ExamGecko

Microsoft SC-200 Practice Test - Questions Answers, Page 17

List of questions

Question 161


You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.

You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.

Which blade should you use in the Microsoft 365 Defender portal?

A. Advanced hunting

B. Threat analytics

C. Incidents & alerts

D. Learning hub

Suggested answer: B

Explanation:

To review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription, you should use the Threat Analytics blade in the Microsoft 365 Defender portal. The Threat Analytics blade provides insights into attack techniques, configuration vulnerabilities, and suspicious activities, and it can help you identify risks and prioritize threats in your environment.

Reference: https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-365-defenderthreat-analytics

asked 05/10/2024 by Edwin Daneel

Question 162


You have a Microsoft 365 subscription that uses Microsoft 365 Defender. A remediation action for an automated investigation quarantines a file across multiple devices. You need to mark the file as safe and remove the file from quarantine on the devices. What should you use in the Microsoft 365 Defender portal?

A. From Threat tracker, review the queries.

B. From the History tab in the Action center, revert the actions.

C. From the investigation page, review the AIR processes.

D. From Quarantine from the Review page, modify the rules.

Suggested answer: B
asked 05/10/2024 by Miquel Triebel

Question 163


You have a Microsoft Sentinel workspace named Workspace1.

You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.

What should you create in Workspace1?

A. a workbook

B. a hunting query

C. a watchlist

D. an analytic rule

Suggested answer: D

Explanation:

To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create an analytic rule in the Microsoft Sentinel workspace.

An analytic rule allows you to customize the behavior of the unified ASIM parser and exclude specific source-specific parsers from being used.

Reference: https://docs.microsoft.com/en-us/azure/sentinel/analytics-create-analytic-rule

asked 05/10/2024 by Mark Singer

Question 164


Your company uses Microsoft Sentinel.

A new security analyst reports that she cannot assign and resolve incidents in Microsoft Sentinel.

You need to ensure that the analyst can assign and resolve incidents. The solution must use the principle of least privilege.

Which role should you assign to the analyst?

A. Microsoft Sentinel Responder

B. Logic App Contributor

C. Microsoft Sentinel Reader

D. Microsoft Sentinel Contributor

Suggested answer: A

Explanation:

The Microsoft Sentinel Responder role allows users to investigate, triage, and resolve security incidents, which includes the ability to assign incidents to other users. This role is designed to provide the permissions needed for incident management and response while still adhering to the principle of least privilege. Other roles, such as Logic App Contributor and Microsoft Sentinel Contributor, grant more permissions than necessary and are not suitable for the analyst's needs. The Microsoft Sentinel Reader role is not sufficient, as it does not have permission to assign and resolve incidents.

Reference: https://docs.microsoft.com/en-us/azure/sentinel/role-based-access-control-rbac

asked 05/10/2024 by Yuri Shpovlov

Question 165


You provision Azure Sentinel for a new Azure subscription.

You are configuring the Security Events connector.

While creating a new rule from a template in the connector, you decide to generate a new alert for every event.

You create the following rule query.

[Image: rule query (not reproduced)]

By which two components can you group alerts into incidents? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. a workbook

B. a hunting query

C. a notebook

D. a playbook

Suggested answer: A

Explanation:

A workbook is a data-driven interactive report in Microsoft Sentinel. You can use workbooks to create custom reports based on data from your Azure subscription.

Reference: https://docs.microsoft.com/en-us/azure/sentinel/workbooks-overview

asked 05/10/2024 by Cintron, Rigoberto

Question 166


You create an Azure subscription.

You enable Microsoft Defender for Cloud for the subscription.

You need to use Defender for Cloud to protect on-premises computers.

What should you do on the on-premises computers?

A. Configure the Hybrid Runbook Worker role.

B. Install the Connected Machine agent.

C. Install the Log Analytics agent.

D. Install the Dependency agent.

Suggested answer: C

Explanation:

Reference: https://docs.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboardmachines?pivots=azure-arc

asked 05/10/2024 by Francesco Pignalosa

Question 167


DRAG DROP

You have a Microsoft Sentinel workspace that contains an Azure AD data connector.

You need to associate a bookmark with an Azure AD-related incident.

What should you do? To answer, drag the appropriate blades to the correct tasks. Each blade may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

[Image: Question 167 drag-and-drop (not reproduced)]

Correct answer: [Image: Question 167 answer (not reproduced)]

asked 05/10/2024 by Ahmed Dawoud

Question 168


DRAG DROP

You have a Microsoft subscription that has Microsoft Defender for Cloud enabled. You configure the Azure logic apps shown in the following table.

[Image: table of logic apps (not reproduced)]

You need to configure an automatic action that will run if a "Suspicious process executed" alert is triggered. The solution must minimize administrative effort.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

[Image: Question 168 drag-and-drop (not reproduced)]

Correct answer: [Image: Question 168 answer (not reproduced)]

asked 05/10/2024 by Peter Stones

Question 169


DRAG DROP

You have 50 on-premises servers.

You have an Azure subscription that uses Microsoft Defender for Cloud. The Defender for Cloud deployment has Microsoft Defender for Servers and automatic provisioning enabled.

You need to configure Defender for Cloud to support the on-premises servers. The solution must meet the following requirements:

• Provide threat and vulnerability management.

• Support data collection rules.

Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

[Image: Question 169 drag-and-drop (not reproduced)]

Correct answer: [Image: Question 169 answer (not reproduced)]

Explanation:

To configure Defender for Cloud to support the on-premises servers, you should perform the following three actions in sequence:

1. On the on-premises servers, install the Azure Connected Machine agent.

2. On the on-premises servers, install the Log Analytics agent.

3. From the Data controller settings in the Azure portal, create an Azure Arc data controller.

Once these steps are completed, the on-premises servers will be able to communicate with the Azure Defender for Cloud deployment and will be able to support threat and vulnerability management as well as data collection rules.

Reference: https://docs.microsoft.com/enus/azure/security-center/deploy-azure-security-center#on-premises-deployment

asked 05/10/2024 by Mihai Stefanescu

Question 170


HOTSPOT

You have a Microsoft Sentinel workspace.

You need to create a KQL query that will identify successful sign-ins from multiple countries during the last three hours.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

[Image: Question 170 hotspot query (not reproduced)]

Correct answer: [Image: Question 170 answer (not reproduced)]

asked 05/10/2024 by Ahmed Otmani Amaoui
Total 307 questions