SC-200

By Microsoft
Aug, 2025

Question 51

You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.

You onboard the devices to Microsoft 365 Defender.

You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.

What should you do first?

  • A: Modify the permissions for Microsoft 365 Defender.
  • B: Create a device group.
  • C: From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
  • D: Configure role-based access control (RBAC).

Question 52

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to create a detection rule that meets the following requirements:

• Is triggered when a device that has critical software vulnerabilities was active during the last hour
• Limits the number of duplicate results

How should you complete the KQL query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 1

Question 53

HOTSPOT

You have a Microsoft 365 E5 subscription that uses Microsoft Teams.

You need to perform a content search of Teams chats for a user by using the Microsoft Purview compliance portal. The solution must minimize the scope of the search.

How should you configure the content search? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Image 1

Question 54

You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft 365 Defender.

You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.

Which response action should you use?

  • A: Run antivirus scan
  • B: Initiate Automated Investigation
  • C: Collect investigation package
  • D: Initiate Live Response Session

Question 55

You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.

Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A: From Settings, select Cloud App, select Microsoft Information Protection, and then select Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.
  • B: From Cloud apps, select Files, and then filter File Type to Document.
  • C: From Settings, select Cloud App, select Microsoft Information Protection, select Files, and then enable file monitoring.
  • D: From Cloud apps, select Files, and then filter App to Office 365.
  • E: From Cloud apps, select Files, and then select New policy from search.
  • F: From Settings, select Cloud App, select Microsoft Information Protection, and then select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.

Question 56

DRAG DROP

You open the Cloud App Security portal as shown in the following exhibit.

Image 1

Your environment does NOT have Microsoft Defender for Endpoint enabled.

You need to remediate the risk for the Launchpad app.

Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

Select and Place:

Image 2

Question 57

You have a Microsoft 365 subscription that uses Microsoft Purview.

Your company has a project named Project1.

You need to identify all the email messages that have the word Project1 in the subject line. The solution must search only the mailboxes of users that worked on Project1.

What should you do?

  • A: Perform a user data search.
  • B: Create a records management disposition.
  • C: Perform an audit search.
  • D: Perform a content search.

Question 58

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You discover that when Microsoft Defender for Endpoint generates alerts for a commonly used executable file, it causes alert fatigue.

You need to tune the alerts.

Which two actions can an alert tuning rule perform for the alerts? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

  • A: delete
  • B: hide
  • C: resolve
  • D: merge
  • E: assign

Question 59

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have a Microsoft 365 subscription.

You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.

You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.

Solution: You configure endpoint detection and response (EDR) in block mode.

Does this meet the goal?

  • A: Yes
  • B: No

Question 60

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have a Microsoft 365 subscription.

You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.

You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.

Solution: You configure Controlled folder access.

Does this meet the goal?

  • A: Yes
  • B: No

Question 61

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have a Microsoft 365 subscription.

You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.

You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.

Solution: You enable automated investigation and response (AIR).

Does this meet the goal?

  • A: Yes
  • B: No

Question 62

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.

What should you create first?

  • A: device groups
  • B: device tags
  • C: honeytoken entity tags
  • D: sensitive entity tags

Question 63

Note: This section contains one or more sets of questions with the same scenario and problem. Each question presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve the problem.

After you answer a question in this section, you will NOT be able to return. As a result, these questions do not appear on the Review Screen.

You have a Microsoft 365 subscription.

You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender Antivirus in passive mode.

All Windows devices are onboarded to Microsoft Defender for Endpoint.

You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party antivirus product.

Solution: You enable Live Response.

Does this meet the goal?

  • A: Yes
  • B: No

Question 64

HOTSPOT

You have a Microsoft 365 E5 subscription.

You plan to perform cross-domain investigations by using Microsoft 365 Defender.

You need to create an advanced hunting query to identify devices affected by a malicious email attachment.

How should you complete the query? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Image 1

Question 65

You have the following advanced hunting query in Microsoft 365 Defender.

Image 1

You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A: Create a detection rule.
  • B: Create a suppression rule.
  • C: Add | order by Timestamp to the query.
  • D: Replace DeviceProcessEvents with DeviceNetworkEvents.
  • E: Add DeviceId and ReportId to the output of the query.

Question 66

You are investigating a potential attack that deploys a new ransomware strain.

You have three custom device groups. The groups contain devices that store highly sensitive information.

You plan to perform automated actions on all devices.

You need to be able to temporarily group the machines to perform actions on the devices.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A: Assign a tag to the device group.
  • B: Add the device users to the admin role.
  • C: Add a tag to the machines.
  • D: Create a new device group that has a rank of 1.
  • E: Create a new admin role.
  • F: Create a new device group that has a rank of 4.

Question 67

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section.

Does this meet the goal?

  • A: Yes
  • B: No

Question 68

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Regulatory compliance, you download the report.

Does this meet the goal?

  • A: Yes
  • B: No

Question 69

Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.

After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.

You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section.

Does this meet the goal?

  • A: Yes
  • B: No

Question 70

You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution.

To which service should you export the alerts?

  • A: Azure Cosmos DB
  • B: Azure Event Grid
  • C: Azure Event Hubs
  • D: Azure Data Lake

Question 71

You are responsible for responding to Azure Defender for Key Vault alerts.

During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.

What should you configure to mitigate the threat?

  • A: Key Vault firewalls and virtual networks
  • B: Azure Active Directory (Azure AD) permissions
  • C: role-based access control (RBAC) for the key vault
  • D: the access policy settings of the key vault

Question 72

HOTSPOT

You need to use an Azure Resource Manager template to create a workflow automation that will trigger an automatic remediation when specific security alerts are received by Azure Security Center.

How should you complete the portion of the template that will provision the required Azure resources? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Image 1

Question 73

You have an Azure subscription that contains a Log Analytics workspace.

You need to enable just-in-time (JIT) VM access and network detections for Azure resources.

Where should you enable Azure Defender?

  • A: at the subscription level
  • B: at the workspace level
  • C: at the resource level

Question 74

You use Azure Defender.

You have an Azure Storage account that contains sensitive information.

You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

  • A: From Azure Security Center, enable workflow automation.
  • B: Create an Azure logic app that has a manual trigger.
  • C: Create an Azure logic app that has an Azure Security Center alert trigger.
  • D: Create an Azure logic app that has an HTTP trigger.
  • E: From Azure Active Directory (Azure AD), add an app registration.

Question 75

HOTSPOT

You manage the security posture of an Azure subscription that contains two virtual machines named vm1 and vm2.

The secure score in Azure Security Center is shown in the Security Center exhibit. (Click the Security Center tab.)

Image 1

Azure Policy assignments are configured as shown in the Policies exhibit. (Click the Policies tab.)

Image 2

For each of the following statements, select Yes if the statement is true. Otherwise, select No.

NOTE: Each correct selection is worth one point.

Hot Area:

Image 3
Page 3 of 16 • Questions 51-75 of 388
