最新的Microsoft Security Operations Analyst (SC-200日本語版) - SC-200日本語免費考試真題

Explanation:

In Microsoft Defender for Cloud (formerly Azure Security Center), workflow automation is used to run Logic Apps in response to recommendations or alerts . Because your goal is to automatically remediate security risks (which are surfaced as recommendations -secure score items like missing configurations or hardening tasks), the Logic App should be wired to the Recommendation trigger. The workflow automation rule monitors recommendation events and calls your Logic App with the recommendation payload, enabling parameterized remediation. To test the Logic App from within Defender for Cloud, you use the Recommendations blade: open any applicable recommendation and choose the action to run the associated Logic App. This directly invokes LA1 with the correct context (affected resource, subscription, control ID), allowing you to validate inputs, connections, and remediation steps on demand. Options like Automation rules (alerts) or Workflow automation page "Run" aren't suited for validating recommendation-driven remediation scenarios because they either act on alerts or don't pass the full recommendation context needed for remediation. Therefore, select the Recommendation trigger and test execution from Recommendations .

Explanation:

To attach notes that you can later see during investigations and hunting, you use Bookmarks in Microsoft Sentinel. Bookmarks are created from the Hunting (or Logs) experience inside the Sentinel workspace and let you pin a specific query result (including IPs, accounts, hosts) with notes, tags, and mapped entities so it appears in the investigation graph and is easily referenceable. The correct workflow is: first, run your KQL query from the Microsoft Sentinel workspace (not from generic Azure Monitor), because Sentinel's hunting experience is where bookmarks integrate with incidents and the investigation graph. Next, select a specific query result that represents the suspicious activity (e.g., a data access event from the target IP). Finally, create a Bookmark and map the relevant entity (IP address, Account, etc.) while adding your notes . Mapping the entity ensures the bookmarked event is connected in the investigation graph; the notes provide the narrative
/context you need when pivoting later. Adding the query to favorites is optional for convenience but does not attach notes to a specific event, and running the query from Azure Monitor would not place the bookmark within Sentinel's investigation context.

說明：（僅 VCESoft 成員可見）

Explanation:

In Microsoft Sentinel , data connectors are the mechanisms that collect logs and telemetry from various Azure and non-Azure sources into a Log Analytics workspace .
When your goal is to automatically connect multiple Azure subscriptions (both existing and new resources ) to Sentinel, the correct approach is to use Azure Policy with connectors that rely on diagnostic settings .
Why Diagnostic Settings Many Azure resources (e.g., Key Vaults, Storage Accounts, Azure Firewall, and Activity Logs) send logs to Sentinel via diagnostic settings . This connector type allows logs to be exported directly to the Sentinel workspace without requiring agents or manual configuration.
By using Azure Policy , you can automatically enforce and deploy these diagnostic settings across all current and future resources - ensuring continuous log ingestion with minimal administrative overhead.
Why a Remediation Task When applying the Azure Policy, existing resources might not yet have diagnostic settings configured. To fix this, you create a remediation task . This instructs Azure Policy to apply the compliance settings to existing resources , not just new ones. Without a remediation task, only newly created resources would comply automatically.
* Connector type: Diagnostic settings # used for policy-based deployment across subscriptions.
* Use: A remediation task # ensures policy applies to both existing and new resources for full coverage.
Therefore: # Final Answer:
* Connector type: Diagnostic settings
* Use: A remediation task

Explanation:
Step 1: From Logic App Designer, create a logic app.
Create a logic app and define when it should automatically run
1. From Defender for Cloud ' s sidebar, select Workflow automation.
2. To define a new workflow, click Add workflow automation. The options pane for your new automation opens.

Here you can enter:
A name and description for the automation.
The triggers that will initiate this automatic workflow. For example, you might want your Logic App to run when a security alert that contains " SQL " is generated.
The Logic App that will run when your trigger conditions are met.
3. From the Actions section, select visit the Logic Apps page to begin the Logic App creation process.
4. Etc.
Step 2: From Logic App Designer, run a trigger.
Manually trigger a Logic App
You can also run Logic Apps manually when viewing any security alert or recommendation.
Step 3: From Workflow automation in Defender for cloud, add a workflow automation.
Configure workflow automation at scale using the supplied policies
Automating your organization ' s monitoring and incident response processes can greatly improve the time it takes to investigate and mitigate security incidents.

Reference: https://docs.microsoft.com/en -us/azure/defender-for-cloud/workflow-automation

說明：（僅 VCESoft 成員可見）

Explanation:

In Microsoft Sentinel (Log Analytics), table retention uses two tiers: Interactive retention (hot, immediately queryable) and Archive (cold, queryable via Search/Restore). Sentinel includes up to 90 days of interactive retention at no additional cost ; extending interactive retention beyond 90 days incurs standard Log Analytics retention charges. To minimize cost , you should keep the interactive period at 90 days (the free tier).
For longer-term availability of data while still controlling costs, you set a higher Total retention so that, after the interactive window, data is moved to Archive storage at a significantly lower price per GB . Archived data remains available to analysts using Search jobs or temporary Restore to hot for detailed queries.
Therefore, to maximize the period during which the table data remains available at the lowest cost, select the longest offered total retention, 2 years , which keeps older data in Archive instead of deleting it.
Thus, the optimal cost/availability configuration is Interactive = 90 days and Total = 2 years .

說明：（僅 VCESoft 成員可見）

說明：（僅 VCESoft 成員可見）

Explanation:

According to Microsoft Sentinel and Azure Monitor Agent (AMA) documentation, when configuring data collection from Windows Security logs, you can use XPath filtering to limit which event IDs are collected.
This helps optimize data ingestion by filtering out unnecessary events.
In this scenario, the requirement is to collect only event IDs 4624 (successful sign-in) and 4625 (failed sign- in) . The PowerShell cmdlet Get-WinEvent supports several filtering methods: -FilterXPath , -FilterHashtable
, and -FilterXml . To test the same XPath syntax used by the connector, you must use -FilterXPath , because this option accepts the same XPath query string format as used in the AMA data collection rule (DCR).
The correct XPath syntax for filtering specific event IDs from the Security log is:
Security!*[System[(EventID=4624 or EventID=4625)]]
This expression instructs the event query to return only events from the Security log whose EventID equals
4624 or 4625.
Finally, to validate the filter, you run:
Get-WinEvent -LogName ' Security ' -FilterXPath $events
This command executes the filter locally and confirms that the syntax correctly retrieves the intended events.
Therefore, the correct completed script is:
# $events = ' Security!*[System[(EventID=4624 or EventID=4625)]] '
# Get-WinEvent -LogName ' Security ' -FilterXPath $events