Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 71
Measured Skill: Mitigate threats using Azure Defender (25-30%)

You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.

How should you complete the portion of the template that will provision the required Azure resources?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)

A P1: Microsoft.Automation
P2: Microsoft.Security
B P1: Microsoft.Automation
P2: Microsoft.Logic
C P1: Microsoft.Logic
P2: Microsoft.Security
D P1: Microsoft.Logic
P2: Microsoft.Automation
E P1: Microsoft.Security
P2: Microsoft.Logic
F P1: Microsoft.Security
P2: Microsoft.Automation

Correct answer: E

Explanation:

The following quickstart shows how to use an Azure Resource Manager template (ARM template) to create a workflow automation that triggers a logic app when specific security alerts are received by Azure Security Center. The automation itself is a Microsoft.Security resource, and the logic app it triggers is a Microsoft.Logic resource.

Reference: Quickstart: Create an automatic response to a specific security alert using an ARM template



Question: 72
Measured Skill: Mitigate threats using Azure Sentinel (40-45%)

You are an administrator for a company. Your company deploys Azure Sentinel.

You plan to delegate the administration of Azure Sentinel to various groups.

You need to delegate the following tasks:
  • Create and run playbooks.
  • Create workbooks and analytic rules.
The solution must use the principle of least privilege.

Which role should you assign for each task?

(To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A Create and run playbooks: Azure Sentinel Contributor
Create workbooks and analytic rules: Azure Sentinel Reader
B Create and run playbooks: Azure Sentinel Contributor
Create workbooks and analytic rules: Azure Sentinel Contributor
C Create and run playbooks: Azure Sentinel Responder
Create workbooks and analytic rules: Logic App Contributor
D Create and run playbooks: Azure Sentinel Reader
Create workbooks and analytic rules: Logic App Contributor
E Create and run playbooks: Logic App Contributor
Create workbooks and analytic rules: Azure Sentinel Contributor
F Create and run playbooks: Logic App Contributor
Create workbooks and analytic rules: Azure Sentinel Reader

Correct answer: E

Explanation:

Azure Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure.

Use Azure RBAC to create and assign roles within your security operations team to grant appropriate access to Azure Sentinel. The different roles give you fine-grained control over what users of Azure Sentinel can see and do. Azure roles can be assigned in the Azure Sentinel workspace directly (see note below), or in a subscription or resource group that the workspace belongs to, which Azure Sentinel will inherit.

Azure Sentinel-specific roles

All Azure Sentinel built-in roles grant read access to the data in your Azure Sentinel workspace.

  • Azure Sentinel Reader can view data, incidents, workbooks, and other Azure Sentinel resources.

  • Azure Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).

  • Azure Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Azure Sentinel resources.

  • Azure Sentinel Automation Contributor allows Azure Sentinel to add playbooks to automation rules. It is not meant for user accounts.

Note

  • For best results, these roles should be assigned on the resource group that contains the Azure Sentinel workspace. This way, the roles will apply to all the resources that are deployed to support Azure Sentinel, as those resources should also be placed in that same resource group.

  • Another option is to assign the roles directly on the Azure Sentinel workspace itself. If you do this, you must also assign the same roles on the SecurityInsights solution resource in that workspace. You may need to assign them on other resources as well, and you will have to keep managing role assignments on those resources on an ongoing basis.

Reference: Permissions in Azure Sentinel



Question: 73
Measured Skill: Mitigate threats using Azure Sentinel (40-45%)

You use Azure Sentinel to monitor irregular Azure activity.

You create custom analytics rules to detect threats as shown in the following exhibit.



You do NOT define any incident settings as part of the rule definition.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

(NOTE: Each correct selection is worth one point.)

