Microsoft SC-200

Decreasing the expiration time reduces storage because fewer replays are retained. However, it changes the retention period (from 1 week to something shorter), which can negatively impact investigations and may violate implicit retention requirements. The question focuses on improving space utilization without changing the 10-minute interval, and the best fit is an optimization feature rather than reducing retention.

Setting the minimum allowed replay interval to 15 minutes directly conflicts with the requirement to keep a 10-minute interval. Even if it reduces storage by capturing fewer replays, it changes the collection cadence and therefore does not meet the stated constraint.

Changing the interval to 24 hours drastically reduces the number of replays and storage usage, but it violates the explicit requirement to keep the 10-minute interval. It would also significantly reduce investigative granularity and is not an acceptable solution given the constraints.

Not required. Storage Center Update Utility usage is generally not gated by a simple “enable utility” checkbox in Storage Center settings. While some products have feature toggles, SCOS update workflows typically rely on correct connectivity, credentials, and validated upgrade paths rather than a GUI checkbox. This option is a plausible distractor because “enable feature” steps are common in admin tools.

Not required and generally incorrect. Disabling SupportAssist would not normally be needed for the update utility to communicate with the Storage Center; if anything, SupportAssist improves supportability and diagnostics. Communication issues are usually solved by network/proxy/firewall configuration, correct ports, and credentials—not by disabling support tooling.

Not required. Applying a special license to use the Storage Center Update Utility is not typically a prerequisite for SCOS updates. Licensing may apply to advanced features (replication, Live Volume, etc.), but the ability to update the system software is generally part of standard platform maintenance and support entitlement, not an add-on license.

Incorrect. This option creates a cross-zone between the physical WWPNs of system B and the virtual WWPNs of system A, but that is not one of the required standard zones for this replication setup. The documented requirement is based on physical-to-physical, virtual-to-virtual, and combined physical-and-virtual zoning rather than asymmetric cross-zones. On its own, this zone does not provide the complete or correct connectivity model expected for Virtual Port mode replication.

Incorrect. This is the mirror image of option A, zoning the physical WWPNs of system A to the virtual WWPNs of system B. While it may sound plausible if one assumes physical-to-virtual communication is required, it is not part of the standard required three-zone pattern for this scenario. The exam is testing recognition of the vendor-specific zoning layout, which does not use these cross-zones as the correct answer set.

Synchronous replication with High Availability conflicts with the requirement to stop all local writes when remote communication fails. “High Availability” typically implies continuing operations despite failures (often allowing local writes to proceed or failing over), which can risk divergence or require complex quorum/failover behavior. The question explicitly prioritizes consistency over availability.

Asynchronous replication of the Active Replay cannot guarantee that data on both sides always matches because replication is decoupled from the write acknowledgment. Even if changes are shipped quickly, there is always a potential lag (non-zero RPO). If the link fails, local writes usually continue, which directly violates the requirement to stop writes on communication failure.

Asynchronous replication with frequent replays reduces lag but still does not provide the strict guarantee that both sides always match at every moment. Frequent replays can improve RPO, but it remains non-zero and depends on replay intervals and network conditions. Additionally, asynchronous designs typically allow local writes during link failure, contradicting the requirement.

Incorrect. RAID level is determined by the underlying storage configuration (disk group/aggregate/pool) and is not typically changed by a volume-level action like pre-allocating space. Pre-allocation affects how capacity is reserved for the volume, not the redundancy/performance layout of disks (RAID 0/1/5/6/10).

Incorrect. Data progression (tiering/moving data between performance and capacity tiers) is generally controlled by storage policies and access patterns, not by whether the volume is thin or thick. While some platforms may have specific interactions, pre-allocating space alone does not inherently disable data progression on a volume.

A scheduled query rule (analytics rule) creates alerts/incidents from log queries. While analytics rules can be paired with automation rules to run playbooks, this does not address the core blocker: the Logic App is manually triggered and not yet compatible as a Sentinel playbook trigger. You would typically create/adjust detections after the playbook is usable, not as the first step to convert it.

A data connector is used to ingest data sources into Microsoft Sentinel (for example, Entra ID, Microsoft 365 Defender, or Azure Activity). Data ingestion is important for detections and investigations, but it does not change how a Logic App is triggered. Adding a connector won’t make a manually triggered Logic App callable as a Sentinel playbook.

Threat Intelligence connectors are for ingesting TI indicators (STIX/TAXII, platforms, etc.) into Sentinel for correlation and detection. They are unrelated to incident response automation and do not affect whether an existing Logic App can be used as a playbook. This option confuses threat intel ingestion with SOAR execution requirements.

Security Reader at the subscription scope is read-only for security information. SecAdmin1 could view Defender for Cloud recommendations, alerts, and secure score data, but cannot execute remediation actions or deploy extensions/agents to VMs. This fails the requirement to “apply quick fixes,” because those actions require write permissions on the underlying resources.

Contributor at the subscription scope would allow SecAdmin1 to remediate VMs, but it grants broad write access across the entire subscription (all resource groups and resources). This violates the principle of least privilege given the requirement is only for the 100 VMs in RG1. It’s a common trap: correct capability, wrong scope.

Owner on RG1 would also allow applying quick fixes, but it is more privileged than necessary because it includes Microsoft.Authorization/* permissions (ability to grant access to others). Unless the scenario requires SecAdmin1 to manage RBAC assignments, Owner is excessive and does not meet least privilege compared to Contributor.

Incorrect. Although it includes the keyword “eicar”, it attempts to run a program named “alerttest”, which is not created by any other correct step in this option set unless you also run option C. Even if created, the process name may not match the specific test harness name expected for this Defender simulation scenario.

Incorrect. This creates an executable named “alerttest”, not the expected “asc_alerttest_662jfi039n”. While renaming /bin/echo is a safe way to create a runnable file, the alert simulation in this question is tied to the specific filename shown in the other options, so this step alone (or paired with B) may not trigger the intended Defender alert.

Security solutions is used to discover, connect, or manage integrated security products and protections, not to define who receives email notifications. It focuses on security tooling and integrations rather than administrative contact settings. Even if a solution generates findings, this section does not control Security Center's built-in alert email recipients. Therefore it cannot be used to enable email notifications for the security operations team.

Pricing & settings is primarily used to enable Defender plans, select coverage, and manage subscription-level onboarding or pricing-related configuration. Although it affects what protections are active, it is not the location used to define security contact email notifications for alerts. Confusing plan configuration with notification configuration is a common mistake. Enabling services here alone would not cause alert emails to be sent to the operations team.

Security alerts is the workspace for viewing, triaging, and investigating alerts that have already been generated. It is an operational dashboard, not a settings page for configuring notification recipients. Users can analyze incidents and remediation guidance there, but they cannot enable alert emails from that blade. As a result, it does not solve the problem described in the question.

Azure Defender refers to the advanced threat protection capabilities within Security Center/Defender for Cloud. Turning it on increases detection and alert generation, but it does not specify who should receive email notifications. Notification recipients and alert email behavior are configured separately in policy/security contact settings. Therefore Azure Defender itself is not the correct place to enable email notifications.

This option is incorrect because the described solution does in fact meet the goal. In Azure Security Center, selecting a security alert and then reviewing the Take Action and Mitigate the threat sections is a valid way to see remediation guidance. Saying "No" would imply that this path does not provide recommendations, which is not true. The platform is designed to surface alert-specific mitigation steps in exactly this location.

Built-in queries in Microsoft Sentinel are prewritten KQL queries that help analysts quickly hunt or investigate common scenarios. They improve speed and consistency, but they are primarily query templates and do not inherently provide advanced custom visualizations or a machine learning environment. They are useful for triage and hunting, but they don’t meet the requirement to infer threats using ML.

Livestream in Microsoft Sentinel is used for near-real-time monitoring of events as they arrive, helping analysts observe activity and quickly pivot during active investigations. While it can simplify monitoring, it is not designed for building custom visualizations beyond standard query results, nor does it provide a notebook-style environment to run machine learning models for threat inference.

Bookmarks in Microsoft Sentinel let analysts save and tag interesting events, query results, or investigation artifacts to preserve evidence and collaborate. They help manage investigations and document findings, but they do not provide custom visualization capabilities or machine learning-based analytics. Bookmarks are about investigation workflow and record-keeping rather than advanced analytics.

Executives are high-value targets for phishing and BEC, so they benefit from Defender for Office 365 protections (Safe Links, anti-phishing). However, they typically do not administer security policies or perform investigations/remediation. The security/SOC team uses MDO to analyze threats, run investigations, and remove malicious messages from mailboxes.

Marketing users often receive external emails, attachments, and links, increasing exposure to phishing and malware. Defender for Office 365 helps protect them, but marketing is not the team that configures MDO policies or resolves incidents. Security operations manages alert triage, threat hunting in Explorer, and remediation actions like quarantine or message removal.

Sales teams are frequent targets of credential phishing and invoice fraud, so they benefit from MDO protections. But sales is not responsible for security tooling operations. The security team uses Defender for Office 365 to investigate suspicious emails, identify affected users, and take remediation actions (quarantine, delete, block URLs/senders) to resolve the issue.

Incorrect. Device health and compliance reports in Microsoft Defender Security Center relate to endpoint posture and compliance reporting (often tied to Defender for Endpoint and Intune). They do not establish or enable Azure Information Protection scanning. AIP requirements around discovering/classifying on-prem files are met through AIP scanner configuration, not Defender device compliance report settings.

Incorrect. Content scan jobs define what to scan (repositories/paths), when to scan, and what actions to take (discover, label, protect). However, you can’t effectively create and run scan jobs until the scanner infrastructure is established—specifically the scanner cluster and registered scanner nodes. Jobs are a later step built on top of the cluster.

Incorrect. Advanced features in Microsoft Defender Security Center typically enable additional endpoint capabilities (for example, advanced hunting, automated investigation, or integration features depending on the product context). These do not configure Azure Information Protection scanning. AIP scanner setup is done in AIP/Microsoft Purview Information Protection tooling, not by toggling Defender advanced features.

Impossible travel detects sign-ins for the same user from geographically distant locations within a time window that makes travel unrealistic (for example, sign-in from the US and then Europe minutes later). It is about velocity and physical plausibility between consecutive sign-ins, not whether the location is new to the organization. It would not reliably trigger just because a country was never used by other users.

Activity from anonymous IP addresses flags sign-ins coming from IPs associated with anonymization services such as Tor, VPN endpoints, or known proxy infrastructure. This detection focuses on IP reputation and obfuscation rather than geographic novelty. A sign-in from a new country could occur from a normal ISP IP and would not necessarily be detected as anonymous IP activity.

Malware detection is not an Identity Protection sign-in anomaly policy. Malware-related detections typically come from Microsoft Defender for Endpoint, Defender for Office 365, or other threat protection signals indicating malicious code execution or delivery. It does not address geographic sign-in anomalies and would not be the correct control for detecting unusual sign-in locations.

Create a suppression rule scoped to any device is incorrect because it is overly broad and would suppress similar alerts across the entire environment. That would weaken security posture by potentially hiding real malicious macro activity on devices outside the accounting team. The question explicitly requires maintaining the existing security posture, which implies using the narrowest effective scope. A device group is the appropriate boundary for this scenario.

Generate the alert is incorrect because it is not an alert-tuning or queue-management action used to hide false positives in Microsoft Defender for Endpoint. The scenario asks what actions should be performed to suppress or hide known benign alerts, not how to reproduce or validate them. While observing an alert may help an analyst understand it, generating an alert is not part of the operational solution described by Defender’s suppression and alert-handling features. Therefore, it should not be selected as one of the required actions.

Playbooks is where you create, view, and manage the Logic Apps that Sentinel uses for automation, but it is not the standard Sentinel location for manually running a playbook in context. From this blade, you can access the underlying Logic App resource, but that is management rather than the Sentinel execution surface referenced by the question. In exam terms, this option confuses administration of playbooks with manual execution from within Sentinel operations. Therefore, it is not the best answer for where to run the test in Azure Sentinel.

Analytics is used to create and manage detection rules, including configuring automation that may invoke playbooks when alerts or incidents are generated. However, it does not provide the primary interface for manually running a playbook on demand. Its purpose is detection engineering rather than incident response execution. For this reason, Analytics is not the correct place to manually test a playbook in Sentinel.

Threat intelligence is used to manage indicators of compromise and related intelligence data within Microsoft Sentinel. It has no role in manually executing Logic Apps or testing playbooks. Although threat intelligence can influence detections and investigations, it is not an automation execution surface. Therefore, this option is clearly incorrect.

No is incorrect because adding accounts as Honeytoken accounts from Entity tags is exactly the supported method for marking deceptive accounts in Microsoft Defender for Identity. This feature is specifically intended to identify accounts that should never be used legitimately and to trigger alerts when attackers interact with them. The scenario asks for configuring accounts for attackers to exploit, which aligns with the purpose of honeytokens. Therefore, saying the solution does not meet the goal misunderstands how Defender for Identity deception features work.