Free Microsoft SC-200 Practice Test Questions MCQs

Explanation:

✅ Why registry is correct
The attacker modified a registry-based antivirus exclusion path. The registry command provides direct access to query and modify registry entries on the remote device during a live response session. For example:

registry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

After identifying the malicious registry value, you can delete or modify it using the same command, effectively undoing the attacker's change.

❌ Why other options are incorrect

A. analyze:
This command performs forensic analysis on files or processes (e.g., analyze file malware.txt) and returns a verdict (malicious/clean). It does not modify, delete, or restore registry settings .

C. remediate:
While capable of deleting registry entries, remediate is typically used for files, processes, or services. The Microsoft documentation explicitly notes that remediate registry currently has known limitations (e.g., HKEY_USERS hive is not supported), making registry the direct and reliable choice for viewing and undoing changes interactively .

D. scan:
The scan command runs an antivirus scan on the device. It identifies and removes malware but does not modify registry paths or undo configuration changes .


Reference:
Live response command examples - Microsoft Defender for Endpoint

Explanation:

✅ Why this order is correct
Step 1 – summarize arg_max(TimeGenerated, *) by Account This finds the most recent SecurityEvent record for each unique Account (user). It returns the full row (*) of that latest event for each account. This step identifies "the last record" per account as required.

Step 2 – | where EventID == 4624
After obtaining the latest record per account, this filters the results to only those accounts whose most recent event is a successful logon (EventID 4624). Accounts whose latest event is something else are excluded.

❌ Why other options are incorrect

where EventID == 4624 firstThis would first filter all events to only 4624, then take the latest per account. That would return accounts where any recent 4624 exists, not necessarily the last record being 4624.

make_list or make_setThese aggregate accounts into arrays but do not identify the latest record per account. They cannot determine which event is most recent.

📌 References
Microsoft Learn: arg_max() function – Returns the row with the maximum value of a specified column (e.g., TimeGenerated) per group
EventID 4624 – Windows security event for successful logon

Explanation:

✅ Why these are correct

union (first dropdown): The union operator is required to combine results from multiple data sources (subscriptions and workspaces). The query needs to check table existence across workspaces, which union supports with cross-workspace queries using the workspace() expression. datatable, extend, and makelist cannot perform cross-resource table existence checks.

isFuzzy=true (second dropdown): isFuzzy=true is a critical setting for this scenario. When set to true, union continues execution even if one of the referenced tables or workspaces is missing or has schema issues, returning whatever data is available. Without fuzzy matching, a single missing table would cause the entire query to fail.

kind=outer (third dropdown): The union kind=outer ensures that even if one side of the union returns no rows (because the table doesn't exist in a particular workspace), the query still generates a result row. This is essential to return a 1 for missing tables, rather than no output at all.

withSource=isMissing (fourth dropdown): The withSource parameter adds a column (named isMissing) indicating which source each row came from. Combined with the later logic (project isMissing=iff(c > 0, 0, 1)), this enables the query to determine table existence per workspace.

❌ Why other options are incorrect

datatableCan only define static tables, cannot check existence of real tables across workspaces

extendAdds computed columns to existing rows, cannot check table existence or combine multiple sources

makelistCreates a dynamic array – not relevant for table existence checking

isFuzzy=falseWould cause the query to fail completely if any referenced table is missing, which is the opposite of the requirement

kind=innerOnly returns rows when matching records exist in all sources – would not return 1 for missing tables

📌 References
Microsoft Learn: union operator and fuzzy matching
Microsoft Kusto documentation: union with isFuzzy and kind=outer for schema mismatches
Microsoft Learn: Cross-resource queries with workspace() and union

Explanation:

✅ Why these are correct

Enable Defender for Servers (User1 – Security administrator): Enabling Defender for Servers on virtual machines requires modifying security policies and turning on Defender plans at the subscription level. Microsoft documentation states that the Security administrator role "can update the security policy, dismiss alerts and recommendations" . This role has the necessary write permissions to enable Defender plans without granting full subscription management rights (like Contributor or Owner). The Security administrator is the least privileged role that can perform this task.

Review recommendations and enable vulnerability scans (User2 – Security reader): Reviewing security recommendations (read-only) is permitted by the Security reader role. However, enabling vulnerability scans requires write permissions to deploy the integrated vulnerability scanner (e.g., Microsoft Defender vulnerability management or Qualys). This action falls under "remediation" or "apply recommendations," which requires Contributor permissions.

❌ Why other assignments are incorrect

Enable Defender for ServersUser2 (Security reader) Read-only access – cannot modify policies or enable Defender plans

Enable Defender for ServersUser3 (Contributor) Can enable plans but violates least privilege (more permissions than needed)

User1 (Security administrator) Overly permissive – Security reader should review; Security admin would be for enabling

Enable vulnerability scansUser2 (Security reader) Read-only – cannot perform write actions like deploying scanners

📌 References
Microsoft Learn: "Security Admin can update the security policy, dismiss alerts and recommendations"
Microsoft Learn: "Security Reader can view recommendations, alerts, and security policy"
Microsoft Learn: To apply recommendations (remediation), "you need Contributor or Owner permissions to the affected resource"

Explanation:

✅ Why BIN is Correct for the File Type
The correct answer is BIN. The official Microsoft documentation states: "Custom lures can be any file type (except .DLL and .EXE files)" . This means the only file types explicitly prohibited are DLL and EXE files.

While some discussion around the exam suggests BIN is the most suitable file type for Linux compatibility, the key factor is that EXE and LNK are invalid choices because:

📄 EXE is explicitly forbidden for custom lures according to Microsoft's own documentation
📄 LNK files are not mentioned as supported for custom lures in the official guidance
💻 BIN files are compatible with both Windows and Linux (CentOS) systems and can act as executable binaries, making them effective as lures in a mixed environment

The question specifies you have both Windows 11 and Linux CentOS devices, so you need a file type that works on CentOS. EXE and LNK are primarily Windows-specific formats and would not work well in a Linux environment .

✅ Why {HOME} is Correct for the Planting Path

The correct answer is {HOME}. Several official Microsoft documentation pages confirm that when setting up a Deception rule in Defender XDR, you can "Provide a lure name and a path where the lure will be planted" . The variable {HOME} represents the user's home directory on the target device.

When you set the planting path to {HOME}, the deception files are placed in the home directory of the active user on the device . This ensures the lure files are visible during an interactive session and accessible to adversaries using that account—precisely where attackers are most likely to browse or exfiltrate files .

The alternative options are incorrect because:
\\server1\share1 is a network share path (requires specific configuration and network connectivity)
/usr/tmp is a Linux system temp directory (less likely to be targeted by attackers for lateral movement)
The {HOME} variable works across both Windows and Linux systems, mapping to C:\Users\[User] on Windows and /home/[User] on Linux.

❌ Why the Other Options Are Incorrect

EXECustom lures cannot be .EXE files—Microsoft explicitly prohibits using EXE and DLL file types for custom lures

LNKNot validated as a supported custom lure file type in the official Microsoft documentation; no official guidance supports using .LNK files

\server1\share1Network share path is not the standard planting path—the {HOME} variable is the documented option for placing lures in user directories

/usr/tmpThis is a temporary system directory, not the standard home directory planting location

📌 References

Microsoft Learn: "Custom lures can be any file type (except .DLL and .EXE files)"
Exam SC-200: "BIN would be the most suitable choice for CentOS devices. BIN files are compatible with Linux and Windows systems"
Microsoft Learn: "Provide a lure name and a path where the lure will be planted"

Explanation:

✅Why D is correct

Uses the correct table: AuditLogs is the table within Microsoft Purview containing records of file activities (uploaded, accessed, modified, deleted) across workloads like SharePoint (which powers Teams team sites).

Correct date filtering: The where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10)) precisely defines the 10-day range. This is the standard KQL syntax for inclusive yet bounded time periods.

Correct file filtering: where FileName contains "Project1" searches for any stored file on the team site with "Project1" in its name.

Correct scope: A Microsoft Teams team site is a SharePoint Online site. Queries against the AuditLogs table with Workload = "SharePoint" can be filtered by SiteUrl or SiteId to isolate Team1's specific site.

❌ Why other options are incorrect

A & B: These appear to be invalid/incomplete snippets. The documentation contains no such KQL syntax where a table name AuditLogs is omitted.

C: Using ago(10d) is not sufficiently precise to restrict the range to the exact 10-day window (2023-02-01 to 2023-02-10). If run on a different date (e.g., today), ago(10d) would retrieve 10 days prior to the current date, not the specified historical range.

📌 References

Microsoft Learn: Search the audit log in the compliance portal: describes reading AuditData/AuditLogs content.
Microsoft Learn: KQL between operator: confirms

Explanation:

✅ Why these are correct

LOG_DAEMON (Facility): The question states that App1 runs as a background process on the Linux server. The standard Syslog facility for such system services and background processes is LOG_DAEMON . This is directly supported in the facilityNames parameter when configuring a DCR . Selecting this ensures you target the messages generated specifically by App1 and the system daemons associated with it, minimizing the collection of irrelevant logs.

LOG_ERR (Log level): The requirement is to "collect messages that have a priority level of critical." . However, when configuring a Data Collection Rule via the Azure portal, you cannot select a single severity level. Microsoft's official documentation states: "When you select a log level, Microsoft Sentinel collects logs for the selected level and other levels with higher severity" . Since LOG_CRIT (specific to critical) is not an available selection in the UI, and to avoid collecting higher volumes of less severe data (Warning, Notice, Info), the closest option is LOG_ERR. Selecting LOG_ERR will collect LOG_ERR (Error), LOG_CRIT (Critical), LOG_ALERT (Alert), and LOG_EMERG (Emergency) . This satisfies the "priority level of critical" requirement and best meets the requirement to "minimize the volume of data collected" by excluding levels lower than Error.

