Microsoft Certifications SC-200 Questions & Answers
Question 171:
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?
A. a repository connection
B. a watchlist
C. an analytics rule
D. an automation rule
Correct Answer: D
To ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert, you should create an automation rule first.
Question 172:
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual machines that run Windows Server 2019. You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements:
1. Limit the maximum request time to two hours.
2. Limit protocol access to Remote Desktop Protocol (RDP) only.
3. Minimize administrative effort.
What should you use?
Question 173:
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.
You need to onboard EC2-1 to Defender for Cloud.
What should you install on EC2-1?
A. the Log Analytics agent
B. the Azure Connected Machine agent
C. the unified Microsoft Defender for Endpoint solution package
D. Microsoft Monitoring Agent
Correct Answer: B
To onboard an Amazon Elastic Compute Cloud (EC2) instance to Microsoft Defender for Cloud, install the Azure Connected Machine agent (the Azure Arc agent) on the instance. Defender for Cloud's AWS connector onboards EC2 instances as Azure Arc-enabled servers, and the Defender for Servers plan then deploys its extensions through Arc. The Log Analytics agent and the Microsoft Monitoring Agent are the same legacy monitoring agent under two names, and the Defender for Endpoint package is pushed through Arc afterwards rather than installed first.
Question 174:
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A. a workbook
B. a hunting query
C. a watchlist
D. an analytic rule
Correct Answer: C
Built-in unified ASIM parsers (for example the DNS or Authentication unified parsers) call every built-in source-specific parser for that schema. To stop one of those source-specific parsers from being called, you add a record for it to the ASim_DisabledParsers watchlist in the workspace; the unified parser reads that watchlist and skips the listed parser. Workbooks, hunting queries, and analytics rules consume parser output and cannot change which source-specific parsers a unified parser invokes. Reference: https://learn.microsoft.com/en-us/azure/sentinel/normalization-manage-parsers
Question 175:
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?
A. the incident automation settings
B. the query rule
C. entity mapping
D. the Alert automation settings
Correct Answer: C
Entity mapping is an integral part of the configuration of scheduled query analytics rules. It enriches the rules' output (alerts and incidents) with essential information that serves as the building blocks of any investigative processes and remedial actions that follow.
Note: How to map entities
1. From the Microsoft Sentinel navigation menu, select Analytics.
2. Select a scheduled query rule and select Edit from the details pane. Or create a new rule by clicking Create > Scheduled query rule at the top of the screen.
3. Select the Set rule logic tab.
4. In the Alert enrichment section, expand Entity mapping.
5. In the now-expanded Entity mapping section, select an entity type from the Entity type drop-down list.
Note 2: The configuration of NRT rules is in most ways the same as that of scheduled analytics rules:
- You can refer to multiple tables and watchlists in your query logic.
- You can use all of the alert enrichment methods: entity mapping, custom details, and alert details. (This is the item the answer relies on.)
- You can choose how to group alerts into incidents, and to suppress a query when a particular result has been generated.
- You can automate responses to both alerts and incidents.
Question 176:
You need to visualize Microsoft Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC). What should you use?
A. notebooks in Microsoft Sentinel
B. Microsoft Defender for Cloud Apps
C. Azure Monitor
Correct Answer: A
To visualize Microsoft Sentinel data and enrich it with third-party data sources to identify indicators of compromise (IoCs), use notebooks in Microsoft Sentinel.
Notebooks in Microsoft Sentinel are Jupyter notebooks hosted in Azure Machine Learning. They let you query the workspace with KQL, build visualizations, and run analysis code against the results, and they can connect to other data sources, such as third-party threat intelligence feeds, to enrich the data and identify IoCs.
Once you have connected to the third-party data source, you can use the notebook to blend the data, create visualizations, and perform analysis to identify the potential attack.
Question 177:
Exhibit (partial): Sign-in URL: https://www.company.com
Which entities can be investigated by using UEBA?
A. IP address and email address only
B. app name, computer name, IP address, email address, and used client app only
C. IP address only
D. used client app and app name only
Correct Answer: B
BehaviorAnalytics table
The following fields are among the behavior analytics data displayed on each entity details page in Microsoft Sentinel:
- SourceIPAddress: the IP address from which the activity was initiated.
- SourceDevice: the hostname of the device that initiated the activity.
- Etc.
The following field is among the user identity data included in the IdentityInfo table in Log Analytics:
- MailAddress: the primary email address of the user account.
- Etc.
ActivityInsights field
The enrichments featured in the ActivityInsights dynamic field of the BehaviorAnalytics table include: Action Performed, App used, Browser Used, etc.
Note: UEBA enrichments
The BehaviorAnalytics table is where UEBA's output information is stored.
- The UsersInsights and DevicesInsights fields contain entity information from Active Directory / Azure AD and Microsoft Threat Intelligence sources.
- The ActivityInsights field contains entity information based on the behavioral profiles built by Microsoft Sentinel's entity behavior analytics.
The IdentityInfo table is where identity information synchronized to UEBA from Azure Active Directory (and from on-premises Active Directory via Microsoft Defender for Identity) is stored.
Note 2: Microsoft Sentinel User and Entity Behavior Analytics works by aggregating multiple Azure data sources and finding rarities and outliers within those sources. The data sources are:
Question 178:
You have a Microsoft Sentinel workspace that uses the Microsoft 365 Defender data connector.
From Microsoft Sentinel, you investigate a Microsoft 365 incident.
You need to update the incident to include an alert generated by Microsoft Defender for Cloud Apps.
What should you use?
A. the entity side panel of the Timeline card in Microsoft Sentinel
B. the Timeline tab on the incidents page of Microsoft Sentinel
C. the investigation graph on the incidents page of Microsoft Sentinel
D. the Alerts page in the Microsoft 365 Defender portal
Correct Answer: A
Add alerts using the entity timeline (Preview) (see steps 5 to 7 below)
The entity timeline, as featured in the new incident experience (now in Preview), presents all the entities in a particular incident investigation. When an entity in the list is selected, a miniature entity page is displayed in a side panel.
1. From the Microsoft Sentinel navigation menu, select Incidents.
2. Select an incident to investigate. In the incident details panel, select View full details.
3. In the incident page, select the Entities tab.
4. Select an entity from the list.
5. In the entity page side panel, select the Timeline card.
6. Select an alert external to the open incident. These are indicated by a grayed-out shield icon and a dotted-line color band representing the severity. Select the plus-sign icon on the right end of that alert.
7. Confirm adding the alert to the incident by selecting OK. You'll receive a notification confirming the addition of the alert to the incident, or explaining why it was not added.
You'll see that the added alert now appears in the open incident's Timeline widget in the Overview tab, with a full-color shield icon and a solid-line color band like any other alert in the incident.
The added alert is now a full part of the incident, and any entities in the added alert (that weren't already part of the incident) have also become part of the incident. You can now explore those entities' timelines for their other alerts that are now eligible to be added to the incident.
Note: Microsoft Sentinel's Microsoft 365 Defender incident integration allows you to stream all Microsoft 365 Defender incidents into Microsoft Sentinel and keep them synchronized between both portals. Incidents from Microsoft 365 Defender include all associated alerts, entities, and relevant information, providing you with enough context to perform triage and preliminary investigation in Microsoft Sentinel. Once in Sentinel, incidents will remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation.
Working with Microsoft 365 Defender incidents in Microsoft Sentinel and bi-directional sync
Microsoft 365 Defender incidents will appear in the Microsoft Sentinel incidents queue with the product name Microsoft 365 Defender, and with similar details and functionality to any other Sentinel incidents. Each incident contains a link back to the parallel incident in the Microsoft 365 Defender portal.
Question 179:
You have a Microsoft Sentinel workspace.
You investigate an incident that has the following entities:
1. A user account named User1
2. An IP address of 192.168.10.200
3. An Azure virtual machine named VM1
4. An on-premises server named Server1
You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.
Which entity can you label?
A. 192.168.10.200
B. VM1
C. Server1
D. User1
Correct Answer: A
Add entities to threat intelligence in Microsoft Sentinel When investigating an incident, you examine entities and their context as an important part of understanding the scope and nature of the incident. In the course of the investigation, you may discover a domain name, URL, file, or IP address in the incident that should be labeled and tracked as an indicator of compromise (IOC), a threat indicator.
For example, you may discover an IP address performing port scans across your network, or functioning as a command and control node, sending and/or receiving transmissions from large numbers of nodes in your network.
Microsoft Sentinel allows you to flag these types of entities as malicious, right from within your incident investigation, and add them to your threat indicator lists. You'll then be able to view the added indicators both in Logs and in the Threat Intelligence blade, and use them across your Microsoft Sentinel workspace. The entity types that can be added this way are IP address, domain name, URL, and file hash; user accounts and hosts (User1, VM1, Server1) cannot be labeled as indicators, which is why only the IP address qualifies.
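The following is an added example, not code from the exam page or from Microsoft, tying together the notebooks question above (enriching Sentinel data with a third-party source to find IoCs) and this question (which entity types can be labeled as IoCs). It performs the join a Sentinel notebook would do after pulling sign-in rows with KQL: normalize a defanged third-party feed, match it against log columns (exact IP, CIDR range, account name), and tag each hit with whether Sentinel would let you promote that entity to a threat indicator. The SigninLogs-style rows, the feed entries, the feed names and the column-to-entity-type mapping are all constructed for the demo.

```python
"""Enrichment a Sentinel notebook might run (added example, constructed data)."""
import ipaddress
import json
import re

# Entity types that the incidents page lets you add to threat intelligence as IoCs.
IOC_ELIGIBLE_TYPES = {"ip", "domain", "url", "filehash"}

# Corporate address space a public feed will never list; these lookups are skipped.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed SigninLogs-style rows (column names follow the SigninLogs table).
SIGNIN_ROWS = [
    {"TimeGenerated": "2024-03-01T08:12:00Z", "UserPrincipalName": "user1@contoso.com",
     "IPAddress": "203.0.113.45", "ResultType": "0"},
    {"TimeGenerated": "2024-03-01T08:15:00Z", "UserPrincipalName": "user2@contoso.com",
     "IPAddress": "198.51.100.7", "ResultType": "50126"},
    {"TimeGenerated": "2024-03-01T08:17:00Z", "UserPrincipalName": "user1@contoso.com",
     "IPAddress": "10.0.0.25", "ResultType": "0"},
]

# Constructed third-party feed. Feeds commonly defang indicators (203.0.113[.]45,
# hxxp://), so normalizing them is part of the join.
THIRD_PARTY_FEED = [
    {"indicator": "203.0.113[.]45", "type": "ip", "confidence": 85, "source": "feedA"},
    {"indicator": "hxxp://evil.example[.]com/login", "type": "url", "confidence": 70, "source": "feedA"},
    {"indicator": "198.51.100.0/24", "type": "ip", "confidence": 60, "source": "feedB"},
    {"indicator": "User1@contoso.com", "type": "account", "confidence": 50, "source": "feedB"},
]

# Which log column carries which entity type (assumed mapping for this demo).
COLUMN_TYPES = (("IPAddress", "ip"), ("UserPrincipalName", "account"))


def refang(value):
    """Undo common defanging so feed values compare equal to log values."""
    v = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?://)", r"http\1", v, flags=re.IGNORECASE)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def index_feed(feed):
    """Normalize the feed into exact lookups keyed by (type, value) plus CIDR ranges."""
    exact, cidrs = {}, []
    for entry in feed:
        value = refang(entry["indicator"]).lower()
        if entry["type"] == "ip" and "/" in value:
            cidrs.append((ipaddress.ip_network(value, strict=False), entry))
        else:
            exact[(entry["type"], value)] = entry
    return exact, cidrs


def lookup(entity_type, value, exact, cidrs):
    """Exact match first; for IPs, fall back to CIDR containment."""
    value = value.lower()
    hit = exact.get((entity_type, value))
    if hit is None and entity_type == "ip":
        addr = ipaddress.ip_address(value)
        hit = next((e for net, e in cidrs if addr in net), None)
    return hit


def enrich(rows, feed):
    """One hit per (row, matched column), carrying the feed context and IoC eligibility."""
    exact, cidrs = index_feed(feed)
    hits = []
    for row in rows:
        for column, etype in COLUMN_TYPES:
            value = row[column]
            if etype == "ip" and is_internal(value):
                continue
            entry = lookup(etype, value, exact, cidrs)
            if entry is not None:
                hits.append({
                    "TimeGenerated": row["TimeGenerated"],
                    "entity_type": etype,
                    "entity": value,
                    "ti_indicator": refang(entry["indicator"]),
                    "ti_source": entry["source"],
                    "ti_confidence": entry["confidence"],
                    # Accounts and hosts enrich the picture but cannot be labeled as IoCs.
                    "ioc_eligible": etype in IOC_ELIGIBLE_TYPES,
                })
    return hits


def candidate_indicators(hits):
    """Distinct entity values that could be promoted to Sentinel threat indicators."""
    return sorted({h["entity"] for h in hits if h["ioc_eligible"]})


if __name__ == "__main__":
    results = enrich(SIGNIN_ROWS, THIRD_PARTY_FEED)
    print(json.dumps(results, indent=2))
    print("Promote as IoC:", candidate_indicators(results))
```

Run as a script it prints four hits: both public sign-in IPs match the feed (one exactly, one by CIDR) and are eligible for promotion, while the two matches on user1's account are kept as context only, mirroring the rule that accounts and hosts cannot be labeled as indicators from the incidents page. The private 10.0.0.25 address is never looked up.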
Question 180:
You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files. Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
B. From Cloud apps, select Files, and then filter File Type to Document.
C. From Settings, select Information Protection, select Files, and then enable file monitoring.
D. From Cloud apps, select Files, and then filter App to Office 365.
E. From Cloud apps, select Files, and then select New policy from search.
F. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.