SC-200 Exam Dumps - Microsoft Security Operations Analyst

Labeling activities are available in Activity explorer.

For example:

Sensitivity label applied

This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label.

It is captured at the time of save in Office native applications and web applications.

It is captured at th e time of occurrence in Azure Information protection add-ins.

Upgrade and downgrade labels actions can also be monitored via the Label event type field and filter.

Box 1: AzureActivity

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

Box 2: autocluster()

Example: description: |

' Listing of storage keys is an interesting operation in Azure which might expose additional

secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this

type, it would be interesting to see if the account performing this activity or th e source IP address from

which it is being done is anomalous.

The query below generates known clusters of ip address per caller, notice that users which only had single

operations do not appear in this list as we cannot learn from it their normal act ivity (only based on a single

event). The activities for listing storage account keys is correlated with this learned

clusters of expected activities and activity which is not expected is returned. '

AzureActivity

| where OperationNameValue =~ " mic rosoft.storage/storageaccounts/listkeys/action "

| where ActivityStatusValue == " Succeeded "

| join kind= inner (

AzureActivity

| where OperationNameValue =~ " microsoft.storage/storageaccounts/listkeys/action "

| where ActivityStatusValu e == " Succeeded "

| project ExpectedIpAddress=CallerIpAddress, Caller

| evaluate autocluster()

) on Caller

| where CallerIpAddress != ExpectedIpAddress

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress

| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

Microsoft Defender for DevOps integrates security analysis directly into CI/CD pipelines such as Azure Pipelines , GitHub Actions , and others. To enable secret scanning (and other code security checks) during the execution of a pipeline in Azure DevOps , the correct integration is through the Microsoft Security DevOps (MSDO) extension — not the older Microsoft Security Code Analysis (MSCA) extension.

Step 1: Install the Microsoft Security DevOps extension Microsoft documentation (Defender for Cloud → Defender for DevOps integration guide) clearly states that:

“To enable scanning and policy enforcement for Azure DevOps pipelines, install the Microsoft Security DevOps extension from the Azure DevOps Marketplace. This extension integrates with Microsoft Defender for Cloud to perform security scans, including secret detection, infrastructure-as-code analysis, and dependency vulnerability checks.”

The older Microsoft Security Code Analysis (MSCA) extension has been superseded by Microsoft Security DevOps , which provides broader coverage and native Defender for Cloud integration.

Step 2: Add the MSDO scanner steps to the YAML pipeline After installing the extension, you must modify the pipeline definition (YAML) to add MSDO scanning steps .

The syntax typically looks like this:

steps:

- task: MicrosoftSecurityDevOps@1

displayName: ' Run Microsoft Security DevO ps '

This step runs all configured scans (including secret scanning) automatically each time the pipeline runs. You add it under the steps section because it represents a specific task in the pipeline workflow.

✅ Final Answers:

Install: The Microsoft Security DevOps extension

Add: Steps

ï‚· To the AD DS domain cont rollers, deploy: Microsoft Defender for Identity sensors

ï‚· For Sentinel1, configure: The Security Events data source

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel using data from on-premises Active Directory Domain Services (AD DS) , you must collect detailed identity and authentication events. This requires integration with Microsoft Defender for Identity (MDI) — the native tool designed to monitor domain controller traffic and send identity telemetry to Microsoft Sentinel.

Step 1: Deploy Microsoft Defender for Identity sensors According to Microsoft documentation:

“To collect signals from your on-premises Active Directory domain controllers, install Microsoft Defender for Identity sensors directly on each domain controller or on a dedicated server.”

These sensors capture Windows event logs and network authentication data (Kerberos, NTLM, LDAP) and send the information securely to Defender for Identity cloud service.

The Azure Connected Machine agent and Azure Monitor agent do not provide the specialized identity telemetry required by UEBA. Therefore, the correct deployment is the Microsoft Defender for Identity sensors .

Step 2: Configure the Security Events data source in Sentinel After integrating Defender for Identity, you must connect the right data source in Microsoft Sentinel .

The Security Events data source ingests domain controller event logs (such as sign-ins, account management, and group membership changes) that UEBA relies on for behavioral baselines and anomaly detection.

Microsoft Sentinel UEBA documentation confirms:

“UEBA uses data from identity-related data sources, such as SecurityEvents and Azure Active Directory sign-ins, to build user and entity profiles and detect anomalies.”

The Audit Logs and Signin Logs tables are specific to Azure AD and cloud identity events — not on-premises AD DS domain controllers.

✅ Final Configuration:

Deploy Microsoft Defender for Identity sensors to the domain controllers.

Configure The Security Events data source for Sentinel1.

ï‚· First table: BehaviorAnalytics

ï‚· Joined table: AuditLogs

To detect when a user creates an unusually large number of Azure AD user accounts in Microsoft Sentine l, you should leverage UEBA signals from the BehaviorAnalytics table and enrich them with Azure AD audit data from AuditLogs . The BehaviorAnalytics table contains UEBA-derived insights (for example, the ActivityInsights flag and UsersInsights ) and normaliz ed activity fields such as ActionType (e.g., " Add user " ). Filtering BehaviorAnalytics for ActionType == " Add user " and ActivityInsights has " True " targets activities that the UEBA engine already assessed as anomalous, reducing noise and focusing on outlier s.

Then, join these anomalies to the AuditLogs table to pull authoritative Azure AD audit details (target object, initiator, correlation, and operation context). This combination aligns with Sentinel guidance: use BehaviorAnalytics for anomaly detection an d AuditLogs for the Azure AD operational record. Sorting by TimeGenerated and projecting user and insight fields completes the hunting query so analysts can review who triggered unusual “Add user” bursts and with what context.

Therefore, complete the query by selecting BehaviorAnalytics as the primary dataset and AuditLogs in the join(...) .

In Microsoft Sentinel , to automatically generate incidents when a specific pattern or behavior is detected by a query, you must create a scheduled analytics rule .

A scheduled query rule :

Runs a KQL query on a defined schedule (e.g., every hour).

Triggers an alert and incident when the query returns results.

Can map detections to MITRE ATT & CK tactics and techniques , aligning with the requirement for attack vector mapping.

Other options explained:

Fusion rule – Uses built-in machine learning for correlation, not custom KQL logic.

Query bookmark – Saves hunting results but does not trigger incidents.

Hunting livestream session – Used for live monitoring, not alert generation.

✅ Correct answer: C. a scheduled query rule

As outlined in Microsoft’s official Defender for Of fice 365 documentation, this service provides comprehensive protection against threats targeting Microsoft 365 collaboration tools—such as SharePoint Online , OneDrive for Business , and Microsoft Teams . The marketing team uses SharePoint Online for vendor c ollabora tion and has experienced incidents in which vendors uploaded malicious files. Microsoft Defender for Office 365 specifically addresses this scenario through features like Safe Attachments and Safe Links , which automatically scan uploaded or shared files for malware and block access to harmful content.

When a vendor uploads a file to SharePoint Online, Defender for Office 365 inspects the file in real time within a virtual sandbox environment before allowing users to open or share it. If malware is d etected, the system quarantines or removes the file and notifies administrators. These detection and remediation capabilities prevent infection propagation, protect sensitive marketing data, and maintain compliance with Contoso’s security posture.

By leveraging Defender for Office 365, Contoso’s marketing team can continue external collaboration safely, ensuring that all uploaded files are scanned and validated before internal access—thereby resolving their specific malware-related issue.

To complete the KQL query against the BehaviorAnalytics t able, you need to know the exact column name (for example, the Boolean field that flags a new or first-time country for the sign-in). Microsoft’s standard method to discover table schemas and column names is the Logs (Log Analytics) query window . In this p ane, the left-hand Schema browser lists all connected tables and, when expanded, shows every column name and data type . Selecting a table (e.g., BehaviorAnalytics ) reveals its fields, and the editor provides IntelliSense/autocomplete for columns as you typ e your KQL, making it straightforward to complete a clause like | where < ColumnName > == true .

Security alerts in Azure Security Center (Defender for Cloud), the Azure Activity log, and Azure Advisor do not expose the per-table column schema needed to build KQL filters. Security Center surfaces alerts and recommendations; the Activity log records control-plane operations; and Advisor provides optimization guidance—none of these replace the Logs experience for exploring data schemas.

Therefore, to accurately identify and verify the column required in the where clause for failed sign-ins from a first-time country, you should use the Log Analytics workspace query window , consult the Schema pane for the BehaviorAnalytics table, and leverage the editor’s autocompl ete to insert the correct column name.