Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

SC-200 Perform threat hunting • Complete Question Bank

SC-200 Perform threat hunting — All Questions With Answers

Complete SC-200 Perform threat hunting question bank — all 0 questions with answers and detailed explanations.

276 questions · Free · No signup

Question 1 (easy, multiple choice)

A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?

Question 2 (medium, multiple choice)

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?

Question 3 (hard, multiple choice)

During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?

Question 4 (easy, multiple choice)

A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?

Question 5 (medium, multiple choice)

A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?

Question 6 (hard, multiple choice)

A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?

Question 7 (easy, multiple choice)

A threat hunter wants to proactively search for signs of ransomware activity in the environment using Microsoft Sentinel. Which data source is most likely to provide early indicators of ransomware, such as mass file renaming or encryption?

Question 8 (medium, multiple choice)

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple servers in the environment. The script connects to an external IP address and downloads a payload. The analyst wants to find all other servers that may have been compromised by the same script. What is the most efficient way to search for this across the environment?

Question 9 (hard, multiple choice)

A threat hunter is using Microsoft Sentinel to hunt for a potential advanced persistent threat (APT) that is using living-off-the-land binaries (LOLBins). The hunter creates a KQL query that lists all instances of certutil.exe making network connections. The query returns many legitimate results. What is the best way to reduce false positives while still detecting malicious use?

Question 10 (medium, multi select)

A threat hunter is using Microsoft Sentinel to hunt for signs of privilege escalation via Azure AD role assignment changes. Which TWO KQL operators or functions are most useful for identifying changes that added a user to a high-privilege role?

Question 11 (hard, multi select)

A threat hunter is investigating a potential data exfiltration via DNS tunneling using Microsoft Defender for Endpoint advanced hunting. Which THREE columns from the DeviceNetworkEvents table should the hunter include in a query to detect anomalous DNS queries?

Question 12 (easy, multi select)

A security analyst is using Microsoft Sentinel to hunt for signs of a brute-force attack against Azure AD. Which TWO data sources are most relevant for this hunt?

Question 13 (medium, multiple choice)

A threat hunter runs the KQL query shown in the exhibit in Microsoft Sentinel to detect accounts that have experienced multiple failed sign-in attempts due to a disabled account (ResultType 50057) from the same IP. The query returns no results even though the hunter knows that some disabled accounts are being attacked. What is the most likely reason for the false negatives?

Exhibit

Refer to the exhibit.

```kql
let threshold = 5;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "50057"  // User account is disabled
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > threshold
| project UserPrincipalName, IPAddress, FailedAttempts
```

Question 14 (hard, multiple choice)

A threat hunter writes the KQL query shown in the exhibit in Microsoft Defender for Endpoint advanced hunting to find devices where a script host process was launched with encoded commands and then connected to an HTTPS endpoint within 10 minutes. The query is syntactically correct but returns no results. The hunter knows that such activity has occurred. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| where ProcessCommandLine contains "-enc" or ProcessCommandLine contains "-e "
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort == 443
    | project Timestamp, DeviceName, RemoteUrl
) on DeviceName, Timestamp
| where Timestamp between (Timestamp1 .. Timestamp1 + 10m)
```

Question 15 (easy, multiple choice)

A threat hunter in Microsoft Sentinel is reviewing a JSON definition for a scheduled analytics rule as shown in the exhibit. The rule is intended to run daily and alert on any device running powershell.exe with an encoded command. However, no alerts have been generated even though the hunter knows such activity exists. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Hunt for suspicious PowerShell",
    "description": "Detects PowerShell with encoded commands",
    "tactics": ["Execution"],
    "techniques": ["T1059.001"],
    "requiredDataConnectors": [
      { "connectorId": "MicrosoftThreatProtection", "dataTypes": ["DeviceProcessEvents"] }
    ],
    "queryPeriod": "14d",
    "queryFrequency": "1d",
    "triggerOperator": "gt",
    "triggerThreshold": 0,
    "query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ProcessCommandLine contains '-enc'",
    "suppressionEnabled": false
  }
}
```

Question 16 (medium, multiple choice)

During a threat hunt, you discover that a PowerShell script executed on multiple servers and established outbound connections to an external IP address. Which data source should you query in Microsoft Defender XDR to identify the specific command-line arguments used?

Question 17 (hard, multiple choice)

Your threat hunt aims to detect possible Kerberoasting attacks. Which KQL query in Microsoft Sentinel would best identify service principal name (SPN) requests from unusual accounts?

Question 18 (easy, multiple choice)

You are threat hunting for signs of credential dumping via LSASS access. Which Advanced Hunting schema table in Microsoft Defender XDR should you primarily query to find processes that opened a handle to LSASS?

Question 19 (medium, multiple choice)

Your threat hunt involves correlating alerts from Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint. Which Microsoft Sentinel integration should you use to unify these alerts for hunting?

Question 20 (hard, multiple choice)

During a hunt, you find that a user account has logged in from an IP address associated with a known command-and-control (C2) server. The hunt also reveals that the same IP accessed a SharePoint site containing sensitive documents. Which Microsoft Purview feature should you use to investigate data exfiltration?

Question 21 (easy, multiple choice)

You need to create a custom detection rule in Microsoft Sentinel that alerts when an anomalous number of failed logons occur from a single IP address within 5 minutes. Which KQL operator should you use to count failed logons per IP?

Question 22 (medium, multiple choice)

Your threat hunt identifies that an attacker used a previously unknown malware variant to move laterally. Which Microsoft Defender XDR feature would you use to automatically block the file based on behavioral detection?

Question 23 (hard, multiple choice)

You are investigating a potential DCSync attack. Which Advanced Hunting query in Microsoft Defender XDR would best detect a process making atypical directory replication requests?

Question 24 (easy, multiple choice)

You are hunting for signs of pass-the-hash (PtH) attacks. Which Windows Security Event ID should you focus on to detect anomalous NTLM authentication using a hash?

Question 25 (medium, multi select)

Which TWO data sources are most relevant for threat hunting for lateral movement using remote service creation (e.g., WMI, PsExec)?

Question 26 (hard, multi select)

Which THREE techniques would you use in Microsoft Sentinel to hunt for data exfiltration over DNS?

Question 27 (easy, multi select)

Which TWO built-in Microsoft Sentinel hunting queries are useful for detecting signs of compromised credentials?

Question 28 (medium, multiple choice)

A security analyst is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. Which KQL function is most appropriate to identify anomalous Kerberos service ticket requests?

Question 29 (hard, multiple choice)

During a threat hunt, you discover a suspicious PowerShell command that decoded a base64 string and executed a script. Which Microsoft Defender for Endpoint advanced hunting table should you query to find the decoded command line?

Question 30 (easy, multiple choice)

A threat hunter wants to use Microsoft Sentinel's UEBA to identify anomalous behavior. Which data connector must be enabled to provide the necessary Azure Active Directory (now Microsoft Entra ID) sign-in logs for UEBA?

Question 31 (hard, multiple choice)

During a hunt, you find a device that made successive outbound connections to multiple IP addresses on port 445 (SMB) within a short time. Which type of activity does this pattern most likely indicate?

Question 32 (medium, multiple choice)

You are hunting for signs of Pass-the-Hash attacks using Microsoft Defender for Identity. Which alert should you look for in Microsoft Defender XDR?

Question 33 (easy, multiple choice)

To hunt for malicious PowerShell encoded commands, which columns in the DeviceProcessEvents table in Microsoft 365 Defender advanced hunting should you focus on?

Question 34 (hard, multiple choice)

A threat hunter suspects a data exfiltration attempt via DNS tunneling. Which KQL query would best detect unusual DNS query patterns in Microsoft Sentinel?

Question 35 (medium, multiple choice)

While hunting, you notice a user account has been created and then immediately added to the Domain Admins group. Which table in Microsoft 365 Defender should you query to find this event?

Question 36 (easy, multiple choice)

You are hunting for suspicious scheduled tasks that could be used for persistence. Which Microsoft 365 Defender advanced hunting table contains information about scheduled tasks?

Question 37 (medium, multi select)

Which TWO data sources are essential for threat hunting in Microsoft Sentinel to detect lateral movement?

Question 38 (hard, multi select)

Which THREE indicators are commonly associated with ransomware activity in Microsoft Sentinel threat hunting?

Question 39 (easy, multi select)

Which TWO Microsoft Sentinel hunting features can be used to automatically surface suspicious activities without manual query writing?

Question 40 (medium, multiple choice)

You are reviewing a hunting query that identifies accounts with failed logons followed by successful logons from the same IP. The query returns no results even though you suspect brute force activity. What is the most likely issue?

Exhibit

Refer to the exhibit.
```kusto
// KQL query used in a Sentinel hunting query
let TimeWindow = 1h;
let Threshold = 5;
let FailedLogons = 
    SecurityEvent
    | where TimeGenerated > ago(TimeWindow)
    | where EventID == 4625
    | summarize FailedCount = count() by Account, SourceIP
    | where FailedCount > Threshold;
FailedLogons
| join kind=inner (
    SecurityEvent
    | where TimeGenerated > ago(TimeWindow)
    | where EventID == 4624
    | summarize LogonCount = count() by Account, SourceIP
) on Account, SourceIP
| where LogonCount > 0
```

Question 41 (hard, multiple choice)

You are creating a custom hunting query in Microsoft Sentinel for PowerShell Empire indicators. After deploying, the query never returns results, even though you know Empire activity exists in the environment. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Hunt for PowerShell Empire",
    "description": "Searches for common PowerShell Empire indicators",
    "query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ProcessCommandLine contains 'Reflection.Assembly' or ProcessCommandLine contains 'System.Net.WebClient'",
    "tactics": ["Execution"],
    "techniques": ["T1059.001"],
    "inputEntityType": "host",
    "requiredDataConnectors": [
      {
        "connectorId": "MicrosoftThreatProtection"
      }
    ]
  }
}
```

Question 42 (easy, multiple choice)

A threat hunter runs this KQL query to find devices making many outbound SMB connections. The result shows a device 'DC01' connecting to over 100 different IPs on port 445. What is the most likely explanation?

Exhibit

Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel hunting
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort == 445
| summarize TotalConnections = count() by DeviceName, RemoteIP
| where TotalConnections > 100
| project DeviceName, RemoteIP, TotalConnections
```

Question 43 (medium, multiple choice)

You are performing a threat hunt in Microsoft Sentinel and have a KQL query that returns a high number of false positives. You want to reduce the noise without missing real threats. Which approach should you take?

