Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 676750

1639 questions total · 22 pages · All types, answers revealed

Page 10 of 22
676. MCQ (medium)

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You receive an alert that a critical vulnerability exists on a virtual machine. What is the BEST immediate action to validate the alert and contain the threat?

A. Contact Microsoft support to request a vulnerability assessment.
B. Immediately apply the latest security patches to the VM using Azure Update Manager.
C. Isolate the VM from the network by applying a network security group rule.
D. Review the alert details in Microsoft Defender for Cloud to identify the vulnerability and follow the remediation steps.
Answer: D

Alert details provide actionable information for validation and remediation.

Why this answer

Option D is correct because the alert includes the affected resources and remediation steps. Option B is wrong because applying a patch without validation may cause downtime. Option C is wrong because isolating the VM from the network is a containment step, not validation.

Option A is wrong because contacting support is not an immediate action.

677. Multi-Select (medium)

You need to configure Microsoft Sentinel to comply with a regulatory requirement that all security incidents must be retained for 7 years. Which TWO actions should you take?

Select 2 answers
A. Set the workspace retention policy to 2555 days (7 years).
B. Configure a data export rule to send data to an Azure Storage account with immutable storage for 7 years.
C. Configure table-level retention policies for each table to 7 years.
D. Use Basic Logs for all tables to reduce costs.
E. Use Azure Policy to enforce a minimum retention period of 7 years on all workspaces.
Answers: A, B

Workspace retention can be set to up to 730 days by default, but with archive policy it can be extended to 7 years.

Why this answer

Options A and B are correct. Setting the workspace retention policy to 7 years ensures data retention. Configuring a data export rule allows long-term retention in a storage account for compliance.

Option D is incorrect because Basic Logs have a maximum retention of 30 days. Option C is incorrect because table-level retention cannot exceed workspace retention. Option E is incorrect because Log Analytics workspace retention can be set to up to 730 days by default, and longer only via archive.

678. MCQ (hard)

You are creating a custom detection rule in Microsoft Sentinel using the JSON above. The rule does not trigger any alerts despite known PowerShell encoded commands executing. What is the most likely cause?

A. The query uses 'contains' which is not supported in custom detections.
B. The query is missing a time filter.
C. The JSON has a syntax error.
D. The filename 'powershell.exe' is case-sensitive and may not match actual events.
Answer: D

KQL is case-sensitive; 'powershell.exe' may need to be compared using 'has' or case-insensitive operators.

Why this answer

Option D is correct because the query is case-sensitive and 'powershell.exe' may be invoked as 'PowerShell.exe' with different casing. Option B is plausible but less likely because the file name is often lowercase. Option C is incorrect because the JSON has correct syntax.

Option A is incorrect because the query is valid KQL.

679. MCQ (medium)

Your SOC is investigating an incident in Microsoft Sentinel. You need to quickly identify all related alerts and entities across the timeline. What Microsoft Sentinel feature should you use?

A. Run a hunting query.
B. Open the incident investigation graph.
C. Review the analytics rule that generated the incident.
D. Use the Incident workbook.
Answer: B

Investigation graph shows relationships.

Why this answer

The incident investigation graph in Microsoft Sentinel provides a visual, interactive map of all alerts, entities (such as users, IP addresses, hosts), and their relationships linked to a specific incident. This allows SOC analysts to quickly see the full scope of an incident across the timeline without manually correlating data, making it the correct tool for this scenario.

Exam trap

The trap here is that candidates may confuse the incident investigation graph with the Incident workbook, assuming both provide incident details, but the workbook is for aggregated reporting while the graph is for interactive, entity-level exploration of a single incident.

How to eliminate wrong answers

Option A is wrong because hunting queries are proactive searches for potential threats across raw data, not designed to retroactively consolidate all alerts and entities for a single incident. Option C is wrong because reviewing the analytics rule only shows the rule's configuration and logic, not the aggregated alerts and entities tied to the incident. Option D is wrong because the Incident workbook provides summary metrics and trends across incidents, not a focused, interactive graph of a single incident's related alerts and entities.

680. Multi-Select (hard)

Your organization uses Microsoft Sentinel with UEBA enabled. You need to investigate a potential insider threat where a user is accessing sensitive data outside of business hours. Which three built-in UEBA entities should you review?

Select 3 answers
A. Azure subscription
B. User account
C. Device
D. IP address
E. Resource group
Answers: B, C, D

Correct: User is a primary entity.

Why this answer

Option B is correct because UEBA tracks user entities. Option C is correct because devices are entities in UEBA. Option D is correct because IP address is a common entity.

Option A is incorrect because subscriptions are not UEBA entities. Option E is incorrect because resource groups are not entities.

681. MCQ (hard)

Your organization has Microsoft Sentinel deployed across multiple workspaces for different business units. The security team wants to view a unified incident queue across all workspaces. What should you implement?

A. Create cross-workspace queries and use the incident view with workspace references
B. Use Microsoft Defender XDR portal to view all incidents
C. Use Azure Lighthouse to manage multiple workspaces
D. Configure a single workspace to receive all incidents
Answer: A

You can configure cross-workspace analytics rules and use the incidents blade to view incidents across workspaces.

Why this answer

Option A is correct because Microsoft Sentinel provides cross-workspace querying and incident management through the use of workspace references in analytics rules and the incidents blade. Option D is wrong because unified incident management is not natively supported in a single workspace; you need to configure cross-workspace views. Option C is wrong because Azure Lighthouse enables management across tenants but not necessarily a unified incident queue.

Option B is wrong because Microsoft Defender XDR is a separate portal.

682. MCQ (easy)

Your SOC uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading a large number of files from SharePoint. Which action should you take to investigate and potentially block the activity?

A. Create a Conditional Access policy to block the user
B. Block the IP address in Azure Firewall
C. Use Microsoft Intune to wipe the user's device
D. Suspend the user in Defender for Cloud Apps
Answer: D

Governance actions like suspend immediately stop the activity.

Why this answer

Option D is correct because Defender for Cloud Apps allows you to govern the user by suspending them or blocking the app. Option A is wrong because Azure AD Conditional Access policies are applied at authentication, not during an active session. Option C is wrong because Intune manages devices, not user access to cloud apps.

Option B is wrong because blocking the IP may affect other users.

683. MCQ (hard)

Your organization uses Microsoft Sentinel and has a large number of incidents daily. You need to automatically assign incidents to the correct SOC tier based on severity: Low severity to Tier 1, Medium to Tier 2, High and Critical to Tier 3. Which approach should you use?

A. Configure custom details in the analytics rule to include severity, then use a playbook to assign
B. Create one automation rule with multiple conditions and trigger a playbook that uses a switch statement on severity
C. Create three separate automation rules, each with a condition on severity and a playbook that assigns to the appropriate group
D. Use incident grouping to combine incidents by severity and assign the group
Answer: C

Each automation rule can target a specific severity and trigger a playbook to assign the incident.

Why this answer

Option C is correct because automation rules can have conditions and trigger playbooks to assign. Option A is wrong because custom details cannot assign owners. Option B is wrong because you would need multiple rules, but each rule can have multiple conditions.

Option D is wrong because grouping doesn't help with assignment.

684. MCQ (easy)

A security analyst needs to connect a Palo Alto Networks firewall to Microsoft Sentinel to ingest logs. The firewall supports Syslog and Common Event Format (CEF). Which data connector should the analyst use?

A. Palo Alto Networks (via Syslog CEF)
B. Common Event Format (CEF) via Syslog (generic)
C. Syslog (without CEF)
D. Custom Text Logs
Answer: A

This connector is pre-built to ingest Palo Alto firewall logs formatted in CEF over Syslog.

Why this answer

The Palo Alto Networks firewall supports sending logs in Common Event Format (CEF) over Syslog, and Microsoft Sentinel provides a dedicated data connector specifically for Palo Alto Networks (via Syslog CEF). This connector parses the CEF-formatted syslog messages using a Log Analytics agent or AMA, normalizing fields into the CommonSecurityLog table for seamless ingestion. Using the vendor-specific connector ensures proper field mapping and schema alignment, unlike a generic CEF connector which may not handle Palo Alto's specific CEF extensions correctly.

Exam trap

Microsoft often tests the distinction between vendor-specific connectors and generic connectors, trapping candidates who assume any CEF-capable device can use the generic CEF connector without considering the need for vendor-specific field mappings and schema compatibility.

How to eliminate wrong answers

Option B is wrong because the generic 'Common Event Format (CEF) via Syslog' connector is intended for any CEF-capable device but lacks the vendor-specific parsing and field mappings that the dedicated Palo Alto Networks connector provides, potentially leading to missing or misaligned data. Option C is wrong because 'Syslog (without CEF)' ingests raw syslog messages without structured CEF fields, requiring custom parsing and losing the normalized CommonSecurityLog schema that CEF provides. Option D is wrong because 'Custom Text Logs' is used for log files in custom formats (e.g., JSON, CSV) and does not support syslog or CEF parsing, making it unsuitable for Palo Alto firewall logs sent via syslog.

685. MCQ (hard)

Refer to the exhibit. A security administrator runs this PowerShell script. What is the effect?

A. It creates an automation rule that runs a playbook on medium severity incidents
B. It creates a playbook that runs daily for high severity incidents
C. It schedules a daily report generation for all incidents
D. It creates a playbook named 'DailySummaryReport'
Answer: A

The cmdlet creates an automation rule with a trigger condition for medium incidents.

Why this answer

The PowerShell script uses the `New-AzSentinelAutomationRule` cmdlet to create an automation rule in Microsoft Sentinel. The `-TriggerType` parameter is set to `IncidentCreated`, and the `-Action` parameter specifies a playbook to run. The `-TriggeringLogic` parameter filters for incidents with a severity of `Medium`, so the automation rule triggers the playbook only when a medium-severity incident is created.

Exam trap

The trap here is that candidates confuse creating an automation rule with creating a playbook, or assume the script schedules a recurring task because of the 'DailySummaryReport' name, when in fact the script only links an existing playbook to a trigger condition.

How to eliminate wrong answers

Option B is wrong because the script creates an automation rule triggered by incident creation, not a scheduled playbook; there is no recurrence or daily schedule defined. Option C is wrong because the script does not generate any report or schedule a report generation; it only associates a playbook with incident creation. Option D is wrong because the script creates an automation rule, not a playbook; the playbook named 'DailySummaryReport' is referenced as an action, but the script itself does not create the playbook.

686. MCQ (easy)

As part of a threat hunt, you want to find instances where a user successfully authenticated to multiple applications within a short time using different IP addresses. Which Microsoft 365 Defender data source would be most appropriate?

A. CloudAppEvents
B. DeviceLogonEvents
C. IdentityLogonEvents
D. AlertInfo
Answer: C

IdentityLogonEvents track user authentications to applications.

Why this answer

IdentityLogonEvents contains authentication events for cloud apps, with columns like Application, IP address, and Timestamp.

687. MCQ (hard)

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An alert fires for a potential DCSync attack. The incident response team needs to immediately block the source account from performing directory replication. Which action should be taken?

A. Use Microsoft Defender for Identity to disable the account.
B. Reset the account password and enforce a sign-out.
C. Disable the account in Microsoft Entra ID (if synced) or Active Directory.
D. Remove the account from the Domain Admins group.
Answer: C

Disabling the account immediately revokes access and prevents further authentication.

Why this answer

Option C is correct because disabling the account in Microsoft Entra ID (formerly Azure AD) is the quickest way to stop the account from performing any actions, including DCSync. Option D is wrong because removing the account from Domain Admins does not remove the 'Replicate Directory Changes' permission if it was delegated. Option B is wrong because resetting the password does not terminate existing sessions immediately.

Option A is wrong because the Microsoft Defender for Identity alert provides details but does not directly block the account.

688. Multi-Select (medium)

Which TWO actions can be performed using Microsoft Sentinel's automation rules? (Choose two.)

Select 2 answers
A. Block an IP address in Azure Firewall.
B. Change the severity of an incident.
C. Assign a user to an incident owner.
D. Trigger a playbook.
E. Run a KQL query against a Log Analytics workspace.
Answers: B, D

Automation rules can modify incident properties including severity.

Why this answer

Options B and D are correct. Automation rules can trigger playbooks and change incident severity. Option A is wrong because automation rules cannot directly block IP addresses; that requires a playbook.

Option E is wrong because automation rules run on incidents, not on queries. Option C is wrong because automation rules do not manage user permissions.

689. MCQ (medium)

Refer to the exhibit. You are analyzing high severity alerts from Microsoft Defender for Endpoint in Microsoft Sentinel. What does this KQL query do?

A. It counts alerts for a specific alert name
B. It displays detailed properties of each alert
C. It lists high severity Defender for Endpoint alerts, grouped by name and day, ordered by frequency
D. It shows all alerts from Defender for Endpoint in the last week
Answer: C

The query does exactly that.

Why this answer

The KQL query uses `summarize` with `count()` to group alerts by `AlertName` and `startofday(TimeGenerated)`, then sorts by `count_` descending. This directly produces a list of high severity Defender for Endpoint alerts grouped by name and day, ordered by frequency, matching option C.

Exam trap

Microsoft often tests the distinction between summarizing aggregated data (counts) versus displaying raw event details, so candidates mistakenly choose 'displays detailed properties' when the query uses `summarize` and `count()`.

How to eliminate wrong answers

Option A is wrong because the query groups by alert name and day, not filtering to a single specific alert name. Option B is wrong because the query uses `summarize` to aggregate counts, not `project` or `extend` to display detailed properties of each alert. Option D is wrong because the query filters for `TimeGenerated > ago(7d)` but also filters by `AlertSeverity == 'High'` and groups results, not showing all alerts from the last week.

690. MCQ (hard)

Refer to the exhibit. You are reviewing a custom scheduled analytics rule in Microsoft Sentinel. The rule is enabled but has not fired any alerts despite users having multiple locations in the last day. What is the most likely reason?

A. The UserPrincipalName field is case-sensitive and the data has mixed case.
B. The query frequency is set to 1 hour, but the query period is 1 day, causing a mismatch.
C. The rule is disabled.
D. The 'Location' field does not exist in SigninLogs; the query returns an error silently.
Answer: D

Location is not a column; it's inside LocationDetails.

Why this answer

Option D is correct because the query relies on the default SigninLogs schema, which carries location inside 'LocationDetails' rather than as a top-level 'Location' column. The query should use 'LocationDetails' or parse the location from the IP address. Option C is incorrect because the rule is enabled.

Option B is incorrect because the query period and frequency are set correctly. Option A is incorrect because the query summarizes by UserPrincipalName, which is a common field.

691. MCQ (medium)

A SOC analyst needs to create an automation rule that triggers only when an incident contains a specific custom tag (e.g., 'PII'). Which condition should the analyst use to filter incidents based on the presence of that tag?

A. Incident tag contains
B. Incident severity
C. Alert product name
D. Entity type
Answer: A

This condition matches incidents that include the specified custom tag.

Why this answer

Option A is correct because Microsoft Sentinel automation rules use the 'Incident tag contains' condition to filter incidents based on the presence of specific custom tags. When an incident is enriched with a tag like 'PII' via analytics rules or playbooks, this condition allows the automation rule to match and trigger actions only on incidents carrying that exact tag, ensuring precise targeting without affecting unrelated incidents.

Exam trap

The trap here is that candidates confuse incident-level tags with alert-level properties or entity attributes, mistakenly thinking 'Alert product name' or 'Entity type' can filter by custom tags, when in fact only the 'Incident tag contains' condition directly evaluates tags assigned to the incident.

How to eliminate wrong answers

Option B is wrong because 'Incident severity' filters incidents by their severity level (e.g., High, Medium, Low), not by custom tags, so it cannot detect the presence of a specific tag like 'PII'. Option C is wrong because 'Alert product name' filters based on the source product of the alert (e.g., Microsoft Defender for Endpoint, Azure Identity Protection), which is unrelated to custom tags assigned to incidents. Option D is wrong because 'Entity type' filters incidents based on the type of entity involved (e.g., IP address, host, user), not on incident-level custom tags.

692. MCQ (hard)

A threat hunter runs the above KQL query in Microsoft Defender Advanced Hunting. What is the primary purpose of this query?

A. Detect logon attempts from new IP addresses for existing users.
B. Create a list of all unique logon events in the last day.
C. Identify users who have not logged in within the past 30 days.
D. Find all logon events from IPs that have never been seen before.
Answer: A

The leftanti join removes known pairs, leaving only new IPs for known users.

Why this answer

The query creates a baseline of known AccountUpn and RemoteIP pairs from the past 30 days (excluding last day), then selects new logon events from the last day where the AccountUpn exists in baseline but the RemoteIP is not in the paired IP for that user. This detects logons from new IPs for existing users.

693. MCQ (easy)

Your organization uses Microsoft Sentinel for security operations. You need to ensure that critical alerts are automatically assigned to the appropriate SOC tier for investigation. What should you configure in Microsoft Sentinel?

A. Create a playbook that assigns the incident to a user
B. Use a watchlist to map alert types to owners
C. Configure an analytics rule to set the owner
D. Create an automation rule that sets the incident owner
Answer: D

Automation rules can automatically assign incidents to owners or groups.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific owners based on conditions like severity or alert type. This ensures critical alerts are routed to the appropriate SOC tier without manual intervention, directly meeting the requirement.

Exam trap

The trap here is that candidates often confuse the capabilities of analytics rules (which generate incidents) with automation rules (which handle post-creation actions like owner assignment), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because a playbook that assigns an incident to a user is an over-engineered solution; automation rules are designed for simple owner assignment without the need for a Logic App. Option B is wrong because watchlists are used for correlating data or enriching alerts, not for assigning incident ownership. Option C is wrong because analytics rules define alert conditions and generate incidents, but they do not have a setting to configure the incident owner; owner assignment is handled post-creation by automation rules or playbooks.

694. Multi-Select (easy)

A security analyst detects a suspicious login from an unusual location for a user in Microsoft Defender XDR. The analyst needs to investigate and contain the incident. Which TWO actions should be taken?

Select 2 answers
A. Disable the user account from Microsoft Entra ID.
B. Create a custom hunting query in Microsoft 365 Defender advanced hunting.
C. Review the user's sign-in logs and risk level in Microsoft Entra ID Identity Protection.
D. Run an automated investigation playbook.
E. Reset the user's password.
Answers: A, C

Disabling the account immediately stops further access.

Why this answer

Disabling the user account (A) immediately stops further access. Using Microsoft Entra ID Identity Protection to confirm risk (C) provides additional context. Investigation playbooks (D) are for automation, not immediate containment.

Resetting the password (E) is less immediate than disabling. Hunting queries (B) are for proactive threat hunting.

695. MCQ (medium)

You are a security analyst at Fabrikam using Microsoft Sentinel. You are conducting a threat hunt for signs of remote code execution (RCE) via the Windows Event Log. You want to detect suspicious service creation that could indicate lateral movement. Specifically, you want to find events where a service was created (Event ID 7045) on a server, and within 5 minutes, a network connection was established from that server to another internal server. You have SecurityEvent and CommonSecurityLog tables ingested. Which KQL query should you use?

A. SecurityEvent | where EventID == 7045 | union CommonSecurityLog | where TimeGenerated > ago(1d)
B. SecurityEvent | where EventID == 7045 | project Computer, TimeGenerated | where TimeGenerated > ago(1h)
C. SecurityEvent | where EventID == 7045 | where TimeGenerated between (ago(1d) .. now()) | summarize by Computer
D. let ServiceCreation = SecurityEvent | where EventID == 7045 | project Computer, TimeGenerated; let NetworkConn = CommonSecurityLog | where DeviceAction == 'Allow' | project SourceIP, TimeGenerated; ServiceCreation | join kind=inner NetworkConn on $left.Computer == $right.SourceIP and abs(TimeGenerated - TimeGenerated) <= 5m
Answer: D

This joins service creation and network events within 5 minutes to detect lateral movement.

Why this answer

Option D is correct because it uses a join with a time window to correlate service creation and network connection. Option B is wrong because it lacks the join. Option C is wrong because it applies a time filter to service creation only, with no correlation.

Option A is wrong because it uses a union, which is incorrect.

696. MCQ (easy)

You are threat hunting for signs of credential dumping via LSASS access. Which Advanced Hunting schema table in Microsoft Defender XDR should you primarily query to find processes that opened a handle to LSASS?

A. DeviceProcessEvents
B. DeviceEvents
C. DeviceNetworkEvents
D. DeviceRegistryEvents
Answer: B

DeviceEvents includes LSASS access events (ActionType: 'LsassAccessedByProcess').

Why this answer

Option B is correct because DeviceEvents includes events like 'LsassAccessedByProcess' from the Microsoft Defender for Identity sensor. Option A (DeviceProcessEvents) records process creation, not handle opens. Option C (DeviceNetworkEvents) is for network events.

Option D (DeviceRegistryEvents) is for registry events.

697. Multi-Select (medium)

Which THREE data sources in Microsoft Sentinel are most useful for threat hunting activities related to identity compromise?

Select 3 answers
A. SecurityEvent
B. SigninLogs
C. CommonSecurityLog
D. AuditLogs
E. OfficeActivity
Answers: A, B, D

Windows security events including logon types.

Why this answer

SigninLogs (Azure AD), AuditLogs (Azure AD), and SecurityEvent (Windows) provide identity-related data. CommonSecurityLog is for network appliances, OfficeActivity for M365 workloads.

698. MCQ (medium)

A SOC analyst wants to ensure that multiple alerts from the same analytics rule that occur within a 1-hour window for the same user are automatically merged into a single incident. Which configuration setting should the analyst adjust in the analytics rule?

A. Incident grouping settings
B. Entity mapping
C. Alert details
D. Query scheduling
Answer: A

This setting controls how alerts are grouped into incidents, including time-based grouping and entity matching.

Why this answer

Option A is correct because the Incident grouping settings in a Microsoft Sentinel analytics rule control whether multiple alerts from the same rule are automatically merged into a single incident. By configuring the grouping to 'Group alerts into a single incident if they match the specified conditions' and setting the time window to 1 hour, the SOC analyst ensures that alerts triggered for the same user within that window are combined, reducing alert noise and improving incident management efficiency.

Exam trap

The trap here is that candidates often confuse Entity mapping with incident grouping, thinking that mapping entities automatically merges alerts, but entity mapping only enriches alerts with contextual data and does not control grouping logic.

How to eliminate wrong answers

Option B is wrong because Entity mapping defines how entities (e.g., user accounts, IP addresses) are extracted from raw log data and linked to alerts, but it does not control alert grouping or incident creation logic. Option C is wrong because Alert details allow customization of the alert's name, description, and severity, but they have no role in merging multiple alerts into a single incident. Option D is wrong because Query scheduling sets the frequency and lookback period for running the analytics rule's query, not the grouping of resulting alerts into incidents.

699. MCQ (medium)

A company uses Microsoft Defender for Cloud to manage security posture. The compliance team needs to continuously monitor resources against the CIS Microsoft Azure Foundations Benchmark and receive a consolidated score across all subscriptions. Which Defender for Cloud feature should they use?

A. Secure Score
B. Regulatory compliance dashboard
C. Adaptive application controls
D. File Integrity Monitoring (FIM)
Answer: B

The regulatory compliance dashboard tracks compliance against selected standards (e.g., CIS, ISO) by evaluating resources against the corresponding Azure Policy initiatives.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides continuous monitoring of resources against specific compliance standards, such as the CIS Microsoft Azure Foundations Benchmark, and aggregates a consolidated score across all subscriptions. This feature maps Azure Policy initiatives to compliance controls, showing pass/fail status and a compliance score, which directly meets the compliance team's requirement for ongoing assessment and a unified score.

Exam trap

The trap here is that candidates often confuse Secure Score with regulatory compliance scoring, but Secure Score is a general posture metric based on Microsoft's security recommendations, not a dedicated compliance benchmark score like CIS.

How to eliminate wrong answers

Option A is wrong because Secure Score measures an organization's overall security posture based on security recommendations, not specific compliance with the CIS Microsoft Azure Foundations Benchmark; it does not provide a consolidated compliance score for a particular regulatory standard. Option C is wrong because Adaptive application controls are a workload protection feature that uses machine learning to define allowlists for running applications on Azure VMs, unrelated to compliance monitoring or scoring. Option D is wrong because File Integrity Monitoring (FIM) examines changes to files and registries on VMs for security incidents, not for assessing compliance against a benchmark like CIS.

700. Drag & Drop (medium)

Order the steps to create a Microsoft Sentinel automation rule that automatically closes low-severity incidents.


Why this order

Automation rules are created in the Automation blade, conditions define when to trigger, and actions define what to do.

701. MCQ (easy)

Your organization uses Microsoft Sentinel to manage security incidents. The security team wants to automatically assign incidents to the appropriate analyst based on the incident’s severity and category. Which feature should you configure?

A. Automation rules
B. Analytics rules
C. Playbooks
D. Watchlists
Answer: A

Automation rules can automatically assign incidents based on conditions.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to automatically assign incidents based on conditions like severity and category. Option C is wrong because playbooks are used for automated response actions, not assignment. Option B is wrong because analytics rules generate incidents; they don't assign them.

Option D is wrong because watchlists are used to correlate data, not assign incidents.

702. MCQ (medium)

Refer to the exhibit. You are configuring an analytics rule in Microsoft Sentinel. What is the effect of this configuration?

A. All alerts that share any entity are grouped into one incident
B. Each alert creates a separate incident
C. Alerts that share all the same entities are grouped into one incident within 5 hours
D. Alerts are grouped by alert type
Answer: C

Correctly describes 'AllEntities' matching.

Why this answer

Option C is correct because grouping with matchingMethod 'AllEntities' groups alerts that share all entities (like IP, host, user) into a single incident within a 5-hour lookback. Option A is wrong because the configuration does not group on any single shared entity. Option B is wrong because it does not create an incident for each alert.

Option D is wrong because it does not create an incident per alert type.

703. MCQ (medium)

Your company uses Microsoft Sentinel and has a workspace in the East US region. You need to ingest logs from a non-Azure Windows server located in a branch office in Europe. You have limited bandwidth and need to ensure that log ingestion does not impact network performance. What should you use?

A.Use Microsoft Defender for Endpoint to collect logs from the server and forward them to Sentinel.
B.Install the Log Analytics agent (MMA) on the server and configure it to send logs directly to the workspace.
C.Install the Azure Monitor Agent on the server and create a data collection rule to filter and compress logs before sending.
D.Configure the server to send logs to an Azure Event Hub, then stream to Sentinel.
AnswerC

AMA with DCRs allows filtering and compression to minimize bandwidth.

Why this answer

Option C is correct because the Azure Monitor Agent (AMA) supports data collection rules (DCRs) that can filter logs at the source and compress data before transmission, reducing bandwidth usage. This is critical for the limited bandwidth scenario, and AMA is the modern replacement for the Log Analytics agent, designed for efficient log ingestion across regions.

Exam trap

The trap here is that candidates often assume MMA is still the default for on-premises servers, but Microsoft has deprecated MMA in favor of AMA, and AMA’s DCR-based filtering and compression directly address bandwidth constraints, which MMA cannot do natively.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint collects security telemetry (e.g., alerts, EDR signals) but does not natively forward arbitrary Windows event logs or custom logs to Sentinel; it requires additional configuration and does not address bandwidth optimization. Option B is wrong because the Log Analytics agent (MMA) sends logs without built-in compression or filtering at the source, leading to higher bandwidth consumption, and it is deprecated in favor of AMA. Option D is wrong because sending logs to an Azure Event Hub introduces additional network hops and potential latency, and while Event Hubs can handle high throughput, they do not inherently compress or filter logs to reduce bandwidth impact; this approach is typically used for high-volume streaming, not bandwidth-constrained scenarios.

704
MCQeasy

You are configuring Microsoft Sentinel to ingest syslog data from a network appliance. After configuring the data connector, you notice that no data is appearing in the CommonSecurityLog table. The syslog server is sending data to the Azure Monitor Agent (AMA) on the log collector. What should you verify first?

A.Check the Heartbeat table for the log collector.
B.Verify that a Data Collection Rule is defined to collect the syslog facilities.
C.Ensure the syslog appliance can reach the collector on UDP port 514.
D.Check the data connector health status in Sentinel.
AnswerB

A DCR is required to instruct AMA to collect and send syslog data.

Why this answer

The Azure Monitor Agent (AMA) requires a Data Collection Rule (DCR) to specify which syslog facilities and severity levels to collect. Without a DCR, the AMA will not forward syslog data to the CommonSecurityLog table, even if the syslog server is sending data to the collector. This is the most common missing configuration step after setting up the data connector.

Exam trap

The trap here is that candidates assume the data connector automatically creates the necessary Data Collection Rule, when in fact the DCR must be manually configured or verified after connector setup.

How to eliminate wrong answers

Option A is wrong because the Heartbeat table shows agent connectivity, not whether syslog data is being collected or forwarded to the correct table; a healthy heartbeat does not guarantee DCR configuration. Option C is wrong because the question states the syslog server is already sending data to the AMA, so network connectivity on UDP 514 is already established. Option D is wrong because the data connector health status in Sentinel checks the connector's overall configuration and permissions, not the specific DCR mapping of syslog facilities to the CommonSecurityLog table.

705
MCQmedium

Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You need to ensure that security alerts from on-premises servers are sent to Microsoft Sentinel. What should you configure?

A.Install a third-party SIEM connector on the servers and forward logs to Sentinel.
B.Deploy Azure Policy on the servers to audit security settings.
C.Connect the on-premises servers to Azure Arc and deploy the Log Analytics agent.
D.Configure a site-to-site VPN to Azure and enable network logging.
AnswerC

Azure Arc allows agent deployment and log forwarding to Sentinel.

