Practice SC-200 Perform threat hunting questions with full explanations on every answer.
1. A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?
2. A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?
3. During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?
4. A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?
5. A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?
6. A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?
7. A threat hunter wants to proactively search for signs of ransomware activity in the environment using Microsoft Sentinel. Which data source is most likely to provide early indicators of ransomware, such as mass file renaming or encryption?
8. During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple servers in the environment. The script connects to an external IP address and downloads a payload. The analyst wants to find all other servers that may have been compromised by the same script. What is the most efficient way to search for this across the environment?
9. A threat hunter is using Microsoft Sentinel to hunt for a potential advanced persistent threat (APT) that is using living-off-the-land binaries (LOLBins). The hunter creates a KQL query that lists all instances of certutil.exe making network connections. The query returns many legitimate results. What is the best way to reduce false positives while still detecting malicious use?
10. A threat hunter is using Microsoft Sentinel to hunt for signs of privilege escalation via Azure AD role assignment changes. Which TWO KQL operators or functions are most useful for identifying changes that added a user to a high-privilege role?
11. A threat hunter is investigating a potential data exfiltration via DNS tunneling using Microsoft Defender for Endpoint advanced hunting. Which THREE columns from the DeviceNetworkEvents table should the hunter include in a query to detect anomalous DNS queries?
12. A security analyst is using Microsoft Sentinel to hunt for signs of a brute-force attack against Azure AD. Which TWO data sources are most relevant for this hunt?
13. A threat hunter runs the KQL query above in Microsoft Sentinel to detect accounts that have experienced multiple failed sign-in attempts due to a disabled account (ResultType 50057) from the same IP. The query returns no results even though the hunter knows that some disabled accounts are being attacked. What is the most likely reason for the false negatives?
14. A threat hunter writes the KQL query above in Microsoft Defender for Endpoint advanced hunting to find devices where a script host process was launched with encoded commands and then connected to an HTTPS endpoint within 10 minutes. The query is syntactically correct but returns no results. The hunter knows that such activity has occurred. What is the most likely reason?
15. A threat hunter in Microsoft Sentinel is reviewing a JSON definition for a scheduled analytics rule as shown in the exhibit. The rule is intended to run daily and alert on any device running powershell.exe with an encoded command. However, no alerts have been generated even though the hunter knows such activity exists. What is the most likely cause?
16. During a threat hunt, you discover that a PowerShell script executed on multiple servers and established outbound connections to an external IP address. Which data source should you query in Microsoft Defender XDR to identify the specific command-line arguments used?
17. Your threat hunt aims to detect possible Kerberoasting attacks. Which KQL query in Microsoft Sentinel would best identify service principal name (SPN) requests from unusual accounts?
18. You are threat hunting for signs of credential dumping via LSASS access. Which Advanced Hunting schema table in Microsoft Defender XDR should you primarily query to find processes that opened a handle to LSASS?
19. Your threat hunt involves correlating alerts from Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint. Which Microsoft Sentinel integration should you use to unify these alerts for hunting?
20. During a hunt, you find that a user account has logged in from an IP address associated with a known command-and-control (C2) server. The hunt also reveals that the same IP accessed a SharePoint site containing sensitive documents. Which Microsoft Purview feature should you use to investigate data exfiltration?
21. You need to create a custom detection rule in Microsoft Sentinel that alerts when an anomalous number of failed logons occur from a single IP address within 5 minutes. Which KQL operator should you use to count failed logons per IP?
22. Your threat hunt identifies that an attacker used a previously unknown malware variant to move laterally. Which Microsoft Defender XDR feature would you use to automatically block the file based on behavioral detection?
23. You are investigating a potential DCSync attack. Which Advanced Hunting query in Microsoft Defender XDR would best detect a process making atypical directory replication requests?
24. You are hunting for signs of pass-the-hash (PtH) attacks. Which Windows Security Event ID should you focus on to detect anomalous NTLM authentication using a hash?
25. Which TWO data sources are most relevant for threat hunting for lateral movement using remote service creation (e.g., WMI, PsExec)?
26. Which THREE techniques would you use in Microsoft Sentinel to hunt for data exfiltration over DNS?
27. Which TWO built-in Microsoft Sentinel hunting queries are useful for detecting signs of compromised credentials?
28. A security analyst is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. Which KQL function is most appropriate to identify anomalous Kerberos service ticket requests?
29. During a threat hunt, you discover a suspicious PowerShell command that decoded a base64 string and executed a script. Which Microsoft Defender for Endpoint advanced hunting table should you query to find the decoded command line?
30. A threat hunter wants to use Microsoft Sentinel's UEBA to identify anomalous behavior. Which data connector must be enabled to provide the necessary Azure Active Directory (now Microsoft Entra ID) sign-in logs for UEBA?
31. During a hunt, you find a device that made successive outbound connections to multiple IP addresses on port 445 (SMB) within a short time. Which type of activity does this pattern most likely indicate?
32. You are hunting for signs of Pass-the-Hash attacks using Microsoft Defender for Identity. Which alert should you look for in Microsoft Defender XDR?
33. To hunt for malicious PowerShell encoded commands, which columns in the DeviceProcessEvents table in Microsoft 365 Defender advanced hunting should you focus on?
34. A threat hunter suspects a data exfiltration attempt via DNS tunneling. Which KQL query would best detect unusual DNS query patterns in Microsoft Sentinel?
35. While hunting, you notice a user account has been created and then immediately added to the Domain Admins group. Which table in Microsoft 365 Defender should you query to find this event?
36. You are hunting for suspicious scheduled tasks that could be used for persistence. Which Microsoft 365 Defender advanced hunting table contains information about scheduled tasks?
37. Which TWO data sources are essential for threat hunting in Microsoft Sentinel to detect lateral movement?
38. Which THREE indicators are commonly associated with ransomware activity in Microsoft Sentinel threat hunting?
39. Which TWO Microsoft Sentinel hunting features can be used to automatically surface suspicious activities without manual query writing?
40. You are reviewing a hunting query that identifies accounts with failed logons followed by successful logons from the same IP. The query returns no results even though you suspect brute force activity. What is the most likely issue?
41. You are creating a custom hunting query in Microsoft Sentinel for PowerShell Empire indicators. After deploying, the query never returns results, even though you know Empire activity exists in the environment. What is the most likely cause?