Question 44 (easy, multiple choice)

During a threat hunt in Microsoft Defender XDR, you notice repeated failed logon attempts from an IP address that belongs to a known anonymizer service. What is the first action you should take?

Question 45 (hard, multiple choice)

Your threat hunting team is using Microsoft Sentinel with User and Entity Behavior Analytics (UEBA). You want to identify anomalous outbound data transfers that may indicate data exfiltration. Which KQL function should you use to compare current activity against a baseline?

Question 46 (medium, multiple choice)

You are reviewing a threat hunting KQL query in Microsoft Sentinel. The query references an external CSV containing malicious IPs. The query returns no results despite known malicious activity. What is the most likely issue?

Exhibit

Refer to the exhibit.
```kusto
let HuntingTimeRange = 7d;
let MaliciousIPs = externaldata(IP:string)
["https://raw.githubusercontent.com/stixproject/.../malicious_ips.csv"]
with (format="csv");
DeviceNetworkEvents
| where Timestamp > ago(HuntingTimeRange)
| where RemoteIP in (MaliciousIPs)
| project Timestamp, DeviceName, RemoteIP, RemotePort, InitiatingProcessFileName
```

Question 47 (easy, multiple choice)

You are a threat hunter and you want to identify potential lateral movement in your environment. Which Microsoft Defender XDR hunting table would you query to find network connections from a compromised workstation to other internal devices?

Question 48 (hard, multiple choice)

You are analyzing the query shown in the exhibit in Microsoft 365 Defender advanced hunting. The goal is to identify potentially compromised accounts used only once. The query returns thousands of results including many normal single logons. How can you refine the query to reduce false positives?

Exhibit

Refer to the exhibit.
```kusto
IdentityLogonEvents
| where Timestamp > ago(14d)
| where AccountUpn endswith "@contoso.com"
| summarize LogonCount = count() by AccountUpn, IPAddress, Application
| where LogonCount == 1
| project AccountUpn, IPAddress, Application
```

Question 49 (medium, multiple choice)

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a known malicious URL. The script was run on multiple workstations. Which Microsoft Defender XDR action should you take to contain the threat?

Question 50 (easy, multiple choice)

You are threat hunting for credential dumping activity. Which Windows event ID is commonly associated with the use of tools like Mimikatz?

Question 51 (hard, multiple choice)

You are creating a custom detection rule in Microsoft Sentinel using the JSON shown in the exhibit. The rule does not trigger any alerts despite known PowerShell encoded commands executing. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Hunt for suspicious PowerShell",
    "description": "Detects base64 encoded PowerShell commands.",
    "query": "DeviceProcessEvents | where FileName == 'powershell.exe' | where ProcessCommandLine contains '-EncodedCommand'",
    "tactics": ["Execution", "DefenseEvasion"],
    "techniques": ["T1059.001", "T1027"],
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0
  }
}
```

Question 52 (medium, multi select)

Which TWO Microsoft 365 Defender advanced hunting tables would you use together to investigate a potential data exfiltration via email?

Question 53 (hard, multi select)

Which THREE actions are recommended when conducting a threat hunting exercise in Microsoft Sentinel using the MITRE ATT&CK framework?

Question 54 (easy, multi select)

Which TWO data sources in Microsoft Sentinel are commonly used for threat hunting related to lateral movement?

Question 55 (medium, multiple choice)

You are a threat hunter using PowerShell on a Windows 10 device. The command returns no output for a known threat ID. What is the most likely reason?

Exhibit

Refer to the exhibit.
```powershell
$hunt = Get-MpThreat -ThreatID 12345
$hunt | Format-List
```

Question 56 (easy, multiple choice)

You are using Microsoft Sentinel UEBA to hunt for insider threats. Which entity type would you investigate to detect unusual access to sensitive data?

Question 57 (hard, multiple choice)

You are analyzing the KQL query shown in the exhibit in Microsoft Sentinel. The query is designed to find devices with high outbound SMB (port 445) connections to suspicious public IPs. However, the query returns no results. What is the most likely issue?

Exhibit

Refer to the exhibit.
```kusto
let TimeRange = 7d;
let SuspiciousIPs = materialize(
   DeviceNetworkEvents
   | where Timestamp > ago(TimeRange)
   | where RemoteIPType == "Public"
   | where RemotePort == 445
   | summarize Count = count() by RemoteIP
   | where Count > 100
);
DeviceNetworkEvents
| where Timestamp > ago(TimeRange)
| where RemoteIP in (SuspiciousIPs)
| summarize ConnectionCount = count() by DeviceName, RemoteIP
```

Question 58 (medium, multiple choice)

You are a security analyst using Microsoft Sentinel. You want to proactively search for signs of a specific threat actor known to use PowerShell encoded commands. Which hunting technique is most appropriate?

Question 59 (hard, multiple choice)

Your organization uses Microsoft Defender XDR for threat hunting. You suspect a threat actor is using scheduled tasks for persistence. Which hunting query would you use in Microsoft 365 Defender advanced hunting to find newly created scheduled tasks?

Question 60 (easy, multiple choice)

During a threat hunting exercise, you need to pivot from a suspicious IP address to find all related alerts and incidents in Microsoft Sentinel. Which feature should you use?

Question 61 (medium, multiple choice)

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft 365 Defender. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.

```kusto
let T = (DeviceEvents
| where ActionType startswith 'ScheduledTask'
| where Timestamp > ago(7d)
| summarize count() by ActionType, bin(Timestamp,1h));
T
| where count_ > 10
| order by Timestamp desc
```

Question 62 (hard, multiple choice)

You are hunting for signs of Kerberoasting in Microsoft Sentinel. Which hunting query using KQL would you use to identify service principal names (SPNs) being queried via Kerberos TGS requests?

Question 63 (easy, multiple choice)

Your team is conducting a threat hunt for data exfiltration using Microsoft Defender for Cloud Apps. Which activity is most suspicious and should be included in the hunting query?

Question 64 (medium, multi select)

Which TWO techniques are commonly used in threat hunting with Microsoft Sentinel to identify lateral movement? (Choose two.)

Question 65 (hard, multi select)

Which THREE approaches are effective for hunting threats in Microsoft Defender XDR using advanced hunting? (Choose three.)

Question 66 (easy, multi select)

Which TWO data sources in Microsoft Sentinel are most valuable for hunting for command-and-control (C2) communications? (Choose two.)

Question 67 (medium, multiple choice)

Refer to the exhibit. This JSON defines a scheduled analytics rule in Microsoft Sentinel. Which type of threat is the rule primarily designed to detect?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "query": "(union isfuzzy=true\n  (DeviceProcessEvents\n  | where FileName == \"rundll32.exe\"\n  | where ProcessCommandLine contains \"javascript\"\n  ),\n  (DeviceNetworkEvents\n  | where RemoteIPType == \"Public\"\n  | where Protocol == \"HTTP\"\n  )\n)",
    "queryFrequency": "1h",
    "queryPeriod": "1h",
    "triggerOperator": "gt",
    "triggerThreshold": 1
  }
}
```

Question 68 (hard, multiple choice)

Refer to the exhibit. This KQL query is used for threat hunting in Microsoft Defender XDR. What is the primary goal of this query?

Exhibit

Refer to the exhibit.

```kusto
let baseline = (DeviceLogonEvents
| where Timestamp > ago(30d)
| summarize LogonCount = count() by AccountUpn, bin(Timestamp,1d)
| summarize avg(LogonCount), stdev(LogonCount) by AccountUpn);
DeviceLogonEvents
| where Timestamp > ago(1d)
| summarize DailyCount = count() by AccountUpn
| join kind=inner baseline on AccountUpn
| where DailyCount > (avg_LogonCount + 2*stdev_LogonCount)
```

Question 69 (easy, multiple choice)

You are threat hunting for signs of Microsoft 365 mailbox compromise. Which hunting query in Microsoft 365 Defender would be most effective for identifying suspicious mailbox forwarding rules?

Question 70 (medium, multiple choice)

During a threat hunt in Microsoft Sentinel, you find a series of suspicious sign-ins to Microsoft Entra ID from an IP address known to be associated with a threat actor. Which entity should you pivot on to investigate further?

Question 71 (hard, multiple choice)

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft Defender XDR. What is the most likely scenario this query is designed to detect?

Exhibit

Refer to the exhibit.

```kusto
DeviceFileEvents
| where Timestamp > ago(7d)
| where FolderPath contains @"\Users\" and FolderPath endswith @"\Desktop"
| where FileName matches regex @"^[a-z]{8}\.scr$"
| where isnotempty(SHA256)
| join kind=inner (DeviceNetworkEvents
| where RemoteIPType == "Private"
| where Protocol == "SMB"
) on DeviceId
| project Timestamp, DeviceName, FileName, SHA256, RemoteIP
```

Question 72 (medium, multiple choice)

You are a SOC analyst using Microsoft Sentinel. You need to create a hunting query that searches for unusual outbound RDP connections from workstations. Which KQL operators or functions would be most essential for this query?

Question 73 (hard, multiple choice)

An analyst is reviewing a series of alerts in Microsoft Defender XDR indicating potential lateral movement. Which KQL query in Microsoft Sentinel would best identify anomalous RDP connections to servers not typically accessed remotely?

Question 74 (medium, multiple choice)

You are investigating a potential data exfiltration incident. You notice a user uploading large amounts of data to a cloud storage service that the organization has not approved. Which Microsoft Defender XDR feature would best help you hunt for similar patterns across all users?

Question 75 (easy, multiple choice)

During a threat hunt, you want to identify processes that have made network connections to known malicious IP addresses. Which data source in Microsoft Defender for Endpoint would provide the necessary information?

Question 76 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to create a hunting query that finds users who have accessed a high number of distinct Azure resources within a short time frame, which may indicate credential theft. Which KQL query would be most effective?

Question 77 (medium, multiple choice)

You are hunting for signs of credential dumping using Mimikatz. Which process events in Microsoft Defender for Endpoint would most likely indicate this activity?

Question 78 (hard, multiple choice)

An analyst uses this KQL query in Microsoft Sentinel to hunt for potential brute-force attacks. What is the primary purpose of the join operation?

Exhibit

Refer to the exhibit.
```kusto
let threshold = 10;
IdentityLogonEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft Entra ID"
| summarize FailedAttempts = countif(LogonType != "Success") by AccountUpn, IPAddress
| where FailedAttempts > threshold
| join kind=inner (IdentityLogonEvents
    | where Timestamp > ago(7d)
    | where Application == "Microsoft Entra ID" and LogonType == "Success"
    | summarize SuccessfulLogons = count() by AccountUpn, IPAddress)
    on AccountUpn, IPAddress
| project AccountUpn, IPAddress, FailedAttempts, SuccessfulLogons
```

Question 79 (easy, multiple choice)

You are hunting for signs of ransomware activity. Which of the following behaviors in Microsoft Defender for Endpoint should you prioritize as a high-confidence indicator?

Question 80 (medium, multiple choice)

During a threat hunt in Microsoft Sentinel, you find a query that returns a high number of false positives. Which action should you take to refine the hunt?

Question 81 (hard, multiple choice)

Refer to the exhibit. A custom detection rule in Microsoft Sentinel uses this JSON definition. An analyst notices that the rule is generating alerts for legitimate administrative scripts launched from File Explorer. What is the best way to reduce false positives while retaining detection of malicious Office-based PowerShell launches?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Suspicious PowerShell Execution",
  "description": "Detects PowerShell launching from unusual parent processes",
  "query": "DeviceProcessEvents | where FileName == 'powershell.exe' and ParentFileName in~ ('explorer.exe', 'winword.exe', 'excel.exe')",
  "tactics": ["Execution"],
  "techniques": ["T1059.001"],
  "severity": "Medium"
}
```
Question 82 (medium, multi select)

Which TWO of the following are valid methods to perform threat hunting in Microsoft Sentinel? (Choose TWO.)

Question 83 (hard, multi select)

Which THREE of the following are key considerations when designing a threat hunting program in Microsoft Defender XDR and Microsoft Sentinel? (Choose THREE.)

Question 84 (easy, multi select)

Which TWO of the following KQL functions are commonly used in threat hunting queries to identify outliers? (Choose TWO.)

Question 85 (medium, multiple choice)

An analyst runs this PowerShell script to query Microsoft Sentinel data. The query returns no results. What is the most likely reason?

Exhibit

Refer to the exhibit.
```powershell
# PowerShell script to run a custom hunting query in Microsoft Sentinel via REST API
$query = @"
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "javascript"
| summarize Count = count() by DeviceName
| where Count > 5
"@
$workspaceId = "12345678-1234-1234-1234-123456789abc"
$body = @{query = $query} | ConvertTo-Json
Invoke-RestMethod -Uri "https://api.loganalytics.io/v1/workspaces/$workspaceId/query" -Method Post -Body $body -ContentType "application/json"
```
Question 86 (easy, multiple choice)

Which Microsoft Sentinel feature allows you to query data across multiple workspaces in a single KQL query?

Question 87 (hard, multiple choice)

You are conducting a threat hunt in Microsoft Defender XDR and want to identify devices that have recently communicated with a known C2 server IP address. Which advanced hunting table should you query?

Question 88 (medium, multiple choice)

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network traffic from a compromised virtual machine. Which data source should be prioritized for this hunt?

Question 89 (hard, multiple choice)

During a threat hunt in Microsoft Defender XDR, an analyst discovers that a specific user account has been executing unusual PowerShell commands from a non-corporate device. The analyst wants to investigate the timeline of these activities across all Microsoft 365 services. Which advanced hunting schema should be used to correlate these events?

Question 90 (easy, multiple choice)

A threat hunter in Microsoft Sentinel wants to detect attempts to disable security logging on Windows servers using a KQL query. Which Windows Event ID should the query filter on to capture security log clearing events?

Question 91 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you find that a user accessed a sensitive SharePoint site from an anonymous IP address. Which hunting method would best identify all users who accessed the same site from similar anonymous IPs?

Question 92 (hard, multiple choice)

You are threat hunting in Microsoft Sentinel and have enabled UEBA. You want to detect a possible privilege escalation where a user creates a new user account and adds it to a privileged role within minutes. Which UEBA anomaly type should you investigate?

Question 93 (easy, multiple choice)

A threat hunter is using Microsoft Defender XDR Advanced hunting to find evidence of credential dumping. Which table should be queried to detect use of tools like Mimikatz?

Question 94 (medium, multiple choice)

During a threat hunt, you find an alert for a suspicious PowerShell script that encoded a payload. You want to decode the script to understand its intent. Which Microsoft Sentinel feature can assist with this task?

Question 95 (hard, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You are hunting for signs of a possible Kerberos Golden Ticket attack. Which advanced hunting table should you query to detect anomalous Kerberos ticket-granting ticket (TGT) requests?

Question 96 (easy, multiple choice)

While threat hunting in Microsoft Defender for Cloud Apps, you notice a user has an unusually high number of failed login attempts from a single IP address. What is the most effective next step to determine if this is a brute-force attack?

Question 97 (hard, multiple choice)

The KQL query in the exhibit is used in a threat hunt. What is the most likely scenario this query is designed to detect?

Exhibit

Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName == "powershell.exe"
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "javascript:"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
```
Question 98 (medium, multiple choice)

The exhibit shows a hunting query definition in Microsoft Sentinel. What is the primary issue with this hunting query?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Solorigate Hunt",
    "description": "Hunt for Solorigate activity",
    "tactics": ["Persistence", "DefenseEvasion"],
    "relevantTechniques": ["T1053", "T1562"],
    "query": "DeviceEvents | where Timestamp > ago(7d) | where ActionType == 'DnsQueryResponse' | where RemoteIP in (ipv4_lookup('solorigate_ips', 'RemoteIP'))"
  }
}
```
Question 99 (medium, multiple choice)

A threat hunter runs the KQL query in the exhibit in Microsoft Sentinel. What is the main limitation of this query?

Exhibit

Refer to the exhibit.
```kusto
let suspiciousIPs = externaldata(IP:string)
["https://raw.githubusercontent.com/threatlist/suspicious-ips.txt"]
with(format="csv");
IdentityLogonEvents
| where Timestamp > ago(1d)
| where IPAddress in (suspiciousIPs)
| summarize LogonCount = count() by IPAddress, AccountUpn
| where LogonCount > 5
```
Question 100 (hard, multi select)

Which TWO actions are effective when threat hunting for lateral movement using Remote Desktop Protocol (RDP) in Microsoft Defender XDR?

Question 101 (medium, multi select)

Which THREE data sources should be included in a threat hunt to detect data exfiltration via DNS tunneling in Microsoft Sentinel?

Question 102 (easy, multi select)

Which THREE actions are recommended when conducting a threat hunt for compromised identities using Microsoft Sentinel UEBA?

Question 103 (medium, multiple choice)

During a threat hunt in Microsoft Sentinel, you identify a series of successful logins from an unusual IP address to multiple Azure VM instances. The logins occur outside business hours. Which hunting technique would be most effective to correlate these events with potential lateral movement?

Question 104 (easy, multiple choice)

A security analyst is hunting for signs of credential dumping using Microsoft Defender for Endpoint. Which advanced hunting query should the analyst use to detect the use of Mimikatz?

Question 105 (hard, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During a hunt, you notice that some alerts from Microsoft Defender for Identity are not appearing in Sentinel. You have verified the connector is enabled and data is flowing for other Defender products. What is the most likely cause?

Question 106 (medium, multiple choice)

Refer to the exhibit. You are reviewing a KQL query used in a threat hunting campaign. What is the primary purpose of this query?

Exhibit

```json
{
  "huntQuery": "let threshold = 5;\nSigninLogs\n| where TimeGenerated > ago(7d)\n| summarize SigninCount = count() by UserPrincipalName, IPAddress, AppDisplayName\n| where SigninCount > threshold\n| join kind=leftouter (\n    AADUserRiskEvents\n    | where TimeGenerated > ago(7d)\n    | summarize RiskCount = count() by UserPrincipalName\n) on UserPrincipalName\n| project UserPrincipalName, IPAddress, AppDisplayName, SigninCount, RiskCount\n| order by SigninCount desc\n"
}
```
Question 107 (medium, multiple choice)

You are a threat hunter investigating a potential data exfiltration via Microsoft Teams. You need to identify if any users have shared sensitive files externally. Which hunting approach should you use?

Question 108 (hard, multiple choice)

During a hunt, you discover that an attacker used a valid but compromised service principal to authenticate to Azure Key Vault and export secrets. Which Microsoft Sentinel hunting query would best identify similar activity across your environment?

Question 109 (easy, multiple choice)

You are hunting for signs of ransomware in your environment using Microsoft 365 Defender. Which advanced hunting table should you primarily query to detect file encryption events?

Question 110 (medium, multiple choice)

As a threat hunter, you want to proactively search for signs of privilege escalation using the 'AzureHound' tool within your Microsoft Sentinel environment. Which data source is most relevant to ingest to detect AzureHound usage?

Question 111 (hard, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You are hunting for a threat that uses 'process hollowing' to evade detection. Which advanced hunting query in Microsoft Defender for Endpoint would be most effective?

Question 112 (medium, multi select)

Which TWO of the following are valid techniques for threat hunting using Microsoft Sentinel? (Select TWO.)

Question 113 (hard, multi select)

Which THREE of the following are best practices for performing threat hunting in Microsoft Defender XDR? (Select THREE.)

Question 114 (medium, multi select)

Which TWO of the following are valid methods to detect Kerberoasting attacks during a threat hunt? (Select TWO.)

Question 115 (hard, multiple choice)

You are a threat hunter at Contoso, a multinational company with 10,000 employees. Your production environment includes: Microsoft 365 E5 licenses; Microsoft Sentinel in a central Log Analytics workspace; Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps; and Microsoft Entra ID P2. You are tasked with hunting for a potential advanced persistent threat (APT) that may have compromised a high-privilege account. The threat intelligence team has reported that the APT group uses living-off-the-land binaries (LOLBins) to execute malicious code and uses encrypted tunnels to C2 servers. You need to design a hunting query in Microsoft Sentinel that correlates multiple data sources to identify suspicious LOLBin usage combined with unusual network connections. Which approach should you take?

Question 116 (medium, multiple choice)

You are a threat hunter at Fabrikam, a mid-sized company with 2,000 users. Your environment uses: Microsoft 365 E3 licenses; Microsoft Sentinel with the Microsoft 365 Defender connector; Microsoft Defender for Office 365; and Microsoft Defender for Endpoint (without Microsoft Defender for Identity). You are investigating a suspicious email campaign where some users received phishing emails with links to a credential harvesting page. You want to proactively search for any users who may have entered credentials on the phishing page. You have no direct logs from the phishing server. Which hunting approach should you use in Microsoft Sentinel?

Question 117 (easy, multiple choice)

You are a security analyst at Wingtip Toys, a small business with 500 users. You have Microsoft 365 Business Premium licenses and Microsoft Sentinel deployed. You are conducting a threat hunt for signs of brute-force attacks against your Azure AD tenant. You want to identify IP addresses that have attempted multiple failed sign-ins across different user accounts within a short time window. You have access to the SigninLogs table in Microsoft Sentinel. Which KQL query should you use?

Question 118 (medium, multiple choice)

You are investigating a series of failed logon attempts across multiple on-premises servers. You want to use Microsoft Sentinel to hunt for patterns of brute-force attacks. Which data source should you ingest to capture detailed authentication events from domain controllers?

Question 119 (hard, multiple choice)

During a threat hunt, you notice an unusual number of DNS queries for randomly generated subdomains from a single workstation. You suspect data exfiltration via DNS tunneling. Which KQL query in Microsoft Sentinel would best help you identify the suspicious domain names?

Question 120 (hard, multiple choice)

Refer to the exhibit. You are reviewing a custom hunting query in Microsoft Defender XDR. The query aims to identify devices with more than 100 outbound connections in the last 30 days to IPs that appear in active threat intelligence indicators. However, the query returns no results. What is the most likely cause?

Exhibit

```json
{
  "QueryText": "DeviceNetworkEvents | where RemoteIPType == 'Public' and Timestamp > ago(30d) | summarize ConnectionCount = count() by DeviceName, RemoteIP | where ConnectionCount > 100 | join kind=inner (ThreatIntelligenceIndicator | where Active == true) on $left.RemoteIP == $right.NetworkIP",
  "QueryDescription": "Hunt for devices making high-volume outbound connections to known threat intelligence IPs"
}
```
Question 121 (easy, multiple choice)

You are conducting a threat hunt for possible credential dumping using Mimikatz. Which Windows Security Event ID should you focus on in Microsoft Sentinel to detect potential use of Mimikatz?

Question 122 (medium, multiple choice)

Your organization uses Microsoft Sentinel with custom analytics rules. During a threat hunt, you want to identify lateral movement using pass-the-hash techniques. Which data source combination is most effective?

Question 123 (medium, multiple choice)

While hunting in Microsoft Sentinel, you find a KQL query that uses the `evaluate` operator with `bag_unpack` to expand JSON properties. The query runs slowly and times out. What is the best practice to optimize this query?

Question 124 (hard, multiple choice)

You are hunting for signs of ransomware using Microsoft Defender XDR's advanced hunting. Which query pattern would best identify a process that encrypts many files in a short time?

Question 125 (medium, multi select)

Which TWO data sources are most useful for detecting unauthorized lateral movement in a hybrid environment using Microsoft Sentinel?

Question 126 (hard, multi select)

Which THREE techniques are effective for hunting for living-off-the-land (LotL) attacks using Microsoft Sentinel?

Question 127 (easy, multi select)

Which TWO are common indicators of compromise (IOCs) used in threat hunting with Microsoft Sentinel?

Question 128 (easy, multiple choice)

You are hunting for possible data exfiltration via email in Microsoft 365. Which data source in Microsoft Sentinel provides the most relevant telemetry for email forwarding rules?

Question 129 (hard, multiple choice)

Refer to the exhibit. You are using a hunting query in Microsoft Defender XDR to find devices generating excessive DNS queries. The query returns many results, but you want to exclude legitimate DNS servers. What is the best approach to refine the query?

Exhibit

```json
{
  "QueryText": "DeviceNetworkEvents | where RemotePort == 53 and Timestamp > ago(1d) | summarize count() by DeviceName, RemoteIP | where count_ > 1000",
  "QueryDescription": "Hunt for potential DNS amplification attacks from internal devices"
}
```
Question 130 (hard, multiple choice)

You are a security analyst at Contoso, a multinational company with 10,000 endpoints. You are using Microsoft Sentinel and Microsoft Defender XDR for threat hunting. In the past week, you have observed an increase in failed logon events (Event ID 4625) from multiple workstations towards a single domain controller, targeting the built-in Administrator account. The source IPs are a mix of internal and external addresses. You suspect a password spraying attack. You need to confirm the attack and identify all affected accounts. You have access to Windows Security Events ingested into Sentinel. Which single KQL query would best identify accounts with repeated failed logons across multiple source IPs, indicating password spraying?

Question 131 (medium, multiple choice)

You are a security analyst at Fabrikam using Microsoft Sentinel. You are conducting a threat hunt for signs of remote code execution (RCE) via the Windows Event Log. You want to detect suspicious service creation that could indicate lateral movement. Specifically, you want to find events where a service was created (Event ID 7045) on a server, and within 5 minutes, a network connection was established from that server to another internal server. You have SecurityEvent and CommonSecurityLog tables ingested. Which KQL query should you use?

Question 132 (medium, multiple choice)

You are a security analyst at Wingtip Toys using Microsoft Defender XDR. You are hunting for signs of privilege escalation via SeDebugPrivilege abuse. You want to find processes that have enabled SeDebugPrivilege and then accessed LSASS (Event ID 10). You have the DeviceProcessEvents and DeviceEvents tables available. Which advanced hunting query would best identify this pattern?

Question 133 (easy, multi select)

Which TWO actions are essential for configuring Microsoft Sentinel to support effective threat hunting?

Question 134 (easy, multi select)

A threat hunter wants to use Jupyter Notebooks in Microsoft Sentinel for hypothesis-driven hunting. Which THREE steps should the hunter take to set up and use this capability?

Question 135 (medium, multiple choice)

Your organization uses Microsoft Sentinel to monitor a hybrid environment consisting of on-premises servers and cloud workloads in Azure. As a threat hunter, you have been tasked with identifying potential lateral movement using pass-the-hash (PtH) attacks. You have enabled UEBA and connected Windows Event Logs, including Event ID 4624 (logon) and 4648 (explicit credentials). You need to create a hunting query that surfaces anomalous remote logons where the same account logs on from a non-domain-joined machine using NTLM authentication. Which KQL query should you use to start your hunt?

Question 136 (medium, multiple choice)

Your team is using Microsoft 365 Defender advanced hunting to investigate a possible data exfiltration incident. The security team suspects that an internal attacker used a compromised SharePoint Online account to download sensitive files from multiple sites. You need to build a hunting query that identifies all file download activities from SharePoint Online for a specific user account over the past 7 days, and then calculates the total size of downloaded files. Which KQL query should you use?

Question 137 (hard, multiple choice)

As a threat hunter at Contoso, you are investigating a potential advanced persistent threat (APT) that may have compromised multiple Azure subscriptions. You have Microsoft Defender for Cloud enabled and Microsoft Sentinel collecting data from all subscriptions. You suspect the attacker is using Azure Resource Manager operations to create malicious resources. You need to create a hunting query that identifies anomalous Azure management operations, specifically focusing on operations that create new resources (e.g., virtual machines, storage accounts) from unusual IP addresses or at unusual times. Which approach should you take?

Question 138 (hard, multiple choice)

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. As a threat hunter, you receive an alert about a potential DCSync attack. You want to hunt for any other instances of this attack across your domain controllers over the past 30 days. Which hunting query should you run in Microsoft 365 Defender advanced hunting?

Question 139 (hard, multiple choice)

Your team is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. You have enabled Advanced Security Audit Policy on domain controllers to log Kerberos service ticket operations (Event ID 4769). You need to create a KQL query that identifies potential golden ticket use by looking for service tickets that have anomalous attributes, such as ticket encryption type 0x17 (RC4) combined with a long lifetime or unusual service names. Which KQL query should you use?

Question 140 (medium, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector to ingest alerts and incidents from Defender for Endpoint, Defender for Office 365, and Defender for Identity. As a threat hunter, you want to proactively search for devices that may be communicating with known malicious IP addresses that have not yet triggered an alert. You have a list of known malicious IP addresses from an external threat intelligence feed. Which approach should you take to perform this hunt efficiently?

Question 141 (medium, multiple choice)

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network connections from a compromised workstation. The analyst suspects that a beaconing pattern is present. Which KQL function is most appropriate to detect periodic beaconing behavior over time?

Question 142 (hard, multiple choice)

During a threat hunt, an analyst discovers that a user's device has been sending large amounts of data to an external IP address associated with a known C2 server. The analyst wants to trace the process responsible for the outbound connections. Which Microsoft Defender for Endpoint advanced hunting table should be queried to find the process that initiated the network connections?

Question 143 (easy, multiple choice)

A threat hunter wants to use Microsoft Sentinel to hunt for signs of brute-force attacks against Azure AD (now Microsoft Entra ID). Which data connector should be enabled to ingest sign-in logs?

Question 144 (medium, multiple choice)

A threat hunter is analyzing a suspicious email that bypassed Microsoft Defender for Office 365. The email contains a link to a malicious website. The hunter wants to identify all users who clicked the link. Which hunting query in Microsoft 365 Defender should be used?

Question 145 (medium, multiple choice)

During a threat hunt, a security analyst uses Microsoft Sentinel and identifies a series of failed logon attempts from a single IP address targeting multiple user accounts. The analyst wants to create a scheduled analytics rule that generates an alert when the same IP address fails to log on to more than 10 different accounts within 5 minutes. Which KQL operator should be used to count distinct accounts per IP?

Question 146 (hard, multiple choice)

A threat hunter is investigating a potential data exfiltration incident. The hunter suspects that a user is using an unauthorized cloud storage service. Which Microsoft Defender for Cloud Apps signal would be most useful to detect this activity?

Question 147 (easy, multiple choice)

A threat hunter wants to use KQL in Microsoft Sentinel to find all events from the SecurityEvent table where the event ID is 4625 (failed logon) and the account name is not 'SYSTEM'. Which query achieves this?

Question 148 (hard, multiple choice)

A threat hunter is using Microsoft Sentinel and wants to leverage machine learning to detect anomalous behavior in Azure subscription activity. Which analytics rule template should the hunter use?

Question 149 (easy, multiple choice)

A threat hunter wants to correlate alerts from multiple Microsoft security products in Microsoft Sentinel. Which feature should be used to create a unified incident?

Question 150 (hard, multi select)

Which TWO of the following are valid approaches to perform threat hunting using Microsoft Sentinel? (Choose two.)

Question 151 (medium, multi select)

Which THREE of the following are valid sources of data that a threat hunter can use in Microsoft Sentinel for hunting? (Choose three.)

Question 152 (medium, multi select)

Which TWO of the following are effective techniques for identifying lateral movement in Microsoft Defender for Endpoint advanced hunting? (Choose two.)

Question 153 (medium, multiple choice)

During threat hunting, you identify a suspicious PowerShell process that executed encoded commands. Which Microsoft Defender XDR hunting capability would best help you trace the parent process and command-line arguments across the enterprise?

Question 154 (hard, multiple choice)

A threat hunter wants to proactively identify devices that may have been compromised by a known adversary using DLL side-loading techniques. Which Microsoft Sentinel solution or feature should the hunter leverage to create custom detection rules based on the latest threat intelligence?

Question 155 (easy, multiple choice)

Your threat hunting team uses Microsoft Sentinel. They want to search for anomalous network connections to known malicious IP addresses over the past 7 days. Which KQL operator should they use to match the source IP addresses against a watchlist containing the malicious IPs?

Question 156 (medium, multiple choice)

You are threat hunting in Microsoft Defender for Cloud Apps. You want to identify users who have enabled mailbox forwarding rules to external domains, which could indicate data exfiltration. Which log source should you query?

Question 157 (hard, multiple choice)

During a threat hunt, you discover a previously unknown malware variant that communicates over HTTPS to a command-and-control (C2) server. You want to create a custom detection in Microsoft Sentinel that triggers when any device in the organization resolves the C2 domain via DNS. Which data connector should you ensure is enabled?

Question 158 (easy, multiple choice)

Your team uses Microsoft Defender for Endpoint to hunt for signs of credential theft. You want to query for events where a process accesses the LSASS process memory. Which event type should you look for?

Question 159 (medium, multiple choice)

You are a threat hunter using Microsoft Sentinel. You have ingested syslog data from a Palo Alto firewall. You want to create a scheduled query rule that alerts when more than 10 outbound connections to a known bad IP address occur within 5 minutes. Which KQL function should you use to summarize the count?

Question 160 (hard, multiple choice)

While threat hunting, you find a suspicious scheduled task that runs a PowerShell script from a temp directory. You want to check if this task exists on other devices in the environment. Which Microsoft Defender for Endpoint advanced hunting table would you query?

Question 161 (easy, multiple choice)

Your organization uses Microsoft Defender for Office 365. You want to hunt for phishing emails that bypassed the initial filtering. Which feature should you use to manually submit suspicious emails for analysis and then review the results in the Threat Explorer?

Question 162 (medium, multi select)

Which TWO of the following are valid data sources for Microsoft Sentinel threat hunting? (Choose 2)

Question 163 (hard, multi select)

Which THREE of the following are valid techniques for threat hunting using Microsoft Defender for Cloud Apps? (Choose 3)

Question 164 (easy, multi select)

Which TWO of the following are recommended practices when performing threat hunting in Microsoft Sentinel? (Choose 2)

Question 165 (hard, multiple choice)

You are reviewing a hunting query. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel hunting
let TargetUsers = dynamic(["admin@contoso.com", "user1@contoso.com"]);
SigninLogs
| where TimeGenerated > ago(7d)
| where UserPrincipalName in (TargetUsers)
| where RiskLevelDuringSignIn == "medium"
| project TimeGenerated, UserPrincipalName, IPAddress, RiskLevelDuringSignIn
| join kind=leftouter (
    AADServicePrincipalSignInLogs
    | where TimeGenerated > ago(7d)
    | project ServicePrincipalName, IPAddress
) on IPAddress
| summarize Count = count() by UserPrincipalName
| where Count > 5
```
Question 166 (medium, multiple choice)

You are reviewing a Microsoft Sentinel scheduled analytics rule definition (JSON). What is the purpose of the "triggerThreshold": 0 setting?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Hunt for Midnight Blizzard IOCs",
    "description": "This hunting query looks for indicators associated with Midnight Blizzard.",
    "tactics": ["InitialAccess", "Persistence"],
    "relevantTechniques": ["T1566", "T1098"],
    "queryText": "let IOCs = externaldata(...); ...",
    "queryFrequency": "P1D",
    "queryPeriod": "P14D",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0
  }
}
```
Question 167 (medium, multiple choice)

You executed this Azure CLI command. What is the result?

Exhibit

Refer to the exhibit.
```azurecli
az sentinel hunting-query create --resource-group rg-contoso --workspace-name sentinel-workspace --name "Suspicious PowerShell" --query-text "DeviceProcessEvents ..."
```
Question 168 (medium, multiple choice)

A security analyst is performing threat hunting in Microsoft Sentinel using KQL. The analyst wants to identify all network connections initiated from a specific internal IP address (10.0.0.5) to external IP addresses in the last 24 hours. Which KQL query should the analyst use?

Question 169 (easy, multiple choice)

During a threat hunt, an analyst notices multiple failed logon events from a single user account across different workstations within a short time window. Which hunting technique is most appropriate to detect potential lateral movement?

Question 170 (medium, multiple choice)

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to find devices that have a specific file hash associated with a known malware variant. The analyst wants to include devices that have the file in any location, including quarantined items. Which table and column should be used?

Question 171 (easy, multiple choice)

A threat hunter wants to identify potential command and control (C2) communication by looking for DNS queries to domains with a high entropy and short TTL. Which advanced hunting query in Microsoft Defender XDR should be used?

Question 172 (medium, multiple choice)

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple workstations with encoded commands. The analyst wants to find all instances of this script across the environment. Which hunting method in Microsoft Sentinel is most effective?

Question 173 (easy, multiple choice)

A threat hunter wants to investigate a potential data exfiltration event involving large outbound file transfers to an unusual external IP. Which Microsoft Defender XDR advanced hunting table is most appropriate to start the investigation?

Question 174 (medium, multi select)

Which TWO actions are valid when performing threat hunting in Microsoft Sentinel using hunting queries? (Choose two.)

Question 175 (hard, multi select)

Which THREE data sources can be used in Microsoft Sentinel for threat hunting to detect unusual authentication patterns? (Choose three.)

Question 176 (easy, multi select)

Which TWO techniques are commonly used in threat hunting to identify potential malicious activity? (Choose two.)

Question 177 (medium, multiple choice)

A threat hunter is investigating a potential compromise involving a user account that has been used to sign in from multiple locations within a short time. The hunter wants to use Microsoft Sentinel to find all sign-in events for that user from different IP addresses in the last 24 hours. Which KQL query should be used?

Question 178 (hard, multiple choice)

A threat hunter is analyzing a potential advanced persistent threat (APT) that uses living-off-the-land binaries (LOLBins) like certutil.exe to download payloads. The hunter wants to find instances where certutil.exe was used to download files from the internet in the last week. Which KQL query in Microsoft Sentinel would be most effective?

Question 179 (hard, multiple choice)

Refer to the exhibit. You are analyzing a potential C2 communication pattern. The KQL query returns no results despite known malicious IPs being active. What is the most likely cause?

Exhibit

Refer to the exhibit.

