Microsoft Role-based SC-200 Questions & Answers

• Question 21:

  You need to create the test rule to meet the Azure Sentinel requirements. What should you do when you create the rule?

  A. From Set rule logic, turn off suppression.

  B. From Analytics rule details, configure the tactics.

  C. From Set rule logic, map the entities.

  D. From Analytics rule details, configure the severity.

  Correct Answer: C

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom

• Question 22:

  You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements. Which two configurations should you modify? Each correct answer present part of the solution. NOTE: Each correct selection is worth one point.

  A. the Onboarding settings from Device management in Microsoft Defender Security Center

  B. Cloud App Security anomaly detection policies

  C. Advanced features from Settings in Microsoft Defender Security Center

  D. the Cloud Discovery settings in Cloud App Security

  Correct Answer: CD

  All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

  Reference: https://docs.microsoft.com/en-us/cloud-app-security/mde-govern

• Question 23:

  You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements. Which role should you assign?

  A. Automation Operator

  B. Automation Runbook Operator

  C. Azure Sentinel Contributor

  D. Logic App Contributor

  Correct Answer: C

  Litware must meet the following requirements:

  1.

  Ensure that a user named admin1 can configure Azure Sentinel playbooks.

  2.

  The principle of least privilege must be used whenever possible.

  Azure Sentinel Contributor can view data, incidents, workbooks, and other Azure Sentinel resources, manage incidents (assign, dismiss, etc.), create and edit workbooks, analytics rules, and other Azure Sentinel resources.

  Reference:

  https://docs.microsoft.com/en-us/azure/sentinel/roles

• Question 24:

  You need to deploy the native cloud connector to Account 1 to meet the Microsoft Defender for Cloud requirements. What should you do in Account1 first?

  A. Create an AWS user for Defender for Cloud.

  B. Configure AWS Security Hub.

  C. Deploy the AWS Systems Manager (SSM) agent.

  D. Create an Access control (IAM) role for Defender for Cloud.

  Correct Answer: A

  Dynamic scaled onboarding of AWS EC2 instances to Azure Arc using Ansible

  Create an AWS identity

  In order for Terraform to create resources in AWS, we will need to create a new AWS IAM role with appropriate permissions and configure Terraform to use it.

  Scenario: Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.

  Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022. The image includes Microsoft SQL Server 2019 and

  does NOT have any agents installed.

  Reference:

  https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/aws_scaled_ansible/_index.md

• Question 25:

  You need to identify which mean time metrics to use to meet the Microsoft Sentinel requirements. Which workbook should you use?

  A. Event Analyzer

  B. Investigation Insights

  C. Security Operations Efficiency

  D. Analytics Efficiency

  Correct Answer: C

  Identify the mean time to close incidents generated during the last 30 days.

  As a Security Operations Center (SOC) manager, you need to have overall efficiency metrics and measures at your fingertips to gauge the performance of your team. You'll want to see incident operations over time by many different criteria,

  like severity, MITRE tactics, mean time to triage, mean time to resolve, and more. Microsoft Sentinel now makes this data available to you with the new SecurityIncident table and schema in Log Analytics and the accompanying Security

  operations efficiency workbook. You'll be able to visualize your team's performance over time and use this insight to improve efficiency. You can also write and use your own KQL queries against the incident table to create customized

  workbooks that fit your specific auditing needs and KPIs.

  Note: Security operations efficiency workbook

  To complement the SecurityIncidents table, we’ve provided you an out-of-the-box security operations efficiency workbook template that you can use to monitor your SOC operations. The workbook contains the following metrics:

  Incident created over time

  Incidents created by closing classification, severity, owner, and status

  Mean time to triage

  *-> Mean time to closure

  Incidents created by severity, owner, status, product, and tactics over time

  Time to triage percentiles

  Time to closure percentiles

  Mean time to triage per owner

  Recent activities

  Recent closing classifications

  Reference:

  https://learn.microsoft.com/en-us/azure/sentinel/manage-soc-with-incident-metrics

• Question 26:

  You need to minimize the effort required to investigate the Microsoft Defender for Identity false positive alerts. What should you review?

