Microsoft SC-200 Exam Questions Instant Access

Question 1

Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.

What should you include in the recommendation?

Abuilt-in queries

Blivestream

Cnotebooks

Dbookmarks

Answer : C

https://docs.microsoft.com/en-us/azure/sentinel/notebooks

Question 2

You have a Microsoft 365 E5 subscription and a Microsoft Sentinel workspace. You need to create a KQL query that will combine data from the following sources:

* Microsoft Graph

* Risky users detected by using Microsoft Entra ID Protection

The solution must minimize the volume of data returned. How should the query start?

AMicrosoftGraphActivityLogs
lookup kind=leftouter AADRiskyUsers on $left.Userld == $right.Id

BMicrosoftGraphActivityLogs
join AADRiskyUsers on $left.Userld == $right.Id

CMicrosoftGraphActivityLogs
join AADUserRiskEvents on $left.Userld == $right.Id

Dfind in (MicrosoftGraphActivityLogs, AADUserRiskEvents) where

Answer : B

Question 3

You have a Microsoft 365 E5 subscription that contains a device named Device1. From the Microsoft Defender portal, you discover that an alert was triggered for Device1. From the Device inventory page, you isolate Device1. You need to collect a list of installed programs on Device1. What should you do?

ARun an advanced hunting query against the DeviceTvmlnfoGathering table.

BInitiate a live response session and run the processes command.

CRun an advanced hunting query against the DeviceTvmSoftwarelnventory table.

DRun an advanced hunting query against the DeviceProcessEvents table.

Answer : C

Question 4

You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.

What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?

Athe Threat Protection Status report in Microsoft Defender for Office 365

Bthe mailbox audit log in Exchange

Cthe Safe Attachments file types report in Microsoft Defender for Office 365

Dthe mail flow report in Exchange

Answer : A

To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide

Question 5

You have a Microsoft 365 E5 subscription that contains two users named Userl and User2 and From the Copilot for Security portal, User1 starts a session and creates the following prompts:

* Prompt1: Provides access to the Entra plugin

* Prompt2: Provides access to the Intune plugin

* Prompt3: Provides access to the Entra plugin

User1 shares the session with User2.

User2 does NOT have access to Microsoft Intune.

For which prompts can User2 view results during the shared session?

APrompt1 only

BPrompt1 and Prompt2 only

CPrompt3 only

DPrompt1 and Prompt3 only

EPrompt1, Prompt2, and Prompt3

Answer : D

Question 6

You have a Microsoft Sentinel workspace.

You receive multiple alerts for failed sign in attempts to an account.

You identify that the alerts are false positives.

You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements.

* Ensure that failed sign-in alerts are generated for other accounts.

* Minimize administrative effort

What should do?

ACreate an automation rule.

BCreate a watchlist.

CModify the analytics rule.

DAdd an activity template to the entity behavior.

Answer : A

An automation rule will allow you to specify which alerts should be suppressed, ensuring that failed sign-in alerts are generated for other accounts while minimizing administrative effort. To create an automation rule, navigate to the Automation Rules page in the Microsoft Sentinel workspace and configure the rule parameters to suppress the false positive alerts.

Question 7

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. WS1 has the Azure Activity connector and the Microsoft Entra ID connector configured.

You need to investigate which accounts have the most alerts and any corresponding incident information for each alert. The solution must minimize administrative effort What should you do first in WS1?

AEnable User and Entity Behavior Analytics (UEBA).

BFrom Content hub, install Cloud Identity Threat Protection Essentials.

CFrom Content hub, install the Microsoft Purview insider risk management solution.

DUse User and Entity Behavior Analytics (UEBA) to detect anomalies.

Answer : A

Microsoft Security Operations Analyst SC-200 Exam Questions