Microsoft Microsoft Certifications SC-200 Questions & Answers

• Question 41:

  You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.

  You need to identify all the changes made to Domain Admins group during the past 30 days.

  What should you use?

  A. the Azure Active Directory Provisioning Analysis workbook

  B. the Overview settings of Insider risk management

  C. the Modifications of sensitive groups report in Microsoft Defender for Identity

  D. the identity security posture assessment in Microsoft Defender for Cloud Apps

  Correct Answer: C

  Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender.

  In my role working with Defender for Identity (MDI) customers, I'm often asked if MDI can help them answer questions about activities taking place within the environment. MDI does have a lot of information around the activities taking place in

  Active Directory and now combined with the power of Advanced Hunting in Microsoft 365 Defender, we can help customers answer some these questions with ease and efficiency.

  1.

  MDI tracks the changes made to Active Directory group memberships. These changes are recorded by MDI as an activity and are available in the Microsoft 365 Defender Advanced Hunting, IdentityDirectoryEvents. MDI records these

  changes from two different sources:

  2.

  Tracking changes made to an entity by the Active Directory Update Sequence Number (USN). In the case of a group, MDI can see who has been added or removed from a group, but we don't see the actor who made the change or which

  domain controller the change was made on.

  Tracking changes to a group, including who performed the action. MDI requires specific Windows events to be recorded on the domain controller.

  Reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to-sensitive-groups-with-advanced-hunting-in/ba-p/3275198

• Question 42:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have Linux virtual machines on Amazon Web Services (AWS).

  You deploy Azure Defender and enable auto-provisioning.

  You need to monitor the virtual machines by using Azure Defender.

  Solution: You manually install the Log Analytics agent on the virtual machines.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc

• Question 43:

  You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed. You need to mitigate the following device threats:

  1.

  Microsoft Excel macros that download scripts from untrusted websites

  2.

  Users that open executable attachments in Microsoft Outlook

  3.

  Outlook rules and forms exploits What should you use?

  A. Microsoft Defender Antivirus

  B. attack surface reduction rules in Microsoft Defender for Endpoint

  C. Windows Defender Firewall

  D. adaptive application control in Azure Defender

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide

• Question 44:

  You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled.

  You need to create a custom alert suppression rule that will supress false positive alerts for suspicious use of PowerShell on VM1.

  What should you do first?

  A. From Azure Security Center, add a workflow automation.

  B. On VM1, run the Get-MPThreatCatalog cmdlet.

  C. On VM1 trigger a PowerShell alert.

  D. From Azure Security Center, export the alerts to a Log Analytics workspace.

  Correct Answer: C

  Create a suppression rule

  To create a rule for a specific alert in the Azure portal:

  1.

  From Defender for Cloud's security alerts page, select the alert you want to suppress.

  2.

  From the details pane, select Take action.

  3.

  In the Suppress similar alerts section of the Take action tab, select Create suppression rule.

  4.

  In the New suppression rule pane, enter the details of your new rule.

  *

  Entities - The resources that the rule applies to. You can specify a single resource, multiple resources, or resources that contain a partial resource ID. If you don't specify any resources, the rule applies to all resources in the subscription.

  *

  Etc.

  Incorrect:

  Not D: The Get-MpThreatCatalog cmdlet gets known threats from the Windows Defender definitions catalog. The definitions catalog contains references to all known threats that Windows Defender can identify.

  Example: Get a known threat from the definitions catalog

  PS C:\> Get-MpThreatCatalog -ThreatID 1994

  This command gets the known threat that has the ID 1994.

  Reference:

  https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide

• Question 45:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You have Linux virtual machines on Amazon Web Services (AWS).

  You deploy Azure Defender and enable auto-provisioning.

  You need to monitor the virtual machines by using Azure Defender.

  Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: A

  Defender for Cloud leverages Azure Arc to simplify the on-boarding and security of virtual machines running in AWS and other clouds. This includes automatic agent provisioning, policy management, vulnerability management, embedded EDR, and much more. Keyword: automatic agent provisioning Source https://techcommunity.microsoft.com/t5/itops-talk-blog/step-by-step-how-to-connect-aws-machines-to-microsoft-defender/ba-p/3251096

• Question 46:

  You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.

  What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?

  A. the Threat Protection Status report in Microsoft Defender for Office 365

  B. the mailbox audit log in Exchange

  C. the Safe Attachments file types report in Microsoft Defender for Office 365

  D. the mail flow report in Exchange

  Correct Answer: A

  To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide

• Question 47:

  HOTSPOT

  You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.

  You need to identify all the log entries that relate to security-sensitive user actions performed on a server named Server1. The solution must meet the following requirements:

  1.

  Only include security-sensitive actions by users that are NOT members of the IT department.

  2.

  Minimize the number of false positives.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Innerunique

  Innerunique -Returns rows from the left table with distinct values in linked field that have a match in the right table.

  This is the default unspecified join type.

  Incorrect:

  Inner - Returns a single for each combination of matching rows from both tables.

  Fullouter - Returns all records from both left and right tables, matching or not.

  Unmatched values will be null.

  Box 2: BehaviorAnalytics

  When you turn on UEBA you end up with four new tables

  BehaviorAnalytics

• Question 48:

  HOTSPOT

  You have a Microsoft Sentinel workspace.

  You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: imAuthentication

  For example, to filter only authentication events from the last day to a specific user, use:

  imAuthentication (targetusername_has = 'johndoe', starttime = ago(1d), endtime=now())

  Box 2: SrcGeoCountry

  Example, User login from different countries within 3 hours (Uses Authentication Normalization).:

  let timeframe = ago(3h);

  let threshold = 2;

  imAuthentication

  | where TimeGenerated > timeframe

  | where EventType=='Logon' and EventResult=='Success'

  | where isnotempty(SrcGeoCountry)

  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct) , NumOfCountries = dcount(SrcGeoCountry) by TargetUserId, TargetUsername, TargetUserType

  | where NumOfCountries >= threshold

  | extend timestamp = StartTime, AccountCustomEntity = TargetUsername

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/authentication-normalization-schema https://techcommunity.microsoft.com/t5/microsoft-sentinel/why-does-the-quot-user-login-from-different-countries-quot-rule/m-p/3278769

• Question 49:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.

  You have the hunting query shown in the following exhibit.

  

  The users perform the following actions:

  Correct Answer:

  

• Question 50:

  HOTSPOT

  You have a Microsoft Sentinel workspace.

  You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that produces a schema named Schema1.

  You need to validate Schema1.

  How should you complete the command? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: getschema

  Validate the output schema

  To make sure that your parser produces a valid schema, use the ASIM schema tester by running the following query in the Microsoft Sentinel Logs page:

  KQL

  | getschema | invoke ASimSchemaTester('')

  Box 2: invoke

  Reference:

  https://docs.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers