Online Access Free SC-200 Exam Questions

You have a Microsoft Sentinel workspace.
You have a KQL query. The query returns Microsoft Sentinel incidents that are stored in the Securitylncident table and occurred during the last 90 days.
You need to create a Microsoft Sentinel workbook that will include a visualization of the query.
To what should you set Data source and Resource type for the workbook? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

When you create a Microsoft Sentinel workbook that visualizes data retrieved using a Kusto Query Language (KQL) query, the workbook must use a data source that supports log analytics queries. According to Microsoft Sentinel and Azure Monitor documentation, Logs (Analytics) is the correct data source type for querying tables stored within a Log Analytics workspace , such as the SecurityIncident table. This table is where Microsoft Sentinel stores incident data.
In the workbook configuration, the Resource type determines which service the query context applies to.
Since you are querying Microsoft Sentinel incidents (not general Azure Monitor logs or metrics), you must set the resource type to Microsoft Sentinel . This ensures that the workbook is connected to Sentinel's analytics schema and can display visualizations (charts, metrics, timelines) based on Sentinel's native data tables.
Alternative resource types such as Log Analytics or Workspace could technically access the same data, but Microsoft Sentinel documentation recommends selecting Microsoft Sentinel when the workbook is designed for security operations and incident analysis. This provides tighter integration with the SOC dashboard experience, Sentinel permissions, and security insights views.
# Therefore, the correct selections are:
* Data source: Logs (Analytics)
* Resource type: Microsoft Sentinel

You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign- events in near real time.
What should you do to route events to the SIEM solution?

• A.Configure the Diagnostics settings in Azure AD to stream to an event hub.
• B.Create an Azure Sentinel workspace that has an Azure Active Directory connector.
• C.Create an Azure Sentinel workspace that has a Security Events connector.
• D.Configure the Diagnostics settings in Azure AD to archive to a storage account.

Your on-premises network contains two Active Directory Domain Services (AD DS) domains named contoso.
com and fabrikam.com. Contoso.com contains a group named Group1. Fabrikam.com contains a group named Group2.
You have a Microsoft Sentinel workspace named WS1 that contains a scheduled query rule named Rule1.
Rule1 generates alerts in response to anomalous AD DS security events. Each alert creates an incident.
You need to implement an incident triage solution that meets the following requirements:
Security incidents from contoso.com must be assigned to Group1.
Security incidents from fabrikam.com must be assigned to Group2.
Administrative effort must be minimized.
What should you include in the solution?

• A.two automation rules assigned to Rule1
• B.one automation rule assigned to Rule1
• C.a playbook that is triggered by the creation of an alert
• D.a playbook that is triggered by the creation of an incident

You receive an alert from Azure Defender for Key Vault.
You discover that the alert is generated from multiple suspicious IP addresses.
You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users.
What should you do first?

• A.Create an application security group.
• B.Enable the Key Vault firewall.
• C.Modify the access control settings for the key vault.
• D.Modify the access policy for the key vault.

You need to build a KQL query in a Microsoft Sentinel workspace. The query must return the SecurityEvent record for accounts that have the last record with an EventID value of 4624. How should you complete the query ' To answer, select the appropriate options in the answer area.
NOTE: Each coned selection is worth one point

Correct Answer:

Explanation:

SecurityEvent
| where EventID == 4624
| summarize arg_max(TimeGenerated, *) by Account
Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps) documents: = This query is designed for Microsoft Sentinel (Log Analytics) to identify the latest successful logon (Event ID
4624) for each account. Event ID 4624 in the SecurityEvent table indicates a successful logon in Windows security logs.
Let's break down the logic step-by-step:
| where EventID == 4624
This line filters the SecurityEvent table to include only records that correspond to successful logon events.
Filtering first ensures that only relevant events are processed by the summarization step, improving performance and accuracy.
| summarize arg_max(TimeGenerated, *) by Account
The arg_max() aggregation function retrieves the record that has the maximum value of TimeGenerated for each Account.
The * symbol ensures that all columns from that most recent record are returned (not just TimeGenerated and Account).
In this context, this means we get the most recent 4624 logon event per user account.
Why this order matters:
If arg_max() is placed before the where clause, the summarization would occur over all events first, not just
4624, producing incorrect results.
Therefore, the correct logical order is to filter first (where EventID == 4624), and then summarize (arg_max (TimeGenerated, *) by Account).
Alternative incorrect options explained:
summarize make_list(Account) or make_set(Account) by EventID # These aggregate account names for each EventID, not the most recent event per account.
Placing where EventID == 4624 after summarize # Filters after aggregation, which won't return correct results per account.