CCNA Grc Security Ops Questions

30 questions · Grc Security Ops topic · All types, answers revealed

1 · MCQ · hard

A company is designing a security operations strategy. They want to use Microsoft Sentinel to detect and respond to threats across their hybrid environment. They need to ensure that logs from all sources are collected cost-effectively and that analysts can easily query data. Which data ingestion strategy should they recommend?

A. Send all logs to the Basic logs table to reduce costs.
B. Send only Windows Security Events to Sentinel.
C. Send all logs to the Analytics logs table for full query capabilities.
D. Use Analytics logs for high-value security logs and Basic logs for verbose logs with low security value.

Answer: D

Balances cost and functionality; Basic logs for low-value data, Analytics for actionable data.

Why this answer

Option D is correct because it balances cost and query performance by routing high-value security logs (e.g., Windows Security Events, network logs) to the Analytics logs table for full KQL query capabilities and retention, while sending verbose, low-security-value logs (e.g., DNS debug, firewall flow logs) to the Basic logs table, which offers lower ingestion cost and limited query features (e.g., no KQL summarization). This tiered approach ensures analysts can efficiently hunt on critical data without incurring unnecessary costs for voluminous, less actionable logs.

Exam trap

The trap here is that candidates assume 'cost-effective' means using only the cheapest option (Basic logs) or only the most capable option (Analytics logs), failing to recognize that Microsoft Sentinel’s tiered ingestion model is designed specifically to optimize cost versus query capability by separating high-value and low-value log sources.

How to eliminate wrong answers

Option A is wrong because sending all logs to the Basic logs table would severely limit query capabilities—Basic logs support only simple search and no KQL aggregation functions like summarize or make-series—making threat hunting and advanced analytics impractical. Option B is wrong because sending only Windows Security Events ignores other critical sources like Azure Activity logs, network logs, and third-party security appliances, creating blind spots in the hybrid environment and violating the requirement to detect threats across all sources. Option C is wrong because sending all logs to the Analytics logs table would incur high ingestion and retention costs for verbose logs (e.g., DNS queries, firewall flow logs) that have low security value, contradicting the cost-effectiveness requirement.

2 · MCQ · easy

Refer to the exhibit. A security administrator created this Azure Policy definition to prevent unauthorized role assignments. However, SOC analysts are unable to assign the Security Operations Contributor role to new team members. What is the most likely cause?

A. The policy is scoped to a management group that does not include the SOC team's subscription.
B. The parameter 'principalId' is required but not provided when assigning the policy.
C. The role definition ID in the policy does not match the Security Operations Contributor role.
D. The policy uses the 'deny' effect, which blocks any role assignment for the specified role.

Answer: D

The policy denies assignments of the specified role, preventing SOC analysts from assigning it.

Why this answer

Option D is correct because the Azure Policy definition uses the 'deny' effect, which explicitly blocks any role assignment that matches the specified role definition ID. Since the policy targets the Security Operations Contributor role, any attempt to assign that role—including by SOC analysts—is denied by the policy engine, regardless of permissions.

Exam trap

The trap here is that candidates often confuse Azure Policy's 'deny' effect with RBAC 'deny assignments' or assume the issue is a missing parameter or scope misconfiguration, rather than recognizing that a policy with 'deny' explicitly blocks the action itself.

How to eliminate wrong answers

Option A is wrong because if the policy were scoped to a management group that excludes the SOC team's subscription, the policy would not apply at all, and role assignments would succeed without restriction—so this would not cause the failure. Option B is wrong because the 'principalId' parameter is not required for the policy to evaluate role assignments; it is only used in the 'roleAssignmentResource' alias to match the specific principal, and omitting it would cause the policy to deny all assignments for the role, not fail to assign. Option C is wrong because if the role definition ID did not match, the policy would not apply to Security Operations Contributor assignments, and they would succeed—so a mismatch would not cause the denial.

3 · Multi-Select · medium

A company uses Microsoft Sentinel for threat detection. They want to use User and Entity Behavior Analytics (UEBA) to detect anomalies. Which THREE of the following are key components of UEBA in Sentinel?

Select 3 answers
A. UEBA analytics rules that baseline normal behavior.
B. Playbooks for automated response to anomalies.
C. Anomaly detection based on machine learning models.
D. Azure AD sign-in logs
E. Entity pages that provide a timeline of user activities.

Answers: A, C, E

Baselines are built from historical data to detect deviations.

Why this answer

Option A is correct because UEBA in Microsoft Sentinel relies on analytics rules that establish a baseline of normal behavior for users and entities. These rules use machine learning to detect deviations from the established baseline, enabling the identification of anomalous activities such as unusual sign-in locations or data exfiltration attempts.

Exam trap

The trap here is that candidates confuse supporting data sources (like Azure AD logs) or response mechanisms (like playbooks) with the core UEBA components, which are specifically the analytics rules, machine learning anomaly detection, and entity pages that provide behavioral context.

4 · MCQ · medium

A company uses Microsoft 365 Defender to protect their endpoints, email, and identities. They want to create a custom detection for a specific behavior that is not covered by built-in detections. Which tool should they use?

A. Microsoft Sentinel analytics rules
B. Azure AD Identity Protection user risk policies
C. Custom detection rules in Microsoft 365 Defender
D. Microsoft Defender for Cloud Apps policies

Answer: C

Allows creation of custom KQL queries across data sources within M365 Defender.

Why this answer

Microsoft 365 Defender provides a 'Custom detection' feature under the 'Advanced hunting' section that allows security teams to create custom detection rules based on Kusto Query Language (KQL) queries. This is the correct tool because the question specifies creating a detection for behavior not covered by built-in detections within the Microsoft 365 Defender ecosystem, and custom detection rules are designed exactly for that purpose—they run on a schedule and generate alerts when the custom query matches.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel analytics rules with Microsoft 365 Defender custom detection rules because both use KQL and create alerts, but Sentinel is a separate SIEM product, while the question explicitly asks for a tool within Microsoft 365 Defender.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel analytics rules are used within the Azure Sentinel SIEM platform, not within Microsoft 365 Defender; while they can ingest data from Microsoft 365 Defender, they are not a tool native to the Defender portal for creating detections. Option B is wrong because Azure AD Identity Protection user risk policies focus on user risk levels (e.g., low, medium, high) and are not designed for custom behavioral detection—they use pre-defined risk signals and machine learning models, not custom KQL queries. Option D is wrong because Microsoft Defender for Cloud Apps policies are used for cloud app discovery, session controls, and app permissions, not for creating custom endpoint, email, or identity detections within Microsoft 365 Defender.

5 · MCQ · medium

A company uses Microsoft Defender for Cloud to assess the security posture of their Azure subscriptions. They want to ensure that critical recommendations are automatically remediated. They create a workflow automation that triggers a Logic App for specific recommendations. However, the Logic App fails to run. What is the most likely cause?

A. The managed identity of the Logic App lacks permissions on the target resources.
B. The subscription is not onboarded to Defender for Cloud.
C. Defender for Cloud is disabled for the resource group.
D. The recommendation is disabled in the security policy.

Answer: A

Logic App needs permissions to perform remediation actions.

Why this answer

The most likely cause is that the Logic App's managed identity lacks the necessary permissions on the target Azure resources. Workflow automations in Defender for Cloud use a Logic App that executes remediation actions; if the Logic App's identity (either system-assigned or user-assigned) does not have the required RBAC role (e.g., Contributor or a custom role with specific actions) on the resource scope, the remediation run will fail with an authorization error. This is a common misconfiguration because the automation trigger itself succeeds, but the downstream action fails due to insufficient permissions.

Exam trap

The trap here is that candidates often assume the trigger itself is failing due to a misconfiguration in Defender for Cloud, when in fact the trigger succeeds and the failure is in the Logic App's downstream action due to missing RBAC permissions on the managed identity.

How to eliminate wrong answers

Option B is wrong because if the subscription were not onboarded to Defender for Cloud, the workflow automation trigger would not be available at all, and the Logic App would not even be invoked. Option C is wrong because Defender for Cloud operates at the subscription level, not the resource group level; disabling it for a resource group is not a valid configuration, and the automation trigger is subscription-wide. Option D is wrong because disabling a recommendation in the security policy would prevent the recommendation from appearing and thus prevent the trigger from firing, but the Logic App would not fail to run; it simply would not be triggered.

6 · Multi-Select · hard

A company has a Microsoft Sentinel workspace that ingests data from multiple sources. The SOC team wants to improve the efficiency of investigating incidents by using UEBA capabilities. Which two actions should the team take to enable and configure UEBA in Sentinel?

Select 2 answers
A. Install the UEBA data connector from the Sentinel content hub.
B. Create an analytics rule that uses the UEBA template.
C. Define a time range for entity behavior baselines.
D. Set the entity behavior analytics to 'Active' in the Sentinel configuration.
E. Navigate to Sentinel Settings, select Entity behavior analytics, and enable the feature per workspace.

Answers: D, E

Setting it to 'Active' enables UEBA for the workspace.

Why this answer

Options D and E are correct. Enabling UEBA is done per workspace from Sentinel Settings under Entity behavior analytics (E). Setting the entity behavior analytics to 'Active' enables the feature (D).

Option A is incorrect because UEBA is not a data connector; it's a feature enabled in the workspace settings. Option B is incorrect because UEBA is not enabled through a separate analytics rule; it is enabled at the workspace level. Option C is incorrect because time range selection is not part of enabling UEBA; it's part of analytics rule configuration.

7 · MCQ · easy

A company wants to implement a governance strategy for their Azure environment. They need to enforce tagging standards and restrict deployment to approved regions. Which combination of Azure services should they use?

A. Azure Management Groups and subscriptions
B. Azure RBAC and Azure AD
C. Azure Resource Graph and Azure Monitor
D. Azure Policy and Azure Blueprints

Answer: D

Policy enforces rules; Blueprints package policies, RBAC, and resources.

Why this answer

Azure Policy is the correct service for enforcing tagging standards and restricting deployments to approved regions because it applies rules and effects to resources at creation time and evaluates existing resources for compliance. Azure Blueprints complements this by orchestrating the deployment of policy definitions, role assignments, and resource groups as a single, repeatable package, ensuring consistent governance across subscriptions.

Exam trap

The trap here is that candidates confuse Azure Policy (which enforces rules) with Azure RBAC (which controls permissions), or they assume Management Groups alone can enforce compliance, when in fact Policy is the only service that can block non-compliant resource creation at the API level.

How to eliminate wrong answers

Option A is wrong because Azure Management Groups and subscriptions provide hierarchical organization and management boundaries but do not enforce tagging or region restrictions themselves. Option B is wrong because Azure RBAC controls who can perform actions on resources (authorization) and Azure AD manages identities, neither of which enforces resource-level compliance rules like tags or allowed regions. Option C is wrong because Azure Resource Graph is a query service for exploring resources and Azure Monitor collects telemetry and alerts; neither can enforce or prevent deployment of non-compliant resources.

8 · MCQ · hard

Contoso Ltd. is a multinational organization with a hybrid environment consisting of on-premises Active Directory and Azure AD (now Microsoft Entra ID). They use Microsoft Defender for Cloud Apps, Microsoft Sentinel, and Microsoft 365 Defender. The security operations team has noticed that several high-severity alerts from Microsoft 365 Defender are not being forwarded to Microsoft Sentinel, causing delayed response. The team has confirmed that the data connector between Microsoft 365 Defender and Sentinel is enabled and appears healthy. However, only low-severity alerts appear in Sentinel. Further investigation reveals that the Microsoft 365 Defender portal has a configured rule set that suppresses high-severity alerts for certain users deemed low risk. The security operations manager wants to ensure all high-severity alerts are sent to Sentinel without changing the suppression rules in Microsoft 365 Defender, as those rules are required for operational efficiency. What should the team do to ensure high-severity alerts are ingested into Sentinel?

A. Modify the suppression rules in Microsoft 365 Defender to not suppress high-severity alerts.
B. In the Microsoft 365 Defender data connector in Sentinel, enable the option to include suppressed alerts.
C. Use the Microsoft Graph Security API connector in Sentinel to ingest alerts instead.
D. Create a separate Logic App to fetch high-severity alerts from Microsoft 365 Defender API and send them to Sentinel.

Answer: B

The connector has a setting to include suppressed alerts, which will forward all alerts regardless of suppression status.

Why this answer

Option B is correct because the Microsoft 365 Defender data connector in Microsoft Sentinel includes a configuration setting to 'Include suppressed alerts.' Enabling this option forces Sentinel to ingest all alerts from Microsoft 365 Defender, including those that are suppressed by rule sets in the Defender portal. This satisfies the requirement to forward high-severity alerts without modifying the suppression rules that the operations team relies on for operational efficiency.

Exam trap

The trap here is that candidates assume suppressed alerts are permanently hidden and cannot be ingested, leading them to choose either modifying the suppression rules (Option A) or building a custom workaround (Option D), when in fact the Sentinel connector has a specific toggle to include suppressed alerts.

How to eliminate wrong answers

Option A is wrong because it directly contradicts the requirement to keep the suppression rules unchanged; modifying the rules would break operational efficiency. Option C is wrong because the Microsoft Graph Security API connector ingests alerts from various Microsoft security products but does not bypass the suppression logic applied within Microsoft 365 Defender; suppressed alerts would still be omitted unless the API is specifically configured to include them, which is not a standard option. Option D is wrong because creating a separate Logic App to fetch high-severity alerts via the Microsoft 365 Defender API would be a complex, custom workaround that duplicates functionality already built into the Sentinel connector, and it would still need to handle the suppression flag to retrieve suppressed alerts, making it less efficient and more error-prone than the native connector option.

9 · MCQ · medium

A multinational company is implementing a Zero Trust security model. The security team needs to ensure that all access requests to critical applications are evaluated based on user identity, device health, and real-time risk signals. Which Microsoft solution should they use to centralize policy enforcement?

A. Microsoft Defender for Cloud Apps
B. Microsoft Entra Conditional Access
C. Azure AD Identity Protection
D. Microsoft Purview Compliance Manager

Answer: B

Centralizes policy evaluation based on user, device, and risk signals.

Why this answer

The correct answer is B: Microsoft Entra Conditional Access. It evaluates signals such as user, device, location, and risk to enforce access policies. Option A (Microsoft Defender for Cloud Apps) is a CASB, not a policy enforcement point for authentication.

Option D (Microsoft Purview Compliance Manager) is for compliance scores. Option C (Azure AD Identity Protection) identifies risks but does not enforce access policies directly.

10 · Matching · medium

Match each encryption type to its use case in Azure.


Concepts
Matches

At-rest encryption for blobs and files

BitLocker-based encryption for VMs

Real-time encryption for SQL databases

Centralized key management service

Encryption in use via TEEs

Why these pairings

These encryption mechanisms protect data at different states.

11 · MCQ · easy

A SOC analyst needs to investigate a potential privilege escalation using Azure AD roles. Which Microsoft 365 Defender data source would be most useful to review?

A. Microsoft 365 Defender identity logs
B. Azure Active Directory audit logs
C. Microsoft Defender for Cloud Apps logs
D. Microsoft 365 audit logs

Answer: B

Azure AD audit logs track role assignments and privilege changes.

Why this answer

Azure AD audit logs (now part of the Azure Monitor / Microsoft Entra audit logs) are the authoritative source for tracking changes to Azure AD roles, including role assignments, activations of Privileged Identity Management (PIM) roles, and modifications to directory roles. Since the question specifically involves privilege escalation using Azure AD roles, these logs contain the necessary details such as who assigned a role, when, and from which IP address, making them the most directly relevant data source.

Exam trap

Microsoft often tests the distinction between Azure AD audit logs (which track directory configuration changes like role assignments) and Microsoft 365 audit logs (which track user activity across workloads), leading candidates to mistakenly choose the broader Microsoft 365 audit logs when the question specifically targets Azure AD role changes.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 Defender identity logs (derived from Microsoft Defender for Identity) focus on on-premises Active Directory security events and lateral movement detection, not Azure AD role assignments or changes. Option C is wrong because Microsoft Defender for Cloud Apps logs primarily track user activities within cloud applications (e.g., file downloads, app permissions) and do not natively capture Azure AD role assignment events. Option D is wrong because Microsoft 365 audit logs cover a broad range of user and admin activities across Exchange, SharePoint, and Teams, but they do not include the granular Azure AD role assignment and activation events that are specifically recorded in Azure AD audit logs.

12 · Multi-Select · hard

A company is implementing a Zero Trust security model using Microsoft 365 Defender. Which THREE of the following are key principles they should follow?

Select 3 answers
A. Trust all traffic originating from within the corporate network.
B. Use least privilege access by limiting user permissions with Just-In-Time and Just-Enough-Access.
C. Provide implicit trust to known users and devices.
D. Assume breach and segment access to minimize blast radius.
E. Verify explicitly based on all available data points (user, device, location, etc.).

Answers: B, D, E

Minimizes the blast radius of a breach.

Why this answer

Option B is correct because Zero Trust mandates least privilege access, and Microsoft 365 Defender integrates with Azure AD Privileged Identity Management (PIM) to enforce Just-In-Time (JIT) and Just-Enough-Access (JEA) policies. This ensures users receive only the permissions necessary for a specific task, for a limited duration, reducing the risk of lateral movement and privilege escalation.

Exam trap

The trap here is that candidates often confuse Zero Trust with traditional perimeter-based security, mistakenly believing that internal network origin or known user status should be trusted implicitly, when in fact Zero Trust requires explicit verification for every access request regardless of source.

13 · Multi-Select · easy

A company wants to improve their security posture by using Microsoft Defender for Cloud. Which TWO of the following are features of Defender for Cloud that help with governance and compliance?

Select 2 answers
A. Azure Blueprints
B. Azure Policy
C. Microsoft Sentinel
D. Regulatory compliance dashboard
E. Secure Score

Answers: D, E

Tracks compliance with standards like SOC 2, ISO 27001.

Why this answer

The Regulatory compliance dashboard in Defender for Cloud provides continuous monitoring of your Azure and hybrid workloads against industry standards like SOC 2, ISO 27001, PCI DSS, and Azure CIS. It dynamically tracks compliance posture over time, highlights non-compliant resources, and maps controls to specific assessments, directly supporting governance and compliance workflows.

Exam trap

The trap here is that candidates confuse Azure Policy or Azure Blueprints as features of Defender for Cloud, when they are separate Azure services that Defender for Cloud can integrate with but are not part of its feature set.

14 · Multi-Select · hard

Which THREE of the following are key components of a security operations strategy according to Microsoft's best practices?

Select 3 answers
A. Detection and analysis
B. Preparation including playbooks and training
C. Microsoft Sentinel deployment
D. Post-incident activity (containment, eradication, recovery)
E. Policy and standards development

Answers: A, B, D

Detection and analysis is the core of security operations, identifying and investigating threats.

Why this answer

Detection and analysis is a core component of a security operations strategy because it defines how security events are identified, triaged, and investigated. Microsoft's NIST-based SOC maturity model emphasizes continuous monitoring and analytics (e.g., using Microsoft Sentinel analytics rules, UEBA, and threat intelligence) to reduce mean time to detect (MTTD). Without robust detection and analysis, an organization cannot effectively respond to threats.

Exam trap

The trap here is confusing a specific Microsoft product (Sentinel) with a strategic component of the security operations lifecycle, leading candidates to select a tool name instead of the process phase it supports.

15 · Multi-Select · medium

A company uses Microsoft Defender for Cloud to assess compliance with Azure Security Benchmark (ASB). The security team wants to ensure that all recommendations are being followed. Which three actions should the team take to manage and remediate recommendations effectively?

Select 3 answers
A. Enable continuous export of compliance data to Log Analytics or Event Hubs.
B. Manually remediate all high-severity recommendations each month.
C. Create exemption rules for resources that are compliant by other means.
D. Enable automatic provisioning of the Log Analytics agent for all supported VMs.
E. Disable recommendations that are not applicable to the environment.

Answers: A, C, D

Continuous export allows for long-term retention and analysis of compliance data.

Why this answer

Option A is correct because enabling continuous export of compliance data to Log Analytics or Event Hubs allows the security team to centralize, query, and monitor compliance data over time. This is essential for tracking the status of all Azure Security Benchmark recommendations, creating custom alerts, and integrating with SIEM or automation workflows, rather than relying on manual checks.

Exam trap

The trap here is that candidates may think manual monthly remediation (Option B) is sufficient for compliance, but the SC-100 exam emphasizes continuous, automated monitoring and remediation as a core principle of a secure operations strategy.

16 · MCQ · medium

An organization is planning to use Microsoft Defender for Cloud's regulatory compliance dashboard to track adherence to PCI DSS. The security team wants to ensure that all Azure resources are covered by the compliance assessment. What is the first step?

A. Enable Microsoft Defender for Cloud on all subscriptions and ensure resources are covered.
B. Configure the compliance dashboard to show PCI DSS controls.
C. Create a custom regulatory compliance standard for PCI DSS.
D. Enable the built-in PCI DSS policy initiative in Azure Policy.

Answer: A

Resources must be onboarded to Defender for Cloud to be assessed against the regulatory compliance standard.

Why this answer

Option A is correct because, to assess compliance, the resources must first be onboarded to Defender for Cloud (enabling enhanced security features). Option D is incorrect because the built-in initiative does not apply automatically without enabling Defender for Cloud coverage. Option C is incorrect because, while you can assign a custom initiative, the first step is still to ensure resources are covered.

Option B is incorrect because the compliance dashboard shows results only after assessment.

17 · MCQ · hard

You are the security architect for a large financial services company. The company has a hybrid environment with on-premises Active Directory, Azure AD, and multiple Azure subscriptions. They use Microsoft Sentinel as their SIEM and have deployed Microsoft Defender for Cloud to assess their cloud security posture. Recently, the security team discovered that a critical Azure SQL database was exposed to the internet with a firewall rule allowing 'AllowAllWindowsAzureIps'. This misconfiguration was not flagged by Defender for Cloud because the corresponding recommendation was disabled in the security policy. The company wants to prevent such misconfigurations in the future and ensure that all critical resources are covered by security recommendations. They also need to ensure that any changes to security policies are reviewed and approved. Which of the following actions should you recommend as the most comprehensive solution?

A. Review and enable all relevant security recommendations in Defender for Cloud, and implement a change management process using Azure Policy and a custom workflow that requires approval before modifying security policies.
B. Deploy Azure Monitor alerts on all SQL Server firewall rule changes and instruct the security team to manually review each change.
C. Assign the Contributor role to the security team on the subscription so they can directly modify firewall rules if needed.
D. Enable the specific recommendation for SQL Server firewall rules in Defender for Cloud and set up an automation rule to send alerts when the recommendation is triggered.

Answer: A

Comprehensive approach: ensures all recommendations are active and changes are controlled.

Why this answer

Option A is correct because it addresses the root cause—disabled security recommendations—by enabling all relevant recommendations in Defender for Cloud, and it enforces a change management process using Azure Policy with a custom approval workflow. This ensures that any modifications to security policies are reviewed and approved, preventing future misconfigurations like the 'AllowAllWindowsAzureIps' rule from going unnoticed. The combination of policy enforcement and approval workflow provides a comprehensive, automated governance layer that covers both detection and prevention.

Exam trap

The trap here is that candidates often focus on a single technical fix (like enabling a recommendation or setting an alert) rather than recognizing the need for a comprehensive governance solution that combines policy enforcement with a change management approval process to prevent and detect misconfigurations across all critical resources.

How to eliminate wrong answers

Option B is wrong because Azure Monitor alerts on firewall rule changes only provide reactive notifications; they do not prevent misconfigurations or ensure that security policies are reviewed and approved, leaving the manual review process prone to human error and delays. Option C is wrong because assigning the Contributor role to the security team grants them broad permissions to modify firewall rules directly, which increases the risk of unauthorized or accidental changes without any approval gate, contradicting the requirement for reviewed and approved changes. Option D is wrong because enabling only the specific recommendation for SQL Server firewall rules and setting up automation alerts is a narrow, reactive fix that does not address the broader need to ensure all critical resources are covered by security recommendations, nor does it implement a change management process for policy modifications.

18 · MCQ · hard

A company is planning their cloud governance strategy. They have multiple business units with varying compliance requirements. They need to enforce policies consistently across subscriptions while allowing some flexibility. Which Azure governance structure should they recommend?

A. Assign RBAC roles to each subscription owner.
B. Use a management group hierarchy with Azure Policy assignments and exemptions.
C. Create separate Azure AD tenants for each business unit.
D. Use Azure Blueprints with locked permissions.

Answer: B

Management groups allow inheritance; exemptions provide flexibility.

Why this answer

B is correct because a management group hierarchy allows the company to organize subscriptions by business unit or compliance requirement, then apply Azure Policy assignments at the management group level to enforce consistent policies across all subscriptions. Exemptions can be granted at lower scopes (e.g., specific subscriptions or resource groups) to provide the required flexibility while maintaining overall governance. This structure centralizes policy enforcement without requiring separate tenants or manual RBAC assignments.

Exam trap

The trap here is that candidates often confuse RBAC (access control) with Azure Policy (compliance enforcement), or assume that separate tenants or Blueprints are needed for isolation, when in fact management groups with policy exemptions provide the exact balance of consistency and flexibility required.

How to eliminate wrong answers

Option A is wrong because assigning RBAC roles to each subscription owner delegates access control but does not enforce consistent policies across subscriptions; RBAC controls who can manage resources, not what configurations or compliance rules must be applied. Option C is wrong because creating separate Azure AD tenants for each business unit isolates identities and policies completely, preventing centralized governance and increasing administrative overhead; it also breaks cross-tenant resource access and reporting. Option D is wrong because Azure Blueprints with locked permissions can define a repeatable environment, but locked permissions prevent any flexibility for business units to deviate when needed, and Blueprints are deprecated in favor of deployment stacks; they do not support the exemption-based flexibility required.

19
MCQhard

A global organization uses Microsoft Sentinel for SIEM and Microsoft Defender for Cloud for cloud security posture management. The security team notices that critical alerts from Azure Active Directory Identity Protection are not triggering automated response playbooks in Sentinel. The team needs to ensure that all high-severity Identity Protection risk detections automatically create incidents in Sentinel and trigger a playbook to block the user. What should the team configure?

A.Enable the Identity Protection data connector and create a Microsoft Security incident creation rule for Identity Protection.
B.Enable the Azure Active Directory Identity Protection data connector in Sentinel.
C.Configure diagnostic settings on Azure AD to stream logs to Sentinel and create a playbook automation rule.
D.Configure the Identity Protection connector with the 'Create incidents' toggle enabled.
AnswerA

This ensures alerts are ingested and incidents are created automatically.

Why this answer

Option A is correct because two things are needed for Identity Protection risk detections to become incidents that trigger a playbook in Microsoft Sentinel: the Identity Protection data connector, which streams the risk detections into the SecurityAlert table, and a Microsoft Security incident creation rule scoped to that product, which turns those alerts into incidents (optionally filtered to high severity or to specific detection names). An automation rule that triggers on incident creation can then run a playbook, for example one that blocks or disables the user. Without the incident creation rule the alerts land in SecurityAlert but are never turned into incidents, so no incident-triggered automation rule can fire.

Exam trap

The trap here is that candidates confuse simply enabling a data connector (which only ingests data) with the separate requirement of creating an incident creation rule to transform those alerts into actionable incidents, leading them to pick Option B or D.

How to eliminate wrong answers

Option B is wrong because enabling the Azure AD Identity Protection data connector on its own only ingests the risk detections into Sentinel as alerts; it does not create incidents or trigger playbooks. Option C is wrong because diagnostic settings on Azure AD stream sign-in and audit logs (and, if selected, the risky-user and risk-event log categories) into Log Analytics tables; those rows are log data, not SecurityAlert entries, so a Microsoft Security incident creation rule cannot act on them, and the dedicated connector is what surfaces the detections as alerts. Option D is wrong because the Identity Protection connector does not have a 'Create incidents' toggle; incident creation is handled by a separate Microsoft Security incident creation rule, not by a toggle on the connector itself.
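The incident creation rule from the correct answer, as an added example that is not part of the original page, created through the Microsoft Sentinel REST API with Invoke-AzRestMethod (the Az module cmdlet) so the request body is visible. Assumptions: Connect-AzAccount has been run with Microsoft Sentinel Contributor on the workspace, the Identity Protection connector is already enabled, and the subscription, resource group and workspace names are placeholders.

```powershell
# Added example (not from the original page). Create a "Microsoft security"
# incident creation rule for Identity Protection alerts, high severity only.
$subId = '00000000-0000-0000-0000-000000000000'   # placeholder
$rg    = 'rg-sentinel'                            # placeholder
$ws    = 'law-sentinel'                           # placeholder
$api   = '2023-02-01'
$base  = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$ws/providers/Microsoft.SecurityInsights"

$ruleId = [guid]::NewGuid().Guid
$rule = @{
    kind       = 'MicrosoftSecurityIncidentCreation'
    properties = @{
        displayName      = 'Create incidents from Identity Protection high-severity risk detections'
        enabled          = $true
        # Product value the API uses for the Identity Protection connector.
        productFilter    = 'Azure Active Directory Identity Protection'
        # Only high severity, as the question requires; remove to take every severity.
        severitiesFilter = @('High')
        # Optional: restrict to named detections, e.g. displayNamesFilter = @('Anonymous IP address')
    }
}

$resp = Invoke-AzRestMethod -Method PUT `
    -Path "$base/alertRules/${ruleId}?api-version=$api" `
    -Payload ($rule | ConvertTo-Json -Depth 5)
if ($resp.StatusCode -notin 200, 201) {
    throw "Rule creation failed: $($resp.StatusCode) $($resp.Content)"
}

# Check: list the workspace's Microsoft security rules and confirm the filter.
(Invoke-AzRestMethod -Method GET -Path "$base/alertRules?api-version=$api").Content |
    ConvertFrom-Json | Select-Object -ExpandProperty value |
    Where-Object kind -eq 'MicrosoftSecurityIncidentCreation' |
    Select-Object name,
        @{ n = 'product';    e = { $_.properties.productFilter } },
        @{ n = 'severities'; e = { $_.properties.severitiesFilter -join ',' } },
        @{ n = 'enabled';    e = { $_.properties.enabled } }
```

Before blaming the rule, confirm alerts are actually arriving: a KQL query such as SecurityAlert | where ProductName == "Azure Active Directory Identity Protection" | take 10 should return rows. If it returns nothing, the connector side is the problem, and no incident creation rule will help.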

20
MCQhard

You are the security architect for a multinational corporation that uses Microsoft 365 E5 licenses. The company has deployed Microsoft Sentinel in a central Azure subscription, and all subsidiaries stream their logs to this workspace. The SOC team uses Microsoft 365 Defender to investigate incidents. Recently, the company experienced a sophisticated phishing campaign that bypassed Exchange Online Protection (EOP) and resulted in credential theft for several users. The SOC team manually created incidents in Sentinel for each compromised user. However, they want to automate the creation of Sentinel incidents from Microsoft 365 Defender alerts. Additionally, they want to ensure that when a user is confirmed compromised, a playbook automatically disables the user's account in Azure AD and resets their password. The SOC team has already deployed the Microsoft 365 Defender data connector in Sentinel and enabled streaming of alerts. However, no incidents are being created automatically from Defender alerts. You need to recommend a solution to automate incident creation and response. What should you do?

A.Configure the Microsoft 365 Defender connector to send alerts to a Logic App that creates incidents.
B.Create a Microsoft Security incident creation rule for Microsoft 365 Defender, and create an automation rule that triggers a playbook to disable the user and reset password.
C.Enable the Microsoft 365 Defender connector by selecting the 'Create incidents' checkbox.
D.Create an analytics rule that queries Microsoft 365 Defender alerts and creates incidents.
AnswerB

This automates incident creation from Defender alerts and triggers the playbook for response.

Why this answer

Option B is correct because it uses a Microsoft Security incident creation rule, which is the proper method to automatically generate Sentinel incidents from Microsoft 365 Defender alerts. The automation rule then triggers a playbook to disable the user in Azure AD and reset their password, fulfilling the automated response requirement. This approach aligns with Sentinel's native integration for Microsoft 365 Defender, where alerts are ingested via the data connector but incidents require a dedicated rule to be created.

Exam trap

The trap here is that candidates often confuse the 'Create incidents' checkbox on the data connector with the actual incident creation rule, assuming that enabling the checkbox alone will generate incidents, when in fact it only ingests alerts and requires a separate Microsoft Security incident creation rule to transform those alerts into incidents.

How to eliminate wrong answers

Option A is wrong because configuring the Microsoft 365 Defender connector to send alerts directly to a Logic App bypasses Sentinel's incident management pipeline, requiring custom development and not leveraging Sentinel's built-in incident creation and automation capabilities. Option C is wrong because the 'Create incidents' checkbox in the Microsoft 365 Defender connector enables the ingestion of alerts into Sentinel's raw data tables (e.g., SecurityAlert), but does not automatically create Sentinel incidents; incidents require a separate incident creation rule. Option D is wrong because an analytics rule that queries Microsoft 365 Defender alerts would create incidents based on scheduled queries, which is inefficient and duplicates effort, whereas the Microsoft Security incident creation rule is specifically designed to create incidents directly from security alerts streamed via the connector.

21
MCQeasy

A company is designing a security operations strategy using Microsoft Sentinel. They want to prioritize triage of incidents that involve critical assets. The SOC manager suggests using the entity behavior analytics feature. Which capability of entity behavior analytics helps achieve this goal?

A.It combines multiple alerts into a single incident using Fusion.
B.It uses threat intelligence to correlate with known bad actors.
C.It profiles entities and assigns an anomaly score based on deviations from baseline behaviors.
D.It automatically groups incidents by severity and asset criticality.
AnswerC

This is the core of UEBA: creating baselines and scoring anomalies to identify risky entities.

Why this answer

Entity behavior analytics (UEBA) in Microsoft Sentinel profiles entities such as users, hosts, or applications by establishing baseline behaviors over time. It then assigns an anomaly score to deviations from that baseline, enabling SOC analysts to prioritize incidents involving critical assets based on unusual activity rather than static rules. This directly supports the goal of triaging incidents by highlighting anomalous behavior on high-value targets.

Exam trap

The trap here is that candidates confuse entity behavior analytics (UEBA) with Fusion or threat intelligence correlation, assuming any 'intelligent' feature must involve combining alerts or external threat data, rather than recognizing that UEBA is specifically about profiling internal entity behavior and scoring anomalies.

How to eliminate wrong answers

Option A is wrong because Fusion is a correlation engine that combines multiple alerts from different products into a single incident using machine learning, not entity behavior profiling or anomaly scoring. Option B is wrong because threat intelligence correlation with known bad actors is a separate capability (e.g., TI integration), not entity behavior analytics, which focuses on internal behavioral baselines rather than external threat feeds. Option D is wrong because automatic grouping by severity and asset criticality is a feature of incident classification or automation rules, not a function of entity behavior analytics, which provides per-entity anomaly scores rather than grouping incidents.
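The triage use the question describes, as an added example that is not part of the original page: pull the UEBA anomaly scores (the BehaviorAnalytics table) for the last day, keep only accounts that the UEBA IdentityInfo table marks as privileged, and sort by investigation priority. Assumptions: UEBA is enabled on the workspace, Az.OperationalInsights is installed, the workspace names are placeholders, and the "critical asset" criteria (privileged directory roles or a Tier0 tag on the account) are an assumption standing in for the company's own asset inventory.

```powershell
# Added example (not from the original page). Run a KQL query against the UEBA
# tables and surface high-priority anomalies on privileged accounts first.
$rg = 'rg-sentinel'      # placeholder
$ws = 'law-sentinel'     # placeholder
$workspaceId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $rg -Name $ws).CustomerId

$kql = @'
let lookback = 1d;
// Latest UEBA enrichment per account. "Critical" here is an assumption:
// privileged Azure AD roles or a Tier0 tag; substitute the real asset list.
let critical = IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles has_any ("Global Administrator", "Privileged Role Administrator", "Security Administrator")
       or Tags has "Tier0"
  | project AccountUPN = tolower(AccountUPN), AssignedRoles, Tags;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| where InvestigationPriority >= 5                 // UEBA anomaly score, 0-10
| extend AccountUPN = tolower(UserPrincipalName)
| join kind=inner critical on AccountUPN
| project TimeGenerated, AccountUPN, ActivityType, ActionType, SourceIPAddress,
          SourceIPLocation, InvestigationPriority, ActivityInsights, UsersInsights, AssignedRoles
| order by InvestigationPriority desc, TimeGenerated desc
'@

$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $kql -Timespan (New-TimeSpan -Days 1)

# Print a triage list: highest anomaly score on the most sensitive accounts first.
$result.Results |
    Select-Object TimeGenerated, AccountUPN, InvestigationPriority, ActivityType, ActionType, SourceIPAddress |
    Format-Table -AutoSize

# Check: a zero-row result with UEBA enabled usually means IdentityInfo is not
# populated yet (it syncs after enablement) or no priority >= 5 anomalies occurred.
"{0} anomalies on critical accounts in the last day" -f @($result.Results).Count
```

The ActivityInsights and UsersInsights columns explain why an activity scored the way it did (first-time country, unusual ISP, dormant account) and are what an analyst reads before opening the incident; the score itself is what the Sentinel entity pages and incident list surface for prioritisation.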

22
Multi-Selectmedium

A company is designing a security operations center (SOC) using Microsoft Sentinel. Which TWO of the following are best practices for managing incident response in Sentinel?

Select 2 answers
A.Create multiple Sentinel workspaces for each incident type.
B.Use automation rules and playbooks to automate common response actions.
C.Manually classify all incidents to ensure accuracy.
D.Use a single data connector for all log sources.
E.Tag incidents with severity and status for better tracking.
AnswersB, E

Increases efficiency and consistency.

Why this answer

Option B is correct because automation rules and playbooks in Microsoft Sentinel let you automate common incident response actions, such as enriching an incident, notifying a channel, assigning an owner, or running a remediation step. This reduces manual effort, ensures a consistent response, and lowers mean time to respond (MTTR), which is a core best practice for SOC operations. Option E is correct because severity and status (together with owner and tags) are the fields the incident queue is filtered, sorted and reported on; keeping them accurate lets the team see what is open, what is being worked and what has been closed, and gives automation rules reliable properties to act on, such as routing high-severity incidents to a playbook.

Exam trap

The trap here is that candidates often confuse 'automation' with 'manual classification' or 'single workspace design', not realizing that Sentinel's strength lies in centralized correlation and automated response, not fragmentation or manual overhead.

23
Drag & Dropmedium

Order the steps to configure a Conditional Access policy requiring MFA for all users.


Why this order

Conditional Access policy creation involves assignments for users and apps, then access controls like MFA.
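The same order in code, as an added example that is not part of the original page: the policy object is built assignments first (users, then applications), then the grant control (MFA), and is created in report-only state before being enforced. It uses the Microsoft Graph PowerShell SDK cmdlets New-MgIdentityConditionalAccessPolicy, Get-MgIdentityConditionalAccessPolicy and Update-MgIdentityConditionalAccessPolicy. Assumptions: the Microsoft.Graph module is installed, the signed-in account can consent to Policy.ReadWrite.ConditionalAccess, and the emergency-access group ID is a placeholder.

```powershell
# Added example (not from the original page). Require MFA for all users,
# built in the order: assignments (users, apps) then access controls (grant).
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts

$policy = @{
    displayName   = 'CA001: Require MFA for all users'
    # Report-only first: sign-in logs show who would be affected without enforcing.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        # Step 1: user assignment. Exclude break-glass accounts so a broken MFA
        # provider cannot lock every administrator out of the tenant.
        users          = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        # Step 2: application assignment.
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    # Step 3: access control. "OR" with a single control means MFA is required.
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# Check: read the policy back and confirm scope and control before enforcing it.
$p = Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id
[pscustomobject]@{
    Name     = $p.DisplayName
    State    = $p.State
    Users    = $p.Conditions.Users.IncludeUsers -join ','
    Excluded = $p.Conditions.Users.ExcludeGroups -join ','
    Apps     = $p.Conditions.Applications.IncludeApplications -join ','
    Controls = $p.GrantControls.BuiltInControls -join ','
}

# Step 4: enforce, once report-only results show no unexpected impact.
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }
```

The exclusion is the caveat a practitioner wants: an "all users, all apps, MFA" policy with no exclusion applies to the account creating it, so a misconfigured MFA method can lock out the whole tenant. Test with report-only, then enable.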

24
MCQmedium

A company is deploying Microsoft Defender for Cloud to secure their hybrid cloud environment. They need to ensure that regulatory compliance with PCI DSS is continuously monitored and reported. Which solution should they use to automatically assess and report compliance posture?

A.Azure Policy
B.Microsoft Purview Information Protection
C.Regulatory compliance dashboard in Microsoft Defender for Cloud
D.Microsoft Entra ID Governance
AnswerC

The regulatory compliance dashboard in Defender for Cloud continuously monitors compliance with standards like PCI DSS and generates reports.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud is the correct solution because it provides built-in, automated assessment of compliance against regulatory standards like PCI DSS. It continuously monitors your hybrid cloud environment against the PCI DSS controls, generates a compliance score, and produces detailed reports without requiring custom policy definitions. This dashboard integrates with Azure Policy to map controls to assessments, but the dashboard itself is the dedicated tool for viewing and reporting compliance posture.

Exam trap

The trap here is that candidates often confuse Azure Policy (the enforcement engine) with the Regulatory compliance dashboard (the reporting interface), leading them to select Azure Policy as the direct solution for compliance reporting, when in fact the dashboard is the correct tool for continuous monitoring and reporting of regulatory posture.

How to eliminate wrong answers

Option A is wrong because Azure Policy is a service that enforces and audits compliance rules by creating custom policies and initiatives, but it does not provide a pre-built, continuously updated regulatory compliance dashboard or reporting specifically for PCI DSS; it is the underlying mechanism that the Regulatory compliance dashboard uses, not the reporting solution itself. Option B is wrong because Microsoft Purview Information Protection focuses on classifying, labeling, and protecting sensitive data (e.g., credit card numbers) through encryption and access controls, not on assessing or reporting overall compliance posture against a framework like PCI DSS. Option D is wrong because Microsoft Entra ID Governance deals with identity lifecycle, access reviews, and entitlement management for users and groups, not with continuous monitoring or reporting of cloud infrastructure compliance against regulatory standards.
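Reading the Regulatory compliance dashboard programmatically, as an added example that is not part of the original page: the Az.Security cmdlets Get-AzRegulatoryComplianceStandard, Get-AzRegulatoryComplianceControl and Get-AzRegulatoryComplianceAssessment return the same standard, control and assessment tree the dashboard shows, which is enough to produce a scheduled report of failed PCI DSS controls. Assumptions: Az.Security is installed, Connect-AzAccount has selected the subscription, the PCI DSS standard has been added to the dashboard (the exact standard name is looked up rather than hard-coded), and the output property names follow the Az.Security cmdlet documentation.

```powershell
# Added example (not from the original page). Report failed PCI DSS controls
# from the Defender for Cloud Regulatory compliance dashboard.
$standards = Get-AzRegulatoryComplianceStandard
$pci = $standards | Where-Object Name -like 'PCI*' | Select-Object -First 1
if (-not $pci) {
    throw "PCI DSS is not enabled in the dashboard. Enabled standards: $($standards.Name -join ', ')"
}

"{0}: {1} passed, {2} failed, {3} skipped controls" -f `
    $pci.Name, $pci.PassedControls, $pci.FailedControls, $pci.SkippedControls

# Walk only the non-passing controls and list the assessments that fail under them.
$report = foreach ($control in Get-AzRegulatoryComplianceControl -StandardName $pci.Name) {
    if ($control.State -eq 'Passed') { continue }
    $assessments = Get-AzRegulatoryComplianceAssessment -StandardName $pci.Name -ControlName $control.Name
    foreach ($a in $assessments) {
        if ($a.State -ne 'Failed') { continue }
        [pscustomobject]@{
            Control         = $control.Name
            ControlText     = $control.Description
            Assessment      = $a.Description
            FailedResources = $a.FailedResources
        }
    }
}

$report | Sort-Object Control | Format-Table -AutoSize

# Keep a dated copy for the evidence trail (the dashboard itself is a live view).
$report | Export-Csv -Path ".\pci-dss-failed-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The dashboard covers the technical controls it has assessments for; controls marked skipped or unsupported still need evidence from outside Defender for Cloud, which is the gap an auditor will ask about.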

25
MCQhard

A company is evaluating their incident response (IR) process. They use Microsoft Sentinel as their SIEM. During a security incident, the IR team struggles to quickly find related alerts and entities. Which improvement should they implement to enhance investigation efficiency?

A.Create more analytics rules to cover additional scenarios.
B.Configure automation rules to automatically classify incidents.
C.Increase data retention for all log tables.
D.Leverage the investigation graph to explore entity relationships.
AnswerD

Provides visual mapping of connections between alerts, entities, and incidents.

Why this answer

The investigation graph in Microsoft Sentinel provides a visual, interactive map of entity relationships (e.g., users, hosts, IP addresses, alerts) connected to an incident. This directly addresses the IR team's struggle to quickly find related alerts and entities by allowing them to explore and pivot across linked data points, drastically reducing manual correlation time.

Exam trap

The trap here is that candidates often confuse 'automation' (Option B) with 'investigation efficiency,' but automation rules handle classification and assignment, not the visual exploration of entity relationships that the investigation graph provides.

How to eliminate wrong answers

Option A is wrong because creating more analytics rules increases the volume of alerts and incidents, which would exacerbate the problem of finding related alerts and entities rather than improving investigation efficiency. Option B is wrong because configuring automation rules to automatically classify incidents helps with triage and prioritization, but does not assist investigators in exploring relationships between alerts and entities during an active investigation. Option C is wrong because increasing data retention for all log tables extends the storage period but does not provide any mechanism to correlate or visualize relationships between alerts and entities; it simply keeps more raw data without improving discoverability.

26
MCQmedium

A SOC team uses Microsoft Sentinel for incident management. They need to ensure that when a high-severity incident is created, a Teams message is sent to the security team and an email is sent to the IT manager. What is the most efficient way to achieve this?

A.Configure the analytics rule to send notifications when an incident is created.
B.Create an automation rule in Sentinel that triggers a playbook to send the notifications.
C.Use a workbook to display incidents and have a manual process to send notifications.
D.Enable incident creation in the data connector settings.
AnswerB

Automation rules are designed to respond to incidents with playbooks.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can trigger a playbook (an Azure Logic Apps workflow) when an incident is created, allowing you to send a Teams message and an email simultaneously. This is the most efficient, automated approach without manual intervention or modifying the analytics rule itself.

Exam trap

The trap here is that candidates often confuse analytics rule configuration (which can only generate incidents or alerts) with automation rules (which handle post-creation actions like playbooks), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because analytics rules in Sentinel do not have native capabilities to send Teams messages or emails directly; they only generate incidents or alerts. Option C is wrong because workbooks are for visualization and reporting, not for automated notification workflows, and relying on a manual process defeats efficiency. Option D is wrong because data connector settings only control ingestion of logs and incident creation from external sources, not post-incident notification actions.
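The automation rule from the correct answer, as an added example that is not part of the original page, created through the Microsoft Sentinel REST API with Invoke-AzRestMethod so the trigger, condition and action are explicit. The same rule shape serves the Identity Protection block-user playbook in question 19 and the malware response in question 30; only the condition and the playbook change. Assumptions: Connect-AzAccount has been run with Microsoft Sentinel Contributor on the workspace, a Logic App playbook using the Microsoft Sentinel incident trigger already exists, and the subscription, resource group, workspace and playbook names are placeholders.

```powershell
# Added example (not from the original page). Run a playbook whenever a
# high-severity incident is created.
$subId    = '00000000-0000-0000-0000-000000000000'   # placeholder
$rg       = 'rg-sentinel'                            # placeholder
$ws       = 'law-sentinel'                           # placeholder
$playbook = 'Notify-SecurityTeam'                    # placeholder: Logic App with the Sentinel incident trigger
$api      = '2023-02-01'
$base     = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.OperationalInsights/workspaces/$ws/providers/Microsoft.SecurityInsights"
$tenantId = (Get-AzContext).Tenant.Id

$ruleId = [guid]::NewGuid().Guid
$rule = @{
    properties = @{
        displayName     = 'High severity: Teams message to SOC and email to IT manager'
        order           = 1                      # lower runs first when several rules match
        triggeringLogic = @{
            isEnabled    = $true
            triggersOn   = 'Incidents'
            triggersWhen = 'Created'
            conditions   = @(
                @{
                    conditionType       = 'Property'
                    conditionProperties = @{
                        propertyName   = 'IncidentSeverity'
                        operator       = 'Equals'
                        propertyValues = @('High')
                    }
                }
                # Add e.g. IncidentProviderName / 'Azure Active Directory Identity
                # Protection' to scope the rule to one connector (question 19).
            )
        }
        actions = @(
            @{
                order               = 1
                actionType          = 'RunPlaybook'
                actionConfiguration = @{
                    logicAppResourceId = "/subscriptions/$subId/resourceGroups/$rg/providers/Microsoft.Logic/workflows/$playbook"
                    tenantId           = $tenantId
                }
            }
        )
    }
}

$resp = Invoke-AzRestMethod -Method PUT `
    -Path "$base/automationRules/${ruleId}?api-version=$api" `
    -Payload ($rule | ConvertTo-Json -Depth 10)
if ($resp.StatusCode -notin 200, 201) {
    throw "Automation rule creation failed: $($resp.StatusCode) $($resp.Content)"
}

# Check: list automation rules with their trigger and first action.
(Invoke-AzRestMethod -Method GET -Path "$base/automationRules?api-version=$api").Content |
    ConvertFrom-Json | Select-Object -ExpandProperty value |
    Select-Object name,
        @{ n = 'displayName'; e = { $_.properties.displayName } },
        @{ n = 'on';          e = { "$($_.properties.triggeringLogic.triggersOn)/$($_.properties.triggeringLogic.triggersWhen)" } },
        @{ n = 'action';      e = { $_.properties.actions[0].actionType } }
```

Two things commonly stop this from firing: the playbook must start with the Microsoft Sentinel incident trigger (not the alert trigger), and Sentinel's service identity needs the Microsoft Sentinel Automation Contributor role on the resource group that holds the playbook, otherwise the rule is saved but the run fails with a permissions error visible in the playbook's run history.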

27
Matchingmedium

Match each Microsoft 365 Defender workload to its protection domain.


Endpoint protection

Email and collaboration protection

On-premises identity protection

SaaS application protection

Unified XDR

Why these pairings

Each workload focuses on a specific attack surface: Microsoft Defender for Endpoint covers endpoint protection, Microsoft Defender for Office 365 covers email and collaboration protection, Microsoft Defender for Identity covers on-premises identity protection (Active Directory), Microsoft Defender for Cloud Apps covers SaaS application protection, and Microsoft 365 Defender itself is the unified XDR layer that correlates the signals from all four into a single incident.

28
Drag & Dropmedium

Order the steps to troubleshoot an Azure VPN gateway connection failure.


Why this order

Troubleshooting starts with Azure side, then on-premises, and may require reset.

29
MCQhard

A company has a hybrid identity infrastructure with on-premises Active Directory synchronized to Azure AD using Azure AD Connect. The security team wants to use Microsoft Defender for Identity (MDI) to detect on-premises attacks. They have installed the MDI sensor on all domain controllers. However, they notice that some alerts are missing. What is the most likely cause?

A.MDI is not integrated with Microsoft Sentinel.
B.Azure AD Connect is not syncing frequently enough.
C.The sensor is not licensed for all detection types.
D.The necessary Windows event logs are not being forwarded to the MDI sensor.
AnswerD

MDI relies on specific event logs; without them, many detections are not possible.

Why this answer

The Microsoft Defender for Identity sensor on a domain controller parses network traffic directly, but a large part of its detection logic also depends on Windows security events from the domain controller's Security log, for example 4776 (NTLM credential validation), 4662 (directory object access, which additionally needs SACLs on the directory objects), 8004 (NTLM authentication auditing) and the group and account management events such as 4728, 4732 and 4756. Those events only exist if the corresponding advanced audit policies are enabled on the domain controllers; if they are not (or the Security log is too small and wraps before the sensor reads it), the sensor has nothing to analyse for those detections and the alerts silently never appear. Installing the sensor is necessary but not sufficient: the audit prerequisites must also be in place.

Exam trap

The trap here is that candidates often assume missing alerts are due to licensing or integration gaps, but the root cause is typically a missing prerequisite—specifically, the Windows event logs that MDI relies on for attack detection.

How to eliminate wrong answers

Option A is wrong because MDI does not require integration with Microsoft Sentinel to generate alerts; Sentinel is a SIEM that can consume MDI alerts but is not a prerequisite for detection. Option B is wrong because Azure AD Connect sync frequency affects identity synchronization to the cloud, not the real-time traffic and event analysis that the MDI sensor performs on domain controllers. Option C is wrong because MDI is licensed per user (Microsoft 365 E5, EMS E5, or the standalone plan), not per sensor, and a licensed tenant gets the full detection set; there is no tiered licensing that restricts specific detection types.
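The prerequisite check the answer points at, as an added example that is not part of the original page: on a domain controller, compare the enabled advanced audit subcategories against the ones Defender for Identity lists as required, enable any that are missing, and confirm the events are actually being written. Assumptions: run elevated on a domain controller (the lasting fix is the same settings in the Default Domain Controllers Policy GPO so they do not drift), the subcategory list follows the MDI event-collection prerequisites, and the DefenderForIdentity PowerShell module cmdlet at the end is Microsoft's own readiness check and is optional.

```powershell
# Added example (not from the original page). Verify and fix the advanced audit
# subcategories MDI detections depend on, then confirm the events are flowing.
$required = @(
    'Credential Validation',               # 4776  NTLM authentication validated on the DC
    'Kerberos Authentication Service',     # 4768, 4771
    'Kerberos Service Ticket Operations',  # 4769
    'Security Group Management',           # 4728, 4729, 4732, 4733, 4756, 4757
    'User Account Management',             # 4726
    'Computer Account Management',         # 4741, 4743
    'Distribution Group Management',       # 4753, 4763
    'Security System Extension',           # 7045  service installed
    'Directory Service Access'             # 4662  also needs SACLs on the AD objects
)

# auditpol /r prints CSV: Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting.
$current = auditpol /get /category:* /r | ConvertFrom-Csv

$missing = foreach ($sub in $required) {
    $row = $current | Where-Object Subcategory -eq $sub
    if (-not $row -or $row.'Inclusion Setting' -ne 'Success and Failure') { $sub }
}

if ($missing) {
    foreach ($sub in $missing) {
        Write-Warning "Enabling Success and Failure auditing for '$sub'"
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
} else {
    'All required advanced audit subcategories are already enabled.'
}

# NTLM auditing (event 8004) is a separate policy, set through GPO on the DCs:
# "Network security: Restrict NTLM: Audit NTLM authentication in this domain" = Enable all.

# Check: count the key events from the last 24 hours. Zero 4776s on a DC that
# serves NTLM logons means the policy is still not effective, or the Security
# log is too small and has wrapped; the matching MDI detections will stay silent.
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776, 4662, 4728, 4732, 4756, 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# Optional vendor check (DefenderForIdentity module) that validates every MDI
# prerequisite for the domain, audit settings included:
# Install-Module DefenderForIdentity; Test-MDIConfiguration -Mode Domain -Configuration All
```

Check the Security log size as well: the default maximum on many domain controllers is small enough that a busy DC wraps the log in minutes, which produces the same "alerts are missing" symptom with the audit policy correctly configured.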

30
MCQeasy

A company's security team wants to automate response to common incidents like malware detected on endpoints. They have Microsoft 365 Defender and Microsoft Sentinel. Which feature should they use to create automated playbooks?

A.Microsoft Purview's data loss prevention policies
B.Microsoft Sentinel automation rules and playbooks
C.Azure Policy
D.Microsoft Defender for Cloud's workflow automation
AnswerB

Integrates with Logic Apps for automated response to incidents.

Why this answer

Microsoft Sentinel's automation rules and playbooks are the correct choice because they are specifically designed to automate incident response by triggering predefined actions (e.g., running a Logic App) when a detection event, such as malware on an endpoint, is ingested from Microsoft 365 Defender. This integration allows security teams to create custom, automated workflows that respond to common incidents without manual intervention.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud's workflow automation (which can send notifications or trigger a Logic App for Defender for Cloud alerts) with Sentinel's full playbook engine, but Sentinel is the correct choice because it is the centralized SIEM/SOAR platform that ingests alerts from Microsoft 365 Defender and orchestrates complex, multi-step automated responses across the entire security ecosystem.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview's data loss prevention policies focus on classifying and protecting sensitive data (e.g., preventing unauthorized sharing), not on automating incident response to security alerts like malware. Option C is wrong because Azure Policy is used to enforce compliance rules on Azure resources (e.g., ensuring VMs have specific tags), not to orchestrate response actions to security incidents. Option D is wrong because Microsoft Defender for Cloud's workflow automation is limited to triggering actions (e.g., sending email) for security recommendations and alerts within Defender for Cloud, but it lacks the deep integration and flexible Logic Apps-based playbook engine that Sentinel provides for multi-source incident response.
