Free Microsoft SC-200 Practice Test & Real Exam Questions
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:
Box 1: Turn on Live Response
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the power to do in-depth investigative work and take immediate response actions.
Box 2: Add a network assessment job
Network assessment jobs allow you to choose network devices to be scanned regularly and added to the device inventory.
Reference:
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-devices?view=o365-worldwide
You have a Microsoft Sentinel workspace named Workspace1 that contains a table named CommonSecurityLog. You ingest logs into CommonSecurityLog. CommonSecurityLog has an average log ingestion time of five minutes.
You need to create an analytics rule that has a lookback period of seven minutes and uses the data in the CommonSecurityLog table. The solution must meet the following requirements:
* Prevent the same event from being processed twice.
* Minimize the number of missed events due to log ingestion delays.
How should you complete the KQL query that defines the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

When creating scheduled analytics rules in Microsoft Sentinel, you should account for ingestion delay so late-arriving events aren't missed, while also avoiding reprocessing the same events. The recommended pattern is to widen the TimeGenerated window by the expected delay and then gate results by ingestion_time() to include only data that actually arrived within the delay window:
let ingestion_delay = 5min;
let rule_look_back = 7min;
CommonSecurityLog
| where TimeGenerated >= ago(ingestion_delay + rule_look_back) // cover late arrivals
| where ingestion_time() > ago(ingestion_delay) // only newly ingested data
* TimeGenerated >= ago(ingestion_delay + rule_look_back) ensures the query looks back 7 + 5 = 12 minutes, so events that were generated up to 7 minutes ago but arrived up to 5 minutes late are still captured.
* ingestion_time() > ago(ingestion_delay) limits results to rows ingested in the last 5 minutes, preventing already-processed events from being picked up again on the next run while minimizing misses due to late ingestion.
Thus, choose (ingestion_delay + rule_look_back) for the first blank and (ingestion_delay) for the second.
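As an added illustration (not part of the original explanation or of Microsoft's documentation), the Python simulation below replays both the gated query and a naive TimeGenerated-only lookback every five minutes over constructed rows and counts how often each row is returned. It goes beyond the page by showing the naive rule's duplicate and miss side by side, and by showing that a row arriving well beyond the delay budget is still missed by the gated rule. The five-minute run interval and the sample rows are assumptions.

```python
from datetime import datetime, timedelta

# Constants from the rule on the page: 5-minute average ingestion delay, 7-minute lookback.
INGESTION_DELAY = timedelta(minutes=5)
RULE_LOOK_BACK = timedelta(minutes=7)

def ingested_so_far(events, now):
    """Only rows that have already landed in the table are visible to a query run at `now`."""
    return [e for e in events if e["ingestion_time"] <= now]

def select_with_ingestion_gate(events, now, delay=INGESTION_DELAY, look_back=RULE_LOOK_BACK):
    """The page's pattern: TimeGenerated >= ago(delay + look_back) AND ingestion_time() > ago(delay)."""
    return [e for e in ingested_so_far(events, now)
            if e["TimeGenerated"] >= now - (delay + look_back)
            and e["ingestion_time"] > now - delay]

def select_naive(events, now, look_back=RULE_LOOK_BACK):
    """Lookback on TimeGenerated only, ignoring when the row actually arrived."""
    return [e for e in ingested_so_far(events, now)
            if e["TimeGenerated"] >= now - look_back]

def count_processing(selector, events, first_run, n_runs, interval=INGESTION_DELAY):
    """Run the rule every `interval` (assumed equal to the delay) and count hits per event id."""
    counts = {e["id"]: 0 for e in events}
    for i in range(n_runs):
        now = first_run + i * interval
        for e in selector(events, now):
            counts[e["id"]] += 1
    return counts

# Constructed sample rows (not from any real workspace): id, TimeGenerated, ingestion_time.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE_EVENTS = [
    {"id": "prompt",   "TimeGenerated": T0,                        "ingestion_time": T0 + timedelta(minutes=1)},
    {"id": "near_run", "TimeGenerated": T0 + timedelta(minutes=4), "ingestion_time": T0 + timedelta(minutes=4, seconds=30)},
    {"id": "late_6m",  "TimeGenerated": T0 + timedelta(minutes=1), "ingestion_time": T0 + timedelta(minutes=7)},
    {"id": "late_14m", "TimeGenerated": T0,                        "ingestion_time": T0 + timedelta(minutes=14)},
]

def compare(events=SAMPLE_EVENTS, first_run=T0 + timedelta(minutes=5), n_runs=4):
    """Return (gated_counts, naive_counts) for runs at 12:05, 12:10, 12:15 and 12:20."""
    return (count_processing(select_with_ingestion_gate, events, first_run, n_runs),
            count_processing(select_naive, events, first_run, n_runs))

if __name__ == "__main__":
    gated, naive = compare()
    for eid in gated:
        print(f"{eid:9} gated={gated[eid]} naive={naive[eid]}")
```

The naive rule returns the row generated just before a run twice and never sees the row that arrived six minutes late; the gated rule returns each of those exactly once, and only the row delayed 14 minutes (beyond the 12-minute window) is lost.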
Your company deploys Azure Sentinel.
You plan to delegate the administration of Azure Sentinel to various groups.
You need to delegate the following tasks:
* Create and run playbooks
* Create workbooks and analytic rules.
The solution must use the principle of least privilege.
Which role should you assign for each task? To answer, drag the appropriate roles to the correct tasks. Each role may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

In Microsoft Sentinel (Defender XDR SIEM), access control is based on Azure RBAC (Role-Based Access Control) to ensure least privilege operations. According to Microsoft's Sentinel role documentation:
* Logic App Contributor: This role is required to create and run playbooks (automated workflows built on Azure Logic Apps). Although Sentinel integrates with Logic Apps, playbook creation and execution permissions are governed by the Logic App Contributor role at the resource group or subscription level where playbooks are deployed. Without this role, a user cannot design or execute automated responses.
* Azure Sentinel Contributor: This role grants permission to create, edit, and delete analytic rules, workbooks, and hunting queries within the Sentinel workspace. It does not allow modifying playbooks or executing automation unless combined with Logic App Contributor. It's the appropriate role for analysts or engineers who manage detection content (rules and visualizations).
The Azure Sentinel Reader role only allows viewing incidents, workbooks, and rules but not editing or creating them. The Sentinel Responder role focuses on handling and closing incidents, not authoring content or automation.
Final mapping:
* Create and run playbooks: Logic App Contributor
* Create workbooks and analytic rules: Azure Sentinel Contributor
You have a Microsoft Sentinel workspace named SW1.
In SW1, you investigate an incident that is associated with the following entities:
* Host
* IP address
* User account
* Malware name
Which entity can be labeled as an indicator of compromise (IoC) directly from the incident's page?
Correct Answer: A
You have a Microsoft Sentinel workspace.
You enable User and Entity Behavior Analytics (UEBA) by using Audit logs and Sign-in logs. The following entities are detected in the Azure AD tenant:
* App name: App1
* IP address: 192.168.1.2
* Computer name: Device1
* Used client app: Microsoft Edge
* Email address: [email protected]
* Sign-in URL: https://www.company.com
Which entities can be investigated by using UEBA?
Correct Answer: C
You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365. You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal. Which response action should you use?
Correct Answer: C
You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines.
You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:
* Minimize administrative effort
* Minimize the parsing required to read log data
What should you configure?
Correct Answer: B
You create an Azure subscription named sub1.
In sub1, you create a Log Analytics workspace named workspace1.
You enable Azure Security Center and configure Security Center to use workspace1.
You need to ensure that Security Center processes events from the Azure virtual machines that report to workspace1.
What should you do?
Correct Answer: A
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You are configuring Azure Sentinel.
You need to create an incident in Azure Sentinel when a sign-in to an Azure virtual machine from a malicious IP address is detected.
Solution: You create a hunting bookmark.
Does this meet the goal?
Correct Answer: A
You need to monitor the password resets. The solution must meet the Microsoft Sentinel requirements.
What should you do? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

To monitor and detect higher-than-normal volumes of password resets, you need to gather password reset event data both from Azure Active Directory (cloud identities) and from on-premises Active Directory (domain accounts). Microsoft's official Defender XDR and Sentinel integration guidance describes that:
* Azure AD Password Protection enforces and monitors password policies in both cloud and hybrid environments. It can detect weak, commonly used, or compromised passwords and logs related password change/reset activities. Deploying Azure AD Password Protection extends password reset visibility to on-premises domain controllers through the Password Protection proxy and DC agent. This makes it the correct choice for implementing monitoring at the identity environment level.
* In Microsoft Sentinel, to ingest and analyze password reset activities from on-premises servers (e.g., domain controllers), you must use the Windows Security Events via AMA connector. This connector collects Event ID 4723 (password change), 4724 (password reset), and related security logs directly from Windows Servers into the Sentinel Log Analytics workspace through the Azure Monitor Agent (AMA). Once the events are available in Sentinel, they can be correlated with other identity or behavioral analytics to detect abnormal reset volumes or potential compromise attempts.
The other options are not suitable:
* Microsoft Defender for Identity focuses on identity compromise detection, not specifically on password reset volume monitoring.
* Smart lockout protects against brute-force sign-in attempts but doesn't generate detailed reset event telemetry.
* Microsoft security rule and UEBA are higher-level analytic configurations, not data ingestion mechanisms.
Therefore, to meet the Sentinel requirements for monitoring password reset anomalies:
* Implement in the identity environment: Azure AD Password Protection
* Configure in Microsoft Sentinel: the Windows Security Events via AMA connector
You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.
You need to mitigate the following device threats:
* Microsoft Excel macros that download scripts from untrusted websites
* Users that open executable attachments in Microsoft Outlook
* Outlook rules and forms exploits
What should you use?
Correct Answer: D