Online Access Free SC-200 Practice Test

You have a Microsoft 365 E5 subscription.
You need to configure Microsoft Defender XDR automatic attack disruption to use signals generated by Microsoft Defender for Cloud Apps.
Which two actions should you perform for Defender for Cloud Apps in the Microsoft Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

• A.Enable the Microsoft 365 connector.
• B.From Information protection, enable file monitoring.
• C.Add a log collector for automatic log upload.
• D.Turn on app governance.
• E.Deploy Cloud Discovery user enrichment.

You have a Microsoft Sentinel workspace named sws1.
You need to create a hunting query to identify users that list storage keys of multiple Azure Storage accounts.
The solution must exclude users that list storage keys for a single storage account.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:
Box 1: AzureActivity
The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:
Box 2: autocluster()
Example: description: |
' Listing of storage keys is an interesting operation in Azure which might expose additional secrets and PII to callers as well as granting access to VMs. While there are many benign operations of this type, it would be interesting to see if the account performing this activity or the source IP address from which it is being done is anomalous.
The query below generates known clusters of ip address per caller, notice that users which only had single operations do not appear in this list as we cannot learn from it their normal activity (only based on a single event). The activities for listing storage account keys is correlated with this learned clusters of expected activities and activity which is not expected is returned. ' AzureActivity
| where OperationNameValue =~ " microsoft.storage/storageaccounts/listkeys/action "
| where ActivityStatusValue == " Succeeded "
| join kind= inner (
AzureActivity
| where OperationNameValue =~ " microsoft.storage/storageaccounts/listkeys/action "
| where ActivityStatusValue == " Succeeded "
| project ExpectedIpAddress=CallerIpAddress, Caller
| evaluate autocluster()
) on Caller
| where CallerIpAddress != ExpectedIpAddress
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), ResourceIds = make_set (ResourceId), ResourceIdCount = dcount(ResourceId) by OperationNameValue, Caller, CallerIpAddress
| extend timestamp = StartTime, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress Reference: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/AzureActivity
/Anomalous_Listing_Of_Storage_Keys.ya ml

You need to correlate data from the SecurityEvent Log Anarytks table to meet the Microsoft Sentinel requirements for using UEBA. Which Log Analytics table should you use?

• A.Identityinfo
• B.SentwlAuoNt
• C.IdentityOirectoryEvents
• D.AADRiskyUsers

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 1 and contains a macOS device named Device1.
You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:
* Identify all the active network connections on Device1.
* Identify all the running processes on Device1.
* Retrieve the login history of Device1.
* Minimize administrative effort.
What should you do first from the Microsoft Defender portal?

• A.From Devices, click Collect investigation package for Device 1.
• B.From Devices, initiate a live response session on Device1.
• C.From Advanced features in Endpoints, enable Live Response unsigned script execution.
• D.From Advanced features in Endpoints, disable Authenticated telemetry.

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1. You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.
You need to identify which blobs were deleted.
What should you review?

• A.the activity logs of storage1
• B.the Azure Storage Analytics logs
• C.the alert details
• D.the related entities of the alert