SC-200 Exam Question 11

Hotspot Question
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the following devices:
- Device1: Runs Windows 11 Pro
- Device2: Runs Windows Server
- Device3: Runs Ubuntu Linux
You identify three suspicious files named File1.exe, File2.zip, and File3.ps1.
You need to investigate the files by using deep analysis.
Which devices support deep analysis, and which files can be submitted for deep analysis? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 12

Hotspot Question
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and Microsoft Defender for Endpoint. The subscription contains the devices shown in the following table.

You discover the following forensic data:
- During the startup of Device1, a connection is established to Device2 via port 5555.
- Device2 connects to Device3 by using port 5555.
- Device4 connects to Device1 by using port 5555.
You perform the following actions:
- Initiate a live response session on Device1 and run the processes
- From Devices in the Microsoft Defender portal, isolate Device1 and
Device2.
For each of the following statements, select Yes if True. Otherwise select No.
NOTE: Each correct selection is worth one point.

SC-200 Exam Question 13

You have a Microsoft 365 subscription that contains a user named User1 and two Windows devices named Device1 and Device2. Device1 and Device2 are onboarded to Microsoft Defender for Endpoint.
The following events occur.
- User1 signs in to Device1.
- Automatic attack disruption in Microsoft Defender XDR responds to an
attack on Device1 and contains User1.
- User1 attempts to connect to Device2.
Which protocols will Device2 block when User1 attempts to connect to Device2?
  • SC-200 Exam Question 14

    You create an Azure subscription named sub1.
    In sub1, you create a Log Analytics workspace named workspace1.
    You enable Azure Security Center and configure Security Center to use workspace1.
    You need to ensure that Security Center processes events from the Azure virtual machines that report to workspace1.
    What should you do?
  • SC-200 Exam Question 15

    Drag and Drop Question
    You have a Microsoft Sentinel workspace named SW1.
    In SW1, you enable User and Entity Behavior Analytics (UEBA).
    You need to use KQL to perform the following tasks:
    - View the entity data that has fields for each type of entity.
    - Assess the quality of rules by analyzing how well a rule performs.
    Which table should you use in KQL for each task? To answer, drag the appropriate tables to the correct tasks. Each table may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
    NOTE: Each correct selection is worth one point.