Microsoft - SC-200: Microsoft Security Operations Analyst

Sample Questions

Question: 112
Measured Skill: Mitigate threats using Microsoft Sentinel (40-45%)

You have the resources shown in the following table.



You need to prevent duplicate events from occurring in SW1.

What should you use for each action?

(To answer, drag the appropriate resources to the correct actions. Each resource may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A P1: Server1
  P2: Server2
B P1: Server2
  P2: Server1
C P1: Server2
  P2: CEF1
D P1: CEF1
  P2: SW1
E P1: CEF1
  P2: CEF1
F P1: SW1
  P2: Server2

Correct answer: E

Explanation:

To ingest Syslog and CEF logs into Microsoft Sentinel, particularly from devices and appliances onto which you can't install the Log Analytics agent directly, you'll need to designate and configure a Linux machine that will collect the logs from your devices and forward them to your Microsoft Sentinel workspace. This machine can be a physical or virtual machine in your on-premises environment, an Azure VM, or a VM in another cloud.

This machine has two components that take part in this process:

  • A syslog daemon, either rsyslog or syslog-ng, that receives the logs from the sources.
  • The Log Analytics agent (also known as the OMS agent), which forwards the logs to the Microsoft Sentinel workspace.

You can use your existing CEF log forwarder machine to collect and forward logs from plain Syslog sources as well. However, you must perform the following steps so that the same events are not sent to Microsoft Sentinel in both formats (once to the CommonSecurityLog table via the CEF path and once to the Syslog table via the Syslog path), which is what produces the duplicate events.

Having already set up data collection from your CEF sources, and having configured the Log Analytics agent:

  1. On each machine that sends logs in CEF format, edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that carry CEF won't also be forwarded as plain Syslog.

  2. Run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Microsoft Sentinel. Otherwise the agent rewrites the local Syslog configuration from the workspace settings and the change you made in the previous step is overwritten.

    sudo -u omsagent python /opt/microsoft/omsconf
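The duplication described in the two steps above comes from the two rsyslog rules the agent installs on a forwarder: a content rule that forwards anything containing "CEF:" to the agent's CEF listener on 127.0.0.1:25226 (which lands in CommonSecurityLog), and per-facility rules that forward <facility>.<severity> to the Syslog listener on 127.0.0.1:25224 (which lands in the Syslog table). A CEF message arriving on a facility that also has a Syslog rule matches both. The script below is an added example, not part of the original page or of Microsoft's agent code, that models those two rules and shows the effect of step 1; the port numbers follow the agent documentation, while the facility (local4), the rule text and the CEF message are constructed for the example. Note that since this page was written the Log Analytics agent has been retired in favour of the Azure Monitor Agent, but the rsyslog-level mechanism is the same.

```shell
#!/bin/sh
# Added example (not from the page): why a CEF source on a syslog facility is
# forwarded twice, and what removing its facility rule (step 1) changes.

# Constructed stand-in for the facility rules the agent writes to
# /etc/rsyslog.d/95-omsagent.conf: <facility>.<severity> -> Syslog listener.
SYSLOG_RULES='kern.warning    @127.0.0.1:25224
user.warning    @127.0.0.1:25224
daemon.warning  @127.0.0.1:25224
local4.*        @127.0.0.1:25224
auth.*          @127.0.0.1:25224'

# Constructed CEF message as an appliance would send it on facility local4
# (assumption: local4 is the facility the CEF appliance uses).
CEF_MSG='CEF:0|Vendor|Product|1.0|100|Sample event|5|src=10.0.0.1'

# Step 1 of the procedure: drop every rule for the facility the CEF source uses.
# Usage: strip_facility <facility> <rules-text>   (prints the remaining rules)
strip_facility() {
    printf '%s\n' "$2" | grep -v "^$1\."
}

# Count how many agent listeners one message would be forwarded to.
# Usage: destinations <facility> <message> <rules-text>   (prints 0, 1 or 2)
destinations() {
    n=0
    # CEF rule: matches on message content, regardless of facility
    # (forwarded to 127.0.0.1:25226 -> CommonSecurityLog).
    case "$2" in *"CEF:"*) n=$((n + 1)) ;; esac
    # Facility rule: matches if a <facility>.<sev> line still exists
    # (forwarded to 127.0.0.1:25224 -> Syslog table).
    if printf '%s\n' "$3" | grep -q "^$1\."; then
        n=$((n + 1))
    fi
    printf '%s\n' "$n"
}

# Before step 1 the CEF message reaches both listeners and lands in both tables.
before=$(destinations local4 "$CEF_MSG" "$SYSLOG_RULES")
# After step 1 only the CEF path remains; plain syslog on other facilities
# (for example auth) is still forwarded once.
after=$(destinations local4 "$CEF_MSG" "$(strip_facility local4 "$SYSLOG_RULES")")
echo "forwarding paths for the CEF message: before=$before after=$after"
```

Step 2 on the page (disabling the agent's sync with the workspace Syslog configuration) is what keeps the stripped rule from being written back; without it the "after" state reverts to "before" at the next sync.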

References:

Deploy a log forwarder to ingest Syslog and CEF logs to Microsoft Sentinel

Get CEF-formatted logs from your device or appliance into Microsoft Sentinel

Collect data from Linux-based sources using Syslog



Question: 113
Measured Skill: Mitigate threats using Microsoft Defender for Cloud (25-30%)

A security administrator receives email alerts from Microsoft Defender for Cloud for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Microsoft Defender for Cloud.

You need to ensure that the security administrator receives email alerts for all the activities.

What should you configure in the Microsoft Defender for Cloud settings?

A The severity level of email notifications
B A cloud connector
C The Microsoft Defender for Cloud plans
D The integration settings for Threat detection

Correct answer: A

Explanation:

By default, Microsoft Defender for Cloud sends email notifications only for High severity alerts; that is why the Medium severity alerts listed in the question show up in the portal but generate no email. To receive email for all alerts, set the severity threshold for email notifications ("Notify about alerts with the following severity (or higher)") to "Low" in the subscription's environment settings.



Question: 114
Measured Skill: Mitigate threats using Microsoft Defender for Cloud (25-30%)

You have an Azure subscription.

You need to delegate permissions to enable administrators to perform the following tasks:
  • Enable and disable Microsoft Defender for Cloud.
  • Apply security recommendations to resources.
The solution must use the principle of least privilege.

Which Microsoft Defender for Cloud role should you use for each task?

(To answer, drag the appropriate roles to the correct requirements. Each role may be used once, more than once, or not at all. NOTE: Each correct selection is worth one point.)

A Enable and disable Microsoft Defender for Cloud: Security Administrator
  Apply security recommendations to resources: Subscription Contributor
B Enable and disable Microsoft Defender for Cloud: Security Administrator
  Apply security recommendations to resources: Resource Group Owner
C Enable and disable Microsoft Defender for Cloud: Resource Group Owner
  Apply security recommendations to resources: Subscription Owner
D Enable and disable Microsoft Defender for Cloud: Subscription Contributor
  Apply security recommendations to resources: Security Administrator
E Enable and disable Microsoft Defender for Cloud: Subscription Owner
  Apply security recommendations to resources: Resource Group Owner
F Enable and disable Microsoft Defender for Cloud: Subscription Owner
  Apply security recommendations to resources: Subscription Owner

Correct answer: B

Explanation:

Defender for Cloud uses Azure role-based access control (Azure RBAC), which provides built-in roles that can be assigned to users, groups, and services in Azure.

Defender for Cloud assesses the configuration of your resources to identify security issues and vulnerabilities. In Defender for Cloud, you only see information related to a resource when you are assigned the role of Owner, Contributor, or Reader for the subscription or the resource's resource group.

In addition to the built-in roles, there are two roles specific to Defender for Cloud:

  • Security Reader: A user in this role has viewing rights to Defender for Cloud. The user can view recommendations, alerts, the security policy, and security states, but cannot make changes.
  • Security Admin: A user in this role has the same rights as the Security Reader and can also update the security policy, enable and disable Defender plans, and dismiss alerts and recommendations.

Applying a recommendation (for example with the Fix option) changes the resource itself, so it requires Owner or Contributor on the resource group or subscription rather than a Defender for Cloud role. Of the options offered, Security Administrator for enabling and disabling Defender for Cloud and Resource Group Owner for applying recommendations is the least privileged combination that covers both tasks. The following table displays roles and allowed actions in Defender for Cloud.

References:

Permissions in Microsoft Defender for Cloud

Configure auto provisioning for agents and extensions from Microsoft Defender for Cloud



Question: 115
Measured Skill: Mitigate threats using Microsoft Defender for Cloud (25-30%)

You have an Azure subscription that contains a virtual machine named VM1 and uses Microsoft Defender for Cloud. Microsoft Defender for Cloud has automatic provisioning enabled.

You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.

What should you do first?

A From Microsoft Defender for Cloud, add a workflow automation.
B On VM1, run the Get-MPThreatCatalog cmdlet.
C On VM1 trigger a PowerShell alert.
D From Microsoft Defender for Cloud, export the alerts to a Log Analytics workspace.

Correct answer: C

Explanation:

The various Microsoft Defender plans detect threats in any area of your environment and generate security alerts.

When a single alert isn't interesting or relevant, you can manually dismiss it. Alternatively, use the suppression rules feature to automatically dismiss similar alerts in the future. Typically, you'd use a suppression rule to:

  • Suppress alerts that you've identified as false positives

  • Suppress alerts that are being triggered too often to be useful

Your suppression rules define the criteria for which alerts should be automatically dismissed.

Suppression rules can only be created from, and can only dismiss, alerts that have already been triggered on the selected subscriptions. So the first step is to trigger a PowerShell alert on VM1; then a suppression rule can be created based on that existing alert.

Reference: Suppress alerts from Microsoft Defender for Cloud



Question: 116
Measured Skill: Mitigate threats using Microsoft Sentinel (40-45%)

You create a hunting query in Microsoft Sentinel.

You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.

What should you use?

A A playbook
B A notebook
C A livestream
D A bookmark

Correct answer: C

Explanation:

Use hunting livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session using any Log Analytics query.

  • Test newly created queries as events occur

    You can test and adjust queries without any conflicts to current rules that are being actively applied to events. After you confirm these new queries work as expected, it's easy to promote them to custom alert rules by selecting an option that elevates the session to an alert.

  • Get notified when threats occur

    You can compare threat data feeds to aggregated log data and be notified when a match occurs. Threat data feeds are ongoing streams of data that are related to potential or current threats, so the notification might indicate a potential threat to your organization. Create a livestream session instead of a custom alert rule when you want to be notified of a potential issue without the overheads of maintaining a custom alert rule.

  • Launch investigations

    If there is an active investigation that involves an asset such as a host or user, you can view specific (or any) activity in the log data as it occurs on that asset. You can be notified when that activity occurs.

Because livestream notifications for new matches are delivered as Azure portal notifications, you see them whenever you are working in the Azure portal, with no alert rule, playbook or notebook to create or maintain.

Reference: Use hunting livestream in Microsoft Sentinel to detect threats


© Copyright 2014 - 2022 by cert2brain.com