SC-200 Practice Questions — Page 24

Question 231

You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.

In Site1, you identify the suspicious files shown in the following table.

In Microsoft Purview, you create the content searches shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Question 232

You have a Microsoft 365 E5 subscription that contains a device named Device1.

From the Microsoft Defender portal, you discover that an alert was triggered for Device1.

From the Device inventory page, you isolate Device1.

You need to collect a list of installed programs on Device1.

What should you do?

  • A. Initiate a live response session and run the processes command.
  • B. Initiate an automated investigation and view the results in the Action center.
  • C. Initiate a live response session and run the analyze command.
  • D. Run an advanced hunting query against the DeviceTvmSoftwareInventory table.

Question 233

You have a Microsoft 365 E5 subscription that contains a device named Device1.

From the Microsoft Defender portal, you discover that an alert was triggered for Device1.

From the Device inventory page, you isolate Device1.

You need to collect a list of installed programs on Device1.

What should you do?

  • A. Collect an investigation package and download the results from the Action center.
  • B. Initiate a live response session and run the analyze command.
  • C. Run an advanced hunting query against the DeviceProcessEvents table.
  • D. Run an advanced hunting query against the DeviceTvmInfoGathering table.

Question 234

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You have an Azure subscription that uses Microsoft Security Copilot.

You need to create a custom promptbook in Security Copilot that will gather the following information about an incident ID:

• An incident summary

• Threat intelligence on the identified threat actors

• A detailed analysis of the users affected by the incident

• A detailed analysis of the devices affected by the incident

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Question 235

You have a Microsoft 365 subscription. The subscription contains 500 Windows 11 devices that are onboarded to Microsoft Defender for Endpoint.

You have 500 devices that run Linux.

Users sign in to the Windows and Linux devices by using their Microsoft Entra credentials.

You need to recommend a response process for Microsoft Defender XDR security incidents associated with a compromised Linux endpoint. The solution must ensure that the compromised device is prevented from communicating with all devices onboarded to Defender for Endpoint.

Which response action should you include in the recommendation?

  • A. Contain user
  • B. Contain device
  • C. Isolate device
  • D. Confirm user compromised

Question 236

You have an Azure subscription that contains a user named User1 and a Microsoft Sentinel workspace named WS1.

You need to ensure that User1 can enable User and Entity Behavior Analytics (UEBA) for WS1. The solution must follow the principle of least privilege.

Which roles should you assign to User1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 237

You have a Microsoft Sentinel workspace named SW1.

In SW1, you enable User and Entity Behavior Analytics (UEBA).

You need to use KQL to perform the following tasks:

• View the entity data that has fields for each type of entity.

• Assess the quality of rules by analyzing how well a rule performs.

Which table should you use in KQL for each task? To answer, drag the appropriate tables to the correct tasks. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

Question 238

Your on-premises network contains an Active Directory Domain Services (AD DS) forest.

You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.

You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.

Which table should you query?

  • A. AADServicePrincipalRiskEvents
  • B. AADDomainServicesAccountLogon
  • C. SigninLogs
  • D. IdentityLogonEvents

Question 239

You have a Microsoft 365 subscription.

You need to identify all the security principals that submitted requests to change or delete groups.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 240

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.

You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:

• Identify all the active network connections on Device1.

• Identify all the running processes on Device1.

• Retrieve the login history of Device1.

• Minimize administrative effort.

What should you do first from the Microsoft Defender portal?

  • A. From Devices, click Collect investigation package for Device1.
  • B. From Advanced features in Endpoints, enable Live Response unsigned script execution.
  • C. From Devices, initiate a live response session on Device1.
  • D. From Advanced features in Endpoints, disable Authenticated telemetry.