Professional Documents
Culture Documents
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 1/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #1 Topic 1
DRAG DROP -
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and
COOLaptop.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 2/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DeviceLogonEvents
| where TimeGenerated >= ago(14d)
| distinct ActionType
Result:
LogonSuccess
LogonFailed
LogonAttempted
That should clear the doubts that "LogonFailed" is the correct option, not "FailureReason". Strongly suggest going through the official schema and
the actual query for validation.
upvoted 4 times
DeviceLogonEvents
ActionType == FailureReason
The DeviceLogonEvents table is selected, which contains logon events for devices.
The where clause filters the events to only include those that have a DeviceName of CFOLaptop, CEOLaptop, or COOLaptop, and an ActionType of
FailureReason. This effectively filters the events to only include failed logon events from the specified devices.
The summarize clause counts the number of events that match the previous criteria, grouping the results by DeviceName and LogonType. The
count() function counts the number of events in each group, and the LogonFailures alias is used to label this count in the resulting output.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 3/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Under DeviceLogonEvents schema, below are the ActionType values available and FailureReason is the column in the schema that can be fetched
ActionType values:
LogonAttempted
LogonFailed
LogonSuccess
and hence the answer is ActionType == 'LogonFailed' ; also a string should be mentioned in a single or double quotes
upvoted 2 times
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 4/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 1
You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to
sign in.
Which anomaly detection policy should you use?
A. Impossible travel
D. Malware detection
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
First, both "Impossible travel" and "Activity from infrequent country" are detection rule that help prevent breaches from foreign attackers.
The difference between the rule is the type of historical data. "Impossible travel" actually compares between the new location's sign-in with the last
known one. So it basically means if someone already logged into a location (corporate network with USA-based IP range) and now he is logged
into a China network then it is likely the user is compromised (assume the organization doesn't have any traffic/record/association with China
network). Moreover it is based on geographically distant locations within a time period shorter. So in my example China is too far from USA.
"Activity from infrequent country" is a bit different. Instead of comparing with the last known location, it detects if an account is logged in from a
country that has never been accessed by any user in the organization. This rule is based on user behavior using entity behavioral analytics and
machine learning.
upvoted 28 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 5/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
I will go with C
upvoted 1 times
albd 1 month, 4 weeks ago
In exam today (23 dec 2022)
upvoted 3 times
Question#67
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company's United States - based offices. You receive many alerts
related to impossible travel and sign - ins from risky IP addresses.
You determine that 99 % of the alerts are legitimate sign - ins from your corporate offices.
You need to prevent alerts for legitimate sign - ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add the IP addresses to the other address range category and add a tag
B. Create an activity policy that has an exclusion for the IP addresses.
C. Increase the sensitivity level of the impossible travel anomaly detection policy
D. Override automatic data enrichment
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 6/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This
can indicate a credential breach, however, it's also possible that the user's actual location is masked, for example, by using a VPN.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 7/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #3 Topic 1
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each
consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?
A. SharePoint search
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
You must use Azure AIP as a tool for DLP. And then Regex is a way to build your pattern in case there is not any built-in sensitive pattern type that
supports your case (account number with 32 char).
To detect sensitive documents in SharePoint Online, you can use a RegEx (regular expression) pattern matching rule in the data loss prevention
(DLP) policy. A RegEx pattern is a sequence of characters that defines a search pattern, which can be used to match specific sequences of characters
in the documents.
In this scenario, you can use a RegEx pattern to match the customer account numbers, which consist of 32 alphanumeric characters. By using a
RegEx pattern, you can accurately identify the sensitive documents that contain the customer account numbers and take appropriate action, such
as blocking access to the documents or sending notifications to the appropriate users.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 8/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Once you have defined the RegEx pattern, you can create a DLP policy in Microsoft Defender for Office 365 that uses the pattern to detect sensitive
documents. The DLP policy can then be configured to take appropriate action, such as blocking access to the sensitive documents or sending
notifications to the appropriate users.
upvoted 1 times
ERROR505 1 week, 1 day ago
Selected Answer: D
D. RegEx pattern matching is the best option to detect which documents contain sensitive information in this scenario. You can create a DLP policy
that uses RegEx to scan the contents of documents for the specific pattern of 32 alphanumeric characters that represent customer account
numbers. This will help identify and protect the sensitive documents in your SharePoint Online sites.
upvoted 2 times
Whilst you are "protecting" the data it doesn't necesarily need to be AIP, it could be DLP with the RegEx policy to prevent it being sent externally
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 9/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 10/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #4 Topic 1
Your company uses line-of-business apps that contain Microsoft Office VBA macros.
You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes.
Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A.
B.
C.
D.
Correct Answer: BC
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/attack-surface-reduction
These are 2 complete solutions on their own. Not a step by step by step.
1) Add the rule and enable it.
2) Add the rule, set the rule to overwrite existing rules, and enable it.
"Set-MpPreference will always overwrite the existing set of rules. If you want to add to the existing set, use Add-MpPreference instead."
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-
worldwide#powershell
The command does not need to mention anything about block because the GUID references a Rule with already set actions.
Configuration Manager name: Block Office application from creating child processes
GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?
source=recommendations&view=o365-worldwide#block-all-office-applications-from-creating-child-processes
upvoted 9 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 11/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Link : https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide
upvoted 4 times
upvoted 1 times
pedromonteirozikado 1 year ago
I was thinking C,D because normally we set a new policy with Add-MpPreference with audit-mode to see the effects of the policy, and after Set-
MpPreference to change policy to Enabled mode. But, the correct is A,D because the questions said "Each correct answer presents a complete
solution", so both Add-MpPreference and Set-MpPreference in Enable mode is correct, cause Set and Add can create policies, but the Set can
change policies too.
upvoted 4 times
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-
worldwide#block-all-office-applications-from-creating-child-processes
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 13/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #5 Topic 1
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 14/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
BDE.
This changed. I know, not in the docs(Docs are old and not updated). I had to go to the tech community.
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-
p/3562719
upvoted 3 times
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-
p/3562719
upvoted 3 times
E. Generate the alert: You need to generate the alert first so that you can see it in the Alerts queue.
B. Hide the alert: After generating the alert, you can hide it if you want to remove it from view.
D. Create a suppression rule scoped to a device group: You can also create a suppression rule scoped to a specific device group if you want to only
apply it to a specific group of devices. This helps you maintain the existing security posture.
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 15/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/introducing-the-new-alert-suppression-experience/ba-p/3562719
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 16/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #6 Topic 1
DRAG DROP -
You open the Cloud App Security portal as shown in the following exhibit.
Your environment does NOT have Microsoft Defender for Endpoint enabled.
You need to remediate the risk for the Launchpad app.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/governance-discovery
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 17/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 18/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #7 Topic 1
HOTSPOT -
You have a Microsoft 365 E5 subscription.
You plan to perform cross-domain investigations by using Microsoft 365 Defender.
You need to create an advanced hunting query to identify devices affected by a malicious email attachment.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 19/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/mtp/advanced-hunting-query-emails-devices?view=o365-worldwide
EmailAttachmentInfo
| where SenderFromAddress =~ "mcasdemo@juno.com"
| where isnotempty(SHA256)
| join (
DeviceFileEvents
| project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName , SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
But if you choose the following from the answers presented in the question you will get the results you need to answer the question:
EmailAttachmentInfo
| where SenderFromAddress =~ "mcasdemo@juno.com"
| where isnotempty(SHA256)
| join (
DeviceFileEvents
| extend FileName, SHA256
) on SHA256
| project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId, SenderFromAddress, RecipientEmailAddress
This has also been tested on live tenants and returns the correct result.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 20/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 21 times
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/extendoperator
upvoted 2 times
The where clause filters the attachments to only include those that were sent from the address "MaliciousSender@example.com" and have a non-
empty SHA256 hash value. This effectively filters the results to only include attachments from the specified sender and that have a known hash
value.
The join operator combines the results of the previous step with the results of a second query that selects the DeviceFileEvent table and projects
the FileName and SHA256 fields. This effectively creates a join between the two tables based on the SHA256 field, linking the attachments with file
events on devices.
The project operator selects the desired fields from the joined results and includes them in the final output.
upvoted 1 times
Why would we use extend here? Extend is for creating calculated columns and there is no requirement for this.
See https://www.examtopics.com/discussions/microsoft/view/60115-exam-sc-200-topic-1-question-17-discussion/
EmailAttachmentInfo
| where isnotempty (SHA256)
| join (DeviceFileEvents
| project FileName, SHA256)
on SHA256
| project Timestamp, NetworkMessageId, etc, etc
upvoted 1 times
"Error message
'project' operator: Failed to resolve scalar expression named 'DeviceName'
How to resolve
Fix semantic errors in your query"
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 21/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
In this case inside join there is no DeviceName and DeviceID(in this queue), to join the column of this table we have to extend it.
I tested this in live environment with join, project, project, it gives an error. Join, extend, project just says no results found and if I change the sender
email address I'm getting results.
upvoted 4 times
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-
from-a-known-malicious-sender-are-on-your-devices
upvoted 7 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 22/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #8 Topic 1
You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: AE
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules
DeviceProcessEvents
| where Timestamp > ago (24h)
//Pivoting for rundll32
| where InitiatingProcessFileName =~ 'rundll32.exe'
//Looking for empty command line
and InitiatingProcessCommandLine !contains " " and InitiatingProcessCommandLine != ""
//Looking for schtasks.exe as the created process
and FileName in~ ('schtasks.exe')
//Disabling system restore
and ProcessCommandLine has 'Change' and ProcessCommandLine has 'SystemRestore'
and ProcessCommandLine has 'disable'
| project Timestamp, AccountName, ProcessCommandLine, DeviceId, ReportId
According to the link below, DeviceID and ReportID are REQUIRED columns for any custom query.
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide#suppress-an-alert-and-create-
a-new-suppression-rule
upvoted 6 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 23/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Add DeviceId and ReportId to the output of the query: In order to include relevant information about the device and alert in the generated alert,
you should include the DeviceId and ReportId fields in the output of the query. You can do this by adding DeviceId and ReportId to the list of fields
selected by the project operator at the end of the query.
upvoted 1 times
Metasploit 4 months, 1 week ago
Selected Answer: AE
A = Requirement is to create an alert.
Not B = This will hide the the alert.
Not C = Avoid filtering custom detections using the Timestamp column. The data used for custom detections is pre-filtered based on the detection
frequency.
Not D = Random filler answer
E = To create a custom detection rule, the query must return the following columns:
->Timestamp—used to set the timestamp for generated alerts
->ReportId—enables lookups for the original records
One of the following columns that identify specific devices, users, or mailboxes:
-> DeviceId
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 24/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #9 Topic 1
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly sensitive information.
You plan to perform automated actions on all devices.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
--> A: So you create this custom group(AllDeviceTempGroup) and add a Tag filter(RansomIRTag) to group devices into this device group.
You see that there are no devices in this group. Why? You have not tagged your devices yet.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 25/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 1 times
Hamatew 1 month, 2 weeks ago
Thanks for the explanation. Probably i skipped some aspect while studying, i have this question, Assuming i have 100s of devices how can i tag all
at once. I need to give RansomIRtag to 100 devices, will i start adding one by one?
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 26/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 27/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Azure AD Identity Protection, you configure the sign-in risk policy.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 28/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
You can also manually tag entities as sensitive or honeytoken accounts. If you manually tag additional users or groups, such as board members,
company executives, and sales directors, Defender for Identity will consider them sensitive.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 29/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 30/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You implement Safe Attachments policies in Microsoft Defender for Office 365.
Users report that email messages containing attachments take longer than expected to be received.
You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments
must be scanned for malware, and any messages that contain malware must be blocked.
What should you configure in the Safe Attachments policies?
A. Dynamic Delivery
B. Replace
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide
Dynamic Delivery is a feature in Microsoft Defender for Office 365 that allows you to optimize the delivery of email messages containing
attachments by scanning the attachments for malware before they are delivered to the recipient's mailbox. This allows you to quickly deliver
messages that are deemed safe while still protecting against malware threats.
To configure the Safe Attachments policies to use Dynamic Delivery, you can go to the Mail flow > Safe attachments policies page in the Microsoft
365 admin center and select the "Dynamic Delivery" option for each policy.
Options B, C, and D are not relevant to reducing the delivery time for email messages with attachments and do not provide the same level of
protection against malware threats as Dynamic Delivery.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 31/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 32/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You are informed of an increase in malicious email being received by users.
You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were
compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious
email.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 33/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
synonyms".
I tested by myself, and the only query that return the latest results was: top 20 by Timestamp, because only "top 20" didn't work.
upvoted 23 times
jasonfmj Highly Voted 1 year, 6 months ago
//Define new table for malicious emails
let MaliciousEmails=EmailEvents
//List emails detected as malware, getting only pertinent columns
| where ThreatTypes has "Malware"
| project TimeEmail = Timestamp, Subject, SenderFromAddress, AccountName = tostring(split(RecipientEmailAddress, "@")[0]);
MaliciousEmails
| join (
//Merge malicious emails with logon events to find logons by recipients
IdentityLogonEvents
| project LogonTime = Timestamp, AccountName, DeviceName
) on AccountName
//Check only logons within 30 minutes of receipt of an email
| where (LogonTime - TimeEmail) between (0min.. 30min)
| take 10
upvoted 9 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 34/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
take operator
There is no guarantee which records are returned, unless the source data is sorted.
------------------------
for this query the correct would not use top ?
Since they ask for recent records
upvoted 3 times
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-schema-changes?view=o365-worldwide
upvoted 6 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 35/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.
Which indicator type should you use?
C. a file hash indicator that has Action set to Alert and block
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-file?view=o365-worldwide
3. Select Add indicator.
5. Indicator - Specify the entity details and define the expiration of the indicator.
* Action - Specify the action to be taken and provide a description.
* Scope - Define the scope of the device group.
* Review the details in the Summary tab, then select Save.
upvoted 17 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 36/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer: BD
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
If you follow the question directly, they are not asking either/or. They want you to assign 2 roles to the Analyst each being half of the entire
solution. Using least privileges the answer should be BD.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 37/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
3. Select Add indicator.
5. Indicator - Specify the entity details and define the expiration of the indicator.
* Action - Specify the action to be taken and provide a description.
* Scope - Define the scope of the device group.
* Review the details in the Summary tab, then select Save.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 38/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.
You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of
the SHA256 hash.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 39/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
The where clause filters the EmailAttachmentInfo table to only include attachments sent by the specified sender and that have a non-empty
SHA256 hash value. This effectively filters the results to only include attachments from the specified sender and that have a known hash value.
The join operator combines the results of the previous step with the results of a second query that selects the DeviceFileEvent table and projects
the FileName, SHA256, DeviceName, and DeviceId fields. This effectively creates a join between the two tables based on the SHA256 field, linking
the attachments with file events on devices.
The project operator selects the desired fields from the joined results and includes them in the final output.
This query will work in both Microsoft Defender and Azure Sentinel, as it is a valid advanced hunting query in both platforms.
upvoted 10 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 40/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of
confidential files.
Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information
Protection classification labels and content inspection warnings from this tenant.
C. Select Investigate files, and then select New policy from search.
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure
Information Protection classification labels and content inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
Correct Answer: DE
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp https://docs.microsoft.com/en-us/cloud-app-security/azip-integration
E:
Settings>Information Protection>Files>Enable file monitoring.
upvoted 1 times
E. From Settings, select Information Protection, select Files, and then enable file monitoring. This will enable Cloud App Security to monitor files for
external sharing and other activities, and to generate alerts and trigger remediation actions in response to potential threats or policy violations.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 41/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
I think C might be one of the responses because I see this sentence "Create a file policy that detects these stale public files by selecting New policy
from search" in the following link: https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters
upvoted 1 times
jayek 2 months, 2 weeks ago
https://learn.microsoft.com/en-us/defender-cloud-apps/policies-information-protection#detect-and-prevent-external-sharing-of-sensitive-data
upvoted 2 times
C= generate alerts and trigger remediation actions (In response to external sharing of confidential files)
E= Gives defender for cloud apps access to files in your SaaS apps.
Not D= This setting would be ideal in the long run, but for the question this is just too much configuration not mentioned in the answer. Where-as
C answers it directly for the need.
See below link, Its more than just a simple "checkbox". The checkbox is only to enable the integration between DefenderCA and MIP.
https://learn.microsoft.com/en-us/defender-cloud-apps/azip-integration
upvoted 1 times
In Defender for Cloud Apps, under the settings cog, select the Settings page under the System heading.
Under Microsoft Information Protection, select Automatically scan new files for Microsoft Information Protection sensitivity labels.
https://docs.microsoft.com/en-us/defender-cloud-apps/tutorial-dlp
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 42/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Cloud App Security.
You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
Tested on the MCAS portal. When you select Activity policy only you get to filter from IP address.
upvoted 32 times
anomaly-detection-policy:
Activity from suspicious IP addresses:
This detection identifies that users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 43/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
involved in malicious activities, such as performing password spray, Botnet C&C, and may indicate compromised account. This detection uses a
machine-learning algorithm that reduces "false positives", such as mis-tagged IP addresses that are widely used by users in the organization.
upvoted 3 times
While I want to say Anomaly detection policy for the 1st answer, when I tested it in the lab, it came back with no templates under that category.
While Activity Policy came back with a bunch related to logins from risky IP, potential ransomware activity, etc.
upvoted 2 times
Activity policies in Cloud App Security are designed to detect specific types of activity in the cloud apps that are being monitored. The "Botnet
Network Activity" policy template is a pre-defined policy that is designed to detect and alert on suspicious activity from botnet networks. This
policy uses a combination of machine learning and threat intelligence to identify botnet network activity, such as attempts to compromise accounts
or access sensitive data.
"Access Policy," is a type of policy that is used to control access to specific cloud apps or resources based on specified conditions, such as the
location of the user or the type of device being used.
"Anomaly detection policy," is a type of policy that is used to detect anomalies in the activity of specific cloud apps or resources based on specified
conditions, such as the number of times a resource is accessed or the type of activity that is being performed. Neither of these options is suitable
for detecting connections to Microsoft 365 apps that originate from a botnet network.
upvoted 5 times
For anomaly detections says "such as mis-tagged IP addresses" so it doesn't use IPs tagged as malicious, and the filter used according to scenario
in filter can only be IP address tag.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 44/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
If we were to choose anomaly detections, the filter should be source, as it originates from a botnet.
And there is no "Anomaly policy" after pushing the "Create policy" button so all the Anomaly Policies are built-in and not custom ones.
Thus:
Policy template type: Activity Policy
Filter based on: IP address tag
upvoted 4 times
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#review-
logon-attempts-after-receipt-of-malicious-emails
upvoted 1 times
Reason being that you cannot create an anomaly detection policy as it's a built-in policy. Also, you cannot filter the policy based on IP address tags
either. Activity Policy and IP address tag has to be the correct selection.
If it asked for you to ensure that activity from Botnets were alerted on and it was to be filtered for specific users then yes this policy could be edited
to suit that but currently as it stands you cannot create this policy or filter by IP tags.
upvoted 5 times
https://docs.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 45/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication (MFA).
You need to enforce MFA for all users who work remotely.
What should you include in the solution?
A. a fraud alert
C. a named location
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
correct
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 47/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
Correct Answer: AD
https://docs.microsoft.com/en-us/cloud-app-security/investigate-anomaly-alerts
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 48/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Explanation:
B. By adding the IP addresses to the corporate address range category, you are indicating that these addresses are trusted and belong to your
organization. This will prevent alerts from being generated for legitimate sign-ins from these IP addresses.
E. By creating an activity policy that has an exclusion for the IP addresses, you can further customize the alerts and specify that you don't want to
receive alerts for sign-ins from the trusted IP addresses. This will reduce the number of alerts that you receive and ensure that you are only notified
when there is a real security threat
upvoted 1 times
B. Add the IP addresses to the corporate address range category. This will ensure that sign-ins from these IP addresses are not flagged as
suspicious.
E. Create an activity policy that has an exclusion for the IP addresses. This will allow you to exclude sign-ins from these IP addresses from being
flagged as anomalous or risky.
upvoted 1 times
Answer B below
5) Config boxes: Name, Ip address ranges(Add US based IP addresses), Category(Select Corporate), Tags
Answer A below
5.1) Override automatic data enrichment: [] Override registered ISP, [] Override location(check and select United States.)
Corporate Tag: These IPs should be all the public IP addresses of your internal network, your branch offices, and your Wi-Fi roaming addresses.
https://learn.microsoft.com/en-us/defender-cloud-apps/ip-tags
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 50/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 51/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
A. the Threat Protection Status report in Microsoft Defender for Office 365
C. the Safe Attachments file types report in Microsoft Defender for Office 365
Correct Answer: A
To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
To determine if ZAP moved your message, you have the following options:
Number of messages: Use the Mailflow view in the Mailflow status report to see the number of ZAP-affected messages for the specified date
range.
Message details: Use Threat Explorer (and real-time detections) to filter All email events by the value ZAP for the Additional action column.
"The report provides the count of email messages with malicious content, such as files or website addresses (URLs) that were blocked by the
anti-malware engine, zero-hour auto purge (ZAP), and Defender for Office 365 features like Safe Links, Safe Attachments, and impersonation
protection features in anti-phishing policies."
upvoted 3 times
https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
B - does not make sense to check Safe Attachments when we're looking for mails.
C & D: ZAP is not logged in the Exchange mailbox audit logs as a system action.
upvoted 2 times
So the answer is - A
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 52/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer,
Just check this https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide#how-
to-see-if-zap-moved-your-message
upvoted 1 times
D should be.,=
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 53/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:
✑ Microsoft Excel macros that download scripts from untrusted websites
✑ Users that open executable attachments in Microsoft Outlook
✑ Outlook rules and forms exploits
What should you use?
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 54/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time.
What should you do to route events to the SIEM solution?
C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 55/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains two users named User1 and User2.
You plan to deploy Azure Defender.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.
Correct Answer:
Box 1: Owner -
Only the Owner can assign initiatives.
Box 2: Contributor -
Only the Contributor or the Owner can apply security recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 56/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You can't choose 'Security Admin' because the key in the questions is 'at the subscription level'. Read the Security Admin section in the
documentation https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
However, only the Owner can 'Enable auto provisioning'... to be the owner of the extension you're deploying. "For auto provisioning, the specific
role required depends on the extension you're deploying." Check the section under the roles table https://docs.microsoft.com/en-
us/azure/defender-for-cloud/permissions
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 57/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Details here:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-data-collection?tabs=autoprovision-loganalytic#availability
upvoted 3 times
Tanasi 5 months, 1 week ago
Contributor on subscription role for both. Remember that big difference between Contributor and Owner is that Owner also has access to modify
RBAC (which is not required here, and will not adhere to Principle of Least Privilege)
upvoted 3 times
User2: Contributor
in the question it's indicate "Subscription level" security admin is not on subscription level. you can refer to this link
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
upvoted 9 times
The question states at the start that this is at the subscription level. Thus, the contributor role cannot Add/assign initiatives (including)
regulatory compliance standards)
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 58/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The
solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box: 2 -
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide
Ensure that the device has an Automation Remediation level assigned to it.
You'll need to enable, at least, the minimum Remediation Level for a given Device Group. Otherwise you won't be able to establish a Live Response
session to a member of that group.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 59/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 11 times
doch Most Recent 2 weeks, 4 days ago
1. Turn On Live Response
2. Automation Level should be full. Ensure that the device has an Automation Remediation level assigned to it. https://learn.microsoft.com/en-
us/microsoft-365/security/defender-endpoint/live-response?source=recommendations&view=o365-worldwide
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 60/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Box 1: join -
An inner join.
This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.
This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists
the alerts that have been triggered on those devices.
DeviceInfo -
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 61/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Box 2: project -
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide
Filtering the DeviceInfo table to only include rows where the LoggedOnUsers field contains the string "user1".
Removing duplicates based on the DeviceId field.
Joining the resulting set of devices with the AlertEvidence table based on the DeviceId field.
Projecting the AlertId field from the resulting set.
Joining the resulting set of alerts with the AlertInfo table based on the AlertId field.
Projecting the AlertId, Timestamp, Title, Severity, and Category fields from the resulting set of alerts.
This query retrieves a list of alerts that are related to devices where the user "user1" is logged on, and it includes the alert ID, timestamp, title,
severity, and category for each alert. The "join" and "project" operations in the query are used to combine and filter the data from the various
tables in the ATP data model.
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 62/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their
accounts were deleted.
What should you use?
Correct Answer: C
Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level
for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered.
Default alert policies include:
Unusual external user file activity - Generates an alert when an unusually large number of activities are performed on files in SharePoint or
OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy
has a High severity setting.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies
https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-
users
When users leave your organization, there are specific risk indicators typically associated with data theft by departing users. This policy template
uses exfiltration indicators for risk scoring and focuses on detection and alerts in this risk area.
upvoted 9 times
Insider risk policies in Microsoft 365 can monitor user activity across different services, including SharePoint Online, to detect potential insider risks
such as data leaks or theft. You can configure an insider risk policy to trigger an alert when certain user activity matches a defined risk level or
condition, such as downloading a large number of documents.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 63/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Collection: Detects download activities by in-scope policy users. Example risk management activities include downloading files from SharePoint
sites or moving files into a compressed folder.
https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-
users
upvoted 2 times
Lokmane14 2 months, 3 weeks ago
Selected Answer: D
D seems to be correct, insider risk policy suits to this question.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 64/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.
You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?
B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
Correct Answer: C
Labeling activities are available in Activity explorer.
For example:
https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-overview?view=o365-worldwide
You can find data classification in the Microsoft Purview compliance portal (or Microsoft 365 Defender portal) > Classification > Data Classification.
trainable classifiers
sensitive information types
Learn about exact data match based sensitive information types
content explorer
-------> activity explorer
https://learn.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer?view=o365-worldwide
upvoted 2 times
Tres bien
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 66/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?
A. Investigations
B. Devices
D. Alerts
Correct Answer: C
The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.
Incorrect:
* The Investigations tab lists all the automated investigations triggered by alerts in this incident. Automated investigations will perform
remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender
for Endpoint and Defender for Office 365.
* Devices
The Devices tab lists all the devices related to the incident.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents
Question emphasizes on 'incident'. Though you can view affected entities by clicking on Alerts tab > Alert list, it will be for that particular alert one
alert doesn't necessarily be an incident. An incident can have multiple alerts. So you need to click on Incidents tab, open the Incident, go to
Evidences and Response tab and look there.
upvoted 9 times
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide
upvoted 1 times
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide
upvoted 3 times
Answer is correct as C
upvoted 3 times
The Evidence and Response tab in the Microsoft 365 Defender portal provides a detailed view of an incident, including information about the
affected entities. When you select an incident in the Investigations tab, the Evidence and Response tab will display information about the affected
users, devices, applications, and other entities. You can use this information to understand the scope of the incident and to determine which
entities may have been compromised or affected by the incident.
The Devices, Alerts, and Investigations tabs may also contain information about affected entities, but the Evidence and Response tab provides the
most comprehensive view of the entities involved in an incident.
upvoted 3 times
"The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident."
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 68/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://learn.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide#evidence-and-response
upvoted 4 times
natxu 4 months, 1 week ago
Selected Answer: C
You can find all affected entities under Evidence and Response.
upvoted 2 times
You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.
You need to identify all the changes made to Domain Admins group during the past 30 days.
B. the identity security posture assessment in Microsoft Defender for Cloud Apps
Correct Answer: A
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 69/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have
aggregated alerts configured.
What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?
C. Management log
Correct Answer: C
https://youtu.be/FW1pIwDLVHY?t=112
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 70/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to create a custom tracked query that will be used to assess the threat status of the subscription.
From the Microsoft 365 Defender portal, which page should you use to create the query?
A. Threat analytics
B. Advanced Hunting
C. Explorer
Correct Answer: B
Answer is B
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 71/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative
effort.
A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.
B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.
Correct Answer: A
You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addressed and URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender portal?
Correct Answer: A
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 72/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP
-
You have an Azure subscription that contains the users shown in the following table.
Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or
not at all. You may need to drag the split bar between panes or scroll to view content.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 73/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the
following requirements:
How should you complete the query? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 74/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
D. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.
Correct Answer: C
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices.
You need to mark the file as safe and remove the file from quarantine on the devices.
A. From the History tab in the Action center, revert the actions.
Correct Answer: A
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 75/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must
minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
A. Advanced hunting
B. Threat analytics
D. Learning hub
Correct Answer: B
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 76/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #1 Topic 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
(Mitigate the threat) - provides manual remediation steps for this security alert (Provides recommendations on what to do to resolve the alert)
(Prevent future attacks) - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks.(Provides recommendations for security in general such as Remediate Vulnerabilities and win defender should be activated on all devices)
upvoted 4 times
Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 77/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
* Mitigate the threat - provides manual remediation steps for this security alert
* Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks
upvoted 2 times
MiKeDee 8 months ago
Selected Answer: B
According to https://docs.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts Yes stands for "Prevent future attacks -
provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future attacks". This answer does
not provide remediation steps, it provides attack surface reduction steps.
upvoted 1 times
Take action tab. Use this tab to take further actions regarding the security alert. Actions such as:[...]
Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 78/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 2
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/defender-for-key-vault-usage
If the source of the alert has an Azure Active Directory role in your tenant:
Contact your administrator.
Determine whether there's a need to reduce or revoke Azure Active Directory permissions.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 79/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 80/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #3 Topic 2
HOTSPOT -
You have an Azure subscription that has Azure Defender enabled for all supported resource types.
You create an Azure logic app named LA1.
You plan to use LA1 to automatically remediate security risks detected in Azure Security Center.
You need to test LA1 in Security Center.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/workflow-automation#create-a-logic-app-and-define-when-it-should-automatically-run
https://docs.microsoft.com/en-us/azure/azure-monitor/reference/tables/securitynestedrecommendation
upvoted 8 times
https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 81/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Option 1, "When an Azure Security Centre Recommendation is created or triggered," is not a valid trigger. Recommendations are suggestions for
remediation or improvement that are provided by Azure Security Center, but they do not trigger the execution of a logic app.
Option 2, "When an Azure Security Centre is created or triggered," is also not a valid trigger. Azure Security Center is a service, not an entity that
can be created or triggered.
Option 3, "When a response to an Azure Security Center alert is triggered," is also not a valid trigger. Responses to alerts are actions taken in
response to an alert, such as acknowledging or dismissing the alert. They do not trigger the execution of a logic app.
upvoted 1 times
Note:
If you are using the legacy trigger "When a response to a Microsoft Defender for Cloud alert is triggered", your logic apps will not be launched
by the Workflow Automation feature. Instead, use either of the triggers mentioned above.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 82/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #4 Topic 2
Correct Answer: C
The Contributor role for RG1 will allow SecAdmin1 to perform tasks such as deploying resources and modifying resource properties within RG1, but
it will not grant them access to perform administrative tasks at the subscription level. This will allow SecAdmin1 to apply quick fixes to the virtual
machines using Azure Defender, while still adhering to the principle of least privilege.
upvoted 6 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 83/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #5 Topic 2
A. cp /bin/echo ./asc_alerttest_662jfi039n
C. cp /bin/echo ./alerttest
Correct Answer: AD
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation#simulate-alerts-on-your-azure-vms-linux-
upvoted 1 times
Task 1 year, 8 months ago
Correct answer
upvoted 1 times
Question #6 Topic 2
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 85/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #7 Topic 2
DRAG DROP -
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to configure Azure Security Center to detect possible threats related to sign-ins from suspicious IP addresses to Azure virtual machines.
The solution must validate the configuration.
Which three actions should you perform in a sequence? To answer, move the appropriate actions from the list of action to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 86/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Same here!
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 87/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #8 Topic 2
The security operations team at the company informs you that it does NOT receive email notifications for security alerts.
What should you configure in Security Center to enable the email notifications?
A. Security solutions
B. Security policy
D. Security alerts
E. Azure Defender
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details
From Defender for Cloud's Environment settings area, select the relevant subscription, and open Email notifications.
Define the recipients for your notifications with one or both of these options:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 88/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 1 times
somsom 1 year, 10 months ago
correct. the navigation is as follows home - security center- pricing and settings
upvoted 10 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 89/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #9 Topic 2
DRAG DROP -
You have resources in Azure and Google cloud.
You need to ingest Google Cloud Platform (GCP) data into Azure Defender.
In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the
correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-gcp
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 90/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp
upvoted 2 times
Snaileyes 3 months ago
...more specifically:
https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp#how-to-connect-gcp-security-configuration-to-defender-for-cloud-
apps
upvoted 2 times
We copy the GCP Cloud Shell script from the GCP Connector, then run it at GCP Cloud Shell, and then we have an auto-generated service account
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 91/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Regulatory compliance, you download the report.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 92/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You use Azure Security Center.
You receive a security alert in Security Center.
You need to view recommendations to resolve the alert in Security Center.
Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 93/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that has Azure Defender enabled for all supported resource types.
You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event
management (SIEM) solution.
To which service should you export the alerts?
A. Azure Cosmos DB
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/security-center/continuous-export?tabs=azure-portal
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 94/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You are responsible for responding to Azure Defender for Key Vault alerts.
During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.
What should you configure to mitigate the threat?
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/network-security
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 95/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific
security alerts are received by Azure Security Center.
How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in
the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/quickstart-automation-alert
alertnamecontains/azuredeploy.json
upvoted 21 times
albd Highly Voted 1 month, 4 weeks ago
In Exam today (23 dec 2022)
upvoted 9 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 97/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/security-center/enable-azure-defender
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 98/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
C. Create an Azure logic app that has an Azure Security Center alert trigger.
Correct Answer: AC
Reference:
https://docs.microsoft.com/en-us/azure/storage/common/azure-defender-storage-configure?tabs=azure-security-center
https://docs.microsoft.com/en-us/azure/security-center/workflow-automation
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 99/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You manage the security posture of an Azure subscription that contains two virtual machines name vm1 and vm2.
The secure score in Azure Security Center is shown in the Security Center exhibit. (Click the Security Center tab.)
Azure Policy assignments are configured as shown in the Policies exhibit. (Click the Policies tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 100/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-restrict-unauthorized-network-access/ba-p/1593833
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-secure-management-ports/ba-p/1505770
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 101/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 102/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment.
You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a
documented active exploit available.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/microsoft-defender-atp-remediate-apps-using-mem/ba-p/1599271
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 103/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 104/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section.
B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-managing-and-responding-alerts
To view recommendations to resolve a security alert in Azure Security Center, you should follow these steps:
Under Mitigate the threat it gives you recommendations on how to resolve this particular alert
Under prevent future attacks its all about recommendations in relation to prevent future attacks
upvoted 1 times
Under prevent future attacks its all about recommendations in relation to prevent future attacks so A is incorrect.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 105/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
"Mitigate the threat - provides manual remediation steps for this security alert
Prevent future attacks - provides security recommendations to help reduce the attack surface, increase security posture, and thus prevent future
attacks"
Obviously, it is prevent furture attacks, not mitigate the threat, to view security recommendations.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 106/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.
You are troubleshooting an issue on the virtual machines.
In Security Center, you need to view the alerts generated by the virtual machines during the last five days.
What should you do?
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules
Answer B would prevent future alerts from being supressed but the question is asking to view alerts created in the last 5 days - these would have
been dismissed by the supression rule and to view them you need to alter the filter to display dismissed alerts.
Ref: https://docs.microsoft.com/en-us/azure/security-center/alerts-suppression-rules#what-are-suppression-rules
upvoted 40 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 107/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Selected Answer: C
C: Modify the filter.
The logic here is that the alerts have been supressed, and therefore you won't be able to see the alerts until you disabled the rule.
Answer C may change the filter, however changing the filter won't matter because the supresssion rule is still active. Godsky is correct
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 108/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have an Azure Storage account that will be accessed by multiple Azure Function apps during the development of an application.
You need to hide Azure Defender alerts for the storage account.
Which entity type and field should you use in a suppression rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts-are-now/ba-p/1404920
Correct.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 109/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 21 times
Lone__Wolf Most Recent 6 days, 10 hours ago
Correct! ✌
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 110/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer: A
Security Center collects data from your Azure virtual machines (VMs), virtual machine scale sets, IaaS containers, and non-Azure (including on-
premises) machines to monitor for security vulnerabilities and threats.
Data is collected using:
✑ The Log Analytics agent, which reads various security-related configurations and event logs from the machine and copies the data to your
workspace for analysis. Examples of such data are: operating system type and version, operating system logs (Windows event logs), running
processes, machine name, IP addresses, and logged in user.
✑ Security extensions, such as the Azure Policy Add-on for Kubernetes, which can also provide data to Security Center regarding specialized
resource types.
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-enable-data-collection
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 111/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 112/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and
potential successful brute force attacks.
The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The
alerts appear in
Azure Security Center.
You need to ensure that the security administrator receives email alerts for all the activities.
What should you configure in the Security Center settings?
B. a cloud connector
Correct Answer: A
Reference:
https://techcommunity.microsoft.com/t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 113/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.
You need to hide the alerts automatically in Security Center.
Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts-are-now/ba-p/1404920
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 114/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Answer is correct.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 115/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have an Azure subscription.
You need to delegate permissions to meet the following requirements:
✑ Enable and disable Azure Defender.
✑ Apply security recommendations to resource.
The solution must use the principle of least privilege.
Which Azure Security Center role should you use for each requirement? To answer, drag the appropriate roles to the correct requirements. Each
role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/security-center/security-center-permissions
-Sec Admin
-Resource Group Owner (this has lower priv than subscription contributor and can still apply security recommendations)
upvoted 41 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 116/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Avoid assigning broader roles at broader scopes . By limiting roles and scopes, you limit what resources are at risk if the security principal is
ever compromised.
upvoted 2 times
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 117/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Otherwise it is:
- Sec admin
- Resource group owner
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 118/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have an Azure subscription that uses Azure Defender.
You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts.
You need to create an Azure policy that will perform threat remediation automatically.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/governance/policy/concepts/effects https://docs.microsoft.com/en-us/azure/security-
center/workflow-automation
EnforceOPAConstraint
EnforceRegoPolicy
upvoted 5 times
upvoted 3 times
AbdulMueez 9 months, 2 weeks ago
Yes. Correct
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 120/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning
enabled.
You need to create a custom alert suppression rule that will supress false positive alerts for suspicious use of PowerShell on VM1.
What should you do first?
D. From Azure Security Center, export the alerts to a Log Analytics workspace.
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 121/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 122/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc
upvoted 11 times
Now, the agent can be automatically deployed after Azure Arc is deployed. Answer should be A) Yes.
upvoted 4 times
Note
Defender for Cloud's auto-deploy tools for deploying the Log Analytics agent works with machines running Azure Arc however this capability is
currently in preview . When you've connected your machines using Azure Arc, use the relevant Defender for Cloud recommendation to deploy the
agent and benefit from the full range of protections offered by Defender for Cloud:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 124/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have Linux virtual machines on Amazon Web Services (AWS).
You deploy Azure Defender and enable auto-provisioning.
You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc
If you're onboarding machines running on Amazon Web Services (AWS), Defender for Cloud's connector for AWS transparently handles the
Azure Arc deployment for you. Learn more in Connect your AWS accounts to Microsoft Defender for Cloud.
upvoted 1 times
When Azure Defender is enabled with auto-provisioning, it automatically deploys the necessary monitoring agents on the virtual machines. In this
case, since you have deployed Linux virtual machines on AWS, you would need to configure the Azure Defender for servers (Linux) solution to
monitor these virtual machines. Once enabled, Azure Defender for servers (Linux) will automatically deploy the necessary monitoring agents on the
virtual machines without the need for manual installation.
upvoted 2 times
HERE: YOU NEED TO MONITOR THOSE VM WITH AZURE DEFENDER. meaning first we need to do the first step to monitor them, and that first step
is not install the Log analytics agent. First we should enable Azure Arc on them. So I think answer is no B
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 125/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 126/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer: B
Defender for Cloud depends on the Log Analytics agent.
Use the Log Analytics agent if you need to:
* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure
* Etc.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/os-coverage https://docs.microsoft.com/en-us/azure/azure-
monitor/agents/agents-overview#log-analytics-agent
Once the Azure Connected Machine agent is installed, you can then install the Log Analytics agent to collect security data from the servers and
send it to the Log Analytics workspace in Azure. This will allow you to use Defender for Cloud to monitor the security of your Linux servers, identify
threats, and respond to security incidents.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 127/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
To connect hybrid machines to Azure, you install the Azure Connected Machine agent on each machine. This agent does not replace the Azure Log
Analytics agent / Azure Monitor Agent. The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:
-Proactively monitor the OS and workloads running on the machine
-Manage it using Automation runbooks or solutions like Update Management
-Use other Azure services like Microsoft Defender for Cloud
https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview
upvoted 2 times
C may be a requirement but i think it is something not needed to be installed but is a setup for connector.
upvoted 1 times
Here you can see a table where says "Protect on-premises servers: Onboard them as Azure Arc machines and deploy agents with automation
provisioning"
upvoted 1 times
A machine with Azure Arc-enabled servers becomes an Azure resource and - when you've installed the Log Analytics agent on it - appears in
Defender for Cloud with recommendations like your other Azure resources
https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines?pivots=azure-arc
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 128/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 2 times
ACSC 3 months ago
Selected Answer: B
https://learn.microsoft.com/en-us/azure/defender-for-cloud/os-coverage#supported-operating-systems
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 129/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have an Azure subscription. The subscription contains 10 virtual machines that are onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior on a virtual machine, you receive an email notification.
The solution must generate a test email.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 130/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
4. Etc.
Step 2: From Logic App Designer, run a trigger.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 131/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP
-
You have a Microsoft subscription that has Microsoft Defender for Cloud enabled.
You configure the Azure logic apps shown in the following table.
You need to configure an automatic action that will run if a Suspicious process executed alert is triggered. The solution must minimize
administrative effort.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Correct Answer:
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts#respond-to-security-alerts
upvoted 6 times
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 133/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.
Correct Answer: B
Make sure the selected LA workspace has security solution installed. The LA agent and AMA are currently configured in the subscription level.
All of your AWS accounts and GCP projects under the same subscription will inherit the subscription settings for the LA agent and AMA.
upvoted 1 times
upvoted 1 times
nhmh90 2 weeks ago
Selected Answer: B
To connect hybrid machines to Azure, you install the Azure Connected Machine agent on each machine. This agent does not replace the Azure Log
Analytics agent / Azure Monitor Agent. The Log Analytics agent or Azure Monitor Agent for Windows and Linux is required in order to:
https://learn.microsoft.com/en-us/azure/azure-arc/servers/overview
upvoted 3 times
Searching for the exact term "Azure Arc Agent" seems not right - with no hits. All it says is Azure-Arc enabled servers and "Azure Connect Machine
agent" as per https://learn.microsoft.com/en-us/azure/azure-arc/servers/plan-at-scale-deployment
Is it confirmed even without written documentation that Azure Arc Agent = Azure Connect Machine Agent?
I'm still thinking that B is the answer, unless otherwise there is Azure Connect Machine Agent in the choices.
upvoted 1 times
To collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud, you need to install the Azure Arc agent first on Server1. Azure
Arc allows you to manage your servers, including non-Azure servers, as if they were native Azure resources. By installing the Azure Arc agent on
Server1, you can onboard it to Azure and enable Azure services, such as Microsoft Defender for Cloud, to protect and monitor the server. The Azure
Arc agent enables the connection between the server and Azure, allowing for communication and data transfer between them. The other options
(Microsoft Monitoring Agent, Azure Monitor agent and Azure Pipelines agent) are used for different purposes and are not necessary for this
scenario.
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 135/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.
You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.
Correct Answer: B
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 136/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to filter the security alerts view to show the following alerts:
A. Informational
B. Low
C. Medium
D. High
Correct Answer: C
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 137/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.
You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.
A. Description
B. Intent
C. ExtendedProperies
D. Entities
Correct Answer: A
The extendedProperties key in the JSON structure of an alert contains the MITRE ATT&CK information for the alert, such as the tactics and
techniques used by the attacker. The key contains the tactic name in the MITRE ATT&CK framework, such as "Privilege Escalation", "Initial Access",
"Execution" and so on.
You can use the extendedProperties key to filter and search for alerts that are related to the Privilege Escalation tactic in your third-party SIEM
solution.
It's also important to note that, the other options A,B,C are not related to the MITRE ATT&CK information and are used for different purposes.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 138/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 139/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP
-
You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud deployment has Microsoft Defender for Servers
and automatic provisioning enabled.
You need to configure Defender for Cloud to support the on-premises servers. The solution must meet the following requirements:
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Correct Answer:
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection
https://learn.microsoft.com/en-us/azure/azure-arc/servers/learn/quick-enable-hybrid-vm
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 140/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 141/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 142/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You have an Azure subscription that has Microsoft Defender for Cloud enabled for all supported resource types.
You plan to use LA1 to automatically remediate security risks detected in Defender for Cloud.
What should you do? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 143/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that has Microsoft Defender for Cloud enabled.
You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed.
You need to simulate an attack on the virtual machine that will generate an alert.
Correct Answer: B
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 144/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP
-
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running
Windows Server.
Which three actions should you perform in a sequence? To answer, move the appropriate actions from the list of action to the answer area and
arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 145/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.
You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and
costs.
Which two actions should you perform? Each correct answer presents part of the solution.
A. From the workspace created by Defender for Cloud, set the data collection level to Common.
B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.
D. From the workspace created by Defender for Cloud, set the data collection level to All Events.
E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.
Correct Answer: AE
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user named User1.
You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege.
A. Security operator
B. Security Admin
C. Owner
D. Contributor
Correct Answer: B
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 146/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to identify whether the identity of User1 was compromised during the last 90 days.
Correct Answer: B
You have an Azure subscription that uses Microsoft Defender for Cloud.
You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.
Correct Answer: A
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 147/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual
machines that run Windows Server 2019.
You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements:
B. Azure Policy
C. Azure Bastion
Correct Answer: C
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 148/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #1 Topic 3
DRAG DROP -
You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel.
You need to deploy the log forwarder.
Which three actions should you perform in sequence? To answer, move the appropriate actions form the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-cef-agent?tabs=rsyslog
1- Installs the Log Analytics agent for Linux (also known as the OMS agent) and configures it for the following purposes:
--- listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
--- sending the messages securely over TLS to your Microsoft Sentinel workspace, where they are parsed and enriched
2- Configures the built-in Linux Syslog daemon (rsyslog.d/syslog-ng) for the following purposes:
--- listening for Syslog messages from your security solutions on TCP port 514
--- forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 149/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
The need for restarting the daemon and the agent is to ensure the changes take effect (on Linux this is required)
upvoted 8 times
rupeshngp Most Recent 5 days, 7 hours ago
was in the exam today! The answer is correct!
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 150/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 3
HOTSPOT -
From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases#use-the-investigation-graph-to-deep-dive
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 151/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
what is item? xD
In the Timeline tab, review the timeline of alerts and bookmarks in the incident, which can help you reconstruct the timeline of attacker activity.
while in entities, ''In the Entities tab, you can see all the entities that you mapped as part of the alert rule definition.''
upvoted 6 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 152/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #3 Topic 3
DRAG DROP -
You have an Azure Sentinel deployment.
You need to query for all suspicious credential access activities.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
Reference:
https://davemccollough.com/2020/11/28/threat-hunting-with-azure-sentinel/
If you "filter by tactics" after "selecting hunting", the option available will be to "run selected queries" not "run all queries"
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 153/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #4 Topic 3
You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel.
What should you do first?
Correct Answer: B
The logic app is currently triggered manually, but to use it as a playbook in Azure Sentinel, it needs to be triggered automatically when certain
conditions are met. This requires modifying the trigger in the logic app so that it is triggered based on an event or a schedule in Azure Sentinel. For
example, you could trigger the logic app when a new user is created in Azure AD, or when a specific security alert is generated in Azure Sentinel.
Once the trigger in the logic app has been modified, you can proceed to the next steps, which may include adding a data connector to Azure
Sentinel, configuring a custom Threat Intelligence connector, and creating a scheduled query rule.
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 154/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 1 times
Nailik_Ms 3 weeks, 3 days ago
Selected Answer: B
I think maybe is B. MS Sentinel have out of the box connectors, but they as far as I undersand must be activated FIRST
https://learn.microsoft.com/en-us/azure/sentinel/connect-azure-active-directory#connect-to-azure-active-directory
From the data connectors gallery, select Azure Active Directory and then select Open connector page.
Mark the check boxes next to the log types you want to stream into Microsoft Sentinel (see above), and select Connect.
So if i'm not confused (probably i'm) first would need to connect the newly deployed Sentinel to my AAD and after modify the logic app trigger.
upvoted 2 times
In order to use an existing logic app as a playbook in Azure Sentinel, you will first need to modify the trigger in the logic app. This will allow the
logic app to be triggered automatically by Azure Sentinel, rather than being triggered manually. Once the trigger has been modified, you will then
be able to configure the logic app as a playbook in Azure Sentinel.
upvoted 2 times
Currently, the logic app is triggered manually, which means that it can only be initiated by a user manually clicking the "Run" button or by an
external system sending a request to the logic app's HTTP trigger. In order to use the logic app as a playbook in Azure Sentinel, you will need to
modify the trigger to allow it to be triggered by Azure Sentinel.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources
https://learn.microsoft.com/en-us/azure/sentinel/data-connectors-reference
upvoted 1 times
upvoted 2 times
valuze_sm 8 months, 3 weeks ago
Selected Answer: D
I vote for D. AAD Connector in Sentinel is not required to use Azure AD Actions inside Logic Apps. Of course you should enable the Connector to
generate alerts but not needed for a functioning Logic App.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 156/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #5 Topic 3
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.
A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.
You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine
learning.
What should you include in the recommendation?
A. built-in queries
B. livestream
C. notebooks
D. bookmarks
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebooks
Additionally, notebooks can be used in security big data analytics for fast data processing on large datasets.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 157/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #6 Topic 3
Correct Answer: D
Reference:
https://azsec.azurewebsites.net/2020/01/19/notify-azure-sentinel-alert-to-your-email-automatically/
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 159/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #7 Topic 3
By which two components can you group alerts into incidents? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. user
B. resource group
C. IP address
D. computer
Correct Answer: CD
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 161/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #8 Topic 3
Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure
AD) tenant.
Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log
Analytics workspace in each machine's respective subscription.
You deploy Azure Sentinel to a new Azure subscription.
You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
B. Create a query that uses the workspace expression and the union operator.
D. Create a query that uses the resource expression and the alias operator.
Correct Answer: BE
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 162/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
I would answer:
- Lack of a single pane of glass
- Increased deployment complexity
https://charbelnemnom.com/top-best-practices-for-deploying-azure-sentinel/
upvoted 1 times
https://learn.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
upvoted 3 times
Kusto
Copy
TableName
| union workspace("WorkspaceName").TableName
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 163/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer
https://docs.microsoft.com/en-us/learn/modules/create-manage-azure-sentinel-workspaces/2-plan-for-azure-sentinel-workspace
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 164/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #9 Topic 3
A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-a-playbook-on-demand
In Incidents view, choose a specific incident, open its Alerts tab, and choose an alert.
Click on View playbooks for the chosen alert. You will get a list of all playbooks that start with an When an Azure Sentinel Alert is triggered and that
you have access to.
Select the Runs tab to view a list of all the times any playbook has been run on this alert. It might take a few seconds for any just-completed run to
appear in this list.
Clicking on a specific run will open the full run log in Logic Apps.
upvoted 19 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 165/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 166/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. There are connectivity issues between the data sources and Log Analytics.
C. The rule query takes too long to run and times out.
D. Permissions to one of the data sources of the rule query were modified.
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom
D is a "Permanent failure - rule auto-disabled" - "In consecutive permanent failures, Azure Sentinel stops trying to execute......"Adds the words
"AUTO DISABLED"
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 167/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 13 times
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles
All Azure Sentinel built-in roles grant read access to the data in your Azure Sentinel workspace.
Azure Sentinel Reader can view data, incidents, workbooks, and other Azure Sentinel resources.
Azure Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.)
Azure Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Azure Sentinel Automation Contributor allows Azure Sentinel to add playbooks to automation rules. It is not meant for user accounts.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 168/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 169/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
✑ Create and run playbooks
✑ Create workbooks and analytic rules.
The solution must use the principle of least privilege.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than
once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 170/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. a data connector
B. a playbook
C. a workbook
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 171/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You use Azure Sentinel to monitor irregular Azure activity.
You create custom analytics rules to detect threats as shown in the following exhibit.
You do NOT define any incident settings as part of the rule definition.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 172/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator#examples
upvoted 7 times
The make-series operator creates a series of specified aggregated values along a specified axis. In this case the "Caller", this will make 3 rows, 1
row.
This will create a table that shows arrays of the ResourceID's of each query result from each "Caller" ordered by specified time range.
The rule specifies when the query returns 2 results in a 5 minute timespan, trigger the alert, in this case the first scenario would only trigger 1 row
on the results table as it uses "DCOUNT".
In the second scenario it will trigger 1 alert as the threshold is 2 results and group results on a single alert option is selected.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 173/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-seriesoperator
upvoted 2 times
j888 9 months ago
I think the answer 1,1 is correct.
The alert will be based on 5 hours and it will only trigger when it is having 2 counts.
You will end up with 3 counts of computers been created through a single deployment, regardless this should be visible under the 5 hours log.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 174/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
Cross-workspace queries can now be included in scheduled analytics rules. You can use cross-workspace analytics rules in a central SOC, and across
tenants (using Azure Lighthouse) as in the case of an MSSP, subject to the following limitations:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants#cross-workspace-workbooks
upvoted 12 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 175/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. The rule query takes too long to run and times out.
D. There are connectivity issues between the data sources and Log Analytics
Correct Answer: AD
Incorrect Answers:
B: This would cause it to fail every time, not just intermittently.
C: This would cause it to fail every time, not just intermittently.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 176/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a scheduled query rule for a data connector.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are
reached, generate incidents for your SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 177/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a hunting bookmark.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
Hunting Bookmarks:
https://learn.microsoft.com/en-us/azure/sentinel/bookmarks
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 178/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a Microsoft incident creation rule for a data connector.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
An incident creation rule is used to create incidents in Azure Sentinel based on specific criteria, such as when a certain number of alerts are
triggered within a certain timeframe. While an incident creation rule can be used in conjunction with data connectors to analyze data from other
sources, it does not directly detect sign-ins from malicious IP addresses.
To detect sign-ins from malicious IP addresses, you would need to create an analytics rule that looks for specific signs of a malicious IP address,
such as a high number of failed login attempts or login attempts from a known malicious IP. Once the rule detects a sign-in from a malicious IP, it
can trigger an alert, which can then be used to create an incident in Azure Sentinel.
upvoted 1 times
https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#configure-the-incident-creation-settings
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 179/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the
activity as a time chart aggregated by day.
You need to create a query that will be used to display the time chart.
What should you include in the query?
A. extend
B. bin
C. makeset
D. workspace
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/get-started-queries
To create groups that are based on continuous values, it's best to break the range into manageable units by using bin.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 180/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. Add a playbook.
D. Create a workbook.
Correct Answer: AB
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
Playbooks in Azure Sentinel are based on workflows built in Azure Logic Apps, which means that you get all the power, customizability, and built-in
templates of Logic Apps.
To send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected in Azure Sentinel, you will need to
perform two actions:
Add a playbook: A playbook is a set of actions that can be triggered in response to an incident, such as sending a message to a channel in
Microsoft Teams. To add a playbook, you will need to navigate to the Playbooks tab in Azure Sentinel and create a new playbook that includes an
action to send a message to a Microsoft Teams channel.
Associate a playbook to an incident: After creating the playbook, you will need to associate it with an incident in Azure Sentinel. This can be done
by navigating to the Incidents tab in Azure Sentinel and selecting the incident that you want to associate the playbook with. Then, select the
"Associate Playbook" button and select the playbook that you created.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 181/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 1 times
kakakayayaya 1 year, 2 months ago
For me B is a wrong choice. We can NOT associate a playbook to an incident! We can:
- trigger playbook when incident happens
- associate playbook to an ANALYTIC RULE
Fusion rule is important to catch Multistage attacks not suspicious sign-in.
So A - ok
B - weird.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 182/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
What should you use?
C. Azure Monitor
Correct Answer: A
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebooks
The same API is also available for external tools such as Jupyter notebooks and Python. While many common tasks can be carried out in the portal,
Jupyter extends the scope of what you can do with this data. It combines full programmability with a huge collection of libraries for machine
learning, visualization, and data analysis. These attributes make Jupyter a compelling tool for security investigation and hunting.
To visualize Azure Sentinel data and enrich it by using third-party data sources to identify indicators of compromise (IoC), you can use notebooks in
Azure Sentinel.
Notebooks in Azure Sentinel are interactive documents that allow you to run queries, create visualizations, and perform data analysis on your Azure
Sentinel data. They also allow you to connect to other data sources, such as third-party threat intelligence feeds, to enrich the data and identify
indicators of compromise (IoCs).
Once you have connected to the third-party data source, you can use Azure Sentinel notebook to blend the data, and create visualizations, and
perform data analysis to identify the potential attack.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 183/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security
Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?
A. extend
B. bin
C. count
D. workspace
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-chart-visualizations
requests
| summarize Requests = count() by Result = strcat('Http ', resultCode)
| order by Requests desc
The query returns two columns: Requests metric and Result category. Each value of the Result column will get its own bar in the chart with height
proportional to the Requests metric.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 184/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. Create a livestream
E. Create a bookmark.
Correct Answer: BD
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/livestream
Then whether it is Hunting query or Livestream. Near real-time is the keyword here and the answer reveales a reference link to Livestream, not to
hunting. With Livestream, any matching results will generate "Azure Alerts" which are shown at the Notification bell. So the correct answer is A not
D.
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 185/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Selected Answer: AB
B Make sure the data connector is set.
A Create a Livestream for Azure storage key enumeration (NO custom alert/hunting query or bookmark needed).
https://learn.microsoft.com/en-us/azure/sentinel/livestream#create-a-livestream-session
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 186/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The solution must minimize
administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 187/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
For me is:
- Office 365
- Security Events
upvoted 1 times
You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 188/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
D. Add a playbook.
E. Create a workbook.
Correct Answer: AB
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics https://docs.microsoft.com/en-us/azure/sentinel/automate-
responses-with-playbooks
Add a playbook: A playbook is a set of actions that can be triggered in response to an incident, such as sending a message to a channel in
Microsoft Teams. To add a playbook, you will need to navigate to the Playbooks tab in Azure Sentinel and create a new playbook that includes an
action to send a message to a Microsoft Teams channel.
Associate a playbook to the analytics rule that triggered the incident: After creating the playbook, you will need to associate it with the analytics
rule that triggered the incident. This can be done by navigating to the Analytics tab in Azure Sentinel, select the analytics rule that you want to
associate the playbook with, and then selecting the "Associate Playbook" button and selecting the playbook that you created.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 189/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
UEBA also requires data sources from Azure and/or Thirdparty and will be able to help analyze and investigate an incident. This is not relevant to
the question. So we have to assume data connectors are in place.
upvoted 6 times
Fukacz 5 months, 1 week ago
Selected Answer: BD
B+D is the right way
upvoted 1 times
For example:
A Microsoft Sentinel incident was created from an alert by an analytics rule that generates username and IP address entities.
The incident triggers an automation rule which runs a playbook with the following steps:
Send a message to your security operations channel in Microsoft Teams or Slack to make sure your security analysts are aware of the incident.
Send all the information in the alert by email to your senior network admin and security admin. The email message will include Block and Ignore
user option buttons.
Wait until a response is received from the admins, then continue to run.
If the admins have chosen Block, send a command to the firewall to block the IP address in the alert, and another to Azure AD to disable the user.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 190/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
I echo
B& D
upvoted 1 times
liberty123 12 months ago
Selected Answer: BD
Agree with BD
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 191/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You need to use an Azure Sentinel analytics rule to search for specific criteria in Amazon Web Services (AWS) logs and to generate incidents.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 192/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 193/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Azure Sentinel -
A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
Correct Answer: AD
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection https://docs.microsoft.com/en-us/defender-for-
identity/configure-event-collection
A: Configure the Advanced Audit Policy Configuration settings for the domain controllers
For the correct events to be audited and included in the Windows Event Log, your domain controllers require accurate Advanced Audit Policy
settings.
https://learn.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection
To enhance detection capabilities, Defender for Identity needs the Windows events listed in Configure event collection. These can either be read
automatically by the Defender for Identity sensor or in case the Defender for Identity sensor is not deployed, it can be forwarded to the Defender
for Identity standalone sensor in one of two ways, by configuring the Defender for Identity standalone sensor to listen for SIEM events or by
configuring Windows Event Forwarding.
https://learn.microsoft.com/en-us/defender-for-identity/configure-event-forwarding
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 194/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
B. Security Administrator
Correct Answer: A
Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 195/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. a playbook
B. a notebook
C. a livestream
D. a bookmark
Correct Answer: C
Use livestream to run a specific query constantly, presenting results as they come in.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/hunting
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 196/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant
named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office
365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft
Office 365 activity.
Which two actions should you perform? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.
Correct Answer: AB
C is a no go as there is no log upload etc setup nor we talking about custom or third party apps or Shadow IT of any kind.
B should not be the case as we are talking about identity compromise and then actions followed in O365, not on-prem so Azure Security center is
out. Question is not talking about Incident generation either but fusion rule.
Coming to A, there are samples of analytics rules about Log4J activities and other type of suspicious patterns, but there is nothing sort of specific
about covering everything, so nothing is there built-in but all logs are there to capture any kind of activities in O365 and their pattern, so a custom
rule makes sense which would need to cover relevant scenarios
To use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365
activity, you will need to perform two actions:
Create custom rule based on the Office 365 connector templates: By creating a custom rule based on the Office 365 connector templates, you can
monitor Office 365 activity for suspicious behavior, such as anomalous login attempts, or unusual activity from a specific IP address.
Create an Azure AD Identity Protection connector: Azure AD Identity Protection is a security solution that provides visibility, control, and protection
for Azure AD identities. By creating an Azure AD Identity Protection connector, you can monitor Azure AD activity for suspicious behavior, such as
suspicious sign-ins, or unusual activity from a specific IP address.
upvoted 1 times
Create a Microsoft Cloud App Security connector: You can use the Microsoft Cloud App Security connector to import data from Microsoft Cloud
App Security and use it in your Azure Sentinel workspace. This will allow you to detect anomalous Microsoft Office 365 activity and use this data in
your Fusion rule.
upvoted 2 times
-You don't need to add another connector because the connector already set up.
so C and D is not the correct answer.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 198/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 199/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a livestream from a query.
Does this meet the goal?
A. Yes
B. No
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 200/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You need to create a query for a workbook. The query must meet the following requirements:
✑ List all incidents by incident number.
✑ Only include the most recent log for each incident.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://www.drware.com/whats-new-soc-operational-metrics-now-available-in-sentinel/
SecurityIncident
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
upvoted 7 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 201/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have the resources shown in the following table.
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
Using the same machine to forward both plain Syslog and CEF messages.
1) Server 1 Change to stop the Plain Syslog from also sending CEF logs to the forwarder:
2) Server 1 Change to disable the Log Analytics Agent from syncing with Microsoft Sentinel's Syslog configuration so that changes made in step 1
do not get overwritten.
SW1 receives the data only from CEF1, CEF1 needs to send data collected in CEF message from Server1 and Plain Syslog from Server2. Seeing that
Server 2 is configured to send plain syslog to CEF1, there is no log analytics agent on this server to duplicate data. Everything is happening on
Server1.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 202/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Using the same machine to forward both plain Syslog and CEF messages
If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the
Syslog and CommonSecurityLog tables:
a. On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that
are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent
for detailed instructions on how to do this.
b. You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Microsoft
Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable'
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 1 times
For CEF1:
Install the Log Analytics agent for Linux (also known as the OMS agent) and configures it for the following purposes:
• Listening for CEF messages from the built-in Linux Syslog daemon on TCP port 25226
Configures the built-in Linux Syslog daemon for the following purposes:
• Listening for Syslog messages from your security solutions on TCP port 514
• Forwarding only the messages it identifies as CEF to the Log Analytics agent on localhost using TCP port 25226
From <https://docs.microsoft.com/en-us/learn/modules/connect-common-event-format-logs-to-azure-sentinel/3-connect-your-external-solution-
use-common-event-format-connector
upvoted 1 times
https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog#run-the-deployment-script
upvoted 4 times
Using the same machine to forward both plain Syslog and CEF messages
If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the
Syslog and CommonSecurityLog tables:
**On each source machine that sends logs to the forwarder in CEF format**, you must edit the Syslog configuration file to remove the facilities that
are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent
for detailed instructions on how to do this.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 203/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You must run the following command **on those machines** to disable the synchronization of the agent with the Syslog configuration in Microsoft
Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten.
upvoted 4 times
youl_cla 8 months ago
Server 2 & Server 2
cf: the purple note on the documentation provided: https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog
upvoted 1 times
Correct Answer: CD
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook?tabs=LAC
Microsoft Sentinel's Automation rules can be used to automatically trigger actions or playbooks in response to detected security incidents. This
reduces the need for manual intervention and minimizes administrative effort.
Playbooks in Microsoft Sentinel can be used to automate incident response tasks and remediation steps, such as quarantining an affected machine
or disabling a compromised account. This allows you to quickly and consistently take action on security incidents, further reducing administrative
effort.
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 204/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a
dashboard. The solution must minimize development effort.
What should you use to create the visuals?
A. plotly
B. TensorFlow
C. msticpy
D. matplotlib
Correct Answer: C
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: query log data from multiple
sources. enrich the data with Threat Intelligence, geolocations and Azure resource data. extract Indicators of Activity (IoA) from logs and
unpack encoded data.
MSTICPy reduces the amount of code that customers need to write for Microsoft Sentinel, and provides:
Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint, Splunk, and other data sources.
Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.
Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction, and WhoIs lookups.
Visualization tools using event timelines, process trees, and geo mapping.
Advanced analyses, such as time series decomposition, anomaly detection, and clustering.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebook-get-started https://msticpy.readthedocs.io/en/latest/
msticpy is a Python library that can be used to quickly and easily create visuals in Jupyter notebooks for Microsoft Sentinel. It has built-in support
for Kusto queries, making it easy to retrieve and visualize the results of custom queries you've created in your Sentinel workspace. Additionally,
msticpy contains a number of pre-built visualizations and functions that can be easily incorporated into your notebooks, minimizing development
effort. So, it is the best option to create the visuals.
upvoted 1 times
Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint, Splunk, and other data sources.
Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.
Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction, and WhoIs lookups.
Visualization tools using event timelines, process trees, and geo mapping.
Advanced analyses, such as time series decomposition, anomaly detection, and clustering.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 205/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have a Microsoft Sentinel workspace named sws1.
You need to create a hunting query to identify users that list storage keys of multiple Azure Storage accounts. The solution must exclude users
that list storage keys for a single storage account.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 206/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Box 1: AzureActivity -
The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your
query with the following code:
Box 2: autocluster()
Example: description: |
'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access
to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source
IP address from which it is being done is anomalous.
The query below generates known clusters of ip address per caller, notice that users which only had single operations do not appear in this list
as we cannot learn from it their normal activity (only based on a single event). The activities for listing storage account keys is correlated with
this learned clusters of expected activities and activity which is not expected is returned.'
AzureActivity -
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| join kind= inner (
AzureActivity -
| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action"
| where ActivityStatusValue == "Succeeded"
| project ExpectedIpAddress=CallerIpAddress, Caller
| evaluate autocluster()
) on Caller
| where CallerIpAddress != ExpectedIpAddress
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount =
dcount
(ResourceId) by OperationNameValue, Caller, CallerIpAddress
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
Reference:
https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity/Anomalous_Listing_Of_Storage_Keys.yaml
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 207/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
First one is kind given away within the answer. Then second keyword is evaluate, which is the operator for the autocluster() plugin.
Answer is correct.
upvoted 7 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 208/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have a Microsoft Sentinel workspace named workspace1 and an Azure virtual machine named VM1.
You receive an alert for suspicious use of PowerShell on VM1.
You need to investigate the incident, identify which event triggered the alert, and identify whether the following actions occurred on VM1 after the
alert:
The modification of local group memberships
Correct Answer:
Incident Insights -
The Incident Insights gives the analyst a view of ongoing Sentinel Incidents and allows for quick access to their associated metadata including
alerts and entity information.
Entity Insights -
The Entity Insights allows the analyst to take entity data either from an incident or through manual entry and explore related information about
that entity. This workbook presently provides view of the following entity types:
IP Address -
Account -
Host -
URL -
Step 3: From the details pane of the incident, select Investigate.
Choose a single incident and click View full details or Investigate.
Reference:
https://github.com/Azure/Azure-Sentinel/wiki/Investigation-Insights---Overview https://docs.microsoft.com/en-us/azure/sentinel/investigate-
cases
First click on ticket, then investigate, then insight and then asset.
Just tested.
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 210/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have a Microsoft Sentinel workspace that contains the following incident.
Brute force attack against Azure Portal analytics rule has been triggered.
You need to identify the geolocation information that corresponds to the incident.
What should you do?
B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.
C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.
Correct Answer: A
Potential malicious events: When traffic is detected from sources that are known to be malicious, Microsoft Sentinel alerts you on the map. If
you see orange, it is inbound traffic: someone is trying to access your organization from a known malicious IP address. If you see Outbound
(red) activity, it means that data from your network is being streamed out of your organization to a known malicious IP address.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/get-visibility#get-visualization
The Potential malicious events map in the Overview section of Microsoft Sentinel can display geolocation information for incidents, such as a brute
force attack against an Azure Portal analytics rule. By reviewing this map, you can identify the location from where the attack is originating.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 211/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 1 times
kiketxu 2 months, 4 weeks ago
Currently, this question is outdated. It can't be in the Overview (A) because the Map was removed from there.
Additionally, the question is asking to identify the geolocation information that corresponds to the incident. So, I opt for B, inside Investigation and
selecting the IP, in entities you can find Geolocation info.
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 212/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have two Azure subscriptions that use Microsoft Defender for Cloud.
You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must
minimize administrative effort.
What should you do in the Azure portal?
Correct Answer: D
You can use alerts suppression rules to suppress false positives or other unwanted security alerts from Defender for Cloud.
Note: To create a rule directly in the Azure portal:
1. From Defender for Cloud's security alerts page:
Select the specific alert you don't want to see anymore, and from the details pane, select Take action.
Or, select the suppression rules link at the top of the page, and from the suppression rules page select Create new suppression rule:
2. In the new suppression rule pane, enter the details of your new rule.
Your rule can dismiss the alert on all resources so you don't get any alerts like this one in the future.
Your rule can dismiss the alert on specific criteria - when it relates to a specific IP address, process name, user account, Azure resource, or
location.
3. Enter details of the rule.
4. Save the rule.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules
To suppress specific Defender for Cloud security alerts at the root management group level, you can create an Azure Policy assignment. This will
allow you to apply a policy that will suppress the alerts across all subscriptions and management groups in the tenant. Azure Policy allows you to
define and assign policies that govern your resources and enforce compliance. By creating an Azure Policy assignment, you can set up the
suppression of alerts in one place, minimizing administrative effort.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 213/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Selected Answer: A
"To suppress alerts at the management group level, use Azure Policy"
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule
upvoted 2 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 214/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named
User1.
You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.
Which role should you assign to User1?
B. Owner
C. Contributor
D. Reader
Correct Answer: B
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 215/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active
Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?
A. a repository connection
B. a watchlist
C. an analytics rule
D. an automation rule
Correct Answer: D
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 216/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. Fusion
B. Microsoft Security
C. ML Behavior Analytics
D. Scheduled
Correct Answer: A
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 217/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines.
You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:
✑ Minimize administrative effort.
✑ Minimize the parsing required to read fog data.
What should you configure?
D. a Syslog connector
Correct Answer: D
Minimize the parsing required to read fog data. CEF connector sends Common Event Format data which means easy to read. As for administrative
effort. You only need to configure the CEF server to listen for syslog from all the linux vms and then send the CEF data to Sentinel.
upvoted 9 times
CEF is a standard format for log data that is used by many security and event management systems, including Microsoft Sentinel. By using a CEF
connector, the log data can be ingested into Sentinel with minimal parsing required, reducing administrative effort. Additionally, CEF is a widely
supported format among security products, so it will minimize administrative effort by not having to configure multiple connectors to different
products.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 218/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
and it requires parsing to extract the relevant data from the logs. This can require additional effort and resources, particularly if the logs are large or
complex.
In contrast, the Syslog connector is a widely-used standard for logging system events that is supported by many systems, including Linux systems.
Syslog uses a simple text-based format that is easy to parse and understand, minimizing the effort and resources required to extract the relevant
data from the logs. Therefore, using a Syslog connector may be a better choice for minimizing administrative effort and the parsing required to
read log data in this scenario.
upvoted 2 times
yaza85 3 months, 2 weeks ago
Selected Answer: C
CEF is a format that uses Syslog but is in a common format so no parsing in Sentinel is needed
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 219/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT -
You have 100 Azure subscriptions that have enhanced security features in Microsoft Defender for Cloud enabled. All the subscriptions are inked to
a single Azure
Active Directory (Azure AD) tenant.
You need to stream the Defender for Cloud logs to a syslog server. The solution must minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
With Log Analytics Workspace, you can configure Defender for Cloud to stream logs to the workspace and then set up a Log Analytics action group
to forward the logs to the syslog server. This can be done in the Azure portal, which provides a simple and intuitive interface for setting up log
forwarding.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 220/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
In comparison, using Event Hubs requires you to set up and configure the Event Hubs Forwarder or an event hub consumer to stream the logs
from the Event Hub to the syslog server. This may require additional setup and configuration, which can increase the administrative effort required
to stream the Defender for Cloud logs to a syslog server.
Therefore, if you want to minimize administrative effort, I would recommend using Log Analytics Workspace to stream the Defender for Cloud logs
to a syslog server.
upvoted 1 times
SuperGraham 2 months ago
As the question asks that 'the solution must minimize administrative effort' - configuring 100 subscriptions can't be correct, so the answer is Event
Hub and Azure Policy.
upvoted 1 times
To stream alerts into //Syslog servers// ,and other monitoring solutions, connect Defender for Cloud using continuous export and Azure Event
Hubs.
Note:
To stream alerts at the tenant level, use this //Azure policy// and set the scope at the root management group.
upvoted 3 times
The question says to export to a Syslog and Syslog is not used by Microsoft Sentinel since is already natively integrated, the answer should be
Event Hub.
https://docs.microsoft.com/en-us/azure/defender-for-cloud/export-to-siem
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 221/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
DRAG DROP -
You have an Azure subscription that contains 100 Linux virtual machines.
You need to configure Microsoft Sentinel to collect event logs from the virtual machines.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
Correct Answer:
upvoted 6 times
AMZ Most Recent 3 months, 3 weeks ago
Not sure about the options - You wouldn't add a syslog connector to the workspace, as it is on by default. - I'm wondering if they want you to
enable the workbook? Defo not security events as that is for Windows hosts. gonna say add workbook for the last step.
upvoted 1 times
You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must minimize administrative effort.
C. Create a watchlist.
D. Create a playbook.
Correct Answer: D
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 223/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
A. Remove line 5.
B. Remove line 2.
Correct Answer: B
https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 224/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to create a custom report that will visualise sign-in information over time.
A. a hunting query
B. a workbook
C. a notebook
D. a playbook
Correct Answer: B
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 225/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements:
• Ensure that failed sign-in alerts are generated for other accounts.
• Minimize administrative effort
B. Create a watchlist.
Correct Answer: D
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 226/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
Correct Answer:
AuditLogs
| where OperationName == "Add user"
// show all newly created users, this part will identify creation of user 3 and user 5
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 227/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 228/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
For each of the following statements, select Yes if the statement is true. Otherwise. select No.
Correct Answer:
So my guess
N,N,Y
upvoted 2 times
upvoted 1 times
learnlearnlearn 1 month ago
"The watchlist can not be updated after it is created" should be "No". This here are docs explaining how to edit them
https://learn.microsoft.com/en-us/azure/sentinel/watchlists-manage#edit-a-watchlist-item
upvoted 2 times
HOTSPOT
-
You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that produces a schema named Schema1.
How should you complete the command? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 230/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled.
You need to identify all the log entries that relate to security-sensitive user actions performed on a server named Server1. The solution must meet
the following requirements:
• Only include security-sensitive actions by users that are NOT members of the IT department.
• Minimize the number of false positives.
How should you complete the query? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 231/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours.
How should you complete the query? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 232/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You plan to implement a Microsoft Sentinel workspace. You anticipate that you will ingest 20 GB of security log data per day.
You need to configure storage for the workspace. The solution must meet the following requirements:
What should you do for each requirement? To answer, select the appropriate options in the answer area.
Correct Answer:
Retention for Application Insights data types default to 90 days and will get the workspace retention if it is over 90 days
upvoted 1 times
PAYG sounds more practical here due to the commitment tier being 100gb which is much more than 20gb.
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 233/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 1 times
HOTSPOT
-
You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in
sws1.
You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:
How should you configure the credentials? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 234/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
Correct Answer: BC
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 235/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows.
Correct Answer: D
The take operator allows you to limit the number of rows returned by a query. By including the take operator in the grid query and specifying a
maximum of 100 rows, you can ensure that the grid in Workbook1 contains a maximum of 100 rows.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 236/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You plan to create a custom workbook that will include a time chart.
You need to create a query that will identify the number of security alerts per day for each provider.
How should you complete the query? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 237/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.
A. an analytic rule
B. a watchlist
C. a workbook
D. a hunting query
Correct Answer: B
An analytic rule allows you to specify the conditions under which data is collected and analyzed. By creating an analytic rule in Workspace1, you
can exclude a built-in, source-specific ASIM parser from a built-in unified ASIM parser by specifying conditions that exclude the data generated by
that parser.
For example, you could create an analytic rule that filters out all events generated by the built-in, source-specific parser you want to exclude, by
using the "where" clause, this way the unified parser will not process the events generated by that source-specific parser.
While the other options (B, C, D) are useful for different purposes, but none of them can be used to exclude a specific parser from a unified parser.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 238/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.
Correct Answer: C
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 239/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
You configure Workspace1 to collect DNS events and deploy the Advanced Security Information Model (ASIM) unifying parser for the DNS
schema.
You need to query the ASIM DNS schema to list all the DNS events from the last 24 hours that have a response code of ‘NXDOMAIN’ and were
aggregated by the source IP address in 15-minute intervals. The solution must maximize query performance.
How should you complete the query? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 240/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
Your on-premises network contains 100 servers that run Windows Server.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
What should you do? To answer, select the appropriate options in the answer area.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 241/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data
connector.
You need to customize which details will be included when an alert is created for a specific event.
Correct Answer: A
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the
DNS schema.
You need to make the 200 parses available in Workspace1. The solution must minimize administrative effort.
Correct Answer: D
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 242/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
HOTSPOT
-
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 243/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 244/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 4 - Testlet 1
Question #1 Topic 4
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 245/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
The issue for which team can be resolved by using Microsoft Defender for Endpoint?
A. executive
B. sales
C. marketing
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-atp-ios
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 246/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 4
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 247/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its
own Azure
AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides
you with the following incomplete query.
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
The issue for which team can be resolved by using Microsoft Defender for Office 365?
A. executive
B. marketing
C. security
D. sales
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/atp-for-spo-odb-and-teams?view=o365-worldwide
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 248/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 5 - Testlet 2
Question #1 Topic 5
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 249/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Planned Changes -
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Question
You need to implement the Azure Information Protection requirements.
What should you configure first?
A. Device health and compliance reports settings in Microsoft Defender Security Center
C. content scan jobs in Azure Information Protection from the Azure portal
Correct Answer: D
Reference:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 250/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/threat-protection-integration?view=o365-worldwide#azure-
information-protection
upvoted 2 times
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/information-protection-in-windows-overview?view=o365-
worldwide#data-discovery-and-data-classification
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 251/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 5
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 252/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Question
You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements and resolve the reported problem.
Which policy should you modify?
C. Impossible travel
D. Risky sign-in
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
Resolve the requirement: In the Impossible Travel policy, you can set the sensitivity slider to determine the level of anomalous behavior needed
before an alert is triggered
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy#tune-anomaly-detection-policies
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 254/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #3 Topic 5
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 255/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Question
DRAG DROP -
You need to configure DC1 to meet the business requirements.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and
arrange them in the correct order.
Select and Place:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 256/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 257/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 6 - Testlet 3
Question #1 Topic 6
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 258/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Planned Changes -
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Question
HOTSPOT -
You need to implement Azure Defender to meet the Azure Defender requirements and the business requirements.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 259/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Common is also correct. following the link referenced by ReffG it is stated for common logs: 'A standard set of events for auditing purposes. A full
user audit trail is included in this set.'
upvoted 15 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 260/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 7 - Testlet 4
Question #1 Topic 7
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 261/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
HOTSPOT -
You need to recommend remediation actions for the Azure Defender alerts for Fabrikam.
What should you recommend for each threat? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/key-vault/general/security-features https://docs.microsoft.com/en-us/azure/key-
vault/general/secure-your-key-vault
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 263/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 7
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 264/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Develop a procedure to remediate Azure Defender for Key Vault alerts for Contoso in case of external and internal threats. The solution must
minimize the impact on legitimate attempts to access the key vault content.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides
you with the following incomplete query.
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
You need to recommend a solution to meet the technical requirements for the Azure virtual machines.
What should you include in the recommendation?
B. Azure Defender
C. Azure Firewall
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/security-center/azure-defender
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 265/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 8 - Testlet 5
Question #1 Topic 8
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 266/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
You need to complete the query for failed sign-ins to meet the technical requirements.
Where can you find the column name to complete the where clause?
C. Azure Advisor
Correct Answer: D
BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| extend ActivityInsightsArray=parse_json(ActivityInsights)
| extend UnusualFailedSignIns = tostring(parse_json(ActivityInsightsArray).UnusualNumberOfFailedSignInOfThisUser)
| where UnusualFailedSignIns == True
| summarize count() by SourceIPLocation, UserName
| order by count_ desc
upvoted 9 times
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/log-analytics-tutorial#write-a-query
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 267/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 8
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 268/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its
own Azure
AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides
you with the following incomplete query.
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
You need to remediate active attacks to meet the technical requirements.
What should you include in the solution?
C. Azure Functions
Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 269/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #3 Topic 8
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 270/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its
own Azure
AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides
you with the following incomplete query.
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
HOTSPOT -
You need to create an advanced hunting query to investigate the executive team issue.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
The appfileevents had the folderpath column but the updated cloudappevents query did not have the folderpath column as it is not part of
cloudappevents.
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 271/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
"The AppFileEvents table, which contains file activities from these applications, will stop getting populated with new data in early 2021.
Activities involving these applications, including file activities, will be recorded in the new CloudAppEvents table"
upvoted 6 times
fr54fr Highly Voted 1 year, 8 months ago
users hunting through file-related activities in cloud services should use the CloudAppEvents table instead [Column name: ActivityObjects - List of
objects, such as files or folders, that were involved in the recorded activity]
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-cloudappevents-table?view=o365-worldwide
upvoted 13 times
CloudAppEvents
| where timeStamp > ago(2d)
| where ActionType in ("Data Access", "Data Download", "Data Deletion")
| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName
| where activityCount > 5
upvoted 3 times
"The AppFileEvents table, which contains file activities from these applications, will stop getting populated with new data in early 2021. Activities
involving these applications, including file activities, will be recorded in the new CloudAppEvents table."
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 272/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 3 times
Contactfornitish 11 months, 4 weeks ago
Cloud app events + Count
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 273/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #4 Topic 8
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The
branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.
Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.
Existing Environment -
End-User Environment -
All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of
the sales team at Contoso.
Current Problems -
The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which
cybersecurity alerts are legitimate threats, and which are not.
The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In
the past, the sales team experienced phishing attacks on their devices.
The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has
had several incidents in which vendors uploaded files that contain malware.
The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities
during the past
48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.
Requirements -
Planned Changes -
Contoso plans to integrate the security operations of both companies and manage all security operations centrally.
Technical Requirements -
Contoso identifies the following technical requirements:
Receive alerts if an Azure virtual machine is under brute force attack.
Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.
Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 274/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its
own Azure
AD applications.
Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides
you with the following incomplete query.
BehaviorAnalytics -
| where ActivityType == "FailedLogOn"
| where ________ == True
Question
HOTSPOT -
You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements.
What should you include in the solution? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 275/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
1, workspace to colocate
upvoted 1 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 276/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Topic 9 - Testlet 6
Question #1 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 277/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Planned Changes -
Litware plans to implement the following changes:
Create and configure Azure Sentinel in the Azure subscription.
Validate Azure Sentinel functionality by using Azure AD test user accounts.
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Question
You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements.
Which two configurations should you modify? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.
A. the Onboarding settings from Device management in Microsoft Defender Security Center
Correct Answer: CD
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/mde-govern
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 278/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Nope - the given answers are correct. Check the provided link. It's a two part process:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 279/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #2 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 280/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Question
DRAG DROP -
You need to add notes to the events to meet the Azure Sentinel requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of action to the answer area and
arrange them in the correct order.
Select and Place:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 281/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/bookmarks
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 282/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #3 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 283/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Question
HOTSPOT -
You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 284/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/cloud-app-security/siem-sentinel
Ref:
https://docs.microsoft.com/en-us/defender-cloud-apps/siem-sentinel
https://docs.microsoft.com/en-us/azure/sentinel/data-connectors-reference#microsoft-defender-for-cloud-apps
https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-cloud-app-security-mcas-activity-log-in-azure-sentinel/ba-p/1849806
upvoted 11 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 285/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #4 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 286/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Question
You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements.
Which role should you assign?
A. Automation Operator
Correct Answer: C
Litware must meet the following requirements:
✑ Ensure that a user named admin1 can configure Azure Sentinel playbooks.
✑ The principle of least privilege must be used whenever possible.
Azure Sentinel Contributor can view data, incidents, workbooks, and other Azure Sentinel resources, manage incidents (assign, dismiss, etc.),
create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles
The below link describes that if you were to give someone Azure Sentinel Contributor(50%) and Logic App Contributor(Other 50%) they can create
and run playbooks.
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 287/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
https://learn.microsoft.com/en-us/azure/sentinel/roles#microsoft-sentinel-roles-permissions-and-allowed-actions
upvoted 2 times
Lion007 7 months, 3 weeks ago
Selected Answer: C
Azure Sentinel Contributor is the only provided correct role. If "Log Analytics Contributor" or "Microsoft Sentinel Automation Contributor" they
would be better suited to meet the business requirement for least privilege.
Contributor: "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure
Blueprints, or share image galleries." Ref https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 288/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #5 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 289/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Question
Which rule setting should you configure to meet the Azure Sentinel requirements?
Correct Answer: C
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom
If you don't map entities, you can't group alerts under "Incident settings" becuase the drop down menu will show "no available items".
upvoted 6 times
https://docs.microsoft.com/en-us/azure/sentinel/map-data-fields-to-entities#how-to-map-entities
upvoted 4 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 290/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
upvoted 3 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 291/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Question #6 Topic 9
Introductory Info
Case study -
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However,
there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions
included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might
contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is
independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to
the next section of the exam. After you begin a new section, you cannot return to this section.
Overview -
Litware Inc. is a renewable energy company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including
cloud resources, the remote users establish a VPN connection to either office.
Existing Environment -
Identity Environment -
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.
Azure Environment -
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as
shown in the following table.
Network Environment -
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.
On-premises Environment -
The on-premises network contains the computers shown in the following table.
Current problems -
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.
Planned Changes and Requirements
Planned Changes -
Litware plans to implement the following changes:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 292/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Business Requirements -
Litware identifies the following business requirements:
The principle of least privilege must be used whenever possible.
Costs must be minimized, as long as all other requirements are met.
Logs collected by Log Analytics must provide a full audit trail of user activities.
All domain controllers must be protected by using Microsoft Defender for Identity.
Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection `" Data
discovery dashboard.
Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.
Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.
Question
HOTSPOT -
You need to create the analytics rule to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 293/294
2/20/23, 6:58 PM SC-200 Exam – Free Actual Q&As, Page 1 | ExamTopics
Correct Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-detect-threats-custom#set-automated-responses-and-create-the-rule
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook
None of the playbook options can be used except trigger so it must be trigger.
upvoted 5 times
https://www.examtopics.com/exams/microsoft/sc-200/custom-view/ 294/294