Practice Free SC-200 Exam Online Questions

HOTSPOT

You have a Microsoft 365 E5 subscription that contains Windows 11 and Linux CentOS devices.

In Microsoft Defender XDR, Deception is set to On.

You plan to create a deception rule that will use a custom lure.

You need to specify the type of file, and the planting path for the custom lure.

What should you specify? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In Microsoft Defender XDR Deception, lures (also known as decoy files) are strategically planted within endpoints to attract attackers and detect credential theft or lateral movement attempts. When configuring a custom lure, you must align the file type and planting path with the operating system environment of the targeted devices.

Since the environment in this question includes Windows 11 and Linux CentOS devices, the chosen configuration must be valid across both OS types. The BIN file type is a binary executable type commonly recognized on Linux systems (for example, *.bin files) and supported by the deception engine for non-Windows environments. Microsoft documentation for Defender Deception specifies that BIN files are the appropriate lure type for Linux-based devices, whereas EXE or LNK files are specific to Windows-only deception scenarios.

For the planting path, {HOME} is the correct choice. Defender Deception automatically resolves {HOME} to the user’s home directory, which is a standard, writable, and expected location across both Windows (C:Users<username>) and Linux (/home/<username>) environments. This ensures consistent deployment and operation of the lure without requiring administrative customization of shared or temporary directories.

Therefore, to meet cross-platform coverage and minimal configuration effort:

✅ File type: BIN

✅ Planting path: {HOME}

HOTSPOT

You have a Microsoft Sentinel workspace.

A Microsoft Sentinel incident is generated as shown in the following exhibit.

Use the drop-down menus to select the answer choice that completes each statement based on the information presented in [the graphic. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

You have a Microsoft 365 subscription that uses Microsoft Copilot for Security.

You create a promptbook named Book1.

For Book1, you need to create a prompt that contains an input named IncidentID.

How should you format IncidentID?

Reveal Solution Hide Solution

DRAG DROP

You have a Microsoft Sentinel workspace named SW1.

In SW1. you enable User and Entity Behavior Analytics (UEBA).

You need to use KQL to perform the following tasks:

• View the entity data that has fields for each type of entity.

• Assess the quality of rules by analyzing how well a rule performs.

Which table should you use in KQL for each task? To answer, drag the appropriate tables to the correct tasks. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

When User and Entity Behavior Analytics (UEBA) is enabled in Microsoft Sentinel, it creates several dedicated tables within the Log Analytics workspace to store processed data for behavioral analytics and anomaly detection. Each table serves a specific purpose according to Microsoft documentation.

BehaviorAnalytics Table ― for viewing entity data

The BehaviorAnalytics table stores enriched information about entities (such as users, hosts, IP addresses, and applications) and their observed behaviors. Each record includes multiple fields that describe user or entity activities, risk scores, and behavioral baselines. Microsoft Sentinel documentation states:

“Use the BehaviorAnalytics table to view the entity data collected and analyzed by UEBA. This table contains fields for each type of entity, including account, host, and IP data.”

Therefore, to view the entity data with detailed attributes for each type, you query the BehaviorAnalytics table in KQL.

Anomalies Table ― for assessing rule quality

The Anomalies table is used to analyze the results of anomaly detection rules and evaluate their effectiveness. Each record represents an anomaly event generated by UEBA’s machine learning or statistical models. Microsoft’s UEBA and Sentinel analytics documentation explains:

“Use the Anomalies table to assess the performance and quality of your anomaly detection rules. The table helps you identify how well each rule detects unusual activities and whether it produces false positives.”

Thus, when you need to measure how well your rules perform (i.e., their quality, hit rate, or alert effectiveness), you use the Anomalies table.

Summary Mapping:

View entity data → BehaviorAnalytics

Assess rule quality → Anomalies

This mapping aligns directly with the functionality of UEBA-related tables in Microsoft Sentinel and follows official documentation for analyzing entity behaviors and anomaly rule performance.

Topic 1, Contoso Ltd

Case study

Overview

This is a case study. Case studies are not timed separately. You can use as much exam time as you would like to complete each case. However, there may be additional case studies and sections on this exam. You must manage your time to ensure that you are able to complete all questions included on this exam in the time provided.

To answer the questions included in a case study, you will need to reference information that is provided in the case study. Case studies might contain exhibits and other resources that provide more information about the scenario that is described in the case study. Each question is independent of the other questions in this case study.

At the end of this case study, a review screen will appear. This screen allows you to review your answers and to make changes before you move to the next section of the exam. After you begin a new section, you cannot return to this section.

To start the case study

To display the first question in this case study, click the Next button. Use the buttons in the left pane to explore the content of the case study before you answer the questions. Clicking these buttons displays information such as business requirements, existing environment, and problem statements. If the case study has an All Information tab, note that the information displayed is identical to the information displayed on the subsequent tabs. When you are ready to answer a question, click the Question button to return to the question.

Overview

A company named Contoso Ltd. has a main office and five branch offices located throughout North America. The main office is in Seattle. The branch offices are in Toronto, Miami, Houston, Los Angeles, and Vancouver.

Contoso has a subsidiary named Fabrikam, Ltd. that has offices in New York and San Francisco.

Existing Environment

End-User Environment

All users at Contoso use Windows 10 devices. Each user is licensed for Microsoft 365. In addition, iOS devices are distributed to the members of the sales team at Contoso.

Cloud and Hybrid Infrastructure

All Contoso applications are deployed to Azure.

You enable Microsoft Cloud App Security.

Contoso and Fabrikam have different Azure Active Directory (Azure AD) tenants. Fabrikam recently purchased an Azure subscription and enabled Azure Defender for all supported resource types.

Current Problems

The security team at Contoso receives a large number of cybersecurity alerts. The security team spends too much time identifying which cybersecurity alerts are legitimate threats, and which are not.

The Contoso sales team uses only iOS devices. The sales team members exchange files with customers by using a variety of third-party tools. In the past, the sales team experienced various attacks on their devices.

The marketing team at Contoso has several Microsoft SharePoint Online sites for collaborating with external vendors. The marketing team has had several incidents in which vendors uploaded files that contain malware.

The executive team at Contoso suspects a security breach. The executive team requests that you identify which files had more than five activities during the past 48 hours, including data access, download, or deletion for Microsoft Cloud App Security-protected applications.

Requirements

Planned Changes

Contoso plans to integrate the security operations of both companies and manage all security operations centrally.

Technical Requirements

Contoso identifies the following technical requirements:

✑ Receive alerts if an Azure virtual machine is under brute force attack.

✑ Use Azure Sentinel to reduce organizational risk by rapidly remediating active attacks on the environment.

✑ Implement Azure Sentinel queries that correlate data across the Azure AD tenants of Contoso and Fabrikam.

✑ Develop a procedure to remediate Azure Defender for Key Vault alerts for Fabrikam in case of external attackers and a potential compromise of its own Azure AD applications.

✑ Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query.

BehaviorAnalytics

| where ActivityType == "FailedLogOn"

| where ________ == True

The issue for which team can be resolved by using Microsoft Defender for Endpoint?

Reveal Solution Hide Solution

You provision a Linux virtual machine in a new Azure subscription.

You enable Azure Defender and onboard the virtual machine to Azure Defender.

You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.

Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You have the on-premises devices shown in the following table.

You are preparing an incident response plan for devices infected by malware.

You need to recommend response actions that meet the following requirements:

• Block malware from communicating with and infecting managed devices.

• Do NOT affect the ability to control managed devices.

Which actions should you use for each device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In Microsoft Defender for Endpoint (MDE), the actions available for a device depend on its onboarding and management state. These actions are part of the incident response toolkit used by SecOps analysts to contain, isolate, or investigate devices during malware incidents.

Device1 C Windows Server 2022 (Managed)

Device1 is onboarded and managed through Microsoft Defender for Endpoint, meaning it supports the full range of response actions, including:

Isolate device C disconnects the device from the network while maintaining Defender for Endpoint connectivity for command and control.

Contain device C blocks communication between this device and other devices, reducing lateral movement.

Initiate Automated Investigation (AIR) C triggers Defender’s automated threat investigation and remediation process.

According to Microsoft’s official Defender for Endpoint documentation:

“For devices onboarded and managed by Microsoft Defender for Endpoint, SecOps can initiate automated investigations, isolate or contain devices, and perform live response actions.”

Thus, Device1 supports all three response actions.

✅ Answer for Device1: Isolate device, Initiate Automated Investigation, and Contain device

Device2 C Linux (Unmanaged)

Device2 is discovered but unmanaged, meaning it has not been onboarded to Defender for Endpoint. For unmanaged or discovered-only devices, the available actions are limited.

Microsoft documentation clearly states:

“For unmanaged devices discovered by Defender for Endpoint, response actions such as containment or investigation are unavailable. Only isolation recommendations can be made if supported.”

Because Device2 is a Linux device and not onboarded, the platform cannot perform full remediation or containment. The only applicable action that aligns with incident containment (but not management interference) is isolating the device from the network to prevent malware spread.

✅ Answer for Device2: Isolate device only

✅ Final Answers Summary:

Device1: Isolate device, Initiate Automated Investigation, and Contain device

Device2: Isolate device only

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Office 365.

You need to build a hunting query that will list events involving potentially malicious emails that were detected but NOT removed successfully from mailboxes after delivery. The solution must ensure that the events are correlated with the sign-in events of the email recipients.

How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In advanced hunting, EmailPostDeliveryEvents records post-delivery actions taken on messages (e.g., Zero-hour Auto Purge C ZAP, Automated Investigation and Response). To find emails that were detected but not removed, filter for the post-delivery action with ActionType has "ZAP" and ActionResult == "Error", which indicates ZAP attempted to remove the item but failed.

To correlate these mailbox events with recipient sign-ins, join to SigninLogs. The mailbox recipient field is RecipientEmailAddress; the corresponding identity field in sign-in data is the user principal name, exposed in normalized hunting schemas as AccountUpn. Therefore, use: join kind=inner (…) on $left.RecipientEmailAddress == $right.AccountUpn

A complete pattern looks like:

EmailPostDeliveryEvents

| where Timestamp >= ago(7d)

| where ActionType has "ZAP" and ActionResult == "Error"

| project ErrorTime=Timestamp, ActionType, NetworkMessageId, RecipientEmailAddress | join kind=inner (

SigninLogs

| project AccountUpn=UserPrincipalName, AppDisplayName, Protocol, DeviceDetail

) on $left.RecipientEmailAddress == $right.AccountUpn

| project ErrorTime, ActionType, NetworkMessageId, RecipientEmailAddress, AppDisplayName, Protocol, DeviceDetail

This returns failed ZAP removals and the associated recipient sign-in context.

You have an on-premises network.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.

From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.

Suspected identity theft (pass-the-ticket) (external ID 2018)

You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.

What should you do?

Reveal Solution Hide Solution

Which rule setting should you configure to meet the Microsoft Sentinel requirements?

Reveal Solution Hide Solution