
Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


Perform threat hunting

Practice SC-200 Perform threat hunting questions with full explanations on every answer.

276 questions

1

A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?

2

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?

3

During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?

4

A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?

5

A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?

6

A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?

7

A threat hunter wants to proactively search for signs of ransomware activity in the environment using Microsoft Sentinel. Which data source is most likely to provide early indicators of ransomware, such as mass file renaming or encryption?

8

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple servers in the environment. The script connects to an external IP address and downloads a payload. The analyst wants to find all other servers that may have been compromised by the same script. What is the most efficient way to search for this across the environment?

9

A threat hunter is using Microsoft Sentinel to hunt for a potential advanced persistent threat (APT) that is using living-off-the-land binaries (LOLBins). The hunter creates a KQL query that lists all instances of certutil.exe making network connections. The query returns many legitimate results. What is the best way to reduce false positives while still detecting malicious use?

10

A threat hunter is using Microsoft Sentinel to hunt for signs of privilege escalation via Azure AD role assignment changes. Which TWO KQL operators or functions are most useful for identifying changes that added a user to a high-privilege role?

11

A threat hunter is investigating a potential data exfiltration via DNS tunneling using Microsoft Defender for Endpoint advanced hunting. Which THREE columns from the DeviceNetworkEvents table should the hunter include in a query to detect anomalous DNS queries?

12

A security analyst is using Microsoft Sentinel to hunt for signs of a brute-force attack against Azure AD. Which TWO data sources are most relevant for this hunt?

13

A threat hunter runs the KQL query above in Microsoft Sentinel to detect accounts that have experienced multiple failed sign-in attempts due to a disabled account (ResultType 50057) from the same IP. The query returns no results even though the hunter knows that some disabled accounts are being attacked. What is the most likely reason for the false negatives?

14

A threat hunter writes the KQL query above in Microsoft Defender for Endpoint advanced hunting to find devices where a script host process was launched with encoded commands and then connected to an HTTPS endpoint within 10 minutes. The query is syntactically correct but returns no results. The hunter knows that such activity has occurred. What is the most likely reason?

15

A threat hunter in Microsoft Sentinel is reviewing a JSON definition for a scheduled analytics rule as shown in the exhibit. The rule is intended to run daily and alert on any device running powershell.exe with an encoded command. However, no alerts have been generated even though the hunter knows such activity exists. What is the most likely cause?

16

During a threat hunt, you discover that a PowerShell script executed on multiple servers and established outbound connections to an external IP address. Which data source should you query in Microsoft Defender XDR to identify the specific command-line arguments used?

17

Your threat hunt aims to detect possible Kerberoasting attacks. Which KQL query in Microsoft Sentinel would best identify service principal name (SPN) requests from unusual accounts?

18

You are threat hunting for signs of credential dumping via LSASS access. Which Advanced Hunting schema table in Microsoft Defender XDR should you primarily query to find processes that opened a handle to LSASS?

19

Your threat hunt involves correlating alerts from Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint. Which Microsoft Sentinel integration should you use to unify these alerts for hunting?

20

During a hunt, you find that a user account has logged in from an IP address associated with a known command-and-control (C2) server. The hunt also reveals that the same IP accessed a SharePoint site containing sensitive documents. Which Microsoft Purview feature should you use to investigate data exfiltration?

21

You need to create a custom detection rule in Microsoft Sentinel that alerts when an anomalous number of failed logons occur from a single IP address within 5 minutes. Which KQL operator should you use to count failed logons per IP?

22

Your threat hunt identifies that an attacker used a previously unknown malware variant to move laterally. Which Microsoft Defender XDR feature would you use to automatically block the file based on behavioral detection?

23

You are investigating a potential DCSync attack. Which Advanced Hunting query in Microsoft Defender XDR would best detect a process making atypical directory replication requests?

24

You are hunting for signs of pass-the-hash (PtH) attacks. Which Windows Security Event ID should you focus on to detect anomalous NTLM authentication using a hash?

25

Which TWO data sources are most relevant for threat hunting for lateral movement using remote service creation (e.g., WMI, PsExec)?

26

Which THREE techniques would you use in Microsoft Sentinel to hunt for data exfiltration over DNS?

27

Which TWO built-in Microsoft Sentinel hunting queries are useful for detecting signs of compromised credentials?

28

A security analyst is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. Which KQL function is most appropriate to identify anomalous Kerberos service ticket requests?

29

During a threat hunt, you discover a suspicious PowerShell command that decoded a base64 string and executed a script. Which Microsoft Defender for Endpoint advanced hunting table should you query to find the decoded command line?

30

A threat hunter wants to use Microsoft Sentinel's UEBA to identify anomalous behavior. Which data connector must be enabled to provide the necessary Azure Active Directory (now Microsoft Entra ID) sign-in logs for UEBA?

31

During a hunt, you find a device that made successive outbound connections to multiple IP addresses on port 445 (SMB) within a short time. Which type of activity does this pattern most likely indicate?

32

You are hunting for signs of Pass-the-Hash attacks using Microsoft Defender for Identity. Which alert should you look for in Microsoft Defender XDR?

33

To hunt for malicious PowerShell encoded commands, which columns in the DeviceProcessEvents table in Microsoft 365 Defender advanced hunting should you focus on?

34

A threat hunter suspects a data exfiltration attempt via DNS tunneling. Which KQL query would best detect unusual DNS query patterns in Microsoft Sentinel?

35

While hunting, you notice a user account has been created and then immediately added to the Domain Admins group. Which table in Microsoft 365 Defender should you query to find this event?

36

You are hunting for suspicious scheduled tasks that could be used for persistence. Which Microsoft 365 Defender advanced hunting table contains information about scheduled tasks?

37

Which TWO data sources are essential for threat hunting in Microsoft Sentinel to detect lateral movement?

38

Which THREE indicators are commonly associated with ransomware activity in Microsoft Sentinel threat hunting?

39

Which TWO Microsoft Sentinel hunting features can be used to automatically surface suspicious activities without manual query writing?

40

You are reviewing a hunting query that identifies accounts with failed logons followed by successful logons from the same IP. The query returns no results even though you suspect brute force activity. What is the most likely issue?

41

You are creating a custom hunting query in Microsoft Sentinel for PowerShell Empire indicators. After deploying it, the query never returns results, even though you know Empire activity exists in the environment. What is the most likely cause?