❌ Why other options are incorrect

Facility Options:

LOG_AUTH: Used for security and authorization related messages (e.g., sshd, sudo), not standard background application processes .

LOG_CRON: Specific to the Cron scheduling daemon, not a general background process App1.

LOG_KERN: Reserved for kernel messages, not user-space application logs .

LOG_SYSLOG: Typically used for messages generated internally by the Syslog daemon itself, not for third-party applications.

Log Level Options:

LOG_EMERG: Only collects the highest severity (Emergency), which would miss the specific Critical level messages .

LOG_DEBUG: This collects every message severity level (from Debug up to Emergency), which would violate the "minimize the volume of data collected" requirement. It includes levels with lower severity than Critical (Warning, Notice, Info, Debug) which are undesirable .

LOG_WARN: Collects Warning, Error, Critical, Alert, and Emergency. It includes "Warning" messages which are generally lower severity than "Critical" and add unwanted noise to the log volume .

📌 References

Microsoft Learn: Syslog data collection with AMA. "When you select a log level, Microsoft Sentinel collects logs for the selected level and other levels with higher severity" .
Microsoft Learn: Facility names support LOG_DAEMON for background processes .
Syslog Priority levels: Confirms LOG_CRIT is specifically critical, but UI selections start at LOG_ERR .

Explanation:

✅ Why these are correct

distinct DeviceId (first dropdown):
The requirement is to limit duplicate results. The distinct DeviceId operator ensures each device appears only once in the result set, even if a device has multiple critical vulnerabilities . This prevents the rule from triggering multiple times for the same device. The search result confirms: "Distinct DeviceID because DeviceID is required to successfully join the tables and distinct to limit the returns to unique devices" .

project Timestamp, DeviceId, ReportId (second dropdown):
Microsoft's official documentation for custom detection rules explicitly states that query results must include three required columns: Timestamp, DeviceId, and ReportId . Without these columns, the detection rule cannot be created. The search result confirms: "You need Timestamp, DeviceID and ReportID in the return to create a custom detection rule" . Additionally, for device that has critical vulnerabilities and was active during the last hour, the DeviceInfo join provides the activity timestamp, which must be projected to meet the requirement.

❌ Why other options are incorrect

distinct CveId
CveId column is not available in the DeviceInfo table, making the subsequent join impossible. The join condition in the detection rule requires DeviceId to correlate the two tables .

project-away / project-keep / distinct with ReportId
These operators do not correctly limit duplicate results per device. The distinct DeviceId is specifically needed to ensure each device appears only once .

summarize count()
The question requires limiting duplicate results, not counting them. A custom detection rule does not require a summarize count() operation .

distinct DeviceId, ReportId
This would create unique combinations of DeviceId and ReportId, which could still allow multiple rows per device if ReportId differs. The requirement is to limit duplicates at the device level .

📌 References
Microsoft Learn: Custom detection rules require Timestamp, DeviceId, and ReportId in query results
Exam SC-200 discussion: "Distinct DeviceID" and "project Timestamp, DeviceID, ReportID" are correct

Explanation:

✅ Why these are correct

summarize (first dropdown):
The summarize operator is required to aggregate data. It groups raw security alerts into meaningful statistical results, such as counting the number of alerts per day. The project operator would just select columns without aggregation, and lookup or render are not appropriate as the first aggregation step.

bin(TimeGenerated, 1d) (second dropdown): The requirement is to display results by day (number of daily security alerts). The bin() function groups timestamps into fixed-size buckets (1-day intervals). Using bin(TimeGenerated, 1d) ensures that each day is treated as a single time unit in the timechart. The range function is not used for grouping timestamps, and make-series is typically used when you need to fill empty bins with default values—not required for a straight daily count.

timechart (third dropdown): The render timechart command explicitly creates a line or column chart with time on the x-axis and aggregated values on the y-axis. The question states: "Display the results in a timechart," so render timechart is the correct visualization command.

❌ Why other options are incorrect

project
Selects specific columns but does not aggregate data. Cannot produce a daily count.

lookup
Correlates two tables by matching columns. This query uses only one table (SecurityAlert).

range
Generates a series of numeric values. Cannot bin timestamps into 1-day intervals.

make-series
Creates time series with empty bins filled with a default value. More complex and not required for a simple daily count.

📌 References

Microsoft Learn: summarize operator documentation
Microsoft Learn: bin() function for grouping timestamps
Microsoft Learn: render timechart for time-based visualizations