Microsoft Updated SC-200 Exam Questions and Answers by iqra

Microsoft Sentinel “Microsoft security” analytics rules (for products like Defender for Cloud) create incidents from alerts generated by that product. Even if multiple identical Microsoft security rules exist for the same product, a single incoming alert will result in one incident in the workspace, not one per rule.

Azure Identity Protection is used to detect and remediate risky sign-ins based on user behavior and risk levels, but it does not configure decoy or Honeytoken accounts. Honeytoken accounts are a Defender for Identity feature, not an Identity Protection feature.

The solution described (configuring sign-in risk policies in Azure Identity Protection) relates to conditional access and risk-based sign-in responses, not to creating monitored decoy accounts.

Hence, the goal of configuring several accounts for attacker exploitation (Honeytoken monitoring) is not met by this solution.

To identify which anomaly rules are enabled in a Microsoft Sentinel workspace (here, SW1), you look at the Sentinel analytics configuration in the portal. In Microsoft’s documentation “Work with anomaly detection analytics rules in Microsoft Sentinel,” it explains:

“You can now find anomaly rules displayed in a grid in the Anomalies tab in the Analytics page. … On the Analytics page, select the Anomalies tab. … Status – whether the rule is enabled or disabled.” Microsoft Learn

Thus, anomaly detection rules are a subtype of analytics rules in Sentinel, and they are surfaced under the Analytics area (in the Anomalies tab). That is where you can review which anomaly detection rules are active (enabled) or not.

By contrast:

Settings is used for workspace-wide configurations (e.g. enabling UEBA, toggling anomalies on/off).

Entity behavior is a separate feature (UEBA) for monitoring entities and their behavioral baselines, not the repository of which anomaly rules are enabled.

Content hub is the repository of shared analytics templates and solutions you can import; it does not list which rules are enabled in your workspace.

Therefore, the correct place to review enabled anomaly detection rules is C. Analytics (specifically under the Anomalies tab).

In Microsoft Sentinel, ASIM (Advanced Security Information Model) parsers standardize data ingestion across different log sources. If you need to exclude a specific built-in, source-specific ASIM parser (for instance, to prevent it from being invoked by a unified parser), Microsoft documentation specifies creating a watchlist named _ASIM_Exclusions in your workspace.

The watchlist allows defining rules for exclusion by source or parser type—without modifying core ASIM logic—thus maintaining manageability and upgrade compatibility.

✅ Correct Answer: A. a watch list