Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 47
Measured Skill: Mitigate threats using Azure Defender (25-30%)

You create a new Azure subscription and start collecting logs for Azure Monitor.

You need to configure Azure Security Center to detect possible threats related to sign-ins from suspicious IP addresses to Azure virtual machines. The solution must validate the configuration.

Which three actions should you perform in a sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)


A Sequence: 3, 2, 5
B Sequence: 3, 4, 2
C Sequence: 1, 3, 2
D Sequence: 2, 6, 5

Correct answer: A

Explanation:

Alerts are the notifications that Security Center generates when it detects threats on your resources. It prioritizes and lists the alerts along with the information needed to quickly investigate the problem. Security Center also provides recommendations for how you can remediate an attack.

If you're using the new, preview alerts experience, you can create sample alerts in a few clicks from the security alerts page in the Azure portal.

Use sample alerts to:

  • evaluate the value and capabilities of Azure Defender
  • validate any configurations you've made for your security alerts (such as SIEM integrations, workflow automation, and email notifications)

Simulate alerts on your Azure VMs (Windows)

After the Security Center agent is installed on your computer, follow these steps on the computer that you want to be the attacked resource of the alert:

  1. Copy an executable (for example calc.exe) to the computer's desktop, or to another directory of your choice, and rename it ASC_AlertTest_662jfi039N.exe.
  2. Open the command prompt and execute this file with an argument (any fake argument name), such as: ASC_AlertTest_662jfi039N.exe -foo
  3. Wait 5 to 10 minutes and open Security Center Alerts. An alert should appear.

Reference: Alert validation in Azure Security Center



Question: 48
Measured Skill: Mitigate threats using Azure Sentinel (40-45%)

From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit.



Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.

(NOTE: Each correct selection is worth one point.)


A If you hover over the virtual machine named vm1, you can view the inbound network security group (NSG) rules.
If you select Info, you can navigate to the bookmarks related to the incident.
B If you hover over the virtual machine named vm1, you can view the last five Windows security log events.
If you select Entities, you can navigate to the bookmarks related to the incident.
C If you hover over the virtual machine named vm1, you can view the last five Windows security log events.
If you select Timeline, you can navigate to the bookmarks related to the incident.
D If you hover over the virtual machine named vm1, you can view the open ports on the host.
If you select Insights, you can navigate to the bookmarks related to the incident.
E If you hover over the virtual machine named vm1, you can view the open ports on the host.
If you select Info, you can navigate to the bookmarks related to the incident.
F If you hover over the virtual machine named vm1, you can view the running processes.
If you select Timeline, you can navigate to the bookmarks related to the incident.

Correct answer: F

Explanation:

The investigation graph enables analysts to ask the right questions for each investigation. The investigation graph helps you understand the scope, and identify the root cause, of a potential security threat by correlating relevant data with any involved entity. You can dive deeper and investigate any entity presented in the graph by selecting it and choosing between different expansion options.

The investigation graph provides you with:

  • Visual context from raw data: The live, visual graph displays entity relationships extracted automatically from the raw data. This enables you to easily see connections across different data sources.

  • Full investigation scope discovery: Expand your investigation scope using built-in exploration queries to surface the full scope of a breach.

  • Built-in investigation steps: Use predefined exploration options to make sure you are asking the right questions in the face of a threat.

For how to use the investigation graph and what information it provides, refer to the following Microsoft Docs article.

Use the investigation graph to deep dive



Question: 49
Measured Skill: Mitigate threats using Azure Sentinel (40-45%)

You have a custom analytics rule to detect threats in Azure Sentinel.

You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.

What is a possible cause of the issue?

A There are connectivity issues between the data sources and Log Analytics.
B The number of alerts exceeded 10,000 within two minutes.
C The rule query takes too long to run and times out.
D Permissions to one of the data sources of the rule query were modified.

Correct answer: D

Explanation:

It's a rare occurrence that a scheduled query rule fails to run, but it can happen. Azure Sentinel classifies failures up front as either transient or permanent, based on the specific type of the failure and the circumstances that led to it.

Transient failure 

A transient failure occurs due to a circumstance which is temporary and will soon return to normal, at which point the rule execution will succeed. Some examples of failures that Azure Sentinel classifies as transient are:

  • A rule query takes too long to run and times out.
  • Connectivity issues between data sources and Log Analytics, or between Log Analytics and Azure Sentinel.
  • Any other new and unknown failure is considered transient.

In the event of a transient failure, Azure Sentinel continues trying to execute the rule again after predetermined and ever-increasing intervals, up to a point. After that, the rule will run again only at its next scheduled time. A rule will never be auto-disabled due to a transient failure.

Permanent failure - rule auto-disabled

A permanent failure occurs due to a change in the conditions that allow the rule to run, which without human intervention will not return to their former status. The following are some examples of failures that are classified as permanent:

  • The target workspace (on which the rule query operated) has been deleted.
  • The target table (on which the rule query operated) has been deleted.
  • Azure Sentinel has been removed from the target workspace.
  • A function used by the rule query is no longer valid; it has been either modified or removed.
  • Permissions to one of the data sources of the rule query were changed.
  • One of the data sources of the rule query was deleted or disconnected.

In the event of a predetermined number of consecutive permanent failures, of the same type and on the same rule, Azure Sentinel stops trying to execute the rule, and also takes the following steps:

  • Disables the rule.
  • Adds the words "AUTO DISABLED" to the beginning of the rule's name.
  • Adds the reason for the failure (and the disabling) to the rule's description.

You can easily determine the presence of any auto-disabled rules by sorting the rule list by name. The auto-disabled rules will be at or near the top of the list.

SOC managers should be sure to check the rule list regularly for the presence of auto-disabled rules.
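The check described above, as an added example that is not part of the original page or of Microsoft's tooling: it takes a constructed listing of analytics rules (the record shape, with properties.displayName, enabled and description, mirrors the SecurityInsights alertRules REST resource but is assumed here), sorts it by name as the portal would, and pulls out the auto-disabled rules together with the failure reason that Sentinel writes into the description (assumed to be the description's first sentence).

```python
"""Flag Azure Sentinel analytics rules that were auto-disabled after permanent failures.

Constructed example, not code from the page or from Microsoft. Field names follow the
SecurityInsights alertRules REST resource but are an assumption, as is the position of
the failure reason inside the description.
"""

AUTO_DISABLED_PREFIX = "AUTO DISABLED"

# Constructed sample listing: one healthy rule and two rules Sentinel auto-disabled.
SAMPLE_RULES = [
    {"name": "r1", "properties": {"displayName": "Brute force against VM",
                                  "enabled": True,
                                  "description": "Detects repeated failed logons."}},
    {"name": "r2", "properties": {"displayName": "AUTO DISABLED Suspicious sign-in IP",
                                  "enabled": False,
                                  "description": "Permissions to one of the data sources were "
                                                 "changed. Detects sign-ins from flagged IPs."}},
    {"name": "r3", "properties": {"displayName": "AUTO DISABLED Rare process launched",
                                  "enabled": False,
                                  "description": "The target table has been deleted. "
                                                 "Flags rare processes."}},
]


def sorted_by_name(rules):
    """Mirror the portal's sort-by-name view: 'AUTO DISABLED ...' names cluster at the top
    because the uppercase prefix sorts before most rule names."""
    return sorted(rules, key=lambda r: r["properties"]["displayName"])


def auto_disabled_rules(rules):
    """Return (displayName, reason, enabled) for each rule whose name carries the
    AUTO DISABLED prefix. The reason is read from the description's first sentence
    (assumption); 'enabled' is returned so a still-enabled mismatch would stand out."""
    found = []
    for rule in rules:
        props = rule["properties"]
        name = props["displayName"]
        if not name.startswith(AUTO_DISABLED_PREFIX):
            continue
        reason = props.get("description", "").split(". ")[0].rstrip(".")
        found.append((name, reason, props.get("enabled", True)))
    return found


if __name__ == "__main__":
    for name, reason, enabled in auto_disabled_rules(sorted_by_name(SAMPLE_RULES)):
        print(f"{name}: {reason} (enabled={enabled})")
```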

Reference: Issue: A scheduled rule failed to execute, or appears with AUTO DISABLED added to the name



Question: 50
Measured Skill: Mitigate threats using Azure Sentinel (40-45%)

You are an administrator for a company. Your company uses Azure Sentinel.

A new security analyst reports that she cannot assign and dismiss incidents in Azure Sentinel.

You need to resolve the issue for the analyst. The solution must use the principle of least privilege.

Which role should you assign to the analyst?

A Azure Sentinel Responder
B Logic App Contributor
C Azure Sentinel Contributor
D Azure Sentinel Reader

Correct answer: A

Explanation:

Azure Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure.

All Azure Sentinel built-in roles grant read access to the data in your Azure Sentinel workspace.

  • Azure Sentinel Reader can view data, incidents, workbooks, and other Azure Sentinel resources.

  • Azure Sentinel Responder can, in addition to the above, manage incidents (assign, dismiss, etc.).

  • Azure Sentinel Contributor can, in addition to the above, create and edit workbooks, analytics rules, and other Azure Sentinel resources.

  • Azure Sentinel Automation Contributor allows Azure Sentinel to add playbooks to automation rules. It is not meant for user accounts.

Reference: Permissions in Azure Sentinel



Question: 51
Measured Skill: Mitigate threats using Microsoft 365 Defender (25-30%)

You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment.

You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a documented active exploit available.

Which three actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)


A Sequence: 4, 6, 5
B Sequence: 3, 6, 5
C Sequence: 1, 6, 5
D Sequence: 2, 6, 5

Correct answer: B

Explanation:

The Weaknesses page lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID. You can also view the severity, Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, threat insights, and more.

If you select a CVE, you can view security recommendations. You can request remediation for each security recommendation. The remediation requests will then be listed under Remediation.

References:

Vulnerabilities in my organization - threat and vulnerability management

Security recommendations - threat and vulnerability management

Remediate vulnerabilities with threat and vulnerability management



© Copyright 2014 - 2021 by cert2brain.com