Practice MS-102 Manage security and threats by using Microsoft Defender XDR questions with full explanations on every answer.
1. A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?
2. An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?
3. An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?
4. A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?
5. A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?
6. A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?
7. A security administrator wants to automatically block malicious IP addresses from sending email to Exchange Online mailboxes. Which Microsoft Defender component should be configured?
8. A security analyst investigates a potential data exfiltration incident. The analyst identifies that a user's device has made multiple connections to an unknown external IP address using a custom port. Which Microsoft Defender XDR data source would provide the most detailed network communication logs for this investigation?
9. A security administrator wants to automatically block a file that is detected as malware on one endpoint from being executed on all other endpoints in the organization. Which Microsoft Defender for Endpoint capability provides this?
10. A security operations team wants to receive real-time alerts when a user is at high risk of having their account compromised based on unusual sign-in patterns. Which Microsoft Defender XDR component should they configure?
11. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?
12. A ransomware alert is confirmed in Microsoft Defender XDR on a user device that is still communicating with other endpoints. What should the administrator do first to reduce spread while preserving the ability to investigate?
13. A security administrator wants to create a custom detection rule in Microsoft Defender XDR that alerts when a device initiates an outbound TCP connection to a known malicious IP address on a non-standard port (e.g., port 4444). Which advanced hunting table should be queried to find these network connections?
14. A security team wants to automatically investigate and remediate alerts generated from Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. Which Microsoft Defender XDR capability should be configured?
15. A security analyst wants to create a custom detection rule that triggers when a user receives a phishing email that bypassed Exchange Online Protection, and then clicks a link that leads to a known malicious domain. Which two advanced hunting tables should the analyst combine to detect this chain of events?
16. A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a user's device establishes a network connection to a known malicious IP address on a port commonly used by a specific malware. The rule must also include process information such as the filename of the process that initiated the connection. Which advanced hunting table should be the primary data source for this rule?
17. A security analyst needs to search for devices that have been communicating with a known malicious command-and-control server over the past 7 days. The analyst wants to identify the process that initiated the connection. Which advanced hunting query would be most efficient?
18. A security analyst identifies a malicious file hash on one endpoint. They need to ensure that file is blocked from executing on all other endpoints in the organization immediately. Which Microsoft Defender for Endpoint feature should be used?
19. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and later clicks a link to a known malicious domain from their device. The rule will use advanced hunting queries. Which two tables should be joined to detect the click event from the device?
20. A security analyst needs to identify the specific process (filename) that initiated a network connection from a device to a known malicious IP address over the last 24 hours. Which advanced hunting table in Microsoft Defender XDR provides the necessary data including the initiating process filename and the remote IP address?
21. A security administrator wants to simulate a realistic phishing attack to train users and measure their susceptibility. The simulation should be run from within Microsoft Defender XDR and provide detailed reporting. Which feature should the administrator use?
22. A security administrator wants to prevent malware from using Office macros to spawn malicious processes. Specifically, they want to block Excel, Word, and PowerPoint from creating child processes. Which Microsoft Defender for Endpoint capability should be configured?
23. A security administrator wants to automatically isolate a device in Microsoft Defender for Endpoint whenever a high-severity alert is triggered. The isolation should occur without manual intervention. Which Microsoft Defender XDR feature should be configured?
24. A security analyst has identified a new malware sample with SHA256 hash 'abc123...'. They need to immediately block this file from executing on any managed endpoint across the organization. Which Microsoft Defender for Endpoint capability should they use?
25. A security analyst wants to search for instances where a user received a phishing email that was delivered to their inbox, and then later clicked a link within that email that led to a known malicious domain. Which two advanced hunting tables should be joined to identify both the email delivery and the link click events? (Choose the option that correctly identifies the primary table pair.)
26. A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?
27. A security administrator needs to view a unified incident queue that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. Which console should the administrator open?
28. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and later clicks a link from that email that leads to a known malicious domain. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the query to capture both the email delivery event and the link click event? (Choose two.)
29. A security analyst has identified a new malware sample with a specific SHA256 hash. The analyst needs to immediately block this file from executing on any managed endpoint across the organization, including prevention of future execution. Which Microsoft Defender for Endpoint capability should the analyst use?
30. A security analyst wants to create a custom detection rule that triggers when a device communicates with a new, unclassified IP address that has been flagged by Microsoft threat intelligence as potentially malicious. The rule should run every hour and create an incident if more than 5 such communications from the same device occur within a 24-hour window. Which advanced hunting tables should be joined in the KQL query for this rule?
31. A security administrator needs to create an automated investigation and response (AIR) playbook that automatically isolates a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook should run without requiring manual approval. Which capability in Microsoft 365 Defender should the administrator configure?
32. A security analyst is investigating a potential lateral movement attack. They need to identify which processes were created on a compromised device and then which network connections were made by those processes. Which two advanced hunting tables should the analyst join in a KQL query?
33. A security administrator wants to configure Automated Investigation and Response (AIR) in Microsoft 365 Defender to automatically isolate a device when a high-severity alert for malware is detected. Which step is required?
34. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a device establishes a network connection to an IP address that has been recently observed in threat intelligence feeds as a new, malicious command-and-control server. The rule should analyze network communication events. Which advanced hunting table should be the primary data source for the Kusto Query Language (KQL) query?
35. A user receives an email from an unknown sender with a .zip attachment. The attachment contains a potentially malicious executable file. Microsoft Defender for Office 365 is enabled. Which feature dynamically detonates the attachment in a sandbox environment and blocks it if malicious behavior is detected?
36. A security administrator wants to detect unusual user activity, such as a user downloading an abnormally large number of files from SharePoint Online in a short period. Which Microsoft Defender for Cloud Apps feature should be used to create a policy for this behavior?
37. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?
38. A security administrator needs to configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender that will automatically isolate a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook must run without requiring manual approval. Which configuration must the administrator set to achieve automatic device isolation?
39. A security administrator wants to block executable files from running from writable system directories such as %TEMP% and %APPDATA% on Windows devices. Which attack surface reduction (ASR) rule should be enabled?
40. A security administrator needs to block outbound network connections from a compromised Windows device to a known malicious IP address. The solution should be configured in Microsoft Defender for Endpoint and must work at the network layer, not relying on a user-installed client. Which feature should the administrator enable?
41. A security analyst is building a custom detection rule in Microsoft 365 Defender to identify when a user clicks a malicious URL in a phishing email and subsequently visits the malicious site from their corporate device. The analyst plans to use advanced hunting with Kusto Query Language (KQL). Which two tables must be joined to capture both the URL click event and the network connection to the malicious site?
42. An administrator wants to configure automated investigation and response (AIR) in Microsoft 365 Defender so that when a high-severity malware alert is generated for a device from Microsoft Defender for Endpoint, the device is automatically isolated from the network without requiring a security analyst to approve the action. Which configuration step is required?
43. A security administrator needs to block executable files from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?
44. A security administrator wants to monitor and control user downloads from a third-party SaaS application (e.g., Box) in real time. The administrator needs to apply session-level policies to block downloads based on risk. Which Microsoft 365 Defender feature should be used?
45. A security administrator needs to block outbound network connections from a compromised Windows device to command-and-control servers. The solution must work at the network layer and be centrally managed via Microsoft 365 Defender. Which feature should the administrator enable?
46. A security analyst wants to automatically create a Microsoft Teams message in a dedicated security channel whenever a Microsoft 365 Defender incident with severity 'High' is created. Which automation approach should the analyst use?
47. A security analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a PowerShell process with suspicious command-line arguments is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP occurs. Which two advanced hunting tables must be joined in the KQL query?
48. A security administrator wants to prevent Microsoft Office applications (Word, Excel, PowerPoint) from creating child processes, which is a common technique used by malware to execute malicious code. Which attack surface reduction (ASR) rule should be enabled?
49. A security administrator wants to block users from uploading files to personal cloud storage apps (e.g., Dropbox) from managed Windows devices, while allowing access from compliant mobile devices. Which Microsoft 365 Defender feature should be used?
50. A security administrator needs to block executable files (e.g., .exe, .ps1) from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?
51. A security analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a suspicious PowerShell process (e.g., using -EncodedCommand) is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP address occurs. Which two advanced hunting tables must be joined?
52. A security administrator wants to ensure that all email attachments are scanned in a sandbox environment and blocked if malicious, with email delivery delayed until scanning completes. Which Microsoft 365 Defender policy should the administrator configure?
53. A security analyst is using Microsoft 365 Defender Advanced Hunting to investigate a potential malware outbreak. The analyst needs to find all devices where a specific signed executable (known to be malicious) was created in the past 24 hours. Which Advanced Hunting table should be queried to detect the creation of the executable file?
54. A security administrator wants to prevent users from uploading files to unsanctioned cloud storage apps (e.g., personal Dropbox or Google Drive) from managed Windows devices. The solution must use a reverse proxy to control file uploads in real time. Which Microsoft Defender for Cloud Apps feature should the administrator configure?
55. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should fire when a Windows device exhibits this sequence of events within 3 minutes: 1) A PowerShell process runs with an encoded command, 2) A service is created with a random name, and 3) An outbound network connection to a suspicious IP address is observed. Which three Advanced Hunting tables must be joined in the KQL query to create this detection?
56. An organization wants to allow only specific company-approved USB devices (e.g., those with a specific hardware ID) on managed Windows devices. All other USB devices must be blocked. Which Microsoft 365 Defender feature should be configured?
57. A security administrator wants to prevent attackers from stealing credentials by blocking access to the Local Security Authority Subsystem Service (LSASS) from untrusted processes. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?
58. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a device makes an outbound connection to a known malicious IP address, and within 10 minutes, a process with suspicious command-line arguments is started on the same device. Which two Advanced Hunting tables must be joined using a KQL query to create this detection?
59. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a process named 'powershell.exe' is launched with command-line arguments containing '-EncodedCommand', and within 5 minutes a service is created on the same device. Which two Advanced Hunting tables must be joined in the KQL query to create this detection?
60. A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?
61. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user receives a phishing email containing a malicious URL and then clicks that URL within 10 minutes. Which two Advanced Hunting tables must be joined in the KQL query?
62. A security administrator is configuring Microsoft Defender for Cloud Apps. The administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Defender for Cloud Apps features must be configured? (Select the two correct options.)
63. A security analyst is investigating a suspected credential theft attack where an attacker attempts to dump credentials from LSASS. Which Attack Surface Reduction (ASR) rule should the administrator enable to block this activity from untrusted processes?
64. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user opens a malicious email attachment, which launches a PowerShell process, and then that PowerShell process makes an outbound connection to a known malicious IP address. Which three Advanced Hunting tables must be joined in the KQL query?
65. A security administrator wants to reduce the risk of credential dumping from LSASS on managed Windows endpoints. Which Attack Surface Reduction rule should be enabled?
66. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user opens a malicious Office document, which launches a process named cmd.exe from Microsoft Word, and then that cmd.exe process makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?
67. A security administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps features must be configured to meet these requirements? (Select all that apply.)
68. A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a user receives a phishing email and clicks a malicious link within 10 minutes. Which two tables must be joined in the KQL query?
69. A security administrator needs to block unsanctioned cloud apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps components must be configured?
70. A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a process spawned by Microsoft Word (winword.exe) makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?
71. A security administrator wants to configure Microsoft Defender for Cloud Apps to block downloads of sensitive files from Salesforce to unmanaged devices in real time. Which Defender for Cloud Apps component must be configured?
72. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user receives a malicious email attachment and then opens the attachment, resulting in a process being created (e.g., .exe file). Which two Advanced Hunting tables must be joined to correlate the email attachment with the resulting process?
73. A security analyst is investigating a potential attack where a user received a malicious email with an HTML attachment. The HTML file, when opened, fetched a JavaScript payload from a remote server that then dropped a binary on the user's machine and executed it. The analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when an email contains an HTML attachment with an external link, and that attachment is opened, causing a process creation. Which two tables should the analyst join in the KQL query to correlate the email attachment with the resulting process?
74. A security administrator wants to configure Microsoft Defender for Cloud Apps so that when a user accesses a sensitive file in a sanctioned cloud app from an unmanaged device, the user is blocked from downloading the file and a block action is logged in real time. Which type of policy should the administrator configure?
75. A company is experiencing a significant number of phishing attempts that target high-level executives by impersonating their email addresses. The security team wants to configure protection against user impersonation in Microsoft Defender for Office 365. Which setting must be enabled in the anti-phishing policy to protect these specific users?
76. You are a Microsoft 365 administrator for a multinational organization. You are implementing Microsoft Defender XDR to provide centralized threat management across multiple domains. Which three of the following capabilities are core components of Microsoft Defender XDR? (Choose three.)
77. As a security administrator, you are tuning automated investigation and response (AIR) capabilities in Microsoft Defender XDR. You need to ensure that the system can automatically remediate threats while minimizing false positives. Which three of the following actions can be taken by automated investigation and response in Microsoft Defender XDR? (Choose three.)
78. You are a Microsoft 365 administrator responsible for managing security and threats by using Microsoft Defender XDR. Which four of the following are core components or capabilities of Microsoft Defender XDR? (Choose all that apply. There are four correct answers.)
79. Drag and drop the steps to configure a Conditional Access policy in Microsoft Entra ID in the correct order.
80. Drag and drop the steps to configure a compliance retention policy in Microsoft Purview in the correct order.
81. Match each Microsoft 365 compliance feature to its purpose.
82. Match each Microsoft 365 threat scenario to the appropriate protection.
83. Your organization uses Microsoft Defender for Office 365. You need to ensure that users are warned before opening potentially malicious attachments in Outlook on the web. Which policy setting should you configure?
84. Your organization is implementing Microsoft Defender for Cloud Apps. You need to configure anomaly detection policies to alert when a user downloads an unusually large number of files from SharePoint Online. Which data source should you connect to enable this detection?
85. Your organization uses Microsoft Defender for Endpoint (MDE). You need to configure an automated investigation and response (AIR) capability that will automatically remediate a confirmed malware infection on endpoints. Which action should you enable?
86. Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate which user account is potentially compromised. Which tool should you use to correlate the alert with user activity?
87. Your organization has Microsoft Defender for Cloud Apps (MCAS) deployed. You need to create a policy that automatically blocks downloads of files classified as 'Highly Confidential' from SharePoint Online to unmanaged devices. Which policy type should you use?
88. Your organization uses Microsoft Defender for Office 365 and wants to simulate a phishing attack to train users. You need to configure a simulation that uses a URL link to a credential harvesting page. Which feature should you use?
89. Your organization uses Microsoft Defender for Endpoint. You need to configure a rule that automatically isolates a device from the network when a specific threat is detected, but only if the device is in a specific device group. Which approach should you use?
90. Your organization uses Microsoft Defender for Cloud Apps. You need to generate a report of all external users who have shared sensitive files from SharePoint Online. Which feature should you use?
91. Your organization uses Microsoft Defender for Identity. You need to configure a honeytoken account to detect attackers trying to use the account. In which location should you place the honeytoken account?
92. Your organization uses Microsoft Defender for Endpoint. You need to configure advanced hunting to query device information. Which TWO tables contain device-related data?
93. Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user signs in from an unknown IP address and then downloads a large number of files. Which THREE components should you configure?
94. Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in email messages. Which TWO features should you configure?
95. Refer to the exhibit. You run the KQL query in advanced hunting. What is the primary purpose of this query?
96. Refer to the exhibit. What is the effect of this session policy?
97. Refer to the exhibit. You deploy this configuration profile to Windows devices. What is the most likely outcome?
98. You are investigating a phishing campaign targeting your organization. In Microsoft Defender XDR, you run a KQL query in Advanced Hunting to find all email messages that contain a specific phishing URL. Which table should you query?
99. Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malicious attachments to quarantine and notifies the security team. Additionally, you want to allow users to release their own quarantined messages if they are false positives. What should you do?
100. You are a security administrator. You need to configure Microsoft Defender for Cloud Apps to detect anomalous user activities such as impossible travel. Which feature should you enable?
101. Your organization uses Microsoft Defender for Identity. You receive an alert about a potential DCSync attack. What should you do to investigate this alert in Microsoft Defender XDR?
102. Your organization has Microsoft 365 E5 licenses and uses Microsoft Defender for Office 365. You need to ensure that users are warned before clicking on malicious URLs in email messages, even if the URL is clicked after the email is delivered. Which policy should you configure?
103. You need to integrate Microsoft Defender XDR with Microsoft Sentinel for centralized monitoring. Which data connector should you use?
104. Your organization uses Microsoft Defender for Endpoint. A user reports that their device is not receiving security updates. You need to ensure that the device is properly onboarded to Defender for Endpoint. Which log should you check first?
105. You are configuring Microsoft Defender for Office 365 to protect against business email compromise (BEC) attacks. Which policy setting should you enable to analyze email sender behavior and detect impersonation attempts?
106. Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads a large number of files from Microsoft SharePoint Online in a short period. What should you create?
107. Which TWO actions can you perform using Microsoft Defender XDR's Advanced Hunting? (Choose two.)
108. Which THREE features are included in Microsoft Defender for Office 365 Plan 2 but NOT in Plan 1? (Choose three.)
109. Which TWO Microsoft Defender XDR components provide protection for email and collaboration tools? (Choose two.)
110. You are analyzing a custom detection rule in Microsoft Defender XDR. The rule is designed to alert on suspicious PowerShell execution. However, you notice that the rule is not triggering alerts even though you know such activity is occurring. What is the most likely reason?
111. You run the above PowerShell command on a Windows 10 device that is onboarded to Microsoft Defender for Endpoint. The device is reporting as healthy in the portal, but you suspect that some behavioral detection capabilities are turned off. Based on the output, which setting should you modify?
112. You run the above KQL query in Microsoft Defender XDR Advanced Hunting. The query returns no results. What is the most likely reason?
113. A company's security team needs to investigate a suspicious email that was reported by a user. The email was not blocked by Exchange Online Protection (EOP) and was delivered to the user's inbox. The security team wants to use Microsoft Defender XDR to analyze the email and its attachments. Which feature should they use to submit the email for automated investigation?
114. A security administrator needs to configure a policy that automatically blocks high-confidence phishing emails in Microsoft Defender for Office 365. The policy should be applied to all users in the finance department. The administrator wants to ensure that if an email is determined to be high-confidence phishing, it is quarantined and the user is not notified. Which type of policy should the administrator configure?
115. Refer to the exhibit. You are reviewing an anti-phishing policy configuration in Microsoft Defender for Office 365. The policy is applied to all users. A user reports that a legitimate email from a known vendor (domain contoso.com) was quarantined. The email contained a link to a rarely visited website. The link was not malicious. Which setting in the policy is most likely causing the false positive?
116. Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint Online within 10 minutes. This activity should be considered anomalous. Which type of policy should you create?
117. Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR Advanced Hunting. The query returns a list of devices where PowerShell or cmd.exe with encoded commands executed more than 5 times in the last 7 days. The security team suspects that one of the devices is compromised due to excessive use of encoded commands. However, a legitimate administrative script uses encoded commands regularly. How can you refine the query to reduce false positives while still detecting potentially malicious activity?
118. A company is implementing Microsoft Defender for Identity (MDI) to protect its on-premises Active Directory environment. The security team needs to ensure that MDI can monitor all domain controllers. They have installed the MDI sensor on all domain controllers. However, they notice that some suspicious activities are not being detected. Which additional configuration should the team verify to ensure comprehensive coverage?
119. Your organization uses Microsoft Defender for Endpoint (MDE). A security analyst needs to investigate a file that was detected as malicious on several devices. The analyst wants to see the file's prevalence across the organization and other related events. Which feature in MDE should the analyst use?
120. A company is planning to deploy Microsoft Defender for Endpoint to its Windows 10 devices. The devices are managed by Microsoft Intune. The security team wants to ensure that the MDE sensor is installed automatically on new devices that are enrolled in Intune. Which method should the team use?
121. A security administrator is configuring Microsoft Defender for Office 365 to protect against zero-day malware in attachments. The administrator wants to use dynamic delivery so that users can view the email body while the attachment is being analyzed. However, the administrator is concerned about false positives and wants to ensure that if a benign attachment is later found to be malicious, it is removed from the user's inbox. What should the administrator configure?
117Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR Advanced Hunting. The query returns a list of devices where PowerShell or cmd.exe with encoded commands executed more than 5 times in the last 7 days. The security team suspects that one of the devices is compromised due to excessive use of encoded commands. However, a legitimate administrative script uses encoded commands regularly. How can you refine the query to reduce false positives while still detecting potentially malicious activity?
118A company is implementing Microsoft Defender for Identity (MDI) to protect its on-premises Active Directory environment. The security team needs to ensure that MDI can monitor all domain controllers. They have installed the MDI sensor on all domain controllers. However, they notice that some suspicious activities are not being detected. Which additional configuration should the team verify to ensure comprehensive coverage?
119Your organization uses Microsoft Defender for Endpoint (MDE). A security analyst needs to investigate a file that was detected as malicious on several devices. The analyst wants to see the file's prevalence across the organization and other related events. Which feature in MDE should the analyst use?
120A company is planning to deploy Microsoft Defender for Endpoint to its Windows 10 devices. The devices are managed by Microsoft Intune. The security team wants to ensure that the MDE sensor is installed automatically on new devices that are enrolled in Intune. Which method should the team use?
121A security administrator is configuring Microsoft Defender for Office 365 to protect against zero-day malware in attachments. The administrator wants to use dynamic delivery so that users can view the email body while the attachment is being analyzed. However, the administrator is concerned about false positives and wants to ensure that if a benign attachment is later found to be malicious, it is removed from the user's inbox. What should the administrator configure?
122A security administrator is configuring Microsoft Defender for Cloud Apps to protect against data exfiltration from SaaS apps. The administrator wants to create a policy that alerts when a user attempts to download more than 50 files from SharePoint Online within 5 minutes. Which two components must be configured to achieve this? (Choose two.)
123A security team is investigating a potential ransomware outbreak using Microsoft Defender XDR. They have identified a suspicious PowerShell command that was executed on several devices. The team wants to use Advanced Hunting to find all other activities associated with the same command. Which three columns should they include in their KQL query to effectively correlate the activities? (Choose three.)
124A company is deploying Microsoft Defender for Office 365 to protect against advanced threats. Which two features are available only in Defender for Office 365 Plan 2 and not in Plan 1? (Choose two.)
125A security administrator is configuring Microsoft Defender for Endpoint (MDE) to automatically remediate threats. The administrator wants to ensure that when a high-severity alert is triggered, the affected device is isolated from the network. Which three components must be configured to achieve this? (Choose three.)
126Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from an anonymous IP address. Which type of policy should you create?
127A company is using Microsoft Defender for Identity (MDI) and wants to receive alerts when a user account is involved in a suspicious network connection. The security team has enabled MDI alerts but is not receiving any alerts for a specific account that is showing anomalous behavior. What should the team check first?
128Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to ensure that when a user reports a phishing email via the Microsoft Report Message add-in, the URL in the email is automatically blocked on all endpoints. What should you configure?
129Your organization has deployed Microsoft Defender for Cloud Apps. You need to ensure that all external file sharing to untrusted domains is automatically blocked. The solution must not affect internal sharing. What should you configure?
130You need to configure Microsoft Defender for Identity to alert when a user account is assigned a high number of group memberships in Active Directory. Which attack type does this correspond to?
131Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device is onboarded, it automatically receives all current threat intelligence signatures. What should you verify is configured?
132Your organization has Microsoft Defender for Office 365. Users report that legitimate emails from a partner domain are being quarantined. You need to ensure these emails are delivered while maintaining security. What should you do?
133You need to configure Microsoft Defender for Cloud Apps to detect anomalous user behavior such as impossible travel. Which type of policy should you create?
134Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a user clicks a malicious link in an email, the endpoint is automatically isolated. What should you configure?
135Your organization is implementing Microsoft Defender XDR. Which TWO actions should you take to ensure that alerts from different workloads are correlated into incidents?
136You are investigating a security incident in Microsoft 365 Defender. The incident involves a user who received a phishing email that contained a link to a malicious website. The user clicked the link and entered credentials. Which THREE components of Microsoft Defender XDR would generate alerts that contribute to this incident?
137Which TWO features in Microsoft Defender for Office 365 help protect against zero-day malware in email attachments?
138Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from a risky IP address. What should you configure?
139Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to configure automatic investigation and response (AIR) to handle a phishing email that was delivered to a user's inbox and the user clicked a link that downloaded a malicious file. What should you configure?
140Your organization deploys Microsoft Defender XDR and wants to use advanced hunting to detect lateral movement by an attacker who uses RDP from a compromised workstation to a domain controller. Which KQL query should you use in advanced hunting?
141Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically alerts when a user downloads more than 100 files from SharePoint Online in 10 minutes. What type of policy should you create?
142Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious LDAP query from a domain controller. After investigating, you determine the query is legitimate. How should you prevent future alerts for this activity?
143Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to stream advanced hunting data from Defender XDR to Sentinel to run analytics rules. What should you configure?
144Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device with a high-risk vulnerability is detected, it is automatically isolated from the network. What should you configure?
145Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the built-in anti-phishing policy. You need to analyze the email headers to determine why it was not detected. What should you use?
146Your organization uses Microsoft Defender for Cloud Apps and Microsoft Entra ID. You need to block access to a third-party cloud app that is not sanctioned. The app uses OAuth and users have already granted consent. What should you configure?
147Your organization uses Microsoft Defender for Endpoint. You need to collect investigation packages from multiple devices for forensic analysis. What is the most efficient method?
148Your organization uses Microsoft Defender XDR. You need to ensure that when an incident is created, it is automatically assigned to the appropriate analyst team based on the incident category. Which TWO actions should you configure? (Choose two.)
149Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block the use of a newly discovered cloud app that is classified as 'high risk' by the Cloud App Catalog. Which THREE actions should you take? (Choose three.)
150Your organization uses Microsoft Defender for Office 365. You need to create a Safe Attachments policy that will block all attachments with a specific file type. Which TWO elements must you configure? (Choose two.)
151A company uses Microsoft Defender for Office 365. Users report that phishing emails with malicious links are occasionally delivered to their inboxes. The security team wants to ensure that suspicious URLs are detonated in a sandbox before delivery for all recipients. What should the security team configure?
152Contoso uses Microsoft Defender XDR and has a Microsoft 365 E5 license. The security team wants to automate incident response when a user is compromised. They create a custom automation rule in the Microsoft 365 Defender portal. The rule should automatically isolate the user's device, disable the user account, and reset the user's password. Which action type should they configure in the rule?
153A company wants to receive alerts when a user account is used from an unauthorized location. They have Microsoft Defender for Cloud Apps (MDA). Which policy type should they create?
154Which TWO actions can be performed by Microsoft Defender for Identity? (Select TWO.)
155Which THREE features are part of Microsoft Defender XDR? (Select THREE.)
156A company experiences a ransomware attack that encrypts files on several endpoints. The security team wants to use automated investigation and response (AIR) capabilities in Microsoft Defender XDR to contain the threat. Which TWO actions can be taken automatically by AIR? (Select TWO.)
157An administrator deployed the above Intune device configuration policy for Microsoft Defender for Endpoint on Windows 10 devices. Users report that some potentially unwanted applications (PUA) are still being installed. What is the most likely cause?
158A security analyst runs the above KQL query in Microsoft 365 Defender. The query returns an empty result set. Which is the most likely reason?
159A tenant administrator runs the above PowerShell command to create a Conditional Access policy. Users on iOS and Android devices report that they are still prompted for MFA, but the policy is intended to exclude those platforms. What is the issue?
160A security administrator wants to review email messages that were blocked due to a malware detection in Microsoft Defender for Office 365. Which report should they use?
161A company uses Microsoft Defender for Cloud Apps to monitor cloud app usage. They want to receive alerts when a user downloads a large number of files from SharePoint Online in a short time, which could indicate data exfiltration. What should they configure?
162An organization uses Microsoft Defender for Endpoint and wants to allow only certain applications to run on managed devices. They create a custom indicator (IoA) to allow a specific application by its certificate thumbprint. However, after deployment, the application is still blocked by default Windows Defender Application Control (WDAC) policy. What is the most likely reason?
163A company wants to use Microsoft Defender XDR to automatically investigate and remediate threats across email, endpoints, and identities. Which role is required to configure automation settings in the Microsoft 365 Defender portal?
164A company uses Microsoft Defender for Office 365. They want to ensure that users cannot ignore warning messages when clicking on a malicious link in an email. What should they configure?
165Contoso has a hybrid identity environment with Microsoft Defender for Identity deployed. They suspect a compromised account is being used to perform reconnaissance against domain controllers. Which Defender for Identity alert type would most likely trigger?
166You are a security administrator for a Microsoft 365 E5 organization. You need to configure a policy that automatically blocks execution of files that have a low reputation score in Microsoft Defender for Endpoint. Which policy type should you configure?
167Your organization uses Microsoft 365 Defender. You need to ensure that when a user reports a phishing email via the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. What should you configure?
168You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malicious link in an email and clicked it. The link led to a credential phishing page. You need to identify which user accounts might have been compromised. Which Microsoft 365 Defender feature should you use?
169Your organization uses Microsoft Defender for Office 365. You need to ensure that all email messages containing encrypted attachments are automatically scanned for malware before delivery. What should you configure?
170You are a security administrator. You need to configure a policy that automatically blocks sign-ins from anonymous IP addresses for all users in your Microsoft 365 tenant. Which policy should you configure in Microsoft Entra ID?
171Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing sensitive data from an unmanaged device. You need to automatically restrict the user's access to sensitive data until the device is compliant. What should you configure?
172You are configuring Microsoft Defender for Identity to monitor on-premises Active Directory. You need to ensure that honeytoken accounts are configured to detect attackers attempting to use them. What is a honeytoken account?
173Your organization uses Microsoft 365 Defender. You need to configure automated investigation and response (AIR) to automatically remediate high-confidence phishing emails. What should you configure?
174You are a security administrator. You need to configure a Microsoft Defender for Endpoint policy that prevents users from running executables from the Temp folder. Which Attack Surface Reduction (ASR) rule should you enable?
175You need to configure Microsoft Defender for Office 365 to protect users from malicious links in email. Which TWO actions should you configure?
176You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malware attachment. Which THREE actions can you take from the incident page?
177Your organization uses Microsoft Defender for Identity. You need to configure honeytoken accounts. Which THREE attributes should you ensure are NOT set for honeytoken accounts?
178You are reviewing a Microsoft Defender for Cloud Apps file policy. The exhibit shows a policy snippet. What is the effect of this policy?
179You are hunting for malicious activity in Microsoft 365 Defender. The exhibit shows a KQL query. What is the query searching for?
180You are configuring a mail flow rule in Exchange Online. The exhibit shows a snippet. What will this rule do?
181Your organization uses Microsoft 365 E5 and has Microsoft Defender for Office 365 enabled. Users report that legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives while maintaining security. What should you do?
182Your company has deployed Microsoft Defender for Endpoint on all Windows devices. You are investigating an alert for a suspicious PowerShell command that was blocked by Attack Surface Reduction (ASR) rules. The alert shows the command was executed from a script embedded in a Word document. You need to identify the ASR rule that blocked this activity. Which rule is most likely responsible?
183Your organization uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) for email and collaboration content. Which policy type should you configure in the Microsoft 365 Defender portal?
184Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user account that is exhibiting suspicious behavior: unusual login times from an IP address that is not in the user's typical location. The alert recommends action. You need to determine if the account is compromised. What is the best next step?
185Your organization has Microsoft Defender for Endpoint deployed. You are investigating a potential ransomware incident. The device timeline shows a series of events: a user downloaded a malicious attachment from an email, which then executed a script that encrypted files and attempted to propagate to other devices via SMB. You need to configure a custom detection rule to alert on similar behavior in the future. Which KQL query should you use as a basis?
186Your organization uses Microsoft Defender XDR. You need to configure a policy that automatically blocks high-risk user activities in Microsoft Defender for Cloud Apps. Which feature should you configure?
187Your organization uses Microsoft Defender for Office 365. You receive a report that users are receiving spoofed email messages that appear to come from your own domain. The spoofed messages are not being filtered. You need to ensure that spoofed messages from your domain are blocked. What should you do?
188Your organization uses Microsoft Defender for Endpoint and Microsoft Defender for Identity. A user reports that their account was used to send a large volume of email messages to internal recipients, which appears to be a potential account compromise. You need to determine if the account is compromised and if any lateral movement occurred. Which data sources should you analyze in Microsoft Defender XDR?
189Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for SaaS applications. Which Microsoft 365 security solution provides this capability?
190Your organization uses Microsoft Defender XDR. You are configuring a custom detection rule to detect a specific behavior: a user runs a PowerShell script that connects to a known malicious IP address. Which TWO advanced hunting tables should you use in your KQL query to detect this behavior?
191Your organization has Microsoft Defender for Endpoint deployed on all devices. You are investigating an incident where a user received a phishing email containing a link that led to a drive-by download. The download executed a script that attempted to modify registry run keys for persistence. Which THREE advanced hunting tables should you use to investigate this attack chain?
192Your organization uses Microsoft Defender XDR. You need to configure automated actions for high-confidence phishing emails. Which TWO actions can be automatically taken by Microsoft Defender for Office 365?
193You run the KQL query shown in the exhibit in Microsoft Defender XDR advanced hunting. What is the primary purpose of this query?
194You are reviewing a conditional access policy in Microsoft Entra ID as shown in the exhibit. The policy is intended to block sign-ins that are considered risky. However, some high-risk users are still able to sign in. What is the most likely reason?
195You create a custom detection rule in Microsoft Defender XDR using the KQL query shown in the exhibit. The rule is intended to detect lateral movement via SMB. After deploying the rule, you notice that it generates many false positives from legitimate administrative activity. What is the most effective way to reduce false positives?
196You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure a policy to automatically remediate high-severity incidents involving ransomware on Windows 10 devices. The solution must minimize manual intervention. Which automation level should you configure in the automated investigation and response (AIR) capabilities?
197Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You discover that a user's credentials were compromised and used to access sensitive data in SharePoint Online from an unusual location. You need to automatically suspend the user and prevent further access to cloud apps. What should you configure?
198Your company uses Microsoft Defender XDR. You need to review the list of incidents that were investigated automatically by the system. Where should you navigate in the Microsoft Defender portal?
199You are a security analyst. You need to create a custom detection rule in Microsoft Defender XDR that triggers an alert when a user account is created and then added to a privileged role within 24 hours. Which advanced hunting table should you primarily use?
200Your organization has Microsoft Defender for Cloud Apps deployed. You need to be alerted when a user performs more than 50 failed login attempts in an hour from a non-corporate IP address. Which type of policy should you create?
201You are a security administrator. You need to ensure that email messages containing malicious attachments are automatically removed from all mailboxes in your organization after delivery. Which Microsoft Defender for Office 365 feature should you configure?
202Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from SharePoint Online to an unmanaged device. You need to automatically block the download and alert the security team. What should you configure?
203Your organization uses Microsoft Defender for Identity. You need to investigate an alert indicating a suspected lateral movement using pass-the-hash from a compromised workstation. Which entity should you prioritize examining in the investigation timeline?
204You are configuring policies in Microsoft Defender for Office 365. You need to ensure that users cannot click through to a malicious website that is hosted on a newly registered domain. Which policy setting should you enable?
205You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure an automated investigation and response (AIR) policy to automatically remediate threats on devices. Which two actions can be taken automatically without requiring administrator approval? (Choose two.)
206Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user shares a file containing sensitive data with an external domain. Which three components must you configure in the policy? (Choose three.)
207You are a security analyst. You need to investigate a potential malware outbreak on a device using Microsoft Defender XDR. Which three data sources can you include in an advanced hunting query to gather relevant information? (Choose three.)
208Your organization uses Microsoft Defender for Office 365. Users report that legitimate emails from a specific partner domain are being moved to Junk Email folder. You verify that the partner's SPF, DKIM, and DMARC records are correctly configured. Which two actions should you take to resolve this issue?
209You are investigating an incident in Microsoft Defender XDR where a user received a phishing email that contained a link to a malicious site. The user clicked the link but did not enter credentials. Which actions would be most effective to remediate the incident?
210Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive files from a specific cloud app if the user's risk score is high. Which integration and policy type should you use?
211A user reports that they are unable to access a file in SharePoint Online. You check the audit log and see that the file was quarantined by Microsoft Defender for Office 365. What is the most likely reason?
212You are a security administrator. You need to investigate a suspicious logon from an anonymous IP address. Which Microsoft Defender XDR data source should you query first?
213Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user who is performing an unusual number of failed logon attempts from a non-corporate IP address. The user is a member of the Finance group. What is the recommended first step?
214Your organization has Microsoft Defender for Office 365 Plan 2. You want to set up a policy that automatically moves messages containing malware to quarantine and notifies the security team. Which policy should you configure?
215You are configuring Microsoft Defender for Cloud Apps to detect anomalous behavior. You need to set up a policy that triggers an alert when a user downloads more than 100 files from SharePoint Online in 10 minutes. Which policy template should you use?
216You run the KQL query in Microsoft Defender XDR. The query returns a list of users who logged into Exchange Online more than 10 times in the last day from a single IP address. However, you notice that some IP addresses are internal corporate IPs. What should you add to the query to focus on suspicious logons from external IPs?
217You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block access to Exchange Online for users with high risk level. However, users with high risk are still able to access Exchange Online. What is the most likely cause?
218You are configuring a network security policy in Microsoft Defender for Cloud Apps. The exhibit shows a policy to block traffic from known Tor exit nodes. However, the policy is not blocking traffic from IP 185.220.101.5. What is the most likely reason?
219Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. A user receives an email with a link that leads to a malicious website. The user clicks the link, but the browser is protected by Microsoft Defender SmartScreen. However, the user is still able to download a file from the site. What should you configure to prevent this?
220You are configuring Microsoft Defender for Identity (MDI) to monitor for lateral movement attacks. Which of the following activities would MDI alert on as a potential lateral movement?
221Your organization uses Microsoft Defender XDR. You want to create a custom detection rule that triggers an alert when a specific process is created on multiple endpoints. Which advanced hunting table should you use?
222Your organization is using Microsoft Defender for Cloud Apps. You want to generate an alert when a user shares a file containing sensitive information with an external domain. You have configured a file policy with the condition: 'Inspection method: Data Classification Service' and 'Inspection type: Sensitive information type'. However, no alerts are triggered. What is the most likely reason?
223Your organization uses Microsoft Defender for Office 365. Users report that some phishing emails are still reaching inboxes despite the anti-phish policy being enabled. You need to reduce the number of phishing emails that bypass the filter. What should you configure?
224You manage a Microsoft Defender for Endpoint environment. A device onboarded to Defender for Endpoint is not reporting alerts. You run the Microsoft Defender for Endpoint client analyzer and see that the service is running. Which log should you review to troubleshoot the issue?
225Your organization has deployed Microsoft Defender for Cloud Apps. You want to detect anomalous behavior such as impossible travel for users accessing cloud apps. You need to configure the appropriate policy. Which policy type should you create?
226A user reports that they cannot access a legitimate external website because Microsoft Defender for Endpoint is blocking it. The website is required for business. What should you do to allow access while maintaining security?
227Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate the alert. Which log should you analyze in Microsoft Defender for Identity?
228You are configuring Microsoft Defender for Office 365 anti-phish policy. You want to protect against user impersonation attacks. The CEO and CFO are frequent targets. What should you configure in the anti-phish policy?
229Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing a sanctioned cloud app from an unknown IP address. You want to require multi-factor authentication (MFA) for this access. What should you configure?
230You manage Microsoft Defender for Endpoint. A device is showing as 'Inactive' in the device inventory. The device is turned on and connected to the network. What is the most likely cause?
231You are designing an incident response plan using Microsoft Defender XDR. You want to automate the containment of compromised devices when a high-severity incident is detected. What should you configure?
232Which TWO actions can you perform in the Microsoft Defender XDR portal to investigate a security incident?
233Which THREE settings can you configure in a Microsoft Defender for Office 365 anti-phish policy?
234Which TWO components are part of Microsoft Defender XDR?
235You are reviewing a Microsoft Defender for Cloud Apps policy JSON. What does this policy do?
236You run the above KQL query in Microsoft Defender for Endpoint advanced hunting. What is the purpose of this query?
237. You are a security administrator for a large enterprise with 10,000 users. The company uses Microsoft 365 E5 licenses, which include Microsoft Defender XDR. The company has recently experienced a series of ransomware attacks where attackers gained initial access through phishing emails, then moved laterally using compromised credentials, and finally deployed ransomware on file servers. The CISO wants to implement a comprehensive defense strategy that reduces the attack surface and automates response. The requirements are: 1) Prevent phishing emails from reaching users, especially those targeting executives. 2) Detect and block lateral movement using compromised credentials. 3) Automatically contain compromised devices during an incident. 4) Provide a unified incident view across email, endpoints, and identities. You need to recommend a solution that meets all requirements with minimal manual effort. What should you do?
238. Contoso uses Microsoft 365 E5 and has enabled Microsoft Defender for Office 365. Users report that legitimate external emails are being quarantined. You need to reduce false positives without reducing protection. What should you do?
239. Your organization uses Microsoft Defender for Endpoint. A security analyst reports that a critical file was quarantined on several devices, but the file is a trusted application. You need to restore the file and prevent future false positives. What should you do?
240. As a Microsoft 365 administrator, you need to ensure that sensitive data is not shared externally via email. You configure Data Loss Prevention (DLP) policies in Microsoft Purview. What is the primary purpose of a DLP policy?
241. Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large amounts of data from a sanctioned cloud app from an unusual location. You need to automatically suspend the user's access when such activity is detected. What should you configure?
242. You are investigating a potential security incident in Microsoft Defender XDR. The incident involves a user who received a phishing email and clicked a link that executed a PowerShell script. You need to perform a detailed investigation of the PowerShell script's behavior across all affected devices. Which feature should you use?
243. Your organization uses Microsoft Defender for Office 365. You need to ensure that malicious links in email messages are blocked at the time of click by checking the link reputation in real time. What should you enable?
244. You are a Microsoft 365 administrator. A user reports that they received a Microsoft Teams message from an external user containing a link to a malicious website. The user clicked the link but did not enter any credentials. You need to prevent similar incidents in the future. What should you configure?
245. Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt from a domain controller. You need to determine if the account was compromised by checking for lateral movement. What should you do in the Microsoft Defender portal (formerly the Microsoft 365 Defender portal)?
246. Your organization has Microsoft 365 E5 and uses Microsoft Defender for Cloud Apps. You want to block downloads from an unsanctioned cloud app that is used by some employees. What should you configure?
247. You are configuring Microsoft Defender for Office 365. Which TWO actions should you take to protect users from phishing attacks that use impersonation?
248. You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different sources. Which THREE actions should you take during the investigation?
249. Your organization uses Microsoft Defender for Cloud Apps. You want to control the use of personal cloud storage apps. Which TWO actions should you take?
250. You are configuring Microsoft Defender for Identity. Which THREE capabilities does it provide?
251. Refer to the exhibit. You are configuring a session policy in Microsoft Defender for Cloud Apps. The policy must block downloads when both the app risk is high and the user risk is high. Based on the exhibit, which additional condition should you add to ensure the policy only applies to unsanctioned apps?
252. You are the security administrator for a multinational organization using Microsoft 365 E5. The organization has 10,000 users across three regions: North America, Europe, and Asia. You have deployed Microsoft Defender for Endpoint on all Windows devices and enabled Microsoft Defender for Office 365. Recently, a sophisticated phishing campaign targeted executives in Europe, using a custom domain that closely resembles your legitimate domain (e.g., contoso.com vs. contos0.com). The emails bypassed anti-spam and anti-phishing policies. You need to configure protection to block these impersonation attempts without affecting legitimate emails from the actual domain. You must also ensure that any similar future attempts using different variations are automatically detected. What should you do?
253. Your company uses Microsoft Defender for Endpoint and Microsoft Intune. You have a group of remote users who connect to the corporate network via VPN. Recently, several of these devices were compromised due to unpatched vulnerabilities. You need to ensure that devices that are missing critical security updates are automatically blocked from accessing corporate resources. The solution must integrate with Microsoft Defender for Endpoint's threat and vulnerability management (TVM) data. What should you configure?
254. Your organization uses Microsoft 365 E5 and has deployed Microsoft Defender for Cloud Apps. You discover that a user in the finance department is using a personal cloud storage app to store sensitive financial data. The app is unsanctioned. You need to prevent any further uploads of sensitive data to this app. Additionally, you want to automatically alert when users attempt to access this app from unmanaged devices. You must not block access entirely, as some users need to read data already stored there. What should you configure?
255. Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You need to configure automated remediation for a confirmed phishing email that was delivered to a user's inbox. The remediation should also block the sender's domain across the tenant. Which action should you include in the automation playbook?
256. Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A user reports that their device is running slowly and exhibiting unusual network traffic. You investigate in Microsoft Defender XDR and see a high number of alerts for the device. You need to determine if the device is compromised and, if so, initiate an automated investigation. What should you do first?
257. Your organization uses Microsoft Defender for Cloud Apps. You want to detect when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?
258. Your organization has Microsoft Defender for Office 365 Plan 2. You need to ensure that when a user reports a phishing email using the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the result. What should you configure?
259. Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A security analyst reports that several domain controllers are generating alerts for anomalous logon activity. You need to investigate the scope of the potential compromise across the entire environment, including endpoints, identities, and cloud apps. What is the most efficient approach?
260. Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads more than 100 files from SharePoint Online within 10 minutes. What should you configure?
261. Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A user reports receiving a suspicious email with a link to a known phishing site. You need to prevent other users from clicking similar links in the future. What should you configure?
262. Your organization has Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A critical server is showing signs of a ransomware attack. You need to contain the threat while preserving forensic evidence for analysis. What should you do first?
263. Your organization uses Microsoft Defender for Office 365. You need to ensure that emails containing malicious attachments are automatically removed from users' inboxes after detection. What should you configure?
264. Your organization uses Microsoft Defender XDR. You need to configure automatic response actions for a high-severity incident. Which TWO options are available in the Microsoft Defender XDR automated investigation and response capabilities?
265. Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A security incident involves a user who accessed a malicious link from an email and then uploaded sensitive data to an external cloud app. Which THREE Microsoft Defender XDR components would provide relevant alerts and insights for this incident?
266. Your organization uses Microsoft Defender for Endpoint (Plan 2). You need to configure a custom detection rule that alerts when a specific process attempts to access the internet. Which TWO components are required to create this custom detection?
267. Refer to the exhibit. You run the KQL query and see that a device named 'WORKSTATION42' has made 1500 connections to a public IP address 203.0.113.55 in the last day. You suspect the device may be compromised. What should you do next to gain the most context?
268. Your organization is a multinational company with 10,000 users. You use Microsoft Defender for Office 365 Plan 2, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Recently, a sophisticated phishing campaign targeted your executives. The campaign used personalized emails with malicious links that bypassed Safe Links protection. Several executives clicked the links and entered their credentials on a fake login page. The attackers then used those credentials to access the executives' mailboxes and exfiltrate sensitive data. You need to implement a solution that prevents similar attacks in the future by automatically blocking access to newly discovered phishing sites and providing real-time protection when users click unknown URLs. The solution should also allow you to simulate phishing campaigns to train users. What should you do?
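The download-burst scenario in question 260 (and the anonymous-IP scenario in question 257) is configured as a Defender for Cloud Apps activity policy in the portal, which is not expressible as code. What a practitioner does want in code is the advanced hunting query used to validate such a threshold against historical tenant data before turning the policy on. The query below is an added example written for this page, not part of the question bank or of any Microsoft documentation; it runs in the Microsoft Defender portal's advanced hunting page against the CloudAppEvents table. The 100-file threshold and 10-minute window come from the question; the 7-day lookback is an assumption.

```kql
// Constructed example: accounts that downloaded more than 100 files from
// SharePoint Online within a 10-minute bin. Threshold and window are taken
// from the question above; the 7-day lookback is an assumption.
let Threshold = 100;
let Window = 10m;
CloudAppEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft SharePoint Online"
| where ActionType == "FileDownloaded"
| summarize Downloads = count(),
            Files = dcount(ObjectName),            // distinct files, not repeat fetches of one file
            SourceIPs = make_set(IPAddress, 5),
            AnonymousProxyEvents = countif(IsAnonymousProxy == true),  // same column an anonymous-IP policy keys on
            arg_max(Timestamp, ReportId)           // keep Timestamp + ReportId so the query is custom-detection ready
    by AccountObjectId, AccountDisplayName, TimeBin = bin(Timestamp, Window)
| where Downloads > Threshold
| order by Downloads desc
```

Two caveats matter when reading the results. `bin()` produces tumbling windows, so a burst that straddles two 10-minute bins can split into two counts below the threshold; the portal's activity policy uses a repeated-activity rule that does not have this edge, which is why the policy, not a hunting query, is the enforcement mechanism. And `Downloads` counts audit events, so one user opening the same file 150 times is flagged alongside real bulk exfiltration; the `Files` column separates the two. Because the output keeps `Timestamp`, `ReportId` and `AccountObjectId`, the same query can be saved as a custom detection rule if you want an alert rather than a policy.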
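Question 266 asks which components a custom detection needs; the part that is easy to get wrong in practice is the query shape, because the Microsoft Defender portal refuses to save a rule whose results lack `Timestamp`, `ReportId` and an impacted-asset column such as `DeviceId`. The query below is an added example written for this page, not a query from the question bank or from Microsoft; it runs against the DeviceNetworkEvents table in advanced hunting. The watched process name is a placeholder, not a known indicator.

```kql
// Constructed example: custom detection that fires when a named process
// opens outbound connections to public IP space. The process name is a
// placeholder chosen for this example, not a real threat indicator.
let WatchedProcess = "updater-helper.exe";
DeviceNetworkEvents
// Attempts as well as completed connections: a blocked attempt is still
// evidence that the process tried to reach out.
| where ActionType in ("ConnectionRequest", "ConnectionSuccess")
| where InitiatingProcessFileName =~ WatchedProcess
// RemoteIPType is pre-classified by the sensor; "Public" excludes RFC 1918,
// loopback and link-local ranges without hand-written CIDR tests.
| where RemoteIPType == "Public"
// Collapse to one row per process instance and destination. arg_max(.., *)
// keeps every column, so Timestamp, ReportId and DeviceId survive the
// summarize; a plain count() would drop them and the rule could not be saved.
| summarize arg_max(Timestamp, *) by DeviceId, InitiatingProcessId, RemoteIP
| project Timestamp, ReportId, DeviceId, DeviceName,
          InitiatingProcessAccountName, InitiatingProcessFileName,
          InitiatingProcessFolderPath, InitiatingProcessCommandLine,
          InitiatingProcessParentFileName,
          RemoteIP, RemotePort, RemoteUrl
```

Save the query from the advanced hunting page as a detection rule, choose `DeviceId` as the impacted asset so the alert attaches to the device, and pick the run frequency deliberately: the frequency sets the lookback window the rule scans, and a rule with an automatic response action such as device isolation should be run against historical data first, because a filter on `RemoteIPType == "Public"` alone will also match legitimate software that phones home. Narrowing on `InitiatingProcessFolderPath` (user-writable locations) or `RemoteUrl` before enabling a response action is the usual way to cut that noise.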
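For question 267, the context that decides whether 1500 connections to one IP is a beacon or a benign poller is the identity of the process that made them, the account it ran under, how the binary arrived on the host, and whether other devices talk to the same address. The query below is an added example written for this page, not the exhibit's query or any Microsoft sample; it pivots from the finding in the question to those four facts in one advanced hunting query. The device name and IP are the ones in the question; the 1-day and 7-day lookbacks are assumptions.

```kql
// Constructed example: pivot from "device X made N connections to IP Y" to
// the responsible process, its origin on disk, and the blast radius.
// Device name and IP come from the exhibit; lookbacks are assumptions.
let SuspectDevice = "WORKSTATION42";
let SuspectIP = "203.0.113.55";
let Window = 1d;
// How many other devices reached the same IP. One host is a single
// compromise; many hosts is either a campaign or a shared benign service.
let OtherDeviceCount = toscalar(
    DeviceNetworkEvents
    | where Timestamp > ago(Window) and RemoteIP == SuspectIP
    | where DeviceName !~ SuspectDevice
    | summarize dcount(DeviceId));
// Which process on the suspect device owns the connections, as which
// account, with what command line and parent.
let Culprits =
    DeviceNetworkEvents
    | where Timestamp > ago(Window)
    | where DeviceName =~ SuspectDevice and RemoteIP == SuspectIP
    | summarize Connections = count(),
                FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
                Ports = make_set(RemotePort, 10),
                Urls = make_set(RemoteUrl, 5)
        by DeviceId, InitiatingProcessSHA256, InitiatingProcessFileName,
           InitiatingProcessFolderPath, InitiatingProcessCommandLine,
           InitiatingProcessParentFileName, InitiatingProcessAccountName;
// Where the binary came from: the earliest creation of that hash on the
// device, including the download URL when a browser fetched it.
Culprits
| join kind=leftouter (
    DeviceFileEvents
    | where Timestamp > ago(7d) and DeviceName =~ SuspectDevice
    | where ActionType == "FileCreated" and isnotempty(SHA256)
    | summarize arg_min(Timestamp, FileOriginUrl, InitiatingProcessFileName,
                        InitiatingProcessCommandLine) by SHA256
    | project InitiatingProcessSHA256 = SHA256, DroppedAt = Timestamp,
              FileOriginUrl, DroppedBy = InitiatingProcessFileName,
              DroppedByCommandLine = InitiatingProcessCommandLine
  ) on InitiatingProcessSHA256
| extend OtherDevicesSameIP = OtherDeviceCount
| order by Connections desc
```

Roughly 1500 connections in a day is about one per minute, which is the cadence of both a command-and-control beacon and an ordinary update or telemetry agent; a signed vendor binary under Program Files with a vendor hostname in `Urls` closes the case, while an unsigned binary in a user-writable path that a browser or Office process dropped (`DroppedBy`, `FileOriginUrl`) is the point at which to open the device page timeline in the Microsoft Defender portal and consider isolating the device. `OtherDevicesSameIP` tells you whether that isolation decision is about one host or the whole fleet.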
269. Your organization is a financial services company with 5,000 users. You use Microsoft Defender XDR, including Defender for Endpoint Plan 2, Defender for Identity, Defender for Office 365 Plan 2, and Defender for Cloud Apps. You have recently deployed Microsoft Copilot for Security to assist your security operations center (SOC) analysts. A high-severity incident is generated: 'A user named jdoe accessed a malicious IP address from their device, and then logged into the Azure portal from an anonymous IP address. Defender for Identity detected a suspicious Kerberos ticket request from the same user's domain controller.' The SOC analysts are overwhelmed with alerts and need to quickly understand the full scope of the incident, including related alerts, impacted assets, and recommended actions. They also want to use natural language to ask questions about the incident. What should you do to enable the analysts to efficiently investigate this incident?
270. Your organization is a small business with 200 users. You use Microsoft 365 Business Premium, which includes Microsoft Defender for Business (the small business version of Defender for Endpoint) and Microsoft Defender for Office 365 Plan 1. You want to protect against ransomware by blocking malicious processes and behaviors on endpoints. You also need to enable automated investigation and response for common threats. However, your IT team has limited security expertise and wants a simple configuration that provides out-of-the-box protection without custom policies. What should you do?
271. You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) to automatically remediate threats. Which two actions should you take?
272. You are investigating an alert in Microsoft Defender XDR that indicates a user clicked a malicious link in an email. You need to gather additional information to determine the scope of the attack. Which three sources should you examine?
273. You are configuring Microsoft Defender for Office 365 to protect against sophisticated phishing attacks. You need to ensure that users are warned about potentially malicious messages that bypass other filters. Which two policies should you configure?
274. Your organization uses Microsoft Defender XDR and Microsoft Sentinel in a hybrid deployment. You are the security operations lead. A new regulation requires that all security alerts be automatically enriched with threat intelligence indicators from an external feed before being sent to Sentinel. You need to implement this enrichment with minimal latency and without writing custom code. What should you do?
275. You are a security administrator for a multinational company that uses Microsoft Defender XDR. You have deployed Microsoft Defender for Endpoint on all devices. The company has a strict policy that any device with a high-severity alert must be isolated from the network immediately. You need to configure an automated response that isolates the device as soon as a high-severity alert is generated. What should you do?
276. Your company uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are the security administrator. The company's incident response team receives hundreds of low-severity alerts daily, causing alert fatigue. You need to reduce noise by automatically closing low-severity alerts that are determined to be false positives by Microsoft's threat intelligence. You want to minimize manual effort and ensure that only alerts with high confidence of being false positives are closed. What should you do?
277. You are a security administrator for an organization that uses Microsoft Defender XDR. You want to provide your security operations team with a unified view of all incidents across endpoints, email, and identities. You also want to automate the creation of incidents when correlated alerts are detected. What should you do?
278. Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user reports a phishing email using the Microsoft Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. You want to minimize administrative effort. What should you do?
279. Your company uses Microsoft Defender XDR and Microsoft Defender for Cloud Apps. You have discovered that a user's credentials were compromised and used to access a SaaS application from an unusual location. You need to automatically suspend the user's access to all cloud apps and require a password reset. The suspension should be immediate upon detection. What should you do?
280. You are a security administrator for a company that uses Microsoft Defender XDR. You need to generate a report that shows the number of incidents closed as true positive, false positive, and benign in the last 30 days. You want to use built-in features without writing custom queries. What should you do?
281. Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are a security administrator. The security team wants to receive email notifications for high-severity incidents only. You need to configure the notification settings. What should you do?
282. Your company uses Microsoft Defender XDR and Microsoft Defender for Identity. You have detected that a domain controller is communicating with a known malicious IP address. You need to immediately contain the threat by isolating the domain controller from the network while preserving forensic data. However, you cannot afford downtime for authentication services. What should you do?
283. Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user is determined to be compromised (e.g., due to a leaked credential), all active sessions are terminated and the user is required to re-authenticate with multi-factor authentication (MFA). You want to automate this process as much as possible. What should you do?
284. You are a security administrator for a company that uses Microsoft Defender XDR. You need to investigate a suspicious email that was reported by a user. You want to see the full email details, including headers, attachments, and URLs. Where should you look?
The Manage security and threats by using Microsoft Defender XDR domain covers the key concepts tested in this area of the MS-102 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all MS-102 domains — no account required.
The Courseiva MS-102 question bank contains 284 questions in the Manage security and threats by using Microsoft Defender XDR domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Manage security and threats by using Microsoft Defender XDR domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.