SC-200 Questions With Diagrams

This document provides questions and answers related to the Microsoft SC-200 certification exam. It includes questions about creating advanced hunting queries in Microsoft 365 Defender, configuring anomaly detection policies, using regular expressions to detect sensitive data, preventing macros from executing additional payloads, suppressing false positive alerts while maintaining security posture, remediating risks, performing cross-domain investigations, and more.

Uploaded by toyeve4326

Microsoft SC-200

Study online at https://quizlet.com/_bratkl

1. You are investigating an incident by using Microsoft 365 Defender.

You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop.

Complete the query.

2. You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.

Which anomaly detection policy should you use?

A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection

3. You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.

You have Microsoft SharePoint Online sites that contain sensitive documents.

The documents contain customer account numbers that each consist of 32 alphanumeric characters.

You need to create a data loss prevention (DLP) policy to protect the sensitive documents.

What should you use to detect which documents are sensitive?

A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching

4. Your company uses line-of-business apps that contain Microsoft Office VBA macros.

You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes.

Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.

5. Your company uses Microsoft Defender for Endpoint.

The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team.

You need to hide false positives in the Alerts queue, while maintaining the existing security posture.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.

B -> C -> E

6. Your environment does NOT have Microsoft Defender for Endpoint enabled.

You need to remediate the risk for the Launchpad app. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

7. You have a Microsoft 365 E5 subscription.

You plan to perform cross-domain investigations by using Microsoft 365 Defender.

You need to create an advanced hunting query to identify devices affected by a malicious email attachment.

How should you complete the query?

8. You have the following advanced hunting query in Microsoft 365 Defender.

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.

9. You are investigating a potential attack that deploys a new ransomware strain.

You have three custom device groups. The groups contain devices that store highly sensitive information.

You plan to perform automated actions on all devices. You need to be able to temporarily group the machines to perform actions on the devices.

Which three actions should you perform? Each correct answer presents part of the solution.

A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.
10. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: From Entity tags, you add the accounts as Honeytoken accounts.

Does this meet the goal?

A. Yes
B. No

11. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: From Azure AD Identity Protection, you configure the sign-in risk policy.

Does this meet the goal?

A. Yes
B. No

12. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group.

Does this meet the goal?

A. Yes
B. No

13. You implement Safe Attachments policies in Microsoft Defender for Office 365.

Users report that email messages containing attachments take longer than expected to be received.

You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked.

What should you configure in the Safe Attachments policies?

A. Dynamic Delivery
B. Replace
C. Block and Enable redirect
D. Monitor and Enable redirect

14. You are informed of an increase in malicious email being received by users.

You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious email.

How should you complete the query?
15. You receive a security bulletin about a potential attack that uses an image file.

You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.

Which indicator type should you use?

A. a URL/domain indicator that has Action set to Alert only
B. a URL/domain indicator that has Action set to Alert and block
C. a file hash indicator that has Action set to Alert and block
D. a certificate indicator that has Action set to Alert and block

16. Your company deploys the following services:
Microsoft Defender for Identity
Microsoft Defender for Endpoint
Microsoft Defender for Office 365

You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege.

Which two roles should you assign to the analyst? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A. the Compliance Data Administrator in Azure Active Directory (Azure AD)
B. the Active remediation actions role in Microsoft Defender for Endpoint
C. the Security Administrator role in Azure Active Directory (Azure AD)
D. the Security Reader role in Azure Active Directory (Azure AD)

17. You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel.

You need to identify all the devices that contain files in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash.

How should you complete the query? To answer, select the appropriate options in the answer area.

18. You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files.

Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.

A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
B. Select Investigate files, and then filter App to Office 365.
C. Select Investigate files, and then select New policy from search.
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
F. Select Investigate files, and then filter File Type to Document.

19. You purchase a Microsoft 365 subscription.

You plan to configure Microsoft Cloud App Security.

You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.

What should you use? To answer, select the appropriate options in the answer area.

