SC-200 Free Practice Test

- (Exam Topic 3)
You recently deployed Azure Sentinel.
You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled. You need to ensure that the Fusion rule can generate alerts.
What should you do?

1. A. Disable, and then enable the rule.
2. B. Add data connectors
3. C. Create a new machine learning analytics rule.
4. D. Add a hunting bookmark.

Correct Answer: B
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources

- (Exam Topic 2)
You need to add notes to the events to meet the Azure Sentinel requirements.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of action to the answer area and arrange them in the correct order.

Solution:
Graphical user interface, text, application Description automatically generated
Reference:
https://docs.microsoft.com/en-us/azure/sentinel/bookmarks

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 3)
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort
Which blade should you use in the Microsoft 365 Defender portal?

1. A. Advanced hunting
2. B. Threat analytics
3. C. Incidents & alerts
4. D. Learning hub

Correct Answer: B
To review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription, you should use the Threat Analytics blade in the Microsoft 365 Defender portal. The Threat Analytics blade provides insights into attack techniques, configuration vulnerabilities, and suspicious activities, and it can help you identify risks and prioritize threats in your environment.
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-365-defender-threat-analyti

- (Exam Topic 3)
You have an Azure Storage account that will be accessed by multiple Azure Function apps during the development of an application.
You need to hide Azure Defender alerts for the storage account.
Which entity type and field should you use in a suppression rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Solution:
Graphical user interface, application Description automatically generated
Reference:
https://techcommunity.microsoft.com/t5/azure-security-center/suppression-rules-for-azure-security-center-alerts

Does this meet the goal?

1. A. Yes
2. B. No

Correct Answer: A

- (Exam Topic 3)
You have a Microsoft Sentinel workspace.
You have a query named Query1 as shown in the following exhibit.

You plan to create a custom parser named Parser 1. You need to use Query1 in Parser1. What should you do first?

1. A. Remove line 2.
2. B. In line 4. remove the TimeGenerated predicate.
3. C. Remove line 5.
4. D. In line 3, replace the 'contains operator with the !has operator.

Correct Answer: C
This can be confirmed by referring to the official Microsoft documentation on creating custom log queries in Azure Sentinel, which states that the “has” operator should not be used in the query, and that it is unnecessary. Reference: https://docs.microsoft.com/en-us/azure/sentinel/query-custom-logs