Practice Free SC-200 Exam Online Questions – Page 9

Question #81

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.

You initiate a live response session on each device.

You need to collect a Defender for Endpoint investigation package from each device.

On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?

A . Device1 and Device2 only
B . Device1, Device2, and Device3 only
C . Device3 and Device4 only
D . Device1, Devke2, Device3, and Device4

Reveal Solution Hide Solution

Question #82

HOTSPOT

You have an Azure subscription that is linked to a hybrid Azure AD tenant and contains a Microsoft Sentinel workspace named Sentinel1.

You need to enable User and Entity Behavior Analytics (UEBA) for Sentinel 1 and configure UEBA to use data collected from Active Directory Domain Services (AD OS).

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

To the AD DS domain controllers, deploy: Microsoft Defender for Identity sensors

For Sentinel1, configure: The Security Events data source

To enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel using data from on-premises Active Directory Domain Services (AD DS), you must collect detailed identity and authentication events. This requires integration with Microsoft Defender for Identity (MDI) ― the native tool designed to monitor domain controller traffic and send identity telemetry to Microsoft Sentinel.

Step 1: Deploy Microsoft Defender for Identity sensors

According to Microsoft documentation:

“To collect signals from your on-premises Active Directory domain controllers, install Microsoft Defender for Identity sensors directly on each domain controller or on a dedicated server.”

These sensors capture Windows event logs and network authentication data (Kerberos, NTLM, LDAP) and send the information securely to Defender for Identity cloud service.

The Azure Connected Machine agent and Azure Monitor agent do not provide the specialized identity telemetry required by UEBA. Therefore, the correct deployment is the Microsoft Defender for Identity sensors.

Step 2: Configure the Security Events data source in Sentinel

After integrating Defender for Identity, you must connect the right data source in Microsoft Sentinel.

The Security Events data source ingests domain controller event logs (such as sign-ins, account management, and group membership changes) that UEBA relies on for behavioral baselines and anomaly detection.

Microsoft Sentinel UEBA documentation confirms:

“UEBA uses data from identity-related data sources, such as SecurityEvents and Azure Active Directory sign-ins, to build user and entity profiles and detect anomalies.”

The Audit Logs and Signin Logs tables are specific to Azure AD and cloud identity events ― not on-premises AD DS domain controllers.

✅ Final Configuration:

Deploy Microsoft Defender for Identity sensors to the domain controllers.

Configure The Security Events data source for Sentinel1.

Question #83

You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements.

Which role should you assign?

A . Automation Operator
B . Automation Runbook Operator
C . Azure Sentinel Contributor
D . Logic App Contributor

Reveal Solution Hide Solution

Question #84

You need to recommend a solution to meet the technical requirements for the Azure virtual machines.

What should you include in the recommendation?

A . just-in-time (JIT) access
B . Azure Defender
C . Azure Firewall
D . Azure Application Gateway

Reveal Solution Hide Solution

Question #85

You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector. You need to customize which details will be included when an alert is created for a specific event.

What should you do?

A . Modify the properties of the connector.
B . Create a Data Collection Rule (DCR).
C . Create a scheduled query rule.
D . Enable User and Entity Behavior Analytics (UEBA)

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

The core requirement is to customize details included when an alert is created for a specific event. In Microsoft Sentinel, the most effective and granular way to enrich, map, and customize alert fields is by using a Scheduled Query Rule within the Analytics section.

Customization for Microsoft Defender Alerts

Defender for Cloud Data Connector: This connector, categorized as a Microsoft Security rule type, automatically imports alerts and incidents generated by Microsoft Defender for Cloud into the Microsoft Sentinel SecurityAlert table. These imported alerts have a predefined schema and initial set of details.

Customization Limitation: You cannot modify the alert schema or customize the details directly on the Microsoft Defender for Cloud data connector itself (Option A).

Scheduled Query Rule for Enrichment: To customize the alert details, an analyst must run a custom Kusto Query Language (KQL) query against the ingested security alerts (in the SecurityAlert table) or related raw log events. This query is packaged within a Scheduled Query Rule (Option C).

The Role of a Scheduled Query Rule

Scheduled query rules provide the necessary Alert enrichment features to customize alert properties:

Custom Details (Surface Custom Event Details): This feature allows an analyst to pull any field from the KQL query result and display it prominently in the resulting Sentinel alert and incident.

Customize Alert Details: This feature allows an analyst to override the default properties of the alert, such as:

Alert Name Format: Dynamically change the alert title to include specific event values (e.g., Alert

from {{ProviderName}}: {{AccountName}} failed to sign in to computer {{ComputerName}}).

Alert Description Format: Embed custom messages or specific log data into the description.

AlertSeverity, Tactics, ConfidenceScore, AlertLink, and other key fields: Use values from the query results to set these properties dynamically for each alert instance.

By creating a scheduled query rule that specifically queries the Defender for Cloud alerts and uses KQL to extract or calculate the required custom information, an analyst can then apply the Alert details and Custom details features on the rule’s Set rule logic tab to meet the customization requirement.

Question #86

You have a Microsoft 365 subscription that uses Microsoft Purview.

Your company has a project named Project1.

You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.

What should you do?

A . Create a records management disposition.
B . Perform a user data search.
C . Perform an audit search.
D . Perform a content search.

Reveal Solution Hide Solution

Question #87

You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.

You need to assign the PCI DSS 4.0 initiative to Sub1 and have the initiative displayed in the Defender for Cloud Regulatory compliance dashboard.

From Security policies in the Environment settings, you discover that the option to add more industry and regulatory standards is unavailable.

What should you do first?

A . Enable the Cloud Security Posture Management (CSPM) plan for the subscription.
B . Disable the Microsoft Cloud Security Benchmark (MCSB) assignment.
C . Configure the Continuous export settings for Azure Event Hubs.
D . Configure the Continuous export settings for Log Analytics.

Reveal Solution Hide Solution

Question #88

You have a Microsoft Sentinel workspace.

You enable User and Entity Behavior Analytics (UFBA) by using Audit logs and Signin logs.

The following entities are detected in the Azure AD tenant:

• App name: App1

• IP address: 192.168.1.2

• Computer name: Device1

• Used client app: Microsoft Edge

• Email address: [email protected]

• Sign-in URL: https://www.company.com

Which entities can be investigated by using UEBA?

A . app name, computer name, IP address, email address, and used client app only
B . IP address and email address only
C . used client app and app name only
D . IP address only

Reveal Solution Hide Solution

Question #89

HOTSPOT

You have a Microsoft Sentinel workspace.

You plan to visualize data from Microsoft SharePoint Online and OneDrive sites.

You need to create a KQL query for the visual.

The solution must meet the following requirements:

• Select all workloads as a single operation.

• Include two parameters named Operations and Users.

• In the results, exclude empty values for the site URLs.

How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #90

HOTSPOT

You have the resources shown in the following table.

You have an Azure subscription that uses Mictosoft Defender for Cloud.

You need to use Defender for Cloud to protect VM1 and Server1.

The solution must meet the following requirements:

• Support Advanced Threat Protection and vulnerability assessment

• Register each SQL Server 2022 instance as a SQL virtual machine.

• Minimize implementation and administrative effort

What should you deploy to each server? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

1 2 3 4 5 6 7 8 9 10 11 12 13

Exams