Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.


SC-200 Respond to security incidents • Complete Question Bank

SC-200 Respond to security incidents — All Questions With Answers

Complete SC-200 Respond to security incidents question bank — all 0 questions with answers and detailed explanations.

489 questions · Free · No signup
Question 1 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?

Question 2 (hard, multi select)
Read the full Respond to security incidents explanation →

During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)

Question 3 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?

Question 4 (medium, multiple choice)
Read the full Respond to security incidents explanation →

An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?

Question 5 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?

Question 6 (easy, multiple choice)
Read the full Respond to security incidents explanation →

In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?

Question 7 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are responding to an incident where a user's credentials were used to access a federated SaaS application from an IP address associated with a known threat actor. The user's account is not disabled. Which action is most effective to prevent further unauthorized access?

Question 8 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, you need to collect forensic data from Microsoft Defender for Endpoint (MDE) on a remote device that is currently offline. What is the best approach?

Question 9 (medium, multiple choice)
Read the full Respond to security incidents explanation →

An incident in Microsoft Sentinel involves a phishing campaign that delivered a malicious macro-enabled document. The document was opened by 15 users. Which playbook action should be triggered automatically to contain the threat?

Question 10 (hard, multiple choice)
Read the full Respond to security incidents explanation →

An analyst creates a playbook in Microsoft Sentinel to automatically block an IP address when an alert fires. However, the playbook fails to block the IP. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block Malicious IP",
    "trigger": {
      "type": "Microsoft.SecurityInsights/alertRule",
      "alertRuleId": "1234"
    },
    "actions": [
      {
        "type": "Microsoft.SecurityInsights/incidentAction",
        "actionType": "BlockIP",
        "properties": {
          "ipAddress": "@{triggerBody()?['properties']?['alertRuleId']}",
          "blockDuration": "P1D"
        }
      }
    ]
  }
}
```
Question 11 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You run the above KQL query in Microsoft Sentinel to identify ransomware alerts from the last day. The result shows zero rows. Which is the most likely reason?

Exhibit

Refer to the exhibit.
```kql
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName contains "ransomware"
| summarize count() by AlertName
| order by count_ desc
```
Question 12 (hard, multiple choice)
Read the full Respond to security incidents explanation →

An administrator creates a Microsoft Defender for Cloud Apps policy to block unsanctioned cloud storage apps. Despite the policy, users can still access these apps. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "policyType": "Microsoft.CloudAppSecurity/Policy",
    "policyName": "Block Unapproved Storage",
    "policyMode": "Monitor",
    "filter": {
      "app": {
        "category": "Cloud storage",
        "tag": "Unsanctioned"
      }
    },
    "actions": [
      {
        "actionType": "Block",
        "actionValue": "true"
      }
    ]
  }
}
```
Question 13 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions are appropriate when responding to a confirmed data exfiltration incident via email?

Question 14 (medium, multi select)
Read the full Respond to security incidents explanation →

Which THREE steps should be included in a Microsoft Sentinel playbook for automatic incident response when a high-severity alert fires?

Question 15 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE conditions must be met for Microsoft Sentinel to automatically run a playbook on an incident?

Question 16 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst receives a high-severity alert for a suspicious login from an unusual location. The alert was generated by Microsoft Sentinel from Microsoft Entra ID sign-in logs. The analyst needs to determine if the login was successful and if any data exfiltration occurred. What is the MOST efficient first step?

Question 17 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. You need to create a custom anti-phishing policy to block similar emails in the future. What should you configure?

Question 18 (hard, multiple choice)
Read the full Respond to security incidents explanation →

A security team is investigating a ransomware incident that encrypted files on several Windows servers. Microsoft Defender for Endpoint detected the ransomware but the initial infection vector is unknown. Which KQL query in Microsoft Sentinel would BEST identify the initial process that executed the ransomware?

Question 19 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You have a Microsoft Sentinel analytical rule with the above configuration. During a security incident, multiple high-severity alerts are generated within a 5-minute window. How does the rule handle these alerts?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "SOC Critical Alert Rule",
    "description": "Triggers on critical severity alerts",
    "severity": "High",
    "enabled": true,
    "query": "SecurityAlert | where Severity == 'High' | where TimeGenerated > ago(5m)",
    "queryFrequency": "PT5M",
    "queryPeriod": "PT5M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "suppressionDuration": "PT5M",
    "suppressionEnabled": false,
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5M",
        "entitiesMatchingMethod": "All"
      }
    }
  }
}
```
Question 20 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are deploying Microsoft Sentinel using the above ARM template parameters. After deployment, you notice that Microsoft Defender for Cloud alerts are not being ingested. What is the MOST likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "sentinel-workspace"
    },
    "location": {
      "value": "eastus"
    },
    "enableUEBA": {
      "value": true
    },
    "dataConnectors": {
      "value": [
        "AzureIdentity",
        "AzureActivity",
        "MicrosoftThreatProtection"
      ]
    }
  }
}
```
Question 21 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You receive an alert that a critical vulnerability exists on a virtual machine. What is the BEST immediate action to validate the alert and contain the threat?

Question 22 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A SOC analyst is investigating an incident where a user's credentials were compromised. The analyst uses Microsoft Sentinel to find all activities performed by the user in the last 24 hours. Which data source should the analyst query FIRST to get the most comprehensive view of the user's actions across Microsoft 365?

Question 23 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident, you need to block a malicious IP address at the network level for all Azure resources in a subscription. You have Azure Firewall deployed. What is the MOST efficient method to implement the block?

Question 24 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Endpoint. An endpoint is detected as infected with a trojan. The analyst needs to isolate the device from the network while preserving forensic data. What action should the analyst take?

Question 25 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should an analyst take when triaging a Microsoft Sentinel incident that involves a user who clicked a malicious link in a phishing email? (Choose two.)

Question 26 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE are valid data connectors in Microsoft Sentinel for ingesting security events from Microsoft 365 services? (Choose three.)

Question 27 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO are valid incident management actions in Microsoft Sentinel? (Choose two.)

Question 28 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You deploy the above ARM template to create a scheduled analytics rule in Microsoft Sentinel. After deployment, the rule runs but never generates incidents. What is the MOST likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/', 'MyScheduledRule')]",
      "properties": {
        "displayName": "MyScheduledRule",
        "category": "Security",
        "query": "SigninLogs | where ResultType == 50057",
        "etag": "*"
      }
    },
    {
      "type": "Microsoft.SecurityInsights/alertRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspaceName'), '/', 'MyAlertRule')]",
      "properties": {
        "displayName": "MyAlertRule",
        "description": "Detects disabled account sign-ins",
        "severity": "Medium",
        "enabled": true,
        "query": "SigninLogs | where ResultType == 50057",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": null
        }
      }
    }
  ]
}
```
Question 29 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A SOC analyst needs to investigate a potential data exfiltration incident involving a user uploading files to an external cloud storage service. Which Microsoft Sentinel data source would provide the MOST relevant information?

Question 30 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You receive an alert that a fileless malware attack was detected on an on-premises server connected via Azure Arc. The server is running Windows Server 2019. What is the BEST action to contain the threat?

Question 31 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert for a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately block the user from accessing the app. Which action should the analyst take?

Question 32 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. You need to correlate the alerts and identify the initial entry point. Which KQL function should you use to combine the alerts?

Question 33 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst receives a Microsoft Defender for Cloud Apps alert about a user performing unusual file downloads from SharePoint. The analyst needs to investigate the user's activity in the last 24 hours. Which log source should the analyst query first?

Question 34 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization has Microsoft Defender XDR enabled. An incident is generated for a user who clicked a phishing link in an email. The analyst needs to automatically disable the user's mailbox for suspicious activity. Which automated action should the analyst configure in a Microsoft Sentinel automation rule?

Question 35 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are responding to a data exfiltration incident in Microsoft Sentinel. The attacker used a PowerShell script to upload data to an external storage account. You need to identify the specific storage account used. Which KQL query should you use in the AzureActivity table?

Question 36 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst needs to contain a compromised device that is spreading malware in the network. The device is enrolled in Microsoft Intune and managed by Microsoft Defender for Endpoint. What is the fastest way to isolate the device from the network?

Question 37 (medium, multiple choice)
Read the full Respond to security incidents explanation →

During an incident investigation, you discover that an attacker used a legitimate account to access sensitive data in Microsoft Purview Information Protection. You need to identify what data was accessed and by whom. Which log source should you query?

Question 38 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel with Fusion and Microsoft Security incident creation rules. You receive a high-severity incident from Microsoft Defender for Cloud Apps. The incident has a low confidence score. What should you do first?

Question 39 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a brute force attack on a user account in Microsoft Entra ID. The sign-in logs show multiple failed attempts from different IP addresses. Which property in the sign-in logs indicates the type of authentication used?

Question 40 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions are valid for containing a compromised user account in Microsoft 365 Defender? (Choose two.)

Question 41 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE data sources in Microsoft Sentinel can be used to detect lateral movement in a network? (Choose three.)

Question 42 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO Microsoft 365 Defender portals provide automated investigation and response capabilities? (Choose two.)

Question 43 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed without investigation. You need to identify why the incident was closed automatically. Which Sentinel feature should you review?

Question 44 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, you need to collect a memory dump from a compromised Windows 10 device managed by Microsoft Defender for Endpoint. Which action should you take in the Microsoft Defender XDR portal?

Question 45 (easy, multiple choice)
Read the full Respond to security incidents explanation →

An incident in Microsoft Sentinel was assigned to you. After investigation, you determine it is a false positive. What should you do to resolve the incident?

Question 46 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident with severity Medium is created?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block malicious IP",
    "triggers": [
      {
        "type": "IncidentCreated",
        "conditions": [
          {
            "condition": "IncidentSeverity",
            "operator": "Equals",
            "value": "High"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "/subscriptions/.../block-ip"
      }
    ]
  }
}
```
Question 47 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your Microsoft 365 tenant is protected by Microsoft Defender for Office 365. A user reports receiving a suspicious email with a link. You need to investigate whether the link was malicious and if any other users clicked it. Which tool should you use first?

Question 48 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. A security analyst runs this PowerShell script to query a Log Analytics workspace. What is the purpose of this query?

Exhibit

Refer to the exhibit.
```powershell
$huntQuery = @"
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| take 1000
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId "..." -Query $huntQuery
```
Question 49 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During an incident, you need to isolate a compromised device from the network while allowing communication with Microsoft Defender for Endpoint cloud services. Which isolation type should you choose in Microsoft Defender XDR?

Question 50 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Which Microsoft Sentinel feature allows you to automatically respond to incidents by running a playbook when an incident is created?

Question 51 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud Apps. You receive an alert about an impossible travel activity for a user. What is the best first step to validate if this is a true positive?

Question 52 (medium, multiple choice)
Read the full Respond to security incidents explanation →

During an incident investigation in Microsoft Sentinel, you need to gather related events from multiple data sources into a single view for analysis. Which feature should you use?

Question 53 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are deploying this analytics rule in Microsoft Sentinel. Which activity will trigger an alert?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2022-01-01-preview",
  "name": "Suspicious Process Creation",
  "properties": {
    "displayName": "Suspicious Process Creation",
    "description": "Detects suspicious process creation events.",
    "severity": "High",
    "query": "SecurityEvent | where EventID == 4688 | where ProcessName endswith '\\cmd.exe' | where ParentProcessName endswith '\\winword.exe'",
    "queryFrequency": "PT5H",
    "queryPeriod": "PT5H",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0
  }
}
```
Question 54 (medium, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, you identify that a user's account was used to sign in from an unusual location. You need to contain the incident immediately. What should you do first?

Question 55 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. During an incident investigation, you find that a device is exfiltrating data to an external IP. You need to isolate the device from the network using automated response. Which action should you configure in an automation rule?

Question 56 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts. You need to group related alerts under the same incident to reduce alert fatigue. What should you do?

Question 57 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are responding to a phishing incident. The investigation reveals that a user clicked a link in a phishing email and entered credentials on a fake site. You need to contain the incident and prevent further compromise. What should you do first?

Question 58 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud Apps. During an incident, you discover that a user is downloading large amounts of data from SharePoint to an unmanaged device. You need to automatically block further downloads from that device. What should you configure?

Question 59 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a security incident in Microsoft Sentinel. You want to visualize the relationships between entities such as IP addresses, users, and hosts. Which tool should you use?

Question 60 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are responding to an incident where a malicious PowerShell script was executed on multiple endpoints. You need to collect the script content from the affected devices for analysis. What should you use?

Question 61 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During an incident, you need to automatically disable a compromised Azure VM from the network. Which playbook action should you use?

Question 62 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a suspicious sign-in to a privileged account. You need to determine if the sign-in was from a known malicious IP address. Which Microsoft Sentinel data source should you query?

Question 63 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should you perform to contain a ransomware incident in Microsoft Defender for Endpoint?

Question 64 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE actions are part of the containment phase in the Microsoft Incident Response process?

Question 65 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO Microsoft Defender XDR entities can be managed during incident response?

Question 66 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are reviewing an automation rule in Microsoft Sentinel. The rule triggers on incident creation with severity High. However, during a recent High severity incident, the playbook did not run. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "Contain Malicious IP",
    "order": 1,
    "triggeringLogic": {
      "triggersOn": "Incidents",
      "triggersWhen": "Created",
      "conditions": [
        {
          "property": "IncidentSeverity",
          "operator": "Equals",
          "value": "High"
        }
      ]
    },
    "actions": [
      {
        "order": 1,
        "actionType": "RunPlaybook",
        "actionConfiguration": {
          "logicAppResourceId": "/subscriptions/.../blockIP",
          "tenantId": "..."
        }
      }
    ]
  }
}
```
Question 67 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating repeated SQL injection alerts. The KQL query returns IP addresses with more than 5 alerts in the last 7 days. What is the purpose of the `summarize` and `where AlertCount > 5` lines?

Exhibit

Refer to the exhibit.

```kql
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Malicious SQL injection"
| extend IPAddress = tostring(parse_json(Entities)[0].Address)
| summarize AlertCount = count() by IPAddress
| where AlertCount > 5
| project IPAddress, AlertCount
```
Question 68 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are reviewing an incident in Microsoft Sentinel. The incident is assigned to a user. What does the 'assignedTo' field indicate?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.SecurityInsights/incidents",
  "properties": {
    "title": "Possible privilege escalation detected",
    "severity": "Medium",
    "status": "Active",
    "owner": {
      "objectId": "user@contoso.com",
      "email": "user@contoso.com",
      "assignedTo": "user@contoso.com",
      "userPrincipalName": "user@contoso.com"
    },
    "incidentNumber": 12345
  }
}
```
Question 69 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You receive an alert for a suspicious sign-in from an unusual location. You want to automatically create an incident and assign it to the security team for investigation. What should you configure?

Question 70 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud Apps. You detect a suspicious app that has high data access and unusual API calls. You want to automatically block the app and notify the user. What should you implement?

Question 71 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You suspect a compromised on-premises admin account that has been used to modify security groups. You want to quickly contain the threat. What should you do first?

Question 72 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO are valid incident response actions in Microsoft Sentinel?

Question 73 (medium, multi select)
Read the full Respond to security incidents explanation →

Which THREE are valid ways to automatically respond to a security incident in Microsoft Defender XDR?

Question 74 (hard, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender for Endpoint?

Question 75 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are reviewing an alert rule in Microsoft Sentinel created via ARM template. What is the primary purpose of this rule?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Suspicious sign-in alert",
    "enabled": true,
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "conditions": [
      {
        "property": "RiskLevelDuringSignIn",
        "operator": "Equals",
        "value": "high"
      }
    ],
    "actions": [
      {
        "actionGroupId": "/subscriptions/.../actionGroups/AG1",
        "webhookProperties": {}
      }
    ]
  }
}
```
Question 76 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are analyzing a firewall policy in Azure Firewall deployed via Azure Policy. What is the effect of this rule?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block malicious IP",
    "description": "Blocks traffic from known malicious IP addresses.",
    "securityPolicy": {
      "isEnabled": true,
      "rules": [
        {
          "name": "BlockIP",
          "priority": 100,
          "sourceAddresses": ["10.0.0.5"],
          "destinationAddresses": ["*"],
          "access": "Deny",
          "direction": "Inbound",
          "protocol": "Any"
        }
      ]
    }
  }
}
```
Question 77 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are reviewing a scheduled analytics rule in Microsoft Sentinel. What does the suppressionDuration setting affect?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Malicious URL detect",
  "description": "Detects access to known malicious URLs.",
  "tactics": ["InitialAccess"],
  "query": "UrlClickEvents | where ActionType == 'ClickAllowed' | where ThreatTypes contains 'Malicious' | project Timestamp, AccountUpn, Url",
  "queryFrequency": "PT1H",
  "queryPeriod": "PT1H",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 0,
  "suppressionDuration": "PT1H",
  "suppressionEnabled": false,
  "incidentConfiguration": {
    "createIncident": true,
    "groupingConfiguration": null
  }
}
```
Question 78easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud. You receive a security alert about a suspicious process on a virtual machine. You want to investigate the process further. What should you do?

Question 79mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to automatically isolate a device when a high-severity incident is created. What is the most efficient way to achieve this?

Question 80hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You have a requirement to automatically add a tag to incidents that involve a specific user. The tag should be added when the incident is created. What should you configure?

Question 81easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Office 365. You detect a phishing email that was delivered to a user's inbox. You want to remove the email from all recipients. What should you do?

Question 82mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt. What is the best first step to contain the potential threat?

Question 83hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and has enabled UEBA (User and Entity Behavior Analytics). You notice a series of incidents involving anomalous logon times for a privileged user. You want to automate the response to disable the user's account in Microsoft Entra ID when such incidents are created. What should you configure?

Question 84mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. A security analyst receives an alert indicating that a user account was used to sign in from an unfamiliar location. You need to investigate the incident using Microsoft Defender XDR. Which action should you take first?

Question 85hardmultiple choice
Read the full Respond to security incidents explanation →

During a security incident, you need to isolate a compromised Windows device from the network while allowing communication with Microsoft Defender for Endpoint services. Which Microsoft Defender for Endpoint action should you use?

Question 86easymultiple choice
Read the full Respond to security incidents explanation →

You are investigating a phishing incident in Microsoft Defender XDR. The incident involves a user who clicked a malicious link in an email. Which data source would you use to trace the email's origin?

Question 87mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You receive an incident that involves a potential lateral movement detected by Microsoft Defender for Identity. You need to investigate the timeline of the attack. Which Microsoft Sentinel feature should you use?

Question 88hardmultiple choice
Read the full Respond to security incidents explanation →

During a ransomware incident, you need to prevent the encryption of files on a server running Windows Server 2022. You have Microsoft Defender for Endpoint Plan 2. Which attack surface reduction rule should you enable?

Question 89easymultiple choice
Read the full Respond to security incidents explanation →

You are responding to an incident where a user's device may be compromised. You need to collect forensic data from the device using Microsoft Defender for Endpoint. Which action should you take?

Question 90mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. A security incident is generated by a scheduled analytics rule. You need to automatically assign the incident to the SOC team and set its severity. What should you create?

Question 91hardmultiple choice

During an incident, you need to prevent a malicious process from running on all endpoints using Microsoft Defender for Endpoint. The process is not yet detected by antivirus signatures. Which action should you use?

Question 92easymultiple choice
Read the full Respond to security incidents explanation →

You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different workloads. You need to view all related alerts in a single timeline. What should you use?

Question 93mediummulti select
Read the full Respond to security incidents explanation →

Which TWO actions can you perform in Microsoft Defender XDR as part of incident response?

Question 94hardmulti select
Read the full Respond to security incidents explanation →

Which THREE actions can you take in Microsoft Sentinel to respond to an incident?

Question 95hardmulti select
Read the full Respond to security incidents explanation →

Which TWO actions are valid containment steps for a compromised user account in Microsoft Defender XDR?

Question 96mediummultiple choice
Read the full Respond to security incidents explanation →

A security analyst receives an alert in Microsoft Defender XDR indicating a possible credential theft attempt from an external IP. The analyst wants to isolate the affected device immediately while preserving forensic data. What should the analyst do?

Question 97easymultiple choice

During an incident response, a SOC analyst needs to automatically collect relevant evidence from multiple Microsoft 365 services. Which Microsoft Sentinel playbook trigger should the analyst configure?

Question 98hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. A critical server in Azure was compromised by ransomware. The incident response team needs to ensure that no other resources in the same resource group are affected. What is the most immediate containment action?

Question 99mediummultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule configured as shown in the exhibit. An incident was created for multiple alerts triggering within a 5-hour window. The SOC team needs to investigate each alert separately because they involve different user accounts. What should the analyst do to ensure each alert generates a separate incident?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities",
        "groupByEntities": [],
        "groupByAlertDetails": [],
        "groupByCustomDetails": null
      }
    },
    "alertRuleTemplateName": null,
    "description": "Detects suspicious sign-ins.",
    "displayName": "Suspicious Sign-In",
    "enabled": true,
    "query": "SigninLogs | where ResultType == 50057"
  }
}
```
Question 100easymultiple choice
Read the full Respond to security incidents explanation →

A SOC analyst is investigating a phishing campaign that targets Microsoft 365 users. The analyst needs to collect email message headers from multiple users' mailboxes. Which Microsoft 365 Defender action should the analyst use?

Question 101mediummultiple choice
Read the full Respond to security incidents explanation →

During an incident involving a compromised Azure VM, the security team wants to capture a memory dump for forensic analysis. The VM is running Windows Server 2022. What is the recommended approach?

Question 102hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An alert fires for a potential DCSync attack. The incident response team needs to immediately block the source account from performing directory replication. Which action should be taken?

Question 103easymultiple choice
Read the full Respond to security incidents explanation →

A SOC analyst is triaging an incident in Microsoft Sentinel and needs to assign it to a senior analyst for further investigation. What is the correct action?

Question 104mediummultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. A Microsoft Sentinel scheduled rule is configured as shown. The rule generates an alert, but the incident created contains only the first alert, and subsequent alerts do not update the incident. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "id": "/subscriptions/.../resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/workspace-sentinel/providers/Microsoft.SecurityInsights/alertRules/5b7c8d9e-...",
  "kind": "Scheduled",
  "properties": {
    "displayName": "RDP brute force success",
    "query": "SecurityEvent | where EventID == 4625 | summarize count() by Account, IpAddress, bin(TimeGenerated, 5m) | where count_ > 10",
    "queryFrequency": "PT5M",
    "queryPeriod": "PT10M",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0,
    "severity": "High",
    "enabled": true
  }
}
```
Question 105mediummulti select
Read the full Respond to security incidents explanation →

Which TWO actions can be performed using Microsoft Sentinel's automation rules? (Choose two.)

Question 106hardmulti select
Read the full Respond to security incidents explanation →

Which THREE are valid containment actions in Microsoft Defender for Endpoint? (Choose three.)

Question 107mediummulti select
Read the full Respond to security incidents explanation →

Which TWO are valid sources of evidence in a Microsoft Sentinel incident? (Choose two.)

Question 108hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Purview to manage insider risk. A user is suspected of exfiltrating data via email. The incident response team needs to preserve a copy of the user's mailbox for legal hold. Which action should be taken?

Question 109mediummultiple choice
Read the full Respond to security incidents explanation →

A security analyst is investigating a Microsoft Defender for Cloud Apps alert about a suspicious OAuth app that has high permissions. The analyst needs to disable the app immediately. What is the correct action?

Question 110easymultiple choice
Read the full Respond to security incidents explanation →

A SOC analyst is using Microsoft Sentinel to respond to an incident involving multiple compromised user accounts. The analyst needs to quickly see the timeline of all related events. Which feature should the analyst use?

Question 111easymultiple choice

A security analyst in your organization receives an alert from Microsoft Defender for Cloud Apps indicating that a user has installed a third-party app with high permissions in Microsoft 365. The analyst suspects a consent phishing attack. Which playbook in Microsoft Sentinel should the analyst use to automate the investigation and remediation?

Question 112mediummultiple choice
Read the full Respond to security incidents explanation →

You are responding to a ransomware incident in Microsoft Defender XDR. You have identified that the malware encrypted files on several devices and then deleted the volume shadow copies. Which of the following actions should you take first to contain the incident?

Question 113hardmultiple choice

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud indicating that a virtual machine has a high severity vulnerability (CVE-2023-XXXX). You need to create an incident in Microsoft Sentinel and trigger a playbook to remediate the vulnerability. However, the incident is not being created automatically. What is the most likely cause?

Question 114easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos activity that may indicate a golden ticket attack. Which of the following actions should you take to investigate this alert?

Question 115mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel with the UEBA (User and Entity Behavior Analytics) feature enabled. A security analyst notices that a user account has been flagged with an anomaly indicating a possible compromised credential. Which entity type in Microsoft Sentinel's UEBA is most relevant for this alert?

Question 116hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization has deployed Microsoft Sentinel and uses the Microsoft 365 connector to ingest audit logs. You receive an alert from Microsoft Defender for Office 365 about a phishing email that was delivered to a user's inbox. You need to create an incident in Sentinel and automatically quarantine the email. What is the most efficient way to achieve this?

Question 117easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud to protect hybrid cloud workloads. An alert indicates that a container in Azure Kubernetes Service (AKS) is running a privileged container. Which response action should you take first?

Question 118mediummultiple choice
Read the full Respond to security incidents explanation →

Your organization has Microsoft Defender for Endpoint deployed. A security analyst receives an alert about a suspicious PowerShell command executed on a device. The analyst needs to investigate the process tree. Which feature should the analyst use?

Question 119hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and has enabled the Microsoft 365 Defender connector. You want to automatically assign incidents to a specific analyst team based on the incident severity and type. Which component should you configure?

Question 120mediummulti select
Read the full Respond to security incidents explanation →

Which TWO of the following are valid response actions that can be taken on a device from Microsoft Defender for Endpoint? (Choose two.)

Question 121hardmulti select
Read the full Respond to security incidents explanation →

Which THREE of the following are valid incident management capabilities in Microsoft Sentinel? (Choose three.)

Question 122mediummulti select
Read the full Respond to security incidents explanation →

Which TWO of the following are valid sources for creating incidents in Microsoft Sentinel? (Choose two.)

Question 123hardmultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are investigating incidents related to suspicious process injection. The KQL query shown in the exhibit is run in Microsoft Sentinel. What is the purpose of this query?

Exhibit

Refer to the exhibit.
```kql
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Suspicious process injection"
| summarize count() by CompromisedEntity, AlertSeverity
| order by count_ desc
```
Question 124mediummultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The JSON snippet defines an automation rule. What is the expected behavior of this rule?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Phishing Incident Response",
    "triggers": [
      {
        "type": "Alert",
        "conditions": [
          {
            "field": "alertName",
            "operator": "Equals",
            "value": "Phishing email delivered"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "/subscriptions/.../playbooks/QuarantineEmail"
      }
    ]
  }
}
```
Question 125easymultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are reviewing an alert in Microsoft Defender for Endpoint. The alert details are shown. Which of the following actions should you take first?

Exhibit

Refer to the exhibit.
```
DeviceName: DESKTOP-ABC123
AlertTime: 2025-03-01T14:32:00Z
AlertTitle: Malware detected
Severity: High
Status: Active
```
Question 126mediummultiple choice
Read the full Respond to security incidents explanation →

A SOC analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded 500 GB of data from SharePoint to an unmanaged device. The user has no history of such behavior. What is the best first step in the incident response process?

Question 127hardmultiple choice
Read the full Respond to security incidents explanation →

During an incident investigation, you find that a compromised account was used to log into a virtual machine via RDP from an IP address in a sanctioned country. The VM has Microsoft Defender for Endpoint installed. Which data source in Microsoft Sentinel would you query to see the RDP connection events?

Question 128easymultiple choice

You have been tasked with creating an automated response in Microsoft Sentinel for incidents involving lateral movement. Which Azure service allows you to run a playbook to automatically isolate a compromised VM?

Question 129mediummulti select
Read the full Respond to security incidents explanation →

Which TWO actions should you take when handling a confirmed ransomware incident in an environment protected by Microsoft Defender for Endpoint?

Question 130hardmulti select
Read the full Respond to security incidents explanation →

Which THREE components are required to enable automated investigation and response (AIR) in Microsoft Defender for Office 365?

Question 131easymulti select
Read the full Respond to security incidents explanation →

Which TWO are legitimate sources of threat intelligence that can be ingested into Microsoft Sentinel?

Question 132mediummultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. The KQL query is used in a Microsoft Sentinel scheduled alert rule. What scenario does this query detect?

Exhibit

Refer to the exhibit.
```kql
let TimeRange = 7d;
let Threshold = 100;
SigninLogs
| where TimeGenerated > ago(TimeRange)
| where ResultType == "50057"
| summarize Attempts = count() by UserPrincipalName, IPAddress
| where Attempts > Threshold
```
Question 133hardmultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. This is a snippet from an automation rule in Microsoft Sentinel. What is the purpose of the 'RunQuery' action?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Investigate-Suspicious-Signin",
    "triggers": [
      {
        "type": "SentinelIncident",
        "conditions": [
          {
            "condition": "AlertName",
            "operator": "Equals",
            "value": "Suspicious sign-in activity"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunQuery",
        "query": "SigninLogs | where UserPrincipalName == @{trigger().outputs?.Incident?.Entities[0]?.UserPrincipalName}"
      }
    ]
  }
}
```
Question 134easymultiple choice
Read the full Respond to security incidents explanation →

An incident in Microsoft Sentinel has been classified as a true positive. According to the incident response process, what should the analyst do next?

Question 135mediummultiple choice
Read the full Respond to security incidents explanation →

During an investigation, you need to check if any user has been assigned privileged roles in Microsoft Entra ID outside of normal business hours. Which data source would provide this information?

Question 136hardmultiple choice

You are investigating an incident where a user reported receiving a suspicious email with a malicious attachment. Microsoft Defender for Office 365 did not block it. The email originated from a known malicious sender domain. What configuration should you check first?

Question 137easymultiple choice
Read the full Respond to security incidents explanation →

You receive an incident in Microsoft Sentinel that is a low-confidence alert from Microsoft Defender for Identity. What should be your first step?

Question 138mediummultiple choice
Read the full Respond to security incidents explanation →

After a security incident, you need to collect forensic evidence from a Windows 10 machine. Which Microsoft tool should you use to create a memory dump?

Question 139hardmultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. This JSON snippet is from an Azure Web Application Firewall (WAF) policy. What does this rule do?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Malicious IP Block Rule",
  "properties": {
    "rules": [
      {
        "name": "BlockMaliciousIP",
        "matchConditions": [
          {
            "matchVariable": "RemoteAddr",
            "operator": "IPMatch",
            "matchValue": "10.0.0.1"
          }
        ],
        "action": {
          "type": "Block"
        }
      }
    ]
  }
}
```
Question 140mediummultiple choice
Read the full Respond to security incidents explanation →

You are responding to an incident where a user's credentials were stolen via a phishing email. The attacker used the credentials to access Microsoft Entra ID and then tried to perform privileged role escalation. Which Microsoft Sentinel solution should you use to detect this type of attack?

Question 141mediummultiple choice

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed by a playbook before the investigation was complete. What should you do to prevent automatic closure in the future?

Question 142easymultiple choice
Read the full Respond to security incidents explanation →

During an incident response, you need to collect a forensic image of a Windows 10 device managed by Microsoft Intune. Which Microsoft Defender XDR feature should you use?

Question 143hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. An incident is created from a fusion detection that combines multiple signals. You need to ensure that when the incident is resolved, all related alerts are also resolved automatically. What should you do?

Question 144easymultiple choice
Read the full Respond to security incidents explanation →

A security analyst in your SOC receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded a large number of files from SharePoint in a short time. What is the most likely classification of this activity?

Question 145mediummultiple choice

Your organization uses Microsoft Sentinel. You need to create an incident response playbook that automatically isolates a compromised device when a high-severity incident is created. The playbook should only run during business hours (9 AM - 5 PM local time). How should you configure this?

Question 146mediummultiple choice

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel that triggers a playbook. The rule is not triggering. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "triggers": [
      {
        "logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/IsolateDevice",
        "triggerType": "IncidentCreated",
        "conditions": [
          {
            "property": "Status",
            "operator": "Equals",
            "value": "Active"
          }
        ]
      }
    ]
  }
}
```
Question 147hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender XDR. A security administrator reports that a user's device is showing high severity alerts for 'Tampering with Microsoft Defender Antivirus' but the device is not isolated. You need to ensure that when such alerts occur, the device is automatically isolated in Microsoft Defender for Endpoint. What should you do?

Question 148easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. An incident has been identified as a false positive. What is the recommended action to prevent similar false positives in the future?

Question 149hardmultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are investigating why the query returns only two rows (High and Medium) even though there are Low severity alerts. What is the problem?

Exhibit

Refer to the exhibit.
```kql
SecurityAlert
| where TimeGenerated > ago(7d)
| extend severity = case(
    AlertSeverity == "High", "High",
    AlertSeverity == "Medium", "Medium",
    "Low")
| summarize Total = count() by severity
| order by severity asc
```
Question 150mediummulti select
Read the full Respond to security incidents explanation →

Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender XDR?

Question 151hardmulti select
Read the full Respond to security incidents explanation →

Which THREE actions should be taken when a phishing attack is detected in Microsoft Defender XDR?

Question 152easymulti select
Read the full Respond to security incidents explanation →

Which TWO are valid incident classification categories in Microsoft Sentinel?

Question 153mediummultiple choice
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are configuring an analytics rule in Microsoft Sentinel. What is the effect of this configuration?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": true,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5H",
        "matchingMethod": "AllEntities",
        "groupByEntities": [],
        "groupByAlertDetails": [],
        "groupByCustomDetails": []
      }
    }
  }
}
```
Question 154hardmultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You need to implement a custom incident response process that requires approval before taking action on an incident. What should you use?

Question 155easymultiple choice
Read the full Respond to security incidents explanation →

A security analyst receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request. What is the first step the analyst should take?

Question 156mediummultiple choice
Read the full Respond to security incidents explanation →

You are a security analyst investigating a detected phishing campaign targeting users in your organization. The Microsoft Defender for Office 365 alert indicates that several users clicked on a malicious link. Which action should you take first to prevent further compromise?

Question 157hardmultiple choice
Read the full Respond to security incidents explanation →

During a ransomware incident, the security team needs to prevent the encryption of files while allowing the investigation to continue. Which feature in Microsoft Defender for Endpoint should be used to achieve this?

Question 158easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. An incident is created for a possible data exfiltration via an unapproved external IP address. Which type of Microsoft Sentinel automation should you use to automatically block the IP address in the firewall?

Question 159mediummultiple choice
Read the full Respond to security incidents explanation →

You have detected a suspicious PowerShell command running on several workstations. The command appears to be downloading a payload from a known malicious URL. What is the most effective immediate response using Microsoft Defender for Endpoint?

Question 160hardmultiple choice
Read the full Respond to security incidents explanation →

A security administrator receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request from a domain controller. The alert suggests a possible Golden Ticket attack. Which action should the administrator take to validate the alert?

Question 161easymultiple choice
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud Apps. You receive an alert that an administrator performed an unusual bulk download from SharePoint. What is the recommended first step to respond?

Question 162mediummultiple choice
Read the full Respond to security incidents explanation →

A Microsoft Defender for Endpoint alert indicates that a device has been communicating with a known command-and-control (C2) server. The device is critical for production. What is the most appropriate response?

Question 163hardmultiple choice
Read the full Respond to security incidents explanation →

You are investigating a lateral movement incident in Microsoft Defender for Endpoint. The timeline shows that a user's credentials were used from a compromised workstation to access a sensitive server. Which action should you take to contain the incident?

Question 164easymultiple choice
Read the full Respond to security incidents explanation →

An incident is opened in Microsoft Sentinel for multiple sign-in failures from a single IP address targeting a privileged user account. Which action is most effective in automatically responding to this incident?

Question 165mediummulti select
Read the full Respond to security incidents explanation →

Which TWO actions are appropriate when responding to a confirmed malware outbreak on multiple workstations identified by Microsoft Defender for Endpoint?

Question 166hardmulti select
Read the full Respond to security incidents explanation →

Which TWO actions should be taken to respond to a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

Question 167easymulti select
Read the full Respond to security incidents explanation →

Which THREE steps are part of the incident response process when using Microsoft Sentinel?

Question 168hardmultiple choice
Read the full Respond to security incidents explanation →

The KQL query shown in the exhibit is used in a Microsoft Sentinel analytics rule. What is the purpose of this rule?

Exhibit

Refer to the exhibit.

```kql
// KQL query in Microsoft Sentinel
let threshold = 10;
let timeframe = 1h;
SigninLogs
| where TimeGenerated > ago(timeframe)
| where ResultType == "50057" // User account disabled
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > threshold
| join kind=inner (IdentityInfo | project UserPrincipalName, AccountEnabled) on UserPrincipalName
| where AccountEnabled == false
```
Question 169mediummultiple choice

The exhibit shows a partial playbook trigger configuration in Microsoft Sentinel. When will this playbook be triggered?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block Malicious IP",
    "description": "Playbook to block IP in firewall",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/incidents",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          }
        ]
      }
    ],
    "actions": [...]
  }
}
```

Question 170 · easy · multiple choice

The exhibit shows the output of a Microsoft Defender for Endpoint API call to get machine information. What does the isolationStatus value indicate?

Exhibit

Refer to the exhibit.

```json
{
  "value": [
    {
      "id": "12345",
      "machineName": "PC-001",
      "isolationStatus": "Isolated",
      "isolationState": "Isolated",
      "healthStatus": "Healthy"
    }
  ]
}
```

Question 171 · easy · multiple choice

Your organization is using Microsoft Defender for Office 365. A user reports receiving a suspicious email that appears to be from the CEO requesting an urgent wire transfer. You need to investigate the email and take immediate action. What should you do first?

Question 172 · medium · multiple choice

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to reduce similar false positives in the future without affecting legitimate detections. What should you do?

Question 173 · hard · multiple choice

Your organization is using Microsoft Defender for Cloud to protect Azure workloads. A critical vulnerability was discovered in a virtual machine that is part of a production application. The vulnerability has a high severity score and is actively being exploited in the wild. You need to respond quickly to mitigate the risk. What is the most effective immediate action?

Question 174 · medium · multiple choice

Your organization uses Microsoft Defender XDR. A user reports that their device is behaving erratically, with unexpected pop-ups and high CPU usage. You suspect malware infection. You need to collect forensic data from the device for analysis. What should you do?

Question 175 · medium · multi select

Your organization uses Microsoft Sentinel. You have been asked to configure automated responses to security incidents. Which TWO of the following can be used to automate responses in Microsoft Sentinel?

Question 176 · hard · multi select

Your organization uses Microsoft Defender XDR. A security incident involving a compromised user account has been identified. Which THREE actions should you take to contain and remediate the incident?

Question 177 · easy · multi select

Your organization uses Microsoft Sentinel. You are investigating an incident and need to gather additional context about a suspicious IP address. Which TWO Microsoft Sentinel features can you use to enrich the investigation?

Question 178 · hard · multiple choice

Your organization uses Microsoft Defender for Identity and Microsoft Defender XDR. You receive an alert about a suspicious LDAP query originating from a domain controller. The alert indicates potential use of the DCSync attack technique. What is the most effective immediate action to contain the attack?

Question 179 · easy · multiple choice

Your organization uses Microsoft Sentinel. You have configured a data connector to ingest events from a third-party firewall. However, you notice that the logs are not appearing in Sentinel. What is the first thing you should check?

Question 180 · medium · multiple choice

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user has been accessing sensitive data from an anonymous IP address. The user's account appears to be compromised. You need to prevent further data exfiltration. What should you do?

Question 181 · hard · multiple choice

Your organization uses Microsoft Sentinel. You have a scheduled analytics rule that queries Windows Security Events to detect local admin group modifications. The rule runs every hour and looks back 1 hour. However, you are missing events that occur within the first few minutes of the hour. What is the most likely cause?

Question 182 · easy · multiple choice

Your organization uses Microsoft Defender XDR. You receive an alert about a potentially unwanted application (PUA) being installed on a device. The PUA is not blocked by your current policy. You need to prevent future installations of this PUA without affecting other software. What should you do?

Question 183 · hard · multiple choice

Your organization uses Microsoft Sentinel and Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps). You have an incident response team that operates 24/7. Recently, there have been multiple incidents involving users receiving phishing emails that lead to credential theft. The phishing emails are sophisticated and bypass Exchange Online Protection (EOP) and Defender for Office 365's built-in phishing filters. The emails contain links to fake login pages that harvest credentials. Once credentials are stolen, the attacker uses them to sign in from anonymous IP addresses and attempts to access sensitive data in SharePoint Online. You need to design a response strategy that includes automated containment and investigation. The solution must:

- Automatically disable user accounts when a phishing incident is confirmed.
- Automatically trigger an investigation into the user's activity in Microsoft Defender for Cloud Apps.
- Send a notification to the incident response team with a summary of the incident.
- Minimize manual effort.

You have the following components available:

- Microsoft Sentinel with automation rules and playbooks.
- Microsoft Defender XDR with advanced hunting.
- Microsoft Power Automate.

What is the most efficient way to achieve these requirements?

Question 184 · easy · multiple choice

Your organization uses Microsoft Sentinel. A security analyst receives an alert for a suspicious sign-in from an unfamiliar IP address. The analyst wants to quickly check if the same IP address has been associated with any other alerts in the past 30 days. Which action should the analyst take?

Question 185 · medium · multiple choice

During an incident response, a security analyst identifies that a user's account was used to access sensitive data from an anomalous location. The analyst needs to immediately prevent further access from that account while preserving forensic data. Which action should the analyst take?

Question 186 · hard · multiple choice

The exhibit shows an automation rule in Microsoft Sentinel. The analyst reports that the playbook is not triggered for high-severity incidents. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block malicious IPs",
    "trigger": {
      "type": "IncidentCreated",
      "conditions": [
        {
          "name": "High severity",
          "field": "Severity",
          "operator": "Equals",
          "value": "High"
        }
      ]
    },
    "actions": [
      {
        "name": "Run playbook",
        "type": "RunPlaybook",
        "properties": {
          "logicAppResourceId": "/subscriptions/.../block-ip",
          "tenantId": "..."
        }
      }
    ]
  }
}
```

Question 187 · easy · multiple choice

A SOC analyst receives a Microsoft Defender for Cloud Apps alert about a mass download of files from a SharePoint site by a single user. The analyst needs to contain the incident. Which action should be taken first?

Question 188 · medium · multiple choice

Your organization uses Microsoft Defender XDR. The incident queue shows multiple alerts related to a single endpoint: malware detected, suspicious PowerShell execution, and data exfiltration attempts. The analyst needs to investigate the incident. Which tool should the analyst use to correlate these events?

Question 189 · hard · multiple choice

The exhibit shows a KQL query used during incident investigation. The analyst wants to identify devices with an unusually high number of outbound connections to public IPs. The query returns no results, though the analyst suspects there should be some. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public"
| summarize ConnectionCount = count() by DeviceName, RemoteIP
| where ConnectionCount > 100
| sort by ConnectionCount desc
```

Question 190 · easy · multiple choice

A security analyst in Microsoft Sentinel receives an incident with a high severity alert from Microsoft Defender for Identity. The incident description mentions a suspected lateral movement pass-the-hash attack. What should the analyst do first?

Question 191 · medium · multiple choice

During a ransomware incident, an analyst needs to identify which files were encrypted on an endpoint. The endpoint is running Windows and is managed by Microsoft Defender for Endpoint. Which data source should the analyst query in Advanced hunting?

Question 192 · hard · multiple choice

Your organization's Microsoft Sentinel workspace ingests logs from multiple regions. During an incident, you need to search for a specific user's activity across all workspaces in a single query. What is the most efficient way to accomplish this?

Question 193 · easy · multi select

Which TWO actions should be taken immediately when a compromised user account is detected in Microsoft Entra ID?

Question 194 · medium · multi select

Which THREE features in Microsoft Sentinel allow an analyst to automate incident response actions?

Question 195 · hard · multi select

Which TWO of the following are valid methods to retrieve data from Microsoft Sentinel for external analysis during an incident?

Question 196 · medium · multiple choice

Your organization uses Microsoft Sentinel with Microsoft Defender XDR integrated. A critical incident has been raised involving a user account that was used to access a confidential SharePoint site from an unusual location at 2:00 AM. The incident includes alerts from Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and Microsoft Defender for Office 365. The analyst needs to contain the incident, investigate the scope, and begin remediation. The environment has the following: Microsoft Entra ID with conditional access policies, Microsoft Intune for device management, and Microsoft Defender for Endpoint on all devices. The analyst has identified the user account and the device used. Which course of action should the analyst take first?

Question 197 · hard · multiple choice

You are a SOC analyst at Contoso Ltd. The company uses Microsoft Sentinel and Microsoft Defender XDR. A high-severity incident is generated from a Sentinel analytics rule that detects multiple failed logins followed by a successful login from a geographically unusual location for a user. The incident includes an alert from Microsoft Defender for Identity indicating a possible brute-force attack. The user's account is a privileged administrator. Your organization has strict compliance requirements: any privileged account compromise must be contained within 15 minutes of detection. You have the following tools available: Microsoft Entra ID with Privileged Identity Management (PIM), Microsoft Defender for Cloud Apps, and Microsoft 365 Defender automation rules. The incident is now 5 minutes old. What should you do to meet the compliance requirement?

Question 198 · medium · multiple choice

Your company uses Microsoft Sentinel as its SIEM. You are investigating an incident where a user reported receiving a phishing email that appeared to come from the CEO requesting a wire transfer. The user did not respond. However, the incident also contains alerts from Microsoft Defender for Office 365 indicating that other users clicked on a malicious link in a similar email. The email was sent to 100 users. The company has Microsoft Defender for Endpoint deployed on all devices. The incident requires immediate containment to prevent further compromise. What should you do first?

Question 199 · medium · multiple choice

A security analyst detects a suspicious sign-in from an unfamiliar IP address for a user with high privileges. The analyst wants to immediately contain the threat while preserving the user's ability to work with proper approvals. What is the most effective first step?

Question 200 · hard · multiple choice

During a ransomware incident, the security team needs to prevent further encryption while preserving forensic data. Which action best achieves this balance?

Question 201 · easy · multiple choice

An incident response playbook in Microsoft Sentinel has a step: 'Investigate the user's recent activities using Microsoft 365 Defender.' Which data source would provide the most relevant information for this step?

Question 202 · hard · multiple choice

The analyst notices that the rule does not fire for a user who has 12 sign-ins from the same IP address, but all are low risk. The expected behavior is to alert when a single user has more than 10 sign-ins from the same IP with at least one high-risk sign-in. What is the issue?

