SC-200 Microsoft Security Operations Analyst Free Practice Exam Questions (2025 Updated)

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks, which are workflows built on Azure Logic Apps. These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control changes—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a playbook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell or Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integrate orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remediate active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation response capabilities.

Microsoft Sentinel incidents that originate from the Microsoft 365 Defender data connector are synchronized automatically with the Microsoft 365 Defender portal. To add or link an additional alert (for example, from Defender for Cloud Apps) to an existing incident, you must do it from the Microsoft 365 Defender portal’s Alerts page, not directly in Sentinel.

Once updated in Microsoft 365 Defender, the changes sync back to Sentinel, maintaining incident parity between both platforms.

✅ Correct Answer: D. the Alerts page in the Microsoft 365 Defender portal

To ingest custom logs from on-premises servers into Microsoft Sentinel, the logs must first be collected through the Log Analytics workspace that Sentinel is built on. According to Microsoft Sentinel and Azure Monitor documentation, the required steps are:

Install the Log Analytics agent (MMA/OMS agent) on each on-premises Windows Server that will send logs.

This agent securely forwards Windows event logs, performance data, and custom log files to the Log Analytics workspace in Azure Monitor.

Although Azure Monitor Agent (AMA) is the newer option, custom log collection is still supported primarily via the Log Analytics agent until full parity is achieved.

The Microsoft Dependency agent is used only for service map and dependency data, not for log ingestion.

The Azure Connected Machine agent (for Azure Arc) can onboard machines for management but does not directly handle custom log configuration for Sentinel.

Configure custom log ingestion by defining custom log collection rules in the Log Analytics workspace settings.

In Sentinel, navigate to the underlying workspace → Advanced settings → Data → Custom Logs to define the log format, file path, and collection parameters.

The custom log configuration is always managed at the workspace level, since Sentinel queries data from the connected workspace’s tables.

Other options, like the Data connectors page or Logs blade of Sentinel, are used for connecting integrated services or for querying data, not for defining custom ingestion sources.

Therefore, based on official Microsoft Defender XDR and Sentinel integration guidance, the correct configuration steps are:

✅ On the servers, install the: Log Analytics agent

✅ Configure custom log settings by using the: Log Analytics workspace settings of Microsoft Sentinel

In Microsoft Purview, permissions to perform searches, audits, and investigations are managed through role groups within the Microsoft Purview compliance portal. Each role group provides specific capabilities aligned with least privilege principles.

To allow a user to:

Search the Microsoft Purview Audit logs, and

Review the Audit configuration and settings,

…the required role group is Audit Reader.

According to Microsoft documentation:

“Members of the Audit Reader role group can search the audit log for user and admin activities and view audit configuration settings.”

This group grants audit-related permissions only — it does not grant access to other Purview or mailbox content, meeting the least privilege requirement.

✅ User1 = Audit Reader

To allow a user to:

Perform content searches across Microsoft Exchange Online mailboxes,

…the correct role group is Data Investigator.

Per Microsoft Purview documentation:

“Members of the Data Investigator role group can perform content searches across Exchange Online, SharePoint Online, and OneDrive locations.”

Other options such as Communication Compliance Investigators or Insider Risk Management Investigators are specific to their respective Purview solutions and not used for general content or mailbox searches.

✅ User2 = Data Investigator

In Microsoft Defender for Endpoint (MDE) Live Response, security analysts can remotely connect to a device and execute forensic commands. When an executable is launched in the background during a live response session using the run command (for example, run File1.exe -background), the session creates a job associated with that command.

To identify the command ID of the background process, the correct command is jobs. The jobs command lists all currently running or completed background jobs initiated during the live response session. Each job entry includes details such as the job ID, command executed, and current status. This allows analysts to determine which process corresponds to File1.exe and its associated command ID.

Once the background process is identified, you can interact with File1.exe using the fg (foreground) command. The fg command is used to bring a background job to the foreground, allowing you to interact directly with it — for instance, to send inputs, observe outputs, or terminate it.

