SC-200 Practice Questions

 First blank (create a stub table): datatable

 Second blank (union option): isfuzzy=true

In KQL for Microsoft Sentinel, a safe way to test whether a table exists across multiple workspaces (without throwing an error when it doesn’t) is to union a guaranteed single-row “stub” table with a query against the target table, and use union isfuzzy=true . The stu b is created with datatable , e.g., let mtable = datatable(isMissing:int) [1]; which always yields one row ( isMissing=1 ). The second branch queries the real table and, if it exists, emits a row with isMissing=0 . When the table is missing, that branch return s no rows, but because isfuzzy=true is used, the reference to a potentially missing table is treated as an empty input rather than an error. Finally, selecting a single row (e.g., | top 1 by isMissing asc ) ensures you return 0 if the table exists (preferre d), otherwise 1 from the stub.

A complete pattern for the answer area is:

let mtable = datatable(isMissing:int) [1];

union isfuzzy=true

mtable,

(AzureActivity | getschema | project isMissing=0)

| top 1 by isMissing asc

This meets the requirements: it checks existence per workspace, returns one row with isMissing=0 if the table exists, or one row with isMissing=1 if it does not, with minimal overhead and no failures when the table is absent.

NNY

UserName field set as the account entity: Yes

Watchlist cannot be updated after created: No

IPList variable set as the IP address entity: Yes

This Kusto Query Language (KQL) snippet is used in Microsoft Sentinel to correlate event data (Sysmon logs) with a watchlist containing known malicious IP addresses. The watchlist is retrieved using the _GetWatchlist() function, and entity mappings are explicitly set for account, host, and IP entities.

???? Step-by-step analysis:

1. UserName field as the Account entity → YES

At the end of the query, the entity mappings are defined as:

extend timestamp = TimeGenerated, AccountCustomEntity = UserName, HostCustomEntity = Computer

In Microsoft Sentinel, when an analytics rule uses this query, the AccountCustomEntity mapping links the UserName field to the account entity .

This enables account-level correlation in incidents and investigation graphs.

✅ Therefore, Ye s , the UserName field is set as the account entity.

2. The watchlist cannot be updated after it is created → NO

This statement is incorrect.

In Sentinel, watchlists are designed to be dynamic and can be updated, edited, or replaced at any time.

Official Microsoft documentation confirms:

“You can edit, update, or replace a watchlist at any time to ensure your detection logic uses current data.”

Hence, watchlists can be updated , either manually via the portal or programmatically via API/PowerShell.

❌ Therefore, No , the watchlist can be updated after it is created.

3. The IPList variable is set as the IP address entity → YES

The first line of the query defines:

let IPList = _GetWatchlist( ' Bad_IPs ' );

This loads a list of known malicious IPs from the Bad_IPs watchlist.

Later in the query:

where SourceIP in (IPList) or DestinationIP in (IPList)

This confirms IPList contains IP address values used for matching with the event’s SourceIP or DestinationIP.

In Sentinel analytics rules, this variable represents IP address entities for correlation and visualization.

✅ Therefore, Yes , the IPList variable is set as the IP address entity.

 Policy template type: Access policy

 Filter based on: IP address tag

In Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), policies are used to detect, alert, and control access or activity patterns across cloud applications.

To detect connections originating from a botnet network , you need a policy that evaluates real-time access conditions such as the user’s IP address, device, or location at the time of the connection attempt. This is achieved thr ough an Access policy , which controls and monitors session access to cloud apps using Conditional Access App Control.

Microsoft documentation specifies that Access policies can filter based on IP address ranges, tags, or risk levels. The “IP address tag” i s particularly used to classify addresses into categories like “Risky,” “Anonymous proxy,” “Botnet,” etc. Microsoft’s built-in IP address tagging capability recognizes malicious or suspicious sources, including known botnet IPs.

Activity policies monitor i n-app user actions such as file downloads, sharing, or admin operations—not the connection origin.

Anomaly detection policies rely on behavioral analytics and machine learning, not static IP classifications, and cannot explicitly target botnet IPs.

Therefo re, to meet the requirement of detecting connections to Microsoft 365 apps from botnet networks , you must configure an Access policy that filters based on the IP address tag set to “Botnet.”

To allow a security analyst to use the Microsoft 365 security center and also approve or reject pending remediation actions generated by Microsoft Defender for Endpoint, while adhering to the principle of least privilege, you must assign two complementary roles:

In Microsoft Defender for Endpoint, assign the Active remediation actions role. This role explicitly gives permission to take response actions (such as isolation, quarantine, etc.) or to approve or reject pending remediation tasks. Microsoft documentation states that when taking response actions on a device, “you must have at least the Active remediation actions role assigned.” Microsoft Learn

In Azure AD (or Microsoft Entra), assign the Security Reader role. This role grants read-only visibility into the security configuration and alerts in the Microsoft 365 security center without eleva ting the analyst to full security administration. This ensures the analyst can see what’s happening in the security environment, but not make broad configuration changes.

Here’s why those roles are correct and why the others are not:

The Active remediation actions role is narrowly scoped to remediation operations, which is exactly what is needed to approve or reject pending actions. Any broader role (like Security Administrator) would exceed the principle of least privilege.

The Security Reader role allows the analyst to navigate the Microsoft 365 security center (view incidents, alerts, reports) but does not grant write-level permissions that are unnecessary for their role.

The Security Administrator role (option C) would grant too many permissions—not least privilege—though it might allow the needed actions, it is overly permissive relative to what is needed.

The Compliance Data Administrator (option A) is unrelated to remediation within Defender or endpoint actions; it is designed around compliance and data governance.

Additionally, Microsoft’s role-mapping between Defender XDR unified RBAC and legacy roles confirms that the Active remediation actions permission is mapped to the “Response (manage)” capability in the unified RBAC model. Microsoft Learn

Together, assigning Active remediation actions (in Defender for Endpoint) and Security Reader (in Azure AD/Entra) gives the minimal necessary access: a bility to view security data and approve or reject remediation actions, without over-privileging the analyst.

1️ ⃣ Connect-IPPSSession

2️ ⃣ New-ComplianceSearch

3️ ⃣ Start-ComplianceSearch

In Microsoft 365 E5 (which includes Microsoft Purview and Exchange On line), to identify phishing email messages using PowerShell, administrators can perform a compliance content search . The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.

Here’s the correct order and purpose of each cmdlet:

1️ ⃣ Connect-IPPSSession

This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center) .

It’s required before exe cuting any compliance-related PowerShell commands such as creating or starting a search.

Example:

Connect-IPPSSession

2️ ⃣ New-ComplianceSearch

After connecting, use this cmdlet to create a new compliance content search .

You can define parameters such as th e search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).

Example:

New-ComplianceSearch -Name " PhishingSearch " -ExchangeLocation All -ContentMatchQuery ' Subject: " phish " OR Subject: " urgent action required " '

3️ ⃣ Start-ComplianceSearch

Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.

Example:

Start-Complia nceSearch -Identity " PhishingSearch "

Other cmdlets explained:

Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.

Search-UnifiedAuditLog searches the unified audit log , which is used for activity a uditing, not email content searches.

✅ Final Correct Sequence:

Connect-IPPSSession

New-ComplianceSearch

Start-ComplianceSearch

To integrate Microsoft Defender for Cloud Apps (MCAS) with Microsoft Sentinel , Microsoft’s official SecOps and Sentinel documentation specifies a two-step configuration process.

In the Defender for Cloud Apps portal – You add a security extension to enable integration with external SIEM platforms. This action allows MCAS to forward its alerts, activities, and discovered app telemetry to other Microsoft or third-party security platforms. By adding the security extension , Defende r for Cloud Apps is authorized to send data streams and alerts to Microsoft Sentinel through a supported API connection.

In Microsoft Sentinel (Azure portal) – You then add a data connector . Data connectors in Sentinel are predefined integration pipelines that bring in telemetry from Microsoft or external security solutions. The Microsoft Defender for Cloud Apps connector specifically ingests MCAS alerts and audit logs into Sentinel, where they can be correlated with other Microsoft Defender XDR signals, en abling unified detection and investigation across identity, endpoint, and cloud layers.

This integration approach adheres to Microsoft’s principle of minimizing administrative effort by using native connectors rather than custom ingestion or log collector configurations. Once connected, Sentinel automatically normalizes MCAS alerts into its SecurityAlert and CloudAppEvents tables for rule creation, playbook automation, and incident correlation.

Therefore, the verified correct configuration is:

Defender for Cloud Apps: Add a security extension

Sentinel: Add a data connector