SC-200 Exam Dumps : Microsoft Security Operations Analyst

In Microsoft Defender for Endpoint (Plan 2), you can use indicator file hashes (IoC file hashes) to block files from executing or being downloaded. When you create a file hash indicator, you specify the exact file hash (for example, SHA-256 or MD5) and choose actions such as “block” or “remediate.”

However, an important detail is that file hash indicators are applied to specific files—that is, for a given executable or file content. You cannot use a hash indicator to block all files of a certain extension generically. If a given file has a different hash, it will not be blocked unless you add its specific hash. Because the question says you found suspected malware files sys, pdf, docx, xlsx, and you need to block users from downloading those files, only those files for which you can compute and apply a specific hash indicator can be blocked. The question implies you can create indicator hashes for each of those file names (assuming each has a unique hash).

Thus you can block all four (File1.sys, File2.pdf, File3.docx, File4.xlsx) by adding each as an indicator hash. The choice E lists all four. That is consistent with Microsoft’s statements that “you can create indicators that define detection, prevention, or exclusion of entities,” and file hash indicators specifically apply to those files. Microsoft Learn+3Microsoft Learn+3Microsoft Learn+3

Options that exclude some file types (e.g. only blocking sys and docx but not pdf or xlsx) would leave gaps, which doesn’t satisfy the requirement of blocking all those suspected files. Hence E is the correct answer.

In Microsoft Sentinel (built on Azure Monitor Logs), analytics and hunting queries are executed within a Log Analytics workspace. To run Sentinel queries for Fabrikam, the tenant must have at least one workspace (with Sentinel enabled) in its subscription to host rules, incidents, hunting queries, and workbooks. Sentinel’s cross-workspace/tenant capability is provided by cross-resource queries in Kusto Query Language (KQL). The key construct for reaching outside the current workspace is the workspace() function, which lets you reference another Log Analytics workspace by name or resource ID—even across subscriptions or tenants when proper permissions (often via Azure Lighthouse or guest access) are in place.

Typical correlation looks like:

union workspace('Fabrikam-WS').SecurityEvent, workspace('Contoso-WS').SecurityEvent | …

Here, workspace() is the required element to bring together data sets from multiple tenants; operators like extend and project only shape columns and do not establish cross-tenant scope. Therefore, to meet the requirements with minimal overhead: Fabrikam needs one workspace to host its Sentinel content, and you use workspace() in your KQL to correlate Contoso and Fabrikam data.