SC-200 Respond to security incidents • Complete Question Bank
Complete SC-200 Respond to security incidents question bank — all 0 questions with answers and detailed explanations.
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block Malicious IP",
"trigger": {
"type": "Microsoft.SecurityInsights/alertRule",
"alertRuleId": "1234"
},
"actions": [
{
"type": "Microsoft.SecurityInsights/incidentAction",
"actionType": "BlockIP",
"properties": {
"ipAddress": "@{triggerBody()?['properties']?['alertRuleId']}",
"blockDuration": "P1D"
}
}
]
}
}
```
Refer to the exhibit.
```kql
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName contains "ransomware"
| summarize count() by AlertName
| order by count_ desc
```
Refer to the exhibit.
```json
{
"properties": {
"policyType": "Microsoft.CloudAppSecurity/Policy",
"policyName": "Block Unapproved Storage",
"policyMode": "Monitor",
"filter": {
"app": {
"category": "Cloud storage",
"tag": "Unsanctioned"
}
},
"actions": [
{
"actionType": "Block",
"actionValue": "true"
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "SOC Critical Alert Rule",
"description": "Triggers on critical severity alerts",
"severity": "High",
"enabled": true,
"query": "SecurityAlert | where Severity == 'High' | where TimeGenerated > ago(5m)",
"queryFrequency": "PT5M",
"queryPeriod": "PT5M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT5M",
"suppressionEnabled": false,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5M",
"entitiesMatchingMethod": "All"
}
}
}
}
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": "sentinel-workspace"
},
"location": {
"value": "eastus"
},
"enableUEBA": {
"value": true
},
"dataConnectors": {
"value": [
"AzureIdentity",
"AzureActivity",
"MicrosoftThreatProtection"
]
}
}
}
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('workspaceName'), '/', 'MyScheduledRule')]",
"properties": {
"displayName": "MyScheduledRule",
"category": "Security",
"query": "SigninLogs | where ResultType == 50057",
"etag": "*"
}
},
{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2022-11-01",
"name": "[concat(parameters('workspaceName'), '/', 'MyAlertRule')]",
"properties": {
"displayName": "MyAlertRule",
"description": "Detects disabled account sign-ins",
"severity": "Medium",
"enabled": true,
"query": "SigninLogs | where ResultType == 50057",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": null
}
}
}
]
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IP",
"triggers": [
{
"type": "IncidentCreated",
"conditions": [
{
"condition": "IncidentSeverity",
"operator": "Equals",
"value": "High"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookId": "/subscriptions/.../block-ip"
}
]
}
}
```
Refer to the exhibit.
```powershell
$huntQuery = @"
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| take 1000
"@
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId "..." -Query $huntQuery
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2022-01-01-preview",
"name": "Suspicious Process Creation",
"properties": {
"displayName": "Suspicious Process Creation",
"description": "Detects suspicious process creation events.",
"severity": "High",
"query": "SecurityEvent | where EventID == 4688 | where ProcessName endswith '\\cmd.exe' | where ParentProcessName endswith '\\winword.exe'",
"queryFrequency": "PT5H",
"queryPeriod": "PT5H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/automationRules",
"apiVersion": "2023-02-01-preview",
"properties": {
"displayName": "Contain Malicious IP",
"order": 1,
"triggeringLogic": {
"triggersOn": "Incidents",
"triggersWhen": "Created",
"conditions": [
{
"property": "IncidentSeverity",
"operator": "Equals",
"value": "High"
}
]
},
"actions": [
{
"order": 1,
"actionType": "RunPlaybook",
"actionConfiguration": {
"logicAppResourceId": "/subscriptions/.../blockIP",
"tenantId": "..."
