SC-200 Online Practice Questions and Answers

Correct Answer: D

Scenario: Microsoft Defender for Identity Requirements: Minimize the administrative effort required to investigate the false positive alerts.

Defender for Identity raises a high volume of Suspected DCSync attack alerts that are false positives.

Note: Suspected DCSync attack (replication of directory services) (external ID 2006)

Previous name: Malicious replication of directory services.

Description

Active Directory replication is the process by which changes that are made on one domain controller are synchronized with all other domain controllers. Given necessary permissions, attackers can initiate a replication request, allowing them

to retrieve the data stored in Active Directory, including password hashes.

In this detection, an alert is triggered when a replication request is initiated from a computer that isn't a domain controller.

If the source computer is a domain controller, failed or low certainty resolution can prevent Defender for Identity from being able to confirm identification.

Check if the source computer is a domain controller? If the answer is yes, Close the alert as a B-TP activity.

Reference:

https://learn.microsoft.com/en-us/defender-for-identity/domain-dominance-alerts

Correct Answer: B

Correct Answer: ACD

Reference: https://www.drware.com/how-to-use-tagging-effectively-in-microsoft-defender-for-endpoint-part-1/

Correct Answer: C

https://docs.microsoft.com/en-us/azure/sentinel/roles

Correct Answer: AD

To enable auditing for sensitive groups, you need to configure the Advanced Audit Policy Configuration settings for the domain controllers. This can be done by modifying the Default Domain Controllers Policy in the Group Policy Management Console (GPMC) and enabling the "Audit Detailed Directory Service Replication" policy under "Advanced Audit Policy Configuration\DS Access". This will generate audit events when sensitive groups are modified.

Windows Event Forwarding can be used to forward the audit events generated by the domain controllers to Azure Sentinel for analysis. This involves configuring a subscription on the domain controllers and a collection rule in Azure Sentinel to collect the forwarded events.

Reference: https://docs.microsoft.com/en-us/defender-for-identity/configure-windows-event-collection https://docs.microsoft.com/en-us/defender-for-identity/configure-event-collection

Correct Answer: A

There are two methods for avoiding false positives:

Automation rules create exceptions without modifying analytics rules.

Scheduled analytics rules modifications permit more detailed and permanent exceptions.

Automation rules

Can apply to several analytics rules.

Keep an audit trail. Exceptions prevent incident creation, but alerts are still recorded for audit purposes.

Are often generated by analysts.

Allow applying exceptions for a limited time. For example, maintenance work might trigger false positives that outside the maintenance timeframe would be true incidents.

Incorrect:

Not A: Analytics rules modifications

Allow advanced boolean expressions and subnet-based exceptions.

Let you use watchlists to centralize exception management.

Typically require implementation by Security Operations Center (SOC) engineers.

Are the most flexible and complete false positive solution, but are more complex

Reference:

https://docs.microsoft.com/en-us/azure/sentinel/false-positives

Correct Answer: A

Fusion rules in Microsoft Sentinel are rules that are used to detect advanced multistage attacks by combining alerts and activities from different sources. Fusion rules can be used to identify attacks that may not be detectable by a single alert or activity, making them particularly useful for detecting complex attacks that involve multiple stages.

Correct Answer: D

Deploy parsers

Deploy parsers manually by copying them to the Azure Monitor Log page and saving the query as a function. This method is useful for testing.

To deploy a large number of parsers, we recommend using parser ARM templates, as follows:

Create a YAML file based on the relevant template for each schema and include your query in it. Start with the YAML template relevant for your schema and parser type, filtering or parameter-less.

Use the ASIM Yaml to ARM template converter to convert your YAML file to an ARM template.

If deploying an update, delete older versions of the functions using the portal or the function delete PowerShell tool.

Deploy your template using the Azure portal or PowerShell.

Reference:

https://learn.microsoft.com/en-us/azure/sentinel/normalization-develop-parsers

Correct Answer: A

Exclude machines from scanning Agentless scanning applies to all of the eligible machines in the subscription. To prevent specific machines from being scanned, you can exclude machines from agentless scanning based on your pre-existing environment tags. When Defender for Cloud performs the continuous discovery for machines, excluded machines are skipped.

