Back to Microsoft Security Operations Analyst Associate (SC-200)

Manage security threats

Hunt for threats using Microsoft Defender XDR and Microsoft Sentinel, and create workbooks for security monitoring.

Encompasses hunting for threats using Microsoft Defender XDR including identifying threats with Kusto Query Language (KQL), interpreting threat analytics, and creating custom hunting queries. Covers hunting for threats using Microsoft Sentinel through MITRE ATT&CK matrix analysis, threat indicators management, hunt creation and management, hunting query monitoring, hunting bookmarks for data investigations, archived log data retrieval, and search job management. Also includes creating and configuring Microsoft Sentinel workbooks by activating and customizing workbook templates, creating custom workbooks with KQL, and configuring visualizations for security monitoring and reporting.
5 minutes 5 Questions

Managing security threats is a critical responsibility for Microsoft Security Operations Analyst Associates. This involves identifying, analyzing, and responding to potential security incidents across an organization's infrastructure. The process begins with threat detection, where analysts utilize…

Concepts covered: Identify threats using Kusto Query Language (KQL), Interpret threat analytics in the Defender portal, Create custom hunting queries with KQL, Analyze attack vector coverage with MITRE ATT&CK matrix, Manage and use threat indicators in Sentinel, Create and manage hunts in Microsoft Sentinel, Create and monitor hunting queries in Sentinel, Use hunting bookmarks for data investigations, Retrieve and manage archived log data, Create and manage search jobs in Sentinel, Activate and customize workbook templates, Create custom workbooks with KQL, Configure workbook visualizations

Test mode:
Start practice test
SC-200 - Manage security threats Example Questions

Test your knowledge of Manage security threats

Question 1

A security analyst at Fabrikam Manufacturing discovers unusual authentication patterns in their environment. They need to query SigninLogs data from 45 days ago to identify failed login attempts from suspicious geographic locations. The analyst initiates a search job targeting a 60-day timeframe across 800GB of data. After the search job completes successfully, where will the analyst find the retrieved results to perform further KQL analysis and correlation with other security events?

Correct Answer: In a new table created in the Log Analytics workspace with a '_SRCH' suffix appended to the original table name

When a search job completes successfully in Azure Monitor/Log Analytics, the retrieved results are stored in a new table that is automatically created in the same Log Analytics workspace. This new table follows a specific naming convention where the original table name gets a '_SRCH' suffix appended to it.

In this scenario, since the analyst is querying SigninLogs data, the search job results would be stored in a table named 'SigninLogs_SRCH'. This allows the analyst to:

  1. Run KQL queries against the restored data without affecting the original table
  2. Correlate the historical data with current security events
  3. Perform advanced analytics on data that is outside the normal interactive query timeframe
  4. Join the search results with other tables in the workspace for comprehensive analysis

The search results table persists in the workspace according to the workspace's retention settings, giving analysts sufficient time to complete their investigations.

Why the other answers are incorrect:

The option about results being tagged in the original SigninLogs table is incorrect because search jobs create separate tables rather than modifying or adding metadata to the original table. This separation ensures data integrity and allows for easier management of search results.

The option about Hunting queries section is incorrect because search job results are not stored in the Hunting interface. While hunting queries can be used to analyze the data once it's restored, the actual search results reside in the new table within the workspace, not in a dedicated folder within the Hunting section.

The option about a temporary workspace container is incorrect because search job results are stored as actual tables in the Log Analytics workspace itself, not in a separate container or dashboard. The results are accessed through standard KQL queries against the newly created table with the '_SRCH' suffix, not through a specialized dashboard interface.

Question 2

A defense contractor operates a Microsoft Sentinel workspace monitoring classified network traffic across 12 secure facilities. The NetworkSecurityGroupFlowLogs table maintains 75 days of data in Analytics tier, with older records automatically archived within the same workspace for a total retention of 5 years. An internal security audit revealed that a senior network engineer with Log Analytics Reader role repeatedly attempts to execute KQL queries against archived flow logs from 8 months ago to analyze historical traffic patterns for a research project. The engineer's queries consistently return empty result sets, even though workspace storage metrics confirm the archived data exists and consumes approximately 320 GB. The workspace Archive tier is properly enabled and the engineer has verified the correct time ranges in the KQL queries. The security operations manager must identify the missing component preventing the engineer from accessing this archived data. What specific Azure RBAC permission must be assigned to the engineer's account to enable creation of data restoration operations for querying the archived network flow logs?

Correct Answer: Log Analytics Contributor role on the workspace resource to initiate restore operations for archived data

The correct answer is that the engineer needs the Log Analytics Contributor role on the workspace resource to initiate restore operations for archived data.