  A. the status update time

  B. the resolution method of the source computer

  C. the alert status

  D. the certainty of the source computer

  Correct Answer: D

  Scenario: Microsoft Defender for Identity Requirements: Minimize the administrative effort required to investigate the false positive alerts.

  Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.

  Note: Suspected DCSync attack (replication of directory services) (external ID 2006)

  Previous name: Malicious replication of directory services.

  Description

  Active Directory replication is the process by which changes that are made on one domain controller are synchronized with all other domain controllers. Given necessary permissions, attackers can initiate a replication request, allowing them

  to retrieve the data stored in Active Directory, including password hashes.

  In this detection, an alert is triggered when a replication request is initiated from a computer that isn't a domain controller.

  If the source computer is a domain controller, failed or low certainty resolution can prevent Defender for Identity from being able to confirm identification.

  Check if the source computer is a domain controller? If the answer is yes, Close the alert as a B-TP activity.

  Reference:

  https://learn.microsoft.com/en-us/defender-for-identity/domain-dominance-alerts

• Question 27:

  You need to ensure that you can run hunting queries to meet the Microsoft Sentinel requirements. Which type of workspace should you create?

  A. Azure Synapse Analytics

  B. Azure Machine Learning

  C. Log Analytics

  D. Azure Databricks

  Correct Answer: B

  Fabrikam identifies the following Microsoft Sentinel requirements:

  Run hunting queries on Pool1 by using Jupyter notebooks.

  Get started with Jupyter notebooks and MSTICPy in Microsoft Sentinel

  Run and initialize the Getting Started Guide notebook

  This procedure describes how to launch your notebook and initialize MSTICpy.

  1.

  In Microsoft Sentinel, select Notebooks from the left.

  2.

  From the Templates tab, select A Getting Started Guide For Microsoft Sentinel ML Notebooks > Save notebook to save it to your Azure ML workspace.

  3.

  Etc.

  Reference: https://learn.microsoft.com/en-us/azure/sentinel/notebook-get-started

• Question 28:

  You need to correlate data from the SecurityEvent Log Analytics table to meet the Microsoft Sentinel requirements for using UEBA. Which Log Analytics table should you use?

  A. IdentityInfo

  B. AADRiskyUsers

  C. SentinelAudit

  D. IdentityDirectoryEvents

  Correct Answer: A

  UEBA also synchronizes the user information from Azure Active Directory and on-premises Active Directory (currently in preview when using Microsoft Defender for Identity) into the IdentityInfo table, for you to use later on.

  Note:

  Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics (UEBA).

  Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.

  Reference:

  https://cloudbrothers.info/en/microsoft-sentinel-ueba/

• Question 29:

  You need to meet the Microsoft Sentinel requirements for App1. What should you configure for App1?

  A. a trigger

  B. a connector

  C. authorization

  D. an API connection

  Correct Answer: A

  Ensure that App1 is available for use in Microsoft Sentinel automation rules.

  Automation rules are made up of several components:

  Triggers that define what kind of incident event will cause the rule to run, subject to...

  Conditions that will determine the exact circumstances under which the rule will run and perform...

  Actions to change the incident in some way or call a playbook.

  Reference:

  https://learn.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules

• Question 30:

  You have an Azure subscription that uses Microsoft Defender for Cloud.

  You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.

  You need to onboard EC2-1 to Defender for Cloud.

  What should you install on EC2-1?

  A. the Log Analytics agent

  B. the Azure Connected Machine agent

  C. the unified Microsoft Defender for Endpoint solution package

  D. Microsoft Monitoring Agent

  Correct Answer: A

  Defender for Cloud can monitor the security posture of your non-Azure computers, but first you need to connect them to Azure.

  You can connect your non-Azure computers in any of the following ways:

  Using Azure Arc-enabled servers (recommended)

  From Defender for Cloud's pages in the Azure portal (Getting started and Inventory)

  Add non-Azure machines with Azure Arc

  The preferred way of adding your non-Azure machines to Microsoft Defender for Cloud is with Azure Arc-enabled servers.

  A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've installed the Log Analytics agent on it - appears in Defender for Cloud with recommendations like your other Azure resources.

  Reference:

  https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines