FEFreeExamDumps.in

SC-200 Practice Questions — Page 23

Question 221


You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker performs the tactics shown in the following table.

You need to search for malicious activities in your organization.

Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?

  • A. Tactic1 only
  • B. Tactic2 only
  • C. Tactic1 and Tactic3 only
  • D. Tactic2 and Tactic3 only
  • E. Tactic1, Tactic2, and Tactic3

Question 222


You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows device named Device1.

You initiate a live response session on Device1 and launch an executable file named File1.exe in the background.

You need to perform the following actions:

• Identify the command ID of File1.exe.

• Interact with File1.exe.

Which live response command should you run for each action? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Question 223


You have a Microsoft Sentinel workspace named SW1.

In SW1, you investigate an incident that is associated with the following entities:

• Host

• IP address

• User account

• Malware name

Which entity can be labeled as an indicator of compromise (IoC) directly from the incident's page?

  • A. malware name
  • B. host
  • C. user account
  • D. IP address

Question 224


You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

You detect malicious activity on Device1.

You initiate a live response session on Device1.

You need to perform the following actions:

• Download a file from the live response library.

• Stop a process that is running on Device1.

Which live response command should you run for each action? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Question 225


You have an Azure subscription that contains the users shown in the following table.

The subscription contains instances of Azure Firewall as shown in the following table.

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have the Copilot for Security role assignments shown in the following table.

Each user runs a Copilot for Security session.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Question 226


You have a Microsoft 365 subscription that uses Microsoft Copilot for Security.

You create a promptbook named Book1.

For Book1, you need to create a prompt that contains an input named IncidentID.

How should you format IncidentID?

  • A. `<IncidentID>`
  • B. `##IncidentID##`
  • C. `[IncidentID]`
  • D. `$IncidentID$`

Question 227


You have an Azure subscription named Sub1 that contains the resources shown in the following table.

You plan to configure Rule1 to trigger Lapp1 when an incident is generated.

You need to recommend the role-based access control (RBAC) role that you should assign to WS1, and the scope at which you should assign the role. The solution must follow the principle of least privilege.

What should you recommend? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.


Question 228


You have an on-premises Windows 11 Pro device named Device1 that is onboarded to Microsoft Defender for Endpoint.

You have a Microsoft 365 subscription.

You need to identify the processes running on Device1 and which network connections the processes have open. The solution must minimize administrative effort.

Which four actions should you perform in the Microsoft Defender portal in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.


Question 229


You have the Azure subscriptions shown in the following table.

You have a Microsoft Entra tenant that contains the users shown in the following table.

The users have the Azure roles shown in the following table.

You configure Microsoft Copilot for Security capacities as shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.


Question 230


You have an Azure subscription named Sub1 that is linked to a Microsoft Entra tenant named contoso.com. Sub1 contains a Log Analytics workspace named Workspace1. All the logs from contoso.com are streamed to Workspace1.

You have a Microsoft 365 E5 subscription.

You need to query Workspace1 for the following:

• HTTP requests to the Microsoft Graph service of contoso.com

• Third-party app sign-in activities that use certificates or secrets

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.
