CCNA Defender Xdr Security Questions

59 of 284 questions · Page 4/4 · Defender Xdr Security topic · Answers revealed

226
MCQ · medium

Your company uses Microsoft Defender for Endpoint and Microsoft Intune. You have a group of remote users who connect to the corporate network via VPN. Recently, several of these devices were compromised due to unpatched vulnerabilities. You need to ensure that devices that are missing critical security updates are automatically blocked from accessing corporate resources. The solution must integrate with Microsoft Defender for Endpoint's threat and vulnerability management (TVM) data. What should you configure?

A.Configure the VPN server to only allow devices that have the latest updates installed.
B.Create a Microsoft Defender for Endpoint device group and set the remediation level to 'block' for devices with critical vulnerabilities.
C.Configure a device compliance policy in Intune that requires all critical updates to be installed, and assign it to the VPN users group.
D.Create a conditional access policy in Microsoft Entra ID that uses 'Require device to be marked as compliant' and integrate Defender for Endpoint's risk level to block devices with high risk.
Answer: D

Conditional access can block access based on device compliance, which can be determined by Defender for Endpoint's risk assessment.

Why this answer

Option D is correct because a conditional access policy that requires a compliant device can use Defender for Endpoint's risk level to block non-compliant devices. Option C is wrong because Intune compliance policies can mark devices as non-compliant, but the question requires using TVM data; conditional access can consume the risk level from Defender for Endpoint. Option A is wrong because VPN configuration does not integrate with TVM data for automatic blocking.

Option B is wrong because requiring all devices to be fully patched is not automatically enforceable without compliance policies.

227
MCQ · medium

Your organization uses Microsoft Defender XDR and Microsoft 365 E5 licenses. You are a security administrator. The security team wants to receive email notifications for high-severity incidents only. You need to configure the notification settings. What should you do?

A.In the Microsoft Defender XDR portal, go to Settings > Microsoft 365 Defender > Email notifications, and create a notification for high-severity incidents.
B.Create an incident response rule that sends an email when a high-severity incident is created.
C.Use the Microsoft Purview compliance portal to create an alert policy.
D.Configure a service health notification in the Microsoft 365 admin center.
Answer: A

Correct: Email notifications can be configured for specific severity.

Why this answer

Option A is correct because the notification settings in Microsoft Defender XDR allow you to create email notifications for specific severity levels. Option B is wrong because incident response rules do not send email notifications. Option D is wrong because service health notifications cover service health, not security incidents.

Option C is wrong because alert policies in the compliance portal are not for incident notifications.

228
MCQ · hard

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. You discover that a user's credentials were compromised and used to access sensitive data in SharePoint Online from an unusual location. You need to automatically suspend the user and prevent further access to cloud apps. What should you configure?

A.An anti-phishing policy in Defender for Office 365
B.A Safe Attachments policy in Defender for Office 365
C.A Safe Links policy in Defender for Office 365
D.A session policy in Defender for Cloud Apps
Answer: D

Session policies can block or suspend user access to cloud apps based on risk.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps offers session policies that can be set to block access or suspend users based on risk. Specifically, you can create a policy that automatically suspends the user when anomalous activity is detected. Option B is wrong because Safe Attachments is for email attachments.

Option A is wrong because anti-phishing policies are for email. Option C is wrong because Safe Links is for URL protection in email and Office documents.

229
Multi-Select · medium

A security administrator is configuring Microsoft Defender for Cloud Apps to protect against data exfiltration from SaaS apps. The administrator wants to create a policy that alerts when a user attempts to download more than 50 files from SharePoint Online within 5 minutes. Which two components must be configured to achieve this? (Choose two.)

Select 2 answers
A.File policy
B.Session policy
C.Activity policy
D.Conditional Access App Control
E.App connector for SharePoint Online
Answers: C, E

Activity policies can detect anomalous download activity.

Why this answer

Options C and E are correct. An activity policy is needed to define the threshold (50 files in 5 minutes). The app connector for SharePoint Online must be enabled to allow Defender for Cloud Apps to monitor SharePoint activity.

Option B is wrong because a session policy is used for real-time control, not for alerting. Option D is wrong because Conditional Access App Control is for controlling access, not alerting. Option A is wrong because a file policy is for file sharing, not downloads.

230
Multi-Select · hard

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email and later clicks a link to a known malicious domain from their device. The rule will use advanced hunting queries. Which two tables should be joined to detect the click event from the device?

Select 2 answers
A.EmailEvents and EmailUrlInfo
B.EmailEvents and DeviceNetworkEvents
C.EmailUrlInfo and DeviceNetworkEvents
D.EmailAttachmentInfo and DeviceProcessEvents
Answers: B, C

This combination lacks the URL click info from EmailUrlInfo that indicates the user clicked the link.

Why this answer

Option C is correct because detecting a user clicking a link to a known malicious domain from their device requires joining the email URL information (EmailUrlInfo) with the device-level network event (DeviceNetworkEvents). EmailUrlInfo contains the URLs from emails, and DeviceNetworkEvents records outbound network connections from devices, including the destination domain. Joining these tables on the URL or domain allows you to correlate the email link with the subsequent device click event.

Exam trap

The trap here is that candidates often assume EmailEvents contains all necessary email data, but the click event requires device-level network logs, and the specific URL must be matched via EmailUrlInfo, not just the email metadata.

231
MCQ · medium

You are configuring a network security policy in Microsoft Defender for Cloud Apps. The exhibit shows a policy to block traffic from known Tor exit nodes. However, the policy is not blocking traffic from IP 185.220.101.5. What is the most likely reason?

A.The action is set to Alert only, not block.
B.The IP address is not in the specified subnet.
C.The protocol condition is too restrictive.
D.The source address condition is missing a wildcard.
E.Another policy with a higher priority is allowing the traffic.
Answer: E

A policy with a lower priority number (higher priority) may be allowing the traffic.

Why this answer

Option E is correct because policies are evaluated in priority order, so the blocking policy must be set to a higher priority (lower number) to be evaluated first. Option B is wrong because the IP is within the range. Option A is wrong because the action is AlertAndBlock.

Option C is wrong because the protocol is Any. Option D is wrong because the source address condition is correct.

232
Multi-Select · hard

Your organization uses Microsoft Defender for Office 365 and Microsoft Defender for Cloud Apps. A security incident involves a user who accessed a malicious link from an email and then uploaded sensitive data to an external cloud app. Which THREE Microsoft Defender XDR components would provide relevant alerts and insights for this incident?

Select 3 answers
A.Microsoft Defender for Office 365
B.Microsoft Defender XDR incident correlation
C.Microsoft Sentinel
D.Microsoft Defender for Identity
E.Microsoft Defender for Cloud Apps
Answers: A, B, E

Defender for Office 365 provides the email security alerts.

Why this answer

Correct: A, B, and E. Defender for Office 365 alerts on malicious links in email; Defender for Cloud Apps alerts on data upload to external apps; Microsoft Defender XDR correlates them into a single incident. Option D is wrong because Defender for Identity focuses on identity-related threats, not email or cloud app data upload.

Option C is wrong because Microsoft Sentinel is a SIEM, not a component of Defender XDR.

233
MCQ · medium

A security administrator wants to automatically block malicious IP addresses from sending email to Exchange Online mailboxes. Which Microsoft Defender component should be configured?

A.Exchange Online Protection (EOP)
B.Microsoft Defender for Endpoint
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
Answer: A

EOP includes connection filtering and IP allow/block lists to block malicious senders at the mail transport level.

Why this answer

Exchange Online Protection (EOP) is the cloud-based email filtering service that protects Exchange Online mailboxes from spam, malware, and malicious IP addresses. It includes connection filtering, which can automatically block messages from specified IP addresses by using the default connection filter policy or custom IP Allow/Block lists. This makes EOP the correct component for blocking malicious IPs from sending email to Exchange Online.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Endpoint (which handles device-level threats) with email security, or assume that Defender for Cloud Apps (a CASB) can filter inbound email, when in fact only EOP provides the connection filtering and IP block list functionality for Exchange Online mail flow.

How to eliminate wrong answers

Option B (Microsoft Defender for Endpoint) is wrong because it focuses on endpoint detection and response (EDR) for devices, not email traffic filtering or IP-based blocking for Exchange Online. Option C (Microsoft Defender for Identity) is wrong because it monitors on-premises Active Directory for identity-based threats (e.g., lateral movement, privilege escalation), not inbound email from IP addresses. Option D (Microsoft Defender for Cloud Apps) is wrong because it provides cloud access security broker (CASB) capabilities for SaaS applications, including shadow IT discovery and app permissions, but does not directly block IP addresses from sending email to Exchange Online.

234
Multi-Select · medium

You are a security administrator for a company that uses Microsoft Defender XDR. You need to configure an automated investigation and response (AIR) policy to automatically remediate threats on devices. Which two actions can be taken automatically without requiring administrator approval? (Choose two.)

Select 2 answers
A.Quarantine file
B.Block URL
C.Run antivirus scan
D.Isolate device
E.Collect investigation package
Answers: A, D

Quarantine file can be automated in AIR.

Why this answer

Options A and D are correct because 'Quarantine file' and 'Isolate device' are both remediation actions that can be set to run automatically depending on the automation level. Option C is wrong because 'Run antivirus scan' is typically an investigation action, not a remediation action. Option E is wrong because 'Collect investigation package' is an investigation action.

Option B is wrong because 'Block URL' is a remediation action but often requires approval.

235
MCQ · hard

A tenant administrator runs the above PowerShell command to create a Conditional Access policy. Users on iOS and Android devices report that they are still prompted for MFA, but the policy is intended to exclude those platforms. What is the issue?

A.The policy does not apply to iOS and Android because they are not listed in IncludeApplications.
B.The policy creation failed due to invalid syntax.
C.The policy requires MFA for all apps, overriding the platform exclusion.
D.The ExcludePlatforms parameter is placed incorrectly in the JSON body; it should be under conditions.platforms.excludePlatforms.
Answer: D

The correct structure places excludePlatforms under conditions.platforms.

Why this answer

The 'ExcludePlatforms' property is used to exclude platforms from the policy. In the New-MgIdentityConditionalAccessPolicy cmdlet, however, platform exclusions belong in the request body under 'conditions' > 'platforms' > 'excludePlatforms'. The exhibit's structure is incorrect; an 'ExcludePlatforms' property at the top level is ignored.

Therefore, the policy applies to all platforms, including iOS and Android. Option D is correct. Option B is wrong because the policy is successfully created.

Option C is wrong because MFA is enforced as intended for the other platforms. Option A is wrong because the policy does apply to iOS and Android.

236
MCQ · hard

You are a security administrator. You need to configure a Microsoft Defender for Endpoint policy that prevents users from running executables from the Temp folder. Which Attack Surface Reduction (ASR) rule should you enable?

A.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
B.Block Office communication application from creating child processes
C.Block process injections originating from Windows executable files
D.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
Answer: D

This rule covers executables run from the Temp folder.

Why this answer

Option D is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' covers Temp folder executables. Option A is wrong because it blocks credential theft from lsass.exe. Option B is wrong because it blocks Office communication applications from creating child processes, not executables in Temp.

Option C is wrong because it blocks process injection.

237
MCQ · hard

A security administrator needs to configure an automated investigation and response (AIR) playbook in Microsoft 365 Defender that will automatically isolate a device whenever a high-severity alert from Microsoft Defender for Endpoint is generated. The playbook must run without requiring manual approval. Which configuration must the administrator set to achieve automatic device isolation?

A.Set the automation level for device isolation to 'Full - automatically remediate threats' in the Advanced Features settings.
B.Create a custom detection rule that triggers on high-severity alerts and uses an automated action.
C.Configure the device isolation action to require approval in the automation level settings.
D.Enable automatic remediation only for medium severity and above.
Answer: A

The automation level controls whether AIR actions like device isolation are executed automatically. 'Full - automatically remediate' allows automatic isolation without manual approval.

Why this answer

Option A is correct because the automation level for device isolation in Microsoft 365 Defender's Advanced Features settings controls whether the AIR playbook executes actions automatically. Setting it to 'Full - automatically remediate threats' ensures that when a high-severity alert triggers the playbook, device isolation is performed without requiring manual approval, meeting the requirement for fully automated response.

Exam trap

The trap here is that candidates often confuse custom detection rules (Option B) with built-in AIR automation levels, or mistakenly think that enabling automatic remediation for a severity range (Option D) automatically applies to all actions, when in fact each action type must be individually configured for full automation.

How to eliminate wrong answers

Option B is wrong because custom detection rules are used for creating custom alerts based on advanced hunting queries, not for configuring the automation level of built-in AIR playbook actions like device isolation. Option C is wrong because configuring device isolation to require approval would prevent automatic execution, contradicting the requirement to run without manual approval. Option D is wrong because enabling automatic remediation only for medium severity and above does not guarantee that high-severity alerts will trigger automatic device isolation; the automation level must be explicitly set to 'Full' for the specific action.

238
Multi-Select · hard

A security team is investigating a potential ransomware outbreak using Microsoft Defender XDR. They have identified a suspicious PowerShell command that was executed on several devices. The team wants to use Advanced Hunting to find all other activities associated with the same command. Which three columns should they include in their KQL query to effectively correlate the activities? (Choose three.)

Select 3 answers
A.SHA256
B.ProcessId
C.AccountUpn
D.Timestamp
E.DeviceId
Answers: A, B, E

SHA256 identifies the file.

Why this answer

Options A, B, and E are correct. DeviceId uniquely identifies the device. ProcessId identifies the process. SHA256 identifies the file. These three columns can be used to correlate activities across devices and processes. Option C is wrong because AccountUpn may change.

Option D is wrong because Timestamp is not unique.

239
Multi-Select · hard

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify when a user clicks a malicious URL in a phishing email and subsequently visits the malicious site from their corporate device. The analyst plans to use advanced hunting with Kusto Query Language (KQL). Which two tables must be joined to capture both the URL click event and the network connection to the malicious site?

Select 2 answers
A.EmailEvents and DeviceNetworkEvents
B.EmailUrlInfo and DeviceNetworkEvents
C.EmailAttachmentInfo and DeviceProcessEvents
D.EmailEvents and DeviceFileEvents
Answers: A, B

EmailEvents contains email delivery info but not URL click events; DeviceNetworkEvents is correct but EmailEvents does not provide click data.

Why this answer

Option B is correct because EmailUrlInfo contains the URL click events from phishing emails, and DeviceNetworkEvents logs network connections from corporate devices. Joining these two tables on the URL value captures the full chain: the user clicking the malicious link and the device subsequently connecting to that site.

Exam trap

The trap here is that candidates confuse EmailEvents (email metadata) with EmailUrlInfo (URL click data), assuming the email event table contains the URL click details, when in fact EmailUrlInfo is the dedicated table for that telemetry.

240
MCQ · hard

Your organization has deployed Microsoft Defender for Cloud Apps. You want to detect anomalous behavior such as impossible travel for users accessing cloud apps. You need to configure the appropriate policy. Which policy type should you create?

A.App discovery policy
B.Activity policy
C.Session policy
D.File policy
Answer: B

Activity policies can detect anomalous activities such as impossible travel.

Why this answer

Option B is correct because activity policies can detect anomalies like impossible travel. Option D is wrong because file policies monitor file sharing. Option A is wrong because app discovery policies discover shadow IT.

Option C is wrong because session policies control real-time access.

241
MCQ · medium

Your organization uses Microsoft Defender for Office 365. You receive a report that users are receiving spoofed email messages that appear to come from your own domain. The spoofed messages are not being filtered. You need to ensure that spoofed messages from your domain are blocked. What should you do?

A.Add your domain to the allowed domains list in the anti-spam policy
B.Configure spoof intelligence settings to block the spoofed domain
C.Configure DKIM signing for your domain
D.Configure DMARC policy to reject messages that fail SPF or DKIM
Answer: B

Spoof intelligence allows blocking spoofed senders.

Why this answer

Option B is correct because spoof intelligence in Microsoft Defender for Office 365 allows you to block spoofed messages from your own domain. Option C is wrong because DKIM signing is important but does not block spoofed messages by itself. Option D is wrong because a DMARC policy can help, but spoof intelligence is more direct.

Option A is wrong because adding the domain to the allowed list would actually allow spoofing.

242
MCQ · medium

A security administrator wants to configure Automated Investigation and Response (AIR) in Microsoft 365 Defender to automatically isolate a device when a high-severity alert for malware is detected. Which step is required?

A.Create an automation rule in Microsoft Sentinel.
B.Create a custom detection rule in advanced hunting.
C.Configure the device to be part of a device group and enable automation level.
D.Enable auto-removal of malware from devices.
Answer: C

Device groups are the mechanism to define automation levels (e.g., full automation) that allow automatic isolation.

Why this answer

To enable Automated Investigation and Response (AIR) in Microsoft Defender for Endpoint, the device must be added to a device group, and the automation level for that group must be set to 'Full – remediate threats automatically' or a similar level. This configuration allows Defender to automatically isolate a device when a high-severity malware alert is triggered, as part of the built-in AIR playbooks.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel automation rules (which are for cross-source orchestration) with the device group automation settings in Microsoft Defender for Endpoint, leading them to pick Option A instead of the correct device group configuration.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel automation rules are used for orchestration and response across multiple data sources, not for configuring device-level automated isolation in Microsoft Defender for Endpoint. Option B is wrong because custom detection rules in advanced hunting are for creating custom alerts based on KQL queries, not for enabling automated response actions like device isolation. Option D is wrong because 'auto-removal of malware' is not a configurable setting in Defender for Endpoint; remediation actions are controlled via automation levels and device groups, not a separate toggle.

243
MCQ · hard

Contoso uses Microsoft 365 E5 and has enabled Microsoft Defender for Office 365. Users report that legitimate external emails are being quarantined. You need to reduce false positives without reducing protection. What should you do?

A.Disable third-party email filtering integration.
B.Reduce the Spam Confidence Level (SCL) threshold in anti-spam policies.
C.Allow all emails from the sender's domain in the Tenant Allow/Block List.
D.Configure Advanced Delivery for trusted senders from the external domain.
Answer: D

Advanced Delivery allows specific trusted senders to bypass filtering, reducing false positives without compromising overall protection.

Why this answer

Option D is correct because configuring Advanced Delivery allows trusted senders to bypass filtering only for specific domains, reducing false positives while maintaining general protection. Option C is wrong because allowing all senders from the same domain weakens security. Option B is wrong because reducing the spam confidence level threshold increases false negatives.

Option A is wrong because disabling third-party email filtering removes necessary protection.

244
Multi-Select · easy

Your organization uses Microsoft Defender for Endpoint (Plan 2). You need to configure a custom detection rule that alerts when a specific process attempts to access the internet. Which TWO components are required to create this custom detection?

Select 2 answers
A.Attack surface reduction rule
B.Response action in the detection rule
C.Microsoft Sentinel automation rule
D.Indicator of compromise (IOC)
E.Advanced Hunting query
Answers: B, E

Response actions trigger alerts.

Why this answer

Correct: B and E. Custom detections use Advanced Hunting queries (KQL) to define the detection logic. Alerts can trigger automated actions via response actions.

Option A is wrong because attack surface reduction rules are predefined. Option D is wrong because indicators of compromise are for threat intelligence. Option C is wrong because automation rules in Microsoft Sentinel are separate.

245
MCQ · hard

A security administrator wants to prevent malware from using Office macros to spawn malicious processes. Specifically, they want to block Excel, Word, and PowerPoint from creating child processes. Which Microsoft Defender for Endpoint capability should be configured?

A.Threat & Vulnerability Management
B.Attack Surface Reduction (ASR) rules
C.Web Protection
D.Network Protection
Answer: B

ASR rules are designed to block specific common attack techniques like Office apps spawning child processes.

Why this answer

Attack Surface Reduction (ASR) rules are a Microsoft Defender for Endpoint capability specifically designed to block common malware behaviors, such as Office applications (Excel, Word, PowerPoint) from creating child processes. This rule (GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869) prevents macros from spawning cmd.exe, powershell.exe, or other executables, directly addressing the administrator's requirement.

Exam trap

The trap here is that candidates often confuse Attack Surface Reduction rules with other Defender for Endpoint capabilities like Network Protection or Web Protection, mistakenly thinking that blocking network traffic is equivalent to blocking local process creation, when ASR rules are the only option that directly controls child process spawning from Office apps.

How to eliminate wrong answers

Option A is wrong because Threat & Vulnerability Management (TVM) identifies, prioritizes, and remediates vulnerabilities in software and configurations, but it does not enforce runtime behavioral blocks like preventing child process creation. Option C is wrong because Web Protection blocks access to malicious URLs, IPs, and web content, but it does not control local process spawning from Office macros. Option D is wrong because Network Protection blocks outbound connections to malicious domains or IPs at the network layer, but it does not prevent local child process creation from Office applications.

246
MCQ · hard

An administrator deployed the above Intune device configuration policy for Microsoft Defender for Endpoint on Windows 10 devices. Users report that some potentially unwanted applications (PUA) are still being installed. What is the most likely cause?

A.The cloud timeout value is too low, causing PUA detection to fail.
B.The PUAProtection setting is in AuditMode and not blocking PUAs.
C.Cloud-delivered protection is set to High level, which does not affect PUAs.
D.Real-time monitoring is disabled.
Answer: B

AuditMode only logs; it does not block.

Why this answer

PUAProtection is set to 'AuditMode', which only logs PUA events but does not block them. To block PUAs, the setting should be 'Enabled' or 'Block'. Option B is correct.

Option C is wrong because cloud-delivered protection is enabled. Option D is wrong because real-time monitoring is enabled. Option A is wrong because the cloud timeout is not related to PUA detection.

247
Multi-Select · medium

A security analyst wants to create a custom detection rule in Microsoft Defender XDR that triggers when a user receives a phishing email (delivered to inbox) and then, from their Windows device, establishes a network connection to a known malicious IP address. The rule will be based on an advanced hunting query. Which two tables should the analyst join in the KQL query to capture both the email delivery event and the network connection event?

Select 2 answers
A.EmailEvents and DeviceNetworkEvents
B.EmailEvents and DeviceProcessEvents
C.EmailPostDeliveryEvents and DeviceNetworkEvents
D.EmailAttachmentInfo and DeviceRegistryEvents
Answers: A, C

EmailEvents contains email delivery data (RecipientEmailAddress, Timestamp), and DeviceNetworkEvents contains network connection data (DeviceName, RemoteIP, Timestamp). Joining these on a common key like recipient email/device identity and time window enables detection of post-click connections.

Why this answer

Option A is correct because the rule requires capturing both the phishing email delivery event and the subsequent network connection to a malicious IP. The EmailEvents table records email delivery status (including 'Delivered' to inbox), and the DeviceNetworkEvents table records outbound network connections from Windows devices, including destination IP addresses. Joining these two tables on a common identifier (such as RecipientObjectId and DeviceId) allows the analyst to correlate the email receipt with the network connection event.

Exam trap

The trap here is that candidates confuse EmailPostDeliveryEvents (post-delivery actions) with EmailEvents (initial delivery), or assume DeviceProcessEvents can capture network connections when it only records process creation.

248
Multi-Select · medium

You are a Microsoft 365 administrator responsible for managing security and threats by using Microsoft Defender XDR. Which four of the following are core components or capabilities of Microsoft Defender XDR? (Choose all that apply. There are four correct answers.)

Select 4 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
E.Microsoft Intune
F.Microsoft 365 Defender portal Threat Analytics

Why this answer

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively integrates signals from four core Microsoft Defender components: Defender for Endpoint (endpoint detection and response), Defender for Office 365 (email and collaboration security), Defender for Identity (on-premises Active Directory identity threat detection), and Defender for Cloud Apps (SaaS application access and shadow IT control). These four are the foundational pillars that feed into the Microsoft 365 Defender portal, enabling cross-domain correlation and automated incident response.

Exam trap

The trap here is that candidates often confuse Microsoft Intune (a management tool) or Threat Analytics (a reporting feature) as core components of Defender XDR, when in fact the exam expects the four specific Defender-branded products that natively integrate to form the XDR solution.

249
MCQ · easy

Your organization uses Microsoft Defender for Office 365. You need to ensure that all email messages containing encrypted attachments are automatically scanned for malware before delivery. What should you configure?

A.Safe Attachments policy with Dynamic Delivery enabled
B.Safe Links policy with URL scanning
C.Anti-malware policy
D.Anti-spam policy
Answer: A

Dynamic Delivery allows scanning encrypted attachments.

Why this answer

Option A is correct because a Safe Attachments policy can be configured to scan encrypted attachments. Option B is wrong because Safe Links is for links. Option D is wrong because it is the anti-spam policy.

Option C is wrong because it is the standard anti-malware policy, not Safe Attachments.

250
MCQ · medium

Your organization uses Microsoft Defender for Office 365. Users report that legitimate emails from a specific partner domain are being moved to Junk Email folder. You verify that the partner's SPF, DKIM, and DMARC records are correctly configured. Which two actions should you take to resolve this issue?

A.Modify the Anti-Spam policy to increase the spam threshold.
B.Review the Anti-Phishing policy's spoof intelligence settings.
C.Configure the Outbound spam filter policy.
D.Disable the Spam filter for the affected users.
E.Add the partner domain to the Tenant Allow/Block List as an allowed domain.
AnswerB, E

Spoof intelligence may be incorrectly marking the partner domain as spoofed.

Why this answer

Option E is correct because you can create an Allow entry in the Tenant Allow/Block List to explicitly allow emails from the partner domain. Option B is correct because reviewing the anti-phishing policy's spoof intelligence settings can help identify whether the system is misclassifying the domain. Option A is wrong because the Anti-Spam policy is not the cause; the issue is likely in the anti-phishing or spoof settings.

Option D is wrong because disabling spam filtering is too aggressive and not recommended. Option C is wrong because the issue is with inbound filtering, not outbound.

251
Multi-Selecthard

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that detects when a user signs in from an unknown IP address and then downloads a large number of files. Which THREE components should you configure?

Select 3 answers
A.IP address range category
B.Scope (users and groups)
C.Anomaly detection policy template
D.Session policy
E.Alert settings
AnswersB, C, E

Specifies which users to monitor.

Why this answer

Options B, C, and E are correct because an anomaly detection policy requires a template, scope (users/groups), and alert settings. Option A is wrong because the IP range is defined in the policy template itself, not separately. Option D is wrong because a session policy is used for real-time control, not detection.

252
MCQeasy

Refer to the exhibit. You deploy this configuration profile to Windows devices. What is the most likely outcome?

A.Automated investigation will be triggered for alerts with severity Medium and above, and email notifications will be sent to admin@contoso.com.
B.Automated investigation will be triggered only for alerts with severity High, and email notifications will be sent to all admins.
C.Automated investigation will be disabled, and email notifications will be sent to admin@contoso.com.
D.Automated investigation will be triggered for all alerts regardless of severity, and no email notifications will be sent.
AnswerA

The configuration enables automated investigation for Medium severity and above, and enables email notifications.

Why this answer

Option A is correct because the configuration enables automated investigation and sets the minimum alert severity to Medium, meaning automated investigation will trigger for alerts of severity Medium or higher. Option B is wrong because it says High or higher. Option C is wrong because the configuration enables automated investigation, not disables.

Option D is wrong because it says all alerts regardless of severity, which is not what is configured.

253
Multi-Selectmedium

Your organization uses Microsoft Defender for Cloud Apps. You want to control the use of personal cloud storage apps. Which TWO actions should you take?

Select 2 answers
A.Create a DLP policy to prevent sharing of sensitive data to personal cloud storage apps.
B.Create a conditional access policy to require managed apps for cloud storage.
C.Block all personal cloud storage apps using Defender for Cloud Apps.
D.Create a session policy to monitor and control downloads to personal cloud storage apps.
E.Use app governance to monitor and control app permissions.
AnswersD, E

Session policies can monitor and restrict activities within cloud apps in real time.

Why this answer

Options D and E are correct because you can use app governance to control app permissions and session policies to monitor downloads. Option C is wrong because blocking all personal storage apps might be too restrictive and not granular. Option A is wrong because DLP policies do not control app usage.

Option B is wrong because a conditional access policy can require app protection but does not directly control cloud app usage.

254
MCQeasy

You need to configure Microsoft Defender for Cloud Apps to detect anomalous user behavior such as impossible travel. Which type of policy should you create?

A.Access policy
B.Session policy
C.Anomaly detection policy
D.File policy
AnswerC

Anomaly detection policies use machine learning to detect unusual behavior like impossible travel.

Why this answer

Option C is correct because an anomaly detection policy detects impossible travel, unusual activity, etc. Option D is wrong because file policies handle data protection. Option B is wrong because session policies control real-time access.

Option A is wrong because access policies control access conditions.

255
MCQeasy

A security administrator needs a single console to investigate and respond to a complex incident involving alerts from endpoints, email, and identities. Which Microsoft portal should they use?

A.Microsoft 365 Defender portal
B.Microsoft Sentinel
C.Microsoft Defender for Cloud
D.Microsoft 365 compliance center
AnswerA

This portal provides a unified incident management view across Microsoft Defender XDR products, correlating alerts from multiple domains.

Why this answer

The Microsoft 365 Defender portal (security.microsoft.com) is the correct choice because it provides a unified incident management console that correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. This allows the security administrator to investigate and respond to a complex incident spanning endpoints, email, and identities from a single pane of glass, leveraging automated investigation and response (AIR) capabilities.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with the Microsoft 365 Defender portal (an XDR console), assuming that any security investigation must go through a SIEM, but the question specifically asks for the single console that natively correlates alerts from endpoints, email, and identities without additional data ingestion setup.

How to eliminate wrong answers

Option B is wrong because Microsoft Sentinel is a cloud-native SIEM/SOAR platform that ingests logs from multiple sources, but it is not the single console designed for native XDR incident correlation across Microsoft 365 Defender workloads; it requires additional configuration and data connectors to unify alerts from endpoints, email, and identities. Option C is wrong because Microsoft Defender for Cloud is focused on securing cloud workloads (IaaS, PaaS, and data services) and does not natively integrate email and identity alerts from Microsoft 365 Defender. Option D is wrong because the Microsoft 365 compliance center is designed for data governance, eDiscovery, and compliance management, not for real-time security incident investigation and response.

256
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint Online within 10 minutes. This activity should be considered anomalous. Which type of policy should you create?

A.Cloud Discovery policy
B.Activity policy
C.Session policy
D.App discovery policy
AnswerB

Activity policies can detect anomalous activities like multiple file downloads.

Why this answer

Option B is correct because Activity policies in Defender for Cloud Apps can detect anomalous activities based on thresholds, such as multiple file downloads. Option D is wrong because App discovery policies are used to discover shadow IT. Option A is wrong because Cloud Discovery policies are for discovering cloud app usage.

Option C is wrong because Session policies control sessions in real time; they do not alert on historical activity.

257
MCQhard

You are a security administrator for a large enterprise with 10,000 users. The company uses Microsoft 365 E5 licenses, which include Microsoft Defender XDR. The company has recently experienced a series of ransomware attacks where attackers gained initial access through phishing emails, then moved laterally using compromised credentials, and finally deployed ransomware on file servers. The CISO wants to implement a comprehensive defense strategy that reduces the attack surface and automates response. The requirements are: 1) Prevent phishing emails from reaching users, especially those targeting executives. 2) Detect and block lateral movement using compromised credentials. 3) Automatically contain compromised devices during an incident. 4) Provide a unified incident view across email, endpoints, and identities. You need to recommend a solution that meets all requirements with minimal manual effort. What should you do?

A.Configure Microsoft Defender XDR by enabling Defender for Office 365 with anti-phish and impersonation protection, Defender for Identity, and Defender for Endpoint with automated investigation and response.
B.Use Microsoft Purview to classify and protect sensitive data, and configure data loss prevention policies to block ransomware.
C.Deploy Microsoft Sentinel and create analytics rules to detect phishing, lateral movement, and ransomware. Configure automated playbooks to contain devices.
D.Upgrade to Microsoft Entra ID P2 and enable Identity Protection for risky sign-ins and user risk. Use Conditional Access to block access from compromised devices.
AnswerA

Defender XDR meets all requirements: anti-phish, lateral movement detection, automatic containment, unified incident view.

Why this answer

Option A is correct because Microsoft Defender XDR integrates Defender for Office 365 (for anti-phish with impersonation protection), Defender for Identity (for detecting lateral movement), Defender for Endpoint (for automatic containment), and provides a unified incident view. Option C is wrong because Microsoft Sentinel alone does not include all the required protections. Option B is wrong because Microsoft Purview is for compliance, not security.

Option D is wrong because Microsoft Entra ID P2 lacks endpoint and email protection.

258
MCQmedium

Refer to the exhibit. What is the effect of this session policy?

A.Allows viewing but blocks downloading files on managed devices
B.Blocks all access to SharePoint and OneDrive from unmanaged native clients only
C.Blocks upload of files to SharePoint Online and OneDrive from unmanaged devices
D.Blocks download of files from SharePoint Online and OneDrive on unmanaged devices
AnswerD

The policy blocks download actions.

Why this answer

Option D is correct because the policy blocks download actions for SharePoint Online and OneDrive for Business when accessed from browsers or native clients on unmanaged devices. Option C is wrong because the policy blocks download, not upload. Option B is wrong because the policy applies to both browsers and native clients.

Option A is wrong because the policy blocks downloads, not viewing.

259
MCQeasy

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for SaaS applications. Which Microsoft 365 security solution provides this capability?

A.Microsoft Defender for Identity
B.Microsoft Defender for Cloud Apps
C.Microsoft Defender for Office 365
D.Microsoft Defender for Endpoint
AnswerB

Automatic attack disruption is part of Defender for Cloud Apps.

Why this answer

Option B is correct because automatic attack disruption is a feature of Microsoft Defender for Cloud Apps that can stop attacks in SaaS applications. Option D is wrong because Microsoft Defender for Endpoint focuses on endpoints. Option C is wrong because Microsoft Defender for Office 365 focuses on email and collaboration.

Option A is wrong because Microsoft Defender for Identity focuses on on-premises Active Directory.

260
Multi-Selecthard

You are configuring Microsoft Defender for Identity. Which THREE capabilities does it provide?

Select 3 answers
A.Scanning of email attachments for malware.
B.Detection of compromised accounts through behavioral analytics.
C.Detection of reconnaissance activities such as LDAP enumeration.
D.Creation of data loss prevention (DLP) policies.
E.Detection of lateral movement between domain-joined machines.
AnswersB, C, E

Defender for Identity uses behavioral analytics to identify compromised accounts.

Why this answer

Options B, C, and E are correct because Defender for Identity provides detection of compromised accounts, reconnaissance activities, and lateral movement. Option A is wrong because email scanning is done by Defender for Office 365. Option D is wrong because DLP policies are in Microsoft Purview.

261
MCQmedium

You manage Microsoft Defender for Endpoint. A device is showing as 'Inactive' in the device inventory. The device is turned on and connected to the network. What is the most likely cause?

A.The device is turned off
B.A firewall is blocking communication with the Microsoft Defender for Endpoint cloud service
C.The Microsoft Defender for Endpoint sensor is not reporting
D.The onboarding script was not run successfully
AnswerC

If the sensor stops reporting, the device shows as inactive.

Why this answer

Option C is correct because the sensor needs to communicate regularly; if it does not, the device shows as inactive. Option A is wrong because the device is on. Option B is wrong because a firewall might block communication, but sensor communication usually uses HTTPS.

Option D is wrong because the onboarding script is only for initial setup.

262
Multi-Selectmedium

You are a Microsoft 365 administrator for a multinational organization. You are implementing Microsoft Defender XDR to provide centralized threat management across multiple domains. Which three of the following capabilities are core components of Microsoft Defender XDR? (Choose three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Entra ID Governance
E.Microsoft Purview Information Protection
F.Microsoft Intune Device Enrollment

Why this answer

Microsoft Defender XDR is a unified pre- and post-breach enterprise defense suite that natively integrates signals from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. These three components are the core pillars that provide endpoint detection and response (EDR), email and collaboration protection, and identity threat detection, respectively, enabling automated incident correlation and remediation across the kill chain.

Exam trap

The trap here is that candidates often confuse Microsoft Purview Information Protection or Microsoft Intune with security detection components, but they are governance/compliance and management tools, respectively, not part of the Defender XDR suite.

263
MCQmedium

You are investigating a phishing campaign targeting your organization. In Microsoft Defender XDR, you run a KQL query in Advanced Hunting to find all email messages that contain a specific phishing URL. Which table should you query?

