microsoft sc-200 practice test
microsoft security operations analyst
Question 1
HOTSPOT
You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.
You have an Azure DevOps organization named AzDO1.
You need to integrate Sub1 and AzDO1. The solution must meet the following requirements:
Detect secrets exposed in pipelines by using Defender for Cloud.
Minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Question 2
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort.
What should you use to create the visuals?
- A. plotly
- B. TensorFlow
- C. msticpy
- D. matplotlib
Answer:
c
msticpy is a library for InfoSec investigation and hunting in Jupyter Notebooks. It includes functionality to: query log data from multiple sources. enrich the data with Threat Intelligence, geolocations and Azure resource data. extract Indicators of Activity (IoA) from logs and unpack encoded data.
MSTICPy reduces the amount of code that customers need to write for Microsoft Sentinel, and provides:
Data query capabilities, against Microsoft Sentinel tables, Microsoft Defender for Endpoint, Splunk, and other data sources.
Threat intelligence lookups with TI providers, such as VirusTotal and AlienVault OTX.
Enrichment functions like geolocation of IP addresses, Indicator of Compromise (IoC) extraction, and WhoIs lookups.
Visualization tools using event timelines, process trees, and geo mapping.
Advanced analyses, such as time series decomposition, anomaly detection, and clustering.
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/notebook-get-started https://msticpy.readthedocs.io/en/latest/
Question 3
You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?
- A. extend
- B. bin
- C. count
- D. workspace
Answer:
c
Reference:
https://docs.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-chart-visualizations
Question 4
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?
- A. Yes
- B. No
Answer:
a
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
Question 5
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Purview and contains a user named User1.
User1 shares a Microsoft Power BI report file from the Microsoft OneDrive folder of your company to an external user by using Microsoft Teams.
You need to identify which Power BI report file was shared.
How should you configure the search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Question 6
Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.
To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.
At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.
To start the case study To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.
Overview
Fabrikam, Inc. is a financial services company.
The company has branch offices in New York, London, and Singapore. Fabrikam has remote users located across the globe. The remote users access company resources, including cloud resources, by using a VPN connection to a branch office.
Existing Environment
Identity Environment
The network contains an Active Directory Domain Services (AD DS) forest named fabrikam.com that syncs with an Azure AD tenant named fabrikam.com. To sync the forest, Fabrikam uses Azure AD Connect with pass-through authentication enabled and password hash synchronization disabled.
The fabrikam.com forest contains two global groups named Group1 and Group2.
Microsoft 365 Environment
All the users at Fabrikam are assigned a Microsoft 365 E5 license and an Azure Active Directory Premium Plan 2 license.
Fabrikam implements Microsoft Defender for Identity and Microsoft Defender for Cloud Apps and enables log collectors.
Azure Environment
Fabrikam has an Azure subscription that contains the resources shown in the following table.
Amazon Web Services (AWS) Environment
Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022. The image includes Microsoft SQL Server 2019 and does NOT have any agents installed.
Current Issues
When the users use the VPN connections, Microsoft 365 Defender raises a high volume of impossible travel alerts that are false positives.
Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.
Requirements
Planned changes
Fabrikam plans to implement the following services:
Microsoft Defender for Cloud
Microsoft Sentinel
Business Requirements
Fabrikam identifies the following business requirements:
Use the principle of least privilege, whenever possible.
Minimize administrative effort.
Microsoft Defender for Cloud Apps Requirements
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
Ensure that impossible travel alert policies are based on the previous activities of each user.
Reduce the amount of impossible travel alerts that are false positives.
Microsoft Defender for Identity Requirements
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Defender for Cloud Requirements
Fabrikam identifies the following Microsoft Defender for Cloud requirements:
Ensure that the members of Group2 can modify security policies.
Ensure that the members of Group1 can assign regulatory compliance policy initiatives at the Azure subscription level.
Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.
Minimize the administrative effort required to investigate the false positive alerts.
Microsoft Sentinel Requirements
Fabrikam identifies the following Microsoft Sentinel requirements:
Query for NXDOMAIN DNS requests from the last seven days by using built-in Advanced Security Information Model (ASIM) unifying parsers.
From AWS EC2 instances, collect Windows Security event log entries that include local group membership changes.
Identify anomalous activities of Azure AD users by using User and Entity Behavior Analytics (UEBA).
Evaluate the potential impact of compromised Azure AD user credentials by using UEBA.
Ensure that App1 is available for use in Microsoft Sentinel automation rules.
Identify the mean time to triage for incidents generated during the last 30 days.
Identify the mean time to close incidents generated during the last 30 days.
Ensure that the members of Group1 can create and run playbooks.
Ensure that the members of Group1 can manage analytics rules.
Run hunting queries on Pool1 by using Jupyter notebooks.
Ensure that the members of Group2 can manage incidents.
Maximize the performance of data queries.
Minimize the amount of collected data.
You need to ensure that you can run hunting queries to meet the Microsoft Sentinel requirements.
Which type of workspace should you create?
- A. Azure Synapse Analytics
- B. Azure Machine Learning
- C. Log Analytics
- D. Azure Databricks
Answer:
b
Question 7
HOTSPOT
You have an Azure DevOps organization that contains an Azure Repos repository named Repo1 and is onboarded to Microsoft Defender for DevOps.
You create infrastructure as code (IaC) files and store them in Repo1. The IaC files are formatted as Bicep files and Helm charts.
You need to configure Defender for DevOps to identify misconfigurations in the IaC files.
Which scanning tool should you use for each type of files? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Question 8
You need to remediate active attacks to meet the technical requirements.
What should you include in the solution?
- A. Azure Automation runbooks
- B. Azure Logic Apps
- C. Azure Functions
- D. Azure Sentinel livestreams
Answer:
b
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/automate-responses-with-playbooks
Question 9
HOTSPOT
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.
You need to ensure that the incidents in WS1 include a list of actions that must be performed. The solution must meet the following requirements:
Ensure that you can build a tailored list of actions for each type of incident.
Minimize administrative effort.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Answer:
Question 10
HOTSPOT You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The solution must minimize administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Answer:
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-office-365 https://docs.microsoft.com/en-us/azure/sentinel/connect-syslog