Add to collection(s) Add to saved
  1. No category
Uploaded by endless dreamers

SC-200

advertisement 
Vendor: Microsoft
Exam Code: SC-200
Exam Name: Microsoft Security Operations Analyst
Version: 23.111
Important Notice
Product
Our Product Manager keeps an eye for Exam updates by Vendors. Free update is available within
One year after your purchase.
You can login member center and download the latest product anytime. (Product downloaded
from member center is always the latest.)
PS: Ensure you can pass the exam, please check the latest product in 2-3 days before the exam
again.
Feedback
We devote to promote the product quality and the grade of service to ensure customers interest.
If you have any questions about our product, please provide Exam Number, Version, Page
Number, Question Number, and your Login Account to us, please contact us at
support@passleader.com and our technical experts will provide support in 24 hours.
Copyright
The product of each order has its own encryption code, so you should use it independently.
If anyone who share the file we will disable the free update and account access.
Any unauthorized changes will be inflicted legal punishment. We will reserve the right of final
explanation for this statement.
Order ID:
****************
PayPal Name: ****************
PayPal ID:
****************
QUESTION 1
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
2
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
The issue for which team can be resolved by using Microsoft Defender for Endpoint?
A.
B.
C.
D.
executive
sales
marketing
security
Answer: B
Explanation:
Sales need iOS EndPoint Protection from DfE.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defenderatp/microsoft-defender-atp-ios
QUESTION 2
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
3
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
The issue for which team can be resolved by using Microsoft Defender for Office 365?
A.
B.
C.
D.
executive
marketing
security
sales
Answer: B
Explanation:
If the marketing team at Contoso has experienced incidents in which vendors uploaded files that
contain malware to SharePoint Online sites, Microsoft Defender for Office 365 could potentially
be useful for helping to protect against these types of threats.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-for-spo-odb-andteams?view=o365-worldwide
QUESTION 3
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
4
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
5
You need to recommend a solution to meet the technical requirements for the Azure virtual
machines.
What should you include in the recommendation?
A.
B.
C.
D.
just-in-time (JIT) access
Azure Defender
Azure Firewall
Azure Application Gateway
Answer: B
Explanation:
Defender for Cloud helps you limit exposure to brute force attacks.
https://docs.microsoft.com/en-us/azure/security-center/azure-defender
QUESTION 4
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
6
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
Hotspot Question
You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.
What should you recommend for each threat?To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
7
Explanation:
If the key vault is there, there would be a policy too. We need to modify that policy. For external
threats, we just need to update the "Network" section in the Key Vault configuration. So you don't
have to go to NSG or Azure firewall for this.
https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault
QUESTION 5
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
8
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
Hotspot Question
You need to create an advanced hunting query to investigate the executive team issue.
How should you complete the query?To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
9
Answer:
Explanation:
Box 1: CloudAppEvents
The AppFileEvents table, which contains file activities from these applications, will stop getting
populated with new data in early 2021. Activities involving these applications, including file
activities, will be recorded in the new CloudAppEvents table.
Box 2: Count
https://techcommunity.microsoft.com/t5/microsoft-365-defender/hunt-across-cloud-app-activitieswith-microsoft-365-defender/ba-p/1893857
QUESTION 6
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
10
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
11
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
You need to implement the Azure Information Protection requirements.
What should you configure first?
A.
B.
C.
D.
Device health and compliance reports settings in Microsoft Defender Security Center
scanner clusters in Azure Information Protection from the Azure portal
content scan jobs in Azure Information Protection from the Azure portal
Advanced features from Settings in Microsoft Defender Security Center
Answer: D
Explanation:
Turn on the Azure Information Protection integration so that when a file that contains sensitive
information is discovered by Defender for Endpoint though labels or information types, it is
automatically forwarded to Azure Information Protection from the device.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/information-protectionin-windows-overview?view=o365-worldwide#data-discovery-and-data-classification
QUESTION 7
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
12
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
13
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
You need to modify the anomaly detection policy settings to meet the Cloud App Security
requirements.
Which policy should you modify?
A.
B.
C.
D.
Activity from suspicious IP addresses
Activity from anonymous IP addresses
Impossible travel
Risky sign-in
Answer: C
Explanation:
Users connecting to two geographically separate locations at the same time would trigger the
impossible travel alert, however as these are legitimate then this setting needs to be altered to
include both network addresses.
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy#tune-anomalydetection-policies
QUESTION 8
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
14
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
15
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure
Sentinel requirements and the business requirements.
Which role should you assign?
A.
B.
C.
D.
Automation Operator
Automation Runbook Operator
Azure Sentinel Contributor
Logic App Contributor
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#microsoftsentinel-automation-contributor
QUESTION 9
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
16
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
17
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
You need to create the test rule to meet the Azure Sentinel requirements.
What should you do when you create the rule?
A.
B.
C.
D.
From Set rule logic, turn off suppression.
From Analytics rule details, configure the tactics.
From Set rule logic, map the entities.
From Analytics rule details, configure the severity.
Answer: C
Explanation:
Check any analytics rules, after you map the entities under the "Set rule logic" tab, then you can
enable the "Alert grouping" under "Incident settings" by selecting "Enabled", then select
"Grouping alerts into a single incident if the selected entity types and details match:" and select
the entities from the drop down menu.
If you don't map entities, you can't group alerts under "Incident settings" becuase the drop down
menu will show "no available items".
https://docs.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities#how-to-map-entities
QUESTION 10
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
18
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
19
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
Hotspot Question
You need to create the analytics rule to meet the Azure Sentinel requirements.
What should you do?To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
20
Answer:
Explanation:
Fusion rules are pre-built and cannot be custom.
None of the playbook options can be used except trigger so it must be trigger.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#set-automatedresponses-and-create-the-rule
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
QUESTION 11
You need to receive a security alert when a user attempts to sign in from a location that was
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
21
never used by the other users in your organization to sign in.
Which anomaly detection policy should you use?
A.
B.
C.
D.
Impossible travel
Activity from anonymous IP addresses
Activity from infrequent country
Malware detection
Answer: C
Explanation:
First, both "Impossible travel" and "Activity from infrequent country" are detection rule that help
prevent breaches from foreign attackers.
The difference between the rule is the type of historical data. "Impossible travel" actually
compares between the new location's sign-in with the last known one. So it basically means if
someone already logged into a location (corporate network with USA-based IP range) and now
he is logged into a China network then it is likely the user is compromised (assume the
organization doesn't have any traffic/record/association with China network). Moreover it is based
on geographically distant locations within a time period shorter. So in my example China is too far
from USA.
"Activity from infrequent country" is a bit different. Instead of comparing with the last known
location, it detects if an account is logged in from a country that has never been accessed by any
user in the organization. This rule is based on user behavior using entity behavioral analytics and
machine learning.
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
QUESTION 12
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents
contain customer account numbers that each consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?
A.
B.
C.
D.
SharePoint search
a hunting query in Microsoft 365 Defender
Azure Information Protection
RegEx pattern matching
Answer: C
Explanation:
You must use Azure AIP as a tool for DLP. And then Regex is a way to build your pattern in case
there is not any built-in sensitive pattern type that supports your case (account number with 32
char).
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
QUESTION 13
Your company uses line-of-business apps that contain Microsoft Office VBA macros.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
22
You plan to enable protection against downloading and running additional payloads from the
Office VBA macros as additional child processes.
You need to identify which Office VBA macros might be affected.
Which two commands can you run to achieve the goal?Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
Answer: AD
Explanation:
Must use Set-MpPreference with Enabled and then Add-MpPreference with Enabled. Audit does
not block.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surfacereduction?view=o365-worldwide#powershell
QUESTION 14
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used
frequently on the devices of the company's accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing security
posture.
Which three actions should you perform?Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Resolve the alert automatically.
Hide the alert.
Create a suppression rule scoped to any device.
Create a suppression rule scoped to a device group.
Generate the alert.
Answer: BDE
Explanation:
First you need to generate the alert, or you have nothing to suppress. Then a suppression rule on
those devices (not globally), then in the suppression rule - hide the alert.
In the Scope section, set the Scope by selecting specific device, multiple devices, device groups,
the entire organization or by user. In this question there is accounting team so there will be device
group.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
23
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-newalert-suppression-experience/ba-p/3562719
QUESTION 15
You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device managed
by Microsoft Defender during the last 24 hours.
Which two actions should you perform?Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Create a detection rule.
Create a suppression rule.
Add | order by Timestamp to the query.
Replace DeviceProcessEvents with DeviceNetworkEvents.
Add DeviceId and ReportId to the output of the query.
Answer: AE
Explanation:
- Create detection rule
- Add ReportId and DeviceId to the output
Both fields are supported in DeviceProcessEvents table.
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-huntingdeviceprocessevents-table?view=o365-worldwide)
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-findransomware?view=o365-worldwide#turning-off-system-restore-rules
QUESTION 16
You are investigating a potential attack that deploys a new ransomware strain.
You plan to perform automated actions on a group of highly valuable machines that contain
sensitive information.
You have three custom device groups.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform?Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Assign a tag to the device group.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
24
B.
C.
D.
E.
F.
Add the device users to the admin role.
Add a tag to the machines.
Create a new device group that has a rank of 1.
Create a new admin role.
Create a new device group that has a rank of 4.
Answer: ACD
Explanation:
https://docs.microsoft.com/en-us/learn/modules/deploy-microsoft-defender-for-endpointsenvironment/4-manage-access
QUESTION 17
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for
attackers to exploit.
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
QUESTION 18
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for
attackers to exploit.
Solution: From Azure Identity Protection, you configure the sign-in risk policy.
Does this meet the goal?
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
25
A. Yes
B. No
Answer: B
Explanation:
Honeytoken entities are used as traps for malicious actors. Any authentication associated with
these honeytoken entities triggers an alert.
Settings>Identities>Entity tags>Honey Token> Add Users or Devices
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
QUESTION 19
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for
attackers to exploit.
Solution: You add the accounts to an Active Directory group and add the group as a Sensitive
group.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
Manually tagging entities
You can also manually tag entities as sensitive or honeytoken accounts. If you manually tag
additional users or groups, such as board members, company executives, and sales directors,
Defender for Identity will consider them sensitive.
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
QUESTION 20
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
26
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the
Prevent future attacks section.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the
'Mitigate the threat' option.
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-respondingalerts
QUESTION 21
You receive an alert from Azure Defender for Key Vault.
You discover that the alert is generated from multiple suspicious IP addresses.
You need to reduce the potential of Key Vault secrets being leaked while you investigate the
issue. The solution must be implemented as soon as possible and must minimize the impact on
legitimate users.
What should you do first?
A.
B.
C.
D.
Modify the access control settings for the key vault.
Enable the Key Vault firewall.
Create an application security group.
Modify the access policy for the key vault.
Answer: B
Explanation:
You create firewall rules and adds trusted range to ensure Key Vault can only be accessed from
those trusted IP addresses while you are doing investigation.
https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-usage
QUESTION 22
You have a Microsoft 365 subscription that uses Azure Defender.
You have 100 virtual machines in a resource group named RG1.
You assign the Security Admin roles to a new user named SecAdmin1.
You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure
Defender. The solution must use the principle of least privilege.
Which role should you assign to SecAdmin1?
A. the Security Reader role for the subscription
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
27
B. the Contributor for the subscription
C. the Contributor role for RG1
D. the Owner role for RG1
Answer: C
Explanation:
To ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender,
while also following the principle of least privilege, you should assign the Contributor role for RG1
to SecAdmin1.
The Contributor role for RG1 will allow SecAdmin1 to perform tasks such as deploying resources
and modifying resource properties within RG1, but it will not grant them access to perform
administrative tasks at the subscription level. This will allow SecAdmin1 to apply quick fixes to the
virtual machines using Azure Defender, while still adhering to the principle of least privilege.
QUESTION 23
You provision a Linux virtual machine in a new Azure subscription.
You enable Azure Defender and onboard the virtual machine to Azure Defender.
You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.
Which two Bash commands should you run on the virtual machine?Each correct answer presents
part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
cp /bin/echo ./asc_alerttest_662jfi039n
./alerttest testing eicar pipe
cp /bin/echo ./alerttest
./asc_alerttest_662jfi039n testing eicar pipe
Answer: AD
Explanation:
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation#simulatealerts-on-your-azure-vms-linux-
QUESTION 24
You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to ensure that Security Center processes events from the Azure virtual machines that
report to workspace1.
What should you do?
A. From Security Center, enable data collection
B. In sub1, register a provider.
C. From Security Center, create a Workflow automation.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
28
D. In workspace1, create a workbook.
Answer: A
Explanation:
Data collection
Store additional raw data - Windows security events
To help audit, investigate, and analyze threats, you can collect raw events, logs, and additional
security data and save it to your Log Analytics workspace.
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
QUESTION 25
Your company uses Azure Security Center and Azure Defender.
The security operations team at the company informs you that it does NOT receive email
notifications for security alerts.
What should you configure in Security Center to enable the email notifications?
A.
B.
C.
D.
E.
Security solutions
Security policy
Pricing & settings
Security alerts
Azure Defender
Answer: C
Explanation:
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contactdetails
QUESTION 26
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Regulatory compliance, you download the report.
Does this meet the goal?
A. Yes
B. No
Answer: B
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
29
Explanation:
The correction option would be to choose "mitigate the threat" as the recommendations from this
tab resolves the alert, whereas the other "Prevent.." Just provides recommendations in general.
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-respondingalerts
QUESTION 27
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the
Mitigate the threat section.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-respondingalerts
QUESTION 28
You plan to create a custom Azure Sentinel query that will track anomalous Azure Active
Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.
You need to create a query that will be used to display the time chart.
What should you include in the query?
A.
B.
C.
D.
extend
bin
makeset
workspace
Answer: B
Explanation:
Grouping results can also be based on a time column, or another continuous value. Simply
summarizing by TimeGenerated, though, would create groups for every single millisecond over
the time range, because these are unique values.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
30
To create groups that are based on continuous values, it's best to break the range into
manageable units by using bin.
QUESTION 29
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious
IP address is detected.
Which two actions should you perform in Azure Sentinel?Each correct answer presents part of
the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Add a playbook.
Associate a playbook to an incident.
Enable Entity behavior analytics.
Create a workbook.
Enable the Fusion rule.
Answer: AB
Explanation:
Playbooks are collections of procedures that can be run from Azure Sentinel in response to an
alert or incident. A playbook can help automate and orchestrate your response, and can be set to
run automatically when specific alerts or incidents are generated, by being attached to an
analytics rule or an automation rule, respectively. It can also be run manually on-demand.
Playbooks in Azure Sentinel are based on workflows built in Azure Logic Apps, which means that
you get all the power, customizability, and built-in templates of Logic Apps.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
QUESTION 30
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources
to identify indicators of compromise (IoC).
What should you use?
A.
B.
C.
D.
notebooks in Azure Sentinel
Microsoft Cloud App Security
Azure Monitor
hunting queries in Azure Sentinel
Answer: A
Explanation:
The Azure portal and all Azure Sentinel tools use a common API to access this data store.
The same API is also available for external tools such as Jupyter notebooks and Python. While
many common tasks can be carried out in the portal, Jupyter extends the scope of what you can
do with this data. It combines full programmability with a huge collection of libraries for machine
learning, visualization, and data analysis. These attributes make Jupyter a compelling tool for
security investigation and hunting.
https://docs.microsoft.com/en-us/azure/sentinel/notebooks
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
31
QUESTION 31
You plan to create a custom Azure Sentinel query that will provide a visual representation of the
security alerts generated by Azure Security Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?
A.
B.
C.
D.
extend
bin
count
workspace
Answer: C
Explanation:
Sample query :
requests
| summarize Requests = count() by Result = strcat('Http ', resultCode)
| order by Requests desc
The query returns two columns: Requests metric and Result category. Each value of the Result
column will get its own bar in the chart with height proportional to the Requests metric.
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-chart-visualizations
QUESTION 32
You use Azure Sentinel.
You need to receive an immediate alert whenever Azure Storage account keys are enumerated.
Which two actions should you perform?Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Create a livestream
Add a data connector
Create an analytics rule
Create a hunting query.
Create a bookmark.
Answer: AD
Explanation:
Use hunting livestream to create interactive sessions that let you test newly created queries as
events occur, get notifications from the sessions when a match is found, and launch
investigations if necessary. You can quickly create a livestream session using any Log Analytics
query.
https://docs.microsoft.com/en-us/azure/sentinel/livestream
QUESTION 33
You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD)
users. The logic app is triggered manually.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
32
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel.
What should you do first?
A.
B.
C.
D.
And a new scheduled query rule.
Add a data connector to Azure Sentinel.
Configure a custom Threat Intelligence connector in Azure Sentinel.
Modify the trigger in the logic app.
Answer: D
Explanation:
You must modify existing Logic App and choose Azure Sentinel actions either the following ones:
- When a response to an Azure Sentinel Alert is triggered
- When Azure Sentinel incident creation rule was triggered
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
QUESTION 34
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.
A security manager at the company reports that tracking security threats is increasingly difficult
due to the large number of incidents.
You need to recommend a solution to provide a custom visualization to simplify the investigation
of threats and to infer threats by using machine learning.
What should you include in the recommendation?
A.
B.
C.
D.
built-in queries
livestream
notebooks
bookmarks
Answer: C
Explanation:
Jupyter notebooks allow you to supercharge your threat hunting and investigation by enabling
documents that contain live code, visualizations, and narrative text. These documents can be
codified and served for specialized visualizations, an investigation guide, and sophisticated threat
hunting.
Additionally, notebooks can be used in security big data analytics for fast data processing on
large datasets.
https://docs.microsoft.com/en-us/azure/sentinel/notebooks
QUESTION 35
You have a playbook in Azure Sentinel.
When you trigger the playbook, it sends an email to a distribution group.
You need to modify the playbook to send the email to the owner of the resource instead of the
distribution group.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
33
What should you do?
A.
B.
C.
D.
Add a parameter and modify the trigger.
Add a custom data connector and modify the trigger.
Add a condition and modify the action.
Add a parameter and modify the action.
Answer: D
Explanation:
You need to add a new parameter in Send email action. That parameter specifies who you want
to send to.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-aplaybook-on-demand
QUESTION 36
You provision Azure Sentinel for a new Azure subscription.
You are configuring the Security Events connector.
While creating a new rule from a template in the connector, you decide to generate a new alert for
every event.
You create the following rule query.
By which two components can you group alerts into incidents?Each correct answer presents a
complete solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
user
resource group
IP address
computer
Answer: AD
Explanation:
IP address data is removed from the query in the | summarize, and is not mapped to the IP
custom entity.
We can see that the Account and Computer were mapped to entities and were returned in the
'summarize' section.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
34
QUESTION 37
Your company stores the data for every project in a different Azure subscription. All the
subscriptions use the same Azure Active Directory (Azure AD) tenant.
Every project consists of multiple Azure virtual machines that run Windows Server. The Windows
events of the virtual machines are stored in a Log Analytics workspace in each machine's
respective subscription.
You deploy Azure Sentinel to a new Azure subscription.
You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics
workspaces of all the subscriptions.
Which two actions should you perform?Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Add the Security Events connector to the Azure Sentinel workspace.
Create a query that uses the workspace expression and the union operator.
Use the alias statement.
Create a query that uses the resource expression and the alias operator.
Add the Azure Sentinel solution to each workspace.
Answer: BE
Explanation:
Every sentinel deployment must have a workspace - and the union command is used to join
multiple workspaces together.
https://docs.microsoft.com/en-us/learn/modules/create-manage-azure-sentinel-workspaces/2plan-for-azure-sentinel-workspace
QUESTION 38
You have an Azure Sentinel workspace.
You need to test a playbook manually in the Azure portal.
From where can you run the test in Azure Sentinel?
A.
B.
C.
D.
Playbooks
Analytics
Threat intelligence
Incidents
Answer: D
Explanation:
Manual triggering is available from the Azure Sentinel portal in the following blades:
In Incidents view, choose a specific incident, open its Alerts tab, and choose an alert.
In Investigation, choose a specific alert.
Click on View playbooks for the chosen alert. You will get a list of all playbooks that start with an
When an Azure Sentinel Alert is triggered and that you have access to.
Click on Run on the line of a specific playbook to trigger it.
Select the Runs tab to view a list of all the times any playbook has been run on this alert. It might
take a few seconds for any just-completed run to appear in this list.
Clicking on a specific run will open the full run log in Logic Apps.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
35
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-aplaybook-on-demand
QUESTION 39
You have a custom analytics rule to detect threats in Azure Sentinel.
You discover that the analytics rule stopped running. The rule was disabled, and the rule name
has a prefix of AUTO DISABLED.
What is a possible cause of the issue?
A.
B.
C.
D.
There are connectivity issues between the data sources and Log Analytics.
The number of alerts exceeded 10,000 within two minutes.
The rule query takes too long to run and times out.
Permissions to one of the data sources of the rule query were modified.
Answer: D
Explanation:
Permanent failure - rule auto-disable due to the following reasons
The target workspace (on which the rule query operated) has been deleted.
The target table (on which the rule query operated) has been deleted.
Microsoft Sentinel had been removed from the target workspace.
A function used by the rule query is no longer valid; it has been either modified or removed.
Permissions to one of the data sources of the rule query were changed.
One of the data sources of the rule query was deleted or disconnected.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#issue-a-scheduledrule-failed-to-execute-or-appears-with-auto-disabled-added-to-the-name
QUESTION 40
Your company uses Azure Sentinel.
A new security analyst reports that she cannot assign and dismiss incidents in Azure Sentinel.
You need to resolve the issue for the analyst. The solution must use the principle of least
privilege.
Which role should you assign to the analyst?
A.
B.
C.
D.
Azure Sentinel Responder
Logic App Contributor
Azure Sentinel Contributor
Azure Sentinel Reader
Answer: A
Explanation:
Roles for working in Azure Sentinel
Azure Sentinel-specific roles
All Azure Sentinel built-in roles grant read access to the data in your Azure Sentinel workspace.
Azure Sentinel Reader can view data, incidents, workbooks, and other Azure Sentinel resources.
Azure Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.)
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
36
Azure Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics
rules, and other Azure Sentinel resources.
Azure Sentinel Automation Contributor allows Azure Sentinel to add playbooks to automation
rules. It is not meant for user accounts.
https://docs.microsoft.com/en-us/azure/sentinel/roles
QUESTION 41
You have an Azure subscription that contains the resources shown in the following table.
You plan to enable Azure Defender for the subscription.
Which resources can be protected by using Azure Defender?
A.
B.
C.
D.
E.
VM1, VNET1, storage1, and Vault1
VM1, VNET1, and storage1 only
VM1, storage1, and Vault1 only
VM1 and VNET1 only
VM1 and storage1 only
Answer: C
QUESTION 42
Drag and Drop Question
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on three
devices named CFOLaptop, CEOLaptop, and COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
37
Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/devicelogonevents
QUESTION 43
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
38
Drag and Drop Question
You open the Cloud App Security portal as shown in the following exhibit.
You need to remediate the risk for the Launchpad app.
Which four actions should you perform in sequence?To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
39
Explanation:
https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery
QUESTION 44
Hotspot Question
You have a Microsoft 365 E5 subscription.
You plan to perform cross-domain investigations by using Microsoft 365 Defender.
You need to create an advanced hunting query to identify devices affected by a malicious email
attachment.
How should you complete the query?To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
40
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
41
Explanation:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-queryemails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-yourdevices
QUESTION 45
Hotspot Question
You manage the security posture of an Azure subscription that contains two virtual machines
name vm1 and vm2.
The secure score in Azure Security Center is shown in the Security Center exhibit. (Click the
Security Center tab.)
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
42
Azure Policy assignments are configured as shown in the Policies exhibit. (Click the Policies tab.)
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
43
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
44
Explanation:
JIT is about port control. Fix management port = +4 points
https://docs.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-overview
QUESTION 46
Drag and Drop Question
You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects
your environment.
You need to use Microsoft Defender Security Center to request remediation from the team
responsible for the affected systems if there is a documented active exploit available.
Which three actions should you perform in sequence?To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
45
Answer:
Explanation:
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud. We've
also renamed Azure Defender plans to Microsoft Defender plans. The answers in this are based
on Azure Security Center.
Open Security.microsoft.com --> Enpoints --> Vulnerabilty Management --> Weakness
Search/select CVE and click "Go to related security recommendations"
Click on Security recommendation task i.e. "update putty to version x.x.x"
Click on Request Remediation.
Reference:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-defender-atpremediate-apps-using-mem/ba-p/1599271
QUESTION 47
Hotspot Question
You have an Azure subscription that has Azure Defender enabled for all supported resource
types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Azure Security Center.
You need to test LA1 in Security Center.
What should you do?To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
46
Answer:
Explanation:
To manually run a Logic App, open an alert or a recommendation and click Trigger Logic App.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation#manually-triggera-logic-app
QUESTION 48
Drag and Drop Question
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to configure Azure Security Center to detect possible threats related to sign-ins from
suspicious IP addresses to Azure virtual machines. The solution must validate the configuration.
Which three actions should you perform in a sequence?To answer, move the appropriate actions
from the list of action to the answer area and arrange them in the correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
47
Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation
QUESTION 49
Drag and Drop Question
You have resources in Azure and Google cloud.
You need to ingest Google Cloud Platform (GCP) data into Azure Defender.
In which order should you perform the actions?To answer, move all actions from the list of actions
to the answer area and arrange them in the correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
48
Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboardgcp?pivots=classic-connector
QUESTION 50
Drag and Drop Question
You plan to connect an external solution that will send Common Event Format (CEF) messages
to Azure Sentinel.
You need to deploy the log forwarder.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
49
Which three actions should you perform in sequence?To answer, move the appropriate actions
form the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
1- Installs the Log Analytics agent for Linux (also known as the OMS agent) and configures it for
the following purposes:
--- listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
--- sending the messages securely over TLS to your Microsoft Sentinel workspace, where they
are parsed and enriched
2- Configures the built-in Linux Syslog daemon (rsyslog.d/syslog-ng) for the following purposes:
--- listening for Syslog messages from your security solutions on TCP port 514
--- forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost
using TCP port 25226
The need for restarting the daemon and the agent is to ensure the changes take effect (on Linux
this is required)
Reference:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
50
https://docs.microsoft.com/en-us/azure/sentinel/connect-common-event-format#designate-a-logforwarder-and-install-the-log-analytics-agent
QUESTION 51
Hotspot Question
From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the
following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
51
Explanation:
Definitely "Entities", as this button shows items in 3 sections:
1) Entities involved in the incident (user, device, IP etc.)
2) Alerts
3) Bookmarks
These are the items associated with the incident.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases#use-the-investigationgraph-to-deep-dive
QUESTION 52
Drag and Drop Question
You have an Azure Sentinel deployment.
You need to query for all suspicious credential access activities.
Which three actions should you perform in sequence?To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
52
Explanation:
Microsoft Sentinel -> Hunting -> Add filter “Tactics”, select “Credential Access” -> Run All Queries
https://davemccollough.com/2020/11/28/threat-hunting-with-azure-sentinel/
QUESTION 53
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
53
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
You need to remediate active attacks to meet the technical requirements.
What should you include in the solution?
A.
B.
C.
D.
Azure Automation runbooks
Azure Logic Apps
Azure Functions
Azure Sentinel livestreams
Answer: B
Explanation:
Playbooks in Azure Sentinel are based on workflows built in Azure Logic Apps, a cloud service
that helps you schedule, automate, and orchestrate tasks and workflows across systems
throughout the enterprise. This means that playbooks can take advantage of all the power and
customizability of Logic Apps' built-in templates.
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
QUESTION 54
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
54
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
55
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
Drag and Drop Question
You need to configure DC1 to meet the business requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
56
Explanation:
Step 1: Create the instance of Microsoft Defender for Identity.
Step 2: Provide domain administrator credentials to the litware.com Active Directory domain.
Step 3: Install the sensor on DC1.
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/install-step1
https://docs.microsoft.com/en-us/defender-for-identity/install-step4
QUESTION 55
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
57
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
58
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
Hotspot Question
You need to implement Azure Defender to meet the Azure Defender requirements and the
business requirements.
What should you include in the solution? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: LA1
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
59
As the requirements state that all logs need to be gathered in one workspace. And this one
already existed.
Box 2: Common
A standard set of events for auditing purposes. A full user audit trail is included in this set.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/windows-security-event-id-reference
https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA
QUESTION 56
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
60
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
Drag and Drop Question
You need to add notes to the events to meet the Azure Sentinel requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of action to the answer area and arrange them in the correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
61
Answer:
Explanation:
https://docs.microsoft.com/en-us/azure/sentinel/bookmarks
QUESTION 57
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
62
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
63
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
Hotspot Question
You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
64
Explanation:
To connect Defender for Cloud Apps (MCAS) to Microsoft Sentinel:
1. From Defender for Cloud Apps --> Security extensions --> Add SIEM agents tab --> then click
"Add SIEM agent" and select Microsoft Sentinel
2. From Sentinel --> Data connectors --> Select "Microsoft Defender for Cloud Apps" --> and
make sure it is connected.
Reference:
https://docs.microsoft.com/en-us/defender-cloud-apps/siem-sentinel
https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#microsoft-defenderfor-cloud-apps
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-cloud-app-securitymcas-activity-log-in-azure-sentinel/ba-p/1849806
QUESTION 58
You implement Safe Attachments policies in Microsoft Defender for Office 365.
Users report that email messages containing attachments take longer than expected to be
received.
You need to reduce the amount of time it takes to deliver messages that contain attachments
without compromising security. The attachments must be scanned for malware, and any
messages that contain malware must be blocked.
What should you configure in the Safe Attachments policies?
A.
B.
C.
D.
Dynamic Delivery
Replace
Block and Enable redirect
Monitor and Enable redirect
Answer: A
Explanation:
Dynamic Delivery Delivers messages immediately, but replaces attachments with placeholders
until Safe Attachments scanning is complete.
For details, see the Dynamic Delivery in Safe Attachments policies section later in this article.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
65
Avoid message delays while protecting recipients from malicious files.
Enable recipients to preview attachments in safe mode while scanning is taking place.
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safeattachments?view=o365-worldwide
QUESTION 59
You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to
prevent the attack.
Which indicator type should you use?
A.
B.
C.
D.
a URL/domain indicator that has Action set to Alert only
a URL/domain indicator that has Action set to Alert and block
a file hash indicator that has Action set to Alert and block
a certificate indicator that has Action set to Alert and block
Answer: C
Explanation:
The steps for to Create an indicator for files from the settings page
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the File hashes tab.
3. Select Add indicator.
4. Specify the following details:
5. Indicator - Specify the entity details and define the expiration of the indicator.
* Action - Specify the action to be taken and provide a description.
* Scope - Define the scope of the device group.
* Review the details in the Summary tab, then select Save.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicatorfile?view=o365-worldwide
QUESTION 60
Your company deploys the following services:
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
You need to provide a security analyst with the ability to use the Microsoft 365 security center.
The analyst must be able to approve and reject pending actions generated by Microsoft Defender
for Endpoint. The solution must use the principle of least privilege.
Which two roles should assign to the analyst? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
the Compliance Data Administrator in Azure Active Directory (Azure AD)
the Active remediation actions role in Microsoft Defender for Endpoint
the Security Administrator role in Azure Active Directory (Azure AD)
the Security Reader role in Azure Active Directory (Azure AD)
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
66
Answer: BD
Explanation:
Security Reader - can access M365 Security Center.
Active Remediation Actions role in Defender for Endpoint meets need to 'approve and reject'
pending actions with respect to Defender For Endpoint.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365worldwide
QUESTION 61
You have an Azure subscription that has Azure Defender enabled for all supported resource
types.
You need to configure the continuous export of high-severity alerts to enable their retrieval from a
third-party security information and event management (SIEM) solution.
To which service should you export the alerts?
A.
B.
C.
D.
Azure Cosmos DB
Azure Event Grid
Azure Event Hubs
Azure Data Lake
Answer: C
Explanation:
Continuous export lets you fully customize what will be exported, and where it will go. For
example, you can configure it so that:
All high severity alerts are sent to an Azure Event Hub
All medium or higher severity findings from vulnerability assessment scans of your SQL servers
are sent to a specific Log Analytics workspace
Specific recommendations are delivered to an Event Hub or Log Analytics workspace whenever
they're generated
The secure score for a subscription is sent to a Log Analytics workspace whenever the score for
a control changes by 0.01 or more
Reference:
https://docs.microsoft.com/en-us/azure/security-center/continuous-export?tabs=azure-portal
QUESTION 62
You are responsible for responding to Azure Defender for Key Vault alerts.
During an investigation of an alert, you discover unauthorized attempts to access a key vault from
a Tor exit node.
What should you configure to mitigate the threat?
A.
B.
C.
D.
Key Vault firewalls and virtual networks
Azure Active Directory (Azure AD) permissions
role-based access control (RBAC) for the key vault
the access policy settings of the key vault
Answer: A
Explanation:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
67
To be able to prevent unauthorized access to the key vault through suspicious IPs you have to
change the networking settings under the key vault resource.
https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
QUESTION 63
You have an Azure subscription that contains a Log Analytics workspace.
You need to enable just-in-time (JIT) VM access and network detections for Azure resources.
Where should you enable Azure Defender?
A. at the subscription level
B. at the workspace level
C. at the resource level
Answer: A
Explanation:
Enabling it at the workspace level doesn't enable just-in-time VM access, adaptive application
controls, and network detections for Azure resources. In addition, the only Microsoft Defender
plans available at the workspace level are Microsoft Defender for servers and Microsoft Defender
for SQL servers on machines.
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-enhanced-security
QUESTION 64
You use Azure Defender.
You have an Azure Storage account that contains sensitive information.
You need to run a PowerShell script if someone accesses the storage account from a suspicious
IP address.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
From Azure Security Center, enable workflow automation.
Create an Azure logic app that has a manual trigger.
Create an Azure logic app that has an Azure Security Center alert trigger.
Create an Azure logic app that has an HTTP trigger.
From Azure Active Directory (Azure AD), add an app registration.
Answer: AC
Explanation:
You want a security trigger for the login and you use this trigger to start the automation workflow
with the powershellscript.
https://docs.microsoft.com/en-us/azure/storage/common/azure-defender-storageconfigure?tabs=azure-security-center
https://docs.microsoft.com/en-us/azure/security-center/workflow-automation
QUESTION 65
You recently deployed Azure Sentinel.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
68
You discover that the default Fusion rule does not generate any alerts. You verify that the rule is
enabled.
You need to ensure that the Fusion rule can generate alerts.
What should you do?
A.
B.
C.
D.
Disable, and then enable the rule.
Add data connectors
Create a new machine learning analytics rule.
Add a hunting bookmark.
Answer: B
Explanation:
Add data connectors to bring in source data for rules, notebooks, playbooks to query/take action
against.
https://docs.microsoft.com/en-us/azure/sentinel/configure-fusion-rules
QUESTION 66
A company uses Azure Sentinel.
You need to create an automated threat response.
What should you use?
A.
B.
C.
D.
a data connector
a playbook
a workbook
a Microsoft incident creation rule
Answer: B
Explanation:
Use playbooks together with automation rules to automate your incident response and remediate
security threats detected by Microsoft Sentinel.
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
QUESTION 67
You have an Azure Sentinel deployment in the East US Azure region.
You create a Log Analytics workspace named LogsWest in the West US Azure region.
You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel
deployment to generate alerts based on queries to LogsWest.
What should you do first?
A.
B.
C.
D.
Deploy Azure Data Catalog to the West US Azure region.
Modify the workspace settings of the existing Azure Sentinel deployment.
Add Azure Sentinel to a workspace.
Create a data connector in Azure Sentinel.
Answer: C
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
69
Explanation:
Cross-workspace queries can now be included in scheduled analytics rules. You can use crossworkspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse) as in
the case of an MSSP, subject to the following limitations:
* Up to 20 workspaces can be included in a single query.