A.EmailUrlInfo
B.EmailAttachmentInfo
C.UrlClickEvents
D.EmailEvents
AnswerA

EmailUrlInfo contains URL information from email messages.

Why this answer

Option A is correct because the EmailUrlInfo table contains URL information from email messages, including URLs that can be used to identify phishing links. Option D (EmailEvents) contains email delivery events but not URL details. Option B (EmailAttachmentInfo) contains attachment info.

Option C (UrlClickEvents) contains click events, not email-level URL info.

264
MCQmedium

A security administrator needs to block outbound network connections from a compromised Windows device to a known malicious IP address. The solution should be configured in Microsoft Defender for Endpoint and must work at the network layer, not relying on a user-installed client. Which feature should the administrator enable?

A.Attack surface reduction (ASR) rules
B.Custom detection rules (advanced hunting)
C.Network protection
D.Web protection (web threat protection)
AnswerC

Network protection uses the Windows Defender Firewall to block outbound connections to malicious IPs and domains, as defined by Microsoft threat intelligence.

Why this answer

Option C, Network protection, is correct because it is a Microsoft Defender for Endpoint feature that blocks outbound connections to malicious IP addresses and domains at the network layer, using the Windows Filtering Platform (WFP) to enforce policies without requiring a user-installed client. This ensures the block applies system-wide, even if the device is compromised, as it operates before the TCP/IP stack processes the connection.

Exam trap

The trap here is that candidates often confuse Network protection with Web protection, mistakenly thinking Web protection can block IP-based outbound connections, when in fact Web protection only filters HTTP/HTTPS traffic based on URL reputation and does not operate at the network layer for arbitrary IP addresses.

How to eliminate wrong answers

Option A is wrong because Attack surface reduction (ASR) rules are designed to block specific behaviors (e.g., script execution, Office macro abuse) at the endpoint, not to block outbound network connections to a specific IP address. Option B is wrong because Custom detection rules (advanced hunting) only create alerts based on queries against telemetry data; they do not actively block network traffic. Option D is wrong because Web protection (web threat protection) focuses on blocking malicious URLs and web content based on reputation, not on blocking outbound connections to a known malicious IP address at the network layer.

265
MCQmedium

A security analyst needs to search for devices that have been communicating with a known malicious command-and-control server over the past 7 days. The analyst wants to identify the process that initiated the connection. Which advanced hunting query would be most efficient?

A.DeviceNetworkEvents | where RemoteIP == 'malicious IP' and Timestamp > ago(7d) | project DeviceName, InitiatingProcessFileName, Timestamp
B.DeviceProcessEvents | where ProcessId in (select ProcessId from DeviceNetworkEvents where RemoteIP == 'malicious IP' and Timestamp > ago(7d)) | project DeviceName, ProcessFileName, Timestamp
C.DeviceNetworkEvents | where Timestamp > ago(7d) | join DeviceProcessEvents on ProcessId | where RemoteIP == 'malicious IP' | project DeviceName, ProcessFileName, Timestamp
D.IdentityLogonEvents | where IPAddress == 'malicious IP' | project DeviceName, Timestamp
AnswerA

Correct. This query directly retrieves the required fields from DeviceNetworkEvents, which already contains the initiating process name.

Why this answer

Option A is correct because DeviceNetworkEvents contains network connection data including the remote IP and the initiating process details. Filtering by RemoteIP and Timestamp directly retrieves the required information without unnecessary joins or subqueries, making it the most efficient query for identifying the process that initiated the connection to a known malicious C2 server.

Exam trap

The trap here is that candidates may choose Option C thinking a join is necessary to get process details, but DeviceNetworkEvents already includes the initiating process name, making the join redundant and inefficient.

How to eliminate wrong answers

Option B is wrong because it uses a subquery on DeviceNetworkEvents to get ProcessIds, but DeviceProcessEvents does not contain network connection data; it focuses on process creation events, so it cannot directly identify processes that initiated network connections. Option C is wrong because it performs a join on ProcessId after filtering by Timestamp, which is inefficient and may return incorrect results if ProcessId is not unique across tables; it also filters RemoteIP after the join, processing more data than necessary. Option D is wrong because IdentityLogonEvents tracks authentication events, not network connections, and IPAddress in this table refers to the logon source IP, not the destination IP of a C2 server.

266
Multi-Selectmedium

A security administrator needs to block unsanctioned cloud apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps components must be configured?

Select 2 answers
A.Cloud Discovery
B.Conditional Access App Control
C.App governance
D.Session control policies
AnswersB, D

This component enables the reverse proxy for real-time session control.

Why this answer

Conditional Access App Control (B) is the reverse proxy component in Microsoft Defender for Cloud Apps that enforces real-time session-level monitoring and control of cloud app access. Session control policies (D) are the specific policy objects that define the actions (e.g., block download, block access) applied through that reverse proxy. Together, they enable blocking unsanctioned cloud apps in real time by intercepting user traffic via the reverse proxy architecture.

Exam trap

The trap here is that candidates confuse Cloud Discovery (which only detects unsanctioned apps via log analysis) with the real-time blocking capability, or they assume App governance provides reverse proxy controls when it actually focuses on OAuth app permissions and lifecycle management.

267
Multi-Selectmedium

Your organization uses Microsoft Defender XDR. You need to configure automatic response actions for a high-severity incident. Which TWO options are available in the Microsoft Defender XDR automated investigation and response capabilities?

Select 2 answers
A.Create a mailbox rule to delete suspicious emails
B.Isolate a device from the network
C.Collect an investigation package from a device
D.Delegate mailbox permissions
E.Reset user passwords
AnswersB, C

Device isolation is a supported action.

Why this answer

Correct: B and C. Automated investigation can initiate device isolation and collect investigation packages. Option D is wrong because mailbox delegation is not automated.

Option E is wrong because resetting passwords is not an automated response action. Option A is wrong because creating a mailbox rule is not an automated action.

268
MCQmedium

You are configuring Microsoft Defender for Cloud Apps to detect anomalous behavior. You need to set up a policy that triggers an alert when a user downloads more than 100 files from SharePoint Online in 10 minutes. Which policy template should you use?

A.Activity from anonymous IP addresses
B.Impossible travel
C.Malware detection
D.Ransomware detection
E.Unusual file sharing by user
AnswerA

This template can be configured for high download rates.

Why this answer

Option A is correct because the 'Activity from anonymous IP addresses' template is used to detect unusual download volumes. Option B is wrong because 'Impossible travel' is for geographic anomalies. Option E is wrong because 'Unusual file sharing by user' is for sharing to external users.

Option C is wrong because 'Malware detection' is for malware. Option D is wrong because 'Ransomware detection' is for ransomware.

269
MCQhard

Your organization has Microsoft Defender for Endpoint deployed. You are investigating a potential ransomware incident. The device timeline shows a series of events: a user downloaded a malicious attachment from an email, which then executed a script that encrypted files and attempted to propagate to other devices via SMB. You need to configure a custom detection rule to alert on similar behavior in the future. Which KQL query should you use as a basis?

A.DeviceFileEvents | where FileName endswith '.encrypted'
B.DeviceLogonEvents | where LogonType == 3
C.DeviceRegistryEvents | where RegistryKey contains 'Run'
D.DeviceProcessEvents | join DeviceNetworkEvents on DeviceId
AnswerD

Combines process creation and network events to detect script execution followed by SMB propagation.

Why this answer

Option D is correct because DeviceProcessEvents can capture process creation events (script execution) and DeviceNetworkEvents can capture SMB outbound connections, allowing correlation of initial script execution with later network propagation. Option A is wrong because DeviceFileEvents captures file modifications but not process or network events. Option C is wrong because DeviceRegistryEvents captures registry changes.

Option B is wrong because DeviceLogonEvents captures logon activity.

270
MCQmedium

You are a security administrator. You need to configure a policy that automatically blocks sign-ins from anonymous IP addresses for all users in your Microsoft 365 tenant. Which policy should you configure in Microsoft Entra ID?

A.Password protection policy
B.Conditional Access policy with user risk condition
C.Conditional Access policy with sign-in risk condition
D.Identity Protection user risk policy
AnswerC

Sign-in risk includes anonymous IP address detection.

Why this answer

Option C is correct because Conditional Access policies can block anonymous IP sign-ins. Option D is wrong because Identity Protection detects but doesn't block. Option A is wrong because password protection doesn't control sign-in.

Option B is wrong because it's for user risk.

271
MCQmedium

A security administrator needs to configure a policy that automatically blocks high-confidence phishing emails in Microsoft Defender for Office 365. The policy should be applied to all users in the finance department. The administrator wants to ensure that if an email is determined to be high-confidence phishing, it is quarantined and the user is not notified. Which type of policy should the administrator configure?

A.Anti-phishing policy
B.Safe Attachments policy
C.Anti-spam policy
D.Safe Links policy
AnswerA

Anti-phishing policies can quarantine high-confidence phishing emails.

Why this answer

Option A is correct because Anti-phishing policies in Defender for Office 365 can be configured to take action on high-confidence phishing emails, such as quarantining them. Option D is wrong because Safe Links policies protect against malicious URLs, not the overall email classification. Option B is wrong because Safe Attachments policies handle malicious attachments.

Option C is wrong because Anti-spam policies handle spam, not high-confidence phishing.

272
MCQhard

You are investigating an incident in Microsoft 365 Defender. The incident involves a user who received a malicious link in an email and clicked it. The link led to a credential phishing page. You need to identify which user accounts might have been compromised. Which Microsoft 365 Defender feature should you use?

A.Live Response
B.Investigation package
C.File investigation
D.Action center
AnswerB

The investigation package includes details on compromised accounts.

Why this answer

Option B is correct because the investigation package contains evidence for compromised accounts. Option D is wrong because it's for automated actions. Option A is wrong because it's for device investigation.

Option C is wrong because it's for file investigation.

273
MCQmedium

Your organization uses Microsoft Defender for Endpoint. You need to collect investigation packages from multiple devices for forensic analysis. What is the most efficient method?

A.Use the central investigations feature to collect packages from multiple devices.
B.Use the Microsoft 365 Defender portal's forensic collection tool.
C.Initiate a Live Response session on each device.
D.Run a manual collection from each device's page.
AnswerA

Central investigations allow bulk collection.

Why this answer

Option A is correct because the central investigations feature allows you to collect packages from multiple devices in one action. Option D is wrong because the device page only handles one device. Option C is wrong because a Live Response session is manual and one device at a time.

Option B is wrong because the Microsoft 365 Defender portal does not have a dedicated forensic collection tool.

274
MCQeasy

Your organization uses Microsoft Defender XDR. You need to configure automated investigation and response (AIR) for email and collaboration content. Which policy type should you configure in the Microsoft 365 Defender portal?

A.Attack simulation training
B.Safe attachments policies
C.Quarantine policies
D.Automated investigation and response
AnswerD

This policy enables AIR for email and collaboration.

Why this answer

Option D is correct because AIR for email is configured via the 'Automated investigation and response' policy within Email & collaboration policies. Option A is wrong because attack simulation training is for phishing simulations. Option C is wrong because quarantine policies manage quarantined messages.

Option B is wrong because safe attachments policies are part of anti-malware settings.

275
MCQhard

You run the KQL query in Microsoft Defender XDR. The query returns a list of users who logged into Exchange Online more than 10 times in the last day from a single IP address. However, you notice that some IP addresses are internal corporate IPs. What should you add to the query to focus on suspicious logons from external IPs?

A.Add a line: | where IPAddress !startswith "10."
B.Add a line: | where Application == "Outlook Web App"
C.Add a line: | summarize by Application
D.Add a line: | where TotalLogons > 50
E.Add a line: | sort by TotalLogons desc
AnswerA

This filters out internal IPs in the 10.0.0.0/8 range.

Why this answer

Option A is correct because the query should filter by an IP range that excludes internal corporate IPs. Option B is wrong because filtering by Application would not exclude internal IPs. Option C is wrong because summarizing by Application is unnecessary.

Option D is wrong because filtering by TotalLogons > 10 already exists. Option E is wrong because sorting does not exclude internal IPs.

276
MCQhard

Your organization has Microsoft Defender for Cloud Apps (MCAS) deployed. You need to create a policy that automatically blocks downloads of files classified as 'Highly Confidential' from SharePoint Online to unmanaged devices. Which policy type should you use?

A.Access policy
B.Activity policy
C.App discovery policy
D.Session policy
AnswerD

Uses reverse proxy to control actions in real-time.

Why this answer

Option D is correct because a session policy uses the reverse proxy to monitor and control user actions in real time, allowing downloads to be blocked based on device state. Option A is wrong because an access policy controls sign-in conditions, not file downloads. Option B is wrong because an activity policy monitors activities but does not block in real time.

Option C is wrong because an app discovery policy identifies shadow IT; it does not control file downloads.

277
Drag & Dropmedium

Drag and drop the steps to configure a compliance retention policy in Microsoft Purview in the correct order.


Why this order

Retention policies are created in Purview, locations selected, retention settings defined, and then published.

278
MCQmedium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. You need to investigate which user account is potentially compromised. Which tool should you use to correlate the alert with user activity?

A.Microsoft Defender XDR portal
B.Microsoft Intune admin center
C.Microsoft Purview compliance portal
D.Microsoft Entra admin center
AnswerA

This provides unified incident view across Defender products.

Why this answer

Option A is correct because Microsoft Defender XDR provides a unified incident view that correlates alerts from Defender for Identity with user and device information. Option C is wrong because the Microsoft Purview compliance portal is for compliance, not security investigation. Option B is wrong because it manages endpoints, not identity alerts.

Option D is wrong because it is for identity governance, not security incident correlation.

279
MCQmedium

A security administrator wants to block users from uploading files to personal cloud storage apps (e.g., Dropbox) from managed Windows devices, while allowing access from compliant mobile devices. Which Microsoft 365 Defender feature should be used?

A. Microsoft Defender for Endpoint Attack Surface Reduction rules
B. Microsoft Defender for Cloud Apps session policy
C. Microsoft Defender for Office 365 Safe Attachments
D. Microsoft Defender for Identity
Answer: B

Session policies allow granular control of user sessions in SaaS apps, including blocking file uploads based on device compliance.

Why this answer

Microsoft Defender for Cloud Apps session policies use reverse proxy architecture to monitor and control user activities in real time. By configuring a session policy with the 'Block' action for the 'Upload file' activity on managed Windows devices, the administrator can prevent file uploads to personal cloud storage apps like Dropbox. Conditional Access App Control enforces this policy based on device compliance, allowing compliant mobile devices to bypass the block.

Exam trap

The trap here is that candidates confuse host-level ASR rules (Option A) with cloud-level session policies, failing to recognize that ASR rules cannot enforce conditional access based on device compliance or control uploads to specific cloud apps.

How to eliminate wrong answers

Option A is wrong because Attack Surface Reduction rules are host-level controls that block specific behaviors (e.g., Office apps creating child processes) but cannot differentiate between managed and unmanaged devices or enforce conditional access based on device compliance for cloud app uploads. Option C is wrong because Safe Attachments is a feature of Defender for Office 365 that scans email attachments for malware in a sandbox environment; it does not control user uploads to third-party cloud storage apps. Option D is wrong because Defender for Identity monitors on-premises Active Directory for identity-based threats (e.g., Kerberoasting, pass-the-hash) and has no capability to block file uploads to cloud apps.

280
MCQ · hard

A security administrator notices that users are receiving phishing emails that evade built-in anti-spam filters. The administrator wants to enable users to report these suspicious emails from Outlook and have them automatically trigger an investigation and block the sender. Which feature should be configured in Microsoft Defender for Office 365?

A. Attack simulation training
B. Threat Explorer
C. User reported settings in the Microsoft 365 Defender portal
D. Safe Links
Answer: C

These settings can be configured to route reported messages for automated investigation and automatically block senders detected as malicious.

Why this answer

User reported settings in the Microsoft 365 Defender portal allow administrators to configure how user-reported messages are handled. When enabled, users can report suspicious emails directly from Outlook, and these reports can automatically trigger an investigation and block the sender via automated investigation and response (AIR) policies. This directly addresses the requirement to have user-reported emails initiate security actions.

Exam trap

The trap here is that candidates often confuse user reporting features with attack simulation training or threat hunting tools, not realizing that the specific setting to enable automated investigation and blocking from user reports is found in the User reported settings within the Microsoft 365 Defender portal.

How to eliminate wrong answers

Option A is wrong because Attack simulation training is a tool for creating and launching simulated phishing campaigns to train users, not for handling real user-reported emails or triggering automated investigations. Option B is wrong because Threat Explorer is a real-time reporting and investigation tool for analyzing threats, but it does not provide a mechanism for users to report emails or automatically block senders based on user reports. Option D is wrong because Safe Links is a time-of-click protection feature that scans URLs in emails and Office documents, but it does not enable user reporting or automated investigation workflows.

281
MCQ · medium

Your organization is a multinational company with 10,000 users. You use Microsoft Defender for Office 365 Plan 2, Microsoft Defender for Endpoint Plan 2, Microsoft Defender for Cloud Apps, and Microsoft Defender for Identity. Recently, a sophisticated phishing campaign targeted your executives. The campaign used personalized emails with malicious links that bypassed Safe Links protection. Several executives clicked the links and entered their credentials on a fake login page. The attackers then used those credentials to access the executives' mailboxes and exfiltrate sensitive data. You need to implement a solution that prevents similar attacks in the future by automatically blocking access to newly discovered phishing sites and providing real-time protection when users click unknown URLs. The solution should also allow you to simulate phishing campaigns to train users. What should you do?

A. Create a Safe Links policy that blocks all URLs from domains not in the allowed list.
B. Deploy Safe Attachments policies with dynamic delivery and enable 'Automatic forwarding of attachments' for unknown files.
C. Add the known phishing domain to the Tenant Allow/Block List and block it.
D. Configure Attack Simulation Training in Microsoft 365 Defender, create a simulated phishing campaign targeting executives, and use the training to educate users on reporting phishing. Additionally, ensure Safe Links policy uses the 'Do not allow users to click through to the original URL' option and enable 'URL detonation' for unknown URLs.
Answer: D

Attack Simulation Training combined with Safe Links detonation provides proactive protection and user education.

Why this answer

Option A is correct because Attack Simulation Training allows you to create and run phishing campaigns to educate users, and it integrates with Defender for Office 365 to improve detection. Option B is wrong because Safe Attachments handles attachments, not URLs. Option C is wrong because Safe Links already failed to protect; the issue is that the phishing site was new.

Option D is wrong because tenant allow/block list is reactive, not proactive.

282
Multi-Select · hard

A security administrator needs to discover which cloud apps are being used in the organization and then block usage of unsanctioned apps in real time using a reverse proxy. Which two Microsoft Defender for Cloud Apps features must be configured to meet these requirements? (Select all that apply.)

Select 2 answers
A. Cloud Discovery
B. App Connectors
C. Conditional Access App Control
D. API connectors
Answers: A, C

Cloud Discovery identifies cloud apps being used in the organization.

Why this answer

Cloud Discovery (A) is correct because it analyzes traffic logs from your network to identify all cloud apps in use, providing visibility into sanctioned and unsanctioned apps. Conditional Access App Control (C) is correct because it enforces real-time access controls via a reverse proxy, allowing you to block unsanctioned apps as users attempt to access them.

Exam trap

The trap here is confusing App Connectors/API connectors (which provide API-based control for specific apps) with the reverse proxy and discovery capabilities of Cloud Discovery and Conditional Access App Control, leading candidates to select options that manage existing apps rather than discover and block unsanctioned ones.

283
Multi-Select · hard

Your organization uses Microsoft Defender for Cloud Apps. You need to detect and block the use of a newly discovered cloud app that is classified as 'high risk' by the Cloud App Catalog. Which THREE actions should you take? (Choose three.)

Select 3 answers
A. Create a session policy to block downloads or uploads for the app.
B. Create an access policy to block access for the app.
C. Sanction the app in the Cloud App Catalog.
D. Create an app discovery policy for the app.
E. Unsanction the app in the Cloud App Catalog.
Answers: A, B, C

Session policies can control actions in real time.

Why this answer

A, B, and D are correct. Sanctioning the app is required to apply policies. A session policy can block uploads/downloads.

An access policy can block access. C is wrong because unsanctioning the app alone does not block it; policies must be enforced. E is wrong because the app discovery policy only identifies apps, not blocks them.

284
Multi-Select · hard

A security analyst is investigating a potential attack where a user received a malicious email with an HTML attachment. The HTML file, when opened, fetched a JavaScript payload from a remote server that then dropped a binary on the user's machine and executed it. The analyst wants to create a custom detection rule in Microsoft 365 Defender Advanced Hunting that alerts when an email contains an HTML attachment with an external link, and that attachment is opened, causing a process creation. Which two tables should the analyst join in the KQL query to correlate the email attachment with the resulting process?

Select 2 answers
A. EmailAttachmentInfo and DeviceProcessEvents
B. EmailEvents and DeviceProcessEvents
C. EmailAttachmentInfo and DeviceFileEvents
D. EmailUrlInfo and DeviceProcessEvents
Answers: A, B

Correct. Join these tables on the SHA256 hash of the attachment to link the email attachment to a specific process that was created after the attachment was opened.

Why this answer

Option A is correct because the analyst needs to correlate the email attachment (identified by its SHA256 hash in EmailAttachmentInfo) with the process creation event (DeviceProcessEvents) that occurs when the HTML attachment is opened and executes a binary. Joining these two tables on the SHA256 hash of the attachment allows the query to trace from the malicious email attachment directly to the resulting process on the same device, fulfilling the detection requirement.

Exam trap

The trap here is that candidates often confuse EmailEvents (email metadata) with EmailAttachmentInfo (attachment details), or mistakenly think DeviceFileEvents (file events) can substitute for DeviceProcessEvents (process creation), when only the hash-based join between EmailAttachmentInfo and DeviceProcessEvents directly links the attachment to its execution.
