Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 259
Measured Skill: Mitigate threats by using Microsoft Sentinel (50–55%)

You have an Azure subscription that contains a user named User1 and a Microsoft Sentinel workspace named WS1.

You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for WS1. The solution must follow the principle of least privilege.

Which roles should you assign to User1?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Microsoft Entra role: Global Administrator
Role for WS1: Contributor
B Microsoft Entra role: Global Administrator
Role for WS1: Microsoft Sentinel Automation Contributor
C Microsoft Entra role: Security Administrator
Role for WS1: Microsoft Sentinel Contributor
D Microsoft Entra role: Security Administrator
Role for WS1: Contributor
E Microsoft Entra role: Security Operator
Role for WS1: Microsoft Sentinel Automation Contributor
F Microsoft Entra role: Security Operator
Role for WS1: Microsoft Sentinel Contributor

Correct answer: C

Explanation:

To enable or disable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel:

  • Your user must be assigned the Global Administrator or Security Administrator role in Microsoft Entra ID.

  • Your user must be assigned at least one of the following Azure roles:

    • Microsoft Sentinel Contributor at the workspace or resource group level.
    • Log Analytics Contributor at the resource group or subscription level.

  • Your workspace must not have any Azure resource locks applied to it.

Reference: Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
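The least-privilege assignment from the correct answer, as an added example that is not part of the question page: it grants User1 the Security Administrator directory role plus Microsoft Sentinel Contributor scoped to WS1 only, then checks the resource-lock prerequisite. The tenant ID, resource group name and user UPN are assumed placeholders; the Az and Microsoft Graph PowerShell modules are assumed to be installed.

```powershell
# Added example (not from the question page): least-privilege roles for enabling
# UEBA on WS1, scoped to the workspace rather than the subscription. Tenant ID,
# resource group and UPN below are assumed placeholders.
Connect-AzAccount -Tenant '<tenant-id>' | Out-Null
Connect-MgGraph -Scopes 'RoleManagement.ReadWrite.Directory', 'User.Read.All'

$userUpn = 'user1@contoso.com'   # assumed
$rgName  = 'rg-sentinel'         # assumed
$wsName  = 'WS1'

$user = Get-MgUser -UserId $userUpn
$ws   = Get-AzOperationalInsightsWorkspace -ResourceGroupName $rgName -Name $wsName

# 1. Microsoft Entra role: Security Administrator (sufficient; Global Administrator is not needed).
$roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Security Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -RoleDefinitionId $roleDef.Id `
    -PrincipalId $user.Id -DirectoryScopeId '/' | Out-Null

# 2. Azure role: Microsoft Sentinel Contributor at workspace scope, not resource group or subscription.
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName 'Microsoft Sentinel Contributor' `
    -Scope $ws.ResourceId | Out-Null

# 3. Verify what User1 now holds on WS1.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $ws.ResourceId |
    Select-Object RoleDefinitionName, Scope

# 4. A resource lock on the workspace blocks enabling UEBA, so check for one.
$locks = Get-AzResourceLock -ResourceGroupName $rgName -ResourceName $wsName `
    -ResourceType 'Microsoft.OperationalInsights/workspaces'
if ($locks) {
    Write-Warning "WS1 has resource locks ($($locks.Name -join ', ')); remove them before enabling UEBA."
} else {
    Write-Output 'No resource locks on WS1; UEBA can be enabled.'
}
```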



Question: 260
Measured Skill: Mitigate threats by using Microsoft 365 Defender (25–30%)

You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps and has Cloud Discovery enabled.

You need to enrich the Cloud Discovery data. The solution must ensure that usernames in the Cloud Discovery traffic logs are associated with the user principal name (UPN) of the corresponding Microsoft Entra ID user accounts.

What should you do first?

A From Conditional Access App Control, configure User monitoring.
B Create a Microsoft 365 app connector.
C Enable automatic redirection to Microsoft Defender XDR.
D Create a Microsoft Azure app connector.

Correct answer: B

Explanation:

Cloud Discovery data can be enriched with Microsoft Entra username data. When you enable this feature, the username received in discovery traffic logs is matched and replaced by the Microsoft Entra username. Cloud Discovery enrichment enables the following features:

  • You can investigate Shadow IT usage by Microsoft Entra user. The user is shown by UPN.
  • You can correlate discovered cloud app use with the API-collected activities.
  • You can then create custom reports based on Microsoft Entra user groups, for example a Shadow IT report for the Marketing department.

Prerequisites

  • Data source must provide username information
  • Microsoft 365 app connector connected

References:

Enrich Cloud Discovery data with Microsoft Entra usernames

Connect Microsoft 365 to Microsoft Defender for Cloud Apps



Question: 261
Measured Skill: Mitigate threats by using Microsoft 365 Defender (25–30%)

You have a Microsoft 365 subscription that contains the following resources:
  • 100 users that are assigned a Microsoft 365 E5 license.
  • 100 Windows 11 devices that are joined to the Microsoft Entra tenant.
The users access their Microsoft Exchange Online mailbox by using Outlook on the web.

You need to ensure that if a user account is compromised, the Outlook on the web session token can be revoked.

What should you configure?

A Security defaults in Microsoft Entra
B Microsoft Entra Verified ID
C A Conditional Access policy in Microsoft Entra
D Microsoft Entra ID Protection

Correct answer: D

Explanation:

We should configure a Microsoft Entra ID Protection user risk policy that requires users at risk (compromised users) to change their password. A password change requires re-authentication, which invalidates the existing session token.

Note: Conditional Access app control, applied through a Conditional Access policy, can monitor user sessions and block activities, but it cannot revoke session tokens.

References:

Remediate risks and unblock users

Microsoft Defender for Cloud Apps conditional access app control



Question: 262
Measured Skill: Mitigate threats by using Microsoft 365 Defender (25–30%)

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to ensure that you can initiate remote shell connections to Windows servers by using the Microsoft Defender XDR portal.

What should you configure?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Advanced feature: Device discovery
For the device group: The Automation level
B Advanced feature: Device discovery
For the device group: A device tag
C Advanced feature: Enable EDR in block mode
For the device group: A device value
D Advanced feature: Enable EDR in block mode
For the device group: A device tag
E Advanced feature: Live Response for Servers
For the device group: The Automation level
F Advanced feature: Live Response for Servers
For the device group: A device value

Correct answer: F

Explanation:

Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection. Live response gives you the power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.

Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

With live response, analysts can do all of the following tasks:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and outcomes of PowerShell scripts.
  • Download files in the background (new!).
  • Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
  • Take or undo remediation actions.

You need to enable the live response capability in the Advanced features settings page.

To make sure the device group contains servers only, configure the device-matching rule of the device group to include server operating systems only.

References:

Investigate entities on devices using live response

Configure advanced features in Defender for Endpoint



Question: 263
Measured Skill: Mitigate threats by using Microsoft 365 Defender (25–30%)

You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online.

You need to identify phishing email messages.

Which three cmdlets should you run in sequence?

(To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.)


A Sequence: 1, 5, 2
B Sequence: 3, 5, 2
C Sequence: 1, 5, 4
D Sequence: 3, 2, 5

Correct answer: A

Explanation:

You can use the Content search feature to search for and delete email messages from all mailboxes in your organization. This can help you find and remove potentially harmful or high-risk email, such as:

  • Messages that contain dangerous attachments or viruses
  • Phishing messages
  • Messages that contain sensitive data

Here's an example of using a query to create and start a search by running the New-ComplianceSearch and Start-ComplianceSearch cmdlets to search all mailboxes in the organization:

$Search=New-ComplianceSearch -Name "Remove Phishing Message" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'
Start-ComplianceSearch -Identity $Search.Identity

Before running the compliance search, you must connect to Security & Compliance PowerShell (the Security and Compliance Center) by using the Connect-IPPSSession cmdlet.
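The full three-cmdlet sequence from the explanation, as an added example that is not part of the question page: connect, create the search, start it, then poll for completion and preview the hits before any deletion. The admin account is an assumed placeholder; the subject text and date range reuse the constructed sample query above.

```powershell
# Added example (not from the question page): Connect-IPPSSession, then
# New-ComplianceSearch and Start-ComplianceSearch, followed by a status poll
# and a preview so a false positive is caught before anything is purged.
Connect-IPPSSession -UserPrincipalName 'admin@contoso.com'   # assumed account

$name  = 'Remove Phishing Message'
$query = '(Received:4/13/2016..4/14/2016) AND (Subject:"Action required")'   # constructed sample

# Create and start the search across all mailboxes in the organization.
$search = New-ComplianceSearch -Name $name -ExchangeLocation All -ContentMatchQuery $query
Start-ComplianceSearch -Identity $search.Identity

# Content searches run asynchronously; poll until the status reaches Completed,
# giving up after a bounded number of attempts rather than looping forever.
$attempts = 0
do {
    Start-Sleep -Seconds 10
    $status = (Get-ComplianceSearch -Identity $name).Status
    $attempts++
} while ($status -ne 'Completed' -and $attempts -lt 60)

if ($status -ne 'Completed') {
    Write-Warning "Search '$name' is still in state '$status' after polling; check it in the portal."
    return
}

$result = Get-ComplianceSearch -Identity $name
Write-Output "Search '$name' matched $($result.Items) item(s)."

# Preview the matches before any purge action is created for this search.
New-ComplianceSearchAction -SearchName $name -Preview
```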

References:

Search for and delete email messages

Connect to Security & Compliance PowerShell



© Copyright 2014 - 2024 by cert2brain.com