SC-200 Exam Dumps - Microsoft Certified: Security Operations Analyst Associate Questions and Answers

Microsoft Sentinel is built on top of Azure Monitor Log Analytics . All Sentinel data — including security alerts, incidents, and telemetry from connected sources — is stored and queried thr ough a Log Analytics workspace . Sentinel’s hunting feature uses Kusto Query Language (KQL) , which runs directly against the Log Analytics workspace data.

Official Sentinel documentation specifies:

“Microsoft Sentinel uses an Azure Monitor Log Analytics wor kspace as its foundation. All data collected by Sentinel is stored in that workspace, and hunting queries run on this data.”

Other workspace types such as Azure Synapse , Azure Databricks , or Azure Machine Learning are for analytics, data science, and model ing — not security log collection or KQL-based hunting.

✅ Therefore, to run hunting queries in Microsoft Sentinel, you must create a Log Analytics workspace.

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud controls inbound traffic to virtual machines, reducing exposure to attacks. Microsoft’s guidance allows JIT policies to be centrally configured and applied automatically across a resource group using Azure Policy , which provides the lowest administrative overhead.

To meet the requir ements:

Limit request time to two hours: Defender for Cloud JIT policy allows defining a maximum allowed access duration per request.

Limit protocol to RDP only: The JIT configuration can restrict the protocol and port (TCP/3389 for RDP).

Minimize administrative effort: Azure Policy can automatically enforce this configuration for all VMs in RG1 without manually setting up each VM.

Other options are less suitable:

A. PIM controls user privileges, not network access.

C. Azure Front Door handles web application traffic.

D. Azure Bastion provides secure RDP/SSH via portal but doesn’t manage just-in-time network policies.

✅ Correct Answer: B. Azure Policy

To minimize administrative effort in responding to incidents and remediating security threats in Microsoft Sentinel , you s hould use the platform’s built-in automation and orchestration capabilities — specifically Automation Rules and Playbooks .

Microsoft Sentinel Automation Rules (Option C):

Automation rules in Sentinel allow you to automate incident management tasks such as assigning owners, changing severity, tagging, or automatically running playbooks when an incident or alert is created.

They help standardize responses across similar alerts, significantly reducing manual intervention.

Microsoft documentation states:

“Autom ation rules simplify the management of playbook triggers and incident handling by allowing you to define actions that automatically occur when incidents are created or updated.”

Microsoft Sentinel Playbooks (Option D):

Playbooks are Logic App–based workflo ws that automate responses to security alerts or incidents.

They can perform remediation actions such as disabling compromised accounts, isolating infected devices, blocking IP addresses, or sending notifications to SOC teams.

You can link playbooks direct ly to analytics rules or call them through automation rules for end-to-end automation.

Incorrect Options:

A. Bookmarks are used for hunting investigations, not for automation or remediation.

B. Azure Automation runbooks can be used for specific administrative scripts but require more manual setup and integration — not the most efficient choice for Sentinel’s automated workflows.

E. Azure Functions apps are custom code execution environments; while powerful, they are not the primary tool for Senti nel’s automated response.

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual mac hines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Query successful

This is a role-based access control (RBAC) question using the principle of least privilege.

The table of users and roles is:

Name

Role

User1

Security administrator

User2

Security reader

User3

Contributor

Export to Sheets

Action: This is a management/configuration task at the subscription level, often related to enabling Defender plans and installing extensions on VMs.

Required Permissions: The ability to modify security policies and settings in Microsoft Defender for Cloud and the permission to install extensions on VMs.

The Security Administrato r role is explicitly designed for this, granting permissions to manage the security features, policies, and program enrollment (like enabling Defender plans).

The Contributor role can also perform this by installing the necessary agents and extensions, but it grants broad access to manage all resources, violating the principle of least privilege for a purely security-focused task.

Least Privilege User: User1 (Security administrator)

A ction: This task has two parts:

Review security recommendations: This is a read-only action. The Security Reader role is sufficient.

Enable server vulnerability scans: This means configuring a security feature (Vulnerability Assessment), which requires wri te access to the security configuration or the resource itself.

The Security Reader role cannot perform the " enable " action.

The Security Administrator role has the permissions required to modify security policy and configuration to enable scanning features.

The Contributor role can also do this, but again, the Security Administrator role is the least privileged for a security-specific configuration change.

Least Privilege User: Since the entire task includes an " enable " (write) action, we must use the role that can perform both read and write security actions. User1 (Security administrator) is the appropriate choice.

Task Analysis and Role Mapping 1. Enable Microsoft Defender for Servers on virtual machines. 2. Review security recommendations and enable server vulnerability scans.

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1

XDR Custom Detection Rules Documentation):

In Microsoft Defender XDR, custom detection rules are scheduled KQL queries that evaluate telemetry on a recurring schedule, using a lookback (loopback) period to determine how much historical data to analyze during each run.

The loopback period determines the time window over which data i s evaluated (e.g., 12 hours, 48 hours). To change this period, administrators modify the rule’s schedule configuration — specifically the frequency or recurrence settings in the custom detection rule editor. The KQL query (including summarize or where oper ators) defines the logic but not the temporal scope of data evaluation.

Therefore, extending the loopback from 12 hours to 48 hours requires adjusting the frequency (schedule) configuration of the rule, not the query itself.

✅ Correct Answer: A. the freque ncy

The DeviceTvm SoftwareInventory table in Microsoft Defender XDR advanced hunting contains detailed information about installed applications, software versions, publishers, and installation details across onboarded endpoints. When you need to retrieve a list of installed programs for a specific device (like Device1), this is the correct table to query.

Microsoft documentation describes this table as:

“The DeviceTvmSoftwareInventory table provides a comprehensive inventory of all software discovered on devices, including v ersion and vendor information.”

DeviceTvmInfoGathering contains vulnerability assessment and scan status details, not software lists.

DeviceProcessEvents captures process execution data (runtime events).

Live response processes command lists currently running processes, not all installed software.

✅ Correct Answer: C. DeviceTvmSoftwareInventory

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps .

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically dis tant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives , since it may misinterpret legitimate connections as anomalous.

Mi crosoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s off ice IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

✅ Final Answer for Question 3: D. Impossible travel

Defender for Cloud depends on the Log Analytics agent.

Use the Log Analytics agent if you need to:

* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure

* Etc.

In Microsoft Sentinel, each workspac e acts as a logical container for security data and analytics. When integrating Sentinel across organizations or environments—such as between Contoso and Fabrikam —each Azure subscription needs at least one Log Analytics workspace that Sentinel can attach t o. This workspace becomes the data repository for logs and analytics rules.

Therefore, Fabrikam requires a minimum of one Log Analytics workspace to onboard Microsoft Sentinel and begin collecting and analyzing data. Multiple workspaces may be used for isolation or region-specific requirements, but one is sufficient for a functional deployment.

To query and correlate data between multiple workspaces or tenants , Sentinel uses the workspace() KQL function. This function allows cross-workspace queries, lett ing you pull data from different Sentinel instances for investigation or threat correlation. For example:

union workspace( " FabrikamWorkspace " ).SecurityEvent, workspace( " ContosoWorkspace " ).SecurityEvent

| summarize count() by Account

This KQL syntax enables cross-tenant or cross-subscription correlation when Defender or Sentinel workspaces are connected through proper permissions (e.g., Azure Lighthouse or cross-tenant data access).

✅ Final Answers:

Minimum number of Log Analytics workspaces: 1

Query element required to correlate data between tenants: workspace