Absolute Free SC-200 Exam Practice for Comprehensive Preparation 

You have an on-premises network. You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity. From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert. Suspected identity theft (pass-the-ticket) (external ID 2018) You need to contain the incident without affecting users and devices. The solution must minimize administrative effort. What should you do? 

You need to ensure that you can run hunting queries to meet the Microsoft Sentinel requirements. Which type of workspace should you create?

You use Azure Sentinel. You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege. Which role should you assign to the analyst?

You have a Microsoft 365 E5 subscription that contains a device named Device 1. Device 1 is enrolled in Microsoft Defender for End point. Device1 reports an incident that includes a file named File1 exe as evidence. You initiate the Collect Investigation Package action and download the ZIP file. You need to identify the first and last time File1.exe was executed. What should you review in the investigation package? 

You need to identify which mean time metrics to use to meet the Microsoft Sentinel requirements. Which workbook should you use?