42. A threat hunter runs this KQL query to find devices making many outbound SMB connections. The result shows a device 'DC01' connecting to over 100 different IPs on port 445. What is the most likely explanation?
43. You are performing a threat hunt in Microsoft Sentinel and have a KQL query that returns a high number of false positives. You want to reduce the noise without missing real threats. Which approach should you take?
44. During a threat hunt in Microsoft Defender XDR, you notice repeated failed logon attempts from an IP address that belongs to a known anonymizer service. What is the first action you should take?
45. Your threat hunting team is using Microsoft Sentinel with User and Entity Behavior Analytics (UEBA). You want to identify anomalous outbound data transfers that may indicate data exfiltration. Which KQL function should you use to compare current activity against a baseline?
46. You are reviewing a threat hunting KQL query in Microsoft Sentinel. The query references an external CSV containing malicious IPs. The query returns no results despite known malicious activity. What is the most likely issue?
47. You are a threat hunter and you want to identify potential lateral movement in your environment. Which Microsoft Defender XDR hunting table would you query to find network connections from a compromised workstation to other internal devices?
48. You are analyzing the query above in Microsoft 365 Defender advanced hunting. The goal is to identify potentially compromised accounts used only once. The query returns thousands of results including many normal single logons. How can you refine the query to reduce false positives?
49. During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a known malicious URL. The script was run on multiple workstations. Which Microsoft Defender XDR action should you take to contain the threat?
50. You are threat hunting for credential dumping activity. Which Windows event ID is commonly associated with the use of tools like Mimikatz?
51. You are creating a custom detection rule in Microsoft Sentinel using the JSON above. The rule does not trigger any alerts despite known PowerShell encoded commands executing. What is the most likely cause?
52. Which TWO Microsoft 365 Defender advanced hunting tables would you use together to investigate a potential data exfiltration via email?
53. Which THREE actions are recommended when conducting a threat hunting exercise in Microsoft Sentinel using the MITRE ATT&CK framework?
54. Which TWO data sources in Microsoft Sentinel are commonly used for threat hunting related to lateral movement?
55. You are a threat hunter using PowerShell on a Windows 10 device. The command returns no output for a known threat ID. What is the most likely reason?
56. You are using Microsoft Sentinel UEBA to hunt for insider threats. Which entity type would you investigate to detect unusual access to sensitive data?
57. You are analyzing the KQL query above in Microsoft Sentinel. The query is designed to find devices with high outbound SMB (port 445) connections to suspicious public IPs. However, the query returns no results. What is the most likely issue?
58. You are a security analyst using Microsoft Sentinel. You want to proactively search for signs of a specific threat actor known to use PowerShell encoded commands. Which hunting technique is most appropriate?
59. Your organization uses Microsoft Defender XDR for threat hunting. You suspect a threat actor is using scheduled tasks for persistence. Which hunting query would you use in Microsoft 365 Defender advanced hunting to find newly created scheduled tasks?
60. During a threat hunting exercise, you need to pivot from a suspicious IP address to find all related alerts and incidents in Microsoft Sentinel. Which feature should you use?
61. Refer to the exhibit. The KQL query is used for threat hunting in Microsoft 365 Defender. What is the primary purpose of this query?
62. You are hunting for signs of Kerberoasting in Microsoft Sentinel. Which hunting query using KQL would you use to identify service principal names (SPNs) being queried via Kerberos TGS requests?
63. Your team is conducting a threat hunt for data exfiltration using Microsoft Defender for Cloud Apps. Which activity is most suspicious and should be included in the hunting query?
64. Which TWO techniques are commonly used in threat hunting with Microsoft Sentinel to identify lateral movement? (Choose two.)
65. Which THREE approaches are effective for hunting threats in Microsoft Defender XDR using advanced hunting? (Choose three.)
66. Which TWO data sources in Microsoft Sentinel are most valuable for hunting for command-and-control (C2) communications? (Choose two.)
67. Refer to the exhibit. This JSON defines a scheduled analytics rule in Microsoft Sentinel. Which type of threat is the rule primarily designed to detect?
68. Refer to the exhibit. This KQL query is used for threat hunting in Microsoft Defender XDR. What is the primary goal of this query?
69. You are threat hunting for signs of Microsoft 365 mailbox compromise. Which hunting query in Microsoft 365 Defender would be most effective for identifying suspicious mailbox forwarding rules?
70. During a threat hunt in Microsoft Sentinel, you find a series of suspicious sign-ins to Microsoft Entra ID from an IP address known to be associated with a threat actor. Which entity should you pivot on to investigate further?
71. Refer to the exhibit. The KQL query is used for threat hunting in Microsoft Defender XDR. What is the most likely scenario this query is designed to detect?
72. You are a SOC analyst using Microsoft Sentinel. You need to create a hunting query that searches for unusual outbound RDP connections from workstations. Which KQL operators or functions would be most essential for this query?
73. An analyst is reviewing a series of alerts in Microsoft Defender XDR indicating potential lateral movement. Which KQL query in Microsoft Sentinel would best identify anomalous RDP connections to servers not typically accessed remotely?
74. You are investigating a potential data exfiltration incident. You notice a user uploading large amounts of data to a cloud storage service that the organization has not approved. Which Microsoft Defender XDR feature would best help you hunt for similar patterns across all users?
75. During a threat hunt, you want to identify processes that have made network connections to known malicious IP addresses. Which data source in Microsoft Defender for Endpoint would provide the necessary information?
76. Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to create a hunting query that finds users who have accessed a high number of distinct Azure resources within a short time frame, which may indicate credential theft. Which KQL query would be most effective?
77. You are hunting for signs of credential dumping using Mimikatz. Which process events in Microsoft Defender for Endpoint would most likely indicate this activity?
78. An analyst uses this KQL query in Microsoft Sentinel to hunt for potential brute-force attacks. What is the primary purpose of the join operation?
79. You are hunting for signs of ransomware activity. Which of the following behaviors in Microsoft Defender for Endpoint should you prioritize as a high-confidence indicator?
80. During a threat hunt in Microsoft Sentinel, you find a query that returns a high number of false positives. Which action should you take to refine the hunt?
81. Refer to the exhibit. A custom detection rule in Microsoft Sentinel uses this JSON definition. An analyst notices that the rule is generating alerts for legitimate administrative scripts launched from File Explorer. What is the best way to reduce false positives while retaining detection of malicious Office-based PowerShell launches?
82. Which TWO of the following are valid methods to perform threat hunting in Microsoft Sentinel? (Choose TWO.)
83. Which THREE of the following are key considerations when designing a threat hunting program in Microsoft Defender XDR and Microsoft Sentinel? (Choose THREE.)
84. Which TWO of the following KQL functions are commonly used in threat hunting queries to identify outliers? (Choose TWO.)
85. An analyst runs this PowerShell script to query Microsoft Sentinel data. The query returns no results. What is the most likely reason?
86. Which Microsoft Sentinel feature allows you to query data across multiple workspaces in a single KQL query?
87. You are conducting a threat hunt in Microsoft Defender XDR and want to identify devices that have recently communicated with a known C2 server IP address. Which advanced hunting table should you query?
88. A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network traffic from a compromised virtual machine. Which data source should be prioritized for this hunt?
89. During a threat hunt in Microsoft Defender XDR, an analyst discovers that a specific user account has been executing unusual PowerShell commands from a non-corporate device. The analyst wants to investigate the timeline of these activities across all Microsoft 365 services. Which advanced hunting schema should be used to correlate these events?
90. A threat hunter in Microsoft Sentinel wants to detect attempts to disable security logging on Windows servers using a KQL query. Which Windows Event ID should the query filter on to capture security log clearing events?
91. Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you find that a user accessed a sensitive SharePoint site from an anonymous IP address. Which hunting method would best identify all users who accessed the same site from similar anonymous IPs?
92. You are threat hunting in Microsoft Sentinel and have enabled UEBA. You want to detect a possible privilege escalation where a user creates a new user account and adds it to a privileged role within minutes. Which UEBA anomaly type should you investigate?
93. A threat hunter is using Microsoft Defender XDR advanced hunting to find evidence of credential dumping. Which table should be queried to detect use of tools like Mimikatz?
94. During a threat hunt, you find an alert for a suspicious PowerShell script that encoded a payload. You want to decode the script to understand its intent. Which Microsoft Sentinel feature can assist with this task?
95. Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You are hunting for signs of a possible Kerberos Golden Ticket attack. Which advanced hunting table should you query to detect anomalous Kerberos ticket-granting ticket (TGT) requests?
96. While threat hunting in Microsoft Defender for Cloud Apps, you notice a user has an unusually high number of failed login attempts from a single IP address. What is the most effective next step to determine if this is a brute-force attack?
97. The KQL query above is used in a threat hunt. What is the most likely scenario this query is designed to detect?
98. The exhibit shows a hunting query definition in Microsoft Sentinel. What is the primary issue with this hunting query?
99. A threat hunter runs the KQL query above in Microsoft Sentinel. What is the main limitation of this query?
100. Which TWO actions are effective when threat hunting for lateral movement using remote desktop protocol (RDP) in Microsoft Defender XDR?
101. Which THREE data sources should be included in a threat hunt to detect data exfiltration via DNS tunneling in Microsoft Sentinel?
102. Which THREE actions are recommended when conducting a threat hunt for compromised identities using Microsoft Sentinel UEBA?
103. During a threat hunt in Microsoft Sentinel, you identify a series of successful logins from an unusual IP address to multiple Azure VM instances. The logins occur outside business hours. Which hunting technique would be most effective to correlate these events with potential lateral movement?
104. A security analyst is hunting for signs of credential dumping using Microsoft Defender for Endpoint. Which advanced hunting query should the analyst use to detect the use of Mimikatz?
105. Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During a hunt, you notice that some alerts from Microsoft Defender for Identity are not appearing in Sentinel. You have verified the connector is enabled and data is flowing for other Defender products. What is the most likely cause?
106. Refer to the exhibit. You are reviewing a KQL query used in a threat hunting campaign. What is the primary purpose of this query?
107. You are a threat hunter investigating a potential data exfiltration via Microsoft Teams. You need to identify if any users have shared sensitive files externally. Which hunting approach should you use?
108. During a hunt, you discover that an attacker used a valid but compromised service principal to authenticate to Azure Key Vault and export secrets. Which Microsoft Sentinel hunting query would best identify similar activity across your environment?
109. You are hunting for signs of ransomware in your environment using Microsoft 365 Defender. Which advanced hunting table should you primarily query to detect file encryption events?
110. As a threat hunter, you want to proactively search for signs of privilege escalation using the 'AzureHound' tool within your Microsoft Sentinel environment. Which data source is most relevant to ingest to detect AzureHound usage?
111. Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You are hunting for a threat that uses 'process hollowing' to evade detection. Which advanced hunting query in Microsoft Defender for Endpoint would be most effective?
112. Which TWO of the following are valid techniques for threat hunting using Microsoft Sentinel? (Select TWO.)
113. Which THREE of the following are best practices for performing threat hunting in Microsoft Defender XDR? (Select THREE.)
114. Which TWO of the following are valid methods to detect Kerberoasting attacks during a threat hunt? (Select TWO.)
115. You are a threat hunter at Contoso, a multinational company with 10,000 employees. Your production environment includes: Microsoft 365 E5 licenses; Microsoft Sentinel in a central Log Analytics workspace; Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps; and Microsoft Entra ID P2. You are tasked with hunting for a potential advanced persistent threat (APT) that may have compromised a high-privilege account. The threat intelligence team has reported that the APT group uses living-off-the-land binaries (LOLBins) to execute malicious code and uses encrypted tunnels to C2 servers. You need to design a hunting query in Microsoft Sentinel that correlates multiple data sources to identify suspicious LOLBin usage combined with unusual network connections. Which approach should you take?
116. You are a threat hunter at Fabrikam, a mid-sized company with 2,000 users. Your environment uses: Microsoft 365 E3 licenses; Microsoft Sentinel with the Microsoft 365 Defender connector; Microsoft Defender for Office 365; and Microsoft Defender for Endpoint (without Microsoft Defender for Identity). You are investigating a suspicious email campaign where some users received phishing emails with links to a credential harvesting page. You want to proactively search for any users who may have entered credentials on the phishing page. You have no direct logs from the phishing server. Which hunting approach should you use in Microsoft Sentinel?
117. You are a security analyst at Wingtip Toys, a small business with 500 users. You have Microsoft 365 Business Premium licenses and Microsoft Sentinel deployed. You are conducting a threat hunt for signs of brute-force attacks against your Azure AD tenant. You want to identify IP addresses that have attempted multiple failed sign-ins across different user accounts within a short time window. You have access to the SigninLogs table in Microsoft Sentinel. Which KQL query should you use?
