Microsoft Role-based SC-200 Questions & Answers

• Question 41:

  You have an Azure subscription that has Microsoft Defender for Cloud enabled.

  You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).

  You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.

  What should you install first on Server1?

  A. the Microsoft Monitoring Agent

  B. the Azure Monitor agent

  C. the Azure Arc agent

  D. the Azure Pipelines agent

  Correct Answer: B

  Connect your non-Azure machines to Microsoft Defender for Cloud

  Defender for Cloud can monitor the security posture of your non-Azure computers, but first you need to connect them to Azure.

  You can connect your non-Azure computers in any of the following ways:

  Using Azure Arc-enabled servers (recommended)

  From Defender for Cloud's pages in the Azure portal (Getting started and Inventory)

  Add non-Azure machines with Azure Arc

  The preferred way of adding your non-Azure machines to Microsoft Defender for Cloud is with Azure Arc-enabled servers.

  A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've installed the Log Analytics agent on it - appears in Defender for Cloud with recommendations like your other Azure resources.

  Note: The Log Analytics agent is on a deprecation path and won't be supported after August 31, 2024. If you use the Log Analytics agent to ingest data to Azure Monitor, migrate to the new Azure Monitor agent prior to that date.

  Reference: https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc

  https://learn.microsoft.com/en-us/azure/azure-monitor/agents/log-analytics-agent

• Question 42:

  You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

  You plan to create a hunting query from Microsoft Defender.

  You need to create a custom tracked query that will be used to assess the threat status of the subscription.

  From the Microsoft 365 Defender portal, which page should you use to create the query?

  A. Threat analytics

  B. Advanced Hunting

  C. Explorer

  D. Policies and rules

  Correct Answer: B

  Advanced hunting is based on the Kusto query language. You can use Kusto operators and statements to construct queries that locate information in a specialized schema.

  Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches. Note: Create a custom detection rule

  1.

  Prepare the query.

  In the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.

  2.

  Create new rule and provide alert details.

  With the query in the query editor, select Create detection rule and specify the following alert details

  3.

  Choose the impacted entities.

  Identify the columns in your query results where you expect to find the main affected or impacted entity.

  4.

  Specify actions.

  Your custom detection rule can automatically take actions on devices, files, or users that are returned by the query.

  Reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language

  https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules

• Question 43:

  You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.

  You need to identify the impacted entities in an aggregated alert.

  What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?

  A. the Events tab of the alert

  B. the Sensitive Info Types tab of the alert

  C. Management log

  D. the Details tab of the alert

  Correct Answer: C

  Advanced DLP alert options are configured in the existing DLP policy authoring workflow. These provide eligible DLP customers with the ability to tailor how they organize and display DLP policy enforcement event alerts with the information they need to investigate and address DLP policy violations quickly. Historical workflow information for alerts is available in the Management log

  Note: Advanced alert configuration options: These options are part of the DLP policy authoring flow. Use them to create rich alert configurations. You can create a single-event alert or an aggregated alert, based on the number of events or the size of the leaked data.

  Incorrect:

  *

  the Events tab of the alert

  Select the Events tab to view all of the events associated with the alert. You can choose a particular event to view its details.

  *

  . the Sensitive Info Types tab of the alert

  Select the Sensitive Info Types tab to view details about the sensitive information types detected in the content. Details include confidence and count.

  *

  the Details tab of the alert

  

  Reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/announcing-microsoft-endpoint-dlp-general-availability/ba-p/1814010 https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alerts-policies

• Question 44:

  You have a Microsoft Sentinel workspace.

  You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must minimize administrative effort.

  Which rule type should you query?

  A. Fusion

  B. Microsoft Security

  C. ML Behavior Analytics

  D. Scheduled

  Correct Answer: A

• Question 45:

  You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

  You need to identify all the entities affected by an incident.

  Which tab should you use in the Microsoft 365 Defender portal?

  A. Investigations

  B. Devices

  C. Evidence and Response

  D. Alerts

  Correct Answer: C

  The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.

  Incorrect:

  *

  The Investigations tab lists all the automated investigations triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your

  automated investigations to run in Defender for Endpoint and Defender for Office 365.