42

A threat hunter runs this KQL query to find devices making many outbound SMB connections. The result shows a device 'DC01' connecting to over 100 different IPs on port 445. What is the most likely explanation?

43

You are performing a threat hunt in Microsoft Sentinel and have a KQL query that returns a high number of false positives. You want to reduce the noise without missing real threats. Which approach should you take?

44

During a threat hunt in Microsoft Defender XDR, you notice repeated failed logon attempts from an IP address that belongs to a known anonymizer service. What is the first action you should take?

45

Your threat hunting team is using Microsoft Sentinel with User and Entity Behavior Analytics (UEBA). You want to identify anomalous outbound data transfers that may indicate data exfiltration. Which KQL function should you use to compare current activity against a baseline?

46

You are reviewing a threat hunting KQL query in Microsoft Sentinel. The query references an external CSV containing malicious IPs. The query returns no results despite known malicious activity. What is the most likely issue?

47

You are a threat hunter and you want to identify potential lateral movement in your environment. Which Microsoft Defender XDR hunting table would you query to find network connections from a compromised workstation to other internal devices?

48

You are analyzing the query above in Microsoft 365 Defender advanced hunting. The goal is to identify potentially compromised accounts used only once. The query returns thousands of results including many normal single logons. How can you refine the query to reduce false positives?

49

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a known malicious URL. The script was run on multiple workstations. Which Microsoft Defender XDR action should you take to contain the threat?

50

You are threat hunting for credential dumping activity. Which Windows event ID is commonly associated with the use of tools like Mimikatz?

51

You are creating a custom detection rule in Microsoft Sentinel using the JSON above. The rule does not trigger any alerts despite known PowerShell encoded commands executing. What is the most likely cause?

52

Which TWO Microsoft 365 Defender advanced hunting tables would you use together to investigate a potential data exfiltration via email?

53

Which THREE actions are recommended when conducting a threat hunting exercise in Microsoft Sentinel using the MITRE ATT&CK framework?

54

Which TWO data sources in Microsoft Sentinel are commonly used for threat hunting related to lateral movement?

55

You are a threat hunter using PowerShell on a Windows 10 device. The command returns no output for a known threat ID. What is the most likely reason?

56

You are using Microsoft Sentinel UEBA to hunt for insider threats. Which entity type would you investigate to detect unusual access to sensitive data?

57

You are analyzing the KQL query above in Microsoft Sentinel. The query is designed to find devices with high outbound SMB (port 445) connections to suspicious public IPs. However, the query returns no results. What is the most likely issue?

58

You are a security analyst using Microsoft Sentinel. You want to proactively search for signs of a specific threat actor known to use PowerShell encoded commands. Which hunting technique is most appropriate?

59

Your organization uses Microsoft Defender XDR for threat hunting. You suspect a threat actor is using scheduled tasks for persistence. Which hunting query would you use in Microsoft 365 Defender advanced hunting to find newly created scheduled tasks?

60

During a threat hunting exercise, you need to pivot from a suspicious IP address to find all related alerts and incidents in Microsoft Sentinel. Which feature should you use?

61

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft 365 Defender. What is the primary purpose of this query?

62

You are hunting for signs of Kerberoasting in Microsoft Sentinel. Which hunting query using KQL would you use to identify service principal names (SPNs) being queried via Kerberos TGS requests?

63

Your team is conducting a threat hunt for data exfiltration using Microsoft Defender for Cloud Apps. Which activity is most suspicious and should be included in the hunting query?

64

Which TWO techniques are commonly used in threat hunting with Microsoft Sentinel to identify lateral movement? (Choose two.)

65

Which THREE approaches are effective for hunting threats in Microsoft Defender XDR using advanced hunting? (Choose three.)

66

Which TWO data sources in Microsoft Sentinel are most valuable for hunting for command-and-control (C2) communications? (Choose two.)

67

Refer to the exhibit. This JSON defines a scheduled analytics rule in Microsoft Sentinel. Which type of threat is the rule primarily designed to detect?

68

Refer to the exhibit. This KQL query is used for threat hunting in Microsoft Defender XDR. What is the primary goal of this query?

69

You are threat hunting for signs of Microsoft 365 mailbox compromise. Which hunting query in Microsoft 365 Defender would be most effective for identifying suspicious mailbox forwarding rules?

70

During a threat hunt in Microsoft Sentinel, you find a series of suspicious sign-ins to Microsoft Entra ID from an IP address known to be associated with a threat actor. Which entity should you pivot on to investigate further?

71

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft Defender XDR. What is the most likely scenario this query is designed to detect?

72

You are a SOC analyst using Microsoft Sentinel. You need to create a hunting query that searches for unusual outbound RDP connections from workstations. Which KQL operators or functions would be most essential for this query?

73

An analyst is reviewing a series of alerts in Microsoft Defender XDR indicating potential lateral movement. Which KQL query in Microsoft Sentinel would best identify anomalous RDP connections to servers not typically accessed remotely?

74

You are investigating a potential data exfiltration incident. You notice a user uploading large amounts of data to a cloud storage service that the organization has not approved. Which Microsoft Defender XDR feature would best help you hunt for similar patterns across all users?

75

During a threat hunt, you want to identify processes that have made network connections to known malicious IP addresses. Which data source in Microsoft Defender for Endpoint would provide the necessary information?

76

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to create a hunting query that finds users who have accessed a high number of distinct Azure resources within a short time frame, which may indicate credential theft. Which KQL query would be most effective?

77

You are hunting for signs of credential dumping using Mimikatz. Which process events in Microsoft Defender for Endpoint would most likely indicate this activity?

78

An analyst uses this KQL query in Microsoft Sentinel to hunt for potential brute-force attacks. What is the primary purpose of the join operation?

79

You are hunting for signs of ransomware activity. Which of the following behaviors in Microsoft Defender for Endpoint should you prioritize as a high-confidence indicator?

80

During a threat hunt in Microsoft Sentinel, you find a query that returns a high number of false positives. Which action should you take to refine the hunt?

81

Refer to the exhibit. A custom detection rule in Microsoft Sentinel uses this JSON definition. An analyst notices that the rule is generating alerts for legitimate administrative scripts launched from File Explorer. What is the best way to reduce false positives while retaining detection of malicious Office-based PowerShell launches?

82

Which TWO of the following are valid methods to perform threat hunting in Microsoft Sentinel? (Choose TWO.)

83

Which THREE of the following are key considerations when designing a threat hunting program in Microsoft Defender XDR and Microsoft Sentinel? (Choose THREE.)

84

Which TWO of the following KQL functions are commonly used in threat hunting queries to identify outliers? (Choose TWO.)

85

An analyst runs this PowerShell script to query Microsoft Sentinel data. The query returns no results. What is the most likely reason?

86

Which Microsoft Sentinel feature allows you to query data across multiple workspaces in a single KQL query?

87

You are conducting a threat hunt in Microsoft Defender XDR and want to identify devices that have recently communicated with a known C2 server IP address. Which advanced hunting table should you query?

88

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network traffic from a compromised virtual machine. Which data source should be prioritized for this hunt?

89

During a threat hunt in Microsoft Defender XDR, an analyst discovers that a specific user account has been executing unusual PowerShell commands from a non-corporate device. The analyst wants to investigate the timeline of these activities across all Microsoft 365 services. Which advanced hunting schema should be used to correlate these events?

90

A threat hunter in Microsoft Sentinel wants to detect attempts to disable security logging on Windows servers using a KQL query. Which Windows Event ID should the query filter on to capture security log clearing events?

91

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you find that a user accessed a sensitive SharePoint site from an anonymous IP address. Which hunting method would best identify all users who accessed the same site from similar anonymous IPs?

92

You are threat hunting in Microsoft Sentinel and have enabled UEBA. You want to detect a possible privilege escalation where a user creates a new user account and adds it to a privileged role within minutes. Which UEBA anomaly type should you investigate?

93

A threat hunter is using Microsoft Defender XDR advanced hunting to find evidence of credential dumping. Which table should be queried to detect use of tools like Mimikatz?

94

During a threat hunt, you find an alert for a suspicious PowerShell script that encoded a payload. You want to decode the script to understand its intent. Which Microsoft Sentinel feature can assist with this task?

95

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You are hunting for signs of a possible Kerberos Golden Ticket attack. Which advanced hunting table should you query to detect anomalous Kerberos ticket-granting ticket (TGT) requests?

96

While threat hunting in Microsoft Defender for Cloud Apps, you notice a user has an unusually high number of failed login attempts from a single IP address. What is the most effective next step to determine if this is a brute-force attack?

97

The KQL query above is used in a threat hunt. What is the most likely scenario this query is designed to detect?

98

The exhibit shows a hunting query definition in Microsoft Sentinel. What is the primary issue with this hunting query?

99

A threat hunter runs the KQL query above in Microsoft Sentinel. What is the main limitation of this query?

100

Which TWO actions are effective when threat hunting for lateral movement using remote desktop protocol (RDP) in Microsoft Defender XDR?

101

Which THREE data sources should be included in a threat hunt to detect data exfiltration via DNS tunneling in Microsoft Sentinel?

102

Which THREE actions are recommended when conducting a threat hunt for compromised identities using Microsoft Sentinel UEBA?

103

During a threat hunt in Microsoft Sentinel, you identify a series of successful logins from an unusual IP address to multiple Azure VM instances. The logins occur outside business hours. Which hunting technique would be most effective to correlate these events with potential lateral movement?

104

A security analyst is hunting for signs of credential dumping using Microsoft Defender for Endpoint. Which advanced hunting query should the analyst use to detect the use of Mimikatz?

105

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During a hunt, you notice that some alerts from Microsoft Defender for Identity are not appearing in Sentinel. You have verified the connector is enabled and data is flowing for other Defender products. What is the most likely cause?

106

Refer to the exhibit. You are reviewing a KQL query used in a threat hunting campaign. What is the primary purpose of this query?

107

You are a threat hunter investigating a potential data exfiltration via Microsoft Teams. You need to identify if any users have shared sensitive files externally. Which hunting approach should you use?

108

During a hunt, you discover that an attacker used a valid but compromised service principal to authenticate to Azure Key Vault and export secrets. Which Microsoft Sentinel hunting query would best identify similar activity across your environment?

109

You are hunting for signs of ransomware in your environment using Microsoft 365 Defender. Which advanced hunting table should you primarily query to detect file encryption events?

110

As a threat hunter, you want to proactively search for signs of privilege escalation using the 'AzureHound' tool within your Microsoft Sentinel environment. Which data source is most relevant to ingest to detect AzureHound usage?

111

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You are hunting for a threat that uses 'process hollowing' to evade detection. Which advanced hunting query in Microsoft Defender for Endpoint would be most effective?

112

Which TWO of the following are valid techniques for threat hunting using Microsoft Sentinel? (Select TWO.)

113

Which THREE of the following are best practices for performing threat hunting in Microsoft Defender XDR? (Select THREE.)

114

Which TWO of the following are valid methods to detect Kerberoasting attacks during a threat hunt? (Select TWO.)

115

You are a threat hunter at Contoso, a multinational company with 10,000 employees. Your production environment includes: Microsoft 365 E5 licenses; Microsoft Sentinel in a central Log Analytics workspace; Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps; and Microsoft Entra ID P2. You are tasked with hunting for a potential advanced persistent threat (APT) that may have compromised a high-privilege account. The threat intelligence team has reported that the APT group uses living-off-the-land binaries (LOLBins) to execute malicious code and uses encrypted tunnels to C2 servers. You need to design a hunting query in Microsoft Sentinel that correlates multiple data sources to identify suspicious LOLBin usage combined with unusual network connections. Which approach should you take?

116

You are a threat hunter at Fabrikam, a mid-sized company with 2,000 users. Your environment uses: Microsoft 365 E3 licenses; Microsoft Sentinel with the Microsoft 365 Defender connector; Microsoft Defender for Office 365; and Microsoft Defender for Endpoint (without Microsoft Defender for Identity). You are investigating a suspicious email campaign where some users received phishing emails with links to a credential harvesting page. You want to proactively search for any users who may have entered credentials on the phishing page. You have no direct logs from the phishing server. Which hunting approach should you use in Microsoft Sentinel?

117

You are a security analyst at Wingtip Toys, a small business with 500 users. You have Microsoft 365 Business Premium licenses and Microsoft Sentinel deployed. You are conducting a threat hunt for signs of brute-force attacks against your Azure AD tenant. You want to identify IP addresses that have attempted multiple failed sign-ins across different user accounts within a short time window. You have access to the SigninLogs table in Microsoft Sentinel. Which KQL query should you use?

118

You are investigating a series of failed logon attempts across multiple on-premises servers. You want to use Microsoft Sentinel to hunt for patterns of brute-force attacks. Which data source should you ingest to capture detailed authentication events from domain controllers?

119

During a threat hunt, you notice an unusual number of DNS queries for randomly generated subdomains from a single workstation. You suspect data exfiltration via DNS tunneling. Which KQL query in Microsoft Sentinel would best help you identify the suspicious domain names?

120

Refer to the exhibit. You are reviewing a custom hunting query in Microsoft Defender XDR. The query aims to identify devices with more than 100 outbound connections in the last 30 days to IPs that appear in active threat intelligence indicators. However, the query returns no results. What is the most likely cause?

121

You are conducting a threat hunt for possible credential dumping using Mimikatz. Which Windows Security Event ID should you focus on in Microsoft Sentinel to detect potential use of Mimikatz?

122

Your organization uses Microsoft Sentinel with custom analytics rules. During a threat hunt, you want to identify lateral movement using pass-the-hash techniques. Which data source combination is most effective?

123

While hunting in Microsoft Sentinel, you find a KQL query that uses the `evaluate` operator with `bag_unpack` to expand JSON properties. The query runs slowly and times out. What is the best practice to optimize this query?

124

You are hunting for signs of ransomware using Microsoft Defender XDR's advanced hunting. Which query pattern would best identify a process that encrypts many files in a short time?

125

Which TWO data sources are most useful for detecting unauthorized lateral movement in a hybrid environment using Microsoft Sentinel?

126

Which THREE techniques are effective for hunting for living-off-the-land (LotL) attacks using Microsoft Sentinel?

127

Which TWO are common indicators of compromise (IOCs) used in threat hunting with Microsoft Sentinel?

128

You are hunting for possible data exfiltration via email in Microsoft 365. Which data source in Microsoft Sentinel provides the most relevant telemetry for email forwarding rules?

129

Refer to the exhibit. You are using a hunting query in Microsoft Defender XDR to find devices generating excessive DNS queries. The query returns many results, but you want to exclude legitimate DNS servers. What is the best approach to refine the query?

130

You are a security analyst at Contoso, a multinational company with 10,000 endpoints. You are using Microsoft Sentinel and Microsoft Defender XDR for threat hunting. In the past week, you have observed an increase in failed logon events (Event ID 4625) from multiple workstations towards a single domain controller, targeting the built-in Administrator account. The source IPs are a mix of internal and external addresses. You suspect a password spraying attack. You need to confirm the attack and identify all affected accounts. You have access to Windows Security Events ingested into Sentinel. Which single KQL query would best identify accounts with repeated failed logons across multiple source IPs, indicating password spraying?

131

You are a security analyst at Fabrikam using Microsoft Sentinel. You are conducting a threat hunt for signs of remote code execution (RCE) via the Windows Event Log. You want to detect suspicious service creation that could indicate lateral movement. Specifically, you want to find events where a service was created (Event ID 7045) on a server, and within 5 minutes, a network connection was established from that server to another internal server. You have SecurityEvent and CommonSecurityLog tables ingested. Which KQL query should you use?

132

You are a security analyst at Wingtip Toys using Microsoft Defender XDR. You are hunting for signs of privilege escalation via the SeDebugPrivilege abuse. You want to find processes that have enabled SeDebugPrivilege and then accessed LSASS (Event ID 10). You have DeviceProcessEvents and DeviceEvents tables available. Which advanced hunting query would best identify this pattern?

133

Which TWO actions are essential for configuring Microsoft Sentinel to support effective threat hunting?

134

A threat hunter wants to use Jupyter Notebooks in Microsoft Sentinel for hypothesis-driven hunting. Which THREE steps should the hunter take to set up and use this capability?

135

Your organization uses Microsoft Sentinel to monitor a hybrid environment consisting of on-premises servers and cloud workloads in Azure. As a threat hunter, you have been tasked with identifying potential lateral movement using pass-the-hash (PtH) attacks. You have enabled UEBA and connected Windows Event Logs, including Event ID 4624 (logon) and 4648 (explicit credentials). You need to create a hunting query that surfaces anomalous remote logons where the same account logs on from a non-domain-joined machine using NTLM authentication. Which KQL query should you use to start your hunt?

136

Your team is using Microsoft 365 Defender advanced hunting to investigate a possible data exfiltration incident. The security team suspects that an internal attacker used a compromised SharePoint Online account to download sensitive files from multiple sites. You need to build a hunting query that identifies all file download activities from SharePoint Online for a specific user account over the past 7 days, and then calculates the total size of downloaded files. Which KQL query should you use?

137

As a threat hunter at Contoso, you are investigating a potential advanced persistent threat (APT) that may have compromised multiple Azure subscriptions. You have Microsoft Defender for Cloud enabled and Microsoft Sentinel collecting data from all subscriptions. You suspect the attacker is using Azure Resource Manager operations to create malicious resources. You need to create a hunting query that identifies anomalous Azure management operations, specifically focusing on operations that create new resources (e.g., virtual machines, storage accounts) from unusual IP addresses or at unusual times. Which approach should you take?

138

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. As a threat hunter, you receive an alert about a potential DCSync attack. You want to hunt for any other instances of this attack across your domain controllers over the past 30 days. Which hunting query should you run in Microsoft 365 Defender advanced hunting?

139

Your team is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. You have enabled Advanced Security Audit Policy on domain controllers to log Kerberos service ticket operations (Event ID 4769). You need to create a KQL query that identifies potential golden ticket use by looking for service tickets that have anomalous attributes, such as ticket encryption type 0x17 (RC4) combined with a long lifetime or unusual service names. Which KQL query should you use?

140

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector to ingest alerts and incidents from Defender for Endpoint, Defender for Office 365, and Defender for Identity. As a threat hunter, you want to proactively search for devices that may be communicating with known malicious IP addresses that have not yet triggered an alert. You have a list of known malicious IP addresses from an external threat intelligence feed. Which approach should you take to perform this hunt efficiently?

141

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network connections from a compromised workstation. The analyst suspects that a beaconing pattern is present. Which KQL function is most appropriate to detect periodic beaconing behavior over time?

142

During a threat hunt, an analyst discovers that a user's device has been sending large amounts of data to an external IP address associated with a known C2 server. The analyst wants to trace the process responsible for the outbound connections. Which Microsoft Defender for Endpoint advanced hunting table should be queried to find the process that initiated the network connections?

