Microsoft SC-200 Exam Actual Questions |
100% Correct | Verified | 2024 Version
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on
three devices named CFOLaptop, CEOLaptop, and COOLaptop.
Complete the query.
You need to receive a security alert when a user attempts to sign in from a location that
was never used by the other users in your organization to sign in.
Which anomaly detection policy should you use?
A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents.
The documents contain customer account numbers that each consists of 32
alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive
documents.
What should you use to detect which documents are sensitive?
A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
A. SharePoint search
,B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
Your company uses line-of-business apps that contain Microsoft Office VBA macros.
You need to prevent users from downloading and running additional payloads from the
Office VBA macros as additional child processes.
Which two commands can you run to achieve the goal? Each correct answer presents a
complete solution.
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are
used frequently on the devices of the company's accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing
security posture.
Which three actions should you perform? Each correct answer presents part of the
solution.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
B -> C -> E
Your environment does NOT have Microsoft Defender for Endpoint enabled.
You need to remediate the risk for the Launchpad app.Which four actions should you
perform in sequence? To answer, move the appropriate actions from the list of actions
to the answer area and arrange them in the correct order.
, You have a Microsoft 365 E5 subscription.
You plan to perform cross-domain investigations by using Microsoft 365 Defender.
You need to create an advanced hunting query to identify devices affected by a
malicious email attachment.
How should you complete the query?
You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device
managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the
solution.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly
sensitive information.
You plan to perform automated actions on all devices.You need to be able to
temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the
solution.
100% Correct | Verified | 2024 Version
You are investigating an incident by using Microsoft 365 Defender.
You need to create an advanced hunting query to count failed sign-in authentications on
three devices named CFOLaptop, CEOLaptop, and COOLaptop.
Complete the query.
You need to receive a security alert when a user attempts to sign in from a location that
was never used by the other users in your organization to sign in.
Which anomaly detection policy should you use?
A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents.
The documents contain customer account numbers that each consists of 32
alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive
documents.
What should you use to detect which documents are sensitive?
A. SharePoint search
B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
A. SharePoint search
,B. a hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching
Your company uses line-of-business apps that contain Microsoft Office VBA macros.
You need to prevent users from downloading and running additional payloads from the
Office VBA macros as additional child processes.
Which two commands can you run to achieve the goal? Each correct answer presents a
complete solution.
Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are
used frequently on the devices of the company's accounting team.
You need to hide false positive in the Alerts queue, while maintaining the existing
security posture.
Which three actions should you perform? Each correct answer presents part of the
solution.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
B -> C -> E
Your environment does NOT have Microsoft Defender for Endpoint enabled.
You need to remediate the risk for the Launchpad app.Which four actions should you
perform in sequence? To answer, move the appropriate actions from the list of actions
to the answer area and arrange them in the correct order.
, You have a Microsoft 365 E5 subscription.
You plan to perform cross-domain investigations by using Microsoft 365 Defender.
You need to create an advanced hunting query to identify devices affected by a
malicious email attachment.
How should you complete the query?
You have the following advanced hunting query in Microsoft 365 Defender.
You need to receive an alert when any process disables System Restore on a device
managed by Microsoft Defender during the last 24 hours.
Which two actions should you perform? Each correct answer presents part of the
solution.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
A. Create a detection rule.
B. Create a suppression rule.
C. Add | order by Timestamp to the query.
D. Replace DeviceProcessEvents with DeviceNetworkEvents.
E. Add DeviceId and ReportId to the output of the query.
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly
sensitive information.
You plan to perform automated actions on all devices.You need to be able to
temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the
solution.
