Microsoft (SC-200): Security Operations Analyst Sample Questions
Advanced Sample Questions
What is the primary objective of a security operations center (SOC)?
- A) To prevent security breaches and unauthorized access
- B) To detect and respond to security incidents
- C) To design and implement security policies
- D) To train employees on security best practices
Answer: B) To detect and respond to security incidents
Explanation: The primary objective of a security operations center (SOC) is to detect and respond to security incidents in a timely and effective manner. The SOC is responsible for monitoring network activity, detecting security incidents, and responding to them to minimize the impact of security breaches.
What type of attack is the most common in a cyber-attack?
- A) SQL injection attack
- B) Cross-site scripting attack
- C) Distributed denial of service (DDoS) attack
- D) Remote code execution attack
Answer: C) Distributed denial of service (DDoS) attack
Explanation: A distributed denial of service (DDoS) attack is the most common type of cyber-attack. In a DDoS attack, multiple systems are used to overwhelm a single target, such as a website or server, causing it to become unavailable to users. DDoS attacks are often used to disrupt services or as a smokescreen for more targeted attacks.
What is the process of identifying and remediating security vulnerabilities known as?
- A) Penetration testing
- B) Security assessment
- C) Vulnerability scanning
- D) Risk management
Answer: C) Vulnerability scanning
Explanation: Vulnerability scanning is the process of identifying and remedying security vulnerabilities in a network or system. This process involves using automated tools to identify known vulnerabilities in systems and applications, as well as other weaknesses that could be exploited by attackers. The results of a vulnerability scan can be used to prioritize remediation efforts and improve the overall security posture of an organization.
What is the purpose of an incident response plan?
- A) To prevent security incidents from happening
- B) To minimize the impact of security incidents
- C) To respond to security incidents in a timely and effective manner
- D) To determine the cause of security incidents
Answer: C) To respond to security incidents in a timely and effective manner
Explanation: An incident response plan is a documented set of procedures and processes that outlines how an organization will respond to security incidents. The purpose of an incident response plan is to ensure that security incidents are responded to in a timely and effective manner, minimizing the impact on the organization and its customers. The plan should include a clear definition of roles and responsibilities, procedures for responding to specific types of incidents, and guidance for communicating with stakeholders during an incident.
What is the purpose of a disaster recovery plan?
- A) To prevent disasters from happening
- B) To minimize the impact of disasters
- C) To respond to disasters in a timely and effective manner
- D) To ensure the continuation of critical business processes in the event of a disaster
Answer: D) To ensure the continuation of critical business processes in the event of a disaster
Explanation: A disaster recovery plan is a documented set of procedures and processes that outlines how an organization will respond to a disaster, such as a natural disaster, cyber-attack, or data center failure. The purpose of a disaster recovery plan is to ensure the continuation of critical business processes in the event of a disaster, minimizing the impact on the organization and its customers. The plan should include procedures for data backup and recovery, communication and notification procedures, and guidance for restoring critical systems and applications.
What is the primary purpose of a security information and event management (SIEM) system?
- A) To monitor network activity in real-time
- B) To automate the response to security incidents
- C) To enforce security policies
- D) To provide visibility into security events and alerts
Answer: D) To provide visibility into security events and alerts
Explanation: The primary purpose of a security information and event management (SIEM) system is to provide visibility into security events and alerts generated by network devices, security tools, and other sources. SIEM systems collect, correlate, and analyze security events in real-time to identify potential threats and assist in incident response. SIEM systems provide a centralized view of security events, making it easier to identify and respond to security incidents.
What type of security control is used to detect and prevent unauthorized access to sensitive information?
- A) Encryption
- B) Firewall
- C) Access control
- D) Intrusion detection system
Answer: C) Access control
Explanation: Access control is a type of security control that is used to detect and prevent unauthorized access to sensitive information. Access control systems are used to enforce security policies by controlling who is able to access specific resources, such as network systems, applications, or data. Access control systems can be based on roles, permissions, or other factors, and can include mechanisms such as authentication, authorization, and auditing.
What type of security control is used to protect against malware?
- A) Antivirus software
- B) Network firewall
- C) Data encryption
- D) Access control
Answer: A) Antivirus software
Explanation: Antivirus software is a type of security control that is used to protect against malware, such as viruses, Trojans, and other malicious code. Antivirus software scans incoming files and emails for known malware patterns, and can also scan the system for any malicious software that may have been installed. Antivirus software is an important tool for protecting against malware, and is often used in conjunction with other security controls, such as firewalls, access control systems, and data encryption.
What is the primary objective of a security audit?
- A) To prevent security incidents
- B) To determine the cause of security incidents
- C) To assess the effectiveness of security controls
- D) To respond to security incidents
Answer: C) To assess the effectiveness of security controls
Explanation: The primary objective of a security audit is to assess the effectiveness of security controls and identify any vulnerabilities in an organization’s security posture. Security audits can include assessments of network security, application security, data security, and other areas, and can be performed using a variety of methods, including manual assessments, automated scans, and penetration testing. The results of a security audit can be used to prioritize remediation efforts and improve the overall security posture of an organization.
What is the process of identifying and mitigating potential security threats known as?
- A) Risk assessment
- B) Penetration testing
- C) Vulnerability scanning
- D) Incident response
Answer: A) Risk assessment
Explanation: Risk assessment is the process of identifying and mitigating potential security threats to an organization. This process involves evaluating the likelihood and impact of potential security incidents, and determining the appropriate controls to mitigate those risks. Risk assessments can be performed on a regular basis, and can include assessments of technology, people, processes, and other factors that can impact the security of an organization. The results of a risk assessment can be used to prioritize remediation efforts and improve the overall security posture of an organization.
Basic Sample Questions
Question 1 – A virtual machine named VM1 is using Azure Defender in your Azure subscription. Azure Defender will receive false positive alerts if it detects suspicious behavior when using PowerShell on VM1. Accordingly, an alert suppression rule must be created. How will you proceed?
- A. adding workflow automation, from Azure Security Center
- B. running the Get-MPThreatCatalog cmdlet, on VM1
- C. triggering a PowerShell alert, on VM1
- D. exporting the alerts to a Log Analytics workspace, from Azure Security Center
Correct Answer: C
Question 2 – You are using Linux virtual machines on Amazon Web Services (AWS), and have deployed Azure Defender and enabled auto-provisioning. You are required to monitor the virtual machines by using Azure Defender.
Solution: Enabling Azure Arc and onboarding the virtual machines to Azure Arc.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Question 3 – You are using Linux virtual machines on Amazon Web Services (AWS), and have deployed Azure Defender and enabled auto-provisioning. You are required to monitor the virtual machines by using Azure Defender.
Solution: Manually install the Log Analytics agent on the virtual machines.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Question 4 – If a user tries to sign in from a location that has never been used by your organization’s other users previously, you should receive a security alert. Which of the given anomaly detection policy would you use?
- A. Impossible travel
- B. Activity from anonymous IP addresses
- C. Activity from infrequent country
- D. Malware detection
Correct Answer: C
Reference: https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
Question 5 – Among the Microsoft 365 subscriptions that you have, you have an Office 365 subscription that includes Microsoft Defender, and you have a SharePoint Online subscription that contains sensitive documents. Customer account numbers are comprised of 32 alphanumeric characters per document. You are required to create a data loss prevention (DLP) policy for protecting sensitive documents. What will you be using for detecting which documents are sensitive?
- A. SharePoint search
- B. a hunting query in Microsoft 365 Defender
- C. Azure Information Protection
- D. RegEx pattern matching
Correct Answer: C
Reference: https://docs.microsoft.com/en-us/azure/information-protection/what-is-information-protection
Question 6 – You use Microsoft Defender for Endpoint, and your documents contain macros in Microsoft Word. Documents are frequently accessed by accounting staff on their devices. In order to maintain the existing security posture, it’s important to hide false positives in the Alerts queue. Which three of the given actions would you perform?
- A. Resolving the alert automatically.
- B. Hiding the alert.
- C. Creating a suppression rule scoped to any device.
- D. Creating a suppression rule scoped to a device group.
- E. Generating the alert.
Correct Answer: BCE
Reference:
Question 7- During the course of your investigation, you discover three custom device groups that contain highly sensitive data, and you are investigating a potential ransomware attack that deploys a new strain of ransomware. The plan is to automate all devices, and you need to be able to temporarily group them in order to automate the actions. Which three of the given actions would you perform?
- A. Assigning a tag to the device group.
- B. Adding the device users to the admin role.
- C. Adding a tag to the machines.
- D. Creating a new device group that has a rank of 1.
- E. Creating a new admin role.
- F. Creating a new device group that has a rank of 4.
Correct Answer: ACD
Question 8 – As part of your Microsoft Defender integration with Active Directory, you are configuring Microsoft Defender. It is necessary to configure several accounts for attackers to exploit via the Microsoft Defender for identity portals.
Solution: adding the accounts as Honeytoken accounts, from Entity tags
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: A
Reference: https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
Question 9 – As part of your Microsoft Defender integration with Active Directory, you are configuring Microsoft Defender. It is necessary to configure several accounts for attackers to exploit via the Microsoft Defender for identity portals.
Solution: configuring the sign-in risk policy, from Azure AD Identity Protection
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Reference: https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
Question 10 – As part of your Microsoft Defender integration with Active Directory, you are configuring Microsoft Defender. It is necessary to configure several accounts for attackers to exploit via the Microsoft Defender for identity portals.
Solution: adding the accounts to an Active Directory group and then the group as a Sensitive group.
Does this meet the goal?
