Incident Response in Microsoft Environments Flashcards
Microsoft Security Operations Analyst Associate SC-200 Flashcards

| Front | Back |
|---|---|
| How can you isolate a compromised device in Microsoft Defender? | Use the "Device Isolation" feature in Microsoft Defender Security Center. |
| How do you identify compromised Azure AD accounts? | Review Azure AD sign-in logs for suspicious activity. |
| How do you monitor security alerts for Azure resources? | Use Azure Security Center or Azure Monitor. |
| What does the attack surface reduction rule in Microsoft Defender do? | It minimizes exposure to advanced threats. |
| What does the term "least privilege" mean in access control? | Providing users with the minimal access required to perform their tasks. |
| What feature in Azure can help investigate activity history? | Azure Activity Log. |
| What is a key benefit of enabling Multi-Factor Authentication (MFA)? | It adds an extra layer of security to user authentication. |
| What is a remediation step for compromised credentials in Microsoft environments? | Force a password reset and investigate account activity. |
| What is the best practice for storing security logs? | Store them in a centralized and secure location for analysis. |
| What is the first step in responding to a security incident? | Identify and contain the threat. |
| What is the importance of a Post-Incident Analysis? | It helps identify root causes and opportunities to improve security practices. |
| What is the importance of Threat Intelligence in incident response? | It guides proactive defenses and informs response strategies. |
| What is the purpose of a triage process during incident response? | Prioritize incidents based on severity and impact. |
| What is the purpose of creating a communication plan during incident response? | Ensure clear updates to stakeholders and maintain coordination. |
| What is the purpose of enabling audit logging in Microsoft environments? | Track and analyze changes for security and compliance. |
| What is the role of Security Groups in Microsoft AD environments? | Manage user access and permissions systematically. |
| What role does Data Loss Prevention (DLP) play in incident response? | Prevents sensitive information from being leaked or exfiltrated. |
| What type of security does Just-in-Time (JIT) access provide? | Temporary elevated access to reduce attack surfaces. |
| Where can you configure Conditional Access policies in Microsoft environments? | Microsoft Entra or Azure AD portal. |
| Where should you review and manage user session risks? | Microsoft Entra Identity Protection. |
| Which Microsoft tool can assist in endpoint detection and response (EDR)? | Microsoft Defender for Endpoint. |
| Which PowerShell cmdlet is used to retrieve Azure AD logs? | Get-AzureADAuditDirectoryLogs. |
| Which tool helps automate responses to security incidents in Microsoft environments? | Microsoft Sentinel Playbooks. |
| Which tool helps monitor logs and events across Microsoft environments? | Microsoft Sentinel. |
About the Flashcards
Flashcards for the Microsoft Security Operations Analyst Associate exam give you a concise way to master the incident-response workflow, from identifying and containing threats to post-incident analysis and clear stakeholder communication. Key terms such as triage, least privilege, and attack-surface reduction are reinforced so you can quickly recall correct actions during scenario-based questions.
The deck also familiarizes you with the Microsoft security toolkit featured on the exam: Microsoft Sentinel for log correlation and automated playbooks, Defender for Endpoint EDR and device isolation, Azure AD and Entra Conditional Access, plus PowerShell cmdlets for auditing. You'll review MFA benefits, JIT access, DLP safeguards, and centralized logging practices essential for protecting cloud and hybrid environments.
Topics covered in this flashcard deck:
- Incident response lifecycle
- Microsoft Sentinel operations
- Defender for Endpoint
- Azure AD access controls
- MFA and JIT principles
- Logging, DLP, threat intel