Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. SC-200

Free Microsoft SC-200 Exam Questions (page: 9)

Page 9 of 50
PDF with 389 Questions
View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Purview and contains a user named User1.
User1 shares a Microsoft Power BI report file from the Microsoft OneDrive folder of your company to an external user by using Microsoft Teams.
You need to identify which Power BI report file was shared.
How should you configure the search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Share file, folder, or site Activities
Box 2: Shared Power BI report Record type
Box 3: Microsoft teams Workload
Note: Search-UnifiedAuditLog Applies to:
Exchange Online, Exchange Online Protection
This cmdlet is available only in the cloud-based service.
Use the Search-UnifiedAuditLog cmdlet to search the unified audit log. This log contains events from Exchange Online, SharePoint Online, OneDrive for Business, Azure Active Directory, Microsoft Teams, Power BI, and other Microsoft 365 services. You can search for all events in a specified date range, or you can filter the results based on specific criteria, such as the user who performed the action, the action, or the target object.
Example:
Search-UnifiedAuditLog -StartDate 5/1/2018 -EndDate 5/8/2018 -RecordType SharePointFileOperation - Operations FileAccessed -SessionId "WordDocs_SharepointViews"-SessionCommand ReturnLargeSet
This example searches the unified audit log for any files accessed in SharePoint Online from May 1, 2018 to
May 8, 2018. The data is returned in pages as the command is rerun sequentially while using the same SessionId value.


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/auditing https://learn.microsoft.com/en-us/powershell/module/exchange/search-unifiedauditlog



View Related Case Study

You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams. You have a team named Team1 that has a project named Project1.
You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.
Which KQL query should you run?

  1. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))
  2. AuditLogs
    | where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))
    | where FileName contains “Project1”
  3. Project1(c:c)(date=2023-02-01..2023-02-10)
  4. AuditLogs
    | where Timestamp > ago(10d)
    | where FileName contains “Project1”

Answer(s): C



View Related Case Study

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.
Which operator should you use?

  1. search *
  2. union kind = inner
  3. join kind = inner
  4. evaluate hint.remote =

Answer(s): B

Explanation:

KQL, union operator
Takes two or more tables and returns the rows of all of them.
Syntax
[ T | ] union [ UnionParameters ] [kind= inner|outer] [withsource= ColumnName] [isfuzzy= true|false] Tables


Reference:

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/unionoperator



View Related Case Study

You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices. You onboard the devices to Microsoft Defender 365.
You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.
What should you do first?

  1. Modify the permissions for Microsoft 365 Defender.
  2. Create a device group.
  3. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
  4. Configure role-based access control (RBAC).

Answer(s): D

Explanation:

Live Response session
Live Response is a feature in Defender for Endpoint that provides security analysts a remote shell connection to access a device. This allows a security analyst to perform in-depth investigation on an affected device.
First, we need to ensure that the following settings are enabled.


After we have enabled these two settings, we can start initiate a live response session on an affected device.


Reference:

https://m365internals.com/2021/05/14/using-microsoft-defender-for-endpoint-during-investigation/



View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint. You need to create a detection rule that meets the following requirements:
Is triggered when a device that has critical software vulnerabilities was active during the last hour Limits the number of duplicate results
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: distinct DeviceID
The DeviceTvmSoftwareVulnerabilities table in the advanced hunting schema contains the Microsoft Defender Vulnerability Management list of vulnerabilities in installed software products. This table also includes operating system information, CVE IDs, and vulnerability severity information. You can use this table, for example, to hunt for events involving devices that have severe vulnerabilities in their software. Use this reference to construct queries that return information from the table.
The table includes:
DeviceId
Unique identifier for the machine in the service
CveID
Unique identifier assigned to the security vulnerability under the Common Vulnerabilities and Exposures (CVE) system
Etc.
Note: distinct operator
Produces a table with the distinct combination of the provided columns of the input table.
Syntax
T | distinct ColumnName[,ColumnName2, ...] Box 2: project Timestamp, DeviceId, ReportId
Incorrect:
project-keep
Select what columns from the input to keep in the output. Only the columns that are specified as arguments will be shown in the result. The other columns are excluded.
Example
The following query returns columns from the ConferenceSessions table that contain the word "session".
ConferenceSessions
| project-keep session*
Syntax
T | project-keep ColumnNameOrPattern [, ...]
* project-away operator
Select what columns from the input table to exclude from the output table.
Syntax
T | project-away ColumnNameOrPattern [, ...]
Examples
The input table PopulationData has 2 columns: State and Population. Project-away the Population column and you're left with a list of state names.
PopulationData
| project-away Population


Reference:

https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting- devicetvmsoftwarevulnerabilities-table



View Related Case Study

HOTSPOT (Drag and Drop is not supported)
You have a Microsoft 365 E5 subscription that uses Microsoft Teams.
You need to perform a content search of Teams chats for a user by using the Microsoft Purview compliance portal. The solution must minimize the scope of the search.
How should you configure the content search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:




Box 1: Exchange mailboxes Locations
Searching for and exporting Teams chat content
Here's how to use Content search in the Microsoft Purview compliance portal to search
In the Microsoft Purview compliance portal, go to Content search.
On the Searches tab, select New search, and name the new search.
On the Locations page, choose the content locations that you want to search. You can search mailboxes,
sites, and public folders.


Exchange mailboxes: Set the toggle to On. The option to search all Exchange mailboxes is automatically selected. If needed, select Choose users, groups, or teams to specify the mailboxes to search. Use the search box to find user mailboxes and distribution groups. You can also search the mailbox associated with a Microsoft Team (for channel messages), Microsoft 365 Group, and Viva Engage Group.
SharePoint sites: Set the toggle to On. The option to search all SharePoint sites is automatically selected. Select Choose sites to specify SharePoint sites and OneDrive sites to search. Enter the URL for each site that you want to search. You can also add the URL for the SharePoint site for a Microsoft Team, Microsoft 365 Group, or Viva Engage Group.
Exchange public folders: Set the toggle to On. The option to search all Exchange public folders is automatically selected to search all public folders in your Exchange Online organization. You can't choose specific public folders to search. Leave the toggle switch off if you don't want search all public folders.
Keep this checkbox selected to search for Teams content for on-premises users. For example, if you search all Exchange mailboxes in the organization and this checkbox is selected, the cloud-based storage used to store Teams chat data for on-premises users will be included in the scope of the search. For more information, see Search for Teams chat data for on-premises users.
Box 2: kind Keywords
On the Define your search conditions page, create a keyword query and add conditions to the search query if necessary. To only search for Team chats data, you can add the following query in the Keywords box:
kind:im AND kind:microsoftteams
5. Submit and run the search. Any search results for on-premises users can be previewed like any other search results. You can also export the search results (including any Teams chat data) to a PST file.


Reference:

https://learn.microsoft.com/en-us/purview/ediscovery-search-cloud-based-mailboxes-for-on-premises-users https://learn.microsoft.com/en-us/purview/ediscovery-content-search



View Related Case Study

You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender XDR.
You need to initiate the collection of investigation packages from the devices by using the Microsoft Defender
portal.
Which response action should you use?

  1. Run antivirus scan
  2. Initiate Automated Investigation
  3. Collect investigation package
  4. Initiate Live Response Session

Answer(s): C



View Related Case Study

You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.
Which two actions should you perform in the Microsoft Defender portal? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

  1. From Settings, select Cloud Apps, select Microsoft Information Protection, and then select Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.
  2. From Cloud apps, select Files, and then filter File Type to Document.
  3. From Settings, select Cloud Apps, select Microsoft Information Protection, select Files, and then enable file monitoring.
  4. From Cloud apps, select Files, and then filter App to Microsoft 365.
  5. From Cloud apps, select Files, and then select New policy from search.
  6. From Settings, select Cloud Apps, select Microsoft Information Protection, and then select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.

Answer(s): C,F

Explanation:

Discover and protect sensitive information in your organization
Phase 1: Discover your data Details omitted.
(F) Phase 2: Classify sensitive informationDefine which information is sensitive. Details omitted.Enable Microsoft Information Protection integrationIn the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps.Under Information Protection, go to Microsoft Information Protection. Select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.Etc.
Phase 3: Protect your data
Phase 4: Monitor and report on your data
C: File filters in Microsoft Defender for Cloud Apps
File monitoring should be enabled in Settings. In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Information Protection, select Files. Select Enable file monitoring and then select Save.
Note: To provide data protection, Microsoft Defender for Cloud Apps gives you visibility into all the files from your connected apps. After you connect Microsoft Defender for Cloud Apps to an app using the App connector, Microsoft Defender for Cloud Apps scans all the files, for example all the files stored in OneDrive and Salesforce. Then, Defender for Cloud Apps rescans each file every time it's modified – the modification can be to content, metadata, or sharing permissions. Scanning times depend on the number of files stored in your app. You can also use the Files page to filter files to investigate what kind of data is saved in your cloud apps.
('Microsoft 365 Defender' and 'Microsoft Defender XDR' are just terminologies used to group different platforms together.)


Reference:

https://docs.microsoft.com/en-us/cloud-app-security/tutorial-dlp https://docs.microsoft.com/en-us/cloud-app-security/azip-integration https://learn.microsoft.com/en-us/defender-cloud-apps/file-filters



Viewing page 9 of 50



Post your Comments and Discuss Microsoft SC-200 exam prep with other Community members:

SC-200 Exam Discussions & Posts