Microsoft Microsoft Certifications SC-200 Questions & Answers

• Question 181:

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

  You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.

  What should you configure first?

  A. the User enrichment settings

  B. the Azure connector

  C. the Office 365 connector

  D. the Automatic log upload settings

  Correct Answer: C

  How to connect Microsoft 365 to Defender for Cloud Apps

  1.

  In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors.

  2.

  In the App connectors page, select +Connect an app, and then select Microsoft 365.

  3.

  In the Select Microsoft 365 components page, select the options you require, and then select Connect.

  4.

  On the Follow the link page, select Connect Microsoft 365.

  5.

  After Microsoft 365 is displayed as successfully connected, select Done.

  6.

  In the Microsoft 365 Defender portal, select Settings. Then choose Cloud Apps. Under Connected apps, select App Connectors. Make sure the status of the connected App Connector is Connected.

  Reference: https://learn.microsoft.com/en-us/defender-cloud-apps/connect-office-365

• Question 182:

  You have an Azure subscription that uses Microsoft Defender for Servers Plan 1 and contains a server named Server1.

  You enable agentless scanning.

  You need to prevent Server1 from being scanned. The solution must minimize administrative effort.

  What should you do?

  A. Create an exclusion tag.

  B. Upgrade the subscription to Defender for Servers Plan 2.

  C. Create a governance rule.

  D. Create an exclusion group.

  Correct Answer: A

  Exclude machines from scanning Agentless scanning applies to all of the eligible machines in the subscription. To prevent specific machines from being scanned, you can exclude machines from agentless scanning based on your pre-existing environment tags. When Defender for Cloud performs the continuous discovery for machines, excluded machines are skipped.

  To configure machines for exclusion:

  1.

  From Defender for Cloud's menu, open Environment settings.

  2.

  Select the relevant subscription or multicloud connector.

  3.

  For either the Defender Cloud Security Posture Management (CSPM) or Defender for Servers P2 plan, select Settings.

  4.

  For agentless scanning, select Edit configuration.

  5.

  Enter the tag name and value that applies to the machines that you want to exempt. You can enter multiple tag:value pairs.

  6.

  Select Save to apply the changes.

  Note:

  Defender for Servers Plan 1 is entry-level and must be enabled at the subscription level.

  Features include:

  Foundational cloud security posture management (CSPM), which is provided free by Defender for Cloud.

  Defender for Servers Plan 2 provides all features. The plan must be enabled at the subscription level and at the workspace level to get full feature coverage. Features include:

  All the functionality that's provided by Defender for Servers Plan 1.

  More extended detection and response (XDR) capabilities. Reference:

  https://learn.microsoft.com/en-us/azure/defender-for-cloud/enable-agentless-scanning-vms#exclude-machines-from-scanning https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers-select-plan

• Question 183:

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

  You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.

  What should you use in the Microsoft 365 Defender portal?

  A. incidents

  B. Remediation

  C. Investigations

  D. Advanced hunting

  Correct Answer: A

  Investigate incidents in Microsoft 365 Defender

  Microsoft 365 Defender aggregates all related alerts, assets, investigations, and evidence from across your devices, users, and mailboxes into an incident to give you a comprehensive look into the entire breadth of an attack.

  Within an incident, you analyze the alerts that affect your network, understand what they mean, and collate the evidence so that you can devise an effective remediation plan.

  Initial investigation

  Before diving into the details, take a look at the properties and the entire attack story of the incident.

  You can start by selecting the incident from the check mark column.

  When you do, a summary pane opens with key information about the incident, such as severity, to whom it is assigned, and the MITRE ATTandCK

• Question 184:

  You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin Logs. You need to ensure that failed interactive sign-ins are detected. The solution must minimize administrative effort. What should you use?

  A. a scheduled alert query

  B. the Activity Log data connector

  C. a UEBA activity template

  D. a hunting query

  Correct Answer: C

• Question 185:

  You have 50 Microsoft Sentinel workspaces.

  You need to view all the incidents from all the workspaces on a single page in the Azure portal. The solution must minimize administrative effort.

  Which page should you use in the Azure portal?

  A. Microsoft Sentinel - Incidents

  B. Microsoft Sentinel - Workbooks

  C. Microsoft Sentinel

  D. Log Analytics workspaces

  Correct Answer: A

  When you open Microsoft Sentinel, you are presented with a list of all the workspaces to which you have access rights, across all selected tenants and subscriptions. To the left of each workspace name is a checkbox. Selecting the name of a single workspace will bring you into that workspace. To choose multiple workspaces, select all the corresponding checkboxes, and then select the View incidents button at the top of the page.

  https://learn.microsoft.com/en-us/azure/sentinel/multiple-workspace-view

• Question 186:

  You have an Azure subscription that uses Microsoft Defender for Cloud.

  You have an Amazon Web Services (AWS) subscription. The subscription contains multiple virtual machines that run Windows Server.

  You need to enable Microsoft Defender for Servers on the virtual machines.

  Which two actions should you perform? Each correct answer presents part of the solution.

  NOTE: Each correct answer is worth one point.

  A. From Defender for Cloud, enable agentless scanning.

  B. Install the Azure Virtual Machine Agent (VM Agent) on each virtual machine.

  C. Onboard the virtual machines to Microsoft Defender for Endpoint.

  D. From Defender for Cloud, configure auto-provisioning.

  E. From Defender for Cloud, configure the AWS connector.

  Correct Answer: DE

• Question 187:

  You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365. You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal. Which response action should you use?

  A. Run antivirus scan

  B. Initiate Automated Investigation

  C. Collect investigation package

  D. Initiate Live Response Session

  Correct Answer: D

• Question 188:

  You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

  You need to create a query that will link the Alertlnfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.

  Which operator should you use?

  A. join kind = inner

  B. evaluate hint. Remote =

  C. search *

  D. union kind = inner

  Correct Answer: A

• Question 189:

  You have a Microsoft 365 subscription that uses Microsoft Purview.

  Your company has a project named Project1.

  You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.

  What should you do?

  A. Create a records management disposition.

  B. Perform a user data search.

  C. Perform an audit search.

  D. Perform a content search.

  Correct Answer: D

• Question 190:

  You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps and has Cloud Discovery enabled.

  You need to enrich the Cloud Discovery data. The solution must ensure that usernames in the Cloud Discovery traffic logs are associated with the user principal name (UPN) of the corresponding Microsoft Entra ID user accounts.

  What should you do first?

  A. From Conditional Access App Control, configure User monitoring.

  B. Create a Microsoft 365 app connector.

  C. Enable automatic redirection to Microsoft 365 Defender.

  D. Create an Azure app connector.

  Correct Answer: B