143

A threat hunter wants to use Microsoft Sentinel to hunt for signs of brute-force attacks against Azure AD (now Microsoft Entra ID). Which data connector should be enabled to ingest sign-in logs?

144

A threat hunter is analyzing a suspicious email that bypassed Microsoft Defender for Office 365. The email contains a link to a malicious website. The hunter wants to identify all users who clicked the link. Which hunting query in Microsoft 365 Defender should be used?

145

During a threat hunt, a security analyst uses Microsoft Sentinel and identifies a series of failed logon attempts from a single IP address targeting multiple user accounts. The analyst wants to create a scheduled analytics rule that generates an alert when the same IP address fails to log on to more than 10 different accounts within 5 minutes. Which KQL operator should be used to count distinct accounts per IP?

146

A threat hunter is investigating a potential data exfiltration incident. The hunter suspects that a user is using an unauthorized cloud storage service. Which Microsoft Defender for Cloud Apps signal would be most useful to detect this activity?

147

A threat hunter wants to use KQL in Microsoft Sentinel to find all events from the SecurityEvent table where the event ID is 4625 (failed logon) and the account name is not 'SYSTEM'. Which query achieves this?

148

A threat hunter is using Microsoft Sentinel and wants to leverage machine learning to detect anomalous behavior in Azure subscription activity. Which analytics rule template should the hunter use?

149

A threat hunter wants to correlate alerts from multiple Microsoft security products in Microsoft Sentinel. Which feature should be used to create a unified incident?

150

Which TWO of the following are valid approaches to perform threat hunting using Microsoft Sentinel? (Choose two.)

151

Which THREE of the following are valid sources of data that a threat hunter can use in Microsoft Sentinel for hunting? (Choose three.)

152

Which TWO of the following are effective techniques for identifying lateral movement in Microsoft Defender for Endpoint advanced hunting? (Choose two.)

153

During threat hunting, you identify a suspicious PowerShell process that executed encoded commands. Which Microsoft Defender XDR hunting capability would best help you trace the parent process and command-line arguments across the enterprise?

154

A threat hunter wants to proactively identify devices that may have been compromised by a known adversary using DLL side-loading techniques. Which Microsoft Sentinel solution or feature should the hunter leverage to create custom detection rules based on the latest threat intelligence?

155

Your threat hunting team uses Microsoft Sentinel. They want to search for anomalous network connections to known malicious IP addresses over the past 7 days. Which KQL operator should they use to match the source IP addresses against a watchlist containing the malicious IPs?

156

You are threat hunting in Microsoft Defender for Cloud Apps. You want to identify users who have enabled mailbox forwarding rules to external domains, which could indicate data exfiltration. Which log source should you query?

157

During a threat hunt, you discover a previously unknown malware variant that communicates over HTTPS to a command-and-control (C2) server. You want to create a custom detection in Microsoft Sentinel that triggers when any device in the organization resolves the C2 domain via DNS. Which data connector should you ensure is enabled?

158

Your team uses Microsoft Defender for Endpoint to hunt for signs of credential theft. You want to query for events where a process accesses the LSASS process memory. Which event type should you look for?

159

You are a threat hunter using Microsoft Sentinel. You have ingested syslog data from a Palo Alto firewall. You want to create a scheduled query rule that alerts when more than 10 outbound connections to a known bad IP address occur within 5 minutes. Which KQL function should you use to summarize the count?

160

While threat hunting, you find a suspicious scheduled task that runs a PowerShell script from a temp directory. You want to check if this task exists on other devices in the environment. Which Microsoft Defender for Endpoint advanced hunting table would you query?

161

Your organization uses Microsoft Defender for Office 365. You want to hunt for phishing emails that bypassed the initial filtering. Which feature should you use to manually submit suspicious emails for analysis and then review the results in the Threat Explorer?

162

Which TWO of the following are valid data sources for Microsoft Sentinel threat hunting? (Choose 2)

163

Which THREE of the following are valid techniques for threat hunting using Microsoft Defender for Cloud Apps? (Choose 3)

164

Which TWO of the following are recommended practices when performing threat hunting in Microsoft Sentinel? (Choose 2)

165

You are reviewing a hunting query. What is the primary purpose of this query?

166

You are reviewing a Microsoft Sentinel scheduled analytics rule definition (JSON). What is the purpose of the "triggerThreshold": 0 setting?

167

You executed this Azure CLI command. What is the result?

168

A security analyst is performing threat hunting in Microsoft Sentinel using KQL. The analyst wants to identify all network connections initiated from a specific internal IP address (10.0.0.5) to external IP addresses in the last 24 hours. Which KQL query should the analyst use?

169

During a threat hunt, an analyst notices multiple failed logon events from a single user account across different workstations within a short time window. Which hunting technique is most appropriate to detect potential lateral movement?

170

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to find devices that have a specific file hash associated with a known malware variant. The analyst wants to include devices that have the file in any location, including quarantined items. Which table and column should be used?

171

A threat hunter wants to identify potential command and control (C2) communication by looking for DNS queries to domains with a high entropy and short TTL. Which advanced hunting query in Microsoft Defender XDR should be used?

172

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple workstations with encoded commands. The analyst wants to find all instances of this script across the environment. Which hunting method in Microsoft Sentinel is most effective?

173

A threat hunter wants to investigate a potential data exfiltration event involving large outbound file transfers to an unusual external IP. Which Microsoft Defender XDR advanced hunting table is most appropriate to start the investigation?

174

Which TWO actions are valid when performing threat hunting in Microsoft Sentinel using hunting queries? (Choose two.)

175

Which THREE data sources can be used in Microsoft Sentinel for threat hunting to detect unusual authentication patterns? (Choose three.)

176

Which TWO techniques are commonly used in threat hunting to identify potential malicious activity? (Choose two.)

177

A threat hunter is investigating a potential compromise involving a user account that has been used to sign in from multiple locations within a short time. The hunter wants to use Microsoft Sentinel to find all sign-in events for that user from different IP addresses in the last 24 hours. Which KQL query should be used?

178

A threat hunter is analyzing a potential advanced persistent threat (APT) that uses living-off-the-land binaries (LOLBins) like certutil.exe to download payloads. The hunter wants to find instances where certutil.exe was used to download files from the internet in the last week. Which KQL query in Microsoft Sentinel would be most effective?

179

Refer to the exhibit. You are analyzing a potential C2 communication pattern. The KQL query returns no results despite known malicious IPs being active. What is the most likely cause?