  *

  Devices

  The Devices tab lists all the devices related to the incident.

  Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents

• Question 46:

  You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named User1.

  You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.

  Which role should you assign to User1?

  A. User Access Administrator

  B. Owner

  C. Contributor

  D. Reader

  Correct Answer: B

• Question 47:

  You have an Azure subscription that uses Microsoft Sentinel.

  You detect a new threat by using a hunting query.

  You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must minimize administrative effort.

  What should you do?

  A. Create a playbook.

  B. Create a watchlist.

  C. Create an analytics rule.

  D. Add the query to a workbook.

  Correct Answer: C

  By creating an analytics rule, you can set up a query that will automatically run and alert you when the threat is detected, without having to manually run the query. This will help minimize administrative effort, as you can set up the rule once

  and it will run on a schedule, alerting you when the threat is detected.

  Reference:

  https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-rule

• Question 48:

  You have a Microsoft Sentinel workspace.

  You have a query named Query1 as shown in the following exhibit.

  

  You plan to create a custom parser named Parser 1. You need to use Query1 in Parser1.

  What should you do first?

  A. Remove line 2.

  B. In line 4. remove the TimeGenerated predicate.

  C. Remove line 5.

  D. In line 3, replace the 'contains operator with the !has operator.

  Correct Answer: A

  Parsers should not filter by time, as the query using the parser already filters for time.

  Filtering in KQL is done using the where operator.

  Note: Unifying parsers

  When using ASIM in your queries, use unifying parsers to combine all sources, normalized to the same schema, and query them using normalized fields. The unifying parser name is _Im_ for built-in parsers and im for

  workspace deployed parsers, where stands for the specific schema it serves.

  For example, the following query uses the built-in unifying DNS parser to query DNS events using the ResponseCodeName, SrcIpAddr, and TimeGenerated normalized fields:

  Kusto

  _Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN')

  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m) The example uses filtering parameters, which improve ASIM performance. The same example without filtering parameters would look like this:

  Kusto

  _Im_Dns

  | where TimeGenerated > ago(1d)

  | where ResponseCodeName =~ "NXDOMAIN"

  | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

  Incorrect:

  Not D: Select fields in the result set

  The parser can optionally select fields in the results set. Removing unneeded fields can improve performance and add clarity by avoiding confusing between normalized fields and remaining source fields.

  The following KQL operators are used to select fields in your results set:

  *

  project - Selects fields that existed before, or were created as part of the statement, and removes all other fields.

  Not recommended for use in a parser, as the parser should not remove any other fields that are not normalized.

  *

  project-away - Removes fields.

  Use project-away for specific fields that you want to remove from the result set. We recommend not removing the original fields that are not normalized from the result set, unless they create confusion or are very large and may have

  performance implications.

  If you need to remove specific fields, such as temporary values used during parsing, use project-away to remove them from the results.

  Reference: https://docs.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers https://docs.microsoft.com/en-us/azure/sentinel/normalization-about-parsers

• Question 49:

  You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector.

  You need to customize which details will be included when an alert is created for a specific event.

  What should you do?

  A. Modify the properties of the connector.

  B. Create a Data Collection Rule (DCR).

  C. Create a scheduled query rule.

  D. Enable User and Entity Behavior Analytics (UEBA)

  Correct Answer: C

  https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details

• Question 50:

  Your company has an on-premises network that uses Microsoft Defender for Identity.

  The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.

  You need remediate the security risk.

  What should you do?

  A. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.

  B. Modify the properties of the computer objects listed as exposed entities.

  C. Disable legacy protocols on the computers listed as exposed entities.

  D. Enforce LDAP signing on the computers listed as exposed entities.

  Correct Answer: B

  To remediate the security risk associated with unsecure Kerberos delegation, you should modify the properties of the computer objects listed as exposed entities. Specifically, you should set the Kerberos delegation settings to either 'Trust this computer for delegation to any service' or 'Trust this computer for delegation to specified services only'. This will ensure that the computer is not allowed to use Kerberos delegation to access other computers on the network.

  Reference: https://docs.microsoft.com/en- us/windows/security/identity-protection/microsoft-defender-for-identity/configure-kerberos- delegation