Skip to Content

Microsoft Security Operations Analyst SC-200 Exam Questions and Answers – 1

The latest Microsoft Security Operations Analyst SC-200 certification actual real practice exam question and answer (Q&A) dumps are available free, which are helpful for you to pass the Microsoft Security Operations Analyst SC-200 exam and earn Microsoft Security Operations Analyst SC-200 certification.

Microsoft Security Operations Analyst SC-200 Exam Questions and Answers

Question 71

Question

Case Study 2 – Litware Inc

Overview

Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.

Name Type Description
LA1 Log Analytics workspace Contains logs and metrics collected from all Azure resources and on-premises servers
VM1 Virtual machine Server that run Windows Server 2019
VM2 Virtual machine Server that run Ubuntu 18.04 LTS

Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.

Name Operating system Office Description
DC1 Windows Server 2019 Boston Domain controller in litware.com that connects directly to the Internet.
CLIENT1 Windows 10 Boston Domain-joined client computer.

Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

  • Create and configure Azure Sentinel in the Azure subscription.
  • Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

  • The principle of least privilege must be used whenever possible.
  • Costs must be minimized, as long as all other requirements are met.
  • Logs collected by Log Analytics must provide a full audit trail of user activities.
  • All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

  • Integrate Azure Sentinel and Cloud App Security.
  • Ensure that a user named admin1 can configure Azure Sentinel playbooks.
  • Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
  • Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
  • Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements.
Which role should you assign?

A. Automation Operator
B. Automation Runbook Operator
C. Azure Sentinel Contributor
D. Logic App Contributor

Answer

C. Azure Sentinel Contributor

Explanation

Litware must meet the following requirements:

  • Ensure that a user named admin1 can configure Azure Sentinel playbooks.
  • The principle of least privilege must be used whenever possible.

Azure Sentinel Contributor can view data, incidents, workbooks, and other Azure Sentinel resources, manage incidents (assign, dismiss, etc.), create and edit workbooks, analytics rules, and other Azure Sentinel resources.

Reference

Question 72

Question

Case Study 2 – Litware Inc

Overview

Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.

Name Type Description
LA1 Log Analytics workspace Contains logs and metrics collected from all Azure resources and on-premises servers
VM1 Virtual machine Server that run Windows Server 2019
VM2 Virtual machine Server that run Ubuntu 18.04 LTS

Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.

Name Operating system Office Description
DC1 Windows Server 2019 Boston Domain controller in litware.com that connects directly to the Internet.
CLIENT1 Windows 10 Boston Domain-joined client computer.

Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

  • Create and configure Azure Sentinel in the Azure subscription.
  • Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

  • The principle of least privilege must be used whenever possible.
  • Costs must be minimized, as long as all other requirements are met.
  • Logs collected by Log Analytics must provide a full audit trail of user activities.
  • All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

  • Integrate Azure Sentinel and Cloud App Security.
  • Ensure that a user named admin1 can configure Azure Sentinel playbooks.
  • Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
  • Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
  • Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You need to create the test rule to meet the Azure Sentinel requirements.
What should you do when you create the rule?

A. From Set rule logic, turn off suppression.
B. From Analytics rule details, configure the tactics.
C. From Set rule logic, map the entities.
D. From Analytics rule details, configure the severity.

Answer

C. From Set rule logic, map the entities.

Reference

Question 73

Question

Case Study 2 – Litware Inc

Overview

Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.

Name Type Description
LA1 Log Analytics workspace Contains logs and metrics collected from all Azure resources and on-premises servers
VM1 Virtual machine Server that run Windows Server 2019
VM2 Virtual machine Server that run Ubuntu 18.04 LTS

Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.

Name Operating system Office Description
DC1 Windows Server 2019 Boston Domain controller in litware.com that connects directly to the Internet.
CLIENT1 Windows 10 Boston Domain-joined client computer.

Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

  • Create and configure Azure Sentinel in the Azure subscription.
  • Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

  • The principle of least privilege must be used whenever possible.
  • Costs must be minimized, as long as all other requirements are met.
  • Logs collected by Log Analytics must provide a full audit trail of user activities.
  • All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

  • Integrate Azure Sentinel and Cloud App Security.
  • Ensure that a user named admin1 can configure Azure Sentinel playbooks.
  • Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
  • Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
  • Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

Hotspot Question
You need to create the analytics rule to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Create the rule of type:

  • Fusion
  • Microsoft incident creation
  • Scheduled

Configure the playbook to include:

  • Diagnostics settings
  • A service principal
  • A trigger

Answer

Create the rule of type: Scheduled

Configure the playbook to include: A trigger

Reference

Question 74

Question

You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.
Which anomaly detection policy should you use?

A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection

Answer

C. Activity from infrequent country

Reference

Question 75

Question

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?

A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching

Answer

C. Azure Information Protection

Reference

Question 76

Question

Your company uses line-of-business apps that contain Microsoft Office VBA macros.
You plan to enable protection against downloading and running additional payloads from the Office VBA macros as additional child processes.
You need to identify which Office VBA macros might be affected.
Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

A. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB -401B -4EFC -AADC -AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB -401B -4EFC -AADC -AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode
C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB -401B -4EFC -AADC -AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode
D. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB -401B -4EFC -AADC -AD5F3C50688A -AttackSurfaceReductionRules Actions Enabled

Answer

B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB -401B -4EFC -AADC -AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode
C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB -401B -4EFC -AADC -AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode

Reference

  • Microsoft 365 > Microsoft Defender for Endpoint > Detect threats and protect endpoints > Attack surface reduction > Attack surface reduction (ASR) rules > Learn about ASR rules > Attack surface reduction rules overview

Question 77

Question

Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company’s accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.

Answer

B. Hide the alert.
C. Create a suppression rule scoped to any device.
E. Generate the alert.

Reference

Question 78

Question

You have the following advanced hunting query in Microsoft 365 Defender.

You have the following advanced hunting query in Microsoft 365 Defender.

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.

Answer

A. Create a detection rule.
E. Add DeviceId and ReportId to the output of the query.

Reference

  • Microsoft 365 > Microsoft 365 Defender > Investigate and respond to threats > Search for threats with advanced hunting > Custom detections > Create & manage detection rules > Create and manage custom detections rules

Question 79

Question

You are investigating a potential attack that deploys a new ransomware strain.
You plan to perform automated actions on a group of highly valuable machines that contain sensitive information.
You have three custom device groups.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.

Answer

B. Add the device users to the admin role.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.

Reference

  • Microsoft Docs > Learn > Browse > Deploy the Microsoft Defender for Endpoint environment > Manage access

Question 80

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?

A. Yes
B. No

Answer

A. Yes

Reference

Ads Blocker Image Powered by Code Help Pro

Ads Blocker Detected!!!

We have detected that you are using extensions to block ads. We need money to operate the site, and almost all of it comes from online advertising. Please support us by disabling these ads blocker.

Please disable ad blocker