In Microsoft Sentinel and Log Analytics, archived data cannot be queried directly. When data is moved to the Archive tier, it must first be restored to the Analytics tier through a restore operation before it can be queried using KQL. This is a critical architectural detail.

The Log Analytics Reader role that the engineer currently has only provides read permissions for data that is actively available in the Analytics tier. It does not include permissions to create restore jobs or restore operations, which are required to bring archived data back into a queryable state.

The Log Analytics Contributor role includes the necessary permissions to:
- Create and manage restore operations
- Initiate search jobs that restore archived data to a temporary table
- Execute the restore process that makes archived data available for querying

This explains why the engineer's queries return empty results despite the archived data existing - the data is present in archive storage but hasn't been restored to a queryable format. The workspace storage metrics confirm the data exists (320 GB), but it's in the Archive tier and inaccessible for direct querying.

Why the other options are incorrect:

The Microsoft Sentinel Contributor role combined with Storage Blob Data Reader is unnecessary because archived data restoration in Log Analytics workspaces is managed through the Log Analytics service itself, not through direct storage account access. The restoration process is handled by Azure's managed services, and users don't need direct blob storage permissions.

The Log Analytics Data Access Administrator role is designed for managing data access policies and resource-context RBAC, not for performing restore operations. This role focuses on granting fine-grained access to specific tables or resources, not on creating restoration jobs for archived data.

The Azure Monitor Contributor role at the subscription level is overly broad and provides unnecessary elevated permissions beyond what's needed. Archive restoration only requires contributor-level permissions on the specific workspace resource, not subscription-wide Azure Monitor permissions. This violates the principle of least privilege and would grant access to many other monitoring resources unnecessarily.

Question 3

Kayla, a Security Operations Analyst at Contoso Healthcare, is examining a threat analytics report in the Microsoft Defender portal about a sophisticated spear-phishing campaign targeting healthcare providers. The report displays multiple metrics including 'Global Prevalence: High', 'Active for: 28 days', and several technical indicators. Within the report, Kayla notices a section showing 'Detection Methods' that lists the various security technologies and signals used to identify this threat across the Microsoft security ecosystem. This section displays items such as 'Email threat protection signals', 'Endpoint behavioral analysis', 'Cloud app anomaly detection', and 'Identity risk signals', each with accompanying detection confidence scores. The section also shows correlation logic explaining how these different signal sources work together to identify the complete attack chain. Kayla's security architecture team is evaluating whether their current Microsoft 365 license tier provides adequate visibility into this type of threat, and they need to understand which detection capabilities are actively contributing to threat identification in their environment. The team lead asks Kayla to determine what the Detection Methods section primarily reveals about their security stack's capabilities. What does this section indicate?

Correct Answer: The security products and signal sources currently deployed that successfully identified various stages of this threat activity within the organization's environment

The Detection Methods section in Microsoft Defender's threat analytics reports shows the security products and signal sources that are currently deployed and actively detecting threats within the organization's environment.

This is the correct answer because:

Threat analytics reports in Microsoft Defender provide real-time visibility into how threats are being detected within YOUR specific environment. The Detection Methods section displays the actual security technologies that are currently licensed, deployed, and functioning in your organization. When you see items like 'Email threat protection signals', 'Endpoint behavioral analysis', 'Cloud app anomaly detection', and 'Identity risk signals' with detection confidence scores, these represent the active security stack components that successfully identified different stages of the attack chain in your environment.

This section is particularly valuable for understanding your current security posture and licensing effectiveness. It shows which Microsoft security products you have operational and how they're contributing to threat detection. This directly addresses Kayla's team's need to evaluate whether their current Microsoft 365 license tier provides adequate visibility.

Why the other answers are incorrect:

The second answer is wrong because the Detection Methods section does not show all available Microsoft security products that could potentially be deployed. It only shows what is currently active and detecting threats in your environment. If a product isn't licensed or deployed, it won't appear in this section.

The third answer is incorrect because while Microsoft does provide recommendations for security coverage, the Detection Methods section specifically shows what IS detecting threats, not what Microsoft recommends you should implement. Recommendations would be found in different sections of the portal, such as Microsoft Secure Score or specific recommendation pages.

The fourth answer is wrong because the Detection Methods section does not provide performance benchmarks or industry comparisons. It focuses on displaying your organization's active detection capabilities and how different security signals correlate to identify threats. Comparative analytics and industry benchmarking are found in other reporting areas, not in the Detection Methods section of threat analytics reports.

More Manage security threats questions
517 questions (total)
Start 100 question test