Free Practice Questions for Microsoft SC-200 Exam

In Microsoft Defender for Endpoint (M DE) Live Response , security analysts can remotely connect to a device and execute forensic commands. When an executable is launched in the background during a live response session using the run command (for example, run File1.exe -background ), the session creates a job associated with that command.

To identify the command ID of the background process, the correct command is jobs . The jobs command lists all currently running or completed background jobs initiated during the live response session. Each job e ntry includes details such as the job ID, command executed, and current status. This allows analysts to determine which process corresponds to File1.exe and its associated command ID.

Once the background process is identified, you can interact with File1.e xe using the fg (foreground) command. The fg command is used to bring a background job to the foreground, allowing you to interact directly with it — for instance, to send inputs, observe outputs, or terminate it.

This procedure aligns with Microsoft Defen der for Endpoint documentation, which specifies:

Use jobs to view or manage background jobs.

Use fg < JobID > to interact with a specific background process.

Therefore, the correct selections are:

Identify the command ID of File1.exe: jobs

Interact with File1.exe: fg

In Microsoft Defender for Cloud Apps (MCAS) , Cloud Discovery collects traffic logs to identify shadow IT usage and cloud app activiti es. To enrich this discovery data and map the usernames in traffic logs to actual Microsoft Entra ID (Azure AD) users, Defender for Cloud Apps must correlate the username with the user’s User Principal Name (UPN) .

According to Microsoft Defender for Cloud Apps documentation, this correlation happens automatically when you connect Microsoft 365 (formerly Office 365) through a Microsoft 365 app connector .

The connector integrates MCAS with Microsoft 365, allowing it to:

Normalize usernames from discovery logs to match UPNs.

Provide enriched identity details and activities across Microsoft 365 apps.

Enable cross-app investigation, alert correlation, and conditional access governance.

Other options explained:

Conditional Access App Control – Used for real-time s ession control, not Cloud Discovery enrichment.

Enable automatic redirection to Microsoft 365 Defender – Used for portal integration, not data enrichment.

Azure app connector – Used to connect third-party or Azure-hosted applications, not for UPN enrichmen t.

✅ Therefore, to enrich Cloud Discovery data with UPN mapping, you must create a Microsoft 365 app connector .

 First table: BehaviorAnalytics

 Joined table: AuditLogs

To detect when a user creates an unusually large number of Azure AD user accounts in Microsoft Sentine l, you should leverage UEBA signals from the BehaviorAnalytics table and enrich them with Azure AD audit data from AuditLogs . The BehaviorAnalytics table contains UEBA-derived insights (for example, the ActivityInsights flag and UsersInsights ) and normaliz ed activity fields such as ActionType (e.g., " Add user " ). Filtering BehaviorAnalytics for ActionType == " Add user " and ActivityInsights has " True " targets activities that the UEBA engine already assessed as anomalous, reducing noise and focusing on outlier s.

Then, join these anomalies to the AuditLogs table to pull authoritative Azure AD audit details (target object, initiator, correlation, and operation context). This combination aligns with Sentinel guidance: use BehaviorAnalytics for anomaly detection an d AuditLogs for the Azure AD operational record. Sorting by TimeGenerated and projecting user and insight fields completes the hunting query so analysts can review who triggered unusual “Add user” bursts and with what context.

Therefore, complete the query by selecting BehaviorAnalytics as the primary dataset and AuditLogs in the join(...) .

In Microsoft Defender for Endpoint live response sessions, specific commands are provided to perform investigation and remediation tasks directly on a device. According to the official Defender for Endpoint documentation:

The getfile command is used to download a file from the live response library to the local analyst’s session. This command enables investigators to retrieve files that are stored in the Defender live response library for examination or comparison. The command is explicitly documented as “Retrieves a file from the library or from the device.”

The remediate command is used to take action against threats detected on the endpoint, such as stopping processes, deleting files, or quarantining malware. The remediation commands are part of the live response toolkit and provide direct control over running processes or malicious files during an active incident response session.

Other commands serve different purposes:

library lists th e available files in the live response library.

putfile uploads files to the library.

analyze runs advanced analysis tasks.

services lists or manages Windows services but is not used to stop arbitrary processes.

Therefore, for this scenario, the correct li ve response commands are:

Download a file from the live response library: getfile

Stop a process that is running on Device1: remediate

AzureActivity Extend

Explanation = Use AzureActivity because NSG rule changes (operations like Microsoft.Network/networkSecurityGroups/securityRules/write ) are re corded in the Azure Activity logs. To automatically associate the security principal (the caller) with a Sentinel entity you create a new column AccountCustomEntity and set it to Caller — that is done with the extend operator.