This procedure aligns with Microsoft Defender for Endpoint documentation, which specifies:

Use jobs to view or manage background jobs.

Use fg <JobID> to interact with a specific background process.

Therefore, the correct selections are:

Identify the command ID of File1.exe: jobs

Interact with File1.exe: fg

Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound (red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.

To collect Windows Security event logs in Microsoft Sentinel, each monitored server or virtual machine must send its logs to a Log Analytics workspace, which Sentinel uses as its data foundation. This requires deploying the Log Analytics agent (formerly OMS agent) to the Windows systems.

The Log Analytics agent collects data such as event logs (including Security, Application, and System logs) and forwards them to the connected Log Analytics workspace. Once the agent is installed and configured, the data becomes available for analysis and correlation in Microsoft Sentinel.

Why not the other agents:

The Azure Monitor agent (AMA) is newer but, at this time, some Sentinel connectors and data collection rules still rely on the Log Analytics agent for Windows event collection.

The Windows Azure VM Agent is only responsible for enabling Azure management extensions, not log collection.

Once the data is ingested into Sentinel, analysts use KQL (Kusto Query Language) to query, investigate, and create analytics rules or workbooks. KQL is the native query language for both Azure Monitor Logs and Microsoft Sentinel.

Therefore, the correct configuration is:

✅ Deploy the Log Analytics agent

✅ Query by using KQL

In Microsoft Defender for Identity, marking accounts as Sensitive instructs the system to monitor those accounts more closely for suspicious activity or lateral movement attempts.

The question describes the goal as configuring several accounts that attackers might exploit. Microsoft Defender for Identity documentation explicitly says:

“Accounts designated as Sensitive are prioritized for monitoring and detection to identify potential compromise attempts.”

Thus, adding the accounts as Sensitive accounts achieves the goal.

✅ Correct Answer: A. Yes

To view incidents across multiple Sentinel workspaces (50 in this case), the central view is provided from the Microsoft Sentinel page in the Azure portal.

This page provides a multi-workspace incident view, allowing SOC analysts to see all incidents across all connected workspaces without switching manually.

Microsoft Sentinel – Incidents → shows incidents from a single workspace only.

Microsoft Sentinel – Workbooks → used for analytics visualization.

Log Analytics workspaces → only for log storage and queries, not consolidated incident management.

✅ Correct Answer: C. Microsoft Sentinel

In Microsoft Defender for Endpoint (Plan 2), you can use indicator file hashes (IoC file hashes) to block files from executing or being downloaded. When you create a file hash indicator, you specify the exact file hash (for example, SHA-256 or MD5) and choose actions such as “block” or “remediate.”

However, an important detail is that file hash indicators are applied to specific files—that is, for a given executable or file content. You cannot use a hash indicator to block all files of a certain extension generically. If a given file has a different hash, it will not be blocked unless you add its specific hash. Because the question says you found suspected malware files sys, pdf, docx, xlsx, and you need to block users from downloading those files, only those files for which you can compute and apply a specific hash indicator can be blocked. The question implies you can create indicator hashes for each of those file names (assuming each has a unique hash).

Thus you can block all four (File1.sys, File2.pdf, File3.docx, File4.xlsx) by adding each as an indicator hash. The choice E lists all four. That is consistent with Microsoft’s statements that “you can create indicators that define detection, prevention, or exclusion of entities,” and file hash indicators specifically apply to those files. Microsoft Learn+3Microsoft Learn+3Microsoft Learn+3

Options that exclude some file types (e.g. only blocking sys and docx but not pdf or xlsx) would leave gaps, which doesn’t satisfy the requirement of blocking all those suspected files. Hence E is the correct answer.

To integrate on-premises servers into Microsoft Defender for Cloud and support features such as Threat and Vulnerability Management (TVM) and data collection rules, the servers must first be connected to Azure Arc. Azure Arc allows non-Azure servers to be managed as Azure resources and enables Defender for Cloud capabilities such as endpoint protection, vulnerability management, and compliance assessment.

