Microsoft Certifications: SC-200 Questions & Answers
Question 221:
HOTSPOT
Your on-premises network contains 100 servers that run Windows Server.
You have an Azure subscription that uses Microsoft Sentinel.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Log Analytics agent
Collect data in custom log formats to Microsoft Sentinel with the Log Analytics agent.
Many applications log data to text files instead of standard logging services like Windows Event log or Syslog. You can use the Log Analytics agent to collect data in text files of nonstandard formats from both Windows and Linux computers.
Once collected, you can either parse the data into individual fields in your queries or extract the data during collection to individual fields.
Box 2: Data connectors page of Microsoft Sentinel
Configure the logs to be collected
Many device types have their own data connectors appearing in the Data connectors page in Microsoft Sentinel. Some of these connectors require special additional instructions to properly set up log collection in Microsoft Sentinel. These instructions can include the implementation of a parser based on a Kusto function.
All connectors listed in Microsoft Sentinel will display any specific instructions on their respective connector pages in the portal, as well as in their sections of the Microsoft Sentinel data connectors reference page.
If your product is not listed in the Data connectors page, consult your vendor's documentation for instructions on configuring logging for your device.
Question 222:
A Microsoft Sentinel incident is generated as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Investigate
1. To begin an investigation, select a specific incident. On the right, you can see detailed information for the incident including its severity, a summary of the number of entities involved, the raw events that triggered this incident, the incident's unique ID, and any mapped MITRE ATT&CK tactics or techniques.
2. To view more details about the alerts and entities in the incident, select View full details in the incident page and review the relevant tabs that summarize the incident information. A page similar to the exhibit will be shown.
3. Select Investigate to view the investigation map.
Incorrect:
Entities
In the Entities tab, you can see all the entities that you mapped as part of the alert rule definition. These are the objects that played a role in the incident, whether they be users, devices, addresses, files, or any other types.
Alerts
In the Alerts tab, review the alerts included in this incident. You'll see all relevant information about the alerts
Question 223:
HOTSPOT
You have a Microsoft 365 E5 subscription.
You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the following requirements:
1. Only show emails sent during the last hour.
2. Optimize query performance.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: | where Timestamp > ago(1h)
This filter shows only emails sent during the last hour, and placing it first optimizes query performance: apply filters early.
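As an added illustration (not the exam's exhibit or answer key), this is one way the full hunting query could look in Microsoft 365 Defender advanced hunting, with the one-hour filter applied first on both sides of the join so that only the last hour of each table is scanned; the EmailAttachmentInfo and EmailEvents tables and their columns are the advanced-hunting schema, while the file name and time window come from the question:

```kusto
// Filter on time before anything else so the engine scans only the last hour,
// then narrow to the attachment of interest before joining.
EmailAttachmentInfo
| where Timestamp > ago(1h)
| where FileName =~ "Document.pdf"
| project Timestamp, NetworkMessageId, FileName, SHA256
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(1h)          // same early filter on the joined side
    | project NetworkMessageId, SenderFromAddress, RecipientEmailAddress,
              Subject, DeliveryAction
  ) on NetworkMessageId
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject,
          FileName, SHA256, DeliveryAction
| order by Timestamp desc
```

The SHA256 column lets you pivot from the file name to the actual attachment hash, which is what you would use when hunting for the same file under a different name.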
Question 224:
HOTSPOT
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: "Microsoft.Security/automations"
Box 2: triggers
Reference: Quickstart: Create an automatic response to a specific security alert using an ARM template or Bicep
Question 225:
You have an Azure subscription that uses Microsoft Defender for Cloud.
You create a Google Cloud Platform (GCP) organization named GCP1.
You need to onboard GCP1 to Defender for Cloud by using the native cloud connector. The solution must ensure that all future GCP projects are onboarded automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: A management project and a custom role (see step 5 below)
(Optional) If you select Organization, a management project and an organization custom role will be created on your GCP project for the onboarding process. Auto-provisioning will be enabled for the onboarding of new projects.
Box 2: Steps 10-12 below:
10. Select the GCP Cloud Shell >.
11. The GCP Cloud Shell will open.
12. Paste the script into the Cloud Shell terminal and run it.
Note: To protect your GCP-based resources, you can connect a GCP project with either:
Native cloud connector (recommended) - Provides an agentless connection to your GCP account that you can extend with Defender for Cloud's Defender plans to secure your GCP resources
Classic cloud connector
To connect your GCP project to Defender for Cloud with a native connector:
1. Sign in to the Azure portal.
2. Navigate to Defender for Cloud > Environment settings.
3. Select + Add environment.
4. Select the Google Cloud Platform.
5. Enter all relevant information.
(Optional) If you select Organization, a management project and an organization custom role will be created on your GCP project for the onboarding process. Auto-provisioning will be enabled for the onboarding of new projects.
6. Select the Next: Select Plans.
7. Toggle the plans you want to connect to On.
8. Select the Next: Configure access.
9. Select Copy.
10. Select the GCP Cloud Shell >.
11. The GCP Cloud Shell will open.
12. Paste the script into the Cloud Shell terminal and run it.
Question 226:
You have an Azure subscription that has Azure Defender enabled for all supported resource types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Azure Security Center.
You need to test LA1 in Security Center.
What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Question 227:
HOTSPOT
You have a Microsoft Sentinel workspace named sws1.
You need to create a query that will detect when a user creates an unusually large number of Azure AD user accounts.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: AuditLogs
You might want to create a query that incorporates data from multiple sources. You can create a query that looks at Azure Active Directory audit logs for new users that were just created, and then checks your Azure logs to see if the user started making role assignment changes within 24 hours of creation. That suspicious activity would show up on this dashboard:
AuditLogs
| where OperationName == "Add user"
| project AddedTime = TimeGenerated, user = tostring(TargetResources[0].userPrincipalName)
| join (AzureActivity
    | where OperationName == "Create role assignment"
    | project OperationName, RoleAssignmentTime = TimeGenerated, user = Caller) on user
| project-away user1
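The explanation above correlates newly created users with later role assignments; the question itself asks for a query that flags an account creating an unusually large number of users. As an added example (not the exam's exhibit or answer key), the following Microsoft Sentinel KQL does that against the AuditLogs table; the hourly bucket and the threshold of 20 are assumed values to tune to your tenant's normal provisioning rate:

```kusto
// Count successful "Add user" operations per initiating identity in hourly
// buckets and keep only the buckets that exceed the threshold.
// threshold is an assumed value; tune it to your environment.
let threshold = 20;
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName == "Add user" and Result == "success"
// The initiator may be a user or an application (e.g. a provisioning service)
| extend InitiatorUser = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorApp  = tostring(InitiatedBy.app.displayName)
| extend Creator = iff(isempty(InitiatorUser), InitiatorApp, InitiatorUser)
| summarize CreatedAccounts = count(),
            SampleAccounts  = make_set(tostring(TargetResources[0].userPrincipalName), 10)
  by Creator, bin(TimeGenerated, 1h)
| where CreatedAccounts > threshold
| order by CreatedAccounts desc
```

Applications that legitimately provision users in bulk will show up here by display name; allow-list them in the query rather than raising the threshold for everyone.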
Question 228:
You have an Azure subscription that contains a guest user named User1 and a Microsoft Sentinel workspace named workspace1.
You need to ensure that User1 can triage Microsoft Sentinel incidents in workspace1. The solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Microsoft Sentinel Responder (Azure role)
Roles and permissions for working in Microsoft Sentinel
Microsoft Sentinel-specific roles
All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace.
Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources.
-> Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).
Microsoft Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources.
Microsoft Sentinel Playbook Operator can list, view, and manually run playbooks.
Microsoft Sentinel Automation Contributor allows Microsoft Sentinel to add playbooks to automation rules. It isn't meant for user accounts.
Box 2: Directory Readers (Azure AD role)
If you have a guest user that needs to assign incidents, the user must be assigned the Directory Readers role in your Azure AD tenant. Regular (non-guest) users have this role assigned by default.
Question 229:
You have an Azure subscription that uses Microsoft Sentinel and contains a user named User1.
You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for entity behavior in Azure AD. The solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: Security Administrator (Azure AD role)
Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
Prerequisites
To enable or disable this feature (these prerequisites are not required to use the feature):
Your user must be assigned the Global Administrator or Security Administrator roles in Azure AD.
Your user must be assigned at least one of the following Azure roles (Learn more about Azure RBAC):
Microsoft Sentinel Contributor at the workspace or resource group levels.
Log Analytics Contributor at the resource group or subscription levels.
Your workspace must not have any Azure resource locks applied to it. Learn more about Azure resource locking.
Question 230:
You have an Azure subscription that contains the following resources:
1. A virtual machine named VM1 that runs Windows Server
2. A Microsoft Sentinel workspace named Sentinel1 that has User and Entity Behavior Analytics (UEBA) enabled
You have a scheduled query rule named Rule1 that tracks sign-in attempts to VM1.
You need to update Rule1 to detect when a user from outside the IT department of your company signs in to VM1. The solution must meet the following requirements:
1. Utilize UEBA results.
2. Maximize query performance.
3. Minimize the number of false positives.
How should you complete the rule definition? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: inner
Use an inner join to minimize false positives.
Example: the following query resolves user and peer identifier fields:
) on $left.AADTenantId == $right.AccountTenantId, $left.UserId == $right.AccountObjectId
Box 2: IdentityInfo
IdentityInfo table
After you enable UEBA for your Microsoft Sentinel workspace, data from your Azure Active Directory is synchronized to the IdentityInfo table in Log Analytics for use in Microsoft Sentinel. You can embed user data synchronized from your
Azure AD in your analytics rules to enhance your analytics to fit your use cases and reduce false positives.
The following table describes the user identity data included in the IdentityInfo table in Log Analytics.
AccountObjectId (string): The Azure Active Directory object ID for the user account.
AccountSID (string): The on-premises security identifier of the user account.
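As an added example (not the exam's exhibit or answer key), the rule logic the question describes, written as Sentinel KQL: Windows logon events for VM1 are filtered first, then inner-joined to the UEBA IdentityInfo table on the on-premises SID so that only accounts with a synchronized identity (and therefore a known department) survive, and finally restricted to users outside IT. The SecurityEvent and IdentityInfo column names are the Sentinel schema; the department value "IT" and the two logon types are assumptions:

```kusto
// Filter the high-volume event table first: one host, one event ID,
// interactive (2) and RDP (10) logons, user accounts only.
SecurityEvent
| where Computer =~ "VM1" and EventID == 4624
| where LogonType in (2, 10)
| where AccountType == "User"
| project TimeGenerated, Computer, TargetUserSid, TargetUserName,
          TargetDomainName, IpAddress, LogonType
// Inner join: logons by accounts that have no IdentityInfo record (local or
// service accounts) are dropped, which is what keeps false positives down.
| join kind=inner (
    IdentityInfo
    | where TimeGenerated > ago(14d)               // IdentityInfo is a periodic snapshot
    | summarize arg_max(TimeGenerated, *) by AccountSID   // latest record per user
    | project AccountSID, AccountUPN, AccountDisplayName, Department
  ) on $left.TargetUserSid == $right.AccountSID
| where Department !~ "IT"                         // assumed department name
| project TimeGenerated, Computer, TargetUserName, TargetDomainName,
          AccountUPN, AccountDisplayName, Department, IpAddress, LogonType
```

Because Rule1 is a scheduled rule, the look-back window for SecurityEvent comes from the rule's query period rather than from a time filter in the query itself.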