[July-2023]100% Valid SC-200 Exam Dumps in PDF and VCE Free Download from Braindump2go[Q150-Q172] July 17, 2023 lead2pass July/2023 Latest Braindump2go SC-200 Exam Dumps with PDF and VCE Free Updated Today! Following are some new Braindump2go SC-200 Real Exam Questions! QUESTION 150You are using the Microsoft 365 Defender portal to conduct an investigation into a multi-stage incident related to a suspected malicious document. After reviewing all the details, you have determined that the alert tied to the potentially malicious document is also related to another incident in your environment. However, the alert is not currently listed as a part of that second incident.Your investigation into the alert is ongoing, as it is your investigation into the two related incidents. You need to appropriately categorize the alert and ensure that it is associated with the second incident.What two actions should you take in the Manage alert pane to fulfill this part of the investigation? (Choose two) A. Set status to In progressB. Set status to NewC. Set classification to True alertD. Enter the Incident ID of the related incident in the Comment section.E. Select the Link alert to another incident option. Answer: AEExplanation:The correct action to classify the alert would be to set the status to In progress. While the alert may seem to be legitimate as it is linked to another incident, until a final determination is reached, you should set the status to In progress to ensure that others know it is being worked on. Once a determination is reached, you can then change it to Resolved and select the appropriate classification (True alert or False alert).The correct action to correlate the alert to the other incident would be to select the Link alert to another incident option. While ideally, the alert would automatically be included in both incidents that are not always the case. If you notice an alert that is not linked to an incident that it is clearly connected to, using the Link alert to another incident option ensures they are tied together.You should not set the classification to True alert. While a point can be made that it seems this malicious file involved in multiple incidents is likely to be a True alert, you cannot yet make that determination. It is also not the time to classify it as a false alert. The best practice while continuing an investigation would be not to change the classification at all, which means leaving it as the default Not set classification.You should not enter the Incident ID of the related incident in the Comment section. While this might be helpful from an administrative perspective, it creates no link to the other incident.You should not set the status to New. This is the default status of any alert. The question specifically seeks to ensure your peers know the alert is being investigated, so setting (or leaving) the status as New would make it impossible to differentiate from other uninvestigated alerts.All of the actions mentioned in the options can be found in the Manage alert pane, which can be reached via the Alerts tab in the Incidents section of the Microsoft 365 Defender portal.References:https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-alertshttps://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-incidents?view=o365-worldwide QUESTION 151Which of the following choices best defines threat hunting using Microsoft Defender for Endpoint? A. Sensing and blocking apps that are considered unsafe but may not be detected as malware.B. Decrease vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware.C. You can proactively look at events in your network using a powerful search and query tool.D. All of the above. Answer: CExplanation:Option A is incorrect. This is an explanation of advanced protection provided by Windows Defender Antivirus.Options B, D are incorrect. This is an explanation of attack surface reduction.Option C is correct. Microsoft Defender for Endpoint advanced threat hunting is built on top of a query language that gives you flexibility.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/advanced-hunting-overview?view=o365-worldwide QUESTION 152Which of the following is not a component of Microsoft Defender for Endpoint? A. Endpoint detection and responseB. Cloud device managementC. Next generation protectionD. Integrity monitoring Answer: BExplanation:Options A and C are incorrect. Threat and vulnerability management, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and remediation are all components of Microsoft Defender for Endpoint.Option B is correct. Cloud device management is not a component of the security administration of Microsoft Defender for Endpoint.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint?view=o365-worldwide QUESTION 153You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence.You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.Which type of information is gathered in an Investigation package? A. Prefetch FilesB. Network transactionsC. Command HistoryD. Process History Answer: AExplanation:Network transactions, Process and Command History are not collected. Only Prefetch files are collected.An investigation package contains the following folders when you collect it from a device as part of the investigation process. These can help us identify the present state of devices and methods used by attackers.Autoruns, installed programs, Network Connections, Prefetch files, Prefetch folder, Processes, Scheduled tasks, Security event log, Services, Windows Server Message Block (SMB) sessions, System Information, Temp Directories, Users and Groups, WdSupportLogs, CollectionSummaryReport.xlsReference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide QUESTION 154You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence.You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script.Which one of the below is a Device action? A. Reformat deviceB. Isolate deviceC. RebootD. Reinstall Answer: BExplanation:You can’t issue either reboot, reinstall or reformat action. You can perform isolation devices.Depending on the severity of the attack and the sensitivity of the device, you might want to isolate the device from the network. This action can help prevent the attacker from controlling the compromised device and performing further activities such as data exfiltration and lateral movement.