SC-200: Microsoft Security Operations Analyst Part 3
Question #: 138
Topic #: 1
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company’s United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.
Selected Answer: AB
Question #: 139
Topic #: 3
You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.
You need to create a query that will be used to display the time chart.
What should you include in the query?
A. extend
B. bin
C. makeset
D. workspace
Selected Answer: B
Question #: 140
Topic #: 1
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 141
Topic #: 2
You create an Azure subscription.
You enable Azure Defender for the subscription.
You need to use Azure Defender to protect on-premises computers.
What should you do on the on-premises computers?
A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.
Selected Answer: A
Question #: 142
Topic #: 3
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a playbook.
B. Associate a playbook to an incident.
C. Enable Entity behavior analytics.
D. Create a workbook.
E. Enable the Fusion rule.
Selected Answer: AB
Question #: 143
Topic #: 3
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
What should you use?
A. notebooks in Azure Sentinel
B. Microsoft Cloud App Security
C. Azure Monitor
D. hunting queries in Azure Sentinel
Selected Answer: A
Question #: 144
Topic #: 2
A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.
The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center.
You need to ensure that the security administrator receives email alerts for all the activities.
What should you configure in the Security Center settings?
A. the severity level of email notifications
B. a cloud connector
C. the Azure Defender plans
D. the integration settings for Threat detection
Selected Answer: A
Question #: 145
Topic #: 1
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
A. the Threat Protection Status report in Microsoft Defender for Office 365
B. the mailbox audit log in Exchange
C. the Safe Attachments file types report in Microsoft Defender for Office 365
D. the mail flow report in Exchange
Selected Answer: A
Question #: 147
Topic #: 3
You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?
A. extend
B. bin
C. count
D. workspace
Selected Answer: C
Question #: 148
Topic #: 1
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:
✑ Microsoft Excel macros that download scripts from untrusted websites
✑ Users that open executable attachments in Microsoft Outlook
✑ Outlook rules and forms exploits
What should you use?
A. Microsoft Defender Antivirus
B. attack surface reduction rules in Microsoft Defender for Endpoint
C. Windows Defender Firewall
D. adaptive application control in Azure Defender
Selected Answer: B
Question #: 150
Topic #: 3
You use Azure Sentinel.
You need to receive an alert in near real-time whenever Azure Storage account keys are enumerated.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a livestream
B. Add a data connector
C. Create an analytics rule
D. Create a hunting query.
E. Create a bookmark.
Selected Answer: AD
Question #: 151
Topic #: 1
You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in near real time.
What should you do to route events to the SIEM solution?
A. Create an Azure Sentinel workspace that has a Security Events connector.
B. Configure the Diagnostics settings in Azure AD to stream to an event hub.
C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.
D. Configure the Diagnostics settings in Azure AD to archive to a storage account.
Selected Answer: B
Question #: 156
Topic #: 3
You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
A. Create a Microsoft incident creation rule
B. Share the incident URL
C. Create a scheduled query rule
D. Assign the incident
Selected Answer: B
Question #: 157
Topic #: 1
You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled.
You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.
What should you do first?
A. From Azure Security Center, add a workflow automation.
B. On VM1, run the Get-MPThreatCatalog cmdlet.
C. On VM1 trigger a PowerShell alert.
D. From Azure Security Center, export the alerts to a Log Analytics workspace.
Selected Answer: C
Question #: 159
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 160
Topic #: 3
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable Entity behavior analytics.
B. Associate a playbook to the analytics rule that triggered the incident.
C. Enable the Fusion rule.
D. Add a playbook.
E. Create a workbook.
Selected Answer: AB
Question #: 162
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.
What should you use?
A. a file policy in Microsoft Defender for Cloud Apps
B. an access review policy
C. an alert policy in Microsoft Defender for Office 365
D. an insider risk policy
Selected Answer: D
Question #: 163
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 164
Topic #: 2
You have five on-premises Linux servers.
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to use Defender for Cloud to protect the Linux servers.
What should you install on the servers first?
A. the Dependency agent
B. the Log Analytics agent
C. the Azure Connected Machine agent
D. the Guest Configuration extension
Selected Answer: C
Question #: 165
Topic #: 3
You have the following environment:
✑ Azure Sentinel
✑ A Microsoft 365 subscription
✑ Microsoft Defender for Identity
✑ An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
B. Modify the permissions of the Domain Controllers organizational unit (OU).
C. Configure auditing in the Microsoft 365 compliance center.
D. Configure Windows Event Forwarding on the domain controllers.
Selected Answer: AD
Question #: 166
Topic #: 1
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.
You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?
A. the Incidents blade of the Microsoft 365 Defender portal
B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
C. Activity explorer in the Microsoft 365 compliance center
D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
Selected Answer: C
Question #: 168
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?
A. Investigations
B. Devices
C. Evidence and Response
D. Alerts
Selected Answer: C
Question #: 169
Topic #: 3
You use Azure Sentinel.
You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
A. Azure Sentinel Contributor
B. Security Administrator
C. Azure Sentinel Responder
D. Logic App Contributor
Selected Answer: A
Question #: 171
Topic #: 1
You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.
You need to identify all the changes made to Domain Admins group during the past 30 days.
What should you use?
A. the Modifications of sensitive groups report in Microsoft Defender for Identity
B. the identity security posture assessment in Microsoft Defender for Cloud Apps
C. the Azure Active Directory Provisioning Analysis workbook
D. the Overview settings of Insider risk management
Selected Answer: A
Question #: 172
Topic #: 3
You create a hunting query in Azure Sentinel.
You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.
What should you use?
A. a playbook
B. a notebook
C. a livestream
D. a bookmark
Selected Answer: C
Question #: 173
Topic #: 2
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.
What should you install first on Server1?
A. the Microsoft Monitoring Agent
B. the Azure Monitor agent
C. the Azure Arc agent
D. the Azure Pipelines agent
Selected Answer: C
Question #: 174
Topic #: 3
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Create a custom rule based on the Office 365 connector templates.
B. Create a Microsoft incident creation rule based on Azure Security Center.
C. Create a Microsoft Cloud App Security connector.
D. Create an Azure AD Identity Protection connector.
Selected Answer: AD
Question #: 175
Topic #: 1
You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.
You need to identify the impacted entities in an aggregated alert.
What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?
A. the Events tab of the alert
B. the Sensitive Info Types tab of the alert
C. Management log
D. the Details tab of the alert
Selected Answer: A
Question #: 176
Topic #: 3
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a livestream from a query.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 177
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.
You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted.
What should you review?
A. the activity logs of storage1
B. the Azure Storage Analytics logs
C. the alert details
D. the related entities of the alert
Selected Answer: B
Question #: 178
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You plan to create a hunting query from Microsoft Defender.
You need to create a custom tracked query that will be used to assess the threat status of the subscription.
From the Microsoft 365 Defender portal, which page should you use to create the query?
A. Threat analytics
B. Advanced Hunting
C. Explorer
D. Policies & rules
Selected Answer: B
Question #: 180
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort.
What should you do in the Microsoft 365 Defender portal?
A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.
B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.
C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.
D. Select Add indicator and set the IP address to 171.23.34.32/27.
Selected Answer: A
Question #: 181
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to filter the security alerts view to show the following alerts:
• Unusual user accessed a key vault
• Log on from an unusual location
• Impossible travel activity
Which severity should you use?
A. Informational
B. Low
C. Medium
D. High
Selected Answer: C
Question #: 183
Topic #: 1
You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addresses and URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender portal?
A. custom network indicators
B. live response for servers
C. endpoint detection and response (EDR) in block mode
D. web content filtering
Selected Answer: A
Question #: 184
Topic #: 2
You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.
You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.
Which JSON key should you search?
A. Description
B. Intent
C. ExtendedProperties
D. Entities
Selected Answer: B
Question #: 187
Topic #: 3
You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Sentinel bookmarks
B. Azure Automation runbooks
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
E. Azure Functions apps
Selected Answer: CD
Question #: 190
Topic #: 3
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort.
What should you use to create the visuals?
A. plotly
B. TensorFlow
C. msticpy
D. matplotlib
Selected Answer: C
Question #: 193
Topic #: 1
Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need to remediate the security risk.
What should you do?
A. Disable legacy protocols on the computers listed as exposed entities.
B. Enforce LDAP signing on the computers listed as exposed entities.
C. Modify the properties of the computer objects listed as exposed entities.
D. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.
Selected Answer: C
Question #: 195
Topic #: 2
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed.
You need to simulate an attack on the virtual machine that will generate an alert.
What should you do first?
A. Run the Log Analytics Troubleshooting Tool.
B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe.
C. Modify the settings of the Microsoft Monitoring Agent.
D. Run the MMASetup executable and specify the –foo argument.
Selected Answer: B
Question #: 196
Topic #: 1
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices.
You need to mark the file as safe and remove the file from quarantine on the devices.
What should you use in the Microsoft 365 Defender portal?
A. From the History tab in the Action center, revert the actions.
B. From the investigation page, review the AIR processes.
C. From Quarantine from the Review page, modify the rules.
D. From Threat tracker, review the queries.
Selected Answer: A
Question #: 198
Topic #: 1
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
A. Advanced hunting
B. Threat analytics
C. Incidents & alerts
D. Learning hub
Selected Answer: B
Question #: 199
Topic #: 3
You have a Microsoft Sentinel workspace that contains the following incident:
Brute force attack against Azure Portal analytics rule has been triggered.
You need to identify the geolocation information that corresponds to the incident.
What should you do?
A. From Overview, review the Potential malicious events map.
B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.
C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.
D. From Investigation, review insights on the incident entity.
Selected Answer: B
Question #: 200
Topic #: 2
You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.
You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From the workspace created by Defender for Cloud, set the data collection level to Common.
B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.
C. From the Azure portal, create an Azure Event Grid subscription.
D. From the workspace created by Defender for Cloud, set the data collection level to All Events.
E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.
Selected Answer: AE
Question #: 201
Topic #: 3
You have two Azure subscriptions that use Microsoft Defender for Cloud.
You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must minimize administrative effort.
What should you do in the Azure portal?
A. Create an Azure Policy assignment.
B. Modify the Workload protections settings in Defender for Cloud.
C. Create an alert rule in Azure Monitor.
D. Modify the alert settings in Defender for Cloud.
Selected Answer: A