SC-200 Microsoft Security Operations Analyst Free Practice Exam Questions (2026 Updated)

When onboarding non-Azure ser vers (including AWS EC2 and on-premises machines) to Microsoft Defender for Cloud , Microsoft’s official guidance is to install the Azure Connected Machine agent (also known as Azure Arc agent ).

Once connected, Defender for Cloud can monitor and protect that resource as if it were an Azure VM.

The Log Analytics or MMA agents are legacy solutions, and Defender for Endpoint packages alone don’t integrate the instance into Defender for Cloud’s resource view.

So, for AWS EC2 onboarding, install the Azure Connect ed Machine agent .

To correlate malicious email attachments with endpoints, Microsoft Defender data schemas expose attachment metadata in EmailAttachmentInfo (including the SHA256 hash) and endpoint file activity in DeviceFileEvents (which also records SHA256 for observed files). The recommended investigation pattern is: (1) filter email telemetry to the suspected sender and keep only attachments with a populated hash; (2) join that result with endpoint file events on the SHA256 hash to find devices where an identical file (by cryptographic hash) was seen. In KQL, isnotempty(SHA256) ensures you only pass attachments with a valid hash to the join, and join ... on SHA256 performs an exact-match correlation across datasets. This method aligns with Defender’s guidance to use hash-based correlation as the most reliable way to match artifacts across different security workloads (email vs. endpoint), since filenames and paths can change, but a cryptographic hash uniquely identifies file content. The final project selects operational fields for response—timestamps, file name and hash, device identifiers/names, message IDs, and sender/recipient—so the SOC can quickly pivot to the impacted devices and the original email that delivered the file.

In Microsoft Sentinel , analysts manage and investigate incidents through the Incident page , which provides multiple investigation and triage tools. The two core aspects of incident analysis relevant here are entity visualization and investigation audit tracking .

Entity Map (Investigate):

Selecting Investigate opens the Investigation Graph view in Microsoft Sentinel.

This interactive map visually displays all the entities (users, IPs, hosts, accounts, files, etc.) related to the alert and their relationships.

It helps analysts understand how alerts are connected, uncover lateral movements, and explore correlated suspicious activities.

Microsoft documentation describes this as:

“The investigation graph provides a visual representation of the entities involved in the incident, showing relationships between them to aid root-cause analysis.”

Hence, to view a map of connected entities, choose Investig ate .

Investigation Activities (Comments):

The Comments tab tracks the activities and analyst notes during the incident lifecycle.

This includes changes to status, assignments, and documented investigation steps — essentially functioning as an activity log for the incident.

Microsoft’s official Sentinel documentation states:

“The Comments section in the incident pane provides a timeline of analyst interactions, investigation notes, and changes performed on the incident.”

Therefore, to view the list of invest igation activities, select Comments .

In Microsoft Defender for Endpoint (MDE) live response sessions, to execute a PowerShell or other script on a remote device, the file must first be up loaded to the device from your local session. Microsoft documentation specifies that the putfile command is used to transfer a file (such as a script, tool, or executable) from the analyst’s workstation to the target device’s temporary working directory fo r execution.

Even though Script1.ps1 is digitally signed, Defender for Endpoint live response does not automatically access files from local storage or network paths. The analyst must explicitly upload the script using putfile , after which it can be execut ed within the live response shell.

The library and upload to library commands are used for storing reusable scripts centrally in the Microsoft Defender portal, but that’s not required for a single manual session. Modifying the PowerShell execution policy i s unnecessary because MDE live response sessions already allow executing approved scripts.

Hence, to minimize administrative effort and successfully run Script1.ps1 in the live session, the correct first action is:

B. Run the putfile command.

When you need to send a Microsoft Teams message (or perform any automated response) in Microsoft Defender for Cloud based on a new Microsoft Secure Score action , you must use workflow automation integrated with Azure Logic Apps .

Here’s the correct sequence of actions, step by step:

The Secure Score is part of Defender for Cloud’s Regulatory Compliance section.

To react to new Secure Score recommendations or actions, the Logic App must use the “When a Defender for Cloud regulatory compliance assessment is created or triggered” trigger.

This ensures that the automation is initiated whenever a new Secure Score change occurs.

According to Microsoft documentation:

Step 1: Create an Azure Logic App that includes the Defender for Cloud regulatory compliance assessment trigger “To automate Secure Score or compliance actions, select the ‘Regulatory compliance assessment trigger’ in Logic Apps. It triggers workflows when a new compliance or Secure Score recommendation is created or updated.”

Next, you configure the condition that specifies which Secure Score events should trigger the workflow.

