Exam Details

  • Exam Code: SC-200
  • Exam Name: Microsoft Security Operations Analyst
  • Certification: Microsoft Certifications
  • Vendor: Microsoft
  • Total Questions: 394 Q&As
  • Last Updated: Mar 22, 2025

Microsoft Certifications: SC-200 Questions & Answers

  • Question 111:

    You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

    You deploy Azure Sentinel.

    You need to use the existing logic app as a playbook in Azure Sentinel.

    What should you do first?

    A. Add a new scheduled query rule.

    B. Add a data connector to Azure Sentinel.

    C. Configure a custom Threat Intelligence connector in Azure Sentinel.

    D. Modify the trigger in the logic app.

  • Question 112:

    Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

    A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

    You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.

    What should you include in the recommendation?

    A. built-in queries

    B. livestream

    C. notebooks

    D. bookmarks

  • Question 113:

    You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.

    You need to create a query that will be used to display a bar graph.

    What should you include in the query?

    A. extend

    B. bin

    C. count

    D. workspace

  • Question 114:

    You use Azure Sentinel.

    You need to receive an immediate alert whenever Azure Storage account keys are enumerated.

    Which two actions should you perform? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    A. Create a livestream.

    B. Add a data connector.

    C. Create an analytics rule.

    D. Create a hunting query.

    E. Create a bookmark.

  • Question 115:

    You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC). What should you use?

    A. notebooks in Azure Sentinel

    B. Microsoft Cloud App Security

    C. Azure Monitor

    D. hunting queries in Azure Sentinel

  • Question 116:

    You are configuring Azure Sentinel.

    You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.

    Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.

    NOTE: Each correct selection is worth one point.

    A. Add a playbook.

    B. Associate a playbook to an incident.

    C. Enable Entity behavior analytics.

    D. Create a workbook.

    E. Enable the Fusion rule.

  • Question 117:

    Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You use Azure Security Center.

    You receive a security alert in Security Center.

    You need to view recommendations to resolve the alert in Security Center.

    Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section.

    Does this meet the goal?

    A. Yes

    B. No

  • Question 118:

    You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.

    You need to create a query that will be used to display the time chart.

    What should you include in the query?

    A. extend

    B. bin

    C. makeset

    D. workspace

  • Question 119:

    Your company uses Azure Security Center and Azure Defender.

    The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

    What should you configure in Security Center to enable the email notifications?

    A. Security solutions

    B. Security policy

    C. Pricing and settings

    D. Security alerts

    E. Azure Defender

  • Question 120:

    Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

    After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

    You use Azure Security Center.

    You receive a security alert in Security Center.

    You need to view recommendations to resolve the alert in Security Center.

    Solution: From Regulatory compliance, you download the report.

    Does this meet the goal?

    A. Yes

    B. No

Tips on How to Prepare for the Exams

Nowadays, certification exams are becoming more important and are required by more and more enterprises when you apply for a job. But how do you prepare for the exam effectively? How do you prepare for the exam in a short time with less effort? How do you get an ideal result, and how do you find the most reliable resources? Here on Vcedump.com, you will find all the answers. Vcedump.com provides not only Microsoft exam questions, answers and explanations but also complete assistance with your exam preparation and certification application. If you are confused about your SC-200 exam preparation or your Microsoft certification application, do not hesitate to visit Vcedump.com to find your solutions.