Exhibit

Refer to the exhibit. The following KQL query is used in a Microsoft Sentinel analytics rule to detect anomalous Azure AD sign-ins:

```kql
let threshold = 10;
SigninLogs
| where TimeGenerated > ago(1h)
| summarize count() by UserPrincipalName, IPAddress
| where count_ > threshold
| join kind=inner (SigninLogs
| where TimeGenerated > ago(1h)
| where RiskLevelDuringSignIn == "high")
on UserPrincipalName, IPAddress
```

Question 203 · medium · multiple choice

A SOC analyst needs to automate response to a phishing email reported by a user. The playbook should automatically block the sender in Exchange Online and delete the email from all recipients. Which Microsoft Sentinel automation action should the analyst use?

Question 204 · easy · multiple choice

During an incident, an analyst wants to use Microsoft Defender XDR's automatic attack disruption to contain an ongoing attack. What prerequisite must be met?

Question 205 · hard · multiple choice

A company uses Microsoft Sentinel with Microsoft Defender for Cloud Apps. An incident is created when a user downloads 500 GB from SharePoint in one hour. The analyst wants to create a playbook that automatically suspends the user in Microsoft Entra ID when such activity is detected. Which connector and action should the analyst use in the playbook?

Question 206 · medium · multiple choice

An analyst is investigating a potential data exfiltration incident involving a user who accessed sensitive files from a personal device. The analyst wants to gather evidence about the device's compliance status and recent activity. Which Microsoft Intune feature should the analyst use?

Question 207 · easy · multiple choice

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user has signed in from a banned country. The analyst needs to block further access from that country for all users. What should the analyst configure?

Question 208 · medium · multi select

Which TWO actions should an analyst take when a confirmed ransomware incident is detected on multiple endpoints? (Choose TWO.)

Question 209 · hard · multi select

Which THREE elements are essential when creating a custom incident response playbook in Microsoft Sentinel? (Choose THREE.)

Question 210 · easy · multi select

Which TWO are valid methods to collect forensic evidence from a compromised Windows endpoint during an incident? (Choose TWO.)

Question 211 · medium · multi select

Which THREE indicators of compromise (IOCs) are commonly used in Microsoft Sentinel to detect advanced persistent threats (APTs)? (Choose THREE.)

Question 212 · hard · multi select

Which TWO playbook actions can be used to automatically contain a compromised user account in Microsoft Entra ID during an incident? (Choose TWO.)

Question 213 · hard · multiple choice

Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint protection. You have a custom analytics rule that triggers on suspicious PowerShell activity. The rule uses the following KQL query:

```kql
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| where InitiatingProcessFileName != "explorer.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```

The rule generates incidents that are assigned to the SOC team for investigation. However, analysts report that they are spending too much time manually collecting additional process details for each alert. You need to automate the enrichment of these incidents with additional context, such as parent process details, network connections, and file creation events from the same device within the last hour. The enrichment should be triggered automatically when an incident is created, and the results should be added as a comment to the incident. You have access to Azure Logic Apps and Azure Automation. Which approach should you use?

Question 214 · medium · multiple choice

You are a security analyst at Contoso. A user reports that they received a suspicious email with an attachment named "Invoice.pdf.exe". The user did not open the attachment. You need to investigate this potential threat using Microsoft Defender XDR. You want to determine if any other users received the same email, and whether the attachment was detonated in a sandbox. You also want to block the sender domain and the attachment hash across the organization if it is malicious. You have the email message ID from the user. You have appropriate permissions to use advanced hunting and take action. Which set of actions should you take in Microsoft 365 Defender?

Question 215 · easy · multiple choice

Your company uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is created when a user performs an unusual mass download from SharePoint Online. The playbook assigned to the incident automatically suspends the user account in Microsoft Entra ID. However, after investigation, the user's activity is determined to be legitimate (they were backing up data for a migration). You need to restore the user's account and ensure that the user can access all resources immediately. You also need to update the incident to reflect the findings. What should you do?

Question 216 · easy · multiple choice

Your organization uses Microsoft Sentinel. A security analyst reports a high number of false positives from a scheduled analytics rule that detects anomalous sign-ins. The rule uses the 'UserAgent' field in the SigninLogs table. What is the best practice to reduce false positives while maintaining detection coverage?

Question 217 · medium · multiple choice

Your company uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. The email contains an external link to a credential harvesting site. You need to block similar emails in the future. What should you do?

Question 218 · hard · multiple choice

Your organization uses Microsoft Defender for Cloud Apps. A security investigator discovers that a user's session token was stolen and used to access sensitive data in SharePoint Online from an anomalous IP address. You need to immediately revoke the attacker's access while minimizing impact on the legitimate user. What should you do?

Question 219 · medium · multiple choice

Your organization uses Microsoft Sentinel. A fusion incident was created involving multiple alerts from different sources. You need to investigate the incident to determine if it is a true positive. What is the first step you should take?

Question 220 · medium · multi select

Your organization uses Microsoft 365 Defender. You are investigating a potential malware outbreak on several endpoints. Which TWO actions should you take to isolate affected devices and prevent lateral movement?

Question 221 · hard · multi select

Your organization uses Microsoft Sentinel. A new analytics rule is needed to detect brute-force attacks against your Azure SQL databases. The rule should minimize false positives and trigger only when multiple failed logins occur from a single IP address within a short time window. Which THREE components are essential for building this rule?

Question 222 · easy · multi select

Your organization uses Microsoft Defender for Cloud. You need to remediate a security recommendation that indicates a virtual machine is missing critical security updates. Which TWO actions should you take to remediate this recommendation?

Question 223 · hard · multiple choice

Refer to the exhibit. An alert in Microsoft Defender for Identity shows suspicious PowerCLI execution on an Exchange server. The service account 'svc_exchange' is used. What is the most likely true-positive scenario?

Exhibit

```json
{
  "alert": {
    "id": "alert-12345",
    "title": "Suspicious PowerCLI execution on Exchange Server",
    "severity": "High",
    "entities": [
      {
        "type": "host",
        "name": "EXCH01.contoso.com",
        "ipAddress": "10.0.1.10"
      },
      {
        "type": "user",
        "name": "svc_exchange"
      }
    ],
    "evidence": [
      {
        "source": "Microsoft Defender for Identity",
        "description": "PowerCLI executed remotely on Exchange server from IP 192.168.1.100"
      }
    ]
  }
}
```

Question 224 · medium · multiple choice

Your organization uses Microsoft Sentinel. You are responsible for responding to incidents. A new 'MFA Denied' incident is created from Microsoft Entra ID sign-in logs, indicating that a user in your organization had multiple MFA denials from a suspicious IP address (203.0.113.5). The user is a sales representative who frequently travels. The incident severity is Medium. The incident contains entities: user 'jsmith@contoso.com', IP address 203.0.113.5, and a device running Windows 11. You need to investigate and determine if this is a true positive. The user is currently on a business trip in Europe, but the sign-in attempts originated from an IP address in a different region. What should you do first?

Question 225 · hard · multiple choice

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You receive a high-severity incident indicating that a user's credentials were used to access a sensitive SharePoint site from an unmanaged device. The user, 'jdoe@contoso.com', is a senior executive. The IP address is from a public Wi-Fi hotspot. The incident includes a recommendation to apply session policy to block download of sensitive files. You need to create a policy in Microsoft Defender for Cloud Apps that blocks downloads from unmanaged devices for this specific user when accessing the sensitive site. The policy should trigger only when the user accesses the specific SharePoint site named 'ExecConfidential'. What should you do?

Question 226 · easy · multiple choice

Your organization uses Microsoft 365 Defender. A security analyst detects a malware infection on a single endpoint named 'SalesPC01'. The malware is identified as 'Trojan:Win32/Emotet'. The endpoint is currently isolated from the network by the automatic response. You need to remediate the infection. The malware has been detected and the endpoint is isolated. What should you do next?

Question 227 · medium · multiple choice

Your organization uses Microsoft Sentinel with the Microsoft Defender for Cloud connector enabled. You receive an incident that alerts on 'Suspicious resource deployment' from a user who has been compromised. The incident involves the deployment of a virtual machine in a subscription that is normally not used by that user. The incident severity is High. You need to contain the threat immediately. The deployment is still in progress. What should you do first?

Question 228 · hard · multiple choice

Your organization uses Microsoft 365 Defender. An incident is created for a user who received a phishing email that contained a link to a malicious website. The user clicked the link but did not enter any credentials. The incident includes the alert 'Phishing delivered' from Microsoft Defender for Office 365. You need to remediate the incident and prevent future occurrences. The user is in the Finance department and frequently receives emails from external vendors. What is the best course of action?

Question 229 · medium · multiple choice

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You receive an incident indicating that a user's account was used to sign in from an unusual location (Russia) while the user is in the United States. The sign-in was successful and no MFA challenge was prompted because the user had a valid session. The incident severity is High. You need to respond immediately. What should you do first?

Question 230 · hard · multiple choice

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud that a virtual machine has a high severity vulnerability: 'CVE-2023-XXXX' with a CVSS score of 9.8. The virtual machine is running a critical application for the finance department. You need to remediate the vulnerability as quickly as possible while minimizing downtime. The application vendor has not yet released a patch but has provided a workaround. What should you do?

Question 231 · medium · multi select

A security analyst is investigating a potential ransomware incident in Microsoft Defender XDR. The analyst needs to confirm the scope of the attack and halt further propagation. Which TWO actions should the analyst take first?

Question 232 · hard · multi select

During a security incident, a Microsoft Sentinel analytics rule generated an alert for a suspicious sign-in from an unusual location. The incident involves a user whose account has been compromised. The security team needs to take immediate actions to remediate and prevent further damage. Which THREE actions should the security team prioritize?

Question 233 · medium · multiple choice

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You receive an alert indicating that a user from the finance department accessed a sensitive SharePoint file from an IP address associated with a known malicious Tor exit node. The file contains payment information. The user's account has not been disabled. What should you do first to contain the incident?

Question 234 · hard · multiple choice

Your organization has deployed Microsoft Sentinel with the Microsoft Defender XDR connector. A high-severity incident is created for a user who received a phishing email that contained a malicious link. The user clicked the link, and the attacker gained access to the user's mailbox. The security team needs to remove the attacker's access and prevent future occurrences. What should you do first?

Question 235 · easy · multiple choice

You are investigating a security incident in Microsoft Sentinel involving a series of failed logon attempts followed by a successful logon from a different geographic location. The user's account is a privileged administrator. The incident is assigned a medium severity. What should you do first to contain the potential breach?

Question 236 · medium · multiple choice

You are a security analyst for a company using Microsoft Defender XDR. An incident is detected involving a device that has been communicating with a known command-and-control (C2) server. The device is currently online and the user is active. What should you do first to contain the threat?

Question 237 · hard · multiple choice

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An incident is created for a user whose credentials were used from an unusual location to access sensitive HR data. The user's account is a domain admin. The security team needs to ensure the attacker cannot use the account again. What should you do first?

Question 238 · easy · multiple choice

You are investigating a low-severity incident in Microsoft Sentinel where a user reported receiving a phishing email. The email was not blocked by the email security solution. The user did not click any links. What should you do first?

Question 239 · medium · multiple choice

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. An alert indicates that an external IP address is downloading large amounts of data from a SharePoint site containing confidential documents. The activity is coming from a valid user account that appears to be compromised. What should you do first to stop the data exfiltration?

Question 240 (hard, multiple choice)

Your organization has Microsoft Sentinel and Microsoft Defender for Identity deployed. An incident is created for a user whose account was used to access a sensitive database from an unusual workstation. The user is a member of the 'Database Admins' group. The security team needs to prevent further unauthorized access and preserve evidence. What should you do first?

Question 241 (medium, multiple choice)

A security analyst receives a Microsoft Defender for Cloud Apps alert about a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately prevent further access from that IP. What should the analyst do?

Question 242 (hard, multiple choice)

During an incident response, a SOC analyst identifies that a malicious PowerShell script was executed on multiple endpoints. The analyst needs to collect relevant files from all affected endpoints for further analysis. What should the analyst use?

Question 243 (easy, multiple choice)

An analyst is investigating a phishing campaign that targeted multiple users. The analyst needs to identify if any users clicked a malicious link in the email. Which Microsoft Defender for Office 365 feature should be used?

Question 244 (medium, multiple choice)

Your organization uses Microsoft Sentinel. A new incident is created from a fusion alert that combines multiple low-severity alerts. The analyst needs to determine the entities involved. What should the analyst review?

Question 245 (hard, multiple choice)

A SOC team uses Microsoft Sentinel with Microsoft Defender XDR integration. An incident is created from a Defender for Endpoint alert. The analyst wants to run a KQL query across all affected devices without creating a new analytics rule. How can the analyst achieve this?

Question 246 (medium, multiple choice)

During an incident, an analyst finds that a user's account was compromised and used to send spam. The analyst needs to revoke all active sessions for that user. What should the analyst do?

Question 247 (easy, multiple choice)

A security analyst receives a Microsoft Defender for Identity alert about a suspicious Kerberos attack. The analyst needs to contain the compromised account immediately. What should the analyst do?

Question 248 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud to protect Azure resources. A security alert indicates that a virtual machine (VM) is communicating with a known malicious IP. The analyst needs to isolate the VM from the network to prevent further data exfiltration. What should the analyst do?

Question 249 (hard, multiple choice)

A SOC analyst is responding to a ransomware incident. The analyst identifies that the ransomware encrypted files on a file share and left a ransom note. The analyst needs to prevent the ransomware from spreading to other shares. Which action should the analyst take first?

Question 250 (medium, multi select)

Which TWO actions should an analyst take when a user reports receiving a suspicious email with an attachment? (Select TWO.)

Question 251 (hard, multi select)

Which THREE steps are part of the containment phase of incident response in Microsoft Sentinel? (Select THREE.)

Question 252 (easy, multi select)

Which TWO are valid incident classification categories in Microsoft Sentinel? (Select TWO.)

Question 253 (hard, multiple choice)

Refer to the exhibit. An analyst runs the query to identify the top 10 entities with the most malware alerts. However, the query returns no results. What is the most likely reason?

Exhibit

Refer to the exhibit.

KQL Query:
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "Malware"
| extend CompromisedEntity = tostring(parse_json(Entities)[0].Name)
| summarize TotalAlerts = count() by CompromisedEntity
| order by TotalAlerts desc
| take 10
```

Exhibit: A KQL query in Microsoft Sentinel.

Question 254 (medium, multiple choice)

Refer to the exhibit. An analyst runs Get-MpThreat on a device. Based on the output, what is the status of the threat?

Exhibit

Refer to the exhibit.

PowerShell Output:
```powershell
PS C:\> Get-MpThreat

ThreatID          : 2147685180
Action            : 6
Category          : 22
DidThreatExecute  : False
IsActive          : False
InitialDetectionTime : 3/15/2025 10:30:00 AM
Resources         : {file:_C:\Users\Public\malware.exe}
```

Exhibit: Output from the Get-MpThreat cmdlet on a Windows 10 device.

Question 255 (easy, multiple choice)

Refer to the exhibit. An analyst runs the command to install the Azure Monitor Agent on a VM. What is the primary purpose of installing this agent in the context of security incident response?

Exhibit

Refer to the exhibit.

Azure CLI Output:
```shell
az vm extension set --resource-group MyResourceGroup --vm-name MyVM --name AzureMonitorWindowsAgent --publisher Microsoft.Azure.Monitor
```

Question 256 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and exhibiting unusual network activity. You run a live response session and find a suspicious process running. Which action should you take first to contain the threat?

Question 257 (easy, multiple choice)

You are investigating an incident in Microsoft Sentinel where a user account was used to sign in from an unfamiliar location and then accessed multiple sensitive files. Which step is most important to perform first?

Question 258 (hard, multiple choice)

During a security incident, you need to create a custom detection rule in Microsoft Sentinel to alert on multiple failed logins followed by a successful login from the same IP within 10 minutes. Which KQL function should you use to group events by IP address and time window?

Question 259 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading large amounts of data from SharePoint Online. What should you do first to investigate?

Question 260 (easy, multiple choice)

You receive a Microsoft Defender for Identity alert for a suspicious Kerberos ticket request. What is the most likely intent of this attack?

Question 261 (hard, multiple choice)

Refer to the exhibit. You are investigating a malware outbreak in Microsoft Sentinel. The KQL query returns no results. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kusto
SecurityAlert
| where AlertName == "Malware detected"
| where TimeGenerated >= ago(1h)
| summarize count() by ComputerName
| where count_ > 3
```

Question 262 (medium, multiple choice)

Your organization uses Microsoft Defender XDR. You receive an automated investigation that found a malicious file on a device. The investigation recommends 'Block the file'. What does this action do?

Question 263 (easy, multiple choice)

During an incident response, you need to collect forensic evidence from a compromised Windows device using Microsoft Defender for Endpoint live response. Which command should you use to gather running processes?

Question 264 (medium, multiple choice)

Your Microsoft Sentinel workspace receives logs from multiple sources. You need to ensure that an incident response playbook is triggered automatically when a specific alert is generated. What should you create?

Question 265 (hard, multi select)

Which TWO actions can you perform in Microsoft Defender XDR's automated investigation and response (AIR) to contain a threat? (Select TWO.)

Question 266 (medium, multi select)

Which THREE are valid investigation actions in Microsoft Sentinel? (Select THREE.)

Question 267 (easy, multi select)

Which TWO are valid methods to submit a file for analysis in Microsoft Defender for Endpoint? (Select TWO.)

Question 268 (hard, multiple choice)

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel to trigger a playbook when an alert is created. However, the playbook does not run. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block malicious IP",
    "triggers": [
      {
        "type": "AlertCreated",
        "logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/BlockIP"
      }
    ]
  }
}
```

Question 269 (medium, multiple choice)

Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to detect suspicious PowerShell activity. Why might this query generate many false positives?

Exhibit

Refer to the exhibit.

```kusto
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine
```

Question 270 (easy, multiple choice)

After containing a security incident, what is the most important next step in the incident response process?

Question 271 (medium, multiple choice)

Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert about suspicious activity from a user account indicating a potential ransomware attack. The analyst needs to quickly isolate the user's device and revoke the user's access to all cloud apps. What is the most efficient way to achieve this?

Question 272 (hard, multiple choice)

During a security incident, your team needs to preserve evidence from a Microsoft Defender for Endpoint onboarded device for forensic analysis. The device is still running and connected to the network. Which action should be taken to collect a forensic image while minimizing disruption?

Question 273 (easy, multiple choice)

Your organization uses Microsoft Sentinel. A security incident is created, and the assigned analyst needs to perform initial triage. What is the first step the analyst should take according to Microsoft best practices for incident response?

Question 274 (medium, multiple choice)

Your Microsoft Sentinel workspace ingests logs from multiple sources. During an incident, you need to quickly identify all user accounts that have been compromised based on a known malicious IP address. Which KQL operator is most efficient for this?

Question 275 (hard, multiple choice)

Your organization uses Microsoft Purview Data Loss Prevention (DLP) and Microsoft Defender for Cloud Apps. During an incident, you discover that a user is exfiltrating sensitive data via a sanctioned cloud app. You need to block the user's ability to share files in that app immediately. What should you do?

Question 276 (easy, multiple choice)

Your team uses Microsoft Sentinel to manage incidents. You want to automatically assign incidents with a severity of 'High' to the Tier 2 security team. Which feature should you configure?

Question 277 (medium, multiple choice)

During an incident response, you need to collect email messages from a user's mailbox in Microsoft 365 for evidence. The user is suspected of phishing. Which Microsoft Purview solution should you use?

Question 278 (hard, multiple choice)

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule triggers when an incident is created, changes its status to 'Active', assigns it to 'tier2', and runs a playbook. However, you notice that the playbook is not executing for incidents with severity 'Low'. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "displayName": "Ransomware Detection",
  "description": "Detects ransomware patterns",
  "severityFilter": "High,Medium",
  "triggers": [
    { "type": "IncidentCreated", "conditions": [] }
  ],
  "actions": [
    { "type": "RunPlaybook", "playbookId": "/subscriptions/.../playbook1" },
    { "type": "ChangeStatus", "status": "Active" },
    { "type": "AssignOwner", "owner": "tier2" }
  ]
}
```

Question 279 (easy, multiple choice)

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel during an investigation. The analyst expects to see alerts related to malware from IP 10.0.0.5 but receives no results. The SecurityAlert table contains data from the last 24 hours. What is the most likely reason for no results?

Exhibit

Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName contains "malware"
| extend parsed = parse_json(ExtendedProperties)
| where parsed.IPAddress == "10.0.0.5"
| project AlertName, TimeGenerated, IPAddress = parsed.IPAddress, AccountUpn = parsed.AccountUpn
```

Question 280 (medium, multi select)

Your organization is responding to a ransomware incident. Which TWO actions should be taken first to contain the incident while preserving forensic evidence?

Question 281 (hard, multi select)

A security analyst is investigating a potential data exfiltration incident in Microsoft Sentinel. The analyst needs to identify which users may have been compromised. Which THREE data sources should be queried to gather the most relevant evidence?

Question 282 (easy, multi select)

Your organization uses Microsoft 365 Defender. During an incident, which TWO actions can be taken directly from the Microsoft 365 Defender portal to remediate a compromised email account?

Question 283 (medium, multi select)

Your team uses Microsoft Defender for Endpoint. An incident involving a device is identified as a high-severity malware infection. Which THREE remediation actions can be performed directly from the incident in Microsoft 365 Defender?

Question 284 (hard, multi select)

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a security incident involving a compromised Azure VM, which THREE actions are appropriate to contain and investigate the incident?

Question 285 (medium, multiple choice)

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule definition. The rule is intended to automatically change the severity to High, assign to tier2, and set status to Active for incidents triggered by alerts containing 'malware'. However, incidents are not being updated. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Malware detection playbook",
    "triggers": [
      {
        "type": "Microsoft.SecurityInsights/AlertRule",
        "conditions": [
          {
            "property": "AlertName",
            "operator": "Contains",
            "value": "malware"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "Microsoft.SecurityInsights/Incident",
        "order": 1,
        "actionConfiguration": {
          "severity": "High",
          "owner": "tier2",
          "status": "Active"
        }
      }
    ]
  }
}
```

Question 286 (medium, multiple choice)

Your security team is investigating a suspicious sign-in from an unfamiliar IP address. The user has Microsoft Entra ID P2 licenses and is assigned a Conditional Access policy that requires MFA for all cloud apps. During the incident response, you find that the sign-in succeeded despite the user not completing MFA. Which action should you take first to investigate the discrepancy?

Question 287 (hard, multiple choice)

During a ransomware incident, a security analyst needs to isolate an affected Windows 10 device managed by Microsoft Intune. The device is currently online and connected to the corporate network. Which remediation action should be taken from Microsoft Defender XDR to achieve this?

Question 288 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You receive a high-severity incident indicating a potential data exfiltration from an Azure Storage account. The incident contains entities such as IP addresses and user accounts. Which step should you perform first to contain the threat?

Question 289 (medium, multiple choice)

Your security operations center (SOC) uses Microsoft Sentinel with a custom analytics rule that generates an incident when more than 10 failed logons occur within 5 minutes. During a review, you notice that a single user triggered the rule by forgetting their password multiple times. The incident was automatically closed by a playbook. What is the most effective way to reduce false positives for this rule?

Question 290 (hard, multiple choice)

A security analyst is investigating an incident involving a suspicious process that was detected on multiple devices. The analyst wants to check if the same file hash was observed on other devices in the past 30 days. Which Microsoft 365 Defender table should be queried in KQL?

Question 291 (medium, multiple choice)

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that generates an incident for users with more than 5 failed sign-in attempts (error code 50057 indicates user account is disabled) from a single IP in the last hour. After enabling the rule, you receive too many incidents from a service account that legitimately fails frequently. How should you modify the query to reduce false positives?

Exhibit

Refer to the exhibit.
```kusto
let TimeFrame = 1h;
let Threshold = 5;
SigninLogs
| where TimeGenerated > ago(TimeFrame)
| where Status.errorCode == 50057
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > Threshold
```

Question 292 (easy, multiple choice)

An analyst in your SOC receives a Microsoft Defender for Cloud Apps alert indicating a suspicious Power Automate flow that is forwarding emails to an external domain. The analyst needs to disable the flow immediately. Which action should they take?

Question 293 (hard, multiple choice)

During an incident response, you need to collect forensic evidence from a compromised Azure virtual machine that is currently offline. What is the most efficient method to acquire a disk snapshot for analysis while preserving the integrity of the evidence?

Question 294 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You have a custom analytics rule that triggers on a Defender for Endpoint alert. When the rule triggers, a playbook is executed that creates an incident in Microsoft Sentinel and sends a message to a Teams channel. The playbook fails to execute. Which permission should you verify first?

Question 295 (medium, multi select)

Which TWO actions can be taken directly from within a Microsoft Sentinel incident to aid in investigation? (Choose two.)

Question 296 (hard, multi select)

Which THREE of the following are valid incident types in Microsoft 365 Defender? (Choose three.)

Question 297 (easy, multi select)

Which TWO response actions are available in Microsoft Defender for Endpoint for a compromised device? (Choose two.)

Question 298 (medium, multiple choice)

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel to block IP addresses from high-severity incidents. The rule triggers on incident creation but fails to block the IP. What is the most likely cause?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Block malicious IPs",
    "triggers": [
      {
        "type": "incidentTrigger",
        "conditions": [
          {
            "property": "incident.severity",
            "operator": "Equals",
            "value": "High"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "blockIP",
        "value": "{{incident.entities.IP}}"
      }
    ]
  }
}
```

Question 299 (medium, multiple choice)

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Defender XDR to find devices running encoded PowerShell commands in the last hour. The query returns results showing a device named 'DESKTOP-123' with account 'jdoe'. The analyst suspects malicious activity. Which immediate next step should the analyst take?

Exhibit

Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-enc"
| project DeviceName, AccountName, ProcessCommandLine
| take 10
```

Question 300 (hard, multiple choice)

Refer to the exhibit. An Azure administrator deploys this ARM template to create a Microsoft Sentinel automation rule. After deployment, the automation rule does not trigger when a high-severity incident is created. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.Security/automations",
  "apiVersion": "2021-01-01-preview",
  "properties": {
    "actions": [
      {
        "type": "LogicApp",
        "order": 1,
        "logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/MyPlaybook"
      }
    ],
    "sources": [
      {
        "sourceType": "Incidents",
        "ruleSets": [
          {
            "rules": [
              {
                "property": "Severity",
                "operator": "Equals",
                "expectedValue": "High"
              }
            ]
          }
        ]
      }
    ]
  }
}
```

Question 301 (medium, multiple choice)

You are investigating a potential ransomware incident in Microsoft Defender XDR. The incident has a high severity alert indicating that a user installed a suspicious application. Which initial response action should you take to contain the threat while preserving evidence?

Question 302 (easy, multiple choice)

During a security incident, you need to collect email messages associated with a phishing campaign from multiple mailboxes in Microsoft 365. Which tool should you use to search and export these emails?

Question 303 (hard, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During an incident, you receive a critical alert for a user who is reported as compromised. You need to verify if the compromise is real and respond quickly. Which feature should you use to automatically trigger a playbook that contains the account?

Question 304 (medium, multiple choice)

You are responding to a data exfiltration incident involving a user who copied sensitive files to a personal cloud storage service. The files were accessed from the user's managed device. Which Microsoft Defender for Cloud Apps activity policy should you create to detect similar future incidents?

Question 305 (easy, multiple choice)

During an incident investigation, you find that a user's credentials were used to sign in from an unfamiliar location. You want to force a password reset and revoke all sessions immediately. Which action should you take in the Microsoft 365 Defender portal?

Question 306 (hard, multiple choice)

Your incident response team uses Microsoft Sentinel with automation rules and playbooks. During an incident, you need to automatically collect a memory dump from an affected Windows server and upload it to an Azure storage account for analysis. Which type of playbook should you use?

Question 307 (medium, multiple choice)

You are investigating a suspicious sign-in reported in Microsoft Defender for Cloud Apps. The activity shows that a user accessed a sensitive SharePoint site from an anonymous IP address. What is the most effective immediate response to prevent further access?

Question 308 (hard, multiple choice)

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You have a critical incident that involves multiple alerts across different services. The incident is being updated with new alerts. You need to ensure that a specific playbook runs only when the incident severity is updated to High. How should you configure the automation rule?

Question 309 (easy, multiple choice)

During an incident response, you need to collect forensic data from a compromised Linux server that is not managed by Microsoft Defender for Endpoint. You plan to use a manual collection script. Which tool should you use to securely upload the collected data to Azure for analysis?

Question 310 (hard, multi select)

You are responding to a ransomware incident where multiple devices are encrypted. The incident is captured in Microsoft Sentinel. Which TWO actions should you take first to contain the incident?

Question 311 (medium, multi select)

Which THREE of the following are valid incident response actions in Microsoft Defender XDR?

Question 312 (hard, multi select)

You are investigating a data exfiltration incident in Microsoft Defender for Cloud Apps. The investigation reveals that a user downloaded sensitive files from SharePoint and uploaded them to a third-party cloud storage app. Which THREE actions should you take to contain the incident?

Question 313 (medium, multiple choice)

You deploy this ARM template to a Microsoft Sentinel workspace. After deployment, you notice that the saved search does not appear as an analytics rule. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[concat(parameters('workspaceName'), '/', 'SuspiciousLogins')]",
      "properties": {
        "displayName": "Suspicious Logins",
        "category": "Security",
        "query": "SigninLogs | where RiskLevelDuringSignIn == 'medium' or RiskLevelAggregated  == 'medium' | where TimeGenerated > ago(1h)",
        "tags": [
          {"name": "Suspicious", "value": "High"}
        ]
      }
    }
  ]
}
```

Question 314 (medium, multiple choice)

You are investigating a potential malicious PowerShell execution in Microsoft Defender for Endpoint using this KQL query in Advanced Hunting. The query returns no results. What is the most likely cause?

Exhibit

Refer to the exhibit.

```kusto
// KQL query from Microsoft Sentinel
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ProcessCreated"
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| take 100
```

Question 315 (hard, multiple choice)

You have an automation rule in Microsoft Sentinel configured as shown. An incident with severity Medium is created, but the playbook does not run. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
// Microsoft Sentinel automation rule configuration (partial)
{
  "triggerType": "Incident",
  "conditions": [
    {
      "property": "Severity",
      "operator": "Equals",
      "value": "Medium"
    }
  ],
  "actions": [
    {
      "order": 1,
      "actionType": "RunPlaybook",
      "playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/Playbook1"
    }
  ]
}
```

Question 316 (medium, multiple choice)

Your security team receives an alert from Microsoft Defender for Endpoint indicating a suspicious PowerShell command was executed on a device. The command attempted to download a payload from a known malicious IP. After confirming the alert is a true positive, what should be your first containment step?

Question 317 (hard, multiple choice)

During a ransomware incident, Microsoft Sentinel generated an incident with high severity. The incident includes alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Entra ID. Your team needs to automate the containment process. What is the best approach to automatically isolate affected devices and disable compromised accounts?

Question 318 (easy, multiple choice)

You are investigating a phishing incident in Microsoft Defender XDR. The alert indicates that a user clicked a malicious link in an email. After confirming the email was delivered to the user's inbox, what should be your first action?

Question 319 (medium, multiple choice)

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to respond to an incident involving data exfiltration from a virtual machine in West Europe. The incident was created from a custom analytics rule that queries the AzureActivity table. What should you do to ensure the incident contains all relevant evidence from the West Europe region?

Question 320 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You have created an automation rule in Microsoft Sentinel with the above configuration. The playbook isolates the device and disables the user account. After enabling the rule, you notice that a low-severity incident containing an alert titled 'Ransomware Behavior' did NOT trigger the automation. What is the most likely reason?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "displayName": "Isolate Compromised Device",
    "trigger": {
      "type": "SecurityIncident",
      "conditions": [
        {
          "property": "IncidentSeverity",
          "operator": "Equals",
          "value": "High"
        },
        {
          "property": "AlertTitle",
          "operator": "ContainsAny",
          "value": ["Malware", "Ransomware"]
        }
      ]
    },
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "<playbook-id>"
      }
    ]
  }
}
```
Question 321 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your Microsoft Defender XDR environment generates an incident indicating that a user's account was used to sign in from an anonymous IP address and then accessed sensitive data in SharePoint Online. After confirming the account is compromised, what should be your first containment step?

Question 322 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident, you need to collect forensic evidence from a compromised Linux server running in Azure. The server is not domain-joined and has the Azure Monitor Agent installed. You need to capture volatile data such as running processes and network connections. What is the most efficient method?

Question 323 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your security team detects a potential data exfiltration incident where an employee emailed sensitive customer data to a personal email address. The email was sent via Exchange Online. What is the immediate action to prevent further data loss?

Question 324 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You run this KQL query in Microsoft Defender for Endpoint advanced hunting as part of an incident investigation. The query returns zero results, but you suspect PowerShell execution with encoded commands occurred. What is the most likely reason for no results?

Exhibit

Refer to the exhibit.
```kql
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
```
Question 325 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE are valid response actions when using Microsoft Sentinel automation rules?

Question 326 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO are recommended first steps when responding to a confirmed ransomware incident in Microsoft Defender XDR?

Question 327 (easy, multi select)
Read the full Respond to security incidents explanation →

Which THREE are valid incident severity levels in Microsoft Sentinel?

Question 328 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You are configuring a Microsoft Sentinel scheduled analytics rule with the above incident creation settings. What is the effect of setting 'groupingConfiguration.enabled' to false?

Exhibit

Refer to the exhibit.
```json
{
  "properties": {
    "incidentConfiguration": {
      "createIncident": true,
      "groupingConfiguration": {
        "enabled": false,
        "reopenClosedIncident": false,
        "lookbackDuration": "PT5M"
      }
    }
  }
}
```
Question 329 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating an incident in Microsoft Defender XDR that involves a user who clicked a link in a phishing email. The email was detected and blocked by Microsoft Defender for Office 365, but the user still clicked the link before it was blocked. The incident includes an alert for 'Malicious URL click'. What additional information should you check to determine if the user's credentials were compromised?

Question 330 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You run this KQL query in Microsoft 365 Defender advanced hunting to investigate an incident involving IP address 203.0.113.1. The query returns results, but you need to also see which devices communicated with this IP. How should you modify the query?

Exhibit

Refer to the exhibit.
```kql
AlertInfo
| where Timestamp > ago(1h)
| join kind=inner AlertEvidence on AlertId
| where EvidenceType == "ip" and EvidenceValue == "203.0.113.1"
| project Timestamp, AlertTitle, EvidenceValue
```
Question 331 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user from the finance department downloaded 500 files from SharePoint Online in 10 minutes. The analyst needs to determine if this is a true positive and, if so, contain the incident. Which action should the analyst take first?

Question 332 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident, a SOC analyst uses Microsoft Defender XDR to investigate a compromised device. The analyst needs to collect a memory dump for forensic analysis. Which action should the analyst take from the Microsoft Defender XDR portal?

Question 333 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A SOC analyst is reviewing an incident in Microsoft Sentinel that involves a user receiving a phishing email with a malicious attachment. The attachment was opened on a device managed by Microsoft Intune. Which Microsoft Defender XDR component would have provided the earliest detection of the malicious file?

Question 334 (medium, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Sentinel and Microsoft Defender XDR. A critical incident is created when a user is detected as compromised. The incident severity is set to High. The SOC manager wants to ensure that all incidents with severity High or above are automatically assigned to the senior analyst tier. What should the analyst configure?

Question 335 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. You have an automation rule in Microsoft Sentinel that triggers a playbook to isolate a device when a High severity incident is created. However, you notice that the playbook is not triggered for incidents that are created from analytics rules that use entity mapping. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.SecurityInsights/automationRules",
  "apiVersion": "2023-02-01",
  "name": "Auto-Isolate-High-Severity",
  "properties": {
    "displayName": "Auto-Isolate-High-Severity",
    "order": 1,
    "triggersOn": "Incidents",
    "triggersWhen": "Created",
    "conditions": [
      {
        "conditionProperties": {
          "propertyName": "Severity",
          "operator": "Equals",
          "propertyValues": ["High"]
        },
        "conditionType": "PropertyCondition"
      }
    ],
    "actions": [
      {
        "actionType": "RunPlaybook",
        "playbookName": "IsolateDevice",
        "logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/IsolateDevice"
      }
    ]
  }
}
```
Question 336 (easy, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident, a SOC analyst needs to collect evidence from multiple Microsoft 365 workloads including Exchange Online, SharePoint Online, and Teams. Which Microsoft Purview solution should the analyst use to perform a unified investigation?

Question 337 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A company uses Microsoft Defender XDR and has enabled automatic attack disruption for human-operated ransomware. During an incident, the system automatically contains a compromised account. However, the SOC team wants to ensure that the containment action is reversible and that the account can be restored after investigation. What should the team do before restoring the account?

Question 338 (hard, multiple choice)
Read the full Respond to security incidents explanation →

A SOC analyst is using Microsoft Sentinel to investigate an incident involving a user who accessed a sensitive database from an unusual location. The analyst wants to find all activities performed by this user within the last 24 hours from multiple data sources. Which KQL operator should the analyst use to combine the results of two queries that return different schemas?

Question 339 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel to investigate devices in the finance subnet. Which result would indicate that a device might be compromised?

Exhibit

Refer to the exhibit.

```kusto
DeviceInfo
| where Timestamp > ago(7d)
| where DeviceName has "finance"
| join kind=inner (
    DeviceNetworkInfo
    | where Timestamp > ago(7d)
    | where LocalIPAddress startswith "10."
) on DeviceId
| project Timestamp, DeviceName, LocalIPAddress, ConnectedNetworks
```
Question 340 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should a SOC analyst take immediately after confirming a ransomware incident in Microsoft Defender XDR?

Question 341 (medium, multi select)
Read the full Respond to security incidents explanation →

Which THREE components can be used in Microsoft Sentinel to automate incident response?

Question 342 (hard, multi select)
Read the full Respond to security incidents explanation →

Which TWO indicators of compromise (IOCs) are most likely to be included in a Microsoft Sentinel threat intelligence feed to detect a known malware campaign?

Question 343 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. A SOC analyst runs this Advanced Hunting query in Microsoft Defender XDR to detect potential living-off-the-land (LotL) attacks. An alert is triggered when a device shows multiple occurrences of 'mshta.exe' executing with a remote script. Which additional data source should the analyst check to confirm the attack?

Exhibit

Refer to the exhibit.

```kusto
// Microsoft Defender XDR Advanced Hunting query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine has_any ("powershell", "cmd", "wscript")
| where FileName has_any ("rundll32.exe", "regsvr32.exe", "mshta.exe")
| project Timestamp, DeviceName, ProcessCommandLine
```
Question 344 (easy, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Defender for Cloud Apps to detect anomalous behavior. An alert indicates that a user has signed in from an impossible travel scenario. The SOC analyst confirms the alert is a false positive due to a VPN. What should the analyst do to prevent future false positives for this user?

Question 345 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A SOC team uses Microsoft Sentinel and wants to automatically enrich incidents with threat intelligence from a third-party feed. Which feature should they configure to ingest the threat intelligence and correlate it with alerts?

Question 346 (easy, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, your team identifies a suspicious PowerShell command executed on multiple devices. Which Microsoft Defender XDR feature should you use to block the command across all endpoints immediately?

Question 347 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your incident response team receives an alert from Microsoft Sentinel for a user account that has been compromised. The alert indicates that the user's credentials were used from an unfamiliar location. What is the first action you should take?

Question 348 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your Microsoft Sentinel workspace is receiving a high volume of false positive alerts from a specific analytics rule. You need to suppress these alerts without disabling the rule. Which feature should you use?

Question 349 (medium, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident, you need to collect forensic evidence from a compromised Windows device. Which Microsoft Defender for Endpoint action should you use to collect a memory dump?

Question 350 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your security operations center (SOC) uses Microsoft Sentinel. An incident is created from a fusion alert. What does Fusion technology do?

Question 351 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization is using Microsoft Defender XDR. During an incident, you need to create a custom detection rule that triggers when a specific file hash is executed on any device. Which component should you use?

Question 352 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your incident response team has identified a phishing campaign targeting your organization. The emails contain a link to a malicious site. Which Microsoft Defender for Office 365 feature should you use to block the URL across all users?

Question 353 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization is using Microsoft Sentinel as a SIEM. You need to forward logs from a legacy firewall that does not support common event format (CEF) or Syslog. Which solution should you use?

Question 354 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your SOC uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading a large number of files from SharePoint. Which action should you take to investigate and potentially block the activity?

Question 355 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO of the following are valid response actions when a malware outbreak is detected on multiple endpoints? (Select TWO.)

Question 356 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE of the following are key steps when containing a ransomware incident in Microsoft Defender XDR? (Select THREE.)

Question 357 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO of the following are valid data connectors for Microsoft Sentinel? (Select TWO.)

Question 358 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Based on the KQL query shown, what is the purpose of the case() function?

Exhibit

Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel
SecurityAlert
| where TimeGenerated > ago(1h)
| where AlertName has_any ("Malware", "Ransomware")
| extend Severity = case(AlertSeverity == "High", "Critical", AlertSeverity)
| summarize Count = count() by Severity
| sort by Count desc
```
Question 359 (hard, multiple choice)
Read the full Respond to security incidents explanation →

An analyst runs this advanced hunting query to investigate suspicious command-line activity. Which type of activity is this query most likely detecting?

Exhibit

Refer to the exhibit.
```kusto
// Microsoft Defender XDR advanced hunting query
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe")
| where ProcessCommandLine contains "-enc"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| sort by Timestamp desc
```
Question 360 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Based on the ARM template snippet, what is the purpose of this analytics rule?

Exhibit

Refer to the exhibit.
```json
// ARM template snippet for Microsoft Sentinel analytics rule
{
  "type": "Microsoft.OperationsManagement/solutions/workspaces/savedSearches",
  "apiVersion": "2021-04-01",
  "name": "[concat('SecurityInsights/', parameters('workspaceName'), '/', 'MyRule')]",
  "properties": {
    "category": "Security",
    "displayName": "My custom rule",
    "query": "SecurityEvent | where EventID == 4625 | summarize Count = count() by Account",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 5
  }
}
```
Question 361 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. A security analyst receives an alert from a custom analytics rule that triggers on a specific sequence of failed logon attempts followed by a successful logon from an unusual location. The incident is generated but the analyst is not sure if the activity is malicious or a user error. What should the analyst do first to quickly gather additional context?

Question 362 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your company uses Microsoft Defender XDR. A critical server is exhibiting signs of a potential ransomware attack, with files being encrypted and a ransom note appearing. The incident has been escalated to the security operations center (SOC). What is the most immediate action to contain the threat and prevent further spread?

Question 363 (easy, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Sentinel. A security engineer needs to set up automatic response actions when a high-severity incident is created. The engineer wants to trigger a playbook that sends a notification to a Microsoft Teams channel and creates a ticket in ServiceNow. What should the engineer use?

Question 364 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Cloud Apps. A security analyst discovers that a user's account has been compromised and is exfiltrating sensitive data from SharePoint Online. The analyst needs to immediately block the suspicious activities while allowing legitimate user activities to continue. What should the analyst do?

Question 365 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A company uses Microsoft Sentinel as its SIEM. The security team is investigating an incident that involves multiple alerts from different data sources. The team wants to see a timeline of all related activities across all data sources in one view. Which Microsoft Sentinel feature should they use?

Question 366 (easy, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and they see unexpected pop-ups. The security team suspects malware. What should the team do first to investigate?

Question 367 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your company uses Microsoft Sentinel. A security analyst receives an incident that includes a large number of alerts from a single data source. The analyst needs to identify which alerts are duplicates or related so they can focus on unique threats. Which feature should the analyst use?

Question 368 (hard, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Defender XDR. During an incident investigation, the security team needs to determine if a specific file was executed on any devices in the organization over the past 30 days. They have the file hash. What is the most efficient way to get this information?

Question 369 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst is investigating a phishing incident in Microsoft Defender XDR. The analyst wants to see the full email content and attachments. Where should the analyst look?

Question 370 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should a security analyst take when responding to a confirmed malware outbreak in Microsoft Defender for Endpoint?

Question 371 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE actions are appropriate when investigating a potential data exfiltration incident in Microsoft Defender for Cloud Apps?

Question 372 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO sources of evidence should a security analyst examine first when investigating a user-reported phishing email in Microsoft Defender XDR?

Question 373 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. An automation rule is configured as shown. When will the playbook be triggered?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Malware detected on endpoint",
    "description": "This automation rule will isolate the device when a malware incident is created.",
    "triggers": [
      {
        "type": "IncidentCreated",
        "conditions": [
          {
            "property": "Severity",
            "operator": "Equals",
            "value": "High"
          },
          {
            "property": "Provider",
            "operator": "Equals",
            "value": "Microsoft Defender for Endpoint"
          },
          {
            "property": "Title",
            "operator": "Contains",
            "value": "Malware"
          }
        ]
      }
    ],
    "actions": [
      {
        "type": "RunPlaybook",
        "playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/IsolateDevicePlaybook"
      }
    ]
  }
}
```
Question 374 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Defender XDR advanced hunting. What is the most likely purpose of this query?

Exhibit

Refer to the exhibit.

```kusto
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine has_any ("-enc", "-e", "-Command")
| summarize Count = count() by DeviceName, AccountName
| where Count > 5
| order by Count desc
```
Question 375 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. An incident in Microsoft Sentinel contains the entities shown. Which additional data source would be most useful to investigate this incident?

Exhibit

Refer to the exhibit.

```json
{
  "id": "incident_1234",
  "title": "Suspicious sign-in from unfamiliar location",
  "severity": "Medium",
  "status": "Active",
  "entities": [
    {
      "type": "account",
      "name": "jdoe@contoso.com",
      "domain": "contoso.com",
      "sid": "S-1-5-21-..."
    },
    {
      "type": "ip",
      "address": "203.0.113.45",
      "location": "Unknown"
    }
  ],
  "alerts": [
    {
      "alertId": "alert_5678",
      "title": "Unfamiliar sign-in properties",
      "severity": "Medium",
      "provider": "Microsoft Defender for Cloud Apps"
    }
  ]
}
```
Question 376 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst detects a suspicious sign-in from an unusual location using Microsoft Entra ID. The user has not enabled MFA. Which action should the analyst take first to investigate and potentially contain the incident?

Question 377 (easy, multiple choice)
Read the full Respond to security incidents explanation →

An incident in Microsoft Defender XDR shows a device with high severity alert: 'Suspicious PowerShell command line.' The device is currently isolated from the network. What is the best next step to investigate the alert?

Question 378 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During a ransomware investigation, a security analyst finds that multiple files on a file server have been encrypted. The server runs Microsoft Defender for Cloud and has been onboarded to Microsoft Sentinel. Which data source in Sentinel would provide the most granular information about the file encryption events?

Question 379 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. The KQL query runs in Microsoft Sentinel and returns no results. The analyst expects to see failed logon attempts. What is the most likely reason?

Exhibit

Refer to the exhibit.
```kql
// KQL query in Microsoft Sentinel
let TimeRange = 1h;
IdentityLogonEvents
| where Timestamp > ago(TimeRange)
| where Application == "Microsoft Entra ID"
| summarize LogonAttempts = count() by UserPrincipalName, IPAddress, ResultType
| where ResultType == "Failed"
| where LogonAttempts > 5
```
Question 380 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security operations center (SOC) analyst is investigating an incident involving a user who received a phishing email with a malicious macro. The analyst needs to determine if any other users received the same email. Which Microsoft 365 Defender feature should the analyst use?

Question 381 (hard, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Purview Communication Compliance to detect insider trading. An alert is generated for a user who sent a message containing sensitive financial data. The compliance officer needs to initiate a legal hold on the user's mailbox to preserve evidence. Which role must the officer have to perform this action?

Question 382 (medium, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, an analyst runs a live response command on a Windows device using Microsoft Defender for Endpoint. The command 'Get-Service -Name BITS' returns no output. What is the most likely cause?

Question 383 (hard, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. An incident is generated for a user who is suspected of being compromised. The analyst wants to automatically block the user's sign-ins using a playbook. Which connector should the playbook use?

Question 384 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. An automation rule is created in Microsoft Sentinel. A new incident is created with severity 'Medium' and two alerts: one 'High' and one 'Medium'. Will the playbook run?

Exhibit

Refer to the exhibit.
```json
// Microsoft Sentinel automation rule JSON
{
  "trigger": "When incident created",
  "actions": [
    {
      "type": "Run playbook",
      "playbookName": "Block-IP-Address"
    }
  ],
  "conditions": [
    {
      "property": "AlertSeverity",
      "operator": "Equals",
      "value": "High"
    }
  ]
}
```
Question 385 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions are appropriate when handling a confirmed ransomware incident in Microsoft 365?

Question 386 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE elements are required to create a custom detection rule in Microsoft Sentinel?

Question 387 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO tools in Microsoft Defender XDR provide automated investigation and response capabilities?

Question 388 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE conditions must be met for a Microsoft Sentinel incident to be automatically closed by a playbook?

Question 389 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. An admin creates this activity policy in Microsoft Defender for Cloud Apps. What will happen when a user fails to log in from 3 different IP addresses within 10 minutes?

Exhibit

Refer to the exhibit.
```json
// Microsoft Defender for Cloud Apps policy snippet
{
  "policyType": "Activity policy",
  "severity": "High",
  "description": "Detect multiple failed logins from different IPs",
  "filters": {
    "activity": "Failed login",
    "ip": {
      "differentCount": 3,
      "timeWindow": 10
    }
  },
  "actions": [
    {
      "type": "Block",
      "target": "User"
    }
  ]
}
```
Question 390 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. An analyst runs this Azure CLI command and receives no output. The workspace has many High severity incidents in 'New' status. What is the most likely reason?

Exhibit

Refer to the exhibit.
```powershell
az sentinel incident list --resource-group rg-sentinel --workspace-name law-sentinel --query "[?status=='New']"
```
Question 391 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a security incident in Microsoft Sentinel where a user reported receiving a phishing email with a malicious attachment. You need to identify all users who received the same email within the last 24 hours. Which KQL query should you use?

Question 392 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During a ransomware response in Microsoft Defender XDR, you identify that multiple devices are communicating with a known C2 server over port 443. You need to block this communication across all devices immediately. What is the most effective course of action?

Question 393 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You receive an alert in Microsoft Sentinel indicating a potential privilege escalation using the 'AzureHound' tool. You need to determine if the alert is a true positive. What is the first step you should take?

Question 394 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are reviewing this ARM template for a Microsoft Sentinel analytics rule. What is the most likely issue with the rule?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "Suspicious Service Principal Creation",
    "description": "Detects creation of service principal with high privileges.",
    "severity": "High",
    "query": "IdentityInfo | where TimeGenerated > ago(7d) | where OperationName == 'Add service principal' and TargetResources[0].modifiedProperties[0].newValue contains 'Global Administrator'"
  }
}
```
Question 395 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are responding to an incident where a user's Microsoft Entra ID account was compromised and used to send phishing emails internally. You need to prevent further damage. Which two actions should you take first?

Question 396 (medium, multi select)
Read the full Respond to security incidents explanation →

Which THREE actions should you take when investigating a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

Question 397 (hard, multi select)
Read the full Respond to security incidents explanation →

Which TWO remediation actions are available in Microsoft Defender for Endpoint when responding to a malware infection?

Question 398 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are reviewing this analytics rule in Microsoft Sentinel. What is the problem with this rule?

Exhibit

Refer to the exhibit.
```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "MFA Denied High Volume",
    "description": "Detects multiple MFA denials for a user.",
    "severity": "Medium",
    "query": "SigninLogs | where ResultType == 50076 | summarize Count = count() by UserPrincipalName | where Count > 5",
    "triggerOperator": "GreaterThan",
    "triggerThreshold": 0
  }
}
```

Question 399 (hard, multiple choice)
Read the full Respond to security incidents explanation →

A user reports that they cannot access their Microsoft 365 apps after clicking a link in an email. You suspect token theft. In Microsoft Defender XDR, which incident investigation action should you take first to verify the scope?

Question 400 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are working on a security incident in Microsoft Sentinel where you need to contain a compromised virtual machine. What is the most immediate containment action?

Question 401 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO data sources should you enable in Microsoft Sentinel to improve detection of credential theft attacks?

Question 402 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE steps are part of the containment phase of incident response in a hybrid environment using Microsoft Defender XDR?

Question 403 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are testing this analytics rule. It should detect encoded PowerShell commands not from System32, but it is generating false positives. What is the most likely cause?

Exhibit

Refer to the exhibit.

```json
{
  "type": "Microsoft.SecurityInsights/alertRules",
  "apiVersion": "2023-02-01-preview",
  "properties": {
    "displayName": "Anomalous PowerShell Execution",
    "description": "Detects PowerShell executed from unusual locations.",
    "severity": "High",
    "query": "DeviceProcessEvents | where FileName == 'powershell.exe' | where InitiatingProcessCommandLine contains '-EncodedCommand' | where not(ProcessCommandLine contains 'C:\\Windows\\System32')"
  }
}
```

Question 404 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You are handling an incident where a user's account was used to access sensitive data from an unusual location. Microsoft Entra ID Identity Protection flagged the sign-in as risky. You need to determine if the account is compromised. Which investigation step should you perform first?

Question 405 (easy, multiple choice)
Read the full Respond to security incidents explanation →

After a security incident, you need to preserve evidence from a compromised Microsoft 365 tenant. What is the best method to preserve data?

Question 406 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a security incident in Microsoft Defender XDR where a user received a phishing email that bypassed Exchange Online Protection. The email contained a link to a credential harvesting page. After the user entered credentials, the attacker used them to sign in from an unusual location. You need to recommend an automated response to prevent further credential theft from similar emails. What should you implement?

Question 407 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You run the above KQL query in Microsoft Sentinel to detect potential brute-force attacks on Microsoft Teams. After reviewing the results, you notice that some entries have a high LogonCount but are missing from the output. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kql
let threshold = 10;
IdentityLogonEvents
| where Timestamp > ago(1h)
| where Application == "Microsoft Teams"
| summarize LogonCount = count() by AccountUpn, IPAddress
| where LogonCount > threshold
| join kind=inner (
    AADSignInEventsBeta
    | where Timestamp > ago(1h)
    | where RiskLevelDuringSignIn == "medium" or RiskLevelDuringSignIn == "high"
    | project AccountUpn, IPAddress, RiskLevelDuringSignIn
) on AccountUpn, IPAddress
| project AccountUpn, IPAddress, LogonCount, RiskLevelDuringSignIn
```

Question 408 (easy, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident response, you need to collect forensic evidence from a Windows 10 device that is suspected to be compromised. The device is not domain-joined and is located in a remote office. You have remote administrative access. Which Microsoft 365 tool should you use to acquire a memory dump of the device?

Question 409 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You receive an alert about a suspicious sign-in from an IP address associated with a known malicious actor. The sign-in was for a privileged account. You need to immediately contain the incident. What should you do first?

Question 410 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You deploy the above ASR rule in Microsoft Defender for Endpoint. After deployment, you notice that .exe files are still being executed from Outlook attachments. What is the most likely reason?

Exhibit

Refer to the exhibit.

```json
{
  "properties": {
    "displayName": "Block malicious file types",
    "description": "Blocks execution of potentially malicious file types.",
    "policyContent": {
      "policyRule": {
        "if": {
          "allOf": [
            {
              "field": "fileExtension",
              "in": [".exe", ".dll", ".ps1"]
            },
            {
              "field": "initiatingProcessFileName",
              "equals": "outlook.exe"
            }
          ]
        },
        "then": {
          "effects": [
            {
              "type": "block",
              "action": "blockExecution"
            }
          ]
        }
      }
    }
  }
}
```

Question 411 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are responding to a security incident involving a user who clicked on a malicious link in an email. The link led to a website that downloaded a file to the user's device. Microsoft Defender for Endpoint (MDE) detected the file as malware and blocked it. However, the user reports that the device is running slowly. You need to verify if there are any remnants of the malware. Which action should you take?

Question 412 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). During an incident investigation, you identify that a user account has been exhibiting anomalous behavior, such as logging in from multiple countries within a short time. You need to determine if the account is compromised and take appropriate action. What should you do first?

Question 413 (hard, multiple choice)
Read the full Respond to security incidents explanation →

You run the above KQL query in Microsoft Sentinel to detect encoded PowerShell commands. The query returns no results, even though you know that some devices have executed encoded PowerShell commands. What is the most likely reason?

Exhibit

Refer to the exhibit.

```kql
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName == "powershell.exe"
| extend DecodedCommand = base64_decode_tostring(ProcessCommandLine)
| where DecodedCommand contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine, DecodedCommand
```

Question 414 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating an incident where a user reported receiving a suspicious email with an attachment. The attachment is a .docm file that contains macros. The email was not blocked by Exchange Online Protection. You need to ensure that similar emails are blocked in the future. What should you configure?

Question 415 (medium, multi select)
Read the full Respond to security incidents explanation →

During a security incident response, you need to collect forensic data from multiple endpoints. Which TWO tools can be used to remotely collect forensic data from Windows devices in a Microsoft Defender for Endpoint environment? (Choose two.)

Question 416 (hard, multi select)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and has configured analytics rules for detecting ransomware. You receive an alert indicating possible ransomware activity on a server. Which THREE actions should you take to contain and investigate the incident? (Choose three.)

Question 417 (easy, multi select)
Read the full Respond to security incidents explanation →

You are investigating a security incident involving a compromised user account. The attacker used the account to access sensitive data in SharePoint Online. Which TWO actions should you take to remediate the incident? (Choose two.)

Question 418 (medium, multi select)

Your Microsoft Sentinel workspace ingests logs from Microsoft Defender for Cloud and Microsoft 365 Defender. You need to create an incident response playbook that automatically responds to high-severity incidents. Which THREE components are required? (Choose three.)

Question 419 (hard, multi select)
Read the full Respond to security incidents explanation →

You are investigating a potential data exfiltration incident in Microsoft Purview. A user has been downloading large amounts of data from a SharePoint site to an unmanaged device. Which TWO actions should you take to contain the exfiltration? (Choose two.)

Question 420 (easy, multi select)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that was not blocked by the service. You need to improve detection of similar phishing emails. Which TWO actions should you take? (Choose two.)

Question 421 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a potential ransomware incident detected by Microsoft Defender XDR. The incident shows multiple machines with suspicious encryption activity. You need to contain the threat immediately. What should you do first?

Question 422 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During a security incident, the Microsoft Sentinel workspace is receiving a high volume of low-severity alerts, causing analyst fatigue. You need to reduce noise while ensuring critical alerts are not missed. What should you configure?

Question 423 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You receive a Microsoft Defender XDR incident alert about a suspicious sign-in from an unfamiliar location. The user confirms they did not perform the sign-in. What should you do to immediately secure the account?

Question 424 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating an incident in Microsoft Sentinel where a PowerShell script was executed on multiple servers with suspicious parameters. The incident is high severity. You need to determine if the script is malicious and if lateral movement occurred. What should you do?

Question 425 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. An incident is created from an Azure Active Directory (now Microsoft Entra ID) sign-in alert. You need to determine if the sign-in was from a compromised token. What data source should you examine?

Question 426 (hard, multiple choice)
Read the full Respond to security incidents explanation →

A Microsoft Defender XDR incident shows that a user's device has been communicating with a known malicious C2 server. The device is online and the user is actively working. You need to contain the threat with minimal business disruption. What should you do?

Question 427 (medium, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a Microsoft Sentinel incident involving a user who clicked a phishing link. The incident includes alerts from Microsoft Defender for Office 365. You need to identify if any other users received the same phishing email. What should you do?

Question 428 (easy, multiple choice)
Read the full Respond to security incidents explanation →

During a ransomware incident, you need to prevent the encryption of files in SharePoint Online and OneDrive for Business. You have already identified the compromised user account. What should you do?

Question 429 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should you take when responding to a confirmed data exfiltration incident involving Microsoft 365? (Choose two.)

Question 430 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE are valid methods to collect forensic evidence from a compromised Windows machine during incident response in Microsoft Defender XDR? (Choose three.)

Question 431 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO are immediate containment actions in Microsoft Sentinel for a compromised Azure VM? (Choose two.)

Question 432 (medium, multi select)
Read the full Respond to security incidents explanation →

Which THREE resources can be used as data sources for Microsoft Sentinel to detect security incidents? (Choose three.)

Question 433 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A critical incident has been generated from Microsoft Defender for Cloud indicating that a Linux VM in Azure is running a cryptocurrency miner. The VM is part of a production application and cannot be shut down immediately. The incident severity is High. You need to contain the threat while maintaining application availability, investigate the root cause, and prevent recurrence. The environment includes Azure Policy, Microsoft Defender for Endpoint on the VM, and a Log Analytics workspace. You must minimize manual steps. What course of action should you take?

Question 434 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to ensure that similar sign-ins do not generate incidents in the future. What should you do?

Question 435 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your company uses Microsoft Defender XDR. During a ransomware incident, you need to isolate a compromised Windows 10 device from the network while allowing connectivity to the Microsoft Defender for Endpoint service. Which action should you take?

Question 436 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are investigating a phishing incident in Microsoft Defender XDR. The user reported receiving an email with a malicious link. You need to identify all users who received the same email. Which feature should you use?

Question 437 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You receive an incident for a potential data exfiltration involving a sensitive blob storage container. You need to determine if the data was accessed from an unusual IP address. What should you do?

Question 438 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your company uses Microsoft Defender for Cloud Apps. You discover that a user's account is compromised and used to access a sensitive SharePoint site from an unfamiliar IP. You need to immediately revoke the user's session and force them to re-authenticate. Which action should you take?

Question 439 (easy, multiple choice)
Read the full Respond to security incidents explanation →

You are an incident responder for a company using Microsoft 365 Defender. A critical incident is assigned to you. What is the first action you should take according to best practices?

Question 440 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You have an incident that involves multiple alerts. You want to automatically assign the incident to the appropriate analyst based on the alert type. What should you use?

Question 441 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your company uses Microsoft Defender for Endpoint. A device shows signs of compromise with suspicious PowerShell execution. You need to collect forensic evidence before performing remediation. Which action should you use?

Question 442 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You receive an incident for a potential malware outbreak. You need to quickly see which entities are involved (e.g., IPs, hosts, accounts). Where should you look?

Question 443 (medium, multi select)
Read the full Respond to security incidents explanation →

Your organization is responding to a security incident in Microsoft Defender XDR. You need to contain a compromised on-premises Exchange server. Which TWO actions are appropriate? (Choose two.)

Question 444 (hard, multi select)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. A security incident related to a compromised user account has been fully investigated and remediated. Which THREE steps should you take to close the incident properly? (Choose three.)

Question 445 (easy, multi select)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email. You need to investigate the email and take action. Which TWO actions can you perform? (Choose two.)

Question 446 (hard, multiple choice)

You are a security analyst at Contoso. Microsoft Sentinel is deployed with the Microsoft Defender for Cloud Apps connector. An incident is generated for a high-risk sign-in from a user named JaneDoe@contoso.com. The incident severity is Medium. The incident details show that the sign-in originated from an IP address in a country where Contoso has no business presence, and the user recently changed their password. You suspect account compromise. You need to take immediate action to contain the threat and prevent further unauthorized access. The user is currently active in Microsoft Entra ID. You have the following options: A) Force the user to re-authenticate by revoking their sessions in Microsoft Entra ID. B) Disable the user account in Microsoft Entra ID. C) Block the IP address in Microsoft Defender for Cloud Apps. D) Create a Sentinel automation rule to automatically disable accounts on similar alerts. Which action should you take first to contain the current incident?

Question 447 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Defender XDR. You are investigating an incident that involves a malware infection on a Windows 10 device. The device is currently isolated from the network. The incident shows that the malware attempted to communicate with a command-and-control (C2) server. You have collected an investigation package. Now you need to remediate the device and bring it back to a clean state. The device has critical data that must not be lost. Which remediation action should you take? A) Run a full antivirus scan and remove threats. B) Perform a factory reset of the device. C) Reimage the device from a clean backup. D) Initiate a live response to manually remove the malware. Which option best balances thorough remediation with data preservation?

Question 448 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An incident is generated for a potential lateral movement attack. The incident is linked to multiple alerts involving a domain controller and several workstations. You need to understand the attack path and identify the initial compromised account. Which feature should you use to visualize the attack chain? A) The incident graph in Microsoft Sentinel. B) The entity timeline in Microsoft Defender for Identity. C) The Microsoft 365 Defender attack story. D) The Microsoft Purview compliance portal. Which option provides the best visual representation of the attack path?

Question 449 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst receives an alert in Microsoft Defender XDR indicating that a user account was compromised. The analyst needs to isolate the affected device to prevent lateral movement. Which action should the analyst take first?

Question 450 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, a forensic investigator needs to collect a memory dump from a compromised Windows server that is still running. The server has Microsoft Defender for Endpoint installed but is not connected to the internet. Which method should the investigator use?

Question 451 (easy, multiple choice)
Read the full Respond to security incidents explanation →

An organization uses Microsoft Sentinel for security operations. A security engineer needs to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created in Sentinel. Which feature should the engineer use?

Question 452 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security operations center (SOC) team uses Microsoft Defender XDR and Microsoft Sentinel. An incident is created in Defender XDR that involves a malicious email and a compromised device. The team wants the incident to automatically sync to Sentinel. What is the minimum configuration required?

Question 453 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Refer to the exhibit. A security analyst creates a scheduled analytics rule in Microsoft Sentinel based on the JSON shown. After enabling the rule, the analyst notices that the rule generates alerts every hour for the same user accounts even after the incidents are resolved. What is the most likely cause?

Exhibit

```json
{
  "alertRuleTemplate": "5a5b5c5d-6e6f-7071-7273-747576777879",
  "displayName": "Suspicious Activity from Compromised Account",
  "query": "IdentityLogonEvents | where Timestamp > ago(1d) | summarize count() by AccountUpn, IPAddress",
  "queryPeriod": "1d",
  "queryFrequency": "1h",
  "triggerOperator": "GreaterThan",
  "triggerThreshold": 10,
  "severity": "High",
  "suppressionDuration": "4h",
  "suppressionEnabled": false
}
```

Question 454 (easy, multiple choice)
Read the full Respond to security incidents explanation →

After a security incident, the SOC team needs to preserve forensic evidence from a compromised Microsoft Entra ID joined Windows 10 device. The device is still online. Which tool should the team use to collect a forensic image of the hard drive?

Question 455 (medium, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst uses Microsoft Sentinel to investigate an incident involving data exfiltration from Azure Blob Storage. The analyst needs to determine which user accessed the storage account and from which IP address. Which data source should the analyst query?

Question 456 (hard, multiple choice)
Read the full Respond to security incidents explanation →

During an incident response, a security engineer needs to block an attacker's IP address at the network level for all devices in the organization. The organization uses Microsoft Defender for Endpoint and Microsoft Intune for device management. What is the most efficient way to achieve this?

Question 457 (easy, multiple choice)
Read the full Respond to security incidents explanation →

A SOC analyst receives a phishing alert in Microsoft Defender for Office 365. The analyst needs to quickly determine if any users clicked the malicious link. Which action should the analyst take first?

Question 458 (medium, multi select)
Read the full Respond to security incidents explanation →

Which TWO actions should a security analyst take to contain a ransomware outbreak on a Windows server that has Microsoft Defender for Endpoint installed?

Question 459 (hard, multi select)
Read the full Respond to security incidents explanation →

Which THREE data sources should be included in a Microsoft Sentinel workspace to comprehensively monitor for lateral movement within an Azure environment?

Question 460 (easy, multi select)
Read the full Respond to security incidents explanation →

Which TWO options are valid ways to create an incident in Microsoft Sentinel?

Question 461 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization has Microsoft Sentinel deployed in a central Log Analytics workspace. You have a custom analytics rule that detects brute-force attacks against Azure AD by counting failed sign-ins from the same IP address within 5 minutes. The rule currently generates an incident for every 10 failed attempts. During a recent incident, a single IP address generated over 200 failed sign-ins in 10 minutes, resulting in 20 separate incidents. The SOC team is overwhelmed and wants to reduce the number of incidents without lowering the detection threshold. You need to modify the rule to generate only one incident per IP address within a 1-hour window. What should you do?

Question 462 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your company uses Microsoft Defender for Endpoint (MDE) on all Windows 10 devices. You are investigating a machine that is suspected of being part of a botnet. The machine is communicating with a known C2 server at IP 203.0.113.55. You have confirmed that the IP is malicious. You need to block all outbound traffic from the machine to that IP immediately, and also ensure that no other devices in the organization can communicate with that IP. The solution must be implemented without deploying additional network appliances. What should you do?

Question 463 (easy, multiple choice)

Your organization uses Microsoft Sentinel for security operations. The SOC team receives an incident that was generated from a Microsoft Defender for Cloud Apps alert. The incident involves a user who is downloading a large number of files from SharePoint Online. The analyst needs to suspend the user's account immediately to stop the potential data exfiltration. The organization has a Microsoft Sentinel playbook that can suspend a user in Microsoft Entra ID. However, the playbook is not triggering automatically. You need to ensure that the playbook runs automatically whenever a Defender for Cloud Apps alert generates an incident in Sentinel. What should you configure?

Question 464 (medium, multiple choice)

Your organization uses Microsoft Sentinel. An incident with severity Medium is created from an analytics rule that detects brute-force attempts against on-premises domain controllers. The incident contains alerts from multiple machines. You need to automatically run a playbook that collects evidence from affected machines and then changes the incident severity to High. What should you configure?

Question 465 (hard, multiple choice)
Read the full Respond to security incidents explanation →

A security analyst in your company uses Microsoft Defender XDR to investigate an incident involving a user who received a malicious email. The analyst needs to block the sender's email address across all tenants in the organization. What is the most efficient way to achieve this?

Question 466 (easy, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident in Microsoft Defender XDR is automatically synchronized to Microsoft Sentinel. The incident in Sentinel is closed by the SOC team, but the corresponding incident in Defender remains open. What should you do to ensure that closing an incident in Sentinel also closes its linked incident in Defender?

Question 467 (hard, multi select)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to incidents with severity High and enriches them with threat intelligence from Microsoft Defender Threat Intelligence. Which TWO actions should you include?

Question 468 (medium, multi select)
Read the full Respond to security incidents explanation →

A SOC analyst in your organization is investigating an incident in Microsoft Defender XDR that involves a compromised user account. The analyst needs to gather more information about the user's recent activities. Which THREE actions can the analyst take directly from the incident page?

Question 469 (easy, multi select)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel. You are investigating an incident that involves multiple alerts. Which TWO actions can you perform from the incident details page to consolidate the investigation?

Question 470 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel with Microsoft Defender XDR integration. You have a scheduled analytics rule that detects failed logon attempts across multiple on-premises domain controllers. The rule is configured to run every 5 minutes and create an incident when more than 10 failed attempts occur from a single IP address within 5 minutes. Recently, the SOC team noticed that the rule is generating a high volume of low-fidelity incidents, mostly from legitimate users mistyping passwords. You need to reduce the number of false positive incidents while still detecting real brute-force attacks. What should you do?

Question 471 (hard, multiple choice)
Read the full Respond to security incidents explanation →

Your organization has a hybrid identity environment with Microsoft Entra ID (Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Identity (MDI) integrated with Microsoft Defender XDR. An incident is raised indicating that a user account has been compromised because of an anomaly in Kerberos protocol activity. The incident severity is High. You need to contain the incident immediately by disabling the user account across both on-premises and cloud. However, you also want to preserve the account for forensic analysis. What is the recommended course of action?

Question 472 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft 365 Defender. You have a playbook that automatically isolates a device when a malware incident is confirmed. The playbook uses the Microsoft Defender for Endpoint connector. During a recent incident, the playbook failed to isolate a device because the device was not found in Defender for Endpoint. Upon investigation, you find that the device is onboarded to Microsoft Defender for Endpoint but the playbook is using an incorrect device ID format. What should you do to ensure the playbook works correctly?

Question 473 (hard, multiple choice)

Your company uses Microsoft Sentinel and Microsoft Defender for Cloud Apps (MCAS). A security analyst detects that a user is accessing a sanctioned cloud app from an unusual location. The analyst creates an incident in Sentinel. You need to automatically apply a session policy in MCAS to block downloads from that user for the next hour. You have an existing playbook that can apply session policies. What is the most efficient way to automate this response?

Question 474 (medium, multiple choice)
Read the full Respond to security incidents explanation →

Your organization uses Microsoft Sentinel and has deployed the Microsoft Defender XDR connector. You notice that some incidents from Defender XDR are not being synchronized to Sentinel. You verify that the connector is enabled and healthy. You also check that the relevant Defender XDR alerts are being generated. What could be the cause of the missing incidents?

Question 475 (easy, multiple choice)

Your organization uses Microsoft Sentinel. You have a playbook that sends an email notification to the SOC team when a new incident is created. The playbook is currently triggered manually. You want the playbook to run automatically every time an incident of severity High is created. What should you do?

Question 476 (hard, multiple choice)

Your organization uses Microsoft Sentinel and has several analytics rules that generate incidents from various data sources. The SOC team is overwhelmed by the number of incidents. You need to implement a triage system that automatically assigns incidents to different analysts based on the incident's tactics and severity. You also want to send a notification to the assigned analyst via Teams. What should you do?

Question 477 (medium, multiple choice)

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You receive an alert in MDE about a suspicious PowerShell command executed on a device. You create an incident in Sentinel from this alert. You need to automatically collect a memory dump from the affected device for further analysis. You have a playbook that can initiate a memory dump collection via the MDE API. What is the best way to automate this?

Question 478 (easy, multi select)

A security analyst detects a suspicious login from an unusual location for a user in Microsoft Defender XDR. The analyst needs to investigate and contain the incident. Which TWO actions should be taken?

Question 479 (medium, multi select)

An incident in Microsoft Sentinel involves multiple alerts indicating a potential data exfiltration via SharePoint Online. You need to respond and remediate. Which THREE actions should be taken?

Question 480 (hard, multiple choice)

Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint detection. A critical incident has been generated: 'Possible ransomware activity detected on multiple endpoints.' The incident includes alerts from Microsoft Defender for Endpoint (MDE) about file encryption behaviors and from Microsoft Defender for Identity (MDI) about anomalous service account logins. You have been assigned the incident and need to contain the threat effectively. You have Microsoft Sentinel automation rules that can trigger playbooks, and you have Microsoft Defender XDR actions available. The environment includes 500 Windows 10 devices managed by Microsoft Intune, and 50 servers on-premises. Some servers are domain controllers. Which of the following is the BEST first course of action?

Question 481 (medium, multiple choice)

Contoso uses Microsoft Sentinel with the Microsoft Defender XDR connector. You receive an incident titled 'Malware detected on endpoint' from Microsoft Defender for Endpoint. The incident includes a detailed timeline showing that the malware was downloaded from a malicious URL. You need to respond to the incident using Microsoft Sentinel and Microsoft Defender XDR capabilities. The affected device is a Windows 10 workstation used by a standard user. You have been asked to contain the threat and prevent recurrence. The organization has a policy to preserve evidence for 90 days. Which action should you take FIRST?

Question 482 (easy, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident is generated for a user who received a phishing email that bypassed Exchange Online Protection. The user clicked the link and entered credentials on a fake login page. The incident includes alerts from Microsoft Defender for Office 365 and Microsoft Entra ID. You need to respond to the incident. The affected user has administrative privileges. Which of the following should you do FIRST?

Question 483 (hard, multiple choice)

Fabrikam has a hybrid environment with on-premises Active Directory synced to Microsoft Entra ID. They use Microsoft Sentinel and Microsoft Defender XDR. A critical incident is opened: 'Credential theft detected - domain admin account compromised.' The incident includes alerts from Microsoft Defender for Identity (MDI) showing anomalous Kerberos ticket requests and from Microsoft Defender for Endpoint showing a process dump on a domain controller. You need to contain the incident immediately. The organization has a strict policy of not disabling the domain admin account without approval due to critical dependencies. Which of the following is the BEST course of action?

Question 484 (medium, multiple choice)

Your company uses Microsoft Sentinel with the Microsoft Defender XDR connector. You receive an incident: 'Suspicious mailbox forwarding rule created.' The incident indicates that a user's mailbox in Exchange Online has a forwarding rule to an external email address. The user's account shows no other suspicious activity. You need to respond to the incident. The company policy requires preserving evidence for 30 days. Which action should you take FIRST?

Question 485 (hard, multiple choice)

Wide World Importers uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview for data loss prevention (DLP). An incident is generated: 'DLP policy violation - sensitive data shared externally.' The incident shows that a user shared a document containing credit card numbers via SharePoint Online with an external guest. The user is a finance department employee. You need to respond to the incident. The organization wants to minimize business disruption while protecting data. Which of the following is the BEST immediate action?

Question 486 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident is triggered: 'Lateral movement detected - pass-the-hash attack.' The incident includes alerts from Microsoft Defender for Identity (MDI) showing anomalous NTLM authentication attempts from a compromised workstation to multiple servers. The compromised workstation is a Windows 10 device. You need to contain the incident. Which of the following actions should you take FIRST?

Question 487 (easy, multiple choice)

Contoso uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is generated: 'Unusual file download by user - possible data exfiltration.' The incident shows that a user downloaded 500 files from SharePoint Online within 10 minutes, which is abnormal for that user. The user's account shows no other suspicious activity. You need to respond. Which of the following is the BEST first action?

Question 488 (medium, multiple choice)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You receive an incident: 'Malicious PowerShell command executed on endpoint.' The incident shows that a PowerShell command was executed on a server that attempted to download a payload from a known malicious IP. The process was terminated by MDE, but the server may still be compromised. You need to respond to the incident. Which of the following actions should you take FIRST?

Question 489 (hard, multiple choice)

Fabrikam uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview Compliance Manager. An incident is generated: 'Insider risk - user deleting large volumes of files from SharePoint Online.' The incident is from Microsoft Purview Insider Risk Management. The user is a senior executive, and disabling the account is not an option without board approval. You need to contain the data deletion. Which of the following is the BEST immediate action?
