Valid SC-200 dumps shared by ExamDiscuss.com to help you pass the SC-200 exam! ExamDiscuss.com now offers the newest SC-200 exam dumps; the ExamDiscuss.com SC-200 exam questions have been updated and the answers have been corrected. Get the newest ExamDiscuss.com SC-200 dumps with Test Engine here:
Access SC-200 Dumps Premium Version
(370 Q&As Dumps, 35%OFF Special Discount Code: freecram)
Exam Code: SC-200
Exam Name: Microsoft Security Operations Analyst
Certification Provider: Microsoft
Free Question Number: 84
Version: v2023-12-23
# of views: 531
# of Questions views: 11843
Recent Comments (The most recent comments are at the top.)
No.# Group 1: Owner, as only the Owner can "Add/assign initiatives (including regulatory compliance standards)" at subscription level, as requested.
Source: https://learn.microsoft.com/en-us/azure/defender-for-cloud/permissions
Group 2: Security Admin
No.# 1. Enable Microsoft Defender for Servers on virtual machines:
This requires permissions to manage resources or security configurations.
Both User1 (Security Administrator) and User3 (Contributor) can perform this task.
However, based on the principle of least privilege, assign this to User3 (Contributor).
2. Review security recommendations and enable server vulnerability scans:
Reviewing recommendations: Requires viewing permissions, which the Security Reader can perform.
Enabling server vulnerability scans: Requires resource management permissions, which only User3 (Contributor) can perform.
Since User3 has the required permissions for both parts of this task, assign it to User3.
No.# C. Add an environment.
No.# B--C.
No.# Option D is the right choice because it focuses on making sure we are very sure about where the alerts are coming from in Microsoft Defender for Identity. This helps us save time and effort when dealing with false alarms. It also allows us to respond faster to real threats.
No.# B: Attack Surface Reduction rules.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference?view=o365-worldwide
Block all Office applications from creating child processes
Block executable content from email client and webmail
No.# First table: BehaviorAnalytics
Reason: To filter on ActivityInsights, identifying unusual patterns.
Second table: AuditLogs
Reason: To join with TargetResources and correlate user creation actions.
No.# Option B, "Live response for servers," is not relevant to the question since it's a feature that allows you to perform remote live investigations and remediation actions on servers.
Option D, "Endpoint detection and response (EDR) in block mode," is also not relevant to the question as it is a setting that enables EDR to automatically block malicious files and processes detected on endpoints.
Option C, "Web content filtering," is also not relevant as it is a feature that allows you to block access to specific websites or web content.
Therefore, the correct answer is A. Custom network indicators.
No.# Answers:
From Security Center, enable data collection
From Defender for Cloud, modify Microsoft Defender for Servers plan settings.
No.# The first answer is correct, but the second answer is wrong.
The network assessment job has nothing to do with the question. It is a feature to scan networks and discover network devices for vulnerability management. The correct answer should be "Automation in Full mode"; it is the only correct answer, since the last provided answer is to set Automation to "Not automated", which is not correct per the Microsoft docs on Live Response. Check it out here: "Ensure that the device has an Automation Remediation level assigned to it." https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide
No.# UEBA activity templates in Microsoft Sentinel offer pre-built detection logic specifically designed for security scenarios like failed sign-ins.
No.# To onboard an Amazon Elastic Compute Cloud (EC2) instance to Microsoft Defender for Cloud, you should install the Azure Connected Machine agent on the instance. Therefore, the correct answer is B.
No.# You can hide or resolve an alert, and all of those actions can be performed on any device, on device groups, or on a single device. But in the question there is an accounting team, so there will be a device group.
Answer should be BDE
No.# Solution is: You create a Microsoft incident creation rule for a data connector.
Solution: You create a scheduled query rule for a data connector. (not sure)
No.# N-Y-N
No.# D
In order to identify the impacted entities in an aggregated alert, you should review the "Events" tab of the DLP alert management dashboard in the Microsoft 365 compliance center. This tab will display a list of all the events that triggered the alert, including the specific entities (e.g. files, emails, etc.) that were affected. You can further investigate each event to identify the specific user, device and action that caused the alert to be triggered.
No.# Join & make-series are the correct answers
No.# You need D for Azure AD information
No.# Correct: every Sentinel deployment must have a workspace, and the union command is used to join multiple workspaces together.
No.# It's reversed:
1. From the details pane of the incident, select Investigate.
2. From the Investigation blade, select the entity that represents VM1.
3. From the Investigation blade, select Insights.