MS-102 domain
Manage security and threats by using Microsoft Defender XDR
Use this page to practise MS-102 Manage security and threats by using Microsoft Defender XDR practice questions. The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
What the exam tests
What to know about Manage security and threats by using Microsoft Defender XDR
Questions in this domain test whether you can apply the concept in a scenario, not just recognise a definition. Each one probes:
- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.
Question index
All Manage security and threats by using Microsoft Defender XDR questions (75)
1. A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?
2. An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?
3. An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?
4. A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?
5. A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?
6. A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?
7. A security administrator wants to automatically block malicious IP addresses from sending email to Exchange Online mailboxes. Which Microsoft Defender component should be configured?
8. A security analyst investigates a potential data exfiltration incident. The analyst identifies that a user's device has made multiple connections to an unknown external IP address using a custom port. Which Microsoft Defender XDR data source would provide the most detailed network communication logs for this investigation?
9. A security administrator wants to automatically block a file that is detected as malware on one endpoint from being executed on all other endpoints in the organization. Which Microsoft Defender for Endpoint capability provides this?
10. A security operations team wants to receive real-time alerts when a user is at high risk of having their account compromised based on unusual sign-in patterns. Which Microsoft Defender XDR component should they configure?
11. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?
12. A ransomware alert is confirmed in Microsoft Defender XDR on a user device that is still communicating with other endpoints. What should the administrator do first to reduce spread while preserving the ability to investigate?
13. A security administrator wants to create a custom detection rule in Microsoft Defender XDR that alerts when a device initiates an outbound TCP connection to a known malicious IP address on a non-standard port (e.g., port 4444). Which advanced hunting table should be queried to find these network connections?
14. A security team wants to automatically investigate and remediate alerts generated from Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. Which Microsoft Defender XDR capability should be configured?
15. A security analyst wants to create a custom detection rule that triggers when a user receives a phishing email that bypassed Exchange Online Protection, and then clicks a link that leads to a known malicious domain. Which two advanced hunting tables should the analyst combine to detect this chain of events?
16. A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a user's device establishes a network connection to a known malicious IP address on a port commonly used by a specific malware. The rule must also include process information such as the filename of the process that initiated the connection. Which advanced hunting table should be the primary data source for this rule?
17. A security analyst needs to search for devices that have been communicating with a known malicious command-and-control server over the past 7 days. The analyst wants to identify the process that initiated the connection. Which advanced hunting query would be most efficient?
18. A security analyst identifies a malicious file hash on one endpoint. They need to ensure that file is blocked from executing on all other endpoints in the organization immediately. Which Microsoft Defender for Endpoint feature should be used?
19. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and later clicks a link to a known malicious domain from their device. The rule will use advanced hunting queries. Which two tables should be joined to detect the click event from the device?
20. A security analyst needs to identify the specific process (filename) that initiated a network connection from a device to a known malicious IP address over the last 24 hours. Which advanced hunting table in Microsoft Defender XDR provides the necessary data including the initiating process filename and the remote IP address?
21. A security administrator wants to simulate a realistic phishing attack to train users and measure their susceptibility. The simulation should be run from within Microsoft Defender XDR and provide detailed reporting. Which feature should the administrator use?
22. A security administrator wants to prevent malware from using Office macros to spawn malicious processes. Specifically, they want to block Excel, Word, and PowerPoint from creating child processes. Which Microsoft Defender for Endpoint capability should be configured?
23. A security administrator wants to automatically isolate a device in Microsoft Defender for Endpoint whenever a high-severity alert is triggered. The isolation should occur without manual intervention. Which Microsoft Defender XDR feature should be configured?
24. A security analyst has identified a new malware sample with SHA256 hash 'abc123...'. They need to immediately block this file from executing on any managed endpoint across the organization. Which Microsoft Defender for Endpoint capability should they use?
25. A security analyst wants to search for instances where a user received a phishing email that was delivered to their inbox, and then later clicked a link within that email that led to a known malicious domain. Which two advanced hunting tables should be joined to identify both the email delivery and the link click events? (Choose the option that correctly identifies the primary table pair.)
26. A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?
27. A security administrator needs to view a unified incident queue that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. Which console should the administrator open?
28. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and later clicks a link from that email that leads to a known malicious domain. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the query to capture both the email delivery event and the link click event? (Choose two.)
29. A security analyst has identified a new malware sample with a specific SHA256 hash. The analyst needs to immediately block this file from executing on any managed endpoint across the organization, including prevention of future execution. Which Microsoft Defender for Endpoint capability should the analyst use?
30. A security analyst wants to create a custom detection rule that triggers when a device communicates with a new, unclassified IP address that has been flagged by Microsoft threat intelligence as potentially malicious. The rule should run every hour and create an incident if more than 5 such communications from the same device occur within a 24-hour window. Which advanced hunting tables should be joined in the KQL query for this rule?
31. A security administrator needs to create an automated investigation and response (AIR) playbook that automatically isolates a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook should run without requiring manual approval. Which capability in Microsoft 365 Defender should the administrator configure?
32. A security analyst is investigating a potential lateral movement attack. They need to identify which processes were created on a compromised device and then which network connections were made by those processes. Which two advanced hunting tables should the analyst join in a KQL query?
33. A security administrator wants to configure Automated Investigation and Response (AIR) in Microsoft 365 Defender to automatically isolate a device when a high-severity alert for malware is detected. Which step is required?
34. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a device establishes a network connection to an IP address that has been recently observed in threat intelligence feeds as a new, malicious command-and-control server. The rule should analyze network communication events. Which advanced hunting table should be the primary data source for the Kusto Query Language (KQL) query?
35. A user receives an email from an unknown sender with a .zip attachment. The attachment contains a potentially malicious executable file. Microsoft Defender for Office 365 is enabled. Which feature dynamically detonates the attachment in a sandbox environment and blocks it if malicious behavior is detected?
36. A security administrator wants to detect unusual user activity, such as a user downloading an abnormally large number of files from SharePoint Online in a short period. Which Microsoft Defender for Cloud Apps feature should be used to create a policy for this behavior?
37. A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?
38. A security administrator needs to configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender that will automatically isolate a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook must run without requiring manual approval. Which configuration must the administrator set to achieve automatic device isolation?
39. A security administrator wants to block executable files from running from writable system directories such as %TEMP% and %APPDATA% on Windows devices. Which attack surface reduction (ASR) rule should be enabled?
40. A security administrator needs to block outbound network connections from a compromised Windows device to a known malicious IP address. The solution should be configured in Microsoft Defender for Endpoint and must work at the network layer, not relying on a user-installed client. Which feature should the administrator enable?
41. A security analyst is building a custom detection rule in Microsoft 365 Defender to identify when a user clicks a malicious URL in a phishing email and subsequently visits the malicious site from their corporate device. The analyst plans to use advanced hunting with Kusto Query Language (KQL). Which two tables must be joined to capture both the URL click event and the network connection to the malicious site?
42. An administrator wants to configure automated investigation and response (AIR) in Microsoft 365 Defender so that when a high-severity malware alert is generated for a device from Microsoft Defender for Endpoint, the device is automatically isolated from the network without requiring a security analyst to approve the action. Which configuration step is required?
43. A security administrator needs to block executable files from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?
44. A security administrator wants to monitor and control user downloads from a third-party SaaS application (e.g., Box) in real time. The administrator needs to apply session-level policies to block downloads based on risk. Which Microsoft 365 Defender feature should be used?
45. A security administrator needs to block outbound network connections from a compromised Windows device to command-and-control servers. The solution must work at the network layer and be centrally managed via Microsoft 365 Defender. Which feature should the administrator enable?
46. A security analyst wants to automatically create a Microsoft Teams message in a dedicated security channel whenever a Microsoft 365 Defender incident with severity 'High' is created. Which automation approach should the analyst use?
47. A security analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a PowerShell process with suspicious command-line arguments is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP occurs. Which two advanced hunting tables must be joined in the KQL query?
48. A security administrator wants to prevent Microsoft Office applications (Word, Excel, PowerPoint) from creating child processes, which is a common technique used by malware to execute malicious code. Which attack surface reduction (ASR) rule should be enabled?
49. A security administrator wants to block users from uploading files to personal cloud storage apps (e.g., Dropbox) from managed Windows devices, while allowing access from compliant mobile devices. Which Microsoft 365 Defender feature should be used?
50. A security administrator needs to block executable files (e.g., .exe, .ps1) from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?
51. A security analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a suspicious PowerShell process (e.g., using -EncodedCommand) is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP address occurs. Which two advanced hunting tables must be joined?
52. A security administrator wants to ensure that all email attachments are scanned in a sandbox environment and blocked if malicious, with email delivery delayed until scanning completes. Which Microsoft 365 Defender policy should the administrator configure?
53. A security analyst is using Microsoft 365 Defender Advanced Hunting to investigate a potential malware outbreak. The analyst needs to find all devices where a specific signed executable (known to be malicious) was created in the past 24 hours. Which Advanced Hunting table should be queried to detect the creation of the executable file?
54. A security administrator wants to prevent users from uploading files to unsanctioned cloud storage apps (e.g., personal Dropbox or Google Drive) from managed Windows devices. The solution must use a reverse proxy to control file uploads in real time. Which Microsoft Defender for Cloud Apps feature should the administrator configure?
55. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should fire when a Windows device exhibits this sequence of events within 3 minutes: 1) A PowerShell process runs with an encoded command, 2) A service is created with a random name, and 3) An outbound network connection to a suspicious IP address is observed. Which three Advanced Hunting tables must be joined in the KQL query to create this detection?
56. An organization wants to allow only specific company-approved USB devices (e.g., those with a specific hardware ID) on managed Windows devices. All other USB devices must be blocked. Which Microsoft 365 Defender feature should be configured?
57. A security administrator wants to prevent attackers from stealing credentials by blocking access to the Local Security Authority Subsystem Service (LSASS) from untrusted processes. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?
58. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a device makes an outbound connection to a known malicious IP address, and within 10 minutes, a process with suspicious command-line arguments is started on the same device. Which two Advanced Hunting tables must be joined using a KQL query to create this detection?
59. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a process named 'powershell.exe' is launched with command-line arguments containing '-EncodedCommand', and within 5 minutes a service is created on the same device. Which two Advanced Hunting tables must be joined in the KQL query to create this detection?
60. A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?
61. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user receives a phishing email containing a malicious URL and then clicks that URL within 10 minutes. Which two Advanced Hunting tables must be joined in the KQL query?
62. A security administrator is configuring Microsoft Defender for Cloud Apps. The administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Defender for Cloud Apps features must be configured? (Select the two correct options.)
63. A security analyst is investigating a suspected credential theft attack where an attacker attempts to dump credentials from LSASS. Which Attack Surface Reduction (ASR) rule should the administrator enable to block this activity from untrusted processes?
64. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user opens a malicious email attachment, which launches a PowerShell process, and then that PowerShell process makes an outbound connection to a known malicious IP address. Which three Advanced Hunting tables must be joined in the KQL query?
65. A security administrator wants to reduce the risk of credential dumping from LSASS on managed Windows endpoints. Which Attack Surface Reduction rule should be enabled?
66. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user opens a malicious Office document, which launches a process named cmd.exe from Microsoft Word, and then that cmd.exe process makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?
67. A security administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps features must be configured to meet these requirements? (Select all that apply.)
68. A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a user receives a phishing email and clicks a malicious link within 10 minutes. Which two tables must be joined in the KQL query?
69. A security administrator needs to block unsanctioned cloud apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps components must be configured?
70. A security analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when a process spawned by Microsoft Word (winword.exe) makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?
71. A security administrator wants to configure Microsoft Defender for Cloud Apps to block downloads of sensitive files from Salesforce to unmanaged devices in real time. Which Defender for Cloud Apps component must be configured?
72. A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should detect when a user receives a malicious email attachment and then opens the attachment, resulting in a process being created (e.g., .exe file). Which two Advanced Hunting tables must be joined to correlate the email attachment with the resulting process?
73. A security analyst is investigating a potential attack where a user received a malicious email with an HTML attachment. The HTML file, when opened, fetched a JavaScript payload from a remote server that then dropped a binary on the user's machine and executed it. The analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when an email contains an HTML attachment with an external link, and that attachment is opened, causing a process creation. Which two tables should the analyst join in the KQL query to correlate the email attachment with the resulting process?
74. A security administrator wants to configure Microsoft Defender for Cloud Apps so that when a user accesses a sensitive file in a sanctioned cloud app from an unmanaged device, the user is blocked from downloading the file and a block action is logged in real time. Which type of policy should the administrator configure?
75. A company is experiencing a significant number of phishing attempts that target high-level executives by impersonating their email addresses. The security team wants to configure protection against user impersonation in Microsoft Defender for Office 365. Which setting must be enabled in the anti-phishing policy to protect these specific users?
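Many of the questions above (for example 32, 47, 51, 58, 66 and 70) turn on joining DeviceProcessEvents with DeviceNetworkEvents so that a suspicious process launch can be tied to the outbound connection it later made. The following advanced hunting query is an added worked example written for this page; it is not taken from the question bank or from Microsoft documentation. The table and column names are the real Defender XDR advanced hunting schema; the two indicator IP addresses and the "within 5 minutes" window are constructed placeholders that you would replace with your own threat-intelligence list and tuning.

```kql
// Added example, not part of the question bank. Custom detection query that
// correlates a suspicious PowerShell launch (encoded command line) with an
// outbound connection made by that same process within 5 minutes.
// The indicator IPs below are constructed placeholders (RFC 5737 ranges).
let lookback = 24h;
let window = 5m;
let SuspiciousIPs = dynamic(["203.0.113.10", "198.51.100.25"]);  // constructed
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("-EncodedCommand", "-enc", "-ec")
| project DeviceId, DeviceName, ProcTime = Timestamp, ProcessId, ProcessCreationTime,
          AccountName, ProcessCommandLine, InitiatingProcessFileName, ReportId
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | where RemoteIP in (SuspiciousIPs)
    | project DeviceId, NetTime = Timestamp, InitiatingProcessId,
              InitiatingProcessCreationTime, RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId,
     // PIDs are reused, so match on creation time as well as PID
     $left.ProcessId == $right.InitiatingProcessId,
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
// keep only connections that happened after the launch and inside the window
| where NetTime between (ProcTime .. (ProcTime + window))
// Timestamp, ReportId and DeviceId are the columns a custom detection rule requires
| project Timestamp = NetTime, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine, RemoteIP, RemotePort, RemoteUrl,
          SecondsToConnect = datetime_diff("second", NetTime, ProcTime)
```

Two details matter when you turn this into a custom detection rule. First, the join key is DeviceId plus both the process ID and its creation time; joining on DeviceId and PID alone produces false matches because Windows reuses PIDs. Second, the final projection must keep Timestamp, ReportId and an entity column such as DeviceId, otherwise the rule editor rejects the query. To detect the sequence in question 55 or 64, add a third join against DeviceEvents (for service creation) or EmailAttachmentInfo in the same style, keyed on DeviceId and time order.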
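The email-side questions (11, 15, 19, 25, 28, 61 and 68) ask which tables link a delivered phishing message to the user's later click. The query below is an added worked example for this page, not content from the question bank or from Microsoft; the table and column names are the real advanced hunting schema, while the 10-minute window is a constructed value. It joins EmailEvents to UrlClickEvents on NetworkMessageId, which both tables carry, so the click is tied to the specific message rather than matched on URL strings.

```kql
// Added example, not part of the question bank. Custom detection query that
// ties a phishing message delivered to the inbox to a Safe Links click on a
// URL from that same message within 10 minutes (window is a constructed value).
let lookback = 24h;
let window = 10m;
EmailEvents
| where Timestamp > ago(lookback)
| where DeliveryAction == "Delivered" and DeliveryLocation == "Inbox/folder"
| where ThreatTypes has "Phish"
| project NetworkMessageId, MailTime = Timestamp, RecipientEmailAddress,
          SenderFromAddress, SenderMailFromAddress, Subject, ReportId
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where Workload == "Email"
    // keep clicks that reached the site: allowed outright, or warned but clicked through
    | where ActionType == "ClickAllowed" or IsClickedThrough == true
    | project NetworkMessageId, ClickTime = Timestamp, AccountUpn, Url,
              ActionType, IsClickedThrough
  ) on NetworkMessageId
// one EmailEvents row per recipient, so tie the click to the recipient who made it
| where RecipientEmailAddress =~ AccountUpn
| where ClickTime between (MailTime .. (MailTime + window))
// Timestamp, ReportId and an identity column are required for a custom detection rule
| project Timestamp = ClickTime, ReportId, RecipientEmailAddress, AccountUpn,
          SenderFromAddress, SenderMailFromAddress, Subject, Url, ActionType,
          IsClickedThrough, SecondsToClick = datetime_diff("second", ClickTime, MailTime)
```

Two caveats a practitioner should keep in mind. UrlClickEvents only records clicks on URLs that Safe Links rewrote or scanned, so if a Safe Links policy does not cover the recipient the click never appears and the rule is silent. If you also need the list of URLs that were in the message body (question 11), join EmailUrlInfo on the same NetworkMessageId; it is the table that tracks URLs in email, whereas UrlClickEvents records the click itself. Blocked clicks (ActionType "ClickBlocked" with IsClickedThrough false) are deliberately excluded here because the user never reached the site; include them if you want to alert on attempts rather than successful visits.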
Watch out for
Common Manage security and threats by using Microsoft Defender XDR exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Manage security and threats by using Microsoft Defender XDR domain cover on the MS-102 exam?
- Based on the question index above, it covers the unified Microsoft Defender portal and incident queue; Microsoft Defender for Endpoint (attack surface reduction rules, custom indicators, network protection, device isolation and automated investigation and response); Microsoft Defender for Office 365 (Safe Attachments, anti-phishing and impersonation settings, user-reported messages and attack simulation training); Microsoft Defender for Cloud Apps (Cloud Discovery, session and access policies through Conditional Access App Control); Microsoft Defender for Identity; and advanced hunting with KQL, including which tables to join when building custom detection rules.
- How many questions are in this domain?
- This page lists all 75 Manage security and threats by using Microsoft Defender XDR questions in the MS-102 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Manage security and threats by using Microsoft Defender XDR questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.