Microsoft Security Operations Analyst SC-200 Exam Questions

Page: 1 / 14
Total 391 questions
Question 1

Your company uses line-of-business apps that contain Microsoft Office VBA macros.

You plan to enable protection against downloading and running additional payloads from the Office VBA macros as additional child processes.

You need to identify which Office VBA macros might be affected.

Which two commands can you run to achieve the goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.



Answer : B, C


To identify which Office VBA macros could be affected by enabling protection against launching child processes (payloads), you use the Attack Surface Reduction (ASR) rule: ''Block all Office applications from creating child processes'' (Rule ID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A).

Microsoft Defender's PowerShell cmdlets allow you to test ASR effects by running them in Audit Mode before enforcement. Audit Mode records potential rule violations without blocking them, so administrators can assess impact.

To enable ASR rules in Audit Mode, Microsoft documentation provides:

Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode

or

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode

Both commands accomplish the same task---one adds new ASR configuration, and the other updates existing settings---so the correct answers are B (Set-MpPreference ... AuditMode) and C (Add-MpPreference ... AuditMode).

This method follows Microsoft's official recommendation to always evaluate ASR rules in Audit Mode first to avoid disrupting legitimate macro-based workflows.

Question 2

You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

You deploy Azure Sentinel.

You need to use the existing logic app as a playbook in Azure Sentinel. What should you do first?



Answer : D

In Microsoft Sentinel, playbooks are Azure Logic Apps that automate responses to alerts or incidents. To use an existing Logic App as a playbook in Sentinel, it must start with the ''Microsoft Sentinel alert'' trigger. This trigger allows Sentinel to call and pass alert details to the Logic App automatically.

When an existing Logic App has a manual trigger, it cannot be invoked directly by Sentinel. Therefore, the first step is to modify the trigger to replace the manual trigger with the ''When a response to an Azure Sentinel alert is triggered'' trigger. After that, you can link it within Sentinel incidents or automation rules.

This process is detailed in Microsoft Defender XDR and Sentinel documentation under ''Connect a Logic App to Sentinel as a playbook.''

Hence, the correct answer is D. Modify the trigger in the logic app.


Question 3

You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements. Which policy should you modify?



Answer : C

The requirement states that Cloud App Security (Defender for Cloud Apps) must determine whether a user's connection is anomalous based on tenant-level patterns, and the current false positives occur when users connect through two office egress points at the same time. These symptoms align with the Impossible travel anomaly detection policy, which learns normal sign-in geolocation patterns and flags sign-ins from distant locations within an unrealistically short time window. To meet the requirement and reduce false positives, you modify the Impossible travel policy settings---such as excluding trusted corporate IP ranges/VPN egress points and tuning sensitivity---so detections better reflect tenant-wide behavior rather than isolated user hops via different office exits. Policies like Activity from anonymous/suspicious IP addresses rely on threat-intel lists of anonymizers or known-bad sources and don't address the ''two-office'' scenario. Risky sign-in is part of Azure AD Identity Protection, not the MCAS anomaly policy to tune here. Thus, the policy to modify is Impossible travel.


Question 4

You need to configure event monitoring for Server1. The solution must meet the Microsoft Sentinel requirements. What should you create first?



Answer : C

To monitor Windows Security events from Server1 using the Windows Security Events via AMA connector, the first object you must create is a Data Collection Rule (DCR). With the Azure Monitor Agent (AMA) model used by Microsoft Sentinel, data flow is controlled by DCRs, not by the legacy MMA/OMS workspace settings. A DCR defines what to collect (e.g., the Security event log, specific event IDs or XPath queries), from where (the target machines or machine groups), and where to send it (the Sentinel/Log Analytics workspace). After creating the DCR, you associate it with Server1 (Arc-enabled), and the connector will begin streaming Security events to your Sentinel workspace. Creating a Sentinel scheduled rule or an automation rule does not enable collection; those features act after data is already ingested. Event Grid topics are unrelated to Windows event collection. Therefore, the correct first step for meeting the Sentinel requirement to monitor Server1's Security log via AMA is to create a DCR, then assign it to Server1 and the Sentinel workspace.


Question 5

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.

Does this meet the goal?



Answer : A

In Azure Security Center (now part of Microsoft Defender for Cloud), when you receive a security alert, you can investigate it to understand the cause, impact, and resolution recommendations. The workflow described in the question aligns precisely with Microsoft's documented process for investigating alerts.

From the Security alerts page:

You select the specific alert to open the alert details pane.

Choose Take Action to view remediation options and recommended next steps.

Expand the Prevent future attacks section --- this section provides recommendations and hardening guidance directly related to the alert to help prevent similar issues from occurring again.

This section is specifically mentioned in Microsoft Defender for Cloud documentation:

''In the alert details page, select Take Action to view the remediation steps. Under Prevent future attacks, Defender for Cloud lists relevant security recommendations and actions that can mitigate or prevent the threat.''

Therefore, this solution meets the goal because selecting Take Action and expanding Prevent future attacks directly exposes the recommended remediation steps associated with that alert.

Answe r: A. Yes


Question 6

You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.

You need to mitigate the following device threats:

Microsoft Excel macros that download scripts from untrusted websites

Users that open executable attachments in Microsoft Outlook

Outlook rules and forms exploits

What should you use?



Answer : B

According to official Microsoft Defender for Endpoint documentation, Attack Surface Reduction (ASR) rules are specifically designed to block behaviors commonly used by malware and ransomware, such as malicious macro execution, script downloads from untrusted sources, and the abuse of Office applications to launch harmful executables or exploits.

In this scenario:

Excel macros downloading scripts from untrusted websites are mitigated by the ASR rule: ''Block Office applications from creating child processes'' and ''Block Office communication application from creating child processes.''

Users opening executable attachments in Outlook are covered by: ''Block executable content from email and webmail.''

Outlook rules and forms exploits are addressed by: ''Block Office applications from injecting code into other processes.''

Microsoft's Defender for Endpoint security baseline and documentation highlight that these rules ''reduce the attack surface by minimizing the number of entry points an attacker can use to exploit a system.'' Administrators can configure them through Microsoft Intune, Group Policy, or PowerShell, and monitor their effectiveness in the Microsoft 365 Defender portal under Threat & Vulnerability Management.

Other options like Defender Antivirus (A) focus on detecting known malware after execution rather than blocking risky behaviors preemptively. Windows Defender Firewall (C) controls network traffic, not application-level threats. Adaptive application control in Azure Defender (D) is used for whitelisting applications on Azure VMs, not on Microsoft 365 endpoints.

Therefore, the correct answer is: B. Attack surface reduction rules in Microsoft Defender for Endpoint

o365-worldwide


Question 7

You have five on-premises Linux servers.

You have an Azure subscription that uses Microsoft Defender for Cloud.

You need to use Defender for Cloud to protect the Linux servers.

What should you install on the servers first?



Answer : B

Defender for Cloud depends on the Log Analytics agent.

Use the Log Analytics agent if you need to:

* Collect logs and performance data from Azure virtual machines or hybrid machines hosted outside of Azure

* Etc.


https://docs.microsoft.com/en-us/azure/defender-for-cloud/os-coverage

https://docs.microsoft.com/en-us/azure/azure-monitor/agents/agents-overview#log-analytics-agent

Page:    1 / 14   
Total 391 questions