SC-200 Free Question Set: "Microsoft Security Operations Analyst"

You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.
You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.
You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.
Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Correct answer: A, C
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort.
What should you use to create the visuals?

From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/azure/sentinel/tutorial-investigate-cases#use-the-investigation-graph-to-deep-dive
You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector. You need to customize which details will be included when an alert is created for a specific event. What should you do?

You have two Azure subscriptions that use Microsoft Defender for Cloud.
You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must minimize administrative effort.
What should you do in the Azure portal?

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1. You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted.
What should you review?

You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.
You need to create a query that will be used to display a bar graph. What should you include in the query?

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You discover that when Microsoft Defender for Endpoint generates alerts for a commonly used executable file, it causes alert fatigue. You need to tune the alerts.
Which two actions can an alert tuning rule perform for the alerts?
Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

Correct answer: A, C
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender for Endpoint.
You need to ensure that you can initiate remote shell connections to Windows servers by using the Microsoft 365 Defender portal.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:
You have a Microsoft Sentinel workspace.
You plan to visualize data from Microsoft SharePoint Online and OneDrive sites.
You need to create a KQL query for the visual. The solution must meet the following requirements:
* Select all workloads as a single operation.
* Include two parameters named Operations and Users.
* In the results, exclude empty values for the site URLs.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.

You initiate a live response session on each device.
You need to collect a Defender for Endpoint investigation package from each device.
On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?

You have a Microsoft Sentinel workspace.
You need to configure the Fusion analytics rule to temporarily suppress incidents generated by a Microsoft Defender connector. The solution must meet the following requirements:
* Minimize impact on the ability to detect multistage attacks.
* Minimize administrative effort.
How should you configure the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 1 and contains a macOS device named Device1.
You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:
* Identify all the active network connections on Device1.
* Identify all the running processes on Device1.
* Retrieve the login history of Device1.
* Minimize administrative effort.
What should you do first from the Microsoft Defender portal?

You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Cloud App Security.
You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:

Reference:
https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
You need to create the analytics rule to meet the Azure Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Correct answer:

Explanation:
You create a new Azure subscription and start collecting logs for Azure Monitor.
You need to validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running Windows Server.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
NOTE: More than one order of answer choices is correct. You will receive credit for any of the correct orders you select.
Correct answer:

Explanation:
To validate that Microsoft Defender for Cloud will trigger an alert when a malicious file is present on an Azure virtual machine running Windows Server, you should perform the following three actions in sequence:
* Copy an executable file on a virtual machine and rename the file as ASC_AlertTest_662jfi039N.exe
* Run the executable file and specify the appropriate arguments
* Enable Microsoft Defender for Cloud's enhanced security features for the subscription.
These actions will simulate a malicious activity on the virtual machine and generate an alert in Defender for Cloud. You can then verify the alert details and response recommendations in the Azure portal. For more information, see Alert validation - Microsoft Defender for Cloud.