* Azure Sentinel must be deployed on every workspace referenced in the query.
* Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist
only in the workspace where the rule was defined. They will not be displayed in any of the other
workspaces referenced in the query.
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspacestenants#cross-workspace-workbooks
QUESTION 68
You create a custom analytics rule to detect threats in Azure Sentinel.
You discover that the rule fails intermittently.
What are two possible causes of the failures? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
The rule query takes too long to run and times out.
The target workspace was deleted.
Permissions to the data sources of the rule query were modified.
There are connectivity issues between the data sources and Log Analytics
Answer: AD
Explanation:
Incorrect Answers:
B: This would cause it to fail every time, not just intermittently.
C: This would cause it to fail every time, not just intermittently.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom#troubleshooting
QUESTION 69
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from
a malicious IP address is detected.
Solution: You create a scheduled query rule for a data connector.
Does this meet the goal?
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
70
A. Yes
B. No
Answer: B
Explanation:
You can create scheduled rules from Data connector pages (Next steps tab). But the bottom line
is whoever wrote this question should be fired on the spot.
QUESTION 70
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from
a malicious IP address is detected.
Solution: You create a hunting bookmark.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You need to create a custom analytics rule in Azure Sentinel that detects sign-ins from malicious
IP addresses and triggers an incident.
https://learn.microsoft.com/en-us/azure/sentinel/bookmarks
QUESTION 71
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from
a malicious IP address is detected.
Solution: You create a Microsoft incident creation rule for a data connector.
Does this meet the goal?
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
71
A. Yes
B. No
Answer: A
Explanation:
As this kind of alert is generated by ASC, so we need the Microsoft incident creation rule to
create incidents from ASC into sentinel.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-reference
QUESTION 72
Hotspot Question
You are informed of an increase in malicious email being received by users.
You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the
accounts of the email recipients were compromised. The query must return the most recent 20
sign-ins performed by the recipients within an hour of receiving the known malicious email.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
72
Explanation:
Box 1: EmailEvents
Only EmailEvents table have the Subject column, but both EmailEvents and EmailAttachmentInfo
have the ThreatType table (old MalwareFilterVerdict).
Box 2: IdentityLogonEvents
It is the only table that have identity objects related.
Box 3: take 20
Take 20 is equal to top 20 by timestamp.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-queryemails-devices?view=o365-worldwide
QUESTION 73
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure
subscription that uses Azure Sentinel.
You need to identify all the devices that contain files in emails sent by a known malicious email
sender. The query will be based on the match of the SHA256 hash.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
73
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
74
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-queryemails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-yourdevices
QUESTION 74
Hotspot Question
You need to use an Azure Resource Manager template to create a workflow automation that will
trigger an automatic remediation when specific security alerts are received by Azure Security
Center.
How should you complete the portion of the template that will provision the required Azure
resources? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
75
Explanation:
https://docs.microsoft.com/en-us/azure/security-center/quickstart-automation-alert
https://raw.githubusercontent.com/Azure/azure-quickstarttemplates/master/quickstarts/microsoft.security/securitycenter-create-automation-foralertnamecontains/azuredeploy.json
QUESTION 75
Drag and Drop Question
Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
- Create and run playbooks
- Create workbooks and analytic rules.
The solution must use the principle of least privilege.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct
tasks. Each role may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
76
Answer:
Explanation:
Logic Apps Contributor - Attach playbooks to analytics and automation rules and run playbooks.
Note: This role also allows users to modify playbooks.
Logic apps contributor cannot be the right answer as it can't create playbooks.
Sentinel contributor for both.
https://docs.microsoft.com/en-us/azure/sentinel/roles
QUESTION 76
Hotspot Question
You use Azure Sentinel to monitor irregular Azure activity.
You create custom analytics rules to detect threats as shown in the following exhibit.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
77
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
78
You do NOT define any incident settings as part of the rule definition.
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
The first scenario will not generate any alerts, as each series by Caller generates a single result;
there is only one caller, therefore 1 result, which is below the threshold (results > 2).
In the second scenario, there will be 3 results (one for each caller), so one alert will be generated
(as this is above the threshold and the results are grouped into a single alert).
make-series is going to make lists of all the EventSubmissionTimestamp values for each user,
with each user being on a separate row. This means that if 1 user creates 3 machines, it will
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
79
aggregate them all into 1 row. And if 3 users create 1 virtual machine we will see 3 separate
rows.
Reference:
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator#examples
QUESTION 77
You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage
incident related to a suspected malicious document. After reviewing all the details, you have
determined that the alert tied to this potentially malicious document is also related to another
incident in your environment. However, the alert is not currently listed as a part of that second
incident. Your investigation into the alert is ongoing, as is your investigation into the two related
incidents.
You need to appropriately categorize the alert and ensure that it is associated with the second
incident.
What two actions should you take in the Manage alert pane to fulfill this part of the investigation?
Each correct answer presents a part of the solution.
A.
B.
C.
D.
E.
Select the Link alert to another incident option.
Set classification to True alert.
Set status to New.
Set status to In progress.
Enter the Incident ID of the related incident in the Comment section.
Answer: AD
Explanation:
The correct action to classify the alert would be to set the status to In progress. While the alert
may seem to be legitimate as it is linked to another incident, until a final determination is reached,
you should set the status to In progress to ensure that others know it is being worked on. Once a
determination is reached, you can then change it to Resolved and select the appropriate
classification (True alert or False alert).
The correct action to correlate the alert to the other incident would be to select the Link alert to
another incident option. While ideally the alert would automatically be included in both incidents,
that is not always the case. If you notice an alert that is not linked to an incident that it is clearly
connected to, using the Link alert to another incident option ensures they are tied together.
You should not set the classification to True alert. While a point can be made that it seems this
malicious file involved in multiple incidents is likely to be a True alert, you are not yet able to
make that determination. It also is not time to classify it as a false alert. The best practice while
continuing an investigation would be not to change the classification at all, which means leaving it
as the default Not set classification.
You should not enter the Incident ID of the related incident in the Comment section. While this
might be helpful from an administrative perspective, it creates no link to the other incident.
You should not set the status to New. This is the default status of any alert. The question
specifically seeks to ensure your peers know the alert is being investigated, so setting (or leaving)
the status as New would make it impossible to differentiate from other uninvestigated alerts.
All of the actions mentioned in the options can be found in the Manage alert pane, which can be
reached via the Alerts tab in the Incidents section of the Microsoft 365 Defender portal. This is an
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
80
excellent central location from which you can manage incidents, and the components that make
them up, including alerts.
QUESTION 78
Drag and Drop Question
Your company starts using Azure Sentinel. The manager wants the administration of the
implemented solution to be divided into two groups, Group A and Group B, where:
- Group A takes responsibility for replacing the tags of Threat
Intelligence Indicator.
- Group B takes responsibility for adding playbooks to automation
rules.
You need to assign the appropriate roles for both groups to fulfill the manager’s request.
How should you assign the roles? To answer, drag the appropriate role to each group. A role may
be used once, more than once, or not at all.
Answer:
Explanation:
You should assign the Responder role to Group A. This role gives the user permission to manage
incidents in Azure Sentinel (like assigning users for incidents, dismissing alerts, etc.) and to view
several Azure Sentinel resources, including reports, incidents, and workbooks. This role also
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
81
gives permission to replace Tags of Threat Intelligence Indicator. This role does not give
permission to add playbooks to automation rules. Threat Intelligence Indicator is a cloud-based
solution used within companies to analyze and act upon threat activities.
You should assign the Azure Sentinel Automation Contributor role to Group B. In addition to
viewing Azure Sentinel resources, managing incidents, and working with workbooks, this role
allows Azure Sentinel to add playbooks to automation rules. This meets the scenario
requirement.
You should not assign the Reader role to either group. This role gives a user permission to view
incidents in Azure Sentinel, but not the permission to replace tags of Threat Intelligence Indicator
or to add playbooks to automation rules as required in the scenario.
You should not assign the Security Assessment Contributor role to either of the groups. This role
gives permission to create security assessments on the company’s Azure Sentinel subscription,
which is useful for knowing if another subscription of Azure Sentinel is needed. This role does not
give the permission to replace tags of Threat Intelligence Indicator or to add playbooks to
automation rules as required in the scenario.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
QUESTION 79
You are currently using Azure Sentinel for the collection of Windows security events. You want to
use Azure Sentinel to identify Remote Desktop Protocol (RDP) activity that is unusual for your
environment.
You need to enable the Anomalous RDP Login Detection rule.
What two prerequisites do you need to ensure are in place before you can enable this rule? Each
correct answer presents part of the solution.
A.
B.
C.
D.
Collect Security events or Windows Security Events with Event ID 4624.
Let the machine learning algorithm collect 30 days' worth of Windows Security events data.
Select an event set other than None.
Collect Security events or Windows Security Events with Event ID 4720.
Answer: AC
Explanation:
One of the best features of a Security information and event management (SIEM) tool like Azure
Sentinel is correlating important data and finding events that deserve your attention. The
Anomalous RDP Login Detection rule does just that. Enabling this rule requires two prerequisites:
You should collect Security events or Windows Security Events with Event ID 4624. This is the
event ID for an account successfully logging on to a machine/system. This covers many log in
types, including RDP. Without this data, Azure Sentinel would be blind to RDP logins entirely.
This process would be completed in the Security Events Data Connector or Windows Security
Events (Preview) Data Connector pages within Azure Sentinel.
You should also select an event set other than None. This is a configuration step completed
during the data connector implementation described above. This step ensures that the connector
detailed in the above step is actually passing data. Options other than None include All events,
Common, and Minimal. Although it may seem counterintuitive that there would even be a None
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
82
event set, this can be used to disable a connector without deleting/removing it. This can be
helpful in certain troubleshooting scenarios.
You should not create a data collection rule that includes Event ID 4720. This is the Event ID for
the creation of a user account, not for logging on to a machine or system. While it may seem
picky to expect a security professional to memorize exact event IDs, it is incredibly helpful to
recognize some of the most common ones. Log ins (4624) and user creation (4720) are two that
are very critical to know well in the event of conducting time sensitive research of a potential
compromise and privilege escalation/account creation incident response (IR) scenario.
You should not let the machine learning algorithm collect 30 days' worth of Windows Security
events data. This is, however, a very important time frame in regards to the time after you enable
the rule. This rule relies on a machine learning algorithm that ultimately requires 30 days' worth of
data before it can build a baseline. This baseline is a profile of your company's normal user
behavior, so you need to allow 30 days of Windows Security events data to be ingested before
this rule will result in the discovery of any incidents. Remember, however, that the question only
refers to the process to enable the rule and not the generation of incidents thereafter.
Finally, the actual process to enable the rule after these prerequisites are set is fairly simple.
Starting in the Azure Sentinel portal, you will click Analytics, and then click the Rule templates
tab. Next, you must choose the (Preview) Anomalous RDP Login Detection rule and simply move
the Status slider from Disabled (the default) to Enabled.
QUESTION 80
Drag and Drop Question
You are threat hunting using Azure Sentinel. You have created a query designed to identify a
specific event on your domain controller.
You need to create several similar queries because you have multiple domain controllers and
want to keep each query separate. The solution should minimize administrative effort.
Which three actions should you perform in sequence to clone a query? To answer, move the
appropriate actions from the list of possible actions to the answer area and arrange them in the
correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
83
Answer:
Explanation:
You should perform the following tasks in order:
On the Hunting page of Azure Sentinel, find the query you wish to clone.
Choose Clone query by clicking the ellipsis icon at the end of the row.
On the Create custom query page, make your edits then click the Create button.
First, you should find the query you wish to clone. You will do this by navigating to the Hunting
page within Azure Sentinel and then looking through the list of queries. This will allow you to
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
84
ensure the right initial query is cloned in the next step.
Next, you should choose the Clone query option. This is accessible via the ellipsis at the end of
the row for the query you found in step one. This will make a copy of the query you identified in
the first step and will take you to the page where you can make changes to that copy.
Finally, you should make your edits then click the Create button. These edits will be made on the
Create custom query page, which is the page you are taken to after selecting Clone query in step
two. This will allow you to tweak the copy to your needs. When you click Create, the initial query
you copied will still exist in its original state, and a new query with the changes you make in this
step will be generated/saved.
This process would allow you, for example, to alter the IP or hostname in the query to match your
other domain controllers (DCs) but keep the rest of the query the same. As mentioned above, it
also leaves the original query untouched/as-is. This is a fast, efficient way to make several
queries that are related but require minor tweaks to meet the desired outcome. Starting each
query from scratch would take much longer and would be more likely to result in human error in
the query syntax.
You should not select New query on the Hunting page of Azure Sentinel. While this option could
ultimately be chosen to generate the queries for your other DCs, as mentioned above, you would
be starting from scratch. If you only need to change a few minor things in your query, going to
New query is a waste of time as the clone option gives you a better starting point.
You should not select the ellipsis in the line of the query you want to modify, and select Edit
query. This would allow you to edit an existing query, but it would not create a copy of it. Any
edits made here would alter the original query. With the Clone query option, you leave the original
unaltered, while efficiently creating new queries based on it.
QUESTION 81
Hotspot Question
You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor
your environment.
You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure
Defender alerts.
What query should you write to meet this requirement? To answer, complete the query by
selecting the correct options from the drop-down menus.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
85
Answer:
Explanation:
You should complete the query as follows:
SecurityAlert
| where ProductName == "Azure Security Center"
This completes a basic query to identify all security alerts in Azure Security Center. Placing
SecurityAlert first queries the SecurityAlert table, and then using | where ProductName == "Azure
Security Center" afterwards ensures that in that SecurityAlert table you are only looking for
entries where the ProductName column has a value of Azure Security Center. From here, you
can expand. For example, you could use KQL to specify time frames or specific devices to query.
Kusto Query Language (KQL) is the language you will use when building queries in Azure
Sentinel. Queries serve as a way to search through the massive amount of data Azure Sentinel
has access to.
You should not begin the query with Azure Security Center. The structure of a query requires that
you first identify the key table you will be querying. The SecurityAlert table includes the security
alerts that are being digested by Azure Sentinel. You should first query this table, then narrow the
search to the alerts coming from the Azure Security Center product.
You should not begin the query with Azure Sentinel. Again, the structure of a query requires that
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
86
you first identify the key table you will be querying. In this case, that would be the SecurityAlert
table. More importantly, while Azure Sentinel is the solution aggregating this data and performing
the query, it should not be used as the ProductName. This should be specified as the Azure
Security Center.
You should not end the query with Azure Sentinel. As mentioned in the paragraph above, the
ProductName (solution source) for the SecurityAlert (alerts) table you should query is Azure
Security Center. The query would be run in Azure Sentinel, but do not confuse the solution being
queried with the one running the query.
You should not end the query with SecurityAlert. Here you need to name the solution you want to
query. In this case, that is Azure Security Center. SecurityAlert would not be a valid
ProductName.
QUESTION 82
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
87
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
Hotspot Question
You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical
requirements.
What should you include in the solution? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
88
Explanation:
You will use the workspace ID and the union operator to extend queries across workspaces.
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
QUESTION 83
You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation
actions in response to external sharing of confidential files.
Which two actions should you perform in the Cloud App Security portal? Each correct answer
presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Settings, select Information Protection, select Azure Information Protection, and then select
Only scan files for Azure Information Protection classification labels and content inspection
warnings from this tenant.
B. Select Investigate files, and then filter App to Office 365.
C. Select Investigate files, and then select New policy from search.
D. From Settings, select Information Protection, select Azure Information Protection, and then select
Automatically scan new files for Azure Information Protection classification labels and content
inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
F. Select Investigate files, and then filter File Type to Document.
Answer: DE
Explanation:
In Defender for Cloud Apps, under the settings cog, select the Settings page under the System
heading.
Under Microsoft Information Protection, select Automatically scan new files for Microsoft
Information Protection sensitivity labels.
https://docs.microsoft.com/en-us/defender-cloud-apps/tutorial-dlp
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
89
https://www.microsoft.com/en-us/videoplayer/embed/RE4CMYG?postJsllMsg=true
QUESTION 84
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
What should you do?
A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future
attacks section.
B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.
C. From Regulatory compliance, download the report.
D. From Recommendations, download the CSV report.
Answer: B
Explanation:
With the 'Mitigate the threat' action you receive recommendations to mitigate this threat. The
'Prevent future attacks' action provides security recommendations to help reduce the attack
surface, increase security posture, and thus prevent future attacks.
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-respondingalerts
QUESTION 85
You have a suppression rule in Azure Security Center for 10 virtual machines that are used for
testing. The virtual machines run Windows Server.
You are troubleshooting an issue on the virtual machines.
In Security Center, you need to view the alerts generated by the virtual machines during the last
five days.
What should you do?
A.
B.
C.
D.
Change the rule expiration date of the suppression rule.
Change the state of the suppression rule to Disabled.
Modify the filter for the Security alerts page.
View the Windows event logs on the virtual machines.
Answer: C
Explanation:
Suppressed alerts will be hidden in Azure Security Center, Azure Sentinel and third-party SIEM
solutions, but will still be reachable if needed later on with dismissed state.
So you have to modify the filter to display dismissed alerts and not the "Active" one.
Reference:
https://techcommunity.microsoft.com/t5/microsoft-defender-for-cloud/suppression-rules-for-azuresecurity-center-alerts-are-now/ba-p/1404920
QUESTION 86
You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
90
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
A.
B.
C.
D.
Create a Microsoft incident creation rule
Share the incident URL
Create a scheduled query rule
Assign the incident
Answer: D
Explanation:
Incidents can be assigned to a specific user or to a group. For each incident you can assign an
owner, by setting the Owner field. All incidents start as unassigned. You can also add comments
so that other analysts will be able to understand what you investigated and what your concerns
are around the incident.
https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases
QUESTION 87
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever an incident representing a
sign-in risk event is activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of
the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Enable Entity behavior analytics.
Associate a playbook to the analytics rule that triggered the incident.
Enable the Fusion rule.
Add a playbook.
Create a workbook.
Answer: BD
Explanation:
You need the playbook to be created first then associated.
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
QUESTION 88
You have the following environment:
-
Azure Sentinel
A Microsoft 365 subscription
Microsoft Defender for Identity
An Azure Active Directory (Azure AD) tenant
You configure Azure Sentinel to collect security logs from all the Active Directory member servers
and domain controllers.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
91
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
Configure the Advanced Audit Policy Configuration settings for the domain controllers.
Modify the permissions of the Domain Controllers organizational unit (OU).
Configure auditing in the Microsoft 365 compliance center.
Configure Windows Event Forwarding on the domain controllers.
Answer: AD
Explanation:
For the correct events to be audited and included in the Windows Event Log, your domain
controllers require accurate Advanced Audit Policy settings.
To enhance detection capabilities, Defender for Identity needs the Windows events listed in
Configure event collection. These can either be read automatically by the Defender for Identity
sensor or in case the Defender for Identity sensor is not deployed, it can be forwarded to the
Defender for Identity standalone sensor in one of two ways, by configuring the Defender for
Identity standalone sensor to listen for SIEM events or by configuring Windows Event Forwarding.
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection
https://learn.microsoft.com/en-us/defender-for-identity/configure-event-forwarding
QUESTION 89
Hotspot Question
You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Cloud App Security.
You need to create a custom template-based policy that detects connections to Microsoft 365
apps that originate from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
92
Answer:
Explanation:
Box 1: Activity Policy
Control -> Templates -> Logon from a risky IP address -> Create (activity) policy -> Activities
matching any of the following -> IP address | Category | equals | Risky.
Box 2: IP address tag
Select a filter --> IP Address --> Select a filter --> Tag --> Select IP address tag --> Botnet
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
https://docs.microsoft.com/en-us/defender-cloud-apps/control-cloud-apps-with-policies
QUESTION 90
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
93
Hotspot Question
You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux
virtual machines in Azure. The solution must minimize administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
94
Explanation:
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365
https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog
QUESTION 91
Drag and Drop Question
You need to use an Azure Sentinel analytics rule to search for specific criteria in Amazon Web
Services (AWS) logs and to generate incidents.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
95
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
96
Explanation:
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
QUESTION 92
Case Study 1 - Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout
North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston,
Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In
addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam
recently purchased an Azure subscription and enabled Azure Defender for all supported resource
types.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
97
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team
spends too much time identifying which cybersecurity alerts are legitimate threats, and which are
not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with
customers by using a variety of third-party tools. In the past, the sales team experienced various
attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating
with external vendors. The marketing team has had several incidents in which vendors uploaded
files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you
identify which files had more than five activities during the past 48 hours, including data access,
download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security
operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the
environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso
and Fabrikam.
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of
external attackers and a potential compromise of its own Azure AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a
given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
You need to complete the query for failed sign-ins to meet the technical requirements.
Where can you find the column name to complete the where clause?
A.
B.
C.
D.
Security alerts in Azure Security Center
Activity log in Azure
Azure Advisor
the query windows of the Log Analytics workspace
Answer: D
Explanation:
The query window will provide IntelliSense to help figure out what the column is as you type. You
can also just do a broad search for all failed logins and see which columns are returned in the
output.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
98
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial#write-a-query
QUESTION 93
Case Study 2 - Litware Inc
Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the
United States. To access Litware resources, including cloud resources, the remote users
establish a VPN connection to either office.
Existing Environment
Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active
Directory (Azure AD) tenant named litware.com.
Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft
Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App
Security built-in anomaly detection policies are enabled.
Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription
contains resources in the East US Azure region as shown in the following table.
Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the
virtual networks in the Azure subscription.
On-premises Environment
The on-premises network contains the computers shown in the following table.
Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices
simultaneously.
Planned Changes
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
99
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available
from the Azure Information Protection – Data discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level
data.
Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.
Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:
Integrate Azure Sentinel and Cloud App Security.
Ensure that a user named admin1 can configure Azure Sentinel playbooks.
Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically
initiate the execution of a playbook.
Add notes to events that represent data access from a specific IP address to provide the ability
to reference the IP address when navigating through an investigation graph while hunting.
Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the
Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into
individual incidents, with one incident per test user account.
You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint
requirements.
Which two configurations should you modify? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
the Onboarding settings from Device management in Microsoft Defender Security Center
Cloud App Security anomaly detection policies
Advanced features from Settings in Microsoft Defender Security Center
the Cloud Discovery settings in Cloud App Security
Answer: CD
Explanation:
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by
using Microsoft Defender for Endpoint.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
100
You can also add URLs/Domains to block directly from Defender - Settings - Endpoints Indicators - URLs/Domains tab - Add items --> to add cloud apps to block.
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/mde-govern
QUESTION 94
Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication
(MFA).
You need to enforce MFA for all users who work remotely.
What should you include in the solution?
A.
B.
C.
D.
a fraud alert
a user risk policy
a named location
a sign-in user policy
Answer: C
Explanation:
Named locations can be defined by IPv4/IPv6 address ranges or by countries.
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/locationcondition#named-locations
QUESTION 95
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company’s
United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Configure automatic data enrichment.
Add the IP addresses to the corporate address range category.
Increase the sensitivity level of the impossible travel anomaly detection policy.
Add the IP addresses to the other address range category and add a tag.
Create an activity policy that has an exclusion for the IP addresses.
Answer: AB
Explanation:
If you override the automatic detection of location for company IP address ranges, you can
prevent the impossible travel alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
101
And you need to define your corporate address ranges so that they are not seen as risky.
https://docs.microsoft.com/en-us/defender-cloud-apps/media/newipaddress-range.png
https://docs.microsoft.com/en-us/cloud-app-security/ip-tags
QUESTION 96
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for
attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
QUESTION 97
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for
Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message
from the mailbox of a user?
A.
B.
C.
D.
the Threat Protection Status report in Microsoft Defender for Office 365
the mailbox audit log in Exchange
the Safe Attachments file types report in Microsoft Defender for Office 365
the mail flow report in Exchange
Answer: A
Explanation:
To determine if ZAP moved your message, you can use either the Threat Protection Status report
or Threat Explorer (and real-time detections).
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-autopurge?view=o365-worldwide
QUESTION 98
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices
have Microsoft Office 365 installed.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
102
You need to mitigate the following device threats:
- Microsoft Excel macros that download scripts from untrusted websites
- Users that open executable attachments in Microsoft Outlook
- Outlook rules and forms exploits
What should you use?
A.
B.
C.
D.
Microsoft Defender Antivirus
attack surface reduction rules in Microsoft Defender for Endpoint
Windows Defender Firewall
adaptive application control in Azure Defender
Answer: B
Explanation:
Attack Surface Reduction rules.
Block all Office applications from creating child processes
Block executable content from email client and webmail
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surfacereduction-rules-reference?view=o365-worldwide
QUESTION 99
You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure
AD) sign-events in near real time.
What should you do to route events to the SIEM solution?
A.
B.
C.
D.
Create an Azure Sentinel workspace that has a Security Events connector.
Configure the Diagnostics settings in Azure AD to stream to an event hub.
Create an Azure Sentinel workspace that has an Azure Active Directory connector.
Configure the Diagnostics settings in Azure AD to archive to a storage account.
Answer: B
Explanation:
Routing logs to an Azure event hub allows you to integrate with third-party SIEM tools like
Sumologic and Splunk.
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/tutorial-azure-monitorstream-logs-to-event-hub
QUESTION 100
Drag and Drop Question
You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant. The
tenant contains two users named User1 and User2.
You plan to deploy Azure Defender.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the
following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
103
The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct
users. Each role may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
104
Explanation:
Box 1: Owner
At the Subscription Level, only Contributor and Owner can :
- Apply security recommendations
- Add/Assign initiatives
- Edit security policy
- Dismiss alerts
However, only the Owner can 'Enable auto provisioning'... to be the owner of the extension you're
deploying. "For auto provisioning, the specific role required depends on the extension you're
deploying."
Box 2: Contributor
Only the Contributor or the Owner can apply security recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-datacollection?tabs=autoprovision-loganalytic#availability
QUESTION 101
Hotspot Question
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in
Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly
from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
105
Answer:
Explanation:
Box 1: Turn on Live Response
Live response is a capability that gives you instantaneous access to a device by using a remote
shell connection. This gives you the power to do in-depth investigative work and take immediate
response actions.
Box 2: Automation level to Full
Ensure that the device has an Automation Remediation level assigned to it.
You'll need to enable, at least, the minimum Remediation Level for a given Device Group.
Otherwise you won't be able to establish a Live Response session to a member of that group.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/networkdevices?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/liveresponse?view=o365-worldwide
QUESTION 102
Hotspot Question
You have an Azure Storage account that will be accessed by multiple Azure Function apps during
the development of an application.
You need to hide Azure Defender alerts for the storage account.
Which entity type and field should you use in a suppression rule? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
106
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
107
Explanation:
Entity Type = Azure Resource (Azure Storage is a Resource)
Field = Resource ID (All Azure resources have an ID)
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azuresecurity-center-alerts-are-now/ba-p/1404920
QUESTION 103
You create an Azure subscription.
You enable Azure Defender for the subscription.
You need to use Azure Defender to protect on-premises computers.
What should you do on the on-premises computers?
A.
B.
C.
D.
Install the Log Analytics agent.
Install the Dependency agent.
Configure the Hybrid Runbook Worker role.
Install the Connected Machine agent.
Answer: A
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
108
Explanation:
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets,
IaaS containers, and non-Azure (including on-premises) machines to monitor for security
vulnerabilities and threats.
Data is collected using:
The Log Analytics agent, which reads various security-related configurations and event logs
from the machine and copies the data to your workspace for analysis. Examples of such data
are: operating system type and version, operating system logs (Windows event logs), running
processes, machine name, IP addresses, and logged in user.
Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide
data to Security Center regarding specialized resource types.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
QUESTION 104
A security administrator receives email alerts from Azure Defender for activities such as potential
malware uploaded to a storage account and potential successful brute force attacks.
The security administrator does NOT receive email alerts for activities such as antimalware action
failed and suspicious network activity. The alerts appear in Azure Security Center.
You need to ensure that the security administrator receives email alerts for all the activities.
What should you configure in the Security Center settings?
A.
B.
C.
D.
the severity level of email notifications
a cloud connector
the Azure Defender plans
the integration settings for Threat detection
Answer: A
Explanation:
Email notifications are free; for security alerts, enable the enhanced security plans.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications
QUESTION 105
Drag and Drop Question
You have an Azure Functions app that generates thousands of alerts in Azure Security Center
each day for normal activity.
You need to hide the alerts automatically in Security Center.
Which three actions should you perform in sequence in Security Center? Each correct answer
presents part of the solution.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
109
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-asuppression-rule
QUESTION 106
Drag and Drop Question
You have an Azure subscription.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
110
You need to delegate permissions to meet the following requirements:
- Enable and disable Azure Defender.
- Apply security recommendations to resource.
The solution must use the principle of least privilege.
Which Azure Security Center role should you use for each requirement? To answer, drag the
appropriate roles to the correct requirements. Each role may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Security Admin
Box 2: Resource Group Owner
This has lower privilege than subscription contributor and can still apply security
recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
111
QUESTION 107
Hotspot Question
You have an Azure subscription that uses Azure Defender.
You plan to use Azure Security Center workflow automation to respond to Azure Defender threat
alerts.
You need to create an Azure policy that will perform threat remediation automatically.
What should you include in the solution? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Append is used to add additional fields to the requested resource during creation or update.
The following effects are deprecated:
EnforceOPAConstraint
EnforceRegoPolicy
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects
https://docs.microsoft.com/en-us/azure/security-center/workflow-automation
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
112
QUESTION 108
You have an Azure subscription that contains a virtual machine named VM1 and uses Azure
Defender. Azure Defender has automatic provisioning enabled.
You need to create a custom alert suppression rule that will supress false positive alerts for
suspicious use of PowerShell on VM1.
What should you do first?
A.
B.
C.
D.
From Azure Security Center, add a workflow automation.
On VM1, run the Get-MPThreatCatalog cmdlet.
On VM1 trigger a PowerShell alert.
From Azure Security Center, export the alerts to a Log Analytics workspace.
Answer: C
Explanation:
For a rule to suppress an alert on a specific subscription, that alert type has to have been
triggered at least once before the rule is created.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-asuppression-rule
QUESTION 109
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
A. Yes
B. No
Answer: A
Explanation:
A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've
installed the Log Analytics agent on it - appears in Defender for Cloud with recommendations like
your other Azure resources.
Install Log Analytics manually or when you enable auto provisioning of Log Analytics in
"Autoprovisioning" tag, auto provisioning is already turned on.
Reference:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
113
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboardmachines?pivots=azure-arc
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-datacollection?tabs=autoprovision-feature
QUESTION 110
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've
installed the Log Analytics agent on it - appears in Defender for Cloud with recommendations like
your other Azure resources.
Install Log Analytics manually or when you enable auto provisioning of Log Analytics in
"Autoprovisioning" tag, auto provisioning is already turned on.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboardmachines?pivots=azure-arc
https://docs.microsoft.com/en-us/azure/defender-for-cloud/enable-datacollection?tabs=autoprovision-feature
QUESTION 111
You use Azure Sentinel.
You need to use a built-in role to provide a security analyst with the ability to edit the queries of
custom Azure Sentinel workbooks. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
A.
B.
C.
D.
Azure Sentinel Contributor
Security Administrator
Azure Sentinel Responder
Logic App Contributor
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
114
Answer: A
Explanation:
Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure
Sentinel resources.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles
QUESTION 112
You create a hunting query in Azure Sentinel.
You need to receive a notification in the Azure portal as soon as the hunting query detects a
match on the query. The solution must minimize effort.
What should you use?
A.
B.
C.
D.
a playbook
a notebook
a livestream
a bookmark
Answer: C
Explanation:
Livestream notifications for new events use Azure portal notifications, you see these notifications
whenever you use the Azure portal.
https://docs.microsoft.com/en-us/azure/sentinel/livestream#receive-notifications-when-newevents-occur
QUESTION 113
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to
an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an
Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365
subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to
contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
Create custom rule based on the Office 365 connector templates.
Create a Microsoft incident creation rule based on Azure Security Center.
Create a Microsoft Cloud App Security connector.
Create an Azure AD Identity Protection connector.
Answer: CD
Explanation:
The question clearly states "You need to use the Fusion rule..." so there's no need to create any
additional rules.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
115
Fusion Rule needs signals from Azure AD Identity Protection connector and from Microsoft Cloud
App Security connector to generate the alerts.
QUESTION 114
Note: This question is part of a series of questions that present the same scenario. Each
question in the series contains a unique solution that might meet the stated goals. Some
question sets might have more than one correct solution, while others might not have a
correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result,
these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from
a malicious IP address is detected.
Solution: You create a livestream from a query.
Does this meet the goal?
A. Yes
B. No
Answer: B
Explanation:
You create a Microsoft incident creation rule for a data connector.
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
QUESTION 115
Hotspot Question
You need to create a query for a workbook. The query must meet the following requirements:
- List all incidents by incident number.
- Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
116
Answer:
Explanation:
If you wanted to return a list of all incidents sorted by their incident number but only wanted to
return the most recent log per incident, you could do this using the arg_max KQL operator*:
List incidents by incident number
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
QUESTION 116
Drag and Drop Question
You have the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
117
You need to prevent duplicate events from occurring in SW1.
What should you use for each action? To answer, drag the appropriate resources to the correct
actions. Each resource may be used once, more than once, or not at all. You may need to drag
the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Server1
On each source machine that sends logs to the forwarder in CEF format (SERVER1), you must
edit the Syslog configuration file to remove the facilities that are being used to send CEF
messages. This way, the facilities that are sent in CEF won't also be sent in Syslog.
Box 2: Server1
You must run the following command on those machines (the ones you ran it previously, i.e
SERVER1) to disable the synchronization of the agent with the Syslog configuration in Microsoft
Sentinel. This ensures that the configuration change you made in the previous step does not get
overwritten
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-thedeployment-script
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
118
QUESTION 117
You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint
Online sites during the month before their accounts were deleted.
What should you use?
A.
B.
C.
D.
a file policy in Microsoft Defender for Cloud Apps
an access review policy
an alert policy in Microsoft Defender for Office 365
an insider risk policy
Answer: D
Explanation:
When users leave your organization, there are specific risk indicators typically associated with
data theft by departing users. This policy template uses exfiltration indicators for risk scoring and
focuses on detection and alerts in this risk area.
Reference:
https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-managementpolicies?view=o365-worldwide#data-theft-by-departing-users
QUESTION 118
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.
You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?
A.
B.
C.
D.
the Incidents blade of the Microsoft 365 Defender portal
the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
Activity explorer in the Microsoft 365 compliance center
the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
Answer: C
Explanation:
Labeling activities are available in Activity explorer.
For example:
Sensitivity label applied
This event is generated each time an unlabeled document is labeled or an email is sent with a
sensitivity label.
It is captured at the time of save in Office native applications and web applications. It is captured
at the time of occurrence in Azure Information protection add-ins. Upgrade and downgrade labels
actions can also be monitored via the Label event type field and filter.
Reference: https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activityexplorer-available-events?view=o365-worldwide
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
119
QUESTION 119
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?
A.
B.
C.
D.
Investigations
Devices
Evidence and Response
Alerts
Answer: C
Explanation:
The Evidence and Response tab shows all the supported events and suspicious entities in the
alerts in the incident.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents
QUESTION 120
You have five on-premises Linux servers.
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to use Defender for Cloud to protect the Linux servers.
What should you install on the servers first?
A.
B.
C.
D.
the Dependency agent
the Log Analytics agent
the Azure Connected Machine agent
the Guest Configuration extension
Answer: B
Explanation:
Defender for Cloud depends on the Log Analytics agent.
Use the Log Analytics agent if you need to:
* Collect logs and performance data from Azure virtual machines or hybrid machines hosted
outside of Azure
* Etc.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/os-coverage
https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#log-analyticsagent
QUESTION 121
You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and remediate
the security threats detected by Microsoft Sentinel.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
120
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
E.
Microsoft Sentinel bookmarks
Azure Automation runbooks
Microsoft Sentinel automation rules
Microsoft Sentinel playbooks
Azure Functions apps
Answer: CD
Explanation:
Microsoft Sentinel's Automation rules can be used to automatically trigger actions or playbooks in
response to detected security incidents. This reduces the need for manual intervention and
minimizes administrative effort.
Playbooks in Microsoft Sentinel can be used to automate incident response tasks and
remediation steps, such as quarantining an affected machine or disabling a compromised
account. This allows you to quickly and consistently take action on security incidents, further
reducing administrative effort.
QUESTION 122
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto
queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will
display the results of the queries and be pinned to a dashboard. The solution must minimize
development effort.
What should you use to create the visuals?
A.
B.
C.
D.
plotly
TensorFlow
msticpy
matplotlib
Answer: C
Explanation:
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes
functionality to: query log data from multiple sources. enrich the data with Threat Intelligence,
geolocations and Azure resource data. extract Indicators of Activity (IoA) from logs and unpack
encoded data.
MSTICPy reduces the amount of code that customers need to write for Microsoft Sentinel, and
provides:
- Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint,
Splunk, and other data sources.
- Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.
Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction,
and WhoIs lookups.
- Visualization tools using event timelines, process trees, and geo mapping. Advanced analyses,
such as time series decomposition, anomaly detection, and clustering.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
121
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebook-get-started
https://msticpy.readthedocs.io/en/latest/
QUESTION 123
You have a Microsoft Sentinel workspace that contains the following incident.
Brute force attack against Azure Portal analytics rule has been triggered.
You need to identify the geolocation information that corresponds to the incident.
What should you do?
A.
B.
C.
D.
From Overview, review the Potential malicious events map.
From Incidents, review the details of the iPCustomEntity entity associated with the incident.
From Incidents, review the details of the AccouncCuscomEntity entity associated with the incident.
From Investigation, review insights on the incident entity.
Answer: B
Explanation:
The IPCustomEntity entity associated with the incident should provide the IP address that
triggered the brute force attack. You can then use a geolocation lookup tool to determine the
country or region associated with that IP address.
QUESTION 124
You have two Azure subscriptions that use Microsoft Defender for Cloud.
You need to ensure that specific Defender for Cloud security alerts are suppressed at the root
management group level. The solution must minimize administrative effort.
What should you do in the Azure portal?
A.
B.
C.
D.
Create an Azure Policy assignment.
Modify the Workload protections settings in Defender for Cloud.
Create an alert rule in Azure Monitor.
Modify the alert settings in Defender for Cloud.
Answer: A
Explanation:
To suppress alerts at the management group level, use Azure Policy.
Reference:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-asuppression-rule
QUESTION 125
Hotspot Question
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user
named User1.
You are notified that the account of User1 is compromised.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
122
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
123
Explanation:
Filtering the DeviceInfo table to only include rows where the LoggedOnUsers field contains the
string "user1".
Removing duplicates based on the DeviceId field.
Joining the resulting set of devices with the AlertEvidence table based on the DeviceId field.
Projecting the AlertId field from the resulting set.
Joining the resulting set of alerts with the AlertInfo table based on the AlertId field.
Projecting the AlertId, Timestamp, Title, Severity, and Category fields from the resulting set of
alerts.
This query retrieves a list of alerts that are related to devices where the user "user1" is logged on,
and it includes the alert ID, timestamp, title, severity, and category for each alert. The "join" and
"project" operations in the query are used to combine and filter the data from the various tables in
the ATP data model.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-queryemails-devices?view=o365-worldwide
QUESTION 126
Drag and Drop Question
You have an Azure subscription. The subscription contains 10 virtual machines that are
onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior on a
virtual machine, you receive an email notification. The solution must generate a test email.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
124
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
Step 1: From Logic App Designer, create a logic app.
Create a logic app and define when it should automatically run
1. From Defender for Cloud's sidebar, select Workflow automation.
2. To define a new workflow, click Add workflow automation. The options pane for your new
automation opens.
Here you can enter:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
125
A name and description for the automation.
The triggers that will initiate this automatic workflow. For example, you might want your Logic App
to run when a security alert that contains "SQL" is generated.
The Logic App that will run when your trigger conditions are met.
3. From the Actions section, select visit the Logic Apps page to begin the Logic App creation
process.
4. Etc.
Step 2: From Logic App Designer, run a trigger.
Manually trigger a Logic App
You can also run Logic Apps manually when viewing any security alert or recommendation.
Step 3: From Workflow automation in Defender for cloud, add a workflow automation. Configure
workflow automation at scale using the supplied policies Automating your organization's
monitoring and incident response processes can greatly improve the time it takes to investigate
and mitigate security incidents.
Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation
QUESTION 127
Hotspot Question
You have a Microsoft Sentinel workspace named sws1.
You need to create a hunting query to identify users that list storage keys of multiple Azure
Storage accounts. The solution must exclude users that list storage keys for a single storage
account.
How should you complete the query? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
126
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
127
Explanation:
Box 1: AzureActivity
The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in
only data from Microsoft Sentinel, start your query with the following code:
Box 2: autocluster()
Example: description: |
'Listing of storage keys is an interesting operation in Azure which might expose additional secrets
and PII to callers as well as granting access to VMs. While there are many benign operations of
this
type, it would be interesting to see if the account performing this activity or the source IP address
from
which it is being done is anomalous.
The query below generates known clusters of ip address per caller, notice that users which only
had single
operations do not appear in this list as we cannot learn from it their normal activity (only based on
a single event). The activities for listing storage account keys is correlated with this learned
clusters of expected activities and activity which is not expected is returned.'
AzureActivity
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where
ActivityStatusValue == "Succeeded"
| join kind= inner (
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
128
AzureActivity
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where
ActivityStatusValue == "Succeeded"
| project ExpectedIpAddress=CallerIpAddress, Caller
| evaluate autocluster()
) on Caller
| where CallerIpAddress != ExpectedIpAddress
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds =
make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller,
CallerIpAddress
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity =
CallerIpAddress
Reference: https://github.com/Azure/AzureSentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.ya
ml
QUESTION 128
Drag and Drop Question
You have a Microsoft Sentinel workspace named workspace1 and an Azure virtual machine
named VM1.
You receive an alert for suspicious use of PowerShell on VM1.
You need to investigate the incident, identify which event triggered the alert, and identify whether
the following actions occurred on VM1 after the alert:
- The modification of local group memberships
- The purging of event logs
Which three actions should you perform in sequence in the Azure portal? To answer, move the
appropriate actions from the list of actions to the answer area and arrange them in the correct
order.
Answer:
Explanation:
Step 1: From the details pane of the incident, select Investigate.
Choose a single incident and click View full details or Investigate.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
129
Step 2: From the Investigation blade, select the entity that represents VM1.
The Investigation Insights workbook is broken up into 2 main sections, Incident Insights and
Entity Insights.
Incident Insights
The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick
access to their associated metadata including alerts and entity information.
Entity Insights
The Entity Insights allows the analyst to take entity data either from an incident or through manual
entry and explore related information about that entity. This workbook presently provides view of
the following entity types:
IP Address
Account
Host
URL
Step 3: From the Investigation blade, select Insights
The Investigation Insights Workbook is designed to assist in investigations of Azure Sentinel
Incidents or individual IP/Account/Host/URL entities.
Reference:
https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview
https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases
QUESTION 129
You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.
You need to identify all the changes made to Domain Admins group during the past 30 days.
What should you use?
A.
B.
C.
D.
the Azure Active Directory Provisioning Analysis workbook
the Overview settings of Insider risk management
the Modifications of sensitive groups report in Microsoft Defender for Identity
the identity security posture assessment in Microsoft Defender for Cloud Apps
Answer: C
Explanation:
The Modifications of sensitive groups report in Microsoft Defender for Identity would be the best
option to use to identify all the changes made to the Domain Admins group during the past 30
days. This report provides information about changes made to sensitive groups, including the
Domain Admins group, in the Azure AD environment and helps to identify potential security
threats.
QUESTION 130
You have a Microsoft Sentinel workspace.
You need to prevent a built-in Advance Security information Model (ASIM) parse from being
updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
130
A. Redeploy the built-in parse and specify a CallerContext parameter of any and a
SourceSpecificParse parameter of any.
B. Create a hunting query that references the built-in parse.
C. Redeploy the built-in parse and specify a CallerContext parameter of built-in.
D. Build a custom unify parse and include the build- parse version
E. Create an analytics rule that includes the built-in parse
Answer: AD
QUESTION 131
You have a Microsoft Sentinel workspace.
You receive multiple alerts for failed sign-in attempts to an account.
You identify that the alerts are false positives.
You need to prevent additional failed sign-in alerts from being generated for the account. The
solution must meet the following requirements:
- Ensure that failed sign-in alerts are generated for other accounts.
- Minimize administrative effort
What should do?
A.
B.
C.
D.
Create an automation rule.
Create a watchlist.
Modify the analytics rule.
Add an activity template to the entity behavior.
Answer: A
Explanation:
Two methods for avoiding false positives:
Automation rules create exceptions without modifying analytics rules.
Scheduled analytics rules modifications permit more detailed and permanent exceptions.
https://learn.microsoft.com/en-us/azure/sentinel/false-positives
QUESTION 132
You have a custom Microsoft Sentinel workbook named Workbook1.
You need to add a grid to Workbook1. The solution must ensure that the grid contains a
maximum of 100 rows.
What should you do?
A.
B.
C.
D.
In the query editor interface, configure Settings.
In the query editor interface, select Advanced Editor
In the grid query, include the project operator.
In the grid query, include the take operator.
Answer: D
Explanation:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
131
The take operator allows you to limit the number of rows returned by a query. By including the
take operator in the grid query and specifying a maximum of 100 rows, you can ensure that the
grid in Workbook1 contains a maximum of 100 rows.
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/takeoperator
QUESTION 133
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource
group named RG1. RG1 contains 20 virtual machines that run Windows Server 2019.
You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must
meet the following requirements:
- Limit the maximum request time to two hours.
- Limit protocols access to Remote Desktop Protocol (RDP) only.
- Minimize administrative effort.
What should you use?
A.
B.
C.
D.
Azure AD Privileged Identity Management (PIM)
Azure Policy
Azure Front Door
Azure Bastion
Answer: C
Explanation:
To meet the given requirements, you should use Azure Bastion to configure just-in-time (JIT)
access for the virtual machines in RG1.
Azure Bastion provides secure and seamless RDP and SSH access to virtual machines over a
web browser and eliminates the need for a public IP address. It simplifies the process of
connecting to virtual machines by allowing users to connect directly to virtual machines through
the Azure portal.
To enable JIT access with Azure Bastion, you can create a JIT policy that defines the rules for
access, including limiting access to specific protocols like RDP and setting the maximum request
time to two hours. This can be done using the Azure portal or Azure CLI, and once the policy is
created, Azure Bastion will automatically enforce the access rules when users try to connect to
the virtual machines.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/just-in-time-access-usage
QUESTION 134
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM)
parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A.
B.
C.
D.
a watch list
an analytic rule
a hunting query
a workbook
Answer: A
Explanation:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
132
To support excluding built-in source-specific parsers, ASIM uses a watchlist.
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers#set-up-yourworkspace
QUESTION 135
You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addressed and
URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the
Microsoft 365 Defender portal?
A.
B.
C.
D.
endpoint detection and response (EDR) in block mode
custom network indicators
web content filtering
Live response for servers
Answer: B
Explanation:
In the prerequisite for "Create indicators for IPs and URLs/domains"
Ensure that Custom network indicators is enabled in Microsoft 365 Defender > Settings >
Advanced features.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ipdomain?view=o365-worldwide
QUESTION 136
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage
account named storage1.
You receive an alert that there was an unusually high volume of delete operations on the blobs in
storage1.
You need to identify which blobs were deleted.
What should you review?
A.
B.
C.
D.
the Azure Storage Analytics logs
the activity logs of storage1
the alert details
the related entities of the alert
Answer: A
Explanation:
Azure Storage Analytics performs logging and provides metrics data for a storage account. You
can use this data to trace requests, analyze usage trends, and diagnose issues with your storage
account.
https://learn.microsoft.com/en-us/rest/api/storageservices/storage-analytics-logged-operationsand-status-messages#logged-operations
QUESTION 137
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
133
You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed.
You need to simulate an attack on the virtual machine that will generate an alert.
What should you do first?
A.
B.
C.
D.
Run the Log Analytics Troubleshooting Tool.
Copy and executable and rename the file as ASC_AlertTest_662jfi039N.exe.
Modify the settings of the Microsoft Monitoring Agent.
Run the MMASetup executable and specify the –foo argument.
Answer: B
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alert-validation
QUESTION 138
Hotspot Question
You have the following KQL query.
For each of the following statements, select Yes if the statement is true. Otherwise. select No.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
134
Explanation:
The account entity is set as the username not the opposite.
The username is not set as the account entity it's the opposite.
https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage#edit-a-watchlist-item
https://learn.microsoft.com/en-us/azure/sentinel/entities-reference#entity-types-and-identifiers
QUESTION 139
Drag and Drop Question
A company wants to analyze by using Microsoft 365 Apps.
You need to describe the connected experiences the company can use.
Which connected experiences should you describe? To answer, drag the appropriate connected
experiences to the correct description. Each connected experience may be used once, more than
once, or not at all. You may need to drag the split between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
QUESTION 140
You have an Azure subscription that has the enhanced security features in Microsoft Defender for
Cloud enabled and contains a user named User1.
You need to ensure that User1 can export alert data from Defender for Cloud. The solution must
use the principle of least privilege.
Which role should you assign to User1?
A.
B.
C.
D.
User Access Administrator
Owner
Contributor
Reader
Answer: B
Explanation:
Because Security admin isn't in the answers.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azureportal#availability
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
135
QUESTION 141
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft
Sentinel workspace that has an Azure Active Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated
alert.
What should you create first?
A.
B.
C.
D.
a repository connection
a watchlist
an analytics rule
an automation rule
Answer: D
Explanation:
To ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert, you
should create an automation rule first.
QUESTION 142
You have a Microsoft Sentinel workspace.
You need to identify which rules are used to detect advanced multistage attacks that comprise
two or more alerts or activities. The solution must minimize administrative effort.
Which rule type should you query?
A.
B.
C.
D.
Fusion
Microsoft Security
ML Behavior Analytics
Scheduled
Answer: A
Explanation:
Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning
algorithms, to automatically detect multistage attacks.
https://learn.microsoft.com/en-us/azure/sentinel/fusion
QUESTION 143
You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual
machines.
You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the
following requirements:
- Minimize administrative effort.
- Minimize the parsing required to read fog data.
What should you configure?
A.
B.
C.
D.
a Log Analytics Data Collector API
REST API integration
a Common Evert Format (CEF) connector
a Syslog connector
Answer: C
Explanation:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
136
Minimize the parsing required to read fog data. CEF connector sends Common Event Format
data which means easy to read. As for administrative effort. You only need to configure the CEF
server to listen for syslog from all the linux vms and then send the CEF data to Sentinel.
QUESTION 144
Hotspot Question
You have 100 Azure subscriptions that have enhanced security features in Microsoft Defender for
Cloud enabled.
All the subscriptions are inked to a single Azure Active Directory (Azure AD) tenant.
You need to stream the Defender for Cloud logs to a syslog server. The solution must minimize
administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: Azure Event hub
To stream alerts into //Syslog servers// ,and other monitoring solutions, connect Defender for
Cloud using continuous export and Azure Event Hubs.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
137
Box 2: Azure Policy
Note:
To stream alerts at the tenant level, use this //Azure policy// and set the scope at the root
management group.
Reference:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem#stream-alerts-withcontinuous-export
https://docs.microsoft.com/en-us/azure/defender-for-cloud/continuous-export?tabs=azurepolicy#configure-continuous-export-at-scale-using-the-supplied-policies
QUESTION 145
Drag and Drop Question
You have an Azure subscription that contains 100 Linux virtual machines.
You need to configure Microsoft Sentinel to collect event logs from the virtual machines.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
138
Explanation:
https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog
QUESTION 146
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint. You need to
add threat indicators for all the IP addresses in a range of 171.23.34.32 - 171.23.34.63. The
solution must minimize administrative effort.
What should you do in the Microsoft 365 Defender portal?
A. Create an import file that contains the IP address of 171.23.34.32/27.
Select import and import the file.
B. Select Add indicator and set the IP address to 171.23.34.32 - 171.23.34.63.
C. Select Add indicator and set the IP address to 171.23.34.32/27
D. Create an import file that contains the individual IP addresses in the range.
Select import and import the file.
Answer: C
QUESTION 147
Your company has an on-premises network that uses Microsoft Defender for Identity. The
Microsoft Secure Score for the company includes a security assessment associated with
unsecure Kerberos delegation.
You need remediate the security risk.
What should you do?
A. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as
exposed entities.
B. Modify the properties of the computer objects listed as exposed entities.
C. Disable legacy protocols on the computers listed as exposed entities.
D. Enforce LDAP signing on the computers listed as exposed entities.
Answer: B
Explanation:
https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unconstrainedkerberos
QUESTION 148
Hotspot Question
You have a Microsoft Sentinel workspace named Workspace1.
You configure Workspace1 to collect DNS events and deploy the Advanced Security Information
Model (ASIM) unifying parser for the DNS schema.
You need to query the ASIM DNS schema to list all the DNS events from the last 24 hours that
have a response code of ‘NXDOMAIN’ and were aggregated by the source IP address in 15minute intervals. The solution must maximize query performance.
How should you complete the query? To answer, select the appropriate options in the answer
area.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
139
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Every schema that supports filtering parameters supports at least the starttime and endtime
parameters and using them is often critical for optimizing performance.
https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers#optimizing-parsingusing-parameters
QUESTION 149
Hotspot Question
You have an Azure subscription that contains an Microsoft Sentinel workspace.
You need to create a hunting query using Kusto Query Language (KQL) that meets the following
requirements:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
140
- Identifies an anomalous number of changes to the rules of a network
security group (NSG) made by the same security principal
- Automatically associates the security principal with an Microsoft
Sentinel entity
How should you complete the query? To answer, select the appropriate options in the answer
area. NOTE: Each correct selection is worth one point.
Answer:
QUESTION 150
You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage
incident related to a suspected malicious document. After reviewing all the details, you have
determined that the alert tied to the potentially malicious document is also related to another
incident in your environment. However, the alert is not currently listed as a part of that second
incident.
Your investigation into the alert is ongoing, as it is your investigation into the two related
incidents.
You need to appropriately categorize the alert and ensure that it is associated with the second
incident.
What two actions should you take in the Manage alert pane to fulfill this part of the investigation?
(Choose two)
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
141
A.
B.
C.
D.
E.
Set status to In progress
Set status to New
Set classification to True alert
Enter the Incident ID of the related incident in the Comment section.
Select the Link alert to another incident option.
Answer: AE
Explanation:
The correct action to classify the alert would be to set the status to In progress. While the alert
may seem to be legitimate as it is linked to another incident, until a final determination is reached,
you should set the status to In progress to ensure that others know it is being worked on. Once a
determination is reached, you can then change it to Resolved and select the appropriate
classification (True alert or False alert).
The correct action to correlate the alert to the other incident would be to select the Link alert to
another incident option. While ideally, the alert would automatically be included in both incidents
that are not always the case. If you notice an alert that is not linked to an incident that it is clearly
connected to, using the Link alert to another incident option ensures they are tied together.
You should not set the classification to True alert. While a point can be made that it seems this
malicious file involved in multiple incidents is likely to be a True alert, you cannot yet make that
determination. It is also not the time to classify it as a false alert. The best practice while
continuing an investigation would be not to change the classification at all, which means leaving it
as the default Not set classification.
You should not enter the Incident ID of the related incident in the Comment section. While this
might be helpful from an administrative perspective, it creates no link to the other incident.
You should not set the status to New. This is the default status of any alert. The question
specifically seeks to ensure your peers know the alert is being investigated, so setting (or leaving)
the status as New would make it impossible to differentiate from other uninvestigated alerts.
All of the actions mentioned in the options can be found in the Manage alert pane, which can be
reached via the Alerts tab in the Incidents section of the Microsoft 365 Defender portal.
References:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-alerts
https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigateincidents?view=o365-worldwide
QUESTION 151
Which of the following choices best defines threat hunting using Microsoft Defender for Endpoint?
A. Sensing and blocking apps that are considered unsafe but may not be detected as malware.
B. Decrease vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop
malware.
C. You can proactively look at events in your network using a powerful search and query tool.
D. All of the above.
Answer: C
Explanation:
Option A is incorrect. This is an explanation of advanced protection provided by Windows
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
142
Defender Antivirus.
Options B, D are incorrect. This is an explanation of attack surface reduction.
Option C is correct. Microsoft Defender for Endpoint advanced threat hunting is built on top of a
query language that gives you flexibility.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-huntingoverview?view=o365-worldwide
QUESTION 152
Which of the following is not a component of Microsoft Defender for Endpoint?
A.
B.
C.
D.
Endpoint detection and response
Cloud device management
Next generation protection
Integrity monitoring
Answer: B
Explanation:
Options A and C are incorrect. Threat and vulnerability management, attack surface reduction,
next-generation protection, endpoint detection and response, automated investigation and
remediation are all components of Microsoft Defender for Endpoint.
Option B is correct. Cloud device management is not a component of the security administration
of Microsoft Defender for Endpoint.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defenderendpoint?view=o365-worldwide
QUESTION 153
You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for
Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command
line. You start by going through the incident and apprehend all the related alerts, devices, and
evidence.
You open the alert page to evaluate the Alert and choose to perform further analysis on the
device. You open the Device page and decide that you require remote access to the device to
collect more forensics information using a custom .ps1 script.
Which type of information is gathered in an Investigation package?
A.
B.
C.
D.
Prefetch Files
Network transactions
Command History
Process History
Answer: A
Explanation:
Network transactions, Process and Command History are not collected. Only Prefetch files are
collected.
An investigation package contains the following folders when you collect it from a device as part
of the investigation process. These can help us identify the present state of devices and methods
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
143
used by attackers.
Autoruns, installed programs, Network Connections, Prefetch files, Prefetch folder, Processes,
Scheduled tasks, Security event log, Services, Windows Server Message Block (SMB) sessions,
System Information, Temp Directories, Users and Groups, WdSupportLogs,
CollectionSummaryReport.xls
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide
QUESTION 154
You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for
Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command
line. You start by going through the incident and apprehend all the related alerts, devices, and
evidence.
You open the alert page to evaluate the Alert and choose to perform further analysis on the
device. You open the Device page and decide that you require remote access to the device to
collect more forensics information using a custom .ps1 script.
Which one of the below is a Device action?
A.
B.
C.
D.
Reformat device
Isolate device
Reboot
Reinstall
Answer: B
Explanation:
You can't issue either reboot, reinstall or reformat action. You can perform isolation devices.
Depending on the severity of the attack and the sensitivity of the device, you might want to isolate
the device from the network. This action can help prevent the attacker from controlling the
compromised device and performing further activities such as data exfiltration and lateral
movement.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide
QUESTION 155
Which of the below artifact types contains an investigation page?
A.
B.
C.
D.
Domain
Threat Actor
Hunter
Alert
Answer: A
Explanation:
Option A is correct. Domain contains an investigation page.
Option B is incorrect. Threat Actor is not a forensic artifact.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
144
Option C is incorrect. Hunter does not have an investigation page.
Option D is incorrect. Alert does not have an investigation page.
Reference :
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigatemachines?view=o365-worldwide
QUESTION 156
What information is shared by a deep file analysis?
A.
B.
C.
D.
Registry Modifications
Code change history
Command history
Process history
Answer: A
Explanation:
Command history, process and code change history are not reported. Only Registry modifications
are reported.
Deep file analysis results contain the file's activities, behaviors, and artifacts like dropped files,
registry changes and IP communication.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-filealerts?view=o365-worldwide
QUESTION 157
Which information is shared on the user account page?
A.
B.
C.
D.
Security groups
Threat hunt ID
Associated alerts
All of the above
Answer: C
Explanation:
The security groups, user accounts belong to and threat hunt ID is not shown.
Associated alerts are made available.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-users?view=o365worldwide
QUESTION 158
Multiple false positive alerts are generating in a company XYZ. A security operations analyst
working for XYZ needs to exclude an executable file to reduce alerts c:\myxyzapp\myxyzwinapp.exe, which exclusion type must they use?
A. Extension
B. Folder
C. File
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
145
D. Registry
Answer: C
Explanation:
File will exclude only this specific file, whereas extension would exclude all files with the
extensions, and folder would exclude all files in a folder. Registry exclusion doesn't happen.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extensionfile-exclusions-microsoft-defender-antivirus?view=o365-worldwide
QUESTION 159
In advanced features, which setting must be turned on to obstruct files even if a 3rd party AV is
used?
A.
B.
C.
D.
Turn on EDR with block mode.
Automated Investigation
Allow or block file
All of the above
Answer: A
Explanation:
Option A is correct. EDR with block mode can be used with third-party AV.
Option B is incorrect. The "Allow or block file" feature requires Defender AV.
Option C is incorrect. Automated investigations do not block files.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defenderantivirus-compatibility?view=o365-worldwide
QUESTION 160
Microsoft Defender for Endpoint gives configuration selections for alerts and detections. These
include notifications, custom indicators, and detection rules. Which filter is a part of an Alert
notification rule?
A.
B.
C.
D.
Subject IDs
Alert Severity
Account
Alert IDs
Answer: B
Explanation:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-emailnotifications?view=o365-worldwide
QUESTION 161
You are in charge of working with the endpoint team to patch weaknesses reported by Threat
Vulnerability Management. Which report keeps an inventory of the vulnerabilities of your systems
that are wide-open by listing the CVE IDs?
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
146
A.
B.
C.
D.
Weakness
Software Inventory
Event Timeline
Incident
Answer: A
Explanation:
Option A is correct. This report is enumerated by the CVE ID.
Option B is incorrect. The software inventory page contains a list of software installed in your
organization.
Option C is incorrect. The event timeline is a risk feed that lets you understand how risk is
introduced in the organization.
Option D is incorrect. The incident report doesn't contain any weaknesses or vulnerabilities.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvmweaknesses?view=o365-worldwide
QUESTION 162
Which selection is an ASR (attack surface reduction) rule that can be implemented and blocked?
A.
B.
C.
D.
Content from mobile devices
PowerShell from executing
Process creations initiating from WMI and PSExec commands
None of the above
Answer: C
Explanation:
Option A is incorrect. This is not an ASR rule that can be implemented and blocked.
Option B is incorrect. .ps1 execution cannot be blocked with an ASR rule.
Option C is correct. This is an ASR rule that can be implemented and blocked.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surfacereduction?view=o365-worldwide
QUESTION 163
From which of the following can a SOC (Security Operation Center) analyst make a customized
detection?
A.
B.
C.
D.
Alert
Incident
Advanced Hunting
Request
Answer: C
Explanation:
Advanced hunting gives a choice to save the query as a detection, while Alert and Incident don't
provide an option to save as a detection.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
147
results?view=o365-worldwide
QUESTION 164
Microsoft Defender for Endpoint gives a purpose based UI to manage and inspect security
incidents and alerts. Which option can't be accomplished in the Action Center?
A.
B.
C.
D.
Review completed actions.
Configure action email notifications.
Manage pending actions.
None of the above
Answer: B
Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contactdetails
QUESTION 165
A SOC analyst found out about an event of interest. What is the next step to take it forward for
further review?
A.
B.
C.
D.
Flag
Tag
Highlight
Close
Answer: A
Explanation:
While looking into the device timeline for suspicious activity, we can search and filter for specific
events. We can set event flags by:
- Highlighting the most important events
- Marking events that require a deep dive
- Building a clean breach timeline
Find the event that we want to flag. Select the flag icon in the Flag column.
Once events are flagged, we can filter suspicious events more easily. In the timeline Filters
section, enable Flagged events. Only flagged events are displayed. You can apply more filters
that will only show events prior to the flagged event.
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/investigate-entity
QUESTION 166
What type of Behavioural blocking can be utilized with 3rd-party AVs?
A.
B.
C.
D.
EDR with block mode
Feedback-loop blocking
Client behavior blocking
Malicious behavior blocking
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
148
Answer: A
Explanation:
Option A is correct. EDR with Block mode allows you for blocking even when another AV is in
use.
Options B, C, D are incorrect. Feedback-loop and Client behavior blocking are used with
Defender AV.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-blockmode?view=o365-worldwide
QUESTION 167
A Windows 10 system is not showing in the device inventory list. What may be the problem?
A.
B.
C.
D.
System is not having the latest KB's
System has no alerts in the past 30 days.
System was renamed.
None of the above
Answer: B
Explanation:
Options A, C, D are incorrect. Neither renaming any device nor KB's has any impact on the
Device inventory list.
Option B is correct. We can modify the "time setting" to find the system.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/asset-inventory
QUESTION 168
Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and
alerts across Microsoft 365 services.
You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender
solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and
Cloud App Security.
You are required to monitor related alerts across all the solutions as a single incident to observe
the incident's full impact and do an RCA (root cause investigation). The Microsoft Security center
portal has a fused view of incidents and actions are taken on them.
Which tab is present on the incident page when investigating a particular incident?
A.
B.
C.
D.
Machines
Mailboxes
Networks
Incidents
Answer: B
Explanation:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigateincidents?view=o365-worldwide
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
149
QUESTION 169
Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and
alerts across Microsoft 365 services.
You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender
solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and
Cloud App Security.
You are required to monitor related alerts across all the solutions as a single incident to observe
the incident's full impact and do an RCA (root cause investigation). The Microsoft Security center
portal has a fused view of incidents and actions taken on them.
Which of the following can be classified as an Incident?
A.
B.
C.
D.
Test alert
True alert
High alert
Positive alert
Answer: B
Explanation:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigateincidents?view=o365-worldwide
QUESTION 170
You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has
data loss prevention (DLP) policies that have aggregated alerts configured.
You need to identify the impacted entities in an aggregated alert.
What should you review in the DLP alert management dashboard of the Microsoft 365
compliance center?
A.
B.
C.
D.
the Events tab of the alert
the Sensitive Info Types tab of the alert
Management log
the Details tab of the alert
Answer: A
Explanation:
In order to identify the impacted entities in an aggregated alert, you should review the "Events"
tab of the DLP alert management dashboard in the Microsoft 365 compliance center. This tab will
display a list of all the events that triggered the alert, including the specific entities (e.g. files,
emails, etc.) that were affected. You can further investigate each event to identify the specific
user, device and action that caused the alert to be triggered.
https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alertspolicies?view=o365-worldwide
QUESTION 171
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
150
You plan to create a hunting query from Microsoft Defender.
You need to create a custom tracked query that will be used to assess the threat status of the
subscription.
From the Microsoft 365 Defender portal, which page should you use to create the query?
A.
B.
C.
D.
Threat analytics
Advanced Hunting
Explorer
Policies & rules
Answer: B
Explanation:
"Use Advance mode if you're comfortable creating custom queries."
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-huntingoverview?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-huntingmodes?view=o365-worldwide#get-started-with-guided-hunting-mode
QUESTION 172
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32171.23.34.63. The solution must minimize administrative effort.
What should you do in the Microsoft 365 Defender portal?
A. Create an import file that contains the individual IP addresses in the range. Select Import and
import the file.
B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import
the file.
C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.
D. Select Add indicator and set the IP address to 171.23.34.32/27.
Answer: A
QUESTION 173
Drag and Drop Question
You have an Azure subscription that contains the users shown in the following table.
You need to delegate the following tasks:
- Enable Microsoft Defender for Servers on virtual machines.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
151
- Review security recommendations and enable server vulnerability
scans.
The solution must use the principle of least privilege.
Which user should perform each task? To answer, drag the appropriate users to the correct
tasks. Each user may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowedactions
QUESTION 174
Hotspot Question
You have a Microsoft 365 E5 subscription.
You need to create a hunting query that will return every email that contains an attachment
named Document.pdf. The query must meet the following requirements:
- Only show emails sent during the last hour.
- Optimize query performance.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
152
Answer:
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-bestpractices?view=o365-worldwide
Apply filters early - so start with the timestamp > ago(1h)
then the join with an inner-join
QUESTION 175
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices.
You need to mark the file as safe and remove the file from quarantine on the devices.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
153
What should you use in the Microsoft 365 Defender portal?
A.
B.
C.
D.
From the History tab in the Action center, revert the actions.
From the investigation page, review the AIR processes.
From Quarantine from the Review page, modify the rules.
From Threat tracker, review the queries.
Answer: A
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoiractions?view=o365-worldwide#undo-completed-actions
QUESTION 176
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable
resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
A.
B.
C.
D.
Advanced hunting
Threat analytics
Incidents & alerts
Learning hub
Answer: B
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/threat-analytics?view=o365worldwide
QUESTION 177
Drag and Drop Question
You have a Microsoft subscription that has Microsoft Defender for Cloud enabled.
You configure the Azure logic apps shown in the following table.
You need to configure an automatic action that will run if a Suspicious process executed alert is
triggered. The solution must minimize administrative effort.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
154
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-respondingalerts#respond-to-security-alerts
QUESTION 178
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in
Amazon Web Services (AWS).
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.
What should you install first on Server1?
A.
B.
C.
D.
the Microsoft Monitoring Agent
the Azure Monitor agent
the Azure Arc agent
the Azure Pipelines agent
Answer: C
Explanation:
Azure Arc for servers installed on your EC2 instances.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=envsettings
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
155
QUESTION 179
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to filter the security alerts view to show the following alerts:
- Unusual user accessed a key vault
- Log on from an unusual location
- Impossible travel activity
Which severity should you use?
A.
B.
C.
D.
Informational
Low
Medium
High
Answer: C
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview#how-are-alertsclassified
QUESTION 180
You plan to review Microsoft Defender for Cloud alerts by using a third-party security information
and event management (SIEM) solution.
You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.
Which JSON key should you search?
A.
B.
C.
D.
Description
Intent
ExtendedProperies
Entities
Answer: B
Explanation:
Intent
PrivilegeEscalation string
Privilege escalation is the result of actions that allow an adversary to obtain a higher level of
permissions on a system or network.
https://learn.microsoft.com/en-us/rest/api/defenderforcloud/alerts/list?tabs=HTTP#intent
QUESTION 181
Drag and Drop Question
You have 50 on-premises servers.
You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud
deployment has Microsoft Defender for Servers and automatic provisioning enabled.
You need to configure Defender for Cloud to support the on-premises servers. The solution must
meet the following requirements:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
156
- Provide threat and vulnerability management.
- Support data collection rules.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection
https://learn.microsoft.com/en-us/azure/azure-arc/servers/learn/quick-enable-hybrid-vm
QUESTION 182
Hotspot Question
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure
logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is
generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
157
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
158
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-automation-alert?tabs=CLI
QUESTION 183
Hotspot Question
You have an Azure subscription that has Microsoft Defender for Cloud enabled for all supported
resource types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Defender for Cloud.
You need to test LA1 in Defender for Cloud.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
159
Answer:
QUESTION 184
Drag and Drop Question
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is
present on an Azure virtual machine running Windows Server.
Which three actions should you perform in a sequence? To answer, move the appropriate actions
from the list of action to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the
correct orders you select.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
160
Answer:
QUESTION 185
You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual
machines that run Windows Server.
You need to configure Defender for Cloud to collect event data from the virtual machines. The
solution must minimize administrative effort and costs.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From the workspace created by Defender for Cloud, set the data collection level to Common.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
161
B.
C.
D.
E.
From the Microsoft Endpoint Manager admin center, enable automatic enrollment.
From the Azure portal, create an Azure Event Grid subscription.
From the workspace created by Defender for Cloud, set the data collection level to All Events.
From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual
machines.
Answer: BE
Explanation:
B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment: This will
automatically enroll all Windows devices, including the virtual machines in your subscription, in
Microsoft Endpoint Manager, which will then allow Defender for Cloud to collect event data from
these devices. To enable automatic enrollment, you can follow the steps in the Microsoft
documentation.
E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual
machines: This will automatically configure the virtual machines to send event data to Defender
for Cloud without the need for manual configuration or agent installation. To enable automatic
provisioning, you can follow the steps in the Azure Defender documentation.
QUESTION 186
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user
named User1.
You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The
solution must use the principle of least privilege.
Which role should you assign to User1?
A.
B.
C.
D.
Security operator
Security Admin
Owner
Contributor
Answer: B
Explanation:
Security reader: Has rights to view Defender for Cloud items such as recommendations, alerts,
policy, and health. Can't make changes.
Security admin: Has the same view rights as security reader. Can also update the security policy
and dismiss alerts.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/tutorial-security-policy#who-can-editsecurity-policies
QUESTION 187
You have an Azure subscription that contains a user named User1.
User1 is assigned an Azure Active Directory Premium Plan 2 license.
You need to identify whether the identity of User1 was compromised during the last 90 days.
What should you use?
A. the risk detections report
B. the risky users report
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
162
C. Identity Secure Score recommendations
D. the risky sign-ins report
Answer: A
Explanation:
The risk detections report contains filterable data for up to the past 90 days (three months).
https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identityprotection-investigate-risk#risk-detections
QUESTION 188
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute
Cloud (EC2) instance named EC2-1.
You need to onboard EC2-1 to Defender for Cloud.
What should you install on EC2-1?
A.
B.
C.
D.
the Log Analytics agent
the Azure Connected Machine agent
the unified Microsoft Defender for Endpoint solution package
Microsoft Monitoring Agent
Answer: D
Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration
QUESTION 189
Hotspot Question
You have an Azure subscription that uses Microsoft Defender for Cloud.
You create a Google Cloud Platform (GCP) organization named GCP1.
You need to onboard GCP1 to Defender for Cloud by using the native cloud connector. The
solution must ensure that all future GCP projects are onboarded automatically.
What should you include in the solution? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
163
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp
QUESTION 190
You have an Azure subscription that contains a virtual machine named VM1 and uses Microsoft
Defender for Cloud.
Microsoft Defender for Cloud has automatic provisioning configured to use Azure Monitor Agent.
You need to create a custom alert suppression rule that will suppress false positive alerts for
suspicious use of PowerShell on VM1.
What should you do first?
A. From Microsoft Defender for Cloud, export the alerts to a Log Analytics workspace.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
164
B. From Microsoft Defender for Cloud, add a workflow automation.
C. On VM1, trigger a PowerShell alert.
D. On VM1, run the Get-MPThreatCatalog cmdlet.
Answer: C
Explanation:
You must trigger the alert before deploying a suppression rule.
QUESTION 191
You have an Azure subscription that uses Microsoft Sentinel.
You detect a new threat by using a hunting query.
You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must
minimize administrative effort.
What should you do?
A.
B.
C.
D.
Create an analytics rule.
Add the query to a workbook.
Create a watchlist.
Create a playbook.
Answer: A
Explanation:
Creating an analytics rule in Microsoft Sentinel is the best way to ensure that the system
automatically detects the threat with minimal administrative effort. Analytics rules allow you to
create custom detections based on specific events or patterns that you want to monitor.
QUESTION 192
You have a Microsoft Sentinel workspace.
You have a query named Query1 as shown in the following exhibit.
You plan to create a custom parser named Parser1.
You need to use Query1 in Parser1.
What should you do first?
A. Remove line 5.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
165
B. Remove line 2.
C. In line 3, replace the !contains operator with the !has operator.
D. In line 4, remove the TimeGenerated predicate.
Answer: B
Explanation:
In Microsoft Sentinel, parsing and normalizing happen at query time.
https://learn.microsoft.com/en-us/azure/sentinel/normalization-parsers-overview
QUESTION 193
You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?
A.
B.
C.
D.
a hunting query
a workbook
a notebook
a playbook
Answer: B
Explanation:
A Workbook is a collection of visualizations and data that can be used to analyze and report on
data in Azure Sentinel. It can be used to create custom reports that visualize sign-in information
over time.
https://learn.microsoft.com/en-us/azure/sentinel/monitor-your-data
QUESTION 194
Hotspot Question
You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.
You have the hunting query shown in the following exhibit.
The users perform the following actions:
- User1 assigns
- User1 creates
Teams license.
- User2 creates
Security reader
- User2 creates
User2 the Global administrator role.
a new user named User3 and assigns the user a Microsoft
a new user named User4 and assigns the user the
role.
a new user named User5 and assigns the user the
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
166
Security operator role.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://learn.microsoft.com/fr-fr/azure/sentinel/get-visibility
QUESTION 195
Hotspot Question
You have a Microsoft Sentinel workspace.
You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that
produces a schema named Schema1.
You need to validate Schema1.
How should you complete the command? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
167
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#validate-theoutput-schema
QUESTION 196
Hotspot Question
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA)
enabled.
You need to identify all the log entries that relate to security-sensitive user actions performed on a
server named Server1. The solution must meet the following requirements:
- Only include security-sensitive actions by users that are NOT members
of the IT department.
- Minimize the number of false positives.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
168
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/investigate-with-ueba#embed-identityinfo-data-inyour-analytics-rules-public-preview
QUESTION 197
Hotspot Question
You have a Microsoft Sentinel workspace.
You need to create a KQL query that will identify successful sign-ins from multiple countries
during the last three hours.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
169
Explanation:
https://github.com/Azure/AzureSentinel/blob/master/Detections/ASimAuthentication/imAuthSigninsMultipleCountries.yaml
QUESTION 198
Hotspot Question
You have an Azure subscription.
You plan to implement a Microsoft Sentinel workspace. You anticipate that you will ingest 20 GB
of security log data per day.
You need to configure storage for the workspace. The solution must meet the following
requirements:
- Minimize costs for daily ingested data.
- Maximize the data retention period without incurring extra costs.
What should you do for each requirement? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
170
Explanation:
1. Commitment Tiers allow you to reserve a fixed amount of daily data ingestion capacity for
Azure Monitor and Azure Sentinel for a fixed, predictable daily fee.
2. Data ingested into either classic or workspace-based Application Insights is retained for 90
days without any charge.
https://azure.microsoft.com/en-us/pricing/details/monitor/
QUESTION 199
Hotspot Question
You have a Microsoft Sentinel workspace named sws1.
You plan to create an Azure logic app that will raise an incident in an on-premises IT service
management system when an incident is generated in sws1.
You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution
must meet the following requirements:
- Minimize administrative effort.
- Use the principle of least privilege.
How should you configure the credentials? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
171
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/authenticate-playbooks-to-sentinel#authenticatewith-managed-identity
QUESTION 200
You have a Microsoft Sentinel workspace.
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being
updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Create a hunting query that references the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a
SourceSpecificParser parameter of Any.
D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
E. Create an analytics rule that includes the built-in parser.
Answer: BC
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers
https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers#prevent-anautomated-update-of-a-built-in-parser
QUESTION 201
Hotspot Question
You have a Microsoft Sentinel workspace named SW1.
You plan to create a custom workbook that will include a time chart.
You need to create a query that will identify the number of security alerts per day for each
provider.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
172
Answer:
Explanation:
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-workbooks-101with-sample-workbook/ba-p/1409216
QUESTION 202
You have an Azure subscription that contains a Microsoft Sentinel workspace.
You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.
What should you create first?
A.
B.
C.
D.
a hunting query in Microsoft Sentinel
an Azure logic app
an automation rule in Microsoft Sentinel
a trigger in Azure Functions
Answer: B
Explanation:
Azure logic apps are a workflow automation platform that provides a visual designer to model and
automate processes as a series of steps or actions. Logic apps can be triggered by events, such
as an alert in Microsoft Sentinel, and can perform a variety of actions, such as sending an email
or creating a work item in Azure DevOps.
QUESTION 203
Hotspot Question
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
173
Your on-premises network contains 100 servers that run Windows Server.
You have an Azure subscription that uses Microsoft Sentinel.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/connect-custom-logs?tabs=DCG
QUESTION 204
You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace
contains a Microsoft Defender for Cloud data connector.
You need to customize which details will be included when an alert is created for a specific event.
What should you do?
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
174
A.
B.
C.
D.
Enable User and Entity Behavior Analytics (UEBA).
Create a Data Collection Rule (DCR).
Modify the properties of the connector.
Create a scheduled query rule.
Answer: D
Explanation:
To customize which details will be included when an alert is created for a specific event in
Microsoft Sentinel, you can modify the properties of the Microsoft Defender for Cloud data
connector.
https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details
QUESTION 205
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced
Security Information Model (ASIM) parsers based on the DNS schema.
You need to make the 200 parses available in Workspace1. The solution must minimize
administrative effort.
What should you do first?
A.
B.
C.
D.
Copy the parsers to the Azure Monitor Logs page.
Create a JSON file based on the DNS template.
Create an XML file based on the DNS template.
Create a YAML file based on the DNS template.
Answer: D
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers#deploy-parsers
QUESTION 206
Hotspot Question
You have a Microsoft Sentinel workspace.
A Microsoft Sentinel incident is generated as shown in the following exhibit.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
175
Use the drop-down menus to select the answer choice that completes each statement based on
the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
176
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases
QUESTION 207
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
177
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
178
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to minimize the effort required to investigate the Microsoft Defender for Identity false
positive alerts.
What should you review?
A.
B.
C.
D.
the status update time
the resolution method of the source computer
the alert status
the certainty of the source computer
Answer: D
Explanation:
https://learn.microsoft.com/en-us/defender-for-identity/understanding-security-alerts#defenderfor-identity-and-nnr-network-name-resolution
QUESTION 208
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
179
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
180
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
Hotspot Question
You need to meet the Microsoft Defender for Cloud Apps requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
181
QUESTION 209
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
182
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
183
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
Hotspot Question
You need to assign role-based access control (RBAC) roles to Group1 and Group2 to meet the
Microsoft Defender for Cloud requirements and the business requirements.
Which role should you assign to each group? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
184
QUESTION 210
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
185
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
186
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to deploy the native cloud connector to Account 1 to meet the Microsoft Defender for
Cloud requirements.
What should you do in Account1 first?
A.
B.
C.
D.
Create an AWS user for Defender for Cloud.
Configure AWS Security Hub.
Deploy the AWS Systems Manager (SSM) agent.
Create an Access control (IAM) role for Defender for Cloud.
Answer: A
QUESTION 211
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
187
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
188
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
Drag and Drop Question
You need to assign role-based access control (RBAC) roles to Group1 and Group2 to meet the
Microsoft Sentinel requirements and the business requirements.
Which role should you assign to each group? To answer, drag the appropriate roles to the correct
groups. Each role may be used once, more than once, or not at all. You may need to drag the
split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
189
QUESTION 212
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
190
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
191
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to correlate data from the SecurityEvent Log Analytics table to meet the Microsoft
Sentinel requirements for using UEBA.
Which Log Analytics table should you use?
A.
B.
C.
D.
IdentityInfo
AADRiskyUsers
SentinelAudit
IdentityDirectoryEvents
Answer: A
QUESTION 213
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
192
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
193
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to meet the Microsoft Sentinel requirements for App1.
What should you configure for App1?
A.
B.
C.
D.
a trigger
a connector
authorization
an API connection
Answer: A
QUESTION 214
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
194
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
195
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to ensure that you can run hunting queries to meet the Microsoft Sentinel requirements.
Which type of workspace should you create?
A.
B.
C.
D.
Azure Synapse Analytics
Azure Machine Learning
Log Analytics
Azure Databricks
Answer: B
QUESTION 215
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
196
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
197
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
You need to identify which mean time metrics to use to meet the Microsoft Sentinel requirements.
Which workbook should you use?
A.
B.
C.
D.
Event Analyzer
Investigation Insights
Security Operations Efficiency
Analytics Efficiency
Answer: C
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics
QUESTION 216
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
198
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
199
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
Hotspot Question
You need to create a query to investigate DNS-related activity. The solution must meet the
Microsoft Sentinel requirements.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
200
Answer:
QUESTION 217
Case Study 3 - Litware Inc
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote
users located across the globe. The remote users access company resources, including cloud
resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com
that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses
Azure AD Connect with pass-through authentication enabled and password hash synchronization
disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory
Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and
enables log collectors.
Azure Environment
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
201
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains
100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022.
The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of
impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false
positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
- Microsoft Defender for Cloud
- Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
- Use the principle of least privilege, whenever possible.
- Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
- Ensure that impossible travel alert policies are based on the previous activities of each user.
- Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
- Ensure that the members of Group2 can modify security policies.
- Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the
Azure subscription level.
- Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers
to the existing and future resources of Account1.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
202
- Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
- Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced
Security Information Model (ASIM) unifying parsers.
- From AWS EC2 instances, collect Windows Security event log entries that include local group
membership changes.
- Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics
(UEBA).
- Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
- Ensure that App1 is available for use in Microsoft Sentinel automation rules.
- Identify the mean time to triage for incidents generated during the last 30 days.
- Identify the mean time to close incidents generated during the last 30 days.
- Ensure that the members of Group1 can create and run playbooks.
- Ensure that the members of Group1 can manage analytics rules.
- Run hunting queries on Pool1 by using Jupyter notebooks.
- Ensure that the members of Group2 can manage incidents.
- Maximize the performance of data queries.
- Minimize the amount of collected data.
Hotspot Question
You need to meet the Microsoft Sentinel requirements for collecting Windows Security event logs.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
203
Explanation:
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-agent
QUESTION 218
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that
syncs with Azure AD.
You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS
domain controllers.
How should you complete the KQL query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
204
Answer:
Explanation:
Box 1: IdentityLogonEvents
The final column requires "AccountUpn." Therefore, "IdentityInfo" would not be appropriate. Since
it's about sign-in attempts to ADDS domain controllers, "IdentityLogonEvents" would be the
suitable choice.
Box 2: union
We need to extract the latest 100 sign-in attempts from BOTH "Devices" AND "ADDS domain
controllers." Using "union" would be optimal.
QUESTION 219
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
205
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that
syncs with Azure AD.
You need to identify LDAP requests by AD DS users to enumerate AD DS objects.
How should you complete the KQL query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
Box 1: IdentityQueryEvents
When considering a table with AccountSid and it's about the LDAP request, it is
"IdentityQueryEvents."
Box 2: isnotempty
For determining whether there is a value in the AccountSid, it is "isnotempty."
QUESTION 220
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
206
You need to ensure that you can investigate threats by using data in the unified audit log of
Microsoft Defender for Cloud Apps.
What should you configure first?
A.
B.
C.
D.
the User enrichment settings
the Azure connector
the Office 365 connector
the Automatic log upload settings
Answer: C
Explanation:
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-office-365
QUESTION 221
Hotspot Question
You have a custom detection rule that includes the following KQL query.
For each of the following statements, select Yes if True. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
207
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detectionrules?view=o365-worldwide#4-specify-actions
QUESTION 222
You have an Azure subscription that uses Microsoft Defender for Servers Plan 1 and contains a
server named Server1.
You enable agentless scanning.
You need to prevent Server1 from being scanned. The solution must minimize administrative
effort.
What should you do?
A.
B.
C.
D.
Create an exclusion tag.
Upgrade the subscription to Defender for Servers Plan 2.
Create a governance rule.
Create an exclusion group.
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-agentless-scanningvms#exclude-machines-from-scanning
QUESTION 223
You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger
remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer
presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Settings, select Information Protection, select Azure Information Protection, and then select
Only scan files for Azure Information Protection classification labels and content inspection
warnings from this tenant.
B. From Cloud apps, select Files, and then filter File Type to Document.
C. From Settings, select Information Protection, select Files, and then enable file monitoring.
D. From Cloud apps, select Files, and then filter App to Office 365.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
208
E. From Cloud apps, select Files, and then select New policy from search.
F. From Settings, select Information Protection, select Azure Information Protection, and then select
Automatically scan new files for Azure Information Protection classification labels and content
inspection warnings.
Answer: BF
QUESTION 224
Hotspot Question
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that
syncs with Azure AD.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You need to identify all the interactive authentication attempts by the users in the finance
department of your company.
How should you complete the KQL query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
209
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-huntingidentitylogonevents-table?view=o365-worldwide
QUESTION 225
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to identify any devices that triggered a malware alert and collect evidence related to the
alert. The solution must ensure that you can use the results to initiate device isolation for the
affected devices.
What should you use in the Microsoft 365 Defender portal?
A.
B.
C.
D.
incidents
Remediation
Investigations
Advanced hunting
Answer: C
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide
QUESTION 226
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Purview and contains a user
named User1.
User1 shares a Microsoft Power BI report file from the Microsoft OneDrive folder of your company
to an external user by using Microsoft Teams.
You need to identify which Power BI report file was shared.
How should you configure the search? To answer, select the appropriate options in the answer
area.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
210
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
211
QUESTION 227
You have the resources shown in the following table.
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to enable Microsoft Defender for Servers on each resource.
Which resources will require the installation of the Azure Arc agent?
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
212
A.
B.
C.
D.
Server3 only
Server1 and Server4 only
Server1, Server2, and Server4 only
Server1, Server2, Server3, and Server4
Answer: C
Explanation:
Azure Arc agent is a software that enables you to manage your Windows and Linux machines
hosted outside of Azure on your corporate network or other cloud providers. It allows you to
project your existing non-Azure and/or on-premises resources into Azure Resource Manager
QUESTION 228
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have a GitHub account named Account1 that contains 10 repositories.
You need to ensure that Defender for Cloud can access the repositories in Account1.
What should you do first in the Microsoft Defender for Cloud portal?
A.
B.
C.
D.
Enable integrations.
Enable a plan.
Add an environment.
Enable security policies.
Answer: C
Explanation:
To add an environment, you need to sign in to the Azure portal, go to Microsoft Defender for
Cloud > Environment settings, select Add environment, and then select GitHub. You also need to
enter a name, select your subscription, resource group, and region.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github#connectyour-github-account
QUESTION 229
Hotspot Question
You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.
You have an Azure DevOps organization named AzDO1.
You need to integrate Sub1 and AzDO1. The solution must meet the following requirements:
- Detect secrets exposed in pipelines by using Defender for Cloud.
- Minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
213
Answer:
Explanation:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboarddevops?branch=main
https://learn.microsoft.com/en-us/azure/defender-for-cloud/azure-devops-extension
QUESTION 230
Hotspot Question
You have a Microsoft Sentinel workspace named sws1.
You need to create a query that will detect when a user creates an unusually large numbers of
Azure AD user accounts.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
214
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
215
QUESTION 231
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?
A.
B.
C.
D.
the incident automation settings
the query rule
entity mapping
the Alert automation settings
Answer: B
Explanation:
To create an NRT rule, you need to follow these steps:
From the Microsoft Sentinel navigation menu, select Analytics.
Select Create from the button bar, then NRT query rule (preview) from the drop-down list.
Follow the instructions of the analytics rule wizard.
QUESTION 232
You need to visualize Microsoft Sentinel data and enrich the data by using third-party data
sources to identify indicators of compromise (IoC).
What should you use?
A. notebooks in Microsoft Sentinel
B. Microsoft Defender for Cloud Apps
C. Azure Monitor
Answer: A
Explanation:
Notebooks are interactive tools that allow you to run Python code, query data, perform machine
learning, and create visualizations. Notebooks can help you hunt for threats, investigate incidents,
and perform data analysis using Microsoft Sentinel data and external data sources.
QUESTION 233
Drag and Drop Question
You have a Microsoft Sentinel workspace that contains an Azure AD data connector.
You need to associate a bookmark with an Azure AD-related incident.
What should you do? To answer, drag the appropriate blades to the correct tasks. Each blade
may be used once, more than once, or not at all. You may need to drag the split bar between
panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
216
Answer:
QUESTION 234
Hotspot Question
You have an Azure subscription that contains a guest user named User1 and a Microsoft Sentinel
workspace named workspace1.
You need to ensure that User1 can triage Microsoft Sentinel incidents in workspace1. The
solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
217
Answer:
QUESTION 235
Hotspot Question
You have an Azure subscription that uses Microsoft Sentinel and contains a user named User1.
You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for entity
behavior in Azure AD. The solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
218
Answer:
QUESTION 236
Hotspot Question
You have an Azure subscription that contains the following resources:
- A virtual machine named VM1 that runs Windows Server
- A Microsoft Sentinel workspace named Sentinel1 that has User and
Entity Behavior Analytics (UEBA) enabled
You have a scheduled query rule named Rule1 that tracks sign-in attempts to VM1.
You need to update Rule1 to detect when a user from outside the IT department of your company
signs in to VM1. The solution must meet the following requirements:
- Utilize UEBA results.
- Maximize query performance.
- Minimize the number of false positives.
How should you complete the rule definition- To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
219
Answer:
Explanation:
The BehaviorAnalytics table is where UEBA's output information is stored.
https://learn.microsoft.com/en-us/azure/sentinel/ueba-reference.
QUESTION 237
Drag and Drop Question
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
220
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that
syncs with an Azure AD tenant.
You have a Microsoft Sentinel workspace named Sentinel1.
You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel1 and collect security
events from the AD DS domain.
Which three actions should you perform in sequence? To answer, move the appropriate actions
from the list of actions to the answer area and arrange them in the correct order.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
221
Explanation:
For Sentinel1, configure the Microsoft defender for identity connector.
This will allow you to sync user entities from on-premises Active Directory, using Microsoft
Defender for Identity.
To the AD DS Domain, deploy Microsoft Defender for Identity.
You need to install the MDI sensor on your Active Directory domain controller to enable UEBA to
collect security events from your on-premises AD DS domain.
For Sentinel1, enable UEBA.
You need to switch the toggle to On and select the data sources on which you want to enable
UEBA.
QUESTION 238
You have a Microsoft Sentinel workspace.
You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs.
The following entities are detected in the Azure AD tenant:
-
App name: App1
IP address: 192.168.1.2
Computer name: Device1
Used client app: Microsoft Edge
Email address: user1@company.com
Sign-in URL: https://www.company.com
Which entities can be investigated by using UEBA?
A.
B.
C.
D.
IP address and email address only
app name, computer name, IP address, email address, and used client app only
IP address only
used client app and app name only
Answer: B
QUESTION 239
Hotspot Question
You have an Azure subscription that contains a Microsoft Sentinel workspace.
You need to create a hunting query using Kusto Query Language (KQL) that meets the following
requirements:
- Identifies an anomalous number of changes to the rules of a network
security group (NSG) made by the same security principal.
- Automatically associates the security principal with a Microsoft
Sentinel entity.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
222
Answer:
QUESTION 240
Hotspot Question
You have a Microsoft Sentinel workspace.
You need to configure a report visual for a custom workbook. The solution must meet the
following requirements:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
223
- The count and usage trend of AppDisplayName must be included.
- The TrendList column must be useable in a sparkline visual.
How should you complete the KQL query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
224
QUESTION 241
Drag and Drop Question
You have an Azure subscription that contains two users named User1 and User2 and a Microsoft
Sentinel workspace named workspace1.
You need to ensure that the users can perform the following tasks in workspace1:
- User1 must be able to dismiss incidents and assign incidents to
users.
- User2 must be able to modify analytics rules.
The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct
users. Each role may be used once, more than once, or not at all. You may need to drag the split
bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
225
Answer:
QUESTION 242
You have a Microsoft Sentinel workspace that uses the Microsoft 365 Defender data connector.
From Microsoft Sentinel, you investigate a Microsoft 365 incident.
You need to update the incident to include an alert generated by Microsoft Defender for Cloud
Apps.
What should you use?
A.
B.
C.
D.
the entity side panel of the Timeline card in Microsoft Sentinel
the Timeline tab on the incidents page of Microsoft Sentinel
the investigation graph on the incidents page of Microsoft Sentinel
the Alerts page in the Microsoft 365 Defender portal
Answer: D
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
226
Explanation:
Open the Microsoft 365 Defender portal and select Alerts.
Find the alert that you want to add to the incident and select it.
In the alert details page, select Add to existing incident.
In the Add alert to incident pane, select the incident that you want to update and then select Add.
This will add the alert to the incident in both Microsoft 365 Defender and Microsoft Sentinel
portals. Any changes you make to the incident in Microsoft 365 Defender will be synchronized to
the same incident in Microsoft Sentinel
QUESTION 243
You have a Microsoft Sentinel workspace.
You investigate an incident that has the following entities:
-
A user account named User1
An IP address of 192.168.10.200
An Azure virtual machine named VM1
An on-premises server named Server1
You need to label an entity as an indicator of compromise (IoC) directly by using the incidents
page.
Which entity can you label?
A.
B.
C.
D.
192.168.10.200
VM1
Server1
User1
Answer: A
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/add-entity-to-threat-intelligence?tabs=incidents
QUESTION 244
You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams.
You have a team named Team1 that has a project named Project1.
You need to identify any Project1 files that were stored on the team site of Team1 between
February 1, 2023, and February 10, 2023.
Which KQL query should you run?
A. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))
B. AuditLogs
| where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))
| where FileName contains "Project1"
C. Project1(c:c)(date=2023-02-01..2023-02-10)
D. AuditLogs
| where Timestamp > ago(10d)
| where FileName contains "Project1"
Answer: C
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
227
QUESTION 245
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents
tables. The solution must return all the rows in the tables.
Which operator should you use?
A.
B.
C.
D.
search *
union kind = inner
join kind = inner
evaluate hint.remote =
Answer: B
QUESTION 246
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.
You onboard the devices to Microsoft Defender 365.
You need to ensure that you can initiate remote shell connections to the onboarded devices from
the Microsoft 365 Defender portal.
What should you do first?
A. Modify the permissions for Microsoft 365 Defender.
B. Create a device group.
C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable
automated investigation.
D. Configure role-based access control (RBAC).
Answer: D
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/liveresponse?view=o365-worldwide
QUESTION 247
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a detection rule that meets the following requirements:
- Is triggered when a device that has critical software vulnerabilities
was active during the last hour
- Limits the number of duplicate results
How should you complete the KQL query? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
228
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
229
QUESTION 248
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Teams.
You need to perform a content search of Teams chats for a user by using the Microsoft Purview
compliance portal. The solution must minimize the scope of the search.
How should you configure the content search? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
230
Answer:
Explanation:
Categories are "The categories to search. Categories can be defined by users by using Outlook
or Outlook on the web... The possible values are red, blue, green, etc."
ItemClass: "Use this property to search specific third-party data types that your organization
imported to Office 365." We are not importing any third-party data types.
Kind: "The type of email message to search for. Possible values: contacts, microsoftteams,
meetings, etc."
https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions
QUESTION 249
You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are
onboarded to Microsoft Defender 365.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
231
You need to initiate the collection of investigation packages from the devices by using the
Microsoft 365 Defender portal.
Which response action should you use?
A.
B.
C.
D.
Run antivirus scan
Initiate Automated Investigation
Collect investigation package
Initiate Live Response Session
Answer: D
Explanation:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machinealerts?view=o365-worldwide#initiate-live-response-session
QUESTION 250
You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger
remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer
presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Settings, select Cloud App, select Microsoft Information Protection, and then select Only
scan files for Microsoft Information Protection sensitivity labels and content inspection warnings
from this tenant.
B. From Cloud apps, select Files, and then filter File Type to Document.
C. From Settings, select Cloud App, select Microsoft Information Protection, select Files, and then
enable file monitoring.
D. From Cloud apps, select Files, and then filter App to Office 365.
E. From Cloud apps, select Files, and then select New policy from search.
F. From Settings, select Cloud App, select Microsoft Information Protection, and then select
Automatically scan new files for Microsoft Information Protection sensitivity labels and content
inspection warnings.
Answer: CF
QUESTION 251
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA)
enabled for Signin Logs.
You need to ensure that failed interactive sign-ins are detected. The solution must minimize
administrative effort.
What should you use?
A.
B.
C.
D.
a scheduled alert query
the Activity Log data connector
a UEBA activity template
a hunting query
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
232
Answer: C
QUESTION 252
Hotspot Question
You have an Azure subscription that is linked to a hybrid Azure AD tenant and contains a
Microsoft Sentinel workspace named Sentinel1.
You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel and configure UEBA
to use data collected from Active Directory Domain Services (AD DS).
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Explanation:
To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to
Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
233
must have the MDI sensor installed on your Active Directory domain controller.
https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics
QUESTION 253
Hotspot Question
You have a Microsoft Sentinel workspace that contains a custom workbook.
You need to query the number of daily security alerts. The solution must meet the following
requirements:
- Identify alerts that occurred during the last 30 days.
- Display the results in a timechart.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
QUESTION 254
Hotspot Question
You have four Azure subscriptions. One of the subscriptions contains a Microsoft Sentinel
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
234
workspace.
You need to deploy Microsoft Sentinel data connectors to collect data from the subscriptions by
using Azure Policy. The solution must ensure that the policy will apply to new and existing
resources in the subscriptions.
Which type of connectors should you provision, and what should you use to ensure that all the
resources are monitored? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
235
QUESTION 255
You have 50 Microsoft Sentinel workspaces.
You need to view all the incidents from all the workspaces on a single page in the Azure portal.
The solution must minimize administrative effort.
Which page should you use in the Azure portal?
A.
B.
C.
D.
Microsoft Sentinel - Incidents
Microsoft Sentinel - Workbooks
Microsoft Sentinel
Log Analytics workspaces
Answer: A
Explanation:
When you open Microsoft Sentinel, you are presented with a list of all the workspaces to which
you have access rights, across all selected tenants and subscriptions. To the left of each
workspace name is a checkbox. Selecting the name of a single workspace will bring you into that
workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then
select the View incidents button at the top of the page.
https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view
QUESTION 256
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
236
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
237
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
You need to implement the scheduled rule for incident generation based on rulequery1.
What should you configure first?
A.
B.
C.
D.
custom details
entity mapping
event grouping
alert details
Answer: B
QUESTION 257
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
238
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
239
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
You need to ensure that the processing of incidents generated by rulequery1 meets the Microsoft
Sentinel requirements.
What should you create first?
A.
B.
C.
D.
a playbook with an incident trigger
a playbook with an alert trigger
an Azure Automation rule
a playbook with an entity trigger
Answer: A
QUESTION 258
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
240
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
241
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
Hotspot Question
You need to monitor the password resets. The solution must meet the Microsoft Sentinel
requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
242
QUESTION 259
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
243
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
244
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
Hotspot Question
You need to implement the ASIM query for DNS requests. The solution must meet the Microsoft
Sentinel requirements.
How should you configure the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
245
Explanation:
https://learn.microsoft.com/en-us/azure/sentinel/normalization-about-parsers
QUESTION 260
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
246
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
247
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
You need to configure event monitoring for Server1. The solution must meet the Microsoft
Sentinel requirements.
What should you create first?
A.
B.
C.
D.
a Microsoft Sentinel automation rule
an Azure Event Grid topic
a Microsoft Sentinel scheduled query rule
a Data Collection Rule (DCR)
Answer: D
QUESTION 261
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
248
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
249
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
Hotspot Question
You need to implement the Microsoft Sentinel NRT rule for monitoring the designated break glass
account. The solution must meet the Microsoft Sentinel requirements.
How should you complete the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Answer:
QUESTION 262
Case Study 4 - Litware Inc
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
250
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
251
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
You need to ensure that the Group1 members can meet the Microsoft Sentinel requirements.
Which role should you assign to Group1?
A.
B.
C.
D.
Microsoft Sentinel Playbook Operator
Logic App Contributor
Automation Operator
Microsoft Sentinel Automation Contributor
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
252
Answer: B
QUESTION 263
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
253
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
You need to ensure that the configuration of HuntingQuery1 meets the Microsoft Sentinel
requirements.
What should you do?
A. Add HuntingQuery1 to a livestream.
B. Create a watchlist.
C. Create an Azure Automation rule.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
254
D. Add HuntingQuery1 to favorites.
Answer: D
QUESTION 264
Case Study 4 - Litware Inc
Overview
Adatum Corporation is a United States-based financial services company that has regional offices
in New York, Chicago, and San Francisco.
Existing Environment
Identity Environment
The on-premises network contains an Active Directory Domain Services (AD DS) forest named
corp.adatum.com that syncs with an Azure AD tenant named adatum.com. All user and group
management tasks are performed in corp.adatum.com. The corp.adatum.com domain contains a
group named Group1 that syncs with adatum.com.
Licensing Status
All the users at Adatum are assigned a Microsoft 365 ES license and an Azure Active Directory
Premium P2 license.
Cloud Environment
The cloud environment contains a Microsoft 365 subscription, an Azure subscription linked to the
adatum.com tenant, and the resources shown in the following table.
On-premises Environment
The on-premises network contains the resources shown in the following table.
Requirements
Planned changes
Adatum plans to perform the following changes:
- Implement a query named rulequery1 that will include the following KQL query.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
255
- Implement a Microsoft Sentinel scheduled rule that generates incidents based on rulequery1.
Microsoft Defender for Cloud Requirements
Adatum identifies the following Microsoft Defender for Cloud requirements:
- The members of Group1 must be able to enable Defender for Cloud plans and apply regulatory
compliance initiatives.
- Microsoft Defender for Servers Plan 2 must be enabled on all the Azure virtual machines.
- Server2 must be excluded from agentless scanning.
Microsoft Sentinel Requirements
Adatum identifies the following Microsoft Sentinel requirements:
- Implement an Advanced Security Information Model (ASIM) query that will return a count of
DNS requests that results in an NXDOMAIN response from Infoblox1.
- Ensure that multiple alerts generated by rulequery1 in response to a single user launching
Azure Cloud Shell multiple times are consolidated as a single incident.
- Implement the Windows Security Events via AMA connector for Microsoft Sentinel and configure
it to monitor the Security event log of Server1.
- Ensure that incidents generated by rulequery1 are closed automatically if Azure Cloud Shell is
launched by the company’s SecOps team.
- Implement a custom Microsoft Sentinel workbook named Workbook1 that will include a query to
dynamically retrieve data from Webapp1.
- Implement a Microsoft Sentinel near-real-time (NRT) analytics rule that detects sign-ins to a
designated break glass account.
- Ensure that HuntingQuery1 runs automatically when the Hunting page of Microsoft Sentinel in
the Azure portal is accessed.
- Ensure that higher than normal volumes of password resets for corp.adatum.com user accounts
are detected.
- Minimize the overhead associated with queries that use ASIM parsers.
- Ensure that the Group1 members can create and edit playbooks.
- Use built-in ASIM parsers whenever possible.
Business Requirements
Adatum identifies the following business requirements:
- Follow the principle of least privilege whenever possible.
- Minimize administrative effort whenever possible.
Hotspot Question
You need to implement the query for Workbook1 and Webapp1. The solution must meet the
Microsoft Sentinel requirements.
How should you configure the query? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
256
Answer:
Get Latest & Actual SC-200 Exam's Question and Answers from Passleader.
https://www.passleader.com
257
Related documents
Getting Started - Microsoft Azure Platform Academic 150 day Pass.ppt
Getting Started - Microsoft Azure Platform Academic 150 day Pass.ppt
Microsoft Dynamics AX Roadmap - The Partner Connections Event
Microsoft Dynamics AX Roadmap - The Partner Connections Event
Credible SC-200 practice Test questions
Credible SC-200 practice Test questions
Ericsson Baseband Description
Ericsson Baseband Description
LAB1
LAB1
MS900+-+Whats+in+a+M365+Subscription
MS900+-+Whats+in+a+M365+Subscription
Windows Azure Active Directory Overview
Windows Azure Active Directory Overview
Download
advertisement