Exam Questions

The document provides information about the Microsoft SC-200 certification exam. It includes sample questions and answers related to configuring and using Microsoft Defender for Identity and Microsoft Defender for Endpoint. Key topics covered include advanced hunting queries, attack surface reduction rules, managing alerts and indicators, and reporting.

Uploaded by Abhay Mittal

https://www.examtopics.com/exams/microsoft/sc-200/view/

Page 1:

DeviceLogonEvents
| where DeviceName in ("CFOLaptop", "CEOLaptop") and ActionType == "LogonFailed"
| summarize LogonFailures = count() by DeviceName, LogonType
Activity from infrequent country is the correct answer.

First, both "Impossible travel" and "Activity from infrequent country" are detection rules
that help prevent breaches from foreign attackers. The difference between the rules is the
type of historical data. "Impossible travel" actually compares the new location's
sign-in with the last known one. So it basically means if someone already logged in from one
location (corporate network with a USA-based IP range) and is now logged in from a China
network, then it is likely the user is compromised (assuming the organization doesn't have
any traffic/record/association with China networks). Moreover it is based on geographically
distant locations within a short time period. So in my example China is too far from the USA.

"Activity from infrequent country" is a bit different. Instead of comparing with the last
known location, it detects if an account is logged in from a country that has never been
accessed by any user in the organization. This rule is based on user behavior using entity
behavioral analytics and machine learning.
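An added advanced hunting query, not part of these notes and not Microsoft's built-in policy, that approximates the "infrequent country" logic described in the comment above: the baseline is every country code any account in the tenant has been seen from during the previous 30 days, so a hit is a country nobody in the organization used before. It assumes the CloudAppEvents table with its CountryCode, IPAddress, IsAnonymousProxy, AccountDisplayName and Application columns populated for the connected apps; the 30-day baseline and 1-day detection windows are arbitrary choices.

```kql
// Added example: org-wide "country never seen before" hunt, modelled on the
// "Activity from infrequent country" policy. Window sizes are assumptions.
let baseline_window = 30d;
let recent_window = 1d;
// Every country code seen by ANY account during the baseline window
let KnownCountries =
    CloudAppEvents
    | where Timestamp between (ago(baseline_window + recent_window) .. ago(recent_window))
    | where isnotempty(CountryCode)
    | distinct CountryCode;
CloudAppEvents
| where Timestamp > ago(recent_window)
| where isnotempty(CountryCode)
// Keep only activity from countries absent from the organization's baseline
| where CountryCode !in (KnownCountries)
| summarize FirstSeen = min(Timestamp),
            Events = count(),
            Accounts = make_set(AccountDisplayName, 10),
            Apps = make_set(Application, 10)
    by CountryCode, IPAddress, IsAnonymousProxy
| order by FirstSeen asc
```

The contrast with "Impossible travel" is visible in the shape of the query: that policy is evaluated per account, comparing each sign-in with the same account's previous sign-in (in KQL terms, sort each account's events by Timestamp and compare CountryCode with prev(CountryCode) within a short interval), whereas the baseline here is built across the whole organization, which is why the two policies fire on different evidence.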

-----==========
C is correct
No clear answer

======

A, D.
These are 2 complete solutions on their own, not a step-by-step sequence.
1) Add the rule and enable it.
2) Add the rule, set the rule to overwrite existing rules, and enable it.

"Set-MpPreference will always overwrite the existing set of rules. If you want to add to the
existing set, use Add-MpPreference instead."
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-attack-surface-reduction?view=o365-worldwide#powershell

The command does not need to mention anything about block because the GUID
references a Rule with already set actions.

Configuration Manager name: Block Office application from creating child processes
GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?source=recommendations&view=o365-worldwide#block-all-office-applications-from-creating-child-processes
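Whether the rule was pushed with Set-MpPreference or Add-MpPreference, the check a practitioner wants afterwards is that it is actually producing events, and in the intended mode. The following advanced hunting query is an added example, not from the notes above or from Microsoft's documentation; it assumes this rule writes DeviceEvents rows with ActionType AsrOfficeChildProcessAudited (audit mode) or AsrOfficeChildProcessBlocked (block mode), with the Office application in InitiatingProcessFileName and the spawned child in FileName.

```kql
// Added example: confirm the "Block Office applications from creating child processes"
// rule (GUID d4f940ab-401b-4efc-aadc-ad5f3c50688a) is firing, and in which mode.
DeviceEvents
| where Timestamp > ago(7d)
// Assumed ActionType names emitted by this rule in audit and block mode
| where ActionType in ("AsrOfficeChildProcessAudited", "AsrOfficeChildProcessBlocked")
| extend Mode = iff(ActionType endswith "Blocked", "block", "audit")
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            SampleCommandLine = take_any(ProcessCommandLine)
    by Mode, DeviceName, InitiatingProcessFileName, FileName
| order by Mode asc, Events desc
```

A device that still shows up only under "audit" after you meant to enable blocking is one where the local PowerShell change did not take effect, typically because an Intune or Group Policy setting overrides it; compare the AttackSurfaceReductionRules_Ids and AttackSurfaceReductionRules_Actions values from Get-MpPreference on that device.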

===============

ABD
You can hide or resolve an alert, and all of those actions can be performed on any device,
on device groups or on a single device. But in the question there is an accounting team, so there will be
a device group. The answer should be
ABD

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-alerts?view=o365-worldwide#suppress-an-alert-and-create-a-new-suppression-rule

1. Select the alert you'd like to suppress. This brings up the Alert management pane.
2. Select Create a suppression rule.
   You can create a suppression condition using these attributes. An AND operator is applied
   between each condition, so suppression occurs only if all conditions are met.

   - File SHA1
   - File name - wildcard supported
   - Folder path - wildcard supported
   - IP address
   - URL - wildcard supported
   - Command line - wildcard supported

3. Select the Triggering IOC.
4. Specify the action and scope on the alert.

   You can automatically resolve an alert or hide it from the portal. Alerts that are
   automatically resolved will appear in the resolved section of the alerts queue, alert page,
   and device timeline and will appear as resolved across Defender for Endpoint APIs.

   Alerts that are marked as hidden will be suppressed from the entire system, both on the
   device's associated alerts and from the dashboard, and will not be streamed across Defender
   for Endpoint APIs.

5. Enter a rule name and a comment.
6. Click Save.

=======

Pg 2
#7
Correct

EmailAttachmentInfo
| where SenderFromAddress =~ "[email protected]"
// Get emails with attachments identified by a SHA-256
| where isnotempty(SHA256)
| join (
    // Check devices for any activity involving the attachments
    DeviceFileEvents
    | project FileName, SHA256, DeviceName, DeviceId
) on SHA256
| project Timestamp, FileName, SHA256, DeviceName, DeviceId, NetworkMessageId,
          SenderFromAddress, RecipientEmailAddress

StormEvents
| join (
    PopulationData
    | project Population, State
) on State
| where State == "VIRGINIA"
| project StartTime, State, State1, Population, Source, DamageProperty

Or (innerunique is the default join kind, written out explicitly here):

StormEvents
| join kind=innerunique (
    PopulationData
    | project Population, State
) on State
| where State == "VIRGINIA"
| project StartTime, State, State1, Population, Source, DamageProperty

#8

Correct
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide
Prepare the query

In the Microsoft Defender portal, go to Advanced hunting and select an existing query
or create a new query. When using a new query, run the query to identify errors and
understand possible results.

Required columns in the query results

To create a custom detection rule, the query must return the following columns:

- Timestamp—used to set the timestamp for generated alerts
- ReportId—enables lookups for the original records
- One of the following columns that identify specific devices, users, or mailboxes:
  - DeviceId
  - DeviceName
  - RemoteDeviceName
  - RecipientEmailAddress
  - SenderFromAddress (envelope sender or Return-Path address)
  - SenderMailFromAddress (sender address displayed by email client)
  - RecipientObjectId
  - AccountObjectId
  - AccountSid
  - AccountUpn
  - InitiatingProcessAccountSid
  - InitiatingProcessAccountUpn
  - InitiatingProcessAccountObjectId
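An added example of a query that satisfies the column requirements listed above and could be saved as a custom detection rule with device and user actions; it is not from the page or from Microsoft's documentation. It flags Office applications spawning script or shell interpreters, the same behaviour the ASR rule on page 1 blocks, and assumes the DeviceProcessEvents columns named below. The parent and child process lists are the author's choice.

```kql
// Added example: custom-detection-ready query. Timestamp and ReportId are mandatory;
// DeviceId/DeviceName identify the device and AccountUpn/AccountSid the user, which is
// what allows the rule to offer device actions (isolate, collect package) and user actions.
DeviceProcessEvents
| where Timestamp > ago(1h)
// Office parents and the interpreter children a macro dropper typically spawns (assumed lists)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| project Timestamp, ReportId,
          DeviceId, DeviceName,
          AccountUpn, AccountSid,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, SHA256
```

If you aggregate instead (for example a count per device), the summarize must carry Timestamp and ReportId through, e.g. `summarize Hits = count(), arg_max(Timestamp, ReportId, DeviceId) by DeviceName`; a plain `count() by DeviceName` no longer meets the requirements above.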

#9
Selected Answer: ACD
Setting the scene:
There are 3 device groups.
You want to take action on all devices. Meaning you want 1(One) Device group with all
devices.
--> A: So you create this custom group(AllDeviceTempGroup) and add a Tag
filter(RansomIRTag) to group devices into this device group. You see that there are no
devices in this group. Why? You have not tagged your devices yet.

--> B: You add the tag, RansomIRTag, to all devices. You notice that your devices have not
populated your new device group, AllDeviceTempGroup. Why? In the details of the
question, you are informed that these devices already have a group. Which means if your
group is not promoted to highest rank, then the devices will choose their original group
instead.

-->C: Promote AllDeviceTempGroup to highest rank.

===========
#10

correct answer is A:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts

=====================================================================
Pg 3
#11
#12

#13
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/safe-attachments?view=o365-worldwide

#14
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#review-logon-attempts-after-receipt-of-malicious-emails

#15

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators?view=o365-worldwide

You can create an indicator for:

- Files: file hash indicators. Prevent further propagation of an attack in your organization
  by banning potentially malicious files or suspected malware.
- IP addresses: by creating indicators for IPs and URLs or domains, you can now allow or block
  IPs, URLs, or domains based on your own threat intelligence. You can also warn users with a
  prompt if they open a risky app.
- URLs/domains
- Certificates
  - Scenarios when you need to deploy blocking technologies, such as attack surface reduction
    rules and controlled folder access, but need to allow behaviors from signed applications by
    adding the certificate to the allow list.
  - Blocking the use of a specific signed application across your organization, by creating an
    indicator to block the certificate of the application.

=======================

Pg 4
#16

#17
https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#check-if-files-from-a-known-malicious-sender-are-on-your-devices
#18
https://www.microsoft.com/en-us/videoplayer/embed/RE4CMYG?postJsllMsg=true

#19

Efficia
Highly Voted 2 years, 1 month ago
Policy template type: Activity Policy
Filter based on: IP address tag

=======
#20

==============
Pg 5
#21

https://learn.microsoft.com/en-us/defender-cloud-apps/api-data-enrichment

#22 duplicate
#23

https://learn.microsoft.com/en-us/microsoft-365/security/office-365-security/reports-email-security?view=o365-worldwide#threat-protection-status-report

#24

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide

#25
https://learn.microsoft.com/en-us/entra/identity/monitoring-health/howto-stream-logs-to-event-hub?tabs=splunk

============
Pg 6
#26
Answer is correct,
but the justification provided is not quite accurate.
User1: Owner
User2: Contributor
You can't choose 'Security Admin' because the key in the question is 'at the subscription
level'. Read the Security Admin section in the documentation
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions

At the subscription level, only Contributor and Owner can:

- Apply security recommendations
- Add/Assign initiatives
- Edit security policy
- Dismiss alerts

However, only the Owner can 'Enable auto provisioning'. Edit security policy, add/assign
initiatives... to be the owner of the extension you're deploying. "For auto provisioning, the
specific role required depends on the extension you're deploying." Check the section
under the roles table
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions

======
#27

Box 1: Turn on Live Response. Fact:

Live response requires Automated investigation to be turned on before you can enable it
in the advanced settings section in the Microsoft Defender for Endpoint portal. - this also
gives the answer to Box 2

Box 2: Create a device group that contains the devices and set Automation level to Full

"With no automation, automated investigation doesn't run on your organization's devices."
No automation = automated investigation is off, not on, and it needs to be on
(Full Remediation) for Live Response to work

=======
#28
DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide#get-device-information

======

D: Insider risk policy.


Data theft by departing users:
https://learn.microsoft.com/en-us/microsoft-365/compliance/insider-risk-management-policies?view=o365-worldwide#data-theft-by-departing-users

When users leave your organization, there are specific risk indicators typically associated
with data theft by departing users. This policy template uses exfiltration indicators for risk
scoring and focuses on detection and alerts in this risk area.

======
https://learn.microsoft.com/en-us/purview/data-classification-activity-explorer?view=o365-worldwide

There are more than 30 different filters available for use, some are:

- Date range
- Activity type
- Location
- User
- Sensitivity label
- Retention label
- File path
- DLP policy

Activity types

Activity explorer gathers information from the audit logs of multiple sources of activities.

Some examples of the Sensitivity label activities and Retention labeling activities from
applications native to Microsoft Office, the Azure Information Protection (AIP) unified
labeling client and scanner, SharePoint, Exchange (sensitivity labels only), and OneDrive
include:

- Label applied
- Label changed (upgraded, downgraded, or removed)
- Autolabeling simulation
- File read
==========================================
Pg 7

#31

Correct Answer - C, Evidence and Response.

The question emphasizes 'incident'.
Though you can view affected entities by clicking on the Alerts tab > Alert list, it will be for that
particular alert; one alert isn't necessarily an incident. An incident can have multiple
alerts. So you need to click on the Incidents tab, open the incident, go to the Evidence and
Response tab and look there.

=====
https://learn.microsoft.com/en-us/previous-versions/defender-for-identity/classic-reports

- Modification of sensitive groups: This report lists every time a modification is made to
  sensitive groups (such as admins, or manually tagged accounts or groups). If you're using
  Defender for Identity standalone sensors, in order to receive a full report about your
  sensitive groups, make sure that events are forwarded from your domain controllers to the
  standalone sensors.


=========
D: the Details tab, as per the DLP link

https://learn.microsoft.com/en-us/purview/dlp-alerts-get-started?view=o365-worldwide

https://learn.microsoft.com/en-us/purview/dlp-learn-about-dlp?view=o365-worldwide

=================
==============

Selected Answer: A
it doesn't recognize ranges or CIDR notation

Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-worldwide

====================================================================

Page 8:
Correct:
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain?view=o365-worldwide
Correct

EmailAttachmentInfo
| where Timestamp > ago(1h)
| where Subject == "Document Attachment" and FileName == "Document.pdf"
| join (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256

EmailAttachmentInfo
| where Timestamp > ago(1h)
| where Subject == "Document Attachment" and FileName == "Document.pdf"
| join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices?view=o365-worldwide

Correct answer

https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unconstrained-kerberos

https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-actions?view=o365-worldwide#undo-completed-actions
Correct.

Pg 9

Correct
correct

DeviceLogonEvents
| extend Table = 'table1'
| take 100
// The second extend and take belong to the right-hand side of the union; applied after the
// union they would relabel every row and truncate the combined result to 100 rows
| union (
    IdentityLogonEvents
    | extend Table = 'table2'
    | take 100
)
| project-reorder Timestamp, Table, AccountDomain, AccountName, AccountUpn, AccountSid
| order by Timestamp asc
Correct
Correct

https://learn.microsoft.com/en-us/defender-cloud-apps/connect-office-365

pg 10
NO –
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-emails

"The columns NetworkMessageId and RecipientEmailAddress must be present in the
output results of the query to apply actions to email messages." Since NetworkMessageId
is not mentioned in the summarize, it won't work.

YES –
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-devices

YES -
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules?view=o365-worldwide#actions-on-files
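The "NO" above turns entirely on whether NetworkMessageId and RecipientEmailAddress survive the summarize. This added example, which is not from the notes or from Microsoft's documentation, shows one way to aggregate per sender and still return those columns: aggregate first, then join the aggregate back to the per-message rows. It assumes the EmailEvents columns named below; the 20-recipient threshold and one-hour window are hypothetical.

```kql
// Added example: an email custom detection that still qualifies for email actions.
let lookback = 1h;
// Step 1: aggregate. This summarize on its own would NOT qualify: it drops
// NetworkMessageId, RecipientEmailAddress, Timestamp and ReportId.
let BurstSenders =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where EmailDirection == "Inbound" and AttachmentCount > 0
    | summarize Recipients = dcount(RecipientEmailAddress) by SenderFromAddress, Subject
    | where Recipients >= 20;   // hypothetical threshold
// Step 2: join back to the individual messages so every result row carries the columns
// required for alert generation (Timestamp, ReportId) and for email actions
// (NetworkMessageId, RecipientEmailAddress).
EmailEvents
| where Timestamp > ago(lookback)
| join kind=inner BurstSenders on SenderFromAddress, Subject
| project Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, SenderMailFromAddress, Subject, DeliveryAction, Recipients
```

The alternative, `summarize arg_max(Timestamp, ReportId, NetworkMessageId, RecipientEmailAddress) by SenderFromAddress`, also satisfies the column rule, but it keeps a single message per sender, so a "move to junk" or "soft delete" action would apply to that one message only, not to the whole burst.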
A. Create an exclusion tag.
https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-agentless-scanning-vms#exclude-machines-from-scanning

smanzana
4 weeks, 1 day ago
B. From Settings, select Information Protection, select Files, and then enable file
monitoring.
F. From Settings, select Information Protection, select Azure Information Protection, and
then select Automatically scan new files for Azure Information

Yes, I agree too. IdentityInfo => to get Department and AccountObjectId

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-identityinfo-table?view=o365-worldwide

This table was renamed from AccountInfo

and IdentityLogonEvents => for the interactive sign-ins.

The IdentityLogonEvents table in the advanced hunting schema contains
information about authentication activities made through your on-premises
Active Directory captured by Microsoft Defender for Identity and authentication
activities

===========
Incidents

Pg 11
Correct
Correct

Correct

A. Not correct syntax.
B. Correct answer. Union takes two or more tables and returns the rows of all of them.
C. Join kind=inner will not produce every row, as inner means the output has one row for every
combination of left and right. So only if the columns appear in both tables will we get a
hit. This doesn't meet the ask.
D. Evaluate in KQL calls a plugin; this is not relevant to the question.

Correct

Pg12
Correct

The answer is correct –

Exchange mailboxes: check Users, Groups and Teams and other, and specify which among
the 3 we should search.
Option 1 - https://learn.microsoft.com/en-us/purview/ediscovery-content-search
Option 2 - https://learn.microsoft.com/en-us/purview/ediscovery-keyword-queries-and-search-conditions
Microsoft Sentinel provides a table to store indicator data accessible to Kusto Query
Language (KQL) queries. The Threat intelligence page in Microsoft Sentinel provides the
management options to maintain the indicators.

You're a Security Operations Analyst working at a company that implemented Microsoft
Sentinel. You receive threat indicators from threat intelligence providers and your threat
hunting team. The indicators include IP addresses, domains, and file hashes that can be
utilized by many components within Microsoft Sentinel.

The indicators from the threat intelligence providers are automatically imported into the
workspace using connectors. You're tasked with adding the indicators from the threat
hunting team. You use the Threat Intelligence page to add the indicators for use by the
detection KQL queries.

From the Option 1 link (ediscovery-content-search): "Exchange mailboxes: Set the toggle to On.
The option to search all Exchange mailboxes is automatically selected. If needed, select
Choose users, groups, or teams."
========
Correct because of Linux
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide#initiate-live-response-session

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation
package from a device. By collecting the investigation package, you can identify the
current state of the device and further understand the tools and techniques used by the
attacker.

Important

These actions are not currently supported for devices running macOS or Linux. Use live
response to run the action. For more information on live response, see Investigate
entities on devices using live response

========
=====================

Azure Security Center became Microsoft Defender for Cloud

Answer yes
https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts

=============

https://learn.microsoft.com/en-us/azure/defender-for-cloud/defender-for-key-vault-introduction#step-2-respond-accordingly

==================
1. When an Azure Security Center Recommendation is created or triggered
2. Security alerts

https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation

https://security.packt.com/setting-up-automated-threat-response-in-microsoft-defender-for-cloud-azure-security-center/

==================================================
https://docs.microsoft.com/en-us/azure/security-center/security-center-alert-validation#simulate-alerts-on-your-azure-vms-linux

=
===========================================
https://learn.microsoft.com/en-us/azure/defender-for-cloud/monitoring-components

=============================

Pg 14

==========

Wrong questions
==========================================

Wrong – old question


https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications

========================
Configure Google Cloud Platform
Create a dedicated project in GCP
Enable required APIs
Create a dedicated service account for the security auditing integration
Create a private key for the dedicated service account
Retrieve your Organization ID
Connect Google Cloud Platform auditing to Defender for Cloud Apps

https://learn.microsoft.com/en-us/defender-cloud-apps/connect-google-gcp

https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-gcp?pivots=classic-connector#connect-your-gcp-project

https://learn.microsoft.com/en-us/training/modules/connect-non-azure-machines-to-azure-defender/5-connect-gcp-accounts

Set up GCP Security Command Center with Security Health Analytics


Enable GCP Security Command Center API
Create a dedicated service account for the security configuration integration
Create a private key for the dedicated service account
Connect GCP to Defender for Cloud
=========

=============

https://learn.microsoft.com/en-us/azure/defender-for-cloud/managing-and-responding-alerts

Selected Answer: B
Based on the link, once you are on the full details page of one of the alerts, 1. Click on
“Next: Take Action” 2. Select: “Prevent future attacks” - as this provides security
recommendations

===================

========

==================

The answer is correct. Azure Event Hubs. "Third-party SIEMs - Send data to Azure Event Hubs."
https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-schemas?tabs=schema-sentinel

=========
========

==========
correct, in the provided link you can find the JSON with this script.
https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.security/securitycenter-create-automation-for-alertnamecontains/azuredeploy.json
=======

https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan#plan-features
=========

C. Create a logic app that will be triggered in workflow automation

A. Microsoft Defender for Cloud > Workflow automation > Add workflow automation; for the
Action choose the logic app you have created

https://learn.microsoft.com/en-us/azure/defender-for-cloud/workflow-automation#create-a-logic-app-and-define-when-it-should-automatically-run

===============
https://www.examtopics.com/exams/microsoft/sc-200/view/16/

=========
Nvm, JIT remediation only applies to "Security Control: Secure Management Ports", not to
"Security Control: Restrict Unauthorized Network Access", which indicates, for example,
that the VM doesn't have an NSG:
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-restrict-unauthorized-network-access/ba-p/1593833
https://techcommunity.microsoft.com/t5/azure-security-center/security-control-secure-management-ports/ba-p/1505770

==========
Azure Security Center and Azure Defender are now called Microsoft Defender for Cloud.
We've also renamed Azure Defender plans to Microsoft Defender plans. The answers in
this are based on Azure Security Center. Correct answer is as shown. Open
security.microsoft.com --> Endpoints --> Vulnerability Management --> Weaknesses.
Search/select the CVE and click "Go to related security recommendations". Click on the security
recommendation task, i.e. "Update PuTTY to version x.x.x". Click on Request Remediation.

========

=================================
===================
=====================

https://www.examtopics.com/exams/microsoft/sc-200/view/17/

==========================
======================

https://learn.microsoft.com/en-us/azure/defender-for-cloud/configure-email-notifications

========
===============

Correct Answer
Box1 : Security Admin
Box2 : Resource Group Owner

https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions#roles-and-allowed-actions

=============================
Correct

=========

https://www.examtopics.com/exams/microsoft/sc-200/view/18/
Correct answer. Microsoft docs say: "For a rule to suppress an alert on a specific
subscription, that alert type has to have been triggered at least once before the rule is
created."
https://docs.microsoft.com/en-us/azure/defender-for-cloud/alerts-suppression-rules#create-a-suppression-rule

=========

Yes
===========

No,

B. No
Enabling auto-provisioning for Azure Defender means that the required monitoring
agents, including the Log Analytics agent, will be automatically installed on the virtual
machines. Therefore, there is no need to manually install the Log Analytics agent if auto-
provisioning is enabled. The correct answer is "B. No."

=========
: Azure Connected Machine agent --- Arc

Answer B:

As this question has nothing mentioned about Azure Arc and there is an option to
onboard Linux VMs on-prem without Arc, I go with B - Log Analytics.

https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-machines#onboard-your-linux-server

========
Correct
==========

18 --- 24
https://www.examtopics.com/exams/microsoft/sc-200/view/24/
======
For me the correct answers are:
C. From Defender for Cloud, configure the AWS connector.
E. From Defender for Cloud, configure auto-provisioning.

================
Correct
To add secret scanning to the Azure DevOps build process:
Sign in to Azure DevOps. Navigate to Pipelines.
Locate the pipeline where the MSDO Azure DevOps Extension is configured.

Select Edit. Add the following lines to the YAML file:

inputs:
  categories: 'secrets'

=======
A correct
Enable server plan to collect logs

========

CASE Study

=========
Resource tag. To configure agentless scanning for machines, select Edit configuration.
Enter the tag name and tag value that applies to the machines that you want to exempt.
You can enter multiple tag:value pairs.
Answer: Security Admin