}
}
]
}
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Malicious SQL injection"
| extend IPAddress = tostring(parse_json(Entities)[0].Address)
| summarize AlertCount = count() by IPAddress
| where AlertCount > 5
| project IPAddress, AlertCount
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/incidents",
"properties": {
"title": "Possible privilege escalation detected",
"severity": "Medium",
"status": "Active",
"owner": {
"objectId": "user@contoso.com",
"email": "user@contoso.com",
"assignedTo": "user@contoso.com",
"userPrincipalName": "user@contoso.com"
},
"incidentNumber": 12345
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Suspicious sign-in alert",
"enabled": true,
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"conditions": [
{
"property": "RiskLevelDuringSignIn",
"operator": "Equals",
"value": "high"
}
],
"actions": [
{
"actionGroupId": "/subscriptions/.../actionGroups/AG1",
"webhookProperties": {}
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IP",
"description": "Blocks traffic from known malicious IP addresses.",
"securityPolicy": {
"isEnabled": true,
"rules": [
{
"name": "BlockIP",
"priority": 100,
"sourceAddresses": ["10.0.0.5"],
"destinationAddresses": ["*"],
"access": "Deny",
"direction": "Inbound",
"protocol": "Any"
}
]
}
}
}
```
Refer to the exhibit.
```json
{
"displayName": "Malicious URL detect",
"description": "Detects access to known malicious URLs.",
"tactics": ["InitialAccess"],
"query": "UrlClickEvents | where ActionType == 'ClickAllowed' | where ThreatTypes contains 'Malicious' | project Timestamp, AccountUpn, Url",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": null
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": null
}
},
"alertRuleTemplateName": null,
"description": "Detects suspicious sign-ins.",
"displayName": "Suspicious Sign-In",
"enabled": true,
"query": "SigninLogs | where ResultType == 50057"
}
}
```
Refer to the exhibit.
```json
{
"id": "/subscriptions/.../resourceGroups/rg-sentinel/providers/Microsoft.OperationalInsights/workspaces/workspace-sentinel/providers/Microsoft.SecurityInsights/alertRules/5b7c8d9e-...",
"kind": "Scheduled",
"properties": {
"displayName": "RDP brute force success",
"query": "SecurityEvent | where EventID == 4625 | summarize count() by Account, IpAddress, bin(TimeGenerated, 5m) | where count_ > 10",
"queryFrequency": "PT5M",
"queryPeriod": "PT10M",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"severity": "High",
"enabled": true
}
}
```
Refer to the exhibit.
```kql
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName == "Suspicious process injection"
| summarize count() by CompromisedEntity, AlertSeverity
| order by count_ desc
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Phishing Incident Response",
"triggers": [
{
"type": "Alert",
"conditions": [
{
"field": "alertName",
"operator": "Equals",
"value": "Phishing email delivered"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookId": "/subscriptions/.../playbooks/QuarantineEmail"
}
]
}
}
```
Refer to the exhibit.
```text
DeviceName: DESKTOP-ABC123
AlertTime: 2025-03-01T14:32:00Z
AlertTitle: Malware detected
Severity: High
Status: Active
```
Refer to the exhibit.
```kql
let TimeRange = 7d;
let Threshold = 100;
SigninLogs
| where TimeGenerated > ago(TimeRange)
| where ResultType == "50057"
| summarize Attempts = count() by UserPrincipalName, IPAddress
| where Attempts > Threshold
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Investigate-Suspicious-Signin",
"triggers": [
{
"type": "SentinelIncident",
"conditions": [
{
"condition": "AlertName",
"operator": "Equals",
"value": "Suspicious sign-in activity"
}
]
}
],
"actions": [
{
"type": "RunQuery",
"query": "SigninLogs | where UserPrincipalName == @{trigger().outputs?.Incident?.Entities[0]?.UserPrincipalName}"
}
]
}
}
```
Refer to the exhibit.
```json
{
"displayName": "Malicious IP Block Rule",
"properties": {
"rules": [
{
"name": "BlockMaliciousIP",
"matchConditions": [
{
"matchVariable": "RemoteAddr",
"operator": "IPMatch",
"matchValue": "10.0.0.1"
}
],
"action": {
"type": "Block"
}
}
]
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"triggers": [
{
"logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/IsolateDevice",
"triggerType": "IncidentCreated",
"conditions": [
{
"property": "Status",
"operator": "Equals",
"value": "Active"
}
]
}
]
}
}
```
Refer to the exhibit.
```kql
// Count SecurityAlert rows from the last 7 days, bucketed into three severity labels.
SecurityAlert
| where TimeGenerated > ago(7d)
// Any AlertSeverity other than "High" or "Medium" (Low, Informational, or empty) is folded into "Low" by the case() default.
| extend severity = case(
AlertSeverity == "High", "High",
AlertSeverity == "Medium", "Medium",
"Low")
| summarize Total = count() by severity
// NOTE(review): this sorts the label text alphabetically (High, Low, Medium), not by rank; order by Total or by an explicit rank column if a ranked listing is intended.
| order by severity asc
```
Refer to the exhibit.
```json
{
"properties": {
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"reopenClosedIncident": false,
"lookbackDuration": "PT5H",
"matchingMethod": "AllEntities",
"groupByEntities": [],
"groupByAlertDetails": [],
"groupByCustomDetails": []
}
}
}
}
```
Refer to the exhibit.
```kusto
// KQL query in Microsoft Sentinel
let threshold = 10;
let timeframe = 1h;
SigninLogs
| where TimeGenerated > ago(timeframe)
| where ResultType == "50057" // User account disabled
| summarize Count = count() by UserPrincipalName, IPAddress
| where Count > threshold
| join kind=inner (IdentityInfo | project UserPrincipalName, AccountEnabled) on UserPrincipalName
| where AccountEnabled == false
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block Malicious IP",
"description": "Playbook to block IP in firewall",
"triggers": [
{
"type": "Microsoft.SecurityInsights/incidents",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "High"
}
]
}
],
"actions": [...]
}
}
```
Refer to the exhibit.
```json
{
"value": [
{
"id": "12345",
"machineName": "PC-001",
"isolationStatus": "Isolated",
"isolationState": "Isolated",
"healthStatus": "Healthy"
}
]
}
```
Your organization uses Microsoft Sentinel and Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps). You have an incident response team that operates 24/7. Recently, there have been multiple incidents involving users receiving phishing emails that lead to credential theft. The phishing emails are sophisticated and bypass Exchange Online Protection (EOP) and Defender for Office 365's built-in phishing filters. The emails contain links to fake login pages that harvest credentials. Once credentials are stolen, the attacker uses them to sign in from anonymous IP addresses and attempts to access sensitive data in SharePoint Online. You need to design a response strategy that includes automated containment and investigation. The solution must:
- Automatically disable user accounts when a phishing incident is confirmed.
- Automatically trigger an investigation into the user's activity in Microsoft Defender for Cloud Apps.
- Send a notification to the incident response team with a summary of the incident.
- Minimize manual effort.
You have the following components available:
- Microsoft Sentinel with automation rules and playbooks.
- Microsoft Defender XDR with advanced hunting.
- Microsoft Power Automate.
What is the most efficient way to achieve these requirements?
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IPs",
"trigger": {
"type": "IncidentCreated",
"conditions": [
{
"name": "High severity",
"field": "Severity",
"operator": "Equals",
"value": "High"
}
]
},
"actions": [
{
"name": "Run playbook",
"type": "RunPlaybook",
"properties": {
"logicAppResourceId": "/subscriptions/.../block-ip",
"tenantId": "..."
}
}
]
}
}
```
Refer to the exhibit.
```kusto
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where RemoteIPType == "Public"
| summarize ConnectionCount = count() by DeviceName, RemoteIP
| where ConnectionCount > 100
| sort by ConnectionCount desc
```
Refer to the exhibit. The following KQL query is used in a Microsoft Sentinel analytics rule to detect anomalous Azure AD sign-ins:
```kql
let threshold = 10;
SigninLogs
| where TimeGenerated > ago(1h)
| summarize count() by UserPrincipalName, IPAddress
| where count_ > threshold
| join kind=inner (SigninLogs | where TimeGenerated > ago(1h) | where RiskLevelDuringSignIn == "high") on UserPrincipalName, IPAddress
```
Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint protection. You have a custom analytics rule that triggers on suspicious PowerShell activity. The rule uses the following KQL query:
```kql
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| where InitiatingProcessFileName != "explorer.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```
The rule generates incidents that are assigned to the SOC team for investigation. However, analysts report that they are spending too much time manually collecting additional process details for each alert. You need to automate the enrichment of these incidents with additional context, such as parent process details, network connections, and file creation events from the same device within the last hour. The enrichment should be triggered automatically when an incident is created, and the results should be added as a comment to the incident. You have access to Azure Logic Apps and Azure Automation. Which approach should you use?