```kql
let IPs = dynamic(['10.0.0.1', '10.0.0.2']);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteIP in (IPs)
| summarize count() by RemoteIP, DeviceName
| where count_ > 5
```
Question 180 (medium, multiple choice)

Your security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to correlate Azure AD sign-in logs with Microsoft Defender for Cloud Apps alerts. Which KQL operator should they use to join the two tables on the user principal name?

Question 181 (easy, multiple choice)

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a remote server. Which Microsoft Defender for Endpoint action type would most likely capture this behavior in DeviceEvents?

Question 182 (hard, multiple choice)

Refer to the exhibit. You are reviewing a custom scheduled analytics rule in Microsoft Sentinel. The rule is enabled but has not fired any alerts despite users having multiple locations in the last day. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "id": "12345678-1234-1234-1234-123456789012",
  "displayName": "Unusual Geographically Impossible Travel",
  "enabled": true,
  "alertRuleTemplateName": null,
  "query": "SigninLogs | where TimeGenerated > ago(1d) | summarize make_set(Location) by UserPrincipalName | where array_length(set_Location) > 1",
  "queryFrequency": "PT1H",
  "queryPeriod": "P1D",
  "severity": "Medium",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0
}
```
Question 183 (medium, multiple choice)

Your threat hunting team wants to identify all email messages that contained a specific malicious attachment hash in Microsoft 365. Which Microsoft Defender XDR data source should they query in Microsoft Sentinel?

Question 184 (easy, multiple choice)

While hunting for lateral movement, you want to find out which devices have established remote PowerShell sessions to other devices. Which Microsoft Defender for Endpoint advanced hunting table should you query?

Question 185 (hard, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a threat hunt, you want to identify AWS resources that have been compromised by correlating AWS CloudTrail logs with Microsoft Defender for Cloud security alerts. How should you ingest AWS CloudTrail logs into Microsoft Sentinel?

Question 186 (easy, multiple choice)

You are hunting for privileged account abuse in Microsoft Entra ID. Which table in Microsoft Sentinel contains audit logs for changes to directory roles?

Question 187 (medium, multiple choice)

Refer to the exhibit. You are investigating a user account that shows multiple logons to the Azure Portal from various countries within a short time. The query returns no results despite known logons. What is the most likely issue?

Exhibit

Refer to the exhibit.

```kql
let TargetUser = 'jdoe@contoso.com';
IdentityLogonEvents
| where Timestamp > ago(7d)
| where AccountUpn == TargetUser
| where Application == 'Azure Portal'
| summarize LogonCount = count() by IPAddress, Country
| where LogonCount > 10
```
Question 188 (hard, multi select)

Which TWO actions are part of the threat hunting process in Microsoft Sentinel?

Question 189 (medium, multi select)

Which THREE data sources can be used in Microsoft Sentinel for threat hunting involving network traffic?

Question 190 (easy, multi select)

Which TWO are common techniques used during threat hunting to identify suspicious behavior in Microsoft Defender XDR?

Question 191 (hard, multi select)

Which THREE Microsoft Sentinel features are specifically designed to assist with threat hunting?

Question 192 (medium, multi select)

Which TWO tables in Microsoft Defender XDR advanced hunting provide information about user authentication events?

Question 193 (easy, multi select)

Which THREE are valid methods to create a custom hunting query in Microsoft Sentinel?

Question 194 (easy, multiple choice)

A security analyst is reviewing a threat hunting query in Microsoft Sentinel that uses the Kusto Query Language (KQL) to identify potential lateral movement. The query returns a large number of false positives. What is the most effective way to reduce false positives while maintaining detection coverage?

Question 195 (medium, multiple choice)

During a threat hunting exercise, an analyst discovers a suspicious PowerShell process that executed encoded commands and made outbound connections to an unknown IP address. The process tree shows it was spawned by a Microsoft Word instance. What is the most likely attack technique being observed?

Question 196 (hard, multiple choice)

An organization uses Microsoft Defender for Endpoint (MDE) to hunt for signs of credential dumping. An analyst runs a custom advanced hunting query that searches for processes accessing LSASS.exe. The query uses DeviceProcessEvents and DeviceFileEvents. The analyst notices that some known credential dumping tools are detected, but they want to find previously unknown variants. Which approach should the analyst take to improve the hunt?

Question 197 (easy, multiple choice)

A threat hunter wants to identify possible data exfiltration over DNS in Microsoft Sentinel. Which KQL function should the analyst use to extract domain names from DNS queries?

Question 198 (medium, multiple choice)

Refer to the exhibit. The KQL query is used for threat hunting. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.

```kusto
// KQL query in Microsoft Sentinel
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "cmd.exe"
| where ProcessCommandLine contains "powershell"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemotePort == 443
) on DeviceName
```
Question 199 (hard, multiple choice)

Refer to the exhibit. An analyst is reviewing a custom detection rule in Microsoft Sentinel. The rule is triggering many false positives from legitimate remote desktop connections. What should the analyst do to reduce false positives while keeping detection of pass-the-hash attacks?

Exhibit

Refer to the exhibit.

```json
{
  "displayName": "Hunt for Pass-the-Hash",
  "description": "Detects possible PtH using Event ID 4624 with logon type 9 and NTLM authentication.",
  "tactics": ["LateralMovement"],
  "techniques": ["T1550.002"],
  "query": "SecurityEvent\n| where EventID == 4624\n| where LogonType == 9\n| where AuthenticationPackage == 'NTLM'\n| project TimeGenerated, Account, Computer, TargetLogonId",
  "triggerOperator": "gt",
  "triggerThreshold": 0
}
```
Question 200 (easy, multiple choice)

A threat hunter is investigating a potential data exfiltration via DNS tunneling. Which Microsoft Defender XDR advanced hunting table should the analyst primarily use to examine DNS queries from endpoints?

Question 201 (medium, multiple choice)

An analyst is using Microsoft Sentinel to hunt for signs of privilege escalation via token manipulation. Which Windows Security Event ID should the analyst focus on to detect potential token duplication or manipulation?

Question 202 (hard, multiple choice)

Refer to the exhibit. The query is designed to hunt for potentially compromised accounts that are not on the suspicious list but have many network logons. However, the query returns zero results even though the analyst suspects there should be some hits. What is the most likely issue?

Exhibit

Refer to the exhibit.

```kusto
// Microsoft Sentinel KQL for hunting suspicious logons
let suspiciousAccounts = dynamic(["svc_backup", "sql_sa", "testuser"]);
SecurityEvent
| where EventID == 4624
| where Account !in (suspiciousAccounts)
| where LogonType in (3, 10)
| where LogonProcessName == "NtLmSsp" or LogonProcessName == "Kerberos"
| summarize LogonCount = count() by Account, Computer
| where LogonCount > 10
```
Question 203 (easy, multi select)

Which TWO data sources are commonly used in Microsoft Sentinel for threat hunting related to lateral movement? (Select TWO.)

Question 204 (medium, multi select)

Which THREE techniques are commonly used in Microsoft Sentinel threat hunting to identify command and control (C2) communication? (Select THREE.)

Question 205 (hard, multi select)

Which THREE actions should a threat hunter take when using Microsoft Defender XDR advanced hunting to investigate a potential ransomware outbreak? (Select THREE.)

Question 206 (medium, multiple choice)

Refer to the exhibit. The query is intended to find devices where PowerShell was used with encoded commands and connected to specific remote IPs. However, the analyst notices that the query returns no results. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
// KQL for hunting suspicious PowerShell usage
let RemoteIPs = dynamic(["10.0.0.1", "10.0.0.2"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("-EncodedCommand", "-e ", "-enc ")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(7d)
    | where RemoteIP in (RemoteIPs)
) on DeviceName
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, RemoteIP
```
Question 207 (hard, multiple choice)

Refer to the exhibit. An analyst is reviewing this custom detection rule in Microsoft Sentinel. The rule is not generating any alerts even though services are being installed on servers. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "displayName": "Hunt for Unusual Service Creation",
  "description": "Detect abnormal service installations on servers.",
  "tactics": ["Persistence", "Execution"],
  "techniques": ["T1543.003"],
  "query": "DeviceEvents\n| where ActionType == 'ServiceInstalled'\n| extend ServiceName = tostring(AdditionalFields['ServiceName'])\n| extend ServiceImagePath = tostring(AdditionalFields['ServiceImagePath'])\n| where ServiceName startswith 'Legit'\n| project TimeGenerated, DeviceName, ServiceName, ServiceImagePath",
  "triggerOperator": "gt",
  "triggerThreshold": 0
}
```
Question 208 (easy, multiple choice)

A threat hunter wants to use Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should the analyst investigate?

Question 209 (medium, multiple choice)

You are a security analyst performing threat hunting in Microsoft Sentinel. You suspect an adversary is using living-off-the-land binaries (LOLBins) to execute code. Which KQL function should you use to search for processes spawned by a specific parent process across multiple machines?

Question 210 (hard, multiple choice)

Refer to the exhibit. You are threat hunting for possible lateral movement using cmd.exe. The KQL query returns no results even though you know cmd.exe was executed. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kql
let TimeRange = 7d;
let TargetProcess = "cmd.exe";
DeviceProcessEvents
| where Timestamp > ago(TimeRange)
| where FileName == TargetProcess
| join kind=inner (
    DeviceEvents
    | where Timestamp > ago(TimeRange)
    | where ActionType == "ProcessCreated"
) on DeviceId
| project Timestamp, DeviceName, InitiatingProcessFileName, FileName
```
Question 211 (easy, multiple choice)

A threat hunter wants to identify anomalous DNS queries that may indicate data exfiltration. In Microsoft Sentinel, which data source is most appropriate for ingesting DNS logs from on-premises servers?

Question 212 (medium, multiple choice)

You are using Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should you look for to detect a potentially malicious app that was granted high privileges by a user?

Question 213 (hard, multiple choice)

Refer to the exhibit. A threat hunter creates a scheduled analytics rule in Microsoft Sentinel using this query. The rule triggers frequently but generates many false positives. What is the best way to improve the rule's precision?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "query": "SecurityAlert\n| where AlertName has_any ('Malware', 'Ransomware')\n| project TimeGenerated, AlertName, CompromisedEntity, ProviderName"
  }
}
```
Question 214 (easy, multiple choice)

During a threat hunt, you identify a user account that has been logging in from multiple geographic regions within a short time. Which Microsoft Defender for Cloud Apps feature should you use to investigate this anomaly?

Question 215 (medium, multiple choice)

You are investigating a potential data exfiltration using Microsoft Defender for Cloud Apps. You find that a user downloaded a large number of files from SharePoint Online to a personal device. Which anomaly detection policy type would have detected this?

Question 216 (hard, multiple choice)

Refer to the exhibit. You are hunting for PowerShell used to launch cmd.exe. The query is intended to find cmd.exe processes that occurred after the first PowerShell execution on the same device. However, it returns no results. What is the most likely issue?

Exhibit

Refer to the exhibit.

```kql
let FirstSeen = (DeviceProcessEvents
| where FileName == "powershell.exe"
| summarize min(Timestamp));
DeviceProcessEvents
| where Timestamp between (FirstSeen .. ago(0d))
| where FileName == "cmd.exe"
| join kind=leftsemi (
    DeviceProcessEvents
    | where FileName == "powershell.exe"
    | project DeviceId, ParentProcessFileName
) on DeviceId
| project Timestamp, DeviceName, FileName, ParentProcessFileName
```
Question 217 (easy, multiple choice)

As a threat hunter, you want to use MITRE ATT&CK techniques to categorize detected behaviors. In Microsoft Sentinel, which feature allows you to map alerts to MITRE techniques automatically?

Question 218 (medium, multi select)

Which TWO are valid methods for performing threat hunting in Microsoft Sentinel? (Choose two.)

Question 219 (hard, multi select)

Which THREE are essential components of a threat hunting hypothesis in Microsoft Sentinel? (Choose three.)

Question 220 (easy, multi select)

Which TWO are valid KQL operators for performing time-based analysis in threat hunting? (Choose two.)

Question 221 (medium, multiple choice)

You are investigating a potential brute-force attack against Microsoft 365. Which KQL query in Microsoft Sentinel would best identify failed logon attempts from a single IP address across multiple users?

Question 222 (hard, multiple choice)

Refer to the exhibit. A threat hunter runs this PowerShell script to query Microsoft Sentinel. The script fails with an error stating that the query language is not recognized. What is the most likely cause?

Exhibit

Refer to the exhibit.

```powershell
$table = "DeviceProcessEvents"
$query = "DeviceProcessEvents | where FileName == 'reg.exe' | project Timestamp, DeviceName, AccountName"
Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $query
```
Question 223 (medium, multiple choice)

You are threat hunting for signs of credential dumping using Mimikatz. In Microsoft Defender for Identity, which type of alert would you expect to see?

Question 224 (easy, multiple choice)

During a threat hunting exercise in Microsoft Sentinel, you want to identify all cloud application events where a user accessed a resource from an IP address not previously associated with that user. Which KQL operator should you use to compare current access patterns with a baseline of known IPs?

Question 225 (medium, multiple choice)

Your threat hunting hypothesis is that a user's credentials were used to sign in from two geographically distant locations within a short time. In Microsoft Defender for Cloud Apps, which log type would you query in Microsoft Sentinel to detect impossible travel?

Question 226 (hard, multiple choice)

During a threat hunt, you identify a suspicious process execution chain in Microsoft Defender for Endpoint: `powershell.exe` spawned `cmd.exe` which then executed `rundll32.exe`. To investigate the parent-child relationships, which KQL statement should you use in Advanced Hunting?

Question 227 (easy, multiple choice)

You are reviewing a custom analytics rule in Microsoft Sentinel. The rule is enabled but you notice that no alerts have been generated even though there are many matching events. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "name": "ThreatHuntRule",
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "Threat Hunt - Suspicious Process",
    "description": "Detects suspicious process execution",
    "severity": "Medium",
    "enabled": true,
    "query": "DeviceProcessEvents | where FileName has_any ('wscript.exe','cscript.exe','mshta.exe')",
    "queryFrequency": "PT1H",
    "queryPeriod": "PT1H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5,
    "suppressionDuration": "PT5H",
    "suppressionEnabled": false,
    "tactics": ["Execution"],
    "techniques": ["T1059"],
    "alertRuleTemplateName": null
  }
}
```
Question 228 (medium, multiple choice)

You are investigating a detection in Microsoft Defender for Endpoint. The PowerShell output shows a threat with ID 2147723152. Which type of threat does this ID represent?

Exhibit

Refer to the exhibit.
```powershell
$rules = Get-MpThreatDetection
$rules | Where-Object { $_.ThreatID -eq 2147723152 }
```
Question 229 (hard, multiple choice)

A threat hunter runs the above KQL query in Microsoft Defender Advanced Hunting. What is the primary purpose of this query?

Exhibit

Refer to the exhibit.
```kusto
let baseline = materialize(
    DeviceLogonEvents
    | where Timestamp between (ago(30d) .. ago(1d))
    | summarize by AccountUpn, RemoteIP
);
DeviceLogonEvents
| where Timestamp > ago(1d)
| where AccountUpn in (baseline | project AccountUpn)
| join kind=leftanti baseline on AccountUpn, RemoteIP
```
Question 230 (easy, multiple choice)

As part of a threat hunt, you want to find instances where a user successfully authenticated to multiple applications within a short time using different IP addresses. Which Microsoft 365 Defender data source would be most appropriate?

Question 231 (medium, multiple choice)

During a threat hunt, you suspect a user may have exfiltrated data via email. Which Microsoft 365 Defender advanced hunting table should you query to review email attachments and their file hashes?

Question 232 (hard, multiple choice)

You are hunting for lateral movement in your environment. In Microsoft Defender for Identity, which activity is a strong indicator of a potential pass-the-hash attack?

Question 233 (easy, multi select)

Which TWO KQL operators are commonly used in threat hunting to join tables based on a key?

Question 234 (medium, multi select)

Which THREE data sources in Microsoft Sentinel are most useful for threat hunting activities related to identity compromise?

Question 235 (hard, multi select)

Which THREE techniques are commonly used in threat hunting within Microsoft Defender XDR to detect privilege escalation?

Question 236 (easy, multiple choice)

A threat hunter wants to identify all devices that have communicated with a known malicious IP address in the last 7 days. Which table in Microsoft Defender for Endpoint advanced hunting should be queried?

Question 237 (medium, multiple choice)

You are conducting a threat hunt to find evidence of credential dumping on Windows servers. Which event ID in Windows Security Event Log (SecurityEvent) is most indicative of LSASS process access?

Question 238 (hard, multiple choice)

During a threat hunt, you find a PowerShell script that decodes a base64-encoded command and executes it. Which MITRE ATT&CK technique is this behavior most associated with?

Question 239 (easy, multiple choice)

You are performing a threat hunt in Microsoft Sentinel. You want to identify devices that have been communicating with known malicious IP addresses. Which data source should you query?

Question 240 (medium, multiple choice)

During a threat hunt, you discover suspicious PowerShell commands executed on multiple workstations. Which KQL function in Microsoft Sentinel is most effective for aggregating similar commands to identify a pattern?

Question 241 (hard, multiple choice)

You run the KQL query above in Microsoft Sentinel. The query returns zero results even though you know some devices have connected to malicious IPs. What is the most likely cause?

Exhibit

Refer to the exhibit.
```kusto
let timeframe = 7d;
let maliciousIPs = externaldata(IP:string)
["https://raw.githubusercontent.com/.../malicious_ips.txt"]
with (format="csv");
DeviceNetworkEvents
| where Timestamp > ago(timeframe)
| where RemoteIP in (maliciousIPs)
| summarize count() by DeviceName, RemoteIP
```
Question 242 (easy, multiple choice)

You are hunting for signs of credential theft in Microsoft Defender XDR. Which advanced hunting table is most appropriate to investigate suspicious logon events?

Question 243 (medium, multiple choice)

Your threat hunt reveals a series of failed logon attempts from a single IP address across multiple user accounts. Which Microsoft Sentinel analytic rule template is best suited to alert on this brute-force pattern?

Question 244 (hard, multiple choice)

You are threat hunting for signs of Kerberoasting in Microsoft Sentinel. Which combination of events indicates that a service account's Kerberos ticket was requested and then used?

Question 245 (easy, multiple choice)

You are using the Microsoft Sentinel Threat Hunting experience to create a new hunting query. Which tab should you select to bookmark a suspicious event for further investigation?

Question 246 (medium, multiple choice)

Your threat hunt identifies a process that is making outbound connections to an unknown IP address. Which Microsoft Defender for Endpoint action can you take to immediately isolate the device?

Question 247 (hard, multiple choice)

You are reviewing a custom hunting query in Microsoft Sentinel. The query above returns results, but you suspect it misses low-frequency beaconing. Which modification improves detection while reducing false positives?

Exhibit

Refer to the exhibit.
```json
{
  "id": "12345678-1234-1234-1234-123456789abc",
  "displayName": "Hunt for C2",
  "description": "Look for beaconing patterns",
  "queryText": "DeviceNetworkEvents | where Timestamp > ago(1d) | summarize count() by RemoteIP, DeviceName | where count_ > 100",
  "tactics": ["CommandAndControl"],
  "techniques": ["T1071"]
}
```
Question 248 (medium, multi select)

Which TWO KQL operators are most useful for threat hunting lateral movement in Microsoft Defender XDR? (Select two.)

Question 249 (hard, multi select)

Which THREE of the following are recommended practices for creating effective threat hunting queries in Microsoft Sentinel? (Select three.)

Question 250 (easy, multi select)

Which TWO tables in Microsoft Defender XDR advanced hunting are most useful for detecting data exfiltration attempts? (Select two.)

Question 251 (medium, multi select)

Which THREE of the following are valid sources of threat intelligence that can be ingested into Microsoft Sentinel for threat hunting? (Select three.)

Question 252 (hard, multi select)

Which TWO of the following are key indicators of a potential DCSync attack that a threat hunter should look for in Microsoft Sentinel? (Select two.)

Question 253 (hard, multiple choice)

You are a security analyst at Contoso. You manage a Microsoft Sentinel workspace with Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID (formerly Azure AD) data connectors. You are performing a proactive threat hunt for potential data exfiltration via external file sharing services like Dropbox and Google Drive. Your organization blocks these services on managed devices but users can access them from personal devices. You want to detect when users log in to these services from a corporate network using Microsoft Entra ID credentials. You have access to CloudAppEvents, AADSignInEventsBeta, and DeviceNetworkEvents tables in Microsoft Defender XDR advanced hunting. You need to create a hunting query that identifies sign-ins to external file sharing apps from corporate IP ranges. The query should also exclude sign-ins from known good service accounts. Which approach should you take?

Question 254 (easy, multiple choice)

During a threat hunt, you identify a suspicious process that spawned from Microsoft Word with a command-line argument containing ' -enc '. Which hunting technique is most appropriate to investigate this further?

Question 255 (medium, multiple choice)

You are threat hunting in Microsoft Defender XDR for signs of Kerberoasting. Which hunting query would be most effective in identifying Kerberoasting activity?

Question 256 (hard, multiple choice)

Refer to the exhibit. The KQL query is used in a threat hunting campaign. Which of the following best describes the hunting activity this query is designed to detect?

Exhibit

```json
{
  "query": "DeviceProcessEvents | where ProcessCommandLine contains '\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\"' and InitiatingProcessFileName in~ ('winword.exe', 'excel.exe', 'outlook.exe') | project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine"
}
```

Question 257 (medium, multiple choice)

During a threat hunt, you notice an anomalous number of failed logon attempts from a single IP address across multiple user accounts in Microsoft Entra ID sign-in logs. What is the most effective next step to determine if this is a brute-force attack?

Question 258 (easy, multiple choice)

You are threat hunting for indicators of compromise related to a known malware family. Which data source in Microsoft Defender XDR would provide the most direct evidence of malware execution on endpoints?

Question 259 (hard, multiple choice)

In a threat hunt, you discover that a non-admin user account created a scheduled task that executes a PowerShell script to connect to an external IP on port 4444. Which of the following is the most likely interpretation of this activity?

Question 260 (easy, multiple choice)

While threat hunting in Microsoft Sentinel, you want to create a hunting query that identifies all attempts to disable security controls. Which data table would be most appropriate to query for such activity?

Question 261 (easy, multi select)

Which TWO of the following are common techniques used by attackers to bypass security controls that a threat hunter should look for?

Question 262 (medium, multi select)

Which THREE of the following are key components of a successful threat hunting program in a Microsoft Defender XDR environment?

Question 263 (medium, multi select)

Which TWO of the following KQL operators are most useful when building hunting queries to detect anomalous activities over time?

Question 264 (hard, multi select)

Which THREE of the following are indicators of a potential pass-the-hash attack that a threat hunter should investigate in Microsoft Defender for Identity?

Question 265 (hard, multiple choice)

You are a security operations analyst for Contoso Ltd. The company uses Microsoft Sentinel as its SIEM and Microsoft Defender for Cloud Apps for SaaS security. You are tasked with threat hunting for potential data exfiltration via Microsoft SharePoint Online. You need to create a hunting query that identifies users who have downloaded an unusually high number of files from SharePoint within a short time window compared to their historical baseline. The query should be run in Microsoft Sentinel using the OfficeActivity table. Which of the following approaches should you take?

Question 266 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint and Microsoft Sentinel. As part of a threat hunting exercise, you need to detect potential lateral movement using remote desktop protocol (RDP). You want to identify devices that have initiated multiple RDP connections to different internal IP addresses within a short time frame. Which hunting query should you use in Microsoft Sentinel's Log Analytics workspace?

Question 267 (medium, multiple choice)

You are a security analyst at Fabrikam. The company uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you need to identify users who are accessing cloud applications from multiple geographic locations in a short time, which could indicate credential theft or token replay. You want to create a hunting query in Microsoft Sentinel using the CloudAppEvents table. Which approach should you take?

Question 268 (hard, multiple choice)

You are a threat hunter at Northwind Traders. The organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You suspect a golden ticket attack may have occurred in the domain. You need to create a hunting query in Microsoft Sentinel that leverages data from MDI to detect possible golden ticket usage. Which of the following queries or approaches is most appropriate?

Question 269 (medium, multi select)

Which TWO of the following are valid methods to initiate a threat hunting session in Microsoft Sentinel?

Question 270 (hard, multi select)

Which THREE actions are part of the threat hunting process in Microsoft Defender XDR?

Question 271 (easy, multiple choice)

You are a security analyst at a company using Microsoft Sentinel. You have been asked to perform a threat hunt to identify potential brute-force attacks against your on-premises Active Directory. The relevant data is ingested into Sentinel from Windows Event Logs (Event ID 4625) and Azure ATP (now Microsoft Defender for Identity). Your hunting query should focus on failed logon attempts with high frequency from the same source IP within a short time window. You need to write a KQL query that returns the top 10 source IPs with the most failed logon attempts in the last 24 hours. Which KQL query should you use?

Question 272 (medium, multiple choice)

You are a threat hunter for an organization that uses Microsoft Defender XDR. You suspect that an attacker may be using PowerShell to perform reconnaissance on domain controllers. You need to write an advanced hunting query in Microsoft Defender XDR that returns PowerShell commands executed on domain controllers in the last 7 days that contain cmdlets related to Active Directory reconnaissance, such as Get-ADUser or Get-ADGroupMember. The query should also include the device name, account name, and command line. Which query should you use?

Question 273 (medium, multiple choice)

You are a security analyst using Microsoft Sentinel. During a threat hunt, you need to identify potential data exfiltration via DNS tunneling. You have DNS query logs ingested from your DNS servers via Syslog. The log schema includes fields: TimeGenerated, QueryName, QueryType, ClientIP, ResponseIP. You want to find DNS queries that are unusually long (over 50 characters in the query name) and have a high count of unique responses, which may indicate tunneling. You need to write a KQL query that returns the top 10 client IPs with the most unique response IPs for queries with query name length > 50 in the last 24 hours. Which query should you use?

Question 274 (hard, multiple choice)

You are a security operations analyst at a company that uses Microsoft Defender for Cloud Apps (now part of Microsoft Defender XDR) and Microsoft Sentinel. During a threat hunt, you suspect that an attacker may be using a compromised user account to access sensitive data in SharePoint Online from an unusual location. You have Microsoft Defender for Cloud Apps logs integrated into Sentinel. The log schema includes fields: TimeGenerated, UserId, AppName, ActivityType, IPAddress, Location, ObjectId (the document ID). You need to write a KQL query that returns a list of users who accessed the same sensitive document (ObjectId == 'SensitiveDocument123') from more than 3 unique IP addresses in the last hour, which could indicate a distributed access pattern. Which KQL query should you use?

Question 275 (hard, multiple choice)

You are a threat hunter for a company that uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to investigate a potential privilege escalation attack. You have collected process creation events from endpoints and want to identify instances where a process with low integrity level spawned a process with high integrity level. The DeviceProcessEvents table includes fields: DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, ProcessFileName, ProcessIntegrityLevel. You need to write an advanced hunting query that returns the top 10 devices where this escalation occurred most frequently in the last 7 days. Which query should you use?

Question 276 (hard, multiple choice)

You are a security analyst at a company that uses Microsoft Sentinel and Microsoft Defender for Identity (now part of Microsoft Defender XDR). During a threat hunt, you need to identify potential golden ticket attacks. You have Windows Security Events (Event ID 4672: Special Logon) and Kerberos service ticket events (Event ID 4769) ingested. A golden ticket attack often involves service ticket requests with unusual encryption types or ticket options. You want to find service ticket requests (4769) that have TicketOptions containing '0x40810000' (forwardable, renewable, canonicalize) and TicketEncryptionType == '0x17' (RC4), which are common in attacks. You need to write a KQL query that returns the top 10 accounts requesting such tickets in the last 7 days. Which query should you use?
