Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.
A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.
You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.
What should you include in the recommendation?
Built-in queries in Microsoft Sentinel are prewritten KQL queries that help analysts quickly hunt or investigate common scenarios. They improve speed and consistency, but they are primarily query templates and do not inherently provide advanced custom visualizations or a machine learning environment. They are useful for triage and hunting, but they don’t meet the requirement to infer threats using ML.
Livestream in Microsoft Sentinel is used for near-real-time monitoring of events as they arrive, helping analysts observe activity and quickly pivot during active investigations. While it can simplify monitoring, it is not designed for building custom visualizations beyond standard query results, nor does it provide a notebook-style environment to run machine learning models for threat inference.
Notebooks (Jupyter notebooks integrated with Microsoft Sentinel) are designed for advanced hunting and investigation using Python and data science libraries. They enable custom visualizations, enrichment, correlation across large datasets, and applying machine learning techniques (e.g., anomaly detection, clustering) to infer threats. This directly satisfies both requirements: custom visualization and ML-based inference at IoT scale.
Bookmarks in Microsoft Sentinel let analysts save and tag interesting events, query results, or investigation artifacts to preserve evidence and collaborate. They help manage investigations and document findings, but they do not provide custom visualization capabilities or machine learning-based analytics. Bookmarks are about investigation workflow and record-keeping rather than advanced analytics.
問題分析
Core concept:
This question tests Microsoft Sentinel investigation tooling that goes beyond basic KQL queries—specifically, capabilities for custom visualization and machine learning-assisted threat inference at scale. In Sentinel, this is addressed by Notebooks (Jupyter notebooks integrated with Sentinel/Log Analytics), which support advanced analytics, enrichment, and visualization.
Why the answer is correct:
With alerts from 10,000+ IoT devices, analysts need a way to reduce investigation complexity and apply data science techniques. Microsoft Sentinel Notebooks provide an interactive environment (typically Python) to pull data from Log Analytics, enrich it with external sources, run ML models (e.g., clustering, anomaly detection, classification), and create custom visualizations (timelines, graphs, entity relationships, geo maps). This directly matches the requirement to “provide a custom visualization” and “infer threats by using machine learning.”
Key features and best practices:
- Notebooks are built on Azure Machine Learning/Jupyter and integrate with Sentinel data via APIs and the Log Analytics workspace.
- They enable repeatable investigation playbooks: parameterized notebooks can standardize triage across many similar incidents.
- They support advanced visualizations (e.g., matplotlib/plotly) and graph analysis (e.g., network relationships between devices, IPs, and alerts), which is useful for IoT-scale correlation.
- From an Azure Well-Architected perspective, notebooks improve Operational Excellence (repeatable analysis), Reliability (consistent workflows), and Security (better detection/investigation depth). Use RBAC and least privilege for notebook access and data connectors.
Common misconceptions:
Built-in queries and bookmarks are helpful for investigation efficiency, but they don’t provide a full ML-enabled, custom visualization environment. Livestream focuses on near-real-time monitoring and hunting, not ML-driven inference and rich custom visuals.
Exam tips:
When you see “custom visualization” plus “machine learning” in Sentinel, think Notebooks. When you see “save evidence/important results,” think Bookmarks. When you see “real-time view,” think Livestream. When you see “KQL starting points,” think built-in queries.
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Regulatory compliance, you download the report.
Does this meet the goal?
Yes is incorrect because Regulatory compliance reports are not the intended mechanism for viewing recommendations to resolve an individual security alert. Those reports summarize compliance against frameworks and may include control-related recommendations, but they do not function as the primary alert remediation workflow. To meet the goal, the user should access the alert and its related recommendations directly in Security Center/Defender for Cloud.
No is correct because downloading a report from Regulatory compliance does not provide the alert-specific recommendations needed to resolve a security alert. Regulatory compliance focuses on standards, controls, and overall compliance posture across the environment. A security alert should be investigated from the alert details and associated recommendations within Security Center/Defender for Cloud, where remediation guidance is tied to the actual alert context.
問題分析
Core concept:
This question tests how to investigate and remediate a security alert in Azure Security Center (now Microsoft Defender for Cloud). Alert-specific remediation guidance is typically accessed from the security alert itself or related recommendations in the workload protection/security alerts experience, not by downloading a regulatory compliance report.
Why the solution is NOT correct:
Regulatory compliance in Security Center is used to assess your environment against compliance standards such as Azure CIS, NIST, or PCI DSS. Downloading a report from Regulatory compliance provides a compliance posture summary and control status, but it does not serve as the workflow for viewing recommendations to resolve a specific security alert. Therefore, using Regulatory compliance to resolve an alert does not meet the stated goal.
Key features and best practices:
To investigate an alert, open the alert details in Security Center/Defender for Cloud and review the alert description, affected resources, investigation steps, and remediation guidance. Security recommendations are generally surfaced in the Recommendations area or linked directly from the alert context. Regulatory compliance is better suited for governance, audits, and tracking adherence to standards rather than triaging individual alerts.
Common misconceptions:
A common mistake is assuming that all recommendations in Security Center are available through Regulatory compliance. In reality, compliance recommendations are mapped to standards and controls, whereas alert remediation guidance is tied to the specific threat or misconfiguration that triggered the alert. These are related but distinct experiences.
Exam tips:
For SC-200, distinguish between alert investigation tools and compliance reporting tools. If the task is to resolve or investigate a specific alert, think of Security alerts, incident details, and Recommendations. If the task is to prove adherence to standards or export audit/compliance evidence, think of Regulatory compliance.
3
問題 3
(2つ選択)
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Adding a playbook is required because Microsoft Sentinel uses playbooks, powered by Azure Logic Apps, to automate response actions. A playbook can include a Microsoft Teams connector that posts a message directly to a channel when triggered. This is the component that actually performs the notification action. Without a playbook, Sentinel has no workflow defined to send the Teams message.
Associating a playbook to an incident is necessary so the playbook runs when the relevant security event is detected and surfaced as an incident. In Sentinel, automation is tied to incident handling, allowing the playbook to execute in response to detections generated by analytics rules. This linkage ensures the Teams notification is triggered automatically rather than requiring manual execution. It is the operational step that connects the detection to the response workflow.
Entity behavior analytics, also known as UEBA in Microsoft Sentinel, helps identify anomalous behavior by analyzing users and entities over time. It improves investigation context and can contribute to detections, but it does not provide the mechanism to send a Microsoft Teams message. The question is specifically about notification automation, which requires a playbook-based response. Therefore, enabling this feature does not satisfy the messaging requirement.
A workbook in Microsoft Sentinel is used for data visualization, dashboards, and reporting. It can help analysts monitor suspicious sign-ins or trends, but it does not execute automated actions such as posting to Microsoft Teams. Workbooks are passive analytical tools rather than response mechanisms. As a result, creating a workbook would not meet the requirement to send a channel message when the event occurs.
The Fusion rule is a built-in correlation capability in Microsoft Sentinel that combines multiple low-fidelity alerts into higher-confidence incidents. While this can improve detection of complex attacks, it does not itself send notifications to Microsoft Teams. Even if Fusion generated the incident, you would still need a playbook and automation association to post the message. Therefore, enabling Fusion does not directly address the required response action.
問題分析
Core concept:
This question tests your understanding of how Microsoft Sentinel automates response actions by using playbooks and automation to notify external collaboration tools such as Microsoft Teams when a security event is detected.
Why the answer is correct:
To send a Microsoft Teams message when a suspicious sign-in is detected, you use a Microsoft Sentinel playbook. A playbook in Sentinel is built on Azure Logic Apps and can perform automated actions such as posting messages to Teams, sending emails, creating tickets, or invoking other services. After creating the playbook, you must associate it with the relevant incident or automation flow so that it runs when the detection occurs. Without both steps, the workflow exists but will not be triggered in response to the incident.
Key features / configurations:
- Microsoft Sentinel playbooks are based on Azure Logic Apps.
- Playbooks can integrate with Microsoft Teams using built-in connectors.
- Sentinel automation can trigger playbooks when incidents are created or updated.
- Incidents are generated from analytics rules, and automated response actions can be attached to those incidents.
- Associating a playbook ensures the notification action executes automatically when the specified security event is detected.
Common misconceptions:
- Enabling Entity Behavior Analytics helps enrich investigations, but it does not send Teams notifications.
- Workbooks are for visualization and reporting, not automated response.
- Fusion creates high-fidelity incidents by correlating alerts, but it does not by itself deliver Teams messages.
- Creating a playbook alone is not enough; it must also be linked to the incident workflow or automation rule.
Exam tips:
- If the question asks about automated response in Sentinel, think playbooks.
- If the requirement includes notifying Teams, email, ServiceNow, or other external systems, Azure Logic Apps integration is usually involved.
- Workbooks = dashboards/visualization, not response automation.
- Fusion and UEBA improve detection quality, not notification delivery.
- Pay attention to whether the question asks for creating the automation and triggering it; often both steps are required.
4
問題 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.
Does this meet the goal?
This option is correct because Azure Security Center allows you to open a security alert and use the Take Action experience to review remediation guidance. The Prevent future attacks section specifically contains recommendations that help address the root cause and reduce the chance of recurrence. That means the proposed steps do provide the recommendations needed to resolve or mitigate the alert. This matches the goal of viewing recommendations directly within Security Center.
This option is incorrect because the described solution does in fact meet the requirement. In Azure Security Center, selecting an alert and then choosing Take Action exposes guidance related to investigation, remediation, and prevention. The Prevent future attacks section is the relevant place to see recommendations associated with that alert. Therefore, saying the solution does not meet the goal is inaccurate.
問題分析
Core concept:
This question tests knowledge of how to investigate and remediate alerts in Azure Security Center (now part of Microsoft Defender for Cloud). Specifically, it focuses on where to find remediation guidance and recommendations associated with a security alert.
Why the answer is correct:
In Azure Security Center, when you open a security alert and choose Take Action, the interface provides response guidance and remediation steps. Expanding the Prevent future attacks section shows recommendations intended to reduce the likelihood of similar incidents recurring. This directly satisfies the requirement to view recommendations to resolve the alert in Security Center, because the portal surfaces actionable security guidance in the alert workflow itself.
Key features / configurations:
- Security alerts provide incident details, affected resources, and investigation context.
- The Take Action area in an alert includes remediation guidance.
- Prevent future attacks contains recommendations for hardening and reducing future risk.
- Azure Security Center integrates alert investigation with security posture improvement recommendations.
- Recommendations are designed to help remediate current exposure and improve ongoing protection.
Common misconceptions:
- Candidates often confuse Security alerts with the Recommendations blade. While the Recommendations area shows general posture issues, alert-specific remediation guidance can be accessed directly from the alert.
- Some assume Take Action is only for workflow or automation tasks, but it also includes guidance for remediation and prevention.
- Others think alerts only show detection details; in reality, Security Center also provides recommended next steps.
Exam tips:
- If the question asks for alert-specific remediation guidance, start from the alert itself.
- Look for Take Action when investigating a Security Center alert.
- Prevent future attacks is commonly where hardening recommendations are displayed.
- Distinguish between general security recommendations and recommendations tied to a specific alert.
5
問題 5
DRAG DROP -
You have an Azure subscription.
You need to delegate permissions to meet the following requirements:
✑ Enable and disable Azure Defender.
✑ Apply security recommendations to resource.
The solution must use the principle of least privilege.
Which Azure Security Center role should you use for each requirement? To answer, drag the appropriate roles to the correct requirements. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
パート1:
Select the correct answer(s) in the image below.
The correct mapping is: Enable and disable Azure Defender -> Security Admin; Apply security recommendations to a resource -> Subscription Contributor. Security Admin in Microsoft Defender for Cloud can manage security policies and Defender plans, including enabling or disabling Azure Defender/Defender for Cloud protections, without requiring full subscription ownership. Applying security recommendations usually changes the underlying Azure resource configuration, so Contributor permissions on the subscription are needed to remediate those resources. Resource Group Owner is more permissive than necessary, and Subscription Owner exceeds least-privilege requirements because it also grants access management capabilities.
6
問題 6
HOTSPOT -
You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The solution must minimize administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
パート1:
Microsoft Teams: ______
Microsoft Teams logs are collected through Microsoft 365 audit data (Unified Audit Log) and related Microsoft 365 service telemetry. In Microsoft Sentinel, the built-in connector for these SaaS signals is the Office 365 (Microsoft 365) data connector. This is the lowest administrative effort option because it’s a native integration: you enable the connector, grant the required permissions, and Sentinel pulls the relevant audit/activity data without you building custom ingestion.
Why others are wrong:
- A. Custom: would require creating and maintaining a custom ingestion pipeline (Graph API polling, custom tables, DCRs, etc.), which increases effort.
- C. Security Events: targets Windows security event logs, not Teams.
- D. Syslog: is for syslog-based devices/hosts (commonly Linux/network devices), not Microsoft 365 SaaS audit logs.
パート2:
Linux virtual machines in Azure: ______
For Linux virtual machines, the standard log source is syslog (e.g., auth, authpriv, daemon, kern). In Microsoft Sentinel, Linux log ingestion is typically configured by enabling Syslog collection via the Log Analytics agent or Azure Monitor Agent (AMA) and sending those syslog events into the Log Analytics workspace connected to Sentinel. This is the most straightforward and lowest-effort connector type among the options because it aligns with native Linux logging and Sentinel’s built-in syslog ingestion patterns.
Why others are wrong:
- A. Custom: unnecessary unless you have a non-syslog format or specialized ingestion needs; it increases operational overhead.
- B. Office 365: applies to Microsoft 365 services, not IaaS Linux VMs.
- C. Security Events: is primarily for Windows Event Logs (Security log) and not the typical connector choice for Linux.
7
問題 7
(2つ選択)
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Entity behavior analytics (UEBA) helps identify anomalous behavior by analyzing entities (users, hosts) and enriching incidents with insights. However, UEBA does not perform outbound actions like sending Teams messages. It’s a detection/enrichment capability, not an automation mechanism for incident notifications.
Associating a playbook to the analytics rule ensures the playbook runs automatically when that rule generates alerts/incidents. This is the key step that turns a Logic App workflow into an automated response. Without this association (or an automation rule), the Teams notification won’t trigger when the sign-in risk incident is activated.
The Fusion rule is a Microsoft Sentinel correlation capability that combines multiple alerts into higher-fidelity incidents using ML. It can improve incident quality but does not send notifications to Teams. Fusion is about detection and correlation, not automated response actions.
Adding (creating) a playbook is required to implement the action of posting a message to a Microsoft Teams channel. In Sentinel, playbooks are Logic Apps that can use the Teams connector to post channel messages. This provides the actual workflow that will run when the incident is created/activated.
Workbooks provide dashboards and interactive reports for monitoring and investigation. They do not execute actions or automate responses. Creating a workbook could help visualize sign-in risk incidents, but it will not send a Teams message when an incident is activated.
問題分析
Core concept:
This question tests Microsoft Sentinel incident response automation using Playbooks (Azure Logic Apps). In Sentinel, analytics rules generate alerts and can create incidents. To notify Microsoft Teams when a specific incident type (sign-in risk event) is activated, you automate the response with a playbook and ensure it runs when the incident is created/updated.
Why the answer is correct:
You must (1) create/add a playbook that posts a message to a Teams channel, and (2) associate that playbook to the analytics rule (or incident trigger) so it executes automatically when the rule creates an incident. In Sentinel, playbooks are the mechanism for outbound notifications (Teams, email, ServiceNow, etc.). Simply having a playbook in the workspace is not enough; it must be attached to the rule (automation) so it runs at the right time.
Key features and configuration points:
- Playbooks are built on Azure Logic Apps. For Teams, you typically use the Microsoft Teams connector action such as “Post message in a chat or channel.”
- The playbook trigger is commonly “When a response to an Azure Sentinel alert is triggered” (alert-based) or “When an incident is created/updated” (incident-based), depending on the template and requirement.
- Association is done via the analytics rule’s “Automated response” (or via Automation rules in Sentinel). For exam purposes, attaching the playbook to the analytics rule that triggered the incident is the direct linkage described.
- Ensure permissions: Sentinel playbooks require appropriate role assignments (e.g., Microsoft Sentinel Responder/Contributor and Logic App permissions) and connector authorization for Teams.
Common misconceptions:
- Enabling Fusion or Entity Behavior Analytics improves detection/correlation, but does not send notifications.
- Workbooks are for visualization/reporting, not automation.
- Creating a playbook without associating it to the rule (or an automation rule) will not trigger messages automatically.
Exam tips:
For “send a message / create a ticket / call a webhook when an alert/incident happens,” think: Playbook (Logic App) + attach it via analytics rule automated response or an automation rule. Distinguish detection features (Fusion, UEBA) from response automation (playbooks).
8
問題 8
You create a hunting query in Azure Sentinel.
You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.
What should you use?
A playbook is the only option listed that is designed for automated actions such as sending notifications. In Microsoft Sentinel, playbooks are based on Azure Logic Apps and are commonly used to notify analysts or take response actions when security events are detected. While a hunting query itself is not a native alert source, operationalizing the detection flow to produce notifications relies on automation, and a playbook is the relevant Sentinel feature among the choices. Therefore, it is the best answer available for receiving a notification with minimal additional custom analysis tooling.
A notebook is used for interactive investigation, enrichment, and advanced analysis, often with Python and data science workflows. It is not intended to monitor a hunting query continuously or generate notifications in the Azure portal when matches occur. Using a notebook would increase effort rather than minimize it because it requires manual execution and analytical setup. Therefore, it does not satisfy the requirement for prompt notification.
A livestream lets analysts watch query results update in near real time, which is useful during active investigations. However, it is primarily a visualization and monitoring experience rather than a notification mechanism that raises alerts in the Azure portal. The question specifically asks to receive a notification, and livestream does not serve as the standard alerting or automation feature for that purpose. As a result, it is not the best answer here.
A bookmark is used to save interesting events or results during an investigation so they can be revisited or attached to incidents. It does not execute queries, monitor for future matches, or generate notifications. Bookmarks are purely investigative artifacts and provide no automated detection or alerting capability. Therefore, they cannot meet the stated requirement.
問題分析
Core concept: Microsoft Sentinel hunting queries are primarily investigative and do not natively generate alerts or portal notifications just because they find matches. To receive a notification when matching activity is detected, you need automation tied to alerting or incident workflows. Why correct: Of the available options, a playbook is the only feature associated with sending notifications and automating response actions in Sentinel. Key features: playbooks are built on Azure Logic Apps and can send emails, Teams messages, or perform other response actions when triggered by Sentinel alerts or incidents. Common misconceptions: livestream is for interactive, near-real-time viewing of query results, but it is not the standard notification mechanism; notebooks and bookmarks are investigation aids, not alerting tools. Exam tips: when the requirement is notification or automated response, think playbook/automation; when the requirement is exploratory analysis, think hunting queries, notebooks, and bookmarks.
9
問題 9
HOTSPOT -
You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.
What should you recommend for each threat? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
パート1:
Internal threat: ______
Correct: B. Modify the access policy settings for the key vault.
An “internal threat” alert for Key Vault typically means a principal that already has access is performing suspicious actions (for example, unusual secret retrieval patterns, access from atypical locations, or excessive permissions being used). The most direct remediation is to reduce or correct permissions by modifying existing access policies (or RBAC role assignments in RBAC-enabled vaults) to enforce least privilege—e.g., remove broad Secret/Get/List permissions, scope to only required operations, and ensure only approved identities have access.
Why not A: Resource locks protect against management-plane changes (delete/update) but do not prevent data-plane operations like reading secrets/keys/certificates by an authorized identity.
Why not C: Creating a new access policy is typically used to grant access, not remediate an internal misuse scenario. Remediation usually involves tightening/removing existing permissions rather than adding new ones.
パート2:
External threat: ______
Correct: B. Modify the Key Vault firewall settings.
An “external threat” alert generally indicates the vault may be exposed to access attempts from the public internet or untrusted IP ranges. Key Vault provides a native firewall (“Networking” settings) where you can restrict access to selected networks, allow only specific public IPs, or require private endpoint access. Tightening these settings directly reduces the attack surface and is the most targeted remediation for external/network-based threats against a PaaS endpoint.
Why not A: Azure Firewall can help control outbound/inbound traffic for VNets, but it does not replace Key Vault’s own network controls for the public endpoint and is not the most direct fix for a Key Vault exposure alert.
Why not C: NSGs apply to subnets/NICs in VNets. They don’t govern access to Key Vault’s public endpoint and are not the primary control for restricting who can reach the vault.
10
問題 10
HOTSPOT -
You have an Azure subscription that uses Azure Defender.
You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts.
You need to create an Azure policy that will perform threat remediation automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
パート1:
Set available effects to: ______
DeployIfNotExists is the correct Azure Policy effect when you need the policy to automatically deploy a required resource/configuration if it is missing. In this case, the goal is to ensure the components needed for automatic threat remediation (for example, a Defender for Cloud automation configuration and/or a Logic App) are present at the target scope. DeployIfNotExists supports remediation tasks and can create resources via an ARM template when non-compliance is detected.
Append is used to add fields to a resource request during creation/update (for example, adding tags). It does not deploy separate resources like workflow automation or Logic Apps. EnforceRegoPolicy is associated with policy-as-code scenarios (OPA/Rego) and is not the standard mechanism for deploying Defender for Cloud workflow automation resources. Therefore, DeployIfNotExists is the only option that matches “create an Azure policy” that results in automatic deployment/remediation capability.
パート2:
To perform remediation use: ______
To perform remediation in response to Defender for Cloud threat alerts using workflow automation, the best fit is an Azure Logic Apps workflow with the Defender for Cloud alert trigger: “When an Azure Security Center (Defender for Cloud) Alert is created or triggered.” This trigger is designed specifically for alert-driven automation and is the common exam answer for implementing automated response actions (containment, notification, ticketing, enrichment).
An Azure Automation runbook with a webhook can be used for automation, but it is not the primary/native workflow automation pattern referenced for Defender for Cloud alert-based workflow automation in this context, and it typically requires additional wiring (calling the webhook from an action group/Logic App). The option “When a response to an Azure Security Center alert is triggered” is not the standard Logic Apps trigger used for Defender for Cloud alert creation events; the canonical trigger is the alert-created/triggered event. Hence, option B is the most accurate.
