blocking. Therefore enabling CFA alone does not satisfy the requirement of ensuring devices are protected from artifacts that were undetected by the third-party AV.

Defender for Cloud depends on the Log Analytics agent.

Use the Log Analytics agent if you need to:

* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure

* Etc.

In Microsoft 365 Security and Compliance (now part of Microsoft Purview), Data Loss Prevention (DLP) policies use Sensitive Information Types (SITs) to detect confidential data. These SITs rely on a combination of methods—primarily regular expressions (RegEx), keyword dictionaries, and validation checks—to identify patterns such as credit card numbers, national IDs, or custom formats.

Since the scenario specifies that customer account numbers are 32-character alphanumeric strings (not a predefined sensitive type in Microsoft 365), the appropriate detection mechanism is to create a custom Sensitive Information Type using RegEx pattern matching. Microsoft documentation explicitly states:

“You can create custom sensitive information types that use a regular expression to define your own pattern for detecting sensitive data.”

Using RegEx, you can define a pattern such as [A-Za-z0-9]{32} to match exactly 32 alphanumeric characters. SharePoint search (A) cannot perform sensitivity classification, hunting queries (B) are for threat detection, and Azure Information Protection (C) applies labels after data is classified. Therefore, RegEx pattern matching is the correct choice to detect sensitive documents in this case.