Courseiva
Knowledge + Practice

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.


Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SC-200 Manage a security operations environment • Complete Question Bank

SC-200 Manage a security operations environment — All Questions With Answers

Complete SC-200 Manage a security operations environment question bank: all 554 questions with answers and detailed explanations.

554 questions · Free · No signup
Question 1 (medium, multiple choice)

Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?

Question 2 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?

Question 3 (easy, multiple choice)

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

Question 4 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?

Question 5 (hard, multiple choice)

Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?

Question 6 (easy, multiple choice)

Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?

Question 7 (medium, multiple choice)

Your company uses Microsoft Defender for Cloud to monitor multi-cloud resources. You want to ensure that all critical security recommendations are automatically assigned to the appropriate team leads based on the resource's tags. Which feature should you configure?

Question 8 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has deployed the Microsoft Sentinel Solution for Microsoft Defender XDR. You need to correlate alerts from Microsoft Defender for Endpoint with Microsoft Defender for Office 365 in a single incident. What is the recommended approach?

Question 9 (easy, multiple choice)

Your SOC uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You need to configure a policy that triggers when a user downloads a large number of files from SharePoint Online within a short period. Which policy type should you use?

Question 10 (medium, multi select)

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Question 11 (hard, multi select)

Which THREE components are required to ingest Microsoft Entra ID (Azure AD) audit logs into Microsoft Sentinel?

Question 12 (medium, multi select)

Which TWO capabilities are provided by Microsoft Copilot for Security within the Microsoft Sentinel experience?

Question 13 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule created via ARM template. You notice that the rule is not triggering the playbook when a high-severity incident is created. What is the most likely cause?

Exhibit
```json
{
  "properties": {
    "displayName": "High Severity Incident Response",
    "order": 1,
    "triggers": [
      {
        "properties": {
          "condition": "incident.severity == 'High'"
        },
        "triggerType": "IncidentCreated"
      }
    ],
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "properties": {
          "logicAppResourceId": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Logic/workflows/playbook-high"
        }
      }
    ]
  }
}
```

Question 14 (medium, multiple choice)

Refer to the exhibit. You are a security analyst reviewing a KQL query in Microsoft Sentinel. The query is intended to show the count of high-severity malware alerts in the last 24 hours. It returns only alerts whose severity is exactly the string 'High', but you also need to include 'Informational' severity alerts that are related to malware. What should you modify?

Exhibit
```kusto
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertSeverity == "High"
| where AlertName contains "malware"
| summarize Count = count() by AlertName, AlertSeverity
| order by Count desc
```
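
As an added illustration of the string-matching pitfall this question describes, the following query admits more than one severity with the `in` operator and uses `has` for term matching. It is example code written for this page, not the page's answer key or original code. `SecurityAlert` and its columns are the standard Microsoft Sentinel alert table; the severity list and the 24-hour window are assumptions for the example.

```kusto
// Added example: count malware-related alerts at more than one severity.
// SecurityAlert is the standard Microsoft Sentinel alert table.
let lookback = 24h;
let severities = dynamic(["High", "Informational"]);   // assumed list for this example
SecurityAlert
| where TimeGenerated > ago(lookback)
// 'in' accepts any value in the list; '==' matched only the single literal "High".
| where AlertSeverity in (severities)
// 'has' matches whole terms case-insensitively, so "Malware" and "malware" both match
// while the term inside "antimalware" does not; 'contains' would match that too.
| where AlertName has "malware"
| summarize Count = count(), LastSeen = max(TimeGenerated)
    by AlertName, AlertSeverity, ProviderName
| order by Count desc
```

The choice between `has` and `contains` changes which alerts are counted, so it should be made deliberately and recorded in the rule description.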

Question 15 (easy, multiple choice)

Refer to the exhibit. You are running a PowerShell script to enable the Anomalies setting in Microsoft Sentinel. After running the script, you check the Sentinel settings in the portal and see that Anomalies is still disabled. What is the most likely reason?

Exhibit
```powershell
Connect-AzAccount
$workspace = Get-AzOperationalInsightsWorkspace -ResourceGroupName "rg-sentinel" -Name "la-sentinel-prod"
Set-AzSentinelSetting -Workspace $workspace -SettingName "Anomalies" -Enabled $true
```

Question 16 (medium, multiple choice)

Your organization has deployed Microsoft Sentinel and configured a workspace with data connectors for Microsoft 365 Defender, Azure Activity, and Office 365. You need to ensure that security incidents are automatically assigned to the appropriate analyst based on the incident type. What should you configure?

Question 17 (hard, multiple choice)

Your company uses Microsoft Defender for Cloud to assess the security posture of hybrid workloads. You are configuring a governance rule to automatically remediate a specific recommendation that is out of compliance. The recommendation is 'Virtual machines should be migrated to new Azure Resource Manager resources'. You need to ensure that the remediation is applied at scale across all subscriptions in the management group. What should you do?

Question 18 (easy, multiple choice)

As a security operations analyst, you receive an alert from Microsoft Defender for Identity about a suspicious Kerberos activity. You need to investigate the alert and determine if it is a true positive. What should you use to pivot from the alert to the related user and device timeline?

Question 19 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint and has enabled the 'Block at First Sight' feature. You notice that some legitimate executables are being blocked incorrectly. You need to temporarily allow these files while you submit them for analysis. What should you do?

Question 20 (medium, multiple choice)

Your SOC team uses Microsoft Sentinel to manage incidents. You want to improve the efficiency of incident triage by automatically enriching incidents with threat intelligence data from Microsoft Threat Intelligence. What should you configure?

Question 21 (easy, multiple choice)

You are a security analyst at a company that uses Microsoft Defender for Cloud Apps. You receive an alert that an anomalous activity was detected from a user's device. You need to investigate the activity to determine if it is a true positive. What should you do first?

Question 22 (medium, multiple choice)

Your company uses Microsoft Sentinel and has a workspace in the East US region. You need to ingest logs from a non-Azure Windows server located in a branch office in Europe. You have limited bandwidth and need to ensure that log ingestion does not impact network performance. What should you use?

Question 23 (hard, multiple choice)

Your organization has a Microsoft Sentinel workspace that ingests data from multiple sources. You notice that the cost of data ingestion is higher than expected. You need to reduce costs without affecting security visibility. Which action should you take?

Question 24 (easy, multiple choice)

Your SOC uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves malicious email attachments to quarantine before they reach user mailboxes. What should you configure?

Question 25 (medium, multi select)

Which TWO actions can be performed using automation rules in Microsoft Sentinel? (Select TWO.)

Question 26 (hard, multi select)

Which THREE capabilities are provided by Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select THREE.)

Question 27 (easy, multi select)

Which TWO data sources can you connect to Microsoft Sentinel to ingest security logs? (Select TWO.)

Question 28 (medium, multiple choice)

You are reviewing an automation rule in Microsoft Sentinel with the configuration shown in the exhibit. The rule is intended to delete a custom analytics rule when an incident is created. What is the most likely issue with this configuration?

Exhibit
```json
{
  "properties": {
    "displayName": "Safely delete custom analytics rule",
    "description": "Deletes a custom analytics rule after verification",
    "trigger": {
      "type": "IncidentCreation",
      "entityType": "Incident",
      "incidentType": "Alert"
    },
    "actions": [
      {
        "actionType": "RunPlaybook",
        "playbookName": "Delete-AnalyticsRule",
        "logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/Delete-AnalyticsRule"
      }
    ]
  }
}
```

Question 29 (hard, multiple choice)

You are analyzing sign-in logs in Microsoft Sentinel. The KQL query shown in the exhibit returns a list of users who have signed into Office 365 Exchange Online more than 10 times in the last 24 hours. You need to identify potential brute-force attacks. What additional information should you add to the query to improve detection?

Exhibit
```kusto
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"
| where AppDisplayName == "Office 365 Exchange Online"
| summarize LoginCount = count() by UserPrincipalName, IPAddress
| where LoginCount > 10
| project UserPrincipalName, IPAddress, LoginCount
```
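
The exhibit counts successful sign-ins (`ResultType == "0"`); a brute-force or spray attempt shows up in the failures. As an added example of the failure-side logic, not the page's answer key or original code, the query below pivots on failed sign-ins, separates single-account brute force from multi-account spraying, and flags a source IP whose failures are followed by a success. `SigninLogs` and its columns are the Microsoft Entra ID sign-in table as ingested by Sentinel; the bucket size, the threshold and the two result codes chosen (50126 invalid username or password, 50053 account locked) are assumptions for the example.

```kusto
// Added example: failed-sign-in analysis for brute force and password spray.
// Result codes are Entra ID sign-in error codes; the set used here is an assumption.
let lookback     = 24h;
let window       = 10m;     // assumed bucket size
let threshold    = 10;      // assumed failures per bucket per source IP
let failureCodes = dynamic(["50126", "50053"]);
let failures = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType in (failureCodes)
| summarize
    FailedAttempts   = count(),
    TargetedAccounts = dcount(UserPrincipalName),
    FirstFailure     = min(TimeGenerated),
    LastFailure      = max(TimeGenerated)
    by IPAddress, bin(TimeGenerated, window)
| where FailedAttempts > threshold;
// Successful sign-ins from the same IP; a success after the failures is what
// turns a noisy bucket into a probable compromise.
let successes = SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"
| project SuccessTime = TimeGenerated, IPAddress, SucceededAccount = UserPrincipalName;
failures
| join kind=leftouter successes on IPAddress
| summarize
    SuccessesAfter    = countif(SuccessTime > LastFailure),
    FirstSuccessAfter = minif(SuccessTime, SuccessTime > LastFailure),
    SucceededAccounts = make_set_if(SucceededAccount, SuccessTime > LastFailure, 10)
    by TimeGenerated, IPAddress, FailedAttempts, TargetedAccounts, FirstFailure, LastFailure
| extend Pattern = iff(TargetedAccounts > 1, "Password spray", "Brute force"),
         Outcome = iff(SuccessesAfter > 0, "Success after failures", "No success seen")
| order by SuccessesAfter desc, FailedAttempts desc
```

Buckets with `Outcome == "Success after failures"` are the ones to triage first; the `Pattern` column tells the analyst whether to look at one account's password or at a list of targeted accounts.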

Question 30 (easy, multiple choice)

You run the PowerShell command shown in the exhibit to enable diagnostics on an Azure VM. The VM is running Windows Server 2022. You want to collect security events and send them to a Log Analytics workspace. What should you include in the diagnostics.json configuration file?

Exhibit
```powershell
Set-AzVMDiagnosticsExtension -ResourceGroupName "RG1" -VMName "VM1" -DiagnosticsConfigurationPath "C:\Diagnostics\diagnostics.json"
```

Question 31 (medium, multiple choice)

Your SOC team uses Microsoft Sentinel with multiple workspaces across regions. You need to implement a solution that allows analysts to query all workspaces from a single location without moving data. Which feature should you configure?

Question 32 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud with enhanced security features enabled. You need to ensure that all Azure subscriptions are covered by a single Defender for Cloud policy that enforces specific security standards. The policy must be automatically applied to new subscriptions. What should you do?

Question 33 (easy, multiple choice)

You are configuring Microsoft Sentinel SOAR capabilities. You need to create an automated response that, when a critical incident is created, triggers a playbook that sends a message to a Teams channel. Which connector should you use in the playbook?

Question 34 (medium, multiple choice)

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for identity-related threats. The solution should automatically contain a compromised user by disabling their account. Which setting should you enable?

Question 35 (hard, multiple choice)

Your organization uses Microsoft Sentinel with UEBA enabled. You notice that the UEBA entity pages are not showing any insights for Azure resources. What is the most likely cause?

Question 36 (easy, multiple choice)

You need to grant a junior analyst the ability to view and investigate incidents in Microsoft Sentinel, but not make any changes. Which built-in role should you assign?

Question 37 (medium, multiple choice)

Your SOC team uses Microsoft Sentinel analytics rules. You need to ensure that a scheduled rule runs every hour, but only during business hours (8 AM to 6 PM). What configuration should you use?

Question 38 (hard, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to configure a device group that automatically assigns devices to the group based on their domain membership. Devices joined to 'contoso.com' should be in the 'Corporate' group, and all others in 'Non-Corporate'. What should you use?

Question 39 (easy, multiple choice)

You need to ensure that Microsoft Sentinel can access threat intelligence feeds from external sources like AlienVault OTX. Which data connector should you use?

Question 40 (medium, multi select)

Which TWO of the following are valid ways to automate incident response in Microsoft Sentinel?

Question 41 (medium, multi select)

Which TWO of the following are required to enable user and entity behavior analytics (UEBA) in Microsoft Sentinel?

Question 42 (hard, multi select)

Which THREE of the following are valid methods to reduce the cost of Microsoft Sentinel data ingestion?

Question 43 (medium, multiple choice)

Your security operations team receives an alert from Microsoft Sentinel about a suspicious sign-in from an unfamiliar IP address. You need to investigate the alert by correlating it with user activity and device information. Which data sources should you query first?

Question 44 (easy, multiple choice)

You are configuring Microsoft Sentinel to detect potential ransomware activity. The security team wants to be alerted when a single host contacts multiple suspicious domains within a short time. Which analytic rule type should you create?

Question 45 (hard, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to create a custom detection rule that triggers when a user is added to a privileged role in Microsoft Entra ID and within 5 minutes performs a mass download from SharePoint. Which approach should you use?

Question 46 (medium, multiple choice)

Your security team uses Microsoft Sentinel automation rules to respond to incidents. You need to ensure that critical incidents are automatically assigned to a senior analyst in the Americas time zone and that a Teams message is sent to a specific channel. Which configuration should you use?

Question 47 (easy, multiple choice)

You are a security operations analyst. You need to review all incidents from the past 24 hours that have a high severity and involve multiple users. In Microsoft Sentinel, which blade should you use?

Question 48 (hard, multiple choice)

Your organization uses Microsoft Sentinel in a multi-workspace environment with a central SOC. You need to create a single incident view across all workspaces while minimizing latency. What should you deploy?

Question 49 (medium, multiple choice)

Your Microsoft Sentinel environment is not generating incidents from a custom KQL detection rule. The rule runs successfully in the Log Analytics query editor but no incidents appear. What is the most likely cause?

Question 50 (easy, multiple choice)

As a SOC analyst, you need to quickly identify if a specific user account has been involved in any incidents in the past week. Which feature in Microsoft Sentinel allows you to search for user-related incidents?

Question 51 (hard, multiple choice)

Your security operations center uses Microsoft Sentinel and Microsoft Defender XDR. A new type of attack involves a user receiving a malicious email that triggers a macro, which then executes PowerShell to download a payload. You need to create a detection that correlates email, process creation, and network connection events from multiple Microsoft 365 Defender sources. What should you use?

Question 52 (medium, multi select)

Which TWO actions should you take to improve the performance of Microsoft Sentinel analytics rules that are running slowly? (Choose two.)

Question 53 (hard, multi select)

Which THREE components are required to enable automation in Microsoft Sentinel? (Choose three.)

Question 54 (easy, multi select)

Which TWO data sources are natively supported by Microsoft Sentinel for ingesting security events? (Choose two.)

Question 55 (hard, multiple choice)

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in ARM template format. The rule is enabled but no incidents are being created even though matching sign-in events exist. What is the most likely reason?

Exhibit
```json
{
  "properties": {
    "displayName": "Malicious IP Login Detection",
    "description": "Detects logins from known malicious IPs",
    "severity": "Medium",
    "enabled": true,
    "query": "SigninLogs | where IPAddress in (dynamic(['10.0.0.1', '192.168.1.1'])) | project TimeGenerated, UserPrincipalName, IPAddress",
    "queryFrequency": "PT5H",
    "queryPeriod": "PT5H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "tactics": ["InitialAccess"],
    "techniques": ["T1078"],
    "alertRuleTemplateName": null,
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities",
        "groupByEntities": [],
        "groupByAlertDetails": [],
        "groupByCustomDetails": null
      }
    },
    "eventGroupingSettings": {
      "aggregationKind": "SingleAlert"
    }
  }
}
```
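
The exhibit hard-codes two RFC 1918 addresses (10.0.0.1 and 192.168.1.1) as its "known malicious IPs". As an added example of how such a rule is normally built in Sentinel, not the page's answer key or original code, the query below takes the indicator list from the `ThreatIntelligenceIndicator` table instead of a literal array and keeps only indicators that are still active. `SigninLogs` and `ThreatIntelligenceIndicator` are standard Sentinel tables; the 14-day indicator lookback and the 1-day sign-in window are assumptions for the example.

```kusto
// Added example: match sign-in source IPs against threat intelligence indicators.
// Lookback values are assumptions chosen for the example.
let indicatorLookback = 14d;
let signinLookback    = 1d;
let ipIndicators = ThreatIntelligenceIndicator
| where TimeGenerated > ago(indicatorLookback)
| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)
// Indicators are re-ingested when they change; keep the latest copy of each one
// and drop indicators that have expired or been deactivated by the feed.
| summarize arg_max(TimeGenerated, *) by IndicatorId
| where Active == true and ExpirationDateTime > now()
| extend IndicatorIP = iff(isnotempty(NetworkIP), NetworkIP, NetworkSourceIP)
| project IndicatorIP, Description, ConfidenceScore, ThreatType, ExpirationDateTime;
SigninLogs
| where TimeGenerated > ago(signinLookback)
| where ResultType == "0"                      // successful sign-ins only
| join kind=inner ipIndicators on $left.IPAddress == $right.IndicatorIP
| project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, Location,
          ThreatType, ConfidenceScore, Description
| order by ConfidenceScore desc, TimeGenerated desc
```

Because the indicator set is read at query time, the rule picks up new feed entries without a template change, and expired indicators stop matching on their own.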

Question 56 (hard, multiple choice)

Refer to the exhibit. You are analyzing a KQL query for a Microsoft Sentinel scheduled rule. The query is intended to detect devices that have both a high number of process executions and network connections to a single IP within an hour. However, the query returns no results even though there are devices meeting the criteria. What is the most likely cause?

Exhibit
```kusto
// KQL query in Microsoft Sentinel
let threshold = 10;
DeviceProcessEvents
| where Timestamp > ago(1h)
| summarize ProcessCount = count() by DeviceName, InitiatingProcessFileName
| where ProcessCount > threshold
| join kind=inner (DeviceNetworkEvents
| where Timestamp > ago(1h)
| summarize NetworkCount = count() by DeviceName, RemoteIP
| where NetworkCount > threshold
) on DeviceName
| project DeviceName, InitiatingProcessFileName, RemoteIP, ProcessCount, NetworkCount
```

Question 57 (medium, multiple choice)

Refer to the exhibit. You have a Microsoft Sentinel analytic rule configured to detect brute force attacks. The rule runs every 30 minutes and groups alerts into incidents based on Account and IP. You notice that multiple incidents are created for the same user and IP within a short time. What should you do to reduce the number of incidents?

Exhibit
```json
{
  "properties": {
    "displayName": "Brute Force Detection",
    "enabled": true,
    "query": "SigninLogs | where ResultType == '50057' | summarize FailedAttempts = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 5m) | where FailedAttempts > 5",
    "queryFrequency": "PT30M",
    "queryPeriod": "PT30M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "lookbackDuration": "PT30M",
        "matchingMethod": "AllEntities",
        "groupByEntities": ["Account", "IP"]
      }
    }
  }
}
```

Question 58 (easy, multiple choice)

Your organization uses Microsoft Sentinel with a Log Analytics workspace in the East US region. You need to ensure that incident investigation data is retained for two years for compliance. What should you configure?

Question 59 (medium, multiple choice)

Your security team uses Microsoft Defender XDR to investigate incidents. You have a custom detection rule that runs a KQL query every hour. Recently, the rule stopped generating alerts. You verify that the query syntax is correct and that data is being ingested. What is the most likely cause?

Question 60 (hard, multiple choice)

Your company deploys Microsoft Sentinel in a multi-workspace environment. You need to centralize incident management across workspaces while maintaining data residency. You configure Sentinel workspaces in each region. What additional configuration is required to view all incidents from a single pane?

Question 61 (easy, multiple choice)

Your organization has Microsoft Defender for Cloud Apps enabled. You need to generate an alert when a user downloads more than 100 files from SharePoint in one hour. What should you create?

Question 62 (medium, multiple choice)

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the incident category. What should you configure?

Question 63 (hard, multiple choice)

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Defender XDR are automatically synchronized to Sentinel. You have enabled the Defender XDR connector. However, some incidents are not appearing. What should you check first?

Question 64 (easy, multiple choice)

Your organization uses Microsoft Purview Data Loss Prevention (DLP). You need to receive an alert when a user attempts to share a credit card number via email. What should you configure?

Question 65 (medium, multiple choice)

Your SOC is investigating an incident in Microsoft Sentinel. You need to quickly identify all related alerts and entities across the timeline. What Microsoft Sentinel feature should you use?

Question 66 (hard, multiple choice)

Your organization has Microsoft Sentinel with UEBA enabled. An incident is generated for a user with a high risk score. You need to identify whether the user's recent behavior deviates from their baseline. Which Sentinel feature should you use?

Question 67 (medium, multi select)

Which TWO actions should you take to optimize cost in Microsoft Sentinel while maintaining security coverage? (Choose two.)

Question 68 (hard, multi select)

Which THREE components are required to automate incident response in Microsoft Sentinel using playbooks? (Choose three.)

Question 69 (easy, multi select)

Which TWO data connectors can be used to ingest Microsoft 365 audit logs into Microsoft Sentinel? (Choose two.)

Question 70 (medium, multiple choice)

Refer to the exhibit. You are creating a scheduled analytics rule in Microsoft Sentinel using the ARM template snippet. The rule runs every 5 minutes and queries the last 5 minutes of data. The rule is not generating alerts even though malware detections are occurring. What is the most likely issue?

Exhibit
```json
{
  "properties": {
    "displayName": "Malware detected on endpoint",
    "severity": "Medium",
    "queryPeriod": "PT5M",
    "queryFrequency": "PT5M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "query": "DeviceEvents | where ActionType == \"AntivirusDetection\" | where Timestamp > ago(5m)"
  }
}
```

Question 71 (hard, multiple choice)

Refer to the exhibit. You are troubleshooting an endpoint that is not receiving real-time protection from Microsoft Defender Antivirus. The output shows RealTimeProtectionEnabled is False. Which command should you run next to enable real-time protection?

Exhibit
```powershell
PS C:\> Get-MpComputerStatus | Select-Object AMProductVersion, AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled

AMProductVersion AMServiceEnabled AntivirusEnabled RealTimeProtectionEnabled
---------------- ---------------- ---------------- -------------------------
4.18.2304.9      True             True             False
```

Question 72 (medium, multiple choice)

Refer to the exhibit. Your SOC manager runs this KQL query in Microsoft Sentinel to see which analysts have the most active high-severity incidents in the past 7 days. The query returns no results. What is the most likely reason?

Exhibit
```kusto
SecurityIncident
| where Status == "Active" and Severity == "High"
| where CreatedTime > ago(7d)
| summarize Count = count() by Owner
| top 5 by Count desc
```
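
Two properties of the `SecurityIncident` table matter for any "incidents per analyst" report: the table holds one row per incident update, so a reassigned or re-prioritised incident appears several times, and `Owner` is a dynamic object rather than a string. As an added example, not the page's answer key or original code, the query below deduplicates to the latest row per incident before counting, and reads the owner's display name and UPN out of the object. Table and column names are the standard Sentinel `SecurityIncident` schema; the 7-day window, the status set and the top-5 cut are assumptions for the example.

```kusto
// Added example: current load of open high-severity incidents per analyst.
// Window, status set and result count are assumptions for the example.
let lookback = 7d;
SecurityIncident
| where CreatedTime > ago(lookback)
// One row per update: keep only the newest state of each incident.
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Severity == "High"
// "Active" alone misses incidents nobody has touched yet; those are still "New".
| where Status in ("New", "Active")
// Owner is dynamic: {objectId, email, assignedTo, userPrincipalName}.
| extend Analyst    = iff(isempty(tostring(Owner.assignedTo)), "Unassigned", tostring(Owner.assignedTo)),
         AnalystUpn = tostring(Owner.userPrincipalName)
| summarize Incidents = count(), Titles = make_set(Title, 5) by Analyst, AnalystUpn
| top 5 by Incidents desc
```

Without the `arg_max` step the counts inflate with every status change, and without the `tostring(...)` projection the grouping key is an opaque object that hides unassigned incidents among the named owners.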

Question 73 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all cloud security alerts are automatically ingested into Sentinel. What should you configure?

Question 74 (hard, multiple choice)

Your security team uses Microsoft Sentinel UEBA to detect anomalous user behavior. You need to configure UEBA to baseline user activities and generate alerts for deviations. What must you do first?

Question 75 (easy, multiple choice)

Your company uses Microsoft Defender for Office 365. You want to automatically take action on malicious emails that bypass the filter. What should you configure?

Question 76 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has Microsoft Defender for Endpoint deployed. You need to configure automatic attack disruption for ransomware attacks. What should you enable?

Question 77 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your team uses Microsoft Sentinel to investigate incidents. You need to create a custom analytic rule that triggers an incident when a user signs in from an unfamiliar location. What is the most efficient way to achieve this?

Question 78 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from unmanaged devices for a specific cloud app. What should you configure?

Question 79 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You need to ensure that data from a specific source is retained for 2 years while other data remains at the default retention. What should you do?

Question 80 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. What is the most appropriate first step?

Question 81 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel environment uses multiple workspaces. You need to centrally manage incidents from all workspaces in a single interface. What should you use?

Question 82 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions are valid methods to ingest non-Microsoft security logs into Microsoft Sentinel?

Question 83 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE components are part of Microsoft's unified security operations platform (Microsoft Defender XDR)?

Question 84 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO features are available in Microsoft Sentinel to automate incident response?

Question 85 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule created via ARM template. What is the effect of the grouping configuration?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Ransomware Detection",
    "description": "Detects ransomware patterns",
    "severity": "High",
    "enabled": true,
    "query": "SecurityAlert | where AlertName contains \"Ransomware\"",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "entitiesMatchingMethod": "All"
      }
    }
  }
}
```
Question 86 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You run the PowerShell command against Microsoft Defender for Endpoint. What is the result?

Exhibit

Refer to the exhibit.
```powershell
$params = @{
  ActivityFunction = "Run"
  ActionType = "RunAntiMalwareScan"
  MachineId = "machine123"
  Comment = "Scheduled scan"
}
Invoke-MDEDeviceAction @params
```
Question 87 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What does it return?

Exhibit

Refer to the exhibit.
```kql
SecurityIncident
| where TimeGenerated > ago(7d)
| where Severity == "High"
| summarize Count = count() by Owner
| top 5 by Count
```
Question 88 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are configuring Microsoft Defender for Identity to protect against lateral movement attacks. Which configuration should you prioritize to detect pass-the-hash attacks?

Question 89 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel to manage security incidents. You need to ensure that critical incidents are automatically assigned to the senior security analyst on duty. What should you configure?

Question 90 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud Apps to discover shadow IT. You notice that a new cloud app is being used by multiple users but has a risk score of 8. What should you do first to manage the risk?

Question 91 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and you have configured a fusion analytics rule for advanced multistage attack detection. You notice that the rule is generating a high number of false positives. What should you do to reduce the false positives without disabling the rule?

Question 92 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR and you are configuring attack surface reduction (ASR) rules. You need to implement a rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion. Which ASR rule should you enable?

Question 93 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and you need to ensure that incidents are automatically closed when a related playbook completes successfully. What should you configure?

Question 94 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud and you need to ensure that security recommendations are automatically remediated for non-compliant resources. You have enabled 'Auto provisioning' for the Log Analytics agent. What additional step is required to enable automatic remediation?

Question 95 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Purview Compliance Manager to manage compliance activities. You need to assign a specific improvement action to a colleague for implementation. What should you do?

Question 96 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and you have a playbook that sends an email notification when a high-severity incident is created. You want to ensure that the playbook only runs for incidents that are not already assigned to a user. What should you configure?

Question 97 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions should you take to ensure that Microsoft Sentinel can properly ingest logs from a Linux server running rsyslog? (Choose two.)

Question 98 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which THREE features are available in Microsoft Defender XDR to help automate incident response? (Choose three.)

Question 99 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO are valid methods to connect a non-Azure Windows server to Microsoft Sentinel? (Choose two.)

Question 100 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing an Azure Security Center automation (now Microsoft Defender for Cloud) that should automatically trigger a Logic App when an alert is generated. However, the automation is not triggering. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.Security/automations",
  "apiVersion": "2019-01-01-preview",
  "name": "BlockMaliciousIP",
  "properties": {
    "description": "Block malicious IP in firewall",
    "isEnabled": true,
    "actions": [
      {
        "type": "LogicApp",
        "order": 1,
        "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/BlockIP",
        "actionParameters": {
          "@odata.type": "#Microsoft.Azure.Security.AlertSimulator.LogicAppActionParameters"
        }
      }
    ],
    "scopes": [
      "/subscriptions/..."
    ],
    "sources": [
      {
        "eventSource": "Alerts"
      }
    ]
  }
}
```
Question 101 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that returns accounts with more than 10 failed logins within 5 minutes. The query is not returning any results even though you know there have been multiple failed logins. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
SecurityEvent
| where EventID == 4625
| where Account !startswith "ANONYMOUS LOGON"
| summarize FailedLogins = count() by Account, IPAddress, bin(TimeGenerated, 5m)
| where FailedLogins > 10
```
Question 102 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing a custom Azure Policy definition that should block deployments from specific IP addresses. However, the policy does not seem to be evaluating any resources. What is the most likely issue?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block malicious IPs",
    "policyType": "Custom",
    "mode": "All",
    "description": "This policy denies deployment if the source IP is in a predefined list.",
    "metadata": {
      "version": "1.0.0",
      "category": "Network"
    },
    "parameters": {
      "listOfBlockedIPs": {
        "type": "Array",
        "metadata": {
          "displayName": "Blocked IPs",
          "description": "List of IPs to block"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "sourceIP",
        "in": "[parameters('listOfBlockedIPs')]"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
Question 103 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has a Microsoft Sentinel workspace that ingests logs from Azure resources, Microsoft 365, and third-party firewalls. You need to ensure that data retention for Azure Activity logs complies with a regulatory requirement of 3 years, while keeping costs low for other data types. What should you do?

Question 104 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your security team uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to investigate incidents. You notice that some alerts from Microsoft Defender for Endpoint are not being automatically correlated into incidents as expected. You have confirmed that the relevant alert sources are enabled in the Microsoft Defender XDR portal. What is the most likely cause?

Question 105 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring Microsoft Sentinel to ingest syslog data from a network appliance. After configuring the data connector, you notice that no data is appearing in the CommonSecurityLog table. The syslog server is sending data to the Azure Monitor Agent (AMA) on the log collector. What should you verify first?

Question 106 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You need to ensure that security alerts from on-premises servers running Windows Server 2022 are forwarded to Microsoft Sentinel. The servers are not yet onboarded to Azure Arc. What should you do first?

Question 107 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are managing a Microsoft Sentinel environment with multiple workspaces across different regions. You need to centralize incident management and allow security analysts to triage incidents from all workspaces in a single view. What should you configure?

Question 108 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel workspace has a Microsoft 365 Defender connector configured. You notice that incidents are being created from Microsoft Defender for Office 365 alerts, but not from Microsoft Defender for Identity alerts. What should you check?

Question 109 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with Azure Monitor Agent (AMA) to collect Windows security events. You need to collect process creation events (Event ID 4688) and include command-line information. The current Data Collection Rule (DCR) collects only basic security events. What should you modify?

Question 110 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring automated responses in Microsoft Sentinel. You have created an automation rule that runs a playbook when an incident is created. The playbook performs actions in Microsoft Entra ID and Microsoft Defender for Cloud. However, the playbook fails with a permissions error. What should you do?

Question 111 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You need to ensure that critical incidents in Microsoft Sentinel are automatically assigned to a senior security analyst. What should you configure?

Question 112 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions should you take to reduce the cost of Microsoft Sentinel while maintaining security coverage?

Question 113 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which THREE components are required to collect syslog messages from a network appliance into Microsoft Sentinel using the Azure Monitor Agent?

Question 114 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO Azure services can be used to automate response actions in Microsoft Sentinel when an incident is created?

Question 115 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You have an automation rule defined as shown. The rule is enabled but never triggers. What is the most likely reason?

Exhibit

```json
{
  "properties": {
    "displayName": "Test Automation Rule",
    "order": 1,
    "triggers": [
      {
        "type": "IncidentCreated",
        "conditions": [
          {
            "property": "IncidentStatus",
            "operator": "Equals",
            "value": "Active"
          },
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "order": 1,
        "playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/MyPlaybook"
      }
    ]
  }
}
```
Question 116 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns no results even though you know there are alerts with the name 'Malware detected'. What is the most likely issue?

Exhibit

```kusto
SecurityAlert
| where AlertName == "Malware detected"
| extend entities = parse_json(Entities)
| mv-expand entities
| where entities.Type == "file"
| project FileHash = entities.FileHash, AlertTime = TimeGenerated
```
Question 117 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You deploy this ARM template to your subscription. After deployment, you cannot find the saved search 'Test Search' in the Microsoft Sentinel workspace. What is the most likely reason?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "name": "[concat(parameters('workspaceName'), '/TestSearch')]",
      "apiVersion": "2020-08-01",
      "properties": {
        "displayName": "Test Search",
        "category": "Test",
        "query": "Heartbeat | summarize Count() by Computer",
        "tags": []
      }
    }
  ]
}
```
Question 118 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your security team is investigating an incident in Microsoft Defender XDR where a user received multiple phishing emails. The team needs to create an automated response that blocks the sender's email address across all mailboxes in the organization. Which action should you configure in an automated investigation and response (AIR) playbook?

Question 119 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring a Microsoft Sentinel analytics rule to detect failed logons from multiple IP addresses. The rule should trigger an incident only when the same user account has failed logons from more than three distinct IP addresses within 5 minutes. Which rule setting should you configure?

Question 120 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR and has a custom detection rule that queries DeviceProcessEvents for suspicious PowerShell commands. You notice that the rule is generating a high number of false positives. You need to reduce false positives while still detecting real threats. What should you do?

Question 121 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your team uses Microsoft Sentinel to monitor Azure subscriptions. You need to ensure that only users with the 'Microsoft Sentinel Contributor' role can create and edit analytics rules. You want to enforce this using Azure Policy. What should you do?

Question 122 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are setting up Microsoft Sentinel for the first time. You need to ingest Windows security events from on-premises servers using the Azure Monitor Agent. Which data connector should you enable in Microsoft Sentinel?

Question 123 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. You need to create an automated playbook that, when a Microsoft Sentinel incident is created from a Defender for Cloud Apps alert, automatically suspends the user in Microsoft Entra ID and sends a notification to the security team. Which two connectors should you use in the playbook?

Question 124 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your security team uses Microsoft Defender XDR to investigate a potential malware outbreak. You need to collect a full memory dump from an affected Windows 10 device for forensic analysis. Which action should you take from the Microsoft Defender XDR portal?

Question 125 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring Microsoft Sentinel to send email notifications to the security team when high-severity incidents are created. Which feature should you use?

Question 126 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS applications. You discover that a user is downloading a large number of files from SharePoint Online to an unmanaged device. You need to automatically block the download and require the user to acknowledge a policy violation. Which action should you configure in a session policy?

Question 127 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions are valid ways to integrate on-premises firewall logs into Microsoft Sentinel for analysis?

Question 128 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE components are required to implement a threat intelligence feed in Microsoft Sentinel using the Threat Intelligence - TAXII data connector?

Question 129 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions can a Microsoft Sentinel automation rule perform when an incident is created?

Question 130 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in JSON. The rule is intended to trigger an incident when more than 5 sign-ins from anomalous locations occur within an hour. However, the rule is not triggering as expected. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Suspicious Sign-in Detection",
    "description": "Detects sign-ins from anomalous locations",
    "severity": "Medium",
    "query": "SigninLogs | where RiskLevelDuringSignIn == 'medium' | where Location != 'US'",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5
  }
}
```
Question 131 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are analyzing a KQL query used in a custom detection rule in Microsoft Defender XDR. The rule is supposed to detect devices where a parent process launched more than 10 instances of PowerShell or cmd.exe in the last 7 days. However, the query returns no results even though you know such activity exists. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe")
| extend ParentPID = InitiatingProcessParentFileName
| summarize Count = count() by DeviceName, InitiatingProcessFileName
| where Count > 10
```
Question 132 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing an Azure Policy definition intended to block malicious IPs by denying the creation of network security group rules that allow traffic from a list of blocked IPs. However, the policy is not working as expected. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block malicious IPs",
    "description": "Blocks IPs from threat intelligence feed",
    "policyType": "Custom",
    "mode": "Microsoft.Network/virtualNetworks",
    "parameters": {
      "listOfBlockedIPs": {
        "type": "Array",
        "metadata": {
          "displayName": "List of blocked IPs",
          "description": "IP addresses to block"
        }
      }
    },
    "policyRule": {
      "if": {
        "field": "type",
        "equals": "Microsoft.Network/networkSecurityGroups/securityRules"
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}
```
Question 133 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

A SOC analyst receives a high-severity alert for a user who downloaded a malicious file from a phishing email. The analyst needs to quickly assess the scope of the incident across endpoints, email, and identities. Which Microsoft Defender XDR feature should the analyst use to get a unified view of the incident?

Question 134 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel for security operations. You need to ensure that critical alerts are automatically assigned to the appropriate SOC tier for investigation. What should you configure in Microsoft Sentinel?

Question 135 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

A SOC manager wants to implement a new workflow where high-severity Microsoft Defender for Cloud Apps alerts are automatically sent to a Teams channel for immediate action. The solution must not require custom code. What should the manager configure?

Question 136 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your company uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to ensure that when a device is determined to be compromised, the device is automatically isolated from the network and a Sentinel incident is updated with the isolation status. What is the most efficient way to achieve this?

Question 137 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

A junior SOC analyst receives multiple low-severity alerts from Microsoft Sentinel. The alerts are related to failed logon attempts from a single IP address over a short period. The analyst wants to group these alerts into a single incident to reduce noise. What should the analyst do?

Question 138 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all Defender XDR incidents are automatically synchronized into Microsoft Sentinel for a single pane of glass. What should you configure?

Question 139 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

A security operations center (SOC) uses Microsoft Sentinel for log management. The SOC manager wants to reduce storage costs by automatically archiving logs that are older than 90 days to long-term retention, but retains the ability to search them if needed. What should the manager configure?

Question 140 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your SOC team uses Microsoft Sentinel incident investigation. An analyst needs to quickly see all related entities (users, IPs, machines) for an incident. Which feature should the analyst use?

Question 141 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

A SOC analyst suspects a user account is compromised based on anomalous sign-in activity detected by Microsoft Entra ID Protection. The analyst needs to confirm and contain the threat. What is the first action the analyst should take?

Question 142 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions can be performed using Microsoft Sentinel automation rules? (Select TWO.)

Question 143 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE capabilities are provided by Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select THREE.)

Question 144 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions can be taken directly from the Microsoft Defender XDR incident queue? (Select TWO.)

Question 145 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing an automation rule configuration in Microsoft Sentinel. Based on the JSON snippet, what will happen when a high-severity incident is created?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "High severity incidents to Teams",
    "order": 1,
    "triggers": [
      {
        "type": "IncidentsTrigger",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "order": 1,
        "playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/PostTeamsMessage"
      }
    ]
  }
}
```
Question 146 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are investigating a user entity in Microsoft Sentinel. The entity details show a riskLevel of 'high' and riskState 'atRisk'. What does this indicate?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "entityType": "Account",
    "displayName": "testuser@contoso.com",
    "aadUserId": "00000000-0000-0000-0000-000000000001",
    "riskLevel": "high",
    "riskDetail": "User performed anomalous sign-in from unfamiliar location",
    "riskState": "atRisk",
    "riskLastUpdatedDateTime": "2026-03-15T10:30:00Z"
  }
}
```
Question 147 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

Exhibit

Refer to the exhibit.
```kql
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType !in ("0", "50125")  // exclude success and password change
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > 5
```
Question 148 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel for security operations. You need to ensure that a specific AWS CloudTrail log is ingested into Microsoft Sentinel. Which data connector should you use?

Question 149 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your security team receives alerts from Microsoft Defender for Cloud. You need to configure automated response to remediate a specific alert type. What should you create in Microsoft Sentinel?

Question 150 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are managing a Microsoft Sentinel workspace that ingests data from Microsoft 365 Defender. You notice that some incident creation rules are not generating incidents as expected. What should you check first?

Question 151 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions should you take when configuring Microsoft Sentinel to minimize false positives from an analytics rule?

Question 152 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE of the following are valid methods to archive logs in Microsoft Sentinel to reduce costs?

Question 153 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO permissions are required for a user to manage Microsoft Sentinel playbooks?

Question 154 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You have created a scheduled analytics rule in Microsoft Sentinel as shown. The rule is not generating any incidents, even though you know Copilot for Microsoft 365 is accessing sensitive files. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Sensitive Data Access Alert",
    "severity": "Medium",
    "query": "OfficeActivity | where Operation == 'FileAccessed' and UserAgent contains 'Microsoft.Copilot' | project TimeGenerated, UserId, FileName",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5
  }
}
```
Question 155 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You run the KQL query in Microsoft Sentinel to identify analysts with high incident assignments. The query returns no results, but you know incidents exist. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
SecurityIncident
| where TimeGenerated > ago(7d)
| summarize TotalIncidents = count() by Owner
| where TotalIncidents > 10
| project Owner, TotalIncidents
```
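As an added example, not part of the question bank and not the page's answer key, the query below shows the pattern a practitioner would use to count open incidents per assigned analyst from the SecurityIncident table. It relies on the documented schema: SecurityIncident writes a new row on every incident update, so the latest row per IncidentNumber is taken with arg_max() before counting, and Owner is a dynamic (JSON) column whose userPrincipalName field has to be cast with tostring() before it can be grouped on. The 7-day window and the threshold of 10 are taken from the exhibit; the Status filter and the High-severity count are additions.

```kusto
// Added example: open incidents per assigned analyst over the last 7 days.
// SecurityIncident holds one row per incident update, so reduce each incident
// to its latest state first; otherwise every edit inflates the count.
let Lookback = 7d;
let Threshold = 10;
SecurityIncident
| where TimeGenerated > ago(Lookback)
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where Status in ("New", "Active")
// Owner is dynamic; index the field, then cast to string so it can be a group key.
| extend OwnerUpn = tolower(tostring(Owner.userPrincipalName))
| where isnotempty(OwnerUpn)          // unassigned incidents carry an empty owner
| summarize
    TotalIncidents = count(),
    HighSeverity   = countif(Severity == "High"),
    OldestIncident = min(CreatedTime)
  by OwnerUpn
| where TotalIncidents > Threshold
| order by TotalIncidents desc
| project Owner = OwnerUpn, TotalIncidents, HighSeverity, OldestIncident
```

Run this in the Logs blade or in a workbook; if it returns nothing while incidents exist, check the Status filter before anything else, since closed incidents are excluded on purpose.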
Question 156 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You execute the Azure CLI command to create an analytics rule in Microsoft Sentinel. The rule is created but never triggers. What is the most likely cause?

Exhibit

Refer to the exhibit.

```azurecli
az sentinel alert-rule create \
  --resource-group rg-sentinel \
  --workspace-name sentinel-workspace \
  --rule-name "Suspicious Sign-in" \
  --rule-type Scheduled \
  --query "SigninLogs | where RiskLevelDuringSignIn == 'high'" \
  --display-name "Suspicious Sign-in" \
  --severity High \
  --enabled true
```
Question 157 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. You want to forward MDI alerts to Microsoft Sentinel. What should you configure?

Question 158 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are responsible for Microsoft Sentinel pricing. You notice that data ingestion costs are high due to verbose logs from Windows security events. You need to reduce costs while still collecting critical security events. What should you do?

Question 159 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your team uses Microsoft Sentinel workbooks to visualize security data. You want to allow team members to customize a workbook without affecting the original. What should you do?

Question 160 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which THREE are valid incident management features in Microsoft Sentinel?

Question 161 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO are supported methods to ingest syslog data into Microsoft Sentinel?

Question 162 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to ensure that when an incident is created from a specific rule, a Teams message is sent to the security team. What should you configure?

Question 163 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with a pay-as-you-go pricing tier. You need to reduce costs by archiving older logs that are rarely accessed. Which action should you take?

Question 164 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

A security analyst reports that a scheduled analytics rule in Microsoft Sentinel has stopped generating incidents after a recent update. The rule still runs but produces no alerts. What should you check first?

Question 165 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You discover that a user is performing unusual bulk downloads from SharePoint. You need to automatically create an incident in Sentinel and suspend the user in Microsoft Entra ID. What should you use?

Question 166 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring Microsoft Defender for Cloud Apps session controls for a SharePoint site containing sensitive data. Which condition must be met to apply real-time monitoring?

Question 167 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel workspace ingests logs from multiple sources but you notice that some custom logs are missing in the Log Analytics workspace. You've confirmed that the data connectors are healthy. What is the most likely cause?

Question 168 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are designing an automation rule in Microsoft Sentinel that should automatically assign incidents to the appropriate analyst based on the incident type. However, the rule fails to assign correctly for some incidents. What should you verify?

Question 169 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization is migrating from Azure Active Directory to Microsoft Entra ID. You need to ensure that Microsoft Sentinel continues to receive identity logs. What should you do?

Question 170 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You have deployed Microsoft Defender for Endpoint and integrated it with Microsoft Sentinel. You notice that alerts from Defender for Endpoint are not appearing in Sentinel. What should you check first?

Question 171 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring an automated investigation and response (AIR) playbook in Microsoft Sentinel. The playbook should automatically block a user in Microsoft Entra ID when a high-severity incident is created. Which action should you include in the playbook?

Question 172 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions can reduce the cost of Microsoft Sentinel while maintaining security coverage?

Question 173 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE components are required to use Microsoft Sentinel's automation rules to automatically respond to incidents?

Question 174 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO Microsoft Sentinel features allow you to organize and prioritize incidents for better triage?

Question 175 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your security team receives frequent false positive alerts from Microsoft Defender for Cloud Apps. You need to reduce noise without disabling any threat detection policies. What should you do?

Question 176 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are managing a Microsoft Sentinel environment. You need to ensure that incidents are automatically assigned to the appropriate analyst based on the type of attack. The assignment must consider the current workload of each analyst. What should you use?

Question 177 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR. You need to ensure that all cloud app alerts are forwarded to Microsoft Sentinel for correlation. What should you configure?

Question 178 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are responsible for Microsoft Defender for Identity. The security team reports that some high-confidence alerts are not triggering any automated response. You need to automate the response for these alerts. What should you configure?

Question 179 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to automatically group related incidents from different rules into a single incident to reduce analyst workload. The grouping should occur within 30 minutes of the first incident creation. What should you do?

Question 180 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email, the email is automatically analyzed and remediated. What should you configure?

Question 181 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are the security analyst for a company that uses Microsoft Sentinel. You notice that a critical analytics rule has not generated any incidents in the past week, but you know that relevant logs are being ingested. You need to troubleshoot why the rule is not firing. What is the first step you should take?

Question 182 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your company uses Microsoft Defender XDR. The security team needs to restrict access to the Microsoft Defender portal so that only analysts in the 'Security Operations' group can view incidents. What is the most efficient way to achieve this?

Question 183 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You manage Microsoft Sentinel. You need to ensure that an automated response is triggered when a specific type of incident is created. The response should send an email to the on-call security engineer. What should you use?

Question 184 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions should you take to improve the performance of Microsoft Sentinel analytics rules that query large datasets?

Question 185 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE components are required to enable automated investigation and response (AIR) in Microsoft Defender XDR for alerts from Microsoft Defender for Identity?

Question 186 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO tasks can you perform using Microsoft Sentinel automation rules?

Question 187 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You have a Logic Apps playbook that triggers on Microsoft Sentinel alerts. The playbook is not posting messages to Teams. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "id": "playbook-logic-app",
  "triggers": {
    "When_a_response_to_a_Microsoft_Sentinel_alert_is_triggered": {
      "kind": "Microsoft.EventGrid",
      "inputs": {
        "body": {
          "alert": {
            "properties": {
              "providerAlertId": "@triggerBody()?['data']?['essentials']?['alertId']",
              "correlationKey": "@triggerBody()?['data']?['essentials']?['correlationKey']"
            }
          }
        }
      }
    }
  },
  "actions": {
    "Compose_Teams_message": {
      "kind": "Microsoft.Teams.PostMessage",
      "inputs": {
        "message": "Alert ID: @{triggerBody()?['data']?['essentials']?['alertId']}",
        "recipient": "security-team-channel"
      }
    }
  }
}
```
Question 188 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You have a KQL query in a Microsoft Sentinel analytics rule. The rule is not generating incidents even though there are 'Suspicious sign-in' alerts from non-contoso.com users. What is the most likely issue?

Exhibit

Refer to the exhibit.

```kusto
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertName == "Suspicious sign-in"
| extend UserPrincipalName = tostring(Entities[0].AccountUpn)
| where UserPrincipalName !endswith "@contoso.com"
| project TimeGenerated, AlertName, UserPrincipalName
```
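As an added example, not part of the original question bank, the query below shows how an account entity is normally extracted from SecurityAlert. In the documented schema Entities is a string column that holds a JSON array, so it has to go through parse_json() and mv-expand before any field can be read, and an account entity carries Name and UPNSuffix rather than a single UPN field, so the UPN is reassembled with strcat(). The alert name and the contoso.com domain come from the exhibit; the entity field names are the documented entity-schema names.

```kusto
// Added example: "Suspicious sign-in" alerts whose account entity is outside
// contoso.com. Entities is stored as a JSON string, so parse and expand it first.
let HomeDomain = "contoso.com";
SecurityAlert
| where TimeGenerated > ago(24h)
| where AlertName == "Suspicious sign-in"
| mv-expand Entity = parse_json(Entities)          // one row per entity
| where tostring(Entity.Type) =~ "account"
| extend AccountName = tostring(Entity.Name),
         UpnSuffix   = tostring(Entity.UPNSuffix)
| where isnotempty(AccountName) and isnotempty(UpnSuffix)
| extend UserPrincipalName = tolower(strcat(AccountName, "@", UpnSuffix))
| where UpnSuffix !~ HomeDomain                      // external or unexpected domain only
| project TimeGenerated, AlertName, UserPrincipalName, ProviderName, SystemAlertId
| order by TimeGenerated desc
```

Indexing a string column as if it were dynamic returns empty values rather than an error, which is why a rule built that way runs cleanly but never matches; parsing first turns the silent miss into real rows.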
Question 189 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You deploy this ARM template to deploy a saved search in a Microsoft Sentinel workspace. After deployment, the saved search does not appear in Sentinel. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/TestQuery')]",
      "properties": {
        "displayName": "Test Query",
        "category": "Security",
        "query": "SecurityEvent | where EventID == 4624 | count",
        "tags": []
      }
    }
  ]
}
```
Question 190 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to ensure that incident investigation is efficient by automatically grouping related alerts into incidents. Which configuration should you use?

Question 191 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your security team uses Microsoft Defender XDR. You need to ensure that a user who is suspected of credential theft is immediately blocked from accessing corporate email and cloud apps, while the investigation continues. What should you do?

Question 192 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You manage a Microsoft Sentinel workspace that ingests logs from multiple sources. You notice that the workspace is approaching its daily ingestion quota, and some data sources are being dropped. You need to ensure that security-related logs are prioritized and that non-critical logs are not ingested. What should you configure?

Question 193 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the type of alert. What should you create?

Question 194 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your company uses Microsoft Defender for Cloud Apps. You discover that a user is accessing sensitive data from an unfamiliar IP address. You need to immediately block the user's access to all cloud apps while preserving the session for investigation. What should you do?

Question 195 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring Microsoft Sentinel automation rules to handle incidents from multiple analytics rules. You need to ensure that incidents from a specific rule are automatically assigned to the 'SOC Tier 2' group and have a severity of 'High' regardless of the original severity. What should you do?

Question 196 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to ensure that incidents generated in Microsoft 365 Defender are automatically synchronized to Microsoft Sentinel. What should you configure?

Question 197 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are investigating a security incident in Microsoft Sentinel. You need to preserve a snapshot of the investigation including comments, bookmarks, and entities for future reference. What should you do?

Question 198 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a device is identified as compromised by Defender for Endpoint, an incident is automatically created in Sentinel with high severity. What should you configure?

Question 199 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO are valid methods to ingest syslog data into Microsoft Sentinel?

Question 200 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which THREE actions can be performed by automation rules in Microsoft Sentinel?

Question 201 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which TWO are required to enable Microsoft Sentinel to use AI-generated incident summaries?

Question 202 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing a playbook configuration for Microsoft Sentinel. What does this playbook do?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block Malicious IP",
    "logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/BlockIP",
    "triggerConditions": [
      {
        "property": "Microsoft.Security.Incident",
        "condition": "Equals",
        "value": "High"
      }
    ]
  }
}
```
Question 203 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are analyzing high severity alerts from Microsoft Defender for Endpoint in Microsoft Sentinel. What does this KQL query do?

Exhibit

Refer to the exhibit.

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertSeverity == "High"
| where ProviderName == "Microsoft Defender for Endpoint"
| summarize AlertCount = count() by AlertName, bin(TimeGenerated, 1d)
| sort by AlertCount desc
```
Question 204 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. A security administrator runs this PowerShell script. What is the effect?

Exhibit

Refer to the exhibit.

```powershell
$params = @{
    ResourceGroupName = "SOC-RG"
    WorkspaceName = "sentinel-workspace"
    Name = "DailySummaryReport"
    Enabled = $true
    Description = "Generates daily incident summary"
    DisplayName = "Daily Summary"
    LogicAppResourceId = "/subscriptions/.../resourceGroups/SOC-RG/providers/Microsoft.Logic/workflows/DailySummary"
    TriggerConditions = @(
        @{
            Property = "Microsoft.Security.Incident"
            Condition = "Equals"
            Value = "Medium"
        }
    )
}
New-AzSentinelAutomationRule @params
```
Question 205 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security analyst at a company that uses Microsoft Sentinel. You need to ensure that only users with a specific tag in Microsoft Entra ID can access the Sentinel workspace. Which Azure feature should you use?

Question 206 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR. You notice that automated investigations are being blocked for certain devices due to high-severity alerts. You need to ensure that automated actions can proceed for devices with a risk score below 30. What should you configure?

Question 207 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. The data connector shows 'Connected' but no events are being received. You have verified network connectivity and firewall configuration. What should you check next?

Question 208 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to assign a custom initiative to a specific management group to track compliance. Which two components must you create?

Question 209 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations analyst at a company that uses Microsoft Sentinel. You have enabled User and Entity Behavior Analytics (UEBA) to detect anomalies. A new alert fires indicating a user is logging in from an unusual location. However, the user is a known traveler. How can you reduce false positives without disabling the UEBA rule?

Question 210 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are reviewing an analytics rule in Microsoft Sentinel. The rule is supposed to alert when a Confidential sensitivity label file is accessed. However, no alerts have been generated despite known accesses. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Sensitive Data Access",
    "description": "Detect access to sensitive data",
    "severity": "Medium",
    "query": "SensitivityLabelEvent | where SensitivityLabelName contains \"Confidential\" | where OperationName == \"FileAccessed\"",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "tactics": ["Collection"],
    "alertRuleTemplateName": null
  }
}
```
Question 211 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malware to quarantine before delivery. Which policy type should you use?

Question 212 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are managing Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from a sanctioned cloud app. You need to automatically suspend the user's access when the download exceeds 5 GB in 10 minutes. What should you create?

Question 213 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that runs an automation rule to create a support ticket in ServiceNow. The playbook fails intermittently with a timeout error. You have verified that the playbook's managed identity has the correct permissions. What should you check next?

Question 214 (easy, multi select)
Read the full Manage a security operations environment explanation →

Which TWO permissions are required to configure a data connector in Microsoft Sentinel?

Question 215 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which THREE components are part of the Microsoft Defender XDR incident management process?

Question 216 (medium, multi select)
Read the full Manage a security operations environment explanation →

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Question 217 (hard, multi select)
Read the full Manage a security operations environment explanation →

Which THREE conditions can you use to trigger a Microsoft Sentinel scheduled analytics rule?

Question 218 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security analyst for a multinational company with Microsoft Sentinel deployed in a central workspace. You need to grant a team of analysts in the European branch the ability to view incidents and run queries, but they should not be able to modify analytics rules or data connectors. The team already has Microsoft Sentinel Reader role assigned. However, they report that they cannot run KQL queries in the Logs blade. You need to provide the minimum additional permissions. What should you do?

Question 219 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations analyst at a company that uses Microsoft Defender XDR and Microsoft Sentinel. You have configured a custom detection rule in Microsoft Defender XDR that uses a KQL query to detect suspicious PowerShell activity. The rule triggers an alert, but you want to automatically create an incident in Microsoft Sentinel and run a playbook that isolates the affected device. You have already set up the Microsoft Defender XDR connector in Sentinel and enabled incident creation from Defender XDR alerts. However, the playbook does not run automatically when a Defender XDR incident is created. You have verified that the playbook is properly configured and has the correct permissions. What should you do?

Question 220 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The security team wants to automatically create an incident in Microsoft Sentinel when a Microsoft Defender for Endpoint alert is triggered. What should you configure?

Question 221 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your security operations team uses Microsoft Sentinel workbooks to monitor security posture. You notice that a workbook query is timing out when run against a large workspace. What is the best way to optimize the query without changing its results?

Question 222 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization is implementing Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. The SOC team needs to investigate incidents across all tenants from a single interface. Which configuration is required?

Question 223 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has Microsoft Defender for Cloud Apps (MDA) connected to Microsoft Sentinel. The SOC team wants to receive alerts when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

Question 224 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your Microsoft Sentinel workspace is experiencing high ingestion costs. Which of the following actions will most effectively reduce costs while maintaining security visibility?

Question 225 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics) enabled. The SOC team notices that UEBA is not generating any anomalies for a specific user group. What is the most likely cause?

Question 226 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Office 365. You want to automatically isolate a user's mailbox if a high-confidence phishing email is detected. Which Microsoft Sentinel automation should you use?

Question 227 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your SOC team uses Microsoft Sentinel incident management. They want to automatically assign high-severity incidents to a senior analyst and send a notification to Microsoft Teams. What should you use?

Question 228 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization is migrating to Microsoft Sentinel. You need to ensure that the workspace retains data for 2 years for compliance, but you want to reduce costs by using cheaper storage for data older than 90 days. What should you configure?

Question 229 (medium, multi select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The SOC team needs to investigate a cross-tenant incident. Which TWO actions should you take? (Choose two.)

Question 230 (hard, multi select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Copilot for Security. You want to improve incident response efficiency. Which THREE features should you implement? (Choose three.)

Question 231 (easy, multi select)
Read the full Manage a security operations environment explanation →

Your organization plans to implement Microsoft Sentinel. Which THREE components are required for a basic deployment? (Choose three.)

Question 232 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are reviewing an Azure Resource Manager (ARM) template for a Microsoft Sentinel analytics rule. Based on the exhibit, which statement is true?

Exhibit

```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "MFA Disabled",
    "query": "IdentityInfo | where Timestamp > ago(5h) | where IsMfaRegistered == false",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "eventGroupingSettings": {
      "aggregationKind": "AlertPerResult"
    },
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false
      }
    }
  }
}
```
Question 233 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization, Contoso, uses Microsoft Sentinel in a single Log Analytics workspace. You have ingested logs from Microsoft Defender XDR, Microsoft Entra ID, and Azure Firewall. The SOC team needs to investigate an incident where a user's account was compromised and used to access sensitive data from an external IP address. The incident was created from a Microsoft Defender for Cloud Apps alert. The SOC team wants to automatically block the user from further access and disable the user account in Microsoft Entra ID. You need to design an automated response using Microsoft Sentinel playbooks. The solution must minimize manual intervention. You have the following options: A) Create a playbook that triggers on the incident and uses the Microsoft Graph API to disable the user account and revoke sessions. Configure the playbook to run automatically from an automation rule. B) Create a playbook that triggers on the alert and uses the Defender for Cloud Apps API to suspend the user. Configure the automation rule to run the playbook on incident creation. C) Create a playbook that sends an email to the SOC team to manually disable the user. D) Create an automation rule that automatically changes the incident status to 'Active' and assigns it to a senior analyst. Which option should you choose?

Question 234 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization, Fabrikam, has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are using Microsoft Sentinel and Microsoft Defender XDR. You have enabled Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. Recently, you received an incident in Microsoft Sentinel indicating a potential DCSync attack from a domain controller. The incident was generated from an MDI alert. You need to investigate the incident and determine if the attack was successful. You have the following options: A) Use the Microsoft Sentinel incident investigation graph to view entities and relationships. Then query the IdentityDirectoryEvents table for the domain controller to see if any directory replication requests were made. B) Use the Microsoft Defender XDR advanced hunting to query the IdentityLogonEvents table for the domain controller. C) Use the Microsoft Sentinel workbook for MDI to visualize the attack timeline. D) Use the Microsoft Defender for Cloud Apps activity log to review the domain controller's activities. Which option should you choose?

Question 235 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that an external user from a partner organization can access a specific Sentinel workbook without having access to the entire Log Analytics workspace. What should you do?

Question 236 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. An automation rule in Microsoft Sentinel is configured as shown. When a high-severity incident is created, what is the expected behavior?

Exhibit

```json
{
  "properties": {
    "displayName": "SOC Automation Rules",
    "rules": [
      {
        "name": "High Severity Incidents",
        "description": "Assign incidents with severity High to tier1 group and run a playbook.",
        "actions": [
          { "order": 1, "actionType": "AddIncidentTask", "taskName": "Notify SOC Lead" },
          { "order": 2, "actionType": "RunPlaybook", "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/NotifySOC" },
          { "order": 3, "actionType": "ModifyIncident", "status": "Active", "owner": "SOC-Tier1@contoso.com" }
        ]
      }
    ]
  }
}
```
Question 237 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization wants to use Microsoft Copilot for Security to generate incident summaries. What is the minimum license required?

Question 238 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to configure a playbook that automatically responds to incidents by creating a support ticket in ServiceNow. Which connector should you use?

Question 239 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. A KQL query is used in a Microsoft Sentinel scheduled analytics rule to detect unhealthy agents. The rule runs every 5 minutes and has a lookback period of 5 minutes. What is the potential issue?

Exhibit

```kusto
let HeartbeatThreshold = 5m;
Heartbeat
| summarize LastHeartbeat = max(TimeGenerated) by Computer
| where LastHeartbeat < ago(HeartbeatThreshold)
| project Computer, LastHeartbeat, Status = 'Unhealthy'
```
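An added example, not from the question bank: a version of the stale-agent query that does not depend on the rule's query window being wide. A machine whose agent has stopped sending data has no rows at all inside a short lookback, so it can never surface from a summarize over that window; the fix is to look back far enough to still hold every machine's last heartbeat and then apply the silence threshold. The threshold and lookback values are assumptions; tune them to your Heartbeat interval.

```kusto
// Added example: stale-agent detection that tolerates a short rule window.
// Heartbeat rows arrive roughly once a minute per agent, so a 15m threshold is a
// few missed beats; the 1d lookback keeps the last heartbeat of every machine in scope.
let HeartbeatThreshold = 15m;   // assumed; raise it if your agents report less often
let Lookback = 1d;              // must be much longer than HeartbeatThreshold
Heartbeat
| where TimeGenerated > ago(Lookback)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, ResourceId
| where LastHeartbeat < ago(HeartbeatThreshold)
| extend MinutesSilent = datetime_diff('minute', now(), LastHeartbeat)
| project Computer, ResourceId, LastHeartbeat, MinutesSilent, Status = 'Unhealthy'
| order by MinutesSilent desc
```

Two caveats when this runs as a scheduled analytics rule: the rule's own "Lookback data from the last" setting bounds the rows the query can see, so `ago(Lookback)` inside the query does nothing unless the rule lookback is set to at least the same value; and a machine that stays silent matches on every run, so use alert grouping or suppression (or an automation rule) to avoid one incident per run per machine.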
Question 240 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud. You need to view a list of all security recommendations for your Azure subscriptions. Which blade should you use?

Question 241 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR. You want to ensure that all incidents with severity 'High' are automatically assigned to the 'Tier1' group and have a playbook executed. What should you use?

Question 242 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has deployed Microsoft Sentinel in multiple regions. You need to ensure that incidents created in one workspace are available for correlation in a central workspace. What should you implement?

Question 243 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Identity. You need to create a role that allows analysts to view security alerts but not modify them. Which built-in role should you assign?

Question 244 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Which TWO actions can you perform using Microsoft Sentinel automation rules? (Select two.)

Question 245 (hard, multi-select)
Read the full Manage a security operations environment explanation →

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Select three.)

Question 246 (easy, multi-select)
Read the full Manage a security operations environment explanation →

Which TWO roles in Microsoft Entra ID can manage Microsoft Defender for Cloud Apps? (Select two.)

Question 247 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are a SOC analyst at Contoso. The environment includes Microsoft Sentinel in a single workspace, Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps), Microsoft Entra ID, and Microsoft Intune. You need to design a solution to automatically triage and respond to phishing incidents detected by Defender for Office 365. The requirements are: 1) When a phishing alert is generated with high confidence, an incident should be automatically created in Sentinel. 2) The incident should be assigned to the 'Phishing' team and have a severity of High. 3) A playbook should run that will send a Teams message to the Phishing team and also block the sender in Exchange Online. 4) The incident should be automatically closed if the playbook successfully executes. What should you do?

Question 248 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has recently deployed Microsoft Sentinel and wants to ensure that all critical Azure resources are monitored for security misconfigurations. You have already enabled Microsoft Defender for Cloud on all subscriptions. You need to configure a solution that will automatically create a Sentinel incident whenever a new security recommendation with severity 'High' is generated in Defender for Cloud. The incident should be assigned to the 'Infrastructure' team. Additionally, you want to run a playbook that will open a ticket in your IT Service Management (ITSM) tool. What should you do?

Question 249 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your SOC team uses Microsoft Sentinel. You need to ensure that all incidents are classified and resolved within 72 hours. Currently, analysts manually update the incident status and classification. You want to automate the following: 1) If an incident is not updated within 48 hours, send a reminder to the assigned analyst via email. 2) If an incident remains open after 72 hours, automatically escalate it to the SOC manager and increase its severity. What should you implement?

Question 250 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that a new SOC analyst can triage incidents without being able to delete or modify analytics rules. Which role should you assign?

Question 251 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to reduce data ingestion costs while retaining security events for one year. You have enabled Azure Monitor Agent on all servers. What should you do?

Question 252 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are configuring a Microsoft Sentinel automation rule to automatically assign incidents to a specific owner based on a custom property. Which action type should you use?

Question 253 (easy, multi-select)
Read the full Manage a security operations environment explanation →

Which TWO actions can be performed using Microsoft Sentinel automation rules? (Choose two.)

Question 254 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Which TWO conditions must be met to enable Microsoft Sentinel UEBA? (Choose two.)

Question 255 (hard, multi-select)
Read the full Manage a security operations environment explanation →

Which THREE permissions are required for a user to manage Microsoft Sentinel playbooks using Azure Logic Apps? (Choose three.)

Question 256 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are reviewing a Microsoft Sentinel analytics rule configuration. The rule is not generating incidents as expected. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "MFA Disabled Alert",
    "description": "Alert when MFA is disabled for a user.",
    "severity": "Medium",
    "enabled": true,
    "query": "IdentityLogonEvents | where Application == 'Microsoft Entra ID' | where ActionType == 'MFA disabled' | summarize Count=count() by AccountUpn",
    "queryFrequency": "PT5H",
    "queryPeriod": "PT5H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false
  }
}
```
Question 257 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has recently deployed Microsoft Sentinel and Microsoft Defender XDR. You are tasked with configuring the environment to ensure that incidents created by Microsoft Defender for Cloud Apps are automatically synchronized to Microsoft Sentinel. The security operations team wants to manage all incidents from within Sentinel. You have already connected the Microsoft Defender XDR connector to Sentinel. However, you notice that incidents from Defender for Cloud Apps are not appearing in Sentinel. You verify that the Defender for Cloud Apps connector is not listed in the data connectors blade. What should you do to resolve this issue?

Question 258 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with multiple workspaces for different business units. You need to provide a single-pane-of-glass view for incident management across all workspaces. You have deployed Azure Lighthouse to manage multiple workspaces from a single portal. The SOC team is able to see incidents from all workspaces, but when they try to investigate an incident by clicking on it, they receive a 'Resource not found' error. The team has the necessary permissions on the Sentinel resources. What is the most likely cause of this error?

Question 259 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are the security operations lead for a multinational company using Microsoft Sentinel. You have deployed a custom analytics rule that uses a KQL query to detect anomalous outbound network traffic. The rule runs every hour and looks back 24 hours. Recently, the rule has been generating a high number of false positives. You need to tune the rule to reduce false positives without missing genuine threats. The rule currently triggers when the count of outbound connections to a single IP exceeds 100 in an hour. You analyze the data and find that legitimate cloud services often trigger the rule. What should you do?

Question 260 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with UEBA enabled. You are investigating a suspicious incident where a user's account is reported to have accessed an unusual amount of data from a SharePoint site. The incident alert points to the user 'jdoe@contoso.com'. You open the incident and see that the entity timeline for jdoe shows several activities, including file downloads. However, you notice that the timeline does not include any Azure AD sign-in events for this user. You need to include sign-in events in the entity timeline to get a complete picture. What should you do?

Question 261 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security analyst at a company that uses Microsoft Defender XDR. You receive an alert about a potential ransomware activity on a workstation. The alert is generated by Microsoft Defender for Endpoint. You need to contain the threat by isolating the workstation from the network while allowing forensic analysis to proceed. You want to use Microsoft Defender XDR's built-in actions. What should you do?

Question 262 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your company uses Microsoft Sentinel to monitor security events. You have configured a daily email report that summarizes the top 10 incidents from the past 24 hours. The report is sent using a Logic App playbook triggered by a scheduled query. Recently, the report has stopped being delivered. You check the Logic App run history and see that the last run failed with an HTTP 403 error when connecting to the Microsoft Sentinel API. The Logic App uses a managed identity for authentication. What is the most likely cause of the failure?

Question 263 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization has Microsoft Sentinel deployed in a single workspace. You need to implement role-based access control (RBAC) so that only senior analysts can modify analytics rules, while junior analysts can only view incidents. You have created custom roles in Azure. You assign the junior analysts the 'Microsoft Sentinel Reader' role. However, you find that junior analysts can still create and modify analytics rules. What is the most likely reason?

Question 264 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your company uses Microsoft Defender for Cloud Apps to monitor cloud applications. You have discovered that a user is accessing a sanctioned cloud storage app from an IP address that belongs to a known malicious botnet. You need to automatically block the user's access to the app and require them to re-authenticate. You have already configured session policies in Defender for Cloud Apps. What should you do next?

Question 265 (easy, multi-select)
Read the full Manage a security operations environment explanation →

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to ensure that incidents are automatically assigned to the appropriate team based on the incident type. Which two actions should you take?

Question 266 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that high-severity incidents are automatically escalated to the on-call security engineer via Microsoft Teams. Which three components should you configure?

Question 267 (hard, multi-select)
Read the full Manage a security operations environment explanation →

You are managing a Microsoft Sentinel workspace that ingests data from multiple sources. You need to reduce the cost of log ingestion while maintaining security visibility. Which two actions should you take?

Question 268 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to ensure that security alerts from Defender for Cloud are automatically synchronized to Sentinel and assigned to the cloud security team. Which three actions should you take?

Question 269 (easy, multi-select)
Read the full Manage a security operations environment explanation →

You are a security analyst at a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects failed logon attempts from multiple IP addresses within 5 minutes. Which two KQL operators should you use?

Question 270 (hard, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with UEBA enabled. You need to investigate a potential insider threat where a user is accessing sensitive data outside of business hours. Which three built-in UEBA entities should you review?

Question 271 (medium, multi-select)
Read the full Manage a security operations environment explanation →

You are configuring Microsoft Defender for Identity (MDI) in your on-premises Active Directory environment. You need to ensure that MDI can detect lateral movement attacks. Which two configurations are required?

Question 272 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are the security operations lead for a multinational company that uses Microsoft Sentinel in a single workspace. You have recently onboarded 10 new business units, each with their own analytics rules and automation. The security team is overwhelmed by the number of low-fidelity incidents generated. You need to reduce noise without disabling critical detections. You must ensure that each business unit retains ownership of their incidents and can customize their own suppression rules. You also need centralized reporting on incident trends across all business units. You have identified that many low-fidelity alerts come from a common set of data sources. What should you do?

Question 273 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security analyst for a company that uses Microsoft Defender XDR. You receive a high-severity incident indicating that a user's device has been compromised with a remote access trojan (RAT). The incident is automatically generated by Microsoft Defender XDR. You need to contain the threat immediately while preserving forensic data. You also need to ensure that the user can continue working with minimal disruption. What should you do?

Question 274 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user account is created and then deleted within 24 hours, which could indicate a test account used for malicious purposes. The rule should only run on the SecurityEvent table. You have written the KQL query and now need to configure the rule settings. Which alert scheduling configuration should you set to minimize latency while ensuring that the rule catches the pattern?
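As an added example (not the question bank's own query), this is a way to write the create-then-delete detection over SecurityEvent. It pairs event 4720 (user account created) with 4726 (user account deleted) on the account SID rather than the account name, because a SID is unique to that account while a name can be reused later by a legitimate one. The window and lookback values are assumptions.

```kusto
// Added example: user account created (4720) and deleted (4726) within 24 hours.
let PairingWindow = 24h;
let Lookback = 2d;   // the rule's lookback must cover PairingWindow plus the run frequency
let Created =
    SecurityEvent
    | where TimeGenerated > ago(Lookback) and EventID == 4720
    | project CreatedTime = TimeGenerated, TargetSid, TargetUserName,
              CreatedBy = SubjectUserName, Computer;
let Deleted =
    SecurityEvent
    | where TimeGenerated > ago(Lookback) and EventID == 4726
    | project DeletedTime = TimeGenerated, TargetSid, DeletedBy = SubjectUserName;
Created
| join kind=inner Deleted on TargetSid
// keep only deletions that happened after the creation and inside the window
| where DeletedTime between (CreatedTime .. (CreatedTime + PairingWindow))
| extend Lifetime = DeletedTime - CreatedTime
| project CreatedTime, DeletedTime, Lifetime, TargetUserName, TargetSid,
          CreatedBy, DeletedBy, Computer
| order by Lifetime asc
```

Because the deletion can land up to 24 hours after the creation, a scheduled rule running every hour needs a lookback of at least 25 hours to see both halves of the pair; a lookback equal to the run frequency would only ever pair events that happened within the same hour.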

Question 275 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations analyst for a company that uses Microsoft Sentinel and Microsoft Defender for Cloud. You have configured the Microsoft Defender for Cloud connector to stream security alerts into Sentinel. However, you notice that some alerts from Defender for Cloud are not appearing in Sentinel. You have verified that the connector is enabled and the subscription is connected. The missing alerts are of the type 'Security misconfiguration' from Azure Policy. You need to ensure all alerts appear in Sentinel. What should you do?

Question 276 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations architect for a company that uses Microsoft Sentinel in a hybrid environment with multiple workspaces. The company has a central SOC team that needs to view incidents from all workspaces in a single pane of glass. Each workspace belongs to a different business unit and has its own retention and access policies. You need to design a solution that provides centralized incident management without duplicating data or requiring users to switch workspaces. You also need to ensure that the SOC team can perform actions on incidents across workspaces. What should you do?

Question 277 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security analyst for a company that uses Microsoft Defender for Office 365. You receive an incident indicating that a user reported a phishing email. You need to investigate the email and determine if it was delivered to other users. You also need to ensure that similar emails are blocked in the future. What should you do?

Question 278 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a workbook that displays the top 10 most common alert types over the last 7 days. The workbook will be used by the SOC manager to identify trends. You have already created a new workbook and added a query step. Which KQL query should you use in the query step?
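An added example of the workbook query step described above; it is not the question bank's answer text. It counts alert types in SecurityAlert over the last 7 days, but first collapses the table on SystemAlertId, because Sentinel writes a new SecurityAlert row each time an alert is updated and those duplicates would otherwise inflate the ranking of noisy, frequently updated alerts. The 7-day window is hard-coded here; in a real workbook you would substitute the TimeRange parameter.

```kusto
// Added example: top 10 alert types over the last 7 days, deduplicated per alert.
SecurityAlert
| where TimeGenerated > ago(7d)
// one row per alert: keep the latest version of each SystemAlertId
| summarize arg_max(TimeGenerated, AlertName, AlertSeverity, ProviderName) by SystemAlertId
| summarize AlertCount = count(), Severities = make_set(AlertSeverity) by AlertName, ProviderName
| top 10 by AlertCount desc
```

Grouping by ProviderName as well as AlertName keeps alerts with the same title from different products (for example Defender for Endpoint and Defender for Cloud) from being merged into one bar.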

Question 279 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are a security operations engineer for a company that uses Microsoft Defender XDR. You need to create a custom detection rule that alerts when a user performs more than 10 failed logon attempts within 5 minutes from different IP addresses. The rule should use the IdentityLogonEvents table. You have written the KQL query and now need to configure the rule settings in Microsoft 365 Defender. Which configuration should you use for the rule frequency and lookback period to minimize false positives while ensuring timely detection?
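As an added example, not from the question bank, the query below implements the detection that both Question 269 and Question 279 describe: more than 10 failed logons for one account from more than one IP address within 5 minutes, written against IdentityLogonEvents. It also keeps the Timestamp, ReportId and AccountUpn columns that a Defender XDR custom detection rule requires in its results so the rule can raise alerts and map the user entity. The lookback and thresholds are assumptions.

```kusto
// Added example: >10 failed logons from several IPs for one account in a 5-minute bucket.
IdentityLogonEvents
| where Timestamp > ago(1h)                 // assumed rule lookback; keep it longer than one bucket
| where ActionType == "LogonFailed"
| where isnotempty(AccountUpn) and isnotempty(IPAddress)
| summarize
    FailedAttempts = count(),
    DistinctIPs    = dcount(IPAddress),
    SourceIPs      = make_set(IPAddress, 20),
    Timestamp      = max(Timestamp),       // latest event in the bucket
    ReportId       = max(ReportId)         // any row's ReportId satisfies the custom detection schema
    by AccountUpn, Window = bin(Timestamp, 5m)
| where FailedAttempts > 10 and DistinctIPs > 1
| project Timestamp, ReportId, AccountUpn, Window, FailedAttempts, DistinctIPs, SourceIPs
```

`bin(Timestamp, 5m)` uses fixed buckets, so a burst that straddles a bucket boundary can be split and fall under the threshold; that is the usual trade-off for a cheap query, and a sliding window would need a self-join or the `scan` operator.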

Question 280 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Defender for Cloud are automatically ingested into Sentinel with the least latency. What should you configure?

Question 281 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. The rule does not trigger as expected for newly created incidents with High severity. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "SOC Automation",
    "description": "Playbook for automated incident response",
    "state": "Enabled",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/Incident",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          },
          {
            "property": "Status",
            "operator": "Equals",
            "value": "New"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "/subscriptions/sub-123/resourceGroups/rg-sentinel/providers/Microsoft.Logic/workflows/playbook-assign-incident"
      }
    ]
  }
}
```
Question 282 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your team uses Microsoft Defender XDR to manage incidents. You need to ensure that all incidents with a severity of 'High' are automatically assigned to a specific SOC analyst group. What should you configure?

Question 283 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with a hybrid environment including on-premises servers and Azure VMs. You notice that some Windows events from on-premises servers are not being collected in Sentinel. Log Analytics agent is installed on all servers. Other events are collected. What should you check first?

Question 284 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Office 365. You need to create a custom alert that triggers when users receive external emails with attachments from untrusted domains. What should you configure?

Question 285 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule is enabled but never runs. The playbook exists and is in the same resource group. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "Investigate Malware",
    "description": "Playbook to investigate malware alerts",
    "state": "Enabled",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/AlertRule",
        "conditions": [
          {
            "property": "AlertProvider",
            "operator": "Contains",
            "value": "Microsoft Defender for Endpoint"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "/subscriptions/sub-1/resourceGroups/rg-sentinel/providers/Microsoft.Logic/workflows/playbook-malware-investigation"
      }
    ]
  }
}
```
Question 286 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Cloud Apps. You need to receive alerts when a user accesses a cloud app from a location that is not whitelisted. What should you configure?

Question 287 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your SOC team uses Microsoft Sentinel incident management. You need to ensure that when an incident is created, it automatically runs a playbook to gather additional context from threat intelligence sources. What should you create?

Question 288 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Identity. You need to receive alerts when suspicious LDAP queries are detected. What should you configure?

Question 289 (hard, multi-select)
Read the full Manage a security operations environment explanation →

Which TWO actions are valid for automation rules in Microsoft Sentinel? (Choose two.)

Question 290 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Which THREE components are part of Microsoft Sentinel's SOAR capabilities? (Choose three.)

Question 291 (easy, multi-select)
Read the full Manage a security operations environment explanation →

Which TWO roles can be used to manage Microsoft Sentinel? (Choose two.)

Question 292 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel. The rule is enabled but does not assign incidents. What is the most likely issue?

Exhibit

```json
{
  "properties": {
    "displayName": "Incident Response Workflow",
    "description": "Automates incident response",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/Incident",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "Medium"
          },
          {
            "property": "Owner",
            "operator": "Equals",
            "value": "Unassigned"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "AssignIncident",
        "assignedTo": "soc-team@contoso.com"
      }
    ]
  }
}
```
Question 293 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to provide a SOC analyst with the ability to create and modify incident comments but not delete incidents. Which role should you assign?

Question 294 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR. You need to ensure that when a user reports a phishing email in Outlook, it automatically triggers an investigation in Microsoft Defender XDR. What should you configure?

Question 295 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with multiple workspaces. You need to ensure that incidents involving the same alert in different workspaces are automatically grouped into a single incident. What should you configure?

Question 296 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You are managing Microsoft Defender XDR. The security team reports that some automated investigations are closing prematurely without sufficient evidence. You need to ensure that investigations only close when a minimum confidence level is reached. What should you modify?

Question 297 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to ensure that an incident is automatically assigned to a specific analyst when it is created. What should you create?

Question 298 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

You have a Microsoft Sentinel automation rule that triggers a playbook. The playbook definition is shown in the exhibit. The playbook runs but no email is sent. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "DailyReport",
    "description": "Sends daily security report",
    "triggers": [
      {
        "type": "Recurrence",
        "recurrence": {
          "frequency": "Day",
          "interval": 1,
          "schedule": {
            "hours": [8],
            "minutes": [0]
          }
        }
      }
    ],
    "actions": [
      {
        "type": "SendEmail",
        "inputs": {
          "host": {
            "connectionName": "office365",
            "operationId": "SendEmailV2"
          },
          "parameters": {
            "to": "security@contoso.com",
            "subject": "Daily Security Report",
            "body": "Report generated."
          }
        }
      }
    ]
  }
}
```
Question 299 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security alerts from Defender for Cloud are automatically ingested into Sentinel. What should you configure?

Question 300 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a malware alert is generated, an automated investigation is triggered. What should you configure?

Question 301 (hard, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with Azure Policy. You need to ensure that new Log Analytics workspaces are automatically connected to Sentinel and configured with a standard set of data connectors. What should you use?

Question 302 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

You have a Microsoft Sentinel automation rule as shown in the exhibit. The rule triggers a playbook that blocks a user in Microsoft Entra ID. The rule is enabled but never fires. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block High-Risk User",
    "triggers": [
      {
        "type": "MicrosoftSentinelIncident",
        "incident": {
          "severity": "High",
          "status": "New"
        }
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbook": {
          "id": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/BlockUser"
        }
      }
    ]
  }
}
```
Question 303 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender for Office 365. You need to ensure that suspicious email messages are automatically moved to quarantine and an incident is raised in Microsoft Sentinel. What should you configure?

Question 304 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to ensure that incident response times are monitored and reported. Which TWO capabilities should you use?

Question 305 (hard, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR. You need to delegate incident management tasks to a team of analysts without granting full global admin permissions. Which THREE roles in Microsoft 365 Defender should you assign?

Question 306 (medium, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to automatically classify incidents based on MITRE ATT&CK techniques. Which THREE methods can be used to accomplish this?

Question 307 (hard, multi-select)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel with multiple workspaces. You need to create a unified incident queue across all workspaces. Which TWO solutions should you consider?

Question 308 (easy, multi-select)
Read the full Manage a security operations environment explanation →

You are managing Microsoft Defender for Cloud Apps. Which TWO actions can be performed using the Microsoft Defender XDR integration?

Question 309 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Sentinel. You need to ensure that an alert is created when a user accesses a sensitive SharePoint site from an unusual location. What should you create?

Question 310 (easy, multiple choice)
Read the full Manage a security operations environment explanation →

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. The security operations center (SOC) team frequently receives false positive alerts for a specific user login pattern from a legacy application. You need to reduce alert fatigue without disabling the underlying detection rule. What should you configure?

Question 311 (medium, multiple choice)
Read the full Manage a security operations environment explanation →

Your company is deploying Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. You need to ensure that SOC analysts can triage incidents across all tenants from a single workspace. What is the minimum configuration required?

Question 312 (hard, multiple choice)

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. An incident is generated from a Microsoft Defender for Identity alert about a suspicious Kerberos ticket request. The incident is assigned the 'Medium' severity. You want to automatically increase the severity to 'High' if the user is in a privileged role, based on data from Microsoft Entra ID. What is the most efficient way to achieve this?

Question 313 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You notice that a large number of log entries from Defender for Cloud Apps are being dropped at ingestion due to 'malformed data' errors. The data connector shows a healthy status. What is the most likely cause?

Question 314 (hard, multiple choice)

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. An incident is created from a Defender for Endpoint alert about a malware detection on a device. The incident has low priority, but you want to automatically isolate the device from the network if the alert is confirmed as a true positive by the SOC. What is the recommended approach?

Question 315 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Microsoft Defender XDR are synchronized to Microsoft Sentinel with the same status (e.g., 'Active', 'Resolved'). What should you configure?

Question 316 (hard, multiple choice)

Your SOC uses Microsoft Sentinel with multiple workspaces for different business units. You want to create a single dashboard that shows key performance indicators (KPIs) across all workspaces. Which approach minimizes complexity and query latency?

Question 317 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365 and Microsoft Sentinel. You discover that phishing emails are bypassing Defender for Office 365 and being reported by users. You need to ensure that user-reported emails are automatically analyzed and incidents are created in Sentinel for high-confidence phishing. What should you configure?

Question 318 (easy, multiple choice)

Your SOC team uses Microsoft Sentinel and Microsoft Defender XDR. A junior analyst creates a custom analytics rule in Sentinel that generates an excessive number of incidents. The rule appears to be running but not producing any results. What is the most likely cause?

Question 319 (medium, multi select)

Which TWO actions are valid ways to reduce the number of false positive incidents in Microsoft Sentinel without disabling analytics rules?

Question 320 (hard, multi select)

Which THREE are valid components of a Microsoft Sentinel automation rule?

Question 321 (easy, multi select)

Which TWO are supported data sources for Microsoft Sentinel?

Question 322 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that incidents created in Microsoft Defender XDR are automatically synchronized to Microsoft Sentinel with the least administrative effort. What should you configure?

Question 323 (hard, multiple choice)

You are reviewing an analytics rule configuration in Microsoft Sentinel using ARM template JSON. The rule is enabled and incident creation is set to true. However, when alerts are generated, they are not being grouped into a single incident. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities",
        "groupByEntities": [],
        "groupByAlertDetails": [],
        "groupByCustomDetails": []
      }
    },
    "alertRuleTemplateName": "Template101",
    "enabled": true,
    "displayName": "Test Rule"
  }
}
```

Question 324 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to ensure that only users with the appropriate permissions can run playbooks from within the incident investigation interface. What role should you assign to the security operations team?

Question 325 (hard, multiple choice)

Your company uses Microsoft Sentinel and has enabled the Microsoft Defender XDR connector. You notice that incidents from Microsoft Defender for Cloud Apps are not appearing in Microsoft Sentinel. All other Defender XDR incidents appear correctly. What is the most likely cause?

Question 326 (medium, multiple choice)

Your organization is using Microsoft Sentinel and you are responsible for managing the security operations environment. You need to ensure that a new security analyst can triage incidents but cannot modify analytics rules. Which role should you assign?

Question 327 (hard, multiple choice)

Your organization uses Microsoft Defender XDR. You need to configure a custom detection rule that runs every hour and alerts when a specific process is executed on multiple devices within 10 minutes. Which type of rule should you create?

Question 328 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to ensure that an incident is automatically assigned to the appropriate team based on the type of alert. What should you configure?

Question 329 (medium, multiple choice)

You are reviewing a KQL query used in a Microsoft Sentinel analytics rule. The query is intended to alert when there are more than 5 alerts of the same name for the same entity type within the last hour. However, the rule is not triggering as expected. What is the most likely issue?

Exhibit

Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(1h)
| summarize AlertCount = count() by AlertName, tostring(parse_json(Entities)[0].Type)
| where AlertCount > 5
```

Question 330 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You need to ensure that anomalous behavior alerts from Defender for Cloud Apps are automatically converted to incidents in Sentinel. What should you configure?

Question 331 (medium, multi select)

Which TWO actions can be performed using automation rules in Microsoft Sentinel?

Question 332 (hard, multi select)

Which THREE of the following are valid ways to ingest logs into Microsoft Sentinel?

Question 333 (medium, multi select)

Which TWO roles are included in Microsoft Sentinel built-in roles? (Choose two.)

Question 334 (hard, multi select)

Which THREE of the following are features of Microsoft Defender XDR that help manage a security operations environment?

Question 335 (hard, multiple choice)

You are the security operations analyst for a large enterprise that uses Microsoft Sentinel and Microsoft Defender XDR. The environment includes:

- 10,000 Windows 11 devices managed by Microsoft Intune
- 5,000 macOS devices managed by Jamf Pro
- 2,000 Linux servers running Ubuntu 22.04
- Microsoft 365 E5 licenses for all users
- Microsoft Sentinel in the East US region
- Microsoft Defender for Cloud Apps enabled
- Microsoft Defender for Identity deployed
- Microsoft Defender for Office 365 configured

You need to design a solution to meet the following requirements:

1. Ingest security events from all devices (Windows, macOS, Linux) into Microsoft Sentinel.
2. Ensure that all alerts from Microsoft Defender XDR components (including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps) are automatically correlated into incidents in Microsoft Sentinel.
3. Minimize latency between alert generation in Defender XDR and incident creation in Sentinel.
4. Use the least amount of administrative overhead.

What should you implement?

Question 336 (easy, multiple choice)

You are deploying an ARM template to create a saved search in a Log Analytics workspace. The template fails with an error that the resource type is not valid for Microsoft Sentinel. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2021-06-01",
      "name": "[concat(parameters('workspaceName'), '/MyRule')]",
      "properties": {
        "displayName": "My Rule",
        "category": "Security",
        "query": "SecurityEvent | where EventID == 4625",
        "tags": []
      }
    }
  ]
}
```

Question 337 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to ensure that an Azure function app can send custom logs to a Log Analytics workspace. What should you configure?

Question 338 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud. You need to recommend a solution to automatically remediate misconfigurations in Azure VMs without manual intervention. What should you use?

Question 339 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has multiple workspaces for different business units. You need to enable cross-workspace querying for the security operations center (SOC) analysts. What should you do?

Question 340 (medium, multiple choice)

Your organization uses Microsoft Defender XDR. You need to ensure that alerts from Microsoft Defender for Identity are automatically correlated with alerts from Microsoft Defender for Endpoint in the unified incidents queue. What should you verify?

Question 341 (easy, multiple choice)

Your organization uses Microsoft Sentinel. An analyst reports that a scheduled analytics rule is not firing. You verify that the rule is enabled and the query returns results when run manually. What is the most likely cause?

Question 342 (hard, multiple choice)

Your organization uses Microsoft Sentinel with UEBA enabled. You need to identify anomalous user behavior that indicates a potential compromise. Which entity behavior analytics feature should you use?

Question 343 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from a specific app for users outside the corporate network. What should you configure?

Question 344 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate SOC tier based on severity. What should you create?

Question 345 (hard, multiple choice)

Your organization uses Microsoft Sentinel with multiple watchlists. You need to create a KQL query that joins log data with a watchlist to enrich alerts. Which KQL operator should you use?

Question 346 (medium, multi select)

Which TWO actions are part of managing a security operations environment in Microsoft Sentinel? (Select two.)

Question 347 (easy, multi select)

Which THREE components are part of Microsoft Defender XDR? (Select three.)

Question 348 (hard, multi select)

Which TWO features in Microsoft Sentinel can help reduce alert fatigue by grouping related alerts into incidents? (Select two.)

Question 349 (medium, multiple choice)

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident is created?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block malicious IPs",
    "description": "Automatically block IPs from threat intelligence.",
    "triggers": [
      {
        "type": "IncidentCreated"
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookResourceId": "/subscriptions/sub-id/resourceGroups/rg/providers/Microsoft.Logic/workflows/BlockIPPlaybook"
      }
    ]
  }
}
```

Question 350 (hard, multiple choice)

Refer to the exhibit. You run a PowerShell command to retrieve incidents from Microsoft Sentinel. How many active incidents are there?

Exhibit

Refer to the exhibit.

PowerShell output:

```powershell
PS C:\> Get-AzSentinelIncident -ResourceGroupName MyRG -WorkspaceName MyWorkspace | Select-Object -Property IncidentNumber, Status, Severity

IncidentNumber Status    Severity
-------------- ------    --------
1001           Active    High
1002           Closed    Medium
1003           Active    Low
1004           New       High
```

Question 351 (easy, multiple choice)

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the purpose of the query?

Exhibit

Refer to the exhibit.

KQL query:

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize TotalAlerts = count() by AlertSeverity
| order by AlertSeverity desc
```

Question 352 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A security analyst reports that incidents related to ransomware are not being automatically triaged by the SOC automation playbook. You confirm that the playbook is enabled and connected to the analytics rule. What is the most likely cause of the issue?

Question 353 (hard, multiple choice)

You are designing a Microsoft Sentinel deployment for a multinational organization that must comply with GDPR and local data residency requirements. They have offices in the US, EU, and Asia. They want to use a single Microsoft Sentinel workspace for global visibility but need to ensure that data from EU sources remains within the EU. What is the best approach to meet these requirements?

Question 354 (easy, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. They want to automatically block a user's account when a high-severity incident is created. Which automation action should you use in a playbook?

Question 355 (medium, multiple choice)

Your Microsoft Sentinel workspace is ingesting logs from multiple sources. You notice that the data ingestion cost is higher than expected. You want to reduce costs without losing security value. Which action should you take?

Question 356 (hard, multiple choice)

Your organization uses the Microsoft Defender XDR incident queue. You want to automatically assign incidents related to a specific campaign to a dedicated SOC group. What should you create?

Question 357 (easy, multiple choice)

You are configuring Microsoft Sentinel to send email notifications to the SOC manager when a high-severity incident is created. What should you use?

Question 358 (medium, multiple choice)

Your SOC team uses Microsoft Defender XDR. You want to ensure that all incidents are automatically classified and given a determination by the built-in AI before any manual review. What should you configure?

Question 359 (hard, multiple choice)

Your organization uses Microsoft Sentinel. You need to ensure that only specific IP addresses from your corporate network can access the Sentinel workspace via the Azure portal. What should you configure?

Question 360 (easy, multiple choice)

You are managing a Microsoft Sentinel environment. An analyst reports that a scheduled analytics rule is not generating alerts. The rule has been enabled for a week. What is the most likely cause?

Question 361 (medium, multi select)

Which TWO of the following are valid methods to reduce Microsoft Sentinel data ingestion costs?

Question 362 (hard, multi select)

Which THREE of the following are capabilities of Microsoft Copilot for Security?

Question 363 (easy, multi select)

Which TWO of the following are required to enable Microsoft Sentinel UEBA (User and Entity Behavior Analytics)?

Question 364 (hard, multiple choice)

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. An analyst reports that low-severity incidents are not being closed automatically. The rule is enabled and has the highest order. What is the most likely reason?

Exhibit

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01-preview",
  "name": "Auto-Close Low Severity",
  "properties": {
    "displayName": "Auto-Close Low Severity Incidents",
    "order": 1,
    "triggeringLogic": {
      "conditions": [
        {
          "conditionProperties": {
            "propertyName": "Severity",
            "operator": "Equals",
            "propertyValues": ["Low"]
          },
          "conditionType": "Property"
        }
      ],
      "triggersOn": "Incidents",
      "triggersWhen": "Created"
    },
    "actions": [
      {
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "status": "Closed",
          "classification": "TruePositive",
          "classificationComment": "Auto-closed due to low severity."
        }
      }
    ]
  }
}
```

Question 365 (medium, multiple choice)

Refer to the exhibit. You are using this KQL query in a Microsoft Sentinel scheduled analytics rule to detect brute-force attacks. The rule has been running for a week but has never triggered an alert. What is the most likely reason?

Exhibit

```kusto
SecurityEvent
| where EventID == 4625
| where TimeGenerated > ago(24h)
| summarize Count = count() by Account
| where Count > 10
```

Question 366 (easy, multiple choice)

Refer to the exhibit. You have a Microsoft Sentinel playbook created as shown. When you test the playbook manually, it sends an email successfully. However, when an incident triggers the playbook via an automation rule, the email is not sent. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "Incident Response Playbook",
    "trigger": {
      "type": "HttpTrigger",
      "kind": "Default"
    },
    "definitions": {
      "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/workflows/definitions/2019-01-01-preview/schema.json",
      "actions": {
        "Send_email": {
          "type": "ApiConnection",
          "inputs": {
            "host": {
              "connectionName": "office365"
            },
            "method": "post",
            "path": "/v2/Mail"
          }
        }
      }
    }
  }
}
```

Question 367 (easy, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to ensure that alerts from Defender for Cloud Apps are forwarded to Microsoft Sentinel. Which connector should you use in Sentinel?

Question 368 (medium, multiple choice)

Your SOC team uses Microsoft Sentinel. You receive a high volume of false positive incidents from a specific analytics rule. The rule uses a scheduled query that runs every 5 minutes. What is the most efficient way to reduce false positives without disabling the rule?

Question 369 (hard, multiple choice)

You are configuring Microsoft Sentinel to use automation rules for incident response. You need to ensure that when an incident is created with a severity of High, a playbook is triggered to isolate the affected device. However, the playbook should not run if the incident is created by a specific analytics rule (RuleID: '12345'). What is the best way to implement this?

Question 370 (medium, multiple choice)

Your organization has Microsoft Defender for Office 365. You need to review a user's reported phishing email in Microsoft Defender XDR. Which section of the Microsoft Defender portal should you check?

Question 371 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has a large number of incidents daily. You need to automatically assign incidents to the correct SOC tier based on severity: Low severity to Tier 1, Medium to Tier 2, High and Critical to Tier 3. Which approach should you use?

Question 372 (easy, multiple choice)

You are a SOC analyst using Microsoft Sentinel. You receive an incident with high severity. You need to quickly gather additional context about the affected user account, including recent sign-in logs and role assignments. Which feature should you use?

Question 373 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You notice that MDI alerts are not appearing in Sentinel. You have already installed the MDI data connector and configured the workspace. What is the most likely cause?

Question 374 (hard, multiple choice)

You are designing a Microsoft Sentinel deployment. You need to minimize ingestion costs while ensuring that all security-relevant events are collected. Which strategy should you use?

Question 375 (medium, multiple choice)

Your SOC uses Microsoft Defender XDR. You need to create a custom detection rule that triggers when a specific process is executed on multiple devices within an hour. Which feature should you use?

Question 376 (easy, multi select)

Which TWO actions can you perform in the Microsoft Defender XDR unified alert queue? (Select TWO.)

Question 377 (medium, multi select)

Which THREE components are part of the Microsoft Sentinel SOAR capabilities? (Select THREE.)

Question 378 (hard, multi select)

Which TWO are valid methods to ingest logs into Microsoft Sentinel from a non-Azure virtual machine? (Select TWO.)

Question 379 (easy, multiple choice)

Refer to the exhibit. You are viewing an incident in Microsoft Sentinel via the API. The incident is missing an owner. Which automation rule action would assign this incident to the SOC manager?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Malware detected on endpoint",
    "description": "This incident indicates malware was detected on an endpoint.",
    "severity": "High",
    "status": "New",
    "owner": {
      "assignedTo": null,
      "email": null
    },
    "labels": ["Malware", "Endpoint"],
    "firstActivityTimeUtc": "2024-01-15T10:00:00Z",
    "lastActivityTimeUtc": "2024-01-15T10:30:00Z"
  }
}
```

Question 380 (medium, multiple choice)

Refer to the exhibit. You are reviewing a KQL query used in a Microsoft Sentinel scheduled analytics rule. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Suspicious process execution"
| extend Entities = parse_json(Entities)
| mv-expand Entities
| where Entities.Type == "account"
| project AccountUpn = Entities.Upn, AlertName, TimeGenerated
| summarize Count = count() by AccountUpn
| where Count > 5
```

Question 381 (hard, multiple choice)

Refer to the exhibit. You are deploying an Azure Resource Manager (ARM) template to create a saved search in Microsoft Sentinel. However, the template does not create an analytics rule. What is missing to turn this saved search into a scheduled analytics rule?

Exhibit

Refer to the exhibit.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/', parameters('ruleName'))]",
      "properties": {
        "category": "Security",
        "displayName": "[parameters('ruleName')]",
        "query": "SecurityEvent | where EventID == 4688 | where ProcessName endswith '\\powershell.exe'",
        "tags": [
          { "name": "AlertSeverity", "value": "Medium" }
        ]
      }
    }
  ]
}
```

Question 382 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents generated by Microsoft Defender for Cloud are automatically assigned to the security operations team. What should you configure in Microsoft Sentinel?

Question 383 (hard, multi select)

Your Microsoft Sentinel workspace ingests logs from multiple regions. You need to reduce data ingestion costs while ensuring that all security events are retained for at least one year for compliance. Which two actions should you take? (Choose two.)

Question 384 (easy, multiple choice)

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What is the effect of this rule?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "SOC Automation Rule",
    "order": 1,
    "triggeringLogic": {
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "property": "Status",
          "operator": "Equals",
          "value": "New"
        }
      ]
    },
    "actions": [
      {
        "actionType": "ChangeStatus",
        "status": "Active"
      }
    ]
  }
}
```

Question 385 (hard, multiple choice)

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to configure a solution that automatically blocks a user's account when a high-severity incident is generated. The solution must use built-in capabilities without custom code. What should you do?

Question 386 (medium, multiple choice)

You are a security analyst. You notice that Microsoft Sentinel is not receiving logs from Microsoft 365 Defender incidents. The diagnostic settings in Microsoft 365 Defender are configured to send data to the Sentinel workspace. What should you check first?

Question 387 (hard, multiple choice)

Refer to the exhibit. You are deploying this ARM template to create a saved search in Microsoft Sentinel. What is the purpose of this saved search?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
  "apiVersion": "2021-06-01",
  "name": "[concat(parameters('workspaceName'), '/MaliciousIPDetection')]",
  "properties": {
    "category": "Security",
    "displayName": "Malicious IP Detection",
    "query": "Heartbeat | where TimeGenerated > ago(1d) | summarize Count=count() by Computer | where Count > 100"
  }
}
```

Question 388 (easy, multiple choice)

Your organization uses Microsoft Defender XDR. You need to ensure that incidents are automatically classified as 'True positive' when a specific indicator of compromise (IOC) is detected. What should you configure?

Question 389 (medium, multiple choice)

You are managing a Microsoft Sentinel environment. You need to ensure that only security analysts with specific roles can modify automation rules. The solution must use least privilege. What should you do?

Question 390 (hard, multiple choice)

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to ingest security logs from Azure resources in the West Europe region. The solution must minimize data transfer costs. What should you configure?

Question 391 (medium, multi select)

You need to configure Microsoft Sentinel to comply with a regulatory requirement that all security incidents must be retained for 7 years. Which TWO actions should you take?

Question 392 (hard, multi select)

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a user reports a phishing email in Microsoft 365 Defender, the incident in Microsoft Sentinel is automatically updated with the user's comments. Which THREE components are required?

Question 393 (easy, multi select)

You are configuring Microsoft Sentinel to use Microsoft Copilot for Security. Which TWO prerequisites must be met?

Question 394 (medium, multiple choice)

Refer to the exhibit. You run this PowerShell script. What is the effect on the SecurityEvent table in the SOC-Workspace Log Analytics workspace?

Exhibit

Refer to the exhibit.
```powershell
$table = Get-AzOperationalInsightsTable -ResourceGroupName 'SOC-RG' -WorkspaceName 'SOC-Workspace' | Where-Object {$_.Name -eq 'SecurityEvent'}
$table.RetentionInDays = 365
$table.TotalRetentionInDays = 730
Set-AzOperationalInsightsTable -ResourceGroupName 'SOC-RG' -WorkspaceName 'SOC-Workspace' -Table $table
```
Question 395 (hard, multiple choice)

Your organization uses Microsoft Sentinel with multiple workspaces across different regions. You need to centrally manage all security incidents from a single pane of glass. The solution must allow analysts to investigate incidents across workspaces without switching contexts. What should you configure?

Question 396 (easy, multiple choice)

A junior security analyst reports that they cannot create a new analytics rule in Microsoft Sentinel. They have the 'Microsoft Sentinel Contributor' role on the workspace. What could be the issue?

Question 397 (medium, multiple choice)

You are a SOC analyst investigating a high-severity incident. The incident involves a user who received a phishing email and clicked a link. Microsoft Defender for Office 365 detected the email as phishing and blocked the URL at time of click, but a follow-up investigation reveals that the user's mailbox has suspicious forwarding rules. You need to ensure that similar incidents are automatically remediated in the future. What should you configure in Microsoft Sentinel?

Question 398 (hard, multiple choice)

You are a security analyst for a company that uses Azure Firewall. You are reviewing a custom rule deployed via Azure Firewall Manager. The exhibit shows the rule configuration. The rule is intended to block inbound traffic from known Tor exit nodes. However, a recent incident involved an attacker using a Tor exit node with IP 138.197.5.5 to access an internal web server on port 8080. The log shows the traffic was ALLOWED. What is the most likely reason the rule did not block the traffic?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block Tor IPs",
    "description": "Blocks traffic from known Tor exit nodes.",
    "ruleType": "Prevention",
    "action": "Block",
    "priority": 100,
    "sourceAddress": ["138.197.0.0/16", "104.131.0.0/16"],
    "destinationAddress": ["*"],
    "sourcePorts": ["*"],
    "destinationPorts": ["443", "80"],
    "protocol": "TCP",
    "direction": "Inbound"
  }
}
```
Question 399 (easy, multi select)

Your organization uses Microsoft Sentinel as the primary SIEM. The SOC team reports that many low-severity incidents are overwhelming the queue. You need to reduce noise while ensuring that high-severity incidents are not missed. Which two actions should you take? (Choose two.)

Question 400 (hard, multiple choice)

The exhibit shows a KQL query used in a Microsoft 365 Defender custom detection rule. The query is intended to detect encoded PowerShell commands executed in the last hour. However, the detection rule is not generating any alerts even though the SOC knows that encoded PowerShell commands are being executed. Which modification would most likely fix the detection rule?

Exhibit

Refer to the exhibit.

```kusto
DeviceProcessEvents
| where Timestamp >= ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-e" 
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
Question 401 (easy, multiple choice)

Your organization is planning to deploy Microsoft Sentinel. You need to ensure that security events from on-premises servers are sent to Sentinel. Which connector should you use?

Question 402 (medium, multiple choice)

You are a SOC analyst using Microsoft Defender XDR. You notice that a user's account has been compromised and is being used to send phishing emails. You need to prevent the user from sending any more emails while preserving the ability to receive emails for investigation. What should you do?

Question 403 (hard, multiple choice)

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that escalates incidents to ServiceNow. Due to compliance requirements, all data must remain in the West Europe region. You need to ensure that the playbook execution and any data it processes stay within West Europe. What should you do?

Question 404 (easy, multiple choice)

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). Which of the following connectors should you use to collect sign-in logs and audit logs?

Question 405 (medium, multiple choice)

You are a SOC analyst investigating an incident where a user's credentials were used to access a sensitive SharePoint site from an unusual location. Microsoft Defender for Cloud Apps detected the activity as a suspicious sign-in. You need to create a detection rule that alerts whenever a user accesses SharePoint from a location not in the allowed list. What type of rule should you create in Microsoft Defender for Cloud Apps?

Question 406 (medium, multiple choice)

The exhibit shows a Conditional Access policy configuration in Microsoft Entra ID. The policy is intended to require MFA and a compliant device for all users accessing all applications from trusted locations. However, users report that they are being prompted for MFA even when accessing from the office (which is a trusted location). What is the most likely issue?

Exhibit

Refer to the exhibit.

```json
{
  "name": "IT-AAD-001",
  "assignments": [
    {
      "group": "All Users",
      "exclude": ["Emergency Break-Glass Accounts"]
    }
  ],
  "conditions": {
    "applications": ["All applications"],
    "users": ["All users"],
    "locations": {
      "include": ["All trusted locations"],
      "exclude": ["All untrusted locations"]
    }
  },
  "grantControls": {
    "builtInControls": ["mfa", "requireCompliantDevice"]
  }
}
```
Question 407 (hard, multiple choice)

Your organization uses Microsoft Sentinel with User and Entity Behavior Analytics (UEBA) enabled. You notice that the UEBA is not generating any anomalies for a particular user who has been inactive for 30 days. You have verified that the user's data is being ingested into the workspace. What is the most likely reason?

Question 408 (medium, multiple choice)

You are a SOC analyst using Microsoft Defender for Endpoint. You need to investigate a device that is suspected of being compromised. You want to collect a memory dump for offline analysis. Which action should you take from the Microsoft Defender XDR portal?

Question 409 (easy, multiple choice)

Your organization wants to use Microsoft Sentinel's built-in threat intelligence feeds to enrich alerts. Which data connector should you enable?

Question 410 (hard, multiple choice)

The exhibit shows a KQL query used in a Microsoft Sentinel analytics rule. The rule is intended to detect brute-force attacks by identifying IP addresses that have more than 10 failed sign-ins (result code 50057) followed by a successful sign-in (result code 0) within an hour. However, the rule is not triggering alerts even though you are confident such patterns exist. What is the most likely issue?

Exhibit

Refer to the exhibit.

```kusto
let TimeWindow = 1h;
let Threshold = 10;
SigninLogs
| where TimeGenerated >= ago(TimeWindow)
| where ResultType == "50057"
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > Threshold
| join kind=inner (
    SigninLogs
    | where TimeGenerated >= ago(TimeWindow)
    | where ResultType == "0"
    | summarize SuccessfulSignIns = count() by UserPrincipalName, IPAddress
) on UserPrincipalName, IPAddress
| project UserPrincipalName, IPAddress, FailedAttempts, SuccessfulSignIns
```
Question 411 (medium, multiple choice)

You are configuring a Microsoft Sentinel workbook to display incident metrics. You want to show the average time to triage incidents over the last 30 days. Which data source should you use?

Question 412 (easy, multiple choice)

Your organization uses Microsoft Sentinel to manage security incidents. The security team wants to automatically assign incidents to the appropriate analyst based on the incident’s severity and category. Which feature should you configure?

Question 413 (medium, multiple choice)

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. The security team wants to receive alerts when a user's activity from an anonymous IP address exceeds a certain risk score. What should you configure in Defender for Cloud Apps?

Question 414 (hard, multiple choice)

Your organization uses Microsoft Defender XDR for threat detection and response. The security team wants to automatically isolate a compromised device when a specific malware alert is triggered, but only if the device is not a critical server. What is the most efficient way to achieve this?

Question 415 (easy, multiple choice)

Your organization uses Microsoft Sentinel and wants to ensure that all incident-related data is retained for at least 90 days for compliance purposes. Which configuration should you check?

Question 416 (medium, multiple choice)

Your organization is using Microsoft Defender for Identity (MDI) and Microsoft Sentinel. The security team wants to correlate alerts from MDI with other data sources in Sentinel. What is the recommended approach?

Question 417 (hard, multiple choice)

Your organization has Microsoft Sentinel deployed across multiple workspaces for different business units. The security team wants to view a unified incident queue across all workspaces. What should you implement?

Question 418 (easy, multiple choice)

Your organization uses Microsoft Sentinel to manage security incidents. The security team wants to automatically close low-severity incidents after 24 hours if no activity has occurred. Which feature should you use?

Question 419 (medium, multiple choice)

Your organization is using Microsoft Defender for Cloud Apps to protect cloud applications. The security team wants to be alerted when a user shares a sensitive file with an external user. What should you configure?

Question 420 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has multiple workspaces for different regions. The security team wants to use a single workbook to display data from all workspaces. What is the correct approach?

Question 421 (easy, multi select)

Which TWO of the following are valid data connectors in Microsoft Sentinel? (Select two.)

Question 422 (medium, multi select)

Which TWO of the following are valid actions that can be performed by an automation rule in Microsoft Sentinel? (Select two.)

Question 423 (hard, multi select)

Which THREE of the following are valid components of Microsoft Defender XDR? (Select three.)

Question 424 (easy, multiple choice)

You are reviewing the automation rule configuration shown in the exhibit. What is the purpose of this rule?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Malware Alert Auto-Isolate",
    "triggers": [
      {
        "type": "Incident",
        "conditions": [
          {
            "condition": "AlertTitle",
            "operator": "Contains",
            "value": "Malware"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookName": "IsolateDevice"
      }
    ]
  }
}
```
Question 425 (medium, multiple choice)

You are reviewing the KQL query shown in the exhibit. What is the purpose of this query?

Exhibit

Refer to the exhibit.
```kusto
SecurityAlert
| where AlertSeverity == "High"
| where TimeGenerated > ago(24h)
| summarize AlertCount = count() by AlertName
| where AlertCount > 10
| project AlertName, AlertCount
```
Question 426 (hard, multiple choice)

You are reviewing the ARM template snippet shown in the exhibit. What is the purpose of this template?

Exhibit

Refer to the exhibit.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/SampleSavedSearch')]",
      "properties": {
        "displayName": "Sample Saved Search",
        "category": "Security",
        "query": "SecurityEvent | where EventID == 4625 | where TimeGenerated > ago(1h)",
        "tags": []
      }
    }
  ]
}
```
Question 427 (easy, multiple choice)

Your security team needs to assign a custom role in Microsoft Sentinel that allows read and write access to incidents but not to analytics rules. Which built-in role should you use as a base for the custom role?

Question 428 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You need to ensure that security alerts from on-premises servers are sent to Microsoft Sentinel. What should you configure?

Question 429 (hard, multiple choice)

Your Microsoft Defender XDR environment is experiencing high false positive rates for a specific type of alert. You need to reduce the noise without completely disabling the alert. What is the most effective method?

Question 430 (easy, multiple choice)

Your security operations center (SOC) uses Microsoft Sentinel. Analysts need to collaborate on incidents by adding comments and changing severity. Which feature should they use?

Question 431 (medium, multiple choice)

Your organization has Microsoft Defender for Office 365 enabled. Users report that phishing emails are being delivered to their inboxes. You need to improve the filtering. What should you do first?

Question 432 (hard, multi select)

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You notice that the cost is higher than expected. You need to reduce costs without losing critical security data. Which two actions should you take? (Choose two.)

Question 433 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint in 5 minutes. What type of policy should you create?

Question 434 (hard, multiple choice)

Your SOC team uses Microsoft Sentinel's UEBA to detect insider threats. You want to ensure that UEBA can correlate activities across multiple data sources. Which data source must be enabled for UEBA to function properly?

Question 435 (easy, multiple choice)

Your organization is implementing Microsoft Sentinel. You need to ensure that security events from AWS CloudTrail are collected. What should you configure?

Question 436 (medium, multi select)

Which THREE actions are recommended practices for managing Microsoft Sentinel costs?

Question 437 (hard, multi select)

Which TWO permissions are required to create and manage automation rules in Microsoft Sentinel?

Question 438 (easy, multi select)

Which TWO data connectors are available in Microsoft Sentinel to ingest data from Microsoft 365 services?

Question 439 (hard, multiple choice)

Refer to the exhibit. You create an automation rule in Microsoft Sentinel using the ARM template snippet shown. However, the rule does not trigger when a high-severity incident is created. What is the most likely cause?

Exhibit

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "properties": {
    "displayName": "High Severity Incident Response",
    "order": 1,
    "triggeringLogic": {
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "operator": "Equals",
          "property": "Severity",
          "value": "High"
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "actionConfiguration": {
          "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/Playbook1"
        }
      }
    ]
  }
}
```
Question 440 (medium, multiple choice)

Refer to the exhibit. A SOC analyst runs the KQL query in Microsoft Sentinel to identify the top 10 alert names by count. They notice the results include alerts with low severity that are not relevant. What should they add to the query to focus on high-severity alerts only?

Exhibit

```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| summarize AlertCount = count() by AlertName, Severity
| order by AlertCount desc
| take 10
```
Question 441 (medium, multiple choice)

Refer to the exhibit. You are configuring the Windows Security Events via AMA connector in Microsoft Sentinel using an ARM template. After deployment, you notice that no Windows events are being ingested. The Azure Monitor Agent (AMA) is installed on the Windows servers. What is the most likely issue?

Exhibit

```json
{
  "properties": {
    "enabled": true,
    "dataTypes": {
      "WindowsEvent": { "state": "Enabled" },
      "SecurityEvent": { "state": "Enabled" }
    },
    "workspaceId": "<workspace-id>"
  }
}
```
Question 442 (medium, multiple choice)

Your organization uses Microsoft Sentinel and has enabled UEBA. You notice that many low-severity incidents are being created from high-volume informational alerts. You want to reduce noise without disabling data connectors. What should you do?

Question 443 (easy, multiple choice)

You are a security operations analyst. You need to ensure that when a suspicious sign-in is detected by Microsoft Entra ID Protection, an incident is automatically created in Microsoft Sentinel and assigned to the Tier 1 SOC team. What should you configure in Microsoft Sentinel?

Question 444 (hard, multiple choice)

Your organization has deployed Microsoft Defender XDR and Microsoft Sentinel in a hybrid environment. You need to ensure that incidents from Microsoft Defender for Endpoint are synchronized to Microsoft Sentinel with full alert details. You have already connected the Microsoft Defender XDR connector. What additional step must you take?

Question 445 (medium, multiple choice)

A security incident in Microsoft Sentinel has been classified as a true positive and remediated. According to your SOC playbook, the incident should be closed with a classification of 'True Positive' and a sub-classification of 'Confirmed activity'. What is the correct way to close the incident in Microsoft Sentinel?

Question 446 (hard, multiple choice)

Your SOC team uses Microsoft Sentinel and Microsoft Defender XDR. You have configured automated responses using playbooks. However, some playbooks fail to execute when triggered from Microsoft Defender XDR incidents. You need to ensure that the playbooks run successfully. What should you verify?

Question 447 (medium, multiple choice)

Your organization has a Microsoft Sentinel workspace that ingests logs from multiple sources. You need to implement a process to review and approve changes to analytics rules before they are deployed to production. What should you use?

Question 448 (easy, multiple choice)

Your SOC team receives a high-priority incident related to a potential malware outbreak. You need to quickly identify all affected devices and users across the environment. What Microsoft Defender XDR feature should you use?

Question 449 (hard, multiple choice)

You have a Microsoft Sentinel workspace that uses Customer-Managed Keys (CMK). A security audit requires that all data at rest be encrypted with the CMK. You recently onboarded a new data connector that sends logs to a Log Analytics workspace in a different region. You need to ensure the new workspace uses CMK. What should you do?

Question 450 (medium, multiple choice)

Your organization uses Microsoft Sentinel and has deployed multiple analytics rules. You need to evaluate the effectiveness of these rules by identifying which rules generate the most incidents and have the highest false positive rate. What should you use?

Question 451 (medium, multi select)

Which TWO actions should you take to ensure that Microsoft Sentinel can detect and respond to threats across your multicloud environment, including AWS and GCP?

Question 452 (easy, multi select)

Which THREE are valid incident classification options in Microsoft Sentinel?

Question 453 (hard, multi select)

Which TWO steps are necessary to configure Microsoft Sentinel to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created?

Question 454 (easy, multiple choice)

You are reviewing an automation rule ARM template for Microsoft Sentinel. What is the result of deploying this automation rule?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "Auto-assign critical incidents",
    "order": 1,
    "triggeringLogic": {
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "property": "Severity",
          "operator": "Equals",
          "value": "High"
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "ModifyProperties",
        "actionConfiguration": {
          "severity": "Medium",
          "owner": {
            "assignedTo": "SOC-Tier2"
          }
        }
      }
    ]
  }
}
```
Question 455 (hard, multiple choice)

You run the KQL query shown in the exhibit in Microsoft Sentinel. The query returns no results. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
SecurityAlert
| where AlertName has "Malware"
| summarize count() by AlertSeverity
| project AlertSeverity, Count
```
Question 456 (medium, multiple choice)

You are reviewing a PowerShell script used for automated response on a Windows 10 device managed by Microsoft Defender for Endpoint. What is the intended outcome of this script?

Exhibit

Refer to the exhibit.

```powershell
$alert = Get-MpThreatDetection | Where-Object {$_.ThreatName -like "*Trojan*"}
if ($alert) {
    Start-MpScan -ScanType QuickScan
}
```
Question 457 (medium, multiple choice)

You are a security operations analyst at a company that uses Microsoft Sentinel. You need to ensure that all incidents generated from Microsoft Defender for Cloud Apps are automatically assigned to the same SOC team. The team uses Microsoft Teams to collaborate. Which configuration should you implement?

Question 458 (hard, multiple choice)

Your organization uses Microsoft Defender XDR. You need to ensure that when a user reports a phishing email using the built-in Outlook add-in, the incident is automatically created in Microsoft Sentinel with high severity and a custom tag 'Phishing-Reported'. What is the most efficient way to achieve this?

Question 459 (easy, multiple choice)

Your team uses Microsoft Sentinel to monitor multiple Azure subscriptions. You need to grant a junior analyst the ability to view incidents and run playbooks, but not modify analytics rules or data connectors. Which built-in role should you assign?

Question 460 (easy, multiple choice)

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. After configuring the data connector, you notice that no logs are appearing. You verify that the firewall is sending logs to the Syslog collector. What is the most likely cause?

Question 461 (hard, multiple choice)

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to ensure that any new Azure subscription automatically has Microsoft Defender for Cloud enabled with the 'Defender for Cloud (CSPM)' plan active. What should you do?

Question 462 (medium, multiple choice)

Your SOC team uses Microsoft Sentinel to manage incidents. You want to categorize incidents based on the MITRE ATT&CK technique. You notice that some incidents are not being tagged with the correct technique. What should you check first?

Question 463 (easy, multiple choice)

Your organization uses Microsoft Purview Data Loss Prevention (DLP) policies. You need to investigate an incident where sensitive data was shared externally. You want to view the details in Microsoft Sentinel. What should you ensure is configured?

Question 464 (medium, multiple choice)

You are configuring a Microsoft Sentinel analytics rule to detect brute-force attacks on your Azure Virtual Machines. The rule uses the 'SecurityEvent' table. You notice that the rule is not generating incidents even though you see failed logon events in the logs. What should you check?

Question 465 (medium, multi select)

Which TWO of the following are valid methods to ingest custom logs into Microsoft Sentinel? (Choose two.)

Question 466 (hard, multi select)

Which THREE of the following are capabilities of Microsoft Defender XDR's automated investigation and response (AIR) that can be enabled or configured by a security operations analyst? (Choose three.)

Question 467 (easy, multi select)

Which TWO of the following are required to enable Microsoft Sentinel to receive alerts from Microsoft Defender for Cloud? (Choose two.)

Question 468 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security incidents from Defender for Cloud are automatically sent to Sentinel. What should you configure?

Question 469 (hard, multiple choice)

A security analyst receives a high-severity incident in Microsoft Sentinel for a user who is suspected of lateral movement. The analyst wants to automatically run a playbook that isolates the user's machine and disables their account when such an incident is created. What is the most efficient way to achieve this?

Question 470 (easy, multiple choice)

Your company is deploying Microsoft Defender for Endpoint. You need to ensure that all devices report their security baseline compliance to Microsoft Intune. Which configuration should you use?

Question 471 (medium, multiple choice)

You manage a Microsoft Sentinel workspace with multiple analytics rules. You notice that an analytics rule has not generated any alerts in the past month despite relevant data being ingested. The rule uses a custom KQL query that joins two tables. What is the most likely cause?

Question 472 (hard, multiple choice)

You are configuring Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 100 files in 10 minutes from SharePoint. Which policy type should you use?

Question 473 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to use Microsoft Copilot for Security to summarize an incident in Microsoft Defender XDR. What is the minimum role required?

Question 474 (hard, multiple choice)

You have a Microsoft Sentinel workspace that ingests logs from multiple sources. The log analytics workspace is in the East US region. You have a requirement to keep logs for 90 days for active investigation, then archive them to an Azure storage account for compliance for 5 years. What should you configure?

Question 475 (medium, multiple choice)

Your security team uses Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that all virtual machines have endpoint protection enabled. Which policy initiative should you assign?

Question 476 (medium, multiple choice)

You are a security analyst. An incident in Microsoft Sentinel is assigned to you. The incident contains multiple alerts. You want to group related alerts into a single incident to reduce noise. What feature should you use?

Question 477 (medium, multi select)

Which TWO actions require the Global Administrator role in Microsoft 365?

Question 478 (hard, multi select)

Which THREE actions can you perform using Microsoft Sentinel automation rules?

Question 479 (easy, multi select)

Which TWO Microsoft 365 security solutions include capabilities for managing security incidents?

Question 480 (hard, multiple choice)

Refer to the exhibit. You are reviewing an analytics rule in Microsoft Sentinel. The rule is enabled but has not generated any alerts in the past 24 hours. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "ruleId": "6b1c0a1e-0e1f-4b1a-8e1f-1a2b3c4d5e6f",
    "displayName": "Suspicious Sign-in from Anonymous IP",
    "enabled": true,
    "query": "SigninLogs | where Location == 'Unknown' | where TimeGenerated > ago(7d) | summarize count() by UserPrincipalName | where count_ > 3",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT7D",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "severity": "Medium",
    "suppressionDuration": "PT6H",
    "suppressionEnabled": true
  }
}
```
Question 481 (medium, multiple choice)

Refer to the exhibit. You are deploying a Microsoft Sentinel workspace using an ARM template. After deployment, you notice the workspace is in a disabled state for ingesting data. Which parameter is most likely causing this?

Exhibit

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "SentinelWorkspace"
    },
    "location": {
      "value": "eastus"
    },
    "sku": {
      "value": "PerGB2018"
    },
    "retentionInDays": {
      "value": 90
    },
    "dataRetentionForDailyQuotaInGB": {
      "value": 5
    },
    "dailyQuotaInGB": {
      "value": 10
    }
  }
}
```
Question 482 (easy, multiple choice)

Refer to the exhibit. You have an analytics rule in Microsoft Sentinel that uses this KQL query. The rule is configured to run every hour and alert when the result count is greater than 0. Which type of attack is this rule most likely detecting?

Exhibit

```kusto
SigninLogs
| where TimeGenerated > ago(1d)
| where RiskLevelDuringSignIn == "high"
| where RiskLevelAggregated == "high"
| project UserPrincipalName, IPAddress, RiskLevelDuringSignIn, RiskLevelAggregated
| summarize count() by UserPrincipalName
| where count_ > 5
```
Question 483 (medium, multiple choice)

Your organization uses Microsoft Sentinel in a hybrid environment with on-premises servers and Azure VMs. You need to ensure that all Windows servers forward their security events to Sentinel. The security team wants to use Windows Security Events via AMA connector. Windows servers are not domain-joined and are managed by a third-party RMM tool. What is the most efficient way to deploy the AMA agent?

Question 484 (hard, multiple choice)

You are a SOC analyst using Microsoft Sentinel. You have a scheduled analytics rule that generates incidents from KQL queries. Recently, incidents are being created but automatically closed within minutes without any actions taken. You suspect a configuration issue. What should you check first?

Question 485 (easy, multiple choice)

You are configuring Microsoft Defender for Cloud Apps to enhance visibility into your organization's SaaS app usage. You need to ensure that risky user activities are automatically suspended. What should you configure?

Question 486 (hard, multiple choice)

Your organization uses Microsoft Sentinel with a Log Analytics workspace in the East US region. You have deployed the Microsoft Defender for Cloud connector. You notice that security alerts from Defender for Cloud are not appearing as incidents in Sentinel. You have confirmed that the connector is enabled and data is flowing. What is the most likely cause?

Question 487 (medium, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email via the built-in Outlook add-in, an automated investigation is triggered in Microsoft 365 Defender. What should you configure?

Question 488 (hard, multiple choice)

You are a security administrator for a multinational company using Microsoft Sentinel. You need to ensure that critical incidents are automatically escalated to the on-call team via email and SMS. The on-call schedule uses Microsoft Teams channel. What is the most efficient way to achieve this?

Question 489 (easy, multiple choice)

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a high severity alert is generated, an automated investigation is launched immediately. What is the correct configuration?

Question 490 (medium, multiple choice)

Your organization uses Microsoft Sentinel and has enabled UEBA (User and Entity Behavior Analytics). You notice that the UEBA timeline is not populating for some users. You have verified that the data sources are connected and the UEBA feature is enabled. What could be the issue?

Question 491 (hard, multi select)

Your organization is implementing Microsoft Sentinel and needs to ensure that incident response activities are compliant with regulatory requirements. You need to track and document all changes made to analytics rules and playbooks. Which TWO features should you enable?

Question 492 (easy, multi select)

Your organization uses Microsoft Defender XDR (formerly Microsoft 365 Defender). You need to configure role-based access control (RBAC) for the security team. Which TWO built-in roles can be assigned in Microsoft 365 Defender to manage incidents and alerts?

Question 493 (medium, multi select)

Your organization uses Microsoft Sentinel and you are designing a data retention strategy. You have a Log Analytics workspace with the following tables: SecurityEvent, SigninLogs, and CommonSecurityLog. The compliance team requires that SigninLogs be retained for 7 years, while other tables can be retained for 1 year. Which THREE steps must you take to meet this requirement?

Question 494 (hard, multiple choice)

Your organization has multiple offices across the globe and uses Microsoft Sentinel as the primary SIEM. You have deployed Azure Arc on all on-premises servers to manage them centrally. The security team needs to collect Windows Security Events from all servers, including domain controllers, and forward them to Sentinel using the Windows Security Events via AMA connector. The team also wants to minimize administrative overhead when adding new servers. The current environment includes: 500 on-premises Windows servers (200 domain controllers, 300 member servers) managed via Azure Arc, 200 Azure VMs running Windows Server, and a centralized Log Analytics workspace named 'LAW-Security' in the East US region. You have already installed the Azure Monitor Agent (AMA) on all servers via Azure Arc and Azure VMs. However, you notice that security events from domain controllers are not appearing in Sentinel. You have verified that the AMA agent is running and the data collection rule (DCR) is correctly configured to collect Security events. No other issues are present. You need to ensure that security events from domain controllers are collected. What should you do?

Question 495 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You have configured the Microsoft Defender for Endpoint connector in Sentinel to ingest alerts and incidents. The security team wants to automatically create a Sentinel incident when an MDE alert of severity 'High' or 'Critical' is generated. Additionally, they want to assign the incident to a specific SOC tier based on the alert title. For example, if the alert title contains 'Ransomware', assign to Tier 3; otherwise assign to Tier 2. You need to implement this automation efficiently. You have already enabled the connector and verified that MDE alerts are flowing into Sentinel. What is the best approach?

Question 496 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud Apps to monitor cloud application usage. You have a custom analytics rule that detects multiple failed login attempts from different IP addresses for the same user within 5 minutes. This rule generates an incident. The security team wants to automatically suspend the user in Microsoft Entra ID (formerly Azure AD) when such an incident is created, but only if the user is not a member of the 'Emergency Access' group. You need to implement this automation. You have already created the analytics rule. What should you do next?

Question 497 (medium, multiple choice)

You are configuring Microsoft Sentinel automation rules to handle incidents generated from Microsoft Defender for Cloud. You need to ensure that when a high-severity security alert is triggered, an automated response runs a playbook that creates a support ticket in ServiceNow. However, the playbook fails to execute for some alerts. Upon investigation, you find that the automation rule is triggered only when the incident is created. What is the most likely cause of the failure?

Question 498 (hard, multiple choice)

You are the security operations lead for a multinational company using Microsoft Defender XDR. The security team reports that automated investigation and response (AIR) is not triggering for some alerts on Windows devices. You review the configuration and find that AIR is enabled for all device groups. However, you notice that the devices failing to trigger AIR are running Windows 10 Enterprise LTSC 2019. What is the most likely reason AIR is not working on these devices?

Question 499 (easy, multiple choice)

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to ensure that all incidents from a specific analytics rule are automatically assigned to the 'SOC Tier 1' team. What should you configure in Microsoft Sentinel?

Question 500 (hard, multiple choice)

Refer to the exhibit. You are reviewing a playbook configuration in Microsoft Sentinel. The playbook is supposed to create a task to generate a ServiceNow ticket and notify the SOC manager when a high-severity alert is triggered. However, when a high-severity alert occurs, only the notification task is created, and the ticket creation task is missing. What is the most likely cause?

Exhibit

```json
{
  "properties": {
    "displayName": "SOC_IR_Playbook",
    "trigger": {
      "type": "Microsoft.SecurityInsights/AlertRule",
      "inputs": {
        "alertRuleId": "a8144c0a-...",
        "severity": ["High"]
      }
    },
    "actions": [
      {
        "type": "Microsoft.SecurityInsights/IncidentTask",
        "inputs": {
          "title": "Create ServiceNow ticket",
          "description": "Create a ticket in ServiceNow for this incident"
        }
      },
      {
        "type": "Microsoft.SecurityInsights/IncidentTask",
        "inputs": {
          "title": "Notify SOC manager",
          "description": "Send email notification"
        }
      }
    ]
  }
}
```
Question 501 (medium, multiple choice)

You are managing a Microsoft Defender XDR environment. The security team wants to receive email notifications when a new incident is created with severity 'High' or 'Medium'. They also want to ensure that notifications are sent only for incidents that are not automatically resolved by AIR. What should you configure?

Question 502 (easy, multiple choice)

Your organization has deployed Microsoft Sentinel. You need to ensure that user and entity behavior analytics (UEBA) is enabled for all data sources. What is the minimum role required to enable UEBA in Microsoft Sentinel?

Question 503 (hard, multiple choice)

You are responsible for Microsoft Defender for Cloud Apps. The security team reports that they are not receiving alerts for suspicious activities from a specific connected app (Salesforce). You verify that the app is connected and the log collection is working. What should you check next?

Question 504 (medium, multiple choice)

You are using Microsoft Sentinel to manage incidents. You want to automatically close incidents that are older than 90 days and have a status of 'New'. What is the most efficient way to achieve this?

Question 505 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. The security team wants to monitor for suspected DCSync attacks. Which Windows Event ID should you monitor to detect DCSync activity?

Question 506 (hard, multi select)

You are configuring Microsoft Sentinel to ingest data from multiple sources. Which TWO of the following are valid data connectors that can be used to ingest AWS CloudTrail logs?

Question 507 (medium, multi select)

You are managing Microsoft Defender for Endpoint. Which TWO actions can be taken directly from the Microsoft 365 Defender portal to respond to a compromised device?

Question 508 (easy, multi select)

You are configuring Microsoft Sentinel analytics rules. Which THREE of the following are valid types of analytics rules in Microsoft Sentinel?

Question 509 (hard, multiple choice)

You are a security operations analyst for a large enterprise with a hybrid environment. Your organization uses Microsoft Sentinel as the central SIEM, Microsoft Defender for Cloud for Azure workloads, Microsoft Defender for Endpoint for endpoints, and Microsoft Defender for Identity for on-premises Active Directory. Recently, the security team has been overwhelmed by a high volume of low-severity incidents from Defender for Cloud that are not actionable. These incidents are generated from the built-in 'ASC Default' policy initiative. You need to reduce the noise without disabling the entire policy. The security team still wants to be alerted on high-severity incidents. You have been asked to implement a solution that automatically suppresses low-severity incidents from Defender for Cloud but still allows high-severity ones to be created in Sentinel. You must not modify the policy initiative itself. What should you do?

Question 510 (medium, multiple choice)

You are the lead security operations analyst for a company that uses Microsoft Defender XDR. The company has recently deployed Microsoft Copilot for Security to help analysts investigate incidents. During a recent incident involving a potential ransomware attack on multiple devices, the analysts used Copilot to generate an investigation summary and recommended actions. However, the analysts report that Copilot's responses are not specific to the incident; they are generic and do not include device-specific details. You need to ensure that Copilot provides context-aware responses that include specific device information from the incident. What should you do?

Question 511 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You are configuring a new automation rule in Sentinel to automatically assign incidents to the appropriate SOC tier based on severity: Low and Medium to Tier 1, High to Tier 2, and Critical to Tier 3. You have created three separate automation rules, one for each tier. However, only the rule for Critical incidents is working. The other rules do not assign incidents. You verify that the other rules are enabled and have the correct conditions. What is the most likely cause?

Question 512 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has enabled UEBA. A security analyst observes that a user account with no prior administrative activity performed a high volume of Azure Resource Manager operations. The analyst wants to investigate further. Which Microsoft Sentinel feature should the analyst use to quickly identify if this behavior is anomalous based on the user's historical profile?

Question 513 (easy, multiple choice)

You are a Microsoft Security Operations Analyst. Your organization recently deployed Microsoft Defender for Cloud Apps. You need to ensure that alerts generated by Defender for Cloud Apps are automatically forwarded to Microsoft Sentinel. What should you configure?

Question 514 (medium, multiple choice)

Your organization uses Microsoft Defender for Identity. You need to monitor for potential lateral movement attacks using pass-the-hash techniques. Which entity type in Microsoft Defender for Identity should you focus on in the security alert timeline?

Question 515 (hard, multiple choice)

A company uses Microsoft Sentinel with the Microsoft 365 Defender connector. The security team notices that alerts from Microsoft Defender for Endpoint (MDE) are not appearing in Sentinel. The MDE data connector status shows 'Connected'. Which step should you take to troubleshoot this issue?

Question 516 (medium, multiple choice)

Your organization is using Microsoft Sentinel and has deployed the Microsoft Entra ID (Azure AD) connector. You need to create an analytics rule that triggers an incident when a user from a specific IP address is assigned the Global Administrator role. The IP address is not in your trusted IP list. Which KQL query should you use as the rule logic?
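
A worked form of the rule logic this question asks for, added here as an example and not taken from the question bank or from Microsoft: the same filter written in Python and run over constructed records that follow the shape of rows in the Entra ID AuditLogs table (OperationName, Result, InitiatedBy.user.ipAddress, TargetResources[].modifiedProperties with displayName Role.DisplayName). The trusted ranges, user names and timestamps are assumptions.

```python
"""Added example: flag a Global Administrator role assignment initiated from an
IP address outside the trusted ranges. The records are constructed to follow
the shape of Entra ID AuditLogs rows; they are not real data."""
import ipaddress
import json
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Assumed trusted egress ranges (RFC 5737 / RFC 3849 documentation prefixes).
TRUSTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "2001:db8::/32")]
WATCHED_ROLE = "Global Administrator"


def is_trusted(ip: Optional[str]) -> bool:
    """True only when ip parses and falls inside a trusted range.
    A missing or malformed address is deliberately treated as untrusted."""
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_RANGES)


def assigned_roles(target_resources: Iterable[Dict]) -> Iterator[Tuple[Optional[str], str]]:
    """Yield (target UPN, role name) for every Role.DisplayName modification.
    AuditLogs stores newValue as a JSON-encoded string, e.g. "\"Global Administrator\""."""
    for tr in target_resources:
        upn = tr.get("userPrincipalName")
        for prop in tr.get("modifiedProperties", []):
            if prop.get("displayName") != "Role.DisplayName":
                continue
            raw = prop.get("newValue")
            try:
                role = json.loads(raw) if isinstance(raw, str) else raw
            except ValueError:
                role = raw  # already a bare string
            if isinstance(role, str):
                yield upn, role


def find_untrusted_ga_grants(records: Iterable[Dict]) -> List[Dict]:
    """One finding per successful Global Administrator grant whose initiator IP is not trusted."""
    findings = []
    for rec in records:
        if rec.get("OperationName") != "Add member to role" or rec.get("Result") != "success":
            continue
        initiated_by = rec.get("InitiatedBy") or {}
        actor = initiated_by.get("user") or initiated_by.get("app") or {}
        ip = actor.get("ipAddress")  # absent when an app / service principal acted
        for target, role in assigned_roles(rec.get("TargetResources", [])):
            if role == WATCHED_ROLE and not is_trusted(ip):
                findings.append({
                    "time": rec.get("TimeGenerated"),
                    "actor": actor.get("userPrincipalName") or actor.get("displayName"),
                    "ip": ip,
                    "target": target,
                    "role": role,
                })
    return findings


def _record(time: str, target: str, role: str, ip: Optional[str] = None,
            actor_upn: Optional[str] = None, app_name: Optional[str] = None,
            result: str = "success") -> Dict:
    """Build one constructed AuditLogs-style record (sample data only)."""
    initiated_by = ({"app": {"displayName": app_name}} if app_name
                    else {"user": {"userPrincipalName": actor_upn, "ipAddress": ip}})
    return {
        "TimeGenerated": time,
        "OperationName": "Add member to role",
        "Result": result,
        "InitiatedBy": initiated_by,
        "TargetResources": [{
            "userPrincipalName": target,
            "modifiedProperties": [{"displayName": "Role.DisplayName",
                                    "oldValue": None, "newValue": json.dumps(role)}],
        }],
    }


# Constructed sample: untrusted grant, trusted grant, lesser role, failed grant, app-initiated grant.
SAMPLE_AUDIT_LOGS = [
    _record("2024-01-01T08:00:00Z", "carol@contoso.example", WATCHED_ROLE,
            ip="198.51.100.23", actor_upn="admin1@contoso.example"),
    _record("2024-01-01T08:05:00Z", "dave@contoso.example", WATCHED_ROLE,
            ip="203.0.113.7", actor_upn="admin2@contoso.example"),
    _record("2024-01-01T08:10:00Z", "erin@contoso.example", "Security Reader",
            ip="198.51.100.23", actor_upn="admin1@contoso.example"),
    _record("2024-01-01T08:15:00Z", "frank@contoso.example", WATCHED_ROLE,
            ip="198.51.100.99", actor_upn="admin1@contoso.example", result="failure"),
    _record("2024-01-01T08:20:00Z", "grace@contoso.example", WATCHED_ROLE,
            app_name="Provisioning Service"),
]

if __name__ == "__main__":
    for f in find_untrusted_ga_grants(SAMPLE_AUDIT_LOGS):
        print(f"{f['time']} {f['actor']} from {f['ip']} granted {f['role']} to {f['target']}")
```

In KQL the equivalent is AuditLogs filtered on OperationName == "Add member to role", mv-expand over TargetResources and then over its modifiedProperties, and ipv4_is_in_any_range() against the trusted list. One edge the Python makes explicit: ipv4_is_in_any_range() returns null when the address string is empty, malformed or IPv6, so `where not(ipv4_is_in_any_range(...))` silently drops grants initiated without a recorded IPv4 address, whereas is_trusted() above treats them as untrusted and keeps them; use ipv6_is_in_any_range() alongside it if your trusted list has IPv6 ranges.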

Question 517 (hard, multiple choice)

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails detected as 'Bulk' to the user's Junk Email folder. However, users must be able to override this by adding the sender to their Safe Senders list. What should you configure?

Question 518 (easy, multiple choice)

A security operations center (SOC) uses Microsoft Sentinel. You need to ensure that when a high-severity incident is created, an automated email notification is sent to the on-call security engineer. Which automation option should you use?

Question 519 (medium, multiple choice)

Your organization uses Microsoft Defender XDR. You need to investigate a potential ransomware incident that has affected multiple devices. The security team wants to identify the initial access vector. Which advanced hunting table should you query to find the process that initiated the encryption?

Question 520 (medium, multi select)

Your organization uses Microsoft Sentinel with the Azure Activity connector. Which TWO actions should you take to ensure that all subscription-level activity logs are being ingested into Sentinel?

Question 521 (hard, multi select)

Your Microsoft Defender XDR environment has an advanced hunting query that returns devices potentially affected by a known vulnerability. You want to create a custom detection rule that triggers an alert when more than 10 devices are affected. Which THREE steps are required?

Question 522 (easy, multi select)

Your organization plans to use Microsoft Sentinel for incident management. Which TWO are native incident management features in Sentinel?

Question 523 (hard, multi select)

You are configuring Microsoft Defender for Cloud Apps with Cloud Discovery. You need to ensure that logs from your network proxies are processed correctly. Which THREE steps are required?

Question 524 (medium, multi select)

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue. Which TWO actions should you take to improve the quality of incidents?

Question 525 (easy, multi select)

You are investigating a phishing incident in Microsoft Defender for Office 365. Which THREE pieces of information are available in the Threat Explorer?

Question 526 (hard, multiple choice)

You are a Microsoft Security Operations Analyst for a large enterprise with 50,000 users. Your organization uses Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Defender for Cloud Apps. The security team has observed an increase in alerts related to SaaS applications (e.g., Box, Salesforce) accessed from unusual locations. You need to design a solution to automatically investigate and respond to these alerts. The solution should: (1) correlate user activity across multiple SaaS apps, (2) automatically isolate a user's account if the risk score exceeds 90, and (3) create an incident in Sentinel. Which approach should you use?

Question 527 (medium, multiple choice)

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You recently deployed Microsoft Defender for Identity (MDI) to monitor on-premises domain controllers. The SOC team needs to receive alerts from MDI in Microsoft Sentinel. You have already installed the MDI sensor on all domain controllers and confirmed that the MDI portal shows alerts. However, no MDI alerts appear in Sentinel. The Microsoft Defender for Identity data connector in Sentinel shows 'Connected'. What should you do next?

Question 528 (easy, multiple choice)

Your organization uses Microsoft Sentinel and has a requirement to retain log data for two years for compliance purposes. You have configured the Log Analytics workspace with a retention policy of 90 days. You need to extend the retention to two years while minimizing costs. The data must remain queryable. What should you do?

Question 529 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A new security policy requires that all incidents involving 'Credential Access' tactics be automatically assigned to the Tier 1 SOC team and have a severity of 'High'. You need to configure this automation. What should you do?

Question 530 (hard, multiple choice)

Your company has a hybrid environment with Microsoft Sentinel and Microsoft Defender for Cloud. You notice that the 'Priority' field in Sentinel incidents is not being populated correctly. You need to ensure that Sentinel incidents inherit the priority from Microsoft Defender for Cloud alerts. What should you configure?

Question 531 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to design a solution to automatically respond to a specific type of incident by sending an email to the SOC manager and creating a ticket in ServiceNow. What should you use?

Question 532 (medium, multi select)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents are reviewed within 24 hours. Which TWO actions should you take?

Question 533 (medium, multi select)

Your security team uses Microsoft Sentinel and Microsoft Purview. You need to classify incidents that involve sensitive data according to Microsoft Purview's sensitivity labels. Which THREE components should you use?

Question 534 (hard, multi select)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to implement a solution that automatically suppresses low-severity incidents from specific IP addresses that are known internal scanners. Which THREE configurations should you make?

Question 535 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You are responsible for managing the security operations environment. Recently, the SOC team reported that incidents from Microsoft Defender for Endpoint are not appearing in Microsoft Sentinel. You have already configured the data connector for Microsoft Defender XDR and verified that logs are flowing into the 'SecurityAlert' table. However, incidents are not being created in Sentinel. What should you do?

Question 536 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Entra ID. You need to implement a solution that automatically disables a user account in Microsoft Entra ID when a high-severity incident involving that user is created in Sentinel. The solution must also send a notification to the security team. You have a playbook that disables the user and sends an email. What should you configure to trigger the playbook?

Question 537 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Microsoft Defender for Cloud are ingested into Sentinel and that incidents are automatically created for alerts with severity 'High' or higher. You have already connected Microsoft Defender for Cloud to Sentinel using the data connector. However, no incidents are being created. What should you do?

Question 538 (easy, multiple choice)

Your organization uses Microsoft Sentinel. The SOC manager wants to track the average time to triage incidents. You need to create a report that shows this metric. What should you use?

Question 539 (hard, multiple choice)

Your organization uses Microsoft Sentinel. You have a custom analytics rule that generates incidents based on a KQL query. The rule is configured to run every 5 minutes. You notice that the rule is generating duplicate incidents for the same event. What should you do to prevent duplicates?
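
The exhibit in Question 480 and the duplicate-incident scenario in this question both turn on how a scheduled rule's queryFrequency, queryPeriod, trigger threshold and suppression interact. The Python simulation below is an added example, not part of this question bank or of any Microsoft product; the sign-in events, user names and the 24-run schedule are constructed. It evaluates the exhibit's query logic (Location == 'Unknown', count_ > 3 per UserPrincipalName) under three configurations: the exhibit's PT1H frequency with a PT7D lookback and PT6H suppression, the same rule without suppression, and a rule whose lookback equals its frequency.

```python
"""Added example: simulate how a Microsoft Sentinel scheduled analytics rule's
queryFrequency, queryPeriod, trigger threshold and suppression interact.
All events below are constructed sample data, not real telemetry."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import FrozenSet, List, Optional, Tuple

UTC = timezone.utc
ALICE = "alice@contoso.example"
BOB = "bob@contoso.example"


@dataclass(frozen=True)
class SigninEvent:
    time_generated: datetime
    user_principal_name: str
    location: str


@dataclass(frozen=True)
class ScheduledRule:
    query_frequency: timedelta        # queryFrequency: how often the query runs
    query_period: timedelta           # queryPeriod: lookback window for each run
    suppression: Optional[timedelta]  # suppressionDuration when suppressionEnabled, else None
    min_count: int = 3                # mirrors '| where count_ > 3'


def run_query(events, window_start, window_end, min_count) -> FrozenSet[str]:
    """Mirrors the exhibit's KQL: keep Location == 'Unknown' rows inside the
    window, summarize count() by UserPrincipalName, keep count_ > min_count."""
    per_user = Counter(
        e.user_principal_name
        for e in events
        if e.location == "Unknown" and window_start < e.time_generated <= window_end
    )
    return frozenset(upn for upn, n in per_user.items() if n > min_count)


def simulate(rule, events, first_run, runs) -> List[Tuple[datetime, FrozenSet[str]]]:
    """Walk the schedule and return (run_time, users) for every run that fired.
    triggerOperator GreaterThan with triggerThreshold 0: any result row fires."""
    fired = []
    next_allowed = first_run
    for i in range(runs):
        t = first_run + i * rule.query_frequency
        if t < next_allowed:
            continue  # inside the suppression window: the query is not run at all
        users = run_query(events, t - rule.query_period, t, rule.min_count)
        if users:
            fired.append((t, users))
            if rule.suppression is not None:
                next_allowed = t + rule.suppression
    return fired


def sample_events() -> List[SigninEvent]:
    """Constructed: alice and bob each produce four 'Unknown' sign-ins within one
    hour (02:xx and 04:xx); dave stays under the threshold; one row has a real location."""
    day = datetime(2024, 1, 1, tzinfo=UTC)
    alice = [SigninEvent(day + timedelta(hours=2, minutes=m), ALICE, "Unknown") for m in (10, 20, 30, 40)]
    bob = [SigninEvent(day + timedelta(hours=4, minutes=m), BOB, "Unknown") for m in (10, 20, 30, 40)]
    noise = [SigninEvent(day + timedelta(hours=2, minutes=15), "dave@contoso.example", "Unknown"),
             SigninEvent(day + timedelta(hours=2, minutes=16), ALICE, "US")]
    return alice + bob + noise


FIRST_RUN = datetime(2024, 1, 1, 3, tzinfo=UTC)  # first hourly run after alice's burst
EXHIBIT_RULE = ScheduledRule(timedelta(hours=1), timedelta(days=7), timedelta(hours=6))  # PT1H / PT7D / PT6H
NO_SUPPRESSION = ScheduledRule(timedelta(hours=1), timedelta(days=7), None)
ALIGNED = ScheduledRule(timedelta(hours=1), timedelta(hours=1), None)  # queryPeriod == queryFrequency

if __name__ == "__main__":
    for name, rule in (("7d lookback, 6h suppression (exhibit)", EXHIBIT_RULE),
                       ("7d lookback, no suppression", NO_SUPPRESSION),
                       ("1h lookback == 1h frequency", ALIGNED)):
        fired = simulate(rule, sample_events(), FIRST_RUN, 24)
        print(f"{name}: {len(fired)} alerts over 24 hourly runs")
        for t, users in fired:
            print(f"  {t:%Y-%m-%d %H:%M} {sorted(users)}")
```

Over 24 hourly runs the 7-day lookback without suppression re-alerts on alice's same four sign-ins at every run, which is the duplicate-incident pattern this question describes. Adding the exhibit's 6-hour suppression cuts that to four alerts, but because suppression stops the query entirely, bob's 04:xx burst is not seen until the 09:00 run. Setting queryPeriod equal to queryFrequency yields exactly one alert per burst with no suppression needed; where a longer lookback is genuinely required, alert grouping in the rule's incident settings is the usual way to avoid one incident per run.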

Question 540 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to configure a solution that automatically escalates incidents that have been in 'New' status for more than 4 hours. The escalation should change the status to 'Active' and assign the incident to a senior analyst. What should you do?

Question 541 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You need to ensure that all incidents are classified with a specific classification when closed. The classification must be chosen from a predefined list. What should you configure?

Question 542 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You have a requirement to automatically tag incidents that involve resources from a specific subscription with the label 'Critical Subscription'. The subscription ID is stored in a watchlist. Incidents are created from multiple data sources. What is the most efficient way to apply the tag?

Question 543 (easy, multi select)

Your SOC team needs to ensure that all incidents in Microsoft Sentinel are assigned to an analyst within 30 minutes of creation. Which TWO configurations should you implement?

Question 544 (medium, multi select)

Your organization uses Microsoft Defender XDR and Microsoft Sentinel in a hybrid deployment. You need to ensure that all incidents from Defender XDR are synchronized to Sentinel and that any changes to incident status in Sentinel are reflected back in Defender XDR. Which THREE components or configurations are required?

Question 545 (hard, multi select)

Your SOC is implementing a Microsoft Sentinel workspace with multiple content hub solutions. You need to ensure that only approved analytics rules are enabled and that any custom rules are reviewed before activation. Which THREE actions should you take?

Question 546 (medium, multiple choice)

Your organization has a Microsoft Sentinel workspace in the East US region. You have deployed the Microsoft Defender XDR connector and are ingesting incidents from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. The SOC team reports that some incidents from Defender for Office 365 are missing in Sentinel, but all incidents from the other sources appear correctly. You have verified that the connector is enabled and that there are no ingestion errors. The missing incidents are related to phishing emails that were detected by Defender for Office 365 and automatically remediated (soft deleted) by the system. The incidents are visible in the Microsoft 365 Defender portal. What should you do to ensure these incidents appear in Sentinel?

Question 547 (hard, multiple choice)

Your company uses Microsoft Sentinel as its SIEM and has enabled User and Entity Behavior Analytics (UEBA) to detect insider threats. The UEBA timeline for a user shows several high-risk events, including unusual data exfiltration to an external site and multiple failed logons from a new geographic location. You are asked to create a custom analytics rule that generates an incident when a user exhibits both high-risk behaviors within a 24-hour period. You have the necessary KQL skills. However, when you test the rule, it does not generate any incidents even though the behavior exists. You have confirmed that the UEBA tables (BehaviorAnalytics, IdentityInfo) are populated and that the rule is enabled with a frequency of 1 hour. What is the most likely reason the rule is not firing?

Question 548 (easy, multiple choice)

Your SOC team uses Microsoft Sentinel workbooks to monitor the security posture. One workbook shows a chart of incidents by severity over the last 7 days. The workbook uses a KQL query that queries the SecurityIncident table. Recently, the workbook stopped displaying data. You check the workspace and confirm that incidents are being created and are visible in the Sentinel portal. You also verify that the workbook has not been modified. What is the most likely cause?

Question 549 (medium, multiple choice)

You are managing a Microsoft Sentinel environment that ingests data from multiple sources: Microsoft 365, Azure Activity, and custom logs via AMA. The SOC manager has requested that all security events from Windows servers be collected and stored for 90 days for compliance purposes. You have configured the Windows Security Events via AMA data connector to collect all events (Event ID 4624, 4625, etc.) and set the workspace retention to 90 days. After a week, you notice that the daily ingested volume is higher than expected, exceeding the budget. You analyze the data and find that many low-severity informational events are being ingested, such as Event ID 5156 (Windows Filtering Platform allowed connection). The manager confirms that only security-relevant events are needed. What should you do to reduce ingestion volume while still meeting compliance requirements?

Question 550 (hard, multiple choice)

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You have enabled bi-directional incident synchronization. The SOC team uses Microsoft Teams to collaborate on incidents. They have configured a playbook that posts incident details to a Teams channel whenever an incident is created. Recently, the playbook stopped posting messages. You check the playbook's run history in Azure Logic Apps and see that the run was successful with a 200 status code from the Teams connector. However, no message appears in the channel. You verify that the Teams webhook URL is correct and that the channel is active. What is the most likely cause?

Question 551 (medium, multiple choice)

Your organization has a Microsoft Sentinel workspace that ingests data from Microsoft 365 Defender (Defender for Endpoint, Office 365, Identity, Cloud Apps). You have configured a scheduled analytics rule to detect possible privilege escalation based on user activity. The rule runs every 5 minutes and looks at the last 5 minutes of data. Recently, the rule has been generating a high number of false positives. You analyze the alerts and find that they are triggered by legitimate administrative actions. You need to reduce false positives without completely disabling the rule. The rule uses a KQL query that joins the IdentityLogonEvents and CloudAppEvents tables. What should you do?

Question 552 (hard, multiple choice)

Your company uses Microsoft Sentinel and has connected Microsoft 365 Defender. You have configured an automation rule that, when an incident is created with a high severity, triggers a playbook that sends an email to the SOC manager and creates a ticket in ServiceNow. Recently, the automation rule stopped triggering the playbook. You check the automation rule and see it is enabled. You also check the playbook and see it is enabled. However, the playbook's run history shows no new runs for the last 24 hours, even though high-severity incidents have been created. You verify that the incidents are indeed high severity and that the automation rule's conditions match. What is the most likely cause?

Question 553 (easy, multiple choice)

Your organization uses Microsoft Defender XDR to protect endpoints. You need to ensure that all endpoints are reporting to the Defender for Endpoint service and that any devices that have not checked in for more than 7 days are flagged. You have created a custom detection rule in Microsoft Sentinel that queries the DeviceInfo table and generates an incident for devices with a last check-in time older than 7 days. After a week, you notice that no incidents have been generated, even though you know there are some inactive devices. You verify that the DeviceInfo table is populated with data. What is the most likely issue?

Question 554 (medium, multiple choice)

Your company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You have deployed Microsoft Sentinel and configured the Microsoft Entra ID connector to collect sign-in logs and audit logs. The SOC team wants to be alerted when a user account is created in Entra ID, as this could indicate a malicious insider. You create a scheduled analytics rule that queries the AuditLogs table for 'Add user' activity. The rule runs every hour and looks back 1 hour. After a week, the rule has generated zero incidents. You know that new users are being created regularly. You test the query manually in Log Analytics and get results for the last hour. What is the most likely cause?
