Manage security and threats by using Microsoft Defender XDR: Practice Questions

75 of 284 questions · Page 1/4 · Manage security and threats by using Microsoft Defender XDR · Answers revealed

1
Multi-Select · easy

Your organization uses Microsoft Defender for Office 365. You need to create a Safe Attachments policy that will block all attachments with a specific file type. Which TWO elements must you configure? (Choose two.)

Select 2 answers
A.Enable the redirect option to send the attachment to a security mailbox.
B.Set the action to 'Block' for the file type.
C.Add the file type to the policy's file type list.
D.Specify the recipient domain in the policy condition.
E.Select the user or group to apply the policy to.
Answers: B, C

Block action prevents delivery.

Why this answer

B and C are correct. The 'Block' action is what stops delivery, and adding the file type to the policy's file type list is what targets that type. A is wrong because the redirect option sends a copy of the attachment to a security mailbox; it does not stop the attachment. D and E are wrong because recipient domain and user or group membership are scoping conditions that decide whom the policy applies to, not what the policy blocks.

Caveat for the real portal: blocking attachments by extension is done by the common attachments filter in the anti-malware policy. Safe Attachments detonates attachments in a sandbox regardless of their type, so the exam question is testing the concept of action plus target rather than the exact current UI.

2
MCQ · hard

A security administrator wants to create a custom detection rule in Microsoft Defender XDR that alerts when a device initiates an outbound TCP connection to a known malicious IP address on a non-standard port (e.g., port 4444). Which advanced hunting table should be queried to find these network connections?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.EmailEvents
D.IdentityLogonEvents
Answer: A

This table contains detailed network connection logs, including destination IP, port, and protocol, which is exactly what is needed.

Why this answer

DeviceNetworkEvents is the correct table because it specifically captures network connection events, including outbound TCP connections to IP addresses and ports. This table contains fields like RemoteIP, RemotePort, and Protocol, making it ideal for detecting connections to known malicious IPs on non-standard ports such as 4444.

Exam trap

The trap here is that candidates may confuse DeviceProcessEvents with network events because processes often initiate network connections, but DeviceProcessEvents does not contain network-level details like remote IP or port, leading to an incorrect choice.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation and execution events, not network connections; it lacks network-specific fields like RemoteIP or RemotePort. Option C is wrong because EmailEvents tracks email-related activities (delivery, phishing, etc.) and has no network connection data. Option D is wrong because IdentityLogonEvents records authentication and logon events for user identities, not device-level network traffic.

3
MCQ · easy

A user reports that they cannot access a legitimate external website because Microsoft Defender for Endpoint is blocking it. The website is required for business. What should you do to allow access while maintaining security?

A.Exclude the device from the policy
B.Disable network protection for the device
C.Add the URL to the custom indicators allow list
D.Add the user to a custom group with lower security
Answer: C

Custom indicators allow specific URLs while keeping protections.

Why this answer

Option C is correct because an 'Allow' URL/domain indicator (Settings > Endpoints > Indicators) exempts that one site from network protection and web content filtering while every other protection stays in force. Option A is wrong because excluding the device from the policy removes protection for every site on that device. Option B is wrong because disabling network protection removes all URL filtering on the device. Option D is wrong because moving the user's device into a lower-security group weakens protection broadly instead of scoping the exception to one URL.

Note that URL and domain indicators are enforced by network protection, so network protection must stay enabled (in block mode) for the allow entry to take effect.

4
MCQ · medium

A security administrator wants to prevent attackers from stealing credentials by blocking access to the Local Security Authority Subsystem Service (LSASS) from untrusted processes. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

A.Block credential stealing from the Windows local security authority subsystem (lsass.exe).
B.Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
C.Block Office applications from creating child processes.
D.Block persistence through Windows Management Instrumentation (WMI) event subscription.
Answer: A

This rule blocks untrusted processes from accessing LSASS, directly preventing credential theft techniques.

Why this answer

The ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) directly prevents untrusted processes from accessing LSASS memory, which is a common technique used by attackers to dump credentials via tools like Mimikatz. This rule blocks attempts to open lsass.exe with specific access rights (e.g., PROCESS_VM_READ) from non-trusted processes, thereby protecting credential material stored in LSASS.

Exam trap

The trap here is that candidates often confuse the 'Block credential stealing from LSASS' rule with other ASR rules that address different attack vectors, such as blocking executable files or Office child processes, because they all fall under the same 'Attack Surface Reduction' umbrella but target distinct behaviors.

How to eliminate wrong answers

Option B is wrong because it addresses executable file execution based on prevalence, age, or trusted list criteria, which is a different ASR rule (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) focused on preventing untrusted or unknown executables from running, not specifically protecting LSASS from credential theft. Option C is wrong because it blocks Office applications from creating child processes (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a), which prevents malware from using Office apps as a launch point but does not directly protect LSASS from credential access. Option D is wrong because it blocks persistence through WMI event subscription (GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b), which prevents attackers from establishing persistence via WMI, but does not address the immediate credential theft from LSASS.

5
Multi-Select · medium

Your organization uses Microsoft Defender for Endpoint. You need to configure advanced hunting to query device information. Which TWO tables contain device-related data?

Select 2 answers
A.AlertInfo
B.EmailEvents
C.IdentityLogonEvents
D.DeviceInfo
E.DeviceTvmInfoGathering
Answers: D, E

Contains device information like OS, device name.

Why this answer

Options D and E are correct because DeviceInfo (operating system, device name, onboarding and join state) and DeviceTvmInfoGathering (Defender Vulnerability Management assessment data per device) are the advanced hunting tables that describe devices themselves. Option A is wrong because AlertInfo contains alert metadata (title, severity, category), not device properties. Option B is wrong because EmailEvents contains email delivery data. Option C is wrong because IdentityLogonEvents contains authentication events from Defender for Identity and Microsoft Entra ID.

6
MCQ · medium

A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a process spawned by Microsoft Word (winword.exe) makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?

Select 1 answer
A.DeviceProcessEvents and DeviceNetworkEvents
B.DeviceProcessEvents and DeviceEvents
C.DeviceNetworkEvents and IdentityLogonEvents
D.DeviceProcessEvents and DeviceFileEvents
Answer: A

DeviceProcessEvents provides process creation details (including the parent process), and DeviceNetworkEvents provides network connection details. Joining them correlates a process to its network connections.

Why this answer

To detect a process spawned by winword.exe making an outbound connection to a known malicious IP, identify the process creation event (the parent-child relationship) in DeviceProcessEvents, then correlate it with the connection in DeviceNetworkEvents. Join on DeviceId and the process identifier (InitiatingProcessId in DeviceNetworkEvents against ProcessId in DeviceProcessEvents), constrained to a time window after process creation, because process IDs are reused. Note that DeviceNetworkEvents also carries InitiatingProcessParentFileName, so the simple case (a direct child of winword.exe) can be found from that table alone; the join is needed when you want the child's command line or deeper ancestry from the process table.

Exam trap

The trap here is that candidates assume DeviceEvents (a catch-all for miscellaneous endpoint events such as ASR blocks, AMSI detections and scheduled task changes) can substitute for network connection data, but DeviceNetworkEvents is the table that records outbound remote IP addresses and ports.
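The join described above, as an added example written for this page (not code from the question bank or from Microsoft). The watch-list IPs are RFC 5737 documentation addresses, and the 30-day lookback and 1-hour correlation window are assumptions:

```kusto
// Added example for this page; not from the original question bank.
// Correlates child processes of winword.exe (DeviceProcessEvents) with their
// outbound connections (DeviceNetworkEvents) to a watch list of IPs.
// Assumptions: the IP list (RFC 5737 documentation addresses), the 30d
// lookback and the 1h correlation window are constructed for illustration.
let WatchedIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
let Lookback = 30d;
// Processes whose parent was Word: ProcessId/ProcessCreationTime describe the child.
let WordChildren =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessFileName =~ "winword.exe"
    | project DeviceId, ChildProcessId = ProcessId, ChildFileName = FileName,
              ChildCommandLine = ProcessCommandLine, ChildCreated = ProcessCreationTime;
DeviceNetworkEvents
| where Timestamp > ago(Lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIP in (WatchedIPs)
| join kind=inner WordChildren on DeviceId
// PIDs are reused, so require the connection to follow this particular creation.
| where InitiatingProcessId == ChildProcessId
    and Timestamp between (ChildCreated .. (ChildCreated + 1h))
// Custom detection rules require Timestamp, ReportId and DeviceId in the output.
| project Timestamp, ReportId, DeviceId, DeviceName,
          ChildFileName, ChildCommandLine, ChildCreated,
          RemoteIP, RemotePort, InitiatingProcessFileName
| order by Timestamp desc
```

For the direct-child case only, the single-table form `DeviceNetworkEvents | where InitiatingProcessParentFileName =~ "winword.exe" and RemoteIP in (WatchedIPs)` gives the same hits without a join; the join version is what you need when the child's command line or grandparent matters.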

7
MCQ · hard

A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?

A.Kusto Query Language (KQL)
B.PowerShell
C.Splunk SPL
D.SQL
Answer: A

KQL is the query language used in Microsoft Defender XDR advanced hunting to create custom detection rules.

Why this answer

Microsoft Defender XDR uses Kusto Query Language (KQL) for advanced hunting queries, including custom detection rules. KQL allows querying the DeviceProcessEvents and DeviceNetworkEvents tables to correlate process launches with network connections, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse the query language used in Microsoft Defender XDR with other common tools like PowerShell or SQL, but Microsoft specifically designed KQL for its security analytics and it is the only language supported for custom detections in this context.

How to eliminate wrong answers

Option B is wrong because PowerShell is a scripting language used for automation and configuration, not for querying Microsoft Defender XDR's underlying data schema; advanced hunting queries require KQL, not PowerShell cmdlets. Option C is wrong because Splunk SPL (Search Processing Language) is proprietary to Splunk and cannot be used in Microsoft Defender XDR, which has its own query engine. Option D is wrong because SQL is a relational database query language not supported by Microsoft Defender XDR's advanced hunting; the platform uses KQL, which is based on a tabular data stream model, not SQL.

8
MCQ · easy

You are a security administrator. You need to configure Microsoft Defender for Cloud Apps to detect anomalous user activities such as impossible travel. Which feature should you enable?

A.App Discovery
B.Cloud Discovery
C.Anomaly Detection policies
D.Conditional Access App Control
Answer: C

Anomaly Detection policies detect unusual user activities.

Why this answer

Option C is correct because Anomaly Detection policies in Microsoft Defender for Cloud Apps use behavioral baselines to detect unusual activity such as impossible travel, activity from infrequent countries, mass download and ransomware-like behavior. Option A (App Discovery) and Option B (Cloud Discovery) are about identifying shadow IT and analyzing which cloud apps are in use from traffic logs. Option D (Conditional Access App Control) provides real-time session controls through a reverse proxy; it does not detect anomalies.

9
MCQ · easy

A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?

A.Automated investigation and response (AIR)
B.Advanced hunting
C.Threat analytics
D.Attack surface reduction rules
Answer: A

AIR uses automation to investigate alerts and take predefined remediation actions, such as isolating devices or deleting malicious emails.

Why this answer

Automated investigation and response (AIR) is the Microsoft Defender XDR capability that automatically investigates alerts and takes remediation actions across endpoints, email, and identities without manual intervention. It uses playbooks and machine learning to triage incidents, determine scope, and apply actions like isolating devices or deleting malicious emails.

Exam trap

The trap here is that candidates confuse 'automated investigation and response' with 'advanced hunting' because both involve security analysis, but only AIR provides the automated remediation workflow without manual querying.

How to eliminate wrong answers

Option B is wrong because advanced hunting is a query-based tool for manually searching raw telemetry data using Kusto Query Language (KQL), not an automated response mechanism. Option C is wrong because threat analytics provides threat intelligence reports and vulnerability assessments but does not perform automated investigation or response actions. Option D is wrong because attack surface reduction rules are endpoint-specific configurations that block common attack techniques (e.g., Office macro execution), but they do not automate the investigation and response lifecycle across multiple domains.

10
MCQ · hard

You are configuring Microsoft Defender for Office 365 anti-phish policy. You want to protect against user impersonation attacks. The CEO and CFO are frequent targets. What should you configure in the anti-phish policy?

A.Configure spoof intelligence
B.Add the CEO and CFO's domains to domain impersonation
C.Enable user impersonation protection and add the CEO and CFO as protected users
D.Enable mailbox intelligence
Answer: C

User impersonation protection specifically protects selected users.

Why this answer

Option C is correct because user impersonation protection lets you list specific internal or external senders (up to 350 per policy) whose display names and addresses are protected against look-alike messages. Option B is wrong because domain impersonation protects against look-alike domains, not look-alike people. Option D is wrong because mailbox intelligence learns each user's normal contacts for general impersonation detection rather than protecting named executives. Option A is wrong because spoof intelligence deals with senders forging your domain (authentication failures), not with impersonation of individuals.

11
MCQ · medium

A user reports that they are unable to access a file in SharePoint Online. You check the audit log and see that the file was quarantined by Microsoft Defender for Office 365. What is the most likely reason?

A.The file was overwritten by a previous version.
B.The file was detected as malware by Safe Attachments.
C.The file has a retention policy that moved it to the Preservation Hold library.
D.The file was labeled as highly confidential by Microsoft Purview Information Protection.
E.The file contains sensitive information and triggered a Data Loss Prevention (DLP) policy.
Answer: B

Safe Attachments quarantines malicious files.

Why this answer

Option B is correct because Safe Attachments for SharePoint, OneDrive and Microsoft Teams detonates files stored in those services and, when one is found malicious, locks it so it cannot be opened, copied, moved or shared; this shows up as a quarantine action from Defender for Office 365. Option E is wrong because DLP policies block sharing or access, they do not quarantine files as malware. Option C is wrong because retention policies preserve copies in the Preservation Hold library without touching the user's access. Option A is wrong because version history does not cause quarantine. Option D is wrong because sensitivity labels classify and protect content; they do not quarantine it.

12
Multi-Select · easy

Which TWO actions can you perform in the Microsoft Defender XDR portal to investigate a security incident?

Select 2 answers
A.View the incident timeline
B.Run advanced hunting queries
C.Create mail flow rules
D.Reset user passwords
E.Review impacted assets
Answers: A, E

The incident timeline shows the sequence of alerts and events.

Why this answer

Options A and E are correct. The incident timeline shows the sequence of alerts and events, and the Assets tab lists the impacted devices, users, mailboxes and apps. Option D is wrong because, per the answer key, resetting a user's password is an identity administration task performed in Microsoft Entra ID rather than an incident investigation step. Option B is wrong because advanced hunting is treated here as a separate feature of the portal rather than an action taken on the incident itself. Option C is wrong because mail flow rules are created in the Exchange admin center.

13
MCQ · easy

You run the above KQL query in Microsoft Defender XDR Advanced Hunting. The query returns no results. What is the most likely reason?

A.The EmailDirection filter should be 'Outbound'.
B.No inbound emails were blocked in the last 30 days.
C.The time range should be 7 days instead of 30 days.
D.The column name SenderDomain does not exist in EmailEvents.
Answer: D

The correct column is 'SenderMailFromDomain'.

Why this answer

Option D is correct: EmailEvents has no SenderDomain column, so the query cannot match any rows as written (in the portal this typically surfaces as a 'failed to resolve column' error). The sender domain columns in the schema are SenderFromDomain (the header From address, what the user sees) and SenderMailFromDomain (the envelope MAIL FROM address). Option B (no inbound emails blocked in 30 days) is possible but unlikely in a tenant with filtering turned on. Option C is wrong because narrowing the time range cannot produce results that the wider range did not. Option A is wrong because inbound email is the direction the question is about; switching to 'Outbound' would hide the blocked inbound messages.
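The question's own query is not reproduced on this page. As an added illustration written for this page (not the question's query and not Microsoft's), here is a version that uses the EmailEvents column names the answer refers to, counting blocked inbound mail per sender domain over 30 days:

```kusto
// Added illustration for this page; the question's own query is not shown here.
// Uses the real EmailEvents column names: SenderFromDomain (header From)
// and SenderMailFromDomain (envelope MAIL FROM). There is no SenderDomain column.
EmailEvents
| where Timestamp > ago(30d)
| where EmailDirection == "Inbound"
| where DeliveryAction == "Blocked"
| summarize BlockedMessages = count(),
            Threats = make_set(ThreatTypes, 10),
            LastBlocked = max(Timestamp)
          by SenderMailFromDomain, SenderFromDomain
| order by BlockedMessages desc
| take 20
```

Grouping by both domains makes header/envelope mismatches visible, which is a common phishing tell. To confirm column names before saving a detection, run `EmailEvents | getschema`; a misspelled column fails to resolve rather than silently returning nothing.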

14
MCQ · easy

Your organization uses Microsoft Defender for Endpoint (MDE). You need to configure an automated investigation and response (AIR) capability that will automatically remediate a confirmed malware infection on endpoints. Which action should you enable?

A.Run antivirus scan
B.Notify users via email
C.Automatically resolve alerts
D.Isolate device
Answer: C

Enables automatic remediation actions.

Why this answer

Option C is correct per the answer key: 'Automatically resolve alerts' lets the automated investigation close alerts once remediation (quarantining files, stopping processes) completes without waiting for an analyst. Option D is wrong because isolating the device is a containment response action that cuts network access; it does not remove the malware. Option B is wrong because an email notification informs people but remediates nothing. Option A is wrong because an antivirus scan is a manually triggered response action, not part of automated investigation.

In practice the degree of automation is set per device group (Settings > Endpoints > Device groups > Remediation level); 'Full - remediate threats automatically' is the level that lets AIR remediate confirmed malware without approval.

15
MCQ · medium

Your organization uses Microsoft Defender for Identity. You need to configure a honeytoken account to detect attackers trying to use the account. In which location should you place the honeytoken account?

A.A domain user account with no privileges
B.A service account with high privileges
C.A non-existent account alias in AD
D.A guest account
Answer: A

Honeytoken accounts should be real user accounts with no privileges.

Why this answer

Option A is correct because a honeytoken should be a real, unprivileged Active Directory user account that nobody legitimately uses, so that any authentication or enumeration involving it is a high-fidelity signal. Option B is wrong because a service account with high privileges is used legitimately (and is exactly what you do not want exposed as bait), so it would generate false positives. Option D is wrong because guest accounts may see legitimate use and would also cause false alerts. Option C is wrong because the account must exist in Active Directory for Defender for Identity to monitor it; a non-existent alias produces no authentication events to tag.

In Defender for Identity the account is tagged as Honeytoken under Settings > Identities > Entity tags; any logon or Kerberos activity from a tagged account raises an alert.

16
MCQ · medium

A company uses Microsoft Defender for Office 365. Users report that phishing emails with malicious links are occasionally delivered to their inboxes. The security team wants to ensure that suspicious URLs are detonated in a sandbox before delivery for all recipients. What should the security team configure?

A.Configure a Safe Links policy with 'Use Safe Attachments to scan content' enabled.
B.Enable the 'Block URLs' option in the anti-phishing policy.
C.Configure a Safe Attachments policy for email messages.
D.Enable 'Safe Links for Microsoft Teams' in the global settings.
Answer: A

This triggers sandbox detonation of URLs before delivery.

Why this answer

Option A is correct. By default Safe Links rewrites URLs and checks them at the time of click. The Safe Links setting the question calls 'Use Safe Attachments to scan content' appears in the current portal as 'Apply real-time URL scanning for suspicious links and links that point to files', paired with 'Wait for URL scanning to complete before delivering the message' (in PowerShell, Set-SafeLinksPolicy -ScanUrls $true -DeliverMessageAfterScan $true). With both on, suspicious URLs and linked files are detonated before the message is delivered. Option C is wrong because Safe Attachments for email detonates attachments, not URLs in the message body. Option B is wrong because the anti-phishing policy has no URL detonation option. Option D is wrong because Safe Links for Microsoft Teams only checks links at click time, and only in Teams.

17
MCQ · hard

A security administrator needs to block outbound network connections from a compromised Windows device to command-and-control servers. The solution must work at the network layer and be centrally managed via Microsoft 365 Defender. Which feature should the administrator enable?

A.Network Protection
B.Attack Surface Reduction rules
C.Session control in Defender for Cloud Apps
D.Windows Firewall with Advanced Security
Answer: A

Network Protection prevents outbound connections to malicious endpoints, providing network-layer blocking managed via Defender for Endpoint.

Why this answer

Network Protection in Microsoft Defender for Endpoint blocks outbound connections to command-and-control (C2) servers at the network layer by inspecting traffic using the Windows Filtering Platform (WFP). It is centrally managed via Microsoft 365 Defender policies and does not require per-device firewall rule configuration, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates confuse 'network layer blocking' with Windows Firewall, but the question specifically requires a solution centrally managed via Microsoft 365 Defender, which Network Protection fulfills through the Defender for Endpoint security configuration.

How to eliminate wrong answers

Option B is wrong because Attack Surface Reduction (ASR) rules block file-based and script-based attack techniques (e.g., Office macro behaviour, credential theft from LSASS), not network-layer outbound connections to C2 servers. Option C is wrong because session control in Defender for Cloud Apps operates at the application layer (HTTP/S) through a reverse proxy and is designed for controlling access to cloud apps, not for blocking C2 traffic from a compromised device. Option D is wrong because Windows Firewall rules are static: although they can be deployed centrally through Group Policy, Intune or Defender for Endpoint security settings management, they carry no threat intelligence, whereas Network Protection blocks C2 destinations dynamically from Microsoft's reputation feeds and your custom indicators.
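Both the LSASS ASR rule (question 4) and Network Protection (question 17) write their own ActionType values to the DeviceEvents table, which is how you verify that a control is actually blocking and not just auditing. The following is an added example written for this page (not code from the question bank or from Microsoft); the 7-day lookback is an assumption:

```kusto
// Added example for this page; not from the original question bank.
// Hunts DeviceEvents for the ActionType values written when the LSASS
// credential-theft ASR rule and Network Protection fire, to confirm both
// controls are in Block mode rather than Audit. The 7d lookback is assumed.
let Lookback = 7d;
DeviceEvents
| where Timestamp > ago(Lookback)
| where ActionType in ("AsrLsassCredentialTheftBlocked", "AsrLsassCredentialTheftAudited",
                       "ExploitGuardNetworkProtectionBlocked", "ExploitGuardNetworkProtectionAudited")
| extend Control = iff(ActionType startswith "AsrLsass", "ASR: LSASS credential theft", "Network Protection"),
         Mode = iff(ActionType endswith "Blocked", "Block", "Audit")
// FileName is the target (lsass.exe) for ASR events; RemoteUrl is the destination
// for Network Protection events, so coalesce them into a single Target column.
| extend Target = coalesce(RemoteUrl, FileName)
| summarize Events = count(), LastSeen = max(Timestamp),
            Processes = make_set(InitiatingProcessFileName, 5),
            Targets = make_set(Target, 5)
          by DeviceName, Control, Mode
| order by Mode asc, Events desc
```

Sorting on Mode first lists devices still in Audit mode at the top; those are the ones whose policy has not been switched to Block (or has not applied yet). A burst of LSASS audits from a backup agent or EDR product is the typical legitimate access you would exclude before enforcing.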

18
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to ensure that when a user reports a phishing email via the Microsoft Report Message add-in, the URL in the email is automatically blocked on all endpoints. What should you configure?

A.Configure Safe Links policies to block the URL.
B.Configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender.
C.Configure anti-phishing policies in Defender for Office 365.
D.Configure the Tenant Allow/Block List for URLs in the Microsoft 365 Defender portal.
Answer: D

URLs from user-reported messages surface on the Submissions page, where an admin can add a block entry to the Tenant Allow/Block List.

Why this answer

Option D is correct per the answer key: the Tenant Allow/Block List in the Defender portal is where URL block entries are created, and the Submissions page (fed by the Report Message add-in) offers a 'block' option that creates the entry from the report. Option A is wrong because Safe Links applies time-of-click protection to email and Office clients; it is not a list you populate from user reports. Option C is wrong because anti-phishing policies tune impersonation and spoof detection; they do not block specific URLs. Option B is wrong because AIR investigates and remediates the reported message (for example, soft-deleting it) rather than maintaining a URL block list.

Caveat: the Tenant Allow/Block List is enforced by Defender for Office 365 (Safe Links and mail flow), not by the endpoint agent. To block the same URL on every endpoint at the network layer you also need a URL/domain indicator in Defender for Endpoint (Settings > Endpoints > Indicators); the two lists are not synchronized automatically.

19
Multi-Select · easy

You are a security analyst. You need to investigate a potential malware outbreak on a device using Microsoft Defender XDR. Which three data sources can you include in an advanced hunting query to gather relevant information? (Choose three.)

Select 3 answers
A.CloudAppEvents
B.DeviceFileEvents
C.EmailAttachmentInfo
D.DeviceNetworkEvents
E.DeviceProcessEvents
Answers: B, D, E

DeviceFileEvents contains file creation and modification events.

Why this answer

Options B, D and E are correct because DeviceFileEvents, DeviceNetworkEvents and DeviceProcessEvents are the standard advanced hunting tables for file, network and process activity on a device, which together cover dropped files, command-and-control connections and the processes that produced them. Option C is wrong because EmailAttachmentInfo describes attachments in mail flow, not activity on the device. Option A is wrong because CloudAppEvents records activity in SaaS apps monitored by Defender for Cloud Apps.

20
MCQ · medium

You are a Microsoft 365 administrator. A user reports that they received a Microsoft Teams message from an external user containing a link to a malicious website. The user clicked the link but did not enter any credentials. You need to prevent similar incidents in the future. What should you configure?

A.Configure a Teams messaging policy to block all messages from external users.
B.Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
C.Enable Safe Links for Microsoft Teams in Defender for Office 365.
D.Configure an anti-phishing policy to protect against impersonation in Teams.
Answer: C

Safe Links for Teams rewrites and checks URLs at the time of click, blocking malicious links.

Why this answer

Option C is correct because enabling Safe Links for Microsoft Teams in Defender for Office 365 provides time-of-click protection for links shared in Teams chats and channels, including links from external users. Option A is wrong because blocking all external messages would break legitimate collaboration. Option B is wrong because Safe Attachments for SharePoint, OneDrive and Teams scans stored files, not links in messages. Option D is wrong because anti-phishing impersonation protection applies to email, not to Teams messages; Safe Links is the appropriate Teams protection.

21
MCQ · hard

A security analyst needs to identify the specific process (filename) that initiated a network connection from a device to a known malicious IP address over the last 24 hours. Which advanced hunting table in Microsoft Defender XDR provides the necessary data including the initiating process filename and the remote IP address?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.DeviceEvents
D.DeviceRegistryEvents
Answer: A

This table records network connections with fields for remote IP and initiating process details.

Why this answer

DeviceNetworkEvents is the correct table because it specifically captures network connection events, including the initiating process filename (InitiatingProcessFileName) and the remote IP address (RemoteIP). This table is designed for hunting network-related activities, such as connections to known malicious IPs, within Microsoft Defender XDR's advanced hunting schema.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which shows process creation) with network connection data, mistakenly thinking that process events include network details, but DeviceProcessEvents lacks the RemoteIP field entirely.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it focuses on process creation events (e.g., file execution, command-line arguments) and does not include network-specific fields like RemoteIP or remote port. Option C (DeviceEvents) is wrong because it aggregates various system-level events (e.g., file creation, registry modifications) but lacks the dedicated network connection fields required to identify the initiating process filename and remote IP address. Option D (DeviceRegistryEvents) is wrong because it only captures registry modification events (e.g., key changes, value writes) and has no relevance to network connections or IP addresses.
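Questions 2 and 21 both come down to the same DeviceNetworkEvents query: outbound connections to a watch-listed IP on a non-standard port, with the initiating process named. The following is an added example written for this page (not code from the question bank or from Microsoft). The IPs are RFC 5737 documentation addresses and the port is the one the question uses; both are constructed for illustration:

```kusto
// Added example for this page; not from the original question bank.
// Outbound TCP connections to a watch list of IPs on a non-standard port,
// with the process that made them. IPs (RFC 5737 documentation addresses)
// and the port are constructed for illustration.
let WatchedIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
let WatchedPort = 4444;
DeviceNetworkEvents
| where Timestamp > ago(24h)
| where Protocol =~ "tcp"
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| where RemoteIP in (WatchedIPs) and RemotePort == WatchedPort
// Custom detection rules require Timestamp, ReportId and DeviceId in the output.
| project Timestamp, ReportId, DeviceId, DeviceName, ActionType,
          RemoteIP, RemotePort, LocalIP, LocalPort,
          InitiatingProcessFileName, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessParentFileName,
          InitiatingProcessAccountName
| order by Timestamp desc
```

Keeping ConnectionFailed in the filter matters for C2 hunting: a beacon whose server is down still reveals the implant. A literal IP list is fine for a handful of indicators; for an ongoing feed, push the addresses as IP indicators in Defender for Endpoint so the connection is blocked on the device rather than only alerted on afterwards.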

22
MCQ · easy

You are configuring policies in Microsoft Defender for Office 365. You need to ensure that users cannot click through to a malicious website that is hosted on a newly registered domain. Which policy setting should you enable?

A.Anti-phishing
B.Safe Links
C.Anti-spam
D.Safe Attachments
Answer: B

Safe Links scans and blocks malicious URLs at click time.

Why this answer

Option B is correct because Safe Links checks URLs at the time of click against current reputation, so a domain that was clean at delivery but has since been flagged is blocked, and the 'Do not allow users to click through to the original URL' setting removes the override. Option D is wrong because Safe Attachments deals with attachments. Option A is wrong because anti-phishing policies address impersonation and spoofing, not the URLs in a message. Option C is wrong because anti-spam policies filter bulk and spam mail rather than blocking malicious URLs at click time.

23
MCQ · hard

You run the above KQL query in Microsoft Defender for Endpoint advanced hunting. What is the purpose of this query?

A.To identify the top 10 devices with the most suspicious process injection alerts
B.To correlate device alerts with user activities
C.To list all devices with high severity alerts
D.To find the top 10 devices with the most alerts of any type
Answer: A

It filters for that alert title and returns top 10.

Why this answer

Option A is correct. The query filters on the process-injection alert title, summarizes by DeviceName with a count, and returns the top 10 devices. Option C is wrong because nothing in the query filters on Severity. Option D is wrong because the Title filter restricts the count to one alert type, not alerts of any type. Option B is wrong because the query performs no join against identity or user-activity tables, so it correlates nothing.

24
MCQ · medium

A security analyst has identified a new malware sample with a specific SHA256 hash. The analyst needs to immediately block this file from executing on any managed endpoint across the organization, including prevention of future execution. Which Microsoft Defender for Endpoint capability should the analyst use?

A.Attack surface reduction (ASR) rules
B.Indicators (IoCs) for file hashes
C.Custom detection rules via advanced hunting
D.Microsoft Defender Vulnerability Management
Answer: B

Indicators for file hashes with action 'Block and Remediate' block execution of the specific file across all endpoints and remove it if found.

Why this answer

Option B is correct because Indicators of Compromise (IoCs) for file hashes in Microsoft Defender for Endpoint let an analyst create a block indicator for a specific SHA256 hash (Settings > Endpoints > Indicators > File hashes, action 'Block and Remediate'). Once the indicator reaches the device it prevents the file from executing on any managed endpoint and persists across reboots, so future execution attempts are blocked as well. Unlike the other capabilities, IoCs provide a direct, hash-based block enforced by the Microsoft Defender Antivirus engine at the point of execution. Two prerequisites a practitioner should check: Microsoft Defender Antivirus must be the active antivirus (not in passive mode) and cloud-delivered protection must be enabled, otherwise file hash indicators are not enforced.

Exam trap

The trap here is that candidates often confuse ASR rules (which block behaviors) with IoC-based blocking (which blocks specific file hashes), or they assume custom detection rules can directly block execution when they only generate alerts or run limited response actions.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction (ASR) rules are behavior-based policies that reduce the attack surface by blocking common malware behaviors (e.g., Office apps creating child processes), not by blocking specific file hashes. Option C is wrong because Custom detection rules via advanced hunting are used to create custom alerts based on query results, but they do not directly block file execution; they only trigger alerts or run response actions that may not be immediate or persistent. Option D is wrong because Microsoft Defender Vulnerability Management focuses on identifying, assessing, and remediating vulnerabilities (e.g., missing patches), not on blocking specific malware file hashes.

25
MCQ · medium

You are reviewing a Microsoft Defender for Cloud Apps policy JSON. What does this policy do?

A.Blocks sign-ins from a specific IP address range
B.Blocks sign-ins from anonymous proxy IP addresses
C.Alerts when a sign-in occurs from an anonymous proxy
D.Blocks sign-ins from risky sessions based on user behavior
Answer: B

The filter specifies IP category as AnonymousProxy.

Why this answer

Option B is correct. The policy's filter matches on the IP address category 'Anonymous proxy' and its action is Block, so sign-ins from anonymous proxy IPs are blocked. Option A is wrong because the filter is on IP category, not on a specific address range. Option C is wrong because the action is Block, not Alert only. Option D is wrong because the condition is the IP category, not a risk score derived from user behavior.

26
MCQ · medium

A security administrator wants to configure Microsoft Defender for Cloud Apps to block downloads of sensitive files from Salesforce to unmanaged devices in real time. Which Defender for Cloud Apps component must be configured?

A.Cloud Discovery
B.App Connectors
C.Conditional Access App Control
D.Activity policies
Answer: C

Conditional Access App Control uses a reverse proxy to monitor and control sessions in real time, enabling block actions.

Why this answer

Conditional Access App Control (CAAC) is the correct component because it enables real-time, session-level monitoring and control of user activity in SaaS apps such as Salesforce. Driven by a Microsoft Entra ID (formerly Azure AD) Conditional Access policy that routes the session through the Defender for Cloud Apps reverse proxy, a session policy can block downloads of sensitive files to unmanaged devices at the moment of access, inspecting and intervening in the traffic rather than reacting after the fact.

Exam trap

The trap here is that candidates often confuse App Connectors (API-based governance) with Conditional Access App Control (proxy-based real-time control), assuming both can block downloads in real time, but only the reverse proxy can intercept and block actions during the session.

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is used to identify shadow IT and analyze traffic logs to discover cloud apps in use, not to enforce real-time blocking policies on managed SaaS apps. Option B is wrong because App Connectors are used for API-based integration to scan and govern data at rest (e.g., applying DLP labels or quarantine), not for real-time session control of downloads. Option D is wrong because Activity policies are reactive, rule-based alerts triggered after an activity occurs (e.g., multiple failed logins), and cannot block actions in real time during the session.

27
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You need to configure automated remediation for a confirmed phishing email that was delivered to a user's inbox. The remediation should also block the sender's domain across the tenant. Which action should you include in the automation playbook?

A. Create an attack simulation training campaign for the affected user
B. Create a data loss prevention policy to classify the email as malicious
C. Create a playbook in Microsoft Defender XDR that triggers automated actions
D. Configure a Safe Links policy to block the URL at click time
Answer: C

Playbooks can automate remediation actions like soft-delete and domain block.

Why this answer

Option B is correct because a playbook in Microsoft Defender XDR can trigger automatic remediation actions such as soft-deleting emails and blocking sender domains. Option A is wrong because attack simulation is for testing, not remediation. Option C is wrong because Safe Links policies protect links, not remediate delivered emails.

Option D is wrong because data loss prevention policies focus on data classification, not email remediation.

28
MCQ · medium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate the alert. Which log should you analyze in Microsoft Defender for Identity?

A. Lateral movement paths
B. Entity profile
C. Network activities
D. Security alerts
Answer: C

Network activities include Kerberos requests and other protocol activities.

Why this answer

Option D is correct because Kerberos ticket requests are captured as network activities. Option A is wrong because lateral movement paths show potential attack paths. Option B is wrong because entity profiles show user or machine details.

Option C is wrong because security alerts are the alerts themselves, not the underlying data.

29
MCQ · medium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device is onboarded, it automatically receives all current threat intelligence signatures. What should you verify is configured?

A. The device is configured to receive updates from Microsoft Update.
B. Network protection is enabled in the attack surface reduction rules.
C. Sample submission is enabled in the advanced features.
D. Cloud-delivered protection is enabled in the Microsoft 365 Defender portal.
Answer: D

Cloud-delivered protection provides real-time signature updates from Microsoft.

Why this answer

Option B is correct because cloud-delivered protection ensures devices receive the latest signatures from Microsoft. Option A is wrong because sample submission is for advanced analysis, not signature updates. Option C is wrong because it's part of the detection engine but not specifically for signature updates.

Option D is wrong because network protection is a feature, not signature delivery.

30
Multi-Select · medium

Which TWO Microsoft Defender XDR components provide protection for email and collaboration tools? (Choose two.)

Select 2 answers
A. Microsoft Defender for Identity
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud
D. Microsoft Defender for Cloud Apps
E. Microsoft Defender for Endpoint
Answers: B, D

Protects email and collaboration tools.

Why this answer

Options B and D are correct. Microsoft Defender for Office 365 protects email and collaboration tools like SharePoint, OneDrive, and Teams. Microsoft Defender for Cloud Apps provides visibility and control over cloud apps including email and collaboration platforms.

Option A (Defender for Endpoint) protects endpoints. Option C (Defender for Identity) protects on-premises Active Directory. Option E (Defender for Cloud) protects cloud workloads.

31
MCQ · medium

Your organization has Microsoft Defender for Office 365. Users report that legitimate emails from a partner domain are being quarantined. You need to ensure these emails are delivered while maintaining security. What should you do?

A. Add the partner domain to the Allow list in the Tenant Allow/Block List.
B. Disable spam filtering for the partner domain.
C. Lower the spam confidence level (SCL) threshold for the organization.
D. Create a mail flow rule to bypass spam filtering for the partner domain.
Answer: A

This allows the domain while maintaining filtering for other domains; however, the root cause should be addressed.

Why this answer

Option B is correct because adding the partner domain to the Allow list in the Tenant Allow/Block List lets the emails through; this may be used temporarily, but the long-term best practice is to fix email authentication. Option A is wrong because disabling filtering is not recommended. Option C is wrong because it affects all external emails.

Option D is wrong because creating a transport rule bypasses security checks and is not best practice.

32
MCQ · hard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to stream advanced hunting data from Defender XDR to Sentinel to run analytics rules. What should you configure?

A. Configure Diagnostic settings in Microsoft Defender XDR to send logs to Log Analytics.
B. Install the Microsoft Defender XDR data connector in Microsoft Sentinel.
C. Use the Microsoft 365 Defender connector in Sentinel.
D. Configure the Threat Intelligence – TAXII connector in Sentinel.
Answer: B

The connector streams advanced hunting data directly into Sentinel.

Why this answer

Option B is correct because the Microsoft Defender XDR data connector in Sentinel streams advanced hunting data. Option A is wrong because the Diagnostic settings in Defender XDR export to Log Analytics, but the direct connector is simpler. Option C is wrong because the Microsoft 365 Defender connector is for Office 365 data.

Option D is wrong because the Threat Intelligence connector ingests threat intel, not telemetry.

33
MCQ · easy

Your organization uses Microsoft Defender XDR. You want to create a custom detection rule that triggers an alert when a specific process is created on multiple endpoints. Which advanced hunting table should you use?

A. DeviceNetworkEvents
B. DeviceFileEvents
C. DeviceLogonEvents
D. DeviceRegistryEvents
E. DeviceProcessEvents
Answer: E

This table logs process creation events on endpoints.

Why this answer

Option A is correct because DeviceProcessEvents contains process creation events. Option B is wrong because DeviceNetworkEvents is for network connections. Option C is wrong because DeviceFileEvents is for file operations.

Option D is wrong because DeviceLogonEvents is for logon events. Option E is wrong because DeviceRegistryEvents is for registry changes.

34
MCQ · hard

You are designing an incident response plan using Microsoft Defender XDR. You want to automate the containment of compromised devices when a high-severity incident is detected. What should you configure?

A. Configure custom detection rules in Microsoft Defender for Endpoint
B. Configure device groups in Microsoft Defender for Endpoint
C. Enable automated investigation and response (AIR) in Microsoft Defender XDR
D. Create a playbook in Microsoft Sentinel
Answer: C

AIR can automatically contain devices based on incident severity.

Why this answer

Option C is correct because automated investigation and response (AIR) in Microsoft Defender XDR can automatically contain devices. Option A is wrong because playbooks in Microsoft Sentinel require manual triggering or separate automation. Option B is wrong because custom detection rules only create alerts.

Option D is wrong because device groups are for management, not automation.

35
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that automatically alerts when a user downloads more than 100 files from SharePoint Online in 10 minutes. What type of policy should you create?

A. Session policy
B. App discovery policy
C. Anomaly detection policy
D. OAuth app policy
Answer: C

Anomaly detection policies detect unusual file download activity.

Why this answer

Option A is correct because an anomaly detection policy detects unusual download activity. Option B is wrong because an app discovery policy identifies shadow IT. Option C is wrong because an OAuth app policy governs third-party app permissions.

Option D is wrong because a session policy controls real-time access, not download thresholds.

36
Multi-Select · medium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and later clicks a link from that email that leads to a known malicious domain. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the query to capture both the email delivery event and the link click event? (Choose two.)

Select 2 answers
A. EmailEvents
B. UrlClickEvents
C. DeviceEvents
D. IdentityLogonEvents
Answers: A, B

This table contains details of email delivery events, including whether the email was delivered to the inbox, and the unique NetworkMessageId that can link to click events.

Why this answer

EmailEvents contains records of email delivery events, including phishing emails that were delivered to the inbox. UrlClickEvents captures user clicks on URLs in emails, including the target domain. Joining these two tables on the email's network message ID allows the analyst to correlate the specific phishing email delivery with the subsequent link click to a known malicious domain, which is the exact scenario described.

Exam trap

The trap here is that candidates may confuse UrlClickEvents with DeviceEvents, thinking that a link click is a device-level action, but in Microsoft Defender XDR, URL clicks from emails are specifically tracked in the UrlClickEvents table, not in endpoint event tables.
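The EmailEvents/UrlClickEvents correlation described above, written out as an added advanced hunting query (example code, not part of the original question set). The domain list is a constructed placeholder; the `ClickAllowed` filter and the delivery filters are assumptions about which events matter most.

```kusto
// Added example: correlate a delivered phishing email with a later click on a link
// from that same email. The join key is NetworkMessageId, which both tables carry.
// Constructed placeholder list of known-bad hosts (documentation names, not real indicators).
let MaliciousDomains = dynamic(["phish.example", "malicious.example"]);
let lookback = 7d;
EmailEvents
| where Timestamp > ago(lookback)
// Keep only mail that actually reached the user's mailbox ...
| where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
// ... and that Defender classified as phishing (the verdict may arrive after delivery).
| where ThreatTypes has "Phish"
| project EmailTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Workload == "Email"
    // ClickAllowed means Safe Links let the click through; a blocked click is less urgent.
    | where ActionType == "ClickAllowed"
    | extend UrlHost = tolower(tostring(parse_url(Url).Host))
    | where UrlHost in (MaliciousDomains)
    | project ClickTime = Timestamp, NetworkMessageId, AccountUpn, Url, UrlHost,
              ClickAction = ActionType, ReportId
  ) on NetworkMessageId
// The click must come after delivery; drops pairs that only line up by message id.
| where ClickTime > EmailTime
| extend ClickDelay = ClickTime - EmailTime
// A custom detection rule needs Timestamp, ReportId and an identifier column
// (here RecipientEmailAddress / AccountUpn) in the result set.
| project Timestamp = ClickTime, ReportId, NetworkMessageId, RecipientEmailAddress,
          AccountUpn, SenderFromAddress, Subject, Url, UrlHost, ClickAction, ClickDelay
```

Saved as a custom detection rule, each row becomes an alert on the recipient and the clicked URL; the `ClickDelay` column helps triage how quickly the user acted.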

37
MCQ · easy

A security analyst identifies a malicious file hash on one endpoint. They need to ensure that file is blocked from executing on all other endpoints in the organization immediately. Which Microsoft Defender for Endpoint feature should be used?

A. Indicators of compromise (IOCs)
B. Attack surface reduction rules
C. Automated investigation and response
D. Custom detection rules
Answer: A

IOCs allow creating custom policy to block file hashes across all endpoints.

Why this answer

Indicators of compromise (IOCs) in Microsoft Defender for Endpoint allow security analysts to create custom indicators (e.g., file hashes, IPs, URLs) that are enforced across all endpoints in near real-time. By adding the malicious file hash as an IOC with an 'Alert and Block' action, the file is immediately prevented from executing on any managed device, providing a rapid, organization-wide block without waiting for signature updates.

Exam trap

The trap here is that candidates confuse 'Indicators of compromise (IOCs)' with 'Custom detection rules,' because both involve custom definitions, but IOCs are for immediate blocking of known artifacts while custom detection rules are for behavioral detection over time.

How to eliminate wrong answers

Option B is wrong because Attack surface reduction rules are pre-configured policies that reduce common attack vectors (e.g., blocking Office apps from creating child processes), but they cannot block a specific file hash on demand. Option C is wrong because Automated investigation and response (AIR) automatically investigates and remediates alerts after detection, but it does not proactively block a known malicious hash from executing; it reacts to incidents already triggered. Option D is wrong because Custom detection rules use Advanced Hunting queries to detect suspicious behavior over time, but they are not designed for immediate, hash-based execution blocking across all endpoints.

38
MCQ · hard

An organization wants to allow only specific company-approved USB devices (e.g., those with a specific hardware ID) on managed Windows devices. All other USB devices must be blocked. Which Microsoft 365 Defender feature should be configured?

A. Attack surface reduction rules
B. Microsoft Defender for Endpoint device control
C. Microsoft Defender for Cloud Apps session policy
D. Conditional Access device compliance
Answer: B

Device control policies in Defender for Endpoint can restrict USB devices based on hardware IDs.

Why this answer

Microsoft Defender for Endpoint device control is the correct feature because it provides granular control over peripheral devices, including USB devices, based on hardware IDs. It allows administrators to create allow/block policies that enforce restrictions on managed Windows devices, ensuring only company-approved USB devices can be used.

Exam trap

The trap here is that candidates often confuse Attack surface reduction rules with device control because both are part of Microsoft Defender for Endpoint, but ASR rules focus on process behaviors, not hardware device access.

How to eliminate wrong answers

Option A is wrong because Attack surface reduction rules are designed to mitigate common malware behaviors (e.g., blocking Office apps from creating child processes) and do not include USB device control capabilities. Option C is wrong because Microsoft Defender for Cloud Apps session policies are used to monitor and control user sessions in cloud apps (e.g., blocking downloads from SharePoint) and have no effect on local USB device access. Option D is wrong because Conditional Access device compliance policies evaluate device health (e.g., requiring BitLocker or antivirus) for cloud app access but do not enforce USB device restrictions on the endpoint itself.

39
Multi-Select · medium

Your organization uses Microsoft Defender XDR. You need to ensure that when an incident is created, it is automatically assigned to the appropriate analyst team based on the incident category. Which TWO actions should you configure? (Choose two.)

Select 2 answers
A. Use the incident page's 'Assign to' option.
B. Create automation rules in Microsoft Defender XDR to assign incidents based on criteria.
C. Configure the default assignment rule to assign all incidents to a specific team.
D. Use tags to categorize incidents and then manually assign.
E. Define custom incident fields to capture the team assignment.
Answers: B, E

Automation rules can assign incidents to a group automatically.

Why this answer

A and D are correct. Automation rules can be used to assign incidents based on conditions. Custom incident fields can categorize incidents.

B is wrong because not all incidents are assigned automatically. C is wrong because tags help with classification but not assignment. E is wrong because the main incident page does not automate assignment.

40
MCQ · hard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel in a hybrid deployment. You are the security operations lead. A new regulation requires that all security alerts be automatically enriched with threat intelligence indicators from an external feed before being sent to Sentinel. You need to implement this enrichment with minimal latency and without writing custom code. What should you do?

A. Configure the Microsoft Defender XDR connector in Sentinel to receive alerts, and use the Threat Intelligence API to add indicators to Defender XDR.
B. Create a Logic App that runs on a schedule to pull alerts from Defender XDR, enrich them using external TI, and push to Sentinel.
C. Create an Azure Function that uses the Microsoft Graph API to get alerts, enrich them, and send to Sentinel.
D. Use the Microsoft Sentinel data connector for Microsoft Defender XDR and configure automatic enrichment in the data connector settings.
Answer: A

Correct: Defender XDR can enrich alerts with external TI via API, and Sentinel connector pulls enriched alerts.

Why this answer

Option A is correct because Microsoft Defender XDR can ingest external threat intelligence via the API and then forward enriched alerts to Sentinel using the built-in connector. Option B is wrong because Logic Apps require custom code and may introduce latency. Option C is wrong because Azure Functions require custom code.

Option D is wrong because the data connector does not support enrichment.

41
MCQ · hard

Refer to the exhibit. You run the KQL query in advanced hunting. What is the primary purpose of this query?

A. Identify devices with outbound connections to malicious IPs
B. Identify devices with PowerShell execution policy set to bypass
C. Identify devices where a user deleted system files using cmd
D. Identify devices with high use of encoded commands, which may indicate malicious activity
Answer: D

Encoded commands are often used to hide malicious intent.

Why this answer

Option C is correct because the query looks for PowerShell or cmd.exe processes using -EncodedCommand, which is a common technique for obfuscating malicious commands. Option A is wrong because the query doesn't filter by execution policy. Option B is wrong because the query doesn't look for files being deleted.

Option D is wrong because the query doesn't look for outbound connections.

42
MCQ · hard

Your organization has Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A critical server is showing signs of a ransomware attack. You need to contain the threat while preserving forensic evidence for analysis. What should you do first?

A. Run a Live Response session to collect forensic data
B. Isolate the server from the network immediately
C. Run a full antivirus scan on the server
D. Initiate an automated investigation in Microsoft Defender XDR
Answer: D

Automated investigation collects evidence and contains the threat.

Why this answer

Option D is correct because initiating an automated investigation will collect and analyze evidence while containing the threat. Option A is wrong because machine isolation is immediate but may not preserve evidence. Option B is wrong because live response is manual and may be slower.

Option C is wrong because a full scan is slow and may not contain the threat.

43
Multi-Select · medium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user receives a malicious email attachment and then opens the attachment, resulting in a process being created (e.g., .exe file). Which two Advanced Hunting tables must be joined to correlate the email attachment with the resulting process?

Select 2 answers
A. EmailEvents and DeviceProcessEvents
B. EmailAttachmentInfo and DeviceProcessEvents
C. EmailAttachmentInfo and DeviceFileEvents
D. DeviceProcessEvents and IdentityLogonEvents
Answers: A, B

EmailEvents provides email metadata but not attachment-specific details like file hash needed for correlation with processes.

Why this answer

Option B is correct because correlating email attachment information with process creation requires joining the EmailAttachmentInfo table (which contains details about attachments like file name and SHA256 hash) with the DeviceProcessEvents table (which logs process creation events). This join allows the analyst to match the attachment's hash or file name to the process that was created when the user opened the attachment, directly linking the malicious email to the resulting executable.

Exam trap

The trap here is that candidates often confuse DeviceFileEvents with DeviceProcessEvents, thinking that file events (like saving an attachment) are sufficient, but the question explicitly requires detecting a process being created (execution), which only DeviceProcessEvents captures.

44
Multi-Select · medium

Your organization uses Microsoft Defender XDR. You are configuring a custom detection rule to detect a specific behavior: a user runs a PowerShell script that connects to a known malicious IP address. Which TWO advanced hunting tables should you use in your KQL query to detect this behavior?

Select 2 answers
A. DeviceProcessEvents
B. DeviceRegistryEvents
C. DeviceLogonEvents
D. DeviceFileEvents
E. DeviceNetworkEvents
Answers: A, E

Captures process creation, including PowerShell.

Why this answer

Option A (DeviceProcessEvents) captures PowerShell process creation. Option D (DeviceNetworkEvents) captures network connections to IP addresses. Together they can correlate the script execution with the connection.

Option B is wrong because DeviceFileEvents captures file events, not processes. Option C is wrong because DeviceRegistryEvents captures registry changes. Option E is wrong because DeviceLogonEvents captures logon events.

45
Multi-Select · hard

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user opens a malicious email attachment, which launches a PowerShell process, and then that PowerShell process makes an outbound connection to a known malicious IP address. Which three Advanced Hunting tables must be joined in the KQL query?

Select 3 answers
A. EmailEvents, DeviceProcessEvents, DeviceNetworkEvents
B. EmailAttachmentInfo, DeviceProcessEvents, DeviceNetworkEvents
C. EmailEvents, DeviceProcessEvents, DeviceFileEvents
D. EmailAttachmentInfo, DeviceProcessEvents, DeviceLogonEvents
Answers: A, B, C

EmailEvents does not contain attachment-specific information such as file names; EmailAttachmentInfo is required.

Why this answer

Option B is correct because the detection requires tracking the attachment that initiated the process (EmailAttachmentInfo), the PowerShell process execution (DeviceProcessEvents), and the outbound network connection to a malicious IP (DeviceNetworkEvents). EmailAttachmentInfo provides the link between the email and the file, while EmailEvents lacks file-level details needed for this chain.

Exam trap

The trap here is that candidates often choose EmailEvents (Option A) thinking it captures attachment details, but EmailEvents lacks the file hash and name fields needed to join to process events, while EmailAttachmentInfo is the correct table for attachment-to-process correlation.
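The attachment-to-process-to-network chain from questions 43 and 45, written out as an added advanced hunting query (example code, not part of the original question set). The IP list is a constructed placeholder, and the way PowerShell is tied back to the attachment (parent hash match, or the attachment name on the parent's command line) is an assumption about how the attachment launches it.

```kusto
// Added example: attachment delivered -> PowerShell started from it -> connection to a known-bad IP.
// Constructed placeholder IPs from the TEST-NET documentation ranges, not real indicators.
let MaliciousIPs = dynamic(["203.0.113.10", "198.51.100.25"]);
let lookback = 7d;
// Step 1: attachments with a hash, keyed by recipient so they can be tied to endpoint activity.
let Attachments = EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| project AttachmentTime = Timestamp, NetworkMessageId,
          RecipientEmailAddress, SenderFromAddress,
          AttachmentName = FileName, AttachmentSHA256 = SHA256,
          UserUpn = tolower(RecipientEmailAddress);
// Step 2: PowerShell started by the same user after the mail arrived, whose parent is the
// attachment itself (hash match) or a process handed the attachment on its command line
// (assumption: e.g. a document opened by an Office host that then spawns PowerShell).
let PowerShellFromAttachment = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend UserUpn = tolower(AccountUpn)
| join kind=inner Attachments on UserUpn
| where Timestamp > AttachmentTime
| where InitiatingProcessSHA256 == AttachmentSHA256
     or InitiatingProcessCommandLine contains AttachmentName
| project ProcessTime = Timestamp, DeviceId, AccountUpn, ProcessId, ProcessCreationTime,
          ProcessCommandLine, NetworkMessageId, RecipientEmailAddress, SenderFromAddress,
          AttachmentName, AttachmentSHA256;
// Step 3: outbound connections to the bad IPs made by exactly those PowerShell processes.
// Process identity is DeviceId + process id + creation time: ids get reused, the tuple does not.
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where RemoteIP in (MaliciousIPs)
| join kind=inner PowerShellFromAttachment
    on DeviceId,
       $left.InitiatingProcessId == $right.ProcessId,
       $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
// A custom detection rule needs Timestamp, ReportId and an identifier column (DeviceId) in the output.
| project Timestamp, ReportId, DeviceId, DeviceName, AccountUpn,
          RecipientEmailAddress, SenderFromAddress, NetworkMessageId,
          AttachmentName, AttachmentSHA256, ProcessCommandLine,
          RemoteIP, RemotePort, ActionType
```

EmailEvents never enters the query: the file name and SHA256 that make the first join possible exist only in EmailAttachmentInfo, which is the point of question 45.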

46
MCQ · medium

You are a security administrator for a multinational company that uses Microsoft Defender XDR. You have deployed Microsoft Defender for Endpoint on all devices. The company has a strict policy that any device with a high-severity alert must be isolated from the network immediately. You need to configure an automated response that isolates the device as soon as a high-severity alert is generated. What should you do?

A. Enable 'Automatically investigate alerts' in the Microsoft Defender portal.
B. Use the Action Center to manually isolate devices as alerts come in.
C. Create a device group for high-severity alerts and configure a conditional access policy to block network access.
D. In Microsoft Defender XDR, navigate to Settings > Endpoints > Automated investigation and response, and configure the automation level for high-severity alerts to 'Full - remediate threats automatically'.
Answer: D

Correct: Automation level includes automatic isolation.

Why this answer

Option B is correct because automation levels in incident response rules allow automatic isolation for high-severity alerts. Option A is wrong because device groups are not directly linked to automatic isolation. Option C is wrong because the Action Center is for manual actions.

Option D is wrong because that setting controls automatic investigation, not isolation.

47
MCQ · hard

Your organization is using Microsoft Defender for Cloud Apps. You want to generate an alert when a user shares a file containing sensitive information with an external domain. You have configured a file policy with the condition: 'Inspection method: Data Classification Service' and 'Inspection type: Sensitive information type'. However, no alerts are triggered. What is the most likely reason?

A. The file is shared with an internal user only.
B. The policy is not applied to the specific cloud app.
C. The file size is too large for inspection.
D. The sensitive information type is not correctly configured in the data classification service.
E. The user is not licensed for Microsoft Defender for Cloud Apps.
Answer: D

The Data Classification Service must be properly set up with the correct sensitive info types.

Why this answer

Option D is correct because the Data Classification Service requires a Microsoft Purview Information Protection (MIP) scanner or label to be applied. Option A is wrong because the policy applies to all apps, not just one. Option B is wrong because external sharing can be detected.

Option C is wrong because a user license is not required. Option E is wrong because file size is not a limiting factor.

48
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from an anonymous IP address. Which type of policy should you create?

A. Session policy
B. File policy
C. Activity policy
D. App discovery policy
Answer: C

Activity policies can detect access from anonymous IPs.

Why this answer

Option B is correct because an activity policy can detect access from anonymous IP addresses. Option A is wrong because an app discovery policy is for discovering shadow IT. Option C is wrong because a session policy controls sessions.

Option D is wrong because a file policy monitors file sharing.

49
MCQ · hard

Your organization uses Microsoft 365 E5 and has deployed Microsoft Defender for Cloud Apps. You discover that a user in the finance department is using a personal cloud storage app to store sensitive financial data. The app is unsanctioned. You need to prevent any further uploads of sensitive data to this app. Additionally, you want to automatically alert when users attempt to access this app from unmanaged devices. You must not block access entirely, as some users need to read data already stored there. What should you configure?

A. Configure app governance in Defender for Cloud Apps to revoke the app's permissions.
B. Create an access policy in Defender for Cloud Apps that blocks all access to the app from unmanaged devices and blocks uploads from all devices.
C. Create a file policy in Defender for Cloud Apps that detects sensitive data and automatically applies a DLP label.
D. Create a session policy in Defender for Cloud Apps that blocks uploads for the unsanctioned app and requires conditional access app control for unmanaged devices.
Answer: D

Session policies allow granular control over activities like uploads and can enforce conditional access.

Why this answer

Option A is correct because a session policy can monitor and control activities in the app, blocking uploads while allowing reads, and can apply conditional access for unmanaged devices. Option B is wrong because an access policy would block all access. Option C is wrong because a file policy does not control user sessions.

Option D is wrong because app governance does not provide session-level controls.

50
MCQ · medium

Your organization has Microsoft Defender for Office 365 Plan 2. You need to ensure that when a user reports a phishing email using the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the result. What should you configure?

A. Create a Safe Links policy to block the reported email
B. Configure an anti-phishing policy to automatically submit reported emails
C. Use a mail flow rule to send reported emails to a custom mailbox
D. Configure a submission policy in the Microsoft 365 Defender portal
Answer: D

Submission policies define how user-reported messages are handled.

Why this answer

Option B is correct because a submission policy in the Microsoft 365 Defender portal defines the behavior for user-reported messages. Option A is wrong because anti-phishing policies handle detection, not user reporting. Option C is wrong because Safe Links policies protect links.

Option D is wrong because mail flow rules handle routing, not user submissions.

51
MCQ · hard

A security administrator needs to block executable files (e.g., .exe, .ps1) from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?

A. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
B. Block executable content from email client and webmail
C. Block Office applications from creating child processes
D. Block credential stealing from the Windows local security authority subsystem (lsass.exe)
Answer: A

This rule blocks executables in common writable folders if they are not prevalent or trusted, covering %TEMP%.

Why this answer

ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) is designed specifically to block executables (including .exe, .ps1, .scr, .dll) from launching from locations like %TEMP%, %APPDATA%, and the Windows folder, which are common malware staging areas. This rule uses cloud-delivered reputation (prevalence and age) and a Microsoft-managed trusted list to allow legitimate files while blocking unknown or suspicious ones, directly addressing the requirement to prevent malware execution from %TEMP%.

Exam trap

The trap here is that candidates confuse ASR rules by their generic names — they might pick 'Block executable content from email client and webmail' because it mentions 'executable content,' but the question specifically targets execution from the %TEMP% folder, not email delivery.

How to eliminate wrong answers

Option B is wrong because 'Block executable content from email client and webmail' targets executable attachments and scripts in email/webmail clients (e.g., Outlook, Gmail) to prevent phishing-based malware delivery, not execution from local folders like %TEMP%. Option C is wrong because 'Block Office applications from creating child processes' prevents Office apps (Word, Excel, etc.) from spawning child processes (e.g., cmd.exe, powershell.exe), which stops macro-based attacks but does not restrict executables already in %TEMP%. Option D is wrong because 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' specifically protects LSASS memory from being dumped or accessed by tools like Mimikatz, addressing credential theft, not executable execution from %TEMP%.

52
MCQ · medium

A security team wants to automatically investigate and remediate alerts generated from Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. Which Microsoft Defender XDR capability should be configured?

A. Threat Analytics
B. Automated Investigation and Response
C. Advanced Hunting
D. Secure Score
Answer: B

AIR automates the investigation and response across multiple domains including endpoints, email, and identities.

Why this answer

Automated Investigation and Response (AIR) in Microsoft Defender XDR is the correct capability because it automatically triggers playbooks to investigate and remediate alerts across Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. AIR uses predefined or custom automation rules to correlate signals from these sources, run investigations, and apply remediation actions like isolating devices or blocking accounts without manual intervention.

Exam trap

The trap here is that candidates often confuse Threat Analytics (which provides threat intelligence) with Automated Investigation and Response (which executes automated remediation), leading them to select A when the question explicitly asks for a capability that 'automatically investigates and remediates' alerts.

How to eliminate wrong answers

Option A is wrong because Threat Analytics is a reporting and intelligence feature that provides threat actor profiles, attack techniques, and recommended mitigations, but it does not perform automated investigation or remediation actions. Option C is wrong because Advanced Hunting is a query-based tool using Kusto Query Language (KQL) to manually search for threats across raw data tables, not an automated response mechanism. Option D is wrong because Secure Score is a security posture measurement tool that tracks configuration improvements and recommendations, not a capability for investigating or responding to active alerts.

53
MCQ · hard

You are investigating a potential security incident in Microsoft Defender XDR. The incident involves a user who received a phishing email and clicked a link that executed a PowerShell script. You need to perform a detailed investigation of the PowerShell script's behavior across all affected devices. Which feature should you use?

A.Advanced hunting in Microsoft Defender XDR.
B.The Action Center in Microsoft Defender XDR.
C.Live Response from Microsoft Defender for Endpoint.
D.The device timeline in the Microsoft 365 Defender portal.
Answer: A

Advanced hunting uses KQL to query data from multiple sources, enabling cross-device investigation.

Why this answer

Option A is correct because advanced hunting in Microsoft Defender XDR allows you to query across devices, emails, and other data sources to investigate the script's execution and impact. Option C is wrong because Live Response is for real-time incident response on a single device. Option B is wrong because the Action Center is for reviewing pending and completed remediation actions.

Option D is wrong because the Microsoft 365 Defender portal's device timeline shows events on one device only.

54
MCQ · medium

You are reviewing a Microsoft Defender for Cloud Apps file policy. The exhibit shows a policy snippet. What is the effect of this policy?

A.It blocks all Office files from the internet
B.It allows all Office files from the internet regardless of size
C.It blocks Office files larger than 10 MB from the internet
D.It allows Office files between 10 MB and 100 MB from the internet
Answer: D

The policy allows files meeting conditions; the name is misleading.

Why this answer

Option D is correct because the policy action is 'Allow', even though the name 'BlockLargeOfficeFiles' suggests a block. Option A is wrong because the policy allows files rather than blocking them. Option C is wrong because the policy does not block.

Option B is wrong because the allow applies only to files that match the policy's size conditions.

55
MCQ · hard

Refer to the exhibit. You are reviewing an anti-phishing policy configuration in Microsoft Defender for Office 365. The policy is applied to all users. A user reports that a legitimate email from a known vendor (domain contoso.com) was quarantined. The email contained a link to a rarely visited website. The link was not malicious. Which setting in the policy is most likely causing the false positive?

A.EnableMailboxIntelligence: true
B.EnableSimilarDomainsSafetyTips: true
C.PhishThresholdLevel: 2
D.EnableUnusualCharactersSafetyTips: false
Answer: B

Similar domains safety tips can cause false positives when a known domain is similar to a flagged domain.

Why this answer

Option B is correct because EnableSimilarDomainsSafetyTips can cause false positives when a known domain is similar to a potentially dangerous domain; the vendor's domain contoso.com might be flagged as similar to a domain that is being impersonated. Option C is wrong because PhishThresholdLevel set to 2 is the default and not restrictive.

Option A is wrong because mailbox intelligence uses machine learning to reduce false positives. Option D is wrong because EnableUnusualCharactersSafetyTips only flags unusual characters in the sender's name or domain, not in a link.

56
MCQ · easy

You are configuring Microsoft Defender for Identity to monitor on-premises Active Directory. You need to ensure that honeytoken accounts are configured to detect attackers attempting to use them. What is a honeytoken account?

A.A service account used for application authentication
B.A disabled user account that cannot be used for sign-in
C.A fake user account created to attract attackers
D.A real user account with high privileges used for monitoring
Answer: C

Honeytoken accounts are decoys to detect lateral movement.

Why this answer

Option C is correct because honeytoken accounts are fake accounts created to detect attackers who try to use them. Option D is wrong because honeytokens are not real user accounts. Option A is wrong because they are not service accounts.

Option B is wrong because they are not disabled accounts.

57
MCQ · medium

You are configuring Microsoft Defender for Identity (MDI) to monitor for lateral movement attacks. Which of the following activities would MDI alert on as a potential lateral movement?

A.A user logging into multiple servers using a compromised account.
B.A user performing a DCSync attack.
C.A user conducting a password spray attack.
D.A user executing a privilege escalation tool on their workstation.
E.A user performing a brute force attack on a domain controller.
Answer: A

Multiple remote logons from a compromised account indicate lateral movement.

Why this answer

Option A is correct because using a compromised account to connect to multiple machines is a classic lateral movement technique. Option E is wrong because brute force is a separate attack. Option D is wrong because privilege escalation is a different category.

Option B is wrong because DCSync is a domain replication attack. Option C is wrong because password spray is a type of brute force.

58
Multi-Select · medium

You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malware attachment. Which THREE actions can you take from the incident page?

Select 3 answers
A.Start an automated investigation
B.Isolate the user's device
C.Reset the user's password
D.Delete the email from the user's mailbox
E.Block the malicious URL globally
Answers: A, B, D

Automated investigation can be triggered from incident.

Why this answer

Options A, B, and D are correct because from the incident page you can start an automated investigation, isolate the device, and delete the email. Option C is wrong because resetting the password is not available from the incident page. Option E is wrong because blocking a URL is not done directly from the incident page.

59
Multi-Select · medium

Which TWO actions can you perform using Microsoft Defender XDR's Advanced Hunting? (Choose two.)

Select 2 answers
A.Deploy EDR sensors to endpoints.
B.Configure data retention policies for logs.
C.Create custom detection rules based on query results.
D.Manage the status of incidents.
E.Run KQL queries to hunt for threats across email, endpoints, identities, and apps.
Answers: C, E

Custom detections can be created from Advanced Hunting queries.

Why this answer

Options C and E are correct. Advanced Hunting allows you to run KQL queries across data from various Defender products (E) and create custom detection rules based on query results (C). Option D (manage incident status) is done in the Incidents queue, not Advanced Hunting.

Option B (configure data retention) is a tenant setting. Option A (deploy EDR sensors) is done via GPO or Intune.

60
MCQ · medium

An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Office 365
Answer: A

Defender for Cloud Apps provides app discovery, session controls, and policies to block unauthorized activities in cloud apps.

Why this answer

Microsoft Defender for Cloud Apps is the correct component because it is specifically designed to provide visibility into shadow IT and enforce policies on cloud applications. Its 'Governance' actions include blocking downloads from risky apps by integrating with the cloud app's API to prevent data exfiltration, which directly addresses the requirement.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming that Office 365's data loss prevention (DLP) covers all cloud apps, but DLP in Office 365 is limited to Microsoft 365 services, not third-party shadow IT apps.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR), antivirus, and vulnerability management on devices, not on controlling downloads from cloud apps. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based attacks (e.g., lateral movement, privilege escalation) and does not manage cloud app policies. Option D is wrong because Microsoft Defender for Office 365 protects email and collaboration tools (Exchange Online, SharePoint, Teams) from threats like phishing and malware, but it does not enforce download blocks across a broad set of cloud apps discovered via shadow IT.

61
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. You need to configure automatic investigation and response (AIR) to handle a phishing email that was delivered to a user's inbox and the user clicked a link that downloaded a malicious file. What should you configure?

A.Configure the unified automated investigation and response playbook in Microsoft Defender XDR.
B.Configure separate automated investigation playbooks in each workload.
C.Set the automation level for each playbook to 'Full – remediate automatically'.
D.Enable manual investigation triggers in Microsoft Defender XDR.
Answer: A

The unified playbook coordinates actions across workloads.

Why this answer

Option A is correct because the unified AIR playbook in Microsoft Defender XDR coordinates automated actions across Defender for Office 365 and Defender for Endpoint, handling the email and the file in one playbook. Option B is wrong because separate playbooks do not coordinate across workloads. Option D is wrong because manual triggers are not automated.

Option C is wrong because automation levels apply to individual playbooks, not to cross-workload coordination.

62
MCQ · medium

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user reports a phishing email using the Microsoft Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. You want to minimize administrative effort. What should you do?

A.Create a mail flow rule that forwards reported messages to a security team mailbox.
B.Configure the Microsoft Report Message add-in for all users.
C.Use the Microsoft 365 Defender portal to manually submit the email for analysis whenever a user reports it.
D.In Microsoft Defender XDR, go to Settings > Email & collaboration > User reported messages, and enable 'Send reported messages to Microsoft' and 'Notify users when analysis completes'.
Answer: D

Correct: This automates submission and notification.

Why this answer

Option D is correct because the user reported messages settings in Microsoft Defender XDR enable automatic submission to Microsoft and user notification. Option B is wrong because deploying the add-in only enables reporting, not automated submission to Microsoft. Option A is wrong because forwarding to a mailbox is for security team analysis, not Microsoft analysis.

Option C is wrong because manual submission in the portal is an admin action, not an automated one.

63
Multi-Select · medium

You are investigating an alert in Microsoft Defender XDR that indicates a user clicked a malicious link in an email. You need to gather additional information to determine the scope of the attack. Which three sources should you examine?

Select 3 answers
A.Incidents page
B.Email entity page
C.Alert timeline
D.Device timeline
E.User entity page
Answers: B, C, E

Correct: Provides email details like sender, links, and attachments.

Why this answer

To fully investigate a phishing incident, you should examine the alert timeline for related events, the email entity page for email details, and the user entity page for user actions. Device timeline may not be relevant if the user only clicked a link without further action. The incidents page provides a summary but not detailed scope.

64
MCQ · medium

A company is experiencing a significant number of phishing attempts that target high-level executives by impersonating their email addresses. The security team wants to configure protection against user impersonation in Microsoft Defender for Office 365. Which setting must be enabled in the anti-phishing policy to protect these specific users?

A.Enable users to protect against impersonation
B.Enable domains to protect against impersonation
C.Mailbox intelligence
D.Spoofed sender posture
Answer: A

This setting allows you to define a list of specific users (e.g., executives) whose email addresses are protected from being impersonated in inbound emails. When impersonation is detected, the action defined in the policy is applied.

Why this answer

Option A is correct because the 'Enable users to protect against impersonation' setting in an anti-phishing policy allows you to specify a list of users (such as high-level executives) whose email identities will be monitored for impersonation attempts. When enabled, Defender for Office 365 analyzes inbound messages for display name and email address matches against the protected users, and if a match is found with a suspicious sender, the message is flagged or quarantined. This directly addresses the scenario of attackers spoofing executive email addresses.

Exam trap

The trap here is that candidates often confuse 'user impersonation protection' with 'domain impersonation protection' or 'spoof intelligence,' but the question specifically asks for protection against impersonation of individual users, which requires the user-based setting, not domain-level or spoof-based controls.

How to eliminate wrong answers

Option B is wrong because 'Enable domains to protect against impersonation' protects against impersonation of entire domains (e.g., contoso.com), not specific individual user mailboxes, so it would not target the high-level executives as individuals. Option C is wrong because 'Mailbox intelligence' is a feature that learns normal sending patterns for users in your organization to detect anomalies, but it does not provide a static list of protected users; it relies on behavioral baselines rather than explicit user protection. Option D is wrong because 'Spoofed sender posture' is part of the spoof intelligence feature that evaluates the authentication status of the sending domain (SPF, DKIM, DMARC), not the impersonation of a specific user's display name or email address.

65
MCQ · medium

Your organization uses Microsoft Defender for Identity. You receive an alert about a potential DCSync attack. What should you do to investigate this alert in Microsoft Defender XDR?

A.Review the IdentityDirectoryEvents table for replication-related events.
B.Use IdentityQueryEvents to find LDAP queries related to replication.
C.Check the IdentityAlertEvents table to see if the alert has additional context.
D.Run a KQL query in Advanced Hunting against IdentityLogonEvents to identify suspicious replication attempts.
Answer: D

IdentityLogonEvents contains logon events that can show replication attempts.

Why this answer

Option D is correct because in Microsoft Defender XDR you can use Advanced Hunting to run a KQL query against the IdentityLogonEvents table to look for replication attempts. Option A (review IdentityDirectoryEvents) covers directory service events, but logon events are more relevant for DCSync here. Option B (use IdentityQueryEvents) covers query events.

Option C (check IdentityAlertEvents) shows alerts but not raw logon data.

66
MCQ · hard

A security administrator wants to configure Microsoft Defender for Cloud Apps so that when a user accesses a sensitive file in a sanctioned cloud app from an unmanaged device, the user is blocked from downloading the file and a block action is logged in real time. Which type of policy should the administrator configure?

A.Create a session policy with the action 'Block' on the download action for files with a specific sensitivity label
B.Create a file policy that monitors for sensitive files being accessed from unmanaged devices and generates an alert
C.Configure an access policy that blocks access to the cloud app from unmanaged devices
D.Configure an activity policy that monitors download activities from unmanaged devices and triggers automatic remediation
Answer: A

Correct. Session policies can inspect and control user actions in real time through the reverse proxy, including blocking downloads based on device context.

Why this answer

A session policy in Microsoft Defender for Cloud Apps allows real-time control over user activities within a sanctioned cloud app. By configuring the action 'Block' on the download action for files with a specific sensitivity label, the administrator can block the download when the session is initiated from an unmanaged device, and the block action is logged in real time. This meets the requirement of blocking the download and logging the action simultaneously.

Exam trap

The trap here is that candidates confuse session policies with access policies or file policies, mistakenly thinking that blocking access to the entire app (Option C) or monitoring after the fact (Option B) achieves the same real-time blocking of a specific download action, when only a session policy provides the required granular, in-session control.

How to eliminate wrong answers

Option B is wrong because a file policy is designed for monitoring and alerting on files that match certain criteria (e.g., sensitivity labels) but does not provide real-time blocking of user actions like downloads; it generates alerts after the fact. Option C is wrong because an access policy blocks entire access to the cloud app from unmanaged devices, which is too broad—it would prevent any access, not just the download of sensitive files, and does not log the specific block action on the download. Option D is wrong because an activity policy monitors activities and can trigger automatic remediation (e.g., suspending a user), but it does not support real-time blocking of a specific download action within a session; it typically acts after the activity has occurred.

67
MCQ · easy

Your organization uses Microsoft Defender XDR. You need to configure a policy that automatically blocks high-risk user activities in Microsoft Defender for Cloud Apps. Which feature should you configure?

A.Session policy
B.App governance policy
C.Access policy
D.Anomaly detection policy
Answer: A

Session policies can block risky activities in real time.

Why this answer

Option A is correct because session policies in Defender for Cloud Apps allow real-time control over user sessions, enabling blocking of risky activities. Option C is wrong because access policies control access based on conditions, not real-time activity blocking. Option B is wrong because app governance policies focus on app permissions.

Option D is wrong because anomaly detection policies generate alerts but do not automatically block.

68
MCQ · medium

A security administrator wants to simulate a realistic phishing attack to train users and measure their susceptibility. The simulation should be run from within Microsoft Defender XDR and provide detailed reporting. Which feature should the administrator use?

A.Advanced Hunting
B.Attack Simulation Training
C.Automated Investigation and Response
D.Threat Analytics
Answer: B

This feature is designed for simulating phishing attacks and training users.

Why this answer

Attack Simulation Training in Microsoft Defender XDR allows security administrators to create and launch realistic phishing campaigns directly from the Microsoft 365 Defender portal. It provides detailed reporting on user interactions, such as who clicked the link or entered credentials, enabling measurement of user susceptibility and targeted training follow-ups.

Exam trap

The trap here is that candidates often confuse Attack Simulation Training with Advanced Hunting, thinking that hunting queries can simulate attacks, but Advanced Hunting is purely a read-only data exploration tool with no simulation or user training features.

How to eliminate wrong answers

Option A is wrong because Advanced Hunting is a query-based tool for proactively searching for threats across raw data, not for simulating attacks or training users. Option C is wrong because Automated Investigation and Response (AIR) automatically responds to detected incidents by running playbooks and remediating threats, but it does not create or manage phishing simulations. Option D is wrong because Threat Analytics provides intelligence reports on active threats and adversary techniques, but it does not include simulation or user training capabilities.

69
MCQ · hard

Contoso has a hybrid identity environment with Microsoft Defender for Identity deployed. They suspect a compromised account is being used to perform reconnaissance against domain controllers. Which Defender for Identity alert type would most likely trigger?

A.Brute Force attack
B.Suspicious service creation
C.DCSync attack
D.Golden Ticket activity
Answer: B

Service creation can be used for reconnaissance.

Why this answer

Reconnaissance attacks are often detected by 'Suspicious service creation' or 'Directory services enumeration', so Option B is correct. Option D is wrong because Golden Ticket activity relates to persistence.

Option C is wrong because DCSync is used for credential dumping. Option A is wrong because Brute Force is a password attack.

70
MCQ · easy

You are reviewing a Conditional Access policy in Microsoft Entra ID. The policy is intended to block access to Exchange Online for users with high risk level. However, users with high risk are still able to access Exchange Online. What is the most likely cause?

A.The policy does not include Exchange Online.
B.The policy excludes the affected users.
C.The policy is targeting low risk instead of high risk.
D.The policy is set to report-only mode.
E.The grant control is set to require multi-factor authentication.
Answer: D

Report-only does not enforce; it only logs.

Why this answer

Option D is correct because the policy is in report-only mode, which logs but does not enforce the block. Option C is wrong because the risk level is correctly set to high. Option E is wrong because the grant control is block, not require MFA.

Option A is wrong because the policy includes Exchange Online. Option B is wrong because the policy includes all users.

71
Multi-Select · easy

Which TWO features in Microsoft Defender for Office 365 help protect against zero-day malware in email attachments?

Select 2 answers
A.Safe Attachments
B.Mail flow rules
C.Anti-spam policies
D.Anti-phishing policies
E.Zero-hour auto purge (ZAP)
Answers: A, E

Safe Attachments use detonation to detect zero-day malware.

Why this answer

Options A and E are correct because Safe Attachments detonates files in a sandbox, and ZAP retroactively removes malicious messages after delivery.

Options B, C, and D are wrong because mail flow rules, anti-spam policies, and anti-phishing policies do not specifically target zero-day malware in attachments.

72
MCQ · hard

A security administrator needs to create an automated investigation and response (AIR) playbook that automatically isolates a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook should run without requiring manual approval. Which capability in Microsoft 365 Defender should the administrator configure?

A.Automated investigation and response (AIR) action policy
B.Custom detection rule
C.Threat analytics
D.Attack simulation training
Answer: A

AIR action policies allow administrators to define automatic responses to specific alert types. By setting the isolation action for high-severity alerts from Microsoft Defender for Endpoint, the device can be isolated automatically without manual intervention.

Why this answer

Option A is correct because Automated Investigation and Response (AIR) action policies in Microsoft 365 Defender allow administrators to define automated remediation actions—such as device isolation—that execute automatically when specific alert conditions are met, without requiring manual approval. The policy can be configured to trigger on high-severity alerts from Microsoft Defender for Endpoint, enabling fully automated containment of compromised devices.

Exam trap

The trap here is that candidates often confuse custom detection rules (Option B) with automated response capabilities, mistakenly thinking that creating a detection rule can also trigger automatic remediation, when in fact custom detection rules only generate alerts and require an AIR policy or manual action to respond.

How to eliminate wrong answers

Option B is wrong because custom detection rules are used to create custom analytics queries (e.g., using KQL) to detect specific threats or behaviors, but they do not directly configure automated response actions like device isolation; they rely on AIR policies or manual steps for remediation. Option C is wrong because Threat Analytics provides threat intelligence reports, vulnerability assessments, and mitigation recommendations, but it does not include the ability to configure automated response actions or playbooks. Option D is wrong because Attack Simulation Training is a tool for running simulated phishing and attack campaigns to test user awareness, not for automating incident response actions like device isolation.

73
Multi-Select · hard

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should fire when a Windows device exhibits this sequence of events within 3 minutes: 1) A PowerShell process runs with an encoded command, 2) A service is created with a random name, and 3) An outbound network connection to a suspicious IP address is observed. Which three Advanced Hunting tables must be joined in the KQL query to create this detection?

Select 3 answers
A.DeviceProcessEvents, DeviceRegistryEvents, DeviceNetworkEvents
B.DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents
C.DeviceProcessEvents, DeviceEvents, DeviceNetworkEvents
D.DeviceProcessEvents, DeviceLogonEvents, DeviceNetworkEvents
Answers: A, B, C

Service creation is not recorded in DeviceRegistryEvents; service creation is in DeviceEvents.

Why this answer

Option C is correct because the three required event types — PowerShell process execution, service creation, and outbound network connection — are captured by DeviceProcessEvents (for process creation), DeviceEvents (for service creation events, such as Event ID 4697 or service install events), and DeviceNetworkEvents (for network connections). DeviceEvents specifically includes security-related events like service creation, which is not covered by DeviceRegistryEvents, DeviceFileEvents, or DeviceLogonEvents.

Exam trap

The trap here is that candidates mistakenly associate service creation with DeviceRegistryEvents (because services have registry keys) or DeviceFileEvents (because service binaries are files), but Microsoft specifically logs service creation as a security event in DeviceEvents, not in those other tables.

74
MCQ · easy

Your organization has Microsoft Defender for Office 365 Plan 2. You want to set up a policy that automatically moves messages containing malware to quarantine and notifies the security team. Which policy should you configure?

A.DKIM policy
B.DMARC policy
C.Anti-Spam policy
D.Anti-Phishing policy
E.Safe Attachments policy
Answer: E

Safe Attachments scans attachments for malware and quarantines them.

Why this answer

Option E is correct because the Safe Attachments policy is specifically designed to handle email attachments containing malware. Option D is wrong because the Anti-Phishing policy deals with phishing attempts. Option C is wrong because the Anti-Spam policy handles spam and bulk mail.

Option B is wrong because DMARC handles email authentication. Option A is wrong because DKIM is for signing emails.

75
Multi-Select · easy

A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a user receives a phishing email and clicks a malicious link within 10 minutes. Which two tables must be joined in the KQL query?

Select 2 answers
A.EmailEvents and UrlClickEvents
B.EmailEvents and DeviceEvents
C.EmailAttachmentInfo and UrlClickEvents
D.EmailPostDeliveryEvents and DeviceNetworkEvents
Answers: A, B

Correct. EmailEvents for email details, UrlClickEvents for user clicks on URLs.

Why this answer

To detect a user receiving a phishing email and clicking a malicious link within 10 minutes, you need to correlate the email delivery event with the click action. The EmailEvents table contains records of email delivery (including sender, recipient, and subject), while the UrlClickEvents table logs when a user clicks a link in an email, including the URL and timestamp. Joining these two tables on a common identifier (such as NetworkMessageId) allows you to filter for clicks that occur within 10 minutes of email delivery, satisfying the detection requirement.

Exam trap

The trap here is that candidates often confuse UrlClickEvents with DeviceEvents or DeviceNetworkEvents, thinking that network-level logs capture link clicks, but UrlClickEvents is the only table that specifically records user clicks on URLs in Microsoft 365 Defender.
