Microsoft - SC-200: Microsoft Security Operations Analyst
Sample Questions
Question: 371
Measured Skill: Configure protections and detections (15–20%)
You have a Microsoft 365 subscription that contains three users named User1, User2 and User3 and the resources shown in the following table.
You have a Microsoft Defender XDR detection rule named Rule1 that has the following configurations:
- Scope: DevGroup1
- File hash: File1.exe
- Actions
- Devices: Collect investigation package
- User: Mark as compromised
- Files: Block
Each user attempts to run File1.exe on their device.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
(NOTE: Each correct selection is worth one point.)
| A | File1.exe will be blocked on Device3: Yes
User2 will be marked with a risk level of medium: Yes
An investigation package will be collected from Device1: Yes |
| B | File1.exe will be blocked on Device3: Yes
User2 will be marked with a risk level of medium: No
An investigation package will be collected from Device1: No |
| C | File1.exe will be blocked on Device3: No
User2 will be marked with a risk level of medium: Yes
An investigation package will be collected from Device1: No |
| D | File1.exe will be blocked on Device3: No
User2 will be marked with a risk level of medium: Yes
An investigation package will be collected from Device1: Yes |
| E | File1.exe will be blocked on Device3: No
User2 will be marked with a risk level of medium: No
An investigation package will be collected from Device1: Yes |
| F | File1.exe will be blocked on Device3: No
User2 will be marked with a risk level of medium: No
An investigation package will be collected from Device1: No |
Correct answer: EExplanation:
Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
You can set the scope of a detection rule to specify which devices are covered by the rule. Only data from devices in the scope will be queried. Also, actions are taken only on those devices. Rule1 is scoped to DevGroup1 which contains Device1 only.
References:
Custom detections overview
Create and manage custom detections rules
Question: 372
Measured Skill: Configure protections and detections (15–20%)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You are implementing a deception rule.
You need to provide a custom lure file.
For the custom lure, you set Planting path to HOME.
Which types of files can you use for the custom lure, and in which home directory should the file be located on a device?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | File types: EXE only
The home directory of: The Active Directory user |
| B | File types: XLSX only
The home directory of: The local user |
| C | File types: PDF only
The home directory of: The active user |
| D | File types: EXE and XLSX onl
The home directory of: The planted cached user |
| E | File types: XLSX and PDF only
The home directory of: The Active Directory user |
| F | File types: EXE, XLSX, and PDF
The home directory of: The planted cached user |
Correct answer: EExplanation:
Deception technology is a security measure that provides immediate alerts of a potential attack to security teams, allowing them to respond in real-time. Deception technology creates fake assets like devices, users, and hosts that appear to belong to your network.
The built-in deception capability in the Microsoft Defender portal uses rules to make decoys and lures that match your environment. The feature applies machine learning to suggest decoys and lures that are tailored to your network. You can also use the deception feature to manually create the decoys and lures. These decoys and lures are then automatically deployed to your network and planted to devices you specify using PowerShell.
Decoys are fake devices and accounts that appear to belong to your network. Lures are fake content planted on specific devices or accounts and are used to attract an attacker. The content can be a document, a configuration file, cached credentials, or any content that an attacker can likely read, steal, or interact with. Lures imitate important company information, settings, or credentials.
Custom lures can be any file type (except .DLL and .EXE files) and are limited to 10 MB each. The deception capability mimics the User Principal Name (UPN) in Active Directory.
References:
Manage the deception capability in Microsoft Defender XDR
Configure the deception capability in Microsoft Defender XDR
Question: 373
Measured Skill: Manage a security operations environment (20–25%)
You have an Azure subscription named Sub1 that contains a resource group named RG1. RG1 contains two Azure key vaults named KV1 and KV2 that use Azure role-based access control
(Azure RBAC).
The subscription contains the users shown in the following table.
KV1 contains a secret named Secret1. KV2 contains a secret named Secret2.
Which users can read the values of each secret?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Secret1: User1 only
Secret2: User1 and User3 only |
| B | Secret1: User2 only
Secret2: User2 and User3 only |
| C | Secret1: User3 only
Secret2: User2 only |
| D | Secret1: User1 and User3 only
Secret2: User1 only |
| E | Secret1: User2 and User3 only
Secret2: User3 only |
| F | Secret1: User1, User2, and User3
Secret2: User1, User2, and User3 |
Correct answer: DExplanation:
Only User1 and User3 have permissions to read the values of secrets. User1 has permissions for both, KV1 and KV2. User3 has permissions for KV2 only.
Azure built-in roles for Key Vault data plane operations
Reference: Provide access to Key Vault keys, certificates, and secrets with Azure role-based access control
Question: 374
Measured Skill: Manage incident response (25–30%)
You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Contoso.com contains a user named User1. Sub1 contains a Microsoft Sentinel workspace.
You provision a Microsoft Copilot for Security capacity.
You need to ensure that User1 can use Copilot for Security to perform the following tasks:
- Update the data sharing and feedback options.
- Investigate Microsoft Sentinel incidents.
The solution must follow the principle of least privilege.
Which role should you assign to User1 for each task?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | Update the data sharing and feedback options: Global Administrator
Investigate Microsoft Sentinel incidents: Microsoft Sentinel Reader |
| B | Update the data sharing and feedback options: Global Administrator
Investigate Microsoft Sentinel incidents: Cloud App Security Administrator |
| C | Update the data sharing and feedback options: Security Administrator
Investigate Microsoft Sentinel incidents: Microsoft Sentinel Reader |
| D | Update the data sharing and feedback options: Security Administrator
Investigate Microsoft Sentinel incidents: Microsoft Sentinel Responder |
| E | Update the data sharing and feedback options: Security Operator
Investigate Microsoft Sentinel incidents: Cloud App Security Administrator |
| F | Update the data sharing and feedback options: Security Operator
Investigate Microsoft Sentinel incidents: Microsoft Sentinel Responder |
Correct answer: DExplanation:
Data sharing is turned on by default. Global Administrators and Security Administrators with the Capacity Contributor role (for example, capacity write access) for the capacity linked to a workspace, can configure Customer Data sharing settings. Administrators can do this during the first run experience and at any time afterward.
Microsoft Sentinel uses Azure role-based access control (Azure RBAC) to provide built-in roles that can be assigned to users, groups, and services in Azure. A Microsoft Sentinel Reader can view data, incidents, workbooks, and other Microsoft Sentinel resources. A Microsoft Sentinel Responder can, in addition to the permissions for Microsoft Sentinel Reader, manage incidents like assign, dismiss, and change incidents.
References:
Privacy and data security in Microsoft Security Copilot
Roles and permissions in Microsoft Sentinel
Question: 375
Measured Skill: Manage a security operations environment (20–25%)
You have a Microsoft 365 E5 subscription that contains Windows 11 and Linux CentOS devices.
In Microsoft Defender XDR, Deception is set to On.
You plan to create a deception rule that will use a custom lure.
You need to specify the type of file, and the planting path for the custom lure.
What should you specify?
(To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.)
| A | File type: BIN
Planting path: \\server1\share1 |
| B | File type: BIN
Planting path: {HOME} |
| C | File type: EXE
Planting path: /usr/tmp |
| D | File type: EXE
Planting path: \\server1\share1 |
| E | File type: LNK
Planting path: /usr/tmp |
| F | File type: LNK
Planting path: {HOME} |
Correct answer: FExplanation:
Lures are fake content planted on specific devices or accounts and are used to attract an attacker. The content can be a document, a configuration file, cached credentials, or any content that an attacker can likely read, steal, or interact with. Lures imitate important company information, settings, or credentials.
There are two types of lures available in the deception feature:
- Basic lures – planted documents, link files, and the like that have no or minimal interaction with the customer environment.
- Advanced lures – planted content like cached credentials and interceptions that respond or interact with the customer environment. For example, attackers might interact with decoy credentials that were injected responses to Active Directory queries, which can be used to sign in.
Custom lures can be any file type (except .DLL and .EXE files) and are limited to 10 MB each. You can add custom lures such as documents, config files and link files. These lures will automatically be planted on devices in your organization.
For the planting path, you can use {HOME} as the active user's home folder or a regular Windows path. Network paths are not supported.
References:
Manage the deception capability in Microsoft Defender XDR
Configure the deception capability in Microsoft Defender XDR