118. You are investigating a series of failed logon attempts across multiple on-premises servers. You want to use Microsoft Sentinel to hunt for patterns of brute-force attacks. Which data source should you ingest to capture detailed authentication events from domain controllers?
119. During a threat hunt, you notice an unusual number of DNS queries for randomly generated subdomains from a single workstation. You suspect data exfiltration via DNS tunneling. Which KQL query in Microsoft Sentinel would best help you identify the suspicious domain names?
120. Refer to the exhibit. You are reviewing a custom hunting query in Microsoft Defender XDR. The query aims to identify devices with more than 100 outbound connections in the last 30 days to IPs that appear in active threat intelligence indicators. However, the query returns no results. What is the most likely cause?
121. You are conducting a threat hunt for possible credential dumping using Mimikatz. Which Windows Security Event ID should you focus on in Microsoft Sentinel to detect potential use of Mimikatz?
122. Your organization uses Microsoft Sentinel with custom analytics rules. During a threat hunt, you want to identify lateral movement using pass-the-hash techniques. Which data source combination is most effective?
123. While hunting in Microsoft Sentinel, you find a KQL query that uses the `evaluate` operator with `bag_unpack` to expand JSON properties. The query runs slowly and times out. What is the best practice to optimize this query?
124. You are hunting for signs of ransomware using Microsoft Defender XDR's advanced hunting. Which query pattern would best identify a process that encrypts many files in a short time?
125. Which TWO data sources are most useful for detecting unauthorized lateral movement in a hybrid environment using Microsoft Sentinel?
126. Which THREE techniques are effective for hunting for living-off-the-land (LotL) attacks using Microsoft Sentinel?
127. Which TWO are common indicators of compromise (IOCs) used in threat hunting with Microsoft Sentinel?
128. You are hunting for possible data exfiltration via email in Microsoft 365. Which data source in Microsoft Sentinel provides the most relevant telemetry for email forwarding rules?
129. Refer to the exhibit. You are using a hunting query in Microsoft Defender XDR to find devices generating excessive DNS queries. The query returns many results, but you want to exclude legitimate DNS servers. What is the best approach to refine the query?
130. You are a security analyst at Contoso, a multinational company with 10,000 endpoints. You are using Microsoft Sentinel and Microsoft Defender XDR for threat hunting. In the past week, you have observed an increase in failed logon events (Event ID 4625) from multiple workstations towards a single domain controller, targeting the built-in Administrator account. The source IPs are a mix of internal and external addresses. You suspect a password spraying attack. You need to confirm the attack and identify all affected accounts. You have access to Windows Security Events ingested into Sentinel. Which single KQL query would best identify accounts with repeated failed logons across multiple source IPs, indicating password spraying?
131. You are a security analyst at Fabrikam using Microsoft Sentinel. You are conducting a threat hunt for signs of remote code execution (RCE) via the Windows Event Log. You want to detect suspicious service creation that could indicate lateral movement. Specifically, you want to find events where a service was created (Event ID 7045) on a server, and within 5 minutes, a network connection was established from that server to another internal server. You have SecurityEvent and CommonSecurityLog tables ingested. Which KQL query should you use?
132. You are a security analyst at Wingtip Toys using Microsoft Defender XDR. You are hunting for signs of privilege escalation via SeDebugPrivilege abuse. You want to find processes that have enabled SeDebugPrivilege and then accessed LSASS (Event ID 10). You have DeviceProcessEvents and DeviceEvents tables available. Which advanced hunting query would best identify this pattern?
133. Which TWO actions are essential for configuring Microsoft Sentinel to support effective threat hunting?
134. A threat hunter wants to use Jupyter Notebooks in Microsoft Sentinel for hypothesis-driven hunting. Which THREE steps should the hunter take to set up and use this capability?
135. Your organization uses Microsoft Sentinel to monitor a hybrid environment consisting of on-premises servers and cloud workloads in Azure. As a threat hunter, you have been tasked with identifying potential lateral movement using pass-the-hash (PtH) attacks. You have enabled UEBA and connected Windows Event Logs, including Event ID 4624 (logon) and 4648 (explicit credentials). You need to create a hunting query that surfaces anomalous remote logons where the same account logs on from a non-domain-joined machine using NTLM authentication. Which KQL query should you use to start your hunt?
136. Your team is using Microsoft 365 Defender advanced hunting to investigate a possible data exfiltration incident. The security team suspects that an internal attacker used a compromised SharePoint Online account to download sensitive files from multiple sites. You need to build a hunting query that identifies all file download activities from SharePoint Online for a specific user account over the past 7 days, and then calculates the total size of downloaded files. Which KQL query should you use?
137. As a threat hunter at Contoso, you are investigating a potential advanced persistent threat (APT) that may have compromised multiple Azure subscriptions. You have Microsoft Defender for Cloud enabled and Microsoft Sentinel collecting data from all subscriptions. You suspect the attacker is using Azure Resource Manager operations to create malicious resources. You need to create a hunting query that identifies anomalous Azure management operations, specifically focusing on operations that create new resources (e.g., virtual machines, storage accounts) from unusual IP addresses or at unusual times. Which approach should you take?
138. Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. As a threat hunter, you receive an alert about a potential DCSync attack. You want to hunt for any other instances of this attack across your domain controllers over the past 30 days. Which hunting query should you run in Microsoft 365 Defender advanced hunting?
139. Your team is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. You have enabled Advanced Security Audit Policy on domain controllers to log Kerberos service ticket operations (Event ID 4769). You need to create a KQL query that identifies potential golden ticket use by looking for service tickets that have anomalous attributes, such as ticket encryption type 0x17 (RC4) combined with a long lifetime or unusual service names. Which KQL query should you use?
140. Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector to ingest alerts and incidents from Defender for Endpoint, Defender for Office 365, and Defender for Identity. As a threat hunter, you want to proactively search for devices that may be communicating with known malicious IP addresses that have not yet triggered an alert. You have a list of known malicious IP addresses from an external threat intelligence feed. Which approach should you take to perform this hunt efficiently?
141. A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network connections from a compromised workstation. The analyst suspects that a beaconing pattern is present. Which KQL function is most appropriate to detect periodic beaconing behavior over time?
142. During a threat hunt, an analyst discovers that a user's device has been sending large amounts of data to an external IP address associated with a known C2 server. The analyst wants to trace the process responsible for the outbound connections. Which Microsoft Defender for Endpoint advanced hunting table should be queried to find the process that initiated the network connections?
