Microsoft SC-200 - Microsoft Security Operations Analyst

In Microsoft Sentinel (Log Analytics), table retention uses two tiers: Interactive retention (hot, immediately queryable) and Archive (cold, queryable via Search/Restore). Sentinel includes up to 90 days of interactive retention at no additional cost ; extending interactive retention beyond 90 days incurs standard Log Analytics retention charges. To mini mize cost , you should keep the interactive period at 90 days (the free tier).

For longer-term availability of data while still controlling costs, you set a higher Total retention so that, after the interactive window, data is moved to Archive storage at a significantly lower price per GB . Archived data remains available to analysts using Search jobs or temporary Restore to hot for detailed queries. Therefore, to maximize the period during which the table data remains available at the lowest cost, select the longest offered total retention, 2 years , which keeps older data in Archive instead of deleting it.

Thus, the optimal cost/availability configuration is Interactive = 90 days and Total = 2 years .

Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps) documents : =

To monitor Linux virtual machines in AWS using Azure Defender (Microsoft Defender for Cloud) , you must onboard those VMs into Azure’s management plane. The recommended and supported approach is via Azure Arc .

Azure Arc enables Azure Defender to extend its security monitoring and policies to non-A zure machines (including AWS and on-premises). Once onboarded through Azure Arc, the Log Analytics agent (MMA/AMA) can be automatically provisioned, allowing Defender for Cloud to collect and analyze security data.

Microsoft documentation states:

“To monit or machines outside Azure (on-premises or in other clouds like AWS or GCP), onboard them to Azure using Azure Arc. Azure Defender will then auto-provision the required agent and begin monitoring.”

Thus, enabling Azure Arc and onboarding the AWS VMs meets t he goal .

✅ Correct answer: A. Yes

A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription. Reference: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview

To collect event logs from Linux virtual machines in Microsoft Sentinel, the data ingestion path must be correctly configured through Azure Monitor (Log Analytics) and Sentinel connectors . The correct order of actions is as follows:

1️ ⃣ Add Microsoft Sentinel to a workspace:

Sentinel requires a Log Analytics workspace as its data foundation. You must first enable Microsoft Sentinel on a workspace by selecting Microsoft Sentinel → Add → Select workspace . This step prepares the workspace to receive and analyze security data.

2️ ⃣ Add a Syslog connector to the workspace:

Linux systems send event data through Syslog . You must enable the Syslog connector within the Sentinel workspace. The connector d efines which Syslog facilities and severities should be collected and ingested into Sentinel. It acts as the integration bridge between the Linux hosts and Sentinel’s analytics engine.

3️ ⃣ Install the Log Analytics agent for Linux on the virtual machines:

To forward the logs, each Linux virtual machine needs the Log Analytics agent (OMS agent) . This agent collects the configured Syslog and performance data and sends it to the connected Log Analytics workspace.

This sequence ensures proper setup for Linux lo g ingestion: Sentinel is first activated, then the Syslog data source is configured, and finally, agents are deployed to gather and transmit the logs.

To investigate which accounts generate the most alerts and correlate them with incident data , Microsoft Sentinel requires a solution package that provides identity-focused analytics and workbooks.

The Cloud Identity Threat Protection Essentials solution from the Microsoft Sentinel Content hub delivers:

Prebuilt workbooks and analytics rules integrating Azure Activity , Entra ID logs , and Defender XDR alerts .

Visualizations showing users with most alerts and related incidents.

UEBA integration is optional, but installing this solution automatically provides identity-centric detection with minimal configuration.

UEBA (Us er and Entity Behavior Analytics) , by itself, detects anomalies but does not provide built-in alert correlation dashboards. Therefore, to meet the requirement with minimal administrative effort, installing the prebuilt Sentinel content package is the corre ct step.

✅ Correct Answer: B. From Content hub, install Cloud Identity Threat Protection Essentials

Automated Investigation and Response (AIR ) automates investigation and remediation actions for alerts that Defender already detects: it triages alerts, runs investigation playbooks, and can execute remediation (quarantine files, terminate processes, remove persistence) based on the investigation outcome. AIR is powerful for reducing analyst load and quickly remediating detected threats. However, AIR only runs in response to detections/alerts it receives—if the third-party AV completely misses an artifact and no EDR/behavioral detection generates a n alert, AIR will not be triggered. In contrast, EDR in block mode is specifically built to catch post-breach detections that the primary AV missed and to remediate them. Therefore, enabling AIR alone does not guarantee protection from artifacts missed by the third-party antivirus; AIR helps remediate once a detection exists but does not itself create the missed detection coverage that EDR in block mode provides.

In Microsoft Sentinel , analysts manage and investigate incidents through the Incident page , which provides multiple investigation and triage tools. The two core aspects of incident analysis relevant here are entity visualization and investigation audit tracking .

Entity Map (Investigate):

Selecting Investigate opens the Investigation Graph view in Microsoft Sentinel.

This interactive map visually displays all the entities (users, IPs, hosts, accounts, files, etc.) related to the alert and their relationships.

It helps analysts understand how alerts are connected, uncover lateral movements, and explore correlated suspicious activities.

Microsoft documentation describes this as:

“The investigation graph provides a visual representation of the entities involved in the incident, showing relationships between them to aid root-cause analysis.”

Hence, to view a map of connected entities, choose Investig ate .

Investigation Activities (Comments):

The Comments tab tracks the activities and analyst notes during the incident lifecycle.

This includes changes to status, assignments, and documented investigation steps — essentially functioning as an activity log for the incident.

Microsoft’s official Sentinel documentation states:

“The Comments section in the incident pane provides a timeline of analyst interactions, investigation notes, and changes performed on the incident.”

Therefore, to view the list of invest igation activities, select Comments .

Live Response in Microsoft Defender for Endpoint is a powerful investigative and remediation capability that lets responders interactively run commands on an endpoint, collect files, and perform remediation steps (collect investigation packages, pull files, run scripts, or take forensic artifacts). However, Live Response is an on-demand tool invoked during or after an investigation; it does not by itself provide continuous detection coverage or automatic blocking of artifac ts that a third-party AV missed. The requirement is to ensure devices are protected from malicious artifacts that were undetected by the third-party antivirus . To meet that objective you need capabilities that detect and block artifacts automatically (for example, EDR in block mode which actively blocks/remediates post-breach artifacts even when Defender AV is passive). Live Response helps respond to an identified artifact but does not create the detection and automatic blocking coverage that prevents or re mediate undetected malicious artifacts at scale. Therefore enabling Live Response alone does not meet the stated protection goal.

In Microsoft Sentinel, roles define access based on least privilege.

To investigate incidents , a user needs permissions to view incidents, alerts, entities, and evidence, and to perform investigation actions (like assigning, commenting, or changing incident status).

Mi crosoft defines the Microsoft Sentinel Responder role as:

“Allows users to view incidents, assign incidents to themselves or others, change incident severity and status, and run playbooks.”

This is the minimal role required for incident investigation.

Reader : Can view data but cannot act on incidents.

Responder ✅ : Can investigate and respond.

Contributor : Can create and edit rules, analytics, and automation (more privileges than required).

Automation Contributor : Used for playbook automation, not investigation.

✅ Answer: A. Microsoft Sentinel Responder