Practice Free SC-200 Exam Online Questions

Explanation:

In Azure Security Center (now Microsoft Defender for Cloud), Workflow automation is provisioned as an ARM resource of type Microsoft.Security/automations. The automation resource defines one or more actions, and when the action is a Logic App, the actionType is set to LogicApp and the action must reference the Logic App by its resource ID. In ARM, the correct provider namespace for Logic Apps is Microsoft.Logic, so the template uses resourceId(‘Microsoft.Logic/workflows’, <logicAppName>) to populate logicAppResourceId.

To enable the security alert to trigger the Logic App, the automation action includes a callback URL to the Logic App’s manual trigger. In ARM, this is retrieved with listCallbackURL() against the trigger resource ID, which must also use the Microsoft.Logic provider, i.e., resourceId(<subscriptionId>, <resourceGroupName>, ‘Microsoft.Logic/workflows/triggers’, <logicAppName>, ‘manual’), with the Logic Apps API version such as 2019-05-01. This is the documented pattern for Security Center workflow automations: define an automation under Microsoft.Security/automations, specify an action of type LogicApp, reference the workflow by Microsoft.Logic, and obtain the manual trigger callback via listCallbackURL on Microsoft.Logic/workflows/triggers. This wiring ensures that when the specified security alerts are received, the automation invokes the Logic App for automatic remediation on each match.

Explanation:

When configuring the Syslog via Azure Monitor Agent (AMA) connector in Microsoft Sentinel, the Data Collection Rule (DCR) determines which Linux system logs are ingested. Syslog messages are filtered based on facility (the subsystem that generated the message) and severity level (priority).

According to Microsoft’s “Collect Syslog data sources using Azure Monitor Agent” documentation:

“Syslog facilities define which type of process generated the log (e.g., authentication, cron, daemon), and log levels define the severity (0=emerg, 1=alert, 2=crit, 3=err, etc.). To minimize data ingestion and cost, select only the facility and the highest severity level required for your investigation.”

In this scenario:

You need to collect logs related to App1, a background process (non-kernel, non-authentication, non-cron). Typically, such custom or application-level processes send logs to LOG_AUTH or LOG_DAEMON, depending on configuration. If App1 is an application that uses authentication or security features, the LOG_AUTH facility is appropriate.

You must collect only logs with a critical priority, which corresponds to Syslog severity 2 (critical). In Syslog terminology, that maps to the LOG_EMERG or “emergency” level and above.

However, to ensure minimum data collection while still capturing critical events, Sentinel’s best practice is to configure the Syslog DCR to collect only the specific facility associated with the application and the exact required severity level. For “critical only,” LOG_EMERG is the correct choice because it ensures that only the most urgent (critical/emergency) events are ingested, reducing data volume and cost.

✅ Final Configuration:

Setting Correct Option Facility LOG_AUTH

Log level LOG_EMERG

Purpose

Collects security/authentication-related logs for App1

Collects only critical/emergency events (priority ≤ 0) to minimize ingestion volume

In summary:

Selecting LOG_AUTH and LOG_EMERG satisfies both requirements ― capturing only the highest-severity logs relevant to App1 while keeping the ingestion volume minimal, in line with Microsoft Sentinel Syslog DCR configuration guidance.

Explanation:

First blank (create a stub table): datatable

Second blank (union option): isfuzzy=true

In KQL for Microsoft Sentinel, a safe way to test whether a table exists across multiple workspaces (without throwing an error when it doesn’t) is to union a guaranteed single-row “stub” table with a query against the target table, and use union isfuzzy=true. The stub is created with datatable, e.g., let mtable = datatable(isMissing:int) [1]; which always yields one row (isMissing=1). The second branch queries the real table and, if it exists, emits a row with isMissing=0. When the table is missing, that branch returns no rows, but because isfuzzy=true is used, the reference to a potentially missing table is treated as an empty input rather than an error. Finally, selecting a single row (e.g., | top 1 by isMissing asc) ensures you return 0 if the table exists (preferred), otherwise 1 from the stub.

A complete pattern for the answer area is:

let mtable = datatable(isMissing:int) [1];

union isfuzzy=true

mtable,

(AzureActivity | getschema | project isMissing=0)

| top 1 by isMissing asc

This meets the requirements: it checks existence per workspace, returns one row with isMissing=0 if the table exists, or one row with isMissing=1 if it does not, with minimal overhead and no failures when the table is absent.

Explanation:

In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation allows you to automatically respond to security alerts and recommendations by triggering remediation actions.

When you create an Azure Policy to enforce automatic remediation based on Defender alerts or recommendations, the effect determines what the policy does when a resource is found noncompliant:

DeployIfNotExists is the correct effect to use for automatic remediation. This effect automatically deploys a remediation task (such as a Logic App or other automation) when a matching noncompliant resource is detected. It’s commonly used in Defender for Cloud to deploy missing security configurations or initiate an automated remediation workflow.

Append only adds metadata or parameters to resources―it does not enforce or deploy remediation actions.

EnforceRegoPolicy is used for container compliance with Gatekeeper policies (Kubernetes), not for Defender workflows.

For the automation mechanism:

An Azure Logic Apps app with the trigger “When an Azure Security Center alert is created or triggered” is the correct choice. This Logic App acts as the workflow automation engine that runs whenever a new alert is raised. It can perform actions such as isolating VMs, disabling users, or notifying SOC teams.

Using a trigger for “When a response to an Azure Security Center alert is triggered” would only activate after a manual response, not automatically.

Automation runbooks with webhooks can be used for custom automation, but Defender workflow automation integrates natively with Logic Apps and not directly with runbooks.

✅ Final Answer. Set available effects to: DeployIfNotExists

To perform remediation use: An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered

Explanation:

Reference: For CEF ingestion, Microsoft Sentinel uses a Linux “log forwarder” that runs the Log Analytics agent (OMS agent) and a syslog daemon (rsyslog/syslog-ng). The documented deployment flow is: first install the Log Analytics agent on the forwarder and connect it to your Sentinel workspace (Workspace ID/Key). Next, configure the agent to listen on TCP/UDP port 25226―the port the OMS agent uses to receive CEF-translated syslog messages locally―and forward them to the connected workspace (this forwarding is inherent once the agent is connected). Then configure the syslog daemon to receive the external product’s CEF events on the chosen syslog port (commonly 514) and forward them locally to 127.0.0.1:25226. Finally, restart rsyslog/syslog-ng and the OMS agent to apply changes. You do not forward events “directly to Sentinel” from syslog; the agent handles transport to the workspace. An OMS Gateway is only required when the forwarder has no direct Internet access and isn’t part of the standard, minimal-effort path. This sequence ensures reliable, supported ingestion of CEF messages into Microsoft Sentinel with the least administrative overhead.

Explanation:

Microsoft Entra role: Security Administrator

Role for WS1: Microsoft Sentinel Contributor

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel, a user must have permission to configure data connectors that access Microsoft Entra ID (Azure AD) identity data and to manage Sentinel settings for the workspace.

This requires roles in two scopes:

1️ ⃣ Microsoft Entra ID (directory) level C for identity data access.

2️ ⃣ Sentinel workspace level C for Sentinel feature management.

Step 1: Microsoft Entra (Azure AD) Role → Security Administrator

According to Microsoft documentation, enabling UEBA requires connecting Microsoft Sentinel to Microsoft Entra ID to import user and identity behavior data.

The Security Administrator role grants the necessary read permissions to user and sign-in data while still adhering to the principle of least privilege.

The Global Administrator role would also work but provides excessive privileges beyond what’s required for UEBA configuration.

The Security Operator role is limited to viewing alerts and cannot configure Sentinel connectors. Hence, Security Administrator is the correct least-privilege directory role. Step 2: Role for WS1 (Sentinel Workspace) → Microsoft Sentinel Contributor

To manage Sentinel configuration and enable features such as UEBA, data connectors, and analytics rules, the Microsoft Sentinel Contributor role is required at the workspace level.

The Sentinel Contributor role allows enabling/disabling features, managing playbooks, and configuring connectors.

The Sentinel Automation Contributor role is only for playbook automation permissions.

The basic Contributor role can manage Azure resources but doesn’t grant Sentinel-specific privileges.

✅ Final Answer. Microsoft Entra role: Security Administrator

Role for WS1: Microsoft Sentinel Contributor

Explanation:

In Microsoft Defender for DevOps, IaC misconfiguration scanning uses purpose-built analyzers per template type. For Azure Resource Manager (ARM) and Bicep templates, Defender leverages Template Analyzer, which evaluates security best practices and policy compliance specific to Azure resource definitions. Template Analyzer parses Bicep (and ARM JSON) and flags insecure defaults such as overly permissive network rules, missing encryption settings, insecure identity assignments, and more―making it the correct choice for Bicep files.

For container and Kubernetes ecosystem artifacts, including Helm charts, Defender integrates

Terrascan, an open-source static analysis tool that scans Helm/Kubernetes manifests (and Terraform) against hundreds of policies. Terrascan inspects rendered Helm templates to detect issues like privileged containers, hostPath mounts, missing resource limits, and insecure service exposures.

By contrast, CredScan (Credential Scanner) is aimed at finding embedded secrets (keys/passwords) in code and isn’t the primary IaC misconfiguration engine for either Bicep or Helm in Defender for DevOps.

Therefore, to detect IaC misconfigurations: use Template Analyzer for Bicep and Terrascan for Helm charts.