Pass the Microsoft Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with CertsForce

To create a query in Microsoft Sentinel (using Kusto Query Language – KQL) that displays the number of daily security alerts over the last 30 days in a timechart, you need to:

Filter the dataset (SecurityAlert) to include only alerts generated in the last 30 days.

Aggregate the number of alerts per provider per day using summarize.

Group those alerts into daily time buckets using bin(TimeGenerated, 1d).

Render the output visually with a timechart.

The correct query structure is:

SecurityAlert

| where TimeGenerated >= ago(30d)

| summarize count() by ProviderName, bin(TimeGenerated, 1d)

| render timechart

summarize → Used to aggregate or count data (e.g., total alerts) by specified fields. In this case, it’s needed to count alerts per provider and per day.

bin → Used to group time-based data into evenly spaced intervals (1 day here) for trend visualization. It aligns timestamps to a fixed period boundary (daily).

lookup → Used to enrich data from another table, not aggregation.

project → Used to select specific columns, not to count or group.

make-series → Also used for time-series data but more suited for generating continuous series (useful for missing data handling). Here, bin is simpler and sufficient.

range → Used to create a sequence of numbers or times manually, not for aggregation.

✅ Final Query Answer:

SecurityAlert

| where TimeGenerated >= ago(30d)

| summarize count() by ProviderName, bin(TimeGenerated, 1d)

| render timechart

In Microsoft Sentinel, playbooks (Logic Apps) that are connected to Sentinel are most commonly run in context of an incident. From the Incidents blade, you select an incident, then choose Actions → Run playbook to trigger a manual test against that specific incident’s entities and alert context. This is the recommended way to validate playbook inputs (entities, alert details, incident properties) and permissions end-to-end without changing analytics rules. While the Playbooks blade shows the Logic Apps and their connections, the incident view is where Sentinel exposes manual execution with full security operations context (assignments, comments, evidence), which is what “test a playbook manually in the Azure portal (from Sentinel)” refers to.

The goal is to automatically execute the Azure Logic App (app1), which is known as a Playbook in Microsoft Sentinel, in response to a newly created alert.

The Playbook (Logic App): An Azure Logic App used for security response in Microsoft Sentinel is called a Playbook. It is a workflow that must start with a trigger, typically the Microsoft Sentinel incident or Microsoft Sentinel alert trigger.

The Trigger Mechanism (Automation Rule): To run a playbook automatically when an alert or incident is created, you must use a Microsoft Sentinel Automation Rule.

Required Flow: The Logic App (app1) acts as the action to be performed, but it must be called by an automation component. The recommended and modern approach for linking automated actions (playbooks) to alerts and incidents in Microsoft Sentinel is via Automation Rules.

The sequence of operations is:

The Azure AD Connector ingests data into the Microsoft Sentinel workspace.

A corresponding Analytics Rule (Option C) detects a threat in that data and generates an Alert. This alert usually leads to the creation of an Incident.

The Automation Rule (Option D) is configured to:

Trigger: When an incident is created (or when an alert is created).

Condition: Filter for the specific alert or incident (e.g., where the Analytic Rule Name is the one that detects the Azure AD threat).

Action: Select the Run playbook action and specify app1.

While an Analytics Rule (C) generates the initial alert, the Automation Rule (D) is the specific component that takes that alert/incident as input and performs the action of launching the Logic App (playbook) automatically. The ability to invoke playbooks directly from Analytics Rules (the "Alert automation (classic)" method) is deprecated in favor of using Automation Rules, making the Automation Rule the correct and contemporary first step for this requirement.

Microsoft’s documentation states clearly that the Deep analysis feature in Defender for Endpoint supports only PE files (Portable Executable files) — specifically .exe and .dll binaries. In the “Take response actions on a file” article, Microsoft says:

“Only PE files are supported, including .exe and .dll files.” Microsoft Learn

That means only File2.exe and File3.dll among your three examples are eligible for deep analysis.

Further, a file’s “Deep analysis” is only enabled when the file exists in the Defender backend sample collection or is observed on a supported Windows device. The tool won’t support script files like .ps1 (PowerShell scripts) via that deep analysis mechanism.

To break it down:

File1.ps1 (PowerShell script) is not a PE file, so it cannot be submitted to the deep analysis sandbox that expects an executable or library format.

File2.exe is a standard executable (PE format) and is valid for deep analysis.

File3.dll is a dynamic-link library (also PE format) and is likewise valid for deep analysis.

Thus, the only files you can submit for deep analysis in Microsoft Defender XDR are those in the proper PE format — File2.exe and File3.dll.

In Microsoft Sentinel, data from applications, security solutions, and services is ingested through data connectors. To integrate App1 with Sentinel and meet its monitoring or data ingestion requirements, you must configure a connector.

Microsoft Sentinel documentation specifies:

“Data connectors provide the integration point between Microsoft Sentinel and other data sources, including Microsoft services, third-party solutions, and custom applications.”

Connectors manage authentication, data formats, and continuous ingestion of logs or alerts into Sentinel’s Log Analytics workspace.

Other options:

API connection – supports Logic Apps but not direct Sentinel ingestion.

Trigger – used for playbooks or automation, not data ingestion.

Authorization – a setting used within connectors or playbooks, not configured separately.

✅ Correct configuration for App1: a connector

User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel correlates security events with identity data to build behavioral baselines. UEBA enriches security signals with identity context from Azure AD, Defender for Identity, and other connected identity sources.

The IdentityInfo table in Log Analytics stores user account metadata and enrichment information, such as department, group membership, job title, and account status. This table is used to correlate events from the SecurityEvent table and others to link activity to known users and entities.

Microsoft documentation states:

“The IdentityInfo table contains enriched identity information from connected identity providers. It is used by UEBA to correlate with the SecurityEvent table and other identity-related logs.”

If you manually install the Log Analytics agent on your AWS Linux VMs and connect them to your Azure Log Analytics workspace, Defender for Cloud can begin collecting telemetry data from those machines. Once connected, Azure Defender automatically protects and monitors them, even if they are hosted outside Azure.

Microsoft Defender for Cloud documentation explains:

“You can manually install the Log Analytics agent on non-Azure machines and connect them to your workspace. Once connected, Defender for Servers will begin applying protections and generating alerts.”

Although Azure Arc provides centralized management and auto-provisioning, manually installing the Log Analytics agent is a valid and supported alternative method. Therefore, this solution also meets the goal.

✅ Correct answer: A. Yes

When you need to combine multiple tables (AlertInfo, AlertEvidence, and DeviceLogonEvents) and return all rows from all tables, you use the union operator in KQL (Kusto Query Language).

join would only return matching records between tables based on a key, not all rows.

evaluate is used for external function evaluations.

search * searches across all tables but doesn’t create structured combined output.

Using union kind=inner appends results from all three tables while maintaining their structure, allowing you to analyze all alerts, evidence, and logon activity together.

✅ Answer: D. union kind = inner

In Microsoft Sentinel, data connectors are the mechanisms that collect logs and telemetry from various Azure and non-Azure sources into a Log Analytics workspace.

When your goal is to automatically connect multiple Azure subscriptions (both existing and new resources) to Sentinel, the correct approach is to use Azure Policy with connectors that rely on diagnostic settings.

Many Azure resources (e.g., Key Vaults, Storage Accounts, Azure Firewall, and Activity Logs) send logs to Sentinel via diagnostic settings. This connector type allows logs to be exported directly to the Sentinel workspace without requiring agents or manual configuration.

By using Azure Policy, you can automatically enforce and deploy these diagnostic settings across all current and future resources — ensuring continuous log ingestion with minimal administrative overhead.

When applying the Azure Policy, existing resources might not yet have diagnostic settings configured. To fix this, you create a remediation task. This instructs Azure Policy to apply the compliance settings to existing resources, not just new ones. Without a remediation task, only newly created resources would comply automatically.

Connector type: Diagnostic settings → used for policy-based deployment across subscriptions.

Use: A remediation task → ensures policy applies to both existing and new resources for full coverage.

✅ Final Answer:

Connector type: Diagnostic settings

Use: A remediation task