Get Microsoft SC-200 Exam Practice Questions - Real and Updated

Answer : A

If you manually install the Log Analytics agent on your AWS Linux VMs and connect them to your Azure Log Analytics workspace, Defender for Cloud can begin collecting telemetry data from those machines. Once connected, Azure Defender automatically protects and monitors them, even if they are hosted outside Azure.

Microsoft Defender for Cloud documentation explains:

''You can manually install the Log Analytics agent on non-Azure machines and connect them to your workspace. Once connected, Defender for Servers will begin applying protections and generating alerts.''

Although Azure Arc provides centralized management and auto-provisioning, manually installing the Log Analytics agent is a valid and supported alternative method. Therefore, this solution also meets the goal.

Correct answer: A. Yes

Answer : B, D

To allow a security analyst to use the Microsoft 365 security center and also approve or reject pending remediation actions generated by Microsoft Defender for Endpoint, while adhering to the principle of least privilege, you must assign two complementary roles:

In Microsoft Defender for Endpoint, assign the Active remediation actions role. This role explicitly gives permission to take response actions (such as isolation, quarantine, etc.) or to approve or reject pending remediation tasks. Microsoft documentation states that when taking response actions on a device, ''you must have at least the Active remediation actions role assigned.'' Microsoft Learn

In Azure AD (or Microsoft Entra), assign the Security Reader role. This role grants read-only visibility into the security configuration and alerts in the Microsoft 365 security center without elevating the analyst to full security administration. This ensures the analyst can see what's happening in the security environment, but not make broad configuration changes.

Here's why those roles are correct and why the others are not:

The Active remediation actions role is narrowly scoped to remediation operations, which is exactly what is needed to approve or reject pending actions. Any broader role (like Security Administrator) would exceed the principle of least privilege.

The Security Reader role allows the analyst to navigate the Microsoft 365 security center (view incidents, alerts, reports) but does not grant write-level permissions that are unnecessary for their role.

The Security Administrator role (option C) would grant too many permissions---not least privilege---though it might allow the needed actions, it is overly permissive relative to what is needed.

The Compliance Data Administrator (option A) is unrelated to remediation within Defender or endpoint actions; it is designed around compliance and data governance.

Additionally, Microsoft's role-mapping between Defender XDR unified RBAC and legacy roles confirms that the Active remediation actions permission is mapped to the ''Response (manage)'' capability in the unified RBAC model. Microsoft Learn

Together, assigning Active remediation actions (in Defender for Endpoint) and Security Reader (in Azure AD/Entra) gives the minimal necessary access: ability to view security data and approve or reject remediation actions, without over-privileging the analyst.

Answer : A

Microsoft Sentinel ''Microsoft security'' analytics rules (for products like Defender for Cloud) create incidents from alerts generated by that product. Even if multiple identical Microsoft security rules exist for the same product, a single incoming alert will result in one incident in the workspace, not one per rule.

Answer : C

In a Microsoft 365 E5 subscription with a hybrid Azure AD environment, monitoring changes to privileged Active Directory groups (like Domain Admins) is handled by Microsoft Defender for Identity. The ''Modifications of sensitive groups'' report provides visibility into all changes made to sensitive AD groups such as Domain Admins, Enterprise Admins, and Schema Admins.

According to Microsoft Defender for Identity documentation:

''The Modifications of sensitive groups report identifies all changes to highly privileged groups, including additions and removals of members. It helps detect potential privilege escalation and insider threats.''

This report displays all relevant group modification activities within a defined time range (for example, the last 30 days), fulfilling the requirement.

Correct answer: C. the Modifications of sensitive groups report in Microsoft Defender for Identity

Answer : A, C

To run a PowerShell script when a suspicious-IP access alert is raised for Storage, use Workflow automation in Defender for Cloud to trigger a Logic App whenever a matching security alert occurs. The Logic App should use the Azure Security Center (Defender for Cloud) alert trigger, and from there you can call an Automation Runbook (PowerShell) or another action to execute your script. A manual or HTTP trigger isn't needed because the flow must start automatically from the security alert, and an AAD app registration is not required for the basic alert-triggered flow.