SC-200 Practice Questions

From Vulnerability Management, select Weaknesses , and search for and select the CV

E.  

Select Go to related security recommendations .

Create the remediation request.

According to Microsoft Defender Vulnerability Management documentation, the correct workflow for responding to a new CVE in your organization—especially when there is an active exploit —is to begin your investigation within the Vulnerability Management sect ion of the Microsoft Defender portal .

From Vulnerability Management, select Weaknesses – Microsoft explains that all known CVEs are listed under Weaknesses in the Defender portal. You search by CVE ID (for example, CVE-2024-xxxx) to view its details, explo itability data, and the devices affected.

Select Go to related security recommendations – After opening the CVE details, the portal shows associated security recommendations that describe how to remediate the issue (such as updating software, removing an a t-risk version, or applying a patch). Selecting Go to related security recommendations links the CVE directly to actionable remediation guidance.

Create the remediation request – Finally, Microsoft Defender for Endpoint allows security teams to formally re quest remediation from IT administrators or system owners. You can create a remediation request directly from the recommendation page, assigning it to the responsible group and specifying a due date.

This sequence aligns with Microsoft’s recommended remedi ation workflow for CVEs as described in Defender Vulnerability Management documentation and ensures that remediation actions are tracked and executed efficiently through the portal.

✅ Therefore, the correct order is:

(1) From Vulnerability Management → Wea knesses → search CVE → (2) Go to related security recommendations → (3) Create remediation request.

< putfile and &

To push (download) a file from the Live Response library onto an endpoint you use the PutFile (often shown as putfile ) Live Response command. Microsoft’s Live Response command set documents that PutFile “puts a file from the library to the device” and the file is saved to a working folder on the endpoint (and removed on restart by default). This is the operation that transfers a tenant-level library file (for example, an executable you uploaded) onto the target machine for execution or inspection. blog.sec-labs.com+1

When you need the transfer to run as a background job so the live-response session is not blocked waiting for command completion, the Live Response shell supports running co mmands asynchronously by appending the ampersand operator. Microsoft’s Live Response guidance and examples show that background execution is used to avoid blocking the interactive session while large files or long-running operations complete; using & runs the command in the background. Combining these two yields the correct command to download a 250-MB executable from the library to Device1 as a background process: use putfile for the library→device transfer and append & to run it in the background.

Therefo re: choose putfile and & .

In Microsoft Defender XDR hunting, EmailAttachmentInfo includes metadata for received attachments (name, subject, and the file’s SHA256 ), while DeviceFileEvents records file operations on endpoints (open/read/execute) and also carries the SHA256 hash. Microsoft’s guidance for efficient joins in KQL recommends correlating artifacts using stable, high-cardinality identifiers (hashes) rather than paths or URLs, becau se paths can change and URLs may not be preserved on disk; hashes uniquely identify the same file across mail and endpoint telemetry. To minimize query resources , Kusto’s join kind=innerunique is preferred when the left side (EmailAttachmentInfo) is expect ed to have unique keys (one attachment hash per message instance) and you want at most one match per left record. It reduces shuffle/duplication compared to inner , improving performance while returning only devices that actually opened the same file (by ma tching SHA256 ) within the last 12 hours.

So the optimal query structure is:

EmailAttachmentInfo

| where Timestamp > ago(12h)

| where Subject == " Document Attachment " and FileName == " File1.pdf "

| join kind=innerunique

(DeviceFileEvents | where Timestamp > ago(12h))

on SHA256

This precisely identifies devices that received the email with File1.pdf and opened that same file, using the most efficient join strategy and a reliable correlation key.

When dealing with frequent false positives in Microsoft Defender for Endpoint alerts, such as those triggered by legitimate Office macros, the best practice is to hide false alerts while maintaining overall protection.

Microsoft Defender documenta tion prescribes the following approach:

Generate the alert (E): The alert must first appear in the queue so it can be reviewed and correctly classified.

Hide the alert (B): Analysts can hide individual alerts to clean up the queue without disabling detections or reducing coverage.

Create a suppression rule scoped to a device group (D): To prevent recurrence, suppression rules should be scoped narrowly (such as to a device group like the accounting team’s devices), maintaining the principle of least p rivilege and minimal impact.

Options A (Resolve automatically) and C (Suppress any device) would reduce visibility or broaden suppression excessively, potentially missing real threats.

This combination of actions aligns with Defender XDR’s alert management best practices , ensuring a balance between reducing noise and preserving security posture.