sc200
Your company uses line-of-business apps that contain Microsoft Office VBA macros. You need to prevent users from downloading and running additional payloads from the Office VBA macros as additional child processes. Which two commands can you run to achieve the goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode D. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
A. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled D. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
You create an Azure subscription. You enable Azure Defender for the subscription. You need to use Azure Defender to protect on-premises computers. What should you do on the on-premises computers? A. Install the Log Analytics agent. B. Install the Dependency agent. C. Configure the Hybrid Runbook Worker role. D. Install the Connected Machine agent.
A. Install the Log Analytics agent.
Your company uses Microsoft Defender for Endpoint. The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team. You need to hide false positives in the Alerts queue, while maintaining the existing security posture. Which three actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. Resolve the alert automatically. B. Hide the alert. C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert.
B. Hide the alert. D. Create a suppression rule scoped to a device group. E. Generate the alert.
Your company uses line-of-business apps that contain Microsoft Office VBA macros. You plan to enable protection against downloading and running additional payloads from the Office VBA macros as additional child processes. Which two commands can you run to achieve the goal? Each correct answer presents a complete solution. NOTE: Each correct selection is worth one point. A. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode D. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled
B. Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode C. Add-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions AuditMode
Which team's issue can be resolved by using Microsoft Defender for Endpoint? A. executive B. sales C. marketing D. security
B. sales
You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in. Which anomaly detection policy should you use? A. Impossible travel B. Activity from anonymous IP addresses C. Activity from infrequent country D. Malware detection
C. Activity from infrequent country
You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements. Which two configurations should you modify? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. the Onboarding settings from Device management in Microsoft Defender Security Center B. Cloud App Security anomaly detection policies C. Advanced features from Settings in Microsoft Defender Security Center D. the Cloud Discovery settings in Cloud App Security
C. Advanced features from Settings in Microsoft Defender Security Center D. the Cloud Discovery settings in Cloud App Security
You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365. You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consist of 32 alphanumeric characters. You need to create a data loss prevention (DLP) policy to protect the sensitive documents. What should you use to detect which documents are sensitive? A. SharePoint search B. a hunting query in Microsoft 365 Defender C. Azure Information Protection D. RegEx pattern matching
C. Azure Information Protection
You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements. Which role should you assign? A. Automation Operator B. Automation Runbook Operator C. Azure Sentinel Contributor D. Logic App Contributor
C. Azure Sentinel Contributor
You need to complete the query for failed sign-ins to meet the technical requirements. Where can you find the column name to complete the where clause? A. Security alerts in Azure Security Center B. Activity log in Azure C. Azure Advisor D. the query window of the Log Analytics workspace
D. the query window of the Log Analytics workspace
You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. From Azure Sentinel in the Azure portal: · Add a data connector · Add a workbook · Configure the Logs settings
· Add a data connector
You need to configure the Azure Sentinel integration to meet the Azure Sentinel requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. In the Cloud App Security portal: · Add a security extension · Configure app connectors · Configure log collectors
· Add a security extension
You need to create the analytics rule to meet the Azure Sentinel requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Configure the playbook to include: · Diagnostic settings · A service principal · A trigger
· A trigger
You have an Azure subscription that uses Azure Defender. You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts. You need to create an Azure policy that will perform threat remediation automatically. What should you include in the solution? To answer, select the appropriate options in the answer area. To perform remediation use: · An Azure Automation runbook that has a webhook · An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered · An Azure Logic Apps app that has the trigger set to When a response to an Azure Security Center alert is triggered
· An Azure Logic Apps app that has the trigger set to When an Azure Security Center Alert is created or triggered
You have an Azure subscription that uses Azure Defender. You plan to use Azure Security Center workflow automation to respond to Azure Defender threat alerts. You need to create an Azure policy that will perform threat remediation automatically. What should you include in the solution? To answer, select the appropriate options in the answer area. Set available effects to: · Append · DeployIfNotExists · EnforceRegoPolicy
· DeployIfNotExists
You are investigating an incident by using Microsoft 365 Defender. You need to create an advanced hunting query to count failed sign-in authentications on three devices named CFOLaptop, CEOLaptop, and COOLaptop. How should you complete the query? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Select and Place: · project LogonFailures=count() · summarize LogonFailures=count() by DeviceName, LogonType · where ActionType == FailureReason · where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") · ActionType == "LogonFailed" · ActionType == FailureReason · DeviceEvents · DeviceLogonEvents
· DeviceLogonEvents · where DeviceName in ("CFOLaptop", "CEOLaptop", "COOLaptop") · ActionType == "LogonFailed" · summarize LogonFailures=count() by DeviceName, LogonType
You open the Cloud App Security portal as shown in the following exhibit. *Cloud Discovery-Cloud App Security TAB* Your environment does NOT have Microsoft Defender for Endpoint enabled. You need to remediate the risk for the Launchpad app. Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order. Select and Place: · Tag the app as Unsanctioned. · Run the script on the source appliance. · Run the script in Azure Cloud Shell. · Select the app. · Tag the app as Sanctioned. · Generate a block script.
· Select the app. · Tag the app as Unsanctioned. · Generate a block script. · Run the script on the source appliance.
You need to create the analytics rule to meet the Azure Sentinel requirements. What should you do? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point. Create the rule of type: • Fusion • Microsoft incident creation • Scheduled
• Scheduled