SC-200 Exam Dumps - Microsoft Certified: Security Operations Analyst Associate Questions and Answers

In Microsoft Defender for Cloud , suppression rules are used to automatically hide or suppress specific alerts that match defined conditi ons. These rules are often configured when certain alerts are expected (for example, during development or testing) and do not represent true security risks.

According to Microsoft Defender for Cloud documentation , when creating a suppression rule for a pa rticular Azure resource (like a Storage account ), you must select the appropriate entity type and field that uniquely identify that resource.

The Entity type defines what the suppression condition applies to. To suppress alerts for a specific Azure resourc e such as a storage account, virtual machine, or function app, the correct selection is Azure Resource .

The Field defines the attribute used to match that resource. Microsoft’s guidance specifies that Resource Id is the unique identifier for every Azure resource within a subscription, formatted as:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProvider}/{resourceType}/{resourceName}

This ensures the suppression rule precisely targets alerts related only to that spec ific storage account and not others.

Alternative fields like Name , Address , or Command line do not uniquely identify Azure resources in Defender for Cloud. Therefore, they would not provide the necessary precision for suppressing alerts from a specific Azu re Storage account.

✅ Final Answers:

Entity type: Azure Resource

Field: Resource Id

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks , which are workflows built on Azure Logic Apps . These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control chang es—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a pla ybook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell o r Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integra te orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remedia te active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation r esponse capabilities.

When User and Entity Behavior Analytics (UEBA) is enabled in Microsoft Sentinel, it automatically monitors Azure AD Sign-in Logs and provides activity templates for detecting common risky behaviors, such as failed sign-in attempts , impossible travel , or infrequent country logins .

To detect faile d interactive sign-ins with minimal administrative effort , you can simply enable the UEBA activity template for sign-in failures rather than building a custom scheduled alert or hunting query.

✅ Answer: B. a UEBA activity template

The Fusion analytics rule in Microsoft Sentinel automatically correlates alerts from multiple sources (including Microsoft Defender connectors) to detect multistage attacks . Because Fusion runs continuously and cannot be disabled without losing multi-stage detection, the best practice for temporarily suppressing incidents from a specific connector (like Microsoft Defender) is to use automation rul es , not by disabling the Fusion rule itself.

An automation rule can be configured to trigger on specific conditions (such as “When incident is updated” or “When incident is created”) and then perform an action like running a playbook that applies suppressi on logic.

Here’s the reasoning:

Trigger:

Setting the trigger to “When incident is updated” ensures that the rule evaluates changes to existing incidents—such as enrichment or tagging from Fusion—and provides finer control over suppression, minimizing impac t on the Fusion detection pipeline.

Using “When incident is created” could interfere with Fusion’s initial detection process.

Action:

The appropriate action is “Run playbook” , which allows automated handling (for example, tagging or closing certain inciden ts from a specific connector). This requires minimal administrative effort and avoids turning off the Fusion rule.

This configuration ensures that Fusion continues to detect multistage attacks (so detection isn’t impacted) while automation handles temporar y suppression for specific connectors efficiently.

To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).

In Microsoft Defender XDR hunting, EmailAttachmentInfo includes metadata for received attachments (name, subject, and the file’s SHA256 ), while DeviceFileEvents records file operations on endpoints (open/read/execute) and also carries the SHA256 hash. Microsoft’s guidance for efficient joins in KQL recommends correlating artifacts using stable, high-cardinality identifiers (hashes) rather than paths or URLs, becau se paths can change and URLs may not be preserved on disk; hashes uniquely identify the same file across mail and endpoint telemetry. To minimize query resources , Kusto’s join kind=innerunique is preferred when the left side (EmailAttachmentInfo) is expect ed to have unique keys (one attachment hash per message instance) and you want at most one match per left record. It reduces shuffle/duplication compared to inner , improving performance while returning only devices that actually opened the same file (by ma tching SHA256 ) within the last 12 hours.

So the optimal query structure is:

EmailAttachmentInfo

| where Timestamp > ago(12h)

| where Subject == " Document Attachment " and FileName == " File1.pdf "

| join kind=innerunique

(DeviceFileEvents | where Timestamp > ago(12h))

on SHA256

This precisely identifies devices that received the email with File1.pdf and opened that same file, using the most efficient join strategy and a reliable correlation key.

In Microsoft Sentinel , the Advanced Security Information Model (ASIM) provides a standardized schema and parser layer fo r common telemetry types (DNS, Authentication, NetworkSession, etc.). To investigate DNS-related activity, you should use the ASIM-normalized table ASim_Dns , which unifies data from multiple DNS sources (Microsoft Defender for Endpoint, Azure Firewall, DNS servers, etc.) under a consistent schema.

The ASim_Dns parser standardizes key fields such as:

TimeGenerated → timestamp of the DNS event

ResponseCodeName → name of the DNS response code (e.g., NXDOMAIN , NOERROR , etc.)

QueryName → domain name queried

SrcIpAddr and DstIpAddr → IP addresses involved

To investigate recent DNS failures (e.g., non-existent domains), the query filters for events where:

TimeGenerated > ago(7d) — limits to the last 7 days of DNS logs.

ResponseCodeName == " NXDOMAIN " — identifie s DNS lookups that returned “Non-Existent Domain,” a common indicator of suspicious or misconfigured activity.

Therefore, the correct and compliant ASIM-based query syntax is:

ASim_Dns

| where TimeGenerated > ago(7d)

| where ResponseCodeName == " NXDOMAIN "

This approach ensures your investigation leverages ASIM normalization and aligns with Microsoft Sentinel best practices for DNS event analysis.

 Microsoft Entra role: Security Administrator

 Role for WS1: Microsoft Sentinel Contributor

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel , a user must have permission to configure data connectors that access Microsoft Entra ID (Azure AD) identity data and to manage Sentinel settings for the workspace.

This requires roles in two scopes :

1️ ⃣ Microsoft Entra ID (directory) level – for identity data access.

2️ ⃣ Sentinel workspace level – for Sentinel feature management.

Step 1: Microsoft Entra (Azure AD) Role → Security Administrator According to Microsoft documentation, enabling UEBA requires connecting Microsoft Sentinel to Microsoft Entra ID to import user and identity behavior data.

The Security Administrator role grants the necessary read permissions to user and sign-in data while still adhering to the principle of least privilege .

The Global Administrator role would also work but provides excessive privileges beyond what’s required for UEBA configuration.

The Security Operator role is limited to viewing alerts and cannot configure Sentinel connectors.

Hence, Security Administrator is the correct least-privilege directory role.

Step 2: Role for WS1 (Sentinel Workspace) → Microsoft Sentinel Contributor To manage Sentinel configuration and enable features such as UEBA , data connectors , and analytics rules , the Microsoft Sentinel Contributor role is required at the workspace level.

The Sentinel Contributor role allows enabling/disabling features, managing playbooks, and configuring connectors.

The Sentinel Automa tion Contributor role is only for playbook automation permissions.

The basic Contributor role can manage Azure resources but doesn’t grant Sentinel-specific privileges.

✅ Final Answer:

Microsoft Entra role: Security Administrator

Role for WS1: Microsoft Sentinel Contributor