SC-200 Online Practice Questions and Answers

Correct Answer: D

Correct Answer: A

Dynamic scaled onboarding of AWS EC2 instances to Azure Arc using Ansible

Create an AWS identity

In order for Terraform to create resources in AWS, we will need to create a new AWS IAM role with appropriate permissions and configure Terraform to use it.

Scenario: Automate the deployment of the Azure Connected Machine agent for Azure Arc-enabled servers to the existing and future resources of Account1.

Fabrikam has an Amazon Web Services (AWS) account named Account1. Account1 contains 100 Amazon Elastic Compute Cloud (EC2) instances that run a custom Windows Server 2022. The image includes Microsoft SQL Server 2019 and

does NOT have any agents installed.

Reference:

https://github.com/microsoft/azure_arc/blob/main/docs/azure_arc_jumpstart/azure_arc_servers/scaled_deployment/aws_scaled_ansible/_index.md

Correct Answer: C

Activity from a country/region that could indicate malicious activity. This policy profiles your environment and triggers alerts when activity is detected from a location that was not recently or was never visited by any user in the organization.

Activity from the same user in different locations within a time period that is shorter than the expected travel time between the two locations. This can indicate a credential breach, however, it's also possible that the user's actual location is

masked, for example, by using a VPN.

Reference:

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy

Correct Answer: D

Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#run-a-playbook-on-demand

Correct Answer: B

Reference: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook

Correct Answer: A

There are two methods for avoiding false positives:

Automation rules create exceptions without modifying analytics rules.

Scheduled analytics rules modifications permit more detailed and permanent exceptions.

Automation rules

Can apply to several analytics rules.

Keep an audit trail. Exceptions prevent incident creation, but alerts are still recorded for audit purposes.

Are often generated by analysts.

Allow applying exceptions for a limited time. For example, maintenance work might trigger false positives that outside the maintenance timeframe would be true incidents.

Incorrect:

Not A: Analytics rules modifications

Allow advanced boolean expressions and subnet-based exceptions.

Let you use watchlists to centralize exception management.

Typically require implementation by Security Operations Center (SOC) engineers.

Are the most flexible and complete false positive solution, but are more complex

Reference:

https://docs.microsoft.com/en-us/azure/sentinel/false-positives

Correct Answer: A

The Microsoft Sentinel Responder role allows users to investigate, triage, and resolve security incidents, which includes the ability to assign incidents to other users. This role is designed to provide the necessary permissions for incident management and response while still adhering to the principle of least privilege. Other roles such as Logic App Contributor and Microsoft Sentinel Contributor would have more permissions than necessary and may not be suitable for the analyst's needs. Microsoft Sentinel Reader role is not sufficient as it doesn't have permission to assign and resolve incidents.

Reference: https:// docs.microsoft.com/en-us/azure/sentinel/role-based-access-control-rbac

Correct Answer: D

To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create an analytic rule in the Microsoft Sentinel workspace. An analytic rule allows you to customize the behavior of the unified ASIM parser and exclude specific source-specific parsers from being used. Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-analytic-rule

Correct Answer: B

Correct Answer:

Box 1: AzureActivity

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

Box 2: autocluster()

Example: description: |

'Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this

type, it would be interesting to see if the account performing this activity or the source IP address from

which it is being done is anomalous.

The query below generates known clusters of ip address per caller, notice that users which only had single

operations do not appear in this list as we cannot learn from it their normal activity (only based on a single

event). The activities for listing storage account keys is correlated with this learned clusters of expected activities and activity which is not expected is returned.'

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where ActivityStatusValue == "Succeeded"

| join kind= inner (

AzureActivity

| where OperationNameValue =~ "microsoft.storage/storageaccounts/listkeys/action" | where ActivityStatusValue == "Succeeded"

| project ExpectedIpAddress=CallerIpAddress, Caller | evaluate autocluster()

) on Caller

| where CallerIpAddress != ExpectedIpAddress

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set(ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress

| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress