CCNA Design security operations, identity, and compliance capabilities Questions

6 of 231 questions · Page 4/4 · Design security operations, identity, and compliance capabilities · Answers revealed

226
MCQ · hard

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to create an analytics rule in Sentinel that triggers an incident when a device is reported as 'high risk' by MDE. Which data source and rule type should you use?

A. Microsoft Sentinel's Anomalous Activity rule
B. Microsoft 365 Defender connector with an NRT query rule
C. Microsoft Defender XDR connector with a Scheduled query rule
D. Microsoft Defender for Cloud connector with a Fusion rule
Answer: C

The XDR connector ingests MDE alerts and device information; a scheduled query rule can then detect the high-risk condition.

Why this answer

The Microsoft Defender XDR connector ingests alerts from Microsoft Defender for Endpoint (MDE) into Sentinel. A Scheduled query rule is required to run a KQL query at a defined interval (e.g., every 5 minutes) that checks for devices with a 'high risk' severity level in the ingested alert data. This combination allows you to create an incident when MDE reports a device as high risk.

Exam trap

The trap here is confusing the Microsoft Defender XDR connector (which covers MDE, MDO, MDI, and MDCA) with the Microsoft 365 Defender connector (which is deprecated or used for legacy scenarios), leading candidates to incorrectly choose Option B.

How to eliminate wrong answers

Option A is wrong because Anomalous Activity rules use machine learning to detect unusual patterns in time-series data, not to trigger on a specific static alert severity like 'high risk' from MDE. Option B is wrong because the Microsoft 365 Defender connector is used for Microsoft 365 Defender (formerly Microsoft Threat Protection) alerts, not for MDE alerts directly; also, NRT (near-real-time) query rules are designed for low-latency scenarios but require a specific connector (Microsoft Defender XDR) for MDE data. Option D is wrong because the Microsoft Defender for Cloud connector ingests security alerts from Azure and hybrid workloads, not from MDE endpoint devices; Fusion rules correlate multiple alert types across different products, not a single static condition.

227
Multi-Select · hard

A company uses Microsoft Intune to manage devices. They need to ensure that only compliant devices can access corporate email. They plan to use Conditional Access in Microsoft Entra ID. Which THREE components must be configured?

Select 3 answers
A. Device registration in Entra ID
B. Conditional Access policy in Entra ID
C. Windows Autopilot deployment profile
D. Compliance policy in Intune
E. Configuration profile in Intune
Answers: A, B, D

Devices must be registered to be evaluated.

Why this answer

Device registration in Entra ID (A) is required because Conditional Access policies evaluate device compliance based on the device's identity in Entra ID. Without registration, the device lacks a unique identity that Entra ID can assess for compliance status, making it impossible to enforce access controls based on device state.

Exam trap

The trap here is that candidates often confuse Configuration profiles (which apply settings) with Compliance policies (which define security requirements), leading them to incorrectly select Configuration profile instead of Compliance policy for enforcing device-based access control.

228
MCQ · easy

Refer to the exhibit. You configure this mail flow rule in Exchange Online. What happens to emails with 'FREE' in the subject?

A. Emails are deleted
B. Emails have a custom header added
C. Emails are moved to the Junk Email folder
D. Emails are blocked and not delivered
Answer: C

Marking as spam in Exchange Online typically moves the email to the Junk Email folder.

Why this answer

The mail flow rule is configured to add the header 'X-CustomHeader' with the value 'Free' to emails that have 'FREE' in the subject. However, the rule also has the action 'Increase the spam confidence level (SCL) to 9', which causes Exchange Online to treat the message as high-confidence spam. When the SCL is set to 9, Exchange Online automatically moves the email to the Junk Email folder for the recipient, unless a transport rule or mailbox setting overrides this behavior.

Therefore, the emails are neither deleted nor blocked, and the outcome is not merely an added header; they are moved to the Junk Email folder because of the SCL increase.

Exam trap

The trap here is that candidates see the 'add a custom header' action and assume that is the only effect, overlooking that the subsequent 'increase SCL to 9' action takes precedence and causes the email to be moved to the Junk Email folder, making the header addition secondary.

How to eliminate wrong answers

Option A is wrong because the rule does not include a 'Delete the message without notifying anyone' action; it only adds a header and increases the SCL, which does not result in deletion. Option B is wrong because, while the rule does add a custom header ('X-CustomHeader: Free'), this is not the final outcome: the SCL increase to 9 overrides this action by causing the message to be moved to Junk Email, so the primary effect is the junking, not just the header addition. Option D is wrong because the rule does not use a 'Reject the message' action (such as with a non-delivery report or 550 status code); increasing the SCL to 9 does not block delivery but instead routes the message to the Junk Email folder.

229
MCQ · hard

You are a security architect for a large organization that uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Entra ID. The organization has a hybrid identity environment with on-premises Active Directory synchronized to Azure AD. The security team needs to detect and automatically respond to a specific attack pattern: an attacker compromises a user's credentials and then uses a new device to sign in to a critical application from an unusual location. The response should block the user's account for one hour and reset the user's password. You have already configured Microsoft Sentinel to receive sign-in logs from Azure AD. You need to design the detection and automated response. What should you do?

A. Create a Microsoft Sentinel scheduled analytics rule that queries sign-in logs for unusual location and new device, then trigger a playbook to block the user and reset the password.
B. Create a custom detection rule in Microsoft Defender XDR for the attack pattern and configure an automated action to block the user.
C. Enable the Microsoft Entra ID Protection data connector in Microsoft Sentinel, create an analytics rule from the 'Sign-in from new device' template, and configure a playbook to block the user and reset the password.
D. Enable Microsoft Entra ID Protection and configure a risk-based Conditional Access policy to block access and require a password change.
Answer: C

This leverages ID Protection's risk detections and Sentinel's automation capabilities.

Why this answer

Option C is correct because the Microsoft Entra ID Protection connector provides risk detections that can be ingested into Sentinel, and a playbook can be triggered to block the user and reset the password via the Azure AD API. Option D is incorrect because ID Protection alone can detect risky sign-ins, but the requirement is to use Sentinel for detection and response. Option A is incorrect because a scheduled query would be less efficient and would not leverage ID Protection's risk assessments.

Option B is incorrect because custom detection rules are less accurate than ID Protection's machine learning.

230
MCQ · easy

Refer to the exhibit. You are reviewing an ARM template for an Azure storage account. The security team requires that only HTTPS traffic is allowed and that TLS 1.2 is enforced. Does this template meet the requirements?

A. No, because 'minimumTlsVersion' should be 'TLS1_0'
B. No, because 'supportsHttpsTrafficOnly' should be false
C. No, because 'defaultAction': 'Deny' blocks all traffic including HTTPS
D. Yes, the template correctly enforces HTTPS and TLS 1.2
Answer: D

Both properties are set correctly.

Why this answer

Option D is correct because the ARM template sets 'supportsHttpsTrafficOnly' to true, which enforces HTTPS-only traffic, and 'minimumTlsVersion' to 'TLS1_2', which enforces TLS 1.2 as the minimum protocol version. These two properties together fully satisfy the security team's requirement that only HTTPS traffic is allowed and TLS 1.2 is enforced.

Exam trap

The trap here is that candidates may confuse 'defaultAction': 'Deny' in network rules with blocking all traffic, when in fact it only denies traffic that does not match an explicit allow rule, and HTTPS traffic can still be permitted through a separate rule.

How to eliminate wrong answers

Option A is wrong because 'minimumTlsVersion' should be 'TLS1_2', not 'TLS1_0', as 'TLS1_0' would allow older, less secure TLS versions. Option B is wrong because 'supportsHttpsTrafficOnly' should be true to enforce HTTPS-only traffic; setting it to false would allow HTTP traffic. Option C is wrong because 'defaultAction': 'Deny' in a network rule set does not block all traffic including HTTPS; it blocks traffic that does not match an explicit allow rule, and HTTPS traffic can still be allowed via a separate rule.

231
Multi-Select · hard

Your organization uses Microsoft Entra ID and needs to implement a Zero Trust identity strategy. Which THREE principles should you apply?

Select 3 answers
A. Use least privilege access
B. Verify explicitly
C. Trust implicitly
D. Use a single authentication method
E. Assume breach
Answers: A, B, E

Least privilege limits access to only what is needed.

Why this answer

Option A is correct because least privilege access is a core Zero Trust principle that ensures users, devices, and services are granted only the minimum permissions necessary to perform their tasks. In Microsoft Entra ID, this is implemented through features like Privileged Identity Management (PIM), Conditional Access policies, and role-based access control (RBAC) to reduce the attack surface and limit lateral movement.

Exam trap

The trap here is that candidates often confuse 'Trust implicitly' with the legacy perimeter-based security model and select it as a valid principle, or mistakenly think a single authentication method simplifies management, but Zero Trust explicitly rejects both for continuous verification and defense-in-depth.

