Microsoft SC-200 Practice Test - Questions Answers, Page 28

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan Z and contains 1,000 Windows devices.

You have a PowerShell script named Script Vps1 that is signed digitally.

You need to ensure that you can run Script1.psl in a live response session on one of the devices.

What should you do first from the live response session?

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker performs the tactics shown the following table.

You need to search for malicious activities in your organization.

Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices. As part of an incident investigation, you identify the following suspected malware files:

* sys

* pdf

* docx

* xlsx

You need to create indicator hashes to block users from downloading the files to the devices. Which files can you block by using the indicator hashes?

DRAG DROP

You have a Microsoft Sentinel workspace named SW1.

In SW1. you enable User and Entity Behavior Analytics (UEBA).

You need to use KQL to perform the following tasks:

* View the entity data that has fields for each type of entity.

* Assess the quality of rules by analyzing how well a rule performs.

Which table should you use in KQL for each task? To answer, drag the appropriate tables to the correct tasks. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.

NOTE: Each correct selection is worth one point.

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains a user named user1 and a Microsoft 365 group named Group1. All users are assigned a Defender for Endpoint Plan 1 license.

You enable Microsoft Defender XDR Unified role-based access control (RBAC) for Endpoints & Vulnerability Management.

You need to ensure that User1 can configure alerts that will send email notifications to Group1. The solution must follow the principle of least privilege.

Which permissions should you assign to User1?

You have a Microsoft Sentinel workspace named SW1.

You need to identify which anomaly rules are enabled in SW1.

What should you review in Microsoft Sentine1?

HOTSPOT

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows device named Device 1. You initiate a live response session on Device1 and launch an executable file named File1.exe in the background. You need to perform the following actions:

* Identify the command ID of File1 exe.

* lnteractwithFile1.exe.

Which live response command should you run for each action? To answer, select the appropriate options in the answer area.

NOTE Each correct selection is worth one point.

HOTSPOT

You have a Microsoft 365 subscription that uses Microsoft Purview and contains a Microsoft SharePoint Online site named Site1. Site1 contains the files shown in the following table.

From Microsoft Purview, you create the content search queries shown in the following table.

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE; Each correct selection is worth one point.

HOTSPOT

You have a Microsoft Sentine1 workspace that contains a custom workbook named Workbook1.

You need to create a visual in Workbook1 that will display the logon count for accounts that have logon event IDs of 4624 and 4634.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE Each correct selection is worth one point.