Pass the Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with ValidTests

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning. Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags. The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions. Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort: it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatchlist('<watchlist-name>'), which returns a table with standard columns (including SearchKey) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist('breakglass_account')) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requirement to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimizing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist, and join UserPrincipalName to the watchlist’s SearchKey.

Live Response in Microsoft Defender for Endpoint is a powerful investigative and remediation capability that lets responders interactively run commands on an endpoint, collect files, and perform remediation steps (collect investigation packages, pull files, run scripts, or take forensic artifacts). However, Live Response is an on-demand tool invoked during or after an investigation; it does not by itself provide continuous detection coverage or automatic blocking of artifacts that a third-party AV missed. The requirement is to ensure devices are protected from malicious artifacts that were undetected by the third-party antivirus. To meet that objective you need capabilities that detect and block artifacts automatically (for example, EDR in block mode which actively blocks/remediates post-breach artifacts even when Defender AV is passive). Live Response helps respond to an identified artifact but does not create the detection and automatic blocking coverage that prevents or remediate undetected malicious artifacts at scale. Therefore enabling Live Response alone does not meet the stated protection goal.

A suppression rule in Azure Security Center (Defender for Cloud) prevents specific alerts from appearing in the portal or triggering notifications. When a suppression rule is active, alerts that match its conditions are hidden from view, even though they still occur in the background.

If you need to temporarily view alerts from the suppressed virtual machines — for example, while troubleshooting or verifying detections — you can disable the suppression rule. Microsoft documentation states: “To temporarily resume visibility of alerts suppressed by a rule, change the rule state to Disabled. When disabled, the rule no longer hides alerts that meet its conditions.”

Changing the expiration date (Option A) only controls when the rule automatically stops; it does not immediately restore visibility.

Modifying filters (Option C) won’t reveal suppressed alerts, as those are already hidden from query results.

Viewing Windows event logs (Option D) provides raw OS data but not Security Center alert context.

Thus, to see the suppressed alerts for the last five days, you must disable the suppression rule, making B the correct answer.

When you create a Microsoft Sentinel workbook that visualizes data retrieved using a Kusto Query Language (KQL) query, the workbook must use a data source that supports log analytics queries. According to Microsoft Sentinel and Azure Monitor documentation, Logs (Analytics) is the correct data source type for querying tables stored within a Log Analytics workspace, such as the SecurityIncident table. This table is where Microsoft Sentinel stores incident data.

In the workbook configuration, the Resource type determines which service the query context applies to. Since you are querying Microsoft Sentinel incidents (not general Azure Monitor logs or metrics), you must set the resource type to Microsoft Sentinel. This ensures that the workbook is connected to Sentinel’s analytics schema and can display visualizations (charts, metrics, timelines) based on Sentinel’s native data tables.

Alternative resource types such as Log Analytics or Workspace could technically access the same data, but Microsoft Sentinel documentation recommends selecting Microsoft Sentinel when the workbook is designed for security operations and incident analysis. This provides tighter integration with the SOC dashboard experience, Sentinel permissions, and security insights views.

✅ Therefore, the correct selections are:

Data source: Logs (Analytics)

Resource type: Microsoft Sentinel

To enforce Multi-Factor Authentication (MFA) for remote users, Microsoft recommends using Conditional Access policies that distinguish between trusted (corporate) and untrusted (remote) network locations.

In Azure AD Conditional Access, this is implemented using Named Locations. You define a named location by specifying trusted IP address ranges for your corporate network. The policy can then enforce MFA for sign-ins that originate outside those trusted locations.

Microsoft Learn states:

“Use named locations in Conditional Access to define network boundaries for your organization and configure policies to enforce MFA for users accessing from untrusted networks.”

✅ Correct Answer: C. a named location

To use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity, you should perform the following two actions:

Create an Azure AD Identity Protection connector. This will allow you to monitor suspicious activities in your Azure AD tenant and detect malicious sign-ins.

Create a custom rule based on the Office 365 connector templates. This will allow you to monitor and detect anomalous activities in the Microsoft 365 subscription. Reference: https://docs.microsoft.com/en-us/azure/sentinel/fusion-rules

In Microsoft Defender for Endpoint, Live Response provides an interactive remote shell for investigating a device directly from the Microsoft Defender portal. It allows security analysts to run commands, collect data, inspect processes, and perform incident response tasks without manually logging into the endpoint.

For this scenario, you must:

Identify all active network connections.

Identify all running processes.

Retrieve login history.

All of these can be achieved efficiently through a Live Response session. Once connected, you can use built-in commands such as:

netstat to view active network connections,

ps to list running processes,

cat or less to review log files containing login history.

According to Microsoft Defender for Endpoint documentation, “Live response enables analysts to perform in-depth investigation on a device remotely to collect forensic data, run scripts, and remediate threats.” It is the least administrative-intensive way to gather this information compared to collecting an investigation package, which is more time-consuming and primarily for offline forensic analysis.

Option A (disable authenticated telemetry) is unrelated to investigation tasks.

Option B (enable unsigned script execution) is only needed for running custom scripts, not built-in commands.

Option C (collect investigation package) gathers data for offline review and does not allow interactive analysis.

Option D (initiate live response) gives immediate, interactive insight into processes, connections, and logs — satisfying all requirements with minimal effort.

✅ Therefore, the correct first step is to initiate a live response session on Device1.

When you deploy the ASIM unifying parser for DNS, you should query the normalized schema via the function imDns() (ASIM convention: im). To maximize performance, pass filtering arguments directly to the parser so the function prunes data early at source, rather than piping a large dataset into subsequent where filters. ASIM DNS supports parameters such as starttime, endtime, and responsecodename (for example, NXDOMAIN). Therefore, using imDns(starttime=ago(1d), responsecodename='NXDOMAIN') limits ingestion to the last 24 hours and only events whose ResponseCodeName equals NXDOMAIN.

Once normalized rows are returned, use summarize with bin() to aggregate efficiently. The ASIM DNS schema exposes the client address as SrcIpAddr; grouping by this field and bin(TimeGenerated, 15m) produces per–source-IP counts in 15-minute buckets. The final query:

imDns(starttime=ago(1d), responsecodename='NXDOMAIN')

| summarize count() by SrcIpAddr, bin(TimeGenerated, 15m)

meets all requirements: it lists all DNS events with NXDOMAIN in the last 24 hours and aggregates them by source IP in 15-minute intervals, using ASIM’s parameterized parser to achieve optimal performance.

In Microsoft 365 Defender, the Collect investigation package action allows a security analyst to remotely gather forensic evidence (logs, running processes, network info, registry data, etc.) from a device for deeper analysis.

This capability is supported on both Windows and Linux devices onboarded to Microsoft Defender for Endpoint.

The other options serve different purposes:

Run antivirus scan: triggers a malware scan, not evidence collection.

Initiate Automated Investigation: starts automated threat response but not direct evidence collection.

Initiate Live Response Session: opens an interactive session, but the question specifically asks for package collection via the portal.

✅ Correct Answer: C. Collect investigation package