The latest Microsoft Security Operations Analyst SC-200 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft Security Operations Analyst SC-200 exam and earn Microsoft Security Operations Analyst SC-200 certification.
Question 11
Question
Hotspot Question
You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.
You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer
Reference
- Microsoft Docs > Microsoft 365 Defender > Investigate and respond to threats > Search for threats with advanced hunting > Learn, train, & get examples > Hunt for threats across devices, emails, apps, and identities
Question 12
Question
Hotspot Question
You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.
How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer
Reference
- Microsoft Docs > Azure > Security > Microsoft Defender for Cloud > Quickstart: Create an automatic response to a specific security alert using an ARM template
Question 13
Question
Drag and Drop Question
Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
- Create and run playbooks
- Create workbooks and analytic rules.
The solution must use the principle of least privilege.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Answer Area:
- Azure Sentinel Contributor
- Azure Sentinel Responder
- Azure Sentinel Reader
- Logic App Contributor
Answer
- Create and run playbooks: Logic App Contributor
- Create workbooks and analytic rules: Azure Sentinel Contributor
Reference
- Microsoft Docs > Azure > Security > Microsoft Sentinel > Permissions in Microsoft Sentinel
Question 14
Question
Hotspot Question
You use Azure Sentinel to monitor irregular Azure activity.
You create custom analytics rules to detect threats as shown in the following exhibit.
You do NOT define any incident settings as part of the rule definition.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
If a user deploys three Azure virtual machines simultaneously, how many times will you receive [answer choice] in the next five hours?
- 0 alert
- 1 alert
- 2 alerts
- 3 alerts
If three separate users deploy one Azure virtual machine each within five minutes of each other, you will receive [answer choice].
- 0 alert
- 1 alert
- 2 alerts
- 3 alerts
Answer
If a user deploys three Azure virtual machines simultaneously, how many times will you receive 1 alert in the next five hours?
If three separate users deploy one Azure virtual machine each within five minutes of each other, you will receive 1 alert.
Reference
- Microsoft Docs > Azure > Security > Microsoft Sentinel > Create custom analytics rules to detect threats
Question 15
Question
You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage incident related to a suspected malicious document. After reviewing all the details, you have determined that the alert tied to this potentially malicious document is also related to another incident in your environment. However, the alert is not currently listed as a part of that second incident. Your investigation into the alert is ongoing, as is your investigation into the two related incidents.
You need to appropriately categorize the alert and ensure that it is associated with the second incident.
What two actions should you take in the Manage alert pane to fulfill this part of the investigation? Each correct answer presents a part of the solution.
A. Select the Link alert to another incident option.
B. Set classification to True alert.
C. Set status to New.
D. Set status to In progress.
E. Enter the Incident ID of the related incident in the Comment section.
Answer
A. Select the Link alert to another incident option.
D. Set status to In progress.
Explanation
The correct action to classify the alert would be to set the status to In progress. While the alert may seem to be legitimate as it is linked to another incident, until a final determination is reached, you should set the status to In progress to ensure that others know it is being worked on. Once a determination is reached, you can then change it to Resolved and select the appropriate classification (True alert or False alert).
The correct action to correlate the alert to the other incident would be to select the Link alert to another incident option.
While ideally the alert would automatically be included in both incidents, that is not always the case. If you notice an alert that is not linked to an incident that it is clearly connected to, using the Link alert to another incident option ensures they are tied together.
You should not set the classification to True alert. While a point can be made that it seems this malicious file involved in multiple incidents is likely to be a True alert, you are not yet able to make that determination. It also is not time to classify it as a false alert. The best practice while continuing an investigation would be not to change the classification at all, which means leaving it as the default Not set classification.
You should not enter the Incident ID of the related incident in the Comment section. While this might be helpful from an administrative perspective, it creates no link to the other incident.
You should not set the status to New. This is the default status of any alert. The question specifically seeks to ensure your peers know the alert is being investigated, so setting (or leaving) the status as New would make it impossible to differentiate from other uninvestigated alerts.
All of the actions mentioned in the options can be found in the Manage alert pane, which can be reached via the Alerts tab in the Incidents section of the Microsoft 365 Defender portal. This is an excellent central location from which you can manage incidents, and the components that make them up, including alerts.
Question 16
Question
Drag and Drop Question
Your company starts using Azure Sentinel. The manager wants the administration of the implemented solution to be divided into two groups, Group A and Group B, where:
- Group A takes responsibility for replacing the tags of Threat Intelligence Indicator.
- Group B takes responsibility for adding playbooks to automation rules.
You need to assign the appropriate roles for both groups to fulfill the manager’s request.
How should you assign the roles? To answer, drag the appropriate role to each group. A role may be used once, more than once, or not at all.
- Responder
- Reader
- Sentinel Automation Contributor
- Security Assessment Contributor
Answer
- Group A: Responder
- Group B: Sentinel Automation Contributor
Explanation
You should assign the Responder role to Group A. This role gives the user permission to manage incidents in Azure Sentinel (like assigning users for incidents, dismissing alerts, etc.) and to view several Azure Sentinel resources, including reports, incidents, and workbooks. This role also gives permission to replace Tags of Threat Intelligence Indicator. This role does not give permission to add playbooks to automation rules. Threat Intelligence Indicator is a cloud-based solution used within companies to analyze and act upon threat activities.
You should assign the Azure Sentinel Automation Contributor role to Group B. In addition to viewing Azure Sentinel resources, managing incidents, and working with workbooks, this role allows Azure Sentinel to add playbooks to automation rules. This meets the scenario requirement.
You should not assign the Reader role to either group. This role gives a user permission to view incidents in Azure Sentinel, but not the permission to replace tags of Threat Intelligence Indicator or to add playbooks to automation rules as required in the scenario.
You should not assign the Security Assessment Contributor role to either of the groups. This role gives permission to create security assessments on the company’s Azure Sentinel subscription, which is useful for knowing if another subscription of Azure Sentinel is needed. This role does not give the permission to replace tags of Threat Intelligence Indicator or to add playbooks to automation rules as required in the scenario.
Reference
- Microsoft Docs > Azure > Security > Microsoft Sentinel > Permissions in Microsoft Sentinel
- Microsoft Docs > Azure > Role-based access control > Azure built-in roles
Question 17
Question
You are currently using Azure Sentinel for the collection of Windows security events. You want to use Azure Sentinel to identify Remote Desktop Protocol (RDP) activity that is unusual for your environment.
You need to enable the Anomalous RDP Login Detection rule.
What two prerequisites do you need to ensure are in place before you can enable this rule? Each correct answer presents part of the solution.
A. Collect Security events or Windows Security Events with Event ID 4624.
B. Let the machine learning algorithm collect 30 days’ worth of Windows Security events data.
C. Select an event set other than None.
D. Collect Security events or Windows Security Events with Event ID 4720.
Answer
A. Collect Security events or Windows Security Events with Event ID 4624.
C. Select an event set other than None.
Explanation
One of the best features of a Security information and event management (SIEM) tool like Azure Sentinel is correlating important data and finding events that deserve your attention. The Anomalous RDP Login Detection rule does just that.
Enabling this rule requires two prerequisites:
You should collect Security events or Windows Security Events with Event ID 4624. This is the event ID for an account successfully logging on to a machine/system. It covers many logon types, including RDP. Without this data, Azure Sentinel would be blind to RDP logins entirely. This process would be completed in the Security Events Data Connector or Windows Security Events (Preview) Data Connector pages within Azure Sentinel.
You should also select an event set other than None. This is a configuration step completed during the data connector implementation described above. This step ensures that the connector detailed in the above step is actually passing data. Options other than None include All events, Common, and Minimal. Although it may seem counterintuitive that there would even be a None event set, this can be used to disable a connector without deleting/removing it. This can be helpful in certain troubleshooting scenarios.
You should not create a data collection rule that includes Event ID 4720. This is the Event ID for the creation of a user account, not for logging on to a machine or system. While it may seem picky to expect a security professional to memorize exact event IDs, it is incredibly helpful to recognize some of the most common ones. Logons (4624) and user creation (4720) are two that are very critical to know well when conducting time-sensitive research during a potential compromise or a privilege-escalation/account-creation incident response (IR) scenario.
You should not let the machine learning algorithm collect 30 days’ worth of Windows Security events data. This is, however, a very important time frame with regard to the period after you enable the rule. This rule relies on a machine learning algorithm that ultimately requires 30 days’ worth of data before it can build a baseline. This baseline is a profile of your company’s normal user behavior, so you need to allow 30 days of Windows Security events data to be ingested before this rule will result in the discovery of any incidents. Remember, however, that the question only refers to the process to enable the rule and not the generation of incidents thereafter.
Finally, the actual process to enable the rule after these prerequisites are set is fairly simple. Starting in the Azure Sentinel portal, you will click Analytics, and then click the Rule templates tab. Next, you must choose the (Preview) Anomalous RDP Login Detection rule and simply move the Status slider from Disabled (the default) to Enabled.
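To make the Event ID 4624 prerequisite concrete, here is an added hunting query (not from the exam or from the Microsoft rule template) that reads the same SecurityEvent data the connector ingests and lists RDP logons for computer/account pairs not seen in the previous 30 days. It uses a plain first-seen comparison rather than the machine learning model of the Anomalous RDP Login Detection rule, and it assumes the Security Events connector is already sending 4624 events to the workspace.

```kql
// Added example, not from the page. Assumes SecurityEvent is populated by
// the Security Events (or Windows Security Events) data connector.
// Event ID 4624 = successful logon; LogonType 10 = RemoteInteractive (RDP).
let lookback = 30d;   // baseline window, mirroring the rule's 30-day learning period
let recent   = 1d;    // window to inspect for new activity
// Computer/account pairs that already had RDP logons during the baseline window.
let baseline =
    SecurityEvent
    | where TimeGenerated between (ago(lookback + recent) .. ago(recent))
    | where EventID == 4624 and LogonType == 10
    | distinct Computer, Account;
// RDP logons in the recent window whose computer/account pair is absent from the baseline.
SecurityEvent
| where TimeGenerated > ago(recent)
| where EventID == 4624 and LogonType == 10
| join kind=leftanti baseline on Computer, Account
| summarize LogonCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated),
            SourceIPs  = make_set(IpAddress, 20)
          by Computer, Account
| order by FirstSeen asc
```

If the connector's event set is left at None, both the baseline and the recent window are empty and the query returns no rows, which is a quick way to confirm the second prerequisite is actually met.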
Question 18
Question
Drag and Drop Question
You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller.
You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort.
Which three actions should you perform in sequence to clone a query? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.
Possible actions:
- On the Create custom query page, make your edits then click the Create button.
- On the Hunting page of Azure Sentinel, select New query.
- Choose Clone query by clicking the ellipsis icon at the end of the row.
- On the Hunting page of Azure Sentinel, find the query you wish to clone.
- Select the ellipsis in the line of the query you want to modify, and select Edit query.
Answer
Actions in order:
- On the Hunting page of Azure Sentinel, find the query you wish to clone.
- Choose Clone query by clicking the ellipsis icon at the end of the row.
- On the Create custom query page, make your edits then click the Create button.
Explanation
You should perform the following tasks in order:
- On the Hunting page of Azure Sentinel, find the query you wish to clone.
- Choose Clone query by clicking the ellipsis icon at the end of the row.
- On the Create custom query page, make your edits then click the Create button.
First, you should find the query you wish to clone. You will do this by navigating to the Hunting page within Azure Sentinel and then looking through the list of queries. This will allow you to ensure the right initial query is cloned in the next step.
Next, you should choose the Clone query option. This is accessible via the ellipsis at the end of the row for the query you found in step one. This will make a copy of the query you identified in the first step and will take you to the page where you can make changes to that copy.
Finally, you should make your edits then click the Create button. These edits will be made on the Create custom query page, which is the page you are taken to after selecting Clone query in step two. This will allow you to tweak the copy to your needs. When you click Create, the initial query you copied will still exist in its original state, and a new query with the changes you make in this step will be generated/saved.
This process would allow you, for example, to alter the IP or hostname in the query to match your other domain controllers (DCs) but keep the rest of the query the same. As mentioned above, it also leaves the original query untouched/as-is. This is a fast, efficient way to make several queries that are related but require minor tweaks to meet the desired outcome. Starting each query from scratch would take much longer and would be more likely to result in human error in the query syntax.
You should not select New query on the Hunting page of Azure Sentinel. While this option could ultimately be chosen to generate the queries for your other DCs, as mentioned above, you would be starting from scratch. If you only need to change a few minor things in your query, going to New query is a waste of time as the clone option gives you a better starting point.
You should not select the ellipsis in the line of the query you want to modify, and select Edit query. This would allow you to edit an existing query, but it would not create a copy of it. Any edits made here would alter the original query.
With the Clone query option, you leave the original unaltered, while efficiently creating new queries based on it.
Question 19
Question
Hotspot Question
You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor your environment.
You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure Defender alerts.
What query should you write to meet this requirement? To answer, complete the query by selecting the correct options from the drop-down menus.
Answer
Explanation
You should complete the query as follows:
SecurityAlert | where ProductName == "Azure Security Center"
This completes a basic query to identify all security alerts raised by Azure Security Center. Placing SecurityAlert first queries the SecurityAlert table, and the | where ProductName == "Azure Security Center" clause that follows restricts the result to rows of that table whose ProductName column has the value Azure Security Center. From here, you can expand. For example, you could use KQL to specify time frames or specific devices to query. Kusto Query Language (KQL) is the language you will use when building queries in Azure Sentinel. Queries serve as a way to search through the massive amount of data Azure Sentinel has access to.
You should not begin the query with Azure Security Center. The structure of a query requires that you first identify the key table you will be querying. The SecurityAlert table includes the security alerts that are being digested by Azure Sentinel. You should first query this table, then narrow the search to the alerts coming from the Azure Security Center product.
You should not begin the query with Azure Sentinel. Again, the structure of a query requires that you first identify the key table you will be querying. In this case, that would be the SecurityAlert table. More importantly, while Azure Sentinel is the solution aggregating this data and performing the query, it should not be used as the ProductName. This should be specified as the Azure Security Center.
You should not end the query with Azure Sentinel. As mentioned in the paragraph above, the ProductName (solution source) for the SecurityAlert (alerts) table you should query is Azure Security Center. The query would be run in Azure Sentinel, but do not confuse the solution being queried with the one running the query.
You should not end the query with SecurityAlert. Here you need to name the solution you want to query. In this case, that is Azure Security Center. SecurityAlert would not be a valid ProductName.
Question 20
Question
Case Study 1 – Contoso Ltd
Overview
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment
End-User Environment
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of the sales team at Contoso.
Cloud and Hybrid Infrastructure
All Contoso applications are deployed to Azure.
You enable Microsoft Cloud App Security.
Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam recently purchased an Azure subscription and enabled Azure Defender for all supported resource types.
Current Problems
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In the past, the sales team experienced various attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors.
The marketing team has had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities during the past 48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements
Planned Changes
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements
Contoso identifies the following technical requirements:
- Receive alerts if an Azure virtual machine is under brute force attack.
- Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
- Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
- Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its own Azure AD applications.
- Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query.
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True
Hotspot Question
You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Minimum number of Log Analytics workspaces required in the Azure subscription of Fabrikam:
- 0
- 1
- 2
- 3
Query element required to correlate data between tenants:
- extend
- project
- workspace
Answer
Minimum number of Log Analytics workspaces required in the Azure subscription of Fabrikam: 1
Query element required to correlate data between tenants: workspace
Reference
- Microsoft Docs > Azure > Security > Microsoft Sentinel > Extend Microsoft Sentinel across workspaces and tenants
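The following added query (not from the exam, the case study, or Microsoft's documentation) combines the two answers above: it runs the Question 19 SecurityAlert filter across both companies by using the workspace() function that Question 20 identifies as the element needed to correlate data between tenants. The workspace names are placeholders, and it assumes the Fabrikam workspace in the other Azure AD tenant has been delegated to Contoso (for example through Azure Lighthouse) so that workspace() can reference it.

```kql
// Added example, not from the page. "contoso-sentinel" and "fabrikam-sentinel"
// are placeholder workspace names; the Fabrikam workspace lives in another
// tenant and is assumed to be delegated to the querying tenant.
let recent = 24h;
union isfuzzy=true
    // Local workspace: the one the query is executed in.
    (SecurityAlert
     | extend SourceWorkspace = "contoso-sentinel"),
    // Remote workspace, addressed with workspace(); the table name follows the dot.
    (workspace("fabrikam-sentinel").SecurityAlert
     | extend SourceWorkspace = "fabrikam-sentinel")
| where TimeGenerated > ago(recent)
// Same predicate as the Question 19 answer: only Azure Security Center alerts.
| where ProductName == "Azure Security Center"
| summarize AlertCount = count(),
            Severities = make_set(AlertSeverity),
            LastSeen   = max(TimeGenerated)
          by SourceWorkspace, AlertName
| order by AlertCount desc
```

isfuzzy=true lets the union still return Contoso's rows if the remote workspace is unreachable, which is the failure mode to check first when the Fabrikam side comes back empty.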