Microsoft Updated SC-200 Exam Questions and Answers by alissa

Microsoft Defender for Cloud (formerly Azure Security Center) ingests GCP security signals via a native GCP connector that reads findings from Google Cloud Security Command Center (SCC). The documented onboarding flow begins in GCP: first, enable the SCC API so the service can be invoked by tooling and service accounts. Next, configure SCC at the organization/project level (turn it on and set scope), then enable Security Health Analytics (SHA)—the built-in SCC detector that continuously evaluates resources and emits misconfiguration and vulnerability findings Defender for Cloud relies on. After telemetry is being produced, create a dedicated service account with the required reader roles and generate a private key (JSON); Defender for Cloud uses this credential to securely pull SCC findings. Finally, in Defender for Cloud, add a GCP cloud connector and provide the service account key to establish the connection and start ingestion. This sequence minimizes errors: APIs and detections are active before credentials are created, and the connector is added only after data is available, ensuring immediate validation and lowest administrative overhead.

In Microsoft 365 Defender advanced hunting, if you want to automatically receive alerts based on a KQL query—such as detecting when a process disables System Restore—you must convert that query into a custom detection rule. According to Microsoft’s official documentation, custom detection rules “run hunting queries on a schedule and create alerts and incidents when results are found.”

In order for the detection rule to function properly and correlate results across devices and incidents, the query must output DeviceId and ReportId. These fields are mandatory for any advanced hunting query that you want to convert into a detection rule because they uniquely identify the device and event instance. Without them, the rule cannot properly generate correlated alerts.

Therefore:

Create a detection rule (A) – ensures the query runs automatically and alerts are generated.

Add DeviceId and ReportId (E) – required for detection rule creation and accurate device/event correlation.

Other options are incorrect:

Suppression rule (B) filters alerts, not generate them.

Order by Timestamp (C) is optional for display, not alerting.

DeviceNetworkEvents (D) is unrelated to this process query.

In Microsoft Sentinel, roles define access based on least privilege.

To investigate incidents, a user needs permissions to view incidents, alerts, entities, and evidence, and to perform investigation actions (like assigning, commenting, or changing incident status).

Microsoft defines the Microsoft Sentinel Responder role as:

“Allows users to view incidents, assign incidents to themselves or others, change incident severity and status, and run playbooks.”

This is the minimal role required for incident investigation.

Reader: Can view data but cannot act on incidents.

Responder ✅: Can investigate and respond.

Contributor: Can create and edit rules, analytics, and automation (more privileges than required).

Automation Contributor: Used for playbook automation, not investigation.

✅ Answer: A. Microsoft Sentinel Responder

Defender for Cloud depends on the Log Analytics agent.

Use the Log Analytics agent if you need to:

* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure

* Etc.