SC-200 Exam Dumps - Microsoft Security Operations Analyst

The case study requires:

“Ensure that the Group1 members can create and edit playbooks.”

In Microsoft Sentinel, the ability to create, edit, and assign playbooks is granted by the Microsoft Sentinel Automation Contributor role.

This role allows users to:

Create and manage automation rules,

Create and edit playbooks (Logic Apps) in the connected subscription,

Associate playbooks with Sentinel incidents or alerts.

By contrast:

Logic App Contributor allows Logic App creation but doesn’t include Sentinel-level integration permissions.

Automation Operator can run playbooks but not edit or create them.

Sentinel Playbook Operator can execute playbooks but cannot modify or assign them.

✅ Answer for Question 11: A. Microsoft Sentinel Automation Contributor

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1, browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts). Microsoft’s official Defender XDR and Sentinel integration guidance describes that:

Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deploying Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.

In Microsoft Sentinel, to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector. This connector collects Event ID 4723 (password change), 4724 (password reset), and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA). Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to detect abnormal reset volumes or potential compromise attempts.

The other options are not suitable:

Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.

Smart lockout protects against brute-force sign-in attempts but doesn’t generate detailed reset event telemetry.

Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.

Therefore, to meet the Sentinel requirements for monitoring password reset anomalies:

✅ Implement in the identity environment: Azure AD Password Protection

✅ Configure in Microsoft Sentinel: The Windows Security Events via AMA connector

The Sentinel requirement states:

“Ensure that multiple alerts generated by rulequery1 in response to a single user launching Azure Cloud Shell multiple times are consolidated as a single incident.”

This behavior is controlled by the event grouping setting in the analytics rule configuration.

Microsoft Sentinel documentation explains:

“Event grouping determines how alerts generated from the same rule are grouped into incidents. Selecting ‘Group all alerts triggered by this rule into a single incident’ allows all related alerts to be combined.”

Hence, configuring event grouping ensures that all alerts from rulequery1 related to the same user are consolidated into one incident, satisfying the requirement.

✅ Answer for Question 10: C. event grouping

In Microsoft Sentinel’s Advanced Security Information Model (ASIM), DNS queries are normalized through the Im_Dns parser, which unifies DNS telemetry from multiple sources (Infoblox, Windows DNS, Azure Firewall DNS proxy, etc.). Microsoft guidance states that when you need broad compatibility and want to “use built-in ASIM parsers whenever possible,” you should call the generic Im_Dns() parser. To minimize overhead, ASIM provides a pack parameter that restricts the parser to a specific content pack (vendor/source) so it won’t iterate through all available source parsers under the hood. For Infoblox NIOS, you pass the Infoblox pack via the pack parameter, which limits parsing to the Infoblox implementation and reduces query cost/latency while keeping the query portable across environments.

Putting it together, the recommended pattern is:

Im_Dns(pack="InfobloxNIOS")

| where DnsResponseCodeName == "NXDOMAIN"

| summarize count()

This approach satisfies all requirements:

Uses built-in ASIM (Im_Dns).

Minimizes query overhead (uses pack to limit parsing to Infoblox).

Targets NXDOMAIN responses for counting DNS request failures from Infoblox1.

The requirement is to enable Microsoft Defender for Servers Plan 2 on all Azure VMs while excluding Server2 from agentless scanning. Defender for Cloud provides a built-in mechanism to exclude specific machines from agentless scanning based on resource tags. The process is: assign a distinct tag name:value to the VM you want to exclude (Server2), and then, in Defender for Cloud’s Agentless scanning for machines settings, specify that tag pair under exclusions. Defender’s continuous discovery honors these exclusions and skips any VM that matches the configured tag. This approach aligns with the business requirement of least privilege and minimal administrative effort: it avoids broad configuration changes, requires no extensions on the VM, and is reversible by simply removing or changing the tag. The Microsoft Antimalware extension and Automanage configuration are unrelated to agentless scanning behavior, and a resource lock would only prevent modifications/deletions, not scanning. Therefore, to meet the Defender for Cloud requirement precisely, configure an Azure resource tag on Server2 and reference that tag in the agentless scanning exclusion settings.

Microsoft Sentinel UEBA (User and Entity Behavior Analytics) focuses on users and hosts (devices) and enriches data with contextual information.

When enabling UEBA with Audit logs and Signin logs, the only entities supported for investigation are:

User accounts (email addresses)

Hosts or devices (including IP addresses)

Other values like App name, Used client app, and Sign-in URL are attributes in log data but not tracked entities in UEBA investigations.

✅ Answer: B. IP address and email address only

UserName field set as the account entity: Yes

Watchlist cannot be updated after created: No

IPList variable set as the IP address entity: Yes

This Kusto Query Language (KQL) snippet is used in Microsoft Sentinel to correlate event data (Sysmon logs) with a watchlist containing known malicious IP addresses. The watchlist is retrieved using the _GetWatchlist() function, and entity mappings are explicitly set for account, host, and IP entities.

🔹 Step-by-step analysis:

1. UserName field as the Account entity → YES

At the end of the query, the entity mappings are defined as:

extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer

In Microsoft Sentinel, when an analytics rule uses this query, the AccountCustomEntity mapping links the UserName field to the account entity.

This enables account-level correlation in incidents and investigation graphs.

✅ Therefore, Yes, the UserName field is set as the account entity.

2. The watchlist cannot be updated after it is created → NO

This statement is incorrect.

In Sentinel, watchlists are designed to be dynamic and can be updated, edited, or replaced at any time.

Official Microsoft documentation confirms:

“You can edit, update, or replace a watchlist at any time to ensure your detection logic uses current data.”

Hence, watchlists can be updated, either manually via the portal or programmatically via API/PowerShell.

❌ Therefore, No, the watchlist can be updated after it is created.

3. The IPList variable is set as the IP address entity → YES

The first line of the query defines:

let IPList = _GetWatchlist('Bad_IPs');

This loads a list of known malicious IPs from the Bad_IPs watchlist.

Later in the query:

where SourceIP in (IPList) or DestinationIP in (IPList)

This confirms IPList contains IP address values used for matching with the event’s SourceIP or DestinationIP.

In Sentinel analytics rules, this variable represents IP address entities for correlation and visualization.

✅ Therefore, Yes, the IPList variable is set as the IP address entity.