- A. Yes
- B. No
Correct Answer: B
Reference: https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts
Question 11 – You are working on the implementation of the Safe Attachments policies in Microsoft Defender for Office 365. Users have reported that email messages containing attachments are taking longer time to be received than expected. Delivering messages that contain attachments needs to be speeded up without compromising security, and attachments and messages with malware need to be scanned and blocked. What will you be configuring in the Safe Attachments policies?
- A. Dynamic Delivery
- B. Replace
- C. Block and Enable redirect
- D. Monitor and Enable redirect
Correct Answer: A
Question 12 – As a result of a security bulletin regarding a potential attack using an image file, Microsoft Defender for Endpoint must be configured to create an indicator of compromise (IoC) in order to block the attack. Which of the following indicator type will you use?
- A. a URL/domain indicator that has Action set to Alert only
- B. a URL/domain indicator that has Action set to Alert and block
- C. a file hash indicator that has Action set to Alert and block
- D. a certificate indicator that has Action set to Alert and block
Correct Answer: C
Question 13 – Your company has deployed the following services:
- ✑ Microsoft Defender for Identity
- ✑ Microsoft Defender for Endpoint
- ✑ Microsoft Defender for Office 365
You must provide a security analyst with Microsoft 365 security center access, and he or she must be able to approve and reject pending actions generated by Microsoft Defender for Endpoints. In order to solve the problem, the principle of least privilege must be used.
What are the two roles that should be assigned to the analyst?
- A. the Compliance Data Administrator in Azure Active Directory (Azure AD)
- B. the Active remediation actions role in Microsoft Defender for Endpoint
- C. the Security Administrator role in Azure Active Directory (Azure AD)
- D. the Security Reader role in Azure Active Directory (Azure AD)
Correct Answer: BD
Reference: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/rbac?view=o365-worldwide
Question 16 – When confidential documents are externally shared, Microsoft Cloud App Security needs to generate alerts and take remediation actions. Which two of the following actions would you perform in the Cloud App Security portal?
- A. From Settings, selecting Information Protection, selecting Azure Information Protection, and then selecting Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.
- B. Selecting Investigate files and then filtering App to Office 365.
- C. Selecting Investigate files and then selecting New policy from search.
- D. From Settings, selecting Information Protection, selecting Azure Information Protection, and then selecting Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
- E. selecting Information Protection, Files, and then enabling file monitoring, from Settings
- F. Selecting Investigate files and then filtering File Type to Document.
Correct Answer: DE
Reference: https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp
https://docs.microsoft.com/en-us/cloud-app-security/azip-integration
Question 18 – There is a single office in Istanbul, and the company uses Microsoft 365. The company will use conditional access policies to enforce multi-factor authentication (MFA). It is your responsibility to enforce MFA for all users working remotely. Is there anything from the given options which you need to include in your solution?
- A. a fraud alert
- B. a user risk policy
- C. a named location
- D. a sign-in user policy
Correct Answer: C
Reference: https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition
Question 19 – HOTSPOT –
In the course of configuring Microsoft Cloud App Security, you purchase a Microsoft 365 subscription. Using a template-based policy, you can detect connections to Microsoft 365 apps coming from botnets. What would you use?
HOT AREA:
Policy template type: | |
Access policy | |
Activity policy | |
Anomaly detection policy | |
Filter based on: | |
IP address tag | |
Source | |
User-agent string |
Correct Answer:
Policy template type: | |
Access policy | |
Activity policy | |
Anomaly detection policy | |
Filter based on: | |
IP address tag | |
Source | |
User-agent string |
Reference: https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
Question 20 – DRAG DROP –
As part of an investigation using Microsoft 365 Defender, you need to build a hunting query that counts failed login authentications on three laptops named CFOLaptop, CEOLaptop, and COOLaptop. What is the best way to complete the query?
HOT AREA:
Values | Answer Area |
| project LogonFailures=count () | |
| summarize LogonFailures=count () by DeviceName, LogonType | |
| where ActionType == FailureReason | |
| where DeviceName in (“CFOLaptop”, “CEOLaptop” ,, “COOLaptop”) | |
ActionType == “LogonFailed” | |
ActionType == FailureReason | |
DeviceEvents | |
DeviceLogonEvents |
Correct Answer:
Values | Answer Area |
| project LogonFailures=count () | |
| summarize LogonFailures=count () by DeviceName, LogonType | |
| where ActionType == FailureReason | DeviceLogonEvents |
| where DeviceName in (“CFOLaptop”, “CEOLaptop” ,, “COOLaptop”) | | where DeviceName in (“CFOLaptop”, “CEOLaptop” ,, “COOLaptop”) |
ActionType == “LogonFailed” | ActionType == FailureReason |
ActionType == FailureReason | | summarize LogonFailures=count () by DeviceName, LogonType |
DeviceEvents | |
DeviceLogonEvents |