
Microsoft SC-200 Exam Actual Questions

Study online at https://quizlet.com/_azodrl

1. You are investigating an incident by using Microsoft 365 Defender.

You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop.

Complete the query.

2. You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.

Which anomaly detection policy should you use?

A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection

3. You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.

You have Microsoft SharePoint Online sites that contain sensitive documents.

The documents contain customer account numbers that each consist of 32 alphanumeric characters.

You need to create a data loss prevention (DLP) policy to protect the sensitive documents.

What should you use to detect which documents are sensitive?

A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching

4. Your company uses line-of-business apps that contain Microsoft Office VBA macros.

You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes.

Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.

5. Your company uses Microsoft Defender for Endpoint.

The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team.

You need to hide a false positive in the Alerts queue while maintaining the existing security posture.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.

B -> C -> E

6. Your environment does NOT have Microsoft Defender for Endpoint enabled.

You need to remediate the risk for the Launchpad app. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

7. You have a Microsoft 365 E5 subscription.

You plan to perform cross-domain investigations by using Microsoft 365 Defender.

You need to create an advanced hunting query to identify devices affected by a malicious email attachment.

How should you complete the query?

8. You have the following advanced hunting query in Microsoft 365 Defender.

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.

9. You are investigating a potential attack that deploys a new ransomware strain.

You have three custom device groups. The groups contain devices that store highly sensitive information.

You plan to perform automated actions on all devices. You need to be able to temporarily group the machines to perform actions on the devices.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.

10. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: From Entity tags, you add the accounts as Honeytoken accounts.

Does this meet the goal?

A. Yes
B. No

11. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: From Azure AD Identity Protection, you configure the sign-in risk policy.

Does this meet the goal?

A. Yes
B. No

12. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group.

Does this meet the goal?

A. Yes
B. No

13. You implement Safe Attachments policies in Microsoft Defender for Office 365.

Users report that email messages containing attachments take longer than expected to be received.

You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked.

What should you configure in the Safe Attachments policies?

A. Dynamic Delivery
B. Replace
C. Block and Enable redirect
D. Monitor and Enable redirect

14. You are informed of an increase in malicious email being received by users.

You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious email.

How should you complete the query?

15. You receive a security bulletin about a potential attack that uses an image file.

You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.

Which indicator type should you use?

A. a URL/domain indicator that has Action set to Alert only
B. a URL/domain indicator that has Action set to Alert and block
C. a file hash indicator that has Action set to Alert and block
D. a certificate indicator that has Action set to Alert and block

16. Your company deploys the following services:

Microsoft Defender for Identity
Microsoft Defender for Endpoint
Microsoft Defender for Office 365

You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege.

Which two roles should you assign to the analyst? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. the Compliance Data Administrator in Azure Active Directory (Azure AD)
B. the Active remediation actions role in Microsoft Defender for Endpoint
C. the Security Administrator role in Azure Active Directory (Azure AD)
D. the Security Reader role in Azure Active Directory (Azure AD)

17. You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.

You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash.

How should you complete the query? To answer, select the appropriate options in the answer area.

18. You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files.

Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.

A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
B. Select Investigate files, and then filter App to Office 365.
C. Select Investigate files, and then select New policy from search.
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
F. Select Investigate files, and then filter File Type to Document.

19. You purchase a Microsoft 365 subscription.

You plan to configure Microsoft Cloud App Security.

You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.

What should you use? To answer, select the appropriate options in the answer area.

20. Your company has a single office in Istanbul and a Microsoft 365 subscription.

The company plans to use conditional access policies to enforce multi-factor authentication (MFA).

You need to enforce MFA for all users who work remotely.

What should you include in the solution?

A. a fraud alert
B. a user risk policy
C. a named location
D. a sign-in user policy

21. You are configuring Microsoft Cloud App Security.

You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.

You receive many alerts related to impossible travel and sign-ins from risky IP addresses.

You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.

You need to prevent alerts for legitimate sign-ins from known locations.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Override automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.

22. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: You add each account as a Sensitive account.

Does this meet the goal?

A. Yes
B. No

23. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.

Does this meet the goal?

A. Yes
B. No

You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.

24. You receive an alert from Azure Defender for Key Vault.

You discover that the alert is generated from multiple suspicious IP addresses.

You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users.

What should you do first?

A. Modify the access control settings for the key vault.
B. Enable the Key Vault firewall.
C. Create an application security group.
D. Modify the access policy for the key vault.

25. You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You create an Azure logic app named LA1.

You plan to use LA1 to automatically remediate security risks detected in Azure Security Center.

You need to test LA1 in Security Center. What should you do? To answer, select the appropriate options in the answer area.

26. You have a Microsoft 365 subscription that uses Azure Defender.

You have 100 virtual machines in a resource group named RG1.

You assign the Security Admin role to a new user named SecAdmin1.

You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege.

Which role should you assign to SecAdmin1?

A. the Security Reader role for the subscription
B. the Contributor role for the subscription
C. the Contributor role for RG1
D. the Owner role for RG1

27. You provision a Linux virtual machine in a new Azure subscription. You enable Azure Defender and onboard the virtual machine to Azure Defender.

You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.

Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution.

A. cp /bin/echo ./asc_alerttest_662jfi039n
B. ./alerttest testing eicar pipe
C. cp /bin/echo ./alerttest
D. ./asc_alerttest_662jfi039n testing eicar pipe

28. You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.

You enable Azure Security Center and configure Security Center to use workspace1.

You need to collect security event logs from the Azure virtual machines that report to workspace1.

What should you do?

A. From Security Center, enable data collection.
B. In sub1, register a provider.
C. From Security Center, create a Workflow automation.
D. In workspace1, create a workbook.

29. You create a new Azure subscription and start collecting logs for Azure Monitor.

You need to configure Azure Security Center to detect possible threats related to sign-ins from suspicious IP addresses to Azure virtual machines. The solution must validate the configuration.

Which three actions should you perform in sequence?

30. Your company uses Azure Security Center and Azure Defender.

The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

What should you configure in Security Center to enable the email notifications?

A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender

31. You have resources in Azure and Google Cloud.

You need to ingest Google Cloud Platform (GCP) data into Azure Defender.

In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.

32. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Regulatory compliance, you download the report.

Does this meet the goal?

A. Yes
B. No

33. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section.

Does this meet the goal?

A. Yes
B. No

34. You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution.

To which service should you export the alerts?

A. Azure Cosmos DB
B. Azure Event Grid
C. Azure Event Hubs
D. Azure Data Lake

35. You are responsible for responding to Azure Defender for Key Vault alerts.

During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.

What should you configure to mitigate the threat?

A. Key Vault firewalls and virtual networks
B. Azure Active Directory (Azure AD) permissions
C. role-based access control (RBAC) for the key vault
D. the access policy settings of the key vault

36. You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.

How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

37. You have an Azure subscription that contains a Log Analytics workspace.

You need to enable just-in-time (JIT) VM access and network detections for Azure resources.

Where should you enable Azure Defender?

A. at the subscription level
B. at the workspace level
C. at the resource level

38. You use Azure Defender.

You have an Azure Storage account that contains sensitive information.

You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Azure Security Center, enable workflow automation.
B. Create an Azure logic app that has a manual trigger.
C. Create an Azure logic app that has an Azure Security Center alert trigger.
D. Create an Azure logic app that has an HTTP trigger.
E. From Azure Active Directory (Azure AD), add an app registration.

39. You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment.

You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a documented active exploit available.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

40. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

What should you do?

A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section.
B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.
C. From Regulatory compliance, download the report.
D. From Recommendations, download the CSV report.

41. You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.

You are troubleshooting an issue on the virtual machines.

In Security Center, you need to view the alerts generated by the virtual machines during the last five days.

What should you do?

A. Change the rule expiration date of the suppression rule.
B. Change the state of the suppression rule to Disabled.
C. Modify the filter for the Security alerts page.
D. View the Windows event logs on the virtual machines.

42. You have an Azure Storage account that will be accessed by multiple Azure Function apps during the development of an application.

You need to hide Azure Defender alerts for the storage account.

Which entity type and field should you use in a suppression rule? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

43. You create an Azure subscription.

You enable Azure Defender for the subscription.

You need to use Azure Defender to protect on-premises computers.

What should you do on the on-premises computers?

A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.

44. A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center.

You need to ensure that the security administrator receives email alerts for all the activities.

What should you configure in the Security Center settings?

A. the severity level of email notifications
B. a cloud connector
C. the Azure Defender plans
D. the integration settings for Threat detection

45. You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.

You need to hide the alerts automatically in Security Center.

Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

46. You have an Azure subscription.

You need to delegate permissions to meet the following requirements:

Enable and disable Azure Defender.
Apply security recommendations to resources.

The solution must use the principle of least privilege.

Which Azure Security Center role should you use for each requirement?

47. You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel.

You need to deploy the log forwarder.

Which three actions should you perform in sequence?

48. From Azure Sentinel, you open the Investigation pane for a high-severity incident.

If you hover over the VM you can view _____:

if you select _____ you can view the items related to the incident.

49. You have an Azure Sentinel deployment.

You need to query for all suspicious credential access activities.

Which three actions should you perform in sequence?

50. You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

You deploy Azure Sentinel.

You need to use the existing logic app as a playbook in Azure Sentinel.

What should you do first?

A. Add a new scheduled query rule.
B. Add a data connector to Azure Sentinel.
C. Configure a custom Threat Intelligence connector in Azure Sentinel.
D. Modify the trigger in the logic app.

51. Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.

What should you include in the recommendation?

A. built-in queries
B. livestream
C. notebooks
D. bookmarks

52. You have a playbook in Azure Sentinel.

When you trigger the playbook, it sends an email to a distribution group.

You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.

What should you do?

A. Add a parameter and modify the trigger.
B. Add a custom data connector and modify the trigger.
C. Add a condition and modify the action.
D. Add a parameter and modify the action.

53. You provision Azure Sentinel for a new Azure subscription.

You are configuring the Security Events connector.

While creating a new rule from a template in the connector, you decide to generate a new alert for every event.

You create the following rule query. By which two components can you group alerts into incidents?

A. user
B. resource group
C. IP address
D. computer

54. Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.

Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription.

You deploy Azure Sentinel to a new Azure subscription.

You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.

Which two actions should you perform?

A. Add the Security Events connector to the Azure Sentinel workspace.
B. Create a query that uses the workspace expression and the union operator.
C. Use the alias statement.
D. Create a query that uses the resource expression and the alias operator.
E. Add the Azure Sentinel solution to each workspace.

55. You have an Azure Sentinel workspace.

You need to test a playbook manually in the Azure portal.

From where can you run the test in Azure Sentinel?

A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents
