CertGrid

SC-200: Microsoft Security Operations Analyst Practice Exam

Validates ability to manage a security operations environment, configure protections and detections, and perform threat hunting using Microsoft Sentinel and Defender.

Practice 617 exam-style SC-200 questions with full answer explanations, then take timed mock exams that score like the real thing.

• 617 practice questions
• 50 questions on the real exam
• 700 passing score
• 120 min exam length

Free SC-200 sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 617.

  1. Question 1 (Manage a Security Operations Environment)

    Your organization has multiple Azure subscriptions across several regions. You need to centralize security event collection using Microsoft Sentinel. What is the recommended workspace architecture?

    • A. Create a separate Sentinel workspace for each Azure subscription
    • B. Use Azure Monitor without Sentinel for centralized collection
    • C. Create a single centralized Log Analytics workspace with Sentinel enabled (Correct)
    • D. Create a workspace per region with no cross-workspace queries
    ✓ Correct answer: C

    Microsoft's recommended Sentinel architecture for multi-subscription, multi-region organizations is a single centralized Log Analytics workspace with Microsoft Sentinel enabled on top of it. A single workspace gives you one place to run cross-source analytics rules, correlate incidents, and apply RBAC, and Azure Monitor Agent data collection rules can route logs from any subscription or region into it. This avoids the operational overhead and query gaps of fragmented workspaces while keeping cross-source correlation intact.

    Why the other options are wrong
    • A. Creating a separate Sentinel workspace per subscription fragments your data, forces you to use slower cross-workspace queries for correlation, and multiplies management and cost overhead, which is the opposite of centralization.
    • B. Using Azure Monitor without Sentinel gives you log collection but none of the SIEM/SOAR capabilities (analytics rules, incidents, UEBA, hunting, playbooks) that the requirement to use Microsoft Sentinel demands.
    • D. Creating a workspace per region with no cross-workspace queries actively prevents the centralized correlation and investigation that Sentinel requires, leaving each region in an isolated silo.
  2. Question 2 (Manage a Security Operations Environment)

    You are configuring Microsoft Sentinel for a new deployment. You need to ingest Microsoft Entra ID sign-in and audit logs. Which data connector should you enable?

    • A. Microsoft Entra ID data connector (Correct)
    • B. Common Event Format (CEF) data connector
    • C. Azure Activity data connector
    • D. Microsoft 365 Defender data connector
    ✓ Correct answer: A

    The Microsoft Entra ID (formerly Azure Active Directory) data connector in Sentinel is the connector that ingests Entra ID sign-in logs and audit logs (and other Entra log categories) into the workspace. It uses the diagnostic-settings export path from Entra ID to Log Analytics, populating the SigninLogs and AuditLogs tables. This is the purpose-built connector for the data described.

    Why the other options are wrong
    • B. The Common Event Format (CEF) connector ingests syslog/CEF data from network appliances and other third-party devices, not native Entra ID sign-in and audit logs.
    • C. The Azure Activity connector ingests Azure Resource Manager control-plane operations on subscriptions, not Entra ID identity sign-in and audit events.
    • D. The Microsoft 365 Defender connector ingests Defender XDR alerts and advanced-hunting tables, not the Entra ID SigninLogs and AuditLogs tables.
  3. Question 3 (Manage a Security Operations Environment)

    Your Microsoft Sentinel deployment uses several playbooks that call external REST APIs for threat intelligence enrichment. The APIs require authentication with API keys. Where should you store these API keys securely?

    • A. Store the API keys in a Microsoft Sentinel watchlist
    • B. Store the API keys in Azure Key Vault and reference them from the Logic App using a Key Vault connector with managed identity authentication (Correct)
    • C. Include the API keys in the Logic App's application settings as plain text
    • D. Hardcode the API keys in the Logic App workflow definition
    ✓ Correct answer: B

    Azure Key Vault is the purpose-built service for securely storing and managing secrets such as API keys, keeping them encrypted at rest. Using a Logic App managed identity with the Key Vault connector ensures the keys are never exposed in the workflow definition, supports the principle of least privilege, simplifies key rotation, and provides audit trails for secret access.

    Why the other options are wrong
    • A. Storing the API keys in a Microsoft Sentinel watchlist is incorrect because watchlists are designed for lookup and reference data, are not built to protect secrets, and are inappropriate for sensitive credentials.
    • C. Including the API keys in the Logic App's application settings as plain text is incorrect because plain-text storage exposes credentials in configuration and violates secrets-management best practices.
    • D. Hardcoding the API keys in the Logic App workflow definition is incorrect because embedding credentials in the definition makes them visible to anyone with access to the workflow and greatly complicates key rotation.
  4. Question 4 (Configure Protections and Detections)

    You want to create a custom detection rule in Microsoft Defender XDR that runs a KQL query against the advanced hunting schema every 24 hours. Which table would you query to detect suspicious process executions on endpoints?

    • A. CloudAppEvents
    • B. IdentityLogonEvents
    • C. EmailEvents
    • D. DeviceProcessEvents (Correct)
    ✓ Correct answer: D

    The DeviceProcessEvents table in Microsoft Defender XDR advanced hunting contains detailed information about process execution on endpoints. This table includes process creation events, parent-child process relationships, command-line arguments, and other behavioral indicators useful for detecting suspicious process executions such as unusual parent processes, obfuscated commands, or processes launched from unexpected locations.

    Why the other options are wrong
    • A. CloudAppEvents is incorrect because it contains cloud application activity data, not endpoint process data.
    • B. IdentityLogonEvents is incorrect because it records authentication events, not process execution.
    • C. EmailEvents is incorrect because it contains email message and attachment data related to email threats, not process behaviors.
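    As an added example (not part of the CertGrid question set), a custom detection query over DeviceProcessEvents that combines two of the indicators named above: an unusual parent process (an Office application) launching a script interpreter with an encoded or download-style command line. The parent and child process names and the command-line markers are assumed, illustrative choices; Timestamp, ReportId and DeviceId are projected because custom detection rules require them in the output.

```kql
// Added example, not from the CertGrid page: Defender XDR advanced hunting
// query intended for a custom detection rule on a 24-hour schedule.
// Parent/child process names and command-line markers are illustrative.
let OfficeParents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let ScriptHosts   = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(24h)                              // matches the rule's 24-hour cadence
| where InitiatingProcessFileName in~ (OfficeParents)    // unusual parent process
| where FileName in~ (ScriptHosts)                       // script interpreter as child
| where ProcessCommandLine has_any ("-enc", "-encodedcommand", "FromBase64String", "DownloadString")
// Timestamp, ReportId and DeviceId must be present for a custom detection rule
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, FolderPath, ProcessCommandLine
```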
  5. Question 5 (Configure Protections and Detections)

    You need to configure a Microsoft Sentinel analytics rule that detects when a service principal in Microsoft Entra ID is assigned a high-privilege role like Application Administrator. Which log table should you query?

    • A. AADServicePrincipalSignInLogs for service principal authentication events
    • B. AzureActivity table for Azure resource role assignments
    • C. AuditLogs table filtering for the 'Add member to role' operation category with the target being a service principal (Correct)
    • D. SigninLogs table filtering for service principal sign-ins
    ✓ Correct answer: C

    Assigning a directory role like Application Administrator to a service principal is an Entra ID directory change logged in the AuditLogs table as an 'Add member to role' operation, with the target object being the service principal. Filtering AuditLogs for that operation and a service-principal target detects the privileged assignment. AuditLogs is the authoritative source for directory role changes.

    Why the other options are wrong
    • A. AADServicePrincipalSignInLogs records service principal authentication events, not the act of assigning a role to that principal.
    • B. AzureActivity records Azure RBAC resource-scope role assignments and ARM operations, not Entra ID directory-role assignments to a service principal.
    • D. SigninLogs records interactive/user sign-ins; service principal role assignment is a directory-change audit event, not a sign-in.
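    As an added example (not part of the CertGrid question set), the analytics rule query the explanation describes: AuditLogs filtered to the 'Add member to role' operation, with the target resource being a service principal and the assigned role in a privileged set. The role list is an assumed, illustrative set; TargetResources and InitiatedBy are the AuditLogs table's standard dynamic columns, and the role name is read from the Role.DisplayName modified property.

```kql
// Added example, not from the CertGrid page: Sentinel analytics rule query that
// surfaces privileged directory-role assignments to service principals.
// The privileged role list is an illustrative assumption; extend it as needed.
let PrivilegedRoles = dynamic(["Application Administrator", "Cloud Application Administrator",
                               "Global Administrator", "Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Add member to role"
| where Result == "success"
| mv-expand Target = TargetResources                    // one row per target object
| where tostring(Target.type) == "ServicePrincipal"     // target must be a service principal
| mv-apply Prop = Target.modifiedProperties on (
    where tostring(Prop.displayName) == "Role.DisplayName"
    | extend RoleName = trim('"', tostring(Prop.newValue))   // newValue is a JSON-quoted string
  )
| where RoleName in (PrivilegedRoles)
| extend Initiator = iff(isnotempty(InitiatedBy.user),
                         tostring(InitiatedBy.user.userPrincipalName),
                         tostring(InitiatedBy.app.displayName))
| project TimeGenerated, Initiator, TargetSP = tostring(Target.displayName),
          TargetSPId = tostring(Target.id), RoleName, CorrelationId
```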
  6. Question 6 (Manage Incident Response)

    You receive a high-severity incident in Microsoft Sentinel involving a compromised user account. You need to immediately disable the account while the investigation continues. Which approach provides the fastest automated response?

    • A. Modify the data connector to stop ingesting the user's sign-in logs
    • B. Manually navigate to the Microsoft Entra admin center and disable the account
    • C. Run a playbook from the incident that uses the Microsoft Entra ID connector to disable the account (Correct)
    • D. Create a new analytics rule that blocks the account
    ✓ Correct answer: C

    The fastest automated response is to run a Sentinel playbook (Logic App) directly from the incident that calls the Microsoft Entra ID connector to disable the compromised account. This executes immediately and consistently from within the incident, with no manual portal steps. Playbooks invoking the Entra ID connector are the standard SOAR mechanism for account disablement.

    Why the other options are wrong
    • A. Modifying the data connector to stop ingesting the user's sign-in logs only blinds you to their activity; it does nothing to disable the account or stop the attacker.
    • B. Manually navigating the Entra admin center is slower and not automated, which the question explicitly wants to avoid.
    • D. An analytics rule detects activity and creates alerts/incidents; it cannot block or disable an account.
  7. Question 7 (Manage Incident Response)

    You need to merge two Microsoft Sentinel incidents that were initially created separately but are determined to be part of the same attack. How should you handle this?

    • A. Select one incident as the primary and use the 'Merge incidents' feature to combine the alerts from the secondary incident into the primary one (Correct)
    • B. Close both incidents and create a new one manually
    • C. Delete the secondary incident and its alerts
    • D. Add cross-reference comments in each incident pointing to the other
    ✓ Correct answer: A

    Sentinel's Merge incidents feature lets you choose a primary incident and merge others into it, consolidating their alerts and entities under the primary while closing the merged ones with a reference. This is the supported way to unify separately created incidents that are part of the same attack. It preserves the alerts and creates a single case to work.

    Why the other options are wrong
    • B. Closing both and creating a new one manually loses the original incident metadata and alert linkage; merging keeps everything intact.
    • C. Deleting the secondary incident and its alerts destroys evidence rather than consolidating it.
    • D. Adding cross-reference comments leaves two separate incidents to manage; merging actually combines them into one case.
  8. Question 8 (Perform Threat Hunting, select all that apply)

    You are using Microsoft Sentinel notebooks for threat hunting. Which two technologies are used by Sentinel notebooks? (Choose two.)

    • A. Jupyter Notebooks with Python (Correct)
    • B. MSTICPy library for security analysis (Correct)
    • C. Azure DevOps Pipelines
    • D. PowerShell ISE
    ✓ Correct answer: A, B

    Microsoft Sentinel notebooks use Jupyter Notebooks as the environment and run Python code. MSTICPy is a specialized Python library providing security investigation functions like entity enrichment, threat intelligence lookups, and visualization. Together, these provide the technology stack for Sentinel notebooks.

    Why the other options are wrong
    • C. Azure DevOps Pipelines are for CI/CD, not security analysis notebooks.
    • D. PowerShell ISE is a Windows scripting environment, not integrated with Sentinel notebooks.
  9. Question 9 (Manage a Security Operations Environment)

    Which best practice should be followed when managing operations within a security operations environment?

    • A. Perform all changes manually through the management console
    • B. Use undocumented ad-hoc scripts maintained by one person
    • C. Avoid automation to maintain direct hands-on control
    • D. Automate repeatable processes using infrastructure as code (Correct)
    ✓ Correct answer: D

    The recommended approach is to automate repeatable processes using infrastructure as code, because doing so makes the configuration repeatable, version-controlled, and auditable, reducing human error and configuration drift across the security operations environment. This aligns with Microsoft's guidance for building and running a Microsoft Sentinel and Defender-based security operations environment, where consistency, least privilege, and proactive monitoring are core principles. The remaining options describe anti-patterns that increase risk or operational fragility.

    Why the other options are wrong
    • A. Performing all changes manually through the management console is slow, error-prone, and not repeatable or auditable, the opposite of reliable security operations.
    • B. Using undocumented ad-hoc scripts maintained by one person creates a single point of failure and unmaintainable, unauditable automation.
    • C. Avoiding automation to maintain hands-on control does not scale, increases mean time to respond, and invites inconsistent, error-prone manual work.
  10. Question 10 (Configure Protections and Detections, select all that apply)

    A consultant is reviewing the device control configuration at Fabrikam Inc. Which two actions should be performed to optimize the implementation? (Choose two.)

    • A. Anomaly detection policies
    • B. Session policies (Correct)
    • C. Disable device control monitoring
    • D. Next-generation protection (Correct)
    • E. File policies
    ✓ Correct answer: B, D

    For this scenario the two components to configure are session policies (session policies in Defender for Cloud Apps provide real-time control of user actions via reverse proxy) and next-generation protection (next-generation protection is Defender for Endpoint's antivirus/antimalware engine with cloud-delivered protection). These are the relevant Microsoft Defender and Microsoft Sentinel building blocks for the described requirement, so selecting them satisfies the implementation. The remaining options are either unrelated SC-200 concepts, garbled labels, or anti-patterns such as disabling monitoring, none of which apply here.

    Why the other options are wrong
    • A. Anomaly detection policies is a valid concept (anomaly detection policies in Defender for Cloud Apps use UEBA to flag unusual user behavior), but it is not one of the two components this scenario calls for.
    • C. Disable device control monitoring is an anti-pattern because turning off monitoring removes the visibility the SOC depends on, so it is never a valid optimization.
    • E. File policies is a valid concept (file policies in Defender for Cloud Apps scan and govern files in connected SaaS apps), but it is not one of the two components this scenario calls for.

SC-200 practice exam FAQ

How many questions are in the SC-200 practice exam on CertGrid?

CertGrid has 617 practice questions for SC-200: Microsoft Security Operations Analyst, covering 4 exam domains. The real SC-200 exam has about 50 questions.

What is the passing score for SC-200?

The SC-200 exam passing score is 700, and you have about 120 minutes to complete it. CertGrid scores your practice attempts the same way so you know when you are ready.

Are these official SC-200 exam questions?

No. CertGrid is an independent practice platform. Questions are written to mirror the style and concepts of SC-200: Microsoft Security Operations Analyst, with full explanations, but they are not official or copied vendor exam items. They are original practice questions designed to help you genuinely learn the material.

Can I practice SC-200 for free?

Yes. You can start practicing SC-200: Microsoft Security Operations Analyst for free with daily practice and sample questions. Paid plans unlock full timed exams, complete explanations, and domain analytics.