Why this answer

Option C is correct because Azure Arc enables on-premises servers to be managed as Azure resources and to have the Log Analytics agent installed, forwarding logs to Sentinel. Option A is wrong because a third-party SIEM would bypass Sentinel. Option B is wrong because Azure Policy can enforce configurations but does not directly send alerts.

Option D is wrong because a VPN does not solve log ingestion.

706
MCQhard

Your organization uses Microsoft Defender XDR. You need to ensure that when a user reports a phishing email using the built-in Outlook add-in, the incident is automatically created in Microsoft Sentinel with high severity and a custom tag 'Phishing-Reported'. What is the most efficient way to achieve this?

A.Configure the 'User-reported phishing' policy in Microsoft Defender XDR to create an incident in Microsoft Sentinel with high severity and the tag.
B.Set up an automation rule in Microsoft Sentinel to tag incidents from 'Microsoft Defender' connector with the tag when severity is high.
C.Create a Power Automate flow that reads from the unified audit log and creates a Sentinel incident via API.
D.Use a playbook triggered by a Microsoft Sentinel analytics rule that monitors for 'PhishDeliver' events.
AnswerA

Defender XDR can directly create Sentinel incidents with specified properties.

Why this answer

Option A is correct because Microsoft Defender XDR has a built-in automation for user-reported phishing that can create incidents. You can configure the policy to set severity and add tags. Option B is wrong because automation rules in Sentinel trigger on existing incidents, not on email reports directly.

Option C requires custom development. Option D is an alternative but less integrated.

707
MCQmedium

Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to detect suspicious PowerShell activity. Why might this query generate many false positives?

A.The time range is too broad.
B.The query is too specific and misses many attacks.
C.Legitimate administrators often use encoded PowerShell commands.
D.The query does not filter by user.
AnswerC

Encoded commands are used by both attackers and admins, leading to false positives.

Why this answer

Option C is correct because legitimate administrative scripts often use encoded commands. Option A is wrong because the time range is narrow. Option B is wrong because the query is specific.

Option D is wrong because the absence of a user filter is not what produces the false positives.

708
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Sentinel automation rules? (Select two.)

Select 2 answers
A.Create a task on an incident
B.Run a playbook on an incident
C.Create an incident automatically
D.Create a new automation rule
E.Send an email notification
AnswersA, B

Automation rules can add tasks to incidents.

Why this answer

Option A is correct because Microsoft Sentinel automation rules can create tasks on incidents. This allows you to automatically assign investigation steps or remediation actions to specific personnel, ensuring consistent incident response workflows.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming automation rules can directly send emails or create incidents, when in fact they only orchestrate actions that may be executed by playbooks or other components.

709
MCQhard

Refer to the exhibit. You have an automation rule defined as shown. The rule is enabled but never triggers. What is the most likely reason?

A.The playbook resource ID is incomplete.
B.The condition requires incident status 'Active', but incidents start as 'New'.
C.The trigger type should be 'AlertCreated' instead of 'IncidentCreated'.
D.The rule order is set to 1, which is too low.
AnswerB

Incidents are created with status 'New', so the condition never matches.

Why this answer

The automation rule triggers on incident creation, but the condition requires the incident status to be 'Active'. In Microsoft Sentinel, incidents are created with a status of 'New', not 'Active'. Therefore, the condition is never met, and the rule never triggers.

To fix this, the condition should either be removed or changed to include 'New' status.

Exam trap

Microsoft often tests the subtle difference between incident status values ('New' vs 'Active') and the fact that incidents are created as 'New', not 'Active', causing candidates to overlook the condition mismatch.

How to eliminate wrong answers

Option A is wrong because the playbook resource ID is used to identify the playbook to run, and an incomplete ID would cause a different error (e.g., playbook not found), not prevent the rule from triggering entirely. Option C is wrong because the trigger type 'IncidentCreated' is correct for an automation rule that runs when an incident is created; 'AlertCreated' would be used for alert-based automation, not incident-based. Option D is wrong because the rule order (priority) determines the sequence of rule execution but does not prevent a rule from triggering; a low order number simply means it runs earlier among enabled rules.

710
MCQhard

Your organization has deployed Microsoft Sentinel with the Microsoft Defender XDR connector. A high-severity incident is created for a user who received a phishing email that contained a malicious link. The user clicked the link, and the attacker gained access to the user's mailbox. The security team needs to remove the attacker's access and prevent future occurrences. What should you do first?

A.Run a full antivirus scan on the user's device
B.Reset the user's password immediately
C.Report the incident to Microsoft for further investigation
D.Remove any mailbox forwarding rules and delegated access
AnswerD

Removing forwarding rules and delegated access cuts off the attacker's access.

Why this answer

Option D is correct because the immediate priority is to revoke the attacker's access to the mailbox by removing the delegated access or forwarding rule. Option B is wrong because, while a password reset is important, it may not remove the attacker's existing session. Option A is wrong because running antivirus is not applicable to a mailbox compromise.

Option C is wrong because reporting the incident is secondary.

711
MCQmedium

Your security team uses Microsoft Defender XDR. You need to ensure that a user who is suspected of credential theft is immediately blocked from accessing corporate email and cloud apps, while the investigation continues. What should you do?

A.Create a conditional access policy in Microsoft Entra ID to block the user
B.Use Microsoft Defender for Cloud Apps to suspend the user
C.Disable the user account in Microsoft Entra ID
D.Reset the user's password from Microsoft Entra ID
AnswerB

Suspending the user immediately blocks access to all connected apps.

Why this answer

Option B is correct because suspending the user in Microsoft Defender for Cloud Apps immediately revokes the user's access tokens and active sessions for cloud apps, blocking further access to corporate email and cloud apps without deleting the account. This allows the investigation to continue while the user is isolated, which is the precise requirement for a suspected credential theft scenario.

Exam trap

The trap here is that candidates often confuse 'blocking access' with 'disabling the account' or 'resetting the password,' not realizing that immediate token revocation via Defender for Cloud Apps is the only option that stops active sessions without disrupting the user's directory object.

How to eliminate wrong answers

Option A is wrong because creating a conditional access policy in Microsoft Entra ID requires time to propagate and may not immediately revoke existing sessions; it also does not suspend the user's tokens for already-authenticated sessions. Option C is wrong because disabling the user account in Microsoft Entra ID removes the user from all directory services and can break dependencies like group memberships or licensing, and it does not specifically target cloud app access while preserving the account for investigation. Option D is wrong because resetting the user's password does not invalidate existing active sessions or tokens issued before the reset, so the user could still access email and cloud apps until those tokens expire.

712
MCQmedium

A SOC analyst needs to create a Microsoft Sentinel scheduled analytics rule that detects a potential brute-force attack. The rule should alert when a single IP address attempts to sign in to more than 10 different user accounts within 5 minutes. The data is in the 'SigninLogs' table. Which KQL operator should the analyst use to count distinct users per IP address per 5-minute time window?

A.summarize dcount(UserPrincipalName) by IPAddress, bin(TimeGenerated, 5m)
B.summarize count(UserPrincipalName) by IPAddress
C.summarize dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 5m)
D.make-set(UserPrincipalName) by IPAddress
AnswerA

This groups records by IPAddress and 5-minute bins, then counts distinct user accounts for each, which is exactly what is needed.

Why this answer

Option A is correct because the requirement is to count distinct user accounts per IP address within a 5-minute window. The `dcount()` function estimates the number of distinct values of `UserPrincipalName`, `bin(TimeGenerated, 5m)` groups the logs into 5-minute buckets, and `summarize ... by IPAddress` ensures the count is per source IP. This directly matches the brute-force detection logic of more than 10 distinct users from a single IP in 5 minutes.

Exam trap

The trap here is confusing `count()` (total events) with `dcount()` (distinct values), leading candidates to pick Option B, which would count repeated attempts to the same user as separate events and miss the distinct-user threshold required for a brute-force detection.

How to eliminate wrong answers

Option B is wrong because `count(UserPrincipalName)` counts all sign-in attempts, including duplicates, not distinct users, which would inflate the count and cause false positives. Option C is wrong because it counts distinct IP addresses per user, which is the inverse of the required logic and would detect a single user being targeted from many IPs, not a brute-force from one IP. Option D is wrong because `make-set()` creates an array of distinct values but does not provide a count; the analyst would need to further process the set to get the number of distinct users, making it inefficient and not directly usable in a rule condition.

713
MCQmedium

A SOC analyst wants to automate a response in Microsoft Sentinel such that whenever an incident is created containing a specific user entity (e.g., compromised user), a playbook runs that disables the user in Microsoft Entra ID. Which condition should be configured in the automation rule?

A.When incident is created, and the incident contains a user entity.
B.When alert is generated, and the alert contains a user entity.
C.When incident is created with severity high, then run the playbook.
D.When playbook is triggered manually from the incident details page.
AnswerA

Correct. Automation rules can be configured to trigger when an incident is created and match conditions on entity types (e.g., 'User'). This allows the playbook to run automatically for incidents involving the specified user.

Why this answer

Option A is correct because the automation rule must trigger on incident creation and evaluate whether the incident contains a specific user entity to run the playbook that disables the user in Microsoft Entra ID. This ensures the playbook only executes when the relevant entity is present, aligning with the requirement to automate a response based on a compromised user entity.

Exam trap

The trap here is that candidates may confuse alert-level triggers (Option B) with incident-level triggers, or assume severity (Option C) is sufficient without considering entity-specific conditions, leading to over-triggering or missing the precise automation requirement.

How to eliminate wrong answers

Option B is wrong because automation rules in Microsoft Sentinel trigger on incidents, not directly on alerts; alerts are ingested into incidents, and the rule must be set at the incident level. Option C is wrong because it specifies a severity condition (high) without requiring the user entity, which would cause the playbook to run for all high-severity incidents regardless of whether a compromised user entity exists. Option D is wrong because manual triggering from the incident details page does not automate the response; the requirement is for an automated response when an incident is created.

714
Multi-Selectmedium

You are managing Microsoft Defender for Endpoint. Which TWO actions can be taken directly from the Microsoft 365 Defender portal to respond to a compromised device?

