Valid SC-200 dumps shared by ExamDiscuss.com to help you pass the SC-200 exam. ExamDiscuss.com now offers the newest SC-200 exam dumps; the SC-200 exam questions have been updated and the answers corrected.
Exam Code: SC-200
Exam Name: Microsoft Security Operations Analyst
Certification Provider: Microsoft
Free Question Number: 102
Version: v2024-05-08
Number of views: 448
Number of question views: 10167
Recent Comments (The most recent comments are at the top.)
No.# Correct answers are:
AzureActivity & extend.
No.# C. Common Event Format connector.
Minimize the parsing required to read log data. The CEF connector sends Common Event Format data, which means it is easy to read. As for administrative effort, you only need to configure the CEF server to listen for syslog from all the Linux VMs and then send the CEF data to Sentinel.
No.# Policy template type: Activity Policy
Filter based on: IP address tag
Tested on the MCAS portal. When you select Activity policy only you get to filter from IP address.
No.# C. authorization
No.# D. entity mapping
No.# B. Advanced hunting
No.# A. Azure Sentinel Contributor
No.# I would say B & D as you need the playbook to be created first then associated.
No.# B. IdentityInfo
No.# D. the Alert automation settings
As of June 2023, you can no longer select playbooks to run directly from an analytics rule by adding it to the following list. Playbooks already in the list will continue to run until March 2026, when this method will be deprecated.
Instead, to run a playbook in response to an alert generated by this analytics rule, create an Automation rule.
No.# Microsoft 365 app connector has to be connected first before you can enrich Cloud Discovery data:
https://learn.microsoft.com/en-us/defender-cloud-apps/cloud-discovery-aad-enrichment
No.# Answer is:
1. Live Response for server
2. Automation Level
It is explained here: https://learn.microsoft.com/en-us/defender-endpoint/automation-levels
"With no automation, automated investigation doesn't run on your organization's devices. As a result, no remediation actions are taken or pending as a result of automated investigation"
No.# B. In the grid query, include the take operator.
The take operator allows you to limit the number of rows returned by a query. By including the take operator in the grid query and specifying a maximum of 100 rows, you can ensure that the grid in Workbook1 contains a maximum of 100 rows.
For example, you could use the following query:
| take 100
No.# Azure Sentinel Contributor is the only provided correct role. If "Log Analytics Contributor" or "Microsoft Sentinel Automation Contributor" were available, they would be better suited to meet the business requirement for least privilege.
Contributor: "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries." Ref https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
No.# LAA is being retired and Microsoft suggests using AMA.
https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-migration
The requirement is "Minimize the amount of collected data". It should be Azure Monitor Agent and KQL.
No.# C
In order to identify the impacted entities in an aggregated alert, you should review the "Events" tab of the DLP alert management dashboard in the Microsoft 365 compliance center. This tab will display a list of all the events that triggered the alert, including the specific entities (e.g. files, emails, etc.) that were affected. You can further investigate each event to identify the specific user, device and action that caused the alert to be triggered.
No.# C. Create a Microsoft Cloud App Security connector
Explanation: The Microsoft Cloud App Security (MCAS) connector provides data about anomalous activities, including suspicious behavior within Microsoft 365 applications. This is essential for detecting the second stage of the attack (anomalous Office 365 activity) as part of the Fusion rule.
Reference: Connect Microsoft Cloud App Security to Microsoft Sentinel.
D. Create an Azure AD Identity Protection connector
Explanation: The Azure AD Identity Protection connector is crucial for detecting the first stage of the attack (suspicious sign-ins to contoso.com). Identity Protection provides data about risky sign-ins and user activities, which are needed for Fusion rules to correlate and identify multi-staged attacks.
Reference: Connect Azure AD Identity Protection to Microsoft Sentinel.
No.# To complement the SecurityIncidents table, we’ve provided you with an out-of-the-box security operations efficiency workbook template that you can use to monitor your SOC operations. The workbook contains the following metrics:
Incidents created over time
Incidents created by closing classification, severity, owner, and status
Mean time to triage
Mean time to closure
Incidents created by severity, owner, status, product, and tactics over time
Time to triage percentiles
Time to closure percentiles
Mean time to triage per owner
Recent activities
Recent closing classifications
No.# D should be correct, on the basis that DCR rules can decide, on an AMA, which events are gathered on an endpoint.
https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/data-collection-rule-overview?tabs=portal#data-collection-rule-associations-dcras
No.# C. Incorrect syntax.
B. Correct answer. Union takes two or more tables and returns the rows of all of them.
D. Join with kind inner will not produce every row, as inner means the output has one row for every combination of left and right. So only if the columns appear in both tables will we get a hit. This doesn't meet the ask.
A. Evaluate in KQL calls a plugin; this is not relevant to the question.