For example, you can set conditions such as:

“If the assessment type = Secure Score,” or

“If compliance status = Failed.”

This filtering ensures that only relevant events (new Secure Score actions) will activate the workflow and prevent unnecessary Teams notifications.

Step 2: Configure a trigger condition

Finally, in Defender for Cloud, you configure workflow automation to link the Logic App to the event stream.

From the Defender for Cloud portal, navigate to Workflow automation → Add automation → Choose trigger and Logic App .

Select the created Logic App as the target and define the scope (e.g., all subscriptions or resource groups).

This connects Defender for Cloud to the Logic App so that when a new Secure Score event occurs, the app automatically sends the Microsoft Teams message.

Step 3: Configure workflow automation

In Microsoft Defender for Cloud , Role-Based Access Control (RBAC) is used to ensure that users and groups have only the permissions required to perfor m their specific security or management tasks. Microsoft provides several built-in roles designed specifically for Defender for Cloud operations.

Security Admin: This role provides full management permissions for security policies, recommendations, and alerts within Defender for Cloud. A Security Admin can configure policies, suppress or dismiss alerts, enable or disable Defender plans, and manage settings at the subscription or management group level. According to Microsoft documentation, the Security A dmin role “has all permissions of the Security Reader role plus the ability to update security policies and dismiss alerts and recommendations.” Therefore, Group1 , which likely needs administrative control to manage and remediate findings, should be assign ed Security Admin .

Security Assessment Contributor: This role is more limited and focuses on providing access for security posture assessment without granting the ability to change or modify configurations. The Security Assessment Contributor role allows v iewing security recommendations and assessment data but not altering Defender for Cloud configurations or dismissing alerts. This makes it ideal for compliance or audit groups who need read and assess access. Hence, Group2 should be assigned Security Assessment Contributor .

These assignments ensure the right balance between operational control (Group1) and read-only assessment or compliance duties (Group2), aligning with Microsoft’s least-privilege and separation-of-duties best practices.

✅ Final Answe r:

Group1 → Security Admin

Group2 → Security Assessment Contributor

Microsoft Sentinel playboo ks can be triggered by different types of events— alerts , incidents , or entities . Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an inc ident trigger .

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger . This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto- closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1 , browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts) . Microsoft’s official Defender XDR and Sentinel integrat ion guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deployin g Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel , to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector . This connector collects Event ID 4723 (password change) , 4724 (password res et) , and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA) . Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to d etect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects agains t brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring passwo rd reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

In Microsoft Sentinel’s Advanced Security Information Model (ASI M) , DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser . To minimize overhead , ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recomme nded pattern is:

Im_Dns(pack= " InfobloxNIOS " )

| where DnsResponseCodeName == " NXDOMAIN "

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXD OMAIN responses for counting DNS request failures from Infoblox1 .

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning . Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags . The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions . Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort : it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configurati on.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combine d.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

✅ Answer for Question 10: C. event grouping

The case s tudy requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps .

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically dis tant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives , since it may misinterpret legitimate connections as anomalous.

Mi crosoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s off ice IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

✅ Final Answer for Question 3: D. Impossible travel

According to Micros oft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from adva nced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️ ⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Def ender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️ ⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in th e portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️ ⃣ Provide domain administrator credentials to the on-pr emises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious acti vities.

4️ ⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while mai ntaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

To show labeled files from Windows 10 endpoints in the Azure Information Protection – Data discovery dashboard , you must first enable the built-in integration between Microsoft Defender for Endpoint and Azure Information Protection (AIP) . This is turned on in the Microsoft Defender Securit y Center under Settings → Advanced features . When enabled, Defender for Endpoint inventories sensitivity labels seen on files across managed Windows devices and streams that telemetry to the AIP Data discovery experience, providing visibility into where la beled data resides on endpoints. Scanner clusters and content scan jobs in AIP are intended for on-premises repositories (file shares/SharePoint servers), not for endpoint discovery. Device health/compliance reports do not surface or forward label inventor y to AIP. Therefore, the first configuration step is enabling the AIP integration advanced feature in Defender for Endpoint so labeled files on Windows clients appear in the AIP Data discovery dashboard.

In Copilot for Security promptbooks, inputs are referenced as placeholders wrapped in angle brackets (for example, < SENTINEL_INCIDENT_ID > ). To define an input named IncidentID in a prompt, format it as < IncidentID > .

In Microsoft Sentinel, entity ma pping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph , incidents , and hunting experiences . The Sentinel requirements in the case study specify:

“Add notes to events that represent dat a access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, h ostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentine l documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.