SC-200 Microsoft Security Operations Analyst Questions and Answers

You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements.

Which two configurations should you modify? Each correct answer present part of the solution.

NOTE: Each correct selection is worth one point.

You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements.

Which role should you assign?

You need to restrict cloud apps running on CUENT1 to meet the Microsoft Defender for Endpoint requirements. Which two configurations should you modify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

You need to create the test rule to meet the Azure Sentinel requirements. What should you do when you create the rule?

You need to create the analytics rule to meet the Azure Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Which rule setting should you configure to meet the Microsoft Sentinel requirements?

You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements. Which policy should you modify?

You need to implement the Azure Information Protection requirements. What should you configure first?

You need to ensure that the Group1 members can meet the Microsoft Sentinel requirements.

Which role should you assign to Group1?

You need to implement the scheduled rule for incident generation based on rulequery1.

What should you configure first?

You need to implement the Defender for Cloud requirements.

Which subscription-level role should you assign to Group1?

You need to implement the Microsoft Sentinel NRT rule for monitoring the designated break glass account. The solution must meet the Microsoft Sentinel requirements.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You need to ensure that the processing of incidents generated by rulequery1 meets the Microsoft Sentinel requirements.

What should you create first?

You need to monitor the password resets. The solution must meet the Microsoft Sentinel requirements.

What should you do? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You need to configure event monitoring for Server1. The solution must meet the Microsoft Sentinel requirements. What should you create first?

You need to implement the query for Workbook1 and Webapp1. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You need to ensure that the configuration of HuntingQuery1 meets the Microsoft Sentinel requirements.

What should you do?

You need to implement the Defender for Cloud requirements.

What should you configure for Server2?

You need to implement the ASIM query for DNS requests. The solution must meet the Microsoft Sentinel requirements. How should you configure the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 36S.

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

You need to identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers.

How should you complete The KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You have a Microsoft Sentinel workspace.

You plan to visualize data from Microsoft SharePoint Online and OneDrive sites.

You need to create a KQL query for the visual. The solution must meet the following requirements:

• Select all workloads as a single operation.

• Include two parameters named Operations and Users.

• In the results, exclude empty values for the site URLs.

How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint

You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.

What should you use in the Microsoft 365 Defender portal?

You need to correlate data from the SecurityEvent Log Anarytks table to meet the Microsoft Sentinel requirements for using UEBA. Which Log Analytics table should you use?

You have a Microsoft Sentinel workspace.

A Microsoft Sentinel incident is generated as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in [the graphic.

NOTE: Each correct selection is worth one point.

You have a Microsoft 365 subscription that uses Microsoft Purview.

Your company has a project named Project1.

You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.

What should you do?

You have the resources shown in the following table.

You need to prevent duplicate events from occurring in SW1.

What should you use for each action? To answer, drag the appropriate resources to the correct actions. Each resource may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

You have a Microsoft 365 subscription that uses Microsoft Defender XOR and contains a Windows device named Oevice1. You investigate a suspicious process named Prod on Device! by using a live response session. You need to perform the following actions:

• Stop Prod.

• Send Prod for further review.

Which live response command should you run for each action? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You open the Cloud App Security portal as shown in the following exhibit.

You need to remediate the risk for the Launchpad app.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Your company uses Azure Security Center and Azure Defender.

The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

What should you configure in Security Center to enable the email notifications?

You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1.

You need to create a visual based on the SecuntyEvent table. The solution must meet the following requirements:

• Identify the number of security events ingested during the past week.

• Display the count of events by day in a timechart

What should you add to Workbook1?

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan Z and contains 1,000 Windows devices.

You have a PowerShell script named Script Vps1 that is signed digitally.

You need to ensure that you can run Script1.psl in a live response session on one of the devices.

What should you do first from the live response session?

You are investigating a potential attack that deploys a new ransomware strain.

You plan to perform automated actions on a group of highly valuable machines that contain sensitive information.

You have three custom device groups.

You need to be able to temporarily group the machines to perform actions on the devices. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

You have a Microsoft Sentinel workspace

You develop a custom Advanced Security information Model (ASIM) parser named Parser1 that produces a schema named Schema1.

You need to validate Schema1.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

The issue for which team can be resolved by using Microsoft Defender for Endpoint?

You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.

What should you recommend for each threat? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You need to complete the query for failed sign-ins to meet the technical requirements.

Where can you find the column name to complete the where clause?

You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements.

What should you include in the solution? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You need to recommend a solution to meet the technical requirements for the Azure virtual machines. What should you include in the recommendation?

The issue for which team can be resolved by using Microsoft Defender for Office 365?

You need to remediate active attacks to meet the technical requirements.

What should you include in the solution?

You need to create an advanced hunting query to investigate the executive team issue.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.