To configure machines for exclusion:

1.

From Defender for Cloud's menu, open Environment settings.

2.

Select the relevant subscription or multicloud connector.

3.

For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

4.

For agentless scanning, select Edit configuration.

5.

Enter the tag name and value that applies to the machines that you want to exempt. You can enter multiple tag:value pairs.

6.

Select Save to apply the changes.

Note:

Defender for Servers Plan 1 is entry-level and must be enabled at the subscription level.

Features include:

Foundational cloud security posture management (CSPM), which is provided free by Defender for Cloud.

Defender for Servers Plan 2 provides all features. The plan must be enabled at the subscription level and at the workspace level to get full feature coverage. Features include:

All the functionality that's provided by Defender for Servers Plan 1.

More extended detection and response (XDR) capabilities. Reference:

https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-agentless-scanning-vms#exclude-machines-from-scanning https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan

Correct Answer:

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide

Correct Answer:

Box 1: _Im_Dns

Example:

If your data source supports full DNS logging and you've chosen to log multiple segments, adjust your queries to prevent data duplication in Microsoft Sentinel.

For example, you might modify your query with the following normalization:

KQL

_Im_Dns | where SrcIpAddr != "127.0.0.1" and EventSubType == "response"

Box 2: | where TimeGenerated > ago(1d) | where ResponseCodeName =~ "NXDOMAIN" Example without filtering parameters would look like this:

Kusto

_Im_Dns | where TimeGenerated > ago(1d) | where ResponseCodeName =~ "NXDOMAIN" | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

Incorrect:

(starttime=ago(1d), responsecodename='NXDOMAIN'

Closing parantheses missing.

Correct would be: (starttime=ago(1d), responsecodename='NXDOMAIN') as in the following code:

_Im_Dns(starttime=ago(1d), responsecodename='NXDOMAIN') | summarize count() by SrcIpAddr, bin(TimeGenerated,15m)

Reference: https://learn.microsoft.com/en-us/azure/sentinel/normalization-schema-dns

Correct Answer:

Microsoft Sentinel hunting query OperationNameValue ActivityStatusValue EventSubmissionTimeStamp

Microsoft Sentinel hunting query AccountCustomEntity

Box 1: AzureActivity

The AzureActivity table includes data from many services, including Microsoft Sentinel. To filter in only data from Microsoft Sentinel, start your query with the following code:

| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS"

For example, to find out who was the last user to edit a particular analytics rule, use the following query (replacing xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with the rule ID of the rule you want to check):

AzureActivity

| where OperationNameValue startswith "MICROSOFT.SECURITYINSIGHTS/ALERTRULES/WRITE"

| where Properties contains "alertRules/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"

| project Caller , TimeGenerated , Properties

Box 2: where

Example:

Find all actions taken by a specific user in the last 24 hours

The following AzureActivity table query lists all actions taken by a specific Azure AD user in the last 24 hours.

AzureActivity

| where OperationNameValue contains "SecurityInsights"

| where Caller == "[AzureAD username]"

| where TimeGenerated > ago(1d)

Reference:

https://learn.microsoft.com/en-us/azure/sentinel/audit-sentinel-data

Correct Answer:

Box 1: Investigate

1.

To begin an investigation, select a specific incident. On the right, you can see detailed information for the incident including its severity, summary of the number of entities involved, the raw events that triggered this incident, the incident's unique ID, and any mapped MITRE ATTandCK tactics or techniques.

2.

To view more details about the alerts and entities in the incident, select View full details in the incident page and review the relevant tabs that summarize the incident information.

A page similar to the exhibit will be shown.

3.

Select Investigate to view the investigation map.

Incorrect:

Entities

In the Entities tab, you can see all the entities that you mapped as part of the alert rule definition. These are the objects that played a role in the incident, whether they be users, devices, addresses, files, or any other types.

Alerts

In the Alerts tab, review the alerts included in this incident. You'll see all relevant information about the alerts

Correct Answer:

Correct Answer:

Reference: https://docs.microsoft.com/en-us/azure/security-center/quickstart-onboard-gcp