SC-200 Flashcards — Free Microsoft Security Operations Analyst SC-200 Study Cards

Microsoft Defender for Office 365 (Threat Explorer)

Threat Explorer in Microsoft Defender for Office 365 (Microsoft 365 Defender portal) allows security analysts to investigate emails, see delivery actions, identify phishing campaigns, and view simulation data. Other options are for different workloads: Defender for Endpoint focuses on endpoints, Defender for Identity on user identities, and Defender for Cloud Apps on cloud application activities.

Secure score

Secure score recommendations in Defender for Cloud include findings for missing system updates, misconfigurations, and other vulnerabilities that affect your security posture. Workload protections focus on threat detection, not missing updates. Regulatory compliance shows compliance standards, and Inventory lists resources.

SigninLogs

SigninLogs from Microsoft Entra ID contain authentication details including failed attempts, timestamps, and user information, which are essential for detecting brute force patterns. Azure Activity Logs are for management plane operations, Office Activity Logs are for Office 365 workloads, and SecurityEvent is for Windows security logs.

Threat Explorer.

Threat Explorer in Defender for Office 365 supports campaign investigation, message details, delivery actions, and remediation workflows for email threats.

Vulnerability Assessment findings

Vulnerability assessment findings provide detailed information about discovered vulnerabilities, including severity, CVSS score, and remediation steps. Secure Score is a higher-level aggregation. Regulatory compliance shows compliance status. Workload protections alerts cover security alerts (e.g., suspicious processes), not vulnerability scan results.

Defender for Containers

The Defender for Containers plan in Microsoft Defender for Cloud provides threat detection for AKS clusters, including runtime threat protection, vulnerability assessment, and security alerts for suspicious activities like privileged containers, host path mounts, and crypto-mining. The Defender for Servers plan (Option A) covers virtual machines and servers, not containers. Defender for Cloud Apps (Option C) is for SaaS applications. Defender for SQL (Option D) covers database servers. Therefore, enabling the Defender for Containers plan is required.

Create a query using KQL to count failed sign-ins. → Set the rule schedule (run every 5 minutes). → Set the alert threshold (e.g., >5 failed sign-ins from same IP in 5 minutes). → Define incident properties (title, severity, tactics). → Configure grouping settings to group alerts into incidents.

The correct order for creating a scheduled analytics rule in Microsoft Sentinel is: first create the KQL query that filters and aggregates events; then configure the schedule (how often the query runs); then set the alert threshold (e.g., >5 failed sign-ins); then define incident properties (title, severity, tactics); and finally configure grouping settings to group alerts into incidents. This ensures the rule is built logically.

Collect investigation package

The 'Collect investigation package' action gathers forensic data from the device, including suspicious files, processes, and registry keys. This package can be downloaded for analysis. 'Run antivirus scan' (Option B) will initiate a scan but not collect specific files. 'Restrict app execution' (Option C) limits running applications. 'Initiate a live response session' (Option D) allows interactive investigation and file collection, but the question asks for a specific action to collect a copy of a file. The 'Collect investigation package' is a specific action that automatically collects relevant files and artifacts. However, if the analyst needs a specific file, they might use live response. But the more direct built-in action for collecting suspicious files is 'Collect investigation package'. Given the scenario, the best answer is 'Collect investigation package' because it is a single-click action that gathers evidence including the suspicious file.

File entity page

The file entity page in Microsoft 365 Defender shows the file's reputation, detection details, and the actions taken by automated investigations (e.g., block, allow, quarantine). The device page shows device-level actions. The user page shows user-related incidents. The email page is for email entities.

Live Response

Live Response allows analysts to remotely connect to a machine and run commands to gather forensic data, including process details like command line and parent process. Fileless attack detection is a detection capability, not an investigation tool. Just-In-Time VM access manages network access. Adaptive application controls define allowed applications but do not provide process visibility.

Azure Security Benchmark

The 'Azure Security Benchmark' (formerly Azure Security Benchmark) initiative includes policies covering many security controls, including the requirement to enable Advanced Data Security on SQL servers. However, the specific built-in initiative that groups SQL security configurations is the 'Azure Security Benchmark' (initiative ID: 1f3afdf9-d0c9-4c3d-847f-89da540e8a24). The 'Microsoft cloud security benchmark' is the newer name. Option A, 'Enable Azure Monitor for VMs', is not correct because it focuses on virtual machines, not SQL. Option C, 'Deploy Diagnostics Settings for SQL Databases', is a single policy, not a full initiative. Option D, 'Enable Advanced Threat Protection for SQL servers', is also a single policy effect, but the question asks for an initiative. The Azure Security Benchmark initiative includes the policy 'Advanced data security should be enabled on your SQL servers' and 'Vulnerability assessment should be enabled on your SQL servers'.

Assign the 'Configure machines to receive a vulnerability assessment provider' policy with 'DeployIfNotExists' effect and set it to auto-remediate at the management group-level scope.

The built-in Azure policy 'Configure machines to receive a vulnerability assessment provider' with DeployIfNotExists effect automatically installs the VA agent on VMs that do not have it. Assigning this at the management group level covers all current and future subscriptions. The Azure Security Benchmark initiative only includes an audit policy for VA, not automatic remediation. Custom runbooks or automation accounts are not necessary when the DeployIfNotExists policy can handle it natively.

Enable Defender for Servers plan

The built-in vulnerability assessment in Defender for Cloud is part of the Defender for Servers plan. When enabled, Defender for Cloud automatically deploys the Qualys vulnerability assessment agent to supported VMs without manual intervention. Installing the Log Analytics agent is not required for this feature; it uses a dedicated extension. The vulnerability assessment solution from Marketplace is a third-party alternative, not the built-in one. Regulatory compliance dashboard is a separate feature.

Azure Policy's DeployIfNotExists effect

Azure Policy's 'DeployIfNotExists' effect can automatically deploy a configuration if the resource is missing it. Defender for Cloud leverages this effect within its built-in initiatives to automatically fix non-compliant resources.

Azure Policy Guest Configuration

Azure Policy Guest Configuration (now called Guest Configuration) can audit settings inside VMs and, using the 'DeployIfNotExists' effect, automatically deploy a baseline configuration. Defender for Cloud integrates with this to provide recommendations for VM compliance.

Enable Azure Defender for SQL on the server

For SQL IaaS, ATP is enabled via Azure Defender for SQL, which requires the Azure SQL IaaS Agent extension and the SQL servers to be registered with the SQL IaaS resource provider. Enabling Defender for Servers provides host-level security but not SQL-specific ATP. Manual auditing does not provide the built-in detection. Therefore, enabling Azure Defender for SQL at the server level is the prerequisite action.

Regulatory compliance dashboard

The regulatory compliance dashboard in Defender for Cloud provides continuous assessment against various compliance standards, including CIS benchmarks. You can add the CIS benchmark as a policy initiative to track compliance. The security score measures your overall security posture but not specific benchmarks. Azure Policy is the underlying engine used by the dashboard, but the dashboard itself is the feature. Workload protections are for threat detection.

Create an alert suppression rule scoped to the test VM and alert type.

Alert suppression rules can automatically dismiss alerts that match specific criteria such as resource/entity and alert type.

Enable the 'Servers' plan in Defender for Cloud.

The integrated vulnerability assessment is enabled by turning on the 'Servers' plan in Microsoft Defender for Cloud's environment settings. This automatically deploys the Defender Vulnerability Management solution to supported VMs.

Adaptive network hardening

Adaptive network hardening in Microsoft Defender for Cloud uses machine learning to analyze traffic patterns and recommends tightening NSG rules. When enabled, it can automatically apply rules to block malicious outbound traffic. Adaptive application controls allowlist applications, Just-In-Time VM access controls inbound RDP/SSH, and File Integrity Monitoring tracks changes to critical files.

Enable auto-provisioning in the Defender for Cloud environment settings.

In Microsoft Defender for Cloud, auto-provisioning is a setting that enables automatic installation of the Log Analytics agent on new and existing VMs. It is configured in the 'Environment settings' under the specific subscription. When enabled, Defender for Cloud will deploy the agent to any supported Azure VM. Azure Policy can also enforce agent installation, but auto-provisioning is the native mechanism within Defender for Cloud. Azure Automation runbooks can be used but require custom scripting. Update Management is unrelated to agent deployment.