Pass the Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with Dumpstech

When User and Entity Behavior Analytics (UEBA) is enabled in Microsoft Sentinel, it automatically monitors Azure AD Sign-in Logs and provides activity templates for detecting common risky behaviors, such as failed sign-in attempts , impossible travel , or infrequent country logins .

To detect faile d interactive sign-ins with minimal administrative effort , you can simply enable the UEBA activity template for sign-in failures rather than building a custom scheduled alert or hunting query.

✅ Answer: B. a UEBA activity template

In Micros oft Sentinel, to detect and alert on a specific behavior (such as enumeration of Azure Storage account keys ), two steps are needed:

Add a data connector — This step ensures that the relevant Azure Activity or Azure Storage logs are ingested into Sentinel. Without connecting the appropriate data source, Sentinel cannot analyze or detect that event type.

Create an analytics rule — Once the data is ingested, you define a rule that continuously runs a KQL query to detect specific activities (like key enumeratio n). The analytics rule evaluates the query on a schedule and triggers an immediate alert when conditions are met.

Microsoft’s Sentinel operations documentation confirms:

“To generate alerts, data must first be collected from relevant sources via connectors . Analytics rules then process this data to detect threats and trigger alerts or incidents.”

Livestream , hunting queries , and bookmarks are used for investigation or manual hunting but do not trigger automated alerts .

Hence, the correct combination is:

✅ B. Add a data connector

✅ C. Create an analytics rule

Microsoft Sentinel UEBA (U ser and Entity Behavior Analytics) focuses on users and hosts (devices) and enriches data with contextual information.

When enabling UEBA with Audit logs and Signin logs , the only entities supported for investigation are:

User accounts (email addresses)

Ho sts or devices (including IP addresses)

Other values like App name , Used client app , and Sign-in URL are attributes in log data but not tracked entities in UEBA investigations.

✅ Answer: B. IP address and email address only

To correlate malicious email attachments with endpoints, Microsoft Defender data schemas expose attachment metadata in EmailAttachmentInfo (including the SHA256 hash) and endpoint file activity in DeviceFileEvents (which also records SHA256 for observed files). The recommended investigation pattern is: (1) filter email telemetry to the suspected sender and keep only attachments with a populated hash; (2) join that result with endpoint file events on the SHA256 hash to find devices where an identical file (by cryptographic hash) was seen. In KQL, isnotempty(SHA256) ensures you only pass attachments with a valid hash to the join, and join ... on SHA256 performs an exact-match correlation across datasets. This method aligns with Defender’s guidance to use hash-based correlation as the most reliable way to match artifacts across different security workloads (email vs. endpoint), since filenames and paths can change, but a cryptographic hash uniquely identifies file content. The final project selects operational fields for response—timestamps, file name and hash, device identifiers/names, message IDs, and sender/recipient—so the SOC can quickly pivot to the impacted devices and the original email that delivered the file.

In Microsoft 365 Defender , Advanced Hunting is the dedicated feature for creating and managing custom Kusto Query Language (KQL) queries used to proactively detect threats, investigate suspicious activity, and track ongoing risks across Microsoft 365 services (including Defender for Endpoint, Defender for Identity, Defender for Cloud Apps, and Defender for Office 365).

A custom tracked query is a saved hunting query that continuously assesses your environment’s threat status over time. According to Microsoft documentation, you create, edit, and manage these queries under the “Advanced Huntin g” page in the Microsoft 365 Defender portal. The tracked queries appear under the “Custom detection rules” or “Tracked queries” tabs within this section, depending on their purpose.

Here’s how it works:

Navigate to Microsoft 365 Defender portal → Hunting → Advanced Hunting .

Use KQL to define your custom query that identifies specific threat patterns or anomalies.

Save it as a tracked query , allowing Microsoft 365 Defender to run it regularly and surface ongoing results in the hunting dashboard.

Other options are not correct:

Policies & rules – used for configuration of alerting and security policies, not ad-hoc or proactive hunting.

Explorer – provides real-time investigation of emails and threats but doesn’t support custom KQL queries.

Threat analytic s – offers intelligence-driven insights and reports but doesn’t allow creating custom queries.

✅ Correct Answer: D. Advanced Hunting

To validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running Windows Server, you should perform the following three actions in sequence:

Copy an executable file on a virtual machine and rename the file as ASC_AlertTest_662jfi039N.exe

Run the executable file and specify the appropriate arguments

Enable Microsoft Defender for Cloud’s enhanced security features for the subscription.

These actions will simulate a malicious activity on the virtual machine and generate an alert in Defender for Cloud. You can then verify the alert details and response recommendations in the Azure portal. For more information, see  Alert validation - Microsoft Defender for Cloud .

In Microsoft Sentinel , when you identify an alert as a false positive for a specific account, the most efficient w ay to suppress future alerts for that entity—without affecting others—is to use an automation rule .

Microsoft Sentinel documentation explains:

“Automation rules can automatically close incidents or suppress alerts based on conditions such as user, IP, or entity name. This helps reduce noise and prevent false positives without modifying analytics rules or affecting other entities.”

By configuring an automation rule to auto-close or suppress alerts where the username equals the known account , Sentinel will p revent new alerts for that account while continuing normal detection for others.

Other options are incorrect:

Watchlist (B) only stores reference data; it doesn’t suppress alerts.

Modify analytics rule (C) affects all users, not just one account.

Activity templates (D) are used for entity behavior analysis, not alert suppression.

✅ Correct answer: A. Create an automation rule

A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription. Reference: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview