Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 175

1639 questions total · 22pages · All types, answers revealed

Page 1 of 22

Page 2
1
MCQeasy

Your organization uses Microsoft Defender XDR. You receive an alert about a potentially unwanted application (PUA) being installed on a device. The PUA is not blocked by your current policy. You need to prevent future installations of this PUA without affecting other software. What should you do?

A.Enable blocking of all potentially unwanted applications in the antivirus policy.
B.Reset the device to its factory settings.
C.Create a custom indicator of compromise (IoC) to block the specific file's hash.
D.Run a full scan on the device to remove the PUA.
AnswerC

Custom indicators allow precise blocking based on file hash.

Why this answer

Adding the file's SHA-256 hash to the custom indicator allows Defender to block it specifically. Option A is incorrect because blocking all PUAs is too broad. Option C is incorrect because a full scan does not prevent future installations.

Option D is incorrect because resetting the device is excessive.

2
Multi-Selecteasy

Which TWO built-in Microsoft Sentinel hunting queries are useful for detecting signs of compromised credentials?

Select 2 answers
A.Baseline of user behavior
B.Anomalous logon location
C.Brute force attempt against user accounts
D.Deleted user account
E.New user account creation
AnswersB, C

Identifies logins from unexpected geographies.

Why this answer

Correct options: B and C. Anomalous logon location (B) can indicate credential misuse. Brute force attempt (C) detects password guessing.

Option A (Baseline) is not a specific query. Option D (New user) may be legitimate. Option E (Deleted) is not specific to compromise.

3
MCQeasy

Your SOC team uses Microsoft Sentinel incident investigation. An analyst needs to quickly see all related entities (users, IPs, machines) for an incident. Which feature should the analyst use?

A.Incident timeline
B.Hunting blade
C.Entity behavior analytics page
D.Incident investigation graph
AnswerD

The investigation graph shows all related entities.

Why this answer

The Incident investigation graph in Microsoft Sentinel provides a visual, interactive map of all entities (users, IPs, machines) linked to an incident, allowing analysts to quickly see relationships and pivot between entities. This is the dedicated feature for entity-centric incident exploration, unlike other options that serve different purposes.

Exam trap

Microsoft often tests the distinction between a chronological timeline (incident timeline) and a relational graph (investigation graph), leading candidates to confuse the incident timeline's alert sequence with the entity relationship view.

How to eliminate wrong answers

Option A is wrong because the Incident timeline shows a chronological list of alerts and activities within an incident, not a visual graph of related entities. Option B is wrong because the Hunting blade is used for proactive threat hunting with KQL queries, not for viewing entities tied to an existing incident. Option C is wrong because the Entity behavior analytics page provides behavioral insights and anomalies for a single entity over time, not a consolidated view of all entities related to an incident.

4
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to create a hunting query that finds users who have accessed a high number of distinct Azure resources within a short time frame, which may indicate credential theft. Which KQL query would be most effective?

A.AzureActivity | summarize dcount(Resource) by bin(TimeGenerated, 1m), Caller
B.AzureActivity | summarize count() by Caller | where count_ > 20
C.AzureActivity | summarize dcount(OperationName) by Caller, bin(TimeGenerated, 1h) | where dcount_OperationName > 20
D.AzureActivity | where TimeGenerated > ago(1d) | summarize dcount(Resource) by Caller, bin(TimeGenerated, 1h) | where dcount_Resource > 20
AnswerD

This counts distinct Azure resources accessed per user per hour, which can indicate rapid reconnaissance.

Why this answer

Option D is correct because it uses the AzureActivity table to count distinct resources per user per hour, filtering for those with more than 20 resources. Option A is wrong because it uses a 1-minute bucket, too granular for meaningful hunting. Option B is wrong because it counts operations, not distinct resources.

Option C is wrong because it counts distinct operation names, not resources.

5
MCQmedium

You are reviewing a Microsoft Sentinel scheduled analytics rule definition (JSON). What is the purpose of the "triggerThreshold": 0 setting?

A.The rule will generate an alert only if the query returns exactly 1 result
B.The rule will generate an alert if the query returns at least one result
C.The rule will not generate any alerts
D.The rule will generate an alert only if the query returns zero results
AnswerB

GreaterThan with threshold 0 triggers when count > 0, i.e., at least one result.

Why this answer

Option A is correct because a trigger threshold of 0 means the rule will generate an alert even if no results are returned (i.e., 0 results trigger), which is unusual but possible for certain use cases. Option B is wrong because threshold of 0 does not match count of 1. Option C is wrong because it's not about count of 1.

Option D is wrong because threshold of 0 means no alert only if threshold is -1 or not set.

6
MCQmedium

Refer to the exhibit. You are investigating a user account that shows multiple logons to the Azure Portal from various countries within a short time. The query returns no results despite known logons. What is the most likely issue?

A.The Timestamp filter should be Timestamp > ago(7d) but instead it's written incorrectly.
B.The AccountUpn field is not present in IdentityLogonEvents.
C.The Application filter should be 'Azure Portal' in a different case.
D.IdentityLogonEvents does not contain Azure Portal logon events; use AADSignInEventsBeta instead.
AnswerD

IdentityLogonEvents is for on-premises AD logons, not cloud.

Why this answer

Option A is correct because IdentityLogonEvents is a table in Microsoft Defender for Identity (now part of Microsoft Defender XDR), but it logs events from domain controllers, not Azure Portal logons. Azure Portal logons are in AADSignInEventsBeta. Option B is incorrect because the query uses Timestamp.

Option C is incorrect because AccountUpn is a valid field. Option D is incorrect because the filter on Application is valid.

7
MCQeasy

During a security incident response, you need to collect forensic evidence from a Windows 10 device that is suspected to be compromised. The device is not domain-joined and is located in a remote office. You have remote administrative access. Which Microsoft 365 tool should you use to acquire a memory dump of the device?

A.Microsoft Sentinel
B.Microsoft Purview eDiscovery
C.Microsoft Intune
D.Microsoft Defender for Endpoint
AnswerD

MDE's live response feature allows collection of memory dumps and other forensic artifacts.

Why this answer

Option C is correct because Microsoft Defender for Endpoint (MDE) includes live response capabilities that allow you to collect memory dumps from remote devices. Option A is wrong because Microsoft Intune is for device management, not forensic collection. Option B is wrong because Microsoft Purview eDiscovery is for content searches and legal holds, not live memory acquisition.

Option D is wrong because Microsoft Sentinel is a SIEM, not a tool for direct forensic collection from endpoints.

8
MCQmedium

You are responding to a ransomware incident in Microsoft Defender XDR. You have identified that the malware encrypted files on several devices and then deleted the volume shadow copies. Which of the following actions should you take first to contain the incident?

A.Run a remediation action to delete the detected malware
B.Restore encrypted files from backup
C.Run a full antivirus scan on all devices
D.Isolate affected devices using Microsoft Defender for Endpoint
AnswerD

Isolation prevents further spread.

Why this answer

The correct answer is A because isolating devices prevents the ransomware from spreading to other systems. Option B is wrong because deleting the malware does not address the encryption already done. Option C is wrong because restoring files should wait until containment is achieved.

Option D is wrong because running a full scan is not the first containment step.

9
Multi-Selectmedium

Which THREE are valid investigation actions in Microsoft Sentinel? (Select THREE.)

Select 3 answers
A.View related entities such as IP addresses.
B.Run a playbook.
C.View related incidents.
D.Modify an analytics rule.
E.View related alerts.
AnswersA, C, E

Entities are core to investigation.

Why this answer

Option A is correct because investigation can show related alerts. Option B is correct because investigation can show entities like IPs. Option E is correct because investigation can show related incidents.

Option C is wrong because running a playbook is a remediation action, not an investigation action. Option D is wrong because investigation does not modify analytics rules.

10
Multi-Selecteasy

Your organization uses Microsoft Sentinel. You are investigating an incident that involves multiple alerts. Which TWO actions can you perform from the incident details page to consolidate the investigation?

Select 2 answers
A.Create a bookmark to capture relevant evidence.
B.Delete alerts that are not relevant.
C.Add additional alerts to the incident.
D.Create a new playbook from the incident page.
E.Modify the analytics rule that generated the incident.
AnswersA, C

Bookmarks help preserve evidence for later.

Why this answer

From the incident details page, you can add alerts to the incident and create a bookmark to preserve evidence. Option A is correct because you can add related alerts. Option D is correct because bookmarks can be created.

Option B is wrong because analytics rules are modified in the Analytics blade. Option C is wrong because playbooks are run from the incident page, not created. Option E is wrong because deleting alerts is not a standard action.

11
Multi-Selecteasy

Which THREE actions are recommended when conducting a threat hunt for compromised identities using Microsoft Sentinel UEBA?

Select 3 answers
A.Search for access to applications the user does not normally use
B.Query DNS logs for unusual domain resolutions
C.Look for multiple failed logon attempts followed by a successful one
D.Investigate changes to firewall rules
E.Review UEBA anomalies for unusual logon times or locations
AnswersA, C, E

Unusual application access can indicate account takeover.

Why this answer

UEBA is used to detect anomalous behavior; focusing on unusual logon times, multiple failed attempts, and unusual application access are key indicators of compromised identities. Option C (investigating firewall changes) is more for network security. Option E (reviewing DNS logs) is for network anomalies.

12
MCQeasy

Refer to the exhibit. You are running a PowerShell script to enable the Anomalies setting in Microsoft Sentinel. After running the script, you check the Sentinel settings in the portal and see that Anomalies is still disabled. What is the most likely reason?

A.The cmdlet 'Set-AzSentinelSetting' does not exist in the Az module.
B.The user does not have Contributor permissions on the workspace.
C.The script requires the -PassThru parameter to apply changes.
D.The workspace was not retrieved correctly because the name is misspelled.
AnswerA

The correct cmdlet is 'Update-AzSentinelSetting' or similar.

Why this answer

The cmdlet 'Set-AzSentinelSetting' does not exist in the official Az.SecurityInsights module. Microsoft Sentinel settings, including Anomalies, are managed via the REST API or the 'Update-AzSentinelSetting' cmdlet (part of the Az.SecurityInsights preview module). Running a non-existent cmdlet would produce an error, not apply any changes, leaving Anomalies disabled in the portal.

Exam trap

The trap here is that candidates assume all Azure PowerShell cmdlets follow the 'Set-*' naming convention, but Microsoft Sentinel settings specifically use 'Update-*' in the Az.SecurityInsights module, leading to the mistaken belief that 'Set-AzSentinelSetting' is valid.

How to eliminate wrong answers

Option B is wrong because Contributor permissions on the workspace are sufficient to modify Sentinel settings; the issue is the cmdlet itself, not permissions. Option C is wrong because the -PassThru parameter is used to output the result object but is not required for the change to apply; its absence does not prevent the setting from being saved. Option D is wrong because even if the workspace name were misspelled, the script would fail with a 'workspace not found' error, not silently leave Anomalies disabled; the question states the script ran, implying no retrieval error.

13
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An incident is created for a user whose credentials were used from an unusual location to access sensitive HR data. The user's account is a domain admin. The security team needs to ensure the attacker cannot use the account again. What should you do first?

A.Remove the user from the Domain Admins group
B.Force the user to log out of all sessions
C.Reset the user's password and revoke the Kerberos TGT
D.Disable the user's account in Active Directory
AnswerC

Password reset and TGT revocation prevent reuse of credentials.

Why this answer

Option C is correct because resetting the password and revoking the Kerberos TGT ensures the attacker cannot reuse cached credentials. Option A is wrong because disabling the account may disrupt operations but password reset is more precise. Option B is wrong because logging out alone does not invalidate the TGT.

Option D is wrong because removing group membership is secondary.

14
MCQhard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to reduce data ingestion costs while retaining security events for one year. You have enabled Azure Monitor Agent on all servers. What should you do?

A.Configure a daily ingestion cap and enable archiving for data older than 90 days.
B.Configure a daily ingestion cap and enable Basic Logs for the workspace.
C.Set a daily ingestion cap and convert the workspace to Auxiliary Logs.
D.Reduce the data retention period to 90 days and set a daily ingestion cap.
AnswerB

Basic Logs reduce storage cost and can be retained for up to one year.

Why this answer

Option B is correct because configuring a daily ingestion cap limits the total data ingested per day, directly controlling costs. Enabling Basic Logs for the workspace allows you to store security events at a lower ingestion cost while retaining them for up to one year, as Basic Logs support up to 365 days of retention by default. This combination meets the requirement to reduce costs and retain security events for one year without losing data.

Exam trap

The trap here is that candidates confuse archiving or retention reduction with cost savings, but the question specifically requires retaining security events for one year, so only Basic Logs (which offer low-cost long-term retention) combined with a daily ingestion cap satisfy both cost reduction and retention requirements.

How to eliminate wrong answers

Option A is wrong because enabling archiving for data older than 90 days does not reduce ingestion costs; archiving only reduces storage costs for data already ingested, and the daily ingestion cap alone does not address the need for one-year retention of security events. Option C is wrong because Auxiliary Logs are not a valid log category in Microsoft Sentinel; the correct low-cost log plan is Basic Logs, and converting the workspace to Auxiliary Logs would break Sentinel functionality. Option D is wrong because reducing the data retention period to 90 days directly contradicts the requirement to retain security events for one year, and a daily ingestion cap alone does not provide the necessary retention duration.

15
MCQhard

A SOC team uses Microsoft Sentinel with multiple workspaces distributed across different regions. They need to create a single analytics rule that can query data from multiple workspaces to detect cross-tenant attacks. What is the recommended approach?

A.Create separate analytics rules for each workspace
B.Use cross-workspace queries in a single analytics rule with the workspace() function
C.Create a union workspace that ingests data from all workspaces
D.Use Azure Lighthouse to manage multiple workspaces and create rules on each
AnswerB

The KQL workspace() function allows a single analytics rule to query tables from multiple Log Analytics workspaces, enabling cross-workspace detection.

Why this answer

The recommended approach is to use cross-workspace queries in a single analytics rule with the workspace() function. This allows the rule to query data from multiple Sentinel workspaces in different regions without duplicating rules or ingesting data centrally. The workspace() function enables a single KQL query to reference tables from up to 100 workspaces, making it ideal for detecting cross-tenant attacks across distributed environments.

Exam trap

The trap here is that candidates may think Azure Lighthouse alone solves the problem, but it only provides management plane access; the actual query logic still requires the workspace() function to combine data in a single rule.

How to eliminate wrong answers

Option A is wrong because creating separate analytics rules for each workspace would require managing multiple rules, increasing complexity and failing to correlate events across workspaces in a single detection. Option C is wrong because creating a union workspace that ingests data from all workspaces would require duplicating data ingestion, increasing costs and latency, and is not a native Sentinel feature for cross-workspace queries. Option D is wrong because Azure Lighthouse provides cross-tenant management capabilities but does not allow a single analytics rule to query multiple workspaces; rules must still be created per workspace or use cross-workspace queries.

16
Multi-Selecthard

Which THREE actions are part of the threat hunting process in Microsoft Defender XDR?

Select 3 answers
A.Configure automated response actions
B.Investigate entities found in the results
C.Query advanced hunting using KQL
D.Formulate a hypothesis based on threat intelligence
E.Set data retention policies for hunting data
AnswersB, C, D

Investigating entities is a key hunting activity.

Why this answer

Formulating a hypothesis, querying advanced hunting, and investigating entities are core steps. Configuring automated responses is part of incident response, and setting retention policies is data management.

17
MCQhard

Your threat hunt aims to detect possible Kerberoasting attacks. Which KQL query in Microsoft Sentinel would best identify service principal name (SPN) requests from unusual accounts?

A.SecurityEvent | where EventID == 4768 | summarize count() by Account | where count_ > 10
B.SecurityEvent | where EventID == 4769 | summarize count() by Account
C.let knownAccounts = dynamic(['svc_sql', 'svc_adfs']); SecurityEvent | where EventID == 4768 | where Account !in (knownAccounts) | summarize cnt=count() by Account, IpAddress | where cnt > 5
D.SecurityEvent | where EventID == 4773 | summarize count() by Account
AnswerC

This identifies unusual accounts with high TGT requests by excluding known service accounts.

Why this answer

Option B is correct because it joins TGT requests (Kerberos TGS requests) with high count per account and filters out known service accounts. Option A misses the join with known accounts. Option C focuses on TGT renewal, not service tickets.

Option D uses a different event ID (4769 is for TGS, not TGT).

18
MCQhard

Your organization uses Microsoft Sentinel with UEBA enabled. You need to identify anomalous user behavior that indicates a potential compromise. Which entity behavior analytics feature should you use?

A.Automation rules
B.Hunting queries
C.Entity behavior analytics peer comparison
D.Anomaly rules in analytics
AnswerC

UEBA compares user behavior to peers to detect anomalies.

Why this answer

UEBA in Sentinel uses anomaly detection models to baseline user behavior and alert on deviations. Option D is correct. Option A is for alerts.

Option B is for automation. Option C is for hunting.

19
MCQeasy

An analyst in your SOC receives a Microsoft Defender for Cloud Apps alert indicating a suspicious Power Automate flow that is forwarding emails to an external domain. The analyst needs to disable the flow immediately. Which action should they take?

A.Block the external domain in Exchange Online mail flow rules
B.Remove the flow from the Microsoft 365 admin center
C.Disable the user account in Microsoft Entra ID
D.Use the governance action in Microsoft Defender for Cloud Apps to disable the flow
AnswerD

Defender for Cloud Apps can take governance actions on connected apps, including disabling suspicious flows.

Why this answer

Option A is correct because from the Defender for Cloud Apps portal, the analyst can govern the app by disabling the suspicious flow. Option B is wrong because disabling the user account is more disruptive and may not stop the flow if it uses service principal. Option C is wrong because Power Automate flows are not managed via the Microsoft 365 admin center.

Option D is wrong because blocking the external domain in Exchange Online does not stop the flow.

20
MCQmedium

Your security team uses Microsoft Defender XDR to investigate incidents. You have a custom detection rule that runs a KQL query every hour. Recently, the rule stopped generating alerts. You verify that the query syntax is correct and that data is being ingested. What is the most likely cause?

A.The alert suppression threshold is configured too high.
B.The Microsoft Defender XDR license has expired.
C.An automation rule is deleting the alerts.
D.The query is not returning any results.
AnswerA

Suppression may prevent alerts from being generated.

Why this answer

The custom detection rule uses an alert suppression threshold, which prevents alerts from being generated unless the query results exceed a specified count. If this threshold is set too high, the rule may stop generating alerts even though the query returns valid results, because the number of matching events no longer meets the suppression limit. This is the most likely cause given that the query syntax is correct and data is being ingested.

Exam trap

The trap here is that candidates often assume a query returning no results (Option D) is the cause, but the question explicitly confirms data ingestion and correct syntax, so the issue is more likely a misconfigured suppression threshold that silently drops alerts.

How to eliminate wrong answers

Option B is wrong because if the Microsoft Defender XDR license had expired, the entire service would be affected, not just a single custom detection rule, and you would likely see broader licensing errors or service degradation. Option C is wrong because automation rules in Microsoft Defender XDR can take actions on alerts (e.g., assign, resolve, or trigger playbooks), but they do not delete alerts; they modify alert properties or trigger automated responses, not remove alerts from the system. Option D is wrong because the scenario states that data is being ingested and the query syntax is correct, so the query should return results; if it returned no results, the rule would not generate alerts, but the question explicitly says data is being ingested, making this unlikely.

21
MCQmedium

Refer to the exhibit. An incident in Microsoft Sentinel contains the entities shown. Which additional data source would be most useful to investigate this incident?

A.Microsoft Defender for Endpoint device timeline
B.Microsoft Entra ID sign-in logs
C.Microsoft Purview audit logs
D.Microsoft Intune device compliance logs
AnswerB

Sign-in logs provide details about the authentication event.

Why this answer

Option B is correct because the incident involves a suspicious sign-in from an unfamiliar IP. Checking Microsoft Entra ID sign-in logs can provide additional context like authentication details, user agent, and risk level. Option A is wrong because Microsoft Defender for Endpoint focuses on endpoints, not cloud sign-ins.

Option C is wrong because Microsoft Purview is for compliance and data governance. Option D is wrong because Microsoft Intune is for device management, not sign-in events.

22
MCQeasy

A SOC analyst is triaging an incident in Microsoft Sentinel and needs to assign it to a senior analyst for further investigation. What is the correct action?

A.Create a new incident and manually add the senior analyst as a comment.
B.Open the incident and change the Owner field to the senior analyst.
C.Close the incident and reopen it under the senior analyst's name.
D.Run a playbook that sends an email to the senior analyst.
AnswerB

Changing the owner assigns the incident to the specified analyst.

Why this answer

Option A is correct because the incident details blade allows changing the owner. Option B is wrong because creating a new incident is not necessary. Option C is wrong because closing the incident would stop investigation.

Option D is wrong because the playbook is for automation, not for assignment.

23
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Microsoft Defender XDR are synchronized to Microsoft Sentinel with the same status (e.g., 'Active', 'Resolved'). What should you configure?

A.Create a custom playbook to poll Defender XDR API and update Sentinel incidents.
B.Connect Microsoft Defender XDR to Microsoft Sentinel using the official data connector.
C.Manually update status in both systems.
D.Disable the Microsoft Defender XDR connector and use separate connectors for each workload.
AnswerB

The connector provides bi-directional sync of incidents and status.

Why this answer

Option A is correct because bi-directional synchronization is built-in when you connect Microsoft Defender XDR to Sentinel. Option B is wrong because a playbook would be unnecessary and could cause duplicates. Option C is wrong because manual synchronization is not practical.

Option D is wrong because the Microsoft Defender XDR connector does sync status by default.

24
MCQeasy

A security analyst in Microsoft Sentinel receives an incident with a high severity alert from Microsoft Defender for Identity. The incident description mentions a suspected lateral movement pass-the-hash attack. What should the analyst do first?

A.Reset the password of the compromised account.
B.Review the Microsoft Defender for Cloud Apps logs.
C.Isolate the affected device from the network.
D.Create a new analytics rule to detect pass-the-hash attacks.
AnswerC

Isolation stops the attack from spreading.

Why this answer

Isolating the affected device prevents further lateral movement. Option A is for future detection; Option C is not immediate; Option D is for cloud apps.

25
MCQhard

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. An incident is created from a Defender for Endpoint alert about a malware detection on a device. The incident has low priority, but you want to automatically isolate the device from the network if the alert is confirmed as a true positive by the SOC. What is the recommended approach?

A.Create a separate analytics rule that triggers on the same alert and uses a playbook to isolate the device.
B.Use automatic attack disruption in Microsoft Defender XDR to isolate the device automatically.
C.Configure an automated response in Defender for Endpoint to isolate the device immediately when an alert is generated.
D.Create an automation rule in Microsoft Sentinel that triggers a playbook with an approval step before executing device isolation.
AnswerD

This ensures human confirmation before taking action.

Why this answer

Option C is correct because automation rules can trigger a playbook that requires manual approval before isolating the device, ensuring a human confirms the alert. Option A is wrong because immediate isolation without confirmation could impact productivity. Option B is wrong because automatic attack disruption may isolate based on severity but does not wait for SOC confirmation.

Option D is wrong because a separate analytics rule cannot isolate devices; it only generates incidents.

26
MCQmedium

Your security team receives frequent false positive alerts from Microsoft Defender for Cloud Apps. You need to reduce noise without disabling any threat detection policies. What should you do?

A.Disable the built-in anomaly detection policies that generate false positives.
B.Configure suppression rules based on user, IP, or app to automatically dismiss matching alerts.
C.Adjust the alert severity thresholds in the policy settings.
D.Create custom detection policies to override default rules.
AnswerB

Suppression rules allow dismissing alerts without disabling detection.

Why this answer

Option B is correct because suppression rules in Microsoft Defender for Cloud Apps allow you to automatically dismiss alerts that match specific criteria (e.g., user, IP address, or app) without disabling the underlying threat detection policy. This reduces false positive noise while keeping the detection engine active for genuine threats. Disabling policies or adjusting severity thresholds would either remove detection entirely or fail to address the root cause of false positives.

Exam trap

The trap here is that candidates often confuse 'suppression' with 'disabling' or 'tuning' policies, assuming that reducing noise requires altering detection logic or severity, rather than using the dedicated suppression feature that automatically dismisses matching alerts without affecting detection.

How to eliminate wrong answers

Option A is wrong because disabling built-in anomaly detection policies would remove threat detection capabilities entirely, contradicting the requirement to not disable any threat detection policies. Option C is wrong because adjusting alert severity thresholds only changes the classification of alerts (e.g., from high to medium) but does not suppress or dismiss them, so false positives would still appear in the console. Option D is wrong because creating custom detection policies adds new rules but does not reduce noise from existing default policies; it would not suppress false positives generated by the built-in policies.

27
MCQhard

A SOC manager wants to implement a new workflow where high-severity Microsoft Defender for Cloud Apps alerts are automatically sent to a Teams channel for immediate action. The solution must not require custom code. What should the manager configure?

A.Use Microsoft Power Automate to monitor the alerts and send a Teams message
B.Configure a rule in Microsoft Defender XDR to send email notifications
C.Create an automation rule in Microsoft Sentinel with a playbook that posts to Teams
D.Configure Microsoft Entra ID to send the alerts to Teams
AnswerC

Microsoft Sentinel can ingest Defender for Cloud Apps alerts and use playbooks to post to Teams.

Why this answer

Option C is correct because Microsoft Sentinel's automation rules can trigger a playbook (built on Azure Logic Apps) when a high-severity alert is generated, and the playbook can post a message to a Teams channel without requiring custom code. This directly meets the requirement of automatically sending high-severity Microsoft Defender for Cloud Apps alerts to Teams for immediate action, leveraging built-in connectors.

Exam trap

The trap here is that candidates may confuse Microsoft Defender XDR's email notification rules with the ability to send Teams messages, or assume Power Automate is the correct low-code solution, but the question's requirement for no custom code and direct integration with Microsoft Defender for Cloud Apps alerts points specifically to Sentinel's automation rules with playbooks.

How to eliminate wrong answers

Option A is wrong because Microsoft Power Automate does not natively integrate with Microsoft Defender for Cloud Apps alerts to trigger on them directly; it would require custom connectors or workarounds, and the question explicitly states no custom code is allowed. Option B is wrong because configuring a rule in Microsoft Defender XDR to send email notifications only sends emails, not Teams messages, and does not meet the requirement of sending alerts to a Teams channel. Option D is wrong because Microsoft Entra ID (formerly Azure AD) is an identity and access management service and does not have the capability to send alerts from Microsoft Defender for Cloud Apps to Teams.

28
MCQmedium

You are a security analyst using Microsoft Sentinel. You want to proactively search for signs of a specific threat actor known to use PowerShell encoded commands. Which hunting technique is most appropriate?

A.Create an analytics rule to trigger an alert when PowerShell encoded commands are detected.
B.Create a watchlist of known malicious IPs and correlate with PowerShell events.
C.Enable UEBA to detect anomalous PowerShell usage.
D.Use a hunting query in the Microsoft Sentinel hunting blade to search for PowerShell encoded commands.
AnswerD

Hunting queries are designed for proactive search and investigation.

Why this answer

Hunting queries in Microsoft Sentinel allow proactive searching for suspicious patterns. Option C is correct because it directly aligns with the need to create a custom KQL query to detect encoded PowerShell commands. Option A is incorrect because a watchlist is used for known indicators, not proactive hunting.

Option B is incorrect because analytic rules create alerts after detection, not for proactive hunting. Option D is incorrect because UEBA identifies anomalies, not specific threat actor techniques.

29
MCQmedium

A Microsoft Defender for Endpoint alert indicates that a device has been communicating with a known command-and-control (C2) server. The device is critical for production. What is the most appropriate response?

A.Disconnect the network cable of the device.
B.Run a full antivirus scan on the device.
C.Block the C2 server URL in the firewall.
D.Isolate the device using Microsoft Defender for Endpoint's device isolation feature.
AnswerD

Isolation can be done with a forensic preservation mode, allowing investigation while blocking communication.

Why this answer

The most appropriate response is to isolate the device from the network to prevent further C2 communication while preserving forensic data. Disconnecting the network cable does not preserve data. Running a full scan is reactive.

Blocking the C2 URL is less effective because the device may have other backdoors.

30
MCQmedium

An organization uses Microsoft Sentinel and Microsoft Defender XDR. A critical incident is created when a user is detected as compromised. The incident severity is set to High. The SOC manager wants to ensure that all incidents with severity High or above are automatically assigned to the senior analyst tier. What should the analyst configure?

A.Set a playbook to run when an incident is created.
B.Create an analytics rule with a custom severity.
C.Define an automation rule to assign incidents based on severity.
D.Configure an alert tuning rule.
AnswerC

Automation rules can conditionally assign incidents to specific owners or groups based on severity.

Why this answer

The correct answer is D. Automation rules in Microsoft Sentinel allow setting conditions based on incident properties (like severity) and then assigning the incident to an owner or group. The other options do not provide automatic assignment based on severity.

31
MCQeasy

Your organization is planning to deploy Microsoft Sentinel. You need to ensure that security events from on-premises servers are sent to Sentinel. Which connector should you use?

A.Install the Log Analytics agent (MMA) on the servers and connect to Sentinel workspace.
B.Use the Microsoft Defender for Cloud (MDC) connector to stream security events.
C.Enable Azure Arc on the servers and use the Arc agent to forward events.
D.Install the Azure Monitor Agent (AMA) on the servers and configure a Data Collection Rule (DCR) to send events to Sentinel.
AnswerD

AMA is the current agent for collecting logs to Azure Monitor / Sentinel.

Why this answer

The Azure Monitor Agent (AMA) is the recommended agent for collecting logs from Windows and Linux servers to Azure Monitor and Sentinel. Option A is correct. Option B is wrong because the Log Analytics agent is legacy and being deprecated.

Option C is wrong because Microsoft Defender for Cloud is for cloud security posture, not log collection. Option D is wrong because Azure Arc is for managing servers outside Azure, but the actual log collection still uses AMA.

32
MCQhard

Your organization has Microsoft Sentinel and Microsoft Defender for Identity deployed. An incident is created for a user whose account was used to access a sensitive database from an unusual workstation. The user is a member of the 'Database Admins' group. The security team needs to prevent further unauthorized access and preserve evidence. What should you do first?

A.Disable the user's account in Active Directory
B.Reset the user's password
C.Force the user to log off all sessions
D.Remove the user from the Database Admins group
AnswerA

Disabling the account prevents further access immediately.

Why this answer

Option D is correct because disabling the account immediately prevents further access while preserving the group membership for investigation. Option A is wrong because removing from the group may not stop access if the attacker has cached credentials. Option B is wrong because resetting password alone may not invalidate existing sessions.

Option C is wrong because logging off may not be possible or effective.

33
MCQmedium

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute-force attacks on Microsoft Entra ID. The rule should generate an incident when a single user account fails to authenticate more than 10 times in 5 minutes from the same IP address. Which KQL operator is most appropriate to aggregate the count of failed sign-ins?

A.summarize
B.extend
C.project
D.where
AnswerA

summarize groups data by the specified columns (e.g., UserPrincipalName, IPAddress) and calculates an aggregate like count(), which is essential for detecting the threshold.

Why this answer

The `summarize` operator is the correct choice because it aggregates data into groups based on specified criteria, such as counting the number of failed sign-ins per user and IP address within a time window. In this scenario, you need to count events where `ResultType` indicates failure (e.g., 50053 or 50057), grouped by `UserPrincipalName` and `IPAddress`, and then filter for counts exceeding 10. The `summarize` operator with `count()` directly provides this aggregation, enabling the rule to trigger an incident when the threshold is met.

Exam trap

Microsoft often tests the distinction between row-level operators (`extend`, `project`, `where`) and aggregation operators (`summarize`, `make-series`), and the trap here is that candidates mistakenly choose `where` thinking it can count events by filtering for a threshold, but `where` only filters rows and cannot aggregate across multiple rows to produce a count.

How to eliminate wrong answers

Option B (`extend`) is wrong because it creates new calculated columns or modifies existing ones but does not perform any aggregation; it operates on individual rows, not groups, so it cannot count events across multiple rows. Option C (`project`) is wrong because it selects or reorders columns without any aggregation capability; it is used to shape the output, not to summarize data. Option D (`where`) is wrong because it filters rows based on a condition but does not group or count; it can only reduce the dataset to rows meeting a predicate, such as failed sign-ins, but cannot produce a count per user and IP.

34
MCQeasy

An organization uses Microsoft Sentinel for security operations. A security engineer needs to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created in Sentinel. Which feature should the engineer use?

A.Analytics rule
B.Workbook
C.Automation rule with a playbook
D.Hunting query
AnswerC

Automation rules can trigger a playbook that disables the user account.

Why this answer

Option B is correct because automation rules in Sentinel trigger playbooks on incident creation. Option A is wrong because analytics rules only create alerts, not actions on users. Option C is wrong because workbooks are for visualization, not automation.

Option D is wrong because hunting queries are manual.

35
MCQhard

You are a security analyst at Contoso, a multinational company with 10,000 endpoints. You are using Microsoft Sentinel and Microsoft Defender XDR for threat hunting. In the past week, you have observed an increase in failed logon events (Event ID 4625) from multiple workstations towards a single domain controller, targeting the built-in Administrator account. The source IPs are a mix of internal and external addresses. You suspect a password spraying attack. You need to confirm the attack and identify all affected accounts. You have access to Windows Security Events ingested into Sentinel. Which single KQL query would best identify accounts with repeated failed logons across multiple source IPs, indicating password spraying?

A.SecurityEvent | where EventID == 4625 | summarize FailedAttempts = count() by Account, IpAddress | where FailedAttempts > 10
B.SecurityEvent | where EventID == 4625 | summarize DistinctSourceIPs = dcount(IpAddress) by Account | where DistinctSourceIPs > 1
C.SecurityEvent | where EventID == 4625 | summarize FailedAttempts = count() by Account | where FailedAttempts > 50
D.SecurityEvent | where EventID == 4625 and Account == 'Administrator' | summarize count() by IpAddress
AnswerB

This identifies accounts targeted from multiple IPs, indicating password spraying.

Why this answer

Option C is correct because it counts distinct source IPs per target account and filters for those with more than one source IP, which is characteristic of password spraying. Option A is wrong because it groups by source IP, which identifies brute-force from a single IP. Option B is wrong because it counts total attempts regardless of source IP.

Option D is wrong because it filters by account name, missing other targeted accounts.

36
MCQmedium

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple workstations with encoded commands. The analyst wants to find all instances of this script across the environment. Which hunting method in Microsoft Sentinel is most effective?

A.Search for the SHA256 hash of the script file in DeviceFileEvents.
B.Search for the encoded command string in DeviceProcessEvents command line.
C.Search for the script in DeviceNetworkEvents as a downloaded file.
D.Search for the script file name in DeviceFileEvents where the folder path contains 'Temp'.
AnswerA

The file hash uniquely identifies the script regardless of filename or location.

Why this answer

Option C is correct because searching for the script hash across DeviceFileEvents will find any file with that hash, regardless of location. Option A is wrong because it only finds the script if it was executed via command line. Option B is wrong because it only finds it if it was run from Temp folder.

Option D is wrong because it only finds it if it was downloaded via browser.

37
MCQeasy

You are hunting for signs of credential theft in Microsoft Defender XDR. Which advanced hunting table is most appropriate to investigate suspicious logon events?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.EmailEvents
D.IdentityLogonEvents
AnswerD

Captures logon attempts from Microsoft Defender for Identity.

Why this answer

Option B is correct because IdentityLogonEvents contains authentication logs. Option A is for email. Option C is for process events.

Option D is for network events.

38
MCQmedium

The exhibit shows a Conditional Access policy configuration in Microsoft Entra ID. The policy is intended to require MFA and compliant device for all users accessing all applications from trusted locations. However, users are reporting that they are being prompted for MFA even when accessing from the office (which is a trusted location). What is the most likely issue?

A.The policy should target specific applications instead of 'All applications'.
B.The grant controls should be 'Require MFA' only, not 'Require compliant device'.
C.The policy should exclude the 'All Users' group and instead assign specific users.
D.The location condition should include 'All untrusted locations' and exclude 'All trusted locations'.
AnswerD

The policy currently applies to trusted locations, but it should apply to untrusted locations to require MFA only when not trusted.

Why this answer

The policy includes 'All trusted locations' but the condition 'exclude' is set to 'All untrusted locations', which is redundant and may not be the issue. Actually, the problem might be that the condition 'locations' is misconfigured: 'include' should be 'All trusted locations' and 'exclude' should be left empty or set to something else. However, the correct answer is that the policy does not have a condition to 'Exclude' trusted locations? Wait, the policy is supposed to apply to trusted locations, but it includes 'All trusted locations' and excludes 'All untrusted locations', which means it applies only to trusted locations (since untrusted are excluded).

The issue is that the policy is set to apply to all users and all applications, but the grant controls require MFA and compliant device. If the policy applies to trusted locations, users at the office (trusted) will get prompted. But the intent is to require MFA only from untrusted locations.

So the policy should include untrusted locations, not trusted. Option A is correct because the location condition is inverted: it should include untrusted locations and exclude trusted ones. Option B is wrong because the grant controls are correct.

Option C is wrong because the policy applies to all apps. Option D is wrong because the assignments seem fine.

39
MCQmedium

You are managing a Microsoft Sentinel environment. You need to ensure that only security analysts with specific roles can modify automation rules. The solution must use least privilege. What should you do?

A.Use Azure Policy to restrict access to automation rules.
B.Assign the 'Microsoft Sentinel Contributor' role to all security analysts.
C.Assign the 'Microsoft Sentinel Reader' role to the analysts and grant them 'Automation' permissions via a separate policy.
D.Create a custom role with 'Microsoft Sentinel Automation Contributor' permission and assign it to the analysts.
AnswerD

This custom role provides least privilege for automation rule management.

Why this answer

Option B is correct because the Microsoft Sentinel Contributor role includes permissions to modify automation rules. Option A gives full access to all Sentinel resources. Option C is for read-only access.

Option D is for Log Analytics, not Sentinel.

40
MCQeasy

A company runs SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) to detect threats like SQL injection against these SQL Server instances. Which single action is required to achieve this?

A.Enable Microsoft Defender for SQL on the Azure subscription or at the SQL Server resource level.
B.Install the SQL Server IaaS Agent extension on each virtual machine.
C.Enable just Microsoft Defender for Servers on the subscription.
D.Configure an Azure SQL firewall rule to allow only trusted IP addresses.
AnswerA

Enabling Defender for SQL activates threat detection for Azure SQL databases and SQL Server on VMs. This is the direct method to get alerts for SQL injection and other threats.

Why this answer

To enable Advanced Threat Protection (ATP) for SQL Server on Azure VMs, you must enable Microsoft Defender for SQL at the Azure subscription or SQL Server resource level. This activates the SQL-specific threat detection capabilities, including alerts for SQL injection, anomalous access patterns, and suspicious activities. Without this, the SQL Server instances lack the dedicated security monitoring that ATP provides.

Exam trap

The trap here is that candidates confuse the prerequisite infrastructure (SQL IaaS Agent extension) with the actual security service (Defender for SQL), or assume that general server protection (Defender for Servers) covers SQL-specific threats, which it does not.

How to eliminate wrong answers

Option B is wrong because the SQL Server IaaS Agent extension is required for managing SQL Server on Azure VMs (e.g., licensing, patching), but it does not enable ATP; ATP is a feature of Microsoft Defender for SQL, not the extension. Option C is wrong because Microsoft Defender for Servers protects the VM's OS and network layer but does not include SQL-specific threat detection like SQL injection alerts; that requires Defender for SQL. Option D is wrong because configuring an Azure SQL firewall rule restricts network access but does not enable ATP; ATP is a security monitoring and alerting service, not a network control.

41
MCQmedium

You have deployed Microsoft Defender for Endpoint and integrated it with Microsoft Sentinel. You notice that alerts from Defender for Endpoint are not appearing in Sentinel. What should you check first?

A.Verify that the Microsoft 365 Defender connector in Sentinel is enabled and configured.
B.Confirm that Defender for Endpoint is licensed for all users.
C.Check that the alert severity is not being filtered out by analytics rules.
D.Ensure that all devices are onboarded to Defender for Endpoint.
AnswerA

The connector must be enabled to receive alerts.

Why this answer

The Microsoft 365 Defender connector in Microsoft Sentinel is the specific data connector responsible for ingesting alerts from Microsoft Defender for Endpoint (and other Defender products). If this connector is not enabled or misconfigured, alerts will not flow into Sentinel regardless of licensing, device onboarding, or analytics rules. This is the first and most direct check because the connector acts as the ingestion pipeline.

Exam trap

The trap here is that candidates often jump to troubleshooting device onboarding or licensing, forgetting that the Sentinel connector is the explicit integration point that must be verified first.

How to eliminate wrong answers

Option B is wrong because licensing for Defender for Endpoint is a prerequisite for generating alerts, but it does not control the data ingestion pipeline into Sentinel; even with full licensing, alerts will not appear if the connector is disabled. Option C is wrong because analytics rules in Sentinel process events that have already been ingested; if alerts are not arriving, filtering by severity is irrelevant. Option D is wrong because device onboarding is necessary for Defender for Endpoint to generate alerts, but it does not affect the Sentinel connector's ability to receive those alerts; onboarded devices with alerts still require the connector to be enabled.

42
MCQmedium

Your organization uses Microsoft Sentinel with Microsoft Defender XDR integrated. A critical incident has been raised involving a user account that was used to access a confidential SharePoint site from an unusual location at 2:00 AM. The incident includes alerts from Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and Microsoft Defender for Office 365. The analyst needs to contain the incident, investigate the scope, and begin remediation. The environment has the following: Microsoft Entra ID with conditional access policies, Microsoft Intune for device management, and Microsoft Defender for Endpoint on all devices. The analyst has identified the user account and the device used. Which course of action should the analyst take first?

A.Create a conditional access policy to block the user.
B.Isolate the user's device using Microsoft Defender for Endpoint.
C.Run a KQL query to find all resources accessed by the user.
D.Disable the user account in Microsoft Entra ID and revoke all sessions.
AnswerD

Immediately stops the user from accessing any resources.

Why this answer

Disabling the user account in Microsoft Entra ID is the fastest way to stop access. Option B is secondary; Option C doesn't stop access; Option D is for future, not immediate containment.

43
MCQmedium

A company has Azure virtual machines running Windows Server. The security team wants to use Microsoft Defender for Cloud's vulnerability assessment solution to identify missing security updates. Which of the following is required to enable built-in vulnerability assessment for VMs?

A.Enable Defender for Servers plan
B.Install the Log Analytics agent manually
C.Configure a vulnerability assessment solution from Azure Marketplace
D.Enable the regulatory compliance dashboard
AnswerA

Enabling the Defender for Servers plan activates the built-in vulnerability assessment, which automatically deploys the Qualys agent to discover missing security updates.

Why this answer

The built-in vulnerability assessment solution in Microsoft Defender for Cloud for Azure VMs is powered by Qualys and is automatically provisioned when the Defender for Servers plan is enabled. This integration does not require manual agent installation or third-party solutions; enabling the plan activates the scanner on supported VMs to identify missing security updates and other vulnerabilities.

Exam trap

The trap here is that candidates often assume a separate agent or marketplace solution is required, but Microsoft’s built-in assessment is automatically included with the Defender for Servers plan, making the other options unnecessary.

How to eliminate wrong answers

Option B is wrong because the built-in vulnerability assessment uses a Qualys-based scanner that is automatically deployed by Defender for Cloud, not the Log Analytics agent. Option C is wrong because the built-in solution is native and does not require configuring a separate solution from Azure Marketplace; that would be for third-party integrations. Option D is wrong because the regulatory compliance dashboard is a separate feature for tracking compliance standards, not a prerequisite for enabling vulnerability scanning.

44
Multi-Selecteasy

Which TWO Microsoft Defender XDR entities can be managed during incident response?

Select 2 answers
A.Network interfaces
B.Azure subscriptions
C.Devices
D.Microsoft 365 tenants
E.User accounts
AnswersC, E

Devices are core entities in Defender for Endpoint.

Why this answer

Options B and D are correct. Devices and user accounts are managed entities in Defender XDR. Option A is wrong because Azure subscriptions are not entities in Defender XDR.

Option C is wrong because Microsoft 365 tenants are not managed entities. Option E is wrong because network interfaces are not entities.

45
Multi-Selecteasy

Which TWO actions can a Microsoft Sentinel automation rule perform when an incident is created?

Select 2 answers
A.Create a new analytics rule
B.Query Log Analytics workspaces
C.Run a playbook
D.Change the incident severity
E.Ingest data from a new source
AnswersC, D

Correct. Automation rules can trigger playbooks.

Why this answer

Microsoft Sentinel automation rules can trigger actions when an incident is created, including running a playbook (Option C) and changing the incident severity (Option D). Playbooks are automated workflows based on Azure Logic Apps that can perform complex response actions, while severity changes allow dynamic triage based on incident properties.

Exam trap

The trap here is that candidates may confuse automation rule actions with analytics rule capabilities, incorrectly assuming automation rules can create rules or query workspaces directly, when in fact those are separate functions within Sentinel.

46
MCQeasy

A SOC analyst is using Microsoft Sentinel to respond to an incident involving multiple compromised user accounts. The analyst needs to quickly see the timeline of all related events. Which feature should the analyst use?

A.Entity behavior page.
B.Analytics rule page.
C.Workbook.
D.Incident timeline.
AnswerD

The incident timeline provides a chronological view of all evidence and activities.

Why this answer

Option A is correct because the incident timeline shows all alerts, bookmarks, and activities in chronological order. Option B is wrong because entity pages provide details about an entity, not a timeline. Option C is wrong because workbooks are for dashboards, not incident-specific timelines.

Option D is wrong because the analytics rule page shows rule configuration, not timeline.

47
MCQhard

A security engineer is responsible for protecting containerized workloads in Azure Kubernetes Service (AKS) clusters. They want to enable Microsoft Defender for Cloud to detect threats against the Kubernetes control plane and container runtime. Additionally, they want to ensure vulnerability assessments are performed on images stored in Azure Container Registry. Which Defender for Cloud plan should the engineer enable?

A.Enable the Microsoft Defender for Servers plan on the subscription.
B.Enable the Microsoft Defender for Containers plan on the subscription.
C.Enable the Microsoft Defender for App Service plan on the subscription.
D.Enable the Microsoft Defender for Container Registries plan (legacy) on the registry.
AnswerB

Defender for Containers includes detection for Kubernetes threats, runtime security, and vulnerability assessment for images.

Why this answer

Option B is correct because the Microsoft Defender for Containers plan is the only plan that provides integrated threat detection for the AKS control plane and container runtime, as well as vulnerability assessment for images in Azure Container Registry. This plan replaces the legacy Defender for Container Registries and Defender for Kubernetes plans, offering a unified solution for container security.

Exam trap

The trap here is that candidates may confuse the legacy Defender for Container Registries plan (Option D) as sufficient, not realizing it lacks control plane threat detection and has been replaced by the unified Defender for Containers plan.

How to eliminate wrong answers

Option A is wrong because the Microsoft Defender for Servers plan is designed for protecting virtual machines and on-premises servers, not containerized workloads in AKS or container registries. Option C is wrong because the Microsoft Defender for App Service plan focuses on threats against web applications running on Azure App Service, not Kubernetes clusters or container registries. Option D is wrong because the Microsoft Defender for Container Registries plan (legacy) only provides vulnerability scanning for images in the registry and does not include threat detection for the AKS control plane or container runtime; it has been superseded by the Defender for Containers plan.

48
Multi-Selecteasy

Which TWO actions are essential for configuring Microsoft Sentinel to support effective threat hunting?

Select 2 answers
A.Connect Microsoft 365 data sources (e.g., Office 365, Entra ID, Defender for Cloud Apps)
B.Create a Watchlist that maps user names to email addresses
C.Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel
D.Configure custom analytics rules for every MITRE ATT&CK technique
E.Install Sysmon on all domain controllers
AnswersA, C

These sources provide user and entity data critical for hunting.

Why this answer

Enabling User and Entity Behavior Analytics (UEBA) provides baselines for hunting anomalies, and connecting Microsoft 365 data sources provides rich data for hunting. Customizing analytics rules is for detection, not hunting; Sysmon is not required; Watchlists are helpful but not essential for basic hunting setup.

49
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You notice that a large number of log entries from Defender for Cloud Apps are being dropped at ingestion due to 'malformed data' errors. The data connector shows a healthy status. What is the most likely cause?

A.The log type is not supported by Sentinel.
B.The Log Analytics workspace key has expired.
C.The data volume exceeds the workspace's ingestion capacity, causing data truncation.
D.The Defender for Cloud Apps connector is blocked by a firewall.
AnswerC

Throttling can cause partial logs that are malformed.

Why this answer

Option A is correct because excessive data volume can cause throttling or truncation, leading to malformed data errors even if the connector appears healthy. Option B is wrong because an expired workspace key would cause authentication failures, not malformed data. Option C is wrong because a firewall block would prevent connectivity entirely.

Option D is wrong because unsupported log types would result in schema errors, not malformed data.

50
MCQeasy

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to assign a custom initiative to a specific management group to track compliance. Which two components must you create?

A.An Azure Blueprint and a role assignment.
B.A policy definition and an initiative definition.
C.An Azure RBAC role and a Log Analytics workspace.
D.An Azure Monitor workbook and an alert rule.
AnswerB

Custom initiatives require policy definitions and an initiative definition to group them.

Why this answer

To track compliance for a custom initiative in Microsoft Defender for Cloud, you must first create a custom policy definition that specifies the rules or effects to enforce. Then, you must create an initiative definition (a group of policy definitions) that can be assigned to a management group. This assignment enables Defender for Cloud to evaluate resources against the custom initiative and report compliance.

Exam trap

The trap here is that candidates confuse Azure Blueprints (which also group resources) with policy initiatives, or they think a Log Analytics workspace is required to store compliance data, when in fact compliance data is stored and reported by Defender for Cloud itself without needing a separate workspace.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints are used for deploying repeatable environments and templates, not for creating custom compliance initiatives in Defender for Cloud; role assignments control permissions, not policy definitions. Option C is wrong because Azure RBAC roles manage access control, and Log Analytics workspaces store monitoring data, but neither component defines the compliance rules required for a custom initiative. Option D is wrong because Azure Monitor workbooks and alert rules are for visualizing and responding to telemetry, not for defining or assigning compliance policies.

51
Multi-Selectmedium

Which THREE of the following are valid sources of data that a threat hunter can use in Microsoft Sentinel for hunting? (Choose three.)

Select 3 answers
A.Microsoft Entra ID audit logs
B.Azure Cost Management data
C.Azure DevOps pipelines
D.Microsoft 365 audit logs
E.AWS CloudTrail logs
AnswersA, D, E

Entra ID audit logs are a common data source.

Why this answer

Option A is correct because Microsoft Entra ID (Azure AD) logs can be ingested. Option B is correct because AWS CloudTrail can be connected via connector. Option C is correct because Microsoft 365 data can be ingested.

Option D is wrong because it is not a data source. Option E is wrong because it is not a data source.

52
MCQmedium

A security administrator wants to assess their Azure environment against the Azure Security Benchmark and also include custom security controls defined by their organization. They need a single, reusable policy initiative that can be assigned across multiple subscriptions and management groups. What should the administrator create in Microsoft Defender for Cloud?

A.A new regulatory compliance standard
B.A custom Azure Policy initiative
C.A custom Azure Policy definition
D.A Secure Score recommendation override
AnswerB

Correct. By creating a custom initiative that includes the Azure Security Benchmark policy definitions plus custom policy definitions, you can deploy a single initiative covering both required sets of controls.

Why this answer

The administrator needs a single, reusable policy initiative that includes both Azure Security Benchmark controls and custom organizational controls. A custom Azure Policy initiative (also known as a policy set) allows combining multiple policy definitions, including built-in benchmark controls and custom definitions, into one assignable package across subscriptions and management groups. This is the correct approach because initiatives are designed for grouping related policies and can be assigned at scale in Microsoft Defender for Cloud.

Exam trap

The trap here is that candidates confuse a single custom policy definition (Option C) with a policy initiative, not realizing that an initiative is the only way to group multiple controls into a single assignable package for compliance assessment.

How to eliminate wrong answers

Option A is wrong because a new regulatory compliance standard in Defender for Cloud is a built-in framework (like Azure Security Benchmark, ISO 27001) that cannot be customized to include arbitrary custom controls; it only maps to predefined compliance assessments. Option C is wrong because a custom Azure Policy definition is a single policy rule, not a collection of multiple controls; it cannot bundle the Azure Security Benchmark with custom controls into one reusable package. Option D is wrong because a Secure Score recommendation override only changes the scoring impact or status of an existing recommendation, not the underlying policy set or compliance standard.

53
MCQmedium

Your threat hunting team wants to identify all email messages that contained a specific malicious attachment hash in Microsoft 365. Which Microsoft Defender XRB data source should they query in Microsoft Sentinel?

A.EmailEvents
B.EmailAttachmentInfo
C.AlertEvidence
D.DeviceEvents
AnswerA

EmailEvents includes attachment hash information.

Why this answer

Option C is correct because EmailEvents in Microsoft Defender for Office 365 contains information about email messages including attachment hashes. Option A is incorrect because DeviceEvents is for endpoint events. Option B is incorrect because EmailAttachmentInfo is a separate table but EmailEvents is more comprehensive.

Option D is incorrect because AlertEvidence is for alerts, not raw email data.

54
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You receive an alert indicating that a user from the finance department accessed a sensitive SharePoint file from an IP address associated with a known malicious Tor exit node. The file contains payment information. The user's account has not been disabled. What should you do first to contain the incident?

A.Delete the SharePoint file from the site
B.Notify the user of the suspicious activity
C.Block the IP address in Microsoft Defender for Cloud Apps
D.Suspend the user's account in Microsoft Entra ID
AnswerD

Suspending the account prevents further access immediately.

Why this answer

Option C is correct because the first step is to suspend the user's access to the compromised account to prevent further data exfiltration. Option A is wrong because blocking the IP is less effective as the attacker can change IPs. Option B is wrong because deleting the file may destroy evidence.

Option D is wrong because notifying the user could alert the attacker.

55
MCQmedium

Your security operations team receives an alert from Microsoft Sentinel about a suspicious sign-in from an unfamiliar IP address. You need to investigate the alert by correlating it with user activity and device information. Which data sources should you query first?

A.Microsoft Purview audit logs and Microsoft Intune device compliance
B.Microsoft 365 Defender alerts and Microsoft Sentinel incidents
C.Microsoft Entra ID sign-in logs and Microsoft Defender for Endpoint device events
D.Azure Activity Logs and Azure Firewall logs
AnswerC

Entra ID sign-in logs provide user authentication details; Defender for Endpoint provides device context.

Why this answer

Option C is correct because investigating a suspicious sign-in requires correlating the sign-in event with user activity and device context. Microsoft Entra ID sign-in logs provide the authentication details (IP address, timestamp, user), while Microsoft Defender for Endpoint device events supply device-level telemetry (processes, network connections, logged-on users). This combination directly enables the correlation needed to validate whether the sign-in was legitimate or malicious.

Exam trap

The trap here is that candidates often confuse aggregated alert sources (like Microsoft 365 Defender alerts) with raw telemetry sources (like sign-in logs and device events), leading them to pick Option B instead of the correct raw data sources needed for correlation.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview audit logs focus on data governance and compliance events (e.g., file access, eDiscovery), not real-time sign-in or device activity; Intune device compliance checks device policy adherence but lacks the granular sign-in and process-level events needed for alert correlation. Option B is wrong because Microsoft 365 Defender alerts and Sentinel incidents are aggregated alert outputs, not raw data sources; querying them first would only re-consume the same alert without underlying telemetry for correlation. Option D is wrong because Azure Activity Logs track control-plane operations (e.g., resource creation) and Azure Firewall logs capture network traffic, neither of which provides user sign-in details or device process-level events required for this investigation.

56
Multi-Selecteasy

Which TWO of the following are valid data connectors in Microsoft Sentinel? (Select two.)

Select 2 answers
A.Windows Defender Firewall
B.Office 365
C.Microsoft Forms
D.Azure DevOps
E.Azure Activity
AnswersB, E

Office 365 is a standard data connector.

Why this answer

Option A and Option D are correct. The Azure Activity connector and Office 365 connector are standard data connectors in Sentinel. Option B is wrong because Windows Defender Firewall is not a standard connector; firewall logs can be ingested via other connectors.

Option C is wrong because Azure DevOps is not a standard Sentinel connector. Option E is wrong because Microsoft Forms is not a standard connector.

57
MCQhard

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS applications. You discover that a user is downloading a large number of files from SharePoint Online to an unmanaged device. You need to automatically block the download and require the user to acknowledge a policy violation. Which action should you configure in a session policy?

A.Set the action to 'Monitor only'.
B.Set the action to 'Redirect to Microsoft Entra ID conditional access'.
C.Set the action to 'Block' and enable 'Notify user' with a customized message.
D.Set the action to 'Block' and enable 'Custom block message'.
AnswerC

Correct. Block stops the download and Notify user sends a message to acknowledge.

