SC-200 Exam Question 61
Hotspot Question
You have an Azure subscription that contains a guest user named User1 and a Microsoft Sentinel workspace named workspace1.
You need to ensure that User1 can triage Microsoft Sentinel incidents in workspace1. The solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

You have an Azure subscription that contains a guest user named User1 and a Microsoft Sentinel workspace named workspace1.
You need to ensure that User1 can triage Microsoft Sentinel incidents in workspace1. The solution must use the principle of least privilege.
Which roles should you assign to User1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 62
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?
You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters.
You need to create a data loss prevention (DLP) policy to protect the sensitive documents.
What should you use to detect which documents are sensitive?
SC-200 Exam Question 63
Hotspot Question
You have an Azure subscription named Sub1. Sub1 contains a Microsoft Sentinel workspace named SW1 and a virtual machine named VM1 that runs Windows Server. SW1 collects security logs from VM1 by using the Windows Security Events via AMA connector.
You need to limit the scope of events collected from VM1. The solution must ensure that only audit failure events are collected.
How should you complete the filter expression for the connector? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

You have an Azure subscription named Sub1. Sub1 contains a Microsoft Sentinel workspace named SW1 and a virtual machine named VM1 that runs Windows Server. SW1 collects security logs from VM1 by using the Windows Security Events via AMA connector.
You need to limit the scope of events collected from VM1. The solution must ensure that only audit failure events are collected.
How should you complete the filter expression for the connector? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 64
Hotspot Question
You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

You have an Azure subscription that uses Microsoft Defender for Cloud and contains an Azure logic app named app1.
You need to ensure that app1 launches when a specific Defender for Cloud security alert is generated.
How should you complete the Azure Resource Manager (ARM) template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 65
You have a Microsoft Sentinel workspace.
You are investigating an incident that involves the following entities:
- A host named Host1
- A user account named User1
- An IP address of 175.45.176.99
You need to update the threat intelligence list to include the entities.
Which entities can you add on the Incident page?
You are investigating an incident that involves the following entities:
- A host named Host1
- A user account named User1
- An IP address of 175.45.176.99
You need to update the threat intelligence list to include the entities.
Which entities can you add on the Incident page?



