Practice Free SC-200 Exam Online Questions
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 100 virtual machines that run Windows Server.
You need to configure the collection of Windows Security event logs for ingestion to WS1.
The solution must meet the following requirements:
• Capture a full user audit trail including user sign-in and user sign-out events.
• Minimize the volume of events.
• Minimize administrative effort.
Which event set should you select?
- A . All events
- B . Custom
- C . Minimal
- D . Common
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You plan to investigate suspicious activity in the subscription by using Microsoft Graph activity logs.
You need to search for requests to delete resources from the subscription and identify the users that initiated the requests.
How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

You have a Microsoft Sentinel workspace that contains the following incident.
Brute force attack against Azure Portal analytics rule has been triggered.
You need to identify the geolocation information that corresponds to the incident.
What should you do?
- A . From Overview, review the Potential malicious events map.
- B . From Incidents, review the details of the IP Custom Entity entity associated with the incident.
- C . From Incidents, review the details of the Account Custom Entity entity associated with the incident.
- D . From Investigation, review insights on the incident entity.
DRAG DROP
You have an Azure subscription. The subscription contains 10 virtual machines that are onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior on a virtual machine, you receive an email notification. The solution must generate a test email.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

You have a custom analytics rule to detect threats in Azure Sentinel.
You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.
What is a possible cause of the issue?
- A . There are connectivity issues between the data sources and Log Analytics.
- B . The number of alerts exceeded 10,000 within two minutes.
- C . The rule query takes too long to run and times out.
- D . Permissions to one of the data sources of the rule query were modified.
You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for SigninLogs.
You need to ensure that failed interactive sign-ins are detected.
The solution must minimize administrative effort.
What should you use?
- A . a scheduled alert query
- B . a UEBA activity template
- C . the Activity Log data connector
- D . a hunting query
You have a Microsoft Sentinel workspace named Workspace1 that contains the AzureActivity table.
You need to configure the retention period for the AzureActivity table.
The solution must meet the following requirements:
• Maximize the period during which you can run interactive queries.
• Minimize retention costs.
To what should you set the retention period? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
- A . 30 days
- B . 90 days
- C . 180 days
- D . 2 years
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?
- A . the Incident automation settings
- B . entity mapping
- C . the query rule
- D . the Alert automation settings
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.
The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll.
You need to submit files for deep analysis in Microsoft Defender XDR.
Which files can you submit?
- A . File1.ps1 only
- B . File2.exe only
- C . File3.dll only
- D . File2.exe and File3.dll only
- E . File1.ps1 and File2.exe only
- F . File1.ps1, File2.exe, and File3.dll