Microsoft SC-200 Exam Dumps & Practice Test Questions

Question 1:

As a security administrator managing Microsoft 365 for your organization, you want to proactively identify suspicious sign-in attempts that may indicate compromised accounts. Specifically, you aim to get alerts when a user signs in from a country where no other user from your organization has ever signed in before. 

Which anomaly detection policy in Microsoft Entra ID Protection or Microsoft 365 Defender should you configure to achieve this?

A. Impossible travel
B. Activity from anonymous IP addresses
C. Activity from infrequent country
D. Malware detection

Correct Answer: C

Explanation:

All four options are anomaly detection policies of Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), whose alerts surface in the Microsoft 365 Defender portal. Microsoft Entra ID Protection (previously Azure AD Identity Protection) has its own, differently named risk detections, such as "Atypical travel", "Anonymous IP address" and "Unfamiliar sign-in properties", so the policy named in this question is configured on the Defender for Cloud Apps side even though the question mentions both products.

The "Activity from infrequent country" policy compares the country of each sign-in against the locations the anomaly detection engine has previously recorded for users across your organization and raises an alert when the country is new or rarely seen. A user signing in from a country that nobody in the tenant has used before is a strong early signal of a compromised credential, for example an attacker replaying a stolen password from abroad. The engine needs a learning period to build that baseline (Microsoft documents an initial seven days during which not all anomaly alerts are raised), so alerts in the first week after enabling the policy are incomplete.

Let's analyze the options:

  • Impossible travel detects when a user signs in from two geographically distant locations within an unrealistically short time frame, making physical travel between the two impossible. It focuses on timing and location inconsistencies, but it doesn't track whether the country itself is new or rare for the organization.

  • Activity from anonymous IP addresses alerts on sign-ins that originate from anonymizing proxies or Tor exit nodes. It flags a masked source address but does not consider whether the location itself is rare for the organization.

  • Malware detection focuses on identifying malicious software rather than monitoring sign-in locations or user access patterns.

Since the requirement is to detect sign-ins from a country that no one in the organization has used before, "Activity from infrequent country" is the only policy that fits. It flags a likely account compromise early, typically when an attacker uses stolen credentials from a location that is unusual for the tenant. Treat the alert as a starting point rather than a verdict: confirm with the user, check the source IP's reputation and the sign-in's device and application, and look for the anomalies that often accompany a real compromise, such as impossible travel or an anonymous IP address.
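
As an added example (not part of the original page), the following KQL query reproduces the policy's logic in Microsoft Sentinel for readers who want the same signal in their own analytics: it builds the set of countries seen in successful sign-ins over the previous 30 days and reports any country in the last day that is absent from that set. It assumes the Microsoft Entra ID sign-in logs are ingested as the SigninLogs table; the 30-day baseline and the one-day window are assumptions you can tune.

```kql
// Added example, not code from the original page. Assumes SigninLogs (Entra ID
// sign-in logs) is ingested; the baseline and window lengths are assumptions.
let baseline = 30d;            // history used to learn the tenant's "known" countries
let window   = 1d;             // period being checked for countries that are new
let knownCountries =
    SigninLogs
    | where TimeGenerated between (ago(baseline + window) .. ago(window))
    | where ResultType == "0"                               // successful sign-ins only
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country)
    | distinct Country;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| extend Country = tostring(LocationDetails.countryOrRegion)
| where isnotempty(Country)
| where Country !in (knownCountries)                        // new for the whole tenant
| summarize FirstSeen = min(TimeGenerated),
            SignIns   = count(),
            Users     = make_set(UserPrincipalName, 20),
            SourceIPs = make_set(IPAddress, 20),
            Apps      = make_set(AppDisplayName, 20)
          by Country
| order by FirstSeen asc
```

Only successful sign-ins feed the baseline, so a password spray that never lands does not teach the query that a country is "known". For the stricter reading in the question (a country never seen by anyone), extend the baseline to the full retention of the workspace. When wrapping this in a scheduled analytics rule, map UserPrincipalName and IPAddress to the Account and IP entities so the resulting incident carries the right pivots.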

Question 2:

Your organization uses Microsoft Defender for Office 365 and manages sensitive documents on SharePoint Online containing customer account numbers formatted as 32-character alphanumeric strings. To prevent unauthorized sharing or access, you want to apply a Data Loss Prevention (DLP) policy that identifies these sensitive documents accurately. 

Which method should you use to detect documents containing such account numbers?

A. SharePoint search
B. A hunting query in Microsoft 365 Defender
C. Azure Information Protection
D. RegEx pattern matching

Correct Answer: D

Explanation:

Data Loss Prevention (DLP) policies in Microsoft 365 help organizations detect, monitor, and protect sensitive information across their cloud services, including SharePoint Online. To enforce DLP effectively, especially when dealing with sensitive data like customer account numbers, you must have precise detection capabilities.

In this scenario, the sensitive data consists of customer account numbers, each exactly 32 alphanumeric characters long. To identify documents containing these numbers, the DLP system needs a way to recognize this specific pattern within documents.

Let's evaluate the options:

  • SharePoint search is primarily a content search tool designed to help users find documents or files based on keywords. However, it lacks the capability to scan for specific data patterns or enforce data protection policies, making it unsuitable for sensitive data detection.

  • A hunting query in Microsoft 365 Defender is aimed at threat hunting and security incident investigation by analyzing logs and suspicious activities. It’s not designed for detecting or classifying sensitive data within documents.

  • Azure Information Protection (AIP) focuses on classifying and protecting documents by applying labels and encryption. While it helps protect sensitive information, it does not inherently detect data patterns such as specific account numbers unless paired with other detection mechanisms.

  • RegEx (regular expression) pattern matching lets you describe the exact shape of the data. In a DLP policy you do this by creating a custom sensitive information type whose primary element is a regular expression; the policy then matches any document containing a string of that shape. For a 32-character alphanumeric account number the pattern is \b[A-Za-z0-9]{32}\b. The word boundaries (\b) matter: an anchored pattern such as ^[A-Z0-9]{32}$ only matches when the entire content is the account number, so it would miss a number embedded in a sentence or a table cell, and restricting the class to upper case would miss lower-case or mixed-case numbers.

Using RegEx pattern matching lets the DLP policy scan content for the specific format of your account numbers and then trigger protective actions such as blocking external sharing, raising an alert, or applying a protection label. One caveat a practitioner should plan for: a 32-character alphanumeric run is not unique to your account numbers (MD5 hashes, GUIDs written without hyphens and many API keys have the same shape), so pair the pattern with supporting evidence, such as keywords like "account number" within a proximity window, encode any fixed prefix or checksum the numbers have, and assign confidence levels accordingly. Test the sensitive information type against real documents before enforcing the policy, otherwise the false positives will cost you the trust of the users whose sharing gets blocked.

Question 3:

Your organization uses Microsoft Defender for Endpoint to protect its computers. The accounting team frequently works with Microsoft Word documents that include macros. These macro-enabled documents are causing false positive alerts in the security Alerts queue.
How can you configure Microsoft Defender for Endpoint to suppress these false positive alerts related to macros without weakening your organization's security stance? 

Which three of the following actions should you take?

A. Automatically resolve the alert
B. Hide the alert
C. Create a suppression rule that applies to all devices
D. Create a suppression rule that applies to a specific device group
E. Generate the alert

Correct Answer: B, C, D

Explanation:

Effectively managing false positives in Microsoft Defender for Endpoint is essential for maintaining an actionable and focused security alert system. In your scenario, macro-enabled Word documents used regularly by the accounting team are triggering alerts that are not actual threats but false positives. The objective is to minimize these distracting alerts while still protecting your environment from genuine risks.

Suppression rules in Defender for Endpoint are created from an existing alert (Manage alert > Create a suppression rule) and consist of an action and a scope. The action is either "Hide alert" or "Resolve alert automatically". Hiding the alert (B) keeps future alerts that match the rule's conditions (file hash, command line, IP or URL) out of the Alerts queue while the underlying events are still recorded, so analysts are not distracted by known-benign macro activity and the evidence remains available if a later investigation needs it.

The scope decides where the rule applies. A rule scoped to any device (C) suppresses the matching alert across the entire fleet. That is only appropriate when the triggering behaviour is benign everywhere; applied to macro alerts it also silences the signal on devices where macro use is not expected, which is a loss of coverage rather than tuning.

A rule scoped to a device group (D) is the targeted option: limit it to the accounting team's device group and the noise disappears only on the endpoints known to handle these documents, while every other device keeps alerting on the same behaviour. When the requirement is to suppress the false positives without weakening posture, the device-group scope is the one to prefer, and a rule scoped to a single device is available when the false positive is confined to one machine.

Options A and E do not fit. Resolving the alert automatically (A) closes every matching alert without a human looking at it, so a genuinely malicious macro that happens to share the indicator would be auto-closed as well. Generating the alert (E) is the opposite of suppression.

Combining the hide action with a narrowly scoped suppression rule keeps the Alerts queue actionable while preserving detection coverage on the rest of the estate. Review suppression rules periodically and remove them when the documents or workflow that justified them change.

Question 4:

Within Microsoft 365 Defender, you need to set up an alert for a particular security event—when System Restore is disabled on any managed device. You have an advanced hunting query that identifies this event and want to trigger an alert if it occurs within the past 24 hours.

Which two actions should you perform to correctly configure this alert using the advanced hunting query?

A. Create a detection rule
B. Create a suppression rule
C. Append "| order by Timestamp" to the query
D. Replace DeviceProcessEvents with DeviceNetworkEvents in the query
E. Add DeviceId and ReportId to the query’s output

Correct Answer: A, E

Explanation:

Microsoft 365 Defender’s advanced hunting is a powerful tool for querying and investigating security events across devices. However, to receive notifications (alerts) when specific conditions like disabling System Restore occur, you must combine proper query construction with alert rule configuration.

The first step is to turn the hunting query into a custom detection rule (A). A detection rule runs the query on the schedule you pick (every 24 hours, 12 hours, 3 hours, every hour, or continuously in near real time) and raises an alert, with the severity, category and optional response actions you define, for each row the query returns. For "within the past 24 hours" the query filters on Timestamp > ago(1d) and the rule runs every 24 hours, so consecutive runs cover adjacent windows without gaps.

The second step is to make the query return the columns a detection rule requires (E). Microsoft 365 Defender will not let you save a custom detection unless the query's output contains Timestamp (used as the alert time), ReportId (used to look up the original event from the alert), and at least one column that identifies the affected asset, such as DeviceId or DeviceName for devices (or AccountObjectId, AccountUpn, RecipientEmailAddress and similar for identities and mailboxes). A query that projects only the device name and the command line still fails validation because ReportId is missing.

Options B and D are incorrect. A suppression rule stops alerts rather than creating them. DeviceNetworkEvents records network connections; the query in question looks for the process or command that disables System Restore, which lives in DeviceProcessEvents (or in DeviceRegistryEvents if you key on the DisableSR registry value), so swapping in DeviceNetworkEvents would point the query at the wrong data.

Appending "| order by Timestamp" (C) only sorts the output. Sorting has no effect on which rows become alerts and is not required by the detection rule wizard; it is the kind of distractor that sounds useful but does nothing for detection.

Following these steps ensures that your alerting system in Microsoft 365 Defender reliably notifies you about critical system changes, enabling swift investigation and response.
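
The following query is an added example (not the page's own query) of what a custom detection for this event looks like once it meets the wizard's column requirements. It assumes the Defender for Endpoint DeviceProcessEvents table; the command-line patterns are the documented ways of turning System Restore off (the DisableSR policy value written with reg.exe, and the Disable-ComputerRestore PowerShell cmdlet), and the one-day window assumes a rule scheduled every 24 hours.

```kql
// Added example, not the page's own query. Assumes the Defender for Endpoint
// DeviceProcessEvents table; the patterns below cover the documented ways of
// disabling System Restore (DisableSR registry policy, Disable-ComputerRestore).
DeviceProcessEvents
| where Timestamp > ago(1d)                       // matches a rule that runs every 24 hours
| where FileName in~ ("reg.exe", "powershell.exe", "pwsh.exe")
| where (ProcessCommandLine has "DisableSR"
         and ProcessCommandLine matches regex @"/d\s+(0x)?0*1\b")   // value being set to 1, not cleared
     or ProcessCommandLine has "Disable-ComputerRestore"
// Required by the custom detection wizard: Timestamp, ReportId and an asset
// identifier (DeviceId here). The remaining columns are context for the analyst.
| project Timestamp, DeviceId, DeviceName, ReportId,
          AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```

Because DeviceId is in the output, each alert is attributed to the right device page and can trigger the response actions you configure on the rule, such as isolating the device or collecting an investigation package. If you key on the registry write instead, DeviceRegistryEvents carries the same required columns (Timestamp, ReportId, DeviceId) and the filter becomes RegistryValueName == "DisableSR" and RegistryValueData == "1".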

Question 5:

During an investigation of a ransomware attack involving devices from three custom device groups containing highly sensitive data, you need to quickly perform automated mitigation actions on these devices. To simplify this process, you want to temporarily group these devices so you can act on them collectively. 

Which three steps should you take to accomplish this task? Choose three.

A. Assign a tag to the device group.
B. Add the device users to an admin role.
C. Apply a tag directly to the devices.
D. Create a new device group with a priority rank of 1.
E. Establish a new admin role.
F. Create a new device group with a priority rank of 4.

Correct Answers: A, C, D

Explanation:

In scenarios where devices belonging to multiple groups require rapid, coordinated response—such as during a ransomware attack—it’s essential to use Microsoft Defender for Endpoint’s device grouping and tagging features for efficient management. The goal is to consolidate affected devices into a temporary, high-priority group for automated remediation.

The mechanism is tagging plus a new, higher-ranked device group. First, apply a tag (for example "Ransomware-IR") directly to the affected devices (option C), from each device page or in bulk from the device inventory. Tags are the attribute that device group membership rules can match on, so they are how you pull devices into a new group without editing the three existing groups.

Second, create the new device group and define its membership by that tag (option A): in the group's membership rules select Tag and enter the same value. Any device carrying the tag then qualifies for the new group regardless of its name, domain or operating system, and you set the automation level (for example full remediation) that automated investigation should apply to exactly these devices.

Third, give the new group a rank of 1 (option D). Device group rank is precedence: rank 1 is the highest, and a device that matches the rules of more than one group is placed only in the highest-ranked group it matches. The three existing custom groups already match these devices, so the temporary group must outrank them or the devices simply stay where they are.

Why exclude other options?

  • Option B (adding users to an admin role) changes who may act on devices, not which devices are grouped together.

  • Option E (creating a new admin role) likewise only affects permissions; it has no bearing on grouping or on automated remediation.

  • Option F (a device group with rank 4) ranks below the three existing custom groups, so the tagged devices would keep matching those groups first and never land in the temporary one. Rank numbers are precedence, not importance; a larger number is a lower priority.

In summary: tag the devices, create a group whose membership rule matches that tag, and rank it first. When the investigation is over, delete the temporary group and remove the tag so the devices fall back into their normal groups and automation levels.

Question 6:

You are setting up Microsoft Defender for Identity integration with Active Directory. From the Defender for Identity portal, you want to configure specific accounts so that attackers can exploit them, triggering alerts. You decide to add these accounts as Honeytoken accounts in the Entity Tags section. 

Does this configuration achieve your goal?

A. Yes
B. No

Correct Answer: A

Explanation:

Microsoft Defender for Identity is designed to strengthen Active Directory security by detecting suspicious activities and advanced persistent threats. A key defensive tactic is the use of Honeytoken accounts—decoy accounts created solely to attract attackers. These accounts are not used for any legitimate business purpose, so any interaction with them is inherently suspicious.

Honeytoken accounts are configured in the Defender for Identity settings (in the Microsoft 365 Defender portal: Settings > Identities > Entity tags > Honeytoken). Tagging an account there tells the sensors that no legitimate use is expected, so any authentication attempt, LDAP or SAM-R query, or other interaction involving the account raises a "Honeytoken activity" alert for your security team.

The primary goal of this setup is to create “tripwires” that alert defenders to unauthorized access attempts. Since attackers often seek to escalate privileges or move laterally within a network by exploiting accounts, Honeytoken accounts act as bait to catch these behaviors early.

This approach matches the goal of configuring accounts that attackers can go after, but in a controlled manner that improves detection rather than adding risk: the honeytoken accounts function as traps and give early warning of malicious activity without exposing real resources. For the trap to work, the decoy has to be convincing and quiet: give it a plausible name and group memberships, never grant it real privileges, and make sure no service, script or administrator ever authenticates as it, otherwise the alert turns into noise that gets ignored.

The other entity tags serve different purposes. The Sensitive tag raises the priority of alerts involving high-value accounts and the Exchange server tag identifies Exchange servers for lateral-movement detections; neither turns an account into a trap. Admin roles in the portal govern who can view and manage Defender for Identity and have nothing to do with detection.

Therefore, the action of adding accounts as Honeytoken accounts via Entity Tags directly fulfills the intended goal, making Answer A (Yes) correct.

Question 7:

You are a security analyst using Microsoft Sentinel. You want to create an alert rule that triggers when multiple failed login attempts occur from the same IP address within a short period. 

Which type of analytics rule should you configure in Microsoft Sentinel?

A. Scheduled rule
B. Fusion rule
C. Machine learning behavioral analytics rule
D. Microsoft Defender alert rule

Correct Answer: A

Explanation:

Microsoft Sentinel uses analytics rules to detect suspicious activities by processing security data. To detect multiple failed login attempts from the same IP within a short timeframe, you want to configure an alert rule that scans logs periodically and identifies this pattern.

  • Scheduled rules run queries on a schedule (e.g., every 5 minutes) over recent data, perfect for detecting repeated events like multiple failed logins. You can define thresholds and specify the query logic to aggregate failed login attempts per IP address.

  • Fusion rules in Sentinel correlate alerts and anomalies from multiple sources using AI and machine learning to detect complex, multistage attacks, which might be overkill for simple failed login attempts.

  • Machine learning behavioral analytics rules use machine learning models to detect deviations in user or entity behavior over time. While useful for anomaly detection, they are not best for specific repeated event counts like multiple failed login attempts.

  • Microsoft security rules (the "Microsoft Defender alert rule" in the option list) turn alerts already generated by a connected Microsoft product such as Defender for Endpoint or Defender for Office 365 into Sentinel incidents. They pass through the product's own detections and do not run a custom query, so they cannot implement your failed-login threshold.

Thus, for the use case of detecting repeated failed logins from the same IP, a scheduled analytics rule is the most straightforward and efficient choice. It enables periodic scanning with custom queries and alerts on threshold breaches, providing timely detection of brute-force or password spraying attempts.
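
As an added example (not from the original page), this is the kind of query such a scheduled rule runs. It assumes the Entra ID sign-in logs are ingested as SigninLogs; the threshold of 10 failures and the 5-minute period are assumptions to tune for your tenant, and the rule should be configured to run every 5 minutes with a 5-minute lookup period so the query window and the schedule line up.

```kql
// Added example, not code from the original page. Scheduled analytics rule query
// for repeated sign-in failures from one source IP. Assumes SigninLogs is ingested;
// the threshold and period are assumptions. In the rule, map IPAddress to the IP
// entity so the incident can be pivoted on the source address.
let threshold = 10;
let period = 5m;
SigninLogs
| where TimeGenerated > ago(period)
// Credential failures only. 50126 = bad username/password, 50053 = account locked,
// 50055 = password expired, 50056 = invalid/null password, 50057 = user disabled.
// MFA interruptions (for example 50074, 50076) are deliberately excluded: they happen
// after a correct password and would inflate the count with legitimate users.
| where ResultType in ("50126", "50053", "50055", "50056", "50057")
| summarize FailedAttempts = count(),
            TargetAccounts = dcount(UserPrincipalName),
            Accounts       = make_set(UserPrincipalName, 50),
            FirstFailure   = min(TimeGenerated),
            LastFailure    = max(TimeGenerated)
          by IPAddress
| where FailedAttempts >= threshold
// Many failures against one account is brute force; a few failures each across many
// accounts is password spraying. Both trip the same rule but deserve different triage.
| extend Pattern = iff(TargetAccounts > 1, "password spray", "brute force")
| project IPAddress, FailedAttempts, TargetAccounts, Pattern, FirstFailure, LastFailure, Accounts
```

Set the rule's alert grouping to group by IPAddress so one noisy source produces one incident per run rather than one per account. If you later find the threshold firing on a legitimate gateway address (a VPN concentrator or a proxy that many users share), raise the threshold for that address with a watchlist rather than disabling the rule.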

Question 8:

You want to investigate an alert in Microsoft 365 Defender related to a suspicious email attachment. Which tool allows you to analyze the attachment's behavior in a sandbox environment to determine if it is malicious?

A. Microsoft Defender Antivirus
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365 Safe Attachments
D. Microsoft Cloud App Security

Correct Answer: C

Explanation:

Microsoft Defender for Office 365 includes a feature called Safe Attachments designed to scan and analyze email attachments in a sandbox environment before they reach the user.

  • When an email arrives with an attachment, Safe Attachments opens the file in a virtual environment to observe its behavior (e.g., if it attempts to execute malicious code, drop malware, or perform suspicious actions).

  • If the attachment is found to be malicious, the system blocks delivery or removes the attachment, preventing infection.

Other options:

  • Microsoft Defender Antivirus provides real-time protection on endpoints but doesn’t sandbox attachments during email delivery.

  • Microsoft Defender for Endpoint focuses on endpoint detection and response on devices. It can detonate a file in a sandbox on demand (the Deep analysis action on a file page), but that applies to a file already observed on an endpoint; it is not what inspects attachments in the mail flow before delivery.

  • Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) provides cloud access security broker (CASB) capabilities and can scan files stored in connected cloud apps, but it does not sandbox email attachments.

Therefore, to analyze suspicious email attachments before users open them, Microsoft Defender for Office 365 Safe Attachments is the right tool, enabling proactive threat blocking and minimizing email-borne malware risks.

Question 9:

During an investigation, you discover a compromised account in your Azure AD environment. You want to quickly disable the user’s account and revoke all their active sessions across Microsoft 365 services. 

Which tool or portal should you use?

A. Microsoft 365 Security & Compliance Center
B. Azure AD portal (Identity Protection)
C. Microsoft Defender for Endpoint
D. Microsoft Teams Admin Center

Correct Answer: B

Explanation:

When responding to a compromised account in Microsoft Entra ID (the service formerly called Azure Active Directory), it is crucial to immediately block access and revoke sessions to prevent further damage.

  • The Azure AD portal (today the Microsoft Entra admin center) is where the account itself is managed. Under Identity Protection you can investigate the risky user and sign-ins and confirm the user as compromised; from the user's page you can block sign-in and use Revoke sessions, which invalidates the user's refresh tokens so that every client has to re-authenticate. Two things a responder needs to know: revocation does not recall access tokens that were already issued, so clients can keep working until those expire (roughly an hour by default) unless the resource supports continuous access evaluation; and revoking sessions without resetting the password just lets the attacker sign in again, so do both in the same step.

  • The Microsoft 365 Security & Compliance Center primarily focuses on compliance management and alert investigation but does not offer granular controls to disable Azure AD user sessions quickly.

  • Microsoft Defender for Endpoint manages endpoint security and device-related threats but doesn’t manage user sessions or account status in Azure AD.

  • Microsoft Teams Admin Center manages Teams-specific settings and users but cannot disable accounts or revoke sign-in tokens at the directory level.

Thus, the Azure AD portal is the most effective place to rapidly disable compromised accounts and revoke active sessions across Microsoft 365, helping contain potential breaches.

Question 10:

You are tasked with creating a workbook in Microsoft Sentinel to visualize suspicious sign-in attempts by country over time. 

Which language will you use to query the data and prepare it for visualization?

A. KQL (Kusto Query Language)
B. SQL (Structured Query Language)
C. PowerShell
D. Python

Correct Answer: A

Explanation:

Microsoft Sentinel uses Kusto Query Language (KQL) as the primary language for querying and analyzing the security data stored in its Log Analytics workspace (Azure Monitor Logs, which runs on the Azure Data Explorer engine).

  • KQL is designed for fast, efficient querying of large datasets, enabling analysts to filter, aggregate, and summarize data quickly.

  • Workbooks in Sentinel use KQL queries to retrieve data and generate charts, graphs, and other visualizations.

  • SQL is widely used with relational databases but is not the query language for Microsoft Sentinel logs.

  • PowerShell is a scripting language used for automation and administration, not for interactive querying in Sentinel workbooks.

  • Python is a general-purpose programming language often used for automation and data science, but it’s not native to Sentinel query workbooks.

Therefore, to create insightful visualizations of suspicious sign-ins by country over time in Microsoft Sentinel, you must write your queries in KQL, making it the essential skill for security analysts using Sentinel.
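
As an added example (not the page's own query), the following KQL produces the time series a workbook chart of "suspicious sign-ins by country over time" needs. It assumes SigninLogs is ingested into the Sentinel workspace and uses failed sign-ins as the proxy for "suspicious"; the 7-day range, 1-hour bins and the top-10 cut are assumptions you can change.

```kql
// Added example, not the page's own query. Assumes SigninLogs is ingested into the
// Sentinel workspace; the lookback, bin size and top-10 cut are assumptions.
let lookback = 7d;
let binSize  = 1h;
let failed =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType != "0"                                   // any failed sign-in
    | extend Country = tostring(LocationDetails.countryOrRegion)
    | where isnotempty(Country);
// Keep the chart readable: only the ten noisiest countries get their own series.
let topCountries =
    failed
    | summarize Total = count() by Country
    | top 10 by Total desc
    | project Country;
failed
| where Country in (topCountries)
| summarize FailedSignIns = count() by Country, bin(TimeGenerated, binSize)
| order by TimeGenerated asc
// In Log Analytics you can append "| render timechart" to preview the chart; in a
// workbook leave render out and set the query step's visualization to Time chart.
```

In the workbook, turn lookback and binSize into workbook parameters (a time range picker and a drop-down) and reference them as {TimeRange} and {Bin} in the query instead of the hard-coded let values, so analysts can zoom in on an incident window without editing KQL.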
