Microsoft SC-200 Practice Test - Questions Answers, Page 26

You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1.

You need to create a visual based on the SecuntyEvent table. The solution must meet the following requirements:

* Identify the number of security events ingested during the past week.

* Display the count of events by day in a timechart

What should you add to Workbook1?

HOTSPOT

You have a Microsoft 365 subscription

You need to identify all the security principals that submitted requests to change or delete groups. How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

DRAG DROP

You have a Microsoft Sentinel workspace that contains the following Advanced Security Information Model (ASIM) parsers:

* _Im_ProcessCreate

* InProceessCreate

You create a new source-specific parser named vimProcessCreate.

You need to modify the parsers to meet the following requirements:

* Call all the ProcessCreate parsers.

* Standardize fields to the Process schema.

Which parser should you modify to meet each requirement? To answer, drag the appropriate parsers to the correct requirements. tach parser may be used once, more than once, or not at all You may need to drag the split bar between panes or scroll to view content.

NOTE Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a user named User1.

You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security policies. The solution must follow the principle of least privilege.

Which role should you assign to User1?

HOTSPOT

You have on-premises servers that run Windows Server.

You have a Microsoft Sentinel workspace named SW1. SW1 is configured to collect Windows Security log entries from the servers by using the Azure Monitor Agent data connector.

You plan to limit the scope of collected events to events 4624 and 462S only.

You need to use a PowerShell script to validate the syntax of the filter applied to the connector.

How should you complete the script? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.

What should you configure first?

You have a Microsoft 365 E5 subscription that contains a device named Device 1. Device 1 is enrolled in Microsoft Defender for End point.

Device1 reports an incident that includes a file named File1 exe as evidence.

You initiate the Collect Investigation Package action and download the ZIP file.

You need to identify the first and last time File1.exe was executed.

What should you review in the investigation package?

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.

You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database.

You need to ensure that an incident is created in WS1 when the new attack vector is detected.

What should you configure?

HOTSPOT

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You need to create a custom detection rule that will identify devices that had more than five antivirus detections within the last 24 hours.

how should you complete the query? To answer, select the appropriate options in the answer area.

NOTE Each correct selection is worth one point.