Microsoft Microsoft Certifications SC-200 Questions & Answers

• Question 161:

  You need to complete the query for failed sign-ins to meet the technical requirements. Where can you find the column name to complete the where clause?

  A. Security alerts in Azure Security Center

  B. Activity log in Azure

  C. Azure Advisor

  D. the query windows of the Log Analytics workspace

  Correct Answer: D

• Question 162:

  You have an Azure subscription that has Microsoft Defender for Cloud enabled.

  You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).

  You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.

  What should you install first on Server1?

  A. the Microsoft Monitoring Agent

  B. the Azure Monitor agent

  C. the Azure Connected Machine agent

  D. the Azure Pipelines agent

  Correct Answer: C

  https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-aws?pivots=env-settings

• Question 163:

  You have an Azure subscription that contains a Microsoft Sentinel workspace.

  You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert. What should you create first?

  A. a hunting query in Microsoft Sentinel

  B. an Azure logic app

  C. an automation rule in Microsoft Sentinel

  D. a trigger in Azure Functions

  Correct Answer: B

  Azure logic apps are a workflow automation platform that provides a visual designer to model and automate processes as a series of steps or actions. Logic apps can be triggered by events, such as an alert in Microsoft Sentinel, and can perform a variety of actions, such as sending an email or creating a work item in Azure DevOps.

• Question 164:

  You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema.

  You need to make the 200 parses available in Workspace1. The solution must minimize administrative effort.

  What should you do first?

  A. Copy the parsers to the Azure Monitor Logs page.

  B. Create a JSON file based on the DNS template.

  C. Create an XML file based on the DNS template.

  D. Create a YAML file based on the DNS template.

  Correct Answer: D

  Deploy parsers

  Deploy parsers manually by copying them to the Azure Monitor Log page and saving the query as a function. This method is useful for testing.

  To deploy a large number of parsers, we recommend using parser ARM templates, as follows:

  Create a YAML file based on the relevant template for each schema and include your query in it. Start with the YAML template relevant for your schema and parser type, filtering or parameter-less.

  Use the ASIM Yaml to ARM template converter to convert your YAML file to an ARM template.

  If deploying an update, delete older versions of the functions using the portal or the function delete PowerShell tool.

  Deploy your template using the Azure portal or PowerShell.

  Reference:

  https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers

• Question 165:

  You have an Azure subscription that uses Microsoft Defender for Cloud. You need to filter the security alerts view to show the following alerts:

  1.

  Unusual user accessed a key vault

  2.

  Log on from an unusual location

  3.

  Impossible travel activity Which severity should you use?

  A. Informational

  B. Low

  C. Medium

  D. High

  Correct Answer: C

  Medium This is probably a suspicious activity might indicate that a resource is compromised. Defender for Cloud's confidence in the analytic or finding is medium and the confidence of the malicious intent is medium to high. These would usually be machine learning or anomaly-based detections, for example a sign-in attempt from an unusual location.

  Incorrect:

  *

  High There is a high probability that your resource is compromised. You should look into it right away. Defender for Cloud has high confidence in both the malicious intent and in the findings used to issue the alert. For example, an alert that detects the execution of a known malicious tool such as Mimikatz, a common tool used for credential theft.

  *

  Low This might be a benign positive or a blocked attack. Defender for Cloud isn't confident enough that the intent is malicious and the activity might be innocent. For example, log clear is an action that might happen when an attacker tries to hide their tracks, but in many cases is a routine operation performed by admins. Defender for Cloud doesn't usually tell you when attacks were blocked, unless it's an interesting case that we suggest you look into.

  *

  Low This might be a benign positive or a blocked attack. Defender for Cloud isn't confident enough that the intent is malicious and the activity might be innocent. For example, log clear is an action that might happen when an attacker tries to hide their tracks, but in many cases is a routine operation performed by admins. Defender for Cloud doesn't usually tell you when attacks were blocked, unless it's an interesting case that we suggest you look into.

  Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-overview

• Question 166:

  You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.

  You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATTandCK tactic.

  Which JSON key should you search?

  A. Description

  B. Intent

  C. ExtendedProperies

  D. Entities

  Correct Answer: B

  The "Intent" key is part of the JSON format used by Microsoft Defender for Cloud to transmit security alert data to third-party security information and event management (SIEM) solutions. The "Intent" key provides information on the type of attack or tactic that the alert is related to, and can be used to identify alerts that are specifically related to the Privilege Escalation tactic.

• Question 167:

  You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user named User1.

  You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege.

  Which role should you assign to User1?

  A. Security operator

  B. Security Admin

  C. Owner

  D. Contributor

  Correct Answer: B

  Security Admin

  View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.

  Incorrect:

  *

  Security Reader

  View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.

  * owner - too much permissions

  *

  Contributor (too much permissions)

  Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.

  Reference:

  https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles

• Question 168:

  You have an Azure subscription that contains a user named User1.

  User1 is assigned an Azure Active Directory Premium Plan 2 license.

  You need to identify whether the identity of User1 was compromised during the last 90 days.

  What should you use?

  A. the risk detections report

  B. the risky users report

  C. Identity Secure Score recommendations

  D. the risky sign-ins report

  Correct Answer: B

  Scenario: User compromised (True positive)

  ‘Risky users

• Question 169:

  You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines.

  You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:

  1.

  Minimize administrative effort.

  2.

  Minimize the parsing required to read fog data. What should you configure?

  A. a Log Analytics Data Collector API

  B. REST API integration

  C. a Common Evert Format (CEF) connector

  D. a Syslog connector

  Correct Answer: C

  CEF is a standard format for log data that is used by many security and event management systems, including Microsoft Sentinel. By using a CEF connector, the log data can be ingested into Sentinel with minimal parsing required, reducing administrative effort. Additionally, CEF is a widely supported format among security products, so it will minimize administrative effort by not having to configure multiple connectors to different products.

• Question 170:

  You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.

  You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and costs.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct selection is worth one point.

  A. From the workspace created by Defender for Cloud, set the data collection level to Common.

  B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.

  C. From the Azure portal, create an Azure Event Grid subscription.

  D. From the workspace created by Defender for Cloud, set the data collection level to All Events.

  E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.

  Correct Answer: AE

  A (not D): What event types are stored for "Common" and "Minimal"?

  The Common and Minimal event sets were designed to address typical scenarios based on customer and industry standards for the unfiltered frequency of each event and their usage.

  *

  Common - A set of events that satisfies most customers and provides a full audit trail.

  This set is intended to provide a full user audit trail, including events with low volume. For example, this set contains both user logon events (event ID 4624) and user logoff events (event ID 4634). We include auditing actions like security

  group changes, key domain controller Kerberos operations, and other events that are recommended by industry organizations.

  *

  Minimal

  *

  All events