Select 2 answers
A.Run a full antivirus scan on the device.
B.Block the user's sign-in from Microsoft Entra ID.
C.Remotely wipe the device.
D.Isolate the device from the network.
E.Reset the device's local administrator password.
AnswersA, D

Running a scan is a supported response action.

Why this answer

Options A and D are correct. From the Defender for Endpoint portal, you can run a full antivirus scan (A) and isolate a device from the network (D). Option E is wrong because you cannot reset a device's local administrator password from Defender for Endpoint; that is done via Microsoft Entra ID.

Option C is wrong because you cannot remotely wipe a device from Defender for Endpoint (that is done via Intune). Option B is wrong because you cannot block a user's sign-in from Defender for Endpoint (that is done via Microsoft Entra ID).

715
MCQmedium

A security team wants to enable advanced threat detection for all Azure SQL databases across multiple subscriptions. They want to receive alerts for SQL injection attempts and anomalous activities. Which action should they take in Microsoft Defender for Cloud?

A.Enable the Microsoft Defender for Servers plan on each subscription.
B.Enable the Microsoft Defender for SQL plan at the subscription level.
C.Configure SQL Auditing and Threat Detection on each SQL server individually.
D.Create an Azure Policy to deploy Azure SQL Firewall rules.
AnswerB

When enabled at the subscription level, all SQL databases in that subscription are protected, and alerts are generated for threats like SQL injection.

Why this answer

Microsoft Defender for SQL provides advanced threat detection for Azure SQL databases, including alerts for SQL injection attempts and anomalous activities. Enabling the plan at the subscription level automatically protects all existing and future SQL databases within that subscription, ensuring centralized management and compliance.

Exam trap

The trap here is that candidates often confuse the need for per-server configuration (Option C) with the centralized subscription-level enablement, or they mistakenly think that server-level security controls like firewalls (Option D) or server-specific plans (Option A) can provide the same threat detection capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Servers is designed to protect virtual machines and servers, not Azure SQL databases; it does not include SQL-specific threat detection capabilities. Option C is wrong because configuring SQL Auditing and Threat Detection on each SQL server individually is a legacy, manual approach that lacks the centralized policy enforcement and advanced analytics provided by Microsoft Defender for SQL at the subscription level. Option D is wrong because creating an Azure Policy to deploy Azure SQL Firewall rules only manages network access controls and does not enable threat detection or alerting for SQL injection or anomalous activities.

716
MCQhard

You are managing a Microsoft Sentinel workspace that ingests data from Microsoft 365 Defender. You notice that some incident creation rules are not generating incidents as expected. What should you check first?

A.The Microsoft 365 Defender data connector
B.The workspace daily usage cap
C.The SecurityIncident table schema
D.The analytics rule status
AnswerA

Ensure the connector is enabled and configured to forward incidents.

Why this answer

The Microsoft 365 Defender data connector is the correct first check because it is the ingestion pipeline for security alerts from Microsoft 365 Defender into Microsoft Sentinel. If this connector is misconfigured, disconnected, or has stopped syncing, incident creation rules that depend on these alerts will not trigger, even if the analytics rules themselves are enabled and correctly configured.

Exam trap

The trap here is that candidates often jump to checking analytics rule status first, assuming the rule is disabled or misconfigured, but the real issue is that the data connector—the upstream dependency—is broken, preventing the rule from ever receiving the alerts it needs to evaluate.

How to eliminate wrong answers

Option B is wrong because the workspace daily usage cap affects data ingestion costs and can stop data ingestion if exceeded, but it would impact all data types, not just incident creation rules from Microsoft 365 Defender; moreover, Sentinel incident creation rules are based on analytics rule logic, not directly on ingestion volume. Option C is wrong because the SecurityIncident table schema is a fixed schema in Log Analytics that stores incidents after they are created; checking the schema would not reveal why incidents are not being generated, as schema changes are rare and would cause errors, not silent failures. Option D is wrong because while analytics rule status (enabled/disabled) is relevant, the question states that incident creation rules are not generating incidents as expected, implying they are enabled; the root cause is more likely a data connector issue that prevents the required alerts from being ingested.

717
MCQhard

An analyst is using advanced hunting in Microsoft 365 Defender. A device made outbound RDP connections shortly after a suspicious PowerShell process started. Which join is most useful to identify the initiating process for those network connections?

A.Join EmailEvents with UrlClickEvents
B.Join IdentityInfo with SecureScoreControls
C.Join CloudAppEvents with AlertEvidence only
D.Join DeviceNetworkEvents with DeviceProcessEvents by device and process identifiers/time window
AnswerD

DeviceNetworkEvents records network connections, while DeviceProcessEvents records process creation details needed to identify the initiating process.

Why this answer

Option D is correct because it joins DeviceNetworkEvents (which contain outbound RDP connection details) with DeviceProcessEvents (which contain process creation data like the suspicious PowerShell process) using device ID, process ID, and a time window. This join allows the analyst to directly correlate the network connection to the initiating process, identifying whether the PowerShell process spawned the RDP connection.

Exam trap

The trap here is that candidates may choose a join involving cloud or email tables (A, B, C) because they focus on the 'suspicious PowerShell' aspect, forgetting that the question specifically asks for the initiating process of network connections, which requires device-level process and network event correlation.

How to eliminate wrong answers

Option A is wrong because EmailEvents and UrlClickEvents deal with email and URL click data, which are irrelevant to identifying the initiating process of outbound RDP connections from a device. Option B is wrong because IdentityInfo and SecureScoreControls relate to user identity and security posture scores, not process-to-network correlation. Option C is wrong because CloudAppEvents and AlertEvidence focus on cloud application activities and alerts, not device-level process and network events; joining them would not reveal the initiating process for RDP connections on a device.

718
MCQhard

Your organization uses Microsoft Defender XDR for threat detection and response. The security team wants to automatically isolate a compromised device when a specific malware alert is triggered, but only if the device is not a critical server. What is the most efficient way to achieve this?

A.Use advanced hunting to find devices and then manually isolate
B.Use PowerShell scripts in a playbook
C.Configure an automation rule in Microsoft Defender XDR
D.Create a custom detection rule
AnswerC

Automation rules can trigger device isolation based on conditions like alert title and device group.

Why this answer

Option C is correct because automation rules in Microsoft Defender XDR allow you to set conditions (e.g., device group, alert title) and trigger automated actions like device isolation. This is the most efficient method as it doesn't require custom scripting or playbooks. Option D is wrong because custom detection rules can generate alerts but do not trigger isolation directly.

Option B is wrong because you can't use PowerShell directly within Microsoft Defender XDR without a playbook. Option A is wrong because advanced hunting is a query tool, not an automated response mechanism.

719
MCQhard

You are reviewing an analytics rule configuration in Microsoft Sentinel using ARM template JSON. The rule is enabled and incident creation is set to true. However, when alerts are generated, they are not being grouped into a single incident. What is the most likely reason?

A.The lookbackDuration is set to 5 hours which is too short.
B.The groupingConfiguration is disabled.
C.The matchingMethod is set to 'AllEntities' which is not supported.
D.The rule is not enabled properly.
AnswerB

Grouping is disabled, so each alert creates a separate incident.

Why this answer

The groupingConfiguration has enabled set to false. This means that even though incident creation is enabled, alerts will not be grouped; each alert creates its own incident. Option B correctly identifies this.

Option C is wrong because matchingMethod is set but grouping is disabled. Option A is wrong because grouping is disabled, not because of lookbackDuration. Option D is wrong because the rule is enabled and incident creation is true.

720
MCQhard

Refer to the exhibit. You have created an automation rule in Microsoft Sentinel with the above configuration. The playbook isolates the device and disables the user account. After enabling the rule, you notice that a low-severity incident containing an alert titled 'Ransomware Behavior' did NOT trigger the automation. What is the most likely reason?

A.The 'ContainsAny' operator does not match single values
B.The automation rule does not have permission to run the playbook
C.The playbook ID is invalid
D.The incident severity is Low, but the rule only triggers on High severity
AnswerD

The condition requires severity equals High, so low-severity incidents are not processed.

Why this answer

Option D is correct because the trigger condition requires incident severity 'Equals High', so low-severity incidents are excluded. Option A is wrong because the condition uses 'ContainsAny' for the alert title, which works for a single value. Option C is wrong because the playbook ID is referenced correctly.

Option B is wrong because automation rules do not require explicit permissions beyond the playbook's permissions.

721
MCQeasy

A security analyst is hunting for signs of credential dumping using Microsoft Defender for Endpoint. Which advanced hunting query should the analyst use to detect the use of Mimikatz?

A.DeviceRegistryEvents where RegistryKey contains 'mimikatz'
B.DeviceProcessEvents where ProcessCommandLine contains 'mimikatz'
C.DeviceFileEvents where FileName contains 'mimikatz'
D.DeviceNetworkEvents where RemoteIP contains 'mimikatz'
AnswerB

Mimikatz is typically executed as a process with command-line arguments that include the tool name.

Why this answer

Option B is correct because DeviceProcessEvents records process creation events, and Mimikatz often appears as a process. Option D is wrong because network events are not directly related to local credential dumping. Option A is wrong because registry events may show persistence but not the dumping itself.

Option C is wrong because file creation events are less direct for process-based tools.

722
Multi-Selecteasy

Which TWO are common indicators of compromise (IOCs) used in threat hunting with Microsoft Sentinel?

Select 2 answers
A.File hashes (MD5, SHA256)
B.Usernames
C.IP addresses
D.Device names
E.Registry keys
AnswersA, C

File hashes uniquely identify known malicious files.

Why this answer

Options A and C are correct because file hashes and IP addresses are standard IOCs. Option B is wrong because usernames are not IOCs; they are artifacts. Option D is wrong because device names are not IOCs.

Option E is wrong because registry keys can be IOCs but are less common than hashes and IPs.

723
MCQhard

A threat hunter wants to proactively identify devices that may have been compromised by a known adversary using DLL side-loading techniques. Which Microsoft Sentinel solution or feature should the hunter leverage to create custom detection rules based on the latest threat intelligence?

A.User and Entity Behavior Analytics (UEBA)
B.Automation rules with playbooks
C.Custom workbooks
D.Threat Intelligence integration with analytics rules
AnswerD

TI indicators can be used in scheduled query rules to match against events.

Why this answer

Option D is correct because Microsoft Sentinel's Threat Intelligence integration allows importing TI indicators and creating analytics rules that match against them. Option A is wrong because UEBA focuses on user behavior, not specific TI. Option C is wrong because workbooks are for visualization, not detection.

Option B is wrong because playbooks are for response automation.

724
Drag & Dropmedium

Order the steps to set up a Microsoft Sentinel workspace and connect Microsoft 365 Defender data.

Why this order

Sentinel is enabled on a Log Analytics workspace, then data connectors like M365 Defender are configured to ingest data.

725
MCQhard

Your organization uses Microsoft Defender for Endpoint and has enabled the 'Block at First Sight' feature. You notice that some legitimate executables are being blocked incorrectly. You need to temporarily allow these files while you submit them for analysis. What should you do?

A.Create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to allow the file hash.
B.Add an application control policy in Microsoft Intune to allow the files.
C.Submit the files to Microsoft for analysis and wait for the verdict.
D.Disable the 'Block at First Sight' feature until the files are analyzed.
AnswerA

Allow indicators override automatic blocking for specific files.

Why this answer

Option A is correct because creating an allow indicator (IoC) in Microsoft Defender for Endpoint explicitly overrides the cloud-based 'Block at First Sight' verdict for a specific file hash. This allows the legitimate executable to run while you submit it for analysis, without disabling the broader protection feature. The allow indicator takes precedence over automated blocking actions, providing a temporary, targeted exemption.

Exam trap

The trap here is that candidates may think disabling the feature entirely (Option D) is a quick fix, but the exam tests the understanding that targeted allow indicators are the correct, least-privilege approach to handle false positives without compromising overall security posture.

How to eliminate wrong answers

Option B is wrong because application control policies in Microsoft Intune (e.g., Windows Defender Application Control) enforce execution rules based on code integrity policies, not file hash overrides for cloud-delivered protection; they cannot bypass the 'Block at First Sight' verdict. Option C is wrong because waiting for Microsoft's analysis without taking immediate action leaves the legitimate executables blocked, disrupting operations; the question explicitly asks for a temporary allow while submitting. Option D is wrong because disabling 'Block at First Sight' removes protection against all unknown files, not just the specific ones, creating a broad security gap; the goal is to allow only the known legitimate files.

726
Multi-Selecthard

Which THREE of the following are valid techniques for threat hunting using Microsoft Defender for Cloud Apps? (Choose 3)

Select 3 answers
A.Create custom activity policies to detect suspicious behaviors
B.Investigate user activities and generate alerts
C.Create custom detections in Microsoft Sentinel
D.Use IP address ranges to define trusted locations
E.Use advanced hunting queries
AnswersA, B, D

Custom activity policies are a core hunting feature.

Why this answer

Options A, B, and D are correct. Option A: you can create custom activity policies to detect anomalies. Option B: user investigation lets you examine user activities and generate alerts. Option D: IP address ranges can be used to define trusted locations. Option C is wrong because custom detections in Microsoft Sentinel are not part of Defender for Cloud Apps. Option E is wrong because advanced hunting queries are in Microsoft Defender for Endpoint, not Cloud Apps.

727
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud indicating that a virtual machine has a high severity vulnerability (CVE-2023-XXXX). You need to create an incident in Microsoft Sentinel and trigger a playbook to remediate the vulnerability. However, the incident is not being created automatically. What is the most likely cause?

A.The Microsoft Defender for Cloud connector in Microsoft Sentinel is not enabled or misconfigured
B.An analytics rule with a matching severity threshold has not been created
C.The free trial of Microsoft Sentinel has expired
D.The playbook does not have the correct permissions on the target VM
AnswerA

The connector must be enabled for alert ingestion.

Why this answer

The correct answer is A because the connector must be enabled and configured properly for alerts to flow from Defender for Cloud to Sentinel. Option B is wrong because analytics rules are not required for default incident creation. Option C is wrong because the free tier is functional but may have limitations. Option D is wrong because incorrect playbook permissions would affect playbook execution, not incident creation.

728
MCQmedium

Refer to the exhibit. You are reviewing an Azure Resource Manager (ARM) template for a Microsoft Sentinel analytics rule. Based on the exhibit, which statement is true?

A.The rule will create one incident per alert and group alerts by entity.
B.The rule will only trigger if more than 5 users have MFA disabled.
C.The rule runs every hour and looks back 5 hours.
D.The rule will generate one alert per user that has MFA disabled.
AnswerD

The query returns each user row, and AlertPerResult creates an alert for each row.

Why this answer

Option D is correct because the ARM template configures a Microsoft Sentinel scheduled analytics rule that runs every 5 hours (frequency and period both PT5H), queries for users with MFA disabled, and uses the 'Alert Per Result' event grouping setting. This setting generates a separate alert for each unique result returned by the query, meaning each user who has MFA disabled triggers their own alert.

Exam trap

The trap here is that candidates confuse the 'frequency' and 'period' values (both PT5H) with a common 1-hour interval, or misinterpret 'AlertPerResult' as grouping alerts into incidents, when in fact it creates one alert per query result row.

How to eliminate wrong answers

Option A is wrong because the rule uses 'Alert Per Result' event grouping, not 'Group alerts into a single incident per alert'; the setting creates one alert per result, not one incident per alert with entity grouping. Option B is wrong because the query does not include any aggregation or threshold condition like 'count > 5'; it simply lists users with MFA disabled, so the rule triggers for any number of results. Option C is wrong because the rule runs every 5 hours (frequency: PT5H) and looks back 5 hours (period: PT5H), not every hour.

729
MCQeasy

A threat hunter wants to use KQL in Microsoft Sentinel to find all events from the SecurityEvent table where the event ID is 4625 (failed logon) and the account name is not 'SYSTEM'. Which query achieves this?

A.SecurityEvent | where EventID equals 4625 and Account not equals 'SYSTEM'
B.SecurityEvent | where EventID == 4625 and Account != 'SYSTEM'
C.SecurityEvent | where EventID == 4625 and Account != 'SYSTEM'
D.SecurityEvent | where EventID == 4625 and not Account == 'SYSTEM'
AnswerB

'!=' is the correct KQL operator for not equal.

Why this answer

Option B is correct because it filters on EventID == 4625 and excludes the 'SYSTEM' account with the '!=' operator. Option A is wrong because 'equals' and 'not equals' are not KQL operators. Option C, as printed, repeats option B; the answer key selects B. Option D is wrong because 'not' without parentheses may cause a syntax error.

730
MCQmedium

You are a security analyst at Fabrikam. The company uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you need to identify users who are accessing cloud applications from multiple geographic locations in a short time, which could indicate credential theft or token replay. You want to create a hunting query in Microsoft Sentinel using the CloudAppEvents table. Which approach should you take?

A.Query CommonSecurityLog for VPN connections
B.Query OfficeActivity for sign-in logs
C.Query SecurityAlert for location-related alerts
D.Query CloudAppEvents, summarize by AccountDisplayName and bin(TimeGenerated, 1h), then use dcount(CountryCode) > 1
AnswerD

This directly identifies users with activities in multiple countries within an hour.

Why this answer

Option D is correct because CloudAppEvents contains location data (CountryCode or IPLocation). By summarizing per user and binning by time, you group activities by user and time window, then filter for those with more than one distinct country. Option A is incorrect because CommonSecurityLog is for on-premises network devices, not cloud apps. Option B is incorrect because OfficeActivity only covers Office 365, not all cloud apps. Option C is incorrect because SecurityAlert contains alerts, not raw events.

731
Multi-Selectmedium

A SOC analyst is configuring a Microsoft Sentinel automation rule to trigger a playbook when an incident is created. The playbook should only run if the incident severity is 'High' and the incident title contains 'Phishing'. Which two conditions should the analyst add to the automation rule? (Select all that apply.) (Choose 2.)

Select 2 answers
A.Incident severity equals High
B.Incident title contains Phishing
C.Incident status is New
D.Incident owner is Unassigned
AnswersA, B

Correct. This condition filters incidents with severity High.

Why this answer

Option A is correct because the automation rule condition 'Incident severity equals High' directly matches the requirement that the playbook should only trigger for incidents with a severity of 'High'. In Microsoft Sentinel, automation rules evaluate conditions against incident properties, and severity is a standard field that can be filtered using the 'equals' operator. This ensures the playbook is not invoked for lower-severity incidents.

Exam trap

The trap here is that candidates may mistakenly add 'Incident status is New' thinking the playbook should only run on newly created incidents, but the automation rule already triggers 'when an incident is created', making the status condition redundant and incorrect for this specific requirement.

732
MCQeasy

A SOC analyst wants to quickly enable detection for when a user account is added to the Global Administrator role in Microsoft Entra ID using a built-in analytics rule template in Microsoft Sentinel. Which type of analytics rule template should the analyst use?

A.Scheduled
B.Microsoft Security
C.Fusion
D.Machine Learning (ML)
AnswerA

Correct. The built-in template for detecting additions to the Global Administrator role is a Scheduled rule template that queries AzureADAuditLogs or AuditLogs on a schedule.

Why this answer

The analyst should use a Scheduled analytics rule template because the detection for when a user account is added to the Global Administrator role in Microsoft Entra ID requires querying the AuditLogs table at a regular interval. Scheduled rules allow you to define a KQL query that runs on a schedule (e.g., every 5 minutes) and generates alerts based on the results. This is the only built-in rule type that supports custom log queries for specific activities like role assignments.

Exam trap

The trap here is that candidates often confuse 'Microsoft Security' rules (which handle alerts from other Microsoft services) with the ability to create custom detections from raw logs, but only Scheduled rules allow you to write your own KQL query against tables like AuditLogs.

How to eliminate wrong answers

Option B (Microsoft Security) is wrong because Microsoft Security rules are pre-built templates that generate alerts from Microsoft security products (e.g., Microsoft Defender for Cloud, Microsoft 365 Defender) and do not allow custom KQL queries against raw logs like AuditLogs. Option C (Fusion) is wrong because Fusion rules use advanced machine learning to correlate multiple alerts into incidents based on kill-chain analysis, not for detecting a single, specific event like a role assignment. Option D (Machine Learning (ML)) is wrong because ML rules are designed for behavioral anomaly detection using custom ML models, not for deterministic detection of a known event like adding a user to a privileged role.

733
MCQeasy

During an incident, an analyst wants to use Microsoft Defender XDR's automatic attack disruption to contain an ongoing attack. What prerequisite must be met?

A.Devices must be onboarded to Microsoft Defender for Endpoint.
B.Microsoft Purview compliance portal must be configured.
C.Users must have Azure AD Premium P2 licenses.
D.Microsoft Sentinel must be enabled and connected to Defender XDR.
AnswerA

Automatic attack disruption works on Defender for Endpoint devices.

Why this answer

Option A is correct because automatic attack disruption requires the device to be onboarded to Microsoft Defender for Endpoint. Option B is wrong because the Purview compliance portal is not required. Option C is wrong because Azure AD Premium P2 licenses are not required. Option D is wrong because Sentinel is not required.

734
MCQmedium

You are responsible for Microsoft Defender for Identity. The security team reports that some high-confidence alerts are not triggering any automated response. You need to automate the response for these alerts. What should you configure?

A.Use Microsoft Intune to trigger a script on domain controllers when an alert fires.
B.Create an automation rule in Microsoft Sentinel to respond to Identity alerts.
C.In Microsoft Defender XDR, configure automated investigation and response for Identity alerts.
D.Configure Microsoft Purview compliance policies to respond to Identity alerts.
AnswerC

Defender XDR provides AIR for Identity alerts.

Why this answer

Option C is correct because Microsoft Defender for Identity alerts are natively integrated into Microsoft Defender XDR (formerly Microsoft 365 Defender), which provides automated investigation and response (AIR) capabilities. By configuring AIR for Identity alerts in Defender XDR, you can automatically trigger remediation actions such as suspending compromised accounts or blocking suspicious activities without additional scripting or third-party tools.

Exam trap

The trap here is that candidates may confuse Microsoft Sentinel (a SIEM/SOAR) with the native automated investigation and response capabilities within Microsoft Defender XDR, assuming that any automation must go through Sentinel, when in fact Defender XDR provides built-in AIR for its own alerts including Identity alerts.

How to eliminate wrong answers

Option A is wrong because Microsoft Intune is a mobile device management (MDM) and mobile application management (MAM) service, not designed to trigger scripts on domain controllers in response to security alerts; it manages endpoints, not on-premises Active Directory infrastructure. Option B is wrong because Microsoft Sentinel is a SIEM/SOAR platform that can ingest alerts from various sources, but it is not the native automation mechanism for Defender for Identity alerts; the correct native automation is within Defender XDR. Option D is wrong because Microsoft Purview compliance policies focus on data governance, eDiscovery, and compliance (e.g., retention labels, DLP), not on automated response to identity-based security alerts.

735
MCQmedium

You are a security analyst using Microsoft Sentinel. During a threat hunt, you need to identify potential data exfiltration via DNS tunneling. You have DNS query logs ingested from your DNS servers via Syslog. The log schema includes fields: TimeGenerated, QueryName, QueryType, ClientIP, ResponseIP. You want to find DNS queries that are unusually long (over 50 characters in the query name) and have a high count of unique responses, which may indicate tunneling. You need to write a KQL query that returns the top 10 client IPs with the most unique response IPs for queries with query name length > 50 in the last 24 hours. Which query should you use?

A.Syslog | where TimeGenerated > ago(24h) | extend QueryNameLength = strlen(QueryName) | where QueryNameLength > 50 | summarize dcount(ResponseIP) by ClientIP | top 10 by dcount_ResponseIP
B.Syslog | where TimeGenerated > ago(24h) | extend QueryNameLength = strlen(QueryName) | where QueryNameLength > 50 | summarize count() by ClientIP | top 10 by count_
C.Syslog | where TimeGenerated > ago(24h) | extend QueryNameLength = strlen(QueryName) | where QueryNameLength > 50 | summarize dcount(ResponseIP) by ClientIP | top 10 by dcount_ResponseIP | project ClientIP
D.Syslog | where TimeGenerated > ago(24h) | summarize dcount(ResponseIP) by ClientIP | top 10 by dcount_ResponseIP
AnswerA

Correctly counts unique response IPs for long queries.

Why this answer

Option A correctly filters for long query names, summarizes distinct ResponseIPs per ClientIP, and orders by the distinct count. Option B counts all responses, not unique ones. Option C projects away the distinct-count column with its trailing project. Option D does not filter on query name length.

736
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you find that a user accessed a sensitive SharePoint site from an anonymous IP address. Which hunting method would best identify all users who accessed the same site from similar anonymous IPs?

A.Query CloudAppEvents in Advanced hunting for the SharePoint site URL and filter by IP category 'AnonymousProxy'
B.Query DeviceEvents for network connections from the anonymous IP
C.Use Microsoft Purview to scan for sensitive data accessed from anonymous IPs
D.Search Azure AD sign-in logs for the same IP
AnswerA

CloudAppEvents captures cloud app activities, including SharePoint access, and IP categories help identify anonymous proxies.

Why this answer

Using KQL to query CloudAppEvents for the specific SharePoint site and filtering by IP address category (e.g., AnonymousProxy) is the most direct method. Option B (DeviceEvents, from Microsoft Defender for Endpoint) covers endpoint activities, not cloud app access. Option C (Microsoft Purview) focuses on data classification and governance. Option D (Azure AD sign-in logs) may not include SharePoint site-level access.

737
MCQeasy

Your security operations center (SOC) uses Microsoft Sentinel. An incident is created from a fusion alert. What does Fusion technology do?

A.Uses machine learning to detect suspicious user behavior
B.Runs queries at scheduled intervals to detect threats
C.Detects unusual patterns in Azure activity logs
D.Correlates alerts from different products to detect multi-stage attacks
AnswerD

Fusion uses machine learning to correlate alerts across products.

Why this answer

Option D is correct because Fusion correlates multiple alerts and signals to identify multi-stage attacks. Option A is wrong because that describes Machine Learning (ML) analytics. Option B is wrong because that describes Scheduled rules. Option C is wrong because that describes Anomaly detection.

738
MCQeasy

Your organization uses Microsoft Sentinel with a Log Analytics workspace in the East US region. You need to ensure that incident investigation data is retained for two years for compliance. What should you configure?

A.Adjust the Interactive retention period to 730 days in the Log Analytics workspace.
B.Configure a data retention policy in Microsoft Purview.
C.Set the Total retention period to 730 days and enable Archive.
D.Enable Basic Logs and set retention to 730 days.
AnswerA

Interactive retention can be set up to 2 years.

Why this answer

Option A is correct because Log Analytics workspaces allow you to configure the Interactive retention period independently from the Total retention period. Setting Interactive retention to 730 days ensures that incident investigation data remains available for interactive queries for the full two-year compliance requirement, without needing to enable archive or change log types.

Exam trap

The trap here is that candidates often confuse the Interactive retention period with the Total retention period, assuming that setting Total retention to 730 days automatically keeps data interactively available, when in fact only the Interactive retention period controls that access, and archive data requires a search job to query.

How to eliminate wrong answers

Option B is wrong because Microsoft Purview manages data governance, compliance, and sensitivity labels, not the retention of operational data in a Log Analytics workspace used by Microsoft Sentinel. Option C is wrong because setting the Total retention period to 730 days and enabling Archive would move data to the archive tier after the interactive period (default 30 days), making it inaccessible for interactive queries and requiring a search job to retrieve, which does not meet the requirement for incident investigation data to be retained for two years in an accessible state. Option D is wrong because Basic Logs are designed for verbose, low-volume logs with reduced query capabilities and a maximum retention of 30 days; setting retention to 730 days is not supported for Basic Logs.

739
MCQmedium

During a threat hunt, a security analyst uses Microsoft Sentinel and identifies a series of failed logon attempts from a single IP address targeting multiple user accounts. The analyst wants to create a scheduled analytics rule that generates an alert when the same IP address fails to log on to more than 10 different accounts within 5 minutes. Which KQL operator should be used to count distinct accounts per IP?

A.count()
B.summarize count() by Account
C.distinct Account
D.dcount(Account)
AnswerD

dcount provides an approximate distinct count of accounts, suitable for performance.

Why this answer

Option D is correct because dcount is an approximate distinct count that is efficient for large datasets. Option A is wrong because count() counts all events, not distinct accounts. Option B is wrong because summarize count() by Account counts all rows per account rather than the number of distinct accounts per IP. Option C is wrong because distinct returns unique rows; it does not count them.

740
MCQmedium

A security administrator wants to ensure that all existing and future Azure virtual machines have Microsoft Defender for Cloud's built-in vulnerability assessment solution (Qualys or Microsoft) installed without manual intervention. Which feature should the administrator configure?

A.Continuous export of security findings to Log Analytics
B.Auto-provisioning of the vulnerability assessment solution
C.Just-in-time VM access
D.Regulatory compliance dashboard
AnswerB

Auto-provisioning automatically installs the VA agent (Microsoft or Qualys) to all existing and new VMs, ensuring continuous coverage.

Why this answer

Auto-provisioning of the vulnerability assessment solution ensures that Microsoft Defender for Cloud automatically installs either the Qualys or Microsoft built-in vulnerability assessment extension on all existing and future Azure VMs without manual intervention. This feature is specifically designed to enable continuous vulnerability scanning by deploying the agent at scale, covering both new and existing resources as they are provisioned or discovered.

Exam trap

The trap here is that candidates often confuse 'continuous export' (which sends data after the agent is installed) with 'auto-provisioning' (which actually installs the agent), leading them to select Option A thinking it automates the deployment process.

