SC-200 Microsoft Security Operations Analyst Free Practice Exam Questions (2025 Updated)

To create a custom alert suppression rule in Microsoft Defender for Cloud (formerly Azure Security Center), you must first have an existing alert to base the suppression rule on. Suppression rules can only be configured for alert types that have already been triggered.

According to Microsoft’s Defender for Cloud documentation:

“You can create suppression rules for alerts that you’ve already received. To create the rule, locate the specific alert in Security alerts, open it, and then choose ‘Create suppression rule’ from the alert page.”

Therefore, before you can create a suppression rule for suspicious use of PowerShell on VM1, you must first trigger that alert by performing (or simulating) the action that causes it — in this case, generating a PowerShell activity alert on VM1.

The other options are incorrect:

(A) Workflow automation is used to respond automatically to alerts, not suppress them.

(B) Get-MPThreatCatalog retrieves malware threat details from Windows Defender, not alert data from Defender for Cloud.

(D) Exporting alerts to Log Analytics is for analysis, not suppression configuration.

✅ Correct answer: C. On VM1, trigger a PowerShell alert

In Microsoft 365 Security and Compliance (now part of Microsoft Purview), Data Loss Prevention (DLP) policies use Sensitive Information Types (SITs) to detect confidential data. These SITs rely on a combination of methods—primarily regular expressions (RegEx), keyword dictionaries, and validation checks—to identify patterns such as credit card numbers, national IDs, or custom formats.

Since the scenario specifies that customer account numbers are 32-character alphanumeric strings (not a predefined sensitive type in Microsoft 365), the appropriate detection mechanism is to create a custom Sensitive Information Type using RegEx pattern matching. Microsoft documentation explicitly states:

“You can create custom sensitive information types that use a regular expression to define your own pattern for detecting sensitive data.”

Using RegEx, you can define a pattern such as [A-Za-z0-9]{32} to match exactly 32 alphanumeric characters. SharePoint search (A) cannot perform sensitivity classification, hunting queries (B) are for threat detection, and Azure Information Protection (C) applies labels after data is classified. Therefore, RegEx pattern matching is the correct choice to detect sensitive documents in this case.

 Log Analytics workspace to use: LA1

 Windows security events to collect: All Events

To meet the Azure Defender (Microsoft Defender for Cloud) requirement that all servers send logs to the same Log Analytics workspace, you should select the existing workspace LA1. Defender for Cloud best practices recommend centralizing data in a single workspace for unified analytics, incident correlation, and cost control. Using the “Default workspace created by Azure Security Center” or creating a new workspace would fragment telemetry, complicate management, and contradict the stated requirement and the business goal to minimize costs (multiple workspaces can increase ingestion/retention overhead and complicate RBAC and automation).

For Windows hosts, Defender for Cloud’s Data collection setting controls the level of Windows Security Events collected: Minimal, Common, or All Events. The business requirement calls for logs that provide a full audit trail of user activities. In Microsoft guidance, All Events is the level intended for comprehensive auditing (including logon/logoff, account changes, privilege use, process creation, object access, and other advanced categories). Therefore, to satisfy the “full audit trail” requirement and ensure complete visibility for investigations and Sentinel analytics, choose All Events.

In summary: centralize on LA1 (single workspace) and collect All Events to achieve both operational and compliance objectives with Defender for Cloud and Sentinel.

In Microsoft 365 Defender advanced hunting, email attachments are recorded in EmailAttachmentInfo and endpoint file activity is recorded in DeviceFileEvents. To correlate a malicious attachment to devices where the same file was observed, you join on the file hash (SHA256). The hunting guidance specifies using EmailAttachmentInfo to filter by sender and to ensure the attachment has a hash (isnotempty(SHA256)). Then, a join with DeviceFileEvents on SHA256 links the email-borne file to endpoint observations.

Before joining, it’s best practice to reduce the right-hand dataset with project to only needed fields (e.g., FileName, SHA256, DeviceName, DeviceId, Timestamp) to improve performance and limit data volume. After the join, use project again to shape the final result set for investigation, including timeline and pivot identifiers: Timestamp, FileName, SHA256, DeviceName, DeviceId, plus email context such as NetworkMessageId, SenderFromAddress, and RecipientEmailAddress.

Therefore, the correct operator sequence is: join (subquery over DeviceFileEvents with project) on SHA256, then final project of the incident-relevant columns.

 If you hover over the virtual machine named vm1, you can view the running processes.

 If you select Info, you can navigate to the bookmarks related to the incident.

Azure Sentinel “playbooks” are Azure Logic Apps. Granting the minimal permissions to configure (create/edit) playbooks requires the Logic App Contributor role on the resource group where the playbooks reside. This satisfies the business requirement to use least privilege and specifically enables admin1 to design, modify, and manage Logic Apps that Sentinel automation rules or analytics rules will invoke. Roles like Automation Operator or Automation Runbook Operator apply to Azure Automation, not Logic Apps, and therefore don’t allow creating or editing Sentinel playbooks. Azure Sentinel Contributor allows managing Sentinel resources (incidents, analytics rules, workbooks) but, by itself, does not grant permissions to author Logic Apps. Assigning Logic App Contributor provides precisely what is needed to configure Sentinel playbooks without unnecessary broader permissions.

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cloud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features, turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection prerequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → Cloud Discovery, configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps. In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned. Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., impossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” are C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security.

The problem described in the case study states that “Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.” This behavior is commonly associated with the “Impossible travel” anomaly detection policy in Microsoft Defender for Cloud Apps.

According to Microsoft documentation, the “Impossible travel” policy detects when a user signs in from two locations that are geographically distant within an unrealistic timeframe. However, in multi-office environments (such as Boston and Seattle) or when VPN connections are used, this policy can frequently trigger false positives, since it may misinterpret legitimate connections as anomalous.

Microsoft recommends adjusting the impossible travel detection policy to account for trusted IP ranges, known locations, or VPN endpoints to reduce false alerts. Specifically, administrators can modify the policy’s sensitivity, include the organization’s office IP addresses as trusted, and exclude known network ranges.

This approach directly aligns with the case study’s scenario and satisfies the Defender for Cloud Apps requirement to reduce false positives while maintaining user anomaly detection accuracy.

✅ Final Answer for Question 3: D. Impossible travel

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user. In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping. When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account, IP, or Host. Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Account entity (and any other relevant entities) in Set rule logic, then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer:

According to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook, the correct configuration is to create a Scheduled rule and ensure the playbook includes a trigger.

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incidents or alerts. To connect a playbook to an analytics rule, it must include a trigger—specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other options are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, based on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user’s connection is anomalous based on tenant-level patterns, and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modify the Impossible travel policy settings—such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity—so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activity from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don’t address the “two-office” scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel.

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mapped entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel’s hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes. Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel’s investigation context.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel, Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension, Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector. Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

According to Microsoft’s official Defender for Identity deployment documentation, setting up Microsoft Defender for Identity (MDI) on an on-premises domain controller (DC) such as DC1 requires a specific sequence of steps. MDI monitors and protects Active Directory from advanced threats by using sensors installed directly on domain controllers.

The correct sequence is as follows:

1️⃣ Provide global administrator credentials to the Azure AD tenant.

Microsoft Defender for Identity is created and managed in the Microsoft 365 Defender portal or Microsoft Security portal, which requires global administrator permissions to provision the MDI instance and connect it to the Azure AD tenant.

2️⃣ Create an instance of Microsoft Defender for Identity.

You must create an MDI instance in the portal before deploying any sensors. This instance defines your Defender for Identity workspace and generates the configuration package that sensors will later use to connect to the cloud service.

3️⃣ Provide domain administrator credentials to the on-premises Active Directory domain.

Domain admin credentials are required for the sensor installation because the sensor must access the domain controller’s security logs, event logs, and directory services to monitor authentication traffic and suspicious activities.

4️⃣ Install the sensor on DC1.

Since DC1 is a domain controller connected directly to the internet, the standard sensor (not the standalone sensor) is installed directly on it. The standalone sensor is used only when you do not want to install the sensor directly on a DC. The sensor automatically connects to the created MDI instance and begins collecting telemetry for detection.

This sequence aligns with Microsoft Defender for Identity deployment guidance, ensuring secure onboarding of DC1 while maintaining the principle of least privilege and meeting the business requirement to protect all domain controllers.

✅ Final Order:

Provide global administrator credentials →

Create instance of Microsoft Defender for Identity →

Provide domain administrator credentials →

Install the sensor on DC1.

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel, Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension, Defender for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector. Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, enabling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector

In Microsoft Sentinel, entity mapping is a critical configuration that ensures detected events and alerts are correctly represented in the investigation graph, incidents, and hunting experiences. The Sentinel requirements in the case study specify:

“Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.”

To meet this requirement, the analytic rule must be configured to map entities such as IP address, user, hostname, or URL in the Set rule logic section. This mapping allows the incident and its related alerts to visually associate with those entities, enabling analysts to pivot and investigate in the Sentinel investigation graph.

According to Microsoft Sentinel documentation:

“Entity mapping in analytic rules helps correlate alerts and incidents to specific entities such as accounts, IPs, or hosts, enabling richer investigation experiences and faster triage.”

Therefore, configuring entity mapping directly under Set rule logic ensures that incidents are enriched with contextual information (for example, the specific IP address), meeting both the functional and investigative requirements.

✅ Final Answer for Question 2: C. From Set rule logic, map the entities.

 Internal threat: Modify the access policy settings for the key vault.

 External threat: Modify the Key Vault firewall settings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise is suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration changes at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats, Microsoft recommends hardening Key Vault firewall and networking: restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blocks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace. To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace('Fabrikam-WS').SecurityEvent, workspace('Contoso-WS').SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrikam needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

When you need to send a Microsoft Teams message (or perform any automated response) in Microsoft Defender for Cloud based on a new Microsoft Secure Score action, you must use workflow automation integrated with Azure Logic Apps.

Here’s the correct sequence of actions, step by step:

The Secure Score is part of Defender for Cloud’s Regulatory Compliance section.

To react to new Secure Score recommendations or actions, the Logic App must use the “When a Defender for Cloud regulatory compliance assessment is created or triggered” trigger.

This ensures that the automation is initiated whenever a new Secure Score change occurs.

According to Microsoft documentation:

“To automate Secure Score or compliance actions, select the ‘Regulatory compliance assessment trigger’ in Logic Apps. It triggers workflows when a new compliance or Secure Score recommendation is created or updated.”

Next, you configure the condition that specifies which Secure Score events should trigger the workflow.

For example, you can set conditions such as:

“If the assessment type = Secure Score,” or

“If compliance status = Failed.”

This filtering ensures that only relevant events (new Secure Score actions) will activate the workflow and prevent unnecessary Teams notifications.

Finally, in Defender for Cloud, you configure workflow automation to link the Logic App to the event stream.

From the Defender for Cloud portal, navigate to Workflow automation → Add automation → Choose trigger and Logic App.

Select the created Logic App as the target and define the scope (e.g., all subscriptions or resource groups).

This connects Defender for Cloud to the Logic App so that when a new Secure Score event occurs, the app automatically sends the Microsoft Teams message.

Box 1: Turn on Live Response

Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.

Box: 2 : Add a network assessment job

Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.