The correct sequence of steps is:

1️⃣ Generate the installation script:

In the Azure portal, navigate to Azure Arc → Servers → Add. From there, select the appropriate subscription and resource group, then generate the Azure Arc onboarding script. This script includes registration commands and configuration for the machine to connect to Azure.

2️⃣ Install the Azure Connected Machine agent:

On each on-premises server, run the generated script. This installs the Azure Connected Machine agent (Azure Arc agent), which establishes communication between the on-premises server and Azure. After installation, the server appears as an Arc-enabled machine in the Azure portal.

3️⃣ Create an Azure Arc Data Controller (if data services are required):

Once the machines are connected, you can configure data services or additional Defender for Cloud features (such as data collection and TVM). The Azure Arc Data Controller provides hybrid data capabilities for managing and monitoring on-premises workloads.

This sequence aligns with Microsoft’s Defender for Cloud documentation and Arc onboarding best practices, ensuring minimal administrative overhead while enabling full SecOps visibility across hybrid environments.

1️⃣ Connect-IPPSSession

2️⃣ New-ComplianceSearch

3️⃣ Start-ComplianceSearch

In Microsoft 365 E5 (which includes Microsoft Purview and Exchange Online), to identify phishing email messages using PowerShell, administrators can perform a compliance content search. The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.

Here’s the correct order and purpose of each cmdlet:

1️⃣ Connect-IPPSSession

This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center).

It’s required before executing any compliance-related PowerShell commands such as creating or starting a search.

Example:

Connect-IPPSSession

2️⃣ New-ComplianceSearch

After connecting, use this cmdlet to create a new compliance content search.

You can define parameters such as the search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).

Example:

New-ComplianceSearch -Name "PhishingSearch" -ExchangeLocation All -ContentMatchQuery 'Subject:"phish" OR Subject:"urgent action required"'

3️⃣ Start-ComplianceSearch

Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.

Example:

Start-ComplianceSearch -Identity "PhishingSearch"

Other cmdlets explained:

Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.

Search-UnifiedAuditLog searches the unified audit log, which is used for activity auditing, not email content searches.

✅ Final Correct Sequence:

Connect-IPPSSession

New-ComplianceSearch

Start-ComplianceSearch

In Microsoft Sentinel, playbooks (Logic Apps) that are connected to Sentinel are most commonly run in context of an incident. From the Incidents blade, you select an incident, then choose Actions → Run playbook to trigger a manual test against that specific incident’s entities and alert context. This is the recommended way to validate playbook inputs (entities, alert details, incident properties) and permissions end-to-end without changing analytics rules. While the Playbooks blade shows the Logic Apps and their connections, the incident view is where Sentinel exposes manual execution with full security operations context (assignments, comments, evidence), which is what “test a playbook manually in the Azure portal (from Sentinel)” refers to.

The Fusion analytics rule in Microsoft Sentinel automatically correlates alerts from multiple sources (including Microsoft Defender connectors) to detect multistage attacks. Because Fusion runs continuously and cannot be disabled without losing multi-stage detection, the best practice for temporarily suppressing incidents from a specific connector (like Microsoft Defender) is to use automation rules, not by disabling the Fusion rule itself.

An automation rule can be configured to trigger on specific conditions (such as “When incident is updated” or “When incident is created”) and then perform an action like running a playbook that applies suppression logic.

Here’s the reasoning:

Trigger:

Setting the trigger to “When incident is updated” ensures that the rule evaluates changes to existing incidents—such as enrichment or tagging from Fusion—and provides finer control over suppression, minimizing impact on the Fusion detection pipeline.

Using “When incident is created” could interfere with Fusion’s initial detection process.

Action:

The appropriate action is “Run playbook”, which allows automated handling (for example, tagging or closing certain incidents from a specific connector). This requires minimal administrative effort and avoids turning off the Fusion rule.

This configuration ensures that Fusion continues to detect multistage attacks (so detection isn’t impacted) while automation handles temporary suppression for specific connectors efficiently.