How to eliminate wrong answers

Option A is wrong because continuous export of security findings to Log Analytics is a data export feature that sends vulnerability scan results to a Log Analytics workspace for centralized analysis or integration, but it does not install or deploy the vulnerability assessment solution itself. Option C is wrong because Just-in-time VM access is a network security feature that controls inbound traffic to VMs by opening ports only when needed, and it has no role in deploying vulnerability assessment agents. Option D is wrong because the Regulatory compliance dashboard provides a view of compliance posture against standards like CIS or NIST, but it does not automate the installation of vulnerability assessment software.

741
MCQmedium

You are conducting a threat hunt to find evidence of credential dumping on Windows servers. Which event ID in Windows Security Event Log (SecurityEvent) is most indicative of LSASS process access?

A.4656 (Handle to an object requested)
B.4688 (Process creation)
C.4672 (Special privileges assigned)
D.4624 (Logon)
AnswerA

4656 can indicate access to LSASS process handle.

Why this answer

Event ID 4656 is generated when a handle to an object (like LSASS) is requested, often used in credential dumping.

742
MCQmedium

Your SOC team uses Microsoft Sentinel. You receive a high volume of false positive incidents from a specific analytics rule. The rule uses a scheduled query that runs every 5 minutes. What is the most efficient way to reduce false positives without disabling the rule?

A.Increase the query run frequency to every hour
B.Disable the rule and create a new one with a different query
C.Use a suppression rule to close incidents automatically for 24 hours
D.Modify the rule to use entity mapping and alert grouping
AnswerD

Entity mapping helps in alert grouping and reducing duplicate incidents.

Why this answer

Option D is correct because entity mapping and alert grouping help reduce noise. Option A is wrong because increasing the run frequency would generate more alerts. Option B is wrong because disabling the rule stops all detections. Option C is wrong because suppressing for 24 hours might miss real incidents.

743
MCQmedium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel. The query returns no results even though you know there are alerts with the name 'Malware detected'. What is the most likely issue?

A.The operator 'MV-Expand' should be lowercase 'mv-expand'.
B.The 'project' operator should be 'project-away'.
C.The 'Entities' column might be null for these alerts.
D.The function 'parse_json' should be 'parse_json()' with parentheses.
AnswerA

KQL requires lowercase for operators.

Why this answer

The `mv-expand` operator in KQL is case-sensitive and must be written in lowercase. Using uppercase `MV-Expand` or any other casing causes KQL to treat it as an unrecognized command, resulting in a syntax error or no results. Since the query returns no results despite alerts existing, the most likely issue is the incorrect casing of the operator.

Exam trap

The trap here is that candidates often assume KQL is case-insensitive like SQL, leading them to overlook the exact casing of operators such as `mv-expand` versus `MV-Expand`.

How to eliminate wrong answers

Option B is wrong because `project-away` would remove columns, not cause the query to return zero results when alerts exist; the issue is with operator casing, not column selection. Option C is wrong because even if the 'Entities' column is null, the query would still return rows for alerts with that name, just with null values in that column. Option D is wrong because `parse_json` is a function that does not require parentheses when used in a KQL `extend` or `project` statement; adding parentheses would not fix the casing issue.

744
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You receive an incident: 'Malicious PowerShell command executed on endpoint.' The incident shows that a PowerShell command was executed on a server that attempted to download a payload from a known malicious IP. The process was terminated by MDE, but the server may still be compromised. You need to respond to the incident. Which of the following actions should you take FIRST?

A.Run a Microsoft Sentinel playbook to collect forensic data.
B.Isolate the server using Microsoft Defender for Endpoint.
C.Reset the local administrator password on the server.
D.Block the malicious IP address at the firewall.
AnswerB

Immediately contains the server to prevent further damage.

Why this answer

Option B is correct: isolating the server in MDE ensures that if any malware is present, it cannot communicate or spread. Option A is wrong: running a playbook for evidence collection can wait until after containment. Option C is wrong: resetting passwords is not necessary if there is no evidence of credential compromise. Option D is wrong: blocking the IP does not contain the server.

745
Multi-Selecthard

A Microsoft Sentinel scheduled analytics rule detects impossible travel but creates too many duplicate incidents for the same user within a short period. Which two rule settings should you tune? (Choose 2.)

Select 2 answers
A.Configure event grouping or incident grouping by user entity.
B.Configure suppression to stop creating new alerts for a defined period after a match.
C.Disable the data connector.
D.Delete the Log Analytics workspace.
AnswersA, B

Grouping related alerts/incidents reduces duplicate investigation objects.

Why this answer

Option A is correct because configuring event grouping or incident grouping by user entity consolidates multiple alerts for the same user into a single incident, reducing duplicate incidents. In Microsoft Sentinel, this setting controls how alerts are aggregated into incidents based on entity fields like user account, ensuring that a burst of impossible travel alerts for the same user generates one incident instead of many.

Exam trap

The trap here is that candidates often confuse suppression (which stops alert creation) with incident grouping (which consolidates alerts into incidents), and may incorrectly think disabling the data connector or deleting the workspace are valid tuning actions for reducing duplicates.

746
Multi-Selecthard

Your organization is implementing Microsoft Sentinel and needs to ensure that incident response activities are compliant with regulatory requirements. You need to track and document all changes made to analytics rules and playbooks. Which TWO features should you enable?

Select 2 answers
A.Sentinel workbooks
B.Automation rules
C.Activity logs (Azure Monitor)
D.Azure Resource Change History (Change tracking)
E.Microsoft Purview Compliance Manager
AnswersC, D

Activity logs record all write operations (create, update, delete) on Sentinel resources.

Why this answer

Options C and D are correct because Change tracking records resource modifications, and activity logs record user actions. Option A is wrong because workbooks are for visualization. Option B is wrong because automation rules do not log changes themselves. Option E is wrong because Microsoft Purview is for data governance, not Sentinel changes.

747
MCQhard

You are configuring Microsoft Sentinel automation rules to handle incidents from multiple analytics rules. You need to ensure that incidents from a specific rule are automatically assigned to the 'SOC Tier 2' group and have a severity of 'High' regardless of the original severity. What should you do?

A.Use a logic app trigger to change severity
B.Create a playbook to modify the incident properties
C.Create a separate analytics rule to override the incident
D.Configure an automation rule with 'Add tag' and 'Set severity' actions, plus 'Assign owner'
AnswerD

Automation rules can directly modify incident properties.

Why this answer

Automation rules in Microsoft Sentinel can directly modify incident properties such as severity and owner without requiring external logic apps or playbooks. Option D correctly uses the 'Set severity' action to override the original severity to 'High' and the 'Assign owner' action to assign the incident to the 'SOC Tier 2' group, fulfilling both requirements in a single, efficient rule.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, assuming that any property modification requires a playbook, when in fact automation rules natively support 'Set severity' and 'Assign owner' actions for simple, rule-based changes.

How to eliminate wrong answers

Option A is wrong because a logic app trigger is used to initiate automated workflows, but it cannot directly modify incident properties within Sentinel; it would require a playbook to change severity, making this an indirect and unnecessary step. Option B is wrong because a playbook is designed for complex, multi-step automation and is overkill for simple property changes; automation rules are the native, simpler solution for such tasks. Option C is wrong because creating a separate analytics rule to override an incident is not possible; analytics rules generate incidents based on detection logic, not modify existing incidents' properties.

748
MCQeasy

After containing a security incident, what is the most important next step in the incident response process?

A.Monitor for signs of recurrence.
B.Recover systems to normal operation.
C.Eradicate the threat from all systems.
D.Conduct a post-incident review.
AnswerD

Post-incident review identifies improvements.

Why this answer

Option D is correct because the 'Lessons Learned' phase helps improve future response. Option A is wrong because monitoring is ongoing but not the immediate next step. Option B is wrong because recovery is after eradication. Option C is wrong because eradication should have been done before containment.

749
MCQmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?

A.ipv4_is_in_range(SigninIP, '192.168.0.0/16')
B.has_any(SigninIP, dynamic(['192.168.0.0/16']))
C.ipv4_is_private(SigninIP)
D.SigninIP startswith '192.168.'
AnswerA

Correct. This function directly checks if the IP is within the given CIDR range.

Why this answer

The correct KQL function is `ipv4_is_in_range()` because it is specifically designed to check whether an IPv4 address falls within a given CIDR range. In this scenario, the function compares the `SigninIP` field against the company's approved range `192.168.0.0/16` and returns `true` if the IP is within that range, enabling the rule to alert on out-of-range sign-ins. This function handles subnet mask calculations natively, ensuring accurate and efficient IP range matching without manual parsing.

Exam trap

The trap here is that candidates may choose `ipv4_is_private()` thinking it covers all internal ranges, but it does not account for custom or non-RFC 1918 ranges, and it misses the requirement to match a specific CIDR block like 192.168.0.0/16.

How to eliminate wrong answers

Option B is wrong because `has_any()` is a string-matching operator that checks if any substring from a dynamic array exists in a field; it does not perform CIDR range calculations and would incorrectly treat the CIDR notation as a literal string. Option C is wrong because `ipv4_is_private()` only checks if an IP belongs to any private address space (RFC 1918), not whether it falls within a specific custom range like `192.168.0.0/16`; it would also match other private ranges (e.g., 10.0.0.0/8, 172.16.0.0/12), causing false positives. Option D is wrong because `startswith` performs a simple prefix match on the string representation of the IP, which fails for IPs like `192.168.255.255` (correctly in range) but also fails to exclude IPs like `192.169.0.1` (outside the /16 range) because it only checks the first three octets.

750
MCQ (medium)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You receive an alert about a suspicious sign-in from an IP address associated with a known malicious actor. The sign-in was for a privileged account. You need to immediately contain the incident. What should you do first?

A.Reset the user's password.
B.Disable the user account in Microsoft Entra ID.
C.Create a custom analytics rule in Sentinel to detect similar sign-ins.
D.Block the IP address in the firewall.
Answer: B

Disabling the account immediately prevents further sign-ins.

Why this answer

Option B is correct because disabling the user account immediately stops the attacker from using the compromised credentials. Option A is wrong because resetting the password might not be fast enough if the attacker has an active session. Option D is wrong because blocking the IP in the firewall is reactive and may not be effective if the attacker uses a different IP.

Option C is wrong because creating an analytics rule does not contain the incident immediately.
