Microsoft Microsoft Certifications SC-200 Questions & Answers
Question 301:
DRAG DROP
A company wants to analyze by using Microsoft 365 Apps.
You need to describe the connected experiences the company can use.
Which connected experiences should you describe? To answer, drag the appropriate connected experiences to the correct description. Each connected experience may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Question 302:
DRAG DROP
You have 50 on-premises servers.
You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud deployment has Microsoft Defender for Servers and automatic provisioning enabled.
You need to configure Defender for Cloud to support the on-premises servers. The solution must meet the following requirements:
1. Provide threat and vulnerability management.
2. Support data collection rules.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: From the Add servers with Azure Arc settings in the Azure portal, generate an installation script
Connect hybrid machines to Azure using a deployment script
You can enable Azure Arc-enabled servers for one or a small number of Windows or Linux machines in your environment by performing a set of steps manually. Or you can use an automated method by running a template script that we provide. This script automates the download and installation of both agents.
Generate the installation script from the Azure portal
The script to automate the download and installation, and to establish the connection with Azure Arc, is available from the Azure portal. To complete the process, perform the following steps:
1. From your browser, go to the Azure portal.
2. On the Servers - Azure Arc page, select Add at the upper left.
3. On the Select a method page, select the Add a single server tile, and then select Generate script.
Etc.
Step 2: On the on-premises servers, install the Azure Connected Machine agent.
Onboard machines as Azure Arc connected machines by installing the Hybrid Connected Machine agent on the target machine(s); this can be done by using a script or manually. Once a machine is onboarded, you will see it as an Azure resource.
Install and validate the agent on Windows
Install manually
You can install the Connected Machine agent manually by running the Windows Installer package AzureConnectedMachineAgent.msi.
You have a Microsoft subscription that has Microsoft Defender for Cloud enabled. You configure the Azure logic apps shown in the following table.
You need to configure an automatic action that will run if a Suspicious process executed alert is triggered. The solution must minimize administrative effort.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
You have a Microsoft Sentinel workspace that contains an Azure AD data connector.
You need to associate a bookmark with an Azure AD-related incident.
What should you do? To answer, drag the appropriate blades to the correct tasks. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 1: Hunting blade
Create a bookmark
Add a bookmark
1. In the Azure portal, navigate to Microsoft Sentinel > Threat management > Hunting to run queries for suspicious and anomalous behavior.
2. Select one of the hunting queries and on the right, in the hunting query details, select Run Query.
3. Select View query results. This action opens the query results in the Logs pane.
4. From the log query results list, use the checkboxes to select one or more rows that contain the information you find interesting.
5. Select Add bookmark.
6. On the right, in the Add bookmark pane, optionally, update the bookmark name, add tags, and notes to help you identify what was interesting about the item.
7. Etc.
Box 2: Hunting blade
Associate a bookmark with incident
You can also create an incident from one or more bookmarks, or add one or more bookmarks to an existing incident. Select a checkbox to the left of any bookmarks you want to use, and then select Incident actions > Create new incident or Add to existing incident. Triage and investigate the incident like any other.
Note: Add bookmarks to a new or existing incident
1. In the Azure portal, navigate to Microsoft Sentinel > Threat management > Hunting > Bookmarks tab, and select the bookmark or bookmarks you want to add to an incident.
2. Select Incident actions from the command bar.
3. Select either Create new incident or Add to existing incident, as appropriate. Then:
   For a new incident: Optionally update the details for the incident, and then select Create.
   For adding a bookmark to an existing incident: Select one incident, and then select Add.
To view the bookmark within the incident: Navigate to Microsoft Sentinel > Threat management > Incidents and select the incident with your bookmark. Select View full details, and then select the Bookmarks tab.
You have an Azure subscription that contains 100 Linux virtual machines.
You need to configure Microsoft Sentinel to collect event logs from the virtual machines.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Question 306:
DRAG DROP
You have an Azure subscription that contains the users shown in the following table.
You need to delegate the following tasks:
1. Enable Microsoft Defender for Servers on virtual machines.
2. Review security recommendations and enable server vulnerability scans.
The solution must use the principle of least privilege.
Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 1: User1
Enable Microsoft Defender for Servers on virtual machines.
User1 is Security Admin.
Security Admin
View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role and can also update the security policy and dismiss alerts and recommendations.
Box 2: User2
Review security recommendations and enable server vulnerability scans.
User2 is Security Reader.
Security Reader
View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.
Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines
Required roles and permissions:
Owner (resource group level) can deploy the scanner
Security Reader can view findings
Incorrect:
Contributor (User3)
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running Windows Server.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Select and Place:
Correct Answer:
Question 308:
DRAG DROP
Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with an Azure AD tenant.
You have a Microsoft Sentinel workspace named Sentinel1.
You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel1 and collect security events from the AD DS domain.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Correct Answer:
Step 1: To the AD DS domain, deploy Microsoft Defender for Identity
UEBA is integrated with Microsoft Sentinel through the use of the Microsoft Defender for Identity and Microsoft Cloud App Security connectors. These connectors allow UEBA data to be imported into Sentinel for analysis and investigation.
Step 2: For Sentinel1, configure the Microsoft Defender for Identity Connector
Step 3: For Sentinel1, enable UEBA
When you enable UEBA, it synchronizes your Azure Active Directory with Microsoft Sentinel, storing the information in an internal database visible through the IdentityInfo table in Log Analytics.
Note: How to enable User and Entity Behavior Analytics
1. Go to the Entity behavior configuration page.
2. On the Entity behavior configuration page, switch the toggle to On.
3. Mark the check boxes next to the Active Directory source types from which you want to synchronize user entities with Microsoft Sentinel.
   Active Directory on-premises (Preview)
   Azure Active Directory
   To sync user entities from on-premises Active Directory, your Azure tenant must be onboarded to Microsoft Defender for Identity (either standalone or as part of Microsoft 365 Defender) and you must have the MDI sensor installed on your Active Directory domain controller.
4. Mark the check boxes next to the data sources on which you want to enable UEBA.
5. Select Apply. If you accessed this page through the Entity behavior page, you will be returned there.
You have an Azure subscription that contains two users named User1 and User2 and a Microsoft Sentinel workspace named workspace1.
You need to ensure that the users can perform the following tasks in workspace1:
1. User1 must be able to dismiss incidents and assign incidents to users.
2. User2 must be able to modify analytics rules.
The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Box 1: Microsoft Sentinel Responder
User1 must be able to dismiss incidents and assign incidents to users.
Azure Role
Roles and permissions for working in Microsoft Sentinel
Microsoft Sentinel-specific roles
All Microsoft Sentinel built-in roles grant read access to the data in your Microsoft Sentinel workspace.
Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources.
-> Microsoft Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).
-> Microsoft Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Microsoft Sentinel resources.
Microsoft Sentinel Playbook Operator can list, view, and manually run playbooks.
Microsoft Sentinel Automation Contributor allows Microsoft Sentinel to add playbooks to automation rules. It isn't meant for user accounts.
Box 2: Microsoft Sentinel Contributor
User2 must be able to modify analytics rules.
Reference: https://learn.microsoft.com/en-us/azure/sentinel/roles
Question 310:
DRAG DROP
You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online.
You need to identify phishing email messages.
Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.