SC-200 Exam Question 91

You have a Microsoft Sentinel workspace named Workspace1 that contains a table named CommonSecurityLog. You ingest logs into CommonSecurityLog. CommonSecurityLog has an average log ingestion time of five minutes.
You need to create an analytics rule that has a lookback period of seven minutes and uses the data in the CommonSecurityLog table. The solution must meet the following requirements:
* Prevent the same event from being processed twice.
* Minimize the number of missed events due to log ingestion delays.
How should you complete the KQL query that defines the rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 92

You have an Azure subscription. The subscription contains 10 virtual machines that are onboarded to Microsoft Defender for Cloud.
You need to ensure that when Defender for Cloud detects digital currency mining behavior on a virtual machine, you receive an email notification. The solution must generate a test email.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.

SC-200 Exam Question 93

Your on-premises network contains a Hyper-V cluster. The cluster contains the virtual machines shown in the following table.

You have a Microsoft Sentinel workspace named SW1.
You have a data collection rule (DCR) that has the following configurations:
* Name: DCR1
* Destination: SW1
* Platform type: All
* Data collection endpoint: None
* Data source: Windows event logs, Linux syslog
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 94

A company wants to analyze by using Microsoft 365 Apps.
You need to describe the connected experiences the company can use.
Which connected experiences should you describe? To answer, drag the appropriate connected experiences to the correct description. Each connected experience may be used once, more than once, or not at all. You may need to drag the split between panes or scroll to view content.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 95

You need to modify the anomaly detection policy settings to meet the Microsoft Defender for Cloud Apps requirements and resolve the reported problem.
Which policy should you modify?