Microsoft Microsoft Certifications SC-200 Questions & Answers

• Question 101:

  You recently deployed Azure Sentinel.

  You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled.

  You need to ensure that the Fusion rule can generate alerts.

  What should you do?

  A. Disable, and then enable the rule.

  B. Add data connectors

  C. Create a new machine learning analytics rule.

  D. Add a hunting bookmark.

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

• Question 102:

  A company uses Azure Sentinel.

  You need to create an automated threat response.

  What should you use?

  A. a data connector

  B. a playbook

  C. a workbook

  D. a Microsoft incident creation rule

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

• Question 103:

  You have an Azure Sentinel deployment in the East US Azure region.

  You create a Log Analytics workspace named LogsWest in the West US Azure region.

  You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest.

  What should you do first?

  A. Deploy Azure Data Catalog to the West US Azure region.

  B. Modify the workspace settings of the existing Azure Sentinel deployment.

  C. Add Azure Sentinel to a workspace.

  D. Create a data connector in Azure Sentinel.

  Correct Answer: C

  Cross-workspace queries can now be included in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across tenants (using Azure Lighthouse) as in the case of an MSSP, subject to the following limitations:

  1.

  Up to 20 workspaces can be included in a single query.

  2.

  Azure Sentinel must be deployed on every workspace referenced in the query.

  3.

  Alerts generated by a cross-workspace analytics rule, and the incidents created from them, exist only in the workspace where the rule was defined. They will not be displayed in any of the other workspaces referenced in the query.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-workspace-workbooks

• Question 104:

  You create a custom analytics rule to detect threats in Azure Sentinel.

  You discover that the rule fails intermittently.

  What are two possible causes of the failures? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. The rule query takes too long to run and times out.

  B. The target workspace was deleted.

  C. Permissions to the data sources of the rule query were modified.

  D. There are connectivity issues between the data sources and Log Analytics

  Correct Answer: AD

  Incorrect Answers:

  B: This would cause it to fail every time, not just intermittently.

  C: This would cause it to fail every time, not just intermittently.

• Question 105:

  Your company uses Azure Sentinel.

  A new security analyst reports that she cannot assign and dismiss incidents in Azure Sentinel.

  You need to resolve the issue for the analyst. The solution must use the principle of least privilege.

  Which role should you assign to the analyst?

  A. Azure Sentinel Responder

  B. Logic App Contributor

  C. Azure Sentinel Contributor

  D. Azure Sentinel Reader

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/roles

• Question 106:

  You have an Azure Sentinel workspace.

  You need to test a playbook manually in the Azure portal.

  From where can you run the test in Azure Sentinel?

  A. Playbooks

  B. Analytics

  C. Threat intelligence

  D. Incidents

  Correct Answer: D

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-a-playbook-on-demand

• Question 107:

  You have a custom analytics rule to detect threats in Azure Sentinel.

  You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.

  What is a possible cause of the issue?

  A. There are connectivity issues between the data sources and Log Analytics.

  B. The number of alerts exceeded 10,000 within two minutes.

  C. The rule query takes too long to run and times out.

  D. Permissions to one of the data sources of the rule query were modified.

  Correct Answer: D

  Permanent failure - rule auto-disable due to the following reasons

  The target workspace (on which the rule query operated) has been deleted.

  The target table (on which the rule query operated) has been deleted.

  Microsoft Sentinel had been removed from the target workspace.

  A function used by the rule query is no longer valid; it has been either modified or removed.

  Permissions to one of the data sources of the rule query were changed.

  One of the data sources of the rule query was deleted or disconnected.

  Reference:

  https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom

• Question 108:

  Your company stores the data for every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.

  Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription.

  You deploy Azure Sentinel to a new Azure subscription.

  You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Add the Security Events connector to the Azure Sentinel workspace.

  B. Create a query that uses the workspace expression and the union operator.

  C. Use the alias statement.

  D. Create a query that uses the resource expression and the alias operator.

  E. Add the Azure Sentinel solution to each workspace.

  Correct Answer: BE

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

• Question 109:

  You have a playbook in Azure Sentinel.

  When you trigger the playbook, it sends an email to a distribution group.

  You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.

  What should you do?

  A. Add a parameter and modify the trigger.

  B. Add a custom data connector and modify the trigger.

  C. Add a condition and modify the action.

  D. Add a parameter and modify the action.

  Correct Answer: D

  Reference: https://azsec.azurewebsites.net/2020/01/19/notify-azure-sentinel-alert-to-your-email-automatically/

• Question 110:

  You provision Azure Sentinel for a new Azure subscription.

  You are configuring the Security Events connector.

  While creating a new rule from a template in the connector, you decide to generate a new alert for every event.

  You create the following rule query.

  

  By which two components can you group alerts into incidents? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point.

  A. user

  B. resource group

  C. IP address

  D. computer

  Correct Answer: AD

  To group alerts into incidents in Azure Sentinel, you can use any combination of the available grouping fields. In this case, since the rule query does not include information on resource groups or IP addresses, only user and computer can be used to group alerts into incidents.

  Grouping alerts by user and computer can help you identify patterns of activity and better understand the scope and impact of potential security threats. By grouping alerts into incidents, you can also more easily manage and track your response to security incidents.