MS-102 · topic practice

Manage security and threats by using Microsoft Defender XDR practice questions

Practise the Manage security and threats by using Microsoft Defender XDR domain of the Microsoft 365 Administrator (MS-102) exam — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Manage security and threats by using Microsoft Defender XDR

What the exam tests

What to know about Manage security and threats by using Microsoft Defender XDR

Manage security and threats by using Microsoft Defender XDR questions test whether you can apply the concept in context, not just recognise a definition. Expect to be tested on:

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Manage security and threats by using Microsoft Defender XDR exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Manage security and threats by using Microsoft Defender XDR questions

20 questions · select your answer, then reveal the explanation

A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?

An organization uses Microsoft Defender for Cloud Apps to monitor shadow IT. They want to enforce policies that block downloads from risky cloud apps. Which Microsoft Defender XDR component provides this capability?

An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?

A security team wants to automatically investigate and respond to security incidents across endpoints, email, and identities without manual intervention. Which Microsoft Defender XDR capability provides this automation?

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

A security operations team uses Microsoft Defender XDR. They want to create a custom detection rule that alerts when a specific process (e.g., wscript.exe) launches from a user's temp directory and then performs a network connection to an external IP. Which advanced hunting query language should they use?

A security administrator wants to automatically block malicious IP addresses from sending email to Exchange Online mailboxes. Which Microsoft Defender component should be configured?

A security analyst investigates a potential data exfiltration incident. The analyst identifies that a user's device has made multiple connections to an unknown external IP address using a custom port. Which Microsoft Defender XDR data source would provide the most detailed network communication logs for this investigation?

A security administrator wants to automatically block a file that is detected as malware on one endpoint from being executed on all other endpoints in the organization. Which Microsoft Defender for Endpoint capability provides this?


A security operations team wants to receive real-time alerts when a user is at high risk of having their account compromised based on unusual sign-in patterns. Which Microsoft Defender XDR component should they configure?

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?

A ransomware alert is confirmed in Microsoft Defender XDR on a user device that is still communicating with other endpoints. What should the administrator do first to reduce spread while preserving the ability to investigate?

A security administrator wants to create a custom detection rule in Microsoft Defender XDR that alerts when a device initiates an outbound TCP connection to a known malicious IP address on a non-standard port (e.g., port 4444). Which advanced hunting table should be queried to find these network connections?

A security team wants to automatically investigate and remediate alerts generated from Microsoft Defender for Endpoint, Office 365, and Microsoft Entra ID. Which Microsoft Defender XDR capability should be configured?

A security analyst wants to create a custom detection rule that triggers when a user receives a phishing email that bypassed Exchange Online Protection, and then clicks a link that leads to a known malicious domain. Which two advanced hunting tables should the analyst combine to detect this chain of events?

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a user's device establishes a network connection to a known malicious IP address on a port commonly used by a specific malware. The rule must also include process information such as the filename of the process that initiated the connection. Which advanced hunting table should be the primary data source for this rule?

A security analyst needs to search for devices that have been communicating with a known malicious command-and-control server over the past 7 days. The analyst wants to identify the process that initiated the connection. Which advanced hunting query would be most efficient?

A security analyst identifies a malicious file hash on one endpoint. They need to ensure that file is blocked from executing on all other endpoints in the organization immediately. Which Microsoft Defender for Endpoint feature should be used?

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and later clicks a link to a known malicious domain from their device. The rule will use advanced hunting queries. Which two tables should be joined to detect the click event from the device?
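The email-then-click chain that the last few questions describe is expressed in advanced hunting as a join between the EmailEvents table (one row per delivered message) and the UrlClickEvents table (one row per Safe Links click verdict), keyed on NetworkMessageId. The KQL below is an added example written for this page, not one of Courseiva's questions or explanations: the domain watchlist is a constructed placeholder, and the seven-day window and the Delivered filter are assumptions chosen for illustration.

```kql
// Added example: a delivered phishing email followed by a click on a watched domain.
// BadDomains is a constructed placeholder; swap in your own indicators or a threat-intel watchlist.
let BadDomains = dynamic(["phish.example"]);
let Window = 7d;                                   // assumed lookback for illustration
EmailEvents
| where Timestamp > ago(Window)
| where DeliveryAction == "Delivered"              // got past filtering into the mailbox
| project EmailTimestamp = Timestamp, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, EmailThreatTypes = ThreatTypes
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(Window)
    | extend ClickedHost = tostring(parse_url(Url).Host)
    | where ClickedHost in~ (BadDomains)           // exact host match, case-insensitive
    | project ClickTimestamp = Timestamp, NetworkMessageId, AccountUpn, Url, ClickedHost,
              ActionType, IsClickedThrough, ReportId
  ) on NetworkMessageId
| where ClickTimestamp >= EmailTimestamp           // the click must follow delivery
| project Timestamp = ClickTimestamp, ReportId, NetworkMessageId, RecipientEmailAddress,
          AccountUpn, SenderFromAddress, Subject, Url, ClickedHost, ActionType, IsClickedThrough
```

A custom detection rule only saves if the query returns Timestamp, ReportId and at least one identifier column (here RecipientEmailAddress and AccountUpn). Both tables carry a Timestamp, so each side is renamed before the join to avoid an ambiguous-column error, and the final project restores the name the rule expects. ActionType and IsClickedThrough tell you whether Safe Links blocked the click or the user clicked through a warning, which is usually the detail that decides how urgent the response is.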

A security analyst needs to identify the specific process (filename) that initiated a network connection from a device to a known malicious IP address over the last 24 hours. Which advanced hunting table in Microsoft Defender XDR provides the necessary data including the initiating process filename and the remote IP address?
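The four questions above about a device talking to a known malicious address all resolve to the same data source, DeviceNetworkEvents, which records the remote IP and port alongside the initiating process columns (InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessCommandLine). The query below is an added example written for this page, not Courseiva's own material; the IP (a TEST-NET-3 address), the port and the seven-day window are constructed placeholders.

```kql
// Added example: devices that completed a connection to a watched C2 address on a
// non-standard port, collapsed to one row per device and initiating process.
// C2Ips and C2Ports are constructed placeholders; replace them with real indicators.
let C2Ips   = dynamic(["203.0.113.45"]);
let C2Ports = dynamic([4444]);
let Window  = 7d;                                   // assumed lookback for illustration
DeviceNetworkEvents
| where Timestamp > ago(Window)                     // time filter first: it prunes the most rows
| where ActionType == "ConnectionSuccess"           // completed outbound connections only
| where RemoteIP in (C2Ips) and RemotePort in (C2Ports)
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            arg_max(Timestamp, ReportId, InitiatingProcessCommandLine,
                    InitiatingProcessFolderPath, InitiatingProcessAccountName)
    by DeviceId, DeviceName, RemoteIP, RemotePort,
       InitiatingProcessFileName, InitiatingProcessSHA256
| project Timestamp, ReportId, DeviceId, DeviceName, RemoteIP, RemotePort,
          Connections, FirstSeen, LastSeen = Timestamp,
          InitiatingProcessFileName, InitiatingProcessSHA256, InitiatingProcessFolderPath,
          InitiatingProcessCommandLine, InitiatingProcessAccountName
```

Filtering on Timestamp and RemoteIP before anything else is what makes the query efficient; the summarize turns a beaconing implant's hundreds of connections into one row per device and process, and arg_max keeps the ReportId of the most recent connection so the row still satisfies the custom detection requirement of Timestamp, ReportId and DeviceId. Before saving this as a detection rule, shrink the window to match the rule's run frequency so each run only scores new events, and add a second query (or a join) against the same table for ConnectionRequest rows if you also want failed attempts to a sinkholed address.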

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Manage security and threats by using Microsoft Defender XDR sessions

Start a Manage security and threats by using Microsoft Defender XDR only practice session

Every question in these sessions is drawn from the Manage security and threats by using Microsoft Defender XDR domain — nothing else.

Related practice questions

Related MS-102 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the MS-102 exam test about Manage security and threats by using Microsoft Defender XDR?
Manage security and threats by using Microsoft Defender XDR questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Manage security and threats by using Microsoft Defender XDR questions in a focused session?
Yes — the session launcher on this page draws every question from the Manage security and threats by using Microsoft Defender XDR domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other MS-102 topics?
Use the topic links above to move to related areas, or go back to the MS-102 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the MS-102 exam covers. They are not copied from any real exam or dump site.