Pass the Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with Dumpstech

The Fusion analytics rule in Microsoft Sentinel automatically correlates alerts from multiple sources (including Microsoft Defender connectors) to detect multistage attacks . Because Fusion runs continuously and cannot be disabled without losing multi-stage detection, the best practice for temporarily suppressing incidents from a specific connector (like Microsoft Defender) is to use automation rul es , not by disabling the Fusion rule itself.

An automation rule can be configured to trigger on specific conditions (such as “When incident is updated” or “When incident is created”) and then perform an action like running a playbook that applies suppressi on logic.

Here’s the reasoning:

Trigger:

Setting the trigger to “When incident is updated” ensures that the rule evaluates changes to existing incidents—such as enrichment or tagging from Fusion—and provides finer control over suppression, minimizing impac t on the Fusion detection pipeline.

Using “When incident is created” could interfere with Fusion’s initial detection process.

Action:

The appropriate action is “Run playbook” , which allows automated handling (for example, tagging or closing certain inciden ts from a specific connector). This requires minimal administrative effort and avoids turning off the Fusion rule.

This configuration ensures that Fusion continues to detect multistage attacks (so detection isn’t impacted) while automation handles temporar y suppression for specific connectors efficiently.

User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel correlates secur ity events with identity data to build behavioral baselines. UEBA enriches security signals with identity context from Azure AD, Defender for Identity, and other connected identity sources.

The IdentityInfo table in Log Analytics stores user account metadata and enrichment information , such as department, group membership, job title, and account status. This table is used to correlate events from the SecurityEvent table and others to link activity to known users and entities.

Microsoft documentation s tates:

“The IdentityInfo table contains enriched identity information from connected identity providers. It is used by UEBA to correlate with the SecurityEvent table and other identity-related logs.”

In Microsoft Defender for Cloud , Role-Based Access Control (RBAC) is used to ensure that users and groups have only the permissions required to perfor m their specific security or management tasks. Microsoft provides several built-in roles designed specifically for Defender for Cloud operations.

Security Admin: This role provides full management permissions for security policies, recommendations, and alerts within Defender for Cloud. A Security Admin can configure policies, suppress or dismiss alerts, enable or disable Defender plans, and manage settings at the subscription or management group level. According to Microsoft documentation, the Security A dmin role “has all permissions of the Security Reader role plus the ability to update security policies and dismiss alerts and recommendations.” Therefore, Group1 , which likely needs administrative control to manage and remediate findings, should be assign ed Security Admin .

Security Assessment Contributor: This role is more limited and focuses on providing access for security posture assessment without granting the ability to change or modify configurations. The Security Assessment Contributor role allows v iewing security recommendations and assessment data but not altering Defender for Cloud configurations or dismissing alerts. This makes it ideal for compliance or audit groups who need read and assess access. Hence, Group2 should be assigned Security Assessment Contributor .

These assignments ensure the right balance between operational control (Group1) and read-only assessment or compliance duties (Group2), aligning with Microsoft’s least-privilege and separation-of-duties best practices.

✅ Final Answe r:

Group1 → Security Admin

Group2 → Security Assessment Contributor

Enabling User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel requires permissions in both Azure Active Directory (Microsoft Entra ID) and Microsoft Sentinel because UEBA integrates identity data from Azure AD to perform behavioral analytics and anomaly detection.

Here’s the reasoning based on Microsoft’s official documentation and the principle of least privilege:

1️ ⃣ Azure AD role → Security administ rator

The Security Administrator role in Azure AD allows a user to manage security-related features , including security settings and integration of identity signals with other services like Microsoft Sentinel.

This role has the rights necessary to grant Sentinel access to Azure AD data for UEBA without requiring broader, high-privilege roles such as Global Administrator .

Microsoft documentation explicitly recommends the Security Administrator role to enable UEBA because Sentinel uses Azure AD identity inf ormation and risk detections for its entity behavior modeling.

2️ ⃣ Azure role → Microsoft Sentinel Contributor

Within Sentinel, the Microsoft Sentinel Contributor role allows a user to configure settings, enable features like UEBA, and manage analytic rule s, workbooks, and connectors , but does not grant rights to access workspace data directly (which would be excessive).

It’s the appropriate role for managing Sentinel features while adhering to the least privilege principle.

The Sentinel Responder role is t oo limited—it can handle incidents but cannot enable or configure UEBA.

✅ Final Answer:

Azure AD role: Security administrator

Azure role: Microsoft Sentinel Contributor

When you need to combine multiple tables ( AlertInfo , AlertEvidence , and DeviceLogonEvents ) and return all rows from all tables , you use the union operator in KQL (Kusto Query Language).

join would only return matching records between tables based on a key, not all rows.

ev aluate is used for external function evaluations.

search * searches across all tables but doesn’t create structured combined output.

Using union kind=inner appends results from all three tables while maintaining their structure, allowing you to analyze all alerts, evidence, and logon activity together.

✅ Answer: D. union kind = inner

Box 1: Owner

Only the Owner can assign initiatives.

Box 2: Contributor

Only the Contributor or the Owner can apply security recommendations.

To identify which blobs were deleted in an Azure Storage account, you must review Azure Storage Analytics logs , which record all operations (including DeleteBlob and DeleteContainer requests) made aga inst the storage service.

These logs contain details such as timestamp, requester IP, operation type, and object name—allowing you to pinpoint the exact blobs deleted.

Activity logs (Option B) record control-plane operations (e.g., resource creation or con figuration changes), not data-plane operations like blob deletions.

Alert details and related entities (Options C and D) summarize detection context but do not include full operation-level details.

✅ Correct Answer: A. the Azure Storage Analytics logs

To release quarantined items on a Windows device protected by M icrosoft Defender for Endpoint/Antivirus , you use the Microsoft Defender command-line utility MpCmdRun.exe . This tool supports maintenance actions including scanning, definition management, and quarantine operations. For quarantine specifically, the supported switch is -Restore , which restores items from quarantine. The typical syntax for restoring all items for a specific threat name is:

MpCmdRun.exe -Restore -Name " < ThreatName > " -All

Here, the -Name parameter specifies the detected threat family or name (for custom indicators it reflects the custom threat label, e.g., EUS:Win32/CustomEnterpriseBlock ), and -All applies the restore operation to all items associated with that name—ideal when multiple files (e.g., 20) were quarantined by the same indicat or.

Other options are not appropriate for this task:

-GetFiles collects diagnostic logs for support.

-RemoveDefinitions and -ResetPlatform handle antimalware engine/definitions, not quarantine.

MsMpEng.exe is the Defender service binary (not invoked direct ly), and Start-MpRollback is a separate PowerShell cmdlet for rolling back remediations, not for restoring quarantined files by name.

Therefore, to release the 20 files: MpCmdRun.exe -Restore -Name " EUS:Win32/CustomEnterpriseBlock " -All .

According to Microsoft Entra (formerly Azure Active Directory) and Microsoft Security Op erations documentation, when integrating Azure AD sign-in logs and audit logs with third-party SIEM systems , the supported and recommended method is to stream the logs to Azure Event Hubs through Diagnostic Settings .

Event Hubs act as a real-time data ingestion service that can integrate directly with external SIEM tools such as Splunk, QRadar, ArcSight, or Sumo Logic. This allows for near real-time alerting and analysis of Azure AD sign-in events.

Official Microsoft guidance states:

“To integrate Azure AD logs with third-party SIEMs, configure Azure AD Diagnostic Settings to send sign-in and audit logs to Azure Event Hubs. Event Hubs can then stream the data to your SIEM for near real-time monitoring.”

Other options do not meet the scenario’s requiremen t:

(A) and (C) involve Azure Sentinel, Microsoft’s native SIEM solution. Since the question specifies a third-party SIEM , Sentinel is not required.

(D) Archiving to a Storage account provides long-term retention and offline analysis but does not support ne ar real-time alerting.

Therefore, the correct approach to route Azure AD sign-in events for near real-time monitoring in a third-party SIEM is to configure Azure AD Diagnostic Settings to stream logs to an Azure Event Hub .

✅ Correct Answer: B. Configure th e Diagnostics settings in Azure AD to stream to an event hub

 First selection: ReportId

 Second selection: ReportId

In Microsoft Defender X DR advanced hunting, antivirus detections on endpoints are recorded in DeviceEvents with ActionType == " AntivirusDetection " . To find devices with more than five detections in the last 24 hours , filter the table to the last day, then summarize counts by DeviceId . To avoid returning multiple rows per device and to include a representative “latest” event field, use arg_max(Timestamp, ReportId) within summarize . The arg_max aggregation returns the row associated with the maximum Timestamp per device and keep s the ReportId from that latest event. Because you’re projecting specific fields from arg_max , you must specify the same fields on both sides of the assignment: (Timestamp, ReportId) = arg_max(Timestamp, ReportId) .

Final query pattern:

DeviceEvents

| where ingestion_time() > ago(1d)

| where ActionType == " AntivirusDetection "

| summarize (Timestamp, ReportId) = arg_max(Timestamp, ReportId), count() by DeviceId

| where count_ > 5

ingestion_time() > ago(1d) ensures the last 24 hours relative to ingestion, alig ning with fast, reliable time filtering.

count() tallies detections per device; where count_ > 5 filters to devices exceeding the threshold.

arg_max(Timestamp, ReportId) picks the latest detection per device and carries along a concrete identifier ( ReportI d ) from that event.