Sample questions
Microsoft Security Operations Analyst SC-200 practice questions
An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?
- A. Run antivirus scan
  Why wrong: This scans for malware but does not isolate the device from the network.
- B. Isolate device
  Correct: Isolation can be configured with an allowed list of IPs, such as update servers, while blocking all other traffic.
- C. Contain device
  Why wrong: Containment restricts the device's ability to communicate with other devices but does not support a custom list of allowed IPs like full isolation.
- D. Restrict app execution
  Why wrong: This allows only a set of applications to run but does not control network connectivity.

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?
- A. Provision compute → Clone Sentinel notebooks → Connect to workspace → Execute cells
  Correct: This order follows the recommended setup: compute first, then notebooks, then workspace connection, then execution.
- B. Clone Sentinel notebooks → Provision compute → Connect to workspace → Execute cells
  Why wrong: Cloning before provisioning compute may cause issues as the compute environment is needed to run the notebook.
- C. Connect to workspace → Provision compute → Clone Sentinel notebooks → Execute cells
  Why wrong: Connecting to workspace before provisioning compute is not possible because the compute instance is required.
- D. Provision compute → Connect to workspace → Clone Sentinel notebooks → Execute cells
  Why wrong: Connecting to the workspace before cloning the notebooks still works, but the recommended order is to clone the notebooks first and then connect. Option A is the most accurate.

An organization has enabled enhanced security features for a hybrid infrastructure including SQL servers on-premises and in Azure. Which Microsoft Defender for Cloud plan provides threat detection for both SQL Server on-premises and Azure SQL Database?
- A. Defender for Servers
  Why wrong: Defender for Servers protects VMs but not specifically SQL databases.
- B. Defender for SQL
  Correct: Defender for SQL provides threat detection for SQL Server workloads including on-premises and Azure SQL Database.
- C. Defender for Databases
  Why wrong: This is not an official plan name; the correct plan is Defender for SQL.
- D. Defender for Storage
  Why wrong: Defender for Storage protects Azure Storage accounts, not SQL workloads.

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?
- A. Threat Explorer
  Correct: Threat Explorer is designed for email threat investigation and remediation.
- B. Microsoft Secure Score
  Why wrong: Secure Score measures security posture, not individual phishing campaign investigation.
- C. Azure Activity log
  Why wrong: Azure Activity records Azure control-plane operations, not email campaign details.
- D. Microsoft Defender Vulnerability Management software inventory
  Why wrong: Software inventory is endpoint-focused, not email investigation.

A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?
- A. Security policies
  Why wrong: Security policies set overall compliance standards but do not enforce configurations inside VMs themselves.
- B. Azure Policy Guest Configuration
  Correct: Guest Configuration can audit and deploy configurations inside VMs, automating baseline enforcement.
- C. Just-In-Time VM access
  Why wrong: Just-In-Time VM access controls network access to VMs, not internal configuration.
- D. Adaptive application controls
  Why wrong: Adaptive application controls recommend allowed applications to run on VMs, not general security baselines.

A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?
- A. Azure Policy's DeployIfNotExists effect
  Correct: DeployIfNotExists automatically deploys required configurations when a resource is non-compliant, enabling auto-remediation.
- B. Just-In-Time VM access
  Why wrong: JIT controls network access to VMs, not deployment of missing resource settings.
- C. Adaptive network hardening
  Why wrong: Adaptive network hardening provides recommendations for tightening NSG rules, not automatic deployment of baseline configurations.
- D. File integrity monitoring
  Why wrong: File integrity monitoring tracks changes to files on VMs, not resource compliance.

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.
- A. Create a query using KQL to count failed sign-ins. → Set the rule schedule (run every 5 minutes). → Set the alert threshold (e.g., >5 failed sign-ins from same IP in 5 minutes). → Define incident properties (title, severity, tactics). → Configure grouping settings to group alerts into incidents.
  Correct: This order follows the required configuration sequence and verifies the result last.
- B. Verify results before configuring the source or rule settings.
  Why wrong: Verification can only happen after the required configuration has been completed.
- C. Configure alert grouping before defining the detection query or source.
  Why wrong: The detection logic/source must be defined before grouping or response settings.
- D. Skip validation and enable the rule or plan immediately.
  Why wrong: Skipping validation increases the risk of false positives or incomplete configuration.

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?
- A. File entity page
  Correct: The file entity page displays detection status and actions taken on the file across devices.
- B. Device entity page
  Why wrong: The device entity page focuses on device state and incidents, not specific file actions.
- C. User entity page
  Why wrong: The user entity page shows user-related incidents and activities, not file-level actions.
- D. Email entity page
  Why wrong: The email entity page is for email messages, not files.

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)
- A. Configure event grouping or incident grouping by user entity.
  Correct: Grouping related alerts/incidents reduces duplicate investigation objects.
- B. Configure suppression to stop creating new alerts for a defined period after a match.
  Correct: Suppression reduces repeated alerts from the same condition.
- C. Disable the data connector.
  Why wrong: Disabling the connector prevents useful telemetry from being ingested.
- D. Delete the Log Analytics workspace.
  Why wrong: That would remove the Sentinel environment and data.

A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?
- A. Regulatory compliance dashboard
  Correct: This dashboard allows you to track compliance against built-in standards like CIS, and you can assign the CIS initiative to your subscriptions.
- B. Secure score
  Why wrong: Secure score measures your security posture based on recommendations, but it is not a compliance benchmark like CIS.
- C. Azure Policy
  Why wrong: Azure Policy is used to create and assign policies, but the regulatory compliance dashboard is the feature that presents the compliance status in Defender for Cloud.
- D. Workload protections
  Why wrong: Workload protections provide threat detection alerts, not compliance assessment.

A hybrid environment contains Azure VMs and on-premises servers connected through Azure Arc. Which two outcomes can Defender for Cloud provide for these servers? (Choose 2.)
- A. Security recommendations for misconfigurations and missing updates.
  Correct: Defender for Cloud can assess server posture and recommend remediation.
- B. Threat detection alerts for protected server workloads.
  Correct: Defender plans can generate alerts for suspicious activity on servers.
- C. Automatic replacement of all unsupported operating systems.
  Why wrong: Defender for Cloud recommends actions but does not automatically replace operating systems.
- D. Guaranteed compliance certification for every regulatory standard.
  Why wrong: It helps assess compliance but does not guarantee certification.

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?
- A. Azure Policy for Kubernetes add-on installation to enforce pod security policies.
  Why wrong: The Azure Policy for Kubernetes add-on can be enabled independently. The plan adds threat detection, not just policy enforcement.
- B. Kubernetes audit logs are automatically streamed to the Log Analytics workspace.
  Why wrong: Audit logs are required for threat detection, but they can be configured without the full plan. The plan makes use of them for alerting.
- C. Security alerts for container runtime threats, such as privilege escalation in a container.
  Correct: The plan enables advanced threat detection, generating security alerts based on behavioral analytics of cluster activities.
- D. Integration with Microsoft Sentinel for monitoring AKS logs.
  Why wrong: Integration with Microsoft Sentinel is a separate data connector configuration and not exclusive to the Defender for Containers plan.

A company uses Microsoft Defender for Cloud. They need to continuously assess the compliance of their Azure resources against the CIS benchmark. Which feature should they enable?
- A. Regulatory compliance dashboard
  Correct: The Regulatory compliance dashboard includes built-in initiatives for standards like CIS, allowing continuous compliance monitoring.
- B. Secure Score
  Why wrong: Secure Score is an overall security posture score based on controls, not a specific compliance standard assessment.
- C. Azure Policy
  Why wrong: Azure Policy is the underlying enforcement engine, but the feature that displays compliance is the Regulatory compliance dashboard.
- D. Just-In-Time VM access
  Why wrong: Just-In-Time VM access reduces network attack surface but does not assess compliance against CIS benchmarks.

A SOC analyst is configuring a Microsoft Sentinel scheduled analytics rule to detect rare operations on Azure Key Vaults. The rule uses the AzureActivity table. The analyst wants to use a machine learning algorithm to identify anomalies based on historical activity patterns. Which analytics rule type should the analyst choose?
- A. Scheduled
  Why wrong: Scheduled rules use KQL queries with fixed thresholds and do not incorporate machine learning for anomaly detection.
- B. Microsoft Security Incident (for using existing alert triggers)
  Why wrong: Microsoft Security Incident rules create incidents based on alerts from other Microsoft security products, not on raw data with ML.
- C. Anomaly detection
  Correct: Anomaly detection rules apply machine learning models to identify deviations from historical patterns, making them suitable for detecting rare operations.
- D. NRT (Near-Real-Time)
  Why wrong: NRT rules run near real-time but are based on static query logic without ML.

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?
- A. Create a Syslog data connector and specify the facility and severity to filter the application logs from /var/log.
  Why wrong: Syslog collects system logs via the syslog daemon, not arbitrary application log files written to other paths. The agent does not treat random files as syslog.
- B. Configure the Log Analytics agent to collect performance counters for the application process.
  Why wrong: Performance counters collect metrics like CPU and memory, not log file text content.
- C. Use the Custom Logs feature in the Log Analytics workspace to specify the path to the application log file and define the log type name.
  Correct: Custom Logs allow ingestion of text files by monitoring specified file paths and parsing lines into custom logs.
- D. Deploy a Log Analytics gateway and configure the application to write directly to the gateway using the HTTP Data Collector API.
  Why wrong: The HTTP Data Collector API can be used, but it requires the application to send HTTP requests. The scenario states the application writes to a local file, so the agent must watch that file.

A security administrator wants to assess their Azure environment against the Azure Security Benchmark and also include custom security controls defined by their organization. They need a single, reusable policy initiative that can be assigned across multiple subscriptions and management groups. What should the administrator create in Microsoft Defender for Cloud?
- A. A new regulatory compliance standard
  Why wrong: Regulatory compliance standards in Defender for Cloud are built-in (e.g., CIS, PCI DSS). You cannot create a custom standard; instead, you create a custom policy initiative that appears in the dashboard.
- B. A custom Azure Policy initiative
  Correct: By creating a custom initiative that includes the Azure Security Benchmark policy definitions plus custom policy definitions, you can deploy a single initiative covering both required sets of controls.
- C. A custom Azure Policy definition
  Why wrong: A single custom policy definition only covers one specific condition (e.g., enforce encryption). To combine multiple controls, you need an initiative (a set of policies).
- D. A Secure Score recommendation override
  Why wrong: Secure Score overrides allow you to exempt or suppress certain recommendations, but they do not enable assessment against custom controls.

A security analyst is investigating a suspicious email that was reported by a user. The email contains an attachment with a known malicious macro. The analyst wants to find all instances of this same email being delivered to other users in the organization. Which Advanced Hunting table should the analyst query to find the delivery events?
- A. EmailAttachmentInfo
  Why wrong: This table provides details about email attachments but does not indicate which users received the email. It must be joined with EmailEvents.
- B. EmailEvents
  Correct: EmailEvents contains the delivery records, including the recipient addresses and delivery status. It can be filtered or joined with attachment data to find all recipients.
- C. EmailUrlInfo
  Why wrong: This table stores URL information in emails, not attachment delivery events.
- D. DeviceFileEvents
  Why wrong: This table tracks file events on endpoints (not email delivery) and would only show if the attachment was opened on a device.

A security analyst wants to see the delivery status and phishing verdict of an email. Which advanced hunting table should the analyst query in Microsoft 365 Defender?
- A. EmailEvents
  Correct: Contains delivery status, threat types, and phishing verdict for each email.
- B. EmailPostDeliveryEvents
  Why wrong: Contains actions taken after delivery (e.g., user reported phishing, ZAP actions), not initial delivery verdict.
- C. EmailAttachmentInfo
  Why wrong: Contains details about file attachments, not delivery status or verdict.
- D. EmailUrlInfo
  Why wrong: Contains details about URLs in emails, not delivery status or verdict.

A large enterprise uses Microsoft Defender for Cloud with the integrated Microsoft Defender Vulnerability Management solution enabled for all servers. The security team wants to identify all virtual machines that have not been scanned for vulnerabilities in the last 7 days. They plan to use Azure Resource Graph (ARG) to generate a report. Which KQL query would correctly identify these machines?
- A. securityresources | where type =~ 'microsoft.security/assessments' and name == '4da3e7e8-0e4b-4c5e-8e0a-7e8f4e8e4e8e' | where properties.status.code == 'Unhealthy' and properties.status.firstEvaluationDate < ago(7d)
  Correct: This query filters for the specific vulnerability assessment and checks if the last scan (firstEvaluationDate) is older than 7 days or not present.
- B. resources | where type =~ 'microsoft.compute/virtualmachines' | where properties.storageProfile.osDisk.managedDisk.id != ''
  Why wrong: This query only returns virtual machines with managed disks; it does not include any vulnerability scan information.
- C. securityresources | where type =~ 'microsoft.security/regulatorycompliancestandards'
  Why wrong: Regulatory compliance standards (e.g., NIST) do not contain vulnerability scan timestamps per machine.
- D. resources | where type =~ 'microsoft.security/securitystatuses'
  Why wrong: The securitystatuses resource type is outdated and does not provide the granular vulnerability assessment scan data needed.

A security analyst is investigating a user who may have been compromised. The analyst sees a sign-in from an unusual location and then a series of suspicious actions performed by that user, including deleting files and sending emails. The analyst wants to find all emails sent by the user after the anomalous sign-in. Which advanced hunting tables should be used?
- A. EmailEvents and IdentityLogonEvents
  Correct: EmailEvents provides the email data, and IdentityLogonEvents provides sign-in times to correlate and find emails sent after the suspicious sign-in.
- B. EmailEvents and DeviceFileEvents
  Why wrong: DeviceFileEvents are for file operations on devices, not directly related to email sending.
- C. IdentityLogonEvents and DeviceEvents
  Why wrong: Missing the email table; DeviceEvents may not include email activity (depends on data source).
- D. EmailAttachmentInfo and EmailUrlInfo alone
  Why wrong: These lack the sender and full email metadata needed to identify emails sent by the user.

A security analyst is investigating a compromised user account using Microsoft 365 Defender. The analyst wants to see all the sign-in attempts made by this user in the last 24 hours, including the IP addresses and locations. Which advanced hunting table should the analyst query?
- A. IdentityLogonEvents
  Correct: IdentityLogonEvents logs user sign-in activities in Microsoft Entra ID, including IP addresses and geography, making it the correct table.
- B. AlertInfo
  Why wrong: AlertInfo contains metadata about alerts, not raw sign-in events.
- C. EmailAttachmentInfo
  Why wrong: EmailAttachmentInfo provides metadata about email attachments, not sign-in events.
- D. DeviceLogonEvents
  Why wrong: DeviceLogonEvents tracks interactive and non-interactive logons on devices, not Microsoft Entra ID user sign-ins.

A security analyst in Microsoft 365 Defender needs to review all actions that were automatically taken by an investigation (e.g., isolating a device, deleting a file) that occurred during an incident. Where should the analyst find this list of executed actions?
- A. Action center
  Correct: Action center lists all automated and manual actions taken during investigations, including status and results.
- B. Hunting queries
  Why wrong: Hunting is for creating custom queries to find threats, not for reviewing executed actions.
- C. Incidents page
  Why wrong: The Incidents page shows summary information, but detailed actions are found in the Action center.
- D. Alerts page
  Why wrong: The Alerts page lists individual alerts, not the remediation actions taken.

A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?
- A. ipv4_is_in_range(SigninIP, '192.168.0.0/16')
  Correct: This function directly checks if the IP is within the given CIDR range.
- B. has_any(SigninIP, dynamic(['192.168.0.0/16']))
  Why wrong: has_any is for substring matching, not for CIDR range evaluation.
- C. ipv4_is_private(SigninIP)
  Why wrong: This checks if the IP is in any private range (RFC1918), not against a specific range.
- D. SigninIP startswith '192.168.'
  Why wrong: String prefix matching works only for /16 ranges and fails for subnets like /24.

A security analyst in Microsoft Sentinel wants to correlate Microsoft Entra ID sign-in logs with IP addresses known to be associated with a threat actor. The threat actor's IPs are stored in a custom table named 'ThreatIntelligence_IP' that is ingested daily. The analyst needs to create an analytics rule that triggers only when a sign-in occurs from one of these IPs AND when the user is not in a list of approved users (stored in another custom table 'ApprovedUsers'). Which KQL query pattern should the analyst use to achieve this correlation and filtering?
- A. SigninLogs | join ThreatIntelligence_IP on IPAddress | where UserId notin (ApprovedUsers | project UserId)
  Why wrong: This uses a subquery to filter UserId, but it does not use a proper anti-join; the 'notin' operator may be inefficient and not as clear as an anti-join.
- B. SigninLogs | where IPAddress in (ThreatIntelligence_IP | project IPAddress) and UserId !in (ApprovedUsers | project UserId)
  Why wrong: Using 'in' and '!in' with subqueries is valid but less performant than joins for large tables. Also, '!in' is not a valid KQL operator; the correct operator is 'notin'.
- C. SigninLogs | join kind=inner ThreatIntelligence_IP on IPAddress | join kind=leftanti (ApprovedUsers | project UserId) on $left.UserId == $right.UserId
  Correct: This query first performs an inner join to keep only sign-ins from threat actor IPs, then a left anti join to exclude sign-ins from approved users. This is the most efficient and clear pattern.
- D. SigninLogs | join ThreatIntelligence_IP on IPAddress | where not(UserId in (ApprovedUsers | project UserId))
  Why wrong: While this works logically, using a join followed by a 'where not in' subquery is less efficient than an anti-join.