20. Your company has a single office in Istanbul and a Microsoft 365 subscription.

The company plans to use conditional access policies to enforce multi-factor authentication (MFA).

You need to enforce MFA for all users who work remotely.

What should you include in the solution?

A. a fraud alert
B. a user risk policy
C. a named location
D. a sign-in user policy

21. You are configuring Microsoft Cloud App Security.

You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.

You receive many alerts related to impossible travel and sign-ins from risky IP addresses.

You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.

You need to prevent alerts for legitimate sign-ins from known locations.

Which two actions should you perform? Each correct answer presents part of the solution.

A. Override automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.

22. You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.

Solution: You add each account as a Sensitive account.

Does this meet the goal?

A. Yes
B. No

23. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.

Does this meet the goal?

A. Yes
B. No

You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.

24. You receive an alert from Azure Defender for Key Vault.

You discover that the alert is generated from multiple suspicious IP addresses.

You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users.

What should you do first?

A. Modify the access control settings for the key vault.
B. Enable the Key Vault firewall.
C. Create an application security group.
D. Modify the access policy for the key vault.

25. You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You create an Azure logic app named LA1.

You plan to use LA1 to automatically remediate security risks detected in Azure Security Center.

You need to test LA1 in Security Center. What should you do? To answer, select the appropriate options in the answer area.

26. You have a Microsoft 365 subscription that uses Azure Defender.

You have 100 virtual machines in a resource group named RG1.

You assign the Security Admin roles to a new user named SecAdmin1.

You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege.

Which role should you assign to SecAdmin1?

A. the Security Reader role for the subscription
B. the Contributor for the subscription
C. the Contributor role for RG1
D. the Owner role for RG1

27. You provision a Linux virtual machine in a new Azure subscription. You enable Azure Defender and onboard the virtual machine to Azure Defender.

You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.

Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution.

A. cp /bin/echo ./asc_alerttest_662jfi039n
B. ./alerttest testing eicar pipe
C. cp /bin/echo ./alerttest
D. ./asc_alerttest_662jfi039n testing eicar pipe

28. You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.

You enable Azure Security Center and configure Security Center to use workspace1.

You need to collect security event logs from the Azure virtual machines that report to workspace1.

What should you do?

A. From Security Center, enable data collection.
B. In sub1, register a provider.
C. From Security Center, create a Workflow automation.
D. In workspace1, create a workbook.

29. You create a new Azure subscription and start collecting logs for Azure Monitor.

You need to configure Azure Security Center to detect possible threats related to sign-ins from suspicious IP addresses to Azure virtual machines. The solution must validate the configuration.

Which three actions should you perform in sequence?

30. Your company uses Azure Security Center and Azure Defender.

The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

What should you configure in Security Center to enable the email notifications?

A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender

31. You have resources in Azure and Google Cloud.

You need to ingest Google Cloud Platform (GCP) data into Azure Defender.

In which order should you perform the actions? To answer, move all actions from the list of actions to the answer area and arrange them in the correct order.

32. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Regulatory compliance, you download the report.

Does this meet the goal?

A. Yes
B. No

33. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section.

Does this meet the goal?

A. Yes
B. No

34. You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution.

To which service should you export the alerts?

A. Azure Cosmos DB
B. Azure Event Grid
C. Azure Event Hubs
D. Azure Data Lake

35. You are responsible for responding to Azure Defender for Key Vault alerts.

During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.

What should you configure to mitigate the threat?

A. Key Vault firewalls and virtual networks
B. Azure Active Directory (Azure AD) permissions
C. role-based access control (RBAC) for the key vault
D. the access policy settings of the key vault

36. You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.

How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

37. You have an Azure subscription that contains a Log Analytics workspace.

You need to enable just-in-time (JIT) VM access and network detections for Azure resources.

Where should you enable Azure Defender?

A. at the subscription level
B. at the workspace level
C. at the resource level

38. You use Azure Defender.

You have an Azure Storage account that contains sensitive information.

