Back to Microsoft Security Operations Analyst Associate (SC-200)

Manage a security operations environment

Configure Microsoft Defender XDR settings, manage assets and environments, design Microsoft Sentinel workspaces, and ingest data sources.

5 minutes 5 Questions

Managing a security operations environment is a critical responsibility for Microsoft Security Operations Analysts. This involves overseeing and maintaining the infrastructure, tools, and processes that enable effective threat detection, investigation, and response within an organization. The secur…

Concepts covered
Configure alert and vulnerability notification rulesPlan and configure Syslog and CEF event collectionsConfigure Microsoft Defender for Endpoint advanced featuresConfigure endpoint rules settingsManage automated investigation and response in Defender XDRConfigure automatic attack disruption in Defender XDRConfigure device groups, permissions, and automation levelsIdentify unmanaged devices in Defender for EndpointDiscover unprotected resources with Defender for CloudIdentify and remediate devices at risk with Vulnerability ManagementMitigate risk using Exposure Management in Defender XDRPlan a Microsoft Sentinel workspaceConfigure Microsoft Sentinel rolesSpecify Azure RBAC roles for Sentinel configurationDesign Sentinel data storage, log types, and retentionIdentify data sources for Microsoft Sentinel ingestionImplement and use Content hub solutionsConfigure Microsoft connectors for Azure resourcesConfigure Windows Security events with data collection rulesCreate custom log tables in Sentinel workspaceMonitor and optimize Sentinel data ingestion
Test mode:
Start practice test
SC-200 - Manage a security operations environment Example Questions

Test your knowledge of Manage a security operations environment

Question 1

What is the primary method used in Microsoft Sentinel to monitor the volume of data ingested across different tables in a Log Analytics workspace?

Correct Answer: The Usage table that tracks ingestion metrics per table and data type

The correct answer is: The Usage table that tracks ingestion metrics per table and data type.

In Microsoft Sentinel and Log Analytics workspaces, the Usage table is specifically designed to monitor and track data ingestion volume. This table provides detailed metrics about:

• Data volume ingested per table
• Data type breakdowns
• Ingestion trends over time
• Cost estimation based on data ingestion
• Historical ingestion patterns

The Usage table contains records that show which tables are consuming the most data, allowing administrators to identify high-volume data sources and optimize their data collection strategy. This is essential for managing costs and ensuring efficient workspace utilization.

Why the other answers are incorrect:

The AzureActivity table is primarily used for tracking Azure Resource Manager operations and administrative activities within Azure subscriptions. While it does log some resource operations, it is not designed or intended for monitoring data ingestion volumes across workspace tables.

The answer suggesting the Usage table consolidates billing events and workspace capacity allocations is misleading. While the Usage table does relate to billing through ingestion volume tracking, its primary purpose is not billing event consolidation or capacity allocation management - it's specifically focused on ingestion metrics per table and data type.

The Heartbeat table is used to monitor the health and connectivity status of connected agents and resources. It tracks whether systems are online and responding, not data ingestion volumes or workspace performance statistics related to data collection.

Question 2

You are a Security Operations Analyst at Horizon Telecommunications, a service provider managing network infrastructure for enterprise clients. The company has deployed Microsoft Sentinel to monitor security events across its operations. Thomas, a newly hired security analyst, will be working the evening shift performing triage activities. His daily tasks include reviewing incoming security alerts, updating incident ownership assignments to appropriate team members, modifying incident severity ratings based on initial assessment, adding investigation notes and context to incident records, and executing approved automation playbooks when specific threat patterns are detected. The SOC manager emphasized that Thomas needs operational permissions to handle the incident response workflow but should be prevented from altering analytics rule configurations, creating new data connectors, or modifying workspace-level settings. Which role should be assigned to Thomas to support his triage and response activities?

Correct Answer: Microsoft Sentinel Responder role assigned at the workspace scope

The Microsoft Sentinel Responder role is the correct choice for Thomas's requirements.

This role is specifically designed for security analysts who need to perform incident triage and response activities. The Responder role provides the following capabilities that align perfectly with Thomas's job responsibilities:

• View and manage incidents (assign ownership, update severity, change status)
• Add comments and investigation notes to incidents
• Run playbooks on incidents and alerts
• View alerts, bookmarks, and other Sentinel data
• View workbooks and analytics rules (read-only)

Crucially, the Responder role does NOT allow:
• Creating or modifying analytics rules
• Creating or modifying data connectors
• Changing workspace-level settings or configurations

These restrictions align with the SOC manager's requirement that Thomas should be prevented from altering analytics rule configurations, creating new data connectors, or modifying workspace-level settings.

Why the other options are incorrect:

The Contributor role would grant Thomas excessive permissions, including the ability to create and modify analytics rules, data connectors, and workspace settings - exactly what the SOC manager wants to prevent. This violates the principle of least privilege.

The Automation Contributor role is specifically designed for managing playbook permissions and does not provide the necessary incident management capabilities. This role alone would not allow Thomas to view incidents, assign ownership, or modify incident properties - core requirements for his triage duties.

Combining Reader with Logic App Contributor would not provide sufficient permissions. The Reader role only allows viewing data without any modification capabilities, meaning Thomas could not assign incidents, update severity, or add investigation notes. While Logic App Contributor helps with playbooks, it doesn't grant the incident management permissions needed for triage activities.

Question 3

Azure Dynamics Corporation is planning their Microsoft Sentinel workspace and the security architect is evaluating role assignments for the SOC team. The company has 5 senior analysts who need to create and modify analytics rules, workbooks, and playbooks, 12 junior analysts who should investigate incidents and run queries but cannot modify detection logic, and 3 compliance auditors who need read-only access to review incidents and reports. The IT director wants to follow the principle of least privilege while ensuring operational efficiency. What Azure RBAC role should be assigned to the junior analysts for their day-to-day incident investigation activities?

Correct Answer: Microsoft Sentinel Responder role to enable incident management and threat hunting query execution

The correct answer is the Microsoft Sentinel Responder role to enable incident management and threat hunting query execution.

This is the ideal role for junior analysts because:

  1. Incident Management Capabilities: The Responder role allows users to view, assign, investigate, and resolve incidents - which are the core day-to-day activities of junior analysts.

  2. Query Execution: Responders can run queries in Log Analytics to investigate threats and hunt for suspicious activities, which is essential for their investigation work.

  3. Appropriate Permissions: This role provides read access to Microsoft Sentinel data and the ability to manage incidents without the ability to modify detection logic, analytics rules, or other configurations.

  4. Principle of Least Privilege: It gives junior analysts exactly what they need - no more, no less - which aligns with the IT director's requirement.

Why the other options are incorrect:

The Contributor role would be inappropriate because it grants too many permissions, including the ability to create and modify analytics rules, workbooks, and playbooks. These are capabilities specified for senior analysts, not junior analysts. This violates the principle of least privilege.

The Reader role combined with Log Analytics Contributor is problematic because while Reader provides read-only access, the Log Analytics Contributor role would grant write permissions to the underlying workspace, which is excessive and could allow junior analysts to modify or delete data. Additionally, the Reader role alone doesn't provide the incident management capabilities needed for investigations.

The Log Analytics Reader role alone is insufficient because it only provides read access to log data but doesn't include the Microsoft Sentinel-specific incident management capabilities that junior analysts need to assign, investigate, and resolve incidents. This role would severely limit their operational effectiveness in handling security incidents.

More Manage a security operations environment questions
771 questions (total)
Start 100 question test