Free Microsoft SC-200 Exam Questions

You have a Microsoft 365 subscription that uses Microsoft Purview. Your company has a project named Project1.
You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.
What should you do?

  A. Perform a user data search.
  B. Create a records management disposition.
  C. Perform an audit search.
  D. Perform a content search.

Answer(s): D

Explanation:

Content search in Microsoft Purview allows you to search for specific content across user mailboxes, SharePoint sites, and OneDrive locations. In this case, you want to identify email messages that contain the word Project1 in the subject line. A content search will allow you to specify the keyword "Project1" and narrow down the search to the mailboxes of specific users who worked on the project.
User data search is not a feature in Microsoft Purview that matches this requirement.
Records management disposition deals with managing records and their lifecycle (such as retention and deletion), but it is not related to searching email messages.
Audit search allows you to search the audit logs for activities performed by users, but it does not search the content of emails or documents.



You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You discover that when Microsoft Defender for Endpoint generates alerts for a commonly used executable file, it causes alert fatigue.
You need to tune the alerts.
Which two actions can an alert tuning rule perform for the alerts? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.

  A. delete
  B. hide
  C. resolve
  D. merge
  E. assign

Answer(s): B,C



Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You configure endpoint detection and response (EDR) in block mode.
Does this meet the goal?

  A. Yes
  B. No

Answer(s): A

Explanation:

Enabling EDR in block mode allows Microsoft Defender to provide additional protection by blocking and remediating malicious artifacts that might bypass the third-party antivirus. EDR in block mode works even when Defender Antivirus is in passive mode, providing an effective safety net against threats undetected by the primary antivirus.



Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You configure Controlled folder access.
Does this meet the goal?

  A. Yes
  B. No

Answer(s): B

Explanation:

Controlled Folder Access is a feature of Microsoft Defender that protects specified folders from unauthorized changes, such as those by ransomware. While it is beneficial for protecting important files, it does not focus on identifying or blocking malicious artifacts undetected by the primary antivirus. This feature does not enhance the detection or blocking capabilities against a wide range of threats that might bypass the third-party antivirus.



Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You enable automated investigation and response (AIR).
Does this meet the goal?

  A. Yes
  B. No

Answer(s): B

Explanation:

Automated Investigation and Response automates the investigation and remediation of alerts, helping security teams respond faster to potential threats. However, AIR primarily addresses post-alert actions rather than actively blocking threats at the endpoint level. It relies on alerts to trigger, so it does not fill the gap for additional real-time threat blocking, unlike EDR in block mode, which proactively blocks and remediates threats that may bypass the primary antivirus.



You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.
What should you create first?

  A. device groups
  B. device tags
  C. honeytoken entity tags
  D. sensitive entity tags

Answer(s): B



Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.
All Windows devices are onboarded to Microsoft Defender for Endpoint.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.
Solution: You enable Live Response.
Does this meet the goal?

  A. Yes
  B. No

Answer(s): B

Explanation:

Correct:
* You configure endpoint detection and response (EDR) in block mode.
Incorrect:
* You configure Controlled folder access.
* You enable automated investigation and response (AIR).
* You enable Live Response.
Note:
* EDR in block mode: Enabling EDR in block mode allows Microsoft Defender to provide additional protection by blocking and remediating malicious artifacts that might bypass the third-party antivirus. EDR in block mode works even when Defender Antivirus is in passive mode, providing an effective safety net against threats undetected by the primary antivirus.
* Controlled folder access: Controlled Folder Access is a feature of Microsoft Defender that protects specified folders from unauthorized changes, such as those by ransomware. While it is beneficial for protecting important files, it does not focus on identifying or blocking malicious artifacts undetected by the primary antivirus. This feature does not enhance the detection or blocking capabilities against a wide range of threats that might bypass the third-party antivirus.
* Automated investigation and response (AIR): Automated Investigation and Response automates the investigation and remediation of alerts, helping security teams respond faster to potential threats. However, AIR primarily addresses post-alert actions rather than actively blocking threats at the endpoint level. It relies on alerts to trigger, so it does not fill the gap for additional real-time threat blocking, unlike EDR in block mode, which proactively blocks and remediates threats that may bypass the primary antivirus.


Reference:

https://learn.microsoft.com/en-us/answers/questions/1151652/defender-for-endpoint-enable-edr-in-block-mode



HOTSPOT (Drag and Drop is not supported)
You need to meet the Microsoft Defender for Cloud Apps requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:

Box 1: Low
Fabrikam identifies the following Microsoft Defender for Cloud Apps requirements:
* Reduce the amount of impossible travel alerts that are false positives.
* Ensure that impossible travel alert policies are based on the previous activities of each user.
The sensitivity slider allows you to affect the algorithm and define how strict the detection logic is. The higher the sensitivity level, the fewer activities are suppressed as part of the detection logic. In this way, you can adapt the detection according to your coverage needs and your SNR targets.
Note: In the Impossible Travel policy, you can set the sensitivity slider to determine the level of anomalous behavior needed before an alert is triggered. For example, if you set it to low or medium, it will suppress Impossible Travel alerts from a user's common locations, and if you set it to high, it will surface such alerts. You can choose from the following sensitivity levels:
* Low: System, tenant, and user suppressions
* Medium: System and user suppressions
* High: Only system suppressions
Box 2: IP address range
Anomalies are detected by scanning user activity. The risk is evaluated by looking at over 30 different risk indicators, grouped into risk factors, as follows:
* Risky IP address
* Login failures
* Admin activity
* Inactive accounts
* Location
* Impossible travel
* Device and user agent
* Activity rate
Incorrect:
In addition to native Defender for Cloud Apps alerts, you'll also get the following detection alerts based on information received from Azure Active Directory (AD) Identity Protection:
* Leaked credentials: Triggered when a user's valid credentials have been leaked.
* Risky sign-in: Combines a number of Azure AD Identity Protection sign-in detections into a single detection.


Reference:

https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
