Medium SC-200 practice questions
Applied — put a concept to work in a realistic situation. 167 medium questions available — no sign-up, always free.
During an incident in Microsoft Defender XDR, an alert from Microsoft Defender for Cloud Apps flags a third-party OAuth application in your Entra ID tenant as malicious. The app was granted delegated Mail.Read and Files.ReadWrite.All permissions by 40 users after a phishing campaign. You must immediately stop the app from accessing tenant data while preserving evidence for further investigation. Which action in the Defender XDR portal best meets this requirement?
Your organization uses Microsoft Defender for Cloud with security alerts streamed into Microsoft Defender XDR. During an incident investigation in the Defender portal, you see a correlated incident that includes a Defender for Cloud alert titled "Suspicious download of multiple files from a storage account." You need to view the affected Azure resource, understand the recommended remediation, and take action on the underlying cloud workload. Where should you go to review the resource's security posture recommendations and apply hardening guidance related to this alert?
You manage Microsoft Defender for Endpoint for a large enterprise. The SOC wants unsanctioned and unmanaged devices discovered on the corporate network to be automatically onboarded and brought under Defender for Endpoint protection without manual intervention. Which advanced feature in the Microsoft Defender portal settings must you enable to achieve this?
Your organization plans to deploy Microsoft Defender for Endpoint attack surface reduction (ASR) rules to block credential stealing from LSASS. The security team is concerned that enabling the rule in Block mode immediately could disrupt legitimate line-of-business applications. What is the recommended first step to safely evaluate the impact of this ASR rule across the environment?
Your organization has enabled the ASR rule "Block Office applications from creating child processes" in Block mode across all Windows devices. A finance team uses a legacy macro-enabled Excel workbook that launches a signed helper executable, and this workbook is now being blocked. You must allow this specific workflow while keeping the ASR rule in Block mode for all other processes and users, using the least-permissive configuration. What should you do?
Your organization uses Microsoft Defender for Endpoint. The SOC team wants critical production servers in a device group named 'Prod-Servers' to have Defender automatically investigate alerts and remediate malicious artifacts without requiring an analyst to approve each action. However, for a device group named 'Executive-Laptops', the team wants Defender to investigate automatically but hold all remediation actions until an analyst manually approves them. What should you configure to meet both requirements?
Your organization uses Microsoft Defender for Endpoint. The SOC lead wants brand-new, never-before-seen executable files that arrive on endpoints to be automatically inspected in the cloud and blocked within seconds if they are determined to be malicious, before the file is allowed to run. Which combination of settings must be configured on the managed devices to enable this capability?
Your organization uses Microsoft Defender for Endpoint. You have created three device groups, each with a machine membership rule and a different automation level. A newly onboarded server matches the membership criteria of two of these device groups: 'Servers-Full-Remediation' (rank 3) and 'Production-Semi-Auto' (rank 1). Both were created before the built-in 'Ungrouped devices' group. Which automation level will apply to this server, and why?
During an incident investigation, you connect a live response session to a compromised Windows server and locate a suspicious executable at C:\Temp\svc-update.exe. Before you decide whether to quarantine it, you want to submit the file to Microsoft's cloud for a deep threat verdict directly from within the live response session, without downloading it to your local machine first. Which live response command should you run?
During an active investigation, a SOC analyst identifies a suspicious executable running on an onboarded Windows device in Microsoft Defender for Endpoint. The analyst needs to retrieve the actual binary from the device for offline malware analysis in a sandbox, while the device remains online. Which action should the analyst take?
During an incident, you need to acquire forensic artifacts from a compromised Windows workstation using Microsoft Defender for Endpoint. The device is currently powered off but is expected to reconnect intermittently over the next few hours. You want the full investigation package (autoruns, scheduled tasks, network connections, prefetch files, and more) collected automatically the next time the device comes online, without keeping a live response console session open. Which action should you take from the device page?
During an incident investigation, you are using a live response session on a compromised Windows device. You need to safely retrieve a suspicious executable from the device's C:\Temp folder so that your malware analysis team can examine it in an isolated sandbox environment. The file must be retrieved in a way that prevents accidental execution when it is downloaded to the analyst's workstation. Which live response action should you use?
During an incident investigation, you connect a live response session to a compromised Windows workstation in Microsoft Defender for Endpoint. You attempt to use the 'getfile' command to retrieve a suspected malware sample located at C:\Users\Public\payload.dll, which is 12 MB in size. The command fails. A colleague suggests the file is too large. What is the maximum file size that the live response 'getfile' command can retrieve, and what is the correct conclusion?
During an active incident, a SOC analyst confirms a compromised Windows workstation is exhibiting suspicious PowerShell activity that appears to still be running. The analyst needs to capture the current running processes, network connections, scheduled tasks, and autoruns as a single consolidated snapshot for the forensics team, without deciding in advance which individual files to retrieve. Which Microsoft Defender for Endpoint response action best meets this requirement?
During investigation of a Microsoft Defender XDR incident, you confirm that a Windows 11 workstation is actively communicating with a known command-and-control server and executing a malicious PowerShell process. You need to immediately stop the outbound C2 traffic while preserving the ability to continue collecting forensic evidence from the device using live response. Which action should you take from the device page in the Microsoft Defender portal?
A SOC analyst is investigating a Defender for Endpoint incident on a Windows server that shows signs of an in-memory (fileless) attack. The analyst needs to capture the volatile memory contents of a suspicious running process for later forensic analysis, without terminating the process or taking the whole device offline. Which live response action should the analyst use?
During an active investigation, a SOC analyst suspects that a compromised Windows workstation (already onboarded to Microsoft Defender for Endpoint) is beaconing to a command-and-control server. The analyst needs to view the current active TCP/IP connections and listening ports on the live device to confirm the suspicious outbound session before deciding whether to isolate it. The analyst has an active Live Response session on the device. Which action provides the fastest way to obtain this information directly from the live endpoint?
During an incident investigation, a device timeline in Microsoft Defender for Endpoint shows that a suspicious process wrote a value to HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to an executable in the user's AppData folder. You start a live response session on the affected device to remove this persistence mechanism and confirm the malicious binary is no longer set to auto-start. Which sequence of live response actions accomplishes this?
During an incident investigation, you connect a live response session to a compromised Windows server in Microsoft Defender for Endpoint. The attacker installed a malicious Windows service named 'SvcHostUpdater' that re-launches a backdoor after every reboot. You have already stopped and quarantined the running backdoor process, but you must prevent the service from restarting the backdoor while forensics continues. Which live response command should you use to inspect and act on this persistence mechanism?
During an incident in Microsoft Defender for Endpoint, you are reviewing the device timeline of a workstation flagged for a suspicious PowerShell process that beaconed to an external IP. You need to prevent the device from communicating with anything other than the Defender for Endpoint cloud service while still allowing the SOC to run live response commands and investigation packages on it. Which response action should you take on the device?
During an active incident, a Defender for Endpoint device timeline shows a suspicious unsigned binary launching PowerShell repeatedly on a critical file server. Your SOC lead does not want to fully isolate the server because it hosts a business-critical database that other systems depend on, but wants to stop any untrusted, unsigned executables from running while the investigation continues. Which single Defender for Endpoint response action best meets this requirement?
During an incident investigation, a SOC analyst connects a live response session to a compromised Windows server. The analyst wants to identify all currently loaded drivers on the device to detect a suspected rootkit, but the built-in live response commands do not include a driver-enumeration command. The analyst has a PowerShell script named 'Get-LoadedDrivers.ps1' that produces the needed output. What must the analyst do before this script can be executed in the live response session?
During an active incident, you connect a live response session to a compromised Windows server. Your SOC has a vetted PowerShell remediation script named CleanupPersistence.ps1 that must be executed on the device. When you attempt to use the runscript command, live response reports that the script cannot be found. What must you do so the script can be executed through runscript?
During an active incident in Microsoft Defender for Endpoint, a SOC analyst identifies a persistence mechanism on an onboarded Windows server: a malicious scheduled task that re-downloads a payload. The analyst wants to remediate the task on the live device without waiting for a full reimage, using a PowerShell script that the SOC team has already validated and stored centrally so it can be reused across future live response sessions. Which action allows the analyst to execute this pre-approved script during a live response session?
During investigation of a Defender for Endpoint incident, you connect a live response session to a compromised Windows server. The device timeline shows a suspicious scheduled task named 'SysHealthCheck' that re-launches a malicious PowerShell payload every 30 minutes. You have already isolated the device. You need to identify the exact command line and trigger configuration of this scheduled task directly from within the live response session, without downloading and analyzing a full investigation package offline. Which live response command should you use?