This page was exported from Braindump2go Free Exam Dumps with PDF and VCE Collection [ https://www.mcitpdump.com ] Export date:Fri May 17 0:48:47 2024 / +0000 GMT ___________________________________________________ Title: [July-2023]Free Download Braindump2go SC-200 Exam PDF and VCE Dumps[Q150-Q172] --------------------------------------------------- July/2023 Latest Braindump2go SC-200 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SC-200 Real Exam Questions!QUESTION 150You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage incident related to a suspected malicious document. After reviewing all the details, you have determined that the alert tied to the potentially malicious document is also related to another incident in your environment. However, the alert is not currently listed as a part of that second incident.Your investigation into the alert is ongoing, as it is your investigation into the two related incidents. You need to appropriately categorize the alert and ensure that it is associated with the second incident.What two actions should you take in the Manage alert pane to fulfill this part of the investigation? (Choose two)A. Set status to In progressB. Set status to NewC. Set classification to True alertD. Enter the Incident ID of the related incident in the Comment section.E. Select the Link alert to another incident option.Answer: AEExplanation:The correct action to classify the alert would be to set the status to In progress. While the alert may seem to be legitimate as it is linked to another incident, until a final determination is reached, you should set the status to In progress to ensure that others know it is being worked on. Once a determination is reached, you can then change it to Resolved and select the appropriate classification (True alert or False alert).The correct action to correlate the alert to the other incident would be to select the Link alert to another incident option. While ideally, the alert would automatically be included in both incidents that are not always the case. If you notice an alert that is not linked to an incident that it is clearly connected to, using the Link alert to another incident option ensures they are tied together.You should not set the classification to True alert. While a point can be made that it seems this malicious file involved in multiple incidents is likely to be a True alert, you cannot yet make that determination. It is also not the time to classify it as a false alert. The best practice while continuing an investigation would be not to change the classification at all, which means leaving it as the default Not set classification.You should not enter the Incident ID of the related incident in the Comment section. While this might be helpful from an administrative perspective, it creates no link to the other incident.You should not set the status to New. This is the default status of any alert. The question specifically seeks to ensure your peers know the alert is being investigated, so setting (or leaving) the status as New would make it impossible to differentiate from other uninvestigated alerts.All of the actions mentioned in the options can be found in the Manage alert pane, which can be reached via the Alerts tab in the Incidents section of the Microsoft 365 Defender portal.References:https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-alertshttps://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwideQUESTION 151Which of the following choices best defines threat hunting using Microsoft Defender for Endpoint?A. Sensing and blocking apps that are considered unsafe but may not be detected as malware.B. Decrease vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware.C. You can proactively look at events in your network using a powerful search and query tool.D. All of the above.Answer: CExplanation:Option A is incorrect. This is an explanation of advanced protection provided by Windows Defender Antivirus.Options B, D are incorrect. This is an explanation of attack surface reduction.Option C is correct. Microsoft Defender for Endpoint advanced threat hunting is built on top of a query language that gives you flexibility.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-overview?view=o365-worldwideQUESTION 152Which of the following is not a component of Microsoft Defender for Endpoint?A. Endpoint detection and responseB. Cloud device managementC. Next generation protectionD. Integrity monitoringAnswer: BExplanation:Options A and C are incorrect. Threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and remediation are all components of Microsoft Defender for Endpoint.Option B is correct. Cloud device management is not a component of the security administration of Microsoft Defender for Endpoint.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwideQUESTION 153You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence.You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.Which type of information is gathered in an Investigation package?A. Prefetch FilesB. Network transactionsC. Command HistoryD. Process HistoryAnswer: AExplanation:Network transactions, Process and Command History are not collected. Only Prefetch files are collected.An investigation package contains the following folders when you collect it from a device as part of the investigation process. These can help us identify the present state of devices and methods used by attackers.Autoruns, installed programs, Network Connections, Prefetch files, Prefetch folder, Processes, Scheduled tasks, Security event log, Services, Windows Server Message Block (SMB) sessions, System Information, Temp Directories, Users and Groups, WdSupportLogs, CollectionSummaryReport.xlsReference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwideQUESTION 154You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence.You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.Which one of the below is a Device action?A. Reformat deviceB. Isolate deviceC. RebootD. ReinstallAnswer: BExplanation:You can't issue either reboot, reinstall or reformat action. You can perform isolation devices.Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwideQUESTION 155Which of the below artifact types contains an investigation page?A. DomainB. Threat ActorC. HunterD. AlertAnswer: AExplanation:Option A is correct. Domain contains an investigation page.Option B is incorrect. Threat Actor is not a forensic artifact.Option C is incorrect. Hunter does not have an investigation page.Option D is incorrect. Alert does not have an investigation page.Reference :https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwideQUESTION 156What information is shared by a deep file analysis?A. Registry ModificationsB. Code change historyC. Command historyD. Process historyAnswer: AExplanation:Command history, process and code change history are not reported. Only Registry modifications are reported.Deep file analysis results contain the file's activities, behaviors, and artifacts like dropped files, registry changes and IP communication.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwideQUESTION 157Which information is shared on the user account page?A. Security groupsB. Threat hunt IDC. Associated alertsD. All of the aboveAnswer: CExplanation:The security groups, user accounts belong to and threat hunt ID is not shown.Associated alerts are made available.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-users?view=o365-worldwideQUESTION 158Multiple false positive alerts are generating in a company XYZ. A security operations analyst working for XYZ needs to exclude an executable file to reduce alerts - c:myxyzappmyxyzwinapp.exe, which exclusion type must they use?A. ExtensionB. FolderC. FileD. RegistryAnswer: CExplanation:File will exclude only this specific file, whereas extension would exclude all files with the extensions, and folder would exclude all files in a folder. Registry exclusion doesn't happen.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwideQUESTION 159In advanced features, which setting must be turned on to obstruct files even if a 3rd party AV is used?A. Turn on EDR with block mode.B. Automated InvestigationC. Allow or block fileD. All of the aboveAnswer: AExplanation:Option A is correct. EDR with block mode can be used with third-party AV.Option B is incorrect. The "Allow or block file" feature requires Defender AV.Option C is incorrect. Automated investigations do not block files.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwideQUESTION 160Microsoft Defender for Endpoint gives configuration selections for alerts and detections. These include notifications, custom indicators, and detection rules. Which filter is a part of an Alert notification rule?A. Subject IDsB. Alert SeverityC. AccountD. Alert IDsAnswer: BExplanation:Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-email-notifications?view=o365-worldwideQUESTION 161You are in charge of working with the endpoint team to patch weaknesses reported by Threat Vulnerability Management. Which report keeps an inventory of the vulnerabilities of your systems that are wide-open by listing the CVE IDs?A. WeaknessB. Software InventoryC. Event TimelineD. IncidentAnswer: AExplanation:Option A is correct. This report is enumerated by the CVE ID.Option B is incorrect. The software inventory page contains a list of software installed in your organization.Option C is incorrect. The event timeline is a risk feed that lets you understand how risk is introduced in the organization.Option D is incorrect. The incident report doesn't contain any weaknesses or vulnerabilities.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvm-weaknesses?view=o365-worldwideQUESTION 162Which selection is an ASR (attack surface reduction) rule that can be implemented and blocked?A. Content from mobile devicesB. PowerShell from executingC. Process creations initiating from WMI and PSExec commandsD. None of the aboveAnswer: CExplanation:Option A is incorrect. This is not an ASR rule that can be implemented and blocked.Option B is incorrect. .ps1 execution cannot be blocked with an ASR rule.Option C is correct. This is an ASR rule that can be implemented and blocked.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwideQUESTION 163From which of the following can a SOC (Security Operation Center) analyst make a customized detection?A. AlertB. IncidentC. Advanced HuntingD. RequestAnswer: CExplanation:Advanced hunting gives a choice to save the query as a detection, while Alert and Incident don't provide an option to save as a detection.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-results?view=o365-worldwideQUESTION 164Microsoft Defender for Endpoint gives a purpose based UI to manage and inspect security incidents and alerts. Which option can't be accomplished in the Action Center?A. Review completed actions.B. Configure action email notifications.C. Manage pending actions.D. None of the aboveAnswer: BExplanation:Reference:https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-detailsQUESTION 165A SOC analyst found out about an event of interest. What is the next step to take it forward for further review?A. FlagB. TagC. HighlightD. CloseAnswer: AExplanation:While looking into the device timeline for suspicious activity, we can search and filter for specific events. We can set event flags by:- Highlighting the most important events- Marking events that require a deep dive- Building a clean breach timelineFind the event that we want to flag. Select the flag icon in the Flag column.Once events are flagged, we can filter suspicious events more easily. In the timeline Filters section, enable Flagged events. Only flagged events are displayed. You can apply more filters that will only show events prior to the flagged event.Reference:https://docs.microsoft.com/en-us/defender-for-identity/investigate-entityQUESTION 166What type of Behavioural blocking can be utilized with 3rd-party AVs?A. EDR with block modeB. Feedback-loop blockingC. Client behavior blockingD. Malicious behavior blockingAnswer: AExplanation:Option A is correct. EDR with Block mode allows you for blocking even when another AV is in use.Options B, C, D are incorrect. Feedback-loop and Client behavior blocking are used with Defender AV.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwideQUESTION 167A Windows 10 system is not showing in the device inventory list. What may be the problem?A. System is not having the latest KB'sB. System has no alerts in the past 30 days.C. System was renamed.D. None of the aboveAnswer: BExplanation:Options A, C, D are incorrect. Neither renaming any device nor KB's has any impact on the Device inventory list.Option B is correct. We can modify the "time setting" to find the system.Reference:https://docs.microsoft.com/en-us/azure/security-center/asset-inventoryQUESTION 168Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and alerts across Microsoft 365 services.You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security.You are required to monitor related alerts across all the solutions as a single incident to observe the incident's full impact and do an RCA (root cause investigation). The Microsoft Security center portal has a fused view of incidents and actions are taken on them.Which tab is present on the incident page when investigating a particular incident?A. MachinesB. MailboxesC. NetworksD. IncidentsAnswer: BExplanation:Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-worldwideQUESTION 169Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and alerts across Microsoft 365 services.You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security.You are required to monitor related alerts across all the solutions as a single incident to observe the incident's full impact and do an RCA (root cause investigation). The Microsoft Security center portal has a fused view of incidents and actions taken on them.Which of the following can be classified as an Incident?A. Test alertB. True alertC. High alertD. Positive alertAnswer: BExplanation:Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-worldwideQUESTION 170You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.You need to identify the impacted entities in an aggregated alert.What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?A. the Events tab of the alertB. the Sensitive Info Types tab of the alertC. Management logD. the Details tab of the alertAnswer: AExplanation:In order to identify the impacted entities in an aggregated alert, you should review the "Events" tab of the DLP alert management dashboard in the Microsoft 365 compliance center. This tab will display a list of all the events that triggered the alert, including the specific entities (e.g. files, emails, etc.) that were affected. You can further investigate each event to identify the specific user, device and action that caused the alert to be triggered.https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alerts-policies?view=o365-worldwideQUESTION 171You have a Microsoft 365 subscription that uses Microsoft 365 Defender.You plan to create a hunting query from Microsoft Defender.You need to create a custom tracked query that will be used to assess the threat status of the subscription.From the Microsoft 365 Defender portal, which page should you use to create the query?A. Threat analyticsB. Advanced HuntingC. ExplorerD. Policies & rulesAnswer: BExplanation:"Use Advance mode if you're comfortable creating custom queries."https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwidehttps://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide#get-started-with-guided-hunting-modeQUESTION 172You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort.What should you do in the Microsoft 365 Defender portal?A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.D. Select Add indicator and set the IP address to 171.23.34.32/27.Answer: AResources From:1.2023 Latest Braindump2go SC-200 Exam Dumps (PDF & VCE) Free Share:https://www.braindump2go.com/sc-200.html2.2023 Latest Braindump2go SC-200 PDF and SC-200 VCE Dumps Free Share:https://drive.google.com/drive/folders/1IE9DMPPLO4DhDEbH-R7ugD_zKUjJxFsH?usp=sharing3.2023 Free Braindump2go SC-200 Exam Questions Download:https://www.braindump2go.com/free-online-pdf/SC-200-PDF-Dumps(150-172).pdfFree Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams! --------------------------------------------------- Images: --------------------------------------------------- --------------------------------------------------- Post date: 2023-07-14 06:49:44 Post date GMT: 2023-07-14 06:49:44 Post modified date: 2023-07-14 06:49:44 Post modified date GMT: 2023-07-14 06:49:44 ____________________________________________________________________________________________ Export of Post and Page as text file has been powered by [ Universal Post Manager ] plugin from www.gconverters.com