
Microsoft Security Operations Analyst SC-200 Exam Questions and Answers – 2

This page collects practice questions and answers for the Microsoft Security Operations Analyst SC-200 certification exam. They are available free and are intended to help you prepare for the SC-200 exam and earn the Microsoft Security Operations Analyst certification.

Microsoft Security Operations Analyst SC-200 Exam Questions and Answers

Question 111

Question

You have an Azure Sentinel workspace. You need to test a playbook manually in the Azure portal. From where can you run the test in Azure Sentinel?

A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents

Answer

D. Incidents

Question 112

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?

A. Yes
B. No

Answer

B. No

Question 113

Question

You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Create custom rule based on the Office 365 connector templates.
B. Create a Microsoft incident creation rule based on Azure Security Center.
C. Create a Microsoft Cloud App Security connector.
D. Create an Azure AD Identity Protection connector.

Answer

C. Create a Microsoft Cloud App Security connector.
D. Create an Azure AD Identity Protection connector.

The Fusion rule correlates alerts produced by other Microsoft security products, not the raw sign-in and audit logs that the Azure AD and Office 365 connectors already deliver. For the scenario "suspicious sign-in followed by anomalous Office 365 activity", the sign-in stage is supplied by Azure AD Identity Protection alerts and the Office 365 stage by Microsoft Cloud App Security alerts, so both of those connectors must be enabled in workspace1. Custom rules built from connector templates and a Microsoft incident creation rule for Azure Security Center do not feed Fusion.

Question 114

Question

HOTSPOT
You have an Azure subscription that uses Azure Defender.
You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts.
You need to create an Azure policy that will perform threat remediation automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Set available effects to:

  • Append
  • DeployIfNotExists
  • EnforceRegoPolicy

To perform remediation use:

  • An Azure Automation runbook that has a webhook
  • An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered
  • An Azure Logic Apps app that has the trigger set to When a response to an Azure Security Center alert is triggered

Answer

Set available effects to: DeployIfNotExists

To perform remediation use: An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered

Question 115

Question

DRAG DROP
You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.
You need to hide the alerts automatically in Security Center.
Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Select and Place:

  • Select Pricing & settings.
  • Select Security alerts.
  • Select IP as the entity type and specify the IP address.
  • Select Azure Resource as the entity type and specify the ID.
  • Select Suppression rules, and then select Create new suppression rule.
  • Select Security policy.

Answer

  • Select Security alerts.
  • Select Suppression rules, and then select Create new suppression rule.
  • Select Azure Resource as the entity type and specify the ID.

Question 116

Question

You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to collect security event logs from the Azure virtual machines that report to workspace1.
What should you do?

A. From Security Center, enable data collection
B. In sub1, register a provider.
C. From Security Center, create a Workflow automation.
D. In workspace1, create a workbook.

Answer

A. From Security Center, enable data collection

Question 117

Question

You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:

  • Microsoft Excel macros that download scripts from untrusted websites
  • Users that open executable attachments in Microsoft Outlook
  • Outlook rules and forms exploits

What should you use?

A. Microsoft Defender Antivirus
B. attack surface reduction rules in Microsoft Defender for Endpoint
C. Windows Defender Firewall
D. adaptive application control in Azure Defender

Answer

B. attack surface reduction rules in Microsoft Defender for Endpoint
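
Before enforcing attack surface reduction rules fleet-wide, a practitioner normally runs them in audit mode and reviews what they would have blocked. The following advanced hunting query (Microsoft 365 Defender, KQL) is an added example and is not part of the original question set: it lists, for the last seven days, the audit and block events of the rules that address the three threats above. The mapping of threats to rules is the editor's reading of the rule descriptions, and the seven-day window is an assumption; the ActionType values are the ones Defender for Endpoint records in the DeviceEvents table.

```kql
// Added example, not from the original page.
// Threat -> ASR rule (editor's mapping):
//   Excel macros downloading/running scripts -> Block Win32 API calls from Office macros,
//                                               Block Office applications from creating executable content
//   Executable attachments opened in Outlook -> Block executable content from email client and webmail
//   Outlook rules and forms exploits         -> Block Office communication application from creating child processes
DeviceEvents
| where Timestamp > ago(7d)                          // window is an assumption; adjust to your review cycle
| where ActionType in (
    "AsrOfficeMacroWin32ApiCallsAudited",  "AsrOfficeMacroWin32ApiCallsBlocked",
    "AsrExecutableOfficeContentAudited",   "AsrExecutableOfficeContentBlocked",
    "AsrExecutableEmailContentAudited",    "AsrExecutableEmailContentBlocked",
    "AsrOfficeCommAppChildProcessAudited", "AsrOfficeCommAppChildProcessBlocked")
// "...Audited" = the rule would have blocked this in block mode; "...Blocked" = it was enforced
| extend Mode = iff(ActionType endswith "Blocked", "block", "audit")
| summarize Events = count(),
            Devices = dcount(DeviceName),
            SampleCommandLine = take_any(ProcessCommandLine)
    by ActionType, Mode, InitiatingProcessFileName
| order by Events desc
```

Rows in audit mode whose InitiatingProcessFileName and SampleCommandLine show only legitimate business tooling are candidates for an exclusion; rules whose audit rows show nothing you want to keep can be switched to block (for example with Add-MpPreference -AttackSurfaceReductionRules_Ids and -AttackSurfaceReductionRules_Actions Enabled, or through the equivalent Intune profile).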

Question 118

Question

HOTSPOT
You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Cloud App Security.
You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Policy template type:

  • Access policy
  • Activity policy
  • Anomaly detection policy

Filter based on:

  • IP address tag
  • Source
  • User agent string

Answer

Policy template type: Anomaly detection policy

Filter based on: IP address tag

Question 119

Question

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Azure AD Identity Protection, you configure the sign-in risk policy.
Does this meet the goal?

A. Yes
B. No

Answer

B. No

Accounts deliberately left for attackers to find are honeytoken accounts, which are tagged in the Microsoft Defender for Identity portal so that any use of them raises an alert. An Azure AD Identity Protection sign-in risk policy evaluates risk on real users' sign-ins and does not designate decoy accounts.

Question 120

Question

DRAG DROP –
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Select and Place:

  • | project LogonFailures=count()
  • | summarize LogonFailures=count() by DeviceName, LogonType
  • | where ActionType == FailureReason
  • | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop")
  • ActionType == "LogonFailed"
  • ActionType == FailureReason
  • DeviceEvents
  • DeviceLogonEvents

Answer

  • DeviceLogonEvents
  • | where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop")
  • ActionType == "LogonFailed"
  • | summarize LogonFailures=count() by DeviceName, LogonType

Failed sign-ins live in the DeviceLogonEvents table, where ActionType holds the outcome of the logon (LogonSuccess, LogonFailed, LogonAttempted) and FailureReason is a separate column that records why a failed logon failed. The filter is therefore ActionType == "LogonFailed"; comparing ActionType with FailureReason compares two unrelated columns and matches nothing useful. DeviceEvents is the wrong table, and a project of count() would not group the result by device and logon type as required.
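
The assembled query, as an added example that is not part of the original page, extended with a time window and the failure reasons broken out so the role of the FailureReason column is visible. The device names are the ones in the question; the seven-day window and the use of a case-insensitive match are the editor's assumptions.

```kql
// Added example, not from the original page.
// Count failed sign-ins on three named devices, grouped by device and logon type.
DeviceLogonEvents
| where Timestamp > ago(7d)                                       // window is an assumption; the question gives none
| where DeviceName in~ ("CFOLaptop", "CEOLaptop", "COOLaptop")    // in~ : case-insensitive membership test
| where ActionType == "LogonFailed"                               // outcome of the logon; FailureReason is a different column
| summarize LogonFailures = count(),
            Reasons = make_set(FailureReason),                    // why each logon failed (bad password, locked account, ...)
            LastFailure = max(Timestamp)
    by DeviceName, LogonType
| order by LogonFailures desc
```

In real tenants DeviceName is usually the device's fully qualified name (cfolaptop.contoso.com rather than CFOLaptop), so an exact membership test on the short names can return no rows even when failures exist; either include the domain suffix in the list or match on the host term with DeviceName has_any ("CFOLaptop", "CEOLaptop", "COOLaptop").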