Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. SC-200

Free Microsoft SC-200 Exam Questions (page: 6)

Page 6 of 50
PDF with 389 Questions
View Related Case Study

DRAG DROP (Drag and Drop is not supported)
You have an Azure subscription linked to a Microsoft Entra tenant. The tenant contains two users named User1 and User2.
You plan to deploy Microsoft Defender for Cloud.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.


The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or
scroll to view content.
Select and Place:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Owner
Only the Owner can assign initiatives.
Box 2: Contributor
Only the Contributor or the Owner can apply security recommendations.


Reference:

https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions



View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft
Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Turn on Live Response
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.
Box: 2
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts? view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365- worldwide



View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1. You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: join An inner join.
This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.
This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.
DeviceInfo
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
DeviceInfo LoggedOnUsers AlertEvidence "project AlertID" Box 2: project


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails- devices?view=o365-worldwide



View Related Case Study

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online. You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.
What should you use?

  1. a file policy in Microsoft Defender for Cloud Apps
  2. an access review policy
  3. an alert policy in Microsoft Defender for Office 365
  4. an insider risk management policy

Answer(s): D



View Related Case Study

Your organization has a Microsoft 365 subscription and uses Microsoft Defender XDR and Microsoft Purview. You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?

  1. the Incidents blade of the Microsoft Defender portal
  2. the Alerts settings on the Data Loss Prevention blade of the Microsoft Purview compliance portal
  3. Activity explorer in the Microsoft Purview compliance portal
  4. the Explorer settings on the Email & collaboration blade of the Microsoft Defender portal

Answer(s): C

Explanation:

Labeling activities are available in Activity explorer.
For example:
Sensitivity label applied
This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label.
It is captured at the time of save in Office native applications and web applications. It is captured at the time of occurrence in Azure Information protection add-ins.
Upgrade and downgrade labels actions can also be monitored via the Label event type field and filter.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer- available-events?view=o365-worldwide



View Related Case Study

You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?

  1. Investigations
  2. Devices
  3. Evidence and Response
  4. Alerts

Answer(s): C

Explanation:

The Evidence and Response tab shows all the supported events and suspicious entities in the alerts in the incident.
Incorrect:
* The Investigations tab lists all the automated investigations triggered by alerts in this incident. Automated investigations will perform remediation actions or wait for analyst approval of actions, depending on how you configured your automated investigations to run in Defender for Endpoint and Defender for Office 365.
* Devices
The Devices tab lists all the devices related to the incident.


Reference:

https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents



View Related Case Study

You have a Microsoft 365 E5 subscription that is linked to a hybrid Microsoft Entra tenant. You need to identify all the changes made to Domain Admins group during the past 30 days. What should you use?

  1. the Modifications of sensitive groups report in Microsoft Defender for Identity
  2. the identity security posture assessment in Microsoft Defender for Cloud Apps
  3. the Microsoft Entra ID Provisioning Analysis workbook
  4. the Overview settings of Insider risk management

Answer(s): A

Explanation:

Track changes to sensitive groups with Advanced Hunting in Microsoft 365 Defender.
In my role working with Defender for Identity (MDI) customers, I'm often asked if MDI can help them answer questions about activities taking place within the environment. MDI does have a lot of information around the activities taking place in Active Directory and now combined with the power of Advanced Hunting in Microsoft 365 Defender, we can help customers answer some these questions with ease and efficiency.
MDI tracks the changes made to Active Directory group memberships. These changes are recorded by MDI as an activity and are available in the Microsoft 365 Defender Advanced Hunting, IdentityDirectoryEvents. MDI records these changes from two different sources:
2. Tracking changes made to an entity by the Active Directory Update Sequence Number (USN). In the case of a group, MDI can see who has been added or removed from a group, but we don’t see the actor who made the change or which domain controller the change was made on.
Tracking changes to a group, including who performed the action. MDI requires specific Windows events to be recorded on the domain controller.


Reference:

https://techcommunity.microsoft.com/t5/security-compliance-and-identity/track-changes-to- sensitive-groups-with-advanced-hunting-in/ba-p/3275198



View Related Case Study

You have a Microsoft 365 subscription. The subscription uses Microsoft Purview and has data loss prevention (DLP) policies that have aggregated alerts configured.
You need to identify the impacted entities in an aggregated alert.
What should you review in the DLP alert management dashboard of the Microsoft Purview compliance portal?

  1. the Events tab of the alert
  2. the Sensitive Info Types tab of the alert
  3. Management log
  4. the Details tab of the alert

Answer(s): A



Viewing page 6 of 50



Post your Comments and Discuss Microsoft SC-200 exam prep with other Community members:

SC-200 Exam Discussions & Posts