SC-200: Microsoft Security Operations Analyst Part 4
Question #: 204
Topic #: 3
You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named User1.
You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. User Access Administrator
B. Owner
C. Contributor
D. Reader
Selected Answer: C
Question #: 205
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user named User1.
You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege.
Which role should you assign to User1?
A. Security operator
B. Security Admin
C. Owner
D. Contributor
Selected Answer: B
Question #: 207
Topic #: 3
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?
A. a repository connection
B. a watchlist
C. an analytics rule
D. an automation rule
Selected Answer: D
Question #: 208
Topic #: 2
You have an Azure subscription that contains a user named User1.
User1 is assigned an Azure Active Directory Premium Plan 2 license.
You need to identify whether the identity of User1 was compromised during the last 90 days.
What should you use?
A. the risk detections report
B. the risky users report
C. Identity Secure Score recommendations
D. the risky sign-ins report
Selected Answer: B
Question #: 209
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.
You need to onboard EC2-1 to Defender for Cloud.
What should you install on EC2-1?
A. the Log Analytics agent
B. the Azure Connected Machine agent
C. the unified Microsoft Defender for Endpoint solution package
D. Microsoft Monitoring Agent
Selected Answer: B
Question #: 210
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.
What should you configure first?
A. the User enrichment settings
B. the Azure connector
C. the Office 365 connector
D. the Automatic log upload settings
Selected Answer: C
Question #: 211
Topic #: 3
You have a Microsoft Sentinel workspace.
You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must minimize administrative effort.
Which rule type should you query?
A. Fusion
B. Microsoft Security
C. ML Behavior Analytics
D. Scheduled
Selected Answer: A
Question #: 212
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual machines that run Windows Server 2019.
You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements:
• Limit the maximum request time to two hours.
• Limit protocols access to Remote Desktop Protocol (RDP) only.
• Minimize administrative effort.
What should you use?
A. Azure AD Privileged Identity Management (PIM)
B. Azure Policy
C. Azure Bastion
D. Azure Front Door
Selected Answer: B
Question #: 213
Topic #: 3
You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines.
You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:
• Minimize administrative effort.
• Minimize the parsing required to read log data.
What should you configure?
A. a Log Analytics Data Collector API
B. REST API integration
C. a Common Event Format (CEF) connector
D. a Syslog connector
Selected Answer: C
Question #: 214
Topic #: 1
HOTSPOT
You have a custom detection rule that includes the following KQL query.
For each of the following statements, select Yes if True. Otherwise, select No.
NOTE: Each correct selection is worth one point.
A. a Log Analytics Data Collector API
B. REST API integration
C. a Common Event Format (CEF) connector
D. a Syslog connector
Selected Answer: D
Question #: 217
Topic #: 1
You have an Azure subscription that uses Microsoft Defender for Servers Plan 1 and contains a server named Server1.
You enable agentless scanning.
You need to prevent Server1 from being scanned. The solution must minimize administrative effort.
What should you do?
A. Create an exclusion tag.
B. Upgrade the subscription to Defender for Servers Plan 2.
C. Create a governance rule.
D. Create an exclusion group.
Selected Answer: A
Question #: 219
Topic #: 1
You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
B. From Cloud apps, select Files, and then filter File Type to Document.
C. From Settings, select Information Protection, select Files, and then enable file monitoring.
D. From Cloud apps, select Files, and then filter App to Office 365.
E. From Cloud apps, select Files, and then select New policy from search.
F. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
Selected Answer: EF
Question #: 220
Topic #: 2
You have an Azure subscription that contains a virtual machine named VM1 and uses Microsoft Defender for Cloud.
Microsoft Defender for Cloud has automatic provisioning configured to use Azure Monitor Agent.
You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.
What should you do first?
A. From Microsoft Defender for Cloud, export the alerts to a Log Analytics workspace.
B. From Microsoft Defender for Cloud, add a workflow automation.
C. On VM1, trigger a PowerShell alert.
D. On VM1, run the Get-MPThreatCatalog cmdlet.
Selected Answer: C
Question #: 225
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.
What should you use in the Microsoft 365 Defender portal?
A. incidents
B. Remediation
C. Investigations
D. Advanced hunting
Selected Answer: D
Question #: 226
Topic #: 3
You have a Microsoft Sentinel workspace.
You have a query named Query1 as shown in the following exhibit.
You plan to create a custom parser named Parser1.
You need to use Query1 in Parser1.
What should you do first?
A. Remove line 5.
B. Remove line 2.
C. In line 3, replace the !contains operator with the !has operator.
D. In line 4, remove the TimeGenerated predicate.
Selected Answer: B
Question #: 231
Topic #: 3
You have a Microsoft Sentinel workspace.
You receive multiple alerts for failed sign-in attempts to an account.
You identify that the alerts are false positives.
You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements:
• Ensure that failed sign-in alerts are generated for other accounts.
• Minimize administrative effort.
What should you do?
A. Modify the analytics rule.
B. Create a watchlist.
C. Add an activity template to the entity behavior.
D. Create an automation rule.
Selected Answer: D
Question #: 232
Topic #: 2
You have the resources shown in the following table.
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to enable Microsoft Defender for Servers on each resource.
Which resources will require the installation of the Azure Arc agent?
A. Server3 only
B. Server1 and Server4 only
C. Server1, Server2, and Server4 only
D. Server1, Server2, Server3, and Server4
Selected Answer: C
Question #: 241
Topic #: 1
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.
You onboard the devices to Microsoft Defender 365.
You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.
What should you do first?
A. Modify the permissions for Microsoft 365 Defender.
B. Create a device group.
C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
D. Configure role-based access control (RBAC).
Selected Answer: C
Question #: 244
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.
You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure auto-provisioning by setting the security event storage to Common.
B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.
C. From the Azure portal, create an Azure Event Grid subscription.
D. Configure auto-provisioning by setting the security event storage to All Events.
E. From Defender for Cloud in the Azure portal, enable Microsoft Defender for Servers.
Selected Answer: AE
Question #: 247
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) subscription. The subscription contains multiple virtual machines that run Windows Server.
You need to enable Microsoft Defender for Servers on the virtual machines.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct answer is worth one point.
A. From Defender for Cloud, enable agentless scanning.
B. Onboard the virtual machines to Microsoft Defender for Endpoint.
C. From Defender for Cloud, configure the AWS connector.
D. Install the Azure Virtual Machine Agent (VM Agent) on each virtual machine.
E. From Defender for Cloud, configure auto-provisioning.
Selected Answer: CE
Question #: 250
Topic #: 1
You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365.
You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.
Which response action should you use?
A. Run antivirus scan
B. Initiate Automated Investigation
C. Collect investigation package
D. Initiate Live Response Session
Selected Answer: C
Question #: 252
Topic #: 1
You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Settings, select Cloud App, select Microsoft Information Protection, and then select Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.
B. From Cloud apps, select Files, and then filter File Type to Document.
C. From Settings, select Cloud App, select Microsoft Information Protection, select Files, and then enable file monitoring.
D. From Cloud apps, select Files, and then filter App to Office 365.
E. From Cloud apps, select Files, and then select New policy from search.
F. From Settings, select Cloud App, select Microsoft Information Protection, and then select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.
Selected Answer: CF
Question #: 253
Topic #: 2
You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Microsoft Defender for Cloud and configure Defender for Cloud to use workspace1.
You need to collect security event logs from the Azure virtual machines that report to workspace1.
What should you do?
A. From Defender for Cloud, modify Microsoft Defender for Servers plan settings.
B. In sub1, register a provider.
C. From Defender for Cloud, create a workflow automation.
D. In workspace1, create a workbook.
Selected Answer: A
Question #: 254
Topic #: 3
You have a Microsoft Sentinel workspace.
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Create a hunting query that references the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
E. Create an analytics rule that includes the built-in parser.
Selected Answer: BC
Question #: 259
Topic #: 3
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A. an analytic rule
B. a watchlist
C. a workbook
D. a hunting query
Selected Answer: B
Question #: 260
Topic #: 3
You have an Azure subscription that contains a Microsoft Sentinel workspace.
You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.
What should you create first?
A. a hunting query in Microsoft Sentinel
B. an Azure logic app
C. an automation rule in Microsoft Sentinel
D. a trigger in Azure Functions
Selected Answer: B
Question #: 263
Topic #: 3
You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector.
You need to customize which details will be included when an alert is created for a specific event.
What should you do?
A. Enable User and Entity Behavior Analytics (UEBA).
B. Create a Data Collection Rule (DCR).
C. Modify the properties of the connector.
D. Create a scheduled query rule.
Selected Answer: D
Question #: 264
Topic #: 3
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema.
You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort.
What should you do first?
A. Copy the parsers to the Azure Monitor Logs page.
B. Create a JSON file based on the DNS template.
C. Create an XML file based on the DNS template.
D. Create a YAML file based on the DNS template.
Selected Answer: D
Question #: 274
Topic #: 3
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?
A. the incident automation settings
B. the query rule
C. entity mapping
D. the Alert automation settings
Selected Answer: B
Question #: 275
Topic #: 3
You need to visualize Microsoft Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
What should you use?
A. notebooks in Microsoft Sentinel
B. Microsoft Defender for Cloud Apps
C. Azure Monitor
Selected Answer: A
Question #: 281
Topic #: 3
You have a Microsoft Sentinel workspace.
You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs.
The following entities are detected in the Azure AD tenant:
• App name: App1
• IP address: 192.168.1.2
• Computer name: Device1
• Used client app: Microsoft Edge
• Email address: user1@company.com
• Sign-in URL: https://www.company.com
Which entities can be investigated by using UEBA?
A. IP address and email address only
B. app name, computer name, IP address, email address, and used client app only
C. IP address only
D. used client app and app name only
Selected Answer: B
Question #: 285
Topic #: 3
You have a Microsoft Sentinel workspace that uses the Microsoft 365 Defender data connector.
From Microsoft Sentinel, you investigate a Microsoft 365 incident.
You need to update the incident to include an alert generated by Microsoft Defender for Cloud Apps.
What should you use?
A. the entity side panel of the Timeline card in Microsoft Sentinel
B. the Timeline tab on the incidents page of Microsoft Sentinel
C. the investigation graph on the incidents page of Microsoft Sentinel
D. the Alerts page in the Microsoft 365 Defender portal
Selected Answer: A
Question #: 286
Topic #: 3
You have a Microsoft Sentinel workspace.
You investigate an incident that has the following entities:
• A user account named User1
• An IP address of 192.168.10.200
• An Azure virtual machine named VM1
• An on-premises server named Server1
You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.
Which entity can you label?
A. 192.168.10.200
B. VM1
C. Server1
D. User1
Selected Answer: A
Question #: 287
Topic #: 3
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin Logs.
You need to ensure that failed interactive sign-ins are detected. The solution must minimize administrative effort.
What should you use?
A. a scheduled alert query
B. the Activity Log data connector
C. a UEBA activity template
D. a hunting query
Selected Answer: C
Question #: 291
Topic #: 3
You have 50 Microsoft Sentinel workspaces.
You need to view all the incidents from all the workspaces on a single page in the Azure portal. The solution must minimize administrative effort.
Which page should you use in the Azure portal?
A. Microsoft Sentinel – Incidents
B. Microsoft Sentinel – Workbooks
C. Microsoft Sentinel
D. Log Analytics workspaces
Selected Answer: A