SC-200 Exam Dumps - Microsoft Security Operations Analyst

When you deploy the ASIM unifying parser for DNS, you should query the normalized schema via the function imDns() (ASIM convention: im). To maximize performance, pass filtering arguments directly to the parser so the function prunes data early at source, rather than piping a large dataset into subsequent where filters. ASIM DNS supports parameters such as starttime, endtime, and responsecodename (for example, NXDOMAIN). Therefore, using imDns(starttime=ago(1d), responsecodename='NXDOMAIN') limits ingestion to the last 24 hours and only events whose ResponseCodeName equals NXDOMAIN.

Once normalized rows are returned, use summarize with bin() to aggregate efficiently. The ASIM DNS schema exposes the client address as SrcIpAddr; grouping by this field and bin(TimeGenerated, 15m) produces per–source-IP counts in 15-minute buckets. The final query:

imDns(starttime=ago(1d), responsecodename='NXDOMAIN')

| summarize count() by SrcIpAddr, bin(TimeGenerated, 15m)

meets all requirements: it lists all DNS events with NXDOMAIN in the last 24 hours and aggregates them by source IP in 15-minute intervals, using ASIM’s parameterized parser to achieve optimal performance.

Microsoft Sentinel “Microsoft security” analytics rules (for products like Defender for Cloud) create incidents from alerts generated by that product. Even if multiple identical Microsoft security rules exist for the same product, a single incoming alert will result in one incident in the workspace, not one per rule.

Microsoft Defender for Cloud collects security-related event data from virtual machines (VMs) by connecting them to a Log Analytics workspace. To minimize both administrative overhead and cost, the most efficient configuration involves automatic provisioning and setting an appropriate data collection level.

Automatic Provisioning (Option E):According to Microsoft Defender for Cloud documentation, enabling automatic provisioning ensures that the Log Analytics agent (also known as the Defender for Cloud agent) is automatically installed and configured on all existing and new Azure virtual machines. This eliminates the need for manual agent deployment, significantly reducing administrative effort.

Data Collection Level – Common (Option A):Defender for Cloud allows configuration of event collection levels — None, Common, and All Events.

Common collects essential security events needed for threat detection, such as logon failures, account lockouts, and other critical activities, thereby reducing storage and processing costs.

All Events collects all Windows security logs, increasing data volume and cost without necessarily improving detection for most environments.

By combining automatic provisioning with the “Common” event level, you ensure coverage for Defender for Cloud’s analytics with minimal manual configuration and optimized costs.

Therefore, the correct and verified answer is:

✅ A. Set data collection level to Common

✅ E. Enable automatic provisioning for the virtual machines

To run a PowerShell script when a suspicious-IP access alert is raised for Storage, use Workflow automation in Defender for Cloud to trigger a Logic App whenever a matching security alert occurs. The Logic App should use the Azure Security Center (Defender for Cloud) alert trigger, and from there you can call an Automation Runbook (PowerShell) or another action to execute your script. A manual or HTTP trigger isn’t needed because the flow must start automatically from the security alert, and an AAD app registration is not required for the basic alert-triggered flow.

AzureActivity Extend

Explanation = Use AzureActivity because NSG rule changes (operations like Microsoft.Network/networkSecurityGroups/securityRules/write) are recorded in the Azure Activity logs. To automatically associate the security principal (the caller) with a Sentinel entity you create a new column AccountCustomEntity and set it to Caller — that is done with the extend operator.

A completed/cleaned-up version of the query (showing the filled choices) would look like:

AzureActivity

| where OperationNameValue in ("Microsoft.Network/networkSecurityGroups/securityRules/write")

| where ActivityStatusValue == "Succeeded"

| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller

| extend timestamp = todatetime(EventSubmissionTimestamp[0])

| extend AccountCustomEntity = Caller

This produces the anomaly/hunting results grouped by the caller and makes Sentinel treat the Caller value as an account entity for investigations and alert enrichment.

Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.

Data is collected using:

The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.

Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Security Center regarding specialized resource types.