Microsoft - SC-200: Microsoft Security Operations Analyst
Sample Questions
Question: 309
Measured Skill: Mitigate threats by using Microsoft Defender XDR (25–30%)
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.
The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll.
You need to submit files for deep analysis in Microsoft Defender XDR.
Which files can you submit?| A | File1.ps1 only |
| B | File2.exe only |
| C | File3.dll only |
| D | File2.exe and File3.dll only |
| E | File1.ps1 and File2.exe only |
| F | File1.ps1, File2.exe, and File3.dll |
Correct answer: DExplanation:
Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Selecting a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.
The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files (including .exe and .dll files).
Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab updates to display a summary and the date and time of the latest available results.
The deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk. If nothing was found, these sections display a brief message.
Results of deep analysis are matched against threat intelligence and any matches generate appropriate alerts.
Use the deep analysis feature to investigate the details of any file, usually during an investigation of an alert or for any other reason where you suspect malicious behavior. This feature is available at the top of the file's page. Select the three dots to access the Deep analysis action.
Reference: Take response actions on a file
Question: 310
Measured Skill: Mitigate threats by using Microsoft Defender XDR (25–30%)
You have a Microsoft 365 subscription that uses Microsoft Purview and contains a Microsoft SharePoint Online site named Site1.
Site1 contains the files shown in the following table.
From Microsoft Purview, you create the content search queries shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | Search1 will return File3: Yes
Search2 will return File1: Yes
Search3 will return File2: Yes |
| B | Search1 will return File3: Yes
Search2 will return File1: No
Search3 will return File2: No |
| C | Search1 will return File3: No
Search2 will return File1: Yes
Search3 will return File2: No |
| D | Search1 will return File3: No
Search2 will return File1: Yes
Search3 will return File2: Yes |
| E | Search1 will return File3: No
Search2 will return File1: No
Search3 will return File2: Yes |
| F | Search1 will return File3: No
Search2 will return File1: No
Search3 will return File2: No |
Correct answer: AExplanation:
On the Conditions page of Content search in Microsoft Purview, you can enter a keyword query and add conditions to the search query if necessary.
You can specify keywords, message properties such as sent and received dates, or document properties such as file names or the date that a document was last changed. You can use more complex queries that use a Boolean operator, such as AND, OR, NOT, and NEAR.
Alternatively, you can select the Show keyword list checkbox and the enter a keyword in each row. If you do this, the keywords on each row are connected by a logical operator (c:s) that is similar in functionality to the OR operator in the search query that's created.
References:
Get started with Content search
Feature reference for Content search
Question: 311
Measured Skill: Mitigate threats by using Microsoft Sentinel (50–55%)
You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1.
You need to create a visual in Workbook1 that will display the logon count for accounts that have logon event IDs of 4624 and 4634.
How should you complete the query?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | P1: join
P2: inner |
| B | P1: join
P2: full |
| C | P1: project
P2: left |
| D | P1: summarize
P2: right |
| E | P1: union
P2: full |
| F | P1: union
P2: left |
Correct answer: AExplanation:
The join operator merges the rows of two tables or two queries to form a new table by matching values of the specified columns from each table.
Kusto Query Language (KQL) offers many kinds of joins that each affect the schema and rows in the resultant table in different ways.
The following image provides a visual representation of the operation performed by each join. The color of the shading represents the columns returned, and the areas shaded represent the rows returned.
Reference: join operator
Question: 312
Measured Skill: Mitigate threats by using Microsoft Defender XDR (25–30%)
You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint.
You enable Network device discovery.
You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device.
Which built-in function should you use?| A | SeenBy() |
| B | DeviceFromIP() |
| C | next() |
| D | current_cluster_endpoint() |
Correct answer: AExplanation:
Microsoft Defender for Endpoint provides a device discovery capability that helps you find unmanaged devices connected to your corporate network without the need for extra appliances or cumbersome process changes. Device discovery uses onboarded endpoints, in your network to collect, probe, or scan your network to discover unmanaged devices.
By invoking the SeenBy function, in your advanced hunting query, you can get detail on which onboarded device a discovered device was seen by. This information can help determine the network location of each discovered device and subsequently, help to identify it in the network.
DeviceInfo
| where OnboardingStatus != "Onboarded"
| summarize arg_max(Timestamp, *) by DeviceId
| where isempty(MergedToDeviceId)
| limit 100
| invoke SeenBy()
| project DeviceId, DeviceName, DeviceType, SeenBy
Reference: Device discovery overview
Question: 313
Measured Skill: Mitigate threats by using Microsoft Defender XDR (25–30%)
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You need to create a custom detection rule that will identify devices that had more than five antivirus detections within the last 24 hours.
How should you complete the query?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | P1: DeviceId
P2: ReportId |
| B | P1: DeviceId
P2: InitiatingProcessAccountObjectId |
| C | P1: InitiatingProcessAccountObjectId
P2: DeviceId |
| D | P1: ReportId
P2: TimeGenerated |
| E | P1: ReportId
P2: ReportId |
| F | P1: TimeGenerated
P2: DeviceId |
Correct answer: EExplanation:
Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
The sample query below counts the number of unique devices (DeviceId) with antivirus detections and uses this count to find only the devices with more than five detections. To return the latest Timestamp and the corresponding ReportId, it uses the summarize operator with the arg_max function.
DeviceEvents
| where ingestion_time() > ago(1d)
| where ActionType == "AntivirusDetection"
| summarize (Timestamp, ReportId)=arg_max(Timestamp, ReportId), count() by DeviceId
| where count_ > 5
Reference: Create and manage custom detections rules