SC-200 Microsoft Security Operations Analyst Free Practice Exam Questions (2026 Updated)

In Microsoft Sentinel , Advanced Security Informa tion Model (ASIM) parsers normalize different data types for analytics. Built-in parsers update automatically when Microsoft releases improvements. However, you can prevent automatic updates by redeploying or overriding them.

Per Microsoft Sentinel ASIM do cumentation:

You can redeploy a built-in parser with custom parameters ( CallerContext=any , SourceSpecificParse=any ) to create a local copy. This local redeployment is treated as a custom parser and will not be automatically updated .

Alternatively, you can build a custom unify parser that references a specific parser version. Custom parsers are user-managed and unaffected by ASIM’s automated update pipeline.

Other options (like creating hunting queries or analytics rules) merely reference the parser and do n ot affect its update behavior.

✅ Correct answers: A and D

In Microsoft Defender for Cloud , suppression rules are used to automatically hide or suppress specific alerts that match defined conditi ons. These rules are often configured when certain alerts are expected (for example, during development or testing) and do not represent true security risks.

According to Microsoft Defender for Cloud documentation , when creating a suppression rule for a pa rticular Azure resource (like a Storage account ), you must select the appropriate entity type and field that uniquely identify that resource.

The Entity type defines what the suppression condition applies to. To suppress alerts for a specific Azure resourc e such as a storage account, virtual machine, or function app, the correct selection is Azure Resource .

The Field defines the attribute used to match that resource. Microsoft’s guidance specifies that Resource Id is the unique identifier for every Azure resource within a subscription, formatted as:

/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProvider}/{resourceType}/{resourceName}

This ensures the suppression rule precisely targets alerts related only to that spec ific storage account and not others.

Alternative fields like Name , Address , or Command line do not uniquely identify Azure resources in Defender for Cloud. Therefore, they would not provide the necessary precision for suppressing alerts from a specific Azu re Storage account.

✅ Final Answers:

Entity type: Azure Resource

Field: Resource Id

User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel correlates secur ity events with identity data to build behavioral baselines. UEBA enriches security signals with identity context from Azure AD, Defender for Identity, and other connected identity sources.

The IdentityInfo table in Log Analytics stores user account metadata and enrichment information , such as department, group membership, job title, and account status. This table is used to correlate events from the SecurityEvent table and others to link activity to known users and entities.

Microsoft documentation s tates:

“The IdentityInfo table contains enriched identity information from connected identity providers. It is used by UEBA to correlate with the SecurityEvent table and other identity-related logs.”

In Microsoft Defender for Endpoint (MDE) , the actions available for a device depend on its onboarding and management state . These actions are part of the incident response toolkit used by SecOps analysts to contain, isolate, or investigate devices during malware incidents.

Device1 – Windows Server 2022 (Ma naged) Device1 is onboarded and managed through Microsoft Defender for Endpoint, meaning it supports the full range of response actions , including:

Isolate device – disconnects the device from the network while maintaining Defender for Endpoint connectivity for command and control.

Contain device – blocks communication between this device and other devices, reducing lateral movement.

Initiate Automated Investigation (AIR) – triggers Defender’s automated threat investigation and remediation process.

According to Microsoft’s official Defender for Endpoint documentation:

“For devices onboarded and managed by Microsoft Defender for Endpoint, SecOps can initiate automated investigations, isolate or contain devices, and perform live response actions.”

Thus, Device1 supports all three response actions.

✅ Answer for Device1: Isolate device, Initiate Automated Investigation, and Contain device

Device2 – Linux (Unmanaged) Device2 is discovered but unmanaged , meaning it has not been onboarded to Defender for Endpoint. For unmanaged or discovered-only devices , the available actions are limited. Microsoft documentation clearly states:

“For unmanaged devices discovered by Defender for Endpoint, response actions such as containment or investigation are unavailable. Only isolation recommendations can be made if supported.”

Because Device2 is a Linux device and not onboarded , the platform cannot perform full remediation or containment. The only applicable action that aligns with incident containment (but not management interference) is isolating the device from the network to prevent malware spread.

✅ Answer for Device2: Isolate device only

✅ Final Answers Summary:

Device1: Isolate device, Initiate Automated Investigation, and Contain device

Device2: Isolate device only

Dropdown/Step

Value to Select

where ResponseStatusCode in (...)

( " 204 " )

split([dropdown], " / " )[-3]

RequestUri

To detect Microsoft Graph operations that change role membership , you target POST requests to the directoryRoles … /members/$ref endpoint. Adding a member to a role via Microsoft Graph is performed with POST /directoryRoles/{role-id}/members/$ref and, on success, Graph returns HTTP 204 No Content . Therefore, filtering ResponseStatusCode to 204 isolates successful role -assignment events while excluding errors like 401/403 and non-mutating redirects such as 302.

The RequestUri contains the role identifier in the path. For URIs like:

https://graph.microsoft.com/v1.0/directoryRoles/{role-id}/members/$ref

splitting on “/” y ields: [https:, , graph.microsoft.com, v1.0, directoryRoles, {role-id}, members, $ref] . The element at index -3 is the {role-id} . Hence, extend Role = tostring(split(RequestUri, " / " )[-3]) correctly extracts the role GUID for reporting.

Putting it together, a concise query is:

MicrosoftGraphActivityLogs

| where RequestUri has_all ( " https://graph.microsoft.com/ " , " /directoryRoles " , " members/$ref " )

| where RequestMethod == " POST "

| where ResponseStatusCode in ( " 204 " )

| extend Role = tostring(split(RequestUri, " / " )[-3])

| project TimeGenerated, IPAddress, ResponseStatusCode, Role

This returns the timestamp, source IP, success code, and the affected role ID for each successful role-membership addition in your tenant.

To allow a security analyst to use the Microsoft 365 security center and also approve or reject pending remediation actions generated by Microsoft Defender for Endpoint, while adhering to the principle of least privilege, you must assign two complementary roles:

In Microsoft Defender for Endpoint, assign the Active remediation actions role. This role explicitly gives permission to take response actions (such as isolation, quarantine, etc.) or to approve or reject pending remediation tasks. Microsoft documentation states that when taking response actions on a device, “you must have at least the Active remediation actions role assigned.” Microsoft Learn

In Azure AD (or Microsoft Entra), assign the Security Reader role. This role grants read-only visibility into the security configuration and alerts in the Microsoft 365 security center without eleva ting the analyst to full security administration. This ensures the analyst can see what’s happening in the security environment, but not make broad configuration changes.

Here’s why those roles are correct and why the others are not:

The Active remediation actions role is narrowly scoped to remediation operations, which is exactly what is needed to approve or reject pending actions. Any broader role (like Security Administrator) would exceed the principle of least privilege.

The Security Reader role allows the analyst to navigate the Microsoft 365 security center (view incidents, alerts, reports) but does not grant write-level permissions that are unnecessary for their role.

The Security Administrator role (option C) would grant too many permissions—not least privilege—though it might allow the needed actions, it is overly permissive relative to what is needed.

The Compliance Data Administrator (option A) is unrelated to remediation within Defender or endpoint actions; it is designed around compliance and data governance.

Additionally, Microsoft’s role-mapping between Defender XDR unified RBAC and legacy roles confirms that the Active remediation actions permission is mapped to the “Response (manage)” capability in the unified RBAC model. Microsoft Learn

Together, assigning Active remediation actions (in Defender for Endpoint) and Security Reader (in Azure AD/Entra) gives the minimal necessary access: a bility to view security data and approve or reject remediation actions, without over-privileging the analyst.

In Microsoft 365 Defender advanced hunting , interactive sign-in activity on endpoints is recorded in the DeviceLogonEvents table. This table includes fields such as DeviceName , ActionType , and LogonType . For failed authentications, the normalized ActionType value is " LogonFailed " . To count failures per device (and optionally by logon type), you filter the target devices and failed-action events, then summarize. The query pattern is:

Start from DeviceLogonEvents (the canonical table for endpoint logon successes/failures).

Apply a whe re clause to limit to the three devices using DeviceName in (...) .

Add an and condition for ActionType == " LogonFailed " to select only failed authentications.

Use summarize with count() to total failures, grouping by DeviceName and LogonType to see counts per device and logon type.

Assembled query:

DeviceLogonEvents

| where DeviceName in ( " CFOLaptop " , " CEOLaptop " , " COOLaptop " ) and ActionType == " LogonFailed "

| summarize LogonFailures=count() by DeviceName, LogonType

This precisely returns the count of faile d sign-in authentications on the specified three devices.

Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.

Microsoft’s alert-tuning capability (previously called suppression) in Microsoft Defender is intentionally focused on reducing alert noise by changing the handling of aler ts that match defined conditions. When you open the Tune alert pane for an alert you can define conditions and then choose an action . The product documentation and the Tune alert UI show two supported actions: Hide alert (prevents the alert from surfacing in the default alert queue / UI) and Resolve alert (automatically close/resolve the alert so it no longer requires manual triage). Those two actions are the built-in tun ing outcomes designed to reduce fatigue from frequent false positives. Other operations listed in the question—such as deleting alerts, merging alerts, or assigning ownership—are not offered as actions inside the alert-tuning rule itself (assigning or other workflow actions are available elsewhere in the product or via automation), so the on ly valid tuning rule actions are hide and resolve . This behavior is documented in the Microsoft Defender (XDR) “investigate and tune alerts” guidance and in the alert-tuning (suppression) documentation.

In Microsoft Sentinel workbooks , when displaying query results in a grid visualization , you can limit the number of displayed rows by using KQL query operators. The take operator in Kusto Query Language (KQL) is specifically designed to restrict output to a fixed number of records.

Microsoft Sentinel workbook guidance states:

“To control the number of results returned in a workbook grid, use the KQL take operator. For example, adding | take 100 ensures that only 1 00 rows are returned and displayed.”

This approach enforces both performance efficiency and readability, ensuring large result sets don’t overload the visualization.

Other options are incorrect:

Settings and Advanced Editor adjust workbook configuration, not query limits.

Project only selects specific columns, not row count.

✅ Correct answer: D. In the grid query, include the take operator

By creating an analytics rule, you can set up a query that will automatically run and alert you when the threat is detected, without having to manually run the query. This will help minimize administrative effort, as you can set up the rule once and it will run on a schedule, alerting you when the threat is detected. Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-rule

To find all security principals (users or service principals/apps) that changed or deleted groups , you should query MicrosoftGraphActivityLogs and filter for requests targeting the groups endpoint, then exclude read-only operations. The RequestUri field contains the full Graph URL that the principal called (e.g., /v1.0/groups/{id} ), so filtering where RequestUri contains " /group " (or " /groups " ) isolates group-related operations. Changes and deletions are non-read HTTP verbs such as POST , PATCH , PUT , and DELETE . The simplest way to capture all of them is to exclude reads: where RequestMethod != " GET " . Finally, projecting AppId , UserId , and ServicePrincipalId returns the identities (user or app) behind each request, which are the “security principals” you need to report.

So the co mpleted KQL is:

MicrosoftGraphActivityLogs

| where RequestUri contains " /group "

| where RequestMethod != " GET "

| project AppId, UserId, ServicePrincipalId

To create a custom alert suppression rule in M icrosoft Defender for Cloud (formerly Azure Security Center) , you must first have an existing alert to base the suppression rule on. Suppression rules can only be configured for alert types that have already been triggered.

According to Microsoft’s Defende r for Cloud documentation:

“You can create suppression rules for alerts that you’ve already received. To create the rule, locate the specific alert in Security alerts, open it, and then choose ‘Create suppression rule’ from the alert page.”

Therefore, befo re you can create a suppression rule for suspicious use of PowerShell on VM1 , you must first trigger that alert by performing (or simulating) the action that causes it — in this case, generating a PowerShell activity alert on VM1.

The other options are inc orrect:

(A) Workflow automation is used to respond automatically to alerts, not suppress them.

(B) Get-MPThreatCatalog retrieves malware threat details from Windows Defender, not alert data from Defender for Cloud.

(D) Exporting alerts to Log Analytics is for analysis, not suppression configuration.

✅ Correct answer: C. On VM1, trigger a PowerShell alert

According to Microsoft Defender for Cloud documentation, continuous export allows you to stream security alerts and recommendations to other monitoring or SIEM systems. When exporting alerts in real time, Azure Event Hubs is the supported mechanism. Event Hubs provides a scalable data-streaming platform that can feed events into third-party SIEM tools such as Splunk, IBM QRadar, or ArcSight. Microsoft states: “To enable real-time stream ing of security alerts or recommendations, configure Continuous Export to Azure Event Hubs. From there, your external SIEM or event processing solution can consume the data.”

The other options serve different purposes:

Azure Cosmos DB is a NoSQL database, not used for alert streaming.

Azure Event Grid is for reactive event-driven automation but not intended for continuous log export.

Azure Data Lake is for large-scale storage and analytics, not streaming.

Thus, exporting Defender alerts to Azure Event Hubs is the correct and supported configuration for continuous export to third-party SIEM solutions.

 If you hover over the virtual machine named vm1 , you can view the running processes .

 If you select Info , you can navigate to the bookmarks related to the incident.

To run a PowerShell script when a suspicious-IP access alert is raised for Storage, use Workflow automation in Defender for Cloud to trigger a Logic App whenever a matching security alert occurs. The Logic App should use the Azure Security Center (Defender for Clo ud) alert trigger , and from there you can call an Automation Runbook (PowerShell) or another action to execute your script. A manual or HTTP trigger isn’t needed because the flow must start automatically from the security alert, and an AAD app registration is not required for the basic alert-triggered flow.