microsoft sc-200 practice test

Microsoft Security Operations Analyst

Note: Test Case questions are at the end of the exam
Last exam update: Jun 18 ,2024
Page 1 out of 8. Viewing questions 1-15 out of 110

Question 1 Topic 6, Mixed Questions

DRAG DROP
You have the resources shown in the following table.

You need to prevent duplicate events from occurring in SW1.
What should you use for each action? To answer, drag the appropriate resources to the correct actions. Each resource may
be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

Mark Question:
Answer:


Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/connect-log-forwarder?tabs=rsyslog

Discussions
0 / 1000

Question 2 Topic 6, Mixed Questions

HOTSPOT
You need to create a query for a workbook. The query must meet the following requirements:
List all incidents by incident number.

Only include the most recent log for each incident.

How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Mark Question:
Answer:


Explanation:
Reference:
https://www.drware.com/whats-new-soc-operational-metrics-now-available-in-sentinel/

Discussions
0 / 1000

Question 3 Topic 6, Mixed Questions

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a
unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while
others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in
the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is
detected.
Solution: You create a livestream from a query.
Does this meet the goal?

  • A. Yes
  • B. No
Mark Question:
Answer:

B

User Votes:
A
50%
B
50%

Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-azure-security-center

Discussions
vote your answer:
A
B
0 / 1000

Question 4 Topic 6, Mixed Questions

You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory
(Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for
contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by
anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer present part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Create custom rule based on the Office 365 connector templates.
  • B. Create a Microsoft incident creation rule based on Azure Security Center.
  • C. Create a Microsoft Cloud App Security connector.
  • D. Create an Azure AD Identity Protection connector.
Mark Question:
Answer:

A B

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
fezaan
8 months, 3 weeks ago

Wrong. Its C and D.


Question 5 Topic 6, Mixed Questions

You create a hunting query in Azure Sentinel.
You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The
solution must minimize effort.
What should you use?

  • A. a playbook
  • B. a notebook
  • C. a livestream
  • D. a bookmark
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Use livestream to run a specific query constantly, presenting results as they come in.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/hunting

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6 Topic 6, Mixed Questions

You use Azure Sentinel.
You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel
workbooks. The solution must use the principle of least privilege.
Which role should you assign to the analyst?

  • A. Azure Sentinel Contributor
  • B. Security Administrator
  • C. Azure Sentinel Responder
  • D. Logic App Contributor
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Azure Sentinel Contributor can create and edit workbooks, analytics rules, and other Azure Sentinel resources.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/roles

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7 Topic 6, Mixed Questions

You have the following environment:
Azure Sentinel

A Microsoft 365 subscription

Microsoft Defender for Identity

An Azure Active Directory (Azure AD) tenant

You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers.
You deploy Microsoft Defender for Identity by using standalone sensors.
You need to ensure that you can detect when sensitive groups are modified in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.
  • B. Modify the permissions of the Domain Controllers organizational unit (OU).
  • C. Configure auditing in the Microsoft 365 compliance center.
  • D. Configure Windows Event Forwarding on the domain controllers.
Mark Question:
Answer:

A D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection https://docs.microsoft.com/en-
us/defender-for-identity/configure-event-collection

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8 Topic 6, Mixed Questions

DRAG DROP
You need to use an Azure Sentinel analytics rule to search for specific criteria in Amazon Web Services (AWS) logs and to
generate incidents.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the
answer area and arrange them in the correct order.
Select and Place:

Mark Question:
Answer:


Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/detect-threats-custom

Discussions
0 / 1000

Question 9 Topic 6, Mixed Questions

You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is
activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Enable Entity behavior analytics.
  • B. Associate a playbook to the analytics rule that triggered the incident.
  • C. Enable the Fusion rule.
  • D. Add a playbook.
  • E. Create a workbook.
Mark Question:
Answer:

A B

User Votes:
A
50%
B
50%
C
50%
D
50%
E
50%

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/enable-entity-behavior-analytics https://docs.microsoft.com/en-
us/azure/sentinel/automate-responses-with-playbooks

Discussions
vote your answer:
A
B
C
D
E
0 / 1000
fezaan
8 months, 3 weeks ago

Wrong. Its B and D


Question 10 Topic 6, Mixed Questions

You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?

  • A. Create a Microsoft incident creation rule
  • B. Share the incident URL
  • C. Create a scheduled query rule
  • D. Assign the incident
Mark Question:
Answer:

D

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/investigate-cases

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11 Topic 6, Mixed Questions

HOTSPOT
You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The
solution must minimize administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

Mark Question:
Answer:


Explanation:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 https://docs.microsoft.com/en-us/azure/sentinel/connect-
syslog

Discussions
0 / 1000

Question 12 Topic 6, Mixed Questions

You use Azure Sentinel.
You need to receive an alert in near real-time whenever Azure Storage account keys are enumerated.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Create a livestream
  • B. Add a data connector
  • C. Create an analytics rule
  • D. Create a hunting query.
  • E. Create a bookmark.
Mark Question:
Answer:

B D

User Votes:
A
50%
B
50%
C
50%
D
50%
E
50%

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/livestream

Discussions
vote your answer:
A
B
C
D
E
0 / 1000

Question 13 Topic 6, Mixed Questions

You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by
Azure Security Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?

  • A. extend
  • B. bin
  • C. count
  • D. workspace
Mark Question:
Answer:

C

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-chart-visualizations

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14 Topic 6, Mixed Questions

You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of
compromise (IoC).
What should you use?

  • A. notebooks in Azure Sentinel
  • B. Microsoft Cloud App Security
  • C. Azure Monitor
  • D. hunting queries in Azure Sentinel
Mark Question:
Answer:

A

User Votes:
A
50%
B
50%
C
50%
D
50%

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/notebooks

Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15 Topic 6, Mixed Questions

You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  • A. Add a playbook.
  • B. Associate a playbook to an incident.
  • C. Enable Entity behavior analytics.
  • D. Create a workbook.
  • E. Enable the Fusion rule.
Mark Question:
Answer:

A B

User Votes:
A
50%
B
50%
C
50%
D
50%
E
50%

Explanation:
Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Discussions
vote your answer:
A
B
C
D
E
0 / 1000
To page 2