Microsoft SC-200 Exam Practice Test Instant Access

Question 1

You have an Azure subscription that contains a Microsoft Sentinel workspace named Workspace1 and a user named User1.

You need to ensure that User1 can investigate incidents by using Workspace1. The solution must follow the principle of least privilege.

Which role should you assign to User1?

AMicrosoft Sentinel Responder

BMicrosoft Sentinel Reader

CMicrosoft Sentinel Automation Contributor

DMicrosoft Sentinel Contributor

Answer : A

Question 2

You have a Microsoft 365 subscription. You have the following KQL query.

DeviceEvents

| where ActionType == "AntivirusDetection*

You need to ensure that you can create a Microsoft Defender XDR custom detection rule by using the query.

What should you add to the query?

Asummarize (Timestamp, DeviceHanw)=arg_min(Timestampf DeviceName), count() by Deviceld

Bsumarize (Timestamp, ReportId)>arg_max(Timestanp, Reportld), count{) by Deviceld

Csummarize (Timestamp)=range(Timestatip), count() by Deviceld

Dsumarize (ReportId)=make_set(ReportId), count() by Deviceld

Answer : B

Question 3

You have a Microsoft 365 B5 subscription. You have a PowerShell script that queries the unified audit log.

You discover that the query returns only the first page of results due to server-side paging. You need to ensure that you get all the results. Which property should you query in the results?

A@odata.nextlink

B@odata.deltaLink

C@odata.context

D@odata.count

Answer : A

Question 4

You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint. You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You identify that an attacker performed the following actions on a device:

* Modified the file system path of a registry-based antivirus exclusion

* Downloaded a malicious file to the file system path

You initiate a live response session on the device. You need to undo the registry change. Which command should you run?

Aanalyze

Bregistry

Cremediate

Dscan

Answer : B

Question 5

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You are investigating an incident.

You need to review the incident tasks that were performed. The solution must include a query that will display the incidents in a workbook, and then display the tasks of each incident in another grid.

Which table should you target in the query?

ASecuritylncident

BSecurityEvent

CSentine1Audit

DSecurityAlert

Answer : A

Question 6

You have a Microsoft 365 subscription that uses Microsoft Defender XDR. You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.

What should you create first?

Adevice groups

Bdevice tags

Choneytoken entity tags

Dsensitive entity tags

Answer : A, A

Question 7

You have a Microsoft 365 subscription.

You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode. You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product Solution: You enable automated investigation and response (AIR) Does this meet the goal?

AYes

BNo

Answer : A

Microsoft SC-200 Microsoft Security Operations Analyst Exam Practice Test