Microsoft SC-200 Practice Test - Questions Answers, Page 27
Question list
List of questions
Related questions
HOTSPOT
You have an Azure subscription that contains the following resources:
* A virtual machine named VM1 that runs Windows Server
* A Microsoft Sentinel workspace named Sentinel1 that has User and Entity Behavior Analytics (UEBA) enabled
You have a scheduled query rule named Rule1 that tracks sign-in attempts to VM1.
You need to update Rule 1 to detect when a user from outside the IT department of your company signs in to VM1. The solution must meet the following requirements:
* Utilize UEBA results.
* Maximize query performance.
* Minimize the number of false positives.
How should you complete the rule definition? To answer select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
The security team at your company detects command and control (C2) agent traffic on the network. Agents communicate once every 50 hours.
You need to create a Microsoft Defender XDR custom detection rule that will identify compromised devices and establish a pattern of communication. The solution must meet the following requirements:
* Identify all the devices that have communicated during the past 14 days.
* Minimize how long it takes to identify the devices.
To what should you set the detection frequency for the rule?
Every three hours
Every 24 hours
Every hour
Every 12 hours
HOTSPOT
You have an Azure subscription named Sub1 and an Azure DevOps organization named AzDO1. AzDO1 uses Defender for Cloud and contains a project that has a YAML pipeline named Pipeline1.
Pipeline1 outputs the details of discovered open source software vulnerabilities to Defender for Cloud.
You need to configure Pipeline1 to output the results of secret scanning to Defender for Cloud,
What should you add to Pipeline1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
HOTSPOT
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area
NOTE: Each correct selection is worth one point.
You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.
You need to assign the PCI DSS 4.0 initiative to Sub1 and have the initiative displayed in the Defender for Cloud Regulatory compliance dashboard.
From Security policies in the Environment settings, you discover that the option to add more industry and regulatory standards is unavailable.
What should you do first?
Enable the Cloud Security Posture Management (CSPM) plan for the subscription.
Disable the Microsoft Cloud Security Benchmark (MCSB) assignment.
Configure the Continuous export settings for Azure Event Hubs.
Configure the Continuous export settings for Log Analytics.
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 1 and contains a macOS device named Device1.
You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:
* Identify all the active network connections on Device1.
* Identify all the running processes on Device1.
* Retrieve the login history of Device1.
* Minimize administrative effort.
What should you do first from the Microsoft Defender portal?
From Advanced features in Endpoints, disable Authenticated telemetry.
From Advanced features in Endpoints, enable Live Response unsigned script execution.
From Devices, click Collect investigation package for Device 1.
From Devices, initiate a live response session on Device1.
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains a Windows device named Device1. You need to investigate a suspicious executable file detected on Device1. The solution must meet the following requirements:
* Identify the image file path of the file.
* Identify when the file was first detected on Device1.
What should you review from the timeline of the detection event? To answer, select the appropriate options in the answer are a. NOTE: Each correct selection is worth one point.
HOTSPOT
You have an Azure subscription that contains a Log Analytics workspace named Workspace1.
You configure Azure activity logs and Microsoft Entra ID logs to be forwarded to Workspace1.
You need to identify which Azure resources have been queried or modified by risky users.
How should you complete the KQL query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender XOR and contains a Windows device named Oevice1. You investigate a suspicious process named Prod on Device! by using a live response session. You need to perform the following actions:
* Stop Prod.
* Send Prod for further review.
Which live response command should you run for each action? To answer, select the appropriate options in the answer are a. NOTE: Each correct selection is worth one point.
You have an on-premises network.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.
From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.
Suspected identity theft (pass-the-ticket) (external ID 2018)
You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.
What should you do?
Disable User 1 only.
Quarantine Device1 only.
Reset the password for all the accounts that previously signed in to Device1.
DisableUser1 and quarantine Device1.
Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.
Question