Free Microsoft SC-200 Practice Exam with Questions & Answers | Set: 2

To have a Microsoft Sentinel workbook pull live data from an external web service, you use the workbook’s built-in JSON data source. Workbooks can query REST endpoints that return JSON and render results dynamically in visuals. Because the Azure portal (where the workbook runs) is a different origin than your on-prem/public Webapp1, browsers will block these cross-origin requests unless the endpoint explicitly allows them. Therefore, the external service must enable CORS to permit the portal’s origin to fetch the JSON. This aligns with Microsoft guidance that Workbooks can query HTTP/HTTPS JSON endpoints and that external endpoints must allow cross-origin requests for client-side calls from the Azure portal. Enforcing CORS on Webapp1 satisfies the security model while enabling the workbook to retrieve data at view time—meeting the requirement to “dynamically retrieve data from Webapp1.” Options like “custom endpoint” or “custom resource provider” aren’t needed here, and enabling SOP or only enforcing TLS 1.2 wouldn’t address the browser’s cross-origin policy blocking the call.

Microsoft Sentinel playbooks can be triggered by different types of events—alerts, incidents, or entities. Since the requirement specifies “incidents generated by rulequery1” and asks for automatic processing of those incidents, the correct approach is to use a playbook with an incident trigger.

According to Microsoft Sentinel automation documentation:

“When you want automation to start after an incident is created or updated, use the incident trigger. This allows you to automate workflows such as closing incidents, adding comments, or sending notifications.”

This trigger type works with automation rules that specify when and how to execute playbooks based on incident state or severity. Using a playbook with an incident trigger meets the need for post-incident automation (e.g., auto-closing incidents if they match certain conditions).

✅ Answer for Question 8: A. a playbook with an incident trigger

To hunt across multiple subscriptions/workspaces from a single Microsoft Sentinel workspace, you don’t need to re-ingest data; you can query it where it already lives using cross-workspace queries. In KQL, this is done with the workspace() expression combined with union to stitch results from several workspaces in one result set (for example: union workspace('WS1').SecurityEvent, workspace('WS2').SecurityEvent …). This approach is the supported method for hunting across many projects/subscriptions while keeping data in its original Log Analytics workspaces, and it avoids duplicating ingestion or moving data. In addition, to integrate those remote workspaces with Sentinel features and ensure consistent schema/solution components, you add the Microsoft Sentinel solution to each workspace you want to include. Installing the solution enables Sentinel’s content pack, schemas, and permissions model on those workspaces so they can fully participate in Sentinel scenarios while you run cross-workspace hunts from your central workspace. Therefore: (B) Create a query that uses the workspace expression and the union operator and (E) Add the Azure Sentinel solution to each workspace.

Explanation (concise): The Regulatory compliance dashboard/report shows standards-based compliance posture and related recommendations across resources, not the alert-specific remediation steps. To view how to fix a specific Security Center (Defender for Cloud) alert, you open the alert, choose Take action, and review the Mitigate the threat guidance. Therefore, downloading the Regulatory compliance report does not meet the goal.

For Linux alert simulation in Defender for Cloud, you first copy /bin/echo to a test file named asc_alerttest_662jfi039n, then execute it with the parameters testing eicar pipe. This sequence generates a benign test alert that validates the Defender for Cloud pipeline. The options using ./alerttest are incorrect file names and won’t trigger the simulation.QUESTION NO: 8

You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.

You enable Azure Security Center and configure Security Center to use workspace1.

You need to ensure that Security Center processes events from the Azure virtual machines that report to workspace1.

What should you do?

A.In workspace1, install a solution.

B.In sub1, register a provider.

C.From Security Center, create a Workflow automation.

D.In workspace1, create a workbook.

Answer: A

When configuring Microsoft Defender for Cloud (formerly Azure Security Center) to use a specific Log Analytics workspace, you must ensure the Security solution is installed in that workspace so that security events from VMs reporting to the workspace are processed by Defender for Cloud. Registering a provider, creating workflow automations, or creating a workbook do not enable data processing for recommendations/alerts; installing the solution (now surfaced as the Defender for Cloud agent/solution enablement) does.

The Fusion analytics rule in Microsoft Sentinel automatically correlates alerts from multiple sources (including Microsoft Defender connectors) to detect multistage attacks. Because Fusion runs continuously and cannot be disabled without losing multi-stage detection, the best practice for temporarily suppressing incidents from a specific connector (like Microsoft Defender) is to use automation rules, not by disabling the Fusion rule itself.