```json
{
"alert": {
"id": "alert-12345",
"title": "Suspicious PowerCLI execution on Exchange Server",
"severity": "High",
"entities": [
{
"type": "host",
"name": "EXCH01.contoso.com",
"ipAddress": "10.0.1.10"
},
{
"type": "user",
"name": "svc_exchange"
}
],
"evidence": [
{
"source": "Microsoft Defender for Identity",
"description": "PowerCLI executed remotely on Exchange server from IP 192.168.1.100"
}
]
}
}
```
Refer to the exhibit.
KQL Query:
```kql
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "Malware"
| extend CompromisedEntity = tostring(parse_json(Entities)[0].Name)
| summarize TotalAlerts = count() by CompromisedEntity
| order by TotalAlerts desc
| take 10
```
Exhibit: A KQL query in Microsoft Sentinel.
Refer to the exhibit.
PowerShell Output:
```
PS C:\> Get-MpThreat
ThreatID : 2147685180
Action : 6
Category : 22
DidThreatExecute : False
IsActive : False
InitialDetectionTime : 3/15/2025 10:30:00 AM
Resources : {file:_C:\Users\Public\malware.exe}
```
Exhibit: Output from Get-MpThreat cmdlet on a Windows 10 device.
Refer to the exhibit.
```kusto
SecurityAlert
| where AlertName == "Malware detected"
| where TimeGenerated >= ago(1h)
| summarize count() by ComputerName
| where count_ > 3
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IP",
"triggers": [
{
"type": "AlertCreated",
"logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/BlockIP"
}
]
}
}
```
Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine
```
Refer to the exhibit.
```json
{
"displayName": "Ransomware Detection",
"description": "Detects ransomware patterns",
"severityFilter": "High,Medium",
"triggers": [
{ "type": "IncidentCreated", "conditions": [] }
],
"actions": [
{ "type": "RunPlaybook", "playbookId": "/subscriptions/.../playbook1" },
{ "type": "ChangeStatus", "status": "Active" },
{ "type": "AssignOwner", "owner": "tier2" }
]
}
```
Refer to the exhibit.
```kusto
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName contains "malware"
| extend parsed = parse_json(ExtendedProperties)
| where parsed.IPAddress == "10.0.0.5"
| project AlertName, TimeGenerated, IPAddress = parsed.IPAddress, AccountUpn = parsed.AccountUpn
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malware detection playbook",
"triggers": [
{
"type": "Microsoft.SecurityInsights/AlertRule",
"conditions": [
{
"property": "AlertName",
"operator": "Contains",
"value": "malware"
}
]
}
],
"actions": [
{
"type": "Microsoft.SecurityInsights/Incident",
"order": 1,
"actionConfiguration": {
"severity": "High",
"owner": "tier2",
"status": "Active"
}
}
]
}
}
```
Refer to the exhibit.
```kusto
let TimeFrame = 1h;
let Threshold = 5;
SigninLogs
| where TimeGenerated > ago(TimeFrame)
| where Status.errorCode == 50057
| summarize FailedAttempts = count() by UserPrincipalName, IPAddress
| where FailedAttempts > Threshold
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious IPs",
"triggers": [
{
"type": "incidentTrigger",
"conditions": [
{
"property": "incident.severity",
"operator": "Equals",
"value": "High"
}
]
}
],
"actions": [
{
"type": "blockIP",
"value": "{{incident.entities.IP}}"
}
]
}
}
```
Refer to the exhibit.
```kusto
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-enc"
| project DeviceName, AccountName, ProcessCommandLine
| take 10
```
Refer to the exhibit.
```json
{
"type": "Microsoft.Security/automations",
"apiVersion": "2021-01-01-preview",
"properties": {
"actions": [
{
"type": "LogicApp",
"order": 1,
"logicAppResourceId": "/subscriptions/.../providers/Microsoft.Logic/workflows/MyPlaybook"
}
],
"sources": [
{
"sourceType": "Incidents",
"ruleSets": [
{
"rules": [
{
"property": "Severity",
"operator": "Equals",
"expectedValue": "High"
}
]
}
]
}
]
}
}
```
Refer to the exhibit.
```json
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"type": "Microsoft.OperationalInsights/workspaces/savedSearches",
"apiVersion": "2020-08-01",
"name": "[concat(parameters('workspaceName'), '/', 'SuspiciousLogins')]",
"properties": {
"displayName": "Suspicious Logins",
"category": "Security",
"query": "SigninLogs | where RiskLevelDuringSignIn == 'medium' or RiskLevelAggregated == 'medium' | where TimeGenerated > ago(1h)",
"tags": [
{"name": "Suspicious", "value": "High"}
]
}
}
]
}
```
Refer to the exhibit.
```kql
// KQL query from Microsoft Sentinel
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "ProcessCreated"
| where InitiatingProcessFileName == "powershell.exe"
| where ProcessCommandLine has "-EncodedCommand"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| take 100
```
Refer to the exhibit.
```jsonc
// Microsoft Sentinel automation rule configuration (partial)
{
"triggerType": "Incident",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "Medium"
}
],
"actions": [
{
"order": 1,
"actionType": "RunPlaybook",
"playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/Playbook1"
}
]
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Isolate Compromised Device",
"trigger": {
"type": "SecurityIncident",
"conditions": [
{
"property": "IncidentSeverity",
"operator": "Equals",
"value": "High"
},
{
"property": "AlertTitle",
"operator": "ContainsAny",
"value": ["Malware", "Ransomware"]
}
]
},
"actions": [
{
"type": "RunPlaybook",
"playbookId": "<playbook-id>"
}
]
}
}
```
Refer to the exhibit.
```kql
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
| order by Timestamp desc
```
Refer to the exhibit.
```json
{
"properties": {
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": false,
"reopenClosedIncident": false,
"lookbackDuration": "PT5M"
}
}
}
}
```
Refer to the exhibit.
```kql
AlertInfo
| where Timestamp > ago(1h)
| join kind=inner AlertEvidence on AlertId
| where EvidenceType == "ip" and EvidenceValue == "203.0.113.1"
| project Timestamp, AlertTitle, EvidenceValue
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/automationRules",
"apiVersion": "2023-02-01",
"name": "Auto-Isolate-High-Severity",
"properties": {
"displayName": "Auto-Isolate-High-Severity",
"order": 1,
"triggersOn": "Incidents",
"triggersWhen": "Created",
"conditions": [
{
"conditionProperties": {
"propertyName": "Severity",
"operator": "Equals",
"propertyValues": ["High"]
},
"conditionType": "PropertyCondition"
}
],
"actions": [
{
"actionType": "RunPlaybook",
"playbookName": "IsolateDevice",
"logicAppResourceId": "/subscriptions/.../resourceGroups/.../providers/Microsoft.Logic/workflows/IsolateDevice"
}
]
}
}
```
Refer to the exhibit.
```kusto
// Devices whose name carries the term "finance" and that reported a 10.x local address in the last 7 days.
DeviceInfo
| where Timestamp > ago(7d)
// `has` is a whole-term, case-insensitive match: "finance" inside a longer single term (e.g. "financepc") would not match.
| where DeviceName has "finance"
// inner join on DeviceId: only devices with at least one matching DeviceNetworkInfo row survive, and a device with several matching rows yields several output rows.
| join kind=inner (
DeviceNetworkInfo
| where Timestamp > ago(7d)
| where LocalIPAddress startswith "10."
) on DeviceId
// Both sides carry Timestamp; the left (DeviceInfo) column keeps the name and the right one is suffixed Timestamp1, so this is the DeviceInfo time, not the network snapshot time.
| project Timestamp, DeviceName, LocalIPAddress, ConnectedNetworks
```
Refer to the exhibit.
```kusto
// Microsoft Defender XDR Advanced Hunting query
// Process creations from the last 7 days where a shell/script keyword appears in the command line
// and the launched image is one of three signed Windows binaries commonly abused to proxy execution.
DeviceProcessEvents
| where Timestamp > ago(7d)
// has_any: whole-term, case-insensitive match on any of the listed terms.
| where ProcessCommandLine has_any ("powershell", "cmd", "wscript")
// NOTE(review): FileName holds only the image name, so an exact case-insensitive `in~` test is the more conventional filter here than a term match.
| where FileName has_any ("rundll32.exe", "regsvr32.exe", "mshta.exe")
| project Timestamp, DeviceName, ProcessCommandLine
```
Refer to the exhibit.
```kusto
// Microsoft Sentinel KQL: count malware/ransomware alerts from the last hour per severity label.
SecurityAlert
| where TimeGenerated > ago(1h)
// has_any: whole-term, case-insensitive match in AlertName.
| where AlertName has_any ("Malware", "Ransomware")
// Relabels "High" as "Critical"; every other AlertSeverity value passes through unchanged.
| extend Severity = case(AlertSeverity == "High", "Critical", AlertSeverity)
| summarize Count = count() by Severity
| sort by Count desc
```
Refer to the exhibit.
```kusto
// Microsoft Defender XDR advanced hunting query: shell/script hosts launched with an "-enc"-style switch in the last 7 days.
DeviceProcessEvents
| where Timestamp > ago(7d)
// in~ : exact, case-insensitive match on the image name.
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe")
// contains is a case-insensitive substring test, so this also matches -EncodedCommand, -Enc and any other argument containing "-enc"; expect some noise.
| where ProcessCommandLine contains "-enc"
| project Timestamp, DeviceName, FileName, ProcessCommandLine
| sort by Timestamp desc
```
Refer to the exhibit.
```jsonc
// ARM template snippet for Microsoft Sentinel analytics rule
{
"type": "Microsoft.OperationsManagement/solutions/workspaces/savedSearches",
"apiVersion": "2021-04-01",
"name": "[concat('SecurityInsights/', parameters('workspaceName'), '/', 'MyRule')]",
"properties": {
"category": "Security",
"displayName": "My custom rule",
"query": "SecurityEvent | where EventID == 4625 | summarize Count = count() by Account",
"triggerOperator": "GreaterThan",
"triggerThreshold": 5
}
}
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Malware detected on endpoint",
"description": "This automation rule will isolate the device when a malware incident is created.",
"triggers": [
{
"type": "IncidentCreated",
"conditions": [
{
"property": "Severity",
"operator": "Equals",
"value": "High"
},
{
"property": "Provider",
"operator": "Equals",
"value": "Microsoft Defender for Endpoint"
},
{
"property": "Title",
"operator": "Contains",
"value": "Malware"
}
]
}
],
"actions": [
{
"type": "RunPlaybook",
"playbookId": "/subscriptions/.../providers/Microsoft.Logic/workflows/IsolateDevicePlaybook"
}
]
}
}
```
Refer to the exhibit.
```kusto
// Device/account pairs with more than 5 powershell.exe launches carrying a command or encoding switch in the last 7 days.
DeviceProcessEvents
| where Timestamp > ago(7d)
// == is case-sensitive: "PowerShell.exe" or "POWERSHELL.EXE" would not match; =~ would.
| where FileName == "powershell.exe"
// has_any is a whole-term match, so each switch is matched as its own token rather than as a substring — confirm the behaviour of the two-character "-e" term against live data.
| where ProcessCommandLine has_any ("-enc", "-e", "-Command")
| summarize Count = count() by DeviceName, AccountName
| where Count > 5
| order by Count desc
```
Refer to the exhibit.
```json
{
"id": "incident_1234",
"title": "Suspicious sign-in from unfamiliar location",
"severity": "Medium",
"status": "Active",
"entities": [
{
"type": "account",
"name": "jdoe@contoso.com",
"domain": "contoso.com",
"sid": "S-1-5-21-..."
},
{
"type": "ip",
"address": "203.0.113.45",
"location": "Unknown"
}
],
"alerts": [
{
"alertId": "alert_5678",
"title": "Unfamiliar sign-in properties",
"severity": "Medium",
"provider": "Microsoft Defender for Cloud Apps"
}
]
}
```
Refer to the exhibit.
```kql
// KQL query in Microsoft Sentinel
let TimeRange = 1h;
IdentityLogonEvents
| where Timestamp > ago(TimeRange)
| where Application == "Microsoft Entra ID"
| summarize LogonAttempts = count() by UserPrincipalName, IPAddress, ResultType
| where ResultType == "Failed"
| where LogonAttempts > 5
```
Refer to the exhibit.
