Nest 0 Cart
Nest Account
Popular Exams
All Categories...
Nest
Nest 0
Contact
Log In / Sign Up
Copyright 2024 © store. All rights reserved.
Home Microsoft SC-200

Microsoft SC-200 Exam Practice Questions (P. 3)

  • Full Access (378 questions)
  • Six months of Premium Access
  • Access to one million comments
  • Seamless ChatGPT Integration
  • Ability to download PDF files
  • Anki Flashcard files for revision
  • No Captcha & No AdSense
  • Advanced Exam Configuration
Get Contributor Access
Question #21
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
  1. A
    Configure automatic data enrichment.
  2. B
    Add the IP addresses to the corporate address range category.
  3. C
    Increase the sensitivity level of the impossible travel anomaly detection policy.
  4. D
    Add the IP addresses to the other address range category and add a tag.
  5. E
    Create an activity policy that has an exclusion for the IP addresses.

Correct Answer:
AD
chatbot-img GPT-4o - Answer
To effectively manage false positive alerts in Microsoft Cloud App Security when legitimate sign-ins are flagged from known company locations, configuring automatic data enrichment (Choice A) and tagging IP addresses to the other address range category (Choice D) are pivotal. By enriching data automatically, you can specify and customize information tied to your IP addresses, overriding default settings that might misclassify them. Adding these IP addresses to a dedicated category with a specific tag ensures that the system correctly identifies them as trusted, bypassing unnecessary alerts for known legitimate activities. This focused approach streamlines alert accuracy and enhances security operation efficiency.

Question #22
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
  1. A
    Yes
  2. B
    No

Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/defender-for-identity/manage-sensitive-honeytoken-accounts

Question #23
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
  1. A
    the Threat Protection Status report in Microsoft Defender for Office 365
  2. B
    the mailbox audit log in Exchange
  3. C
    the Safe Attachments file types report in Microsoft Defender for Office 365
  4. D
    the mail flow report in Exchange

Correct Answer:
A
To determine if ZAP moved your message, you can use either the Threat Protection Status report or Threat Explorer (and real-time detections).
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/zero-hour-auto-purge?view=o365-worldwide

Question #24
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:
✑ Microsoft Excel macros that download scripts from untrusted websites
✑ Users that open executable attachments in Microsoft Outlook
✑ Outlook rules and forms exploits
What should you use?
  1. A
    Microsoft Defender Antivirus
  2. B
    attack surface reduction rules in Microsoft Defender for Endpoint
  3. C
    Windows Defender Firewall
  4. D
    adaptive application control in Azure Defender

Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction?view=o365-worldwide

Question #25
You have a third-party security information and event management (SIEM) solution.
You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time.
What should you do to route events to the SIEM solution?
  1. A
    Create an Azure Sentinel workspace that has a Security Events connector.
  2. B
    Configure the Diagnostics settings in Azure AD to stream to an event hub.
  3. C
    Create an Azure Sentinel workspace that has an Azure Active Directory connector.
  4. D
    Configure the Diagnostics settings in Azure AD to archive to a storage account.

Correct Answer:
B
Reference:
https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/overview-monitoring

Question #26
DRAG DROP -
You have an Azure subscription linked to an Azure Active Directory (Azure AD) tenant. The tenant contains two users named User1 and User2.
You plan to deploy Azure Defender.
You need to enable User1 and User2 to perform tasks at the subscription level as shown in the following table.

The solution must use the principle of least privilege.
Which role should you assign to each user? To answer, drag the appropriate roles to the correct users. Each role may be used once, more than once, or not at all.
You may need to drag the split bar between panes or scroll to view content.
Select and Place:


Correct Answer:

 Box 1: Owner -
Only the Owner can assign initiatives.

Box 2: Contributor -
Only the Contributor or the Owner can apply security recommendations.
Reference:
https://docs.microsoft.com/en-us/azure/defender-for-cloud/permissions

Question #27
HOTSPOT -
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Box 1: Turn on Live Response -
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.

Box: 2 -
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide

Question #28
HOTSPOT -
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:


Correct Answer:

 Box 1: join -
An inner join.
This query uses kind=inner to specify an inner-join, which prevents deduplication of left side values for DeviceId.
This query uses the DeviceInfo table to check if a potentially compromised user (<account-name>) has logged on to any devices and then lists the alerts that have been triggered on those devices.

DeviceInfo -
//Query for devices that the potentially compromised account has logged onto
| where LoggedOnUsers contains '<account-name>'
| distinct DeviceId
//Crosscheck devices against alert records in AlertEvidence and AlertInfo tables
| join kind=inner AlertEvidence on DeviceId
| project AlertId
//List all alerts on devices that user has logged on to
| join AlertInfo on AlertId
| project AlertId, Timestamp, Title, Severity, Category
DeviceInfo LoggedOnUsers AlertEvidence "project AlertID"

Box 2: project -
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-emails-devices?view=o365-worldwide

Question #29
You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.
You delete users from the subscription.
You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.
What should you use?
  1. A
    a file policy in Microsoft Defender for Cloud Apps
  2. B
    an access review policy
  3. C
    an alert policy in Microsoft Defender for Office 365
  4. D
    an insider risk policy

Correct Answer:
C
Alert policies let you categorize the alerts that are triggered by a policy, apply the policy to all users in your organization, set a threshold level for when an alert is triggered, and decide whether to receive email notifications when alerts are triggered.
Default alert policies include:
Unusual external user file activity - Generates an alert when an unusually large number of activities are performed on files in SharePoint or OneDrive by users outside of your organization. This includes activities such as accessing files, downloading files, and deleting files. This policy has a High severity setting.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/alert-policies

Question #30
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.
You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?
  1. A
    the Incidents blade of the Microsoft 365 Defender portal
  2. B
    the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
  3. C
    Activity explorer in the Microsoft 365 compliance center
  4. D
    the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal

Correct Answer:
C
Labeling activities are available in Activity explorer.
For example:

Sensitivity label applied -
This event is generated each time an unlabeled document is labeled or an email is sent with a sensitivity label.
It is captured at the time of save in Office native applications and web applications.
It is captured at the time of occurrence in Azure Information protection add-ins.
Upgrade and downgrade labels actions can also be monitored via the Label event type field and filter.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/compliance/data-classification-activity-explorer-available-events?view=o365-worldwide

Previous Questions Next Questions

All Pages