Why this answer

Option C is correct because a session policy in Microsoft Defender for Cloud Apps can enforce real-time controls on SaaS app traffic. Setting the action to 'Block' stops the download immediately, and enabling 'Notify user' with a customized message both blocks the action and requires the user to acknowledge the policy violation, satisfying the requirement to automatically block and obtain acknowledgment.

Exam trap

The trap here is that candidates confuse 'Custom block message' (a static notification) with 'Notify user' (which includes an interactive acknowledgment), leading them to select Option D instead of the correct Option C.

How to eliminate wrong answers

Option A is wrong because 'Monitor only' only logs the activity without blocking it, failing to meet the requirement to automatically block the download. Option B is wrong because 'Redirect to Microsoft Entra ID conditional access' redirects the session for additional authentication or device compliance checks but does not block the download or require acknowledgment of a policy violation. Option D is wrong because 'Block' with 'Custom block message' blocks the download but does not require the user to acknowledge the violation; it simply displays a message without an interactive acknowledgment step.

58
MCQhard

Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint protection. You have a custom analytics rule that triggers on suspicious PowerShell activity. The rule uses the following KQL query: ```kql DeviceProcessEvents | where Timestamp > ago(1h) | where FileName == "powershell.exe" | where ProcessCommandLine contains "-EncodedCommand" | where InitiatingProcessFileName != "explorer.exe" | project Timestamp, DeviceName, AccountName, ProcessCommandLine ``` The rule generates incidents that are assigned to the SOC team for investigation. However, analysts report that they are spending too much time manually collecting additional process details for each alert. You need to automate the enrichment of these incidents with additional context, such as parent process details, network connections, and file creation events from the same device within the last hour. The enrichment should be triggered automatically when an incident is created, and the results should be added as a comment to the incident. You have access to Azure Logic Apps and Azure Automation. Which approach should you use?

A.Create a second analytics rule that triggers on the same events and sends the additional context to a watchlist, then use a playbook to read the watchlist and add comments.
B.Create an automation rule in Microsoft Sentinel that triggers a Logic App playbook when an incident is created. The playbook uses the Microsoft 365 Defender connector to run advanced hunting queries for parent process, network connections, and file creation events from the same device in the last hour, then adds the results as a comment to the incident.
C.Use Microsoft Power Automate to create a flow that is triggered when a new incident appears in Sentinel, then use the flow to query Defender XDR and update the incident.
D.Modify the analytics rule query to join with additional tables to include parent process details, network connections, and file creation events directly in the alert.
AnswerB

Automation rules can trigger playbooks on incident creation; Logic App can perform queries and add comments.

Why this answer

Option A is correct because an automation rule can trigger a playbook (Logic App) when an incident is created. The Logic App can use the advanced hunting connector to query Defender XDR for additional context and add a comment. Option B is wrong because watchlists are for static data, not dynamic queries.

Option C is wrong because analytics rules do not trigger playbooks; automation rules do. Option D is wrong because power automate is not integrated in Sentinel.

59
Multi-Selecthard

Which THREE actions are part of the containment phase in the Microsoft Incident Response process?

Select 3 answers
A.Notify senior management of the incident.
B.Block known malicious IP addresses at the firewall.
C.Disable compromised user accounts.
D.Isolate affected systems from the network.
E.Collect forensic data from affected systems.
AnswersB, C, D

Blocking IPs stops communication with attackers.

Why this answer

Options A, C, and D are correct. Disabling compromised accounts, isolating affected systems, and blocking malicious IPs are containment actions. Option B is wrong because collecting forensic data is part of investigation.

Option E is wrong because notifying stakeholders is communication.

60
MCQhard

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule is enabled but never runs. The playbook exists and is in the same resource group. What is the most likely cause?

A.The condition uses 'Contains' operator, but 'AlertProvider' requires 'Equals'.
B.The automation rule is in a 'Disabled' state.
C.The trigger type is incorrect; it should be 'Microsoft.SecurityInsights/Alert'.
D.The playbookId is missing the subscription ID.
AnswerC

Automation rules for alerts use 'Alert' trigger, not 'AlertRule'.

Why this answer

Option C is correct because the exhibit shows the trigger type set to 'Microsoft.SecurityInsights/Incident', but the playbook is designed to run on alerts, not incidents. Automation rules in Microsoft Sentinel require the trigger type to match the data type the playbook expects; for alert-triggered playbooks, the trigger must be 'Microsoft.SecurityInsights/Alert'. Since the rule is enabled and the playbook exists in the same resource group, the mismatch in trigger type is the most likely reason the rule never runs.

Exam trap

The trap here is that candidates assume any enabled automation rule with a valid playbook will run, overlooking the critical requirement that the trigger type must exactly match the playbook's intended data source (alert vs. incident).

How to eliminate wrong answers

Option A is wrong because the 'Contains' operator is valid for string conditions in automation rules; 'AlertProvider' does not require 'Equals' exclusively. Option B is wrong because the question explicitly states the rule is enabled, so a 'Disabled' state cannot be the cause. Option D is wrong because the playbookId in an automation rule does not require the subscription ID to be included; the resource ID format is sufficient as long as the playbook is in the same resource group.

61
MCQmedium

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to respond to an incident involving data exfiltration from a virtual machine in West Europe. The incident was created from a custom analytics rule that queries the AzureActivity table. What should you do to ensure the incident contains all relevant evidence from the West Europe region?

A.Create the analytics rule in a separate workspace in West Europe
B.Ensure that Azure activity logs from West Europe are streamed to the same Sentinel workspace in East US
C.Configure the analytics rule to query the West Europe workspace
D.Use the incident merge feature to combine incidents from multiple workspaces
AnswerB

Centralizing logs into one workspace allows the rule to query all relevant data.

Why this answer

Option C is correct because the workspace is in East US, but data from West Europe must be ingested into the same workspace for the rule to query it. Option A is wrong because the analytics rule runs in the workspace where it is defined, not in multiple workspaces. Option B is wrong because setting the scope to West Europe does not bring data into the East US workspace.

Option D is wrong because incidents are workspace-scoped and cannot be merged across workspaces by default.

62
MCQhard

Your company uses Microsoft Sentinel and Microsoft Defender for Cloud Apps (MCAS). A security analyst detects that a user is accessing a sanctioned cloud app from an unusual location. The analyst creates an incident in Sentinel. You need to automatically apply a session policy in MCAS to block downloads from that user for the next hour. You have an existing playbook that can apply session policies. What is the most efficient way to automate this response?

A.Create an automation rule in Sentinel that triggers when an incident is created with the relevant conditions and runs the playbook.
B.Instruct the analyst to run the playbook manually from the incident page each time.
C.Configure the incident creation rule in MCAS to automatically run the playbook.
D.Modify the analytics rule that detected the anomaly to run the playbook as an automated response.
AnswerA

Automation rules are designed for automated response.

Why this answer

To automate the response, you can create an automation rule that triggers on incident creation and runs the playbook. Option A is correct. Option B is wrong because analytics rules do not run playbooks directly.

Option C is wrong because the incident creation rule is not for automated response. Option D is wrong because manual actions are not automated.

63
MCQhard

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to ensure that any new Azure subscription automatically has Microsoft Defender for Cloud enabled with the 'Defender for Cloud (CSPM)' plan active. What should you do?

A.Create an automation account that runs a PowerShell script daily to check and enable Defender for Cloud.
B.Configure Azure Arc to enforce the plan on new subscriptions.
C.Assign a built-in Azure Policy initiative that deploys Microsoft Defender for Cloud configuration to subscriptions.
D.Use Microsoft Sentinel's 'Subscription Migration' playbook.
AnswerC

Azure Policy can auto-deploy and configure Defender for Cloud on new subscriptions.

Why this answer

Option D is correct because Azure Policy can be used to enforce that Defender for Cloud is enabled on subscriptions. Specifically, the built-in policy 'Configure Azure Defender to be enabled on SQL Servers' but for general CSPM you need custom or built-in 'Deploy Microsoft Defender for Cloud configuration'. Option A is manual.

Option B is for on-boarding to Sentinel. Option C is for Azure Arc, not subscriptions.

64
MCQhard

You are conducting a threat hunt in Microsoft Defender XDR and want to identify devices that have recently communicated with a known C2 server IP address. Which advanced hunting table should you query?

A.DeviceNetworkEvents
B.DeviceFileEvents
C.DeviceLogonEvents
D.DeviceProcessEvents
AnswerA

DeviceNetworkEvents captures outbound and inbound network connections, including destination IPs.

Why this answer

Option D is correct because `DeviceNetworkEvents` contains network connection information including destination IPs. Option A is wrong because `DeviceProcessEvents` is for processes. Option B is wrong because `DeviceLogonEvents` is for logons.

Option C is wrong because `DeviceFileEvents` is for files.

65
MCQhard

A threat hunter is using Microsoft Sentinel and wants to leverage machine learning to detect anomalous behavior in Azure subscription activity. Which analytics rule template should the hunter use?

A.Anomalous Sign-In Locations
B.Anomalous Azure Operations
C.Anomalous User Behavior
D.Lateral Movement Detection
AnswerB

This rule uses ML to detect anomalous operations in Azure subscription activity.

Why this answer

Option B is correct because the Anomalous Azure Operations analytics rule uses ML to detect unusual Azure resource operations. Option A is wrong because it's for sign-ins. Option C is wrong because it's for user behavior.

Option D is wrong because it's for on-premises lateral movement.

66
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a security incident involving a compromised Azure VM, which THREE actions are appropriate to contain and investigate the incident?