An automation rule can be configured to trigger on specific conditions (such as “When incident is updated” or “When incident is created”) and then perform an action like running a playbook that applies suppression logic.

Here’s the reasoning:

Trigger:

Setting the trigger to “When incident is updated” ensures that the rule evaluates changes to existing incidents—such as enrichment or tagging from Fusion—and provides finer control over suppression, minimizing impact on the Fusion detection pipeline.

Using “When incident is created” could interfere with Fusion’s initial detection process.

Action:

The appropriate action is “Run playbook”, which allows automated handling (for example, tagging or closing certain incidents from a specific connector). This requires minimal administrative effort and avoids turning off the Fusion rule.

This configuration ensures that Fusion continues to detect multistage attacks (so detection isn’t impacted) while automation handles temporary suppression for specific connectors efficiently.

In Microsoft 365 Defender advanced hunting, email attachments are recorded in EmailAttachmentInfo and endpoint file activity is recorded in DeviceFileEvents. To correlate a malicious attachment to devices where the same file was observed, you join on the file hash (SHA256). The hunting guidance specifies using EmailAttachmentInfo to filter by sender and to ensure the attachment has a hash (isnotempty(SHA256)). Then, a join with DeviceFileEvents on SHA256 links the email-borne file to endpoint observations.

Before joining, it’s best practice to reduce the right-hand dataset with project to only needed fields (e.g., FileName, SHA256, DeviceName, DeviceId, Timestamp) to improve performance and limit data volume. After the join, use project again to shape the final result set for investigation, including timeline and pivot identifiers: Timestamp, FileName, SHA256, DeviceName, DeviceId, plus email context such as NetworkMessageId, SenderFromAddress, and RecipientEmailAddress.

Therefore, the correct operator sequence is: join (subquery over DeviceFileEvents with project) on SHA256, then final project of the incident-relevant columns.

To block unsanctioned cloud apps on Windows 10 endpoints with Microsoft Defender for Endpoint and Microsoft Defender for Cloud Apps (formerly Cloud App Security), you must enable and configure the product integration on both sides. First, in Microsoft Defender Security Center → Settings → Advanced features, turn on the Microsoft Defender for Cloud Apps integration (and ensure network protection prerequisites are met). This allows Defender for Endpoint to receive the unsanctioned app list and enforce endpoint-based blocking when users on CLIENT1 attempt to access those apps via the browser or client.

Second, in Defender for Cloud Apps → Settings → Cloud Discovery, configure the Microsoft Defender for Endpoint integration and enable Block unsanctioned apps. In Cloud Discovery, apps are discovered, assessed, and can be tagged as Unsanctioned. Once the MDE integration is enabled, that tag is exported to endpoints, which then enforce blocking based on the tenant’s app catalog and policies.

Options A (Onboarding settings) are for enrolling devices and do not control app blocking behavior. B (Anomaly detection policies) govern behavioral detections (e.g., impossible travel, anonymous IP) and are unrelated to endpoint enforcement of app access. Therefore, the two configurations you must modify to meet the requirement “block unsanctioned apps on Windows 10 computers by using Microsoft Defender for Endpoint” are C. Advanced features in Microsoft Defender Security Center and D. Cloud Discovery settings in Cloud App Security.

According to Microsoft Defender for Cloud (formerly Azure Security Center) documentation, when integrating servers and virtual machines for security monitoring, the Defender for Cloud data is stored and analyzed in a Log Analytics workspace. Microsoft best practices recommend using an existing workspace when one is already deployed for centralized log collection—especially if it already gathers telemetry from Azure and on-premises resources.

In this case, the existing workspace LA1 already “contains logs and metrics collected from all Azure resources and on-premises servers.” This satisfies the business requirement of “all servers must send logs to the same Log Analytics workspace.” Creating a new workspace would violate the cost-minimization and centralization requirements. Therefore, LA1 is the correct workspace to use.

For the Windows security events collection setting, Defender for Cloud offers three levels:

Minimal – collects essential security events only (insufficient for comprehensive monitoring).

Common – collects a balanced set of security-related events (such as account logon, privilege use, and object access), recommended by Microsoft for most environments.

All Events – collects every possible security event, which increases data ingestion cost and is typically used only for high-security or regulated environments.

Because Litware Inc. must minimize cost while ensuring a full audit trail of user activities, the Common level provides the optimal balance of visibility and cost efficiency.

Therefore, based on Microsoft Defender for Cloud configuration guidelines:

✅ Log Analytics workspace to use: LA1

✅ Windows security events to collect: Common