```jsonc
// Microsoft Sentinel automation rule JSON
{
"trigger": "When incident created",
"actions": [
{
"type": "Run playbook",
"playbookName": "Block-IP-Address"
}
],
"conditions": [
{
"property": "AlertSeverity",
"operator": "Equals",
"value": "High"
}
]
}
```
Refer to the exhibit.
```jsonc
// Microsoft Defender for Cloud Apps policy snippet
{
"policyType": "Activity policy",
"severity": "High",
"description": "Detect multiple failed logins from different IPs",
"filters": {
"activity": "Failed login",
"ip": {
"differentCount": 3,
"timeWindow": 10
}
},
"actions": [
{
"type": "Block",
"target": "User"
}
]
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2023-02-01-preview",
"properties": {
"displayName": "Suspicious Service Principal Creation",
"description": "Detects creation of service principal with high privileges.",
"severity": "High",
"query": "IdentityInfo | where TimeGenerated > ago(7d) | where OperationName == 'Add service principal' and TargetResources[0].modifiedProperties[0].newValue contains 'Global Administrator'"
}
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2023-02-01-preview",
"properties": {
"displayName": "MFA Denied High Volume",
"description": "Detects multiple MFA denials for a user.",
"severity": "Medium",
"query": "SigninLogs | where ResultType == 50076 | summarize Count = count() by UserPrincipalName | where Count > 5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
}
}
```
Refer to the exhibit.
```json
{
"type": "Microsoft.SecurityInsights/alertRules",
"apiVersion": "2023-02-01-preview",
"properties": {
"displayName": "Anomalous PowerShell Execution",
"description": "Detects PowerShell executed from unusual locations.",
"severity": "High",
"query": "DeviceProcessEvents | where FileName == 'powershell.exe' | where InitiatingProcessCommandLine contains '-EncodedCommand' | where not(ProcessCommandLine contains 'C:\\Windows\\System32')"
}
}
```
Refer to the exhibit.
```kql
// Account/IP pairs with more than `threshold` Teams logon events in the last hour that also had a medium- or high-risk sign-in (AADSignInEventsBeta) from the same pair.
let threshold = 10;
IdentityLogonEvents
| where Timestamp > ago(1h)
| where Application == "Microsoft Teams"
// count() counts every logon event for the pair — there is no ActionType filter, so successes and failures are counted together.
| summarize LogonCount = count() by AccountUpn, IPAddress
| where LogonCount > threshold
// kind=inner keeps all matches: a pair with several risky sign-ins in the hour produces one output row per risky sign-in.
| join kind=inner (
AADSignInEventsBeta
| where Timestamp > ago(1h)
| where RiskLevelDuringSignIn == "medium" or RiskLevelDuringSignIn == "high"
| project AccountUpn, IPAddress, RiskLevelDuringSignIn
) on AccountUpn, IPAddress
| project AccountUpn, IPAddress, LogonCount, RiskLevelDuringSignIn
```
Refer to the exhibit.
```json
{
"properties": {
"displayName": "Block malicious file types",
"description": "Blocks execution of potentially malicious file types.",
"policyContent": {
"policyRule": {
"if": {
"allOf": [
{
"field": "fileExtension",
"in": [".exe", ".dll", ".ps1"]
},
{
"field": "initiatingProcessFileName",
"equals": "outlook.exe"
}
]
},
"then": {
"effects": [
{
"type": "block",
"action": "blockExecution"
}
]
}
}
}
}
}
```
Refer to the exhibit.
```kql
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName == "powershell.exe"
| extend DecodedCommand = base64_decode_tostring(ProcessCommandLine)
| where DecodedCommand contains "-EncodedCommand"
| project Timestamp, DeviceName, ProcessCommandLine, DecodedCommand
```
```json
{
"alertRuleTemplate": "5a5b5c5d-6e6f-7071-7273-747576777879",
"displayName": "Suspicious Activity from Compromised Account",
"query": "IdentityLogonEvents | where Timestamp > ago(1d) | summarize count() by AccountUpn, IPAddress",
"queryPeriod": "1d",
"queryFrequency": "1h",
"triggerOperator": "GreaterThan",
"triggerThreshold": 10,
"severity": "High",
"suppressionDuration": "4h",
"suppressionEnabled": false
}
```