You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Azure Security Center, enable workflow automation.
B. Create an Azure logic app that has a manual trigger.
C. Create an Azure logic app that has an Azure Security Center alert trigger.
D. Create an Azure logic app that has an HTTP trigger.
E. From Azure Active Directory (Azure AD), add an app registration.

39. You are informed of a new common vulnerabilities and exposures (CVE) vulnerability that affects your environment.

You need to use Microsoft Defender Security Center to request remediation from the team responsible for the affected systems if there is a documented active exploit available.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
40. You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

What should you do?

A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section.
B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.
C. From Regulatory compliance, download the report.
D. From Recommendations, download the CSV report.

41. You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.

You are troubleshooting an issue on the virtual machines.

In Security Center, you need to view the alerts generated by the virtual machines during the last five days.

What should you do?

A. Change the rule expiration date of the suppression rule.
B. Change the state of the suppression rule to Disabled.
C. Modify the filter for the Security alerts page.
D. View the Windows event logs on the virtual machines.

42. You have an Azure Storage account that will be accessed by multiple Azure Function apps during the development of an application.

You need to hide Azure Defender alerts for the storage account.

Which entity type and field should you use in a suppression rule? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

43. You create an Azure subscription.

You enable Azure Defender for the subscription.

You need to use Azure Defender to protect on-premises computers.

What should you do on the on-premises computers?

A. Install the Log Analytics agent.
B. Install the Dependency agent.
C. Configure the Hybrid Runbook Worker role.
D. Install the Connected Machine agent.

44. A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center.

You need to ensure that the security administrator receives email alerts for all the activities.

What should you configure in the Security Center settings?

A. the severity level of email notifications
B. a cloud connector
C. the Azure Defender plans
D. the integration settings for Threat detection

45. You have an Azure Functions app that generates thousands of alerts in Azure Security Center each day for normal activity.

You need to hide the alerts automatically in Security Center.

Which three actions should you perform in sequence in Security Center? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

46. You have an Azure subscription.

You need to delegate permissions to meet the following requirements:

Enable and disable Azure Defender.
Apply security recommendations to a resource.

The solution must use the principle of least privilege.

Which Azure Security Center role should you use for each requirement?

47. You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel.

You need to deploy the log forwarder.

Which three actions should you perform in sequence?

48. From Azure Sentinel, you open the Investigation pane for a high-severity incident.

If you hover over the VM you can view _____:

If you select _____ you can view the items related to the incident.

49. You have an Azure Sentinel deployment.

You need to query for all suspicious credential access activities.

Which three actions should you perform in sequence?

50. You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

You deploy Azure Sentinel.

You need to use the existing logic app as a playbook in Azure Sentinel.

What should you do first?

A. Add a new scheduled query rule.
B. Add a data connector to Azure Sentinel.
C. Configure a custom Threat Intelligence connector in Azure Sentinel.
D. Modify the trigger in the logic app.

51. Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.

What should you include in the recommendation?

A. built-in queries
B. livestream
C. notebooks
D. bookmarks

52. You have a playbook in Azure Sentinel.

When you trigger the playbook, it sends an email to a distribution group.

You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.

What should you do?

A. Add a parameter and modify the trigger.
B. Add a custom data connector and modify the trigger.
C. Add a condition and modify the action.
D. Add a parameter and modify the action.

53. You provision Azure Sentinel for a new Azure subscription.

You are configuring the Security Events connector.

While creating a new rule from a template in the connector, you decide to generate a new alert for every event.

You create the following rule query. By which two components can you group alerts into incidents?

A. user
B. resource group
C. IP address
D. computer

54. Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.

Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription.

You deploy Azure Sentinel to a new Azure subscription.

You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.

Which two actions should you perform?

A. Add the Security Events connector to the Azure Sentinel workspace.
B. Create a query that uses the workspace expression and the union operator.
C. Use the alias statement.
D. Create a query that uses the resource expression and the alias operator.
E. Add the Azure Sentinel solution to each workspace.

55. You have an Azure Sentinel workspace.

You need to test a playbook manually in the Azure portal.

