Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 322
Measured Skill: Mitigate threats by using Microsoft Defender (25–30%)

You have an on-premises datacenter that contains a custom web app named App1. App1 uses Active Directory Domain Services (AD DS) authentication and is accessible by using Microsoft Entra application proxy.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You receive an alert that a user downloaded highly confidential documents.

You need to remediate the risk associated with the alert by requiring multi-factor authentication (MFA) when users use App1 to initiate the download of documents that have a Highly Confidential sensitivity label applied.

What should you do?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A For App1 to require MFA, use: Conditional Access
To implement a session policy, use: Microsoft Defender for Office 365
B For App1 to require MFA, use: Conditional Access
To implement a session policy, use: Microsoft Defender for Cloud Apps
C For App1 to require MFA, use: Microsoft Entra Domain Services
To implement a session policy, use: Microsoft Defender for Identity
D For App1 to require MFA, use: Microsoft Entra Domain Services
To implement a session policy, use: Microsoft Defender for Cloud Apps
E For App1 to require MFA, use: Microsoft Entra ID Protection
To implement a session policy, use: Microsoft Defender for Office 365
F For App1 to require MFA, use: Microsoft Entra ID Protection
To implement a session policy, use: Microsoft Defender for Identity

Correct answer: B

Explanation:

Microsoft Entra multifactor authentication safeguards access to data and applications by requiring a second form of authentication. The requirement is expressed in a Conditional Access policy that targets App1 and grants access only after MFA. For that policy to be evaluated, the Microsoft Entra application proxy must use Microsoft Entra ID as the pre-authentication method; with Passthrough pre-authentication the request never reaches Microsoft Entra ID, so neither Conditional Access nor a session policy can be enforced. App1 can keep its AD DS authentication: after the user pre-authenticates to Microsoft Entra ID, the private network connector signs the user into the backend, typically with Integrated Windows Authentication and Kerberos constrained delegation (KCD). The distractors do not fit: Microsoft Entra Domain Services provides a managed domain, not an access policy engine, and Microsoft Entra ID Protection produces risk signals that Conditional Access consumes; neither requires MFA for a specific app on its own.

Microsoft Defender for Cloud Apps session policies provide real-time, session-level visibility and control over cloud apps. The Conditional Access policy hands the App1 session to Defender for Cloud Apps through the session control Use Conditional Access App Control (with the Use custom policy option). A session policy of type Control file download (with inspection), filtered on files carrying the Highly Confidential sensitivity label, then decides what happens when the user initiates a download: the Block action stops the download outright, and the Require step-up authentication action redirects the user to Microsoft Entra ID to satisfy an authentication context that a Conditional Access policy ties to MFA, which is the requirement in this question.

For example, you may want to allow users to access an app from unmanaged devices or from specific locations, but limit the download of sensitive files during those sessions, or require that specific documents are protected from being downloaded, uploaded, or copied out of the app.
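Added example, not from the original page or from Microsoft: a Python check over Graph-shaped JSON for the two prerequisites named above, pre-authentication through Microsoft Entra ID and a Conditional Access policy that both requires MFA and routes the session to Defender for Cloud Apps. The object shapes follow the Microsoft Graph conditionalAccessPolicy (v1.0) and application.onPremisesPublishing (beta) resources; the application ID, display names and policy objects are constructed placeholders.

```python
from __future__ import annotations

# Constructed, Graph-shaped objects. Field names follow the Microsoft Graph
# conditionalAccessPolicy (v1.0) and application.onPremisesPublishing (beta)
# resources; the appId and display names are placeholders for this example.
APP1_ID = "00000000-0000-0000-0000-000000000001"

# Application proxy registration with Passthrough pre-authentication: the
# request never reaches Microsoft Entra ID, so no policy can act on it.
APP1_PASSTHRU = {"appId": APP1_ID, "displayName": "App1",
                 "onPremisesPublishing": {"externalAuthenticationType": "passthru"}}
# The same registration with Microsoft Entra ID pre-authentication.
APP1_PREAUTH = {"appId": APP1_ID, "displayName": "App1",
                "onPremisesPublishing": {"externalAuthenticationType": "aadPreAuthentication"}}

# Conditional Access policy that requires MFA for App1 but does not route the
# session to Defender for Cloud Apps.
POLICY_MFA_ONLY = {
    "displayName": "App1 - require MFA",
    "state": "enabled",
    "conditions": {"applications": {"includeApplications": [APP1_ID]},
                   "users": {"includeUsers": ["All"]}},
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    "sessionControls": None,
}
# Same policy plus the session control "Use Conditional Access App Control"
# with "Use custom policy" (mcasConfigured), which lets session policies apply.
POLICY_MFA_AND_SESSION = {
    **POLICY_MFA_ONLY,
    "displayName": "App1 - require MFA and route session to Defender for Cloud Apps",
    "sessionControls": {"cloudAppSecurity": {"isEnabled": True,
                                             "cloudAppSecurityType": "mcasConfigured"}},
}

def policies_for_app(app_id: str, policies: list[dict]) -> list[dict]:
    """Enabled policies whose application condition includes app_id (or All)."""
    selected = []
    for p in policies:
        apps = p.get("conditions", {}).get("applications", {}).get("includeApplications", [])
        if p.get("state") == "enabled" and (app_id in apps or "All" in apps):
            selected.append(p)
    return selected

def check_app1_controls(app: dict, policies: list[dict]) -> list[str]:
    """Return the gaps that would stop MFA and a session policy from applying to the app."""
    findings = []
    pre_auth = app.get("onPremisesPublishing", {}).get("externalAuthenticationType")
    if pre_auth != "aadPreAuthentication":
        findings.append(f"pre-authentication is {pre_auth!r}: Conditional Access and "
                        "session policies are not evaluated for this app")
    relevant = policies_for_app(app["appId"], policies)
    if not any("mfa" in (p.get("grantControls") or {}).get("builtInControls", [])
               for p in relevant):
        findings.append("no enabled Conditional Access policy requires MFA for this app")
    if not any(((p.get("sessionControls") or {}).get("cloudAppSecurity") or {}).get("isEnabled")
               for p in relevant):
        findings.append("no enabled policy uses Conditional Access App Control, so "
                        "Defender for Cloud Apps cannot enforce a session policy")
    return findings

if __name__ == "__main__":
    for app, pols in ((APP1_PASSTHRU, [POLICY_MFA_ONLY]),
                      (APP1_PREAUTH, [POLICY_MFA_AND_SESSION])):
        print(app["onPremisesPublishing"]["externalAuthenticationType"],
              check_app1_controls(app, pols) or ["no gaps"])
```

Run against objects exported from Graph (GET /applications and GET /identity/conditionalAccess/policies) the same function reports which of the three prerequisites is missing for a given proxied app; the Passthrough registration with the MFA-only policy yields two findings, the pre-authenticated registration with the combined policy yields none.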

References:

Create Microsoft Defender for Cloud Apps session policies

Plan a Microsoft Entra multifactor authentication deployment

Add an on-premises application for remote access through application proxy in Microsoft Entra ID



Question: 323
Measured Skill: Mitigate threats by using Microsoft Defender (25–30%)

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You have a query that contains the following statements.

union DeviceEvents, DeviceProcessEvents
| where ingestion_time() > ago(1d)
...


You need to configure a custom detection rule that will use the query. The solution must minimize how long it takes to be notified about events that match the query.

Which frequency should you select for the rule?

A Every hour
B Continuous (NRT)
C Every 12 hours
D Every 3 hours

Correct answer: B

Explanation:

Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.

When you save a new rule, it runs and checks for matches from the past 30 days of data. The rule then runs again at fixed intervals, applying a lookback duration based on the frequency you choose:

  • Every 24 hours - Runs every 24 hours, checking data from the past 30 days.
  • Every 12 hours - Runs every 12 hours, checking data from the past 48 hours.
  • Every 3 hours - Runs every 3 hours, checking data from the past 12 hours.
  • Every hour - Runs hourly, checking data from the past 4 hours.
  • Continuous (NRT) - Runs continuously, checking data from events as they're collected and processed in near real-time (NRT).

Running a custom detection at the Continuous (NRT) frequency shortens the time between an event being ingested and an alert being raised, which is what the question asks to minimize. The NRT frequency has minimal to no impact on resource usage, so it should be considered for any custom detection rule whose query qualifies for it; NRT is available only for queries over the supported tables and operators, so confirm the rule's query is eligible before selecting it.

Reference: Create and manage custom detections rules



Question: 324
Measured Skill: Mitigate threats by using Microsoft Defender (25–30%)

You have a Microsoft 365 E5 subscription that contains the hosts shown in the following table.



You have indicators in Microsoft Defender for Endpoint as shown in the following table.



ID1 and ID2 reference the same file as ID3.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

(NOTE: Each correct selection is worth one point.)


A Host1 will block the execution of a file that has the SHA-1 hash value of 2aae6c35c94fcfb415db395f408b9c391ee846ed: Yes
Host2 will block and remediate a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: Yes
Host3 will block the execution of a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: Yes
B Host1 will block the execution of a file that has the SHA-1 hash value of 2aae6c35c94fcfb415db395f408b9c391ee846ed: Yes
Host2 will block and remediate a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: Yes
Host3 will block the execution of a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: No
C Host1 will block the execution of a file that has the SHA-1 hash value of 2aae6c35c94fcfb415db395f408b9c391ee846ed: Yes
Host2 will block and remediate a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: No
Host3 will block the execution of a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: Yes
D Host1 will block the execution of a file that has the SHA-1 hash value of 2aae6c35c94fcfb415db395f408b9c391ee846ed: No
Host2 will block and remediate a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: Yes
Host3 will block the execution of a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: No
E Host1 will block the execution of a file that has the SHA-1 hash value of 2aae6c35c94fcfb415db395f408b9c391ee846ed: No
Host2 will block and remediate a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: No
Host3 will block the execution of a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: Yes
F Host1 will block the execution of a file that has the SHA-1 hash value of 2aae6c35c94fcfb415db395f408b9c391ee846ed: No
Host2 will block and remediate a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: No
Host3 will block the execution of a file that has the SHA-256 hash value of 88f4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589: No

Correct answer: C

Explanation:

File indicators prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on devices in your organization.

When your security team creates a new indicator (IoC), the following actions are available:

  • Allow: the IoC is allowed to run on your devices.
  • Audit: an alert is triggered when the IoC runs.
  • Warn: the IoC prompts a warning that the user can bypass.
  • Block execution: the IoC won't be allowed to run.
  • Block and remediate: the IoC won't be allowed to run and a remediation action will be applied to the IoC.

If multiple indicators apply to a single file, a block (or warn) action takes precedence over an allow action. If two indicators of the same enforcement type describe the same file with different hash types, the one with the more secure, that is longer, hash wins: a SHA-256 indicator beats a SHA-1 or MD5 indicator for the same file. Indicators also apply only to the device groups in their scope, so the same file can be blocked on one host and allowed on another.

References:

Overview of indicators in Microsoft Defender for Endpoint

Create indicators for files



Question: 325
Measured Skill: Mitigate threats by using Microsoft Defender (25–30%)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.



You initiate a live response session on each device.

You need to collect a Defender for Endpoint investigation package from each device.

On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?

A Device1 and Device2 only
B Device1, Device2, and Device3 only
C Device3 and Device4 only
D Device1, Device2, Device3, and Device4

Correct answer: C

Explanation:

Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. Live response gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.

Live response has basic commands and advanced commands; the advanced commands (for example analyze, collect, run, putfile, remediate, undo, isolate and release) are available only to user roles that are granted the ability to run advanced live response commands. The collect command gathers an investigation package from the device, which is the route this question asks about.

With live response, analysts can:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background.
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

Note: For Windows devices you can collect a Defender for Endpoint investigation package directly from the Microsoft Defender portal.

Reference: Investigate entities on devices using live response



Question: 326
Measured Skill: Mitigate threats by using Microsoft Sentinel (50–55%)

You need to build a KQL query in a Microsoft Sentinel workspace. The query must return the SecurityEvent record for accounts that have the last record with an EventID value of 4624.

How should you complete the query?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A SecurityEvent
| summarize arg_max(TimeGenerated, *) by Account
| summarize make_list(Account) by EventID
B SecurityEvent
| summarize make_list(Account) by EventID
| where EventID == 4624
C SecurityEvent
| summarize make_list(Account) by EventID
| where EventID == 4624
D SecurityEvent
| summarize make_set(Account) by EventID
| summarize arg_max(TimeGenerated, *) by Account
E SecurityEvent
| where EventID == 4624
| summarize arg_max(TimeGenerated, *) by Account
F SecurityEvent
| where EventID == 4624
| summarize make_set(Account) by EventID

Correct answer: E

Explanation:

Kusto Query Language is the language you use to work with and manipulate data in Microsoft Sentinel.

Event ID 4624 is generated on the computer where a logon session is created, that is, on the destination machine.

The arg_max() aggregation function returns, for each group, the row that maximizes the specified expression (TimeGenerated), together with all columns of that row (or only the columns you list). That is why the result is a SecurityEvent record rather than a list or set of account names.

Filtering with where before summarize also reduces the rows the aggregation has to process. Note that the order changes the meaning as well: answer E returns each account's most recent 4624 record, whereas summarize arg_max(TimeGenerated, *) by Account followed by where EventID == 4624 would return only those accounts whose most recent record of any type is a logon. Options A, B, C and F produce lists or sets of account names instead of records, and option D discards TimeGenerated in its first summarize, so the arg_max that follows has nothing to work on.
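To make the ordering point concrete, here is an added Python model of the two pipelines run over constructed SecurityEvent-like rows; it is not part of the original page or of Microsoft Sentinel, and the rows, account names, computers and timestamps are made up for the example.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed SecurityEvent-like rows (a few of the table's columns). Times are
# minutes after a fixed base so the ordering is easy to read.
_BASE = datetime(2025, 1, 1, 8, 0, 0)

def _row(minute: int, account: str, event_id: int, computer: str) -> dict:
    return {"TimeGenerated": _BASE + timedelta(minutes=minute),
            "Account": account, "EventID": event_id, "Computer": computer}

SECURITY_EVENTS = [
    _row(0,  "CONTOSO\\alice", 4624, "WS01"),   # logon
    _row(5,  "CONTOSO\\alice", 4688, "WS01"),   # process creation
    _row(10, "CONTOSO\\alice", 4624, "WS02"),   # later logon elsewhere
    _row(12, "CONTOSO\\alice", 4634, "WS02"),   # logoff: alice's newest record
    _row(3,  "CONTOSO\\bob",   4625, "WS03"),   # failed logon
    _row(7,  "CONTOSO\\bob",   4624, "WS03"),   # bob's newest record is a logon
    _row(2,  "CONTOSO\\carol", 4625, "WS04"),   # carol never logged on
]

def arg_max_by(rows: list[dict], max_column: str, by_column: str) -> list[dict]:
    """KQL:  | summarize arg_max(max_column, *) by by_column
    Keep, per group, the whole row with the greatest max_column value."""
    best: dict = {}
    for row in rows:
        key = row[by_column]
        if key not in best or row[max_column] > best[key][max_column]:
            best[key] = row
    return list(best.values())

def latest_logon_per_account(rows: list[dict]) -> list[dict]:
    """Answer E:  SecurityEvent | where EventID == 4624 | summarize arg_max(TimeGenerated, *) by Account
    The most recent 4624 record for every account that has at least one."""
    return arg_max_by([r for r in rows if r["EventID"] == 4624], "TimeGenerated", "Account")

def accounts_whose_latest_event_is_logon(rows: list[dict]) -> list[dict]:
    """Reversed order:  SecurityEvent | summarize arg_max(TimeGenerated, *) by Account | where EventID == 4624
    Only accounts whose newest record of any kind is a 4624."""
    return [r for r in arg_max_by(rows, "TimeGenerated", "Account") if r["EventID"] == 4624]

if __name__ == "__main__":
    for name, fn in (("where then arg_max", latest_logon_per_account),
                     ("arg_max then where", accounts_whose_latest_event_is_logon)):
        print(name, [(r["Account"], r["Computer"], r["TimeGenerated"].time())
                     for r in fn(SECURITY_EVENTS)])
```

On this data the answer E pipeline returns alice's 08:10 logon on WS02 and bob's 08:07 logon; the reversed pipeline returns only bob, because alice's newest record is a logoff and carol never produced a 4624. The same divergence happens in Sentinel, so pick the order that matches the question you are actually asking of the data.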

References:

Kusto Query Language in Microsoft Sentinel

arg_max() (aggregation function)

Queries for the SecurityEvent table





 

© Copyright 2014 - 2025 by cert2brain.com