Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need to remediate the security risk.
What should you do?
A. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.
B. Modify the properties of the computer objects listed as exposed entities.
C. Disable legacy protocols on the computers listed as exposed entities.
D. Enforce LDAP signing on the computers listed as exposed entities.
Correct Answer: B
To remediate the security risk associated with unsecure Kerberos delegation, you should modify the properties of the computer objects listed as exposed entities. Specifically, you should set the Kerberos delegation settings to either 'Trust this computer for delegation to any service' or 'Trust this computer for delegation to specified services only'. This will ensure that the computer is not allowed to use Kerberos delegation to access other computers on the network.
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
A. Advanced hunting
B. Threat analytics
C. Incidents and alerts
D. Learning hub
Correct Answer: B
Threat analytics: track and respond to emerging threats with Microsoft 365 Defender threat analytics. Threat analytics is the Microsoft 365 Defender threat intelligence solution from expert Microsoft security researchers. It's designed to assist security teams to be as efficient as possible while facing emerging threats, such as:
- Active threat actors and their campaigns
- Popular and new attack techniques
- Critical vulnerabilities
- Common attack surfaces
- Prevalent malware
Incorrect:
* Advanced hunting: You can build custom detection rules and hunt for specific threats in your environment. Hunting uses a query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities. These rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings.
* Learning hub: The Microsoft 365 Defender portal includes a learning hub that provides guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation.
A new security analyst reports that she cannot assign and resolve incidents in Microsoft Sentinel.
You need to ensure that the analyst can assign and resolve incidents. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
A. Microsoft Sentinel Responder
B. Logic App Contributor
C. Microsoft Sentinel Reader
D. Microsoft Sentinel Contributor
Correct Answer: A
The Microsoft Sentinel Responder role allows users to investigate, triage, and resolve security incidents, which includes the ability to assign incidents to other users. This role is designed to provide the necessary permissions for incident management and response while still adhering to the principle of least privilege. Other roles such as Logic App Contributor and Microsoft Sentinel Contributor would have more permissions than necessary and may not be suitable for the analyst's needs. Microsoft Sentinel Reader role is not sufficient as it doesn't have permission to assign and resolve incidents.
You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?
A. a workbook
B. a hunting query
C. a notebook
D. a playbook
Correct Answer: A
Once you have connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards. While the Workbooks are displayed differently in Microsoft Sentinel, it may be useful for you to see how to create interactive reports with Azure Monitor Workbooks. Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Create a hunting query that references the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
E. Create an analytics rule that includes the built-in parser.
Correct Answer: BC
B: Replace a built-in, source-specific parser that's used by a unifying parser with a custom, source-specific parser. Replace built-in parsers when you want to:
- Use a version of the built-in parser other than the one used by default in the unifying parser.
- Prevent automated updates by preserving the version of the source-specific parser used by the unifying parser.
- Use a modified version of a built-in parser.
C: Use the following process to prevent automatic updates for built-in, source-specific parsers:
1. Add the built-in parser version you want to use, such as _Im_Dns_AzureFirewallV02, to the custom unifying parser. For more information, see above, Add a custom parser to a built-in unifying parser.
2. Add an exception for the built-in parser. For example, when you want to entirely opt out from automatic updates, and therefore exclude a large number of built-in parsers, add:
   - A record with Any as the SourceSpecificParser field, to exclude all parsers for the CallerContext.
   - A record with Any in both the CallerContext and the SourceSpecificParser fields, to exclude all built-in parsers.