Microsoft Role-based SC-200 Questions & Answers

• Question 1:

  You have an Azure subscription that uses Microsoft Sentinel.

  You need to create a custom report that will visualise sign-in information over time.

  What should you create first?

  A. a workbook

  B. a hunting query

  C. a notebook

  D. a playbook

  Correct Answer: A

  Once you have connected your data sources to Microsoft Sentinel, you can visualize and monitor the data using the Microsoft Sentinel adoption of Azure Monitor Workbooks, which provides versatility in creating custom dashboards. While the Workbooks are displayed differently in Microsoft Sentinel, it may be useful for you to see how to create interactive reports with Azure Monitor Workbooks. Microsoft Sentinel allows you to create custom workbooks across your data, and also comes with built-in workbook templates to allow you to quickly gain insights across your data as soon as you connect a data source.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/monitor-your-data

• Question 2:

  You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

  A remediation action for an automated investigation quarantines a file across multiple devices.

  You need to mark the file as safe and remove the file from quarantine on the devices.

  What should you use in the Microsoft 365 Defender portal?

  A. From Threat tracker, review the queries.

  B. From the History tab in the Action center, revert the actions.

  C. From the investigation page, review the AIR processes.

  D. From Quarantine from the Review page, modify the rules.

  Correct Answer: B

  View and manage actions in the Action center Applies to: Microsoft 365 Defender

  To remove a file from quarantine across multiple devices

  1.

  Go to the Action center (https://security.microsoft.com/action-center) and sign in.

  2.

  On the History tab, select a file that has a Quarantine file Action type.

  3.

  In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.

  4.

  Reference: Microsoft 365 Defender remove quarantine file

  Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-actions

• Question 3:

  DRAG DROP

  You need to add notes to the events to meet the Azure Sentinel requirements.

  Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of action to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/bookmarks

• Question 4:

  DRAG DROP

  You need to configure DC1 to meet the business requirements.

  Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

  Select and Place:

  

  Correct Answer:

  

  Step 1: log in to https://portal.atp.azure.com as a global admin Step 2: Create the instance Step 3. Connect the instance to Active Directory Step 4. Download and install the sensor.

  Reference: https://docs.microsoft.com/en-us/defender-for-identity/install-step1 https://docs.microsoft.com/en-us/defender-for-identity/install-step4

• Question 5:

  HOTSPOT

  You need to create the analytics rule to meet the Azure Sentinel requirements.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#set-automated-responses-and-create-the-rule https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

• Question 6:

  HOTSPOT

  You need to implement Azure Defender to meet the Azure Defender requirements and the business requirements.

  What should you include in the solution? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

• Question 7:

  HOTSPOT

  You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.

  What should you recommend for each threat? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/key-vault/general/secure-your-key-vault

• Question 8:

  HOTSPOT

  You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements.

  What should you include in the solution? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants

• Question 9:

  HOTSPOT

  You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements.

  What should you do? To answer, select the appropriate options in the answer area.

  NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer:

  

  Reference: https://docs.microsoft.com/en-us/cloud-app-security/siem-sentinel

• Question 10:

  HOTSPOT

  You have an Azure subscription that contains an Microsoft Sentinel workspace.

  You need to create a hunting query using Kusto Query Language (KQL) that meets the following requirements:

  Identifies an anomalous number of changes to the rules of a network security group (NSG) made by the same security principal

  Automatically associates the security principal with an Microsoft Sentinel entity

  How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

  Hot Area:

  

  Correct Answer: