Microsoft Role-based SC-200 Questions & Answers

• Question 71:

  HOTSPOT

  You use Azure Sentinel to monitor irregular Azure activity.

  You create custom analytics rules to detect threats as shown in the following exhibit.

  

  You do NOT define any incident settings as part of the rule definition.

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  The first scenario will not generate any alerts, as each series by Caller generates a single result; there is only one caller, therefore 1 result, which is below the threshold (results > 2). In the second scenario, there will be 3 results (one for each caller), so one alert will be generated (as this is above the threshold and the results are grouped into a single alert).

• Question 72:

  HOTSPOT

  From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit.

  

  Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases#use-the-investigation-graph-to-deep-dive

• Question 73:

  HOTSPOT

  You have an Azure subscription that has Microsoft Defender for Cloud enabled for all supported resource types.

  You create an Azure logic app named LA1.

  You plan to use LA1 to automatically remediate security risks detected in Defender for Cloud.

  You need to test LA1 in Defender for Cloud.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Box 1: When a Microsoft Defender for Cloud Recommendation is created or triggered When a Microsoft Defender for Cloud Recommendation is created or triggered - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. (also see step 6 below)

  Incorrect:

  When a Defender for Cloud Alert is created or triggered

  You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

  When a response to a Defender for Cloud alert is triggered.

  Note:

  If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched by the Workflow Automation feature. Instead, use either of the triggers mentioned above [rather in

  step 6 below].

  Box 2: Regulatory compliance standards Configure workflow automation at scale using the supplied policies Automating your organization's monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

  To implement these policies:

  1. From the table below, select the policy you want to apply:

  Workflow automation for security alerts Deploy Workflow Automation for Microsoft Defender for Cloud alerts

  Workflow automation for security recommendations Deploy Workflow Automation for Microsoft Defender for Cloud recommendations

  [This one!] Workflow automation for regulatory compliance changes Deploy Workflow Automation for Microsoft Defender for Cloud regulatory compliance

  2.

  From the relevant Azure Policy page, select Assign.

  3.

  Etc.

  Note 1: There is similar question where Workflow automation is the correct answer. This option is not available here.

  Note 2: Create a logic app and define when it should automatically run

  1.

  From Defender for Cloud's sidebar, select Workflow automation.

  From this page you can create new automation rules, enable, disable, or delete existing ones.

  2.

  To define a new workflow, select Add workflow automation. The options pane for your new automation opens.

  Here you can enter:

  A name and description for the automation.

  The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains "SQL" is generated.

  The Logic App that will run when your trigger conditions are met.

  3.

  From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.

  4.

  Select (+) Add.

  5.

  Fill out all required fields and select Review + Create.

  The message Deployment is in progress appears. Wait for the deployment complete notification to appear and select Go to resource from the notification.

  6.

  Review the information you entered and select Create.

  The logic app designer supports the following Defender for Cloud triggers:

  When a Microsoft Defender for Cloud Recommendation is created or triggered - If your logic app relies on a recommendation that gets deprecated or replaced, your automation will stop working and you'll need to update the trigger. To track changes to recommendations, use the release notes.

  When a Defender for Cloud Alert is created or triggered - You can customize the trigger so that it relates only to alerts with the severity levels that interest you.

  When a Defender for Cloud regulatory compliance assessment is created or triggered - Trigger automations based on updates to regulatory compliance assessments.

  7. Etc.

  Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

• Question 74:

  You create an Azure subscription.

  You enable Azure Defender for the subscription.

  You need to use Azure Defender to protect on-premises computers.

  What should you do on the on-premises computers?

  A. Install the Log Analytics agent.

  B. Install the Dependency agent.

  C. Configure the Hybrid Runbook Worker role.

  D. Install the Connected Machine agent.

  Correct Answer: A

  Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats. Data is collected using:

  1.

  The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged in user.

  2.

  Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Security Center regarding specialized resource types.

  Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

• Question 75:

  You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.

  You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.

  You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.

  Which two actions should you perform? Each correct answer present part of the solution.

  NOTE: Each correct selection is worth one point.

  A. Create custom rule based on the Office 365 connector templates.

  B. Create a Microsoft incident creation rule based on Azure Security Center.

  C. Create a Microsoft Cloud App Security connector.

  D. Create an Azure AD Identity Protection connector.

  Correct Answer: AD

  Create custom rule based on the Office 365 connector templates. The Office 365 connector templates include a number of pre-built queries that can be used to detect anomalous Microsoft Office 365 activity. You can create a custom rule

  based on these templates to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.

  Create an Azure AD Identity Protection connector. The Azure AD Identity Protection connector provides information about suspicious sign-ins to Azure AD. This information can be used to improve the accuracy of the Fusion rule.

• Question 76:

  You create an Azure subscription named sub1.

  In sub1, you create a Log Analytics workspace named workspace1.

  You enable Azure Security Center and configure Security Center to use workspace1.

  You need to collect security event logs from the Azure virtual machines that report to workspace1.

  What should you do?

  A. From Security Center, enable data collection

  B. In sub1, register a provider.

  C. From Security Center, create a Workflow automation.

  D. In workspace1, create a workbook.

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection

• Question 77:

  After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

  You are configuring Azure Sentinel.

  You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.

  Solution: You create a livestream from a query.

  Does this meet the goal?

  A. Yes

  B. No

  Correct Answer: B

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

• Question 78:

  You use Azure Sentinel.

  You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege.

  Which role should you assign to the analyst?

  A. Azure Sentinel Contributor

  B. Security Administrator

  C. Azure Sentinel Responder

  D. Logic App Contributor

  Correct Answer: A

  Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/roles

• Question 79:

  You create a hunting query in Azure Sentinel.

  You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.

  What should you use?

  A. a playbook

  B. a notebook

  C. a livestream

  D. a bookmark

  Correct Answer: C

  Use livestream to run a specific query constantly, presenting results as they come in.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/hunting

• Question 80:

  A user wants to sign in from a location which has never been used by the other users in your organization. Which anomaly detection policy will you use if you need to receive a security alert ?

  A. Activity from infrequent country

  B. Activity from anonymous IP addresses

  C. Impossible travel

  D. Malware detection

  Correct Answer: A

  Reference: https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy