Microsoft Role-based SC-200 Questions & Answers

• Question 1:

  A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

  The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center.

  You need to ensure that the security administrator receives email alerts for all the activities.

  What should you configure in the Security Center settings?

  A. the severity level of email notifications

  B. a cloud connector

  C. the Azure Defender plans

  D. the integration settings for Threat detection

  Correct Answer: A

  Reference: https://techcommunity.microsoft.com/t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518

• Question 2:

  You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

  You plan to create a hunting query from Microsoft Defender.

  You need to create a custom tracked query that will be used to assess the threat status of the subscription.

  From the Microsoft 365 Defender portal, which page should you use to create the query?

  A. Threat analytics

  B. Advanced Hunting

  C. Explorer

  D. Policies and rules

  Correct Answer: B

  Advanced hunting is based on the Kusto query language. You can use Kusto operators and statements to construct queries that locate information in a specialized schema.

  Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Note: Create a custom detection rule

  1.

  Prepare the query.

  In the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.

  2.

  Create new rule and provide alert details.

  With the query in the query editor, select Create detection rule and specify the following alert details

  3.

  Choose the impacted entities.

  Identify the columns in your query results where you expect to find the main affected or impacted entity.

  4.

  Specify actions.

  Your custom detection rule can automatically take actions on devices, files, or users that are returned by the query.

  Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language

  https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules

• Question 3:

  HOTSPOT

  You have a Microsoft Sentinel workspace named sws1.

  You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in sws1.

  You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:

  1.

  Minimize administrative effort.

  2.

  Use the principle of least privilege.

  How should you configure the credentials? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: A managed identity Managed Identity for Azure Sentinel Logic Apps connector With the availability of Managed Identity for the Azure Sentinel connector, you can give permissions directly to the playbook (Logic App workflow resource), so Sentinel connector actions will operate on its behalf, as if it were an independent object which has permissions on Azure Sentinel. This lowers the number of identities you have to manage and gives the power to give access directly to the resource that operates.

  Incorrect:

  The service principal connection type allows us to create a registered application and use it as the identity behind the connector. You can define what this app can do, who can access it and what resources can this app access. It's easy to delete it or replace its credentials if it's suspected to have been compromised. For these reasons it's great from a security perspective, but it still requires managing as another identity in the cloud that has credentials and permissions which potentially others can use.

  Many would prefer not to authenticate with a user to a tool that generates automated actions. It is harder to audit (for example, using the incident table) which actions have been taken on behalf of a user and which are made by the playbook. It also makes less sense to see, for example, new comments that were generated by a playbook, but appear as if a user is their author. Also, if a user leaves the organization, you need to update all the connections that use its identity.

  Box 2: Azure Sentinel Responder role

  Reference: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-managed-identity-for-azure-sentinel-logic-apps/ba-p/2068204

• Question 4:

  HOTSPOT

  You have a Microsoft Sentinel workspace named SW1.

  You plan to create a custom workbook that will include a time chart.

  You need to create a query that will identify the number of security alerts per day for each provider.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: bin

  bin() rounds values down to an integer multiple of a given bin size.

  Used frequently in combination with summarize by .... If you have a scattered set of values, they'll be grouped into a smaller set of specific values.

  Null values, a null bin size, or a negative bin size will result in null.

  Alias to floor() function.

  Syntax

  bin(value,roundTo)

  The following expression calculates a histogram of durations, with a bucket size of 1 second:

  Kusto

  T | summarize Hits=count() by bin(Duration, 1s)

  Box 2: render

  render operator instructs the user agent to render the results of the query in a particular way.

  Syntax

  T | render Visualization [with ( PropertyName = PropertyValue [, ...] )]

  Arguments

  Visualization indicates the kind of visualization to use. The supported values are timechart for example.

  Reference: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/renderoperator?pivots=azuredataexplorer

• Question 5:

  You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.

  You need to identify the impacted entities in an aggregated alert.

  What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?

  A. the Events tab of the alert

  B. the Sensitive Info Types tab of the alert

  C. Management log

  D. the Details tab of the alert

  Correct Answer: C

  Advanced DLP alert options are configured in the existing DLP policy authoring workflow. These provide eligible DLP customers with the ability to tailor how they organize and display DLP policy enforcement event alerts with the information they need to investigate and address DLP policy violations quickly. Historical workflow information for alerts is available in the Management log

  Note: Advanced alert configuration options: These options are part of the DLP policy authoring flow. Use them to create rich alert configurations. You can create a single-event alert or an aggregated alert, based on the number of events or the size of the leaked data.

  Incorrect:

  *

  the Events tab of the alert

  Select the Events tab to view all of the events associated with the alert. You can choose a particular event to view its details.

  *

  . the Sensitive Info Types tab of the alert

  Select the Sensitive Info Types tab to view details about the sensitive information types detected in the content. Details include confidence and count.

  *

  the Details tab of the alert

  

  Reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-microsoft-endpoint-dlp-general-availability/ba-p/1814010 https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alerts-policies

• Question 6:

  You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

  You need to identify all the entities affected by an incident.

  Which tab should you use in the Microsoft 365 Defender portal?

  A. Investigations

  B. Devices

  C. Evidence and Response

  D. Alerts

  Correct Answer: C

  The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.

  Incorrect:

  *

  The Investigations tab lists all the automated investigations triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your

  automated investigations to run in Defender for Endpoint and Defender for Office 365.

  *

  Devices

  The Devices tab lists all the devices related to the incident.

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents

• Question 7:

  You have a Microsoft Sentinel workspace.

  You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must minimize administrative effort.

  Which rule type should you query?

  A. Fusion

  B. Microsoft Security

  C. ML Behavior Analytics

  D. Scheduled

  Correct Answer: A

  Fusion rules in Microsoft Sentinel are rules that are used to detect advanced multistage attacks by combining alerts and activities from different sources. Fusion rules can be used to identify attacks that may not be detectable by a single alert or activity, making them particularly useful for detecting complex attacks that involve multiple stages.

• Question 8:

  You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named User1.

  You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.

  Which role should you assign to User1?

  A. User Access Administrator

  B. Owner

  C. Contributor

  D. Reader

  Correct Answer: B

• Question 9:

  You have an Azure subscription that uses Microsoft Sentinel.

  You detect a new threat by using a hunting query.

  You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must minimize administrative effort.

  What should you do?

  A. Create a playbook.

  B. Create a watchlist.

  C. Create an analytics rule.

  D. Add the query to a workbook.

  Correct Answer: C

  By creating an analytics rule, you can set up a query that will automatically run and alert you when the threat is detected, without having to manually run the query. This will help minimize administrative effort, as you can set up the rule once

  and it will run on a schedule, alerting you when the threat is detected.

  Reference:

  https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-rule

• Question 10:

  You have a Microsoft Sentinel workspace.

  You have a query named Query1 as shown in the following exhibit.

  

  You plan to create a custom parser named Parser 1. You need to use Query1 in Parser1.

  What should you do first?

  A. Remove line 2.

  B. In line 4. remove the TimeGenerated predicate.

  C. Remove line 5.

  D. In line 3, replace the 'contains operator with the !has operator.

  Correct Answer: A

  Parsers should not filter by time, as the query using the parser already filters for time.

  Filtering in KQL is done using the where operator.

  Note: Unifying parsers

  When using ASIM in your queries, use unifying parsers to combine all sources, normalized to the same schema, and query them using normalized fields. The unifying parser name is _Im_ for built-in parsers and im for

  workspace deployed parsers, where stands for the specific schema it serves.

  For example, the following query uses the built-in unifying DNS parser to query DNS events using the ResponseCodeName, SrcIpAddr, and TimeGenerated normalized fields:

  Kusto

  _Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN')

  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m) The example uses filtering parameters, which improve ASIM performance. The same example without filtering parameters would look like this:

  Kusto

  _Im_Dns

  | where TimeGenerated > ago(1d)

  | where ResponseCodeName =~ "NXDOMAIN"

  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

  Incorrect:

  Not D: Select fields in the result set

  The parser can optionally select fields in the results set. Removing unneeded fields can improve performance and add clarity by avoiding confusing between normalized fields and remaining source fields.

  The following KQL operators are used to select fields in your results set:

  *

  project - Selects fields that existed before, or were created as part of the statement, and removes all other fields.

  Not recommended for use in a parser, as the parser should not remove any other fields that are not normalized.

  *

  project-away - Removes fields.

  Use project-away for specific fields that you want to remove from the result set. We recommend not removing the original fields that are not normalized from the result set, unless they create confusion or are very large and may have

  performance implications.

  If you need to remove specific fields, such as temporary values used during parsing, use project-away to remove them from the results.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers https://docs.microsoft.com/en-us/azure/sentinel/normalization-about-parsers