CCNA Defender Xdr Security Questions

75 of 284 questions · Page 3/4 · Defender Xdr Security topic · Answers revealed

151
MCQeasy

Your organization uses Microsoft Defender for Office 365. Users report that some phishing emails are still reaching inboxes despite the anti-phish policy being enabled. You need to reduce the number of phishing emails that bypass the filter. What should you configure?

A.Add the phishing domains to the Tenant Allow/Block List
B.Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams
C.Configure spoof intelligence in the anti-phish policy
D.Enable DKIM signing for your custom domains
AnswerC

Spoof intelligence analyzes sender reputation and blocks spoofed senders, reducing phishing.

Why this answer

Option C is correct because spoof intelligence in the anti-phish policy checks whether a sender is allowed to send on behalf of the domain it claims and acts on senders that spoof it, which is exactly the class of phish slipping through. Option A is wrong because the Tenant Allow/Block List is a manual override that covers only domains you already know about. Option B is wrong because Safe Attachments for SharePoint, OneDrive, and Microsoft Teams scans files in those services, not email.

Option D is wrong because DKIM signing authenticates mail that your own domains send; it is not a filtering setting for inbound phishing.

152
MCQmedium

Your company uses Microsoft Defender for Cloud Apps. You notice that a user is downloading large amounts of data from a sanctioned cloud app from an unusual location. You need to automatically suspend the user's access when such activity is detected. What should you configure?

A.Configure an access policy in Defender for Cloud Apps.
B.Configure a file policy in Defender for Cloud Apps.
C.Configure a session policy in Defender for Cloud Apps.
D.Configure an anomaly detection alert in Defender for Cloud Apps.
AnswerC

Session policies can monitor user sessions and take actions like suspending access or blocking downloads.

Why this answer

Option C is correct because a session policy runs inside the proxied session in real time, so it sees the download as it happens and can respond to it, for example by blocking the download or suspending the user. Option A is wrong because an access policy decides at sign-in whether the app may be reached at all; it cannot react to activity that happens after the session is established. Option B is wrong because file policies scan and govern files at rest in the app (sharing, sensitivity), not user sessions.

Option D is wrong for this question because an anomaly detection policy is alert-driven and acts on the account after the fact; the real-time control over the session that the question asks for comes from the session policy.

153
MCQeasy

A company wants to receive alerts when a user account is used from an unauthorized location. They have Microsoft Defender for Cloud Apps (MDA). Which policy type should they create?

A.Create a session policy.
B.Create an app permissions policy.
C.Create a file policy.
D.Create an anomaly detection policy.
AnswerD

Anomaly detection policies identify impossible travel and other anomalies.

Why this answer

Option D is correct because anomaly detection policies in MDA detect user behavior anomalies such as impossible travel and activity from infrequent or unauthorized locations. Option A is wrong because session policies control what a user can do inside a proxied session, not where the session comes from.

Option C is wrong because file policies monitor file sharing. Option B is wrong because app permissions policies manage OAuth apps.

154
MCQhard

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malicious attachments to quarantine and notifies the security team. Additionally, you want to allow users to release their own quarantined messages if they are false positives. What should you do?

A.Create a new anti-malware policy and use the default quarantine policy.
B.Create a new anti-malware policy and set 'User release' to 'False' in the quarantine policy.
C.Create a new anti-malware policy and configure the quarantine policy to use 'LimitedAccess' or 'FullAccess'.
D.Modify the anti-malware policy to set 'Quarantine' as the action and assign a custom quarantine policy with user release enabled.
AnswerC

Allows users to release their own quarantined messages.

Why this answer

Option C is correct because a new anti-malware policy uses AdminOnlyAccessPolicy by default, which lets only admins release quarantined messages. To give users self-service you assign a quarantine policy from a less restrictive permission group. Note the difference between the two named groups: FullAccess includes the Release permission, while LimitedAccess only lets users request release (an admin still approves), so FullAccess is the one that actually lets users release their own messages. Option A is wrong because the default policy is admin-only.

Option B is wrong because turning user release off is the opposite of the requirement. Option D is wrong because the anti-malware policy's only action is already quarantine; what changes who can release is the permission group of the quarantine policy, which is what option C configures.

155
MCQhard

A security analyst wants to automatically create a Microsoft Teams message in a dedicated security channel whenever a Microsoft 365 Defender incident with severity 'High' is created. Which automation approach should the analyst use?

A.Power Automate
B.Automation rules in Defender
C.Microsoft Graph API
D.Action Center
AnswerA

A Power Automate flow can be triggered by new incidents and post messages to a Teams channel using the 'Post message in a chat or channel' action.

Why this answer

Power Automate is the correct choice because it provides a no-code/low-code workflow that can be triggered by the Microsoft 365 Defender connector when an incident is created or updated, filter on severity 'High', and then post to a dedicated Teams channel with the 'Post message in a chat or channel' action. This directly meets the requirement for automatic, event-driven notification without custom code.

Exam trap

The trap here is that candidates confuse 'automation rules' in Defender (which handle response actions like isolation) with external notification workflows, leading them to choose Option B instead of recognizing that Power Automate is the correct integration tool for sending Teams messages.

How to eliminate wrong answers

Option B is wrong because Automation rules in Defender are designed for automated response actions (e.g., isolating a device, blocking an IP) within the Defender portal itself, not for sending external notifications like Teams messages. Option C is wrong because while Microsoft Graph API can technically achieve this, it requires custom scripting, authentication setup, and manual polling or webhook configuration, making it less straightforward than Power Automate for a security analyst without developer resources. Option D is wrong because Action Center is a centralized interface for reviewing and approving pending remediation actions from Defender, not a tool for creating automated notifications or workflows.

156
MCQmedium

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Defender for Cloud Apps. You receive an alert about a user account that is exhibiting suspicious behavior: unusual login times from an IP address that is not in the user's typical location. The alert recommends action. You need to determine if the account is compromised. What is the best next step?

A.Initiate an automated investigation in Microsoft Defender XDR
B.Configure a conditional access policy in Microsoft Entra ID to block the IP
C.Immediately disable the user account
D.Reset the user's password
AnswerA

Automated investigation will analyze signals and determine if compromised.

Why this answer

Option A is correct because an automated investigation in Microsoft Defender XDR correlates the signals from MDI, Defender for Cloud Apps, and the other Microsoft 365 workloads to establish whether the account is compromised before you act on it. Option C is wrong because disabling the account immediately is premature and disrupts legitimate access if the sign-in turns out to be benign. Option D is wrong because a password reset alone neither confirms the compromise nor shows what else was done with the account.

Option B is wrong because a Conditional Access policy that blocks the IP is a containment or longer-term control, not the investigation step the question asks for.

157
MCQmedium

Your organization has Microsoft 365 E5 and uses Microsoft Defender for Cloud Apps. You want to block downloads from an unsanctioned cloud app that is used by some employees. What should you configure?

A.Create a DLP policy to block sharing of sensitive data with the app.
B.Create a conditional access policy to require the use of managed apps.
C.Block the app by its IP addresses in the firewall.
D.Configure the app as unsanctioned in Defender for Cloud Apps and create a session policy to block downloads.
AnswerD

Unsanctioning an app and applying session policies allows you to block downloads and control usage.

Why this answer

Option D is correct because marking the app as unsanctioned in Defender for Cloud Apps lets the integrated blocking (Defender for Endpoint network protection, or a firewall script) enforce the tag, and a session policy applied through Conditional Access App Control blocks downloads in sessions that still reach the app. Option C is wrong because blocking by IP address is unreliable for cloud apps whose addresses change. Option B is wrong because a Conditional Access policy that requires managed apps governs the client, not the unsanctioned app.

Option A is wrong because a DLP policy protects the data being shared but does not block use of the app.

158
Multi-Selectmedium

A security analyst wants to search for instances where a user received a phishing email that was delivered to their inbox, and then later clicked a link within that email that led to a known malicious domain. Which two advanced hunting tables should be joined to identify both the email delivery and the link click events? (Choose the option that correctly identifies the primary table pair.)

A.EmailEvents and DeviceEvents
B.EmailPostDeliveryEvents and DeviceNetworkEvents
C.EmailUrlInfo and DeviceProcessEvents
D.EmailEvents and DeviceLogonEvents
AnswerA

Correct. EmailEvents records the delivery of the message; DeviceEvents records what the user then did on the device, including a link being opened in the browser.

Why this answer

Option A is correct. EmailEvents records each delivered message (DeliveryAction, DeliveryLocation, RecipientEmailAddress, and the NetworkMessageId that uniquely identifies it), while DeviceEvents records what the user did on the endpoint afterwards, including the BrowserLaunchedToOpenUrl action type that captures a link being opened in a browser. Joining the two on the recipient's account and device within a short window after delivery links the message to the click. Where Safe Links is enabled, the click record that carries NetworkMessageId directly is UrlClickEvents (used in question 180 on this page), which gives a cleaner join key than a time window.

Exam trap

The trap is confusing DeviceNetworkEvents (network connections opened by processes) with DeviceEvents (device and user actions, including a link being opened in a browser). DeviceNetworkEvents has no NetworkMessageId and nothing that ties a connection back to a specific email, so Option B cannot correlate delivery with the click.
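To show how the correlation runs in practice, here is an added example (not from the original page) that submits the join as an advanced hunting query through the Microsoft Graph runHuntingQuery endpoint from PowerShell. It joins EmailEvents with UrlClickEvents on NetworkMessageId, the cleanest key when Safe Links is on. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in account holds the ThreatHunting.Read.All permission; the list of malicious domains is a constructed placeholder.

```powershell
# Added example: correlate delivered phishing mail with Safe Links clicks to
# known-bad domains, run through Microsoft Graph advanced hunting.
# Assumes: Microsoft.Graph module; ThreatHunting.Read.All permission.
Connect-MgGraph -Scopes 'ThreatHunting.Read.All' -NoWelcome

# Constructed placeholder list; in practice feed this from your threat intel.
$maliciousDomains = @('login-0ffice365.example', 'sharepoint-docs.example')
$domainLiteral = ($maliciousDomains | ForEach-Object { "'$_'" }) -join ', '

# Single-quoted here-string keeps the KQL untouched; the domain list is spliced in afterwards.
$kql = @'
let suspectDomains = dynamic([__DOMAINS__]);
EmailEvents
| where Timestamp > ago(7d)
| where DeliveryAction == 'Delivered' and DeliveryLocation == 'Inbox/folder'
| where ThreatTypes has 'Phish'
| project DeliveredAt = Timestamp, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject
| join kind=inner (
    UrlClickEvents
    | where Timestamp > ago(7d)
    | extend ClickedHost = tostring(parse_url(Url).Host)
    | where ClickedHost in~ (suspectDomains)
    | project ClickedAt = Timestamp, NetworkMessageId, AccountUpn, Url,
              ActionType, IsClickedThrough
  ) on NetworkMessageId
| where ClickedAt > DeliveredAt and RecipientEmailAddress =~ AccountUpn
| project DeliveredAt, ClickedAt, RecipientEmailAddress, SenderFromAddress,
          Subject, Url, ActionType, IsClickedThrough
| order by ClickedAt desc
'@ -replace '__DOMAINS__', $domainLiteral

$response = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
    -Body (@{ Query = $kql } | ConvertTo-Json) `
    -ContentType 'application/json'

# results is an array of rows keyed by the projected column names.
foreach ($row in $response.results) {
    '{0}  {1}  {2}  {3} (clickedThrough={4})' -f $row.ClickedAt, $row.RecipientEmailAddress,
        $row.ActionType, $row.Url, $row.IsClickedThrough
}
if (-not $response.results) { 'No delivered phish with a click to the listed domains in the last 7 days.' }
```

ActionType in UrlClickEvents tells you whether Safe Links allowed the click, blocked it, or showed a warning; IsClickedThrough is the column that identifies the users who ignored the warning, which is the population to follow up first.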

159
Multi-Selecthard

Your organization uses Microsoft Defender for Identity. You need to configure honeytoken accounts. Which THREE attributes should you ensure are NOT set for honeytoken accounts?

Select 3 answers
A.Description field
B.Last logon timestamp
C.Group memberships
D.Email address
E.Account enabled status
AnswersB, C, D

Honeytoken accounts should have no recent logons; any logon is suspicious.

Why this answer

Options B, C, and D are correct because a honeytoken account should have no legitimate logons (so any logon at all is the signal), no group memberships (so a guessed password grants no real access), and no mailbox or email address that would generate background activity. Option E is wrong because the account must stay enabled, or an attacker who tries it learns nothing and MDI sees nothing. Option A is wrong because the description field is where you make the account look worth attacking.

160
MCQeasy

You run the KQL query shown in the exhibit in Microsoft Defender XDR advanced hunting. What is the primary purpose of this query?

A.Identify all PowerShell activity from a specific user
B.Detect potentially malicious PowerShell commands that are obfuscated
C.Find PowerShell processes running on a specific device
D.List all PowerShell executions in the last 7 days
AnswerB

Encoded commands are often used to hide malicious intent.

Why this answer

Option B is correct because the query keeps only powershell.exe process starts whose command line carries an encoded command, a common way to obfuscate a malicious payload. Option A is wrong because the query does not filter on an account. Option C is wrong because it does not filter on a device.

Option D is wrong because the 7-day window only sets the time scope; the query still restricts the results to encoded invocations rather than listing every PowerShell execution.

161
MCQmedium

You run the above PowerShell command on a Windows 10 device that is onboarded to Microsoft Defender for Endpoint. The device is reporting as healthy in the portal, but you suspect that some behavioral detection capabilities are turned off. Based on the output, which setting should you modify?

A.Set DisableBehaviorMonitoring to False to enable behavior monitoring.
B.Enable cloud-delivered protection by setting MAPSReporting to Advanced.
C.Set DisableBlockAtFirstSeen to True to enable Block at First Sight.
D.Set DisableRealtimeMonitoring to True to enable real-time monitoring.
AnswerA

Behavior monitoring is disabled (True = disabled).

Why this answer

Option A is correct because DisableBehaviorMonitoring is True, which means behavior monitoring is off; setting it to False with Set-MpPreference turns it back on. Option D is wrong because DisableRealtimeMonitoring is already False (real-time protection is on), and setting it to True would switch it off.

Option C is wrong for the same reason: DisableBlockAtFirstSeen is already False, and True would disable Block at First Sight. Option B is wrong because MAPSReporting controls cloud-delivered protection, a separate setting from the behavioral detection that the output shows disabled.
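The Disable* naming trips people up in both directions, so here is an added example (not from the original page) that reads Get-MpPreference, reports each behavioral switch in plain language, and re-enables any that are off. It assumes an elevated PowerShell session on the onboarded device; the list of flags checked is my choice.

```powershell
# Added example: audit the Defender Antivirus switches that Get-MpPreference
# exposes as Disable* flags (True = protection OFF) and re-enable any that are
# off. Run in an elevated PowerShell on the onboarded device.
$pref = Get-MpPreference

# Flag name -> human label; the order is the order of the report.
$checks = [ordered]@{
    DisableRealtimeMonitoring = 'Real-time protection'
    DisableBehaviorMonitoring = 'Behavior monitoring'
    DisableBlockAtFirstSeen   = 'Block at first sight'
    DisableIOAVProtection     = 'Scan downloaded files and attachments'
    DisableScriptScanning     = 'Script scanning'
}

$toFix = @()
foreach ($flag in $checks.Keys) {
    $off = [bool]$pref.$flag
    '{0,-40} {1}' -f $checks[$flag], $(if ($off) { 'OFF' } else { 'on' })
    if ($off) { $toFix += $flag }
}
# Cloud-delivered protection is a level, not a Disable* flag: 0 off, 1 basic, 2 advanced.
'{0,-40} {1}' -f 'Cloud-delivered protection (MAPSReporting)', $pref.MAPSReporting

if ($toFix.Count -eq 0) {
    'All behavioral protections are on; nothing to change.'
} else {
    foreach ($flag in $toFix) {
        # Each Disable* flag is its own Set-MpPreference parameter; splat it by name.
        $param = @{ $flag = $false }
        Set-MpPreference @param
    }
    if ([int]$pref.MAPSReporting -lt 2) { Set-MpPreference -MAPSReporting Advanced }

    # Re-read and confirm. A flag that stays True is being enforced by Intune or
    # Group Policy and has to be changed at that source, not on the device.
    $after = Get-MpPreference
    foreach ($flag in $toFix) {
        '{0}: {1}' -f $flag, $(if ($after.$flag) { 'still OFF (managed elsewhere)' } else { 'on' })
    }
}
```

The re-read at the end matters: on a managed device the local change silently loses to policy, and the portal will keep showing the device as healthy because health reporting and protection state are different things.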

162
MCQmedium

A company uses Microsoft Defender for Cloud Apps to monitor cloud app usage. They want to receive alerts when a user downloads a large number of files from SharePoint Online in a short time, which could indicate data exfiltration. What should they configure?

A.Session policy
B.Anomaly detection policy
C.File policy
D.Activity policy
AnswerD

Activity policies can detect mass download.

Why this answer

Option D is correct because an activity policy with a repeated-activity threshold (for example, more than a set number of file downloads from SharePoint Online by one user within a set number of minutes) alerts on mass download. Option B is wrong in this question because anomaly detection policies are the machine-learned baselines (impossible travel, unusual activity) rather than a threshold you define yourself.

Option C is wrong because file policies monitor sharing. Option A is wrong because a session policy controls what happens inside a session rather than alerting on a download count.

163
Drag & Dropmedium

Drag and drop the steps to configure a Conditional Access policy in Microsoft Entra ID in the correct order.


Why this order

Conditional Access policies are created in Entra ID, assigned to users, conditions defined, and access controls applied.

164
MCQeasy

Your company uses Microsoft Defender XDR. You need to review the list of incidents that were investigated automatically by the system. Where should you navigate in the Microsoft Defender portal?

A.Hunting
B.Action center
C.Reports
D.Incidents & alerts > Incidents
AnswerD

This is where all incidents are listed, including automatically investigated ones.

Why this answer

Option D is correct because Incidents & alerts > Incidents lists every incident, and each incident's page shows the automated investigations that ran for it under its Investigations tab. Option B is wrong because Action center shows pending and completed remediation actions, not incidents. Option A is wrong because Hunting is for proactive hunting with KQL.

Option C is wrong because Reports gives summary reporting, not incident detail.

165
Multi-Selectmedium

Which TWO actions can be performed by Microsoft Defender for Identity? (Select TWO.)

Select 2 answers
A.Manage firewall rules on endpoints.
B.Monitor domain controller activities and behavior.
C.Identify lateral movement paths in your network.
D.Scan files for malware in real time.
E.Block sign-in attempts from malicious IP addresses.
AnswersB, C

Defender for Identity monitors on-premises AD.

Why this answer

Defender for Identity monitors domain controller traffic and events to find compromised identities and lateral movement paths, so Options B (monitor domain controller activities) and C (identify lateral movement paths) are correct. Option E is wrong because Defender for Identity does not block sign-ins by IP address; that is a Conditional Access or Entra ID Protection control.

Option D is wrong because it does not scan files for malware (that is Defender for Endpoint or antivirus). Option A is wrong because it does not manage endpoint firewall rules.

166
Multi-Selecteasy

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) to automatically remediate threats. Which two actions should you take?

Select 2 answers
A.Create a device group for automatic remediation.
B.Assign the Security Administrator role to all users.
C.Configure action center settings to allow automatic remediation.
D.Turn on automated investigation in the Microsoft Defender portal.
E.Set the automation level to 'Full - remediate threats automatically' globally.
AnswersC, D

Correct: Action settings control automatic remediation.

Why this answer

To enable automated investigation and response (AIR) in Microsoft Defender XDR you turn on automated investigation in the Microsoft Defender portal (Option D) and then configure the action settings so that remediation runs automatically instead of waiting for approval in the Action center (Option C). Option E is wrong because the automation level is set per device group, not as a single global switch. Option A is wrong because creating a device group is not required: devices that are not in a custom group fall into the default group, whose automation level you can set. Option B is wrong because the Security Administrator role is not needed to run AIR, and assigning it to all users breaks least privilege.

167
Multi-Selectmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender Advanced Hunting. The rule should trigger when a process named 'powershell.exe' is launched with command-line arguments containing '-EncodedCommand', and within 5 minutes a service is created on the same device. Which two Advanced Hunting tables must be joined in the KQL query to create this detection?

A.DeviceProcessEvents and DeviceEvents
B.DeviceProcessEvents and DeviceNetworkEvents
C.DeviceProcessEvents and DeviceRegistryEvents
D.DeviceEvents and DeviceLogonEvents
AnswerA

DeviceProcessEvents for process creation, DeviceEvents for service creation; both are needed.

Why this answer

Option A is correct because the rule needs process creation events (DeviceProcessEvents) to catch powershell.exe launched with '-EncodedCommand', and service creation events on the same device within 5 minutes. DeviceEvents records service installation as ActionType ServiceInstalled (derived from Windows security event 4697) together with the service name and binary path. Joining the two tables on DeviceId and keeping only service installs that fall within five minutes after the PowerShell launch gives the custom detection its trigger condition.

Exam trap

The trap is assuming that service creation shows up only as a registry change. Installing a service does write keys under HKLM\SYSTEM\CurrentControlSet\Services, so DeviceRegistryEvents can show fragments of it, but the dedicated ServiceInstalled event in DeviceEvents carries the service name and binary in one row and is the table the detection should join. DeviceNetworkEvents and DeviceLogonEvents do not record services at all.
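As an added example (not from the original page), here is the detection built end to end: the join query, and the custom detection rule that schedules it, created through the Microsoft Graph detectionRules API from PowerShell. The same DeviceProcessEvents filter also answers question 160's encoded-command query. It assumes the Microsoft.Graph module and the CustomDetection.ReadWrite.All permission; the rule name, alert text and MITRE technique IDs are my choices, and the AdditionalFields.ServiceName and FolderPath columns are where the ServiceInstalled row carries the service name and binary path.

```powershell
# Added example: create the encoded-PowerShell + service-install custom
# detection through Microsoft Graph. Assumes Microsoft.Graph module and the
# CustomDetection.ReadWrite.All permission.
Connect-MgGraph -Scopes 'CustomDetection.ReadWrite.All' -NoWelcome

# No Timestamp filter on purpose: custom detections are pre-scoped to the
# lookback that matches the run frequency, so ago() here would only cut results.
$kql = @'
let window = 5m;
DeviceProcessEvents
| where FileName in~ ('powershell.exe', 'pwsh.exe')
| where ProcessCommandLine has 'EncodedCommand'
     or ProcessCommandLine matches regex "(?i)\\s-e(nc|c)?\\s+[A-Za-z0-9+/=]{20,}"
| project PsTime = Timestamp, DeviceId, DeviceName, AccountName,
          PsCommandLine = ProcessCommandLine, PsParent = InitiatingProcessFileName
| join kind=inner (
    DeviceEvents
    | where ActionType == 'ServiceInstalled'
    | extend ServiceName = tostring(AdditionalFields.ServiceName)
    | project SvcTime = Timestamp, SvcReportId = ReportId, DeviceId,
              ServiceName, ServiceBinary = FolderPath
  ) on DeviceId
| where SvcTime between (PsTime .. (PsTime + window))
// Timestamp and ReportId must come from the same row; take both from the service event.
| project Timestamp = SvcTime, ReportId = SvcReportId, DeviceId, DeviceName,
          AccountName, PsTime, PsCommandLine, PsParent, ServiceName, ServiceBinary
'@

$rule = @{
    displayName     = 'Encoded PowerShell followed by service install (5 min)'
    isEnabled       = $true
    queryCondition  = @{ queryText = $kql }
    # '0' would request continuous (NRT) evaluation, which does not support joins; run hourly instead.
    schedule        = @{ period = '1H' }
    detectionAction = @{
        alertTemplate = @{
            title              = 'Encoded PowerShell followed by new service on the same device'
            description        = 'powershell.exe ran with an encoded command and a service was installed within five minutes on the same device.'
            severity           = 'high'
            category           = 'Persistence'
            recommendedActions = 'Decode the command line, inspect the service binary, and isolate the device if the binary is unknown or unsigned.'
            mitreTechniques    = @('T1059.001', 'T1543.003')
            impactedAssets     = @(
                @{ '@odata.type' = '#microsoft.graph.security.impactedDeviceAsset'; identifier = 'deviceId' }
            )
        }
        organizationalScope = $null
        responseActions     = @()   # add an isolateDeviceResponseAction once the rule is tuned
    }
}

$created = Invoke-MgGraphRequest -Method POST `
    -Uri 'https://graph.microsoft.com/v1.0/security/rules/detectionRules' `
    -Body ($rule | ConvertTo-Json -Depth 8) `
    -ContentType 'application/json'
'Created rule {0} ({1}), next run {2}' -f $created.displayName, $created.id, $created.schedule.nextRunDateTime
```

Two details are worth copying into any custom detection: the projected Timestamp and ReportId must be taken from the same source row (here the service event) or the rule is rejected, and response actions are best left empty until the query has run in alert-only mode long enough to see its false-positive rate.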

168
MCQmedium

A company uses Microsoft Defender for Office 365. They want to ensure that users cannot ignore warning messages when clicking on a malicious link in an email. What should they configure?

A.Configure the anti-phishing policy with 'Impersonation protection' enabled.
B.Configure a Safe Links policy with 'Do not allow users to click through to original URL' selected.
C.Enable the 'Anti-malware' policy with 'Common attachments filter'.
D.Configure a Safe Attachments policy with 'Block' action.
AnswerB

This prevents users from bypassing the warning.

Why this answer

Option B is correct because a Safe Links policy controls what happens at click time, and clearing 'Let users click through to the original URL' (AllowClickThrough $false in PowerShell) stops users from bypassing the warning page. Option D is wrong because Safe Attachments is for attachments.

Option A is wrong because anti-phishing policies govern impersonation and spoofing, not link click behavior. Option C is wrong because the anti-malware common attachments filter blocks file types, not links.

169
MCQmedium

A company is implementing Microsoft Defender for Identity (MDI) to protect its on-premises Active Directory environment. The security team needs to ensure that MDI can monitor all domain controllers. They have installed the MDI sensor on all domain controllers. However, they notice that some suspicious activities are not being detected. Which additional configuration should the team verify to ensure comprehensive coverage?

A.Configure port mirroring or network tap to ensure the sensor can see all relevant network traffic.
B.Integrate Microsoft Defender for Cloud Apps with MDI.
C.Install Azure AD Connect Health on domain controllers.
D.Enable auditing on domain controllers and forward logs to Microsoft Sentinel.
AnswerA

MDI sensors need to capture network traffic for detection.

Why this answer

Option A is correct because MDI detections are built from the network traffic to and from domain controllers; if a sensor cannot see that traffic, the activity goes unobserved. A sensor installed on a domain controller captures that DC's traffic locally; for any standalone sensor, or for a DC whose traffic takes another path, port mirroring or a network tap is what you verify. Option D is wrong because MDI reads the Windows event logs it needs directly on the DC through its own sensor (the advanced audit policies MDI documents must be enabled, but forwarding logs to Microsoft Sentinel adds nothing to MDI's coverage).

Option C is wrong because Azure AD Connect Health monitors directory sync and AD FS, not MDI. Option B is wrong because Defender for Cloud Apps integration is optional for detection coverage.

170
MCQhard

Your organization uses Microsoft Defender for Identity. You need to investigate an alert indicating a suspected lateral movement using pass-the-hash from a compromised workstation. Which entity should you prioritize examining in the investigation timeline?

A.The source workstation
B.The destination server
C.The compromised account
D.The network segment
AnswerC

Pass-the-hash attacks use the account's hash to move laterally; examining account activities helps trace the attack.

Why this answer

Option C is correct because a pass-the-hash attack reuses the account's NTLM hash, so the compromised account's activity (where it authenticated, from which hosts, to which resources) is what traces the attacker's movement across the environment. Option A is wrong because the source workstation shows where the hash was taken, not where it was used afterwards. Option B is wrong because the destination server is only the latest target; the account links every hop.

Option D is wrong because the network segment is not an entity that MDI profiles.

171
MCQmedium

A security analyst investigates a potential data exfiltration incident. The analyst identifies that a user's device has made multiple connections to an unknown external IP address using a custom port. Which Microsoft Defender XDR data source would provide the most detailed network communication logs for this investigation?

A.Microsoft Defender for Office 365
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Endpoint
D.Microsoft 365 Defender portal alerts
AnswerC

Defender for Endpoint captures detailed network communication events from devices, including connections to external IPs and ports.

Why this answer

Microsoft Defender for Endpoint (MDE) provides the most detailed network communication logs for this investigation because it captures full network events at the device level, including connections to external IP addresses on custom ports. MDE's advanced hunting schema includes the DeviceNetworkEvents table, which records source/destination IPs, ports, protocols, and process-level details, enabling precise analysis of anomalous outbound connections.

Exam trap

The trap here is that candidates often confuse the scope of Microsoft Defender for Cloud Apps, assuming it captures all network traffic, when in fact it only monitors cloud application usage and not raw endpoint network connections.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Office 365 focuses on email and collaboration threats (e.g., phishing, malware in attachments), not on device-level network traffic logs. Option B is wrong because Microsoft Defender for Cloud Apps provides visibility into cloud application usage and shadow IT, but it does not capture raw network connection logs from endpoints; it relies on API logs and traffic metadata from cloud apps. Option D is wrong because Microsoft 365 Defender portal alerts aggregate and correlate alerts from multiple sources but do not themselves store detailed network communication logs; they reference underlying data from MDE or other sources.

172
Multi-Selecteasy

You need to configure Microsoft Defender for Office 365 to protect users from malicious links in email. Which TWO actions should you configure?

Select 2 answers
A.Enable anti-malware engine
B.Enable anti-spam filtering
C.Enable URL detonation
D.Enable Safe Links scanning for email
E.Enable Safe Attachments
AnswersC, D

URL detonation analyzes links in real-time.

Why this answer

Options C and D are correct because Safe Links scanning rewrites and checks URLs in email at delivery and at click time, and URL detonation (real-time URL scanning) analyzes unknown links before the message is released. Option A is wrong because the anti-malware engine scans attachments for known malware, not links. Option B is wrong because anti-spam filtering classifies bulk and spam mail.

Option E is wrong because Safe Attachments detonates attachments, not links.
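Questions 168 and 172 are the same policy seen from two sides, so here is one added example (not from the original page) of a Safe Links policy that rewrites and detonates URLs in email and denies click-through on the warning page, written for Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 license; the policy, rule and domain names are placeholders.

```powershell
# Added example: Safe Links policy with URL rewriting and real-time scanning
# (question 172) and click-through disabled (question 168).
# Assumes: ExchangeOnlineManagement module; Defender for Office 365 license.
Connect-ExchangeOnline

$policyName = 'SafeLinks-Standard'            # placeholder names
$ruleName   = 'SafeLinks-Standard-AllUsers'
$domain     = 'contoso.com'

$settings = @{
    EnableSafeLinksForEmail  = $true    # rewrite and check links in mail (172 D)
    EnableSafeLinksForTeams  = $true
    EnableSafeLinksForOffice = $true
    ScanUrls                 = $true    # real-time URL scanning / detonation (172 C)
    DeliverMessageAfterScan  = $true    # hold the message until the URL scan finishes
    EnableForInternalSenders = $true
    TrackClicks              = $true    # keep click data for investigations
    AllowClickThrough        = $false   # users cannot continue to the original URL (168 B)
    DisableUrlRewrite        = $false
}

if (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-SafeLinksPolicy -Identity $policyName @settings
} else {
    New-SafeLinksPolicy -Name $policyName @settings
    # The policy does nothing until a rule scopes it to recipients.
    New-SafeLinksRule -Name $ruleName -SafeLinksPolicy $policyName -RecipientDomainIs $domain -Priority 0
}

# Verify the effective values; AllowClickThrough must read False.
Get-SafeLinksPolicy -Identity $policyName |
    Format-List EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough, TrackClicks
```

Policy and rule are separate objects on purpose: a policy with no rule applies to nobody, which is the usual reason a freshly created Safe Links policy appears to do nothing.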

173
MCQeasy

A security administrator wants to detect unusual user activity, such as a user downloading an abnormally large number of files from SharePoint Online in a short period. Which Microsoft Defender for Cloud Apps feature should be used to create a policy for this behavior?

A.Cloud Discovery
B.Conditional Access App Control
C.Anomaly detection policy
D.App permissions
AnswerC

Anomaly detection policies can be configured to alert on unusual file download activities based on user context and volume.

Why this answer

Option C is correct because Microsoft Defender for Cloud Apps uses anomaly detection policies to identify unusual user behavior, such as a user downloading an abnormally large number of files from SharePoint Online in a short period. These policies leverage machine learning to establish a baseline of normal activity and then trigger alerts when deviations occur, like a spike in download volume or rate.

Exam trap

The trap here is that candidates often confuse anomaly detection policies with Cloud Discovery, mistakenly thinking Cloud Discovery detects unusual user behavior, when in fact it only identifies unsanctioned cloud apps and services.

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is designed to identify and analyze shadow IT usage by inspecting traffic logs from network proxies or firewalls, not to detect user-specific behavioral anomalies within sanctioned cloud apps like SharePoint Online. Option B is wrong because Conditional Access App Control enforces access policies (e.g., blocking downloads or requiring multi-factor authentication) at the session level, but it does not create detection policies for anomalous user behavior after access is granted. Option D is wrong because App permissions focuses on auditing and managing OAuth permissions granted to third-party apps, not on monitoring user download patterns or detecting unusual activity.

174
MCQeasy

You are a security administrator for an organization that uses Microsoft Defender XDR. You want to provide your security operations team with a unified view of all incidents across endpoints, email, and identities. You also want to automate the creation of incidents when correlated alerts are detected. What should you do?

A.Navigate to the Microsoft Defender XDR portal (security.microsoft.com) and use the Incidents view.
B.Open the Microsoft Defender for Endpoint portal and create a dashboard for all alerts.
C.Install Microsoft Sentinel and configure data connectors for all workloads.
D.Create a custom KQL query that correlates alerts from different sources and create a workbook.
AnswerA

Correct: The XDR portal provides unified incidents across workloads.

Why this answer

Option A is correct because the Microsoft Defender portal (security.microsoft.com, formerly Microsoft 365 Defender) provides the unified Incidents view and automatically correlates alerts from endpoints, email, and identities into incidents. Option B is wrong because the Defender for Endpoint portal covers endpoints only, and its functions now live in the same Defender portal. Option C is wrong because Microsoft Sentinel adds configuration and cost without being required for cross-workload incidents.

Option D is wrong because custom KQL queries and workbooks do not create incidents automatically.

175
MCQmedium

A security administrator wants to reduce the risk of credential dumping from LSASS on managed Windows endpoints. Which Attack Surface Reduction rule should be enabled?

A.Block credential stealing from the Windows Local Security Authority Subsystem
B.Block executable files from running unless they meet prevalence, age, or trusted list criteria
C.Block untrusted and unsigned processes that run from USB
D.Block JavaScript or VBScript from launching downloaded executable content
AnswerA

This ASR rule targets attempts to access LSASS memory for credential theft.

Why this answer

Option A is correct because the 'Block credential stealing from the Windows Local Security Authority Subsystem' ASR rule (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) specifically prevents credential dumping from LSASS by blocking access to the process memory via common techniques like Mimikatz or direct API calls (e.g., OpenProcess, ReadProcessMemory). This directly reduces the risk of credential theft on managed Windows endpoints.

Exam trap

The trap here is that candidates often confuse ASR rules with general malware prevention or USB controls, failing to recognize that the specific rule for LSASS credential protection is explicitly named and targeted at memory-based credential theft, not broader execution or download restrictions.

How to eliminate wrong answers

Option B is wrong because it describes the 'Block executable files from running unless they meet prevalence, age, or trusted list criteria' ASR rule (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25), which targets untrusted executables based on reputation, not credential dumping from LSASS. Option C is wrong because it refers to the 'Block untrusted and unsigned processes that run from USB' ASR rule (GUID: b2b3f03d-6a4c-4b7e-8c6d-1f3b2a1e5c4d), which focuses on USB-borne malware execution, not LSASS memory protection. Option D is wrong because it describes the 'Block JavaScript or VBScript from launching downloaded executable content' ASR rule (GUID: d3e037e1-3eb8-44c8-a917-57927947596d), which prevents script-based download attacks, not direct credential theft from LSASS.
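Here is an added example (not from the original page) of enabling that rule on a device the way it should be done in practice, audit first and then enforce, using the rule GUID cited above. It assumes an elevated PowerShell session on the endpoint; for a fleet the same rule and mode are pushed through Intune or Group Policy, and the exclusion path at the end is a placeholder.

```powershell
# Added example: enable the LSASS credential-theft ASR rule, audit first.
# Run elevated on the endpoint. Flip $Enforce to $true after reviewing audit events.
$lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Block credential stealing from LSASS
$Enforce   = $false

function Get-AsrRuleState {
    param([Parameter(Mandatory)][string]$RuleId)
    $pref = Get-MpPreference
    $ids  = @($pref.AttackSurfaceReductionRules_Ids)
    # Ids and Actions are parallel arrays: Actions[i] is the mode of Ids[i].
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i] -ieq $RuleId) {
            switch ([int]$pref.AttackSurfaceReductionRules_Actions[$i]) {
                0 { return 'Disabled' }
                1 { return 'Block' }
                2 { return 'Audit' }
                6 { return 'Warn' }
                default { return 'Unknown' }
            }
        }
    }
    return 'NotConfigured'
}

'Before: {0}' -f (Get-AsrRuleState $lsassRule)

# Stage 1: AuditMode logs what would have been blocked (event ID 1122 in the
# Microsoft-Windows-Windows Defender/Operational log) without stopping anything.
# Add-MpPreference merges into the existing rule list; Set-MpPreference would replace it.
Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions AuditMode
'Audit:  {0}' -f (Get-AsrRuleState $lsassRule)

# Stage 2: enforce. Blocked LSASS access then logs event ID 1121.
if ($Enforce) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions Enabled
    'After:  {0}' -f (Get-AsrRuleState $lsassRule)
}

# A legitimate LSASS reader (backup or EDR agent) that shows up in the audit
# events gets an ASR exclusion, not a downgraded rule. Path is a placeholder.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\Vendor\agent.exe'
```

Reading the rule state back through the two parallel arrays is the only local way to confirm the mode; the portal's device page lags, and an Intune or GPO setting silently wins over whatever the script set.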

176
Multi-Selectmedium

Which THREE settings can you configure in a Microsoft Defender for Office 365 anti-phish policy?

Select 3 answers
A.Mailbox intelligence
B.Safe Attachments
C.DKIM signing
D.User impersonation protection
E.Spoof intelligence
AnswersA, D, E

Mailbox intelligence is part of anti-phish policies.

Why this answer

Options A, D, and E are correct: an anti-phish policy holds spoof intelligence, mailbox intelligence (and its impersonation protection), and user and domain impersonation protection. Option C is wrong because DKIM signing is configured for your own domains and published in DNS, not in the anti-phish policy.

Option B is wrong because Safe Attachments is a separate policy.
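Questions 151 and 176 both come down to what lives in the anti-phish policy, so here is one added example (not from the original page) that sets spoof intelligence, mailbox intelligence and impersonation protection together with Exchange Online PowerShell. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 license; the policy name, domain and protected users are constructed placeholders.

```powershell
# Added example: anti-phish policy with spoof intelligence (question 151) and
# the mailbox-intelligence and impersonation settings (question 176).
# Assumes: ExchangeOnlineManagement module; Defender for Office 365 license.
Connect-ExchangeOnline

$policyName = 'AntiPhish-Strict'   # placeholder
$domain     = 'contoso.com'        # placeholder
# Constructed list; the required format is "DisplayName;EmailAddress".
$vips = @('Jane Doe;jane.doe@contoso.com', 'Finance Approvals;cfo@contoso.com')

$settings = @{
    EnableSpoofIntelligence             = $true          # 151 C: evaluate and act on spoofed senders
    AuthenticationFailAction            = 'Quarantine'   # when composite authentication fails
    EnableMailboxIntelligence           = $true          # 176 A: learn each user's contact graph
    EnableMailboxIntelligenceProtection = $true          # ...and act on impersonation it infers
    MailboxIntelligenceProtectionAction = 'Quarantine'
    EnableTargetedUserProtection        = $true          # 176 D: user impersonation
    TargetedUsersToProtect              = $vips
    TargetedUserProtectionAction        = 'Quarantine'
    EnableOrganizationDomainsProtection = $true          # domain impersonation for accepted domains
    TargetedDomainProtectionAction      = 'Quarantine'
    PhishThresholdLevel                 = 3              # 1 standard ... 4 most aggressive
    EnableFirstContactSafetyTips        = $true
    EnableUnauthenticatedSender         = $true          # '?' marker on unauthenticated senders
    EnableViaTag                        = $true
}

if (Get-AntiPhishPolicy -Identity $policyName -ErrorAction SilentlyContinue) {
    Set-AntiPhishPolicy -Identity $policyName @settings
} else {
    New-AntiPhishPolicy -Name $policyName @settings
    # Scope the policy to recipients; without a rule it applies to nobody.
    New-AntiPhishRule -Name "$policyName-AllUsers" -AntiPhishPolicy $policyName -RecipientDomainIs $domain -Priority 0
}

# Verify. DKIM (151 D) is a separate step (New-DkimSigningConfig plus DNS records), not part of this policy.
Get-AntiPhishPolicy -Identity $policyName |
    Format-List EnableSpoofIntelligence, AuthenticationFailAction, EnableMailboxIntelligence,
                EnableMailboxIntelligenceProtection, EnableTargetedUserProtection, TargetedUsersToProtect,
                EnableOrganizationDomainsProtection, PhishThresholdLevel
```

The three impersonation actions are separate on purpose: an organization can quarantine on user impersonation while only redirecting on mailbox-intelligence verdicts, which are probabilistic and noisier.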

177
MCQeasy

A security administrator wants to ensure that all email attachments are scanned in a sandbox environment and blocked if malicious, with email delivery delayed until scanning completes. Which Microsoft 365 Defender policy should the administrator configure?

A.Safe Links policy
B.Safe Attachments policy
C.Anti-spam policy
D.Anti-phishing policy
AnswerB

Safe Attachments scans email attachments in a virtual sandbox and blocks malicious ones, delaying delivery until analysis is complete.

Why this answer

Safe Attachments policy is the correct choice because it detonates email attachments in a virtual sandbox before they reach the user. To satisfy 'delivery delayed until scanning completes', the policy action must be Block (or Replace): the whole message is held until the scan finishes and is quarantined if the attachment is malicious. The Dynamic Delivery action does not meet that requirement, since it delivers the message body immediately with a placeholder and reattaches the file only after a clean verdict.

Exam trap

The trap here is that candidates often confuse Safe Attachments with Safe Links, assuming both handle attachments, but Safe Links only handles URLs, not file attachments, and the question explicitly requires sandbox scanning of attachments.

How to eliminate wrong answers

Option A is wrong because Safe Links policy protects users from malicious URLs in email messages and Office documents, not from email attachments; it does not perform sandbox scanning of files. Option C is wrong because Anti-spam policy filters inbound and outbound email based on spam, bulk mail, and phishing indicators, but it does not scan attachments in a sandbox environment. Option D is wrong because Anti-phishing policy protects against impersonation and spoofing attacks, not against malicious attachments; it does not include sandbox-based file scanning.
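Questions 154 and 177 share the quarantine plumbing, so here is one added example (not from the original page) that creates a quarantine policy users can release from, an anti-malware policy that notifies the security team and uses it, and a Safe Attachments policy with the Block action. It assumes the ExchangeOnlineManagement module and a Defender for Office 365 license; policy names, the notification address and the domain are placeholders, and the permission bit layout is the one documented for EndUserQuarantinePermissionsValue.

```powershell
# Added example: quarantine policy with user release (question 154), anti-malware
# policy with admin notifications, and Safe Attachments with Block (question 177).
# Assumes: ExchangeOnlineManagement module; Defender for Office 365 license.
Connect-ExchangeOnline

$domain = 'contoso.com'             # placeholder
$secOps = 'secops@contoso.com'      # placeholder notification mailbox

# 1. Quarantine policy. EndUserQuarantinePermissionsValue is the decimal of 8 bits in this order:
#    ViewHeader, Download, AllowSender, BlockSender, RequestRelease, Release, Preview, Delete.
#    Full access    = 00010111 = 23  (BlockSender, Release, Preview, Delete)  -> users release themselves
#    Limited access = 00011011 = 27  (BlockSender, RequestRelease, Preview, Delete) -> request only
$qpName = 'Malware-UserRelease'
if (-not (Get-QuarantinePolicy -Identity $qpName -ErrorAction SilentlyContinue)) {
    New-QuarantinePolicy -Name $qpName -EndUserQuarantinePermissionsValue 23 -ESNEnabled $true
}

# 2. Anti-malware policy: detections are always quarantined; the quarantine tag decides who may release.
$mpName = 'AntiMalware-Standard'
if (-not (Get-MalwareFilterPolicy -Identity $mpName -ErrorAction SilentlyContinue)) {
    New-MalwareFilterPolicy -Name $mpName `
        -EnableFileFilter $true `
        -QuarantineTag $qpName `
        -EnableInternalSenderAdminNotifications $true -InternalSenderAdminAddress $secOps `
        -EnableExternalSenderAdminNotifications $true -ExternalSenderAdminAddress $secOps
    New-MalwareFilterRule -Name "$mpName-AllUsers" -MalwareFilterPolicy $mpName -RecipientDomainIs $domain
}

# 3. Safe Attachments: Block holds the whole message until detonation finishes and
#    quarantines it on a malicious verdict. DynamicDelivery would deliver the body first.
$saName = 'SafeAttachments-Block'
if (-not (Get-SafeAttachmentPolicy -Identity $saName -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $saName -Enable $true -Action Block -QuarantineTag $qpName
    New-SafeAttachmentRule -Name "$saName-AllUsers" -SafeAttachmentPolicy $saName -RecipientDomainIs $domain
}

# Verify the chain end to end.
Get-QuarantinePolicy  -Identity $qpName | Format-List Name, EndUserQuarantinePermissions, ESNEnabled
Get-MalwareFilterPolicy -Identity $mpName | Format-List Name, QuarantineTag, EnableFileFilter
Get-SafeAttachmentPolicy -Identity $saName | Format-List Name, Enable, Action, QuarantineTag
```

Keep the user-release quarantine policy for the malware verdicts you are willing to let users overturn; many organizations use it for Safe Attachments detonations but leave high-confidence malware on the admin-only policy.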

178
MCQmedium

You are investigating an incident in Microsoft Defender XDR where a user received a phishing email that contained a link to a malicious site. The user clicked the link but did not enter credentials. Which actions would be most effective to remediate the incident?

A.Block the user's account from signing in.
B.Use Threat Explorer to delete the phishing email from all mailboxes.
C.Initiate an automated investigation on the user's device.
D.Block the URL in the Tenant Allow/Block List.
E.Reset the user's password immediately.
AnswerB, C

Removing the email prevents further exposure.

Why this answer

Option B is correct because soft-deleting the email from all mailboxes removes the threat. Option C is correct because investigating the user's device for any post-click activity is crucial. Option A is wrong because blocking the user's sign-in is not necessary since credentials were not compromised.

Option E is wrong because resetting the password is not needed. Option D is wrong because blocking the URL is good but not sufficient, as the email remains in other users' inboxes.

179
MCQhard

Your organization has Microsoft Defender for Cloud Apps deployed. You need to be alerted when a user performs more than 50 failed login attempts in an hour from a non-corporate IP address. Which type of policy should you create?

A.Session policy
B.Anomaly detection policy
C.File policy
D.Access policy
AnswerB

Anomaly detection policies can detect unusual login patterns.

Why this answer

Option B is correct because an anomaly detection policy in Defender for Cloud Apps can detect unusual login patterns, such as multiple failed attempts. Option A is wrong because a session policy controls access in real time, not detection. Option D is wrong because an access policy enforces conditional access.

Option C is wrong because a file policy monitors file activities.

180
Multi-Selecthard

A security analyst wants to create a custom detection rule that triggers when a user receives a phishing email that bypassed Exchange Online Protection, and then clicks a link that leads to a known malicious domain. Which two advanced hunting tables should the analyst combine to detect this chain of events?

Select 2 answers
A.EmailEvents and DeviceNetworkEvents
B.EmailEvents and UrlClickEvents
C.EmailEvents and IdentityLogonEvents
D.UrlClickEvents and DeviceNetworkEvents
AnswersB, D

EmailEvents tracks email delivery and UrlClickEvents tracks when users click URLs in email. Combining them allows correlation.

Why this answer

Option B is correct because the detection requires correlating the email receipt (EmailEvents) with the user's click on a malicious link (UrlClickEvents). EmailEvents captures email delivery details, while UrlClickEvents records user clicks on URLs in email messages, including those that bypassed Exchange Online Protection. Combining these two tables allows the analyst to identify the specific chain: a user received a phishing email and then clicked a link to a known malicious domain.

Exam trap

The trap here is that candidates often confuse DeviceNetworkEvents with user click events, assuming network-level logs can replace UrlClickEvents, but DeviceNetworkEvents does not capture the user's click action on an email link or the email context (e.g., NetworkMessageId).

181
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is accessing a sanctioned cloud app from an unknown IP address. You want to require multi-factor authentication (MFA) for this access. What should you configure?

A.Create a file policy
B.Create an access policy
C.Create a session policy
D.Create an app discovery policy
AnswerB

Access policies can require MFA based on location, device, etc.

Why this answer

Option B is correct because an access policy can require MFA based on conditions like IP address. Option C is wrong because session policies control real-time access but are for monitoring. Option D is wrong because app discovery policies identify apps.

Option A is wrong because file policies control file sharing.

182
MCQhard

A security analyst needs to create a custom detection rule in Microsoft Defender XDR that triggers when a user's device establishes a network connection to a known malicious IP address on a port commonly used by a specific malware. The rule must also include process information such as the filename of the process that initiated the connection. Which advanced hunting table should be the primary data source for this rule?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.DeviceFileEvents
D.IdentityLogonEvents
AnswerA

Correct. This table includes network connection events with details like remote IP, port, and initiating process filename, allowing direct rule creation.

Why this answer

The DeviceNetworkEvents table in Microsoft Defender XDR captures network connection events, including source and destination IP addresses, ports, and the initiating process's filename and ID. This makes it the ideal primary data source for a custom detection rule that must trigger on a specific malicious IP and port combination while also providing process information.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which includes process command lines) as sufficient for network detection, overlooking that it lacks the network-specific fields (RemoteIP, RemotePort) required to match a malicious IP and port combination.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it logs process creation and termination events, not network connections; it lacks the destination IP and port fields needed for this rule. Option C (DeviceFileEvents) is wrong because it tracks file creation, modification, and deletion events, which are irrelevant to network connections. Option D (IdentityLogonEvents) is wrong because it captures authentication and logon events from Azure AD, not network-level activities on devices.

183
MCQeasy

You are a security administrator for a company that uses Microsoft Defender XDR. You need to investigate a suspicious email that was reported by a user. You want to see the full email details, including headers, attachments, and URLs. Where should you look?

A.Use the Threat analytics dashboard to find the email.
B.Go to the user entity page and view their email activity.
C.In the Microsoft Defender XDR portal, search for the email message ID or subject to open the email entity page.
D.Open the incident related to the email and view the alert details.
AnswerC

Correct: Email entity page shows full details.

Why this answer

Option C is correct because the email entity page in Microsoft Defender XDR provides detailed information about a specific email. Option D is wrong because that page shows alerts, not email details. Option A is wrong because it shows attack patterns.

Option B is wrong because it shows user activity, not email details.

184
MCQhard

You create a custom detection rule in Microsoft Defender XDR using the KQL query shown in the exhibit. The rule is intended to detect lateral movement via SMB. After deploying the rule, you notice that it generates many false positives from legitimate administrative activity. What is the most effective way to reduce false positives?

A.Filter for only inbound SMB connections
B.Remove the join with DeviceProcessEvents
C.Add a filter to exclude specific administrative accounts or IP ranges
D.Increase the time window of the query
AnswerC

Excluding known good activity reduces false positives.

Why this answer

Option C is correct because adding a filter to exclude known administrative accounts or devices can reduce false positives. Option D is wrong because increasing the time window would include more events, potentially increasing false positives. Option B is wrong because removing the join would eliminate the correlation between SMB connections and PowerShell, which is key to detecting lateral movement.

Option A is wrong because focusing only on inbound connections may miss the lateral movement scenario.

185
MCQeasy

Your organization uses Microsoft Defender for Endpoint (MDE). A security analyst needs to investigate a file that was detected as malicious on several devices. The analyst wants to see the file's prevalence across the organization and other related events. Which feature in MDE should the analyst use?

A.File page
B.Alert page
C.Device page
D.Investigation page
AnswerA

File page shows file prevalence, devices, and related events.

Why this answer

Option A is correct because the File page in MDE provides details about the file, including prevalence, device list, and related events. Option C is wrong because the Device page focuses on a specific device. Option B is wrong because the Alert page focuses on alerts.

Option D is wrong because the Investigation page is for automated investigations.

186
MCQhard

Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A security analyst reports that several domain controllers are generating alerts for anomalous logon activity. You need to investigate the scope of the potential compromise across the entire environment, including endpoints, identities, and cloud apps. What is the most efficient approach?

A.Check each workload portal individually and correlate manually
B.Review the alerts in Microsoft Defender for Identity only
C.Review the alerts in Microsoft Defender for Endpoint only
D.Use the Microsoft Defender XDR portal to view the unified incident
AnswerD

Unified incident view correlates all workload alerts.

Why this answer

Option D is correct because Microsoft Defender XDR provides a unified incident view that correlates alerts from all workloads. Option C is wrong because checking only endpoints misses identity and cloud app alerts. Option B is wrong because checking only identities misses endpoints.

Option A is wrong because using multiple portals is inefficient.

187
MCQmedium

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You need to ensure that when a user is determined to be compromised (e.g., due to a leaked credential), all active sessions are terminated and the user is required to re-authenticate with multi-factor authentication (MFA). You want to automate this process as much as possible. What should you do?

A.In Microsoft Defender for Cloud Apps, create a session policy with the 'Suspend user' governance action and configure it to revoke sessions and require re-authentication.
B.Disable the user account in Microsoft Entra ID.
C.Create a conditional access policy that requires MFA for all users.
D.Manually reset the user's password and sign out of all sessions.
AnswerA

Correct: Automatically terminates sessions and forces MFA re-authentication.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps can use the 'Suspend user' governance action and integrate with Microsoft Entra ID to revoke sessions and require re-authentication with MFA. Option C is wrong because conditional access alone does not terminate existing sessions. Option D is wrong because a manual reset does not terminate active sessions.

Option B is wrong because disabling the account terminates sessions but does not require MFA re-authentication.

188
MCQhard

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. A user receives an email with a link that leads to a malicious website. The user clicks the link, but the browser is protected by Microsoft Defender SmartScreen. However, the user is still able to download a file from the site. What should you configure to prevent this?

A.Enable Attack Surface Reduction rules.
B.Enable network protection in Microsoft Defender for Endpoint.
C.Enable Safe Attachments in Microsoft Defender for Office 365.
D.Configure an Anti-Phishing policy.
E.Enable Safe Links in Microsoft Defender for Office 365.
AnswerE

Safe Links blocks malicious URLs at the time of click, preventing access to the malicious site.

Why this answer

Option E is correct because Safe Links protects users by scanning URLs in emails and blocking malicious links at time of click. Option C is wrong because Safe Attachments is for email attachments, not links. Option D is wrong because Anti-Phishing policies deal with impersonation.

Option A is wrong because Attack Surface Reduction rules apply to processes, not web downloads. Option B is wrong because network protection blocks connections to malicious IPs, but the download may occur if the site is allowed.

189
MCQmedium

A security administrator wants to automatically isolate a device in Microsoft Defender for Endpoint whenever a high-severity alert is triggered. The isolation should occur without manual intervention. Which Microsoft Defender XDR feature should be configured?

A.Attack surface reduction rules
B.Automated investigation and response
C.Threat analytics
D.Vulnerability management
AnswerB

Correct. AIR automates investigation and can take response actions like device isolation based on alert severity.

Why this answer

Automated Investigation and Response (AIR) in Microsoft Defender XDR is designed to automatically respond to threats by running playbooks that can take remediation actions, such as isolating a device, without manual intervention. When a high-severity alert triggers, AIR evaluates the alert and, if configured, executes the isolation action as part of its automated response, meeting the requirement for zero-touch isolation.

Exam trap

The trap here is that candidates often confuse proactive prevention features (like ASR rules) with automated post-breach response capabilities, assuming any security feature that 'blocks' something can also isolate a device automatically.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction (ASR) rules are proactive policies that block specific behaviors (e.g., Office apps creating child processes) but do not perform post-breach automated isolation actions. Option C is wrong because Threat Analytics provides intelligence reports on active threats and vulnerabilities but does not execute any automated remediation or device isolation. Option D is wrong because Vulnerability Management identifies and prioritizes software vulnerabilities but lacks the capability to automatically isolate a device in response to an alert.

190
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to ensure that emails containing malicious attachments are automatically removed from users' inboxes after detection. What should you configure?

A.Configure a Safe Links policy
B.Configure an anti-spam policy to delete the email
C.Configure a Safe Attachments policy
D.Use the attack simulation training to report the email
AnswerC

Safe Attachments can automatically remove malicious attachments.

Why this answer

Option C is correct because Safe Attachments policies can automatically remove detected malicious attachments. Option B is wrong because anti-spam policies handle spam, not malware. Option A is wrong because Safe Links policies handle URLs.

Option D is wrong because phishing simulation is for training.

191
MCQhard

A security analyst is using Microsoft 365 Defender Advanced Hunting to investigate a potential malware outbreak. The analyst needs to find all devices where a specific signed executable (known to be malicious) was created in the past 24 hours. Which Advanced Hunting table should be queried to detect the creation of the executable file?

A.DeviceFileEvents
B.DeviceProcessEvents
C.DeviceNetworkEvents
D.DeviceRegistryEvents
AnswerA

This table logs file creation, modification, and other file events, including the file name and path, which is needed to find the malicious executable.

Why this answer

The DeviceFileEvents table in Microsoft 365 Defender Advanced Hunting captures file creation, modification, and deletion events. Since the question specifically asks for detecting the creation of a signed executable file, this table provides the necessary data, including file name, path, and timestamp, to identify when and where the malicious executable was created.

Exam trap

The trap here is that candidates often confuse file creation with process execution, mistakenly selecting DeviceProcessEvents because they think of the executable running, but the question explicitly asks for the creation event, which is only captured in DeviceFileEvents.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation and execution events, not file creation; it would show the executable running but not its initial creation. Option C is wrong because DeviceNetworkEvents records network connections and communications, which are unrelated to local file creation. Option D is wrong because DeviceRegistryEvents tracks registry key modifications, not file system operations like file creation.

192
MCQeasy

You are a security administrator. You need to ensure that email messages containing malicious attachments are automatically removed from all mailboxes in your organization after delivery. Which Microsoft Defender for Office 365 feature should you configure?

A.Safe Links
B.Zero-hour auto purge (ZAP)
C.Anti-phishing
D.Safe Attachments
AnswerB

ZAP retroactively removes malicious messages from mailboxes.

Why this answer

Option B is correct because Zero-hour auto purge (ZAP) automatically removes malicious messages that have already been delivered to mailboxes. Option D is wrong because Safe Attachments scans attachments before delivery. Option A is wrong because Safe Links scans URLs.

Option C is wrong because anti-phishing policies protect against phishing; they do not necessarily remove malicious attachments after delivery.

193
MCQhard

Your organization deploys Microsoft Defender XDR and wants to use advanced hunting to detect lateral movement by an attacker who uses RDP from a compromised workstation to a domain controller. Which KQL query should you use in advanced hunting?

A.DeviceNetworkEvents | where RemotePort == 3389 and RemoteIP == '10.0.0.10' and InitiatingProcessAccountName == 'compromised_user'
B.DeviceLogonEvents | where RemoteIP == '10.0.0.10' and LogonType == '10'
C.IdentityLogonEvents | where AccountUpn == 'compromised_user@contoso.com' and Application == 'Microsoft Remote Desktop'
D.DeviceProcessEvents | where ProcessCommandLine contains 'mstsc.exe' and AccountName == 'compromised_user'
AnswerA

This query shows RDP connections from a compromised user to the DC.

Why this answer

Option A is correct because DeviceNetworkEvents captures network connections, and filtering for RDP (port 3389) from a compromised device to a domain controller identifies lateral movement. Option B is wrong because DeviceLogonEvents shows logons but not the network direction. Option D is wrong because DeviceProcessEvents shows processes, not network connections.

Option C is wrong because IdentityLogonEvents is for cloud identities, not endpoint network events.

194
MCQmedium

Refer to the exhibit. You are configuring a session policy in Microsoft Defender for Cloud Apps. The policy must block downloads when both the app risk is high and the user risk is high. Based on the exhibit, which additional condition should you add to ensure the policy only applies to unsanctioned apps?

A.Add a condition for app risk score to be medium or low.
B.Add a condition for user risk score to be medium.
C.Add a condition for activity to include upload.
D.Add a condition for app tag to be 'unsanctioned'.
AnswerD

Adding a condition for the app tag unsanctioned ensures the policy only applies to unsanctioned apps.

Why this answer

Option D is correct because the policy currently applies to all apps with high risk; to limit to unsanctioned apps, you need to add a condition for the app tag. Option A is wrong because the policy already checks app risk score. Option B is wrong because the policy already checks user risk.

Option C is wrong because the policy already checks the activity.

195
MCQmedium

An administrator wants to configure automated investigation and response (AIR) in Microsoft 365 Defender so that when a high-severity malware alert is generated for a device from Microsoft Defender for Endpoint, the device is automatically isolated from the network without requiring a security analyst to approve the action. Which configuration step is required?

A.Set the automation level for device isolation to 'Semi - require approval for any remediation'
B.Set the automation level for device isolation to 'Full - remediate threats automatically'
C.Create a custom detection rule that automatically isolates the device
D.Enable 'Automated device isolation' in the Microsoft 365 Defender settings
AnswerB

Full automation means the system automatically takes action (including device isolation) without waiting for approval.

Why this answer

Option B is correct because setting the automation level for device isolation to 'Full - remediate threats automatically' in Microsoft Defender for Endpoint's automated investigation and response (AIR) configuration allows the system to automatically isolate a device when a high-severity malware alert is triggered, without requiring analyst approval. This automation level is specifically designed to execute remediation actions like device isolation immediately based on the alert's severity and the device's risk level.

Exam trap

The trap here is that candidates often confuse the 'Full' automation level with requiring approval for all actions, or they mistakenly think a separate toggle like 'Automated device isolation' exists, when in fact the automation level controls all remediation actions including isolation.

How to eliminate wrong answers

Option A is wrong because 'Semi - require approval for any remediation' means that any remediation action, including device isolation, will wait for a security analyst to manually approve it, which contradicts the requirement for automatic isolation without approval. Option C is wrong because creating a custom detection rule is not the standard or recommended method for configuring automated device isolation; AIR automation levels are the native mechanism to control automatic remediation actions. Option D is wrong because 'Automated device isolation' is not a standalone setting in Microsoft 365 Defender; the correct configuration is done through the automation level settings within the device group's AIR policies.

196
MCQmedium

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A user reports receiving a suspicious email with a link to a known phishing site. You need to prevent other users from clicking similar links in the future. What should you configure?

A.Use the attack simulation training to educate users
B.Create a Safe Attachments policy to block the attachment
C.Configure a spam filter policy to block the sender
D.Add the URL to the Tenant Allow/Block List in Microsoft 365 Defender
AnswerD

Block list prevents users from accessing the URL.

Why this answer

Option D is correct because creating a block entry in the Tenant Allow/Block List will block the URL across the organization. Option C is wrong because spam filter settings are for spam, not specific URLs. Option B is wrong because Safe Attachments policies handle attachments, not URLs.

Option A is wrong because phishing simulation is for training, not blocking.

197
MCQmedium

A security administrator wants to automatically block a file that is detected as malware on one endpoint from being executed on all other endpoints in the organization. Which Microsoft Defender for Endpoint capability provides this?

A.Attack surface reduction rules
B.Network protection
C.Tamper protection
D.Automated investigation and remediation
AnswerD

Automated investigation can take actions such as blocking a file and containing it across the organization.

Why this answer

Automated investigation and remediation (AIR) in Microsoft Defender for Endpoint is designed to automatically respond to detected threats by containing or blocking malicious files across the organization. When malware is detected on one endpoint, AIR can trigger a remediation action (e.g., blocking the file hash) that is propagated to all other endpoints via the Microsoft Defender security center, preventing execution elsewhere.

Exam trap

The trap here is that candidates often confuse automated investigation and remediation with proactive controls like attack surface reduction rules, but AIR is specifically the reactive, automated response capability that can block a detected file across all endpoints.

How to eliminate wrong answers

Option A is wrong because attack surface reduction rules are proactive policies that reduce exploit entry points (e.g., blocking Office apps from creating child processes), not a reactive mechanism to block a file already detected as malware across endpoints. Option B is wrong because network protection blocks outbound connections to malicious IPs/domains using the Windows Filtering Platform, not the execution of a specific file hash on endpoints. Option C is wrong because tamper protection prevents unauthorized changes to security settings (e.g., disabling real-time protection), but does not automatically block a detected malware file from running on other machines.

198
MCQeasy

Your organization is a small business with 200 users. You use Microsoft 365 Business Premium, which includes Microsoft Defender for Business (the small business version of Defender for Endpoint) and Microsoft Defender for Office 365 Plan 1. You want to protect against ransomware by blocking malicious processes and behaviors on endpoints. You also need to enable automated investigation and response for common threats. However, your IT team has limited security expertise and wants a simple configuration that provides out-of-the-box protection without custom policies. What should you do?

A.Configure Safe Attachments policies in Microsoft Defender for Office 365 to block ransomware attachments.
B.Enable the default security baseline in Microsoft Defender for Business, which includes attack surface reduction rules and automated investigation.
C.Create custom attack surface reduction rules in Microsoft Defender for Business to block ransomware behaviors.
D.Deploy a third-party endpoint detection and response (EDR) solution alongside Microsoft Defender for Business.
AnswerB

Out-of-the-box protection with minimal configuration.

Why this answer

Option B is correct because Defender for Business provides default security baselines that include attack surface reduction rules and automated investigation, requiring minimal configuration. Option C is wrong because creating custom policies is complex and not necessary. Option D is wrong because third-party EDR adds complexity and cost.

Option A is wrong because Safe Attachments is for email, not endpoint behavior.

199
MCQmedium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and clicks a link to a known malicious domain. Which advanced hunting table should the analyst query to track the clicked URL?

A.EmailEvents
B.EmailUrlInfo
C.EmailAttachmentInfo
D.DeviceEvents
AnswerB

EmailUrlInfo includes the URL, click status, and other URL-related details, making it suitable for tracking clicked links.

Why this answer

The EmailUrlInfo table in Advanced Hunting for Microsoft Defender XDR contains records of URLs that were present in emails, including the URL domain and whether the link was clicked. By joining EmailEvents with EmailUrlInfo on the NetworkMessageId, the analyst can identify when a user clicked a URL that leads to a known malicious domain, making it the correct table for tracking clicked URLs.

Exam trap

The trap here is that candidates often confuse EmailUrlInfo (which stores URL metadata and supports click tracking) with EmailEvents (which only contains email flow data), leading them to incorrectly select EmailEvents as the primary table for URL click analysis.

How to eliminate wrong answers

Option A is wrong because EmailEvents captures metadata about email delivery events (e.g., sender, recipient, delivery action) but does not include the specific URLs contained in the email or click actions. Option C is wrong because EmailAttachmentInfo tracks file attachments in emails, not URLs or link clicks. Option D is wrong because DeviceEvents logs system-level events on endpoints (e.g., process creation, registry changes) and does not contain email URL click data.

200
MCQeasy

An organization wants to prevent users from running executable files from the Windows Temp folder. Which Microsoft Defender for Endpoint capability should be configured?

A.Attack surface reduction rules
B.Network protection
C.Exploit protection
D.Controlled folder access
AnswerA

ASR rules can block executables from running from common temporary folders, reducing the risk of malware execution.

Why this answer

Attack surface reduction (ASR) rules are a Microsoft Defender for Endpoint capability that can block executable files from running from specific locations, such as the Windows Temp folder. Rule GUID 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 specifically targets this behavior by preventing executables and scripts from launching from temporary folders. This is the correct capability because ASR rules are designed to reduce the attack surface by controlling common malware entry points and persistence mechanisms.

Exam trap

The trap here is that candidates often confuse Controlled folder access (which protects files from modification) with execution control, or they mistakenly think Network protection can block local file execution because it sounds like a broad security measure.

How to eliminate wrong answers

Option B (Network protection) is wrong because it prevents users from accessing malicious websites or IP addresses, not from running local executable files from a folder. Option C (Exploit protection) is wrong because it applies mitigations to system processes and applications to prevent exploitation of vulnerabilities, such as heap spray or code injection, not to block execution from a specific folder path. Option D (Controlled folder access) is wrong because it protects folders from unauthorized changes by untrusted applications, such as ransomware encryption, but does not block the execution of executables from the Temp folder.

201
MCQhard

Your organization uses Microsoft Defender for Endpoint (Plan 2) and Microsoft Defender for Identity. A user reports that their device is running slowly and exhibiting unusual network traffic. You investigate in Microsoft Defender XDR and see a high number of alerts for the device. You need to determine if the device is compromised and, if so, initiate an automated investigation. What should you do first?

A.Isolate the device from the network immediately
B.Initiate a Live Response session to gather forensic data
C.Use the Microsoft Defender XDR portal to trigger an automated investigation on the device
D.Run a full antivirus scan from Microsoft Defender Antivirus
AnswerC

Automated investigation uses XDR capabilities.

Why this answer

Option C is correct because using the Microsoft Defender XDR portal to initiate an automated investigation will leverage the full XDR capabilities. Option B is wrong because live response is manual and not automated. Option D is wrong because running a full scan is not an automated investigation.

Option A is wrong because device isolation is a manual step.

202
MCQhard

Refer to the exhibit. You run the KQL query and see that a device named 'WORKSTATION42' has made 1500 connections to a public IP address 203.0.113.55 in the last day. You suspect the device may be compromised. What should you do next to gain the most context?

A.Isolate the device immediately using Microsoft Defender for Endpoint
B.Expand the query to join with DeviceProcessEvents to see which process initiated the connections
C.Add the IP address to the Tenant Allow/Block List to block it
D.Create a Safe Links policy to block the IP address
AnswerB

Provides context on the process causing the traffic.

Why this answer

Option B is correct because joining the network events with DeviceProcessEvents shows which process on WORKSTATION42 opened the 1,500 connections, along with its command line, parent and account; that is the context that separates a beaconing implant from a backup or monitoring agent. (DeviceNetworkEvents also carries InitiatingProcessFileName and InitiatingProcessCommandLine, so a first look can come from the same table before a join is needed.) Option A is wrong because isolation is a containment action that adds no context; it belongs after the process is identified. Option C is wrong because the Tenant Allow/Block List governs mail flow (senders, URLs and files), not endpoint network traffic. Option D is wrong because Safe Links rewrites and checks URLs in email and Office clients; it does not block IP addresses on devices.

203
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to generate alerts when a user downloads more than 100 files from SharePoint Online within 10 minutes. What should you configure?

A.Create an activity policy
B.Create an app discovery policy
C.Create a session policy
D.Create an OAuth app policy
AnswerA

Activity policies can detect anomalous download activity.

Why this answer

Option A is correct because an activity policy can match a repeated activity, for example more than 100 file downloads by the same user within a 10-minute window, and raise an alert when that threshold is crossed. Option B is wrong because app discovery policies alert on newly discovered apps in Cloud Discovery traffic logs. Option C is wrong because session policies control user actions in real time through Conditional Access App Control; they are not a threshold-based alerting mechanism. Option D is wrong because OAuth app policies govern the permissions granted to third-party apps.

204
MCQhard

A security administrator wants to block executable files from running from writable system directories such as %TEMP% and %APPDATA% on Windows devices. Which attack surface reduction (ASR) rule should be enabled?

A.Block executable files from running unless they meet a prevalence, age, or trusted list criterion.
B.Block Office communication application from creating child processes.
C.Block credential stealing from the Windows local security authority subsystem (lsass.exe).
D.Block executable content from email client and webmail.
AnswerA

This ASR rule blocks executables that lack reputation, which is how untrusted binaries dropped into writable user directories for persistence are stopped.

Why this answer

The ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) blocks executables (e.g., .exe, .dll, .scr) that do not have sufficient global prevalence, are not older than a certain age, and are not on a trusted list. Malware staged in %TEMP% and %APPDATA% is almost always new and rare, so it fails the check, which is why the rule addresses the administrator's requirement. Note that the rule is not scoped to a folder path: every launched executable is checked against cloud reputation, so cloud-delivered protection must be enabled for it to work, and a rare in-house tool will be blocked wherever it lives unless it is excluded from the rule or allowed through an indicator. Run the rule in audit mode first to find those cases.

Exam trap

The trap here is that candidates often confuse the 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' rule with the 'Block executable content from email client and webmail' rule, mistakenly thinking the latter covers all executable execution from writable directories when it only applies to email/webmail sources.

How to eliminate wrong answers

Option B is wrong because 'Block Office communication application from creating child processes' targets Microsoft Office communication apps (e.g., Outlook, Teams) from spawning child processes, which is a different attack vector (e.g., script-based attacks), not executable files from writable directories. Option C is wrong because 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' specifically protects LSASS from credential dumping via tools like Mimikatz, not from executables running in %TEMP% or %APPDATA%. Option D is wrong because 'Block executable content from email client and webmail' prevents executable attachments from being launched from email clients (e.g., Outlook, Gmail), which is a different entry point than local writable system directories.
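To see what the rule would block before switching it from audit to block mode, an advanced hunting query over the rule's audit events can be grouped by the directories the question cares about. This is an added example, not part of the question bank; the 30-day window and the folder patterns are assumptions, and the two ActionType values are the ones Defender records for this rule in audit and block mode.

```kql
// Added example (not from the question bank): review audit hits for the
// "prevalence, age, or trusted list" ASR rule before enforcing it.
// Assumptions: 30-day lookback; the folder patterns below stand in for %TEMP%,
// %APPDATA% and the machine-wide Windows Temp directory.
let lookback = 30d;
DeviceEvents
| where Timestamp > ago(lookback)
// Both action types are emitted only by rule 01443614-cd74-433a-b99e-2ecdc07bfc25
| where ActionType in ("AsrUntrustedExecutableAudited", "AsrUntrustedExecutableBlocked")
| extend Folder = tolower(FolderPath)
| extend Location = case(
    Folder contains @"\appdata\local\temp\", "%TEMP%",
    Folder contains @"\appdata\roaming\",    "%APPDATA%",
    Folder contains @"\windows\temp\",       "Windows Temp",
    "other")
| where Location != "other"
| summarize Hits = count(),
            Devices = dcount(DeviceId),
            SampleFiles = make_set(FileName, 5),
            Accounts = make_set(InitiatingProcessAccountName, 5)
    by Location, ActionType
| order by Hits desc
```

Audited rows whose SampleFiles are a trusted in-house tool are the exclusions to add before the rule goes to Block; Blocked rows in %TEMP% launched from a mail client or browser are the behaviour the rule exists to stop.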

205
Multi-Selecteasy

A company is deploying Microsoft Defender for Office 365 to protect against advanced threats. Which two features are available only in Defender for Office 365 Plan 2 and not in Plan 1? (Choose two.)

Select 2 answers
A.Automated Investigation & Response
B.Anti-phishing
C.Safe Attachments
D.Safe Links
E.Threat Explorer
AnswersA, E

Threat Explorer and AIR are Plan 2 only.

Why this answer

Options A and E are correct. Automated Investigation & Response (AIR) and Threat Explorer are Plan 2 capabilities; Plan 1 offers the more limited Real-time detections view instead of Threat Explorer and has no AIR. Option B is wrong because anti-phishing policies, including impersonation protection, are available in both plans. Option C is wrong because Safe Attachments is available in both plans. Option D is wrong because Safe Links is available in both plans.

206
Multi-Selecteasy

Your organization uses Microsoft Defender XDR. You need to configure automated actions for high-confidence phishing emails. Which TWO actions can be automatically taken by Microsoft Defender for Office 365?

Select 2 answers
A.Add a header to the email indicating it is phishing
B.Permanently delete the email from the user's mailbox
C.Soft delete the email from the user's mailbox
D.Move the email to quarantine
E.Forward the email to the security team
AnswersC, D

Soft delete moves the message to the user's Deleted Items, from where it can still be recovered.

Why this answer

Options C (soft delete) and D (move to quarantine) are correct. Quarantine is the only policy action for a high-confidence phishing verdict, and soft delete is the remediation that zero-hour auto purge (ZAP) and AIR apply to messages already delivered, leaving them recoverable by the user. Option B (permanent delete) is wrong because a hard delete is a manual action an analyst chooses in Threat Explorer, not an automated remediation for high-confidence phishing. Option A (add a header) is wrong because adding an X-header is an anti-spam policy action for lower-severity verdicts, not an automated phishing remediation. Option E (forward to the security team) is wrong because forwarding is not an automated action.

207
MCQhard

A security analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a suspicious PowerShell process (e.g., using -EncodedCommand) is detected on a device, and within 5 minutes, an outbound network connection to a known malicious IP address occurs. Which two advanced hunting tables must be joined?

A.DeviceProcessEvents and DeviceNetworkEvents
B.DeviceEvents and DeviceFileCertificateInfo
C.IdentityLogonEvents and CloudAppEvents
D.EmailEvents and EmailAttachmentInfo
AnswerA

DeviceProcessEvents logs process creation events (e.g., PowerShell), and DeviceNetworkEvents logs network connections. Joining these on DeviceId within a time range identifies the described pattern.

Why this answer

The custom detection rule requires correlating a suspicious PowerShell process event with a subsequent outbound network connection to a malicious IP within a 5-minute window. DeviceProcessEvents contains process creation data (e.g., command line, process name) for detecting encoded PowerShell commands, while DeviceNetworkEvents logs network connections (destination IP, port, protocol). Joining these two tables on DeviceId and a time range allows the rule to identify the sequence of a process event followed by a network event from the same device.

Exam trap

The trap here is that candidates may confuse the purpose of DeviceEvents (which covers broader system events like driver loads or registry changes) with DeviceProcessEvents, or mistakenly think cloud or email tables are relevant to endpoint-based process and network correlation.

How to eliminate wrong answers

Option B is wrong because DeviceEvents and DeviceFileCertificateInfo are used for tracking system-level events (e.g., driver loading, registry changes) and file certificate information, not for correlating process execution with network connections. Option C is wrong because IdentityLogonEvents and CloudAppEvents track user authentication and cloud application activity, not device-level process or network events. Option D is wrong because EmailEvents and EmailAttachmentInfo are focused on email delivery and attachment metadata, which are irrelevant to detecting PowerShell process behavior and outbound network connections on endpoints.

208
MCQmedium

You manage a Microsoft Defender for Endpoint environment. A device onboarded to Defender for Endpoint is not reporting alerts. You run the Microsoft Defender for Endpoint client analyzer and see that the service is running. Which log should you review to troubleshoot the issue?

A.Network Protection logs in %ProgramData%\Microsoft\Windows Defender\NIS
B.Microsoft 365 Defender portal audit log
C.Microsoft Defender for Endpoint sensor logs located in %ProgramData%\Microsoft\Windows Defender Advanced Threat Protection\Datamart
D.Windows Event Log (Applications and Services Logs/Microsoft/Windows/Defender)
AnswerC

Sensor logs contain diagnostic info for troubleshooting communication issues.

Why this answer

Option C is correct because the sensor's own diagnostic logs record its communication with the cloud service; when the service is running but nothing is reported, the connectivity and onboarding details recorded there (and in the SENSE operational channel under Applications and Services Logs\Microsoft\Windows\SENSE) are where the failure shows up. Option A is wrong because Network Protection logs cover web and network filtering, not sensor reporting. Option B is wrong because the portal audit log is cloud-side and records administrator actions, not client-side telemetry failures. Option D is wrong because the Windows Defender channel listed holds antivirus events, not the EDR sensor's events.

209
MCQhard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Defender XDR Advanced Hunting. The query returns a list of devices where PowerShell or cmd.exe with encoded commands executed more than 5 times in the last 7 days. The security team suspects that one of the devices is compromised due to excessive use of encoded commands. However, a legitimate administrative script uses encoded commands regularly. How can you refine the query to reduce false positives while still detecting potentially malicious activity?

A.Increase the Count threshold to 10.
B.Add a filter to exclude processes signed by a trusted certificate or running under specific service accounts.
C.Remove cmd.exe from the FileName filter.
D.Change the time range to 1 day instead of 7 days.
AnswerB

Excluding known trusted processes reduces false positives.

Why this answer

Option B is correct because the false positives come from one known, approved source; filtering it out by the account it runs under or the signed parent process it is launched from removes that source while leaving every other encoded command in scope. Option A is wrong because raising the threshold to 10 still counts the legitimate script (if it runs often it still trips the rule) while an attacker who stays below 10 now escapes. Option C is wrong because dropping cmd.exe removes coverage of encoded PowerShell launched through cmd.exe /c. Option D is wrong because shrinking the window to 1 day changes how much activity is counted, not which source produces it.
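The refinement in Option B, written out as an advanced hunting query. This is an added example, not the exhibit from the question; the service account name, the parent process the approved job is expected to run under, the 7-day window and the threshold of 5 are constructed assumptions to adjust to your tenant.

```kql
// Added example (not from the question bank): count encoded-command executions per
// device and drop the one approved scheduled job before applying the threshold.
// Assumptions: svc_patchmgmt is the service account the approved script runs under,
// and it is launched by the Task Scheduler host (svchost.exe).
let lookback = 7d;
let threshold = 5;
let approvedAccounts = dynamic(["svc_patchmgmt"]);
let approvedParents  = dynamic(["svchost.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
// Matches -e, -ec, -en, -enc and -EncodedCommand followed by whitespace (case-insensitive)
| where ProcessCommandLine matches regex @"(?i)\s-e(c|n|nc|ncodedcommand)?\s"
// Allow-list: the approved job is identified by account AND parent, not by either alone
| where not(AccountName in~ (approvedAccounts) and InitiatingProcessFileName in~ (approvedParents))
| summarize Executions = count(),
            DistinctCommandLines = dcount(ProcessCommandLine),
            Accounts = make_set(AccountName, 10),
            Parents = make_set(InitiatingProcessFileName, 10),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceId, DeviceName
| where Executions > threshold
| order by Executions desc
```

DistinctCommandLines is the useful secondary signal: a scheduled admin script produces the same encoded string every run, whereas an attacker's interactive session produces many different ones. If the approved job's command line never changes, an allow-list keyed on hash_sha256(ProcessCommandLine) is tighter than account plus parent.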

210
MCQmedium

A security analyst is investigating a potential lateral movement attack. They need to identify which processes were created on a compromised device and then which network connections were made by those processes. Which two advanced hunting tables should the analyst join in a KQL query?

A.DeviceProcessEvents and DeviceNetworkEvents
B.DeviceEvents and DeviceFileEvents
C.IdentityLogonEvents and DeviceProcessEvents
D.EmailEvents and DeviceNetworkEvents
AnswerA

DeviceProcessEvents logs process creations; DeviceNetworkEvents logs network connections. Joining them identifies processes that made connections.

Why this answer

Option A is correct because the analyst needs to correlate process creation events (DeviceProcessEvents) with the network connections those processes initiated (DeviceNetworkEvents). The join key is DeviceId plus the process identifier, which is ProcessId in DeviceProcessEvents and InitiatingProcessId in DeviceNetworkEvents; because PIDs are reused, the match should also compare ProcessCreationTime with InitiatingProcessCreationTime. The result traces which processes on the compromised device made outbound connections, directly surfacing lateral movement indicators such as SMB (445), RDP (3389) or WinRM (5985/5986) traffic.

Exam trap

The trap here is that candidates often confuse DeviceEvents (which includes generic security events like process creation alerts) with DeviceProcessEvents (the dedicated table for process creation data), leading them to pick Option B, but DeviceEvents lacks the detailed process-to-network mapping fields needed for this investigation.
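The join described in questions 202, 207 and 210 as one advanced hunting query: encoded PowerShell on a device followed within five minutes by a successful connection to a watch-listed IP. This is an added example, not part of the question bank. The watch-list (203.0.113.55, the TEST-NET-3 documentation address used in question 202), the 5-minute window and the 7-day lookback are assumptions.

```kql
// Added example (not from the question bank): correlate a process event with a
// follow-on network event on the same device inside a time window.
// Assumptions: the watch-list IP is the placeholder from question 202; 5-minute window.
let lookback = 7d;
let window = 5m;
let watchlist = dynamic(["203.0.113.55"]);
let encodedPS = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | where ProcessCommandLine matches regex @"(?i)\s-e(c|n|nc|ncodedcommand)?\s"
    | project DeviceId, DeviceName, ProcTime = Timestamp, ProcessId,
              ProcessCreationTime, ProcessCommandLine, AccountName;
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where ActionType == "ConnectionSuccess"
| where RemoteIP in (watchlist)
| project DeviceId, NetTime = Timestamp, RemoteIP, RemotePort,
          InitiatingProcessId, InitiatingProcessCreationTime,
          InitiatingProcessFileName, InitiatingProcessCommandLine
// Same device, and the connection happens after the process event, within the window
| join kind=inner (encodedPS) on DeviceId
| where NetTime between (ProcTime .. (ProcTime + window))
// PIDs are reused, so a "same process" claim needs the creation time as well
| extend SameProcess = (InitiatingProcessId == ProcessId
                        and InitiatingProcessCreationTime == ProcessCreationTime)
| project DeviceName, AccountName, ProcTime, NetTime, ProcessCommandLine,
          RemoteIP, RemotePort, InitiatingProcessFileName, SameProcess
| order by ProcTime desc
```

For the narrower question 202 case (which process made the 1,500 connections) the join is optional: summarize DeviceNetworkEvents by InitiatingProcessFileName and InitiatingProcessCommandLine for that device and RemoteIP first, and reach for DeviceProcessEvents when the parent chain or logon context is needed. The encoded payload is base64 of UTF-16LE text, so decode it outside the query.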

211
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to generate a report of all external users who have shared sensitive files from SharePoint Online. Which feature should you use?

A.OAuth app policies
B.Activity log
C.App permissions report
D.Cloud Discovery
AnswerB

Activity log can filter by external users and file actions.

Why this answer

Option B is correct because the Activity log can be filtered by user type (external), app (SharePoint Online) and activity (file sharing), and the filtered result can be exported as the report. Option A is wrong because OAuth app policies govern permissions granted to apps, not user activity. Option C is wrong because the App permissions report shows consent grants to apps, not user file sharing. Option D is wrong because Cloud Discovery is used for shadow IT, not user activity inside a connected app.

212
Multi-Selecthard

You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different sources. Which THREE actions should you take during the investigation?

Select 3 answers
A.Review the incident timeline to understand the sequence of events.
B.Delete all emails related to the incident from all mailboxes.
C.Use advanced hunting to query for related activities across devices and identities.
D.Isolate affected devices from the network using Microsoft Defender for Endpoint.
E.Reset the passwords of all user accounts involved.
AnswersA, C, D

The incident timeline provides a chronological view of alerts and activities.

Why this answer

Options A, C, and D are correct because during investigation you reconstruct the sequence of events, gather related evidence across devices and identities, and contain the devices that are confirmed affected. Option B is wrong because deleting every related email immediately destroys evidence; removal comes after the scope is known. Option E is wrong because blanket password resets before analysis disrupt users and can tip off the attacker; reset the accounts shown to be compromised once the scope is established.

213
MCQmedium

A security administrator wants to monitor and control user downloads from a third-party SaaS application (e.g., Box) in real time. The administrator needs to apply session-level policies to block downloads based on risk. Which Microsoft 365 Defender feature should be used?

A.Cloud Discovery
B.Conditional Access App Control
C.App Connectors
D.Anomaly Detection Policies
AnswerB

Conditional Access App Control (session control) allows real-time monitoring and restriction of user actions in cloud apps, such as blocking downloads from specific sessions.

Why this answer

Conditional Access App Control (CAAC) is the correct feature because it enables real-time session-level monitoring and control of user activities within third-party SaaS applications like Box. By integrating with Microsoft Defender for Cloud Apps, CAAC can apply policies to block downloads based on risk signals such as user location, device compliance, or anomalous behavior, all within the user's active session.

Exam trap

The trap here is that candidates often confuse App Connectors (API-based control) with Conditional Access App Control (proxy-based session control), mistakenly thinking API integration can enforce real-time download blocks when it only provides retrospective or policy-based actions on stored data.

How to eliminate wrong answers

Option A is wrong because Cloud Discovery is a tool for identifying shadow IT and assessing cloud app usage from traffic logs, not for applying real-time session-level download controls. Option C is wrong because App Connectors provide API-based visibility and control for data at rest (e.g., file scanning) but cannot enforce session-level policies in real time. Option D is wrong because Anomaly Detection Policies identify suspicious activities after they occur (e.g., impossible travel) and trigger alerts, not block downloads in real time within a session.

214
MCQhard

You are configuring Microsoft Defender for Office 365 to protect against business email compromise (BEC) attacks. Which policy setting should you enable to analyze email sender behavior and detect impersonation attempts?

A.Safe Attachments policy - Dynamic Delivery
B.Anti-phishing policy - Impersonation protection
C.Safe Links policy - URL scan
D.Anti-malware policy - Malware filter
AnswerB

Impersonation protection detects impersonation of users, domains, or brands.

Why this answer

Option B is correct because the impersonation protection settings of an anti-phishing policy cover protected users, protected domains and mailbox intelligence; mailbox intelligence learns each user's normal correspondents so that a lookalike sender posing as an executive or supplier is flagged, which is the core of BEC detection. Option A (Safe Attachments Dynamic Delivery) deals with attachment detonation. Option C (Safe Links) deals with URLs. Option D (anti-malware) deals with malware.

215
MCQhard

Your organization is a financial services company with 5,000 users. You use Microsoft Defender XDR, including Defender for Endpoint Plan 2, Defender for Identity, Defender for Office 365 Plan 2, and Defender for Cloud Apps. You have recently deployed Microsoft Copilot for Security to assist your security operations center (SOC) analysts. A high-severity incident is generated: 'A user named jdoe accessed a malicious IP address from their device, and then logged into Azure Portal from an anonymous IP address. Defender for Identity detected a suspicious Kerberos ticket request from the same user's domain controller.' The SOC analysts are overwhelmed with alerts and need to quickly understand the full scope of the incident, including related alerts, impacted assets, and recommended actions. They also want to use natural language to ask questions about the incident. What should you do to enable the analysts to efficiently investigate this incident?

A.Train the analysts to use Advanced Hunting to query across all data sources and build custom KQL queries to correlate the alerts.
B.Create custom detection rules in Microsoft Defender XDR to generate more specific alerts for similar activity.
C.Use Microsoft Copilot for Security integrated with Microsoft Defender XDR to get a natural language summary of the incident, ask follow-up questions, and receive recommended actions.
D.Configure automated investigation and remediation to automatically contain the threat and then review the results.
AnswerC

Copilot for Security provides natural language incident analysis.

Why this answer

Option C is correct because Copilot for Security, embedded in the Defender XDR incident page, summarizes the incident, lists related alerts and impacted assets, answers follow-up questions in natural language and suggests response actions, which is exactly what the overloaded analysts need. Option A is wrong because advanced hunting requires KQL and manual correlation, not natural language. Option B is wrong because custom detection rules generate more alerts; they do not help investigate the incident already raised. Option D is wrong because automated investigation contains and remediates but offers no natural language interaction.

216
MCQhard

Your organization has Microsoft 365 E5 licenses and uses Microsoft Defender for Office 365. You need to ensure that users are warned before clicking on malicious URLs in email messages, even if the URL is clicked after the email is delivered. Which policy should you configure?

A.Anti-malware policy
B.Safe Attachments policy
C.Safe Links policy
D.Anti-phishing policy
AnswerC

Safe Links provides time-of-click protection for URLs in email.

Why this answer

Option C is correct because Safe Links rewrites URLs in email and checks them when clicked, so a link that turns malicious after delivery is still blocked or warned about. Option A (anti-malware) deals with malware in attachments. Option B (Safe Attachments) detonates attachments, not URLs. Option D (anti-phishing) detects spoofing and impersonation but does not provide time-of-click URL protection.

217
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to ensure that malicious links in email messages are blocked at the time of click by checking the link reputation in real time. What should you enable?

A.Anti-spam policy.
B.Safe Attachments policy.
C.Safe Links policy.
D.Anti-phishing policy.
AnswerC

Safe Links provides time-of-click protection by checking link reputation.

Why this answer

Option C is correct because Safe Links rewrites URLs and checks them against a dynamic list of known malicious links at click time. Option A is wrong because anti-spam policies filter spam, not malicious links. Option B is wrong because Safe Attachments scans email attachments, not links. Option D is wrong because anti-phishing policies protect against spoofing and impersonation but do not check links in real time.

218
MCQmedium

Your organization uses Microsoft Defender for Endpoint. A user reports that their device is not receiving security updates. You need to ensure that the device is properly onboarded to Defender for Endpoint. Which log should you check first?

A.Event Viewer Application logs
B.System logs
C.Microsoft Defender for Endpoint client logs
D.Windows Update logs
AnswerC

Client logs provide detailed information about onboarding and updates.

Why this answer

Option C is correct because the Defender for Endpoint client-side logs, starting with the client analyzer output (MDEClientAnalyzerResult.txt) and the SENSE operational event channel, record onboarding status and the sensor's communication with the service; antivirus update activity driven by MpCmdRun.exe lands in MpCmdRun.log in the invoking user's temp folder. Option A (Event Viewer Application logs) may show some errors but not onboarding detail. Option B (System logs) covers general system events. Option D (Windows Update logs) covers Windows Update, not Defender onboarding.

219
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from SharePoint Online to an unmanaged device. You need to automatically block the download and alert the security team. What should you configure?

A.Session policy
B.Access policy
C.File policy
D.Anomaly detection policy
AnswerA

Session policies can control and block specific actions like downloads.

Why this answer

Option A is correct because a session policy, enforced through Conditional Access App Control, can block downloads in real time for sessions from unmanaged devices and raise an alert at the same time. Option B is wrong because an access policy allows or blocks the whole session; it cannot permit the session while blocking only downloads. Option C is wrong because a file policy scans files at rest through the API connector and cannot stop a download in progress. Option D is wrong because an anomaly detection policy only alerts; it does not block.

220
MCQmedium

A company is using Microsoft Defender for Identity (MDI) and wants to receive alerts when a user account is involved in a suspicious network connection. The security team has enabled MDI alerts but is not receiving any alerts for a specific account that is showing anomalous behavior. What should the team check first?

A.Verify that the MDI sensor is running correctly on the domain controller.
B.Check that the user has an appropriate Microsoft 365 license.
C.Confirm that the user's Active Directory attributes are synced to Azure AD.
D.Ensure the user's email address is configured in the MDI alert settings.
AnswerA

Detections come from sensor telemetry; a sensor that is not capturing this account's traffic produces no alerts for it.

Why this answer

Option A is correct because Defender for Identity alerts are produced from the authentication and network traffic that sensors capture on domain controllers. If the sensor on the domain controller this account authenticates against is stopped, unhealthy or not capturing (for example a network interface or port-mirroring problem on that one DC), no detection can fire for the account even though other accounts keep alerting. Option B is wrong because licensing does not switch detections on or off for an individual account. Option C is wrong because Defender for Identity reads the account from on-premises Active Directory; synchronization to Azure AD is not a prerequisite for alerting. Option D is wrong because alert notifications go to recipients configured at the tenant level; there is no per-user email setting, and alerts appear in the portal whether or not email is delivered.

221
Multi-Selectmedium

Which THREE features are part of Microsoft Defender XDR? (Select THREE.)

Select 3 answers
A.Microsoft Purview
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Office 365
D.Microsoft Sentinel
E.Microsoft Defender for Identity
AnswersB, C, E

Defender for Endpoint is a core component.

Why this answer

Defender XDR correlates signals from Microsoft Defender for Endpoint, Defender for Identity, Defender for Office 365 and Defender for Cloud Apps (the suite was previously named Microsoft 365 Defender). Options B, C, and E are correct. Option A is wrong because Microsoft Purview is a separate compliance and data governance solution. Option D is wrong because Microsoft Sentinel is a separate SIEM/SOAR service; it can ingest Defender XDR incidents but is not part of it.

222
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to configure a rule that automatically isolates a device from the network when a specific threat is detected, but only if the device is in a specific device group. Which approach should you use?

A.Indicator of compromise (IoC)
B.Automation rule
C.Custom detection rule
D.Group policy in Intune
AnswerC

Custom detection rules are scoped to device groups and can run response actions such as Isolate device.

Why this answer

Option C is correct because a custom detection rule in Defender XDR runs an advanced hunting query on a schedule, is scoped to the device groups you choose, and can apply response actions to matching devices, including Isolate device, Collect investigation package, Run antivirus scan and Restrict app execution. Option B is wrong because automation rules are a Microsoft Sentinel construct that triggers on incidents and runs playbooks; they are not the native Defender for Endpoint mechanism for conditional isolation, and Defender for Endpoint's own automation settings (automation levels per device group) decide how AIR remediates, not which threats trigger isolation. Option A is wrong because an indicator of compromise blocks or allows a file, IP, URL or certificate; it does not isolate devices. Option D is wrong because Intune configuration and group policy deploy settings; they do not react to detections.

223
MCQmedium

A company is planning to deploy Microsoft Defender for Endpoint to its Windows 10 devices. The devices are managed by Microsoft Intune. The security team wants to ensure that the MDE sensor is installed automatically on new devices that are enrolled in Intune. Which method should the team use?

A.Manually install MDE on each device.
B.Use Group Policy to deploy the MDE installation package.
C.Deploy MDE using Microsoft Configuration Manager.
D.Create an Endpoint security policy in Intune to deploy MDE.
AnswerD

Intune can deploy MDE via Endpoint security policies.

Why this answer

Option D is correct because Intune deploys Defender for Endpoint through an Endpoint security policy; for Windows 10 the Endpoint detection and response (EDR) policy delivers the onboarding package (the sensor itself is built into the OS), and assigning it to a device group means newly enrolled devices are onboarded automatically. Option A is wrong because manual installation is not automatic. Option B is wrong because Group Policy requires domain-joined devices and is not used in an Intune-managed environment. Option C is wrong because Configuration Manager is an on-premises management tool the scenario does not use.

224
Multi-Selectmedium

You are configuring Microsoft Defender for Office 365. Which TWO actions should you take to protect users from phishing attacks that use impersonation?

Select 2 answers
A.Create a data loss prevention (DLP) policy to prevent sharing of credentials.
B.Configure anti-spam policies to increase the spam confidence level.
C.Configure anti-phishing policies to protect users from impersonation of custom domains.
D.Configure anti-phishing policies to protect users from impersonation of internal users.
E.Enable Safe Attachments for SharePoint, OneDrive, and Microsoft Teams.
AnswersC, D

Anti-phishing policies can also protect against impersonation of your organization's domains.

Why this answer

Options C and D are correct because the impersonation protection settings of an anti-phishing policy protect both your custom domains and named internal users (for example executives) from lookalike senders. Option A is wrong because DLP protects sensitive data; it does not stop phishing. Option B is wrong because anti-spam policies handle spam verdicts, not impersonation. Option E is wrong because Safe Attachments for SharePoint, OneDrive and Teams scans files in those services.

225
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a device with a high-risk vulnerability is detected, it is automatically isolated from the network. What should you configure?

A.Run an advanced hunting query to identify high-risk devices.
B.Create an automation rule in Microsoft Defender XDR.
C.Create a device group and assign a device configuration policy.
D.Enable vulnerability management in Microsoft Defender for Endpoint.
AnswerB

Automation rules can trigger automatic isolation based on vulnerability data.

Why this answer

Option B is correct because, of the options listed, only a rule in Microsoft Defender XDR takes an automatic action when a condition is met; in the portal this is built as a custom detection rule whose query reads the vulnerability data (DeviceTvmSoftwareVulnerabilities, filtered on VulnerabilitySeverityLevel) and whose response action is Isolate device. Isolating on a vulnerability alone is aggressive, so in practice such a rule is limited to actively exploited CVEs and a pilot device group. Option A is wrong because an advanced hunting query only identifies devices; it triggers no action unless saved as a detection rule. Option C is wrong because device groups control policy assignment and automation level, not a vulnerability-triggered action. Option D is wrong because vulnerability management reports findings but does not isolate devices.
