Pass the Microsoft Microsoft Certified: Security Operations Analyst Associate SC-200 Questions and answers with CertsForce

In Microsoft Sentinel, data from applications, security solutions, and s ervices is ingested through data connectors . To integrate App1 with Sentinel and meet its monitoring or data ingestion requirements, you must configure a connector .

Microsoft Sentinel documentation specifies:

“Data connectors provide the integration point between Microsoft Sentinel and other data sources, including Microsoft services, third-party solutions, and custom applications.”

Connectors manage authentication, data formats, and continuous ingestion of logs or alerts into Sentinel’s Log Analytics works pace.

Other options:

API connection – supports Logic Apps but not direct Sentinel ingestion.

Trigger – used for playbooks or automation, not data ingestion.

Authorization – a setting used within connectors or playbooks, not configured separately.

✅ Correct configuration for App1: a connector

To have your query1 run every hour in a Microsoft Sentinel environment, you should configure it as an analytics rule—specifically a scheduled query (custom detection) rule . Microsoft’s official documentation for Sentinel describes “scheduled analytics rules” as queries that you configure to run on a recurring schedule, with a defined lookback period, and trigger alerts if the query results meet the rule criteria. Those scheduled rules are the mechanism by which KQL queries are periodically executed automatically.

When you create an analytics rule in Sentinel, you supply the query (i.e. query1) and you specify the recurrence (for example, every hour). Once configured as such, Sentinel takes care of executing it on schedule with minimal ongoing administrative intervention. This aligns exactly with “minimize administrative effort.”

Among the answer choices:

An automation rule is used to act upon alerts (for example, route, suppress, or apply playbooks) but does not itself schedule periodic queries.

Automated Investigation and Response (AIR) is part of Defender for Endpoint’s automated remediation workflow and is used for responding to alerts on endpoints—not for scheduling general KQL hunting queries.

A watchlist is a static data reference (list of values) you can use within queries or rules but does not itself execute queries on a schedule.

A custom detection (analytics) rule is exactly what you would use to wrap query1 into a scheduled operation.

Thus, converting query1 into a custom detection rule (i.e. a scheduled analyt ics rule) is the correct choice.

From Microsoft SecOps and Sentinel rule documentation: scheduled rules are based on Kusto queries configured to run at regular intervals over a lookback period, and if results cross a threshold, an alert is triggered. The rule’s scheduling frequency (such as hourly) is part of rule configuration. This model ensures your query1 gets executed every hour automatically with minimal manual work.

Microsoft’s alert-tuning capability (previously called suppression) in Microsoft Defender is intentionally focused on reducing alert noise by changing the handling of aler ts that match defined conditions. When you open the Tune alert pane for an alert you can define conditions and then choose an action . The product documentation and the Tune alert UI show two supported actions: Hide alert (prevents the alert from surfacing in the default alert queue / UI) and Resolve alert (automatically close/resolve the alert so it no longer requires manual triage). Those two actions are the built-in tun ing outcomes designed to reduce fatigue from frequent false positives. Other operations listed in the question—such as deleting alerts, merging alerts, or assigning ownership—are not offered as actions inside the alert-tuning rule itself (assigning or other workflow actions are available elsewhere in the product or via automation), so the on ly valid tuning rule actions are hide and resolve . This behavior is documented in the Microsoft Defender (XDR) “investigate and tune alerts” guidance and in the alert-tuning (suppression) documentation.

For SQL Server on Azure VMs (VM1) , Defender for Cloud’s Advanced Threat Protection and Vulnerability Assessment for SQL “on machines” are enabled by registering the instance as a SQL virtual machine using the SQL IaaS Agent extension . This single Azure VM extension onboards the SQL workload, exposes SQL VM resource management, and lights up Defender for SQL (ATP + VA) with minimal admin effort—no separate agents are required on Azure VMs beyond this extension for these features.

For on-premises/Arc servers (Server1) , the machine is already Arc-enabled . To protect SQL instances with Defender for Cloud and to surface vulnerabi lity assessment and threat protection signals, you deploy the Azure Arc SQL Server extension (delivered as an Arc “virtual machine extension”) to register the instance with Azure. In addition, Arc scenarios use the Azure Monitor Agent (AMA) for data collec tion and security signal ingestion in Defender for Cloud (the legacy Log Analytics agent is not recommended). This combination satisfies ATP/VA requirements while keeping operations simple and consistent with current agent guidance.

Therefore:

VM1: only th e Azure VM extension (SQL IaaS Agent extension).

Server1: AMA + an Azure (Arc) extension (Arc SQL Server extension).

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.

When Azure Defender for Key Vault (now Microsoft Defender for Key Vault) detects unauthorized access attempts—especially from Tor exit nodes or other suspicious IPs—the recommended mitigation is to restrict access to trusted networks by using Key Vault firewalls and virtual networks . Microsoft’s official guidance specifies: “Enable Key Vault firewalls and virtual networks to allow access only from specific public IP addresses, IP ranges, or selected virtual networks. Deny requests from untrusted sources such as Tor exit nodes.”

While Azure AD permissions and RBAC control who can authenticate and what operations they can perform, they do not prevent network-level threats. Access policies define granul ar permissions but cannot block specific network origins. Network-level controls like firewalls and VNets provide the strongest protection against malicious traffic or automated attacks from anonymous sources.

Therefore, to mitigate unauthorized access att empts coming from Tor exit nodes, the appropriate configuration is A. Key Vault firewalls and virtual networks .

Microsoft 365 Copilot for Security uses Security Compute Units (SCUs) to determine available processing capacity for AI-driven operations. Each SCU represents a fixed amount of comp ute resources for handling Copilot for Security prompts and plugin interactions (like Sentinel).

When a notification appears stating that “SCU usage is nearing the provisioned capacity limit,” it means that the organization’s current SCU allocation is insu fficient for ongoing demand. To restore full response functionality, the tenant admin (or authorized role) must increase the number of provisioned SCUs .

Microsoft documentation states:

“If Copilot for Security indicates that requests cannot be processed du e to SCU capacity, increase your provisioned SCUs in the Microsoft 365 admin center or Azure portal to meet demand.”

The other options do not resolve the issue:

Opening a second session does not add capacity.

Waiting does not guarantee SCU availability.

The Optimization Workbook relates to Sentinel performance, not Copilot SCU allocation.

✅ Answer: D. Update the provisioned SCUs

According to Microsoft Security Operations documentation, Microsoft Defender for Endpoint is designed to protect endpoint devices—including Windows, macOS, Android, and iOS —against cyberattacks through advanced behavioral analysis, threat intelligence, and automated investigation and remediation. In the given case study, the sales team exclusively uses iOS devices and has previously experienced attacks while exchanging files using third-party applications. These unmanaged file-sharing methods exposed the te am to malware, phishing, and data leakage threats.

By implementing Microsoft Defender for Endpoint on iOS, Contoso can apply unified endpoint protection across all mobile devices. Defender for Endpoint’s mobile threat defense (MTD) capabilities detect mali cious apps, risky network connections, jailbroken devices, and phishing attempts. It also integrates with Microsoft Intune for compliance enforcement and conditional access—ensuring only secure, compliant devices can access corporate resources. This direct ly mitigates the security challenges faced by the sales team while minimizing manual investigation effort through automated response.

Therefore, the issue affecting the sales team (mobile device attacks and unsafe file transfers) can be effectively resolve d using Microsoft Defender for Endpoint .