Amazon
Avaya
Checkpoint
Cisco®
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL®
Juniper
Microsoft
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Microsoft
  3. SC-200

Microsoft SC-200 Exam (page: 4)
Microsoft Security Operations Analyst
Updated on: 25-Dec-2025

Viewing Page 4 of 50
SC-200 PDF 408 Questions

Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft Defender for Cloud Apps portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  1. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
  2. Select Investigate files, and then filter App to Office 365.
  3. Select Investigate files, and then select New policy from search.
  4. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
  5. From Settings, select Information Protection, select Files, and then enable file monitoring.
  6. Select Investigate files, and then filter File Type to Document.

Answer(s): D,E

Explanation:

Discover and protect sensitive information in your organization
Phase 1: Discover your data Details omitted.
(D) Phase 2: Classify sensitive informationDefine which information is sensitive. Details omitted.Enable Microsoft Information Protection integrationIn the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps.Under Information Protection, go to Microsoft Information Protection. Select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.Etc.
Phase 3: Protect your data
Phase 4: Monitor and report on your data
E: File filters in Microsoft Defender for Cloud Apps
File monitoring should be enabled in Settings. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Information Protection, select Files. Select Enable file monitoring and then select Save.
Note: To provide data protection, Microsoft Defender for Cloud Apps gives you visibility into all the files from your connected apps. After you connect Microsoft Defender for Cloud Apps to an app using the App connector, Microsoft Defender for Cloud Apps scans all the files, for example all the files stored in OneDrive and Salesforce. Then, Defender for Cloud Apps rescans each file every time it's modified – the modification can be to content, metadata, or sharing permissions. Scanning times depend on the number of files stored in your app. You can also use the Files page to filter files to investigate what kind of data is saved in your cloud apps.


Reference:

https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp https://docs.microsoft.com/en-us/cloud-app-security/azip-integration https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

HOTSPOT (Drag and Drop is not supported)
You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Defender for Cloud Apps.
You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:


Reference:

https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You need to enforce MFA for all users who work remotely.
What should you include in the solution?

  1. a fraud alert
  2. a user risk policy
  3. a named location
  4. a sign-in user policy

Answer(s): C


Reference:

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You are configuring Microsoft Defender for Cloud Apps.
You have a custom threat detection policy based on the IP address ranges of your company’s United States- based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You determine that 99% of the alerts are legitimate sign-ins from your corporate offices. You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  1. Configure automatic data enrichment.
  2. Add the IP addresses to the corporate address range category.
  3. Increase the sensitivity level of the impossible travel anomaly detection policy.
  4. Add the IP addresses to the other address range category and add a tag.
  5. Create an activity policy that has an exclusion for the IP addresses.

Answer(s): A,B




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender portal, you need to configure several accounts for attackers to exploit. Solution: You add each account as a Sensitive account.
Does this meet the goal?

  1. Yes
  2. No

Answer(s): B


Reference:

https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?

  1. the Threat Protection Status report in Microsoft Defender for Office 365
  2. the mailbox audit log in Exchange
  3. the Safe Attachments file types report in Microsoft Defender for Office 365
  4. the mail flow report in Exchange

Answer(s): A

Explanation:

To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365- worldwide




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You have a Microsoft 365 subscription that contains 1,000 Windows 11 devices.
The devices have Microsoft 365 Apps installed and are onboarded to Microsoft Defender for Endpoint. You need to mitigate the following device threats:
Microsoft Excel macros that download scripts from untrusted websites Users that open executable attachments in Microsoft Outlook
Outlook rules and forms exploits What should you use?

  1. antivirus exclusions of Microsoft Defender for Endpoint.
  2. attack surface reduction rules in Microsoft Defender for Endpoint
  3. Windows Defender Firewall rules
  4. adaptive application control in Microsoft Defender for Cloud

Answer(s): B

Explanation:

Attack surfaces are all the places where your organization is vulnerable to cyberthreats and attacks. Defender for Endpoint includes several capabilities to help reduce your attack surfaces.
Incorrect:
* antivirus exclusions of Microsoft Defender for Endpoint Exclusions would reduce the protection.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction? view=o365-worldwide




Case study
This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study
To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the question button to return to the question.

Overview
Litware Inc. is a renewable company.
Litware has offices in Boston and Seattle. Litware also has remote users located across the United States. To access Litware resources, including cloud resources, the remote users establish a VPN connection to either office.

Existing Environment

Identity Environment
The network contains an Active Directory forest named litware.com that syncs to an Azure Active Directory (Azure AD) tenant named litware.com.

Microsoft 365 Environment
Litware has a Microsoft 365 E5 subscription linked to the litware.com Azure AD tenant. Microsoft Defender for Endpoint is deployed to all computers that run Windows 10. All Microsoft Cloud App Security built-in anomaly detection policies are enabled.

Azure Environment
Litware has an Azure subscription linked to the litware.com Azure AD tenant. The subscription contains resources in the East US Azure region as shown in the following table.


Network Environment
Each Litware office connects directly to the internet and has a site-to-site VPN connection to the virtual networks in the Azure subscription.

On-premises Environment
The on-premises network contains the computers shown in the following table.



Current problems
Cloud App Security frequently generates false positive alerts when users connect to both offices simultaneously.

Planned Changes
Litware plans to implement the following changes:

-Create and configure Azure Sentinel in the Azure subscription.
-Validate Azure Sentinel functionality by using Azure AD test user accounts.

Business Requirements
Litware identifies the following business requirements:

-The principle of least privilege must be used whenever possible.
-Costs must be minimized, as long as all other requirements are met.
-Logs collected by Log Analytics must provide a full audit trail of user activities.
-All domain controllers must be protected by using Microsoft Defender for Identity.

Azure Information Protection Requirements
All files that have security labels and are stored on the Windows 10 computers must be available from the Azure Information Protection – Data discovery dashboard.

Microsoft Defender for Endpoint requirements
All Cloud App Security unsanctioned apps must be blocked on the Windows 10 computers by using Microsoft Defender for Endpoint.

Microsoft Cloud App Security requirements
Cloud App Security must identify whether a user connection is anomalous based on tenant-level data.

Azure Defender Requirements
All servers must send logs to the same Log Analytics workspace.

Azure Sentinel Requirements
Litware must meet the following Azure Sentinel requirements:

-Integrate Azure Sentinel and Cloud App Security.
-Ensure that a user named admin1 can configure Azure Sentinel playbooks.
-Create an Azure Sentinel analytics rule based on a custom query. The rule must automatically initiate the execution of a playbook.
-Add notes to events that represent data access from a specific IP address to provide the ability to reference the IP address when navigating through an investigation graph while hunting.
-Create a test rule that generates alerts when inbound access to Microsoft Office 365 by the Azure AD test user accounts is detected. Alerts generated by the rule must be grouped into individual incidents, with one incident per test user account.

You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign- events in near real time.
What should you do to route events to the SIEM solution?

  1. Create an Microsoft Sentinel workspace that has a Security Events connector.
  2. Configure the Diagnostics settings in Azure AD to stream to an event hub.
  3. Create an Microsoft Sentinel workspace that has an Azure Active Directory connector.
  4. Configure the Diagnostics settings in Azure AD to archive to a storage account.

Answer(s): B


Reference:

https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring



Viewing Page 4 of 50



Share your comments for Microsoft SC-200 exam with other users:

Brijesh kr 6/29/2023 4:07:00 AM

awesome contents
INDIA