Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


MS-102 Manage security and threats by using Microsoft Defender XDR • Complete Question Bank

MS-102 Manage security and threats by using Microsoft Defender XDR — All Questions With Answers

Complete MS-102 Manage security and threats by using Microsoft Defender XDR question bank: all 284 questions with answers and detailed explanations.

284 questions · Free · No signup
Question 1 (easy, multiple choice)

A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?

Question 2 (medium, multiple choice)

An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?

Question 3 (easy, multiple choice)

An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?

Question 4 (easy, multiple choice)

A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?

Question 5 (hard, multiple choice)

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

Question 6 (hard, multiple choice)

A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?

Question 7 (medium, multiple choice)

A security administrator wants to automatically block malicious IP addresses from sending email to Exchange Online mailboxes. Which Microsoft Defender component should be configured?

Question 8 (medium, multiple choice)

A security analyst investigates a potential data exfiltration incident. The analyst identifies that a user's device has made multiple connections to an unknown external IP address using a custom port. Which Microsoft Defender XDR data source would provide the most detailed network communication logs for this investigation?

Question 9 (medium, multiple choice)

A security administrator wants to automatically block a file that is detected as malware on one endpoint from being executed on all other endpoints in the organization. Which Microsoft Defender for Endpoint capability provides this?

Question 10 (medium, multiple choice)

A security operations team wants to receive real-time alerts when a user is at high risk of having their account compromised based on unusual sign-in patterns. Which Microsoft Defender XDR component should they configure?

Question 11 (medium, multiple choice)

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?

Question 12 (hard, multiple choice)

A ransomware alert is confirmed in Microsoft Defender XDR on a user device that is still communicating with other endpoints. What should the administrator do first to reduce spread while preserving the ability to investigate?

Question 13 (hard, multiple choice)

A security administrator wants to create a custom detection rule in Microsoft Defender XDR that alerts when a device initiates an outbound TCP connection to a known malicious IP address on a non-standard port (e.g., port 4444). Which advanced hunting table should be queried to find these network connections?

Question 14 (medium, multiple choice)

A security team wants to automatically investigate and remediate alerts generated from Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. Which Microsoft Defender XDR capability should be configured?

Question 15 (hard, multi select)

A security analyst wants to create a custom detection rule that triggers when a user receives a phishing email that bypassed Exchange Online Protection, and then clicks a link that leads to a known malicious domain. Which two advanced hunting tables should the analyst combine to detect this chain of events?

Question 16 (hard, multiple choice)

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a user's device establishes a network connection to a known malicious IP address on a port commonly used by a specific malware. The rule must also include process information such as the filename of the process that initiated the connection. Which advanced hunting table should be the primary data source for this rule?

Question 17 (medium, multiple choice)

A security analyst needs to search for devices that have been communicating with a known malicious command-and-control server over the past 7 days. The analyst wants to identify the process that initiated the connection. Which advanced hunting query would be most efficient?

Question 18 (easy, multiple choice)

A security analyst identifies a malicious file hash on one endpoint. They need to ensure that file is blocked from executing on all other endpoints in the organization immediately. Which Microsoft Defender for Endpoint feature should be used?

Question 19 (hard, multi select)

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and later clicks a link to a known malicious domain from their device. The rule will use advanced hunting queries. Which two tables should be joined to detect the click event from the device?

Question 20 (hard, multiple choice)

A security analyst needs to identify the specific process (filename) that initiated a network connection from a device to a known malicious IP address over the last 24 hours. Which advanced hunting table in Microsoft Defender XDR provides the necessary data including the initiating process filename and the remote IP address?
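Questions 13, 16, 17 and 20 all turn on the same table: DeviceNetworkEvents carries both the remote endpoint (RemoteIP, RemotePort) and the initiating process (InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessSHA256), so no join is needed. The query below is an added example written for this page, not code from Courseiva or from Microsoft; it is in Kusto Query Language (KQL), which is what advanced hunting and custom detection rules use. The IP and port lists are constructed placeholders (RFC 5737 documentation addresses) to be replaced with real indicators; the table and column names are the real advanced hunting schema.

```kql
// Added example (not from the original page): hunting / custom detection query
// over DeviceNetworkEvents. Indicator lists are constructed placeholders.
let lookback = 7d;
let malicious_ips = dynamic(["203.0.113.10", "198.51.100.77"]);   // constructed (RFC 5737)
let suspicious_ports = dynamic([4444, 1337]);                     // constructed
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")   // outbound attempts, not listens
| where RemoteIP in (malicious_ips) and RemotePort in (suspicious_ports)
| project Timestamp, DeviceId, DeviceName, ReportId,
          RemoteIP, RemotePort, Protocol,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessSHA256, InitiatingProcessAccountUpn
// One row per device / process / destination. arg_max keeps the columns a custom
// detection rule must return (Timestamp, DeviceId, ReportId) while count() gives
// the analyst the volume per pair without a second query.
| summarize arg_max(Timestamp, *), Connections = count()
    by DeviceId, InitiatingProcessFileName, RemoteIP, RemotePort
```

When this is saved as a custom detection rule, the output must contain Timestamp, ReportId and at least one entity column (here DeviceId) or the portal rejects the rule; the summarize keeps all three. For a one-off hunt over the last 7 days (question 17) the same query answers "which process talked to the C2" directly, because the process columns are on the network row itself.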

Question 21 (medium, multiple choice)

A security administrator wants to simulate a realistic phishing attack to train users and measure their susceptibility. The simulation should be run from within Microsoft Defender XDR and provide detailed reporting. Which feature should the administrator use?

Question 22 (hard, multiple choice)

A security administrator wants to prevent malware from using Office macros to spawn malicious processes. Specifically, they want to block Excel, Word, and PowerPoint from creating child processes. Which Microsoft Defender for Endpoint capability should be configured?

Question 23 (medium, multiple choice)

A security administrator wants to automatically isolate a device in Microsoft Defender for Endpoint whenever a high-severity alert is triggered. The isolation should occur without manual intervention. Which Microsoft Defender XDR feature should be configured?

Question 24 (hard, multiple choice)

A security analyst has identified a new malware sample with SHA256 hash 'abc123...'. They need to immediately block this file from executing on any managed endpoint across the organization. Which Microsoft Defender for Endpoint capability should they use?

Question 25 (medium, multi select)

A security analyst wants to search for instances where a user received a phishing email that was delivered to their inbox, and then later clicked a link within that email that led to a known malicious domain. Which two advanced hunting tables should be joined to identify both the email delivery and the link click events? (Choose the option that correctly identifies the primary table pair.)

Question 26 (hard, multiple choice)

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?

Question 27 (easy, multiple choice)

A security administrator needs to view a unified incident queue that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. Which console should the administrator open?

Question 28 (medium, multi select)

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and later clicks a link from that email that leads to a known malicious domain. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the query to capture both the email delivery event and the link click event? (Choose two.)

Question 29 (medium, multiple choice)

A security analyst has identified a new malware sample with a specific SHA256 hash. The analyst needs to immediately block this file from executing on any managed endpoint across the organization, including prevention of future execution. Which Microsoft Defender for Endpoint capability should the analyst use?

Question 30 (hard, multiple choice)

A security analyst wants to create a custom detection rule that triggers when a device communicates with a new, unclassified IP address that has been flagged by Microsoft threat intelligence as potentially malicious. The rule should run every hour and create an incident if more than 5 such communications from the same device occur within a 24-hour window. Which advanced hunting tables should be joined in the KQL query for this rule?

Question 31 (hard, multiple choice)

A security administrator needs to create an automated investigation and response (AIR) playbook that automatically isolates a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook should run without requiring manual approval. Which capability in Microsoft 365 Defender should the administrator configure?

Question 32 (medium, multi select)

A security analyst is investigating a potential lateral movement attack. They need to identify which processes were created on a compromised device and then which network connections were made by those processes. Which two advanced hunting tables should the analyst join in a KQL query?

Question 33 (medium, multiple choice)

A security administrator wants to configure Automated Investigation and Response (AIR) in Microsoft 365 Defender to automatically isolate a device when a high-severity alert for malware is detected. Which step is required?

Question 34 (medium, multiple choice)

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a device establishes a network connection to an IP address that has been recently observed in threat intelligence feeds as a new, malicious command-and-control server. The rule should analyze network communication events. Which advanced hunting table should be the primary data source for the Kusto Query Language (KQL) query?

Question 35 (easy, multiple choice)

A user receives an email from an unknown sender with a .zip attachment. The attachment contains a potentially malicious executable file. Microsoft Defender for Office 365 is enabled. Which feature dynamically detonates the attachment in a sandbox environment and blocks it if malicious behavior is detected?

Question 36 (easy, multiple choice)

A security administrator wants to detect unusual user activity, such as a user downloading an abnormally large number of files from SharePoint Online in a short period. Which Microsoft Defender for Cloud Apps feature should be used to create a policy for this behavior?

Question 37 (medium, multi select)

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?

Question 38 (hard, multiple choice)

A security administrator needs to configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender that will automatically isolate a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook must run without requiring manual approval. Which configuration must the administrator set to achieve automatic device isolation?

Question 39 (hard, multiple choice)

A security administrator wants to block executable files from running from writable system directories such as %TEMP% and %APPDATA% on Windows devices. Which attack surface reduction (ASR) rule should be enabled?

Question 40 (medium, multiple choice)

A security administrator needs to block outbound network connections from a compromised Windows device to a known malicious IP address. The solution should be configured in Microsoft Defender for Endpoint and must work at the network layer, not relying on a user-installed client. Which feature should the administrator enable?

Question 41 (hard, multi select)

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify when a user clicks a malicious URL in a phishing email and subsequently visits the malicious site from their corporate device. The analyst plans to use advanced hunting with Kusto Query Language (KQL). Which two tables must be joined to capture both the URL click event and the network connection to the malicious site?

Question 42 (medium, multiple choice)

An administrator wants to configure automated investigation and response (AIR) in Microsoft 365 Defender so that when a high-severity malware alert is generated for a device from Microsoft Defender for Endpoint, the device is automatically isolated from the network without requiring a security analyst to approve the action. Which configuration step is required?

Question 43 (hard, multiple choice)

A security administrator needs to block executable files from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?

Question 44 (medium, multiple choice)

A security administrator wants to monitor and control user downloads from a third-party SaaS application (e.g., Box) in real time. The administrator needs to apply session-level policies to block downloads based on risk. Which Microsoft 365 Defender feature should be used?

Question 45 (hard, multiple choice)

A security administrator needs to block outbound network connections from a compromised Windows device to command-and-control servers. The solution must work at the network layer and be centrally managed via Microsoft 365 Defender. Which feature should the administrator enable?

Question 46 (hard, multiple choice)

A security analyst wants to automatically create a Microsoft Teams message in a dedicated security channel whenever a Microsoft 365 Defender incident with severity 'High' is created. Which automation approach should the analyst use?

Question 47 (medium, multi select)

A security analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a PowerShell process with suspicious command-line arguments is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP occurs. Which two advanced hunting tables must be joined in the KQL query?

Question 48 (medium, multiple choice)

A security administrator wants to prevent Microsoft Office applications (Word, Excel, PowerPoint) from creating child processes, which is a common technique used by malware to execute malicious code. Which attack surface reduction (ASR) rule should be enabled?

Question 49 (medium, multiple choice)

A security administrator wants to block users from uploading files to personal cloud storage apps (e.g., Dropbox) from managed Windows devices, while allowing access from compliant mobile devices. Which Microsoft 365 Defender feature should be used?

Question 50 (hard, multiple choice)

A security administrator needs to block executable files (e.g., .exe, .ps1) from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?

Question 51 (hard, multiple choice)

A security analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a suspicious PowerShell process (e.g., using -EncodedCommand) is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP address occurs. Which two advanced hunting tables must be joined?

Question 52 (easy, multiple choice)

A security administrator wants to ensure that all email attachments are scanned in a sandbox environment and blocked if malicious, with email delivery delayed until scanning completes. Which Microsoft 365 Defender policy should the administrator configure?

Question 53 (hard, multiple choice)

A security analyst is using Microsoft 365 Defender Advanced Hunting to investigate a potential malware outbreak. The analyst needs to find all devices where a specific signed executable (known to be malicious) was created in the past 24 hours. Which Advanced Hunting table should be queried to detect the creation of the executable file?

Question 54 (hard, multiple choice)

A security administrator wants to prevent users from uploading files to unsanctioned cloud storage apps (e.g., personal Dropbox or Google Drive) from managed Windows devices. The solution must use a reverse proxy to control file uploads in real time. Which Microsoft Defender for Cloud Apps feature should the administrator configure?

Question 55 (hard, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should fire when a Windows device exhibits this sequence of events within 3 minutes: 1) A PowerShell process runs with an encoded command, 2) A service is created with a random name, and 3) An outbound network connection to a suspicious IP address is observed. Which three Advanced Hunting tables must be joined in the KQL query to create this detection?

Question 56 (hard, multiple choice)

An organization wants to allow only specific company-approved USB devices (e.g., those with a specific hardware ID) on managed Windows devices. All other USB devices must be blocked. Which Microsoft 365 Defender feature should be configured?

Question 57 (medium, multiple choice)

A security administrator wants to prevent attackers from stealing credentials by blocking access to the Local Security Authority Subsystem Service (LSASS) from untrusted processes. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

Question 58 (medium, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a device makes an outbound connection to a known malicious IP address, and within 10 minutes, a process with suspicious command-line arguments is started on the same device. Which two Advanced Hunting tables must be joined using a KQL query to create this detection?

Question 59 (medium, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a process named 'powershell.exe' is launched with command-line arguments containing '-EncodedCommand', and within 5 minutes a service is created on the same device. Which two Advanced Hunting tables must be joined in the KQL query to create this detection?

Question 60 (hard, multiple choice)

A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

Question 61 (medium, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user receives a phishing email containing a malicious URL and then clicks that URL within 10 minutes. Which two Advanced Hunting tables must be joined in the KQL query?

Question 62 (hard, multi select)

A security administrator is configuring Microsoft Defender for Cloud Apps. The administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Defender for Cloud Apps features must be configured? (Select the two correct options.)

Question 63 (hard, multiple choice)

A security analyst is investigating a suspected credential theft attack where an attacker attempts to dump credentials from LSASS. Which Attack Surface Reduction (ASR) rule should the administrator enable to block this activity from untrusted processes?

Question 64 (hard, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user opens a malicious email attachment, which launches a PowerShell process, and then that PowerShell process makes an outbound connection to a known malicious IP address. Which three Advanced Hunting tables must be joined in the KQL query?

Question 65 (medium, multiple choice)

A security administrator wants to reduce the risk of credential dumping from LSASS on managed Windows endpoints. Which Attack Surface Reduction rule should be enabled?

Question 66 (medium, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user opens a malicious Office document, which launches a process named cmd.exe from Microsoft Word, and then that cmd.exe process makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?

Question 67 (hard, multi select)

A security administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps features must be configured to meet these requirements? (Select all that apply.)

Question 68 (easy, multi select)

A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a user receives a phishing email and clicks a malicious link within 10 minutes. Which two tables must be joined in the KQL query?
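Questions 11, 15, 19, 25, 28, 61 and 68 all describe the same correlation: the delivery of a message is recorded in EmailEvents and the later click on a URL from that message in UrlClickEvents, and the two share NetworkMessageId. The query below is an added example written for this page, not code from Courseiva or from Microsoft. The domain list is a constructed placeholder (the .example TLD is reserved by RFC 2606 and never resolves); table and column names are the real advanced hunting schema.

```kql
// Added example (not from the original page): join EmailEvents to UrlClickEvents
// on NetworkMessageId to find a delivered message whose link was later clicked.
// The domain list is a constructed placeholder.
let lookback = 7d;
let malicious_domains = dynamic(["login-portal.example", "invoice-review.example"]);   // constructed
let Delivered =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"            // landed in a mailbox, i.e. filtering did not stop it
    | project NetworkMessageId, EmailTime = Timestamp, RecipientEmailAddress,
              SenderFromAddress, Subject, ThreatTypes, DetectionMethods;
UrlClickEvents
| where Timestamp > ago(lookback)
| where Workload == "Email"                           // clicks from mail, not Teams or Office docs
| extend UrlHost = tostring(parse_url(Url).Host)
| where UrlHost has_any (malicious_domains)
// Safe Links allowed the click, or the user clicked through the warning page
| where ActionType == "ClickAllowed" or IsClickedThrough == true
| join kind=inner (Delivered) on NetworkMessageId
| where Timestamp > EmailTime                         // the click must come after delivery
| where AccountUpn =~ RecipientEmailAddress           // the recipient did the clicking (drop to include forwards)
| project Timestamp, ReportId, AccountUpn, RecipientEmailAddress, NetworkMessageId,
          SenderFromAddress, Subject, Url, UrlHost, ActionType, IsClickedThrough,
          EmailDelivered = EmailTime, ThreatTypes, DetectionMethods
```

Two points worth noting. The ThreatTypes column on EmailEvents is often empty for exactly the messages these questions care about, because a phish that bypassed Exchange Online Protection was not classified at delivery time; that is why the filter keys on DeliveryAction and the click rather than on a "Phish" label. And ReportId must come from the click row (the left side of the join), since that is the event the custom detection rule will attach the alert to; the email row's ReportId is deliberately not projected.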

Question 69 (medium, multi select)

A security administrator needs to block unsanctioned cloud apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps components must be configured?

Question 70 (medium, multi select)

A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a process spawned by Microsoft Word (winword.exe) makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?
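Questions 32, 47, 51, 58, 66 and 70 ask for the pair DeviceProcessEvents and DeviceNetworkEvents; the part the question bank does not show is how the join is keyed and how the time window is enforced. The query below is an added example written for this page, not code from Courseiva or from Microsoft. It uses the encoded-PowerShell variant (questions 47, 51, 58); swapping the first filter for `InitiatingProcessFileName =~ "winword.exe"` gives the Word-spawned-process variant of questions 66 and 70. The IP list is a constructed placeholder and the command-line regex is a heuristic of my own; table and column names are the real advanced hunting schema.

```kql
// Added example (not from the original page): chain a suspicious process start
// to an outbound connection from that same process within five minutes.
// IP list is a constructed placeholder; the regex is a heuristic.
let lookback = 1d;
let window = 5m;
let malicious_ips = dynamic(["203.0.113.10", "198.51.100.77"]);   // constructed (RFC 5737)
let SuspiciousStarts =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    // -EncodedCommand and its prefixes (-e, -ec, -enc) followed by a base64 blob
    | where ProcessCommandLine matches regex @"(?i)\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    | project DeviceId, DeviceName, ProcStart = Timestamp, ProcessId, ProcessCommandLine,
              AccountUpn, ParentProcess = InitiatingProcessFileName;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIP in (malicious_ips)
| project NetTime = Timestamp, DeviceId, ReportId, RemoteIP, RemotePort, Protocol,
          InitiatingProcessId, InitiatingProcessFileName
// Same device AND same process id. Windows reuses PIDs, so the time window
// below is what actually ties the two events to one process instance.
| join kind=inner (SuspiciousStarts) on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| where NetTime between (ProcStart .. (ProcStart + window))
| project Timestamp = NetTime, DeviceId, DeviceName, ReportId, AccountUpn,
          ProcStart, ProcessId, ProcessCommandLine, ParentProcess,
          RemoteIP, RemotePort, Protocol
```

The renames (ProcStart, NetTime) are not cosmetic: both tables have a Timestamp column, and without renaming one of them the join produces Timestamp and Timestamp1 and the window check silently compares the wrong pair. For the three-table sequences in questions 55 and 59, the service-creation step comes from DeviceEvents with ActionType "ServiceInstalled" and is joined the same way, on DeviceId with its own renamed timestamp inside the window.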

Question 71 (medium, multiple choice)

A security administrator wants to configure Microsoft Defender for Cloud Apps to block downloads of sensitive files from Salesforce to unmanaged devices in real time. Which Defender for Cloud Apps component must be configured?

Question 72 (medium, multi select)

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user receives a malicious email attachment and then opens the attachment, resulting in a process being created (e.g., .exe file). Which two Advanced Hunting tables must be joined to correlate the email attachment with the resulting process?

Question 73hardmulti select

A security analyst is investigating a potential attack where a user received a malicious email with an HTML attachment. The HTML file, when opened, fetched a JavaScript payload from a remote server that then dropped a binary on the user's machine and executed it. The analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when an email contains an HTML attachment with an external link, and that attachment is opened, causing a process creation. Which two tables should the analyst join in the KQL query to correlate the email attachment with the resulting process?

Question 74 (hard, multiple choice)

A security administrator wants to configure Microsoft Defender for Cloud Apps so that when a user accesses a sensitive file in a sanctioned cloud app from an unmanaged device, the user is blocked from downloading the file and a block action is logged in real time. Which type of policy should the administrator configure?

Question 75 (medium, multiple choice)

A company is experiencing a significant number of phishing attempts that target high-level executives by impersonating their email addresses. The security team wants to configure protection against user impersonation in Microsoft Defender for Office 365. Which setting must be enabled in the anti-phishing policy to protect these specific users?

Question 76 (medium, multi select)

You are a Microsoft 365 administrator for a multinational organization. You are implementing Microsoft Defender XDR to provide centralized threat management across multiple domains. Which three of the following capabilities are core components of Microsoft Defender XDR? (Choose three.)

Question 77 (medium, multi select)

As a security administrator, you are tuning automated investigation and response (AIR) capabilities in Microsoft Defender XDR. You need to ensure that the system can automatically remediate threats while minimizing false positives. Which three of the following actions can be taken by automated investigation and response in Microsoft Defender XDR? (Choose three.)

Question 78 (medium, multi select)

You are a Microsoft 365 administrator responsible for managing security and threats by using Microsoft Defender XDR. Which four of the following are core components or capabilities of Microsoft Defender XDR? (Choose all that apply. There are four correct answers.)

Question 79 (medium, drag order)

Drag and drop the steps to configure a Conditional Access policy in Microsoft Entra ID in the correct order.

Question 80 (medium, drag order)

Drag and drop the steps to configure a compliance retention policy in Microsoft Purview in the correct order.

Question 81 (medium, matching)

Match each Microsoft 365 compliance feature to its purpose.


Matches:

- Prevents sensitive data from being shared
- Searches and exports content for legal cases
- Keeps or deletes content based on rules
- Classifies and protects data
- Records user and admin activities

Question 82 (medium, matching)

Match each Microsoft 365 threat scenario to the appropriate protection.


Concepts:

- Anti-phishing policy in Defender for Office 365
- Safe Attachments policy
- Safe Links policy
- Identity Protection and Conditional Access
- Data Loss Prevention policy

Question 83 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to ensure that users are warned before opening potentially malicious attachments in Outlook on the web. Which policy setting should you configure?

Question 84 (hard, multiple choice)

Your organization is implementing Microsoft Defender for Cloud Apps. You need to configure anomaly detection policies to alert when a user downloads an unusually large number of files from SharePoint Online. Which data source should you connect to enable this detection?

Question 85 (easy, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE). You need to configure an automated investigation and response (AIR) capability that will automatically remediate a confirmed malware infection on endpoints. Which action should you enable?

Question 86 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate which user account is potentially compromised. Which tool should you use to correlate the alert with user activity?

Question 87 (hard, multiple choice)

Your organization has Microsoft Defender for Cloud Apps (MCAS) deployed. You need to create a policy that automatically blocks downloads of files classified as 'Highly Confidential' from SharePoint Online to unmanaged devices. Which policy type should you use?

Question 88 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 and wants to simulate a phishing attack to train users. You need to configure a simulation that uses a URL link to a credential harvesting page. Which feature should you use?

Question 89 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to configure a rule that automatically isolates a device from the network when a specific threat is detected, but only if the device is in a specific device group. Which approach should you use?

Question 90 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to generate a report of all external users who have shared sensitive files from SharePoint Online. Which feature should you use?

Question 91 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. You need to configure a honeytoken account to detect attackers trying to use the account. In which location should you place the honeytoken account?

Question 92 (medium, multi select)

Your organization uses Microsoft Defender for Endpoint. You need to configure advanced hunting to query device information. Which TWO tables contain device-related data?

Question 93 (hard, multi select)

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user signs in from an unknown IP address and then downloads a large number of files. Which THREE components should you configure?

Question 94 (easy, multi select)

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in email messages. Which TWO features should you configure?

Question 95 (hard, multiple choice)

Refer to the exhibit. You run the KQL query in advanced hunting. What is the primary purpose of this query?

Exhibit


```kusto
// KQL query in Microsoft Defender XDR advanced hunting
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| summarize Count = count() by DeviceName
| where Count > 10
```
Question 96 (medium, multiple choice)

Refer to the exhibit. What is the effect of this session policy?

Exhibit


```json
// Microsoft Defender for Cloud Apps session policy configuration snippet
{
  "policyType": "session",
  "name": "Block Download for Unmanaged Devices",
  "conditions": {
    "clientType": {
      "include": ["browser", "nativeClient"]
    },
    "deviceTag": {
      "include": ["unmanaged"]
    },
    "app": {
      "include": ["SharePoint Online", "OneDrive for Business"]
    }
  },
  "actions": {
    "block": ["download"]
  }
}
```
Question 97 (easy, multiple choice)

Refer to the exhibit. You deploy this configuration profile to Windows devices. What is the most likely outcome?

Exhibit

Microsoft Defender for Endpoint device configuration profile

```xml
<DeviceConfiguration>
  <DefenderForEndpoint>
    <EnableAutomatedInvestigation>true</EnableAutomatedInvestigation>
    <AlertSeverityForAutomatedInvestigation>Medium</AlertSeverityForAutomatedInvestigation>
    <EmailNotification>
      <Enabled>true</Enabled>
      <Recipients>admin@contoso.com</Recipients>
    </EmailNotification>
  </DefenderForEndpoint>
</DeviceConfiguration>
```
Question 98 (medium, multiple choice)

You are investigating a phishing campaign targeting your organization. In Microsoft Defender XDR, you run a KQL query in Advanced Hunting to find all email messages that contain a specific phishing URL. Which table should you query?

Question 99 (hard, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malicious attachments to quarantine and notifies the security team. Additionally, you want to allow users to release their own quarantined messages if they are false positives. What should you do?

Question 100 (easy, multiple choice)

You are a security administrator. You need to configure Microsoft Defender for Cloud Apps to detect anomalous user activities such as impossible travel. Which feature should you enable?

Question 101 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. You receive an alert about a potential DCSync attack. What should you do to investigate this alert in Microsoft Defender XDR?

Question 102 (hard, multiple choice)

Your organization has Microsoft 365 E5 licenses and uses Microsoft Defender for Office 365. You need to ensure that users are warned before clicking on malicious URLs in email messages, even if the URL is clicked after the email is delivered. Which policy should you configure?

Question 103 (easy, multiple choice)

You need to integrate Microsoft Defender XDR with Microsoft Sentinel for centralized monitoring. Which data connector should you use?

Question 104 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. A user reports that their device is not receiving security updates. You need to ensure that the device is properly onboarded to Defender for Endpoint. Which log should you check first?

Question 105 (hard, multiple choice)

You are configuring Microsoft Defender for Office 365 to protect against business email compromise (BEC) attacks. Which policy setting should you enable to analyze email sender behavior and detect impersonation attempts?

Question 106 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads a large number of files from Microsoft SharePoint Online in a short period. What should you create?

Question 107 (medium, multi select)

Which TWO actions can you perform using Microsoft Defender XDR's Advanced Hunting? (Choose two.)

Question 108 (hard, multi select)

Which THREE features are included in Microsoft Defender for Office 365 Plan 2 but NOT in Plan 1? (Choose three.)

Question 109 (medium, multi select)

Which TWO Microsoft Defender XDR components provide protection for email and collaboration tools? (Choose two.)

Question 110 (hard, multiple choice)

You are analyzing a custom detection rule in Microsoft Defender XDR. The rule is designed to alert on suspicious PowerShell execution. However, you notice that the rule is not triggering alerts even though you know such activity is occurring. What is the most likely reason?

Exhibit


```json
{
  "displayName": "Custom Detection Rule",
  "query": "DeviceProcessEvents | where Timestamp > ago(7d) | where FileName has_any ('powershell.exe', 'cmd.exe') | where ProcessCommandLine contains 'Invoke-Expression'",
  "action": {
    "type": "Alerting",
    "severity": "Medium",
    "category": "Execution",
    "description": "Suspicious PowerShell execution detected"
  }
}
```
Question 111 (medium, multiple choice)

You run the PowerShell command shown in the exhibit on a Windows 10 device that is onboarded to Microsoft Defender for Endpoint. The device is reporting as healthy in the portal, but you suspect that some behavioral detection capabilities are turned off. Based on the output, which setting should you modify?

Exhibit


```powershell
Get-MpPreference | Select-Object -Property DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableBlockAtFirstSeen
```

Output:
```
DisableRealtimeMonitoring : False
DisableBehaviorMonitoring : True
DisableBlockAtFirstSeen : False
```
Question 112 (easy, multiple choice)

You run the KQL query shown in the exhibit in Microsoft Defender XDR Advanced Hunting. The query returns no results. What is the most likely reason?

Exhibit


```kusto
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| summarize BlockedCount = count() by SenderDomain
| top 10 by BlockedCount
```
Question 113 (medium, multiple choice)

A company's security team needs to investigate a suspicious email that was reported by a user. The email was not blocked by Exchange Online Protection (EOP) and was delivered to the user's inbox. The security team wants to use Microsoft Defender XDR to analyze the email and its attachments. Which feature should they use to submit the email for automated investigation?

Question 114 (medium, multiple choice)

A security administrator needs to configure a policy that automatically blocks high-confidence phishing emails in Microsoft Defender for Office 365. The policy should be applied to all users in the finance department. The administrator wants to ensure that if an email is determined to be high-confidence phishing, it is quarantined and the user is not notified. Which type of policy should the administrator configure?

Question 115 (hard, multiple choice)

Refer to the exhibit. You are reviewing an anti-phishing policy configuration in Microsoft Defender for Office 365. The policy is applied to all users. A user reports that a legitimate email from a known vendor (domain contoso.com) was quarantined. The email contained a link to a rarely visited website. The link was not malicious. Which setting in the policy is most likely causing the false positive?

Exhibit

```json
{
  "PolicyName": "HighConfPhishing",
  "RecommendedPolicyType": "AntiPhishBuiltIn",
  "Policy": {
    "PhishThresholdLevel": 2,
    "Action": "Quarantine",
    "QuarantineTag": "AdminOnlyAccess",
    "EnableFirstContactSafetyTips": false,
    "EnableUnusualCharactersSafetyTips": false,
    "EnableMailboxIntelligence": true,
    "EnableMailboxIntelligenceProtection": true,
    "MailboxIntelligenceProtectionAction": "Quarantine",
    "EnableOrganizationDomainsProtection": true,
    "EnableSimilarUsersSafetyTips": true,
    "EnableTargetedUserProtection": true,
    "TargetedUserProtectionAction": "Quarantine",
    "EnableSimilarDomainsSafetyTips": true,
    "EnableTargetedDomainProtection": true,
    "TargetedDomainProtectionAction": "Quarantine"
  }
}
```
Question 116 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint Online within 10 minutes. This activity should be considered anomalous. Which type of policy should you create?

Question 117 (hard, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR Advanced Hunting. The query returns a list of devices where PowerShell or cmd.exe with encoded commands executed more than 5 times in the last 7 days. The security team suspects that one of the devices is compromised due to excessive use of encoded commands. However, a legitimate administrative script uses encoded commands regularly. How can you refine the query to reduce false positives while still detecting potentially malicious activity?

Exhibit

KQL query:

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-e", "-enc")
| summarize Count = count() by DeviceName, FileName
| where Count > 5
```
Question 118 (medium, multiple choice)

A company is implementing Microsoft Defender for Identity (MDI) to protect its on-premises Active Directory environment. The security team needs to ensure that MDI can monitor all domain controllers. They have installed the MDI sensor on all domain controllers. However, they notice that some suspicious activities are not being detected. Which additional configuration should the team verify to ensure comprehensive coverage?

Question 119 (easy, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE). A security analyst needs to investigate a file that was detected as malicious on several devices. The analyst wants to see the file's prevalence across the organization and other related events. Which feature in MDE should the analyst use?

Question 120 (medium, multiple choice)

A company is planning to deploy Microsoft Defender for Endpoint to its Windows 10 devices. The devices are managed by Microsoft Intune. The security team wants to ensure that the MDE sensor is installed automatically on new devices that are enrolled in Intune. Which method should the team use?

Question 121 (hard, multiple choice)

A security administrator is configuring Microsoft Defender for Office 365 to protect against zero-day malware in attachments. The administrator wants to use dynamic delivery so that users can view the email body while the attachment is being analyzed. However, the administrator is concerned about false positives and wants to ensure that if a benign attachment is later found to be malicious, it is removed from the user's inbox. What should the administrator configure?

Question 122 (medium, multi select)

A security administrator is configuring Microsoft Defender for Cloud Apps to protect against data exfiltration from SaaS apps. The administrator wants to create a policy that alerts when a user attempts to download more than 50 files from SharePoint Online within 5 minutes. Which two components must be configured to achieve this? (Choose two.)

Question 123 (hard, multi select)

A security team is investigating a potential ransomware outbreak using Microsoft Defender XDR. They have identified a suspicious PowerShell command that was executed on several devices. The team wants to use Advanced Hunting to find all other activities associated with the same command. Which three columns should they include in their KQL query to effectively correlate the activities? (Choose three.)

Question 124 (easy, multi select)

A company is deploying Microsoft Defender for Office 365 to protect against advanced threats. Which two features are available only in Defender for Office 365 Plan 2 and not in Plan 1? (Choose two.)

Question 125 (hard, multi select)

A security administrator is configuring Microsoft Defender for Endpoint (MDE) to automatically remediate threats. The administrator wants to ensure that when a high-severity alert is triggered, the affected device is isolated from the network. Which three components must be configured to achieve this? (Choose three.)

Question 126 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from an anonymous IP address. Which type of policy should you create?

Question 127 (medium, multiple choice)

A company is using Microsoft Defender for Identity (MDI) and wants to receive alerts when a user account is involved in a suspicious network connection. The security team has enabled MDI alerts but is not receiving any alerts for a specific account that is showing anomalous behavior. What should the team check first?

Question 128 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to ensure that when a user reports a phishing email via the Microsoft Report Message add-in, the URL in the email is automatically blocked on all endpoints. What should you configure?

Question 129 (hard, multiple choice)

Your organization has deployed Microsoft Defender for Cloud Apps. You need to ensure that all external file sharing to untrusted domains is automatically blocked. The solution must not affect internal sharing. What should you configure?

Question 130 (easy, multiple choice)

You need to configure Microsoft Defender for Identity to alert when a user account is assigned a high number of group memberships in Active Directory. Which attack type does this correspond to?

Question 131 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device is onboarded, it automatically receives all current threat intelligence signatures. What should you verify is configured?

Question 132 (medium, multiple choice)

Your organization has Microsoft Defender for Office 365. Users report that legitimate emails from a partner domain are being quarantined. You need to ensure these emails are delivered while maintaining security. What should you do?

Question 133 (easy, multiple choice)

You need to configure Microsoft Defender for Cloud Apps to detect anomalous user behavior such as impossible travel. Which type of policy should you create?

Question 134 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a user clicks a malicious link in an email, the endpoint is automatically isolated. What should you configure?

Question 135 (medium, multi select)

Your organization is implementing Microsoft Defender XDR. Which TWO actions should you take to ensure that alerts from different workloads are correlated into incidents?

Question 136 (hard, multi select)

You are investigating a security incident in Microsoft 365 Defender. The incident involves a user who received a phishing email that contained a link to a malicious website. The user clicked the link and entered credentials. Which THREE components of Microsoft Defender XDR would generate alerts that contribute to this incident?

Question 137 (easy, multi select)

Which TWO features in Microsoft Defender for Office 365 help protect against zero-day malware in email attachments?

Question 138 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from a risky IP address. What should you configure?

Question 139 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to configure automatic investigation and response (AIR) to handle a phishing email that was delivered to a user's inbox and the user clicked a link that downloaded a malicious file. What should you configure?

Question 140 (hard, multiple choice)

Your organization deploys Microsoft Defender XDR and wants to use advanced hunting to detect lateral movement by an attacker who uses RDP from a compromised workstation to a domain controller. Which KQL query should you use in advanced hunting?

Question 141 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically alerts when a user downloads more than 100 files from SharePoint Online in 10 minutes. What type of policy should you create?

Question 142 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious LDAP query from a domain controller. After investigating, you determine the query is legitimate. How should you prevent future alerts for this activity?

Question 143 (hard, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to stream advanced hunting data from Defender XDR to Sentinel to run analytics rules. What should you configure?

Question 144 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device with a high-risk vulnerability is detected, it is automatically isolated from the network. What should you configure?

Question 145 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the built-in anti-phishing policy. You need to analyze the email headers to determine why it was not detected. What should you use?

Question 146 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Entra ID. You need to block access to a third-party cloud app that is not sanctioned. The app uses OAuth and users have already granted consent. What should you configure?

Question 147 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to collect investigation packages from multiple devices for forensic analysis. What is the most efficient method?

Question 148 (medium, multi select)

Your organization uses Microsoft Defender XDR. You need to ensure that when an incident is created, it is automatically assigned to the appropriate analyst team based on the incident category. Which TWO actions should you configure? (Choose two.)

Question 149 (hard, multi select)

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block the use of a newly discovered cloud app that is classified as 'high risk' by the Cloud App Catalog. Which THREE actions should you take? (Choose three.)

Question 150 (easy, multi select)
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365. You need to create a Safe Attachments policy that will block all attachments with a specific file type. Which TWO elements must you configure? (Choose two.)

Question 151mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A company uses Microsoft Defender for Office 365. Users report that phishing emails with malicious links are occasionally delivered to their inboxes. The security team wants to ensure that suspicious URLs are detonated in a sandbox before delivery for all recipients. What should the security team configure?

Question 152hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Contoso uses Microsoft Defender XDR and has a Microsoft 365 E5 license. The security team wants to automate incident response when a user is compromised. They create a custom automation rule in the Microsoft 365 Defender portal. The rule should automatically isolate the user's device, disable the user account, and reset the user's password. Which action type should they configure in the rule?

Question 153easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A company wants to receive alerts when a user account is used from an unauthorized location. They have Microsoft Defender for Cloud Apps (MDA). Which policy type should they create?

Question 154mediummulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Which TWO actions can be performed by Microsoft Defender for Identity? (Select TWO.)

Question 155mediummulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Which THREE features are part of Microsoft Defender XDR? (Select THREE.)

Question 156hardmulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A company experiences a ransomware attack that encrypts files on several endpoints. The security team wants to use automated investigation and response (AIR) capabilities in Microsoft Defender XDR to contain the threat. Which TWO actions can be taken automatically by AIR? (Select TWO.)

Question 157hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

An administrator deployed the above Intune device configuration policy for Microsoft Defender for Endpoint on Windows 10 devices. Users report that some potentially unwanted applications (PUA) are still being installed. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "DeviceConfiguration": {
    "Antivirus": {
      "DisableRealtimeMonitoring": false,
      "PUAProtection": "AuditMode",
      "CloudBlockLevel": "High",
      "CloudTimeout": 50
    }
  }
}
```
Question 158mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A security analyst runs the above KQL query in Microsoft 365 Defender. The query returns an empty result set. Which is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
| where FileName has_any ("ransomware", "encrypt")
| summarize ThreatCount = count() by DeviceName
| top 10 by ThreatCount
```
Question 159hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →
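A worked variant of the query in the exhibit above, added here as an illustration and not part of the question bank or its linked explanation. It makes the hunt key on what Defender actually records for an antivirus detection: the filter on `FileName` assumes a payload announces itself as "ransomware" or "encrypt", which real samples rarely do, whereas the detection family name is stored in the `AdditionalFields` JSON of the `AntivirusDetection` event (`ThreatName`, `WasRemediated`, `WasExecutingWhileDetected`). The name fragments searched for are assumptions chosen to match Defender's `Ransom:` family prefix and common lure names; adjust to taste.

```kusto
// Added example: hunt for ransomware-family AV detections by threat name, not file name.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AntivirusDetection"
// AdditionalFields is a JSON string; pull out the fields that describe the detection.
| extend Details = parse_json(AdditionalFields)
| extend ThreatName    = tostring(Details.ThreatName),
         WasRemediated = tobool(Details.WasRemediated),
         WasExecuting  = tobool(Details.WasExecutingWhileDetected)
// has_any is term-based, so "Ransom" matches "Ransom:Win32/..." (':' is a term delimiter).
| where ThreatName has_any ("Ransom", "Crypt", "Locker")
| summarize Detections         = count(),
            Unremediated       = countif(WasRemediated == false),
            RanBeforeDetection = countif(WasExecuting == true),
            Threats            = make_set(ThreatName, 10),
            Files              = make_set(FileName, 10)
    by DeviceId, DeviceName
// Rank by what still needs a human: detections the engine did not clean up.
| top 10 by Unremediated desc
```

Run it in Advanced hunting; if it still returns nothing, widen the time window or drop the threat-name filter entirely to confirm that `AntivirusDetection` events are arriving from the onboarded devices at all.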

A tenant administrator runs the above PowerShell command to create a Conditional Access policy. Users on iOS and Android devices report that they are still prompted for MFA, but the policy is intended to exclude those platforms. What is the issue?

Exhibit

Refer to the exhibit.

```powershell
$config = @{
    TenantId = "contoso.onmicrosoft.com"
    PolicyName = "Strict Security"
    UserRiskLevels = @("high", "medium")
    SignInRiskLevels = @("high")
    ExcludePlatforms = @("iOS", "Android")
    IncludeApplications = @("All")
    GrantControls = @{
        BuiltInControls = @("mfa", "compliantDevice")
        TermsOfUse = @("TOU1")
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $config
```
Question 160easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A security administrator wants to review email messages that were blocked due to a malware detection in Microsoft Defender for Office 365. Which report should they use?

Question 161mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A company uses Microsoft Defender for Cloud Apps to monitor cloud app usage. They want to receive alerts when a user downloads a large number of files from SharePoint Online in a short time, which could indicate data exfiltration. What should they configure?

Question 162hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

An organization uses Microsoft Defender for Endpoint and wants to allow only certain applications to run on managed devices. They create a custom indicator (IoC) to allow a specific application by its certificate thumbprint. However, after deployment, the application is still blocked by the default Windows Defender Application Control (WDAC) policy. What is the most likely reason?

Question 163easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A company wants to use Microsoft Defender XDR to automatically investigate and remediate threats across email, endpoints, and identities. Which role is required to configure automation settings in the Microsoft 365 Defender portal?

Question 164mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A company uses Microsoft Defender for Office 365. They want to ensure that users cannot ignore warning messages when clicking on a malicious link in an email. What should they configure?

Question 165hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Contoso has a hybrid identity environment with Microsoft Defender for Identity deployed. They suspect a compromised account is being used to perform reconnaissance against domain controllers. Which Defender for Identity alert type would most likely trigger?

Question 166easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security administrator for a Microsoft 365 E5 organization. You need to configure a policy that automatically blocks execution of files that have a low reputation score in Microsoft Defender for Endpoint. Which policy type should you configure?

Question 167mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft 365 Defender. You need to ensure that when a user reports a phishing email via the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. What should you configure?

Question 168hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malicious link in an email and clicked it. The link led to a credential phishing page. You need to identify which user accounts might have been compromised. Which Microsoft 365 Defender feature should you use?

Question 169easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365. You need to ensure that all email messages containing encrypted attachments are automatically scanned for malware before delivery. What should you configure?

Question 170mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security administrator. You need to configure a policy that automatically blocks sign-ins from anonymous IP addresses for all users in your Microsoft 365 tenant. Which policy should you configure in Microsoft Entra ID?

Question 171hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing sensitive data from an unmanaged device. You need to automatically restrict the user's access to sensitive data until the device is compliant. What should you configure?

Question 172easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are configuring Microsoft Defender for Identity to monitor on-premises Active Directory. You need to ensure that honeytoken accounts are configured to detect attackers attempting to use them. What is a honeytoken account?

Question 173mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft 365 Defender. You need to configure automated investigation and response (AIR) to automatically remediate high-confidence phishing emails. What should you configure?

Question 174hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security administrator. You need to configure a Microsoft Defender for Endpoint policy that prevents users from running executables from the Temp folder. Which Attack Surface Reduction (ASR) rule should you enable?

Question 175easymulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You need to configure Microsoft Defender for Office 365 to protect users from malicious links in email. Which TWO actions should you configure?

Question 176mediummulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malware attachment. Which THREE actions can you take from the incident page?

Question 177hardmulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Identity. You need to configure honeytoken accounts. Which THREE attributes should you ensure are NOT set for honeytoken accounts?

Question 178mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are reviewing a Microsoft Defender for Cloud Apps file policy. The exhibit shows a policy snippet. What is the effect of this policy?

Exhibit

Refer to the exhibit.
```json
{
  "Action": "Allow",
  "Conditions": {
    "FileSize": {
      "GreaterThan": 10485760,
      "LessThan": 104857600
    },
    "FileType": "docx, xlsx, pptx",
    "FromLocation": "Internet"
  },
  "Name": "BlockLargeOfficeFiles"
}
```
Question 179hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are hunting for malicious activity in Microsoft 365 Defender. The exhibit shows a KQL query. What is the query searching for?

Exhibit

Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp between (datetime(2024-01-01) .. datetime(2024-01-02))
| where FileName == "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
Question 180easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are configuring a mail flow rule in Exchange Online. The exhibit shows a snippet. What will this rule do?

Exhibit

Refer to the exhibit.
```xml
<Policy>
  <Rule>
    <Name>Block High Risk</Name>
    <Condition>RecipientDomain is "example.com"</Condition>
    <Action>Quarantine</Action>
  </Rule>
</Policy>
```
Question 181mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft 365 E5 and has Microsoft Defender for Office 365 enabled. Users report that legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives while maintaining security. What should you do?

Question 182hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your company has deployed Microsoft Defender for Endpoint on all Windows devices. You are investigating an alert for a suspicious PowerShell command that was blocked by Attack Surface Reduction (ASR) rules. The alert shows the command was executed from a script embedded in a Word document. You need to identify the ASR rule that blocked this activity. Which rule is most likely responsible?

Question 183easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) for email and collaboration content. Which policy type should you configure in the Microsoft 365 Defender portal?

Question 184mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user account that is exhibiting suspicious behavior: unusual login times from an IP address that is not in the user's typical location. The alert recommends action. You need to determine if the account is compromised. What is the best next step?

Question 185hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization has Microsoft Defender for Endpoint deployed. You are investigating a potential ransomware incident. The device timeline shows a series of events: a user downloaded a malicious attachment from an email, which then executed a script that encrypted files and attempted to propagate to other devices via SMB. You need to configure a custom detection rule to alert on similar behavior in the future. Which KQL query should you use as a basis?

Question 186easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →
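The scenario above (attachment executed, files encrypted, propagation over SMB) is the kind of behaviour a custom detection rule can express in KQL. The query below is an added example, written for this page and not taken from the question bank, its linked explanation or Microsoft documentation. It looks for one process touching many files across many folders within a short bucket, then left-joins the SMB connections the same process opened, so a rule built on it fires on the encrypt-and-spread pattern rather than on a specific file extension. The thresholds (`MinFilesTouched`, `MinFolders`, the 2-minute bucket) are assumptions to tune per environment; `Timestamp`, `ReportId` and `DeviceId` are kept in the output because custom detection rules require them.

```kusto
// Added example: base query for a custom detection on mass file modification
// followed by SMB fan-out from the same process. Thresholds are assumptions.
let MinFilesTouched = 100;
let MinFolders = 10;
DeviceFileEvents
| where Timestamp > ago(1h)
| where ActionType in ("FileRenamed", "FileModified")
| summarize FilesTouched  = count(),
            Folders       = dc(FolderPath),
            // extensions written, to see whether a new suffix such as .locked appears
            NewExtensions = make_set(tolower(extract(@"(\.[^.\\]+)$", 1, FileName)), 10),
            LastWrite     = max(Timestamp),
            ReportId      = take_any(ReportId)
    by DeviceId, DeviceName, InitiatingProcessId, InitiatingProcessFileName,
       InitiatingProcessAccountName, TimeBucket = bin(Timestamp, 2m)
| where FilesTouched >= MinFilesTouched and Folders >= MinFolders
// Did the same process also reach out to other hosts on 445 in the same hour?
| join kind=leftouter (
    DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where RemotePort == 445 and ActionType == "ConnectionSuccess"
    | summarize SmbTargets = dc(RemoteIP), SmbTargetList = make_set(RemoteIP, 20)
        by DeviceId, InitiatingProcessId
  ) on DeviceId, InitiatingProcessId
// Custom detections need Timestamp, ReportId and DeviceId in the result set.
| project-rename Timestamp = LastWrite
| project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessFileName,
          InitiatingProcessAccountName, FilesTouched, Folders, NewExtensions,
          SmbTargets, SmbTargetList
```

Process IDs are reused after a process exits, so the join on `InitiatingProcessId` is only sound inside a short window such as the one-hour lookback used here; for a rule that runs every few hours, join on `InitiatingProcessCreationTime` as well.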

Your organization uses Microsoft Defender XDR. You need to configure a policy that automatically blocks high-risk user activities in Microsoft Defender for Cloud Apps. Which feature should you configure?

Question 187mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365. You receive a report that users are receiving spoofed email messages that appear to come from your own domain. The spoofed messages are not being filtered. You need to ensure that spoofed messages from your domain are blocked. What should you do?

Question 188hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Endpoint and Microsoft Defender for Identity. A user reports that their account was used to send a large volume of email messages to internal recipients, which appears to be a potential account compromise. You need to determine if the account is compromised and if any lateral movement occurred. Which data sources should you analyze in Microsoft Defender XDR?

Question 189easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for SaaS applications. Which Microsoft 365 security solution provides this capability?

Question 190mediummulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender XDR. You are configuring a custom detection rule to detect a specific behavior: a user runs a PowerShell script that connects to a known malicious IP address. Which TWO advanced hunting tables should you use in your KQL query to detect this behavior?

Question 191hardmulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization has Microsoft Defender for Endpoint deployed on all devices. You are investigating an incident where a user received a phishing email containing a link that led to a drive-by download. The download executed a script that attempted to modify registry run keys for persistence. Which THREE advanced hunting tables should you use to investigate this attack chain?

Question 192easymulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender XDR. You need to configure automated actions for high-confidence phishing emails. Which TWO actions can be automatically taken by Microsoft Defender for Office 365?

Question 193easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You run the KQL query shown in the exhibit in Microsoft Defender XDR advanced hunting. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| take 10
```
Question 194mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →
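Both this exhibit and the one for the 2024-01-01 hunt earlier on this page match `powershell.exe` with a literal `-EncodedCommand` in the command line. The query below is an added example for both questions, written for this page rather than taken from the question bank, its linked explanations or Microsoft's own hunting queries. It shows two things the exhibit queries do not: PowerShell accepts abbreviated switches (`-e`, `-ec`, `-enc`), which a term match on `-EncodedCommand` misses, and the payload is base64 of UTF-16LE, so it can be decoded inline by keeping the low byte of each code unit. The regular expression and the `pwsh.exe` addition are assumptions; characters outside Latin-1 lose their high byte in the decode, which is acceptable for triage.

```kusto
// Added example: catch abbreviated -e/-ec/-enc forms and decode the UTF-16LE payload inline.
// Assumption: the encoded blob follows the switch after whitespace and is at least 16 chars.
let EncPattern = @"(?i)\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})";
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend Encoded = extract(EncPattern, 1, ProcessCommandLine)
| where isnotempty(Encoded)
// base64 -> byte array; UTF-16LE means every second byte is the high (usually zero) byte.
| extend Bytes = base64_decode_toarray(Encoded)
| where isnotnull(Bytes)
| mv-apply with_itemindex = Idx Byte = Bytes to typeof(long) on (
    where Idx % 2 == 0
    | summarize LowBytes = make_list(Byte)
  )
| extend Decoded = unicode_codepoints_to_string(LowBytes)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          Decoded, ProcessCommandLine
| take 10
```

`InitiatingProcessFileName` is projected because the parent (an Office application, `wscript.exe`, `mshta.exe`) usually tells the analyst more than the decoded script itself.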

You are reviewing a conditional access policy in Microsoft Entra ID as shown in the exhibit. The policy is intended to block sign-ins that are considered risky. However, some high-risk users are still able to sign in. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "policy": {
    "name": "Block risky sign-ins",
    "conditions": {
      "userRiskLevels": ["high"],
      "signInRiskLevels": ["medium", "high"]
    },
    "grantControls": {
      "builtInControls": ["block"]
    }
  }
}
```
Question 195hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You create a custom detection rule in Microsoft Defender XDR using the KQL query shown in the exhibit. The rule is intended to detect lateral movement via SMB. After deploying the rule, you notice that it generates many false positives from legitimate administrative activity. What is the most effective way to reduce false positives?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Custom Detection - Lateral Movement via SMB",
  "queryText": "DeviceNetworkEvents | where RemotePort == 445 and ActionType == 'ConnectionSuccess' | join kind=inner (DeviceProcessEvents | where FileName == 'powershell.exe') on DeviceId | project Timestamp, DeviceName, AccountName, RemoteIP"
}
```
Question 196mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →
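The rule in the exhibit joins `DeviceNetworkEvents` to `DeviceProcessEvents` on `DeviceId` alone, so every successful SMB connection on a device is paired with every PowerShell start on that device, with no time or lineage relationship between them. The query below is an added example, not part of the question bank or its linked explanation, showing how a practitioner would tighten it: `DeviceNetworkEvents` already carries the initiating process, so the join is unnecessary, and the signal becomes the number of distinct hosts one account reaches in a short window. The allow-lists (`AdminAccounts`, `JumpHosts`) and the fan-out threshold are assumed placeholders.

```kusto
// Added example: SMB fan-out from PowerShell without the DeviceId-only join.
// Allow-lists and the threshold are assumptions; replace with your own values.
let AdminAccounts = dynamic(["svc-sccm", "svc-backup"]);
let JumpHosts     = dynamic(["jump01", "jump02"]);
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where RemotePort == 445 and ActionType == "ConnectionSuccess"
// The process that opened the socket is recorded on the network event itself.
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where not(InitiatingProcessAccountName in~ (AdminAccounts))
| where not(DeviceName has_any (JumpHosts))
| summarize DistinctTargets = dc(RemoteIP),
            Targets         = make_set(RemoteIP, 20),
            CommandLine     = take_any(InitiatingProcessCommandLine),
            LastSeen        = max(Timestamp),
            ReportId        = take_any(ReportId)
    by DeviceId, DeviceName, InitiatingProcessAccountName, TimeBucket = bin(Timestamp, 10m)
// One host talking to one file server is normal; one account fanning out to many is not.
| where DistinctTargets >= 5
| project-rename Timestamp = LastSeen
| project Timestamp, ReportId, DeviceId, DeviceName, InitiatingProcessAccountName,
          DistinctTargets, Targets, CommandLine
```

Keeping `Timestamp`, `ReportId` and `DeviceId` in the output lets the same query be saved directly as a custom detection rule.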

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure a policy to automatically remediate high-severity incidents involving ransomware on Windows 10 devices. The solution must minimize manual intervention. Which automation level should you configure in the automated investigation and response (AIR) capabilities?

Question 197hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You discover that a user's credentials were compromised and used to access sensitive data in SharePoint Online from an unusual location. You need to automatically suspend the user and prevent further access to cloud apps. What should you configure?

Question 198easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your company uses Microsoft Defender XDR. You need to review the list of incidents that were investigated automatically by the system. Where should you navigate in the Microsoft Defender portal?

Question 199mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security analyst. You need to create a custom detection rule in Microsoft Defender XDR that triggers an alert when a user account is created and then added to a privileged role within 24 hours. Which advanced hunting table should you primarily use?

Question 200hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization has Microsoft Defender for Cloud Apps deployed. You need to be alerted when a user performs more than 50 failed login attempts in an hour from a non-corporate IP address. Which type of policy should you create?

Question 201easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security administrator. You need to ensure that email messages containing malicious attachments are automatically removed from all mailboxes in your organization after delivery. Which Microsoft Defender for Office 365 feature should you configure?

Question 202mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from SharePoint Online to an unmanaged device. You need to automatically block the download and alert the security team. What should you configure?

Question 203hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Identity. You need to investigate an alert indicating a suspected lateral movement using pass-the-hash from a compromised workstation. Which entity should you prioritize examining in the investigation timeline?

Question 204easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are configuring policies in Microsoft Defender for Office 365. You need to ensure that users cannot click through to a malicious website that is hosted on a newly registered domain. Which policy setting should you enable?

Question 205mediummulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure an automated investigation and response (AIR) policy to automatically remediate threats on devices. Which two actions can be taken automatically without requiring administrator approval? (Choose two.)

Question 206hardmulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user shares a file containing sensitive data with an external domain. Which three components must you configure in the policy? (Choose three.)

Question 207easymulti select
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security analyst. You need to investigate a potential malware outbreak on a device using Microsoft Defender XDR. Which three data sources can you include in an advanced hunting query to gather relevant information? (Choose three.)

Question 208mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365. Users report that legitimate emails from a specific partner domain are being moved to Junk Email folder. You verify that the partner's SPF, DKIM, and DMARC records are correctly configured. Which two actions should you take to resolve this issue?

Question 209mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are investigating an incident in Microsoft Defender XDR where a user received a phishing email that contained a link to a malicious site. The user clicked the link but did not enter credentials. Which actions would be most effective to remediate the incident?

Question 210hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive files from a specific cloud app if the user's risk score is high. Which integration and policy type should you use?

Question 211mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

A user reports that they are unable to access a file in SharePoint Online. You check the audit log and see that the file was quarantined by Microsoft Defender for Office 365. What is the most likely reason?

Question 212easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are a security administrator. You need to investigate a suspicious logon from an anonymous IP address. Which Microsoft Defender XDR data source should you query first?

Question 213hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user who is performing an unusual number of failed logon attempts from a non-corporate IP address. The user is a member of the Finance group. What is the recommended first step?

Question 214easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization has Microsoft Defender for Office 365 Plan 2. You want to set up a policy that automatically moves messages containing malware to quarantine and notifies the security team. Which policy should you configure?

Question 215mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are configuring Microsoft Defender for Cloud Apps to detect anomalous behavior. You need to set up a policy that triggers an alert when a user downloads more than 100 files from SharePoint Online in 10 minutes. Which policy template should you use?

Question 216hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You run the KQL query in Microsoft Defender XDR. The query returns a list of users who logged into Exchange Online more than 10 times in the last day from a single IP address. However, you notice that some IP addresses are internal corporate IPs. What should you add to the query to focus on suspicious logons from external IPs?

Exhibit

Refer to the exhibit.
```kusto
// KQL query in Microsoft Defender XDR
IdentityLogonEvents
| where Timestamp > ago(1d)
| where Application == "Exchange Online"
| summarize TotalLogons = count() by AccountUpn, IPAddress
| where TotalLogons > 10
| project AccountUpn, IPAddress, TotalLogons
```
Question 217easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →
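A worked follow-on to the exhibit query above, added here as an example rather than taken from the question bank or its linked explanation. It keeps the same aggregation but drops private and corporate source addresses before counting, and adds the failure count and geolocation columns that `IdentityLogonEvents` already provides, so a burst of logons from one external address reads as either password spraying or a compromised session at a glance. The `CorpEgress` ranges are TEST-NET placeholders and an assumption; the `coalesce` wrappers exist because the IPv4 helpers return null for IPv6 addresses, which a bare `where` would otherwise silently discard.

```kusto
// Added example: Exchange Online logon bursts from external addresses only.
// CorpEgress holds placeholder (TEST-NET) ranges; substitute your own egress prefixes.
let CorpEgress = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
IdentityLogonEvents
| where Timestamp > ago(1d)
| where Application == "Exchange Online"
| where isnotempty(IPAddress)
// ipv4_is_private / ipv4_is_in_any_range return null for IPv6; coalesce keeps those rows.
| where coalesce(ipv4_is_private(IPAddress), false) == false
| where coalesce(ipv4_is_in_any_range(IPAddress, CorpEgress), false) == false
| summarize TotalLogons  = count(),
            FailedLogons = countif(ActionType == "LogonFailed"),
            FirstSeen    = min(Timestamp),
            LastSeen     = max(Timestamp)
    by AccountUpn, IPAddress, ISP, Location
| where TotalLogons > 10
| order by FailedLogons desc, TotalLogons desc
```

A second pass that summarizes by `IPAddress` only and counts `dc(AccountUpn)` surfaces the spray case, where each account sees few attempts but one address touches many accounts.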

You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block access to Exchange Online for users with high risk level. However, users with high risk are still able to access Exchange Online. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "High Risk Users",
  "conditions": {
    "applications": {
      "includeApplications": ["Office 365 Exchange Online"]
    },
    "users": {
      "includeUsers": ["All"]
    },
    "riskLevels": ["high"]
  },
  "grantControls": {
    "builtInControls": ["block"],
    "operator": "OR"
  }
}
```
Question 218mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are configuring a network security policy in Microsoft Defender for Cloud Apps. The exhibit shows a policy to block traffic from known Tor exit nodes. However, the policy is not blocking traffic from IP 185.220.101.5. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block Tor IPs",
    "priority": 100,
    "policyOrder": 0,
    "rules": [
      {
        "displayName": "Tor Exit Nodes",
        "action": "AlertAndBlock",
        "conditions": {
          "sourceAddresses": ["185.220.101.0/24", "185.220.102.0/24"],
          "protocols": ["Any"]
        }
      }
    ]
  }
}
```
Question 219hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. A user receives an email with a link that leads to a malicious website. The user clicks the link, but the browser is protected by Microsoft Defender SmartScreen. However, the user is still able to download a file from the site. What should you configure to prevent this?

Question 220mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You are configuring Microsoft Defender for Identity (MDI) to monitor for lateral movement attacks. Which of the following activities would MDI alert on as a potential lateral movement?

Question 221easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender XDR. You want to create a custom detection rule that triggers an alert when a specific process is created on multiple endpoints. Which advanced hunting table should you use?

Question 222hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization is using Microsoft Defender for Cloud Apps. You want to generate an alert when a user shares a file containing sensitive information with an external domain. You have configured a file policy with the condition: 'Inspection method: Data Classification Service' and 'Inspection type: Sensitive information type'. However, no alerts are triggered. What is the most likely reason?

Question 223easymultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization uses Microsoft Defender for Office 365. Users report that some phishing emails are still reaching inboxes despite the anti-phish policy being enabled. You need to reduce the number of phishing emails that bypass the filter. What should you configure?

Question 224mediummultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

You manage a Microsoft Defender for Endpoint environment. A device onboarded to Defender for Endpoint is not reporting alerts. You run the Microsoft Defender for Endpoint client analyzer and see that the service is running. Which log should you review to troubleshoot the issue?

Question 225hardmultiple choice
Read the full Manage security and threats by using Microsoft Defender XDR explanation →

Your organization has deployed Microsoft Defender for Cloud Apps. You want to detect anomalous behavior such as impossible travel for users accessing cloud apps. You need to configure the appropriate policy. Which policy type should you create?

Question 226 (easy, multiple choice)

A user reports that they cannot access a legitimate external website because Microsoft Defender for Endpoint is blocking it. The website is required for business. What should you do to allow access while maintaining security?

Question 227 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate the alert. Which log should you analyze in Microsoft Defender for Identity?

Question 228 (hard, multiple choice)

You are configuring Microsoft Defender for Office 365 anti-phish policy. You want to protect against user impersonation attacks. The CEO and CFO are frequent targets. What should you configure in the anti-phish policy?

Question 229 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing a sanctioned cloud app from an unknown IP address. You want to require multi-factor authentication (MFA) for this access. What should you configure?

Question 230 (medium, multiple choice)

You manage Microsoft Defender for Endpoint. A device is showing as 'Inactive' in the device inventory. The device is turned on and connected to the network. What is the most likely cause?

Question 231 (hard, multiple choice)

You are designing an incident response plan using Microsoft Defender XDR. You want to automate the containment of compromised devices when a high-severity incident is detected. What should you configure?

Question 232 (easy, multi-select)

Which TWO actions can you perform in the Microsoft Defender XDR portal to investigate a security incident?

Question 233 (medium, multi-select)

Which THREE settings can you configure in a Microsoft Defender for Office 365 anti-phish policy?

Question 234 (hard, multi-select)

Which TWO components are part of Microsoft Defender XDR?

Question 235 (medium, multiple choice)

You are reviewing a Microsoft Defender for Cloud Apps policy JSON. What does this policy do?

Exhibit

Refer to the exhibit.

```json
{
  "Name": "Test policy",
  "PolicyType": "ActivityPolicy",
  "Severity": "High",
  "Filter": {
    "Activity": "Sign-in",
    "IpAddress": {
      "Category": "AnonymousProxy"
    }
  },
  "Action": {
    "Block": true
  }
}
```

Question 236 (hard, multiple choice)

You run the above KQL query in Microsoft Defender for Endpoint advanced hunting. What is the purpose of this query?

Exhibit

Refer to the exhibit.

```kql
DeviceAlertEvents
| where Timestamp > ago(7d)
| where AlertTitle == "Suspicious process injection"
| summarize AlertCount = count() by DeviceName
| top 10 by AlertCount
```
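
`DeviceAlertEvents` is the older endpoint-only alert table; the cross-service tables are `AlertInfo` (one row per alert) and `AlertEvidence` (one row per entity attached to an alert). The query below is an added example, not part of the original exhibit, that answers the same question against those tables. Because evidence rows are one-per-entity, it counts distinct alert IDs rather than rows so an alert that lists several entities on the same device is not counted more than once.

```kql
// Added example, not from the original page. Same question as the
// exhibit (top 10 devices by "Suspicious process injection" alerts in the
// last 7 days), written against AlertInfo/AlertEvidence.
AlertInfo
| where Timestamp > ago(7d)
| where Title == "Suspicious process injection"
| project AlertId, Title, Severity, ServiceSource
| join kind=inner (
    AlertEvidence
    | where EntityType == "Machine"
    | where isnotempty(DeviceName)
    | project AlertId, DeviceId, DeviceName
) on AlertId
| summarize AlertCount = dcount(AlertId),
            Severities = make_set(Severity)
  by DeviceName, DeviceId
| top 10 by AlertCount
```

Grouping by `DeviceId` as well as `DeviceName` keeps two devices that share a hostname (reimaged machines, for example) from being merged into one row.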
Question 237 (hard, multiple choice)

You are a security administrator for a large enterprise with 10,000 users. The company uses Microsoft 365 E5 licenses, which include Microsoft Defender XDR. The company has recently experienced a series of ransomware attacks where attackers gained initial access through phishing emails, then moved laterally using compromised credentials, and finally deployed ransomware on file servers. The CISO wants to implement a comprehensive defense strategy that reduces the attack surface and automates response. The requirements are: 1) Prevent phishing emails from reaching users, especially those targeting executives. 2) Detect and block lateral movement using compromised credentials. 3) Automatically contain compromised devices during an incident. 4) Provide a unified incident view across email, endpoints, and identities. You need to recommend a solution that meets all requirements with minimal manual effort. What should you do?

Question 238 (hard, multiple choice)

Contoso uses Microsoft 365 E5 and has enabled Microsoft Defender for Office 365. Users report that legitimate external emails are being quarantined. You need to reduce false positives without reducing protection. What should you do?

Question 239 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. A security analyst reports that a critical file was quarantined on several devices, but the file is a trusted application. You need to restore the file and prevent future false positives. What should you do?

Question 240 (easy, multiple choice)

As a Microsoft 365 administrator, you need to ensure that sensitive data is not shared externally via email. You configure Data Loss Prevention (DLP) policies in Microsoft Purview. What is the primary purpose of a DLP policy?

Question 241 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large amounts of data from a sanctioned cloud app from an unusual location. You need to automatically suspend the user's access when such activity is detected. What should you configure?

Question 242 (hard, multiple choice)

You are investigating a potential security incident in Microsoft Defender XDR. The incident involves a user who received a phishing email and clicked a link that executed a PowerShell script. You need to perform a detailed investigation of the PowerShell script's behavior across all affected devices. Which feature should you use?

Question 243 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to ensure that malicious links in email messages are blocked at the time of click by checking the link reputation in real time. What should you enable?

Question 244 (medium, multiple choice)

You are a Microsoft 365 administrator. A user reports that they received a Microsoft Teams message from an external user containing a link to a malicious website. The user clicked the link but did not enter any credentials. You need to prevent similar incidents in the future. What should you configure?

Question 245 (hard, multiple choice)

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt from a domain controller. You need to determine if the account was compromised by checking for lateral movement. What should you do in the Microsoft 365 Defender portal?

Question 246 (medium, multiple choice)

Your organization has Microsoft 365 E5 and uses Microsoft Defender for Cloud Apps. You want to block downloads from an unsanctioned cloud app that is used by some employees. What should you configure?

Question 247 (medium, multi-select)

You are configuring Microsoft Defender for Office 365. Which TWO actions should you take to protect users from phishing attacks that use impersonation?

Question 248 (hard, multi-select)

You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different sources. Which THREE actions should you take during the investigation?

Question 249 (medium, multi-select)

Your organization uses Microsoft Defender for Cloud Apps. You want to control the use of personal cloud storage apps. Which TWO actions should you take?

Question 250 (hard, multi-select)

You are configuring Microsoft Defender for Identity. Which THREE capabilities does it provide?

Question 251 (medium, multiple choice)

Refer to the exhibit. You are configuring a session policy in Microsoft Defender for Cloud Apps. The policy must block downloads when both the app risk is high and the user risk is high. Based on the exhibit, which additional condition should you add to ensure the policy only applies to unsanctioned apps?

Exhibit

```json
{
  "rules": [
    {
      "name": "Block high-risk downloads",
      "action": "block",
      "conditions": {
        "appRiskScore": "high",
        "activity": "download",
        "userRiskScore": "high"
      }
    }
  ]
}
```

Question 252 (hard, multiple choice)

You are the security administrator for a multinational organization using Microsoft 365 E5. The organization has 10,000 users across three regions: North America, Europe, and Asia. You have deployed Microsoft Defender for Endpoint on all Windows devices and enabled Microsoft Defender for Office 365. Recently, a sophisticated phishing campaign targeted executives in Europe, using a custom domain that closely resembles your legitimate domain (e.g., contoso.com vs. contos0.com). The emails bypassed anti-spam and anti-phishing policies. You need to configure protection to block these impersonation attempts without affecting legitimate emails from the actual domain. You must also ensure that any similar future attempts using different variations are automatically detected. What should you do?

Question 253 (medium, multiple choice)

Your company uses Microsoft Defender for Endpoint and Microsoft Intune. You have a group of remote users who connect to the corporate network via VPN. Recently, several of these devices were compromised due to unpatched vulnerabilities. You need to ensure that devices that are missing critical security updates are automatically blocked from accessing corporate resources. The solution must integrate with Microsoft Defender for Endpoint's threat and vulnerability management (TVM) data. What should you configure?

Question 254 (hard, multiple choice)

Your organization uses Microsoft 365 E5 and has deployed Microsoft Defender for Cloud Apps. You discover that a user in the finance department is using a personal cloud storage app to store sensitive financial data. The app is unsanctioned. You need to prevent any further uploads of sensitive data to this app. Additionally, you want to automatically alert when users attempt to access this app from unmanaged devices. You must not block access entirely, as some users need to read data already stored there. What should you configure?

Question 255 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You need to configure automated remediation for a confirmed phishing email that was delivered to a user's inbox. The remediation should also block the sender's domain across the tenant. Which action should you include in the automation playbook?

Question 256 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A user reports that their device is running slowly and exhibiting unusual network traffic. You investigate in Microsoft Defender XDR and see a high number of alerts for the device. You need to determine if the device is compromised and, if so, initiate an automated investigation. What should you do first?

Question 257 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You want to detect when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

Question 258 (medium, multiple choice)

Your organization has Microsoft Defender for Office 365 Plan 2. You need to ensure that when a user reports a phishing email using the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the result. What should you configure?

Question 259 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A security analyst reports that several domain controllers are generating alerts for anomalous logon activity. You need to investigate the scope of the potential compromise across the entire environment, including endpoints, identities, and cloud apps. What is the most efficient approach?

Question 260 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads more than 100 files from SharePoint Online within 10 minutes. What should you configure?
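
The question is about a Defender for Cloud Apps policy with a repeated-activity condition. As an added example (not from the original page), the advanced hunting query below finds the same pattern retrospectively in `CloudAppEvents`, which is useful for checking how noisy the threshold would be before the policy goes live. The `Application` and `ActionType` strings are assumed from the `CloudAppEvents` schema.

```kql
// Added example, not from the original page. Retrospective check for the
// burst an activity policy with a repeated-activity condition would alert
// on. Fixed 10-minute bins can split one burst across two bins, so this
// is a lower bound on what the policy's sliding window would see.
let window = 10m;
let threshold = 100;
CloudAppEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft SharePoint Online"
| where ActionType == "FileDownloaded"
| summarize Downloads = count(),
            DistinctFiles = dcount(ObjectName),
            SourceIPs = make_set(IPAddress, 5),
            Start = min(Timestamp), End = max(Timestamp)
  by AccountObjectId, AccountDisplayName, Bucket = bin(Timestamp, window)
| where Downloads > threshold
| order by Downloads desc
```

`DistinctFiles` next to `Downloads` separates a sync client re-downloading one file from a user pulling a whole library, which is the case the policy is meant to catch.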

Question 261 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A user reports receiving a suspicious email with a link to a known phishing site. You need to prevent other users from clicking similar links in the future. What should you configure?

Question 262 (hard, multiple choice)

Your organization has Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A critical server is showing signs of a ransomware attack. You need to contain the threat while preserving forensic evidence for analysis. What should you do first?

Question 263 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to ensure that emails containing malicious attachments are automatically removed from users' inboxes after detection. What should you configure?

Question 264 (medium, multi-select)

Your organization uses Microsoft Defender XDR. You need to configure automatic response actions for a high-severity incident. Which TWO options are available in the Microsoft Defender XDR automated investigation and response capabilities?

Question 265 (hard, multi-select)

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A security incident involves a user who accessed a malicious link from an email and then uploaded sensitive data to an external cloud app. Which THREE Microsoft Defender XDR components would provide relevant alerts and insights for this incident?

Question 266 (easy, multi-select)

Your organization uses Microsoft Defender for Endpoint (Plan 2). You need to configure a custom detection rule that alerts when a specific process attempts to access the internet. Which TWO components are required to create this custom detection?

Question 267 (hard, multiple choice)

Refer to the exhibit. You run the KQL query and see that a device named 'WORKSTATION42' has made 1500 connections to a public IP address 203.0.113.55 in the last day. You suspect the device may be compromised. What should you do next to gain the most context?

Exhibit

You run the following KQL query in Microsoft Defender XDR Advanced Hunting:

```kql
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"
| summarize Count = count() by DeviceName, RemoteIP
| where Count > 100
| order by Count desc
```

The query returns a list of devices that have made over 100 successful connections to public IPs in the last day. You need to investigate further.
Question 268 (medium, multiple choice)

Your organization is a multinational company with 10,000 users. You use Microsoft Defender for Office 365 Plan 2, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Recently, a sophisticated phishing campaign targeted your executives. The campaign used personalized emails with malicious links that bypassed Safe Links protection. Several executives clicked the links and entered their credentials on a fake login page. The attackers then used those credentials to access the executives' mailboxes and exfiltrate sensitive data. You need to implement a solution that prevents similar attacks in the future by automatically blocking access to newly discovered phishing sites and providing real-time protection when users click unknown URLs. The solution should also allow you to simulate phishing campaigns to train users. What should you do?

Question 269 (hard, multiple choice)

Your organization is a financial services company with 5,000 users. You use Microsoft Defender XDR, including Defender for Endpoint Plan 2, Defender for Identity, Defender for Office 365 Plan 2, and Defender for Cloud Apps. You have recently deployed Microsoft Copilot for Security to assist your security operations center (SOC) analysts. A high-severity incident is generated: 'A user named jdoe accessed a malicious IP address from their device, and then logged into Azure Portal from an anonymous IP address. Defender for Identity detected a suspicious Kerberos ticket request from the same user's domain controller.' The SOC analysts are overwhelmed with alerts and need to quickly understand the full scope of the incident, including related alerts, impacted assets, and recommended actions. They also want to use natural language to ask questions about the incident. What should you do to enable the analysts to efficiently investigate this incident?

Question 270 (easy, multiple choice)

Your organization is a small business with 200 users. You use Microsoft 365 Business Premium, which includes Microsoft Defender for Business (the small business version of Defender for Endpoint) and Microsoft Defender for Office 365 Plan 1. You want to protect against ransomware by blocking malicious processes and behaviors on endpoints. You also need to enable automated investigation and response for common threats. However, your IT team has limited security expertise and wants a simple configuration that provides out-of-the-box protection without custom policies. What should you do?

Question 271 (easy, multi-select)

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) to automatically remediate threats. Which two actions should you take?

Question 272 (medium, multi-select)

You are investigating an alert in Microsoft Defender XDR that indicates a user clicked a malicious link in an email. You need to gather additional information to determine the scope of the attack. Which three sources should you examine?

Question 273 (hard, multi-select)

You are configuring Microsoft Defender for Office 365 to protect against sophisticated phishing attacks. You need to ensure that users are warned about potentially malicious messages that bypass other filters. Which two policies should you configure?

Question 274 (hard, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft Sentinel in a hybrid deployment. You are the security operations lead. A new regulation requires that all security alerts be automatically enriched with threat intelligence indicators from an external feed before being sent to Sentinel. You need to implement this enrichment with minimal latency and without writing custom code. What should you do?

Question 275 (medium, multiple choice)

You are a security administrator for a multinational company that uses Microsoft Defender XDR. You have deployed Microsoft Defender for Endpoint on all devices. The company has a strict policy that any device with a high-severity alert must be isolated from the network immediately. You need to configure an automated response that isolates the device as soon as a high-severity alert is generated. What should you do?

Question 276 (hard, multiple choice)

Your company uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are the security administrator. The company's incident response team receives hundreds of low-severity alerts daily, causing alert fatigue. You need to reduce noise by automatically closing low-severity alerts that are determined to be false positives by Microsoft's threat intelligence. You want to minimize manual effort and ensure that only alerts with high confidence of being false positives are closed. What should you do?

Question 277 (easy, multiple choice)

You are a security administrator for an organization that uses Microsoft Defender XDR. You want to provide your security operations team with a unified view of all incidents across endpoints, email, and identities. You also want to automate the creation of incidents when correlated alerts are detected. What should you do?

Question 278 (medium, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user reports a phishing email using the Microsoft Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. You want to minimize administrative effort. What should you do?

Question 279 (hard, multiple choice)

Your company uses Microsoft Defender XDR and Microsoft Defender for Cloud Apps. You have discovered that a user's credentials were compromised and used to access a SaaS application from an unusual location. You need to automatically suspend the user's access to all cloud apps and require a password reset. The suspension should be immediate upon detection. What should you do?

Question 280 (easy, multiple choice)

You are a security administrator for a company that uses Microsoft Defender XDR. You need to generate a report that shows the number of incidents closed as true positive, false positive, and benign in the last 30 days. You want to use built-in features without writing custom queries. What should you do?

Question 281 (medium, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are a security administrator. The security team wants to receive email notifications for high-severity incidents only. You need to configure the notification settings. What should you do?

Question 282 (hard, multiple choice)

Your company uses Microsoft Defender XDR and Microsoft Defender for Identity. You have detected that a domain controller is communicating with a known malicious IP address. You need to immediately contain the threat by isolating the domain controller from the network while preserving forensic data. However, you cannot afford downtime for authentication services. What should you do?

Question 283 (medium, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user is determined to be compromised (e.g., due to a leaked credential), all active sessions are terminated and the user is required to re-authenticate with multi-factor authentication (MFA). You want to automate this process as much as possible. What should you do?

Question 284 (easy, multiple choice)

You are a security administrator for a company that uses Microsoft Defender XDR. You need to investigate a suspicious email that was reported by a user. You want to see the full email details, including headers, attachments, and URLs. Where should you look?
