SC-100 Design security operations, identity, and compliance capabilities • Complete Question Bank
Complete SC-100 Design security operations, identity, and compliance capabilities question bank — all 0 questions with answers and detailed explanations.
{
"properties": {
"displayName": "Block legacy authentication",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": ["All"]
},
"users": {
"includeUsers": ["All"]
},
"clientAppTypes": ["exchangeActiveSync", "otherClients"]
},
"grantControls": {
"builtInControls": ["block"]
}
}
}

```kusto
SecurityEvent
| where EventID == 4625
| summarize FailureCount = count() by Account, IPAddress
| where FailureCount > 10
| project Account, IPAddress, FailureCount
```
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2021-02-01",
"name": "[parameters('storageName')]",
"location": "[resourceGroup().location]",
"kind": "StorageV2",
"properties": {
"supportsHttpsTrafficOnly": true,
"minimumTlsVersion": "TLS1_2",
"networkAcls": {
"bypass": "AzureServices",
"defaultAction": "Deny"
}
}
}
]
}

Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block high-risk sign-ins",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": []
},
"grantControls": {
"builtInControls": ["block"]
}
}
}
```

Refer to the exhibit.
```json
{
"properties": {
"displayName": "Microsoft Sentinel Analytics Rule",
"query": "SecurityEvent
| where EventID == 4625
| summarize Count = count() by Account, bin(TimeGenerated, 5m)
| where Count > 10",
"frequency": "PT5M",
"period": "PT10M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
}
```

Refer to the exhibit.
```json
{
"properties": {
"displayName": "Sensitivity label: Confidential",
"encryption": {
"encryptionEnabled": true,
"protectWithDoNotForward": true
}
}
}
```

KQL query:

```kusto
let threshold = 5;
SigninLogs
| where TimeGenerated >= ago(1h)
| where ResultType == "50057"
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > threshold
```
JSON policy snippet:
```json
{
"policyType": "AccessReview",
"displayName": "Review guest access",
"scope": {
"@odata.type": "#microsoft.graph.accessReviewScope",
"query": "/users?$filter=userType eq 'Guest' and createdDateTime ge 2025-01-01",
"queryType": "MicrosoftGraph"
},
"reviewers": [
{
"query": "/users?$filter=jobTitle eq 'Manager'",
"queryType": "MicrosoftGraph"
}
],
"settings": {
"mailNotificationsEnabled": true,
"reminderNotificationsEnabled": true,
"autoReviewEnabled": false,
"autoApplyReviewEnabled": false,
"instanceDurationInDays": 30
}
}
```

PowerShell script output:
```powershell
Get-MgPolicyAccessReview -Filter "displayName eq 'Quarterly Access Review'" | Select-Object -Property Id, DisplayName, Scope, Reviewers, Settings
Id : 12345678-1234-1234-1234-123456789abc
DisplayName : Quarterly Access Review
Scope : @{query=/groups; queryType=MicrosoftGraph}
Reviewers : {@{query=/users/abc123; queryType=MicrosoftGraph}}
Settings : @{instanceDurationInDays=30; recurrence=; autoReviewEnabled=False; autoApplyReviewEnabled=False}
```

Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block risky sign-ins",
"conditions": {
"userRiskLevels": ["medium","high"],
"applications": {"includeApplications": ["All"]}
},
"grantControls": {
"operator": "OR",
"builtInControls": ["block"]
}
}
}
```

Refer to the exhibit.

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where Severity == "High"
| summarize AlertCount = count() by AlertName, CompromisedEntity
| where AlertCount > 5
| project AlertName, CompromisedEntity, AlertCount
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Mark email as spam",
"conditions": {
"subjectContains": ["FREE"]
},
"actions": {
"markAsSpam": true
}
}
}
```

Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block high-risk sign-ins",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": [],
"applications": {
"includeApplications": ["All"]
}
},
"grantControls": {
"builtInControls": ["block"],
"operator": "OR"
}
}
}
```

Refer to the exhibit.

```kusto
SecurityAlert
| where AlertName == "Malware detected"
| where TimeGenerated > ago(1d)
| extend ThreatFamily = tostring(parse_json(ExtendedProperties).ThreatFamily)
| where ThreatFamily == "Ransomware"
| project TimeGenerated, AlertName, Computer, ThreatFamily
```
Refer to the exhibit.
```powershell
Get-AzureADMSRoleDefinition | Where-Object {$_.DisplayName -like "*Compliance*"} | Select-Object DisplayName, Id
DisplayName Id
---------------------------------- ------------------------------------
Compliance Administrator 173a97e2-97f2-4c7a-8e7c-7e2f1c1e2f1c
Compliance Data Administrator e9b6a4e1-1c1e-4b1e-9c1e-1e2f1c1e2f1c
```

Refer to the exhibit.
```bicep
// Declares a Microsoft.Security/pricings resource (API version 2023-01-01) for the
// plan named 'VirtualMachines'.
// NOTE(review): no targetScope is visible in this excerpt; pricings is presumably
// deployed at subscription scope, so confirm the enclosing template sets it.
resource defenderForCloudSettings 'Microsoft.Security/pricings@2023-01-01' = {
name: 'VirtualMachines'
properties: {
// Selects the 'Standard' pricing tier for this plan.
pricingTier: 'Standard'
extensions: [
{
// Enables the plan extension named 'AgentlessVmScanning'.
name: 'AgentlessVmScanning'
isEnabled: true
}
]
}
}
```

Refer to the exhibit.

