Microsoft Security Operations Analyst - SC-200무료 덤프문제 풀어보기

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You discover that when Microsoft Defender for Endpoint generates alerts for a commonly used executable file, it causes alert fatigue. You need to tune the alerts.
Which two actions can an alert tuning rule perform for the alerts?
Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

정답: A,C
설명: (Fast2test 회원만 볼 수 있음)
You open the Cloud App Security portal as shown in the following exhibit.

You need to remediate the risk for the Launchpad app.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
정답:

Explanation:

According to Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security) documentation, when an application discovered by Cloud Discovery is deemed risky or non-compliant, the recommended remediation process is to unsanction it and enforce blocking through your network security devices or firewalls.
The process follows these four exact steps:
* Select the app - In the Discovered apps tab, security analysts must first locate and select the risky application (in this case, Launchpad ). Microsoft documentation states: "Select the discovered app that you want to remediate to open available actions."
* Tag the app as Unsanctioned - Marking an app as Unsanctioned flags it as not allowed for organizational use. This designation helps track and automatically block or monitor it through connected security controls. Reference guidance: "Unsanction apps that you want to block across your network to prevent user access."
* Generate a block script - Once an app is tagged as Unsanctioned , you can generate a block script compatible with your firewall or proxy device (such as Palo Alto, Cisco ASA, or Zscaler). Microsoft documentation explains: "From the unsanctioned app menu, select Generate block script to create a script for your appliance type."
* Run the script on the source appliance - Finally, to enforce blocking, the generated script must be executed on the network appliance or proxy device that is integrated with Cloud Discovery. Official description: "Run the generated script on your network appliance to block unsanctioned apps." This sequence ensures compliance and reduces data exposure by automatically restricting high-risk apps, aligning with Microsoft SecOps best practices of proactive risk mitigation and least privilege.
# Final Correct Order:
1. Select the app # 2. Tag the app as Unsanctioned # 3. Generate a block script # 4. Run the script on the source appliance
You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.
What should you create first? A. device groups

정답: B
설명: (Fast2test 회원만 볼 수 있음)
You need to create the analytics rule to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
정답:

According to Microsoft Security Operations (SecOps) and Azure Sentinel documentation, when you need to create an analytics rule that executes a custom KQL query and automatically initiates a playbook , the correct configuration is to create a Scheduled rule and ensure the playbook includes a trigger .
Here's why:
* A Scheduled analytics rule in Microsoft Sentinel (Microsoft Defender XDR portal) is designed for running custom KQL queries at defined intervals (for example, every hour or every few minutes) to detect specific patterns of suspicious activity. When the rule's conditions are met, Sentinel generates alerts that can automatically trigger a playbook for response and automation.
* A playbook in Sentinel is an Azure Logic App that automates responses to incidents or alerts. To connect a playbook to an analytics rule, it must include a trigger -specifically, the "Microsoft Sentinel Alert" or "Incident trigger." This allows the rule to start the playbook automatically when the defined condition is met.
The other options are incorrect because:
* Fusion rules are built-in and use Microsoft's machine learning to correlate signals automatically; they can't be used for custom queries.
* Microsoft incident creation rules are also built-in and handle alert-to-incident grouping logic, not custom query execution.
* A service principal would be needed for permissions (e.g., admin1 configuring playbooks), but not inside the playbook itself.
* Diagnostics settings apply to log collection and retention, not rule automation.
Therefore, based on Microsoft Sentinel best practices and documentation:
# Create the rule of type: Scheduled
# Configure the playbook to include: A trigger
You have a Microsoft Sentinel workspace.
You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
정답:

Explanation:

Below is the completed KQL that meets the requirement (successful sign-ins from multiple countries in the last 3 hours), using the ASIM authentication schema commonly used in Microsoft Sentinel:
let timeframe = ago(3h);
let threshold = 5;
imAuthentication
| where TimeGenerated > timeframe
| where EventType == " Logon " and EventResult == " Success "
| where isnotempty(SrcGeoCountry)
| summarize
StartTime = min(TimeGenerated),
EndTime = max(TimeGenerated),
Vendors = make_set(EventVendor),
Products = make_set(EventProduct),
NumOfCountries = dcount(SrcGeoCountry)
by TargetUserId, TargetUserPrincipalName, TargetUserType
| where NumOfCountries > threshold
* Blade/source: imAuthentication (ASIM parser) normalizes authentication data across sources in Sentinel, letting you query sign-ins consistently.
* Filters: EventType == " Logon " and EventResult == " Success " restrict to successful logons.
* Geo dimension: SrcGeoCountry is the normalized source country field for the sign-in.
* Logic: We look back 3 hours , count distinct countries per user with dcount(SrcGeoCountry) , and keep only users exceeding a chosen threshold (e.g., > 5 ).
This delivers exactly "successful sign-ins from multiple countries during the last three hours," ready for use in a hunting query or to form a scheduled analytics rule.
You have 100 Azure subscriptions that have enhanced security features m Microsoft Defender for Cloud enabled.
All the subscriptions are linked to a single Azure AD tenant. You need to stream the Defender for Cloud togs to a syslog server.
The solution must minimize administrative effort What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point
정답:
Export logs to: # Azure event hub
* Configure streaming by: # Configuring continuous export in Defender for Cloud for each subscription In Microsoft Defender for Cloud , if you need to stream security alerts and recommendations to an external SIEM or syslog server , the supported approach is to export data to an Azure Event Hub , which acts as a streaming pipeline. The syslog server or SIEM solution can then pull data from the Event Hub in real time using connectors or custom listeners.
The configuration method for sending Defender for Cloud data to an Event Hub is known as continuous export . According to Microsoft's official Defender for Cloud documentation, continuous export lets you automatically stream alerts and security recommendations to Event Hubs or Log Analytics workspaces .
However, when your target is a syslog server , Event Hub is required because it supports continuous streaming outside Azure.
To minimize administrative effort across multiple subscriptions (100 in this case) , you can use Azure Policy or a script to apply continuous export settings per subscription , but the feature must still be enabled individually for each subscription - hence the correct configuration step is:
"Configuring continuous export in Defender for Cloud for each subscription." Why not other options:
* Log Analytics workspace: used for querying within Azure, not for streaming to external syslog servers.
* Azure Storage account: suitable for archival, not streaming.
* Modifying diagnostic settings of the tenant: applies only to Azure AD logs, not Defender for Cloud data.
You have a Microsoft 365 E5 subscription.
Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365 and devices use full automation in Microsoft Defender for Endpoint.
You have an incident involving a user that received maIware-infected email messages on a managed device.
Which action requires manual remediation of the incident?

정답: B
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?

정답: B
설명: (Fast2test 회원만 볼 수 있음)

우리와 연락하기

문의할 점이 있으시면 메일을 보내오세요. 12시간이내에 답장드리도록 하고 있습니다.

근무시간: ( UTC+9 ) 9:00-24:00
월요일~토요일

서포트: 바로 연락하기 

English Deutsch 繁体中文 日本語