A If a user deploys three Azure virtual machines simultaneously, you will receive 0 alerts in the next five hours.
If three separate users deploy one Azure virtual machine each within five minutes, you will receive 0 alerts.
B If a user deploys three Azure virtual machines simultaneously, you will receive 0 alerts in the next five hours.
If three separate users deploy one Azure virtual machine each within five minutes, you will receive 1 alert.
C If a user deploys three Azure virtual machines simultaneously, you will receive 1 alert in the next five hours.
If three separate users deploy one Azure virtual machine each within five minutes, you will receive 1 alert.
D If a user deploys three Azure virtual machines simultaneously, you will receive 1 alert in the next five hours.
If three separate users deploy one Azure virtual machine each within five minutes, you will receive 2 alerts.
E If a user deploys three Azure virtual machines simultaneously, you will receive 2 alerts in the next five hours.
If three separate users deploy one Azure virtual machine each within five minutes, you will receive 2 alerts.
F If a user deploys three Azure virtual machines simultaneously, you will receive 3 alerts in the next five hours.
If three separate users deploy one Azure virtual machine each within five minutes, you will receive 3 alerts.

Correct answer: A

Explanation:

The rule runs every five minutes and combines the events it detects during execution into a single alert. An alert is generated only if at least three events matching the rule query have been found. If the rule generates an alert when it runs, rule execution is suspended for five hours. The query only searches the last five hours of data.

The make-series operator in the query aggregates the events into one-day bins and counts the number of events per bin by resource ID. The dcount() function counts only unique (d for distinct) values.

If several events that match the rule query occur within a day, the make-series operator aggregates them into a single row. Since the query only examines the data for the last five hours, it never returns more than one row in either scenario, so the threshold of three events is never reached and no alert is triggered.

Without the make-series statement, the analytics query would generate one alert for each scenario.

References:

Create custom analytics rules to detect threats

make-series operator



Question: 74
Measured Skill: Mitigate threats using Microsoft 365 Defender (25-30%)

You implement Safe Attachments policies in Microsoft Defender for Office 365.

Users report that email messages containing attachments take longer than expected to be received.

You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked.

What should you configure in the Safe Attachments policies?

A Dynamic Delivery
B Replace
C Block and Enable redirect
D Monitor and Enable redirect

Correct answer: A

Explanation:

Safe Attachments in Microsoft Defender for Office 365 provides an additional layer of protection for email attachments that have already been scanned by anti-malware protection in Exchange Online Protection (EOP). Specifically, Safe Attachments uses a virtual environment to check attachments in email messages before they're delivered to recipients (a process known as detonation).

Safe Attachments protection for email messages is controlled by Safe Attachments policies. There is no default Safe Attachments policy, so to get the protection of Safe Attachments, you need to create one or more Safe Attachments policies.

The Dynamic Delivery action in Safe Attachments policies seeks to eliminate any email delivery delays that might be caused by Safe Attachments scanning. The body of the email message is delivered to the recipient with a placeholder for each attachment. The placeholder remains until the attachment is found to be safe, and then the attachment becomes available to open or download.

If an attachment is found to be malicious, the message is quarantined. Only admins (not users) can review, release, or delete messages that were quarantined by Safe Attachments scanning.

Reference: Safe Attachments in Microsoft Defender for Office 365



Question: 75
Measured Skill: Mitigate threats using Azure Defender (25-30%)

You are responsible for responding to Azure Defender for Key Vault alerts.

During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.

What should you configure to mitigate the threat?

A Key Vault firewalls and virtual networks
B Azure Active Directory (Azure AD) permissions
C Role-based access control (RBAC) for the key vault
D The access policy settings of the key vault

Correct answer: A

Explanation:

By default, all networks and IP addresses can connect to an Azure key vault.

Under Firewalls and virtual networks, access to the key vault can be restricted to connections originating from selected virtual networks, from allowed public IP address ranges, or from defined private endpoints. Because a Tor exit node is an untrusted public address, this configuration blocks its connections at the network layer, whereas Azure AD permissions, RBAC and access policies only govern what an already-connected identity may do.

© Copyright 2014 - 2021 by cert2brain.com