Pass the Microsoft Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with CertsForce

To ensure that a compromised user’s Outlook on the web (OWA) session token can be revoked, you need to use a Conditional Access policy in Microsoft Entra ID (formerly Azure AD). Conditional Access allows you to enforce session control and reauthentication requirements, including immediate sign-out and token revocation when specific conditions are met, such as user risk detection or sign-in risk.

The correct control in this scenario is "Sign-in frequency" or "Require reauthentication" configured in a Conditional Access session policy. This forces the user’s browser-based OWA session token to expire, requiring them to sign in again — effectively revoking the compromised session.

A. Microsoft Entra ID Protection: Detects risky users and sign-ins but doesn’t revoke tokens by itself.

B. Microsoft Entra Verified ID: Used for decentralized identity verification, not for session control.

D. Security defaults: Apply baseline security but do not provide session token revocation granularity.

✅ Answer: C. a Conditional Access policy in Microsoft Entra

 The UserName field is set as the account entity. → Yes

 The watchlist cannot be updated after it is created. → No

 The IPList variable is set as the IP address entity. → No

In Microsoft Sentinel analytics rules, entity mapping is done by assigning special alias fields in the query result such as AccountCustomEntity, HostCustomEntity, and IPCustomEntity. In the provided KQL, the final line explicitly maps AccountCustomEntity = UserName and HostCustomEntity = Computer, which sets UserName as the account entity and Computer as the host entity. No mapping is provided for an IP entity; the query defines let IPList = _GetWatchlist('Bad_IPs'); to retrieve a watchlist named Bad_IPs and then uses it only for filtering (SourceIP in (IPList) or DestinationIP in (IPList)). Because IPList is a dataset used for comparison and not assigned to IPCustomEntity, it is not set as the IP address entity. Additionally, Microsoft Sentinel watchlists are editable—you can upload new files, append, or replace data after creation—so the statement that a watchlist cannot be updated is false.

 First table: BehaviorAnalytics

 Joined table: AuditLogs

To detect when a user creates an unusually large number of Azure AD user accounts in Microsoft Sentinel, you should leverage UEBA signals from the BehaviorAnalytics table and enrich them with Azure AD audit data from AuditLogs. The BehaviorAnalytics table contains UEBA-derived insights (for example, the ActivityInsights flag and UsersInsights) and normalized activity fields such as ActionType (e.g., "Add user"). Filtering BehaviorAnalytics for ActionType == "Add user" and ActivityInsights has "True" targets activities that the UEBA engine already assessed as anomalous, reducing noise and focusing on outliers.

Then, join these anomalies to the AuditLogs table to pull authoritative Azure AD audit details (target object, initiator, correlation, and operation context). This combination aligns with Sentinel guidance: use BehaviorAnalytics for anomaly detection and AuditLogs for the Azure AD operational record. Sorting by TimeGenerated and projecting user and insight fields completes the hunting query so analysts can review who triggered unusual “Add user” bursts and with what context.

Therefore, complete the query by selecting BehaviorAnalytics as the primary dataset and AuditLogs in the join(...).

AzureActivity Extend

Explanation = Use AzureActivity because NSG rule changes (operations like Microsoft.Network/networkSecurityGroups/securityRules/write) are recorded in the Azure Activity logs. To automatically associate the security principal (the caller) with a Sentinel entity you create a new column AccountCustomEntity and set it to Caller — that is done with the extend operator.

A completed/cleaned-up version of the query (showing the filled choices) would look like:

AzureActivity

| where OperationNameValue in ("Microsoft.Network/networkSecurityGroups/securityRules/write")

| where ActivityStatusValue == "Succeeded"

| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller

| extend timestamp = todatetime(EventSubmissionTimestamp[0])

| extend AccountCustomEntity = Caller

This produces the anomaly/hunting results grouped by the caller and makes Sentinel treat the Caller value as an account entity for investigations and alert enrichment.

 File1.exe will be blocked on Device3. — No

 User2 will be marked with a risk level of medium. — No

 An investigation package will be collected from Device1. — Yes

Custom detection rules in Microsoft Defender XDR are scoped to devices or device groups and only take device-related actions for devices that are in that scope. As the documentation states, “Only data from devices in the scope will be queried. Also, actions are taken only on those devices.” Therefore a rule scoped to DevGroup1 will apply actions only to devices in DevGroup1 (Device1 and Device2); it will not apply to Device3 because Device3 is in DevGroup2. Microsoft Learn

File blocking is a file-level action triggered by the rule, but blocking is applied only where the rule is in scope. Consequently File1.exe will not be blocked on Device3 (out of scope). For the user action, the rule’s Mark user as compromised action explicitly “sets the users risk level to 'high' in Microsoft Entra ID” — it does not set a medium risk. So the statement that User2 will be marked with risk level medium is incorrect; the documented outcome is a high risk marking. Microsoft Learn

Finally, device actions include Collect investigation package and these are applied to the DeviceId results when the rule matches. Because Device1 is in DevGroup1 (in scope) and the rule specifies collecting an investigation package for matching devices, an investigation package will be collected from Device1 when the rule fires. Microsoft Learn

Sources: Official Microsoft Defender XDR documentation for custom detection rules (actions, scope, and user actions). Microsoft Learn

In Microsoft Sentinel, analysts manage and investigate incidents through the Incident page, which provides multiple investigation and triage tools. The two core aspects of incident analysis relevant here are entity visualization and investigation audit tracking.

Entity Map (Investigate):

Selecting Investigate opens the Investigation Graph view in Microsoft Sentinel.

This interactive map visually displays all the entities (users, IPs, hosts, accounts, files, etc.) related to the alert and their relationships.

It helps analysts understand how alerts are connected, uncover lateral movements, and explore correlated suspicious activities.

Microsoft documentation describes this as:

“The investigation graph provides a visual representation of the entities involved in the incident, showing relationships between them to aid root-cause analysis.”

Hence, to view a map of connected entities, choose Investigate.

Investigation Activities (Comments):

The Comments tab tracks the activities and analyst notes during the incident lifecycle.

This includes changes to status, assignments, and documented investigation steps — essentially functioning as an activity log for the incident.

Microsoft’s official Sentinel documentation states:

“The Comments section in the incident pane provides a timeline of analyst interactions, investigation notes, and changes performed on the incident.”

Therefore, to view the list of investigation activities, select Comments.

In Microsoft Defender XDR Deception, lures (also known as decoy files) are strategically planted within endpoints to attract attackers and detect credential theft or lateral movement attempts. When configuring a custom lure, you must align the file type and planting path with the operating system environment of the targeted devices.

Since the environment in this question includes Windows 11 and Linux CentOS devices, the chosen configuration must be valid across both OS types. The BIN file type is a binary executable type commonly recognized on Linux systems (for example, *.bin files) and supported by the deception engine for non-Windows environments. Microsoft documentation for Defender Deception specifies that BIN files are the appropriate lure type for Linux-based devices, whereas EXE or LNK files are specific to Windows-only deception scenarios.

For the planting path, {HOME} is the correct choice. Defender Deception automatically resolves {HOME} to the user’s home directory, which is a standard, writable, and expected location across both Windows (C:\Users<username>) and Linux (/home/<username>) environments. This ensures consistent deployment and operation of the lure without requiring administrative customization of shared or temporary directories.

Therefore, to meet cross-platform coverage and minimal configuration effort:

✅ File type: BIN

✅ Planting path: {HOME}

To protect on-premises computers using Microsoft Defender for Cloud, you must first connect those machines to Azure so that Defender for Cloud can assess their security posture, collect telemetry, and provide threat protection. According to Microsoft’s Defender for Cloud documentation, on-premises and non-Azure machines can be onboarded using the Log Analytics agent (also called the Microsoft Monitoring Agent - MMA). This agent enables the machine to communicate with a Log Analytics workspace, which Defender for Cloud uses to store and analyze security data.

When you enable Defender for Cloud on an Azure subscription, it automatically protects Azure resources. However, to extend protection to on-premises or other-cloud environments, you must manually install the Log Analytics agent on each server or via automation. The agent sends the required telemetry (such as security events, performance counters, and configuration data) to Defender for Cloud. Once data begins flowing, Defender for Cloud evaluates it against its threat intelligence and security recommendations to detect vulnerabilities and threats.

Other options are not applicable:

A. Hybrid Runbook Worker is used for Azure Automation, not Defender for Cloud onboarding.

B. Connected Machine agent (Azure Arc agent) connects machines to Azure for governance and management, but Defender for Cloud specifically relies on the Log Analytics agent (or Azure Monitor agent in newer implementations).

D. Dependency agent is used for map visualizations in Service Map, not for Defender for Cloud protection.

Thus, the verified answer is C. Install the Log Analytics agent.

1️⃣ Connect-IPPSSession

2️⃣ New-ComplianceSearch

3️⃣ Start-ComplianceSearch

In Microsoft 365 E5 (which includes Microsoft Purview and Exchange Online), to identify phishing email messages using PowerShell, administrators can perform a compliance content search. The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.

Here’s the correct order and purpose of each cmdlet:

1️⃣ Connect-IPPSSession

This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center).

It’s required before executing any compliance-related PowerShell commands such as creating or starting a search.

Example:

Connect-IPPSSession

2️⃣ New-ComplianceSearch

After connecting, use this cmdlet to create a new compliance content search.

You can define parameters such as the search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).

Example:

New-ComplianceSearch -Name "PhishingSearch" -ExchangeLocation All -ContentMatchQuery 'Subject:"phish" OR Subject:"urgent action required"'

3️⃣ Start-ComplianceSearch

Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.

Example:

Start-ComplianceSearch -Identity "PhishingSearch"

Other cmdlets explained:

Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.

Search-UnifiedAuditLog searches the unified audit log, which is used for activity auditing, not email content searches.

✅ Final Correct Sequence:

Connect-IPPSSession

New-ComplianceSearch

Start-ComplianceSearch