Question 10 - Microsoft SC-200 Security Operations Analyst Real Exam Questions [Jan 2026 Update]

Q: 10

You receive a security bulletin about a potential attack that uses an image file. You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack. Which indicator type should you use?

Options

Correct Answer:

Explanation

The security bulletin identifies a specific image file as the attack vector. In Microsoft Defender for Endpoint, the most direct and precise method to identify and block a specific file is by using its unique hash (e.g., SHA-256, SHA-1, or MD5). Creating a file hash indicator of compromise (IoC) and setting the action to "Alert and block" instructs Defender for Endpoint to prevent the file from being read, written, or executed on any managed device. This action directly fulfills the requirement to prevent the attack.

Why Incorrect

A. A URL/domain indicator targets network addresses, not files. Additionally, the "Alert only" action would not prevent the attack; it would only generate a notification.

B. A URL/domain indicator is inappropriate because the threat is a specific file, not a website or network location.

D. A certificate indicator blocks all files signed with a specific certificate. This is less precise than a file hash and could cause unintended consequences by blocking legitimate files signed with the same certificate.

References

1. Microsoft Learn. (2023). Create indicators. Microsoft Defender for Endpoint.

Section: "File indicators"

Content: "You can create an indicator for a file hash. ... When you create an indicator for a file

you can choose from the following actions: Allow

Audit

Warn

Block and remediate

and Alert and block." The "Alert and block" action is described as preventing the file from being read

written

and executed. This directly supports using a file hash to block a malicious file.

2. Microsoft Learn. (2023). Create indicators. Microsoft Defender for Endpoint.

Section: "URL and domain indicators"

Content: "URL/domain indicators prevent users from accessing the URL/domain through the web browser." This confirms that URL/domain indicators are for network locations

not local files.

3. Microsoft Learn. (2023). Create indicators. Microsoft Defender for Endpoint.

Section: "Certificate indicators"

Content: "You can create indicators for certificates that will block files that are signed with the blocked certificate from being run in your organization." This shows that certificate indicators are for blocking based on the signer

which is a broader and less specific method than blocking a single file by its hash.

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE