Practice Free SC-200 Exam Online Questions

You have a Microsoft 365 B5 subscription that contains two groups named Group! and Group2 and uses Microsoft Copilot for Security.

You need to configure Copilot for Security role assignments to meet the following requirements:

• Ensure that members of Group1 can run prompts and respond to Microsoft Defender XDR security incidents.

• Ensure that members of Group2 can run prompts.

• Follow the principle of least privilege.

You remove Everyone from the Copilot Contributor role.

Which two actions should you perform next? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

The issue for which team can be resolved by using Microsoft Defender for Office 365?

Reveal Solution Hide Solution

The issue for which team can be resolved by using Microsoft Defender for Office 365?

Reveal Solution Hide Solution

You have two Azure subscriptions that use Microsoft Defender for Cloud.

You need to ensure that specific Defender for Cloud security alerts are suppressed at the root

management group level. The solution must minimize administrative effort.

What should you do in the Azure portal?

Reveal Solution Hide Solution

HOTSPOT

You need to create an advanced hunting query to investigate the executive team issue.

How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

Table: DeviceFileEvents

Aggregation function: count()

In Microsoft Defender XDR advanced hunting, data tables such as DeviceFileEvents, DeviceProcessEvents, and CloudAppEvents are used to investigate various types of activities. Since this query aims to investigate an issue related to file activity―specifically identifying when files have been accessed, modified, or created repeatedly―the correct data source table is DeviceFileEvents. This table contains information about file-level activities recorded by Defender for Endpoint sensors, including file path, file name, action type, and user account involved.

The KQL structure shown in the image follows standard hunting query syntax:

DeviceFileEvents

| where Timestamp > ago(2d)

| summarize activityCount = count() by FolderPath, FileName, ActionType, AccountDisplayName

| where activityCount > 5

Here’s why:

The where Timestamp > ago(2d) clause filters results from the last 2 days, a typical timeframe for immediate investigations.

The summarize operator groups events by FolderPath, FileName, ActionType, and

AccountDisplayName, then uses count() to determine how many times each file was acted upon.

Finally, where activityCount > 5 filters to show only unusually high-frequency activity, which might indicate suspicious or automated file manipulation.

Microsoft Defender XDR documentation highlights that DeviceFileEvents is the correct schema for file activity investigations, while DeviceProcessEvents focuses on process creation and execution, and CloudAppEvents targets cloud application usage.

Thus, the verified and documented correct completions are:

Table: DeviceFileEvents

Aggregation function: count()

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security.

You start a Copilot for Security session and enter five prompts that each provide responses.

You need to create a promptbook that will use the prompts but will NOT contain the responses. The solution must minimize administrative effort.

What should you do?

Reveal Solution Hide Solution

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

You detect malicious activity on Device1.

You initiate a live response session on Device1.

You need to perform the following actions:

• Download a file from the live response library.

• Stop a process that is running on Device1.

Which live response command should you run for each action? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In Microsoft Defender for Endpoint live response sessions, specific commands are provided to perform investigation and remediation tasks directly on a device. According to the official Defender for Endpoint documentation:

The getfile command is used to download a file from the live response library to the local analyst’s session. This command enables investigators to retrieve files that are stored in the Defender live response library for examination or comparison. The command is explicitly documented as “Retrieves a file from the library or from the device.”

The remediate command is used to take action against threats detected on the endpoint, such as stopping processes, deleting files, or quarantining malware. The remediation commands are part of the live response toolkit and provide direct control over running processes or malicious files during an active incident response session.

Other commands serve different purposes:

library lists the available files in the live response library.

putfile uploads files to the library.

analyze runs advanced analysis tasks.

services lists or manages Windows services but is not used to stop arbitrary processes.

Therefore, for this scenario, the correct live response commands are:

Download a file from the live response library: getfile

Stop a process that is running on Device1: remediate

You have a Microsoft 365 E5 subscription that contains two users named User1 and User2 and From the Copilot for Security portal, User1 starts a session and creates the following prompts:

• Prompt1: Provides access to the Entra plugin

• Prompt2: Provides access to the Intune plugin

• Prompt3: Provides access to the Entra plugin User1 shares the session with User2.

User2 does NOT have access to Microsoft Intune.

For which prompts can User2 view results during the shared session?

Reveal Solution Hide Solution

DRAG DROP

You have a Microsoft Sentinel workspace named Workspace1.

You need to run a KQL query as a search job.

Which five actions should you perform in Workspace 1 in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Reveal Solution Hide Solution

Correct Answer:

You need to correlate data from the SecurityEvent Log Anarytks table to meet the Microsoft Sentinel requirements for using UEBA.

Which Log Analytics table should you use?

Reveal Solution Hide Solution