SC-200 Exam Dumps - Microsoft Certified: Security Operations Analyst Associate Questions and Answers

When modifying an existing Azure Sentinel playbook (Logic App) to send emails to a dynamic recipient , such as the resource owner , you must make the email destination configurable. This is achieved by adding a parameter in the Logic App.

You then modify the action (the “Send an email” step) to use this parameter as the recipient field instead of a static distribution list. This enables flexibility, allowing the playbook to adapt dynamically based on alert context or Sentinel data fields passed into it.

In Microsoft Sentinel documentation, the best practice for dynamic logic app responses is:

“Use parameters to pass entity information (such as Account, Host, or Owner) from Sentinel alerts into playbooks for dynamic action execution.”

Hence, the verif ied answer is D. Add a parameter and modify the action .

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS —against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the te am to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect mali cious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This direct ly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolve d using Microsoft Defender for Endpoint .

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace . To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’ s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace( ' Fabrikam-WS ' ).SecurityEvent, workspace( ' Contoso-WS ' ).SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrik am needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

In Microsoft Sentinel , Advanced Security Informa tion Model (ASIM) parsers normalize different data types for analytics. Built-in parsers update automatically when Microsoft releases improvements. However, you can prevent automatic updates by redeploying or overriding them.

Per Microsoft Sentinel ASIM do cumentation:

You can redeploy a built-in parser with custom parameters ( CallerContext=any , SourceSpecificParse=any ) to create a local copy. This local redeployment is treated as a custom parser and will not be automatically updated .

Alternatively, you can build a custom unify parser that references a specific parser version. Custom parsers are user-managed and unaffected by ASIM’s automated update pipeline.

Other options (like creating hunting queries or analytics rules) merely reference the parser and do n ot affect its update behavior.

✅ Correct answers: A and D

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall s ettings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise i s suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration change s at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats , Microsoft recommends hardening Key Vault firewall and networking : restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blo cks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

In Microsoft Defender for Identity (MDI) , data collected from Active Directory Domain Serv ices (AD DS) is stored in Microsoft 365 Defender advanced hunting tables under the Identity schema.

When investigating LDAP or authentication activities related to domain controllers, the correct table is IdentityLogonEvents .

The IdentityLogonEvents table contains information about all logons detected by Defender for Identity sensors on domain controllers — including LDAP binds , Kerberos , NTLM , and other authentication types.

You can identify LDAP simple binds using a query such as:

IdentityLogonEvents

| wh ere Protocol == " LDAP "

| where AuthenticationPackage == " SimpleBind "

Other options explained:

AADServicePrincipalRiskEvents – Contains Entra (Azure AD) service principal risk detections, not AD DS activity.

AADDomainServicesAccountLogon – Used for Azure AD Domain Services (AAD DS), not traditional on-prem AD DS.

SigninLogs – Contains Entra (Azure AD) sign-in data, not LDAP or on-prem authentication.

✅ Correct table: IdentityLogonEvents

To create a custom alert suppression rule in M icrosoft Defender for Cloud (formerly Azure Security Center) , you must first have an existing alert to base the suppression rule on. Suppression rules can only be configured for alert types that have already been triggered.

According to Microsoft’s Defende r for Cloud documentation:

“You can create suppression rules for alerts that you’ve already received. To create the rule, locate the specific alert in Security alerts, open it, and then choose ‘Create suppression rule’ from the alert page.”

Therefore, befo re you can create a suppression rule for suspicious use of PowerShell on VM1 , you must first trigger that alert by performing (or simulating) the action that causes it — in this case, generating a PowerShell activity alert on VM1.

The other options are inc orrect:

(A) Workflow automation is used to respond automatically to alerts, not suppress them.

(B) Get-MPThreatCatalog retrieves malware threat details from Windows Defender, not alert data from Defender for Cloud.

(D) Exporting alerts to Log Analytics is for analysis, not suppression configuration.

✅ Correct answer: C. On VM1, trigger a PowerShell alert

To enforce Multi-Factor Authentication (MFA) for remote users, Microsoft recommends using Conditional Access policies that distinguish between trusted (corporate) and untrusted (remote) network locations.

In Azure AD Conditional Acc ess, this is implemented using Named Locations . You define a named location by specifying trusted IP address ranges for your corporate network. The policy can then enforce MFA for sign-ins that originate outside those trusted locations.

Microsoft Learn sta tes:

“Use named locations in Conditional Access to define network boundaries for your organization and configure policies to enforce MFA for users accessing from untrusted networks.”

✅ Correct Answer: C. a named location

A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription. Reference: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview