Microsoft SC-200 Exam Actual Questions
You have an Azure Sentinel workspace. You need to test a playbook manually in the Azure portal. From where can you run the test in Azure Sentinel? A. Playbooks B. Analytics C. Threat intelligence D. Incidents
A. Playbooks B. Analytics C. Threat intelligence D. Incidents
You have a playbook in Azure Sentinel. When you trigger the playbook, it sends an email to a distribution group. You need to modify the playbook to send the email to the owner of the resource instead of the distribution group. What should you do? A. Add a parameter and modify the trigger. B. Add a custom data connector and modify the trigger. C. Add a condition and modify the action. D. Add a parameter and modify the action.
A. Add a parameter and modify the trigger. B. Add a custom data connector and modify the trigger. C. Add a condition and modify the action. D. Add a parameter and modify the action.
Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant. Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription. You deploy Azure Sentinel to a new Azure subscription. You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions. Which two actions should you perform? A. Add the Security Events connector to the Azure Sentinel workspace. B. Create a query that uses the workspace expression and the union operator. C. Use the alias statement. D. Create a query that uses the resource expression and the alias operator. E. Add the Azure Sentinel solution to each workspace.
A. Add the Security Events connector to the Azure Sentinel workspace. B. Create a query that uses the workspace expression and the union operator. C. Use the alias statement. D. Create a query that uses the resource expression and the alias operator. E. Add the Azure Sentinel solution to each workspace.
You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually. You deploy Azure Sentinel. You need to use the existing logic app as a playbook in Azure Sentinel. What should you do first? A. And a new scheduled query rule. B. Add a data connector to Azure Sentinel. C. Configure a custom Threat Intelligence connector in Azure Sentinel. D. Modify the trigger in the logic app.
A. And a new scheduled query rule. B. Add a data connector to Azure Sentinel. C. Configure a custom Threat Intelligence connector in Azure Sentinel. D. Modify the trigger in the logic app.
You are investigating a potential attack that deploys a new ransomware strain. You have three custom device groups. The groups contain devices that store highly sensitive information. You plan to perform automated actions on all devices.You need to be able to temporarily group the machines to perform actions on the devices. Which three actions should you perform? Each correct answer presents part of the solution. A. Assign a tag to the device group. B. Add the device users to the admin role. C. Add a tag to the machines. D. Create a new device group that has a rank of 1. E. Create a new admin role. F. Create a new device group that has a rank of 4.
A. Assign a tag to the device group. B. Add the device users to the admin role. C. Add a tag to the machines. D. Create a new device group that has a rank of 1. E. Create a new admin role. F. Create a new device group that has a rank of 4.
You have an Azure subscription that has Azure Defender enabled for all supported resource types. You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution. To which service should you export the alerts? A. Azure Cosmos DB B. Azure Event Grid C. Azure Event Hubs D. Azure Data Lake
A. Azure Cosmos DB B. Azure Event Grid C. Azure Event Hubs D. Azure Data Lake
You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server. You are troubleshooting an issue on the virtual machines. In Security Center, you need to view the alerts generated by the virtual machines during the last five days. What should you do? A. Change the rule expiration date of the suppression rule. B. Change the state of the suppression rule to Disabled. C. Modify the filter for the Security alerts page. D. View the Windows event logs on the virtual machines.
A. Change the rule expiration date of the suppression rule. B. Change the state of the suppression rule to Disabled. C. Modify the filter for the Security alerts page. D. View the Windows event logs on the virtual machines.
You have the following advanced hunting query in Microsoft 365 Defender. You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours. Which two actions should you perform? Each correct answer presents part of the solution. A. Create a detection rule. B. Create a suppression rule. C. Add | order by Timestamp to the query. D. Replace DeviceProcessEvents with DeviceNetworkEvents. E. Add DeviceId and ReportId to the output of the query.
A. Create a detection rule. B. Create a suppression rule. C. Add | order by Timestamp to the query. D. Replace DeviceProcessEvents with DeviceNetworkEvents. E. Add DeviceId and ReportId to the output of the query.
You implement Safe Attachments policies in Microsoft Defender for Office 365. Users report that email messages containing attachments take longer than expected to be received. You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked. What should you configure in the Safe Attachments policies? A. Dynamic Delivery B. Replace C. Block and Enable redirect D. Monitor and Enable redirect
A. Dynamic Delivery B. Replace C. Block and Enable redirect D. Monitor and Enable redirect
You use Azure Defender. You have an Azure Storage account that contains sensitive information. You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From Azure Security Center, enable workflow automation. B. Create an Azure logic app that has a manual trigger. C. Create an Azure logic app that has an Azure Security Center alert trigger. D. Create an Azure logic app that has an HTTP trigger. E. From Azure Active Directory (Azure AD), add an app registration.
A. From Azure Security Center, enable workflow automation. B. Create an Azure logic app that has a manual trigger. C. Create an Azure logic app that has an Azure Security Center alert trigger. D. Create an Azure logic app that has an HTTP trigger. E. From Azure Active Directory (Azure AD), add an app registration.
You create an Azure subscription named sub1. In sub1, you create a Log Analytics workspace named workspace1. You enable Azure Security Center and configure Security Center to use workspace1. You need to collect security event logs from the Azure virtual machines that report to workspace1. What should you do? A. From Security Center, enable data collection B. In sub1, register a provider. C. From Security Center, create a Workflow automation. D. In workspace1, create a workbook.
A. From Security Center, enable data collection B. In sub1, register a provider. C. From Security Center, create a Workflow automation. D. In workspace1, create a workbook.
You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. What should you do? A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section. B. From Security alerts, select Take Action, and then expand the Mitigate the threat section. C. From Regulatory compliance, download the report. D. From Recommendations, download the CSV report.
A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section. B. From Security alerts, select Take Action, and then expand the Mitigate the threat section. C. From Regulatory compliance, download the report. D. From Recommendations, download the CSV report.
You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files. Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution. A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant. B. Select Investigate files, and then filter App to Office 365. C. Select Investigate files, and then select New policy from search. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring. F. Select Investigate files, and then filter File Type to Document.
A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant. B. Select Investigate files, and then filter App to Office 365. C. Select Investigate files, and then select New policy from search. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring. F. Select Investigate files, and then filter File Type to Document.
You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in. Which anomaly detection policy should you use? A. Impossible travel B. Activity from anonymous IP addresses C. Activity from infrequent country D. Malware detection
A. Impossible travel B. Activity from anonymous IP addresses C. Activity from infrequent country D. Malware detection
You create an Azure subscription. You enable Azure Defender for the subscription. You need to use Azure Defender to protect on-premises computers. What should you do on the on-premises computers? A. Install the Log Analytics agent. B. Install the Dependency agent. C. Configure the Hybrid Runbook Worker role. D. Install the Connected Machine agent.
A. Install the Log Analytics agent. B. Install the Dependency agent. C. Configure the Hybrid Runbook Worker role. D. Install the Connected Machine agent.
You are responsible for responding to Azure Defender for Key Vault alerts. During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node. What should you configure to mitigate the threat? A. Key Vault firewalls and virtual networks B. Azure Active Directory (Azure AD) permissions C. role-based access control (RBAC) for the key vault D. the access policy settings of the key vault
A. Key Vault firewalls and virtual networks B. Azure Active Directory (Azure AD) permissions C. role-based access control (RBAC) for the key vault D. the access policy settings of the key vault
You receive an alert from Azure Defender for Key Vault. You discover that the alert is generated from multiple suspicious IP addresses. You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users. What should you do first? A. Modify the access control settings for the key vault. B. Enable the Key Vault firewall. C. Create an application security group. D. Modify the access policy for the key vault.
A. Modify the access control settings for the key vault. B. Enable the Key Vault firewall. C. Create an application security group. D. Modify the access policy for the key vault.
You are configuring Microsoft Cloud App Security. You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices. You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You determine that 99% of the alerts are legitimate sign-ins from your corporate offices. You need to prevent alerts for legitimate sign-ins from known locations. Which two actions should you perform? Each correct answer presents part of the solution. A. Override automatic data enrichment. B. Add the IP addresses to the corporate address range category. C. Increase the sensitivity level of the impossible travel anomaly detection policy. D. Add the IP addresses to the other address range category and add a tag. E. Create an activity policy that has an exclusion for the IP addresses.
A. Override automatic data enrichment. B. Add the IP addresses to the corporate address range category. C. Increase the sensitivity level of the impossible travel anomaly detection policy. D. Add the IP addresses to the other address range category and add a tag. E. Create an activity policy that has an exclusion for the IP addresses.
Your company uses Microsoft Defender for Endpoint. The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team. You need to hide false positive in the Alerts queue, while maintaining the existing security posture. Which three actions should you perform? Each correct answer presents part of the solution. A. Resolve the alert automatically. B. Hide the alert. C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert.
A. Resolve the alert automatically. B. Hide the alert. C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert. B -> C -> E
Your company uses Azure Security Center and Azure Defender. The security operations team at the company informs you that it does NOT receive email notifications for security alerts. What should you configure in Security Center to enable the email notifications? A. Security solutions B. Security policy C. Pricing & settings D. Security alerts E. Azure Defender
A. Security solutions B. Security policy C. Pricing & settings D. Security alerts E. Azure Defender
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365. You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters. You need to create a data loss prevention (DLP) policy to protect the sensitive documents. What should you use to detect which documents are sensitive? A. SharePoint search B. a hunting query in Microsoft 365 Defender C. Azure Information Protection D. RegEx pattern matching
A. SharePoint search B. a hunting query in Microsoft 365 Defender C. Azure Information Protection D. RegEx pattern matching
You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Azure AD Identity Protection, you configure the sign-in risk policy. Does this meet the goal?
A. Yes B. No
You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Entity tags, you add the accounts as Honeytoken accounts. Does this meet the goal?
A. Yes B. No
You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group. Does this meet the goal?
A. Yes B. No
You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: You add each account as a Sensitive account. Does this meet the goal?
A. Yes B. No
You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Regulatory compliance, you download the report. Does this meet the goal?
A. Yes B. No
You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section. Does this meet the goal?
A. Yes B. No
You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section. Does this meet the goal?
A. Yes B. No You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.
You receive a security bulletin about a potential attack that uses an image file. You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack. Which indicator type should you use? A. a URL/domain indicator that has Action set to Alert only B. a URL/domain indicator that has Action set to Alert and block C. a file hash indicator that has Action set to Alert and block D. a certificate indicator that has Action set to Alert and block
A. a URL/domain indicator that has Action set to Alert only B. a URL/domain indicator that has Action set to Alert and block C. a file hash indicator that has Action set to Alert and block D. a certificate indicator that has Action set to Alert and block
Your company has a single office in Istanbul and a Microsoft 365 subscription. The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You need to enforce MFA for all users who work remotely. What should you include in the solution? A. a fraud alert B. a user risk policy C. a named location D. a sign-in user policy
A. a fraud alert B. a user risk policy C. a named location D. a sign-in user policy
You have an Azure subscription that contains a Log Analytics workspace. You need to enable just-in-time (JIT) VM access and network detections for Azure resources. Where should you enable Azure Defender? A. at the subscription level B. at the workspace level C. at the resource level
A. at the subscription level B. at the workspace level C. at the resource level
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices. A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents. You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning. What should you include in the recommendation? A. built-in queries B. livestream C. notebooks D. bookmarks
A. built-in queries B. livestream C. notebooks D. bookmarks
You provision a Linux virtual machine in a new Azure subscription.You enable Azure Defender and onboard the virtual machine to Azure Defender. You need to verify that an attack on the virtual machine triggers an alert in Azure Defender. Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution. A. cp /bin/echo ./asc_alerttest_662jfi039n B. ./alerttest testing eicar pipe C. cp /bin/echo ./alerttest D. ./asc_alerttest_662jfi039n testing eicar pipe
A. cp /bin/echo ./asc_alerttest_662jfi039n B. ./alerttest testing eicar pipe C. cp /bin/echo ./alerttest D. ./asc_alerttest_662jfi039n testing eicar pipe
Your company deploys the following services: ✑ Microsoft Defender for Identity ✑ Microsoft Defender for Endpoint ✑ Microsoft Defender for Office 365 You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege. Which two roles should assign to the analyst? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point. A. the Compliance Data Administrator in Azure Active Directory (Azure AD) B. the Active remediation actions role in Microsoft Defender for Endpoint C. the Security Administrator role in Azure Active Directory (Azure AD) D. the Security Reader role in Azure Active Directory (Azure AD)
A. the Compliance Data Administrator in Azure Active Directory (Azure AD) B. the Active remediation actions role in Microsoft Defender for Endpoint C. the Security Administrator role in Azure Active Directory (Azure AD) D. the Security Reader role in Azure Active Directory (Azure AD)
You have a Microsoft 365 subscription that uses Azure Defender. You have 100 virtual machines in a resource group named RG1. You assign the Security Admin roles to a new user named SecAdmin1. You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege. Which role should you assign to SecAdmin1? A. the Security Reader role for the subscription B. the Contributor for the subscription C. the Contributor role for RG1 D. the Owner role for RG1
A. the Security Reader role for the subscription B. the Contributor for the subscription C. the Contributor role for RG1 D. the Owner role for RG1
A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks. The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center. You need to ensure that the security administrator receives email alerts for all the activities. What should you configure in the Security Center settings? A. the severity level of email notifications B. a cloud connector C. the Azure Defender plans D. the integration settings for Threat detection
A. the severity level of email notifications B. a cloud connector C. the Azure Defender plans D. the integration settings for Threat detection
You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector. While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query.By which two components can you group alerts into incidents?
A. user B. resource group C. IP address D. computer