FEFreeExamDumps.in

SC-200 Practice Questions — Page 26

Question 251

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You discover a malicious process that was initiated by a file named File1.exe on a device named Device1.

You need to create a KQL query that will identify when File1.exe was created. The solution must meet the following requirements:

• Return the FileName, InitiatingProcessFileName, and InitiatingProcessCommandLine columns.

• Minimize the volume of data returned.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 252

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to create and customize a workbook for the Microsoft Entra ID Audit Logs.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Question 253

You have an Azure subscription named Sub1 that contains a Microsoft Sentinel workspace named WS1.

You need to create a hunting query in WS1 that meets the following requirements:

• Returns the number of changes performed daily by each Microsoft Entra security principal during a seven-day period

• Identifies all the successful changes to the resources in Sub1

• Substitutes any missing data points with 0

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 254

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You have an Azure subscription that contains a Log Analytics workspace named Workspace1.

You forward all logs to Workspace1.

You need to identify all the applications and security principals that made requests to modify Microsoft Entra groups during the previous 24 hours.

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Question 255

You have an Azure subscription that uses Microsoft Sentinel.

You need to create a custom workbook that will calculate the average time it takes to close security incidents. The solution must minimize administrative effort.

Which built-in Microsoft Sentinel workbook template should you select?

  • A. Security operations efficiency
  • B. Incident Overview
  • C. Workspace Usage Report
  • D. Investigation Insights

Question 256

You have a Microsoft 365 subscription. The subscription contains 500 devices that are onboarded to Microsoft Defender for Endpoint.

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to run a pilot on 50 devices that will remediate threats automatically. The solution must meet the following requirements:

• Minimize the impact on devices that are excluded from the pilot.

• Minimize administrative effort.

What should you configure first?

  • A. a playbook
  • B. an endpoint security policy
  • C. a device group
  • D. an automation rule

Question 257

You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint.

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You identify that an attacker performed the following actions on a device:

• Modified the file system path of a registry-based antivirus exclusion

• Downloaded a malicious file to the file system path

You initiate a live response session on the device.

You need to remove the malicious file.

Which command should you run?

  • A. collect
  • B. getfile
  • C. undo
  • D. remediate

Question 258

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. All endpoint devices are onboarded to Microsoft Defender for Endpoint.

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1. All Microsoft Defender XDR events are ingested into Workspace1.

You have a Microsoft Entra tenant.

You create a KQL query named query1 that searches device logs for a known vulnerability.

You need to ensure that query1 runs every hour. The solution must minimize administrative effort.

What should you configure?

  • A. a custom detection rule
  • B. automated investigation and response (AIR)
  • C. a watchlist
  • D. an automation rule

Question 259

You have a Microsoft 365 subscription.

You have the devices shown in the following table.

All the devices are onboarded to Microsoft Defender for Endpoint.

You are investigating a potential malware exploit on the devices.

You need to review the system log of each device. The solution must minimize disruptions to the devices.

What should you do for each device first in the Microsoft Defender portal?

  • A. Isolate the device.
  • B. Collect an investigation package.
  • C. Initiate an automated investigation.
  • D. Initiate a live response session. ✓

Question 260

You need to complete the query for failed sign-ins to meet the technical requirements.

Where can you find the column name to complete the where clause?

  • A. Security alerts in Azure Security Center
  • B. Activity log in Azure
  • C. Azure Advisor
  • D. the query windows of the Log Analytics workspace