MS-102 Manage security and threats by using Microsoft Defender XDR • Complete Question Bank
Complete MS-102 Manage security and threats by using Microsoft Defender XDR question bank — all 0 questions with answers and detailed explanations.
Drag a concept onto its matching description, or click a concept then click the description.
- Prevents sensitive data from being shared
- Searches and exports content for legal cases
- Keeps or deletes content based on rules
- Classifies and protects data
- Records user and admin activities
Drag a concept onto its matching description, or click a concept then click the description.
- Anti-phishing policy in Defender for Office 365
- Safe Attachments policy
- Safe Links policy
- Identity Protection and Conditional Access
- Data Loss Prevention policy
Refer to the exhibit.
```kusto
// KQL query in Microsoft Defender XDR advanced hunting
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| summarize Count = count() by DeviceName
| where Count > 10
```
Refer to the exhibit. Microsoft Defender for Cloud Apps session policy configuration snippet:
```json
{
  "policyType": "session",
  "name": "Block Download for Unmanaged Devices",
  "conditions": {
    "clientType": {
      "include": ["browser", "nativeClient"]
    },
    "deviceTag": {
      "include": ["unmanaged"]
    },
    "app": {
      "include": ["SharePoint Online", "OneDrive for Business"]
    }
  },
  "actions": {
    "block": ["download"]
  }
}
```
Refer to the exhibit.
```json
{
  "displayName": "Custom Detection Rule",
  "query": "DeviceProcessEvents | where Timestamp > ago(7d) | where FileName has_any ('powershell.exe', 'cmd.exe') | where ProcessCommandLine contains 'Invoke-Expression'",
  "action": {
    "type": "Alerting",
    "severity": "Medium",
    "category": "Execution",
    "description": "Suspicious PowerShell execution detected"
  }
}
```
Refer to the exhibit.
```powershell
Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableBlockAtFirstSeen
```
Output:
```
DisableRealtimeMonitoring : False
DisableBehaviorMonitoring : True
DisableBlockAtFirstSeen   : False
```
Refer to the exhibit.
```kusto
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| summarize BlockedCount = count() by SenderDomain
| top 10 by BlockedCount
```
Refer to the exhibit.
```json
{
  "PolicyName": "HighConfPhishing",
  "RecommendedPolicyType": "AntiPhishBuiltIn",
  "Policy": {
    "PhishThresholdLevel": 2,
    "Action": "Quarantine",
    "QuarantineTag": "AdminOnlyAccess",
    "EnableFirstContactSafetyTips": false,
    "EnableUnusualCharactersSafetyTips": false,
    "EnableMailboxIntelligence": true,
    "EnableMailboxIntelligenceProtection": true,
    "MailboxIntelligenceProtectionAction": "Quarantine",
    "EnableOrganizationDomainsProtection": true,
    "EnableSimilarUsersSafetyTips": true,
    "EnableTargetedUserProtection": true,
    "TargetedUserProtectionAction": "Quarantine",
    "EnableSimilarDomainsSafetyTips": true,
    "EnableTargetedDomainProtection": true,
    "TargetedDomainProtectionAction": "Quarantine"
  }
}
```
KQL query:
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-e", "-enc")
| summarize Count = count() by DeviceName, FileName
| where Count > 5
```
Refer to the exhibit.
```json
{
  "DeviceConfiguration": {
    "Antivirus": {
      "DisableRealtimeMonitoring": false,
      "PUAProtection": "AuditMode",
      "CloudBlockLevel": "High",
      "CloudTimeout": 50
    }
  }
}
```
Refer to the exhibit.
```kusto
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| where FileName has_any ("ransomware", "encrypt")
| summarize ThreatCount = count() by DeviceName
| top 10 by ThreatCount
```
Refer to the exhibit.
```powershell
$config = @{
    TenantId            = "contoso.onmicrosoft.com"
    PolicyName          = "Strict Security"
    UserRiskLevels      = @("high", "medium")
    SignInRiskLevels    = @("high")
    ExcludePlatforms    = @("iOS", "Android")
    IncludeApplications = @("All")
    GrantControls       = @{
        BuiltInControls = @("mfa", "compliantDevice")
        TermsOfUse      = @("TOU1")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $config
```
Refer to the exhibit.
```json
{
  "Action": "Allow",
  "Conditions": {
    "FileSize": {
      "GreaterThan": 10485760,
      "LessThan": 104857600
    },
    "FileType": "docx, xlsx, pptx",
    "FromLocation": "Internet"
  },
  "Name": "BlockLargeOfficeFiles"
}
```
Refer to the exhibit.
```kql
DeviceProcessEvents
| where Timestamp between (datetime(2024-01-01) .. datetime(2024-01-02))
| where FileName == "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
Refer to the exhibit.
```xml
<Policy>
  <Rule>
    <Name>Block High Risk</Name>
    <Condition>RecipientDomain is "example.com"</Condition>
    <Action>Quarantine</Action>
  </Rule>
</Policy>
```
Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| take 10
```
Refer to the exhibit.
```json
{
  "policy": {
    "name": "Block risky sign-ins",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": ["medium", "high"]
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Refer to the exhibit.
```json
{
  "displayName": "Custom Detection - Lateral Movement via SMB",
  "queryText": "DeviceNetworkEvents | where RemotePort == 445 and ActionType == 'ConnectionSuccess' | join kind=inner (DeviceProcessEvents | where FileName == 'powershell.exe') on DeviceId | project Timestamp, DeviceName, AccountName, RemoteIP"
}
```
Refer to the exhibit.
```kusto
// KQL query in Microsoft Defender XDR
IdentityLogonEvents
| where Timestamp > ago(1d)
| where Application == "Exchange Online"
| summarize TotalLogons = count() by AccountUpn, IPAddress
| where TotalLogons > 10
| project AccountUpn, IPAddress, TotalLogons
```
Refer to the exhibit.
```json
{
  "displayName": "High Risk Users",
  "conditions": {
    "applications": {
      "includeApplications": ["Office 365 Exchange Online"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "riskLevels": ["high"]
  },
  "grantControls": {
    "builtInControls": ["block"],
    "operator": "OR"
  }
}
```
Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block Tor IPs",
    "priority": 100,
    "policyOrder": 0,
    "rules": [
      {
        "displayName": "Tor Exit Nodes",
        "action": "AlertAndBlock",
        "conditions": {
          "sourceAddresses": ["185.220.101.0/24", "185.220.102.0/24"],
          "protocols": ["Any"]
        }
      }
    ]
  }
}
```
Refer to the exhibit.
```json
{
  "Name": "Test policy",
  "PolicyType": "ActivityPolicy",
  "Severity": "High",
  "Filter": {
    "Activity": "Sign-in",
    "IpAddress": {
      "Category": "AnonymousProxy"
    }
  },
  "Action": {
    "Block": true
  }
}
```
Refer to the exhibit.
```kql
DeviceAlertEvents
| where Timestamp > ago(7d)
| where AlertTitle == "Suspicious process injection"
| summarize AlertCount = count() by DeviceName
| top 10 by AlertCount
```
Refer to the exhibit.
```json
{
  "rules": [
    {
      "name": "Block high-risk downloads",
      "action": "block",
      "conditions": {
        "appRiskScore": "high",
        "activity": "download",
        "userRiskScore": "high"
      }
    }
  ]
}
```
Refer to the exhibit. You run the following KQL query in Microsoft Defender XDR Advanced Hunting:
```kusto
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize Count = count() by DeviceName, RemoteIP
| where Count > 100
| order by Count desc
```
The query returns a list of devices that have made over 100 successful connections to public IPs in the last day. You need to investigate further.