Free SC-200 Exam Braindumps (page: 20)


You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the solution.
Note: Each correct selection is worth one point.

  A. Create a detection rule.
  B. Create a suppression rule.
  C. Add | order by Timestamp to the query.
  D. Replace DeviceProcessEvents with DeviceNetworkEvents.
  E. Add DeviceId and ReportId to the output of the query.

Answer(s): A,E


Reference:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules



Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.
Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription.
You deploy Azure Sentinel to a new Azure subscription.
You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.
Which two actions should you perform? Each correct answer presents part of the solution.
Note: Each correct selection is worth one point.

  A. Add the Security Events connector to the Azure Sentinel workspace.
  B. Create a query that uses the workspace expression and the union operator.
  C. Use the alias statement.
  D. Create a query that uses the resource expression and the alias operator.
  E. Add the Azure Sentinel solution to each workspace.

Answer(s): B,E


Reference:

https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants



HOTSPOT
You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1.
You need to create a visual in Workbook1 that will display the logon count for accounts that have logon event IDs of 4624 and 4634.
How should you complete the query? To answer, select the appropriate options in the answer area.
Note: Each correct selection is worth one point.

  A. See Explanation section for answer.

Answer(s): A

Explanation:



You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker performs the tactics shown in the following table.



You need to search for malicious activities in your organization.
Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?

  A. Tactic2 only
  B. Tactic1 and Tactic2 only
  C. Tactic2 and Tactic3 only
  D. Tactic1, Tactic2, and Tactic3

Answer(s): D

