Microsoft SC-200 Exam Dumps

You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint You enable Network device discovery. You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device. Which built-in function should you use?

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. Copilot for Security has the default settings configured. You need to ensure that a user named User1 can use Copilot for Security to perform the following tasks: • Upload files. • View the usage dashboard. • Share promptbooks with all users. The solution must follow the principle of least privilege. Which role should you assign to User1?

You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace. You need to create a KQL query that will combine data from the following sources: • Microsoft Graph • Risky users detected by using Microsoft Entra ID Protection The solution must minimize the volume of data returned. How should the query start?

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You are investigating an incident. You need to review the incident tasks that were performed. The solution must include a query that will display the incidents in a workbook, and then display the tasks of each incident in another grid. Which table should you target in the query?

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. All endpoint devices are onboarded to Microsoft Defender for Endpoint. You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace 1. All Microsoft Defender XDR events are ingested into Workspace1. You have a Microsoft Entra tenant. You create a KQL query named query1 that searches device logs for a known vulnerability. You need to ensure that query1 runs every hour. The solution must minimize administrative effort. What should you configure?

You have a Microsoft 365 B5 subscription. You have a PowerShell script that queries the unified audit log. You discover that the query returns only the first page of results due to server-side paging. You need to ensure that you get all the results. Which property should you query in the results? 

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 100 virtual machines that run Windows Server. You need to configure the collection of Windows Security event logs for ingestion to WS1. The solution must meet the following requirements: • Capture a full user audit trail including user sign-in and user sign-out events. • Minimize the volume of events. • Minimize administrative effort. Which event set should you select?

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan Z and contains 1,000 Windows devices. You have a PowerShell script named Script Vps1 that is signed digitally. You need to ensure that you can run Script1.psl in a live response session on one of the devices. What should you do first from the live response session?

Your on-premises network contains an Active Directory Domain Services (AD DS) forest. You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers. Which table should you query?

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database. You need to ensure that an incident is created in WS1 when the new attack vector is detected. What should you configure?

You have a Microsoft 365 E5 subscription that contains a device named Device 1. Device 1 is enrolled in Microsoft Defender for End point. Device1 reports an incident that includes a file named File1 exe as evidence. You initiate the Collect Investigation Package action and download the ZIP file. You need to identify the first and last time File1.exe was executed. What should you review in the investigation package?

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. You have a custom detection rule named Rule1 that generates an alert if more than five antivirus detections are identified on a device. Rule1 has a loopback period of 12 hours. You need to change the loopback period to 48 hours. What should you modify for Rule1? 

You have a Microsoft Sentinel workspace named SW1. You need to identify which anomaly rules are enabled in SW1. What should you review in Microsoft Sentine1?

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1 and a user named User1. You need to ensure that User1 can investigate incidents by using Workspace1. The solution must follow the principle of least privilege. Which role should you assign to User1?

You have a Microsoft Sentinel workspace named SW1. In SW1, you investigate an incident that is associated with the following entities: • Host • IP address • User account • Malware name Which entity can be labeled as an indicator of compromise (loC) directly from the incident s page?

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 1 and contains a macOS device named Device1. You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements: • Identify all the active network connections on Device1. • Identify all the running processes on Device1. • Retrieve the login history of Device1. • Minimize administrative effort. What should you do first from the Microsoft Defender portal?

You have a Microsoft 365 subscription. You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode. You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product. Solution: You configure Controlled folder access. Does this meet the goal?

You have a Microsoft Sentinel workspace that contains a custom workbook named Workbook1. You need to create a visual based on the SecuntyEvent table. The solution must meet the following requirements: • Identify the number of security events ingested during the past week. • Display the count of events by day in a timechart What should you add to Workbook1?

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR. The security team at your company detects command and control (C2) agent traffic on the network. Agents communicate once every 50 hours. You need to create a Microsoft Defender XDR custom detection rule that will identify compromised devices and establish a pattern of communication. The solution must meet the following requirements: • Identify all the devices that have communicated during the past 14 days. • Minimize how long it takes to identify the devices. To what should you set the detection frequency for the rule?

You have a Microsoft 365 subscription that uses Microsoft Purview. Your company has a project named Project1. You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1. What should you do?

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains a user named user1 and a Microsoft 365 group named Group1. All users are assigned a Defender for Endpoint Plan 1 license. You enable Microsoft Defender XDR Unified role-based access control (RBAC) for Endpoints & Vulnerability Management. You need to ensure that User1 can configure alerts that will send email notifications to Group1. The solution must follow the principle of least privilege. Which permissions should you assign to User1?

You have a Microsoft 365 B5 subscription that contains two groups named Group! and Group2 and uses Microsoft Copilot for Security. You need to configure Copilot for Security role assignments to meet the following requirements: • Ensure that members of Group1 can run prompts and respond to Microsoft Defender XDR security incidents. • Ensure that members of Group2 can run prompts. • Follow the principle of least privilege. You remove Everyone from the Copilot Contributor role. Which two actions should you perform next? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.

You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1. The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll. You need to submit files for deep analysis in Microsoft Defender XDR. Which files can you submit?

You have an Azure subscription that use Microsoft Defender for Cloud and contains a user named User1. You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege. Which role should you assign to User1?

You have an on-premises network. You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity. From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert. Suspected identity theft (pass-the-ticket) (external ID 2018) You need to contain the incident without affecting users and devices. The solution must minimize administrative effort. What should you do?