180

Your security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to correlate Azure AD sign-in logs with Microsoft Defender for Cloud Apps alerts. Which KQL operator should they use to join the two tables on the user principal name?

181

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a remote server. Which Microsoft Defender for Endpoint action type would most likely capture this behavior in DeviceEvents?

182

Refer to the exhibit. You are reviewing a custom scheduled analytics rule in Microsoft Sentinel. The rule is enabled but has not fired any alerts despite users having multiple locations in the last day. What is the most likely reason?

183

Your threat hunting team wants to identify all email messages that contained a specific malicious attachment hash in Microsoft 365. Which Microsoft Defender XDR data source should they query in Microsoft Sentinel?

184

While hunting for lateral movement, you want to find out which devices have established remote PowerShell sessions to other devices. Which Microsoft Defender for Endpoint advanced hunting table should you query?

185

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a threat hunt, you want to identify AWS resources that have been compromised by correlating AWS CloudTrail logs with Microsoft Defender for Cloud security alerts. How should you ingest AWS CloudTrail logs into Microsoft Sentinel?

186

You are hunting for privileged account abuse in Microsoft Entra ID. Which table in Microsoft Sentinel contains audit logs for changes to directory roles?

187

Refer to the exhibit. You are investigating a user account that shows multiple logons to the Azure Portal from various countries within a short time. The query returns no results despite known logons. What is the most likely issue?

188

Which TWO actions are part of the threat hunting process in Microsoft Sentinel?

189

Which THREE data sources can be used in Microsoft Sentinel for threat hunting involving network traffic?

190

Which TWO are common techniques used during threat hunting to identify suspicious behavior in Microsoft Defender XDR?

191

Which THREE Microsoft Sentinel features are specifically designed to assist with threat hunting?

192

Which TWO tables in Microsoft Defender XDR advanced hunting provide information about user authentication events?

193

Which THREE are valid methods to create a custom hunting query in Microsoft Sentinel?

194

A security analyst is reviewing a threat hunting query in Microsoft Sentinel that uses the Kusto Query Language (KQL) to identify potential lateral movement. The query returns a large number of false positives. What is the most effective way to reduce false positives while maintaining detection coverage?

195

During a threat hunting exercise, an analyst discovers a suspicious PowerShell process that executed encoded commands and made outbound connections to an unknown IP address. The process tree shows it was spawned by a Microsoft Word instance. What is the most likely attack technique being observed?

196

An organization uses Microsoft Defender for Endpoint (MDE) to hunt for signs of credential dumping. An analyst runs a custom advanced hunting query that searches for processes accessing LSASS.exe. The query uses DeviceProcessEvents and DeviceFileEvents. The analyst notices that some known credential dumping tools are detected, but they want to find previously unknown variants. Which approach should the analyst take to improve the hunt?

197

A threat hunter wants to identify possible data exfiltration over DNS in Microsoft Sentinel. Which KQL function should the analyst use to extract domain names from DNS queries?

198

Refer to the exhibit. The KQL query is used for threat hunting. What is the primary purpose of this query?

199

Refer to the exhibit. An analyst is reviewing a custom detection rule in Microsoft Sentinel. The rule is triggering many false positives from legitimate remote desktop connections. What should the analyst do to reduce false positives while keeping detection of pass-the-hash attacks?

200

A threat hunter is investigating a potential data exfiltration via DNS tunneling. Which Microsoft Defender XDR advanced hunting table should the analyst primarily use to examine DNS queries from endpoints?

201

An analyst is using Microsoft Sentinel to hunt for signs of privilege escalation via token manipulation. Which Windows Security Event ID should the analyst focus on to detect potential token duplication or manipulation?

202

Refer to the exhibit. The query is designed to hunt for potentially compromised accounts that are not on the suspicious list but have many network logons. However, the query returns zero results even though the analyst suspects there should be some hits. What is the most likely issue?

203

Which TWO data sources are commonly used in Microsoft Sentinel for threat hunting related to lateral movement? (Select TWO.)

204

Which THREE techniques are commonly used in Microsoft Sentinel threat hunting to identify command and control (C2) communication? (Select THREE.)

205

Which THREE actions should a threat hunter take when using Microsoft Defender XDR advanced hunting to investigate a potential ransomware outbreak? (Select THREE.)

206

Refer to the exhibit. The query is intended to find devices where PowerShell was used with encoded commands and connected to specific remote IPs. However, the analyst notices that the query returns no results. What is the most likely reason?

207

Refer to the exhibit. An analyst is reviewing this custom detection rule in Microsoft Sentinel. The rule is not generating any alerts even though services are being installed on servers. What is the most likely reason?

208

A threat hunter wants to use Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should the analyst investigate?

209

You are a security analyst performing threat hunting in Microsoft Sentinel. You suspect an adversary is using living-off-the-land binaries (LOLBins) to execute code. Which KQL function should you use to search for processes spawned by a specific parent process across multiple machines?

210

Refer to the exhibit. You are threat hunting for possible lateral movement using cmd.exe. The KQL query returns no results even though you know cmd.exe was executed. What is the most likely reason?

211

A threat hunter wants to identify anomalous DNS queries that may indicate data exfiltration. In Microsoft Sentinel, which data source is most appropriate for ingesting DNS logs from on-premises servers?

212

You are using Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should you look for to detect a potentially malicious app that was granted high privileges by a user?

213

Refer to the exhibit. A threat hunter creates a scheduled analytics rule in Microsoft Sentinel using this query. The rule triggers frequently but generates many false positives. What is the best way to improve the rule's precision?

214

During a threat hunt, you identify a user account that has been logging in from multiple geographic regions within a short time. Which Microsoft Defender for Cloud Apps feature should you use to investigate this anomaly?

215

You are investigating a potential data exfiltration using Microsoft Defender for Cloud Apps. You find that a user downloaded a large number of files from SharePoint Online to a personal device. Which anomaly detection policy type would have detected this?

216

Refer to the exhibit. You are hunting for PowerShell used to launch cmd.exe. The query is intended to find cmd.exe processes that occurred after the first PowerShell execution on the same device. However, it returns no results. What is the most likely issue?

217

As a threat hunter, you want to use MITRE ATT&CK techniques to categorize detected behaviors. In Microsoft Sentinel, which feature allows you to map alerts to MITRE techniques automatically?

218

Which TWO are valid methods for performing threat hunting in Microsoft Sentinel? (Choose two.)

