SC-200 Exam Free Practice Questions (Microsoft Security Operations Analyst Certification)
You have the resources shown in the following table.

You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to use Defender for Cloud to protect VM1 and Server1. The solution must meet the following requirements:
* Support Advanced Threat Protection and vulnerability assessment
* Register each SQL Server 2022 instance as a SQL virtual machine.
* Minimize implementation and administrative effort
What should you deploy to each server? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.



Correct answer:

Explanation:

VM1 is an Azure VM running SQL Server 2022. Registering the instance as a SQL virtual machine is the job of the SQL IaaS Agent extension: it creates the Microsoft.SqlVirtualMachine resource, which exposes SQL VM management and makes the SQL workload visible to Defender for Cloud. That single Azure VM extension is all you deploy by hand on VM1. The Defender for SQL servers on machines plan (Advanced Threat Protection plus vulnerability assessment) collects its signals through the Azure Monitor Agent (AMA); when the plan's autoprovisioning for SQL servers on machines is enabled, Defender for Cloud pushes that agent itself, which keeps administrative effort to a minimum. If autoprovisioning is off, plan on deploying AMA to VM1 as well; the answer below reflects the option set this question uses.
Server1 is an on-premises server that is already Arc-enabled, so the Arc Connected Machine agent is in place. To register each SQL Server 2022 instance and protect it, deploy the Azure extension for SQL Server (WindowsAgent.SqlServer) as an Arc extension; this creates the SQL Server - Azure Arc resource that Defender for Cloud uses to surface threat protection and vulnerability assessment findings. Data collection on the Arc server uses the Azure Monitor Agent; the Log Analytics agent is retired and should not be used for new deployments.
Therefore:
* VM1: only the Azure VM extension (SQL IaaS Agent extension).
* Server1: AMA + an Azure (Arc) extension (Azure extension for SQL Server).
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a user named User1.
You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security policies. The solution must follow the principle of least privilege.
Which role should you assign to User1?
Correct answer: A
Explanation: (visible to GoShiken members only)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.
You detect malicious activity on Device1.
You initiate a live response session on Device1.
You need to perform the following actions:
* Download a file from the live response library.
* Stop a process that is running on Device1.
Which live response command should you run for each action? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

In a Microsoft Defender for Endpoint live response session, each investigation or remediation task has its own command, and the names matter because several of them look alike:
* getfile <file_path> downloads a file. It is the retrieval command of the session and is the answer for the first task.
* remediate <entity> remediates an entity on the device. The action depends on the entity type: a process is stopped (and its image file deleted), a file is deleted, a service is stopped, a scheduled task or startup item is removed. Stopping a running process in live response is done through remediate; there is no separate kill command.
Other commands in the option set serve different purposes:
* library lists the files that have been uploaded to the live response library (library delete <file> removes one); uploading is done from the portal.
* putfile <file> copies a file from the library onto the device, the opposite direction to getfile.
* analyze <entity> runs the incident response engines against a file or process and returns a verdict; it takes no action on the device.
* services does not stop processes; running processes are listed with processes and stopped with remediate.
Note that putfile, remediate, library and analyze are advanced commands and require the live response advanced commands permission, while getfile is a basic command.
Therefore, for this scenario, the correct live response commands are:
* Download a file from the live response library: getfile
* Stop a process that is running on Device1: remediate
You are investigating a potential attack that deploys a new ransomware strain.
You plan to perform automated actions on a group of highly valuable machines that contain sensitive information.
You have three custom device groups.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct answer: B, D, E
Explanation: (visible to GoShiken members only)
You have a Microsoft 365 E5 subscription.
You need to configure Microsoft Defender XDR automatic attack disruption to use signals generated by Microsoft Defender for Cloud Apps.
Which two actions should you perform for Defender for Cloud Apps in the Microsoft Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct answer: A, D
You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector.
While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query.

By which two components can you group alerts into incidents? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
Correct answer: A, B
Explanation: (visible to GoShiken members only)
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You are investigating an incident.
You need to review the incident tasks that were performed. The solution must include a query that will display the incidents in a workbook, and then display the tasks of each incident in another grid.
Which table should you target in the query?
Correct answer: D
Explanation: (visible to GoShiken members only)
Your on-premises network contains 100 servers that run Windows Server.
You have an Azure subscription that uses Microsoft Sentinel.
You need to upload custom logs from the on-premises servers to Microsoft Sentinel.
What should you do? To answer, select the appropriate options in the answer area.

Correct answer:

Explanation:

Microsoft Sentinel stores all of its data in a Log Analytics workspace, so ingesting custom logs from on-premises servers means installing a collection agent on each server and defining the custom log source at the workspace level. The steps this question expects are:
* Install the Log Analytics agent (MMA/OMS agent) on each on-premises Windows Server that will send logs. The agent forwards Windows event logs, performance counters and custom text log files to the workspace.
* The Microsoft Dependency agent only supplies Service Map / VM insights dependency data; it does not ingest logs.
* The Azure Connected Machine agent (Azure Arc) onboards a server for Azure management and is the prerequisite for deploying the Azure Monitor Agent to it, but on its own it does not define custom log collection.
* Define the custom log in the workspace: open the workspace behind Sentinel, then Advanced settings > Data > Custom Logs, and specify a sample file, the record delimiter, the collection path and the custom table name. The configuration lives at the workspace level because Sentinel queries the workspace's tables.
The Sentinel Data connectors page and Logs blade connect integrated services and run queries; neither defines a custom ingestion source.
Caveat for current deployments: the Log Analytics agent was retired on 31 August 2024. On a new workspace the same outcome is reached with the Azure Monitor Agent and a data collection rule with a Custom Text Logs (or JSON Logs) data source, with the DCR associated to the Arc-enabled machines for on-premises servers. The legacy selections below are what this question expects.
Therefore, the expected configuration steps are:
* On the servers, install the: Log Analytics agent
* Configure custom log settings by using the: Log Analytics workspace settings of Microsoft Sentinel
You have on-premises servers that run Windows Server.
You have a Microsoft Sentinel workspace named SW1. SW1 is configured to collect Windows Security log entries from the servers by using the Azure Monitor Agent data connector.
You plan to limit the scope of collected events to events 4624 and 4625 only.
You need to use a PowerShell script to validate the syntax of the filter applied to the connector.
How should you complete the script? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

The Windows Security Events via AMA connector stores its filter in a data collection rule (DCR) as an XPath query, which limits which event IDs are collected and so reduces ingestion volume. In the DCR the query is written with the channel name as a prefix, so restricting collection to successful sign-ins (4624) and failed sign-ins (4625) is:
Security!*[System[(EventID=4624 or EventID=4625)]]
The same filter can be checked locally with Get-WinEvent, which offers three filter parameters: -FilterHashtable, -FilterXml and -FilterXPath. Only -FilterXPath accepts the XPath string itself, so it is the parameter to use. Get-WinEvent takes the channel through -LogName, and the "Channel!" prefix used by the DCR is not valid XPath, so pass only the part after the exclamation mark:
$events = '*[System[(EventID=4624 or EventID=4625)]]'
Get-WinEvent -LogName 'Security' -FilterXPath $events
A syntax error in the XPath raises an error immediately. A valid filter that matches nothing reports "No events were found that match the specified selection criteria", which still confirms that the syntax is accepted. Run the check from an elevated PowerShell session, because the Security log is not readable by standard users.
Therefore, the correct completed script is:
$events = '*[System[(EventID=4624 or EventID=4625)]]'
Get-WinEvent -LogName 'Security' -FilterXPath $events
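The following script is an added example and not part of the original question or of Microsoft's documentation. It takes XPath queries in the form the AMA data collection rule stores them (with the "Channel!" prefix), strips the prefix for Get-WinEvent, and reports whether each filter is syntactically valid and whether it currently matches anything. The list of queries and the 256-character limit check are assumptions for the example; run it in an elevated PowerShell session on a Windows host.

```powershell
# Added example: validate DCR-style XPath filters locally with Get-WinEvent.
# Constructed input: the filter from the question plus a deliberately broken one.
$dcrXPathQueries = @(
    'Security!*[System[(EventID=4624 or EventID=4625)]]',
    'Security!*[System[(EventID=4624 or EventID=4625)]'   # missing bracket, must fail
)

function Test-DcrXPathQuery {
    param([Parameter(Mandatory)][string]$Query)

    # The DCR form is 'Channel!XPath'; the '!' is not XPath, so split it off.
    $channel, $xpath = $Query -split '!', 2
    if (-not $xpath) {
        return [pscustomobject]@{ Query = $Query; Status = 'FAIL'; Detail = "No 'Channel!' prefix; AMA expects Channel!XPath" }
    }
    if ($Query.Length -gt 256) {
        # AMA documents a 256-character limit per XPath query.
        return [pscustomobject]@{ Query = $Query; Status = 'FAIL'; Detail = 'Query longer than 256 characters' }
    }

    try {
        # -MaxEvents keeps the probe fast; -ErrorAction Stop turns the
        # "no events found" case into a catchable exception.
        $events = Get-WinEvent -LogName $channel -FilterXPath $xpath -MaxEvents 5 -ErrorAction Stop
        return [pscustomobject]@{ Query = $Query; Status = 'OK'; Detail = "$($events.Count) matching event(s) in sample" }
    }
    catch {
        if ($_.Exception.Message -like 'No events were found*') {
            # Syntax accepted by the event log service, just nothing to return yet.
            return [pscustomobject]@{ Query = $Query; Status = 'OK'; Detail = 'Syntax valid, no matching events' }
        }
        # Invalid XPath surfaces here as "The specified query is invalid".
        return [pscustomobject]@{ Query = $Query; Status = 'FAIL'; Detail = $_.Exception.Message }
    }
}

$dcrXPathQueries | ForEach-Object { Test-DcrXPathQuery -Query $_ } | Format-Table -AutoSize -Wrap
```

Paste the queries exactly as they appear in the DCR's xPathQueries list; the function removes the prefix itself, so a copy that still has "Security!" in it is what you want to test.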
You create a custom analytics rule to detect threats in Azure Sentinel.
You discover that the rule fails intermittently.
What are two possible causes of the failures? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
Correct answer: C, D
Explanation: (visible to GoShiken members only)
You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft 365 Defender.
You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.
Which response action should you use?
Correct answer: D
Explanation: (visible to GoShiken members only)
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender for Endpoint.
You need to ensure that you can initiate remote shell connections to Windows servers by using the Microsoft 365 Defender portal.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.


Correct answer:

Explanation:

In Microsoft Defender for Endpoint , the Live Response feature enables security analysts to remotely connect to devices (including servers) via a secure shell session directly from the Microsoft 365 Defender portal . This feature allows real-time investigation, evidence collection, and remediation commands without requiring direct network access to the device.
To enable this capability for Windows servers , you must first enable the "Live Response for Servers" advanced feature within Defender for Endpoint settings. Microsoft's documentation explicitly states that this setting allows remote shell access to onboarded Windows Server devices, which is disabled by default for security reasons.
Once the advanced feature is enabled, Live Response permissions and functionality are managed at the device group level. Device groups in Defender for Endpoint are typically configured using device tags , which classify and organize endpoints (e.g., by department, OS type, or role). Tag-based grouping allows administrators to apply policies or features (like Live Response) efficiently to specific sets of devices, such as only production servers.
Alternative options such as "Automation level" or "device value" are unrelated - automation level controls auto-remediation, while device value assigns importance for alert prioritization.
Thus, the correct configuration steps are:
* Enable Live Response for Servers under advanced features.
* Apply the configuration to the target device group identified by a device tag .
Final answer:
* Advanced feature: Live Response for Servers
* For the device group: A device tag
You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1.
You need to configure just-in-time (JIT) VM access for the virtual machines in RG1. The solution must meet the following requirements:
* Limit the maximum request time to two hours.
* Limit protocol access to Remote Desktop Protocol (RDP) only.
* Minimize administrative effort.
What should you use?
Correct answer: A
Explanation: (visible to GoShiken members only)
You need to use an Azure Sentinel analytics rule to search for specific criteria in Amazon Web Services (AWS) logs and to generate incidents.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Correct answer:

Explanation:

To search Amazon Web Services (AWS) logs for specific criteria and raise incidents in Microsoft Sentinel, the steps run in this order:
* Add the Amazon Web Services (AWS) connector.
* Sentinel cannot query AWS activity until it has been ingested. The AWS connector pulls CloudTrail (and, with the S3-based connector, VPC Flow Logs and GuardDuty findings) into the workspace; CloudTrail events land in the AWSCloudTrail table. Without the connector there is no AWS data for a rule to run against.
* Create a custom analytics rule that uses a scheduled query.
* With data flowing, create a Scheduled query rule whose KQL runs against the AWS tables on a timer to find the condition of interest (for example, failed console sign-ins or changes to VPC settings).
* Set the alert logic.
* In the rule wizard, the alert logic defines how often the query runs, how far back it looks, the result threshold that triggers an alert, the severity, entity mappings and incident settings. This is what turns query results into alerts and grouped incidents.
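The script below is an added example, not part of the original question, showing the three steps as they would be scripted with the Az PowerShell modules. Assumptions: Az.Accounts, Az.OperationalInsights and Az.SecurityInsights are installed, the caller holds Microsoft Sentinel Contributor on the workspace, the AWS connector has already been configured in the portal (it needs the IAM role ARN), and the resource group and workspace names are placeholders. The detection logic (failed AWS console sign-ins) is constructed for the example; check the New-AzSentinelAlertRule parameter names against the installed module version.

```powershell
# Added example: verify AWS data is flowing, then create a scheduled rule
# with explicit alert logic. Resource names are placeholders.
$rg = 'rg-sentinel'      # assumed resource group
$ws = 'law-sentinel'     # assumed Log Analytics workspace that hosts Sentinel

Connect-AzAccount | Out-Null

# Step 1 check: the AWS connector was added in the portal; confirm the
# AWSCloudTrail table is actually receiving rows before building on it.
$wsId  = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId
$probe = Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query @'
AWSCloudTrail
| where TimeGenerated > ago(1d)
| summarize Events = count()
'@
if (-not $probe.Results -or [int]$probe.Results[0].Events -eq 0) {
    throw 'No AWSCloudTrail rows in the last day: add or verify the AWS connector first.'
}

# Step 2: the scheduled query. Ten or more failed console sign-ins for one
# user within an hour, with the source IPs kept for the analyst.
$kql = @'
AWSCloudTrail
| where EventName == "ConsoleLogin"
| where tostring(parse_json(ResponseElements).ConsoleLogin) == "Failure"
| summarize Failures = count(), Sources = make_set(SourceIpAddress)
    by UserIdentityUserName, bin(TimeGenerated, 1h)
| where Failures >= 10
'@

# Step 3: alert logic. Run hourly over the last hour; any returned row is an
# alert (GreaterThan 0), and each alert becomes an incident by default.
$rule = New-AzSentinelAlertRule -ResourceGroupName $rg -WorkspaceName $ws `
    -Kind Scheduled `
    -DisplayName 'AWS console sign-in brute force (constructed example)' `
    -Description 'Ten or more failed AWS console sign-ins for one user within an hour.' `
    -Severity Medium `
    -Query $kql `
    -QueryFrequency (New-TimeSpan -Hours 1) `
    -QueryPeriod   (New-TimeSpan -Hours 1) `
    -TriggerOperator GreaterThan -TriggerThreshold 0 `
    -Enabled

$rule | Select-Object Name, Kind, Severity, Enabled
```

Keeping the query period equal to the query frequency means each run looks at a window that does not overlap the previous one, so a burst of failures is counted once; widen QueryPeriod only if you also want the rule to re-alert on activity it has already seen.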