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide QUESTION 155Which of the below artifact types contains an investigation page? A. DomainB. Threat ActorC. HunterD. Alert Answer: AExplanation:Option A is correct. Domain contains an investigation page.Option B is incorrect. Threat Actor is not a forensic artifact.Option C is incorrect. Hunter does not have an investigation page.Option D is incorrect. Alert does not have an investigation page.Reference :https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-machines?view=o365-worldwide QUESTION 156What information is shared by a deep file analysis? A. Registry ModificationsB. Code change historyC. Command historyD. Process history Answer: AExplanation:Command history, process and code change history are not reported. Only Registry modifications are reported.Deep file analysis results contain the file’s activities, behaviors, and artifacts like dropped files, registry changes and IP communication.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-file-alerts?view=o365-worldwide QUESTION 157Which information is shared on the user account page? A. Security groupsB. Threat hunt IDC. Associated alertsD. All of the above Answer: CExplanation:The security groups, user accounts belong to and threat hunt ID is not shown.Associated alerts are made available.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender/investigate-users?view=o365-worldwide QUESTION 158Multiple false positive alerts are generating in a company XYZ. A security operations analyst working for XYZ needs to exclude an executable file to reduce alerts – c:\myxyzapp\myxyzwinapp.exe, which exclusion type must they use? A. ExtensionB. FolderC. FileD. Registry Answer: CExplanation:File will exclude only this specific file, whereas extension would exclude all files with the extensions, and folder would exclude all files in a folder. Registry exclusion doesn’t happen.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide QUESTION 159In advanced features, which setting must be turned on to obstruct files even if a 3rd party AV is used? A. Turn on EDR with block mode.B. Automated InvestigationC. Allow or block fileD. All of the above Answer: AExplanation:Option A is correct. EDR with block mode can be used with third-party AV.Option B is incorrect. The “Allow or block file” feature requires Defender AV.Option C is incorrect. Automated investigations do not block files.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide QUESTION 160Microsoft Defender for Endpoint gives configuration selections for alerts and detections. These include notifications, custom indicators, and detection rules. Which filter is a part of an Alert notification rule? A. Subject IDsB. Alert SeverityC. AccountD. Alert IDs Answer: BExplanation:Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-email-notifications?view=o365-worldwide QUESTION 161You are in charge of working with the endpoint team to patch weaknesses reported by Threat Vulnerability Management. Which report keeps an inventory of the vulnerabilities of your systems that are wide-open by listing the CVE IDs? A. WeaknessB. Software InventoryC. Event TimelineD. Incident Answer: AExplanation:Option A is correct. This report is enumerated by the CVE ID.Option B is incorrect. The software inventory page contains a list of software installed in your organization.Option C is incorrect. The event timeline is a risk feed that lets you understand how risk is introduced in the organization.Option D is incorrect. The incident report doesn’t contain any weaknesses or vulnerabilities.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/tvm-weaknesses?view=o365-worldwide QUESTION 162Which selection is an ASR (attack surface reduction) rule that can be implemented and blocked? A. Content from mobile devicesB. PowerShell from executingC. Process creations initiating from WMI and PSExec commandsD. None of the above Answer: CExplanation:Option A is incorrect. This is not an ASR rule that can be implemented and blocked.Option B is incorrect. .ps1 execution cannot be blocked with an ASR rule.Option C is correct. This is an ASR rule that can be implemented and blocked.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide QUESTION 163From which of the following can a SOC (Security Operation Center) analyst make a customized detection? A. AlertB. IncidentC. Advanced HuntingD. Request Answer: CExplanation:Advanced hunting gives a choice to save the query as a detection, while Alert and Incident don’t provide an option to save as a detection.