SC-200 Exam Question 41
You have the resources shown in the following table.

You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to enable Microsoft Defender for Servers on each resource.
Which resources will require the installation of the Azure Arc agent?

You have an Azure subscription that uses Microsoft Defender for Cloud.
You need to enable Microsoft Defender for Servers on each resource.
Which resources will require the installation of the Azure Arc agent?
SC-200 Exam Question 42
Drag and Drop Question
You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller.
You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort.
Which three actions should you perform in sequence to clone a query? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.

You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller.
You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort.
Which three actions should you perform in sequence to clone a query? To answer, move the appropriate actions from the list of possible actions to the answer area and arrange them in the correct order.

SC-200 Exam Question 43
You have a Microsoft Sentinel workspace.
You have a query named Query1 as shown in the following exhibit.

You plan to create a custom parser named Parser1.
You need to use Query1 in Parser1.
What should you do first?
You have a query named Query1 as shown in the following exhibit.

You plan to create a custom parser named Parser1.
You need to use Query1 in Parser1.
What should you do first?
SC-200 Exam Question 44
You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence.
You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.
Which type of information is gathered in an Investigation package?
You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.
Which type of information is gathered in an Investigation package?
SC-200 Exam Question 45
Hotspot Question
You have an Azure subscription that contains the users shown in the following table.

The subscription contains instances of Azure Firewall as shown in the following table.

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have the Copilot for Security role assignments shown in the following table.

Each user runs a Copilot for Security session.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.

You have an Azure subscription that contains the users shown in the following table.

The subscription contains instances of Azure Firewall as shown in the following table.

You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have the Copilot for Security role assignments shown in the following table.

Each user runs a Copilot for Security session.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.