Select 3 answers
A.Use Microsoft Defender for Cloud's Just-in-Time VM access to isolate the VM.
B.Create a Microsoft Sentinel automation rule to trigger a playbook that runs investigation actions.
C.Enable network security group flow logs to capture network traffic.
D.Delete the compromised VM to prevent further damage.
E.Update the VM's operating system to the latest patch.
AnswersA, B, C

Limits network access to the VM.

Why this answer

Options A, C, and E are correct because enabling network security group flow logs helps trace lateral movement, isolating the VM in Defender for Cloud stops communication, and creating an automation rule can trigger a playbook for response. Option B is wrong because deleting the VM destroys evidence. Option D is wrong because updating the VM does not contain the incident.

67
Multi-Selecthard

Which THREE indicators are commonly associated with ransomware activity in Microsoft Sentinel threat hunting?

Select 3 answers
A.Network connections to known C2 infrastructure
B.Unusual DNS queries to known safe domains
C.Excessive failed logon attempts from a single IP
D.Mass file rename or extension changes
E.Scheduled task creation on multiple endpoints
AnswersA, D, E

Ransomware communicates with C2 servers for key exchange.

Why this answer

Ransomware typically involves file encryption (mass file rename/extension changes), C2 communication (beaconing), and scheduled task creation for persistence. Option A (unusual DNS) is not typical. Option D (excessive logins) is more brute force.

The correct options are B, C, and E.

68
MCQhard

You are configuring an automated investigation and response (AIR) playbook in Microsoft Sentinel. The playbook should automatically block a user in Microsoft Entra ID when a high-severity incident is created. Which action should you include in the playbook?

A.Use the 'Block user' action from the Microsoft Entra ID connector in Azure Logic Apps.
B.Call the Microsoft Graph API to update the user's accountEnabled property to false.
C.Add a 'Block IP' action from the Azure Firewall connector.
D.Add a 'Change incident status' action to close the incident.
AnswerB

Graph API can disable accounts.

Why this answer

Option B is correct because the 'Block user' action is not available in the Microsoft Entra ID connector for Azure Logic Apps; instead, you must call the Microsoft Graph API to update the user's `accountEnabled` property to `false`. This directly disables the user account in Microsoft Entra ID, effectively blocking their access. The playbook in Microsoft Sentinel uses Azure Logic Apps, and the Graph API is the appropriate method to perform this action programmatically.

Exam trap

The trap here is that candidates assume a 'Block user' action exists in the Microsoft Entra ID connector, but Microsoft Sentinel playbooks rely on Logic Apps connectors, which lack that specific action, forcing the use of the Graph API instead.

How to eliminate wrong answers

Option A is wrong because the Microsoft Entra ID connector in Azure Logic Apps does not include a 'Block user' action; it only supports actions like 'Get user' or 'Update user', and blocking requires a Graph API call. Option C is wrong because a 'Block IP' action from the Azure Firewall connector blocks network traffic from an IP address, not a user account in Microsoft Entra ID, which is irrelevant for blocking a user identity. Option D is wrong because changing the incident status to closed does not perform any blocking action; it only updates the incident's lifecycle in Microsoft Sentinel, leaving the user unblocked.

69
MCQmedium

An organization has enabled enhanced security features for a hybrid infrastructure including SQL servers on-premises and in Azure. Which Microsoft Defender for Cloud plan provides threat detection for both SQL Server on-premises and Azure SQL Database?

A.Defender for Servers
B.Defender for SQL
C.Defender for Databases
D.Defender for Storage
AnswerB

Defender for SQL provides threat detection for SQL Server workloads including on-premises and Azure SQL Database.

Why this answer

Defender for SQL is the correct plan because it is specifically designed to protect both on-premises SQL Server instances (via Azure Arc-enabled SQL Server) and Azure SQL Database. It provides threat detection, vulnerability assessment, and advanced threat protection across the hybrid SQL estate, unlike other Defender plans that focus on different resource types.

Exam trap

The trap here is that candidates confuse 'Defender for Databases' (a broader, non-existent plan in the current Microsoft Defender for Cloud portfolio) with 'Defender for SQL,' which is the actual plan that covers both on-premises and Azure SQL databases.

How to eliminate wrong answers

Option A is wrong because Defender for Servers protects virtual machines and servers (including SQL Server hosts) but does not provide SQL-specific threat detection for the database engine itself. Option C is wrong because Defender for Databases is not a standalone plan; it is a legacy term or a grouping that has been replaced by Defender for SQL, which is the actual plan covering SQL databases. Option D is wrong because Defender for Storage protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage from storage-specific threats, not SQL databases.

70
Multi-Selecthard

Which TWO permissions are required to create and manage automation rules in Microsoft Sentinel?

Select 2 answers
A.Microsoft Sentinel Reader
B.Microsoft Sentinel Automation Contributor
C.Microsoft Sentinel Responder
D.Log Analytics Contributor
E.Microsoft Sentinel Contributor
AnswersB, E

Specifically for automation rules.

Why this answer

Microsoft Sentinel Contributor and Microsoft Sentinel Automation Contributor both allow managing automation rules. Sentinel Reader is read-only, Sentinel Responder does not include automation rule management, and Log Analytics Contributor is not sufficient alone.

71
Multi-Selectmedium

Your organization is responding to a security incident in Microsoft Defender XDR. You need to contain a compromised on-premises Exchange server. Which TWO actions are appropriate? (Choose two.)

Select 2 answers
A.Disconnect the server from the network.
B.Collect an investigation package from the server.
C.Block the compromised user account in Microsoft Entra ID.
D.Update the antivirus definitions on the server.
E.Run a full antivirus scan on the server.
AnswersA, C

Disconnecting isolates the server.

Why this answer

Options A and C are correct. Blocking the compromised account prevents further access, and disconnecting the server from the network contains the threat. Option B (Running full scan) is a remediation step, not containment.

Option D (Collecting investigation package) is evidence collection. Option E (Updating antivirus) is not immediate containment.

72
Multi-Selectmedium

Which THREE components are part of the Microsoft Sentinel SOAR capabilities? (Select THREE.)

Select 3 answers
A.Connectors
B.Workbooks
C.Playbooks
D.Analytics rules
E.Automation rules
AnswersA, C, E

Connectors enable integration with external systems for playbooks.

Why this answer

Options A, C, and E are correct because Automation rules, Playbooks, and Connectors are core SOAR components. Option B is wrong because Workbooks are for visualization. Option D is wrong because Analytics rules are for detection.

73
MCQmedium

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You receive an alert in MDE about a suspicious PowerShell command executed on a device. You create an incident in Sentinel from this alert. You need to automatically collect a memory dump from the affected device for further analysis. You have a playbook that can initiate a memory dump collection via the MDE API. What is the best way to automate this?

A.Configure the alert details enrichment in Sentinel to automatically add the memory dump to the incident.
B.Create an automation rule that triggers when an incident is created from a MDE alert and runs the playbook to collect the memory dump.
C.Use entity behavior analytics in Sentinel to trigger the playbook when suspicious behavior is detected.
D.Have the analyst manually run the playbook from the incident page.
AnswerB

Automation rules enable automated response.

Why this answer

Automation rules can trigger playbooks on incident creation. Option A is correct because the playbook can collect the memory dump immediately. Option B is wrong because the alert details enrichment is not for running playbooks.

Option C is wrong because the entity behavior analytics is not relevant. Option D is wrong because the playbook should run automatically, not manually.

74
MCQeasy

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

A.A mail flow rule in Exchange Online configured to forward alerts.
B.Microsoft 365 Defender email notification settings.
C.Microsoft Defender for Cloud Apps notification settings.
D.A Microsoft Sentinel analytics rule configured to send email notifications.
AnswerB

Microsoft 365 Defender can send email alerts for incidents and alerts.

Why this answer

The automated email alerting a user about possible credential theft is sent by Microsoft 365 Defender's built-in email notification settings. These settings allow security teams to configure notifications for specific alert severities or categories, such as credential theft, directly from the Microsoft 365 Defender portal. The email includes a link to investigate the alert, which aligns with the notification functionality within Microsoft 365 Defender.

Exam trap

The trap here is that candidates may confuse the source of the alert (Microsoft 365 Defender) with other Microsoft security tools like Microsoft Defender for Cloud Apps or Microsoft Sentinel, which have their own notification settings but are not responsible for this specific credential theft alert.

How to eliminate wrong answers

Option A is wrong because a mail flow rule in Exchange Online is used to route, filter, or modify email messages based on conditions like sender or content, not to generate security alerts from Microsoft 365 Defender. Option C is wrong because Microsoft Defender for Cloud Apps notification settings are specific to cloud app security alerts, such as anomalous activity in SaaS apps, not credential theft alerts from Microsoft 365 Defender. Option D is wrong because a Microsoft Sentinel analytics rule can send email notifications, but Sentinel is a separate SIEM tool; the question explicitly states the alert originates from Microsoft 365 Defender, not Sentinel.

75
MCQmedium

Your organization is using Microsoft Sentinel and has deployed the Microsoft Entra ID (Azure AD) connector. You need to create an analytics rule that triggers an incident when a user from a specific IP address is assigned the Global Administrator role. The IP address is not in your trusted IP list. Which KQL query should you use as the rule logic?

A.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress == '10.0.0.1'
B.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress !in (dynamic(['10.0.0.1', '10.0.0.2']))
C.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress !has '10.0.'
D.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress !in ('trusted IP list')
AnswerB

Correctly filters for Global Administrator role assignment and excludes trusted IPs using dynamic array.

Why this answer

Option C is correct because it filters AuditLogs for 'Add member to role' activity for the Global Administrator role and checks that the IP address is not in the trusted IP list. The other options have incorrect logic or syntax.

Page 1 of 22

Page 2