SC-200 Certification Practice Question #240

Question

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.

You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:

•	Identify all the active network connections on Device1.
•	Identify all the running processes on Device1.
•	Retrieve the login history of Device1.
•	Minimize administrative effort.

What should you do first from the Microsoft Defender portal?

Accepted Answer

All four requirements — active network connections, running processes, and login (sign-in) history — are captured in a single Defender for Endpoint investigation package, and MS Learn's macOS package-contents table explicitly lists "Network connections (Active connections)", "Processes (a list of all running processes)", and "Users and groups (Sign-in history)". Collecting the package is one click and one download, which satisfies "minimize administrative effort," whereas a live response session (C) requires establishing a remote shell and running multiple commands interactively — and on macOS the live-response command set is more limited. The official Suggested Answer and a dominant 21-vote Most Voted both back A, reinforced by the top 12-👍 comment. The C camp is real but consists of low-vote/AI-generated opinions that overlook the "minimize effort" constraint, so confidence is set at 86 rather than higher to reflect that genuine community split.

More SC-200 practice questions