A completed/cleaned-up versio n of the query (showing the filled choices) would look like:

AzureActivity

| where OperationNameValue in ( " Microsoft.Network/networkSecurityGroups/securityRules/write " )

| where ActivityStatusValue == " Succeeded "

| make-series dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(ago(7d), now(), 1d) by Caller

| extend timestamp = todatetime(EventSubmissionTimestamp[0])

| extend AccountCustomEntity = Caller

This produces the anomaly/hunting results grouped by the caller and makes Sentinel treat the Caller value as an account entity for investigations and alert enrichment.

Streaming Microsoft Graph activity logs to third-party SIEMs is best done via Azure Event Hubs , which is designed for real-time streaming/ingestion and is the recommended sink for forwarding Microsoft Entra/Microsoft Graph logs to external SIEM platforms with minimal administrative overhead.

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud controls inbound traffic to virtual machines, reducing exposure to attacks. Microsoft’s guidance allows JIT policies to be centrally configured and applied automatically across a resource group using Azure Policy , which provides the lowest administrative overhead.

To meet the requir ements:

Limit request time to two hours: Defender for Cloud JIT policy allows defining a maximum allowed access duration per request.

Limit protocol to RDP only: The JIT configuration can restrict the protocol and port (TCP/3389 for RDP).

Minimize administrative effort: Azure Policy can automatically enforce this configuration for all VMs in RG1 without manually setting up each VM.

Other options are less suitable:

A. PIM controls user privileges, not network access.

C. Azure Front Door handles web application traffic.

D. Azure Bastion provides secure RDP/SSH via portal but doesn’t manage just-in-time network policies.

✅ Correct Answer: B. Azure Policy

When Azure Defender for Key Vault (now part of Microsoft Defender for Cloud ) raises an alert about suspicious access attempts from multiple unknown IP addresses, the immediate mitigation step—before deeper investigation—is to restrict network access to the Key Vault to reduce exposure.

The Azure Key Vault firewall allows you to restrict access by:

Allowing access only from trusted IP addresses , VNets , or private endpoints .

Blocking all other traffic by enabling the firewall and disabling “Allow access from all networks.”

Microsoft’s official recommendation states:

“To reduce the likelihood of secrets being compromised while you investigate an alert, enable the Key Vault fire wall and restrict access to trusted networks or specific virtual networks.”

“Firewall and virtual network configuration can be applied immediately without affecting existing permissions or access policies.”

This step:

Minimizes exposure to malicious IP add resses.

Is quick to implement (through the Azure Portal or CLI).

Has minimal impact on legitimate users if you properly whitelist trusted networks or VNets.

Other options:

A (Modify access control settings) or D (Modify access policy) would affect permissi ons and could disrupt legitimate users or service principals.

C (Create an application security group) applies to network interfaces, not directly to Key Vault.

✅ Answer: B. Enable the Key Vault firewall

To combine sign-in attempts from endpoints and on-premises AD DS domain controllers in Microsoft 365 Defender advanced hunting, you should query the tables that record those events and union them. DeviceLogonEvent s contains interactive and network logon activity collected from devices onboarded to Microsoft Defender for Endpoint , while IdentityLogonEvents contains sign-in activity observed by Microsoft Defender for Identity sensors on domain controllers . Using unio n appends the rows from both sources into a single result set while preserving columns such as Timestamp , AccountDomain , AccountName , AccountUpn , and AccountSid . This is preferable to a join because the goal is to list sign-in attempts (not correlate rows between tables). Applying take 100 to each table segment ensures you’re pulling the 100 most recent entries from each source before unioning, then you can reorder and sort by Timestamp to review the consolidated timeline.

Therefore, to meet the requirement — identify the 100 most recent sign-in attempts recorded on devices and AD DS domain controllers —complete the KQL with union and IdentityLogonEvents .

In Microsoft Defender for Endpoint, the quickest way to enumerate running processes and their open network connections on a Windows device is to use the built-in Investigation package feature from the device page. Collecting an investigation package executes a set of diagnostics on the endpoint and bundles artifacts—including process lists , network connections (netstat ou tput) , services, autoruns, scheduled tasks, and other forensic logs— into a ZIP file. After you trigger Collect investigation package on the device page , the job appears in the Action center ; once completed, you open that action and download the package. Finally, extract the ZIP to review the CSV/TXT outputs that show active processes and network connectivity, satisfying the requirement with minimal administrative effort and without initiating a live response session or running interactive commands manually.