2. You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.

Which anomaly detection policy should you use?

A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
Microsoft SC-200 Exam Actual Questions
Study online at https://quizlet.com/_azodrl
7. You have a Microsoft 365 E5 subscription.
Which three actions should you perform? Each correct answer presents part of the solution.

A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.
exploit.
A. Dynamic Delivery
B. Replace
C. Block and Enable redirect
D. Monitor and Enable redirect
15. You receive a security bulletin about a potential attack that uses an image file.

You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.

Which indicator type should you use?

A. a URL/domain indicator that has Action set to Alert only
B. a URL/domain indicator that has Action set to Alert and block
C. a file hash indicator that has Action set to Alert and block
D. a certificate indicator that has Action set to Alert and block
D. the Security Reader role in Azure Active Directory (Azure AD)
18. You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files.

Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.

A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
B. Select Investigate files, and then filter App to Office 365.
C. Select Investigate files, and then select New policy from search.
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
F. Select Investigate files, and then filter File Type to Document.
20. Your company has a single office in Istanbul and a Microsoft 365 subscription.

The company plans to use conditional access policies to enforce multi-factor authentication (MFA).

You need to enforce MFA for all users who work remotely.
A. a fraud alert
B. a user risk policy
C. a named location
D. a sign-in user policy
21. You are configuring Microsoft Cloud App Security.

You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.

You receive many alerts related to impossible travel and sign-ins from risky IP addresses.

You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.

You need to prevent alerts for legitimate sign-ins from known locations.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Override automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
24. You receive an alert from Azure Defender for Key Vault.

You discover that the alert is generated from multiple suspicious IP addresses.

You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users.

What should you do first?

A. Modify the access control settings for the key vault.
B. Enable the Key Vault firewall.
C. Create an application security group.
D. Modify the access policy for the key vault.
25.
You have an Azure subscription that has Azure Defender enabled for all supported resource types.
26. You have a Microsoft 365 subscription that uses Azure Defender.

You have 100 virtual machines in a resource group named RG1.

You assign the Security Admin roles to a new user named SecAdmin1.

You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege.

A. the Security Reader role for the subscription
B. the Contributor for the subscription
C. the Contributor role for RG1
D. the Owner role for RG1
Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution.

A. cp /bin/echo ./asc_alerttest_662jfi039n
B. ./alerttest testing eicar pipe
C. cp /bin/echo ./alerttest
D. ./asc_alerttest_662jfi039n testing eicar pipe
30. Your company uses Azure Security Center and Azure Defender.

The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

What should you configure in Security Center to enable the email notifications?

A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender
34. You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution.

To which service should you export the alerts?

A. Azure Cosmos DB
B. Azure Event Grid
C. Azure Event Hubs
D. Azure Data Lake
35. You are responsible for responding to Azure Defender for Key Vault alerts.

During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.

What should you configure to mitigate the threat?

A. Key Vault firewalls and virtual networks
B. Azure Active Directory (Azure AD) permissions
C. role-based access control (RBAC) for the key vault
D. the access policy settings of the key vault
36.
You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.
37. You have an Azure subscription that contains a Log Analytics workspace.

You need to enable just-in-time (JIT) VM access and network detections for Azure resources.

Where should you enable Azure Defender?

A. at the subscription level
B. at the workspace level
C. at the resource level
tomation.
B. Create an Azure logic app that has a manual trigger.
C. Create an Azure logic app that has an Azure Security Center alert trigger.
D. Create an Azure logic app that has an HTTP trigger.
E. From Azure Active Directory (Azure AD), add an app registration.
D. From Recommendations, download the CSV report.
41. You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.

You are troubleshooting an issue on the virtual machines.

In Security Center, you need to view the alerts generated by the virtual machines during the last five days.

What should you do?

A. Change the rule expiration date of the suppression rule.
B. Change the state of the suppression rule to Disabled.
C. Modify the filter for the Security alerts page.
D. View the Windows event logs on the virtual machines.
43.
You create an Azure subscription.

You enable Azure Defender for the subscription.

You need to use Azure Defender to protect on-premises computers.

What should you do on the on-premises computers?

A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.
44. A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center.

You need to ensure that the security administrator receives email alerts for all the activities.

A. the severity level of email notifications
B. a cloud connector
C. the Azure Defender plans
D. the integration settings for Threat detection
You need to hide the alerts automatically in Security Center.
49.
You have an Azure Sentinel deployment.
50. You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

You deploy Azure Sentinel.

You need to use the existing logic app as a playbook in Azure Sentinel.

What should you do first?

A. Add a new scheduled query rule.
B. Add a data connector to Azure Sentinel.
C. Configure a custom Threat Intelligence connector in Azure Sentinel.
D. Modify the trigger in the logic app.
51. Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

A. built-in queries
B. livestream
C. notebooks
D. bookmarks
53. You provision Azure Sentinel for a new Azure subscription.

You are configuring the Security Events connector.

A. user
B. resource group
C. IP address
D. computer
54. Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.

Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics
workspace in each machine's respective subscription.

You deploy Azure Sentinel to a new Azure subscription.

You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.

Which two actions should you perform?

A. Add the Security Events connector to the Azure Sentinel workspace.
B. Create a query that uses the workspace expression and the union operator.
C. Use the alias statement.
D. Create a query that uses the resource expression and the alias operator.
E. Add the Azure Sentinel solution to each workspace.
A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents