CCNA Defender Xdr Security Questions

75 of 284 questions · Page 2/4 · Defender Xdr Security topic

76
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads a large number of files from Microsoft SharePoint Online in a short period. What should you create?

A. App Discovery policy
B. Activity policy
C. Anomaly Detection policy
D. Cloud Discovery policy
Answer: B

Activity policies allow custom detection of specific activities like mass download.

Why this answer

Option B is correct because Activity policies in Defender for Cloud Apps allow you to create custom rules to detect specific activities like mass download. Option C (Anomaly Detection) is for pre-built anomalies. Option D (Cloud Discovery) is for shadow IT.

Option A (App Discovery) is for identifying apps.

77
MCQ · hard

An organization uses Microsoft Defender for Endpoint and wants to allow only certain applications to run on managed devices. They create a custom indicator (IoA) to allow a specific application by its certificate thumbprint. However, after deployment, the application is still blocked by default Windows Defender Application Control (WDAC) policy. What is the most likely reason?

A. The indicator is not yet active due to propagation delay.
B. The certificate thumbprint is incorrect.
C. The WDAC policy is in enforce mode and does not trust the indicator.
D. Custom indicators cannot override WDAC policies.
Answer: C

WDAC enforce mode blocks unless explicitly allowed by WDAC policy itself.

Why this answer

Custom allow indicators take priority over WDAC only if the WDAC policy trusts the indicator. By default, WDAC does not automatically trust Defender for Endpoint indicators; you must configure WDAC to allow indicators or use a WDAC policy that is in audit mode. Option C is correct.

Option D is wrong because indicators do work with WDAC. Option B is wrong because a certificate thumbprint is a valid indicator. Option A is wrong because the indicator does not expire quickly.

78
Matching · medium

Match each Microsoft 365 threat scenario to the appropriate protection.

Concepts

Anti-phishing policy in Defender for Office 365

Safe Attachments policy

Safe Links policy

Identity Protection and Conditional Access

Data Loss Prevention policy

Why these pairings

These protections are part of Microsoft 365 Defender and compliance.

79
MCQ · easy

You need to configure Microsoft Defender for Identity to alert when a user account is assigned a high number of group memberships in Active Directory. Which attack type does this correspond to?

A. Golden Ticket attack
B. Overpass-the-Hash attack
C. DCSync attack
D. Skeleton Key attack
Answer: A

Golden Ticket attacks forge Kerberos tickets and may involve modifying group memberships to escalate privileges.

Why this answer

Option A is correct because Golden Ticket attacks often involve modifying group memberships to gain elevated privileges. Option C is wrong because DCSync attacks replicate domain credentials. Option B is wrong because Overpass-the-Hash uses Kerberos tickets.

Option D is wrong because Skeleton Key attacks inject a backdoor.

80
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You want to detect when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

A. Configure an app discovery policy
B. Set up a session policy to block access from anonymous IPs
C. Enable the cloud discovery shadow IT report
D. Create an activity policy in Defender for Cloud Apps
Answer: D

Activity policies can trigger alerts based on conditions like anonymous IP.

Why this answer

Option D is correct because an activity policy can detect access from anonymous IP addresses. Option A is wrong because app discovery identifies cloud apps; it does not detect anomalous access. Option B is wrong because session policies control access rather than generating alerts.

Option C is wrong because cloud discovery shadow IT reports show discovered apps.

81
MCQ · hard

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt from a domain controller. You need to determine if the account was compromised by checking for lateral movement. What should you do in the Microsoft 365 Defender portal?

A. Review the incident graph for the related alert.
B. Review the identity timeline for the affected user account.
C. Run an advanced hunting query for IdentityLogonEvents.
D. Review the device timeline for the domain controller.
Answer: B

Identity timeline provides a chronological view of user activities, including logons and resource access, to detect lateral movement.

Why this answer

Option B is correct because the identity timeline in Defender for Identity shows the sequence of activities for a user, helping to identify lateral movement. Option D is wrong because the device timeline shows events on a device, not user identity activities across multiple devices. Option A is wrong because the incident graph shows related alerts but not the detailed user activity timeline.

Option C is wrong because the advanced hunting schema for IdentityLogonEvents can be used, but the identity timeline is the most direct tool for investigating lateral movement.

82
MCQ · easy

As a Microsoft 365 administrator, you need to ensure that sensitive data is not shared externally via email. You configure Data Loss Prevention (DLP) policies in Microsoft Purview. What is the primary purpose of a DLP policy?

A. Prevent users from sending any external email.
B. Block all inbound emails from untrusted domains.
C. Encrypt all outgoing emails automatically.
D. Detect and prevent the sharing of sensitive information via email and other channels.
Answer: D

DLP policies identify, monitor, and protect sensitive data across Microsoft 365 services.

Why this answer

Option D is correct because DLP policies are designed to detect and prevent accidental or intentional sharing of sensitive information. Option C is wrong because email encryption is provided by Azure Information Protection or Office 365 Message Encryption. Option B is wrong because malware protection is handled by Defender for Office 365.

Option A is wrong because DLP does not block all external emails.

83
MCQ · medium

Your organization uses Microsoft Defender for Office 365. You need to ensure that users are warned before opening potentially malicious attachments in Outlook on the web. Which policy setting should you configure?

A. Attachments in email are blocked
B. Open in protected view
C. Attachments are held and scanned
D. Dynamic Delivery
Answer: B

This displays a warning before opening a file in a sandboxed view.

Why this answer

Option B is correct because the 'Open in protected view' option displays a warning before opening a file in a sandboxed view. Option D is wrong because Dynamic Delivery delivers the email but replaces attachments with placeholders until the scan completes. Option A is wrong because 'Attachments in email are blocked' completely blocks delivery.

Option C is wrong because 'Attachments are held and scanned' delays delivery until the scan completes.

84
Multi-Select · hard

A company experiences a ransomware attack that encrypts files on several endpoints. The security team wants to use automated investigation and response (AIR) capabilities in Microsoft Defender XDR to contain the threat. Which TWO actions can be taken automatically by AIR? (Select TWO.)

Select 2 answers
A. Block the sender's email domain in Defender for Office 365.
B. Remove malicious files detected by Defender for Endpoint.
C. Isolate an affected device from the network.
D. Disable user accounts associated with the attack.
E. Reset user passwords for affected accounts.
Answers: B, C

AIR can remove files automatically.

Why this answer

AIR in Defender XDR can automatically isolate devices and remove malicious files, so Options B and C are correct. Option D is wrong because disabling user accounts is not automatic; it requires a playbook.

Option E is wrong because password reset is not automatic. Option A is wrong because blocking email domains is not automatic.

85
MCQ · medium

A security operations team wants to receive real-time alerts when a user is at high risk of having their account compromised based on unusual sign-in patterns. Which Microsoft Defender XDR component should they configure?

A. Microsoft Defender for Identity
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Endpoint
Answer: A

Defender for Identity uses behavioral analytics to detect sign-in anomalies and user compromise risks.

Why this answer

Microsoft Defender for Identity (MDI) is the correct component because it is specifically designed to detect and alert on identity-based threats, including unusual sign-in patterns that indicate a high risk of account compromise. MDI uses behavioral analytics and machine learning to monitor on-premises Active Directory and Azure AD sign-in logs for anomalies such as impossible travel, unusual login times, or suspicious credential usage, triggering real-time alerts. This directly matches the requirement for real-time alerts on user risk from unusual sign-in patterns.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps (option C) as the tool for sign-in anomaly detection, but its primary focus is on cloud app usage and data protection, not real-time identity risk alerts based on sign-in patterns—that is the domain of Defender for Identity.

How to eliminate wrong answers

Option B (Microsoft Defender for Office 365) is wrong because it focuses on protecting email and collaboration tools (e.g., phishing, malware in attachments) rather than analyzing user sign-in patterns for identity compromise. Option C (Microsoft Defender for Cloud Apps) is wrong because it primarily monitors cloud application usage and data exfiltration, not real-time sign-in risk alerts; its anomaly detection is broader and often requires additional configuration for identity-focused alerts. Option D (Microsoft Defender for Endpoint) is wrong because it is designed for endpoint threat detection and response (e.g., malware, fileless attacks) and does not analyze sign-in logs or user authentication patterns.

86
MCQ · hard

A security analyst wants to create a custom detection rule that triggers when a device communicates with a new, unclassified IP address that has been flagged by Microsoft threat intelligence as potentially malicious. The rule should run every hour and create an incident if more than 5 such communications from the same device occur within a 24-hour window. Which advanced hunting tables should be joined in the KQL query for this rule?

A. DeviceNetworkEvents and IPReputation
B. DeviceProcessEvents and AlertInfo
C. DeviceFileEvents and DeviceIPInfo
D. EmailEvents and DeviceNetworkEvents
Answer: A

DeviceNetworkEvents records network connections including remote IPs. IPReputation provides Microsoft's threat intelligence score for IP addresses, allowing the rule to filter for connections to flagged IPs. These tables can be joined on the RemoteIP column.

Why this answer

Option A is correct because the rule requires detecting network communications to potentially malicious IP addresses, which involves joining `DeviceNetworkEvents` (which logs network connections from devices) with `IPReputation` (which contains Microsoft's threat intelligence classifications for IP addresses). This join allows the query to filter for communications where the destination IP is flagged as malicious and then aggregate by device to trigger an incident when the count exceeds 5 within a 24-hour window.

Exam trap

The trap here is that candidates often confuse `DeviceNetworkEvents` with `DeviceProcessEvents` or `DeviceFileEvents`, mistakenly thinking process or file events can indicate network communication patterns, or they overlook that `IPReputation` is the specific table providing threat intelligence classification for IP addresses.

How to eliminate wrong answers

Option B is wrong because `DeviceProcessEvents` logs process creation events, not network communications, and `AlertInfo` contains metadata about alerts, not IP reputation data; this combination cannot detect communications with malicious IPs. Option C is wrong because `DeviceFileEvents` logs file creation/modification events, not network connections, and `DeviceIPInfo` provides IP configuration details (like DHCP leases) rather than threat intelligence reputation scores. Option D is wrong because `EmailEvents` tracks email delivery and phishing events, not device-level network communications, and joining it with `DeviceNetworkEvents` would not provide the required IP reputation data from Microsoft threat intelligence.

87
MCQ · hard

Contoso uses Microsoft Defender XDR and has a Microsoft 365 E5 license. The security team wants to automate incident response when a user is compromised. They create a custom automation rule in the Microsoft 365 Defender portal. The rule should automatically isolate the user's device, disable the user account, and reset the user's password. Which action type should they configure in the rule?

A. Create a playbook that performs all three actions and run it as the automation rule action.
B. Select 'Isolate device' as the incident action.
C. Configure a webhook to call an external API that performs the actions.
D. Use the 'Run script' action and provide a PowerShell script.
Answer: A

A playbook can orchestrate multiple steps.

Why this answer

In Microsoft Defender XDR automation rules, you can define actions that trigger playbooks. To perform multiple actions like isolate device, disable account, and reset password, you need to use Microsoft Sentinel playbooks (or Logic Apps) because Defender XDR automation rules only support a single action per trigger. However, with a custom playbook, you can combine multiple steps.

Option A is correct because a playbook can include multiple actions. Option D is wrong because an automation rule only supports one action. Option B is wrong because incident actions are limited.

Option C is wrong because a webhook would require external orchestration.

88
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Entra ID. You need to block access to a third-party cloud app that is not sanctioned. The app uses OAuth and users have already granted consent. What should you configure?

A. Create a Conditional Access policy in Microsoft Entra ID to block the app.
B. Create a session policy in Microsoft Defender for Cloud Apps.
C. Create an OAuth app policy in Microsoft Defender for Cloud Apps to revoke the app.
D. Create an app discovery policy in Microsoft Defender for Cloud Apps.
Answer: C

OAuth app policies revoke permissions and block the app.

Why this answer

Option C is correct because an OAuth app policy in Defender for Cloud Apps can revoke permissions and block access. Option A is wrong because a Conditional Access policy can block access but does not revoke OAuth permissions. Option D is wrong because an app discovery policy only identifies apps.

Option B is wrong because a session policy controls usage but does not block access after consent.

89
MCQ · medium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a device establishes a network connection to an IP address that has been recently observed in threat intelligence feeds as a new, malicious command-and-control server. The rule should analyze network communication events. Which advanced hunting table should be the primary data source for the Kusto Query Language (KQL) query?

A. DeviceProcessEvents
B. DeviceNetworkEvents
C. EmailEvents
D. AlertEvidence
Answer: B

This table records network connection events such as TCP, UDP, and ICMP traffic, making it suitable for IP-based detection.

Why this answer

DeviceNetworkEvents is the correct primary data source because it captures network connection events, including source and destination IP addresses, ports, and protocols. To detect a device connecting to a newly observed malicious command-and-control server, the KQL query must analyze network communication events, which are stored exclusively in this table.

Exam trap

Microsoft often tests the confusion between process-level and network-level tables, leading candidates to choose DeviceProcessEvents because they mistakenly think process creation is the primary indicator of malicious network activity.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation and execution events, not network connections; it cannot provide IP address or port information. Option C is wrong because EmailEvents tracks email delivery and phishing events, not device-level network connections to external IPs. Option D is wrong because AlertEvidence contains evidence linked to existing alerts, not raw network communication logs; it is used for investigating alerts, not as a primary source for custom detection rules.

90
MCQ · medium

You are reviewing a conditional access policy in Microsoft Entra ID as shown in the exhibit. The policy is intended to block sign-ins that are considered risky. However, some high-risk users are still able to sign in. What is the most likely reason?

A. The policy requires user risk and sign-in risk to both be high
B. The policy requires multi-factor authentication instead of blocking
C. The policy does not include sign-in risk levels
D. The policy requires both user risk and sign-in risk to be at specified levels simultaneously
Answer: D

The conditions use AND logic; if sign-in risk is low, the policy does not trigger.

Why this answer

Option D is correct because the policy only blocks when user risk is high AND sign-in risk is medium or high. If user risk is high but sign-in risk is low, the policy does not apply. Option A is wrong because the policy does not require both risk levels to be high; it requires user risk high and sign-in risk medium or high.

Option C is wrong because the policy includes sign-in risk levels medium and high. Option B is wrong because the policy does not require multi-factor authentication.

91
MCQ · hard

A security administrator wants to prevent users from uploading files to unsanctioned cloud storage apps (e.g., personal Dropbox or Google Drive) from managed Windows devices. The solution must use a reverse proxy to control file uploads in real time. Which Microsoft Defender for Cloud Apps feature should the administrator configure?

A. App discovery policy
B. Access policy
C. Session policy
D. Activity policy
Answer: C

Session policies use reverse proxy to control activities within a session, such as blocking uploads, downloads, or copy-paste.

Why this answer

Session policy in Microsoft Defender for Cloud Apps uses reverse proxy capabilities to monitor and control user activities in real time. When configured with the 'Control file upload' action, it can block or restrict uploads to unsanctioned cloud storage apps like personal Dropbox or Google Drive from managed Windows devices, meeting the requirement exactly.

Exam trap

The trap here is confusing session policies (real-time reverse proxy control) with access policies (pre-session conditional access), leading candidates to choose access policy because it also uses Conditional Access, but it cannot inspect or block file uploads within an active session.

How to eliminate wrong answers

Option A is wrong because App discovery policy identifies cloud apps in use but does not enforce real-time controls via reverse proxy. Option B is wrong because Access policy controls access based on user/device context but does not inspect or block file uploads within a session. Option D is wrong because Activity policy detects and alerts on specific activities (e.g., uploads) but cannot block them in real time using a reverse proxy; it is reactive, not proactive.

92
Multi-Select · medium

Your organization is implementing Microsoft Defender XDR. Which TWO actions should you take to ensure that alerts from different workloads are correlated into incidents?

Select 2 answers
A. Enable unified role-based access control (RBAC) in Microsoft 365 Defender.
B. Verify that all workloads are onboarded and sending data to Microsoft 365 Defender.
C. Ensure that all workloads are configured to use the same data retention policy.
D. Configure each workload to send alerts to Microsoft Sentinel.
E. Assign Microsoft 365 E5 licenses to all users.
Answers: A, B

Unified RBAC is required for incident correlation across workloads.

Why this answer

Options A and B are correct because enabling unified roles and ensuring all workloads send data to Microsoft 365 Defender are prerequisites for incident correlation. Option D is not required because sending alerts to Microsoft Sentinel is separate from correlation in Microsoft 365 Defender. Option C is not required because data storage is independent.

Option E is wrong because licensing is per workload.

93
MCQ · easy

A company wants to use Microsoft Defender XDR to automatically investigate and remediate threats across email, endpoints, and identities. Which role is required to configure automation settings in the Microsoft 365 Defender portal?

A. Global Reader
B. Compliance Administrator
C. Security Administrator
D. Security Reader
Answer: C

Security Administrator can configure automation settings.

Why this answer

The Security Administrator role can manage automation settings, so Option C is correct. Option A is wrong because Global Reader is read-only.

Option D is wrong because Security Reader is read-only. Option B is wrong because Compliance Administrator is for compliance.

94
Multi-Select · hard

You are investigating a security incident in Microsoft 365 Defender. The incident involves a user who received a phishing email that contained a link to a malicious website. The user clicked the link and entered credentials. Which THREE components of Microsoft Defender XDR would generate alerts that contribute to this incident?

Select 3 answers
A. Microsoft Sentinel
B. Microsoft Defender for Office 365
C. Microsoft Defender for Endpoint
D. Microsoft Defender for Cloud Apps
E. Microsoft Defender for Identity
Answers: B, C, E

Defender for Office 365 detects the phishing email.

Why this answer

Options B, C, and E are correct because all three detect different aspects of the attack: endpoint (malicious website access), Office 365 (phishing email), and identity (credential compromise). Option D is not directly relevant to this incident. Option A is not part of Microsoft Defender XDR; it's a SIEM.

95
MCQ · hard

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user who is performing an unusual number of failed logon attempts from a non-corporate IP address. The user is a member of the Finance group. What is the recommended first step?

A. Reset the user's password and require MFA.
B. Contact the user to verify if the activity is legitimate.
C. Disable the user account immediately.
D. Block the IP address in the firewall.
E. Close the alert as a false positive.
Answer: B

User confirmation is the quickest way to determine if it's a false positive.

Why this answer

Option B is correct because the first step is to verify with the user whether the activity is legitimate before taking any action. Option C is wrong because immediately disabling the account may cause unnecessary disruption. Option A is wrong because resetting the password without verification may not be necessary.

Option D is wrong because blocking the IP may be premature. Option E is wrong because closing the alert without investigation is not appropriate.

96
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing sensitive data from an unmanaged device. You need to automatically restrict the user's access to sensitive data until the device is compliant. What should you configure?

A. Create a session policy that monitors and controls access to sensitive data
B. Create a Conditional Access App Control policy for all apps
C. Create an anomaly detection policy
D. Create an app discovery policy
Answer: A

Session policies can block access from non-compliant devices.

Why this answer

Option A is correct because session control can block access based on device compliance. Option C is wrong because an anomaly detection policy doesn't restrict access. Option B is wrong because it's for conditional access to apps.

Option D is wrong because it's for discovery.

97
MCQ · medium

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure a policy to automatically remediate high-severity incidents involving ransomware on Windows 10 devices. The solution must minimize manual intervention. Which automation level should you configure in the automated investigation and response (AIR) capabilities?

A. Automatically remediate threats
B. Full - automatically remediate threats
C. Semi - require approval for any remediation
D. No automated response
Answer: A

This level allows automatic remediation without human approval, minimizing manual intervention.

Why this answer

Option A is correct because 'Automatically remediate threats' is the highest automation level, allowing Defender XDR to take remediation actions without human approval, which matches the requirement to minimize manual intervention. Option B is wrong because 'Full - automatically remediate threats' is the same level as option A; the correct term is 'Automatically remediate threats' or 'Full automation' depending on the UI. Option C is wrong because 'Semi - require approval for any remediation' requires manual approval, which does not minimize manual intervention.

Option D is wrong because 'No automated response' disables automation entirely.

98
MCQ · hard

A ransomware alert is confirmed in Microsoft Defender XDR on a user device that is still communicating with other endpoints. What should the administrator do first to reduce spread while preserving the ability to investigate?

A. Isolate the affected device from the network
B. Collect a forensic package before taking containment action
C. Run a full antivirus scan before isolating the device
D. Wait for automated investigation to complete before responding
Answer: A

Device isolation contains the threat quickly while retaining management connectivity for investigation and remediation.

Why this answer

Option A is correct because immediately isolating the affected device from the network stops the ransomware from spreading laterally to other endpoints via SMB, RDP, or other protocols, while preserving the device's state for forensic analysis. Microsoft Defender XDR's device isolation feature blocks all inbound and outbound communication except with the Defender for Endpoint cloud service, allowing investigation to continue without the risk of further infection.

Exam trap

The trap here is that candidates often think they must preserve evidence first (Option B) or let automation run (Option D), but Microsoft explicitly prioritizes containment over collection in active ransomware outbreaks to prevent lateral spread.

How to eliminate wrong answers

Option B is wrong because collecting a forensic package before containment delays the response, allowing ransomware to continue spreading to other endpoints during the collection process. Option C is wrong because running a full antivirus scan before isolation is time-consuming and ineffective against active ransomware that may have already disabled or evaded the scanner, and it does not prevent lateral movement. Option D is wrong because waiting for automated investigation to complete gives the ransomware more time to encrypt files and propagate, whereas manual isolation is the recommended first step in confirmed ransomware incidents to contain the threat immediately.

99
MCQ · medium

Your organization uses Microsoft 365 Defender. You need to configure automated investigation and response (AIR) to automatically remediate high-confidence phishing emails. What should you configure?

A. Automated investigation and response for collaboration content
B. Automated investigation and response for identities
C. Automated investigation and response for email
D. Automated investigation and response for devices
Answer: C

Email AIR can automatically remediate phishing emails.

Why this answer

Option C is correct because AIR policies for email handle automated remediation of phishing. Option D is wrong because it's for devices. Option B is wrong because it's for user accounts.

Option A is wrong because it's for collaboration content.

100
MCQ · medium

Your organization uses Microsoft Defender for Office 365 and wants to simulate a phishing attack to train users. You need to configure a simulation that uses a URL link to a credential harvesting page. Which feature should you use?

A. Attack simulation training
B. Anti-phish policies
C. Safe Links policies
D. Safe Attachments policies
Answer: A

This allows you to create and launch phishing simulations.

Why this answer

Option A is correct because Attack simulation training allows you to create and launch phishing simulations with custom payloads including URLs. Option C is wrong because Safe Links is a protection feature, not a simulation. Option D is wrong because Safe Attachments protects against malware in attachments.

Option B is wrong because Anti-phish policies protect against phishing rather than simulating it.

101
Multi-Select · hard

A security administrator is configuring Microsoft Defender for Cloud Apps. The administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Defender for Cloud Apps features must be configured? (Select the two correct options.)

Select 2 answers
A. Cloud Discovery
B. App governance
C. Conditional Access App Control
D. OAuth app permissions
Answers: A, C

Cloud Discovery analyzes traffic logs to identify cloud apps used in the organization.

Why this answer

Cloud Discovery is the correct feature because it identifies which cloud apps are in use by analyzing traffic logs from the organization's network. This provides the visibility needed to determine which apps are unsanctioned. Conditional Access App Control is the correct feature because it uses a reverse proxy to enforce real-time access controls, blocking unsanctioned apps at the session level.

Exam trap

The trap here is that candidates confuse App governance (which manages OAuth app permissions) with the reverse proxy functionality of Conditional Access App Control, or assume Cloud Discovery alone is sufficient for blocking, when it only provides visibility.

102
Multi-Select · hard

Your organization has Microsoft Defender for Endpoint deployed on all devices. You are investigating an incident where a user received a phishing email containing a link that led to a drive-by download. The download executed a script that attempted to modify registry run keys for persistence. Which THREE advanced hunting tables should you use to investigate this attack chain?

Select 3 answers
A. DeviceFileEvents
B. EmailEvents
C. DeviceProcessEvents
D. DeviceRegistryEvents
E. DeviceNetworkEvents
Answers: B, C, D

Captures the phishing email event.

Why this answer

Option B (EmailEvents) captures the phishing email. Option C (DeviceProcessEvents) captures the script execution. Option D (DeviceRegistryEvents) captures the registry modification.

Option E is wrong because DeviceNetworkEvents might be used but is not as directly relevant for the described chain. Option A is wrong because DeviceFileEvents could capture the download, but the chain is better captured by email, process, and registry.

103
MCQ · easy

A security administrator needs to view a unified incident queue that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. Which console should the administrator open?

A. Microsoft 365 Defender portal (security.microsoft.com)
B. Azure Security Center
C. Microsoft Endpoint Manager admin center
D. Microsoft Purview compliance portal
Answer: A

This is the central console for incident management across Defender workloads.

Why this answer

The Microsoft 365 Defender portal (security.microsoft.com) provides a unified incident queue that aggregates and correlates alerts from Microsoft Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps. This single-pane-of-glass view enables security administrators to investigate and respond to cross-domain threats without switching between separate consoles.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender portal with Azure Security Center (now Defender for Cloud), mistakenly thinking that all security alerts converge in Azure, when in fact the unified incident queue for Microsoft 365 Defender workloads is exclusive to security.microsoft.com.

How to eliminate wrong answers

Option B is wrong because Azure Security Center (now Microsoft Defender for Cloud) focuses on securing cloud workloads (VMs, containers, SQL) and does not provide a unified incident queue for Microsoft 365 Defender workloads. Option C is wrong because Microsoft Endpoint Manager admin center (intune.microsoft.com) is used for device management, compliance policies, and app deployment, not for security incident correlation. Option D is wrong because the Microsoft Purview compliance portal (compliance.microsoft.com) is dedicated to data governance, eDiscovery, and compliance management, not for real-time threat alert correlation from Defender products.

104
MCQhard

Your company uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are the security administrator. The company's incident response team receives hundreds of low-severity alerts daily, causing alert fatigue. You need to reduce noise by automatically closing low-severity alerts that are determined to be false positives by Microsoft's threat intelligence. You want to minimize manual effort and ensure that only alerts with high confidence of being false positives are closed. What should you do?

A.Enable the built-in 'Automatic false positive suppression' feature in the Microsoft Defender XDR settings.
B.Configure an automated investigation and response rule for low-severity alerts to automatically close them.
C.Use the Microsoft Defender XDR API to export alerts daily and run a PowerShell script to close low-severity alerts that match a known false positive list.
D.Create a custom detection rule that excludes low-severity alerts from known false positive indicators.
AnswerA

Correct: This feature uses Microsoft's intelligence to close false positives.

Why this answer

Option A is correct because Microsoft Defender XDR includes built-in false positive suppression for alerts with high confidence. Option B is wrong because automated investigation rules address behavior, not false positives. Option C is wrong because a scripted close list requires manual input and may close genuine alerts.

Option D is wrong because such a rule must be created and maintained manually.

105
MCQeasy

You are configuring a mail flow rule in Exchange Online. The exhibit shows a snippet. What will this rule do?

A.Quarantine messages sent to example.com
B.Reject messages sent to example.com
C.Block messages from example.com
D.Allow messages to example.com
AnswerA

The action is Quarantine for that domain.

Why this answer

Option A is correct because the rule quarantines messages to example.com. Option B is wrong because the messages are not rejected. Option C is wrong because the messages are not blocked.

Option D is wrong because the action for example.com is quarantine, not allow.

106
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to be alerted when a user accesses a cloud app from a risky IP address. What should you configure?

A.Create an anomaly detection policy with the 'Activity from risky IP address' template.
B.Create a session policy to monitor risky IP addresses.
C.Create a file policy to detect access from risky IPs.
D.Create an access policy to block risky IPs.
AnswerA

This template alerts when a user accesses an app from a known risky IP.

Why this answer

Option A is correct because an anomaly detection policy can alert on activities from risky IP addresses. Option B is wrong because session policies control real-time access. Option C is wrong because file policies monitor data.

Option D is wrong because access policies control access based on conditions.

107
MCQhard

Your organization uses Microsoft Defender for Endpoint and Microsoft Defender for Identity. A user reports that their account was used to send a large volume of email messages to internal recipients, which appears to be a potential account compromise. You need to determine if the account is compromised and if any lateral movement occurred. Which data sources should you analyze in Microsoft Defender XDR?

A.EmailEvents and EmailAttachmentInfo
B.DeviceNetworkEvents and DeviceProcessEvents
C.DeviceEvents and DeviceNetworkEvents
D.IdentityLogonEvents, EmailEvents, and DeviceProcessEvents
AnswerD

Combines identity, email, and process events to detect compromise and lateral movement.

Why this answer

Option D is correct because analyzing IdentityLogonEvents (from MDI) and EmailEvents (from MDO) together can correlate the logon activity with the email sending, while DeviceProcessEvents can detect lateral movement. Option C is wrong because DeviceEvents are not as useful for email context. Option A is wrong because EmailEvents alone cannot detect lateral movement.

Option B is wrong because DeviceNetworkEvents alone may miss identity context.

108
MCQmedium

A company's security team needs to investigate a suspicious email that was reported by a user. The email was not blocked by Exchange Online Protection (EOP) and was delivered to the user's inbox. The security team wants to use Microsoft Defender XDR to analyze the email and its attachments. Which feature should they use to submit the email for automated investigation?

A.Submissions
B.Advanced Hunting
C.Threat Explorer
D.Attack Simulator
AnswerA

Submissions allow security teams to submit emails, URLs, and attachments for analysis.

Why this answer

Option A is correct because Submissions in Microsoft 365 Defender allow security teams to submit emails, URLs, and attachments to Microsoft for analysis and automated investigation. Option C is wrong because Threat Explorer is used for investigating threats after they have been detected, not for manual submission. Option D is wrong because Attack Simulator is used for simulating phishing attacks.

Option B is wrong because Advanced Hunting is a query-based tool for threat detection, not for submitting emails.

109
MCQeasy

You are a security administrator for a company that uses Microsoft Defender XDR. You need to generate a report that shows the number of incidents closed as true positive, false positive, and benign in the last 30 days. You want to use built-in features without writing custom queries. What should you do?

A.Use the Microsoft Defender for Endpoint reports section.
B.Use the Device health report in Microsoft Defender XDR.
C.Navigate to Threat analytics in the Defender XDR portal.
D.In the Microsoft Defender XDR portal, go to Reports > General > Incident summary.
AnswerD

Correct: Built-in report shows classification breakdown.

Why this answer

Option D is correct because the Microsoft Defender XDR portal has a built-in report for incident classification. Option A is wrong because that section is for endpoints, not all incidents. Option C is wrong because that's for threat analytics.

Option B is wrong because the Device health report covers device health, not incident classification.

110
MCQeasy

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the built-in anti-phishing policy. You need to analyze the email headers to determine why it was not detected. What should you use?

A.Attack Simulator in Microsoft Defender for Office 365
B.Threat Explorer in Microsoft Defender for Office 365
C.Message trace in Exchange admin center
D.Quarantine page in Microsoft Defender for Office 365
AnswerB

Threat Explorer provides deep analysis of email threats.

Why this answer

Option B is correct because Threat Explorer allows you to search for emails and view detailed headers and detection details. Option C is wrong because message trace is for transport flow, not security analysis. Option D is wrong because the Quarantine page shows quarantined items, not delivered emails.

Option A is wrong because Attack Simulator is for training, not analysis.

111
Multi-Selecthard

Which THREE features are included in Microsoft Defender for Office 365 Plan 2 but NOT in Plan 1? (Choose three.)

Select 3 answers
A.Anti-phishing policies
B.Safe Links
C.Automated Investigation and Response (AIR)
D.Threat Explorer
E.Attack Simulation Training
AnswersC, D, E

AIR is a Plan 2 feature.

Why this answer

Options C, D, and E are correct. Plan 2 includes Automated Investigation and Response (C), Threat Explorer (D), and Attack Simulation Training (E). Option B (Safe Links) is included in Plan 1.

Option A (Anti-phishing policies) is included in Plan 1.

112
MCQmedium

A security analyst runs the above KQL query in Microsoft 365 Defender. The query returns an empty result set. Which is the most likely reason?

A.The time range is too wide and the query times out.
B.No antivirus detection events for files with 'ransomware' or 'encrypt' in the filename occurred in the last 7 days.
C.The 'has_any' operator is used incorrectly; it should be 'contains' for each condition.
D.The DeviceEvents table does not contain antivirus detection events.
AnswerB

The filter is too restrictive.

Why this answer

The query uses 'has_any' to match filenames containing 'ransomware' or 'encrypt'. If no detections match those strings, the result is empty. Option B is correct.

Option A is wrong because a 7-day time range is typical and would not cause a timeout. Option C is wrong because the has_any syntax is valid. Option D is wrong because the query uses the correct table.

113
Multi-Selecthard

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user shares a file containing sensitive data with an external domain. Which three components must you configure in the policy? (Choose three.)

Select 3 answers
A.A content inspection method (e.g., DLP)
B.A governance action (e.g., alert, block)
C.A filter to specify the sharing type (e.g., external)
D.A session control action
E.An access token condition
AnswersA, B, C

Content inspection detects sensitive data.

Why this answer

Options A, B, and C are correct because a file policy requires a filter (e.g., sharing with external users), a content inspection method to detect sensitive data, and a governance action (e.g., alert or block). Option D is wrong because session control actions belong to session policies, which are separate. Option E is wrong because an access token condition is not a component of a file policy.

114
MCQmedium

A security administrator wants to prevent Microsoft Office applications (Word, Excel, PowerPoint) from creating child processes, which is a common technique used by malware to execute malicious code. Which attack surface reduction (ASR) rule should be enabled?

A.Block all Office applications from creating child processes
B.Block executable files from running unless they meet a prevalence, age, or trusted list criteria
C.Block Office applications from creating executable content
D.Block Win32 API calls from Office macros
AnswerA

This rule directly addresses the described behavior by blocking Office apps from creating child processes.

Why this answer

Option A is correct because the ASR rule 'Block all Office applications from creating child processes' (GUID: D4F940AB-401B-4EFC-AADC-AD5F3C50688A) specifically prevents Word, Excel, and PowerPoint from spawning child processes such as cmd.exe, PowerShell, or wscript.exe. This directly mitigates a common malware technique where Office macros or exploits launch malicious executables. The rule is part of Microsoft Defender for Endpoint's attack surface reduction capabilities and is designed to stop process injection and lateral movement without blocking legitimate Office functionality.

Exam trap

The trap here is that candidates confuse 'creating child processes' with 'creating executable content' or 'blocking Win32 API calls,' leading them to choose options that address file writes or macro restrictions rather than the specific process spawning behavior.

How to eliminate wrong answers

Option B is wrong because 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' is an ASR rule that targets executable files (e.g., .exe, .dll) based on reputation, not Office child process creation. Option C is wrong because 'Block Office applications from creating executable content' prevents Office apps from writing executable files (e.g., .exe, .scr) to disk, but does not block the spawning of child processes. Option D is wrong because 'Block Win32 API calls from Office macros' disables macros from calling Win32 APIs (e.g., via VBA), which is a different attack vector; it does not prevent Office apps from creating child processes through other means like OLE or DDE.

115
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a user clicks a malicious link in an email, the endpoint is automatically isolated. What should you configure?

A.Enable network protection in block mode.
B.Configure an automated investigation and response (AIR) playbook for device isolation.
C.Configure attack surface reduction rules to block the link.
D.Create a custom detection rule to trigger isolation.
AnswerB

AIR can automatically isolate a device when an alert like 'malicious link clicked' is triggered.

Why this answer

Option B is correct because automated investigation and response (AIR) can be configured to isolate a device when a malicious link is clicked. Option C is wrong because attack surface reduction rules reduce vulnerability but do not automatically isolate. Option A is wrong because network protection blocks connections but does not isolate.

Option D is wrong because custom detection rules can trigger isolation but require additional configuration; AIR is the built-in automation.

116
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user receives a phishing email containing a malicious URL and then clicks that URL within 10 minutes. Which two Advanced Hunting tables must be joined in the KQL query?

Select 2 answers
A.EmailEvents and UrlClickEvents
B.EmailEvents and DeviceProcessEvents
C.EmailUrlInfo and UrlClickEvents
D.EmailAttachmentInfo and UrlClickEvents
AnswersA, C

EmailEvents tracks email delivery but not URL-specific details; joining directly to UrlClickEvents is not straightforward without URL info.

Why this answer

The rule requires detecting when a user receives a phishing email with a malicious URL and then clicks that URL within 10 minutes. The EmailUrlInfo table contains the URL extracted from the email (including the verdict), and the UrlClickEvents table records user clicks on URLs in Microsoft Defender for Office 365 Safe Links. Joining these two tables on the URL hash (SHA256) allows correlation of the email-delivered URL with the user's click event, enabling the time-based trigger.

Exam trap

The trap here is that candidates often assume EmailEvents is needed to capture the email reception, but the URL-to-click correlation requires the URL-specific table (EmailUrlInfo) rather than the email metadata table, and UrlClickEvents is the only table that records the click action.

117
MCQhard

A security analyst has identified a new malware sample with SHA256 hash 'abc123...'. They need to immediately block this file from executing on any managed endpoint across the organization. Which Microsoft Defender for Endpoint capability should they use?

A.Attack surface reduction rules
B.Indicators (IoC)
C.Automated investigation and response
D.Threat analytics
AnswerB

Correct. Indicators allow you to create allow/block actions based on file hashes, IPs, or domains.

Why this answer

Option B is correct because Indicators of Compromise (IoC) in Microsoft Defender for Endpoint allow security analysts to create custom indicators (such as file hashes, IPs, or URLs) that are immediately enforced across all managed endpoints. This capability enables blocking execution of a specific SHA256 hash at the kernel level via the Microsoft Defender Antivirus driver, providing near-instant protection without requiring a signature update or policy change.

Exam trap

The trap here is that candidates confuse Indicators (IoC) with Attack Surface Reduction rules, mistakenly thinking ASR rules can block specific file hashes, when in fact ASR rules only block behavioral patterns and cannot target individual file hashes.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction (ASR) rules are policy-based rules that target specific behaviors (e.g., blocking Office apps from creating child processes), not individual file hashes; they cannot block a single SHA256 hash on demand. Option C is wrong because Automated Investigation and Response (AIR) is a post-breach remediation workflow that triggers after detection, not a proactive blocking mechanism for a known IoC. Option D is wrong because Threat Analytics is a reporting and intelligence feature that provides threat summaries and mitigations, not a direct enforcement action to block file execution.

118
MCQeasy

You are a security administrator for a Microsoft 365 E5 organization. You need to configure a policy that automatically blocks execution of files that have a low reputation score in Microsoft Defender for Endpoint. Which policy type should you configure?

A.Attack surface reduction rule in Microsoft Defender for Endpoint
B.Device control policy in Microsoft Intune
C.Anti-malware policy in Exchange Online Protection
D.Cloud App Security policy in Microsoft Defender for Cloud Apps
AnswerA

ASR rules can block executables based on reputation.

Why this answer

Option A is correct because Attack Surface Reduction rules can block execution of files with low reputation. Option C is wrong because it's for email. Option B is wrong because it's for device control.

Option D is wrong because it's for cloud apps.

119
MCQhard

Your company has deployed Microsoft Defender for Endpoint on all Windows devices. You are investigating an alert for a suspicious PowerShell command that was blocked by Attack Surface Reduction (ASR) rules. The alert shows the command was executed from a script embedded in a Word document. You need to identify the ASR rule that blocked this activity. Which rule is most likely responsible?

A.Block Office applications from creating child processes
B.Block Office applications from making Win32 API calls
C.Block Office applications from injecting code into other processes
D.Block Office applications from creating executable content
AnswerA

This rule prevents Word from launching PowerShell.

Why this answer

Option A is correct because the ASR rule 'Block Office applications from creating child processes' specifically prevents Office apps like Word from launching child processes such as PowerShell. Option B is wrong because that rule blocks macros from making Win32 API calls, not launching processes. Option C is wrong because that rule blocks Office apps from injecting code into other processes.

Option D is wrong because that rule blocks Office apps from creating executable content.

120
MCQhard

Your company uses Microsoft Defender XDR and Microsoft Defender for Cloud Apps. You have discovered that a user's credentials were compromised and used to access a SaaS application from an unusual location. You need to automatically suspend the user's access to all cloud apps and require a password reset. The suspension should be immediate upon detection. What should you do?

A.In Microsoft Defender for Cloud Apps, create a session policy that uses the 'Suspend user' governance action and configure it to require password reset.
B.Create a playbook in Microsoft Sentinel that disables the user account in Microsoft Entra ID.
C.Set up a conditional access policy in Microsoft Entra ID to block all access from unusual locations.
D.Configure an automated investigation rule in Microsoft Defender XDR to reset the user's password.
AnswerA

Correct: Cloud Apps can suspend user and trigger password reset via integration with Entra ID.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps can be integrated with Microsoft Entra ID to automatically suspend a user and require a password reset via conditional access and session policies. Option D is wrong because the reset is manual, not automatic. Option B is wrong because disabling the account does not force a password reset.

Option C is wrong because that policy only applies to on-premises apps.

121
Multi-Selectmedium

As a security administrator, you are tuning automated investigation and response (AIR) capabilities in Microsoft Defender XDR. You need to ensure that the system can automatically remediate threats while minimizing false positives. Which three of the following actions can be taken by automated investigation and response in Microsoft Defender XDR? (Choose three.)

Select 3 answers
A.Quarantine a file detected as malicious on a device
B.Disable a compromised user account temporarily
C.Delete an email message from a user's mailbox that was identified as phishing
D.Modify a Conditional Access policy to block all external access
E.Uninstall an application from all devices in a tenant
F.Reset a user's password without administrator approval

Why this answer

Automated investigation and response (AIR) in Microsoft Defender XDR can quarantine a file detected as malicious on a device by using built-in remediation actions that isolate the file from the operating system. It can also disable a compromised user account temporarily through integration with Microsoft Entra ID, applying a conditional account disable action to prevent further access. Additionally, AIR can delete an email message from a user's mailbox that was identified as phishing by leveraging Exchange Online Protection (EOP) and Microsoft Defender for Office 365 to perform mailbox-level remediation.

Exam trap

The trap here is that candidates may assume AIR can perform broad administrative actions like modifying Conditional Access policies or resetting passwords, but Microsoft deliberately restricts AIR to only a specific set of remediation actions that are safe for automated execution without causing widespread disruption.

122
MCQhard

A security administrator needs to block users from running portable executable files (e.g., .exe, .scr) that were downloaded from the internet on Windows devices. Which Attack Surface Reduction (ASR) rule should the administrator enable to meet this requirement?

A.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
B.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
C.Block Adobe Reader from creating child processes
D.Block persistence through WMI event subscription
AnswerA

This ASR rule blocks executables that are not trusted based on Microsoft's reputation and prevalence data.

Why this answer

Option A is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) specifically targets executable files (e.g., .exe, .scr) that have been downloaded from the internet by checking their Mark-of-the-Web (MoTW) attribute. When enabled, this rule prevents execution of such files unless they meet criteria like high prevalence, sufficient age, or inclusion in a trusted list, directly addressing the requirement to block internet-downloaded portable executables.

Exam trap

The trap here is that candidates often confuse ASR rules focused on execution control (like blocking downloaded executables) with rules that block specific attack techniques (like credential theft or persistence), leading them to select a rule that addresses a different threat vector entirely.

How to eliminate wrong answers

Option B is wrong because the ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects against credential theft via LSASS access, not against running internet-downloaded executables. Option C is wrong because the ASR rule 'Block Adobe Reader from creating child processes' (GUID: 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c) only restricts Adobe Reader from spawning child processes, which is unrelated to blocking execution of downloaded .exe or .scr files. Option D is wrong because the ASR rule 'Block persistence through WMI event subscription' (GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b) targets WMI-based persistence techniques, not the execution of internet-downloaded portable executables.

123
Multi-Selecthard

You are configuring Microsoft Defender for Office 365 to protect against sophisticated phishing attacks. You need to ensure that users are warned about potentially malicious messages that bypass other filters. Which two policies should you configure?

Select 2 answers
A.Safe Attachments policy
B.Safe Links policy
C.Anti-malware policy
D.Anti-spam policy: Spoof intelligence
E.Anti-phishing policy: Impersonation protection settings
AnswersD, E

Correct: Spoof intelligence can show warnings for spoofed senders.

Why this answer

To warn users about potentially malicious messages, you should configure anti-phishing policy's impersonation protection and spoof intelligence. Spam filter policies do not provide user warnings. Safe Attachments and Safe Links policies block or detonate attachments/links but do not warn users.

124
MCQhard

A security administrator needs to block executable files from running from the %TEMP% folder on Windows devices to prevent common malware execution. Which attack surface reduction (ASR) rule should be enabled?

A.Block executable files from running unless they meet a prevalence, age, or trusted list criteria
B.Block credential stealing from the Windows local security authority subsystem
C.Block all Office applications from creating child processes
D.Block JavaScript or VBScript from launching downloaded executable content
AnswerA

Correct. This ASR rule specifically blocks executables in writable directories unless they have been around long enough or are commonly seen.

Why this answer

Option A is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criteria' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) specifically targets executables launched from locations commonly used by malware, such as the %TEMP% folder. This rule uses cloud-delivered reputation data to allow only executables that are prevalent, have sufficient age, or are on a trusted list, effectively blocking unknown or suspicious binaries from running in temporary directories.

Exam trap

The trap here is that candidates often confuse ASR rules focused on script-based attacks (Option D) or credential theft (Option B) with the specific rule designed to block executables in low-reputation locations like %TEMP%, leading them to choose a rule that addresses a different attack vector.

How to eliminate wrong answers

Option B is wrong because 'Block credential stealing from the Windows local security authority subsystem' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects against credential theft via LSASS, not against executable execution from %TEMP%. Option C is wrong because 'Block all Office applications from creating child processes' (GUID: d4f940ab-401b-4efc-aadc-ad5f3c50688a) prevents Office apps from spawning child processes (e.g., PowerShell or cmd.exe), which is unrelated to blocking executables in the %TEMP% folder. Option D is wrong because 'Block JavaScript or VBScript from launching downloaded executable content' (GUID: e22096a2-2f8a-4e6c-8f3a-7a5f1c5b0c3d) targets scripts that launch downloaded executables, not the direct execution of executables from the %TEMP% folder.

125
MCQhard

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a device communicates with a new, unclassified IP address flagged by Microsoft threat intelligence as potentially malicious. The rule must run every hour and create an incident if the count of such communications exceeds 10 in a 24-hour window. Which type of rule should the analyst create?

A.A custom detection rule using advanced hunting
B.A scheduled alert rule in Microsoft Sentinel
C.An incident creation rule in Microsoft Defender for Cloud Apps
D.A custom remediation action rule
AnswerA

Defender XDR custom detections use advanced hunting queries that can be scheduled and trigger incidents when thresholds are exceeded.

Why this answer

A custom detection rule using advanced hunting is the correct choice because Microsoft Defender XDR allows you to create custom detection rules based on Kusto Query Language (KQL) queries that run on a scheduled interval (e.g., every hour). This rule can query the `DeviceNetworkEvents` table to identify communications with IP addresses flagged as malicious by Microsoft threat intelligence, aggregate the count over a 24-hour sliding window, and trigger an incident when the threshold of 10 is exceeded. This directly meets the requirement for a scheduled, threshold-based detection within Defender XDR.

Exam trap

The trap here is that candidates often confuse the scope of Microsoft Defender XDR custom detections with Microsoft Sentinel scheduled alert rules, assuming any scheduled query must be in Sentinel, but Defender XDR's advanced hunting custom detections natively support scheduled queries and incident creation without requiring Sentinel.

How to eliminate wrong answers

Option B is wrong because a scheduled alert rule in Microsoft Sentinel is designed for Azure-based SIEM and SOAR capabilities, not for native custom detection within Microsoft Defender XDR; Sentinel operates on a different data ingestion pipeline and is not the correct tool for creating rules that run directly in the Defender XDR portal. Option C is wrong because an incident creation rule in Microsoft Defender for Cloud Apps focuses on app-level anomalies and cloud application behaviors, not on device-level network communications with IP addresses flagged by threat intelligence. Option D is wrong because a custom remediation action rule is used to define automated response actions (e.g., isolating a device or running a script) after a detection occurs, not to define the detection logic or scheduling itself.

126
MCQeasy

A user receives an email from an unknown sender with a .zip attachment. The attachment contains a potentially malicious executable file. Microsoft Defender for Office 365 is enabled. Which feature dynamically detonates the attachment in a sandbox environment and blocks it if malicious behavior is detected?

A.Safe Attachments
B.Safe Links
C.Anti-phishing
D.Anti-spam
AnswerA

Safe Attachments uses behavioral analysis and sandboxing to detect and block malicious attachments in email messages.

Why this answer

Safe Attachments is the correct feature because it specifically detonates email attachments in a dynamic sandbox environment, analyzing behavior in real time. If the .zip file contains a malicious executable, Safe Attachments will block the email before delivery, preventing the user from accessing the threat. This is distinct from other Defender for Office 365 features that focus on URLs, phishing content, or spam filtering.

Exam trap

The trap here is that candidates confuse Safe Attachments with Safe Links, assuming both handle attachments, but Safe Links only rewrites and checks URLs, not file payloads.

How to eliminate wrong answers

Option B is wrong because Safe Links protects against malicious URLs within emails or Office documents, not file attachments. Option C is wrong because Anti-phishing policies detect impersonation and spoofing attempts, not executable file analysis. Option D is wrong because Anti-spam policies filter bulk or junk email based on sender reputation and content, not dynamic file detonation.

127
MCQhard

You are hunting for malicious activity in Microsoft 365 Defender. The exhibit shows a KQL query. What is the query searching for?

A.PowerShell processes with standard command line arguments
B.Processes that created PowerShell processes
C.PowerShell processes that were downloaded from the internet
D.PowerShell processes with encoded command line arguments
AnswerD

The command line contains '-EncodedCommand'.

Why this answer

Option D is correct because the query matches PowerShell process events whose command line contains '-EncodedCommand', the switch that passes a Base64-encoded (UTF-16LE) script on the command line and a staple of living-off-the-land tradecraft. Option A is wrong because the filter looks for an encoding switch, not ordinary arguments. Option B is wrong because the query matches on the PowerShell process itself, not on the InitiatingProcess* fields that would identify what spawned it.

Option C is wrong because nothing in the query inspects where the binary or script came from; download origin would be a DeviceFileEvents or DeviceNetworkEvents question.

128
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a device makes an outbound connection to a known malicious IP address, and within 10 minutes, a process with suspicious command-line arguments is started on the same device. Which two Advanced Hunting tables must be joined using a KQL query to create this detection?

Select 2 answers
A.DeviceNetworkEvents and DeviceProcessEvents.
B.DeviceEvents and DeviceLogonEvents.
C.DeviceProcessEvents and DeviceFileEvents.
D.DeviceNetworkEvents and DeviceRegistryEvents.
AnswerA

DeviceNetworkEvents contains outbound connections with remote IPs; DeviceProcessEvents contains process start details including the command line. Joining on DeviceId and constraining the time difference between the two events enables the correlation.

Why this answer

Option A is the only option that names both required tables: the detection correlates outbound network connections (DeviceNetworkEvents, with RemoteIP and InitiatingProcessId) with process creations (DeviceProcessEvents, with ProcessCommandLine) on the same device within a 10-minute window. The KQL query joins the two tables on DeviceId and keeps only pairs where the process event falls within 10 minutes after the network event. Option C is wrong because DeviceFileEvents records file create, modify and delete activity, not network connections. Options B and D pair logon or registry tables that carry neither remote IPs nor command lines.

Exam trap

Microsoft often tests the misconception that DeviceEvents, the catch-all table for event types without a dedicated table (ASR hits, AMSI scans, scheduled task creation and the like), can substitute for DeviceNetworkEvents; it does not carry the connection-level fields (RemoteIP, RemotePort, InitiatingProcessId) that an IP-based detection needs.

129
MCQeasy

A security administrator wants to review email messages that were blocked due to a malware detection in Microsoft Defender for Office 365. Which report should they use?

A.Submissions report
B.Spoof intelligence report
C.Mailflow map report
D.Threat Protection Status report
AnswerD

This report includes malware detections.

Why this answer

Option D is correct because the Threat protection status report breaks email detections down by type, including malware, and lets you drill into the messages behind each count. Option A is wrong because the Submissions report tracks messages that admins and users have submitted to Microsoft. Option B is wrong because the Spoof intelligence report lists spoofed senders and their verdicts.

Option C is wrong because the Mailflow map report shows message routing and volume, not detections.

130
MCQmedium

Your organization uses Microsoft Defender for Endpoint. A security analyst reports that a critical file was quarantined on several devices, but the file is a trusted application. You need to restore the file and prevent future false positives. What should you do?

A.Add the file to the allowed list in Microsoft Defender Antivirus exclusions.
B.Disable real-time protection on affected devices.
C.Add the file to the trusted list in Windows Defender Firewall.
D.Create a custom indicator for the file hash with the action 'Allow and alert'.
AnswerD

Custom indicators in Defender for Endpoint allow you to override detection and prevent false positives.

Why this answer

Option D is correct because a file indicator for the hash tells Defender for Endpoint (antivirus, cloud-delivered protection and EDR) to stop blocking that specific file across the tenant, and an allow action that still raises an alert (the portal's Audit action) keeps visibility of where it runs; the copies already quarantined are then restored from the Action center or from the device's quarantine. Option A is wrong because an antivirus exclusion is a per-device setting that switches scanning off for a path or file entirely, rather than allowing one known hash, and it does not restore what was already quarantined. Option C is wrong because Windows Defender Firewall governs network traffic and has no effect on Defender for Endpoint detections.

Option B is wrong because disabling real-time protection removes protection from the whole device and is at best a temporary workaround.

131
MCQhard

Your organization is implementing Microsoft Defender for Cloud Apps. You need to configure anomaly detection policies to alert when a user downloads an unusually large number of files from SharePoint Online. Which data source should you connect to enable this detection?

A.API connector for custom apps
B.App connector for SharePoint Online
C.Microsoft 365 Defender portal
D.Microsoft Entra ID logs
AnswerB

This provides activity logs from SharePoint for anomaly detection.

Why this answer

Option B is correct because anomaly detection policies baseline and score the activity log that the Microsoft 365 app connector (which covers SharePoint Online and OneDrive) streams into Defender for Cloud Apps; without it no file download activities arrive to be analysed. Option C is wrong because the Microsoft 365 Defender portal is the management interface, not a data source. Option D is wrong because Microsoft Entra ID provides sign-in and audit logs but not file download activity.

Option A is wrong because the API connector for custom apps is for applications you integrate yourself, not for native SaaS apps like SharePoint.

132
MCQmedium

Your organization uses Microsoft 365 E5 and has Microsoft Defender for Office 365 enabled. Users report that legitimate external emails are being quarantined as phishing attempts. You need to reduce false positives while maintaining security. What should you do?

A.Create a transport rule to allow all emails from external domains
B.Configure user-reported message settings in Microsoft Defender for Office 365
C.Disable the anti-phishing policy
D.Increase the Spam Confidence Level (SCL) threshold for incoming mail
AnswerB

User reporting helps improve filter accuracy over time.

Why this answer

Option B is correct because user reported settings route false-positive reports to Microsoft and/or your security team; reviewing them on the Submissions page turns confirmed false positives into allow entries and feeds the filters, so accuracy improves without weakening policy. Option A is wrong because a transport rule that allows all external mail bypasses filtering altogether. Option C is wrong because disabling the anti-phishing policy removes protection.

Option D is wrong because raising the spam confidence level threshold loosens spam filtering broadly; phishing verdicts come from the anti-phishing policy, not from SCL.

133
Multi-Selecthard

Which TWO components are part of Microsoft Defender XDR?

Select 2 answers
A.Microsoft Defender for Office 365
B.Microsoft Purview
C.Microsoft Defender for Endpoint
D.Microsoft Intune
E.Microsoft Sentinel
AnswersA, C

Defender for Office 365 is a core component of Defender XDR.

Why this answer

Options A and C are correct. Microsoft Defender XDR comprises Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity and Microsoft Defender for Cloud Apps. Option E is wrong because Microsoft Sentinel is a separate SIEM/SOAR product; its data can be surfaced in the unified portal, but it is not a component of Defender XDR.

Option B is wrong because Microsoft Purview is for compliance. Option D is wrong because Microsoft Intune is for device management.

134
MCQmedium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious LDAP query from a domain controller. After investigating, you determine the query is legitimate. How should you prevent future alerts for this activity?

A.Create a suppression rule for that alert type and entity.
B.Create a custom detection rule to allow the LDAP query.
C.Disable the Defender for Identity sensor on the domain controller.
D.Change the alert severity to Low.
AnswerA

Suppression rules prevent future alerts for that specific activity.

Why this answer

Option A is correct because an alert tuning (suppression) rule scoped to that alert type and the specific entity stops that combination from generating alerts while everything else on the domain controller stays monitored. Option C is wrong because disabling the sensor would stop all monitoring of that domain controller. Option D is wrong because severity only labels an alert; it does not suppress it.

Option B is wrong because custom detection rules add new detections; they cannot suppress a built-in one.

135
MCQeasy

You need to integrate Microsoft Defender XDR with Microsoft Sentinel for centralized monitoring. Which data connector should you use?

A.Microsoft Defender for Cloud connector
B.Azure Security Center connector
C.Microsoft 365 Defender connector
D.Microsoft Defender XDR connector
AnswerD

This connector ingests incidents from all Defender products.

Why this answer

Option D is correct because the Microsoft Defender XDR connector in Sentinel ingests incidents and alerts from all Defender products, and can optionally stream the raw advanced hunting tables as well. Option C (Microsoft 365 Defender connector) is the former name of the same connector, so it is not the name you select today; the current name is Microsoft Defender XDR. Option B (Azure Security Center) is the former name of Microsoft Defender for Cloud.

Option A (Microsoft Defender for Cloud) brings in cloud security posture and workload alerts, not Defender XDR incidents.

136
MCQhard

You are the security administrator for a multinational organization using Microsoft 365 E5. The organization has 10,000 users across three regions: North America, Europe, and Asia. You have deployed Microsoft Defender for Endpoint on all Windows devices and enabled Microsoft Defender for Office 365. Recently, a sophisticated phishing campaign targeted executives in Europe, using a custom domain that closely resembles your legitimate domain (e.g., contoso.com vs. contos0.com). The emails bypassed anti-spam and anti-phishing policies. You need to configure protection to block these impersonation attempts without affecting legitimate emails from the actual domain. You must also ensure that any similar future attempts using different variations are automatically detected. What should you do?

A.Create a Safe Links policy with a block action for URLs containing 'contos0.com'.
B.Enable mailbox intelligence in anti-phishing policies to detect unusual sender behavior.
C.Add the spoofed domain 'contos0.com' to the Tenant Allow/Block List in the Defender for Office 365 portal.
D.Configure an anti-phishing policy to protect against impersonation of your domain, enabling the 'Protect against impersonation of domains I own' setting and adding your legitimate domain to the list of domains to protect.
AnswerD

This leverages Defender's impersonation protection and AI to detect similar domains automatically.

Why this answer

Option D is correct because impersonation protection in the anti-phishing policy compares the sender domain of inbound mail against the protected domains and flags look-alikes such as contos0.com, whichever character is swapped or added, so future variations are caught without listing each one; mail from contoso.com itself is unaffected because it matches the protected domain exactly. Option C is wrong because a Tenant Allow/Block List entry blocks only the literal domain listed, not future variations. Option A is wrong because Safe Links evaluates URLs, not sender domains.

Option B is wrong because mailbox intelligence learns each user's contact graph and improves user impersonation detection; it does not replace domain impersonation protection, although the two are normally enabled together.

137
Multi-Selectmedium

A security analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a PowerShell process with suspicious command-line arguments is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP occurs. Which two advanced hunting tables must be joined in the KQL query?

Select 2 answers
A.DeviceProcessEvents and DeviceNetworkEvents
B.EmailEvents and DeviceNetworkEvents
C.DeviceEvents and DeviceProcessEvents
D.IdentityLogonEvents and DeviceNetworkEvents
AnswerA

Correct. These two tables contain the necessary process and network connection data for the scenario.

Why this answer

Option A is correct because the detection rule requires correlating a PowerShell process event (stored in DeviceProcessEvents) with a subsequent outbound network connection to a known malicious IP (stored in DeviceNetworkEvents). Joining these two tables on the device ID and timestamp within a 5-minute window allows the KQL query to identify the specific sequence of process execution followed by network activity, which is the core behavior being monitored.

Exam trap

The trap here is that candidates may confuse DeviceEvents (which sounds like it covers all events) with the specific process and network tables, or incorrectly assume EmailEvents or IdentityLogonEvents are relevant to endpoint-based detection rules, when in fact only DeviceProcessEvents and DeviceNetworkEvents contain the precise telemetry needed for process-to-network correlation.

138
Multi-Selecteasy

Your organization uses Microsoft Defender for Office 365. You need to protect users from malicious links in email messages. Which TWO features should you configure?

Select 2 answers
A.Anti-phish policy
B.Safe Links
C.Safe Attachments
D.Spam filter policy
E.Safe Links for Office 365 apps
AnswersB, E

Protects users from malicious links.

Why this answer

Options B and E are correct because Safe Links rewrites and checks URLs in email at time of click, and the Safe Links setting for Office 365 apps extends that check to links in Word, Excel, PowerPoint and Teams. Option C is wrong because Safe Attachments protects attachments, not links. Option A is wrong because the anti-phish policy targets impersonation and spoofing, not links specifically.

Option D is wrong because the spam filter policy deals with spam and bulk mail, not malicious links.

139
Multi-Selecthard

A security administrator is configuring Microsoft Defender for Endpoint (MDE) to automatically remediate threats. The administrator wants to ensure that when a high-severity alert is triggered, the affected device is isolated from the network. Which three components must be configured to achieve this? (Choose three.)

Select 3 answers
A.Alert severity
B.Automation level
C.Device tag
D.Indicator of compromise (IoC)
E.Device isolation action
AnswersA, B, E

Alert severity triggers the automation.

Why this answer

Options A, B, and E are correct. Alert severity is the trigger condition; the automation level, set per device group, determines whether Defender for Endpoint carries out remediation automatically or waits for approval; and device isolation is the response action that is executed (it is available as an automated action on custom detection rules and as a response action on the device page).

Option D is wrong because an indicator of compromise (IoC) allows or blocks specific files, IPs, URLs or certificates; it does not drive alert-based automation. Option C is wrong because a device tag only groups devices (and can scope a device group); it triggers nothing by itself.

140
MCQhard

Your company uses Microsoft Defender XDR and Microsoft Defender for Identity. You have detected that a domain controller is communicating with a known malicious IP address. You need to immediately contain the threat by isolating the domain controller from the network while preserving forensic data. However, you cannot afford downtime for authentication services. What should you do?

A.Create a conditional access policy to block the domain controller.
B.Use Microsoft Defender for Endpoint to isolate the domain controller.
C.In Microsoft Defender for Identity, configure a network protection policy to block communication to the malicious IP.
D.Block the IP address at the network firewall.
AnswerD

Blocking the destination removes the malicious channel and leaves Kerberos and LDAP untouched.

Why this answer

Option D is correct because a firewall rule that drops traffic to the known malicious IP cuts the command-and-control path immediately while the domain controller keeps serving authentication, and it leaves the host's memory and disk undisturbed for forensic collection. Option B is wrong because Defender for Endpoint isolation severs all network traffic except to the Defender cloud service; on a domain controller that takes authentication down for every dependent client. Option C is wrong because Defender for Identity is a detection sensor that reads domain controller traffic and event logs; it has no network protection policies and no enforcement point of its own (the host-side equivalent is a Defender for Endpoint custom IP indicator with the Block action, which is not among the options).

Option A is wrong because Conditional Access governs sign-ins to cloud resources by users and devices, not the outbound network traffic of a domain controller.

141
Matchingmedium

Match each Microsoft 365 compliance feature to its purpose.

Descriptions to match

Prevents sensitive data from being shared

Searches and exports content for legal cases

Keeps or deletes content based on rules

Classifies and protects data

Records user and admin activities

Why these pairings

Each description corresponds to one Microsoft Purview feature: Data Loss Prevention (DLP) prevents sensitive data from being shared; eDiscovery searches and exports content for legal cases; retention policies and retention labels keep or delete content based on rules; sensitivity labels classify and protect data; the unified audit log records user and admin activities.

142
MCQhard

Your organization has deployed Microsoft Defender for Cloud Apps. You need to ensure that all external file sharing to untrusted domains is automatically blocked. The solution must not affect internal sharing. What should you configure?

A.Create an access policy in Microsoft Defender for Cloud Apps to block access from untrusted domains.
B.Create a file policy in Microsoft Defender for Cloud Apps with a governance action to remove external users.
C.Configure an app connector for the cloud app to enforce DLP policies.
D.Create a session policy in Microsoft Defender for Cloud Apps to monitor external sharing.
AnswerB

File policies can automatically remove external users from shared files based on domain conditions.

Why this answer

Option B is correct because a file policy, which runs over the app's API connector, can match files shared with external collaborators whose domains are outside your allowed list and apply the governance action that removes those external users, so the share is revoked automatically while internal sharing is untouched. Option D is wrong because session policies act on live sessions routed through Conditional Access App Control; they can block uploads and downloads in that session but do not inspect or change existing sharing permissions. Option A is wrong because access policies allow or block sign-in to the app, not sharing actions.

Option C is wrong because the app connector supplies the data a file policy reads; on its own it enforces nothing.

143
MCQmedium

Your organization uses Microsoft 365 Defender. You need to ensure that when a user reports a phishing email via the Report Message add-in, the email is automatically submitted to Microsoft for analysis and the user is notified of the analysis result. What should you configure?

A.Configure a mail flow rule to forward reported messages to Microsoft
B.Configure User Reported Settings in the Microsoft 365 Defender portal
C.Create a submission policy in the Microsoft 365 Defender portal
D.Enable Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Teams
AnswerB

This setting enables automatic submission and user notification.

Why this answer

Option B is correct because user reported settings (Settings > Email & collaboration > User reported settings) control where reports go: choosing to send reported messages to Microsoft, alone or alongside your reporting mailbox, submits them automatically for analysis, and the notification settings there control the result message the reporter receives. Option A is wrong because a mail flow rule can copy a message to a mailbox but cannot submit it to Microsoft or notify the reporter of a verdict. Option C is wrong because there is no 'submission policy' object; admin submissions are made from the Submissions page.

Option D is wrong because Safe Attachments for SharePoint, OneDrive and Teams (the former ATP setting) detonates files stored in those services and has nothing to do with user reports.

144
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a user opens a malicious Office document, which launches a process named cmd.exe from Microsoft Word, and then that cmd.exe process makes an outbound connection to a known malicious IP address. Which two Advanced Hunting tables must be joined in the KQL query?

Select 2 answers
A.EmailEvents and EmailUrlInfo
B.DeviceProcessEvents and DeviceNetworkEvents
C.DeviceEvents and DeviceLogonEvents
D.DeviceProcessEvents and DeviceRegistryEvents
AnswerB

DeviceProcessEvents tracks process creation; DeviceNetworkEvents tracks outbound network connections.

Why this answer

Option B is the only option that names the pair of tables required: the process creation (cmd.exe whose InitiatingProcessFileName is winword.exe, from DeviceProcessEvents) and the subsequent outbound connection from that same process (DeviceNetworkEvents, where InitiatingProcessId and InitiatingProcessCreationTime identify the connecting process). Joining the two tables on DeviceId and then matching the process event's ProcessId to the network event's InitiatingProcessId ties the specific cmd.exe instance to its network activity. Option D is wrong because DeviceRegistryEvents carries registry changes, not connections; options A and C pair email or logon tables that carry none of this telemetry.

Exam trap

The trap here is that candidates may confuse the tables needed for process-level network correlation with those for email or registry events, leading them to select options that capture unrelated telemetry (e.g., email links or registry changes) instead of the precise process-to-network chain.
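A query that implements the chain in question 144, written here as an added example rather than code from the page. The same join pattern serves the network-then-process rule of question 128 and the process-then-network rule of question 137; only the direction of the time bound changes. The IP watchlist is constructed from RFC 5737 documentation addresses, and the lookback and window values are assumptions to adjust.

```kusto
// Added example; not code from the original page.
// Word spawns cmd.exe, and that same cmd.exe instance reaches a watch-listed IP
// within 5 minutes. The output keeps Timestamp, ReportId and DeviceId, which a
// custom detection rule requires.
let lookback = 1d;   // assumption: widen so it covers the rule's run frequency
let window   = 5m;
// Constructed watchlist (RFC 5737 documentation addresses); in practice replace
// it with your threat-intel feed, e.g. via externaldata().
let BadIps = datatable(RemoteIP:string)
[
    "203.0.113.10",
    "198.51.100.77"
];
let OfficeSpawnedShells = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "cmd.exe"
    | where InitiatingProcessFileName =~ "winword.exe"
    | project DeviceId, DeviceName, ProcStart = Timestamp, ProcessId,
              ProcessCreationTime, ProcessCommandLine,
              ParentName = InitiatingProcessFileName, ProcReportId = ReportId;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (BadIps)
| project DeviceId, NetTime = Timestamp, ReportId, InitiatingProcessId,
          InitiatingProcessCreationTime, RemoteIP, RemotePort
// Same device, then the same process instance: the network event's
// InitiatingProcessId/InitiatingProcessCreationTime pair is the process event's
// ProcessId/ProcessCreationTime pair. Joining on DeviceId alone would pair
// unrelated processes on a busy host; the creation time guards against PID reuse.
| join kind=inner OfficeSpawnedShells on DeviceId
| where InitiatingProcessId == ProcessId
    and InitiatingProcessCreationTime == ProcessCreationTime
// Process first, connection second, at most 'window' apart. For the
// connection-first variant (question 128), bound ProcStart by NetTime instead.
| where NetTime between (ProcStart .. (ProcStart + window))
| project Timestamp = NetTime, ReportId, DeviceId, DeviceName, ParentName,
          ProcessCommandLine, RemoteIP, RemotePort, ProcStart, ProcReportId
```

Run it in advanced hunting first to check volume, then save it as a custom detection rule with a frequency whose lookback covers the window, and attach a device action (isolate, collect investigation package) only once the false-positive rate is known.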

145
MCQhard

You are analyzing a custom detection rule in Microsoft Defender XDR. The rule is designed to alert on suspicious PowerShell execution. However, you notice that the rule is not triggering alerts even though you know such activity is occurring. What is the most likely reason?

A.The query syntax is invalid; 'has_any' requires a dynamic array.
B.The custom detection rule is not enabled.
C.The severity is set to Medium, which may be suppressed by other policies.
D.The rule only looks back 7 days, and the activity occurred more than 7 days ago.
AnswerA

has_any accepts either a parenthesised list of literals or a dynamic array; a list written any other way does not parse, and a rule whose query does not parse never runs.

Why this answer

Option A is correct on the premise the question sets, that the rule's query is syntactically invalid: a rule that fails to compile never executes, so it never raises alerts regardless of whether the activity occurs. The exact syntax matters, though. KQL's has_any accepts both an inline list, 'ProcessCommandLine has_any ("powershell.exe", "cmd.exe")', and a dynamic array, 'ProcessCommandLine has_any (dynamic(["powershell.exe", "cmd.exe"]))'. What does not parse is a bare bracketed list or a comma-separated list without the surrounding parentheses, and the portal rejects such a query when the rule is saved; a rule that parsed when created can also stop compiling later if a column it references is renamed, which is the more common cause of a silently dead rule. Option D is wrong because the rule's lookback covers activity you know is current.

Option C is wrong because severity labels alerts; it does not suppress them. Option B is possible in principle, but a disabled rule is visible at a glance in the rule list, so it is the less likely explanation given the syntax problem.
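A hunting query that serves both question 127 (PowerShell launched with an encoded command) and question 145 (the forms has_any accepts), added here as an example and not taken from the page. The process names, switch list and the keyword lists used for scoring are assumptions to tune; the lookback is arbitrary.

```kusto
// Added example; not code from the original page.
// Finds PowerShell started with an encoded command, decodes the payload for
// triage, and shows both has_any forms that KQL accepts: a dynamic array and a
// parenthesised list of literals. A bare list such as has_any ["a", "b"] is a
// parse error and would leave a custom detection rule silently dead.
let lookback = 7d;
let PsHosts = datatable(FileName:string)
[
    "powershell.exe",
    "pwsh.exe",
    "powershell_ise.exe"
];
// Assumed switch spellings; PowerShell accepts any unambiguous prefix of -EncodedCommand.
let EncSwitches = dynamic(["-EncodedCommand", "-enc", "-ec", "-e"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (PsHosts)
// dynamic-array form of has_any
| where ProcessCommandLine has_any (EncSwitches)
// Pull out the Base64 blob that follows the switch.
| extend Encoded = extract(@"(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", 1, ProcessCommandLine)
| where isnotempty(Encoded)
// -EncodedCommand is Base64 of UTF-16LE text. base64_decode_tostring yields the
// text with an interleaved NUL after every ASCII character; stripping the NULs
// recovers ASCII payloads (non-ASCII characters would not round-trip this way).
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
// inline-literal form of has_any, used here to score rather than filter
| extend Stealthy   = ProcessCommandLine has_any ("-nop", "-noprofile", "-w hidden", "-windowstyle hidden")
| extend Downloader = Decoded has_any ("Net.WebClient", "Invoke-WebRequest", "DownloadString", "IEX")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          ProcessCommandLine, Decoded, Stealthy, Downloader, ReportId
| order by Downloader desc, Stealthy desc, Timestamp desc
```

Scoring instead of filtering keeps the query honest as a hunt: every encoded invocation is listed, with the ones that hide the window and fetch content sorted to the top, and the decoded text is what you read before deciding whether to promote any part of it into a custom detection rule.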

146
MCQhard

A security analyst is investigating a suspected credential theft attack where an attacker attempts to dump credentials from LSASS. Which Attack Surface Reduction (ASR) rule should the administrator enable to block this activity from untrusted processes?

A.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
B.Block Office applications from creating child processes
C.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
D.Block Adobe Reader from creating child processes
AnswerA

This rule prevents untrusted processes from reading LSASS memory, directly blocking credential dumping.

Why this answer

The ASR rule 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) is specifically designed to prevent untrusted processes from accessing LSASS memory and dumping credentials, such as with tools like Mimikatz. This directly addresses the described attack scenario of credential theft from LSASS, making it the correct choice.

Exam trap

The trap here is that candidates may confuse generic credential theft prevention rules (like Windows Defender Credential Guard) with ASR rules, or mistakenly think that blocking child processes (Option B or D) would stop LSASS dumping, when in fact the attack often involves a direct process handle to lsass.exe rather than spawning a child process.

How to eliminate wrong answers

Option B is wrong because 'Block Office applications from creating child processes' prevents Office apps (e.g., Word, Excel) from spawning child processes like PowerShell or cmd.exe, which is a common technique for lateral movement or payload execution, not specifically for dumping credentials from LSASS. Option C is wrong because 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' is a cloud-delivered protection rule that restricts unknown executables based on reputation, not a targeted ASR rule for LSASS credential theft. Option D is wrong because 'Block Adobe Reader from creating child processes' prevents Adobe Reader from launching other executables, which is a defense against PDF-based exploits, not a rule designed to block credential dumping from LSASS.
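Before moving the LSASS rule from Audit to Block, a practitioner wants to know which processes would have been stopped. The following query is an added example, not code from the page; it assumes the ASR event names AsrLsassCredentialTheftAudited and AsrLsassCredentialTheftBlocked as they appear in DeviceEvents, and the path fragments used for the user-writable check are an assumption to tune.

```kusto
// Added example; not code from the original page.
// Lists every process that triggered the LSASS credential-theft ASR rule in the
// last two weeks, so legitimate callers (other security agents, backup tools)
// can be excluded and rare callers from user-writable paths investigated.
let lookback = 14d;
DeviceEvents
| where Timestamp > ago(lookback)
| where ActionType in ("AsrLsassCredentialTheftAudited", "AsrLsassCredentialTheftBlocked")
| summarize Hits = count(),
            Devices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
        by ActionType, InitiatingProcessFileName, InitiatingProcessFolderPath,
           InitiatingProcessSHA1, InitiatingProcessAccountName
// Widespread, long-running callers from Program Files are exclusion candidates;
// one-off callers from user-writable locations are the ones to look at first.
| extend UserWritablePath = InitiatingProcessFolderPath has_any (@"\Users\", @"\Temp\", @"\AppData\", @"\ProgramData\")
| order by UserWritablePath desc, Devices asc, Hits asc
```

Grouping by SHA1 rather than by file name alone matters here: a renamed dumping tool still groups separately from the legitimate binary it is impersonating, and the hash is what you would use for a file indicator if the caller turns out to be hostile.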

147
MCQmedium

You are a security analyst. You need to create a custom detection rule in Microsoft Defender XDR that triggers an alert when a user account is created and then added to a privileged role within 24 hours. Which advanced hunting table should you primarily use?

A.EmailEvents
B.IdentityLogonEvents
C.DeviceEvents
D.CloudAppEvents
AnswerD

CloudAppEvents carries the Microsoft Entra ID audit records for user creation and role assignment.

Why this answer

Option D is correct because user creation ('Add user') and role membership changes ('Add member to role') are Microsoft Entra ID directory audit events, and those surface in advanced hunting in the CloudAppEvents table with the record details in RawEventData, so the two can be correlated per target account within a 24-hour window. Option B is wrong because IdentityLogonEvents holds authentication events only (sign-ins and logon attempts seen by Defender for Identity and Defender for Cloud Apps), not directory changes; for on-premises Active Directory the equivalent directory-change telemetry is IdentityDirectoryEvents, which is not among the options. Option A is wrong because EmailEvents covers mail flow.

Option C is wrong because DeviceEvents covers device-level telemetry, not directory changes.

148
MCQhard

A security administrator is configuring Microsoft Defender for Office 365 to protect against zero-day malware in attachments. The administrator wants to use dynamic delivery so that users can view the email body while the attachment is being analyzed. However, the administrator is concerned about false positives and wants to ensure that if a benign attachment is later found to be malicious, it is removed from the user's inbox. What should the administrator configure?

A.Configure a Safe Attachments policy with dynamic delivery and enable ZAP.
B.Configure a Safe Links policy with URL detonation.
C.Configure an anti-phishing policy with mailbox intelligence.
D.Configure an anti-malware policy with common attachments filter.
AnswerA

Safe Attachments with dynamic delivery and ZAP meets the requirement.

Why this answer

Option A is correct because a Safe Attachments policy set to Dynamic Delivery delivers the message body immediately with a placeholder attachment while the real one is detonated, reattaching it only if it is found clean, and zero-hour auto purge (ZAP) removes an already delivered message whose attachment is later classified as malicious; ZAP for malware is enabled in the anti-malware policy and is on by default. Option C is wrong because anti-phishing policies address impersonation and spoofing, not attachments. Option B is wrong because Safe Links policies handle URLs, not attachments.

Option D is wrong because the common attachments filter in an anti-malware policy blocks by file type, with no detonation and no dynamic delivery.

149
MCQeasy

You are a security administrator. You need to investigate a suspicious logon from an anonymous IP address. Which Microsoft Defender XDR data source should you query first?

A.Identity and authentication events
B.Cloud app events
C.Endpoint device events
D.Vulnerability and compliance events
E.Email & collaboration events
AnswerA

Logon events are part of identity and authentication.

Why this answer

Option A is correct because identity and authentication events (IdentityLogonEvents, and AADSignInEventsBeta for Microsoft Entra ID sign-ins) carry the sign-in records, including source IP and risk signals such as anonymous IP use, that a logon investigation starts from. Option E is wrong because email events are for mail and phishing investigations. Option C is wrong because endpoint events cover device-level activity.

Option B is wrong because cloud app events show what the account did after signing in, not the sign-in itself. Option D is wrong because vulnerability and compliance data describes device exposure, not logons.

150
MCQhard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Defender for Cloud Apps. You need to configure a policy that automatically blocks downloads of sensitive files from a specific cloud app if the user's risk score is high. Which integration and policy type should you use?

A.Create a session policy in Microsoft Defender for Cloud Apps using Conditional Access App Control.
B.Use the Cloud Discovery dashboard to block the app.
C.Create an attack surface reduction rule in MDE.
D.Create a Conditional Access policy in Microsoft Entra ID to block access to the app.
E.Create a device compliance policy in Microsoft Intune.
AnswerA

Session policies can monitor and block downloads based on risk in real-time.

Why this answer

Option A is correct because a session policy uses Conditional Access App Control (a Microsoft Entra Conditional Access policy routes the sign-in through the Defender for Cloud Apps reverse proxy) to inspect the live session, and can block file downloads that match a sensitivity condition when the user's risk level from Entra ID Protection is high; the device's Defender for Endpoint status can be an additional condition. Option B is wrong because Cloud Discovery identifies shadow IT and can only sanction or unsanction an app wholesale. Option C is wrong because attack surface reduction rules govern behaviour on the endpoint, not traffic to a cloud app.

Option D is wrong because a Conditional Access policy on its own can only allow or block access to the app; it has no per-file download control and hands the session to Defender for Cloud Apps for that. Option E is wrong because an Intune compliance policy reports device state and does not inspect downloads.
