FreeExamDumps.in

SC-200 Practice Questions — Page 13

Question 121

You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named User1.

You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.

Which role should you assign to User1?

  • A. User Access Administrator
  • B. Owner
  • C. Contributor
  • D. Reader

Question 122

You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.

You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.

What should you create first?

  • A. a repository connection
  • B. a watchlist
  • C. an analytics rule
  • D. an automation rule

Question 123

You have an Azure subscription that contains 100 Linux virtual machines.

You need to configure Microsoft Sentinel to collect event logs from the virtual machines.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

[Exhibit: Question 123]

Question 124

You have a Microsoft Sentinel workspace.

You have a query named Query1 as shown in the following exhibit.

You plan to create a custom parser named Parser1.

You need to use Query1 in Parser1.

What should you do first?

[Exhibit: Question 124]

  • A. Remove line 5.
  • B. Remove line 2.
  • C. In line 3, replace the !contains operator with the !has operator.
  • D. In line 4, remove the TimeGenerated predicate.

Question 125

You have a Microsoft 365 E5 subscription that contains two users named User1 and User2.

You have the hunting query shown in the following exhibit.

The users perform the following actions:

• User1 assigns User2 the Global administrator role.

• User1 creates a new user named User3 and assigns the user a Microsoft Teams license.

• User2 creates a new user named User4 and assigns the user the Security reader role.

• User2 creates a new user named User5 and assigns the user the Security operator role.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

[Exhibit: Question 125]

Question 126

You have a Microsoft Sentinel workspace.

You develop a custom Advanced Security Information Model (ASIM) parser named Parser1 that produces a schema named Schema1.

You need to validate Schema1.

How should you complete the command? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

[Exhibit: Question 126]

Question 127

You have an Azure subscription.

You plan to implement a Microsoft Sentinel workspace. You anticipate that you will ingest 20 GB of security log data per day.

You need to configure storage for the workspace. The solution must meet the following requirements:

• Minimize costs for daily ingested data.

• Maximize the data retention period without incurring extra costs.

What should you do for each requirement? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

[Exhibit: Question 127]

Question 128

You have a Microsoft Sentinel workspace named sws1.

You plan to create an Azure logic app that will raise an incident in an on-premises IT service management system when an incident is generated in sws1.

You need to configure the Microsoft Sentinel connector credentials for the logic app. The solution must meet the following requirements:

• Minimize administrative effort.

• Use the principle of least privilege.

How should you configure the credentials? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

[Exhibit: Question 128]

Question 129

You have a Microsoft Sentinel workspace.

You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.

What are two ways to achieve this goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

  • A. Create a hunting query that references the built-in parser.
  • B. Build a custom unifying parser and include the built-in parser version.
  • C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
  • D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
  • E. Create an analytics rule that includes the built-in parser.

Question 130

You have a Microsoft Sentinel workspace named SW1.

You plan to create a custom workbook that will include a time chart.

You need to create a query that will identify the number of security alerts per day for each provider.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

[Exhibit: Question 130]