Practice Free SC-200 Exam Online Questions

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint

You need to create a query that will link the Alertlnfo, AlertEvidence, and DeviceLogonEvents tables.

The solution must return all the rows in the tables.

Which operator should you use?

Reveal Solution Hide Solution

You create a custom analytics rule to detect threats in Azure Sentinel.

You discover that the rule fails intermittently.

What are two possible causes of the failures? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

You create a custom analytics rule to detect threats in Azure Sentinel.

You discover that the rule fails intermittently.

What are two possible causes of the failures? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.

Which anomaly detection policy should you use?

Reveal Solution Hide Solution

HOTSPOT

You have an Azure subscription named Sub1 that contains a Microsoft Sentinel workspace named

WS1.

You need to create a hunting query in WS1 that meets the following requirements:

• Returns the number of changes performed daily by each Microsoft Entra security principal during a seven-day period

• Identifies all the successful changes to the resources in Sub1

• Substitutes any missing data points with 0

How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

To hunt for resource changes in an Azure subscription via Microsoft Sentinel, the correct telemetry source is the AzureActivity table. Microsoft documents state that Azure Activity logs record control-plane operations against Azure resources (e.g., create/update/delete) and include fields such as OperationNameValue, ActivityStatusValue, Caller, ResourceId, and EventSubmissionTimestamp. Filtering with OperationNameValue endswith "write" captures change operations (create/update), while ActivityStatusValue == "Succeeded" ensures only successful changes are counted. For time-series analysis over fixed intervals and to substitute missing data points with 0, use the KQL make-series operator with the default=0 parameter. This operator builds per-principal daily series using on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller, and dcount(ResourceId) (or count()) returns the number of resource changes each day per Microsoft Entra security principal. This aligns with Sentinel hunting best practices: use AzureActivity for subscription-level changes, filter to succeeded writes, and leverage make-series to produce a 7-day daily series with zero-fill for gaps― minimizing false impressions caused by missing events.

Final KQL:

AzureActivity

| where OperationNameValue endswith "write"

| where ActivityStatusValue == "Succeeded"

| make-series dcount(ResourceId) default=0

on EventSubmissionTimestamp in range(ago(7d), now(), 1d)

by Caller

You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1.

What should you do?

Reveal Solution Hide Solution

You have a Microsoft 365 subscription. You have the following KQL query.

DeviceEvents

| where ActionType == "AntivirusDetection*

You need to ensure that you can create a Microsoft Defender XDR custom detection rule by using the query.

What should you add to the query?

Reveal Solution Hide Solution

You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365. You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.

Which response action should you use?

Reveal Solution Hide Solution

You implement Safe Attachments policies in Microsoft Defender for Office 365.

Users report that email messages containing attachments take longer than expected to be received.

You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked.

What should you configure in the Safe Attachments policies?

Reveal Solution Hide Solution

HOTSPOT

You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.

How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In Azure Security Center (now Microsoft Defender for Cloud), Workflow automation is provisioned as an ARM resource of type Microsoft.Security/automations. The automation resource defines one or more actions, and when the action is a Logic App, the actionType is set to LogicApp and the action must reference the Logic App by its resource ID. In ARM, the correct provider namespace for Logic Apps is Microsoft.Logic, so the template uses resourceId(‘Microsoft.Logic/workflows’, <logicAppName>) to populate logicAppResourceId.

To enable the security alert to trigger the Logic App, the automation action includes a callback URL to the Logic App’s manual trigger. In ARM, this is retrieved with listCallbackURL() against the trigger resource ID, which must also use the Microsoft.Logic provider, i.e., resourceId(<subscriptionId>, <resourceGroupName>, ‘Microsoft.Logic/workflows/triggers’, <logicAppName>, ‘manual’), with the Logic Apps API version such as 2019-05-01. This is the documented pattern for Security Center workflow automations: define an automation under Microsoft.Security/automations, specify an action of type LogicApp, reference the workflow by Microsoft.Logic, and obtain the manual trigger callback via listCallbackURL on Microsoft.Logic/workflows/triggers. This wiring ensures that when the specified security alerts are received, the automation invokes the Logic App for automatic remediation on each match.