219

Which THREE are essential components of a threat hunting hypothesis in Microsoft Sentinel? (Choose three.)

220

Which TWO are valid KQL operators for performing time-based analysis in threat hunting? (Choose two.)

221

You are investigating a potential brute-force attack against Microsoft 365. Which KQL query in Microsoft Sentinel would best identify failed logon attempts from a single IP address across multiple users?

222

Refer to the exhibit. A threat hunter runs this PowerShell script to query Microsoft Sentinel. The script fails with an error stating that the query language is not recognized. What is the most likely cause?

223

You are threat hunting for signs of credential dumping using Mimikatz. In Microsoft Defender for Identity, which type of alert would you expect to see?

224

During a threat hunting exercise in Microsoft Sentinel, you want to identify all cloud application events where a user accessed a resource from an IP address not previously associated with that user. Which KQL operator should you use to compare current access patterns with a baseline of known IPs?

225

Your threat hunting hypothesis is that a user's credentials were used to sign in from two geographically distant locations within a short time. In Microsoft Defender for Cloud Apps, which log type would you query in Microsoft Sentinel to detect impossible travel?

226

During a threat hunt, you identify a suspicious process execution chain in Microsoft Defender for Endpoint: `powershell.exe` spawned `cmd.exe` which then executed `rundll32.exe`. To investigate the parent-child relationships, which KQL statement should you use in Advanced Hunting?

227

You are reviewing a custom analytics rule in Microsoft Sentinel. The rule is enabled but you notice that no alerts have been generated even though there are many matching events. What is the most likely cause?

228

You are investigating a detection in Microsoft Defender for Endpoint. The PowerShell output shows a threat with ID 2147723152. Which type of threat does this ID represent?

229

A threat hunter runs the above KQL query in Microsoft Defender Advanced Hunting. What is the primary purpose of this query?

230

As part of a threat hunt, you want to find instances where a user successfully authenticated to multiple applications within a short time using different IP addresses. Which Microsoft 365 Defender data source would be most appropriate?

231

During a threat hunt, you suspect a user may have exfiltrated data via email. Which Microsoft 365 Defender advanced hunting table should you query to review email attachments and their file hashes?

232

You are hunting for lateral movement in your environment. In Microsoft Defender for Identity, which activity is a strong indicator of a potential pass-the-hash attack?

233

Which TWO KQL operators are commonly used in threat hunting to join tables based on a key?

234

Which THREE data sources in Microsoft Sentinel are most useful for threat hunting activities related to identity compromise?

235

Which THREE techniques are commonly used in threat hunting within Microsoft Defender XDR to detect privilege escalation?

236

A threat hunter wants to identify all devices that have communicated with a known malicious IP address in the last 7 days. Which table in Microsoft Defender for Endpoint advanced hunting should be queried?

237

You are conducting a threat hunt to find evidence of credential dumping on Windows servers. Which event ID in Windows Security Event Log (SecurityEvent) is most indicative of LSASS process access?

238

During a threat hunt, you find a PowerShell script that decodes a base64-encoded command and executes it. Which MITRE ATT&CK technique is this behavior most associated with?

239

You are performing a threat hunt in Microsoft Sentinel. You want to identify devices that have been communicating with known malicious IP addresses. Which data source should you query?

240

During a threat hunt, you discover suspicious PowerShell commands executed on multiple workstations. Which KQL function in Microsoft Sentinel is most effective for aggregating similar commands to identify a pattern?

241

You run the KQL query above in Microsoft Sentinel. The query returns zero results even though you know some devices have connected to malicious IPs. What is the most likely cause?

242

You are hunting for signs of credential theft in Microsoft Defender XDR. Which advanced hunting table is most appropriate to investigate suspicious logon events?

243

Your threat hunt reveals a series of failed logon attempts from a single IP address across multiple user accounts. Which Microsoft Sentinel analytic rule template is best suited to alert on this brute-force pattern?

244

You are threat hunting for signs of Kerberoasting in Microsoft Sentinel. Which combination of events indicates that a service account's Kerberos ticket was requested and then used?

245

You are using the Microsoft Sentinel Threat Hunting experience to create a new hunting query. Which tab should you select to bookmark a suspicious event for further investigation?

246

Your threat hunt identifies a process that is making outbound connections to an unknown IP address. Which Microsoft Defender for Endpoint action can you take to immediately isolate the device?

247

You are reviewing a custom hunting query in Microsoft Sentinel. The query above returns results, but you suspect it misses low-frequency beaconing. Which modification improves detection while reducing false positives?

248

Which TWO KQL operators are most useful for threat hunting lateral movement in Microsoft Defender XDR? (Select two.)

249

Which THREE of the following are recommended practices for creating effective threat hunting queries in Microsoft Sentinel? (Select three.)

250

Which TWO tables in Microsoft Defender XDR advanced hunting are most useful for detecting data exfiltration attempts? (Select two.)

251

Which THREE of the following are valid sources of threat intelligence that can be ingested into Microsoft Sentinel for threat hunting? (Select three.)

252

Which TWO of the following are key indicators of a potential DCSync attack that a threat hunter should look for in Microsoft Sentinel? (Select two.)

253

You are a security analyst at Contoso. You manage a Microsoft Sentinel workspace with Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID (formerly Azure AD) data connectors. You are performing a proactive threat hunt for potential data exfiltration via external file sharing services like Dropbox and Google Drive. Your organization blocks these services on managed devices but users can access them from personal devices. You want to detect when users log in to these services from a corporate network using Microsoft Entra ID credentials. You have access to CloudAppEvents, AADSignInEventsBeta, and DeviceNetworkEvents tables in Microsoft Defender XDR advanced hunting. You need to create a hunting query that identifies sign-ins to external file sharing apps from corporate IP ranges. The query should also exclude sign-ins from known good service accounts. Which approach should you take?

254

During a threat hunt, you identify a suspicious process that spawned from Microsoft Word with a command-line argument containing ' -enc '. Which hunting technique is most appropriate to investigate this further?

255

You are threat hunting in Microsoft Defender XDR for signs of Kerberoasting. Which hunting query would be most effective in identifying Kerberoasting activity?

256

Refer to the exhibit. The KQL query is used in a threat hunting campaign. Which of the following best describes the hunting activity this query is designed to detect?

257

During a threat hunt, you notice an anomalous number of failed logon attempts from a single IP address across multiple user accounts in Microsoft Entra ID sign-in logs. What is the most effective next step to determine if this is a brute-force attack?

258

You are threat hunting for indicators of compromise related to a known malware family. Which data source in Microsoft Defender XDR would provide the most direct evidence of malware execution on endpoints?

259

In a threat hunt, you discover that a non-admin user account created a scheduled task that executes a PowerShell script to connect to an external IP on port 4444. Which of the following is the most likely interpretation of this activity?

260

While threat hunting in Microsoft Sentinel, you want to create a hunting query that identifies all attempts to disable security controls. Which data table would be most appropriate to query for such activity?

261

Which TWO of the following are common techniques used by attackers to bypass security controls that a threat hunter should look for?

262

Which THREE of the following are key components of a successful threat hunting program in a Microsoft Defender XDR environment?

263

Which TWO of the following KQL operators are most useful when building hunting queries to detect anomalous activities over time?

264

Which THREE of the following are indicators of a potential pass-the-hash attack that a threat hunter should investigate in Microsoft Defender for Identity?

265

You are a security operations analyst for Contoso Ltd. The company uses Microsoft Sentinel as its SIEM and Microsoft Defender for Cloud Apps for SaaS security. You are tasked with threat hunting for potential data exfiltration via Microsoft SharePoint Online. You need to create a hunting query that identifies users who have downloaded an unusually high number of files from SharePoint within a short time window compared to their historical baseline. The query should be run in Microsoft Sentinel using the OfficeActivity table. Which of the following approaches should you take?

266

Your organization uses Microsoft Defender for Endpoint and Microsoft Sentinel. As part of a threat hunting exercise, you need to detect potential lateral movement using remote desktop protocol (RDP). You want to identify devices that have initiated multiple RDP connections to different internal IP addresses within a short time frame. Which hunting query should you use in Microsoft Sentinel's Log Analytics workspace?

267

You are a security analyst at Fabrikam. The company uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you need to identify users who are accessing cloud applications from multiple geographic locations in a short time, which could indicate credential theft or token replay. You want to create a hunting query in Microsoft Sentinel using the CloudAppEvents table. Which approach should you take?

268

You are a threat hunter at Northwind Traders. The organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You suspect a golden ticket attack may have occurred in the domain. You need to create a hunting query in Microsoft Sentinel that leverages data from MDI to detect possible golden ticket usage. Which of the following queries or approaches is most appropriate?

269

Which TWO of the following are valid methods to initiate a threat hunting session in Microsoft Sentinel?

270. Which THREE actions are part of the threat hunting process in Microsoft Defender XDR?

271. You are a security analyst at a company using Microsoft Sentinel. You have been asked to perform a threat hunt to identify potential brute-force attacks against your on-premises Active Directory. The relevant data is ingested into Sentinel from Windows Event Logs (Event ID 4625) and Azure ATP (now Microsoft Defender for Identity). Your hunting query should focus on failed logon attempts with high frequency from the same source IP within a short time window. You need to write a KQL query that returns the top 10 source IPs with the most failed logon attempts in the last 24 hours. Which KQL query should you use?

272. You are a threat hunter for an organization that uses Microsoft Defender XDR. You suspect that an attacker may be using PowerShell to perform reconnaissance on domain controllers. You need to write an advanced hunting query in Microsoft Defender XDR that returns PowerShell commands executed on domain controllers in the last 7 days that contain cmdlets related to Active Directory reconnaissance, such as Get-ADUser or Get-ADGroupMember. The query should also include the device name, account name, and command line. Which query should you use?

273. You are a security analyst using Microsoft Sentinel. During a threat hunt, you need to identify potential data exfiltration via DNS tunneling. You have DNS query logs ingested from your DNS servers via Syslog. The log schema includes the fields TimeGenerated, QueryName, QueryType, ClientIP, and ResponseIP. You want to find DNS queries that are unusually long (over 50 characters in the query name) and have a high count of unique responses, which may indicate tunneling. You need to write a KQL query that returns the top 10 client IPs with the most unique response IPs for queries with query name length > 50 in the last 24 hours. Which query should you use?

274. You are a security operations analyst at a company that uses Microsoft Defender for Cloud Apps (now part of Microsoft Defender XDR) and Microsoft Sentinel. During a threat hunt, you suspect that an attacker may be using a compromised user account to access sensitive data in SharePoint Online from an unusual location. You have Microsoft Defender for Cloud Apps logs integrated into Sentinel. The log schema includes the fields TimeGenerated, UserId, AppName, ActivityType, IPAddress, Location, and ObjectId (the document ID). You need to write a KQL query that returns a list of users who accessed the same sensitive document (ObjectId == 'SensitiveDocument123') from more than 3 unique IP addresses in the last hour, which could indicate a distributed access pattern. Which KQL query should you use?

275. You are a threat hunter for a company that uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to investigate a potential privilege escalation attack. You have collected process creation events from endpoints and want to identify instances where a process with a low integrity level spawned a process with a high integrity level. The DeviceProcessEvents table includes the fields DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, ProcessFileName, and ProcessIntegrityLevel. You need to write an advanced hunting query that returns the top 10 devices where this escalation occurred most frequently in the last 7 days. Which query should you use?

276. You are a security analyst at a company that uses Microsoft Sentinel and Microsoft Defender for Identity (now part of Microsoft Defender XDR). During a threat hunt, you need to identify potential golden ticket attacks. You have Windows Security Events (Event ID 4672: Special Logon) and Kerberos service ticket events (Event ID 4769) ingested. A golden ticket attack often involves service ticket requests with unusual encryption types or ticket options. You want to find service ticket requests (4769) that have TicketOptions containing '0x40810000' (forwardable, renewable, canonicalize) and TicketEncryptionType == '0x17' (RC4), which are common in attacks. You need to write a KQL query that returns the top 10 accounts requesting such tickets in the last 7 days. Which query should you use?


Frequently asked questions

What does the Perform threat hunting domain cover on the SC-200 exam?

The Perform threat hunting domain covers the key concepts tested in this area of the SC-200 exam blueprint published by Microsoft. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all SC-200 domains — no account required.

How many Perform threat hunting questions are in the SC-200 question bank?

The Courseiva SC-200 question bank contains 276 questions in the Perform threat hunting domain. Click any question to see the full explanation and answer breakdown.

What is the best way to practice Perform threat hunting for SC-200?

Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.

Can I practice only Perform threat hunting questions for SC-200?

Yes — the session launcher on this page draws questions exclusively from the Perform threat hunting domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.