From where can you run the test in Azure Sentinel?

A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents

56. You have an Azure subscription that uses Azure Defender. You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts. You need to create an Azure policy that will perform threat remediation automatically. What should you include in the solution? To answer, select the appropriate options in the answer area.

57. You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled. You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1. What should you do first?

A. From Azure Security Center, add a workflow automation.
B. On VM1, run the Get-MPThreatCatalog cmdlet.
C. On VM1, trigger a PowerShell alert.
D. From Azure Security Center, export the alerts to a Log Analytics workspace.

58. You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender.
Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc.
Does this meet the goal?
A. Yes
B. No

Answer: B. No

59. You have Linux virtual machines on Amazon Web Services (AWS). You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender.
Solution: You manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?
A. Yes
B. No

Answer: B. No

60. Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country.
A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True

You need to complete the query for failed sign-ins to meet the technical requirements.

Where can you find the column name to complete the where clause?

A. Security alerts in Azure Security Center
B. Activity log in Azure
C. Azure Advisor
D. the query windows of the Log Analytics workspace

Answer: D. the query windows of the Log Analytics workspace

61. Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country.
A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True

You need to remediate active attacks to meet the technical requirements.

What should you include in the solution?

A. Azure Automation runbooks
B. Azure Logic Apps
C. Azure Functions
D. Azure Sentinel livestreams

Answer: B. Azure Logic Apps

62. Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country.
A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True

You need to create an advanced hunting query to investigate the executive team issue.
How should you complete the query?

63. Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country.
A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True

You need to implement Azure Sentinel queries for Contoso and Fabrikam to meet the technical requirements. What should you include in the solution?

64. You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements. Which two configurations should you modify?

A. the Onboarding settings from Device management in Microsoft Defender Security Center
B. Cloud App Security anomaly detection policies
C. Advanced features from Settings in Microsoft Defender Security Center
D. the Cloud Discovery settings in Cloud App Security

Answer: C. Advanced features from Settings in Microsoft Defender Security Center; D. the Cloud Discovery settings in Cloud App Security

65. You need to add notes to the events to meet the Azure Sentinel requirements.

Which three actions should you perform in sequence?

66. You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements. What should you do?

In the Cloud App Security portal:

-Add a security extension
-Configure app connectors
-Configure log collectors

From Azure Sentinel in the Azure portal:

-Add a data connector
-Add a workbook
-Configure the Logs settings

67. You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements. Which role should you assign?

A. Automation Operator
B. Automation Runbook Operator
C. Azure Sentinel Contributor
D. Azure Sentinel Responder

Answer: C. Azure Sentinel Contributor

68. Which rule setting should you configure to meet the Azure Sentinel requirements?

A. From Set rule logic, turn off suppression.
B. From Analytics rule details, configure the tactics.
C. From Set rule logic, map the entities.
D. From Analytics rule details, configure the severity.

Answer: C. From Set rule logic, map the entities.

69. You need to create the analytics rule to meet the Azure Sentinel requirements. What should you do?

Create the rule of type:

-Fusion
-Microsoft incident creation
-Scheduled

Configure the playbook to include:

-Diagnostic settings
-A service principal
-A trigger

70. You plan to connect an external solution that will send Common Event Format (CEF) messages to Azure Sentinel. You need to deploy the log forwarder.
Which three actions should you perform in sequence?

71. Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True

The issue for which team can be resolved by using Microsoft Defender for Endpoint?
A. executive
B. sales
C. marketing

Answer: B

72. Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics
| where ActivityType == "FailedLogOn"
| where ________ == True

The issue for which team can be resolved by using Microsoft Defender for Office 365?
A. executive
B. marketing
C. security
D. sales

Answer: B

73. You need to implement the Azure Information Protection requirements. What should you configure first?

A. Device health and compliance reports settings in Microsoft Defender Security Center
B. scanner clusters in Azure Information Protection from the Azure portal
C. content scan jobs in Azure Information Protection from the Azure portal
D. Advanced features from Settings in Microsoft Defender Security Center

Answer: D

74. You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements and resolve the reported problem. Which policy should you modify?