143. A threat hunter wants to use Microsoft Sentinel to hunt for signs of brute-force attacks against Azure AD (now Microsoft Entra ID). Which data connector should be enabled to ingest sign-in logs?
144. A threat hunter is analyzing a suspicious email that bypassed Microsoft Defender for Office 365. The email contains a link to a malicious website. The hunter wants to identify all users who clicked the link. Which hunting query in Microsoft 365 Defender should be used?
145. During a threat hunt, a security analyst uses Microsoft Sentinel and identifies a series of failed logon attempts from a single IP address targeting multiple user accounts. The analyst wants to create a scheduled analytics rule that generates an alert when the same IP address fails to log on to more than 10 different accounts within 5 minutes. Which KQL operator should be used to count distinct accounts per IP?
146. A threat hunter is investigating a potential data exfiltration incident. The hunter suspects that a user is using an unauthorized cloud storage service. Which Microsoft Defender for Cloud Apps signal would be most useful to detect this activity?
147. A threat hunter wants to use KQL in Microsoft Sentinel to find all events from the SecurityEvent table where the event ID is 4625 (failed logon) and the account name is not 'SYSTEM'. Which query achieves this?
148. A threat hunter is using Microsoft Sentinel and wants to leverage machine learning to detect anomalous behavior in Azure subscription activity. Which analytics rule template should the hunter use?
149. A threat hunter wants to correlate alerts from multiple Microsoft security products in Microsoft Sentinel. Which feature should be used to create a unified incident?
150. Which TWO of the following are valid approaches to perform threat hunting using Microsoft Sentinel? (Choose two.)
151. Which THREE of the following are valid sources of data that a threat hunter can use in Microsoft Sentinel for hunting? (Choose three.)
152. Which TWO of the following are effective techniques for identifying lateral movement in Microsoft Defender for Endpoint advanced hunting? (Choose two.)
153. During threat hunting, you identify a suspicious PowerShell process that executed encoded commands. Which Microsoft Defender XDR hunting capability would best help you trace the parent process and command-line arguments across the enterprise?
154. A threat hunter wants to proactively identify devices that may have been compromised by a known adversary using DLL side-loading techniques. Which Microsoft Sentinel solution or feature should the hunter leverage to create custom detection rules based on the latest threat intelligence?
155. Your threat hunting team uses Microsoft Sentinel. They want to search for anomalous network connections to known malicious IP addresses over the past 7 days. Which KQL operator should they use to match the source IP addresses against a watchlist containing the malicious IPs?
156. You are threat hunting in Microsoft Defender for Cloud Apps. You want to identify users who have enabled mailbox forwarding rules to external domains, which could indicate data exfiltration. Which log source should you query?
157. During a threat hunt, you discover a previously unknown malware variant that communicates over HTTPS to a command-and-control (C2) server. You want to create a custom detection in Microsoft Sentinel that triggers when any device in the organization resolves the C2 domain via DNS. Which data connector should you ensure is enabled?
158. Your team uses Microsoft Defender for Endpoint to hunt for signs of credential theft. You want to query for events where a process accesses the LSASS process memory. Which event type should you look for?
159. You are a threat hunter using Microsoft Sentinel. You have ingested syslog data from a Palo Alto firewall. You want to create a scheduled query rule that alerts when more than 10 outbound connections to a known bad IP address occur within 5 minutes. Which KQL function should you use to summarize the count?
160. While threat hunting, you find a suspicious scheduled task that runs a PowerShell script from a temp directory. You want to check if this task exists on other devices in the environment. Which Microsoft Defender for Endpoint advanced hunting table would you query?
161. Your organization uses Microsoft Defender for Office 365. You want to hunt for phishing emails that bypassed the initial filtering. Which feature should you use to manually submit suspicious emails for analysis and then review the results in the Threat Explorer?
162. Which TWO of the following are valid data sources for Microsoft Sentinel threat hunting? (Choose 2)
163. Which THREE of the following are valid techniques for threat hunting using Microsoft Defender for Cloud Apps? (Choose 3)
164. Which TWO of the following are recommended practices when performing threat hunting in Microsoft Sentinel? (Choose 2)
165. You are reviewing a hunting query. What is the primary purpose of this query?
166. You are reviewing a Microsoft Sentinel scheduled analytics rule definition (JSON). What is the purpose of the "triggerThreshold": 0 setting?
167. You executed this Azure CLI command. What is the result?
168. A security analyst is performing threat hunting in Microsoft Sentinel using KQL. The analyst wants to identify all network connections initiated from a specific internal IP address (10.0.0.5) to external IP addresses in the last 24 hours. Which KQL query should the analyst use?
169. During a threat hunt, an analyst notices multiple failed logon events from a single user account across different workstations within a short time window. Which hunting technique is most appropriate to detect potential lateral movement?
170. A threat hunter is using Microsoft Defender for Endpoint advanced hunting to find devices that have a specific file hash associated with a known malware variant. The analyst wants to include devices that have the file in any location, including quarantined items. Which table and column should be used?
171. A threat hunter wants to identify potential command and control (C2) communication by looking for DNS queries to domains with a high entropy and short TTL. Which advanced hunting query in Microsoft Defender XDR should be used?
172. During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple workstations with encoded commands. The analyst wants to find all instances of this script across the environment. Which hunting method in Microsoft Sentinel is most effective?
173. A threat hunter wants to investigate a potential data exfiltration event involving large outbound file transfers to an unusual external IP. Which Microsoft Defender XDR advanced hunting table is most appropriate to start the investigation?
174. Which TWO actions are valid when performing threat hunting in Microsoft Sentinel using hunting queries? (Choose two.)
175. Which THREE data sources can be used in Microsoft Sentinel for threat hunting to detect unusual authentication patterns? (Choose three.)
176. Which TWO techniques are commonly used in threat hunting to identify potential malicious activity? (Choose two.)
177. A threat hunter is investigating a potential compromise involving a user account that has been used to sign in from multiple locations within a short time. The hunter wants to use Microsoft Sentinel to find all sign-in events for that user from different IP addresses in the last 24 hours. Which KQL query should be used?
178. A threat hunter is analyzing a potential advanced persistent threat (APT) that uses living-off-the-land binaries (LOLBins) like certutil.exe to download payloads. The hunter wants to find instances where certutil.exe was used to download files from the internet in the last week. Which KQL query in Microsoft Sentinel would be most effective?
179. Refer to the exhibit. You are analyzing a potential C2 communication pattern. The KQL query returns no results despite known malicious IPs being active. What is the most likely cause?
180. Your security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to correlate Azure AD sign-in logs with Microsoft Defender for Cloud Apps alerts. Which KQL operator should they use to join the two tables on the user principal name?
181. During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a remote server. Which Microsoft Defender for Endpoint action type would most likely capture this behavior in DeviceEvents?
182. Refer to the exhibit. You are reviewing a custom scheduled analytics rule in Microsoft Sentinel. The rule is enabled but has not fired any alerts despite users having multiple locations in the last day. What is the most likely reason?
183. Your threat hunting team wants to identify all email messages that contained a specific malicious attachment hash in Microsoft 365. Which Microsoft Defender XDR data source should they query in Microsoft Sentinel?
184. While hunting for lateral movement, you want to find out which devices have established remote PowerShell sessions to other devices. Which Microsoft Defender for Endpoint advanced hunting table should you query?
185. Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a threat hunt, you want to identify AWS resources that have been compromised by correlating AWS CloudTrail logs with Microsoft Defender for Cloud security alerts. How should you ingest AWS CloudTrail logs into Microsoft Sentinel?
186. You are hunting for privileged account abuse in Microsoft Entra ID. Which table in Microsoft Sentinel contains audit logs for changes to directory roles?
187. Refer to the exhibit. You are investigating a user account that shows multiple logons to the Azure Portal from various countries within a short time. The query returns no results despite known logons. What is the most likely issue?
188. Which TWO actions are part of the threat hunting process in Microsoft Sentinel?
189. Which THREE data sources can be used in Microsoft Sentinel for threat hunting involving network traffic?
190. Which TWO are common techniques used during threat hunting to identify suspicious behavior in Microsoft Defender XDR?
191. Which THREE Microsoft Sentinel features are specifically designed to assist with threat hunting?
192. Which TWO tables in Microsoft Defender XDR advanced hunting provide information about user authentication events?
193. Which THREE are valid methods to create a custom hunting query in Microsoft Sentinel?
194. A security analyst is reviewing a threat hunting query in Microsoft Sentinel that uses the Kusto Query Language (KQL) to identify potential lateral movement. The query returns a large number of false positives. What is the most effective way to reduce false positives while maintaining detection coverage?
195. During a threat hunting exercise, an analyst discovers a suspicious PowerShell process that executed encoded commands and made outbound connections to an unknown IP address. The process tree shows it was spawned by a Microsoft Word instance. What is the most likely attack technique being observed?
196. An organization uses Microsoft Defender for Endpoint (MDE) to hunt for signs of credential dumping. An analyst runs a custom advanced hunting query that searches for processes accessing LSASS.exe. The query uses DeviceProcessEvents and DeviceFileEvents. The analyst notices that some known credential dumping tools are detected, but they want to find previously unknown variants. Which approach should the analyst take to improve the hunt?
197. A threat hunter wants to identify possible data exfiltration over DNS in Microsoft Sentinel. Which KQL function should the analyst use to extract domain names from DNS queries?
198. Refer to the exhibit. The KQL query is used for threat hunting. What is the primary purpose of this query?
199. Refer to the exhibit. An analyst is reviewing a custom detection rule in Microsoft Sentinel. The rule is triggering many false positives from legitimate remote desktop connections. What should the analyst do to reduce false positives while keeping detection of pass-the-hash attacks?
200. A threat hunter is investigating a potential data exfiltration via DNS tunneling. Which Microsoft Defender XDR advanced hunting table should the analyst primarily use to examine DNS queries from endpoints?
201. An analyst is using Microsoft Sentinel to hunt for signs of privilege escalation via token manipulation. Which Windows Security Event ID should the analyst focus on to detect potential token duplication or manipulation?
202. Refer to the exhibit. The query is designed to hunt for potentially compromised accounts that are not on the suspicious list but have many network logons. However, the query returns zero results even though the analyst suspects there should be some hits. What is the most likely issue?
203. Which TWO data sources are commonly used in Microsoft Sentinel for threat hunting related to lateral movement? (Select TWO.)
204. Which THREE techniques are commonly used in Microsoft Sentinel threat hunting to identify command and control (C2) communication? (Select THREE.)
205. Which THREE actions should a threat hunter take when using Microsoft Defender XDR advanced hunting to investigate a potential ransomware outbreak? (Select THREE.)
206. Refer to the exhibit. The query is intended to find devices where PowerShell was used with encoded commands and connected to specific remote IPs. However, the analyst notices that the query returns no results. What is the most likely reason?
207. Refer to the exhibit. An analyst is reviewing this custom detection rule in Microsoft Sentinel. The rule is not generating any alerts even though services are being installed on servers. What is the most likely reason?
208. A threat hunter wants to use Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should the analyst investigate?
209. You are a security analyst performing threat hunting in Microsoft Sentinel. You suspect an adversary is using living-off-the-land binaries (LOLBins) to execute code. Which KQL function should you use to search for processes spawned by a specific parent process across multiple machines?
210. Refer to the exhibit. You are threat hunting for possible lateral movement using cmd.exe. The KQL query returns no results even though you know cmd.exe was executed. What is the most likely reason?
211. A threat hunter wants to identify anomalous DNS queries that may indicate data exfiltration. In Microsoft Sentinel, which data source is most appropriate for ingesting DNS logs from on-premises servers?
212. You are using Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should you look for to detect a potentially malicious app that was granted high privileges by a user?
213. Refer to the exhibit. A threat hunter creates a scheduled analytics rule in Microsoft Sentinel using this query. The rule triggers frequently but generates many false positives. What is the best way to improve the rule's precision?
214. During a threat hunt, you identify a user account that has been logging in from multiple geographic regions within a short time. Which Microsoft Defender for Cloud Apps feature should you use to investigate this anomaly?
215. You are investigating a potential data exfiltration using Microsoft Defender for Cloud Apps. You find that a user downloaded a large number of files from SharePoint Online to a personal device. Which anomaly detection policy type would have detected this?
216. Refer to the exhibit. You are hunting for PowerShell used to launch cmd.exe. The query is intended to find cmd.exe processes that occurred after the first PowerShell execution on the same device. However, it returns no results. What is the most likely issue?
217. As a threat hunter, you want to use MITRE ATT&CK techniques to categorize detected behaviors. In Microsoft Sentinel, which feature allows you to map alerts to MITRE techniques automatically?
218. Which TWO are valid methods for performing threat hunting in Microsoft Sentinel? (Choose two.)
219. Which THREE are essential components of a threat hunting hypothesis in Microsoft Sentinel? (Choose three.)
220. Which TWO are valid KQL operators for performing time-based analysis in threat hunting? (Choose two.)
221. You are investigating a potential brute-force attack against Microsoft 365. Which KQL query in Microsoft Sentinel would best identify failed logon attempts from a single IP address across multiple users?
222. Refer to the exhibit. A threat hunter runs this PowerShell script to query Microsoft Sentinel. The script fails with an error stating that the query language is not recognized. What is the most likely cause?
223. You are threat hunting for signs of credential dumping using Mimikatz. In Microsoft Defender for Identity, which type of alert would you expect to see?
224. During a threat hunting exercise in Microsoft Sentinel, you want to identify all cloud application events where a user accessed a resource from an IP address not previously associated with that user. Which KQL operator should you use to compare current access patterns with a baseline of known IPs?
225. Your threat hunting hypothesis is that a user's credentials were used to sign in from two geographically distant locations within a short time. In Microsoft Defender for Cloud Apps, which log type would you query in Microsoft Sentinel to detect impossible travel?
226. During a threat hunt, you identify a suspicious process execution chain in Microsoft Defender for Endpoint: `powershell.exe` spawned `cmd.exe` which then executed `rundll32.exe`. To investigate the parent-child relationships, which KQL statement should you use in Advanced Hunting?
227. You are reviewing a custom analytics rule in Microsoft Sentinel. The rule is enabled but you notice that no alerts have been generated even though there are many matching events. What is the most likely cause?
228. You are investigating a detection in Microsoft Defender for Endpoint. The PowerShell output shows a threat with ID 2147723152. Which type of threat does this ID represent?
229. A threat hunter runs the above KQL query in Microsoft Defender Advanced Hunting. What is the primary purpose of this query?
230. As part of a threat hunt, you want to find instances where a user successfully authenticated to multiple applications within a short time using different IP addresses. Which Microsoft 365 Defender data source would be most appropriate?
231. During a threat hunt, you suspect a user may have exfiltrated data via email. Which Microsoft 365 Defender advanced hunting table should you query to review email attachments and their file hashes?
232. You are hunting for lateral movement in your environment. In Microsoft Defender for Identity, which activity is a strong indicator of a potential pass-the-hash attack?
233. Which TWO KQL operators are commonly used in threat hunting to join tables based on a key?
234. Which THREE data sources in Microsoft Sentinel are most useful for threat hunting activities related to identity compromise?
235. Which THREE techniques are commonly used in threat hunting within Microsoft Defender XDR to detect privilege escalation?
236. A threat hunter wants to identify all devices that have communicated with a known malicious IP address in the last 7 days. Which table in Microsoft Defender for Endpoint advanced hunting should be queried?
237. You are conducting a threat hunt to find evidence of credential dumping on Windows servers. Which event ID in Windows Security Event Log (SecurityEvent) is most indicative of LSASS process access?
238. During a threat hunt, you find a PowerShell script that decodes a base64-encoded command and executes it. Which MITRE ATT&CK technique is this behavior most associated with?
239. You are performing a threat hunt in Microsoft Sentinel. You want to identify devices that have been communicating with known malicious IP addresses. Which data source should you query?
240. During a threat hunt, you discover suspicious PowerShell commands executed on multiple workstations. Which KQL function in Microsoft Sentinel is most effective for aggregating similar commands to identify a pattern?
241. You run the KQL query above in Microsoft Sentinel. The query returns zero results even though you know some devices have connected to malicious IPs. What is the most likely cause?
242. You are hunting for signs of credential theft in Microsoft Defender XDR. Which advanced hunting table is most appropriate to investigate suspicious logon events?
243. Your threat hunt reveals a series of failed logon attempts from a single IP address across multiple user accounts. Which Microsoft Sentinel analytic rule template is best suited to alert on this brute-force pattern?
244. You are threat hunting for signs of Kerberoasting in Microsoft Sentinel. Which combination of events indicates that a service account's Kerberos ticket was requested and then used?
245. You are using the Microsoft Sentinel Threat Hunting experience to create a new hunting query. Which tab should you select to bookmark a suspicious event for further investigation?
246. Your threat hunt identifies a process that is making outbound connections to an unknown IP address. Which Microsoft Defender for Endpoint action can you take to immediately isolate the device?
247. You are reviewing a custom hunting query in Microsoft Sentinel. The query above returns results, but you suspect it misses low-frequency beaconing. Which modification improves detection while reducing false positives?
248. Which TWO KQL operators are most useful for threat hunting lateral movement in Microsoft Defender XDR? (Select two.)
249. Which THREE of the following are recommended practices for creating effective threat hunting queries in Microsoft Sentinel? (Select three.)
250. Which TWO tables in Microsoft Defender XDR advanced hunting are most useful for detecting data exfiltration attempts? (Select two.)
251. Which THREE of the following are valid sources of threat intelligence that can be ingested into Microsoft Sentinel for threat hunting? (Select three.)
252. Which TWO of the following are key indicators of a potential DCSync attack that a threat hunter should look for in Microsoft Sentinel? (Select two.)
253. You are a security analyst at Contoso. You manage a Microsoft Sentinel workspace with Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID (formerly Azure AD) data connectors. You are performing a proactive threat hunt for potential data exfiltration via external file sharing services like Dropbox and Google Drive. Your organization blocks these services on managed devices but users can access them from personal devices. You want to detect when users log in to these services from a corporate network using Microsoft Entra ID credentials. You have access to CloudAppEvents, AADSignInEventsBeta, and DeviceNetworkEvents tables in Microsoft Defender XDR advanced hunting. You need to create a hunting query that identifies sign-ins to external file sharing apps from corporate IP ranges. The query should also exclude sign-ins from known good service accounts. Which approach should you take?
254. During a threat hunt, you identify a suspicious process that spawned from Microsoft Word with a command-line argument containing ' -enc '. Which hunting technique is most appropriate to investigate this further?
255. You are threat hunting in Microsoft Defender XDR for signs of Kerberoasting. Which hunting query would be most effective in identifying Kerberoasting activity?
256. Refer to the exhibit. The KQL query is used in a threat hunting campaign. Which of the following best describes the hunting activity this query is designed to detect?
257. During a threat hunt, you notice an anomalous number of failed logon attempts from a single IP address across multiple user accounts in Microsoft Entra ID sign-in logs. What is the most effective next step to determine if this is a brute-force attack?
258. You are threat hunting for indicators of compromise related to a known malware family. Which data source in Microsoft Defender XDR would provide the most direct evidence of malware execution on endpoints?
259. In a threat hunt, you discover that a non-admin user account created a scheduled task that executes a PowerShell script to connect to an external IP on port 4444. Which of the following is the most likely interpretation of this activity?
260. While threat hunting in Microsoft Sentinel, you want to create a hunting query that identifies all attempts to disable security controls. Which data table would be most appropriate to query for such activity?
261. Which TWO of the following are common techniques used by attackers to bypass security controls that a threat hunter should look for?
262. Which THREE of the following are key components of a successful threat hunting program in a Microsoft Defender XDR environment?
263. Which TWO of the following KQL operators are most useful when building hunting queries to detect anomalous activities over time?
264. Which THREE of the following are indicators of a potential pass-the-hash attack that a threat hunter should investigate in Microsoft Defender for Identity?
265. You are a security operations analyst for Contoso Ltd. The company uses Microsoft Sentinel as its SIEM and Microsoft Defender for Cloud Apps for SaaS security. You are tasked with threat hunting for potential data exfiltration via Microsoft SharePoint Online. You need to create a hunting query that identifies users who have downloaded an unusually high number of files from SharePoint within a short time window compared to their historical baseline. The query should be run in Microsoft Sentinel using the OfficeActivity table. Which of the following approaches should you take?
266. Your organization uses Microsoft Defender for Endpoint and Microsoft Sentinel. As part of a threat hunting exercise, you need to detect potential lateral movement using remote desktop protocol (RDP). You want to identify devices that have initiated multiple RDP connections to different internal IP addresses within a short time frame. Which hunting query should you use in Microsoft Sentinel's Log Analytics workspace?
267. You are a security analyst at Fabrikam. The company uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you need to identify users who are accessing cloud applications from multiple geographic locations in a short time, which could indicate credential theft or token replay. You want to create a hunting query in Microsoft Sentinel using the CloudAppEvents table. Which approach should you take?
268. You are a threat hunter at Northwind Traders. The organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You suspect a golden ticket attack may have occurred in the domain. You need to create a hunting query in Microsoft Sentinel that leverages data from MDI to detect possible golden ticket usage. Which of the following queries or approaches is most appropriate?
269. Which TWO of the following are valid methods to initiate a threat hunting session in Microsoft Sentinel?
270. Which THREE actions are part of the threat hunting process in Microsoft Defender XDR?
271. You are a security analyst at a company using Microsoft Sentinel. You have been asked to perform a threat hunt to identify potential brute-force attacks against your on-premises Active Directory. The relevant data is ingested into Sentinel from Windows Event Logs (Event ID 4625) and Azure ATP (now Microsoft Defender for Identity). Your hunting query should focus on failed logon attempts with high frequency from the same source IP within a short time window. You need to write a KQL query that returns the top 10 source IPs with the most failed logon attempts in the last 24 hours. Which KQL query should you use?
272. You are a threat hunter for an organization that uses Microsoft Defender XDR. You suspect that an attacker may be using PowerShell to perform reconnaissance on domain controllers. You need to write an advanced hunting query in Microsoft Defender XDR that returns PowerShell commands executed on domain controllers in the last 7 days that contain cmdlets related to Active Directory reconnaissance, such as Get-ADUser or Get-ADGroupMember. The query should also include the device name, account name, and command line. Which query should you use?
273. You are a security analyst using Microsoft Sentinel. During a threat hunt, you need to identify potential data exfiltration via DNS tunneling. You have DNS query logs ingested from your DNS servers via Syslog. The log schema includes fields: TimeGenerated, QueryName, QueryType, ClientIP, ResponseIP. You want to find DNS queries that are unusually long (over 50 characters in the query name) and have a high count of unique responses, which may indicate tunneling. You need to write a KQL query that returns the top 10 client IPs with the most unique response IPs for queries with query name length > 50 in the last 24 hours. Which query should you use?
274. You are a security operations analyst at a company that uses Microsoft Defender for Cloud Apps (now part of Microsoft Defender XDR) and Microsoft Sentinel. During a threat hunt, you suspect that an attacker may be using a compromised user account to access sensitive data in SharePoint Online from an unusual location. You have Microsoft Defender for Cloud Apps logs integrated into Sentinel. The log schema includes fields: TimeGenerated, UserId, AppName, ActivityType, IPAddress, Location, ObjectId (the document ID). You need to write a KQL query that returns a list of users who accessed the same sensitive document (ObjectId == 'SensitiveDocument123') from more than 3 unique IP addresses in the last hour, which could indicate a distributed access pattern. Which KQL query should you use?
275. You are a threat hunter for a company that uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to investigate a potential privilege escalation attack. You have collected process creation events from endpoints and want to identify instances where a process with low integrity level spawned a process with high integrity level. The DeviceProcessEvents table includes fields: DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, ProcessFileName, ProcessIntegrityLevel. You need to write an advanced hunting query that returns the top 10 devices where this escalation occurred most frequently in the last 7 days. Which query should you use?
276. You are a security analyst at a company that uses Microsoft Sentinel and Microsoft Defender for Identity (now part of Microsoft Defender XDR). During a threat hunt, you need to identify potential golden ticket attacks. You have Windows Security Events (Event ID 4672: Special Logon) and Kerberos service ticket events (Event ID 4769) ingested. A golden ticket attack often involves service ticket requests with unusual encryption types or ticket options. You want to find service ticket requests (4769) that have TicketOptions containing '0x40810000' (forwardable, renewable, canonicalize) and TicketEncryptionType == '0x17' (RC4), which are common in attacks. You need to write a KQL query that returns the top 10 accounts requesting such tickets in the last 7 days. Which query should you use?
The Perform threat hunting domain covers the key concepts tested in this area of the SC-200 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-200 domains — no account required.
The Courseiva SC-200 question bank contains 276 questions in the Perform threat hunting domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
Yes — the session launcher on this page draws questions exclusively from the Perform threat hunting domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.