Microsoft Microsoft Certifications SC-200 Questions & Answers

• Question 231:

  HOTSPOT

  You have an Azure subscription that contains a Microsoft Sentinel workspace.

  You need to create a hunting query using Kusto Query Language (KQL) that meets the following requirements:

  1.

  Identifies an anomalous number of changes to the rules of a network security group (NSG) made by the same security principal.

  2.

  Automatically associates the security principal with a Microsoft Sentinel entity.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 232:

  HOTSPOT

  You have a Microsoft Sentinel workspace.

  You need to configure a report visual for a custom workbook. The solution must meet the following requirements:

  1.

  The count and usage trend of AppDisplayName must be included.

  2.

  The TrendList column must be useable in a sparkline visual.

  How should you complete the KQL query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: join

  Incorrect:

  let

  Not the correct syntax for let.

  Example:

  let timeRange = 1d;

  lookup

  To support a lookup from an external file, KQL offers the "exernaldata" operator. Unlike lookup implementation in other SIEM products, externaldata is not a lookup operator. Instead, externaldata enables using files as if they were Azure

  Sentinel tables, allowing pre-processing of the file before performing the lookup, such as filtering and parsing. I will demonstrate each in the examples below.

  Box 2: make-series

  The make-series operator create series of specified aggregated values along a specified axis.

  Syntax

  T | make-series [MakeSeriesParameters] [Column =] Aggregation [default = DefaultValue] [, ...] on AxisColumn [from start] [to end] step step [by [Column =] GroupExpression [, ...]]

  Incorrect:

  render

  Example of usage:

  render timechart title = "Syslog by time"

  make_bag()

  Returns a property bag of dynamic values within the group

  mv-expand

  mv-expand, or multi-value expand, at its most basic, takes a dynamic array of data and expands it out to multiple rows. When we use mv-expand, KQL expands out the dynamic data, and simply duplicates any non-dynamic data. Leaving us with multiple rows to use in our queries.

  mv-expand is essentially the opposite of summarize operators such as make_list and make_set. With those we are creating arrays, mv-expand we are reversing that, and expanding arrays.

  Example: SigninLogs | project TimeGenerated, UserPrincipalName, Location, ConditionalAccessPolicies | mv-expand ConditionalAccessPolicies

  Reference: https://learnsentinel.blog/2023/05/15/have-a-json-headache-in-kql-try-mv-expand-or-mv-apply/ https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator

• Question 233:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

  You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers.

  How should you complete the KQL query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: IdentityLogonEvents Example: // Notice we no longer have the extra columns from a join. This might be useful if you want to track // logon activity with devices (the DeviceLogonEvents table) and Active Directory \ Azure Active Directory // (the IdentityLogonEvents table) in one query.

  DeviceLogonEvents

  | extend Table = 'DeviceLogonEvents'

  | take 100

  | union (

  IdentityLogonEvents

  | extend Table = 'IdentityLogonEvents'

  | take 100

  ) | project-reorder Timestamp, Table, AccountDomain, AccountName, AccountUpn, AccountSid | order by Timestamp asc

  Box 2: union

  Reference: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%202%20-%20Joins.txt

• Question 234:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

  You need to identify LDAP requests by AD DS users to enumerate AD DS objects.

  How should you complete the KQL query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: IdentityQueryEvents

  The IdentityQueryEvents table in the advanced hunting schema contains information about queries performed against Active Directory objects, such as users, groups, devices, and domains.

  Box 2: isnotempty

  Example:

  IdentityQueryEvents

  | where isnotempty(AccountSid)

  | take 100

  // IdentityQueryEvents

  // - contains query activities performed against Active Directory objects, such as users, groups, devices, and domains monitored by Azure ATP

  // - Includes SAMR, DNS and LDAP requests

  // --------------

  Incorrect:

  IdentityInfo

  The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Azure Active Directory.

  IdentityDirectoryEvents

  IdentityDirectoryEvents

  The IdentityDirectoryEvents table in the advanced hunting schema contains events involving an on-premises domain controller running Active Directory (AD). This table captures various identity-related events, like password changes,

  password expiration, and user principal name (UPN) changes. It also captures system events on the domain controller, like scheduling of tasks and PowerShell activity.

  Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityqueryevents-table https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitydirectoryevents-table https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Webcasts/TrackingTheAdversary/Episode%201%20-%20KQL%20Fundamentals.txt

• Question 235:

  HOTSPOT

  You have a custom detection rule that includes the following KQL query.

  

  For each of the following statements, select Yes if True. Otherwise, select No.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 236:

  HOTSPOT

  Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

  You need to identify all the interactive authentication attempts by the users in the finance department of your company.

  How should you complete the KQL query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: IdentityInfo Example: IdentityInfo | where JobTitle == "CONSULTANT" | join hint.shufflekey = AccountObjectId (IdentityDirectoryEvents

  | where Application == "Active Directory" | where ActionType == "Private data retrieval") on AccountObjectId

  Note: The IdentityInfo table in the advanced hunting schema contains information about user accounts obtained from various services, including Azure Active Directory. Use this reference to construct queries that return information from this table.

  AccountObjectId Unique identifier for the account in Azure AD

  Department Name of the department that the account user belongs to

  Box 2: IdentityLogonEvents The IdentityLogonEvents table in the advanced hunting schema contains information about authentication activities made through your on-premises Active Directory captured by Microsoft Defender for Identity and authentication activities related to Microsoft online services captured by Microsoft Defender for Cloud Apps.

  Column names include:

  AccountObjectId Unique identifier for the account in Azure AD

  Etc.

  Incorrect:

  Audit Logs (User and group management activity)

  SignInLogs (Authentication Activity)

  Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identitylogonevents-table

• Question 237:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that uses Microsoft Purview and contains a user named User1.

  User1 shares a Microsoft Power BI report file from the Microsoft OneDrive folder of your company to an external user by using Microsoft Teams.

  You need to identify which Power BI report file was shared.

  How should you configure the search? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Share file, folder, or site

  Activities

  Box 2: Shared Power BI report

  Record type

  Box 3: Microsoft teams

  Workload

  Note: Search-UnifiedAuditLog

  Applies to:

  Exchange Online, Exchange Online Protection

  This cmdlet is available only in the cloud-based service.

  Use the Search-UnifiedAuditLog cmdlet to search the unified audit log. This log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365

  services. You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.

  Example:

  Search-UnifiedAuditLog -StartDate 5/1/2018 -EndDate 5/8/2018 -RecordType SharePointFileOperation -Operations FileAccessed -SessionId "WordDocs_SharepointViews"-SessionCommand ReturnLargeSet

  This example searches the unified audit log for any files accessed in SharePoint Online from May 1, 2018 to May 8, 2018. The data is returned in pages as the command is rerun sequentially while using the same SessionId value.

  Reference:

  https://learn.microsoft.com/en-us/microsoft-365/security/defender/auditing

  https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog

• Question 238:

  HOTSPOT

  You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.

  You have an Azure DevOps organization named AzDO1.

  You need to integrate Sub1 and AzDO1. The solution must meet the following requirements:

  1.

  Detect secrets exposed in pipelines by using Defender for Cloud.

  2.

  Minimize administrative effort.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Add an environment

  Connect your Azure DevOps repositories to Microsoft Defender for Cloud

  Connect your Azure DevOps organization

  To connect your Azure DevOps organization to Defender for Cloud by using a native connector:

  1.

  Sign in to the Azure portal.

  2.

  Go to Microsoft Defender for Cloud > Environment settings.

  3.

  Select Add environment.

  4.

  Select Azure DevOps.

  5.

  Etc.

  Box 2: Install an extension

  Prerequisites

  To complete this quickstart, you need:

  An Azure account with Defender for Cloud onboarded.

  The Microsoft Security DevOps Azure DevOps extension configured.

  Reference:

  https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-devops

• Question 239:

  HOTSPOT

  You have an Azure subscription that is linked to a hybrid Azure AD tenant and contains a Microsoft Sentinel workspace named Sentinel1.

  You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel and configure UEBA to use data collected from Active Directory Domain Services (AD DS).

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you must have the MDI sensor installed on your Active Directory domain controller

  https://learn.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics

• Question 240:

  HOTSPOT

  You have a Microsoft Sentinel workspace that contains a custom workbook.

  You need to query the number of daily security alerts. The solution must meet the following requirements:

  1.

  Identify alerts that occurred during the last 30 days.

  2.

  Display the results in a timechart.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer: