Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 409
Measured Skill: Manage incident response (25–30%)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2. The subscription contains 1,000 Windows 11 devices that run a third-party antivirus software and have Smart App Control enabled.

You need to ensure that if Defender for Endpoint detects a malicious artifact that was missed by the third-party software, it will remediate the artifact automatically.

What should you configure?

A Endpoint detection and response (EDR) in block mode
B Allow or block file
C Automatically resolve alerts
D Tamper protection

Correct answer: A

Explanation:

Endpoint detection and response (EDR) in block mode provides added protection from malicious artifacts when Microsoft Defender Antivirus is not the primary antivirus product and is running in passive mode. EDR in block mode is available in Defender for Endpoint Plan 2.

The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product. Microsoft recommends disabling EDR in block mode when the primary antivirus software on the system is Microsoft Defender Antivirus.

References:

Endpoint detection and response in block mode

Endpoint detection and response (EDR) in block mode frequently asked questions (FAQ)



Question: 410
Measured Skill: Manage a security operations environment (20–25%)

You have a Microsoft 365 subscription. The subscription contains 500 devices that are onboarded to Microsoft Defender for Endpoint.

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to run a pilot on 50 devices that will remediate threats automatically. The solution must meet the following requirements:
  • Minimize the impact on devices that are excluded from the pilot.
  • Minimize administrative effort.
What should you configure first?

A A playbook
B An endpoint security policy
C A device group
D An automation rule

Correct answer: C

Explanation:

Automated investigation and remediation (AIR) capabilities in Microsoft Defender for Business are preconfigured and aren't configurable. In Microsoft Defender for Endpoint, you can configure AIR to one of several levels of automation. Your automation level affects whether remediation actions following AIR investigations are taken automatically or only upon approval.

  • Full automation (recommended) means remediation actions are taken automatically on artifacts determined to be malicious. (Full automation is set by default in Defender for Business.)
  • Semi-automation means some remediation actions are taken automatically, but other remediation actions await approval before being taken.
  • All remediation actions, whether pending or completed, are tracked in the Action Center (https://security.microsoft.com).

To automatically remediate threats for a selected group of devices in Microsoft Defender for Endpoint, we should create a device group in the Microsoft Defender portal and set its Automation level to Full - remediate threats automatically. This configuration enables automated actions to be performed on entities considered malicious within that specific device group.

References:

Configure automated investigation and remediation capabilities in Microsoft Defender for Endpoint

Automation levels in automated investigation and remediation capabilities



Question: 411
Measured Skill: Manage security threats (15–20%)

You have a Microsoft Sentinel workspace.

You have a KQL query. The query returns Microsoft Sentinel incidents that are stored in the SecurityIncident table and occurred during the last 90 days.

You need to create a Microsoft Sentinel workbook that will include a visualization of the query.

To what should you set Data source and Resource type for the workbook?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Data source: Azure Data Explorer
Resource type: Security Alert
B Data source: Azure Resource Graph
Resource type: Log Analytics
C Data source: Azure Resource Graph
Resource type: Application Insights
D Data source: Azure Resource Manager
Resource type: Workspace
E Data source: Logs (Analytics)
Resource type: Log Analytics
F Data source: Logs (Basic)
Resource type: Microsoft Sentinel

Correct answer: E

Explanation:

The SecurityIncident table is an audit (log) table—it stores not the incidents themselves, but rather records of the life of an incident: its creation and any changes made to it. Any time an incident is created or a change is made to an incident, a record is generated in this table showing the now-current state of the incident.

All tables support the Analytics table plan, and some Azure tables support the Basic log plan. You can switch between the Analytics and Basic plans; the change takes effect on existing data in the table immediately.

Basic log tables support a time range up to the past 30 days. The analytics log storage tier keeps data in the interactive retention state for 90 days by default and is extensible for up to two years.

For a Microsoft Sentinel workbook, the data source "resource type" is Log Analytics, which you select when configuring the data source for your query. You then specify one or more Log Analytics workspaces as the source for the data within that resource type.
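As an added illustration (not part of the original question set), the following is a query of the kind the question describes, suitable as the Logs (Analytics) source of a workbook visualization. Because SecurityIncident holds one record per incident state change, it keeps only the latest record per incident before counting, so that updates are not double counted:

```kusto
// Added example query, not from the original page.
// SecurityIncident is an audit table: every create or update of an incident
// writes a new row carrying the then-current state. Counting rows directly
// would therefore inflate the numbers for incidents that were modified often.
SecurityIncident
| where TimeGenerated > ago(90d)
// Keep the most recently modified row for each incident number.
| summarize arg_max(LastModifiedTime, *) by IncidentNumber
// Weekly incident volume by severity; renders well as a time chart in a workbook.
| summarize Incidents = count() by Severity, Week = bin(CreatedTime, 7d)
| order by Week asc, Severity asc
```

Replacing the final summarize with `summarize Incidents = count() by Status, Severity` gives the same deduplicated data as a bar chart of open versus closed incidents.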

References:

Azure Workbooks data sources

Log retention tiers in Microsoft Sentinel

Select a table plan based on data usage in a Log Analytics workspace



Question: 412
Measured Skill: Configure protections and detections (15–20%)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the following devices:
  • Device1: Runs Windows 11 Pro
  • Device2: Runs Windows Server
  • Device3: Runs Ubuntu Linux
You identify three suspicious files named File1.exe, File2.zip, and File3.ps1.

You need to investigate the files by using deep analysis.

Which devices support deep analysis, and which files can be submitted for deep analysis?

(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)


A Files: File1.exe only
Devices: Device1, Device2, and Device3
B Files: File1.exe and File2.zip only
Devices: Device3 only
C Files: File1.exe and File3.ps1 only
Devices: Device1 only
D Files: File1.exe and File3.ps1 only
Devices: Device1 and Device2 only
E Files: File1.exe, File2.zip, and File3.ps1
Devices: Device2 only
F Files: File1.exe, File2.zip, and File3.ps1
Devices: Device1, Device2, and Device3

Correct answer: A

Explanation:

Cyber security investigations are typically triggered by an alert. Alerts are related to one or more observed files that are often new or unknown. Selecting a file takes you to the file view where you can see the file's metadata. To enrich the data related to the file, you can submit the file for deep analysis.

The Deep analysis feature executes a file in a secure, fully instrumented cloud environment. Deep analysis results show the file's activities, observed behaviors, and associated artifacts, such as dropped files, registry modifications, and communication with IPs. Deep analysis currently supports extensive analysis of portable executable (PE) files (including .exe and .dll files).

Deep analysis of a file takes several minutes. Once the file analysis is complete, the Deep Analysis tab updates to display a summary and the date and time of the latest available results.

The deep analysis summary includes a list of observed behaviors, some of which can indicate malicious activity, and observables, including contacted IPs and files created on the disk. If nothing was found, these sections display a brief message.

Results of deep analysis are matched against threat intelligence and any matches generate appropriate alerts.

Microsoft Defender for Endpoint supports deep analysis on Windows 10 & 11, Windows Server, macOS, and Linux. All three devices are supported.

References:

Supported Microsoft Defender for Endpoint capabilities by platform

Deep analysis



Question: 413
Measured Skill: Manage incident response (25–30%)

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You have an Azure subscription that uses Microsoft Security Copilot.

You need to create a custom promptbook in Security Copilot that will gather the following information about an incident ID:
  • An incident summary
  • Threat intelligence on the identified threat actors
  • A detailed analysis of the users affected by the incident
  • A detailed analysis of the devices affected by the incident
Which four actions should you perform in sequence?

(To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.)


A Sequence: 1, 2, 4, 6
B Sequence: 5, 6, 3, 2
C Sequence: 5, 2, 4, 6
D Sequence: 1, 6, 4, 2

Correct answer: D

Explanation:

Promptbooks in Microsoft Security Copilot contain one or more prompts that have been put together to accomplish specific security-related tasks. They run one prompt after another, building on previous responses.

You can create your own promptbook with the promptbook builder to automate investigation flows and optimize repetitive steps in Copilot, customized to your needs and requirements.

You can also share the promptbooks you’ve created with other users, such as your teammates, so they can also benefit from your work.

To create your own promptbook, you can start with an existing session that contains the prompts you want to work with.

Select the checkboxes beside the prompts to include them, or select the top box to include all prompts in the session. Selecting any, or all, of the prompts lights up the Create promptbook button.

Reference: Build your own promptbooks


© Copyright 2014 - 2025 by cert2brain.com