SC-200: Microsoft Security Operations Analyst
Question #: 7
Topic #: 9
You need to implement the Azure Information Protection requirements.
What should you configure first?
A. Device health and compliance reports settings in Microsoft Defender Security Center
B. scanner clusters in Azure Information Protection from the Azure portal
C. content scan jobs in Azure Information Protection from the Azure portal
D. Advanced features from Settings in Microsoft Defender Security Center
Selected Answer: D
Question #: 8
Topic #: 4
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 100 virtual machines that run Windows Server.
You need to configure the collection of Windows Security event logs for ingestion to WS1. The solution must meet the following requirements:
• Capture a full user audit trail including user sign-in and user sign-out events.
• Minimize the volume of events.
• Minimize administrative effort.
Which event set should you select?
A. Minimal
B. Common
C. All events
D. Custom
Selected Answer: B
Question #: 9
Topic #: 5
You have a Microsoft 365 subscription that contains the following resources:
• 100 users that are assigned a Microsoft 365 E5 license
• 100 Windows 11 devices that are joined to the Microsoft Entra tenant
The users access their Microsoft Exchange Online mailbox by using Outlook on the web.
You need to ensure that if a user account is compromised, the Outlook on the web session token can be revoked. What should you configure?
A. security defaults in Microsoft Entra
B. Microsoft Entra Verified ID
C. a Conditional Access policy in Microsoft Entra
D. Microsoft Entra ID Protection
Selected Answer: C
Question #: 10
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 11
Topic #: 8
The issue for which team can be resolved by using Microsoft Defender for Endpoint?
A. executive
B. sales
C. marketing
Selected Answer: B
Question #: 12
Topic #: 12
You need to complete the query for failed sign-ins to meet the technical requirements.
Where can you find the column name to complete the where clause?
A. Security alerts in Azure Security Center
B. Activity log in Azure
C. Azure Advisor
D. the query window of the Log Analytics workspace
Selected Answer: D
Question #: 13
Topic #: 13
You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements.
Which two configurations should you modify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. the Onboarding settings from Device management in Microsoft Defender Security Center
B. Cloud App Security anomaly detection policies
C. Advanced features from Settings in Microsoft Defender Security Center
D. the Cloud Discovery settings in Cloud App Security
Selected Answer: CD
Question #: 18
Topic #: 4
You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps and has Cloud Discovery enabled.
You need to enrich the Cloud Discovery data. The solution must ensure that usernames in the Cloud Discovery traffic logs are associated with the user principal name (UPN) of the corresponding Microsoft Entra ID user accounts.
What should you do first?
A. From Conditional Access App Control, configure User monitoring.
B. Create a Microsoft 365 app connector.
C. Enable automatic redirection to Microsoft 365 Defender.
D. Create an Azure app connector.
Selected Answer: B
Question #: 19
Topic #: 5
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to configure Defender for Cloud to mitigate the following risks:
• Vulnerabilities within the application source code
• Exploitation toolkits in declarative templates
• Operations from malicious IP addresses
• Exposed secrets
Which two Defender for Cloud services should you use? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. Microsoft Defender for Resource Manager
B. Microsoft Defender for DNS
C. Microsoft Defender for App Service
D. Microsoft Defender for Servers
E. Microsoft Defender for DevOps
Selected Answer: AE
Question #: 20
Topic #: 12
You need to remediate active attacks to meet the technical requirements.
What should you include in the solution?
A. Azure Automation runbooks
B. Azure Logic Apps
C. Azure Functions
D. Azure Sentinel livestreams
Selected Answer: D
Question #: 21
Topic #: 11
You need to recommend a solution to meet the technical requirements for the Azure virtual machines.
What should you include in the recommendation?
A. just-in-time (JIT) access
B. Azure Defender
C. Azure Firewall
D. Azure Application Gateway
Selected Answer: B
Question #: 22
Topic #: 8
The issue for which team can be resolved by using Microsoft Defender for Office 365?
A. executive
B. marketing
C. security
D. sales
Selected Answer: B
Question #: 23
Topic #: 9
You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements and resolve the reported problem.
Which policy should you modify?
A. Activity from suspicious IP addresses
B. Activity from anonymous IP addresses
C. Impossible travel
D. Risky sign-in
Selected Answer: C
Question #: 24
Topic #: 1
You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.
Which anomaly detection policy should you use?
A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
Selected Answer: C
Question #: 25
Topic #: 2
You receive an alert from Azure Defender for Key Vault.
You discover that the alert is generated from multiple suspicious IP addresses.
You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users.
What should you do first?
A. Modify the access control settings for the key vault.
B. Enable the Key Vault firewall.
C. Create an application security group.
D. Modify the access policy for the key vault.
Selected Answer: B
Question #: 34
Topic #: 6
You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Sentinel workbooks
B. Azure Automation runbooks
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
E. Azure Functions apps
Selected Answer: CD
Question #: 35
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?
A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
Selected Answer: C
Question #: 39
Topic #: 6
You have an Azure subscription that contains a user named User1 and a Microsoft Sentinel workspace named WS1. WS1 uses Microsoft Defender for Cloud.
You have the Microsoft security analytics rules shown in the following table.
User1 performs an action that matches Rule1, Rule2, Rule3, and Rule4.
How many incidents will be created in WS1?
A. 1
B. 2
C. 3
D. 4
Selected Answer: D
Question #: 40
Topic #: 7
Your on-premises network contains an Active Directory Domain Services (AD DS) forest.
You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.
You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.
Which table should you query?
A. AADServicePrincipalRiskEvents
B. AADDomainServicesAccountLogon
C. SigninLogs
D. IdentityLogonEvents
Selected Answer: D
Question #: 41
Topic #: 13
You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements.
Which role should you assign?
A. Automation Operator
B. Automation Runbook Operator
C. Azure Sentinel Contributor
D. Azure Sentinel Responder
Selected Answer: C
Question #: 42
Topic #: 2
You have a Microsoft 365 subscription that uses Azure Defender.
You have 100 virtual machines in a resource group named RG1.
You assign the Security Admin role to a new user named SecAdmin1.
You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
A. the Security Reader role for the subscription
B. the Contributor for the subscription
C. the Contributor role for RG1
D. the Owner role for RG1
Selected Answer: C
Question #: 43
Topic #: 3
You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel.
What should you do first?
A. Add a new scheduled query rule.
B. Add a data connector to Azure Sentinel.
C. Configure a custom Threat Intelligence connector in Azure Sentinel.
D. Modify the trigger in the logic app.
Selected Answer: B
Question #: 46
Topic #: 4
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a user named User1.
You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security policies. The solution must follow the principle of least privilege.
Which role should you assign to User1?
A. Security Administrator
B. Security Operator
C. Cloud Device Administrator
D. Desktop Analytics Administrator
Selected Answer: A
Question #: 47
Topic #: 1
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company’s accounting team.
You need to hide false positives in the Alerts queue, while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
Selected Answer: BDE
Question #: 48
Topic #: 6
You have an on-premises network.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.
From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.
Suspected identity theft (pass-the-ticket) (external ID 2018)
You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.
What should you do?
A. Disable User1 only.
B. Quarantine Device1 only.
C. Reset the password for all the accounts that previously signed in to Device1.
D. Disable User1 and quarantine Device1.
E. Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.
Selected Answer: E
Question #: 49
Topic #: 2
You provision a Linux virtual machine in a new Azure subscription.
You enable Azure Defender and onboard the virtual machine to Azure Defender.
You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.
Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. cp /bin/echo ./asc_alerttest_662jfi039n
B. ./alerttest testing eicar pipe
C. cp /bin/echo ./alerttest
D. ./asc_alerttest_662jfi039n testing eicar pipe
Selected Answer: CD
Question #: 50
Topic #: 13
Which rule setting should you configure to meet the Azure Sentinel requirements?
A. From Set rule logic, turn off suppression.
B. From Analytics rule details, configure the tactics.
C. From Set rule logic, map the entities.
D. From Analytics rule details, configure the severity.
Selected Answer: C
Question #: 51
Topic #: 3
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.
A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.
You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.
What should you include in the recommendation?
A. built-in queries
B. livestream
C. notebooks
D. bookmarks
Selected Answer: C
Question #: 56
Topic #: 5
You have 500 on-premises devices.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You onboard 100 devices to Microsoft Defender 365.
You need to identify any unmanaged on-premises devices. The solution must ensure that only specific onboarded devices perform the discovery.
What should you do first?
A. Create a device group.
B. Create an exclusion.
C. Set Discovery mode to Basic.
D. Create a tag.
Selected Answer: C
Question #: 57
Topic #: 7
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.
You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:
• Identify all the active network connections on Device1.
• Identify all the running processes on Device1.
• Retrieve the login history of Device1.
• Minimize administrative effort.
What should you do first from the Microsoft Defender portal?
A. From Devices, click Collect investigation package for Device1.
B. From Advanced features in Endpoints, enable Live Response unsigned script execution.
C. From Devices, initiate a live response session on Device1.
D. From Advanced features in Endpoints, disable Authenticated telemetry.
Selected Answer: A
Question #: 58
Topic #: 3
You have a playbook in Azure Sentinel.
When you trigger the playbook, it sends an email to a distribution group.
You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.
What should you do?
A. Add a parameter and modify the trigger.
B. Add a custom data connector and modify the trigger.
C. Add a condition and modify the action.
D. Add an alert and modify the action.
Selected Answer: C
Question #: 59
Topic #: 2
You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to collect security event logs from the Azure virtual machines that report to workspace1.
What should you do?
A. From Security Center, enable data collection
B. In sub1, register a provider.
C. From Security Center, create a Workflow automation.
D. In workspace1, create a workbook.
Selected Answer: A
Question #: 64
Topic #: 5
You have a Microsoft 365 E5 subscription that contains a device named Device1. Device1 is enrolled in Microsoft Defender for Endpoint.
Device1 reports an incident that includes a file named File1.exe as evidence.
You initiate the Collect Investigation Package action and download the ZIP file.
You need to identify the first and last time File1.exe was executed.
What should you review in the investigation package?
A. Processes
B. Autoruns
C. Security event log
D. Scheduled tasks
E. Prefetch files
Selected Answer: E
Question #: 65
Topic #: 4
You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1.
You need to create a visual based on the SecurityEvent table. The solution must meet the following requirements:
• Identify the number of security events ingested during the past week.
• Display the count of events by day in a timechart.
What should you add to Workbook1?
A. a query
B. a metric
C. a group
D. links or tabs
Selected Answer: A
Question #: 66
Topic #: 3
You provision Azure Sentinel for a new Azure subscription.
You are configuring the Security Events connector.
While creating a new rule from a template in the connector, you decide to generate a new alert for every event.
You create the following rule query.
By which two components can you group alerts into incidents? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. user
B. resource group
C. IP address
D. computer
Selected Answer: AC
Question #: 70
Topic #: 5
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.
What should you install first on Server1?
A. the Microsoft Monitoring Agent
B. the Azure Monitor agent
C. the Azure Connected Machine agent
D. the Azure Pipelines agent
Selected Answer: C
Question #: 71
Topic #: 3
Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.
Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine’s respective subscription.
You deploy Azure Sentinel to a new Azure subscription.
You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add the Security Events connector to the Azure Sentinel workspace.
B. Create a query that uses the workspace expression and the union operator.
C. Use the alias statement.
D. Create a query that uses the resource expression and the alias operator.
E. Add the Azure Sentinel solution to each workspace.
Selected Answer: BE
Question #: 72
Topic #: 1
You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
Selected Answer: AE
Question #: 73
Topic #: 2
Your company uses Azure Security Center and Azure Defender.
The security operations team at the company informs you that it does NOT receive email notifications for security alerts.
What should you configure in Security Center to enable the email notifications?
A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender
Selected Answer: C
Question #: 76
Topic #: 5
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker performs the tactics shown in the following table.
You need to search for malicious activities in your organization.
Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?
A. Tactic2 only
B. Tactic1 and Tactic2 only
C. Tactic2 and Tactic3 only
D. Tactic1, Tactic2, and Tactic3
Selected Answer: D
Question #: 77
Topic #: 1
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly sensitive information.
You plan to perform automated actions on all devices.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.
Selected Answer: ACD
Question #: 78
Topic #: 6
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 1,000 Windows devices.
You have a PowerShell script named Script1.ps1 that is signed digitally.
You need to ensure that you can run Script1.ps1 in a live response session on one of the devices.
What should you do first from the live response session?
A. Run the library command.
B. Upload Script1.ps1 to the library.
C. Run the putfile command.
D. Modify the PowerShell execution policy of the device.
Selected Answer: B
Question #: 79
Topic #: 4
You have an Azure subscription.
You need to stream the Microsoft Graph activity logs to a third-party security information and event management (SIEM) tool. The solution must minimize administrative effort.
To where should you stream the logs?
A. an Azure Event Hubs namespace
B. an Azure Storage account
C. an Azure Event Grid namespace
D. a Log Analytics workspace
Selected Answer: A
Question #: 80
Topic #: 3
You have an Azure Sentinel workspace.
You need to test a playbook manually in the Azure portal.
From where can you run the test in Azure Sentinel?
A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents
Selected Answer: D