SC-200 Exam Dumps : Microsoft Security Operations Analyst

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace . To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’ s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace( ' Fabrikam-WS ' ).SecurityEvent, workspace( ' Contoso-WS ' ).SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrik am needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.

When configuring the Syslog via Azure Monitor Agent (AMA) connector in Microsoft Sentinel , the Data Collection R ule (DCR) determines which Linux system logs are ingested. Syslog messages are filtered based on facility (the subsystem that generated the message) and severity level (priority) .

According to Microsoft’s “Collect Syslog data sources using Azure Monitor Ag ent” documentation:

“Syslog facilities define which type of process generated the log (e.g., authentication, cron, daemon), and log levels define the severity (0=emerg, 1=alert, 2=crit, 3=err, etc.). To minimize data ingestion and cost, select only the fac ility and the highest severity level required for your investigation.”

In this scenario:

You need to collect logs related to App1 , a background process (non-kernel, non-authentication, non-cron). Typically, such custom or application-level processes send logs to LOG_AUTH or LOG_DAEMON , depending on configuration. If App1 is an application that uses authentication or security features, the LOG_AUTH facility is appropriate.

You must collect only logs with a critical priority , which corresponds to Syslog severity 2 (critical) . In Syslog terminology, that maps to the LOG_EMERG or “emergency” level and above.

However, to ensure minimum data collection while still capturing critical events, Sentinel’s best practice is to configure the Syslog DCR to collect on ly the specific facility associated with the application and the exact required severity level. For “critical only,” LOG_EMERG is the correct choice because it ensures that only the most urgent (critical/emergency) events are ingested, reducing data volume and cost.

✅ Final Configuration:

Setting

Correct Option

Purpose

Facility

LOG_AUTH

Collects security/authentication-related logs for App1

Log level

LOG_EMERG

Collects only critical/emergency events (priority ≤ 0) to minimize ingestion volume

In summary:

Selecting LOG_AUTH and LOG_EMERG satisfies both requirements — capturing only the highest-severity logs relevant to App1 while keeping the ingestion volume minimal, in line with Microsoft Sentinel Syslog DCR configuration guidance.

The test analytics rule must generate alerts for inbound Office 365 access by several test users and group those alerts into separate incidents—one per user . In Azure Sentinel, incident grouping by entity depends on the rule’s Entity mapping . When you create a scheduled analytics rule, under Set rule logic you map columns from your query to entities like Account , IP , or Host . Once mapped, you can configure Event grouping so alerts with the same entity value (e.g., the same Account ) are automatically grouped into a single incident. Turning suppression on/off or changing severity/tactics doesn’t influence entity-based incident grouping. Therefore, to ensure “one incident per test user account,” you must map the Acco unt entity (and any other relevant entities) in Set rule logic , then enable grouping by that entity—fulfilling the Sentinel requirement.QUESTION NO: 3 HOTSPOT

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Answer: < map > < m x1= " 300 " x2= " 402 " y1= " 181 " y2= " 204 " ss= " 0 " a= " 0 " / > < m x1= " 294 " x2= " 386 " y1= " 295 " y2= " 321 " ss= " 0 " a= " 0 " / > < /map >

Acc ording to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule an d ensure the playbook includes a trigger .

Here’s why:

A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule’s conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.

A playbook in Sentinel is an Azure Logic App that automates responses to incident s or alerts. To connect a playbook to an analytics rule, it must include a trigger —specifically, the “Microsoft Sentinel Alert” or “Incident trigger.” This allows the rule to start the playbook automatically when the defined condition is met.

The other opt ions are incorrect because:

Fusion rules are built-in and use Microsoft’s machine learning to correlate signals automatically; they can’t be used for custom queries.

Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.

A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.

Diagnostics settings apply to log collection and retention, not rule automation.

Therefore, bas ed on Microsoft Sentinel best practices and documentation:

✅ Create the rule of type: Scheduled

✅ Configure the playbook to include: A trigger