SC-200 Exam Dumps - Microsoft Security Operations Analyst

To remediate active attacks automatically once alerts or incidents are detected, Microsoft Sentinel uses playbooks, which are workflows built on Azure Logic Apps. These playbooks can execute remediation actions—such as isolating a machine, blocking an account, or triggering other security control changes—without manual intervention. Microsoft’s documentation clearly states that “playbooks in Microsoft Sentinel are based on workflows built in Azure Logic Apps” and that they can “automate and orchestrate your threat response by using playbooks … run a playbook on-demand or automatically in response to specific alerts or incidents.”

When an analytics rule in Sentinel triggers an alert or incident, you can attach an automation rule which in turn invokes a playbook (i.e. a Logic Apps workflow) to perform the remediation steps. The automation rule defines the trigger conditions and calls the playbook action as part of its response actions.

Let us evaluate other options:

Azure Automation runbooks (Option A) are powerful for scripting in Azure (e.g., PowerShell or Python) and can perform remediation tasks, but they are not the native mechanism within Sentinel for orchestrated, alert-driven response workflows.

Azure Functions (Option C) are serverless compute for custom code, but you would have to build and integrate orchestration logic manually; they are not the out-of-box SOAR component in Sentinel.

Azure Sentinel livestreams (Option D) is not a recognized remediation automation component—it is irrelevant in this context.

Therefore, the correct solution to remediate active attacks (triggering automated actions in response to alerts/incidents with minimal manual effort) is to use Azure Logic Apps (via Sentinel playbooks) as the orchestration engine. Logic Apps are the documented foundation of Sentinel’s automation response capabilities.

ï‚· Internal threat: Modify the access policy settings for the key vault.

ï‚· External threat: Modify the Key Vault firewall settings.

For internal threats involving a potential compromise of Fabrikam’s own Azure AD applications, the most direct and least disruptive remediation is to modify the Key Vault access policies (or RBAC assignments, if RBAC for Key Vault data-plane is in use) to immediately remove or reduce the compromised service principal’s permissions (Get/List/Decrypt/Sign/Wrap). Microsoft guidance for Key Vault access emphasizes least privilege and promptly revoking credentials or app permissions when compromise is suspected. Access policies (or data-plane RBAC) govern which identities can access secrets, keys, and certificates; adjusting these stops further data-plane actions by the compromised app. “Resource locks” protect against deletion or configuration changes at the management plane, but they do not remove a compromised identity’s ability to read or use vault objects, so they are not an appropriate first response for this scenario.

For external threats, Microsoft recommends hardening Key Vault firewall and networking: restrict public network access, allow only required IPs, use virtual network rules, and prefer private endpoints. Key Vault includes a built-in firewall for IP and VNet ACLs; tuning these controls reduces exposure to the public internet and blocks unauthorized traffic. NSGs apply to IaaS subnets/nics and don’t directly secure the public Key Vault endpoint. Azure Firewall can add perimeter control, but it is not necessary for remediating a specific Key Vault Defender alert; the most effective and immediate remediation is tightening the Key Vault firewall settings to limit external access pathways.

ï‚· Table: DeviceFileEvents

ï‚· Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents, DeviceProcessEvents, and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity—specifically identifying when files have been accessed, modified, or created repeatedly—the correct data source table is DeviceFileEvents. This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typical timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters to show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcessEvents focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace. To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace('Fabrikam-WS').SecurityEvent, workspace('Contoso-WS').SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrikam needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

As outlined in Microsoft’s official Defender for Office 365 documentation, this service provides comprehensive protection against threats targeting Microsoft 365 collaboration tools—such as SharePoint Online, OneDrive for Business, and Microsoft Teams. The marketing team uses SharePoint Online for vendor collaboration and has experienced incidents in which vendors uploaded malicious files. Microsoft Defender for Office 365 specifically addresses this scenario through features like Safe Attachments and Safe Links, which automatically scan uploaded or shared files for malware and block access to harmful content.

When a vendor uploads a file to SharePoint Online, Defender for Office 365 inspects the file in real time within a virtual sandbox environment before allowing users to open or share it. If malware is detected, the system quarantines or removes the file and notifies administrators. These detection and remediation capabilities prevent infection propagation, protect sensitive marketing data, and maintain compliance with Contoso’s security posture.

By leveraging Defender for Office 365, Contoso’s marketing team can continue external collaboration safely, ensuring that all uploaded files are scanned and validated before internal access—thereby resolving their specific malware-related issue.

In Microsoft Sentinel, Hunting queries are used to proactively search for threats and anomalies across collected security data. The requirement states that HuntingQuery1 must run automatically when the Hunting page of Microsoft Sentinel is accessed. According to Microsoft’s official Sentinel documentation, this behavior is achieved by adding the hunting query to “Favorites.”

When a query is marked as a favorite in the Sentinel Hunting blade, Sentinel automatically runs it every time the Hunting page is opened. This provides updated results without the need for manual execution, ensuring analysts always see the most current data for that query. This configuration also adheres to the organization’s requirement to minimize administrative effort, since it eliminates the need for scheduling, automation, or manual refresh actions.

Other options do not meet this functional requirement:

A. Add to a livestream is used to monitor near-real-time data streams, not to auto-run queries upon accessing the Hunting page.

B. Create a watchlist is used for referencing static external data sets (like IPs, users, or devices) inside KQL queries, not for automating hunting query execution.

C. Create an automation rule applies to incident management workflows, not hunting query execution.

Therefore, as per Microsoft Sentinel’s hunting documentation and best practices, the correct and verified answer is:

D. Add HuntingQuery1 to favorites.

For a near-real-time (NRT) analytics rule that detects sign-ins by a designated break-glass account, the most direct and performant pattern is to filter SigninLogs by joining to a Microsoft Sentinel watchlist that contains the protected account(s). Sentinel exposes watchlists to KQL through the helper function _GetWatchlist('<</b>watchlist-name>'), which returns a table with standard columns (including SearchKey) plus any custom columns you imported. Using join kind=inner ensures the result set includes only those SigninLogs rows whose UserPrincipalName matches an entry in the watchlist—ideal for alerting on a high-value account without post-filtering.

The completed query is:

SigninLogs | join kind=inner (_GetWatchlist('breakglass_account')) on $left.UserPrincipalName == $right.SearchKey

This approach satisfies the requirement to implement an NRT rule for the break-glass account because:

NRT rules support KQL with joins and watchlists and are optimized for rapid evaluation over fresh data.

Using a watchlist lets SecOps adjust monitored accounts without editing the rule—minimizing administrative effort and aligning with least-privilege operations (no extra permissions beyond watchlist management).

The inner join pattern reduces noise by returning only matched events, which are then turned into alerts/incidents by the NRT rule.

Thus, select join and GetWatchlist, and join UserPrincipalName to the watchlist’s SearchKey.