A. Activity from suspicious IP addresses
B. Activity from anonymous IP addresses
C. Impossible travel
D. Risky sign-in

Answer: C

75. You need to configure DC1 to meet the business requirements.
Which four actions should you perform in sequence?

-Provide domain administrator creds to the liteware.com AD domain
-Create instance of Microsoft Defender for Identity
-Provide global admin creds to the liteware.com Azure AD tenant
-Install the sensor on DC1
-Install the standalone sensor on DC1

76. You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence.
You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.

Which type of information is gathered in an Investigation package?

A. Prefetch Files
B. Network transactions
C. Command History
D. Process History

Answer: A

77. Which information is shared on the user account page?
A. Security groups
B. Threat hunt ID
C. Associated alerts
D. All of the above

Answer: C

78. Microsoft Defender for Endpoint gives configuration selections for alerts and detections. These include notifications, custom indicators, and detection rules.
Which filter is a part of an Alert notification rule?

A. Subject IDs
B. Alert Severity
C. Account
D. Alert IDs

Answer: B

79. From which of the following can a SOC (Security Operation Center) analyst make a customized detection?
A. Alert
B. Incident
C. Advanced Hunting
D. Request

Answer: C

80. Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and alerts across Microsoft 365 services. You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security. You are required to monitor related alerts across all the solutions as a single incident to observe the incident's full impact and do an RCA (root cause investigation). The Microsoft Security center portal has a fused view of incidents and the actions taken on them.

Which tab is present on the incident page when investigating a particular incident?
A. Machines
B. Mailboxes
C. Networks
D. Incidents

Answer: B

81. Insider risk management in Microsoft 365 benefits organizations by addressing internal risks, such as Intellectual Property theft, fraud, sabotage, etc. A credit card database admin's unencrypted work laptop got stolen at a home in a burglary. Sensitive data for 1000 users was on the laptop.
Which type of internal risk is this an example of?
A. Sabotage
B. Data leak
C. IP Theft
D. Regulatory compliance violation

Answer: D

82. You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor your environment. You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure Defender alerts. What query should you write to meet this requirement?

To answer, complete the query by selecting the correct options from the drop down menus.

| where ProductName == "________________________"

A. Azure Security Center
B. Azure Security Sentinel
C. Security Alert
D. Security Events

Answer: A

83. You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller. You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort.

Which three actions should you perform in sequence to clone a query?
Create a list in the correct order.

a) Choose Clone query by clicking the ellipsis icon at the end of the row.
b) On the Hunting page of Azure Sentinel, select New query.
c) On the Create Custom query, make your edits then click the Create button.
d) Select the ellipsis in the line of the query you want to modify, and select Edit query.
e) On the Hunting page of Azure Sentinel, find the query you wish to clone.

A. A -> C -> E
B. D -> C -> A
C. C -> E -> A
D. E -> A -> C

Answer: D

84. Which of the following describes Azure Defender's main role?
A. Cloud configuration management
B. Cloud security posture management
C. Cloud workload protection
D. Cloud Security Management

Answer: C

85. Which selection helps you ensure Azure Defender is enabled over all the resources in a Subscription?
A. Continuous assessments
B. Coverage type
C. Automatic provisioning
D. Azure Arc

Answer: C

86. You are a SOC (Security Operations Center) Analyst working at a company that is in the process of deploying cloud workload protection with Azure Defender. You are the SOC team member working with the application and infrastructure teams to architect the resource architecture for the new web application that uses containers and Azure SQL. You are accountable for ensuring the workloads are secure with Azure Defender and offer options for non-protected workloads.
Which attribute of Azure Defender inspects registries and files of application software, operating system, and others for any changes that might point out an attack?
A. File integrity monitoring
B. Adaptive application controls
C. Adaptive network hardening
D. Log Inspection

