SC-200 Exam Past Paper PDF

Question #25 Topic 1 You have a third-party security information and event management (SIEM) solution....

Question #25 Topic 1 You have a third-party security information and event management (SIEM) solution. - Expert Veri+ed, Online, Free. You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time. What should you do to route events to the SIEM solution? A. Create an Azure Sentinel workspace that has a Security Events connector. B. Con+gure the Diagnostics settings in Azure AD to stream to an event hub. C. Create an Azure Sentinel workspace that has an Azure Active Directory connector. D. Con+gure the Diagnostics settings in Azure AD to archive to a storage account. Get PDF for Microsoft SC-200 Exam Download PDF - $29.99 Including Answers & Discussions Next Questions   Custom View Settings Topic 1 - Question Set 1 https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 16 of 16 Page 1 of 16 Question #1 Topic 1 Question #22 Topic 1 DRAG DROP - Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that You are investigating an incident by using Microsoft 365 Defender. might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. COOLaptop. You are con+guring Microsoft Defender for Identity integration with Active Directory. How should you complete the query? To answer, select the appropriate options in the answer area. From the Microsoft Defender for identity portal, you need to con+gure several accounts for attackers to exploit. NOTE: Each correct selection is worth one point. Solution: You add each account as a Sensitive account. Select and Place: Does this meet the goal? A. Yes B. No Question #23 Topic 1 You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for O[ce 365. What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user? A. the Threat Protection Status report in Microsoft Defender for O[ce 365 B. the mailbox audit log in Exchange C. the Safe Attachments +le types report in Microsoft Defender for O[ce 365 D. the mail kow report in Exchange Question #24 Topic 1 You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft O[ce 365 installed. Question #2 Topic 1 You need to mitigate the following device threats: ✑ Microsoft Excel macros that download scripts from untrusted websites You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to ✑ Users that open executable attachments in Microsoft Outlook sign in. ✑ Outlook rules and forms exploits Which anomaly detection policy should you use? What should you use? A. Impossible travel A. Microsoft Defender Antivirus B. Activity from anonymous IP addresses B. attack surface reduction rules in Microsoft Defender for Endpoint C. Activity from infrequent country C. Windows Defender Firewall D. Malware detection D. adaptive application control in Azure Defender https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 2 of 16 Page 15 of 16 Question #20 Topic 1 Question #3 Topic 1 Your company has a single o[ce in Istanbul and a Microsoft 365 subscription. You have a Microsoft 365 subscription that uses Microsoft Defender for O[ce 365. The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each You need to enforce MFA for all users who work remotely. consists of 32 alphanumeric characters. What should you include in the solution? You need to create a data loss prevention (DLP) policy to protect the sensitive documents. What should you use to detect which documents are sensitive? A. a fraud alert A. SharePoint search B. a user risk policy B. a hunting query in Microsoft 365 Defender C. a named location C. Azure Information Protection D. a sign-in user policy D. RegEx pattern matching Question #21 Topic 1 Question #4 Topic 1 You are con+guring Microsoft Cloud App Security. You have a custom threat detection policy based on the IP address ranges of your company's United States-based o[ces. Your company uses line-of-business apps that contain Microsoft O[ce VBA macros. You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You need to prevent users from downloading and running additional payloads from the O[ce VBA macros as additional child processes. You determine that 99% of the alerts are legitimate sign-ins from your corporate o[ces. Which two commands can you run to achieve the goal? Each correct answer presents a complete solution. You need to prevent alerts for legitimate sign-ins from known locations. NOTE: Each correct selection is worth one point. Which two actions should you perform? Each correct answer presents part of the solution. A. NOTE: Each correct selection is worth one point. B. A. Con+gure automatic data enrichment. B. Add the IP addresses to the corporate address range category. C. C. Increase the sensitivity level of the impossible travel anomaly detection policy. D. Add the IP addresses to the other address range category and add a tag. D. E. Create an activity policy that has an exclusion for the IP addresses. https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 14 of 16 Page 3 of 16 Question #5 Topic 1 Question #18 Topic 1 Your company uses Microsoft Defender for Endpoint. You need to con+gure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's con+dential +les. accounting team. Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution. You need to hide false positive in the Alerts queue, while maintaining the existing security posture. NOTE: Each correct selection is worth one point. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan +les for Azure Information Protection classi+cation labels and content inspection warnings from this tenant. A. Resolve the alert automatically. B. Select Investigate +les, and then +lter App to O[ce 365. B. Hide the alert. C. Select Investigate +les, and then select New policy from search. C. Create a suppression rule scoped to any device. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new +les for Azure D. Create a suppression rule scoped to a device group. Information Protection classi+cation labels and content inspection warnings. E. Generate the alert. E. From Settings, select Information Protection, select Files, and then enable +le monitoring. F. Select Investigate +les, and then +lter File Type to Document. Question #19 Topic 1 HOTSPOT - You purchase a Microsoft 365 subscription. You plan to con+gure Microsoft Cloud App Security. You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate from a botnet network. What should you use? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area: https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 4 of 16 Page 13 of 16 Question #17 Topic 1 Question #6 Topic 1 HOTSPOT - DRAG DROP - You have a Microsoft 365 E5 subscription that uses Microsoft Defender and an Azure subscription that uses Azure Sentinel. You open the Cloud App Security portal as shown in the following exhibit. You need to identify all the devices that contain +les in emails sent by a known malicious email sender. The query will be based on the match of the SHA256 hash. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area: Your environment does NOT have Microsoft Defender for Endpoint enabled. You need to remediate the risk for the Launchpad app. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place: Question #7 Topic 1 HOTSPOT - https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 12 of 16 Page 5 of 16 HOTSPOT - You have a Microsoft 365 E5 subscription. Question #16 Topic 1 You plan to perform cross-domain investigations by using Microsoft 365 Defender. You need to create an advanced hunting query to identify devices affected by a malicious email attachment. Your company deploys the following services: How should you complete the query? To answer, select the appropriate options in the answer area. ✑ Microsoft Defender for Identity NOTE: Each correct selection is worth one point. ✑ Microsoft Defender for Endpoint Hot Area: ✑ Microsoft Defender for O[ce 365 You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege. Which two roles should assign to the analyst? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. the Compliance Data Administrator in Azure Active Directory (Azure AD) B. the Active remediation actions role in Microsoft Defender for Endpoint C. the Security Administrator role in Azure Active Directory (Azure AD) D. the Security Reader role in Azure Active Directory (Azure AD) https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 6 of 16 Page 11 of 16 Question #14 Topic 1 HOTSPOT - You are informed of an increase in malicious email being received by users. You need to create an advanced hunting query in Microsoft 365 Defender to identify whether the accounts of the email recipients were compromised. The query must return the most recent 20 sign-ins performed by the recipients within an hour of receiving the known malicious email. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Hot Area: Question #8 Topic 1 You have the following advanced hunting query in Microsoft 365 Defender. You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Create a detection rule. B. Create a suppression rule. C. Add | order by Timestamp to the query. D. Replace DeviceProcessEvents with DeviceNetworkEvents. E. Add DeviceId and ReportId to the output of the query. Question #15 Topic 1 You receive a security bulletin about a potential attack that uses an image +le. You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack. Which indicator type should you use? A. a URL/domain indicator that has Action set to Alert only B. a URL/domain indicator that has Action set to Alert and block C. a +le hash indicator that has Action set to Alert and block D. a certi+cate indicator that has Action set to Alert and block https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 10 of 16 Page 7 of 16 Question #9 Topic 1 Question #11 Topic 1 You are investigating a potential attack that deploys a new ransomware strain. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that You have three custom device groups. The groups contain devices that store highly sensitive information. might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. You plan to perform automated actions on all devices. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You need to be able to temporarily group the machines to perform actions on the devices. You are con+guring Microsoft Defender for Identity integration with Active Directory. Which three actions should you perform? Each correct answer presents part of the solution. From the Microsoft Defender for identity portal, you need to con+gure several accounts for attackers to exploit. NOTE: Each correct selection is worth one point. Solution: From Azure AD Identity Protection, you con+gure the sign-in risk policy. Does this meet the goal? A. Assign a tag to the device group. A. Yes B. Add the device users to the admin role. C. Add a tag to the machines. B. No D. Create a new device group that has a rank of 1. E. Create a new admin role. Question #12 Topic 1 F. Create a new device group that has a rank of 4. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. Question #10 Topic 1 After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. You are con+guring Microsoft Defender for Identity integration with Active Directory. Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that From the Microsoft Defender for identity portal, you need to con+gure several accounts for attackers to exploit. might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution. Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group. After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen. Does this meet the goal? You are con+guring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to con+gure several accounts for attackers to exploit. A. Yes Solution: From Entity tags, you add the accounts as Honeytoken accounts. B. No Does this meet the goal? A. Yes Question #13 Topic 1 B. No You implement Safe Attachments policies in Microsoft Defender for O[ce 365. Users report that email messages containing attachments take longer than expected to be received. You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked. What should you con+gure in the Safe Attachments policies? A. Dynamic Delivery B. Replace C. Block and Enable redirect D. Monitor and Enable redirect https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM https://www.examtopics.com/exams/microsoft/sc-200/view/ 2024-03-24, 5:27 PM Page 8 of 16 Page 9 of 16

SC-200 Exam Past Paper PDF

Document Details

Tags

Related

Summary

Full Transcript

Upgrade to continue