Exam (elaborations)

Microsoft SC-200 Exam Questions and Answers comprehensive A Score

Pages: 46
Grade: A+
Uploaded on: 16-02-2024
Written in: 2023/2024

1. You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Entity tags, you add the accounts as Honeytoken accounts. Does this meet the goal?
A. Yes
B. No
Answer: A. Yes

2. You are investigating a potential attack that deploys a new ransomware strain. You have three custom device groups. The groups contain devices that store highly sensitive information. You plan to perform automated actions on all devices. You need to be able to temporarily group the machines to perform actions on the devices. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Assign a tag to the device group.
B. Add the device users to the admin role.
C. Add a tag to the machines.
D. Create a new device group that has a rank of 1.
E. Create a new admin role.
F. Create a new device group that has a rank of 4.
Answer: A. Assign a tag to the device group. C. Add a tag to the machines. D. Create a new device group that has a rank of 1.

3. You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Azure AD Identity Protection, you configure the sign-in risk policy. Does this meet the goal?
A. Yes
B. No
Answer: B. No

4. You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group. Does this meet the goal?
A. Yes
B. No
Answer: B. No

5. Your company uses Microsoft Defender for Endpoint. The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team. You need to hide false positive in the Alerts queue, while maintaining the existing security posture. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Resolve the alert automatically.
B. Hide the alert.
C. Create a suppression rule scoped to any device.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.
Answer: B. Hide the alert. C. Create a suppression rule scoped to any device. E. Generate the alert.

7. You implement Safe Attachments policies in Microsoft Defender for Office 365. Users report that email messages containing attachments take longer than expected to be received. You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked. What should you configure in the Safe Attachments policies?
A. Dynamic Delivery
B. Replace
C. Block and Enable redirect
D. Monitor and Enable redirect
Answer: A. Dynamic Delivery

8. You receive a security bulletin about a potential attack that uses an image file. You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack. Which indicator type should you use?
A. a URL/domain indicator that has Action set to Alert only
B. a URL/domain indicator that has Action set to Alert and block
C. a file hash indicator that has Action set to Alert and block
D. a certificate indicator that has Action set to Alert and block
Answer: C. a file hash indicator that has Action set to Alert and block

9. Your company deploys the following services:
- Microsoft Defender for Identity
- Microsoft Defender for Endpoint
- Microsoft Defender for Office 365
You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege. Which two roles should you assign to the analyst? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. the Compliance Data Administrator in Azure Active Directory (Azure AD)
B. the Active remediation actions role in Microsoft Defender for Endpoint
C. the Security Administrator role in Azure Active Directory (Azure AD)
D. the Security Reader role in Azure Active Directory (Azure AD)
Answer: B. the Active remediation actions role in Microsoft Defender for Endpoint D. the Security Reader role in Azure Active Directory (Azure AD)

10. You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files. Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.
E. From Settings, select Information Protection, select Files, and then enable file monitoring.
Answer: D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring.

11. Your company has a single office in Istanbul and a Microsoft 365 subscription. The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You need to enforce MFA for all users who work remotely. What should you include in the solution?
A. a fraud alert
B. a user risk policy
C. a named location
D. a sign-in user policy
Answer: C. a named location

12. You are configuring Microsoft Cloud App Security. You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices. You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You determine that 99% of the alerts are legitimate sign-ins from your corporate offices. You need to prevent alerts for legitimate sign-ins from known locations. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point.
A. Configure automatic data enrichment.
B. Add the IP addresses to the corporate address range category.
C. Increase the sensitivity level of the impossible travel anomaly detection policy.
D. Add the IP addresses to the other address range category and add a tag.
E. Create an activity policy that has an exclusion for the IP addresses.
Answer: A. Configure automatic data enrichment. D. Add the IP addresses to the other address range category and add a tag.

13. You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: You add each account as a Sensitive account. Does this meet the goal?
A. Yes
B. No
Answer: B. No

14. You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365. What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?
A. the Threat Protection Status report in Microsoft Defender for Office 365
B. the mailbox audit log in Exchange
C. the Safe Attachments file types report in Microsoft Defender for Office 365
D. the mail flow report in Exchange
Answer: A. the Threat Protection Status report in Microsoft Defender for Office 365

15. You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed. You need to mitigate the following device threats:
- Microsoft Excel macros that download scripts from untrusted websites
- Users that open executable attachments in Microsoft Outlook
- Outlook rules and forms exploits
What should you use?
A. Microsoft Defender Antivirus
B. attack surface reduction rules in Microsoft Defender for Endpoint
C. Windows Defender Firewall
D. adaptive application control in Azure Defender
Answer: B. attack surface reduction rules in Microsoft Defender for Endpoint

16. You have a third-party security information and event management (SIEM) solution. You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-events in near real time. What should you do to route events to the SIEM solution?
A. Create an Azure Sentinel workspace that has a Security Events connector.
B. Configure the Diagnostics settings in Azure AD to stream to an event hub.
C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.
D. Configure the Diagnostics settings in Azure AD to archive to a storage account.
Answer: B. Configure the Diagnostics settings in Azure AD to stream to an event hub.

17. You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online. You delete users from the subscription. You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted. What should you use?
A. a file policy in Microsoft Defender for Cloud Apps
B. an access review policy
C. an alert policy in Microsoft Defender for Office 365
D. an insider risk policy
Answer: C. an alert policy in Microsoft Defender for Office 365

18. You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled. You need to identify all the changes made to sensitivity labels during the past seven days. What should you use?
A. the Incidents blade of the Microsoft 365 Defender portal
B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
C. Activity explorer in the Microsoft 365 compliance center
D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
Answer: C. Activity explorer in the Microsoft 365 compliance center

19. You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You need to identify all the entities affected by an incident. Which tab should you use in the Microsoft 365 Defender portal?
A. Investigations
B. Devices
C. Evidence and Response
D. Alerts
Answer: C. Evidence and Response

20. You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant. You need to identify all the changes made to Domain Admins group during the past 30 days. What should you use?
A. the Modifications of sensitive groups report in Microsoft Defender for Identity
B. the identity security posture assessment in Microsoft Defender for Cloud Apps
C. the Azure Active Directory Provisioning Analysis workbook
D. the Overview settings of Insider risk management
Answer: A. the Modifications of sensitive groups report in Microsoft Defender for Identity

21. You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured. You need to identify the impacted entities in an aggregated alert. What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?
A. the Events tab of the alert
B. the Sensitive Info Types tab of the alert
C. Management log
D. the Details tab of the alert
Answer: A. the Events tab of the alert

22. You have a Microsoft 365 subscription that uses Microsoft 365 Defender. You plan to create a hunting query from Microsoft Defender. You need to create a custom tracked query that will be used to assess the threat status of the subscription. From the Microsoft 365 Defender portal, which page should you use to create the query?

Seller: Academicmines, University Of California - Davis- School Of Medicine