Practice Free SC-200 Exam Online Questions

You create an Azure subscription.

You enable Microsoft Defender for Cloud for the subscription.

You need to use Defender for Cloud to protect on-premises computers.

What should you do on the on-premises computers?

Reveal Solution Hide Solution

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You are configuring Microsoft Defender for Identity integration with Active Directory.

From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.

Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group.

Does this meet the goal?

Reveal Solution Hide Solution

You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.

You need to identify the impacted entities in an aggregated alert.

What should you review in the DIP alert management dashboard of the Microsoft Purview compliance portal?

Reveal Solution Hide Solution

HOTSPOT

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.

You need to ensure that the incidents in WS1 include a list of actions that must be performed.

The solution must meet the following requirements:

• Ensure that you can build a tailored list of actions for each type of incident.

• Minimize administrative effort.

What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

You use Azure Sentinel.

You need to receive an immediate alert whenever Azure Storage account keys are enumerated.

Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

HOTSPOT

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows device named Device 1. You initiate a live response session on Device1 and launch an executable file named File1.exe in the background.

You need to perform the following actions:

• Identify the command ID of File1 exe.

• lnteractwithFile1.exe.

Which live response command should you run for each action? To answer, select the appropriate options in the answer area. NOTE Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

In Microsoft Defender for Endpoint (MDE) Live Response, security analysts can remotely connect to a device and execute forensic commands. When an executable is launched in the background during a live response session using the run command (for example, run File1.exe -background), the session creates a job associated with that command.

To identify the command ID of the background process, the correct command is jobs. The jobs command lists all currently running or completed background jobs initiated during the live response session. Each job entry includes details such as the job ID, command executed, and current status. This allows analysts to determine which process corresponds to File1.exe and its associated command ID.

Once the background process is identified, you can interact with File1.exe using the fg (foreground) command. The fg command is used to bring a background job to the foreground, allowing you to interact directly with it ― for instance, to send inputs, observe outputs, or terminate it.

This procedure aligns with Microsoft Defender for Endpoint documentation, which specifies:

Use jobs to view or manage background jobs.

Use fg <JobID> to interact with a specific background process.

Therefore, the correct selections are:

Identify the command ID of File1.exe: jobs

Interact with File1.exe: fg

You have an Azure subscription that uses Microsoft Defender for Cloud.

You need to configure Defender for Cloud to mitigate the following risks:

• Vulnerabilities within the application source code

• Exploitation toolkits in declarative templates

• Operations from malicious IP addresses

• Exposed secrets

Which two Defender for Cloud services should you use? Each correct answer presents part of the solution. NOTE: Each correct answer is worth one point.

Reveal Solution Hide Solution

HOTSPOT

You need to build a KQL query in a Microsoft Sentinel workspace. The query must return the SecurityEvent record for accounts that have the last record with an EventID value of 4624.

How should you complete the query’ To answer, select the appropriate options in the answer area. NOTE: Each coned selection is worth one point

Reveal Solution Hide Solution

Correct Answer:

Explanation:

SecurityEvent

| where EventID == 4624

| summarize arg_max(TimeGenerated, *) by Account

Comprehensive and Detailed Explanation with all Microsoft Security Operations (SecOps)

documents: =

This query is designed for Microsoft Sentinel (Log Analytics) to identify the latest successful logon (Event ID 4624) for each account. Event ID 4624 in the SecurityEvent table indicates a successful logon in Windows security logs.

Let’s break down the logic step-by-step:

| where EventID == 4624

This line filters the SecurityEvent table to include only records that correspond to successful logon events.

Filtering first ensures that only relevant events are processed by the summarization step, improving performance and accuracy.

| summarize arg_max(TimeGenerated, *) by Account

The arg_max() aggregation function retrieves the record that has the maximum value of TimeGenerated for each Account.

The * symbol ensures that all columns from that most recent record are returned (not just TimeGenerated and Account).

In this context, this means we get the most recent 4624 logon event per user account.

Why this order matters:

If arg_max() is placed before the where clause, the summarization would occur over all events first, not just 4624, producing incorrect results.

Therefore, the correct logical order is to filter first (where EventID == 4624), and then summarize (arg_max(TimeGenerated, *) by Account).

Alternative incorrect options explained:

summarize make_list(Account) or make_set(Account) by EventID → These aggregate account names for each EventID, not the most recent event per account.

Placing where EventID == 4624 after summarize → Filters after aggregation, which won’t return correct results per account.

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You are implementing a deception rule.

You need to provide a custom lure file.

For the custom lure, you set Planting path to HOME.

Which types of files can you use for the custom lure, and in which home directory should the file be located on a device? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.

Reveal Solution Hide Solution

Correct Answer:

Explanation:

You’re configuring a Deception rule in Microsoft Defender XDR and need to provide a custom lure file.

You set the Planting path to HOME, which means the file will be deployed into user home directories.

You must determine:

Which file types are supported for custom lure files.

Which home directory the file should reside in.

You need to implement the Defender for Cloud requirements.

Which subscription-level role should you assign to Group1?

Reveal Solution Hide Solution