Become Microsoft Certified with updated SC-200 exam questions and correct answers
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown in the following table.
You initiate a live response session on each device.
You need to collect a Defender for Endpoint investigation package from each device. On which devices can you collect the package by running advanced live response commands from the command-line interface (CLI)?
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1. You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database. You need to ensure that an incident is created in WS1 when the new attack vector is detected. What should you configure?
You have a Microsoft Sentinel workspace named Workspace1 that contains the AzureActivity table. You need to configure the retention period for the AzureActivity table. The solution must meet the following requirements:
- Maximize the period during which you can run interactive queries.
- Minimize retention costs.
To what should you set the retention period? To answer, select the appropriate options in the answer area. NOTE: Each correct selection is worth one point.
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have a Copilot for Security workspace that uses the following plugins:
- Microsoft Entra
- Microsoft Defender XDR
From the Microsoft Defender portal, you use Copilot for Security to investigate a reported incident. You need to run a promptbook that will include information from Microsoft Entra ID Protection in the investigation. What should you do first?