Practice Free SC-200 Exam Online Questions – Page 2

Question #11

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.

Solution: You add each account as a Sensitive account.

Does this meet the goal?

A . Yes
B . No

Reveal Solution Hide Solution

Question #12

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Teams.

You need to perform a content search of Teams chats for a user by using the Microsoft Purview compliance portal. The solution must minimize the scope of the search.

How should you configure the content search? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #13

HOTSPOT

Your network contains an on-premises Active Directory Domain Services (AD DS) domain that syncs with Azure AD.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

You need to identify all the interactive authentication attempts by the users in the finance department of your company.

How should you complete the KQL query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #14

HOTSPOT

You have a Microsoft Sentinel workspace named sws1.

You need to create a query that will detect when a user creates an unusually large numbers of Azure AD user accounts.

How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #15

You have a Microsoft Sentinel workspace named Workspaces

You need to exclude a built-in. source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.

What should you create in Workspace1?

A . a workbook
B . a hunting query
C . a watchlist
D . an analytic rule

Reveal Solution Hide Solution

Question #16

You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector.

While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query.

By which two components can you group alerts into incidents? Each correct answer presents a complete

solution. NOTE: Each correct selection is worth one point.

A . user
B . resource group
C . IP address
D . computer

Reveal Solution Hide Solution

Question #17

HOTSPOT

You need to implement Microsoft Defender for Cloud to meet the Microsoft Defender for Cloud requirements and the business requirements.

What should you include in the solution? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Question #18

Your company deploys the following services:

✑ Microsoft Defender for Identity

✑ Microsoft Defender for Endpoint

✑ Microsoft Defender for Office 365

You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege.

Which two roles should assign to the analyst? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

A . the Compliance Data Administrator in Azure Active Directory (Azure AD)
B . the Active remediation actions role in Microsoft Defender for Endpoint
C . the Security Administrator role in Azure Active Directory (Azure AD)
D . the Security Reader role in Azure Active Directory (Azure AD)

Reveal Solution Hide Solution

Correct Answer: BD
BD

Explanation:

To allow a security analyst to use the Microsoft 365 security center and also approve or reject pending remediation actions generated by Microsoft Defender for Endpoint, while adhering to the principle of least privilege, you must assign two complementary roles:

In Microsoft Defender for Endpoint, assign the Active remediation actions role. This role explicitly gives permission to take response actions (such as isolation, quarantine, etc.) or to approve or reject pending remediation tasks. Microsoft documentation states that when taking response actions on a device, “you must have at least the Active remediation actions role assigned.” Microsoft Learn

In Azure AD (or Microsoft Entra), assign the Security Reader role. This role grants read-only visibility into the security configuration and alerts in the Microsoft 365 security center without elevating the analyst to full security administration. This ensures the analyst can see what’s happening in the security environment, but not make broad configuration changes.

Here’s why those roles are correct and why the others are not:

The Active remediation actions role is narrowly scoped to remediation operations, which is exactly what is needed to approve or reject pending actions. Any broader role (like Security Administrator) would exceed the principle of least privilege.

The Security Reader role allows the analyst to navigate the Microsoft 365 security center (view incidents, alerts, reports) but does not grant write-level permissions that are unnecessary for their role.

The Security Administrator role (option C) would grant too many permissions―not least privilege― though it might allow the needed actions, it is overly permissive relative to what is needed.

The Compliance Data Administrator (option A) is unrelated to remediation within Defender or endpoint actions; it is designed around compliance and data governance.

Additionally, Microsoft’s role-mapping between Defender XDR unified RBAC and legacy roles confirms that the Active remediation actions permission is mapped to the “Response (manage)” capability in the unified RBAC model. Microsoft Learn

Together, assigning Active remediation actions (in Defender for Endpoint) and Security Reader (in Azure AD/Entra) gives the minimal necessary access: ability to view security data and approve or reject remediation actions, without over-privileging the analyst.

Question #19

You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema. You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort.

What should you do first?

A . Copy the parsers to the Azure Monitor Logs page.
B . Create a JSON file based on the DNS template.
C . Create an XML file based on the DNS template.
D . Create a YAML file based on the DNS template.

Reveal Solution Hide Solution

Question #20

HOTSPOT

From Azure Sentinel, you open the Investigation pane for a high-severity incident as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

1 2 3 4 5 6 7 8 9 10 11 12 13

Exams