SC-200 Exam Dumps - Microsoft Certified: Security Operations Analyst Associate Questions and Answers

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace. Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-minimization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for comprehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increases data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities, the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

✅ Log Analytics workspace to use: LA1

✅ Windows security events to collect: Common

In Microsoft Defender for Cloud, suppression rules are used to automatically hide or suppress specific alerts that match defined conditions. These rules are often configured when certain alerts are expected (for example, during development or testing) and do not represent true security risks.

According to Microsoft Defender for Cloud documentation, when creating a suppression rule for a particular Azure resource (like a Storage account), you must select the appropriate entity type and field that uniquely identify that resource.

The Entity type defines what the suppression condition applies to. To suppress alerts for a specific Azure resource such as a storage account, virtual machine, or function app, the correct selection is Azure Resource.

The Field defines the attribute used to match that resource. Microsoft’s guidance specifies that Resource Id is the unique identifier for every Azure resource within a subscription, formatted as:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProvider}/{resourceType}/{resourceName}

This ensures the suppression rule precisely targets alerts related only to that specific storage account and not others.

Alternative fields like Name, Address, or Command line do not uniquely identify Azure resources in Defender for Cloud. Therefore, they would not provide the necessary precision for suppressing alerts from a specific Azure Storage account.

✅ Final Answers:

Entity type: Azure Resource

Field: Resource Id

Box 1: Owner

Only the Owner can assign initiatives.

Box 2: Contributor

Only the Contributor or the Owner can apply security recommendations.

In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation allows you to automatically respond to security alerts and recommendations by triggering remediation actions.

When you create an Azure Policy to enforce automatic remediation based on Defender alerts or recommendations, the effect determines what the policy does when a resource is found noncompliant:

DeployIfNotExists is the correct effect to use for automatic remediation. This effect automatically deploys a remediation task (such as a Logic App or other automation) when a matching noncompliant resource is detected. It’s commonly used in Defender for Cloud to deploy missing security configurations or initiate an automated remediation workflow.

Append only adds metadata or parameters to resources—it does not enforce or deploy remediation actions.

EnforceRegoPolicy is used for container compliance with Gatekeeper policies (Kubernetes), not for Defender workflows.

For the automation mechanism:

An Azure Logic Apps app with the trigger “When an Azure Security Center alert is created or triggered” is the correct choice. This Logic App acts as the workflow automation engine that runs whenever a new alert is raised. It can perform actions such as isolating VMs, disabling users, or notifying SOC teams.

Using a trigger for “When a response to an Azure Security Center alert is triggered” would only activate after a manual response, not automatically.

Automation runbooks with webhooks can be used for custom automation, but Defender workflow automation integrates natively with Logic Apps and not directly with runbooks.

✅ Final Answer:

Set available effects to: DeployIfNotExists

To perform remediation use: An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered

If you manually install the Log Analytics agent on your AWS Linux VMs and connect them to your Azure Log Analytics workspace, Defender for Cloud can begin collecting telemetry data from those machines. Once connected, Azure Defender automatically protects and monitors them, even if they are hosted outside Azure.

Microsoft Defender for Cloud documentation explains:

“You can manually install the Log Analytics agent on non-Azure machines and connect them to your workspace. Once connected, Defender for Servers will begin applying protections and generating alerts.”

Although Azure Arc provides centralized management and auto-provisioning, manually installing the Log Analytics agent is a valid and supported alternative method. Therefore, this solution also meets the goal.

✅ Correct answer: A. Yes

In Microsoft Defender for Office 365 Safe Attachments, Dynamic Delivery is specifically designed to shorten perceived delivery time while keeping full detonation scanning in place. Microsoft explains that with Dynamic Delivery, the service “delivers the message body right away and replaces attachments with a placeholder while scanning”; once the sandbox verdict is clean, the original file is reinserted automatically. If malware is found, the attachment is blocked/removed and the message is handled per policy (for example, quarantined). This option meets both requirements in the question: (1) users get messages quickly (no long wait for full message delivery) and (2) security isn’t reduced because attachments are still detonated before users can open them.

By contrast, Block delays or stops delivery when malicious; Replace swaps detected-malicious attachments with a .txt summary but doesn’t reduce the initial delivery time for clean items; Monitor only logs without enforcing protection. Therefore, to reduce delivery latency without compromising protection and still block malware, configure Dynamic Delivery in your Safe Attachments policy.

EDR in block mode is a Defender for Endpoint capability designed specifically for environments where a non-Microsoft antivirus is the primary real-time protection (i.e., Microsoft Defender Antivirus is running in passive mode). The official documentation explains that EDR in block mode “provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product.” Practically, that means behavioral detections and EDR cloud signals can trigger remediation actions (quarantine, remove, kill process, etc.) even if the third-party AV missed the artifact. Microsoft explicitly states EDR in block mode remediates post-breach artifacts that were missed by the primary antivirus and is recommended for this scenario. Note that some prevention features that require Defender Antivirus active (on-access real-time scanning, certain ASR/network protection features) won’t be available while Defender AV is passive, but EDR in block mode still provides post-detection blocking/remediation — which meets the stated goal of protecting devices from artifacts undetected by the third-party AV.

 Table to start from: MicrosoftGraphActivityLogs

 Function to extract the path: parse_url(RequestUri).Path

To find which Azure resources were queried or modified by risky users, you should analyze API calls made to Microsoft Graph (and ARM where applicable) and join them with Identity Protection risk signals. In Log Analytics, MicrosoftGraphActivityLogs records Graph API calls with useful fields for this task, including UserId, RequestUri, RequestMethod, ResponseStatusCode, and RequestId. These fields let you identify what resource endpoint was accessed, how (GET/POST/PATCH/DELETE), and whether the request succeeded.

You then join these API events with AADRiskyUsers on the user identifier ($left.UserId == $right.Id) to restrict results to users currently assessed as risky. To normalize the resource that was targeted, parse the endpoint from the full URL. The correct way is to extract just the path component using parse_url(RequestUri).Path, then clean version segments (e.g., /v1.0/, /beta/) with replace_string/replace_regex to produce a comparable resourcePath. Finally, summarizing with dcount(RequestId) by UserId, RiskState, resourcePath, RequestMethod, and ResponseStatusCode yields a concise mapping of which resources risky users queried or modified.

Therefore, the two correct choices are MicrosoftGraphActivityLogs and parse_url(RequestUri).Path.

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall settings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise is suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration changes at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats, Microsoft recommends hardening Key Vault firewall and networking: restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blocks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

In Microsoft Sentinel’s Advanced Security Information Model (ASIM), DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser. To minimize overhead, ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recommended pattern is:

Im_Dns(pack="InfobloxNIOS")

| where DnsResponseCodeName == "NXDOMAIN"

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXDOMAIN responses for counting DNS request failures from Infoblox1.