Free SC-200 Sample Questions — Microsoft Security Operations Analyst

Your company uses Azure Security Center and Azure Defender. The security operations team at the company informs you that it does NOT receive email notifications for security alerts. What should you configure in Security Center to enable the email notifications?

• A. Security solutions
• B. Security policy
• C. Pricing & settings
• D. Security alerts
• E. Azure Defender

You have a Microsoft 365 subscription that uses Microsoft 365 Defender. A remediation action for an automated investigation quarantines a file across multiple devices. You need to mark the file as safe and remove the file from quarantine on the devices. What should you use in the Microsoft 365 Defender portal?

• A. From the History tab in the Action center, revert the actions
• B. From the investigation page, review the AIR processes
• C. From Quarantine from the Review page, modify the rules
• D. From Threat tracker, review the queries

You recently deployed Azure Sentinel. You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled. You need to ensure that the Fusion rule can generate alerts. What should you do?

• A. Disable, and then enable the rule
• B. Add data connectors
• C. Create a new machine learning analytics rule
• D. Add a hunting bookmark

You need to visualize Microsoft Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC). What should you use?

• A. notebooks in Microsoft Sentinel
• B. Microsoft Defender for Cloud Apps
• C. Azure Monitor

You have a Microsoft Sentinel workspace. You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities. The solution must minimize administrative effort. Which rule type should you query?

• A. Fusion
• B. Microsoft Security
• C. ML Behavior Analytics
• D. Scheduled

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You start a Copilot for Security session and enter five prompts that each provide responses. You need to create a promptbook that will use the prompts but will NOT contain the responses. The solution must minimize administrative effort. What should you do?

• A. Select each prompt, and then select Create promptbook
• B. Create a new promptbook and include each prompt
• C. Enter a new prompt that has the following input: Create a promptbook from my session prompts
• D. Share the session, and then select Create promptbook

You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector. You need to create a new near-real-time (NRT) analytics rule that will use the playbook. What should you configure for the rule?

• A. the incident automation settings
• B. the query rule
• C. entity mapping
• D. the Alert automation settings

You have a Microsoft Sentinel workspace. You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs. The following entities are detected in the Azure AD tenant: • App name: App1 • IP address: 192.168.1.2 • Computer name: Device1 • Used client app: Microsoft Edge • Email address: [email protected] • Sign-in URL: https://www.company.com Which entities can be investigated by using UEBA?

• A. IP address and email address only
• B. app name, computer name, IP address, email address, and used client app only
• C. IP address only
• D. used client app and app name only

You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1. The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll. You need to submit files for deep analysis in Microsoft Defender XDR. Which files can you submit?

• A. File1.ps1 only
• B. File2.exe only
• C. File3.dll only
• D. File2.exe and File3.dll only
• E. File1.ps1 and File2.exe only
• F. File1.ps1, File2.exe, and File3.dll

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1. You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1. You need to identify which blobs were deleted. What should you review?

• A. the activity logs of storage1
• B. the Azure Storage Analytics logs
• C. the alert details
• D. the related entities of the alert

You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements and resolve the reported problem. Which policy should you modify?

• A. Activity from suspicious IP addresses
• B. Activity from anonymous IP addresses
• C. Impossible travel
• D. Risky sign-in

You are investigating a potential attack that deploys a new ransomware strain. You have three custom device groups. The groups contain devices that store highly sensitive information. You plan to perform automated actions on all devices. You need to be able to temporarily group the machines to perform actions on the devices. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

• A. Assign a tag to the device group
• B. Add the device users to the admin role
• C. Add a tag to the machines
• D. Create a new device group that has a rank of 1
• E. Create a new admin role
• F. Create a new device group that has a rank of 4

You need to complete the query for failed sign-ins to meet the technical requirements. Where can you find the column name to complete the where clause?

• A. Security alerts in Azure Security Center
• B. Activity log in Azure
• C. Azure Advisor
• D. the query windows of the Log Analytics workspace

You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured. You need to identify the impacted entities in an aggregated alert. What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?

• A. the Events tab of the alert
• B. the Sensitive Info Types tab of the alert
• C. Management log
• D. the Details tab of the alert

You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender. You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort. Which blade should you use in the Microsoft 365 Defender portal?

• A. Advanced hunting
• B. Threat analytics
• C. Incidents & alerts
• D. Learning hub

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database. You need to ensure that an incident is created in WS1 when the new attack vector is detected. What should you configure?

• A. a hunting livestream session
• B. a query bookmark
• C. a scheduled query rule
• D. a Fusion rule

You have an Azure Sentinel deployment in the East US Azure region. You create a Log Analytics workspace named LogsWest in the West US Azure region. You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest. What should you do first?

• A. Deploy Azure Data Catalog to the West US Azure region
• B. Modify the workspace settings of the existing Azure Sentinel deployment
• C. Add Azure Sentinel to a workspace
• D. Create a data connector in Azure Sentinel

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1. You need to enable Microsoft Defender for Cloud Apps session control for Site1. Which type of policy should you create first?

• A. access
• B. session
• C. app governance
• D. Conditional Access

You have a Microsoft 365 E5 subscription. Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365 and devices use full automation in Microsoft Defender for Endpoint. You have an incident involving a user that received malware-infected email messages on a managed device. Which action requires manual remediation of the incident?

• A. soft deleting the email message
• B. hard deleting the email message
• C. isolating the device
• D. containing the device

You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector. You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert. What should you create first?

• A. a repository connection
• B. a watchlist
• C. an analytics rule
• D. an automation rule