Pass the Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with Dumpstech

A livestream in Microsoft Sentinel is used for real-time query monitoring , allowing analysts to see new events that match a query as they occur. However, a livestream does not create alerts or incidents automatically .

To generate an incident when a specific condition (like a sign-in from a malicious IP address) occurs, you must create a scheduled analytics rule that runs a KQL query on a defined interval (e.g., every 5 or 10 minutes) and triggers an alert when matches are found.

Microsoft documentation clarifies:

“Livestream is an analyst tool for hunting in real time. It does not generate alerts or incidents. To generate incidents automatically, create an analytics rule using a scheduled query.”

Therefore , creating a livestream does not meet the requirement to automatically create incidents.

✅ Correct answer: B. No

 Table to start from: MicrosoftGraphActivityLogs

 Function to extract the path: parse_url(RequestUri).Path

To find which Azure resources were queried or modified by risky users , you should analyze API calls made to Micr osoft Graph (and ARM where applicable) and join them with Identity Protection risk signals . In Log Analytics, MicrosoftGraphActivityLogs records Graph API calls with useful fields for this task, including UserId , RequestUri , RequestMethod , ResponseStatusCode , and RequestId . These fields let you identify what resource endpoint was accessed, how (GET/POST/PATCH/DELETE), and whether the request succeeded.

You then join these API events with AADRiskyUsers on the user identifier ( $left.UserId == $right.Id ) to restrict results to users currently assessed as risky. To normalize the resource that was targeted, parse the endpoint from the full URL. The correct way is to extract just the path component using parse_url(RequestUri).Path , then clean versi on segments (e.g., /v1.0/ , /beta/ ) with replace_string / replace_regex to produce a comparable resourcePath . Finally, summarizing with dcount(RequestId) by UserId , RiskState , resourcePath , RequestMethod , and ResponseStatusCode yields a concise mapping of whi ch resources risky users queried or modified.

Therefore, the two correct choices are MicrosoftGraphActivityLogs and parse_url(RequestUri).Path .

Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or was never visited by any user in the organizatio n. Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This can indicate a credential breach, however, it ' s also possible that the user ' s actual location is masked , for example, by using a VPN.

Use livestream to run a specific query constantly, presenting results as they come in.

When designing a Microsoft Sentinel workspace, cost optimization and data retention management are two key considerations. Microsoft Sentinel stores data in an Azure Log Analytics workspace , and pricing for data ingestion and retention is managed through Log Analytics settings.

Minimize costs for daily ingested data: Microsoft’s documentation on Log Analytics pricing models states that you can choose between Pay-As-You-Go (PAYG) and Commitment Tiers . The Commitment Tier model allows you to commit to a fixed amount of da ily ingestion (for example, 20 GB/day in this case) at a lower per-GB cost compared to PAYG pricing. If your ingestion volume is predictable (as in this scenario—20 GB per day), this model provides significant cost savings without the administrative overhe ad of managing caps or throttling. Therefore, to minimize ingestion cost, the correct choice is “Use a commitment tier.”

Maximize the data retention period without incurring extra costs: By default, Microsoft Sentinel (via Log Analytics) provides 90 days o f data retention at no additional charge . Extending retention beyond 90 days incurs additional storage charges. According to Microsoft’s official guidance, “Log Analytics retains data for 90 days at no cost; data kept beyond that period is billed at the re tention rate.” Therefore, to maximize the free retention period while avoiding extra cost, the correct configuration is “Set retention to 90 days.”

Summary:

Minimize costs for daily ingested data → Use a commitment tier

Maximize retention without extra cos ts → Set retention to 90 days

This configuration ensures both cost efficiency and maximum free data availability, aligning with Microsoft Security Operations (SecOps) and Sentinel best practices.

According to Microsoft Security Operations and Azure Defender (now Microsoft Defender for Cloud) documentation, to validate that Azure Security Center (ASC) — or Defender for Cloud — is properly configured to detect threats such as sign-ins from suspicious IP addresses , you must enable Defender for the subscription first. This step activates the advanced threat protection features that analyze security signals from Azure resources, including virtu al machines and network connections.

Once enabled, Microsoft provides a test alert validation process using a PowerShell script or an executable test file to simulate an alert. The official procedure states that to test the alert generation capability, administrators should copy a provided executable file to a virtual machine onboarded to Defender and rename the file using the naming convention beginning with ASC_AlertTest_ followed by random characters. This allows Defender for Cloud to recognize it as a test event.

After renaming, the executable is run with appropriate arguments to trigger a benign test alert that validates Defender’s detection pipeline. This alert verifies that the system correctly monitors VM activity and reports potential threats.

Ch anging alert severity or renaming files differently does not validate the configuration. Therefore, the correct sequence—confirmed by Microsoft documentation—is:

Enable Azure Defender for the subscription.

Copy and rename the alert test file (ASC_AlertTest _...).

Run the executable file with required arguments to trigger and validate detection.

In Microsoft Sentinel (Defender XDR SIEM), access control is based on Azure RBAC (Role-Based Access Control) to ensure least privilege op erations. According to Microsoft’s Sentinel role documentation:

Logic App Contributor: This role is required to create and run playbooks (automated workflows built on Azure Logic Apps). Although Sentinel integrates with Logic Apps, playbook creation and execution permissions are governed by the Logic App Contributor role at the resource group or subscription level where playbooks are deployed. Without this role, a user cannot design or execute automated responses.

Azure Sentinel Contributor: This role gra nts permission to create, edit, and delete analytic rules, workbooks, and hunting queries within the Sentinel workspace. It does not allow modifying playbooks or executing automation unless combined with Logic App Contributor. It’s the appropriate role for analysts or engineers who manage detection content (rules and visualizations).

The Azure Sentinel Reader role only allows viewing incidents, workbooks, and rules but not editing or creating them. The Sentinel Responder role focuses on handling and closing incidents, not authoring content or automation.

✅ Final Mapping:

Create and run playbooks → Logic App Contributor

Create workbooks and analytic rules → Azure Sentinel Contributor

In Microsoft Sentinel (now part of Microsoft Defender XDR), Kusto Query Language (KQL) is used to create queries for workbooks, analytics rules, and hunting q ueries. The SecurityIncident table contains all incidents created in Sentinel, including their timestamps, severities, and metadata.

To meet the requirements:

“List all incidents by incident number” → means grouping results by the field IncidentNumber .

“On ly include the most recent log for each incident” → means you must return only the latest record for each incident.

In KQL, the correct operator for this purpose is summarize arg_max() . The function arg_max(LastModifiedTime, *) returns the row (record) tha t has the maximum LastModifiedTime for each group—in this case, each unique IncidentNumber —along with all its other columns (indicated by * ).

Therefore, the complete and correct query is:

SecurityIncident

| summarize arg_max(LastModifiedTime, *) by Inciden tNumber

summarize aggregates records based on the specified grouping key ( IncidentNumber ).

arg_max() selects the latest record based on LastModifiedTime .

This query will return exactly one record per IncidentNumber , corresponding to the most recently modified incident entry—perfectly fulfilling the requirement of showing the latest incident state for each case in a Sentinel workbook.

✅ Correct selections:

First dropdown: summarize

Second dropdown: arg_max

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual mac hines:

User1

Review security recommendations and enable server vulnerability scans:

User1

Query successful

This is a role-based access control (RBAC) question using the principle of least privilege.

The table of users and roles is:

Name

Role

User1

Security administrator

User2

Security reader

User3

Contributor

Export to Sheets

Action: This is a management/configuration task at the subscription level, often related to enabling Defender plans and installing extensions on VMs.

Required Permissions: The ability to modify security policies and settings in Microsoft Defender for Cloud and the permission to install extensions on VMs.

The Security Administrato r role is explicitly designed for this, granting permissions to manage the security features, policies, and program enrollment (like enabling Defender plans).

The Contributor role can also perform this by installing the necessary agents and extensions, but it grants broad access to manage all resources, violating the principle of least privilege for a purely security-focused task.

Least Privilege User: User1 (Security administrator)

A ction: This task has two parts:

Review security recommendations: This is a read-only action. The Security Reader role is sufficient.

Enable server vulnerability scans: This means configuring a security feature (Vulnerability Assessment), which requires wri te access to the security configuration or the resource itself.

The Security Reader role cannot perform the " enable " action.

The Security Administrator role has the permissions required to modify security policy and configuration to enable scanning features.

The Contributor role can also do this, but again, the Security Administrator role is the least privileged for a security-specific configuration change.

Least Privilege User: Since the entire task includes an " enable " (write) action, we must use the role that can perform both read and write security actions. User1 (Security administrator) is the appropriate choice.

Task Analysis and Role Mapping 1. Enable Microsoft Defender for Servers on virtual machines. 2. Review security recommendations and enable server vulnerability scans.

Answer Area Task

User

Enable Microsoft Defender for Servers on virtual machines:

User1

Review security recommendations and enable server vulnerability scans:

User1