Online Access Free SC-200 Practice Test

You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online.
You need to identify phishing email messages.
Which three cmdlets should you run in sequence? To answer, move the appropriate cmdlets from the list of cmdlets to the answer area and arrange them in the correct order.

Correct Answer:

Explanation:
1## Connect-IPPSSession
2## New-ComplianceSearch
3## Start-ComplianceSearch
In Microsoft 365 E5 (which includes Microsoft Purview and Exchange Online), to identify phishing email messages using PowerShell, administrators can perform a compliance content search. The process requires connecting to the Microsoft Purview (Security & Compliance Center) PowerShell and then creating and running a compliance search.
Here's the correct order and purpose of each cmdlet:
1## Connect-IPPSSession
* This cmdlet establishes a remote PowerShell session to the Microsoft Purview Compliance Center (formerly Security & Compliance Center).
* It's required before executing any compliance-related PowerShell commands such as creating or starting a search.
* Example:
* Connect-IPPSSession
2## New-ComplianceSearch
* After connecting, use this cmdlet to create a new compliance content search.
* You can define parameters such as the search name, target locations (e.g., all mailboxes or specific users), and search query (for example, filtering by suspected phishing keywords or sender domains).
* Example:
* New-ComplianceSearch -Name "PhishingSearch" -ExchangeLocation All -ContentMatchQuery
'Subject:"phish" OR Subject:"urgent action required"'
3## Start-ComplianceSearch
* Once the search is defined, this cmdlet initiates the compliance search to scan the selected mailboxes for phishing-related messages.
* Example:
* Start-ComplianceSearch -Identity "PhishingSearch"
Other cmdlets explained:
* Connect-ExchangeOnline is used for managing Exchange Online configuration, not compliance or content searches.
* Search-UnifiedAuditLog searches the unified audit log, which is used for activity auditing, not email content searches.
# Final Correct Sequence:
* Connect-IPPSSession
* New-ComplianceSearch
* Start-ComplianceSearch

You need to implement the Defender for Cloud requirements.
Which subscription-level role should you assign to Group1?

• A.Contributor
• B.Security Assessment Contributor
• C.Owner
• D.Security Admin

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You need to create a hunting query in KQL that meets the following requirements:
* Identifies any devices That received an email containing an attachment named File1 .pdf during the last 12 hours and opened the attachment.
* Minimizes the resources required to run the query.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

In Microsoft Defender XDR hunting, EmailAttachmentInfo includes metadata for received attachments (name, subject, and the file's SHA256), while DeviceFileEvents records file operations on endpoints (open
/read/execute) and also carries the SHA256 hash. Microsoft's guidance for efficient joins in KQL recommends correlating artifacts using stable, high-cardinality identifiers (hashes) rather than paths or URLs, because paths can change and URLs may not be preserved on disk; hashes uniquely identify the same file across mail and endpoint telemetry. To minimize query resources, Kusto's join kind=innerunique is preferred when the left side (EmailAttachmentInfo) is expected to have unique keys (one attachment hash per message instance) and you want at most one match per left record. It reduces shuffle/duplication compared to inner, improving performance while returning only devices that actually opened the same file (by matching SHA256) within the last 12 hours.
So the optimal query structure is:
EmailAttachmentInfo
| where Timestamp > ago(12h)
| where Subject == "Document Attachment" and FileName == "File1.pdf"
| join kind=innerunique
(DeviceFileEvents | where Timestamp > ago(12h))
on SHA256
This precisely identifies devices that received the email with File1.pdf and opened that same file, using the most efficient join strategy and a reliable correlation key.

You have a Microsoft 365 subscription that uses Microsoft 365 Defender A remediation action for an automated investigation quarantines a file across multiple devices. You need to mark the file as safe and remove the file from quarantine on the devices. What should you use m the Microsoft 365 Defender portal?

• A.From the investigation page, review the AIR processes.
• B.From the History tab in the Action center, revert the actions.
• C.From Quarantine from the Review page, modify the rules.
• D.From Threat tracker, review the queries.

You deploy Azure Sentinel.
You need to implement connectors in Azure Sentinel to monitor Microsoft Teams and Linux virtual machines in Azure. The solution must minimize administrative effort.
Which data connector type should you use for each workload? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.

Correct Answer:

Explanation:

In Microsoft Sentinel (part of Microsoft Defender XDR), data connectors are used to integrate log sources for security analytics and monitoring.
For Microsoft Teams, the correct and most efficient connector is Office 365. Microsoft Teams logs- including user activities, chat events, and team management actions-are part of the Office 365 audit logs.
Microsoft Sentinel provides a built-in Office 365 connector that ingests auditing data from Exchange Online, SharePoint Online, and Microsoft Teams directly from the Microsoft 365 security and compliance center.
This connector requires only minimal configuration (enabling audit logging and connecting the tenant), satisfying the requirement to minimize administrative effort.
For Linux virtual machines hosted in Azure, the appropriate connector is Syslog. Linux systems send their security and operational events via Syslog, and Microsoft Sentinel supports this natively through the Syslog data connector. The Syslog agent (Log Analytics agent or AMA) collects logs and sends them to the Sentinel workspace. This connector is purpose-built for Linux VMs and ensures that authentication, authorization, and system logs are captured for correlation and threat detection.
Therefore:
* Microsoft Teams # Office 365 (because Teams audit data flows via Office 365 logs)
* Linux virtual machines in Azure # Syslog (because Linux uses Syslog for event forwarding) This configuration follows Microsoft's documented best practices for Sentinel data ingestion with minimal setup and maximum native integration.