The latest Microsoft Security Operations Analyst SC-200 certification practice exam questions and answers (Q&A) are available free of charge here. They are intended to help you prepare for and pass the Microsoft Security Operations Analyst SC-200 exam and earn the SC-200 certification.
Table of Contents
- Question 91
- Question
- Answer
- Question 92
- Question
- Answer
- Reference
- Question 93
- Question
- Answer
- Reference
- Question 94
- Question
- Answer
- Reference
- Question 95
- Question
- Answer
- Reference
- Question 96
- Question
- Answer
- Question 97
- Question
- Answer
- Explanation
- Reference
- Question 98
- Question
- Answer
- Reference
- Question 99
- Question
- Answer
- Reference
- Question 100
- Question
- Answer
- Explanation
- Reference
Question 91
Question
You create a custom analytics rule to detect threats in Azure Sentinel. You discover that the rule fails intermittently. What are two possible causes of the failures? (Each correct answer presents part of the solution. Choose two.)
A. The rule query takes too long to run and times out.
B. The target workspace was deleted.
C. Permissions to the data sources of the rule query were modified.
D. There are connectivity issues between the data sources and Log Analytics.
Answer
A. The rule query takes too long to run and times out.
D. There are connectivity issues between the data sources and Log Analytics.
Explanation
Microsoft Sentinel distinguishes transient rule failures, after which the rule keeps running on schedule (the query times out, or there are connectivity problems between the data sources and Log Analytics), from permanent failures, after which the rule is automatically disabled (the target workspace or table was deleted, Sentinel was removed from the workspace, or the permissions to the rule's data sources were changed). A rule that fails only intermittently is hitting transient causes, so A and D are the answers; B and C would cause the rule to stop running altogether.
Question 92
Question
You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
A. Yes
B. No
Answer
B. No
Reference
- Microsoft Docs > How-to guides > Manage sensitive or honeytoken accounts
Question 93
Question
You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
A. Yes
B. No
Answer
A. Yes
Explanation
Azure Arc-enabled servers are the supported way to bring machines hosted outside Azure, including AWS instances, into Defender for Cloud: once a machine is onboarded to Azure Arc it appears as an Azure resource, and with auto-provisioning enabled Defender for Cloud deploys the monitoring agent to it automatically, so the Azure Defender plan covers it. Onboarding the virtual machines to Azure Arc therefore meets the goal.
Reference
- Microsoft Docs > Azure > Security > Microsoft Defender for Cloud > Connect your non-Azure machines to Microsoft Defender for Cloud
Question 94
Question
You are configuring Azure Sentinel. You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a livestream from a query.
Does this meet the goal?
A. Yes
B. No
Answer
B. No
Reference
- Microsoft Docs > Azure > Security > Microsoft Sentinel > Connect Microsoft Defender for Cloud alerts to Microsoft Sentinel
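The reference above gives the intended route for Question 94: connect Defender for Cloud alerts to Sentinel so that its "logon from a malicious IP" alerts become incidents. When you need the same detection as your own rule, only a scheduled analytics rule creates incidents; a livestream only shows query results interactively. The following PowerShell is an added example, not code from the original page or from Microsoft. It creates a scheduled rule from a KQL query that joins successful VM logons with the threat intelligence indicator table, and keeps the query cheap so it does not hit the time-out discussed in Question 91. It assumes the Az.Accounts and Az.SecurityInsights modules, a caller with Microsoft Sentinel Contributor on the workspace, a populated SecurityEvent table (Windows Security Events connector) and a threat intelligence connector feeding ThreatIntelligenceIndicator; the resource group and workspace names are placeholders, and the cmdlet parameter names follow the Az.SecurityInsights module and can differ between module versions.

```powershell
# Added example (not from the original page): create a Microsoft Sentinel
# scheduled analytics rule that raises an incident when a successful network
# or RDP logon to a VM comes from an IP address in the threat intelligence feed.
# Assumptions: Az.Accounts + Az.SecurityInsights installed; caller has
# Microsoft Sentinel Contributor; SecurityEvent and ThreatIntelligenceIndicator
# are populated. $rg and $ws are placeholders.
Connect-AzAccount | Out-Null

$rg = 'rg-sentinel'      # placeholder resource group
$ws = 'law-sentinel'     # placeholder Log Analytics workspace with Sentinel enabled

# KQL body. Both sides of the join are filtered before joining and the look-back
# is bounded to the query period, which keeps the run well inside the rule
# time-out (a transient failure cause from Question 91).
$query = @'
let lookback = 1h;
let badIps = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(14d)
    | where Active == true and ExpirationDateTime > now()
    | where isnotempty(NetworkSourceIP)
    | summarize by NetworkSourceIP;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4624 and LogonType in (3, 10)
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| join kind=inner badIps on $left.IpAddress == $right.NetworkSourceIP
| project TimeGenerated, Computer, Account, LogonType, IpAddress
'@

# Query period equals query frequency, so every logon is evaluated exactly once.
$rule = New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws `
    -Scheduled `
    -DisplayName 'VM sign-in from malicious IP (TI match)' `
    -Description 'Successful network/RDP logon to a VM from an IP listed in the TI feed.' `
    -Query $query `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod (New-TimeSpan -Hours 1) `
    -Severity High `
    -TriggerOperator GreaterThan `
    -TriggerThreshold 0 `
    -Enabled

# Confirm the rule was stored and is enabled; incidents are created per alert by default.
$rule | Select-Object Name, DisplayName, Enabled
```

Newer workspaces also expose threat intelligence through the ThreatIntelIndicators table, whose column names differ from ThreatIntelligenceIndicator; adjust the `badIps` subquery accordingly before reusing the rule there.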
Question 95
Question
Your company has a single office in Istanbul and a Microsoft 365 subscription. The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You need to enforce MFA for all users who work remotely. What should you include in the solution?
A. a fraud alert
B. a user risk policy
C. a named location
D. a sign-in user policy
Answer
C. a named location
Reference
- Microsoft Docs > Azure > Active Directory > Conditional Access > Using the location condition in a Conditional Access policy
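The following PowerShell is an added example, not code from the original page or from Microsoft, showing how the named location from Question 95 is put to work: a trusted IP named location for the Istanbul office, and a Conditional Access policy that requires MFA for every sign-in except those coming from that location. It assumes the Microsoft Graph PowerShell SDK, an administrator who can consent to the two scopes used, and that the office's public egress range is 203.0.113.0/24 (a documentation range used as a placeholder); the break-glass account object id is also a placeholder.

```powershell
# Added example (not from the original page): named location + Conditional
# Access policy "require MFA when not in the Istanbul office".
# Assumptions: Microsoft.Graph SDK installed; 203.0.113.0/24 stands in for the
# real office egress range; $breakGlassId is a placeholder object id.
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess' | Out-Null

# 1. Named location: the office's egress range, marked as trusted.
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'Istanbul office'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' }
    )
}

# 2. Policy: all users, all cloud apps, all locations except the office -> MFA.
# Created in report-only mode first; switch to 'enabled' after reviewing the
# sign-in log. A break-glass account is excluded so a mis-scoped policy cannot
# lock every administrator out.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with the real object id
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA when outside the Istanbul office'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}

# Show what was created; State should read enabledForReportingButNotEnforced.
$policy | Select-Object Id, DisplayName, State
```

The exclusion is only as good as the range behind it: anyone whose traffic egresses through the office (for example a VPN that hairpins through it) is treated as on-site, and a range that is shared with other tenants of the same building grants the exemption to them too. Review the ranges whenever the office's ISP or VPN setup changes.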
Question 96
Question
You are configuring Microsoft Cloud App Security. You have a custom threat detection policy based on the IP address ranges of your company’s United States-based offices. You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You determine that 99% of the alerts are legitimate sign-ins from your corporate offices. You need to prevent alerts for legitimate sign-ins from known locations. Which two actions should you perform? (Each correct answer presents part of the solution. Choose two.)
A. Configure automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.
Answer
A. Configure automatic data enrichment.
D. Add the IP addresses to the other address range category and add a tag.
Question 97
Question
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365. What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
A. the Threat Protection Status report in Microsoft Defender for Office 365
B. the mailbox audit log in Exchange
C. the Safe Attachments file types report in Microsoft Defender for Office 365
D. the mail flow report in Exchange
Answer
A. the Threat Protection Status report in Microsoft Defender for Office 365
Explanation
To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).
Reference
- Microsoft 365 > Office 365 security > Prevent > Zero-hour auto purge – protection against spam and malware > Zero-hour auto purge (ZAP) in Exchange Online
Question 98
Question
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed. You need to mitigate the following device threats:
- Microsoft Excel macros that download scripts from untrusted websites.
- Users that open executable attachments in Microsoft Outlook.
- Outlook rules and forms exploits.
What should you use?
A. Microsoft Defender Antivirus
B. attack surface reduction rules in Microsoft Defender for Endpoint
C. Windows Defender Firewall
D. adaptive application control in Azure Defender
Answer
B. attack surface reduction rules in Microsoft Defender for Endpoint
Reference
- Microsoft 365 > Microsoft Defender for Endpoint > Detect threats and protect endpoints > Attack surface reduction overview > Understand and use attack surface reduction capabilities
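The following PowerShell is an added example, not code from the original page or from Microsoft, showing which attack surface reduction rules map to the three threats in Question 98 and how to turn them on and verify them on one device. It assumes an elevated session on a Windows 10 device with Microsoft Defender Antivirus active; at the scale of 1,000 devices the same rules would be pushed through Intune or Group Policy rather than per machine. The rule GUIDs are the values published in the attack surface reduction rules reference and should be checked against the current documentation before rollout.

```powershell
# Added example (not from the original page): enable the ASR rules that address
# macro-driven downloads, executable mail attachments and Outlook rules/forms
# exploits, in audit mode first, then verify. Run elevated on a Defender AV device.
$asrRules = [ordered]@{
    # Excel/Office macros that spawn processes or call Win32 APIs to fetch payloads
    'Block all Office applications from creating child processes'          = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Win32 API calls from Office macros'                             = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    # Executable attachments opened from Outlook or webmail
    'Block executable content from email client and webmail'               = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    # Outlook rules and forms exploits (Outlook is the "Office communication application")
    'Block Office communication application from creating child processes' = '26190899-1602-49E8-8B27-EB1D0A1CE869'
}

# Start in AuditMode; change to Enabled (block) once the audit events show no
# legitimate business workflow would be broken.
$mode = 'AuditMode'

foreach ($name in $asrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $asrRules[$name] `
                     -AttackSurfaceReductionRules_Actions $mode
    Write-Host "[$mode] $name ($($asrRules[$name]))"
}

# Verify: Get-MpPreference returns parallel arrays of rule ids and actions
# (0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn).
$prefs = Get-MpPreference
for ($i = 0; $i -lt $prefs.AttackSurfaceReductionRules_Ids.Count; $i++) {
    [pscustomobject]@{
        RuleId = $prefs.AttackSurfaceReductionRules_Ids[$i]
        Action = $prefs.AttackSurfaceReductionRules_Actions[$i]
    }
}

# Rule hits are logged in the Defender operational log:
# event ID 1122 = audited, 1121 = blocked. Use these to tune before enforcing.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Audit first matters here: the two Office rules in particular will fire on line-of-business add-ins and macro-heavy workbooks, and the audit events tell you which exclusions (if any) are needed before switching the action to block.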
Question 99
Question
You have a third-party security information and event management (SIEM) solution. You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in near real time. What should you do to route events to the SIEM solution?
A. Create an Azure Sentinel workspace that has a Security Events connector.
B. Configure the Diagnostics settings in Azure AD to stream to an event hub.
C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.
D. Configure the Diagnostics settings in Azure AD to archive to a storage account.
Answer
B. Configure the Diagnostics settings in Azure AD to stream to an event hub.
Reference
- Microsoft Docs > Azure > Active Directory > Reports and monitoring > What is Azure Active Directory monitoring?
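The following PowerShell is an added example, not code from the original page or from Microsoft, that implements the answer to Question 99: an Azure AD diagnostic setting that streams sign-in and audit logs to an Event Hub, which a third-party SIEM then consumes in near real time. Azure AD diagnostic settings are not attached to a subscription resource but to the tenant-level microsoft.aadiam provider, so the example calls the Resource Manager API directly through Invoke-AzRestMethod. It assumes the Az.Accounts module, a caller who is a Security or Global Administrator with write access to the Event Hubs namespace, and an existing namespace, hub and authorization rule; all resource names are placeholders, and the api-version used is the one the portal uses for these settings (an assumption to confirm against current documentation).

```powershell
# Added example (not from the original page): create an Azure AD diagnostic
# setting that streams SignInLogs and AuditLogs to an existing Event Hub.
# Assumptions: Az.Accounts installed; Event Hubs namespace/hub/auth rule exist;
# all names below are placeholders; api-version as used by the Azure portal.
Connect-AzAccount | Out-Null

$subId    = (Get-AzContext).Subscription.Id
$ehRg     = 'rg-siem'                    # placeholder resource group of the namespace
$ehNs     = 'ehns-siem'                  # placeholder Event Hubs namespace
$ehName   = 'aad-logs'                   # placeholder event hub
$ruleName = 'RootManageSharedAccessKey'  # placeholder; a rule with Send rights is sufficient

$authRuleId = "/subscriptions/$subId/resourceGroups/$ehRg/providers/Microsoft.EventHub/namespaces/$ehNs/authorizationRules/$ruleName"

# Log categories to stream. Interactive and non-interactive sign-ins are
# separate categories; a SIEM alerting on sign-ins usually wants both.
$body = @{
    properties = @{
        eventHubAuthorizationRuleId = $authRuleId
        eventHubName                = $ehName
        logs = @(
            @{ category = 'SignInLogs';                   enabled = $true; retentionPolicy = @{ enabled = $false; days = 0 } }
            @{ category = 'NonInteractiveUserSignInLogs'; enabled = $true; retentionPolicy = @{ enabled = $false; days = 0 } }
            @{ category = 'AuditLogs';                    enabled = $true; retentionPolicy = @{ enabled = $false; days = 0 } }
        )
    }
} | ConvertTo-Json -Depth 6

$settingName = 'siem-eventhub'
$path = "/providers/microsoft.aadiam/diagnosticSettings/$settingName?api-version=2017-04-01-preview"

$resp = Invoke-AzRestMethod -Method PUT -Path $path -Payload $body
if ($resp.StatusCode -notin 200, 201) {
    throw "Diagnostic setting not created: HTTP $($resp.StatusCode) $($resp.Content)"
}

# Read the setting back and list the categories that are actually streaming.
(Invoke-AzRestMethod -Method GET -Path $path).Content |
    ConvertFrom-Json |
    Select-Object -ExpandProperty properties |
    Select-Object eventHubName,
                  @{ n = 'categories'; e = { ($_.logs | Where-Object enabled).category -join ', ' } }
```

Archiving to a storage account (option D) is the wrong tool for alerting: it writes hourly blobs that the SIEM must poll, so detection latency is measured in hours, whereas the Event Hub stream delivers events within minutes of the sign-in.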
Question 100
Question
You create an Azure subscription. You enable Azure Defender for the subscription. You need to use Azure Defender to protect on-premises computers. What should you do on the on-premises computers?
A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.
Answer
A. Install the Log Analytics agent.
Explanation
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-premises) machines to monitor for security vulnerabilities and threats.
Data is collected using:
- The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running processes, machine name, IP addresses, and logged-in user.
- Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Security Center regarding specialized resource types.
Reference
- Microsoft Docs > Azure > Security > Microsoft Defender for Cloud > Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud
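The following PowerShell is an added example, not code from the original page or from Microsoft, showing the manual onboarding behind the answer to Question 100: installing the Log Analytics agent on an on-premises Windows server, pointing it at the Defender workspace, and verifying that it connected. It assumes an elevated session, that the MMASetup-AMD64.exe installer has already been downloaded to the current directory, and that the workspace id and primary key were copied from the workspace's agents management page; both values below are placeholders. One caveat a practitioner needs today: the Log Analytics agent was retired on 31 August 2024, and current deployments onboard on-premises machines with the Azure Connected Machine agent (Azure Arc) and the Azure Monitor Agent instead, so option D is the present-day answer even though A was correct when this question was written.

```powershell
# Added example (not from the original page): silent install of the Log
# Analytics agent (MMA) on an on-premises Windows server, then a connection
# check through the agent's COM configuration object. Run elevated.
# Assumptions: MMASetup-AMD64.exe is in the current directory; workspace id
# and key are placeholders. Note: MMA is retired; see lead-in.
$workspaceId  = '00000000-0000-0000-0000-000000000000'   # placeholder
$workspaceKey = 'REPLACE_WITH_WORKSPACE_PRIMARY_KEY'       # placeholder; never store real keys in scripts

$installer = Join-Path $PWD 'MMASetup-AMD64.exe'
if (-not (Test-Path $installer)) { throw "Installer not found: $installer" }

# The outer executable unpacks setup.exe; the inner /qn switches register the
# workspace (OPINSIGHTS_*) and accept the licence so no UI is shown.
$setupArgs = '/C:"setup.exe /qn ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 ' +
             "OPINSIGHTS_WORKSPACE_ID=$workspaceId OPINSIGHTS_WORKSPACE_KEY=$workspaceKey " +
             'AcceptEndUserLicenseAgreement=1"'
$proc = Start-Process -FilePath $installer -ArgumentList $setupArgs -Wait -PassThru
if ($proc.ExitCode -ne 0) { throw "MMA setup failed with exit code $($proc.ExitCode)" }

# Verify: the agent exposes its workspaces through the AgentConfigManager COM
# object. ConnectionStatus 0 means the agent has authenticated to the workspace;
# anything else (with its ConnectionStatusText) points at a proxy, firewall or
# key problem to fix before Defender will see the machine.
$mma = New-Object -ComObject 'AgentConfigManager.MgmtSvcCfg'
$mma.GetCloudWorkspaces() | ForEach-Object {
    [pscustomobject]@{
        WorkspaceId      = $_.workspaceId
        ConnectionStatus = $_.ConnectionStatus
        StatusText       = $_.ConnectionStatusText
    }
}
```

The same COM object can be used to attach an already-installed agent to an additional workspace (`$mma.AddCloudWorkspace($id, $key); $mma.ReloadConfiguration()`), which is the usual fix when a server is reporting to an operations workspace but not to the one Defender for Cloud uses.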