Free Microsoft SC-200 Exam Questions (page: 7)


You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You plan to create a hunting query from Microsoft Defender.
You need to create a custom tracked query that will be used to assess the threat status of the subscription. From the Microsoft 365 Defender portal, which page should you use to create the query?

  A. Threat analytics
  B. Advanced Hunting
  C. Explorer
  D. Policies & rules

Answer(s): B

Explanation:

Advanced hunting is based on the Kusto query language. You can use Kusto operators and statements to construct queries that locate information in a specialized schema.
Custom detection rules are rules you can design and tweak using advanced hunting queries. These rules let you proactively monitor various events and system states, including suspected breach activity and misconfigured endpoints. You can set them to run at regular intervals, generating alerts and taking response actions whenever there are matches.
Note: Create a custom detection rule
1. Prepare the query.
In the Microsoft 365 Defender portal, go to Advanced hunting and select an existing query or create a new query. When using a new query, run the query to identify errors and understand possible results.
2. Create a new rule and provide alert details.
With the query in the query editor, select Create detection rule and specify the alert details.
3. Choose the impacted entities.
Identify the columns in your query results where you expect to find the main affected or impacted entity.
4. Specify actions.
Your custom detection rule can automatically take actions on devices, files, or users that are returned by the query.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-language
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules




You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort.
What should you do in the Microsoft 365 Defender portal?

  A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.
  B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.
  C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.
  D. Select Add indicator and set the IP address to 171.23.34.32/27.

Answer(s): A

Explanation:

Import a list of IoCs
You can choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.
1. Download the sample CSV to know the supported column attributes.
2. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
3. Select the tab of the entity type you'd like to import indicators for.
4. Select Import > Choose file.
5. Select Import. Do this for all the files you'd like to import.
6. Select Done.
Note: You can create an indicator for:
Files
IP addresses
URLs/domains
Certificates
Incorrect:
Not B: Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
Not C: Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
Not D: Classless Inter-Domain Routing (CIDR) notation for IP addresses is not supported.
Note 2: Create an indicator for IPs, URLs, or domains from the settings page
1. In the navigation pane, select Settings > Endpoints > Indicators (under Rules).
2. Select the IP addresses or URLs/Domains tab.
Only single IP addresses are supported (no CIDR blocks or IP ranges) in custom indicators.
3. Select Add item.
4. Specify the following details:
Indicator - Specify the entity details and define the expiration of the indicator.
Action - Specify the action to be taken and provide a description.
Scope - Define the scope of the machine group.
5. Review the details in the Summary tab, then select Save.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-manage
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/manage-indicators
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/indicator-ip-domain




You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block user-specified IP addresses and URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft Defender portal?

  A. custom network indicators
  B. live response for servers
  C. endpoint detection and response (EDR) in block mode
  D. web content filtering

Answer(s): A

Explanation:

Custom network indicators
Turning on this feature allows you to create indicators for IP addresses, domains, or URLs, which determine whether they'll be allowed or blocked based on your custom indicator list.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-features




DRAG DROP (Drag and Drop is not supported)
You have an Azure subscription that contains the users shown in the following table.


You need to delegate the following tasks:
Enable Microsoft Defender for Servers on virtual machines.
Review security recommendations and enable server vulnerability scans.
The solution must use the principle of least privilege.
Which user should perform each task? To answer, drag the appropriate users to the correct tasks. Each user may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:

  A. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: User1
Enable Microsoft Defender for Servers on virtual machines.
User1 is Security Admin.
Security Admin: View and update permissions for Microsoft Defender for Cloud. Same permissions as the Security Reader role, and can also update the security policy and dismiss alerts and recommendations.
Box 2: User2
Review security recommendations and enable server vulnerability scans.
User2 is Security Reader.
Security Reader: View permissions for Microsoft Defender for Cloud. Can view recommendations, alerts, a security policy, and security states, but cannot make changes.
Defender for Cloud's integrated Qualys vulnerability scanner for Azure and hybrid machines. Required roles and permissions:
Owner (resource group level) can deploy the scanner.
Security Reader can view findings.
Incorrect:
* Contributor (User3)
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
https://learn.microsoft.com/en-us/azure/defender-for-cloud/deploy-vulnerability-assessment-vm




HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription.
You need to create a hunting query that will return every email that contains an attachment named Document.pdf. The query must meet the following requirements:
Only show emails sent during the last hour.
Optimize query performance.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  A. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: | where Timestamp > ago(1h)
Only show emails sent during the last hour. Optimize query performance.
Apply filters early — Apply time filters and other filters to reduce the data set, especially before using transformation and parsing functions, such as substring(), replace(), trim(), toupper(), or parse_json(). In the example below, the parsing function extractjson() is used after filtering operators have reduced the number of records.
DeviceEvents
| where Timestamp > ago(1d)
| where ActionType == "UsbDriveMount"
| where DeviceName == "user-desktop.domain.com"
| extend DriveLetter = extractjson("$.DriveLetter", AdditionalFields)
Box 2: | join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
The DeviceFileEvents table in the advanced hunting schema contains information about file creation, modification, and other file system events.
Optimize the join operator
The join operator merges rows from two tables by matching values in specified columns. Apply these tips to optimize queries that use this operator.
* Use the inner-join flavor
The default join flavor, innerunique-join, deduplicates rows in the left table by the join key before returning a row for each match to the right table. If the left table has multiple rows with the same value for the join key, those rows will be deduplicated to leave a single random row for each unique value.
This default behavior can leave out important information from the left table that can provide useful insight. For example, the query below will only show one email containing a particular attachment, even if that same attachment was sent in multiple email messages.
To address this limitation, we apply the inner-join flavor by specifying kind=inner to show all rows in the left table with matching values in the right:
| where Timestamp > ago(1h)
| where Subject == "Document Attachment" and FileName == "Document.pdf"
| join kind=inner (DeviceFileEvents | where Timestamp > ago(1h)) on SHA256
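As an added example (not from the exam page, the answer key, or Microsoft's documentation), the query below applies both best practices from this explanation, filtering early and using kind=inner, to the scenario in the question, and also projects the columns a query must return before it can be saved as a custom detection rule (the procedure in the first question on this page). Table names (EmailAttachmentInfo, DeviceFileEvents) and column names are from the Defender XDR advanced hunting schema; the ActionType value and the set of projected columns are my own choices, and the one-hour window follows the question.

```kusto
// Added example, not part of the exam page. Hunting query for every email
// in the last hour carrying an attachment named Document.pdf, joined to
// endpoint file events on the attachment's SHA256 so the email is tied to
// the device on which the file landed.
EmailAttachmentInfo
// Filter early: the time filter and the cheap equality filter shrink the
// left table before the join runs, which is where the cost is.
| where Timestamp > ago(1h)
| where FileName == "Document.pdf"
// kind=inner keeps every matching left-hand row. The default innerunique
// flavor would collapse repeated SHA256 values to one arbitrary email, so
// a second recipient of the same attachment would silently disappear.
// The right side is time-filtered before the join for the same reason.
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(1h)
    // Assumed choice: only file-creation events are interesting here.
    | where ActionType == "FileCreated"
) on SHA256
// A custom detection rule built from this query must return Timestamp,
// ReportId and at least one entity column (for example DeviceId or
// RecipientEmailAddress). After the join, the right table's duplicate
// columns are suffixed (Timestamp1, ReportId1); project the left-hand
// ones so the rule has one unambiguous Timestamp and ReportId.
| project Timestamp, ReportId, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, FileName, SHA256, DeviceId, DeviceName,
          FolderPath
```

To turn this into a tracked detection, run it in Advanced hunting first to confirm it returns rows with the projected columns, then select Create detection rule and map RecipientEmailAddress and DeviceId as the impacted entities.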


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-best-practices




Your company has an on-premises network that uses Microsoft Defender for Identity.
The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.
You need to remediate the security risk. What should you do?

  A. Disable legacy protocols on the computers listed as exposed entities.
  B. Enforce LDAP signing on the computers listed as exposed entities.
  C. Modify the properties of the computer objects listed as exposed entities.
  D. Install the Windows Local Administrator Password Solution (Windows LAPS) extension on the computers listed as exposed entities.

Answer(s): C

Explanation:

Security assessment: Unsecure Kerberos delegation
Remediation
Use the remediation appropriate to your delegation type.
Unconstrained delegation
Either disable delegation or use one of the following Kerberos constrained delegation (KCD) types:
Constrained delegation: Restricts which services this account can impersonate. Select Trust this computer for delegation to specified services only.
How do I use this security assessment?
1. Review the recommended action at https://security.microsoft.com/securescore?viewid=actions to discover which of your non-domain controller entities are configured for unsecure Kerberos delegation.
2. Take appropriate action on those at-risk users, such as removing their unconstrained attribute or changing it to a more secure constrained delegation.
Incorrect:
* LAPS
Microsoft's Local Administrator Password Solution (LAPS) provides management of local administrator account passwords for domain-joined computers. Passwords are randomized and stored in Active Directory (AD), protected by ACLs, so only eligible users can read them or request a reset.
What risk does not implementing LAPS pose to an organization?
LAPS provides a solution to the issue of using a common local account with an identical password on every computer in a domain. LAPS resolves this issue by setting a different, rotated random password for the common local administrator account on every computer in the domain.


Reference:

https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-unconstrained-kerberos




You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices. You need to mark the file as safe and remove the file from quarantine on the devices.
What should you use in the Microsoft 365 Defender portal?

  A. From the History tab in the Action center, revert the actions.
  B. From the investigation page, review the AIR processes.
  C. From Quarantine from the Review page, modify the rules.
  D. From Threat tracker, review the queries.

Answer(s): A

Explanation:

View and manage actions in the Action center
Applies to: Microsoft 365 Defender
To remove a file from quarantine across multiple devices:
1. Go to the Action center (https://security.microsoft.com/action-center) and sign in.
2. On the History tab, select a file that has a Quarantine file Action type.
3. In the pane on the right side of the screen, select Apply to X more instances of this file, and then select Undo.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/m365d-autoir-actions




You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft Defender portal?

  A. Advanced hunting
  B. Threat analytics
  C. Incidents & alerts
  D. Learning hub

Answer(s): B

Explanation:

Threat analytics
Threat analytics is the Microsoft 365 Defender threat intelligence solution from expert Microsoft security researchers. It's designed to help security teams be as efficient as possible while facing emerging threats, such as:
Active threat actors and their campaigns
Popular and new attack techniques
Critical vulnerabilities
Common attack surfaces
Prevalent malware
Incorrect:
* Advanced hunting
You can build custom detection rules and hunt for specific threats in your environment. Hunting uses a query-based threat hunting tool that lets you proactively inspect events in your organization to locate threat indicators and entities. These rules run automatically to check for, and then respond to, suspected breach activity, misconfigured machines, and other findings.
* Learning Hub
The Microsoft 365 Defender portal includes a learning hub that provides guidance from resources such as the Microsoft security blog, the Microsoft security community on YouTube, and the official documentation.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-365-defender-portal



Viewing page 7 of 50