Answer: A

87. You are a SOC Analyst for company XYZ that is deploying cloud workload protection with Azure Defender. Your work is to ensure Azure Defender automatically protects the Azure resources. Your organization has a small number of Azure virtual machines that are not part of the auto-provisioning scheme. You must manually configure protection for these Azure resources.
Which of the below is an extension of auto-provisioning?
A. Windows Events
B. Policy for Azure Policy
C. Policy Add-on for Kubernetes
D. Policy for DNS

Answer: C

88. You are a SOC Analyst employed at a company that has set up cloud workload protection with Azure Defender. You are in charge of remediating security alerts created by Azure Defender detections. You get an alert regarding a container; the alert offers information to manually remediate the issue and what you can do in the future to stop further attacks. You work with the infra team to resolve the issue. The infrastructure team provides recommendations for making automated remediation tasks for future alerts regarding the same problem. You are requested to provide a report containing tools, tactics and procedures.
Which of the following features will you leverage to do the same?

A. Incident
B. Threat Intelligence
C. Secure Score
D. Threat Score

Answer: B

89. You need to give a manager, jdoe@Contoso.onmicrosoft.com, the ability to read events in the security center, but prevent them from making any changes.
Which command should you use?

A. Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress jdoe@Contoso.onmicrosoft.com

B. Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress jdoe@Contoso.onmicrosoft.com

C. Add-MsolRoleMember -RoleName "Global Administrator" -RoleMemberEmailAddress jdoe@Contoso.onmicrosoft.com

D. Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress jdoe@Contoso.onmicrosoft.com

Answer: B

90. If you have a security recommendation that is not applicable for your environment, and you don't want to negatively affect your secure score, which option is the most appropriate to use?
A. Create an exemption for the recommendation
B. Disable the recommendation
C. Create a new resource group and exempt the recommendation from the resource group
D. Create a custom recommendation

Answer: B

91. When configuring the GCP Connector in Azure Defender, which component is mandatory to have already configured in GCP?
A. GCP Security Command Center
B. Security Hub
C. Google Cloud Console API
D. All the options above

Answer: A

92. When reviewing Just-in-Time VM access, you noticed that some VMs appear under "Not Applicable". What are the reasons that must be present for a VM to be considered not applicable?
A. The VM is not assigned to a network security group
B. The VM is not protected by a Firewall
C. The VM has JIT already enabled
D. VM has been deployed through ARM (Azure Resource Manager)

Answer: A, B

93. What capabilities given below are part of Azure Defender for Servers?
A. Adaptive Application Control
B. Integration with Qualys for Vulnerability Assessment
C. Adaptive Network Hardening
D. Fileless attack detection for Windows
E. Vulnerability assessment for Azure Container Registries

Answer: A, B, C, D

94. Azure Sentinel for SAP only supports cloud-based implementations of SAP.
A. True
B. False

Answer: B

95. Which of the following APIs should be used to assist with managing content through a CI/CD pipeline?
A. Security Graph API
B. Query API
C. Azure Sentinel Management API
D. Threat intelligence API

Answer: C

96. What does the "h" in front of a string literal such as h'my string' mean?
A. The string is considered hot path data
B. The string is a hyperlink
C. The string is obfuscated
D. Nothing - this character is always ignored

Answer: C

97. Additional permissions are required to launch a playbook from automation rules.
A. True
B. False

Answer: A

98. Which of the following data connectors have automation support in the Azure Sentinel PowerShell Module, Az.SecurityInsights?
A. Dynamics 365
B. Cisco ASA
C. AWS Cloudtrail
D. Office 365
E. Azure Active Directory

Answer: C, D, E

99. In the query

"extend ProcessEntropy = -log2(PCoHValue/TPCoHValue)*(PCoHValue/TPCoHValue)"

PCoHValue means the ProcessCountOnHost value.

A. True
B. False

Answer: A

100. Which of the following are valid parsers in the ASIM?
A. Source-agnostic
B. All of the options listed
C. Source-explicit
D. source-gnostic

Answer: A
