Microsoft Microsoft Certifications SC-200 Questions & Answers

• Question 51:

  HOTSPOT

  You have 100 Azure subscriptions that have enhanced security features in Microsoft Defender for Cloud enabled. All the subscriptions are inked to a single Azure Active Directory (Azure AD) tenant.

  You need to stream the Defender for Cloud logs to a syslog server. The solution must minimize administrative effort.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 52:

  HOTSPOT

  You have an Azure subscription.

  You plan to implement an Microsoft Sentinel workspace. You anticipate that you will ingest 20 GB of security log data per day.

  You need to configure storage for the workspace. The solution must meet the following requirements:

  1.

  Minimize costs for daily ingested data.

  2.

  Maximize the data retention period without incurring extra costs.

  What should you do for each requirement? To answer, select the appropriate options in the answer area. NOTE Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Use a Commitment Tier

  How you're charged for Microsoft Sentinel

  Microsoft Sentinel offers flexible pricing based on the types of logs ingested into a workspace. Analytics logs typically make up most of your high security value logs. Basic logs tend to be verbose with low security value.

  Analytics logs

  There are two ways to pay for the analytics logs: Pay-As-You-Go and Commitment Tiers.

  Pay-As-You-Go is the default model, based on the actual data volume stored and optionally for data retention beyond 90 days. Data volume is measured in GB (10^9 bytes).

  Log Analytics and Microsoft Sentinel also have Commitment Tier pricing, formerly called Capacity Reservations, which is more predictable and saves as much as 65% compared to Pay-As-You-Go pricing.

  Box 2: 90 days

  You can retain all data ingested into the workspace at no charge for the first 90 days. Retention beyond 90 days is charged per the standard Log Analytics retention prices.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier

• Question 53:

  HOTSPOT

  You have the following KQL query.

  

  Hot Area:

  

  Correct Answer:

  

• Question 54:

  HOTSPOT

  You have an Azure subscription that contains an Microsoft Sentinel workspace.

  You need to create a hunting query using Kusto Query Language (KQL) that meets the following requirements:

  1.

  Identifies an anomalous number of changes to the rules of a network security group (NSG) made by the same security principal

  2.

  Automatically associates the security principal with an Microsoft Sentinel entity

  How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Microsoft Sentinel hunting query OperationNameValue ActivityStatusValue EventSubmissionTimeStamp

  Microsoft Sentinel hunting query AccountCustomEntity

  Box 1: AzureActivity

  The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

  | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"

  For example, to find out who was the last user to edit a particular analytics rule, use the following query (replacing xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with the rule ID of the rule you want to check):

  AzureActivity

  | where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"

  | where Properties contains "alertRules/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

  | project Caller , TimeGenerated , Properties

  Box 2: where

  Example:

  Find all actions taken by a specific user in the last 24 hours

  The following AzureActivity table query lists all actions taken by a specific Azure AD user in the last 24 hours.

  AzureActivity

  | where OperationNameValue contains "SecurityInsights"

  | where Caller == "[AzureAD username]"

  | where TimeGenerated > ago(1d)

  Reference:

  https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data

• Question 55:

  HOTSPOT

  You have a Microsoft Sentinel workspace named Workspace1.

  You configure Workspace1 to collect DNS events and deploy the Advanced Security Information Model (ASIM) unifying parser for the DNS schema.

  You need to query the ASIM DNS schema to list all the DNS events from the last 24 hours that have a response code of ‘NXDOMAIN

  Correct Answer:

  

  Box 1: _Im_Dns

  Example:

  If your data source supports full DNS logging and you've chosen to log multiple segments, adjust your queries to prevent data duplication in Microsoft Sentinel.

  For example, you might modify your query with the following normalization:

  KQL

  _Im_Dns | where SrcIpAddr != "127.0.0.1" and EventSubType == "response"

  Box 2: | where TimeGenerated > ago(1d) | where ResponseCodeName =~ "NXDOMAIN" Example without filtering parameters would look like this:

  Kusto

  _Im_Dns | where TimeGenerated > ago(1d) | where ResponseCodeName =~ "NXDOMAIN" | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

  Incorrect:

  (starttime=ago(1d), responsecodename='NXDOMAIN'

  Closing parantheses missing.

  Correct would be: (starttime=ago(1d), responsecodename='NXDOMAIN') as in the following code:

  _Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

  Reference: https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns

• Question 56:

  HOTSPOT

  You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.

  You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.

  What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: Turn on Live Response

  Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.

  Box: 2 : Add a network assessment job

  Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.

• Question 57:

  HOTSPOT

  You have a Microsoft Sentinel workspace named sws1.

  You need to create a hunting query to identify users that list storage keys of multiple Azure Storage accounts. The solution must exclude users that list storage keys for a single storage account.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: AzureActivity

  The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

  Box 2: autocluster()

  Example: description: |

  'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this

  type, it would be interesting to see if the account performing this activity or the source IP address from

  which it is being done is anomalous.

  The query below generates known clusters of ip address per caller, notice that users which only had single

  operations do not appear in this list as we cannot learn from it their normal activity (only based on a single

  event). The activities for listing storage account keys is correlated with this learned clusters of expected activities and activity which is not expected is returned.'

  AzureActivity

  | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where ActivityStatusValue == "Succeeded"

  | join kind= inner (

  AzureActivity

  | where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where ActivityStatusValue == "Succeeded"

  | project ExpectedIpAddress=CallerIpAddress, Caller | evaluate autocluster()

  ) on Caller

  | where CallerIpAddress != ExpectedIpAddress

  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress

  | extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress

• Question 58:

  HOTSPOT

  You have the following SQL query.

  

  For each of the following statements, select Yes if the statement is true. Otherwise. select No. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 59:

  HOTSPOT

  You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.

  You are notified that the account of User1 is compromised.

  You need to review the alerts triggered on the devices to which User1 signed in.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: join An inner join.

  This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.

  This query uses the DeviceInfo table to check if a potentially compromised user () has logged on to any devices and then lists the alerts that have been triggered on those devices. DeviceInfo //Query for devices that the potentially compromised account has logged onto | where LoggedOnUsers contains '' | distinct DeviceId //Crosscheck devices against alert records in AlertEvidence and AlertInfo tables | join kind=inner AlertEvidence on DeviceId | project AlertId //List all alerts on devices that user has logged on to | join AlertInfo on AlertId | project AlertId, Timestamp, Title, Severity, Category DeviceInfo LoggedOnUsers AlertEvidence "project AlertID"

  Box 2: project

• Question 60:

  HOTSPOT

  You need to create a query for a workbook. The query must meet the following requirements:

  1.

  List all incidents by incident number.

  2.

  Only include the most recent log for each incident.

  How should you complete the query? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://www.drware.com/whats-new-soc-operational-metrics-now-available-in-sentinel/