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-query-results?view=o365-worldwide QUESTION 164Microsoft Defender for Endpoint gives a purpose based UI to manage and inspect security incidents and alerts. Which option can’t be accomplished in the Action Center? A. Review completed actions.B. Configure action email notifications.C. Manage pending actions.D. None of the above Answer: BExplanation:Reference:https://docs.microsoft.com/en-us/azure/security-center/security-center-provide-security-contact-details QUESTION 165A SOC analyst found out about an event of interest. What is the next step to take it forward for further review? A. FlagB. TagC. HighlightD. Close Answer: AExplanation:While looking into the device timeline for suspicious activity, we can search and filter for specific events. We can set event flags by:– Highlighting the most important events– Marking events that require a deep dive– Building a clean breach timelineFind the event that we want to flag. Select the flag icon in the Flag column.Once events are flagged, we can filter suspicious events more easily. In the timeline Filters section, enable Flagged events. Only flagged events are displayed. You can apply more filters that will only show events prior to the flagged event.Reference:https://docs.microsoft.com/en-us/defender-for-identity/investigate-entity QUESTION 166What type of Behavioural blocking can be utilized with 3rd-party AVs? A. EDR with block modeB. Feedback-loop blockingC. Client behavior blockingD. Malicious behavior blocking Answer: AExplanation:Option A is correct. EDR with Block mode allows you for blocking even when another AV is in use.Options B, C, D are incorrect. Feedback-loop and Client behavior blocking are used with Defender AV.Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/edr-in-block-mode?view=o365-worldwide QUESTION 167A Windows 10 system is not showing in the device inventory list. What may be the problem? A. System is not having the latest KB’sB. System has no alerts in the past 30 days.C. System was renamed.D. None of the above Answer: BExplanation:Options A, C, D are incorrect. Neither renaming any device nor KB’s has any impact on the Device inventory list.Option B is correct. We can modify the “time setting” to find the system.Reference:https://docs.microsoft.com/en-us/azure/security-center/asset-inventory QUESTION 168Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and alerts across Microsoft 365 services.You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security.You are required to monitor related alerts across all the solutions as a single incident to observe the incident’s full impact and do an RCA (root cause investigation). The Microsoft Security center portal has a fused view of incidents and actions are taken on them.Which tab is present on the incident page when investigating a particular incident? A. MachinesB. MailboxesC. NetworksD. Incidents Answer: BExplanation:Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-worldwide QUESTION 169Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and alerts across Microsoft 365 services.You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security.You are required to monitor related alerts across all the solutions as a single incident to observe the incident’s full impact and do an RCA (root cause investigation). The Microsoft Security center portal has a fused view of incidents and actions taken on them.Which of the following can be classified as an Incident? A. Test alertB. True alertC. High alertD. Positive alert Answer: BExplanation:Reference:https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/investigate-incidents?view=o365-worldwide QUESTION 170You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.You need to identify the impacted entities in an aggregated alert.What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center? A. the Events tab of the alertB. the Sensitive Info Types tab of the alertC. Management logD. the Details tab of the alert Answer: AExplanation:In order to identify the impacted entities in an aggregated alert, you should review the “Events” tab of the DLP alert management dashboard in the Microsoft 365 compliance center. This tab will display a list of all the events that triggered the alert, including the specific entities (e.g. files, emails, etc.) that were affected. You can further investigate each event to identify the specific user, device and action that caused the alert to be triggered.https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-configure-view-alerts-policies?view=o365-worldwide QUESTION 171You have a Microsoft 365 subscription that uses Microsoft 365 Defender.You plan to create a hunting query from Microsoft Defender.You need to create a custom tracked query that will be used to assess the threat status of the subscription.From the Microsoft 365 Defender portal, which page should you use to create the query? A. Threat analyticsB. Advanced HuntingC. ExplorerD. Policies & rules Answer: BExplanation:“Use Advance mode if you’re comfortable creating custom queries.”https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-overview?view=o365-worldwidehttps://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-modes?view=o365-worldwide#get-started-with-guided-hunting-mode QUESTION 172You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.You need to add threat indicators for all the IP addresses in a range of 18.104.22.168-22.214.171.124. The solution must minimize administrative effort.What should you do in the Microsoft 365 Defender portal? A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.B. Create an import file that contains the IP address of 126.96.36.199/27. Select Import and import the file.C. Select Add indicator and set the IP address to 188.8.131.52-184.108.40.206.D. Select Add indicator and set the IP address to 220.127.116.11/27. Answer: A Resources From: 1.2023 Latest Braindump2go SC-200 Exam Dumps (PDF & VCE) Free Share:https://www.braindump2go.com/sc-200.html 2.2023 Latest Braindump2go SC-200 PDF and SC-200 VCE Dumps Free Share:https://drive.google.com/drive/folders/1IE9DMPPLO4DhDEbH-R7ugD_zKUjJxFsH?usp=sharing 3.2023 Free Braindump2go SC-200 Exam Questions Download:https://www.braindump2go.com/free-online-pdf/SC-200-PDF-Dumps(150-172).pdf Free Resources from Braindump2go,We Devoted to Helping You 100% Pass All Exams!