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| summarize AlertCount = count() by AlertName, bin(TimeGenerated, 1d)
| order by AlertCount desc
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block all apps except Microsoft 365",
"state": "enabled",
"conditions": {
"applications": {
"includeApplications": ["All"],
"excludeApplications": ["Office365"]
},
"users": {
"includeUsers": ["All"]
},
"clientAppTypes": ["All"]
},
"grantControls": {
"builtInControls": ["block"]
}
}
}
```

Refer to the exhibit.
```json
{
"properties": {
"policyType": "IdentityProtection",
"displayName": "MFA for risky sign-ins",
"conditions": {
"userRiskLevels": ["medium", "high"],
"signInRiskLevels": ["high"]
},
"grantControls": {
"builtInControls": ["mfa"]
}
}
}
```

{
"properties": {
"displayName": "Block high-risk sign-ins",
"state": "enabled",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": ["high"],
"applications": {
"includeApplications": ["All"]
}
},
"grantControls": {
"builtInControls": ["block"]
}
}
}

```kusto
SecurityEvent
| where EventID == 4625
| where Account !contains "$"
| summarize FailedLogins = count() by Account, IPAddress, bin(TimeGenerated, 1h)
| where FailedLogins > 10
```
{
"type": "Microsoft.Security/automations",
"apiVersion": "2021-01-01-preview",
"properties": {
"description": "Automation to isolate compromised devices",
"sources": [
{
"eventSource": "Assessments",
"ruleSets": [
{
"rules": [
{
"propertyJPath": "properties.metadata.severity",
"operator": "Equals",
"expectedValue": "High"
}
]
}
]
}
],
"actions": [
{
"type": "EventHub",
"actionConfiguration": {
"eventHubResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.EventHub/namespaces/.../eventhubs/...",
"connectionString": "..."
}
}
]
}
}

KQL query:

```kusto
let TimeRange = 7d;
DeviceEvents
| where Timestamp > ago(TimeRange)
| where ActionType == "ProcessCreate"
| where FileName endswith ".exe"
| summarize Count = count() by bin(Timestamp, 1h), DeviceName
| order by Count desc
| take 10
```
{
"properties": {
"displayName": "GDPR Compliance Policy",
"description": "Ensure resources meet GDPR requirements",
"policyType": "BuiltIn",
"mode": "Indexed",
"parameters": {},
"policyRule": {
"if": {
"field": "type",
"equals": "Microsoft.Storage/storageAccounts"
},
"then": {
"effect": "auditIfNotExists",
"details": {
"type": "Microsoft.Storage/storageAccounts/...",
"existenceCondition": {
"field": "Microsoft.Storage/storageAccounts/encryption",
"exists": "true"
}
}
}
}
}
}

Refer to the exhibit.
{
"alertRuleTemplate": "Suspicious process execution",
"displayName": "Custom Rule - Suspicious PowerShell",
"description": "Detects suspicious PowerShell commands",
"query": "DeviceProcessEvents | where FileName in~ ('powershell.exe', 'pwsh.exe') | where ProcessCommandLine has_any ('-EncodedCommand', '-e ', 'Invoke-Expression')",
"severity": "High",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5
}

{
"properties": {
"displayName": "Block high-risk sign-ins",
"state": "enabled",
"conditions": {
"signInRiskLevels": ["high"],
"applications": {
"includeApplications": ["All"]
},
"users": {
"includeUsers": ["All"]
}
},
"grantControls": {
"builtInControls": ["block"],
"operator": "OR"
}
}
}

SecurityAlert
| where AlertName == "Mimikatz detected"
| extend CompromisedEntity = tostring(CompromisedEntity)
| join kind=inner (
IdentityInfo
| where TimeGenerated > ago(7d)
| project AccountUPN, AccountName
) on $left.CompromisedEntity == $right.AccountUPN
| project AlertName, AccountName, TimeGenerated

resource-graph {
pattern: "*.onmicrosoft.com"
locations: ["Global", "USGov"]
sensitivity-labels: ["Confidential", "Highly Confidential"]
}

{
"type": "Microsoft.Security/automations",
"apiVersion": "2023-01-01-preview",
"properties": {
"description": "Automation for high severity incidents",
"actions": [
{
"type": "LogicApp",
"logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/CloseIncident"
}
],
"sources": [
{
"eventSource": "Alerts"
}
],
"triggers": [
{
"name": "HighSeverity",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "High"
}
]
}
]
}
}

{
"alert": {
"title": "Suspicious sign-in activity",
"severity": "Medium",
"description": "User 'jdoe@contoso.com' signed in from an anonymous IP address (111.222.333.444) using a new browser.",
"source": "Microsoft Defender for Cloud Apps",
"entities": [
{"type": "account", "name": "jdoe@contoso.com"},
{"type": "ip", "address": "111.222.333.444"}
]
}
}

{
"properties": {
"displayName": "Block legacy authentication",
"state": "enabled",
"conditions": {
"clientAppTypes": ["exchangeActiveSync", "otherClients"],
"signInRiskLevels": [],
"userRiskLevels": []
},
"grantControls": {
"builtInControls": ["block"]
}
}
}

{
"properties": {
"displayName": "Block high-risk sign-ins for external users",
"state": "enabled",
"conditions": {
"userRiskLevels": ["high"],
"signInRiskLevels": ["high"],
"clientAppTypes": ["all"],
"applications": {
"includeApplications": ["All"]
},
"users": {
"includeUsers": ["All"],
"excludeUsers": [],
"includeRoles": [],
"excludeRoles": [],
"includeGuestsOrExternalUsers": ["All"]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": ["block"]
}
}
}