Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 751-825

1639 questions total · 22 pages · All types, answers revealed

Page 11 of 22
751
MCQ · medium

You are investigating repeated SQL injection alerts. The KQL query returns IP addresses with more than 5 alerts in the last 7 days. What is the purpose of the `summarize` and `where AlertCount > 5` lines?

A.To identify IPs with a high number of alerts, indicating a possible attack.
B.To correlate alerts with other data sources.
C.To remove duplicate alerts from the same IP.
D.To count the number of distinct IP addresses.
Answer: A

A high alert count from a single source IP may indicate ongoing malicious activity.

Why this answer

Option A is correct because `summarize` groups the alerts by source IP and computes a per-IP count, and `where AlertCount > 5` keeps only the IPs whose count exceeds the threshold; together they surface the sources generating the most SQL injection alerts, which points to a likely attack. Option B is wrong because neither line correlates with other tables. Option C is wrong because `summarize ... count()` aggregates rows; it does not deduplicate alerts. Option D is wrong because the query counts alerts per IP, not distinct IP addresses (that would be `dcount(IPAddress)`).
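The query the question refers to is not reproduced on this page. The following is an added example, not the exhibit from the original question, showing how the two lines in question fit into a complete hunt over the Microsoft Sentinel SecurityAlert table. The alert-name match ("SQL injection") is an assumption and should be adjusted to the products feeding your workspace (Defender for SQL, WAF, and so on).

```kql
// Added example (not the exhibit from the original question): source IPs with
// more than 5 SQL injection alerts in the last 7 days, built from the Sentinel
// SecurityAlert table. The alert-name match is an assumption; adjust it to the
// products in your workspace (e.g. Defender for SQL, Azure WAF).
SecurityAlert
| where TimeGenerated > ago(7d)
| where AlertName has "SQL injection"
// Entities is a JSON array; pull out every IP entity attached to the alert
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "ip"
| extend SourceIP = tostring(Entity.Address)
| where isnotempty(SourceIP)
// One alert can carry the same IP twice; count alerts, not entity rows
| summarize AlertCount = dcount(SystemAlertId),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Products = make_set(ProductName)
            by SourceIP
| where AlertCount > 5
| order by AlertCount desc
```

The `summarize` line is the group-by-IP step and the `where` line is the threshold; lowering the threshold or the lookback window trades noise for recall, so pair any change with a review of the resulting alert volume.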

752
MCQ · medium

An organization uses Microsoft 365 Defender. A security analyst is reviewing an incident that involves a user who clicked a phishing link in an email. The analyst wants to see the email's full timeline, including delivery, click, and any follow-up actions. Which section of the email entity page provides this information?

A.Detection details
B.Email timeline
C.Threat types
D.Investigation graph
Answer: B

The Email timeline provides a chronological view of all actions and events associated with the email, including delivery, user clicks, and system responses.

Why this answer

The Email timeline section on the email entity page in Microsoft 365 Defender provides a chronological view of the email's lifecycle, including delivery, user clicks on the phishing link, and subsequent remediation actions such as soft delete or quarantine. This directly meets the analyst's need to see the full sequence of events for the incident.

Exam trap

The trap here is that candidates often confuse the Investigation graph (which shows entity relationships) with the Email timeline (which shows chronological events), leading them to select the graph option when they need a sequential log of actions.

How to eliminate wrong answers

Option A is wrong because Detection details only show the specific detection technologies (e.g., anti-malware, anti-phishing) that flagged the email, not the chronological sequence of delivery, click, and follow-up actions. Option C is wrong because Threat types categorize the email by threat classification (e.g., phishing, malware) but do not provide a timeline of events. Option D is wrong because Investigation graph is a visual representation of related entities and alerts, not a dedicated timeline for a single email's lifecycle.

753
MCQ · easy

You are threat hunting for indicators of compromise related to a known malware family. Which data source in Microsoft Defender XDR would provide the most direct evidence of malware execution on endpoints?

A.EmailEvents
B.DeviceProcessEvents
C.IdentityLogonEvents
D.DeviceNetworkEvents
Answer: B

Process creation events directly record execution.

Why this answer

Option B is correct because DeviceProcessEvents captures process creation events (file name, SHA-256, command line, parent process), which is the most direct evidence that a malware binary actually executed on an endpoint. Option A is incorrect because EmailEvents covers email delivery, not what ran on a device. Option D is incorrect because DeviceNetworkEvents shows network connections, which typically follow execution rather than prove it. Option C is incorrect because IdentityLogonEvents focuses on authentication activity.

754
MCQ · medium

A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?

A.Review Conditional Access app control policies for any block rules
B.Check Microsoft 365 Defender alerts for malicious OAuth apps
C.Query the Microsoft 365 Defender advanced hunting table 'CloudAppEvents' for app installation events and then use 'AppGovernance' to list all apps
D.Use the Cloud App Security activity log to search for 'Install app' events and then review the 'App governance' dashboard for all instances
Answer: D

Search the activity log for the installations first, then use App governance to scope every instance of the app.

Why this answer

Option D is correct because the Defender for Cloud Apps activity log is the most complete record of app installations (OAuth consents), and the App governance dashboard then lists every instance of the app, its permissions and the users who granted them. Option A is wrong because Conditional Access app control policies are a preventive control, not a hunting data source. Option B is wrong because alerts only surface apps that have already matched a detection. Option C is wrong because, although CloudAppEvents is a valid advanced hunting table, 'AppGovernance' is not an advanced hunting table; app governance is a dashboard in the Defender portal and is not queried from KQL.

755
MCQ · hard

A SOC analyst wants to detect when a user signs in from a device that has never been used by that user before. The analyst plans to use Microsoft Sentinel with the SigninLogs table. Which KQL approach correctly identifies sign-ins from devices not previously associated with the user within the last 30 days?

A.Join the SigninLogs table with itself to find the earliest sign-in per user and device, then filter for those that match the earliest timestamp
B.Use the _GetWatchlist function with a custom watchlist of known user-device pairs
C.Use the BehaviorAnalytics table which already identifies new devices
D.Apply the 'where DeviceId != '' and DeviceId startswith "device-"' filter to ensure the device is new
Answer: A

Correct. By summarizing the earliest sign-in time for each user-device pair and joining back, you can identify sign-ins that are the first for that combination, effectively detecting new device usage.

Why this answer

Option A is correct because it uses a self-join on the SigninLogs table to identify the earliest sign-in per user-device pair within the last 30 days. By filtering for rows where the sign-in timestamp matches the earliest timestamp, the query isolates sign-ins from devices that have never been used by that user before, effectively detecting first-time device usage.

Exam trap

The trap here is that candidates may assume a watchlist or a pre-built table such as BehaviorAnalytics is the easiest solution, but the question asks for a KQL approach over SigninLogs: the per-user device baseline has to be derived from the sign-in data itself, which is what a self-join does without any list to maintain.

How to eliminate wrong answers

Option B is wrong because the _GetWatchlist function requires a pre-built watchlist of known user-device pairs, which is a manual, static approach that does not dynamically detect new devices within the last 30 days. Option C is wrong because the BehaviorAnalytics table provides pre-computed behavioral insights but does not directly contain raw sign-in logs or device-level data to identify new devices per user; it relies on underlying tables like SigninLogs for such analysis. Option D is wrong because filtering by DeviceId != '' and DeviceId startswith 'device-' does not identify new devices; it merely excludes empty or non-matching device IDs, and Microsoft Entra device IDs are GUIDs, so a 'device-' prefix would match nothing.
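As an added example that is not part of the original question, here is one way to write the self-join described in option A. Both the 30-day baseline and the sign-ins under evaluation come from SigninLogs; the baseline is subtracted with a leftanti join, which keeps only rows that have no match, i.e. (user, device) pairs never seen before. The one-day evaluation window and the restriction to successful sign-ins are assumptions.

```kql
// Added example (not from the original question): sign-ins in the last day
// from a (user, device) pair that has no successful sign-in in the preceding
// 30 days, i.e. a device never before used by that user. Baseline and
// candidates both come from SigninLogs, so this is the self-join the exam
// describes, written as a leftanti join (keep rows with no baseline match).
let lookback = 30d;     // baseline window
let window   = 1d;      // sign-ins to evaluate (assumed)
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | where ResultType == "0"                       // successful sign-ins only
    | extend DeviceId = tostring(DeviceDetail.deviceId)
    | where isnotempty(DeviceId)                    // unregistered devices have no ID
    | distinct UserPrincipalName, DeviceId;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| extend DeviceId  = tostring(DeviceDetail.deviceId),
         DeviceOS  = tostring(DeviceDetail.operatingSystem),
         TrustType = tostring(DeviceDetail.trustType)
| where isnotempty(DeviceId)
// leftanti: rows from the left side that have NO match in the baseline
| join kind=leftanti baseline on UserPrincipalName, DeviceId
| summarize FirstSeen = min(TimeGenerated),
            SignIns   = count(),
            IPs       = make_set(IPAddress, 10)
            by UserPrincipalName, DeviceId, DeviceOS, TrustType
| order by FirstSeen desc
```

Two caveats a practitioner should keep in mind: sign-ins from devices that are not registered in Microsoft Entra carry an empty deviceId and are dropped here (you would need a weaker fingerprint such as browser plus operating system to cover them), and the first run after enabling the rule will flag every device because the baseline is empty until the lookback window fills.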

756
MCQ · medium

A security analyst in Microsoft 365 Defender needs to review all actions that were automatically taken by an investigation (e.g., isolating a device, deleting a file) that occurred during an incident. Where should the analyst find this list of executed actions?

A.Action center
B.Hunting queries
C.Incidents page
D.Alerts page
Answer: A

Action center lists all automated and manual actions taken during investigations, including status and results.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location that records all manual and automated response actions taken during investigations, such as device isolation, file deletion, or process termination. This includes actions automatically executed by automated investigation and response (AIR) playbooks during an incident. The analyst can filter the Action center by 'Automated' to see only those actions taken without manual intervention.

Exam trap

The trap here is that candidates confuse the Incidents page (which shows the overall story) with the Action center (which is the specific repository for executed actions), leading them to select the Incidents page instead of the correct Action center.

How to eliminate wrong answers

Option B is wrong because Hunting queries are used for proactive threat hunting using Kusto Query Language (KQL) to search for raw telemetry and logs, not to review a list of already-executed response actions. Option C is wrong because the Incidents page shows the incident summary, timeline, and related alerts, but it does not provide a dedicated, filterable list of all executed actions; the Action center is the specific location for that. Option D is wrong because the Alerts page lists individual alerts triggered by suspicious activities, but it does not aggregate the automated response actions taken; those actions are recorded in the Action center after an alert triggers an investigation.

757
MCQ · easy

You are configuring Microsoft Sentinel to send email notifications to the security team when high-severity incidents are created. Which feature should you use?

A.Automation rule
B.Watchlist
C.Analytics rule
D.Workbook
Answer: A

Correct. Automation rules can trigger playbooks that send emails.

Why this answer

Automation rules in Microsoft Sentinel run when an incident is created (or updated) and match conditions such as severity; one of the actions they can take is to run a playbook, and the playbook is what actually sends the email. An automation rule that triggers on incident creation, filters on severity High and runs an email playbook meets the requirement without any manual steps.

Exam trap

The trap here is that candidates often confuse analytics rules with automation rules, assuming that analytics rules can directly send notifications, when in fact they only create alerts/incidents and require automation rules or playbooks for notification actions.

How to eliminate wrong answers

Option B is wrong because watchlists are collections of data (e.g., IP addresses, usernames) used for correlation and enrichment in analytics rules, not for triggering actions like email notifications. Option C is wrong because analytics rules generate alerts and incidents based on query results, but they do not natively send email notifications; they rely on automation rules or playbooks for that purpose. Option D is wrong because workbooks are visualization tools that display data from queries and logs, not mechanisms for sending notifications or triggering automated responses.

758
MCQ · easy

You are a Microsoft Security Operations Analyst. Your organization recently deployed Microsoft Defender for Cloud Apps. You need to ensure that alerts generated by Defender for Cloud Apps are automatically forwarded to Microsoft Sentinel. What should you configure?

A.In Microsoft Sentinel, create an analytics rule with a query that pulls data from Defender for Cloud Apps API.
B.In Microsoft Defender for Cloud Apps, configure SIEM integration.
C.In Microsoft Sentinel, configure a playbook to retrieve alerts from Defender for Cloud Apps.
D.In Microsoft Sentinel, add the Microsoft Defender for Cloud Apps data connector.
Answer: D

The data connector ingests Defender for Cloud Apps alerts (and, optionally, discovery logs) into the Sentinel workspace.

Why this answer

Option D is correct because the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel is the supported way to stream its alerts into the workspace, where analytics rules can turn them into incidents. Option A is wrong because an analytics rule queries data already in the workspace; it does not pull from the Defender for Cloud Apps API. Option B is wrong because the SIEM integration in Defender for Cloud Apps is intended for third-party SIEMs (via the SIEM agent), not for Sentinel. Option C is wrong because a playbook is a response action, not a data ingestion mechanism.

759
MCQ · easy

Your organization uses Microsoft Sentinel. An incident has been identified as a false positive. What is the recommended action to prevent similar false positives in the future?

A.Delete the analytics rule
B.Close the incident and set the classification to 'False positive'
C.Modify the analytics rule to reduce false positives
D.Mark the incident as 'False positive' and add a comment
Answer: C

Tuning the rule reduces future false positives.

Why this answer

Option C is correct because tuning the analytics rule (tightening the query, excluding known-good entities, adjusting the threshold) is what stops the same benign activity from generating incidents again. Option B is wrong because closing the incident with a 'False positive' classification records the outcome but does not change what the rule detects. Option D is wrong because marking the incident and adding a comment is good for tracking but does not prevent recurrence. Option A is wrong because deleting the rule removes the detection entirely, which is too aggressive.

760
MCQ · hard

A security analyst in your company uses Microsoft Defender XDR to investigate an incident involving a user who received a malicious email. The analyst needs to block the sender's email address across all tenants in the organization. What is the most efficient way to achieve this?

A.In the Microsoft 365 Defender portal, use the action center to block the sender's email address across all tenants.
B.From the Microsoft 365 Defender portal, go to Email & collaboration > Exchange admin center and block the sender.
C.In Microsoft Purview, create a data loss prevention policy to block the sender.
D.In Microsoft Entra ID admin center, create a conditional access policy to block the sender.
Answer: A

The action center in Microsoft 365 Defender tracks response actions, including blocking senders.

Why this answer

Microsoft Defender XDR allows you to take action on entities such as email senders, and the action center is where those response actions are recorded and tracked. Option A is correct because it is the Defender XDR response path and, as the question frames it, applies across the organization. Option B is wrong because blocking in the Exchange admin center is done per tenant and is not as efficient for cross-tenant blocking. Option D is wrong because the Microsoft Entra admin center manages identities and Conditional Access, not email sender blocking. Option C is wrong because Microsoft Purview data loss prevention is a compliance control, not email threat protection.

761
MCQ · hard

You are reviewing a scheduled analytics rule in Microsoft Sentinel. What does the suppressionDuration setting affect?

A.It groups alerts into a single incident within that time window.
B.It delays the execution of the query by that amount of time.
C.It determines how often the query runs.
D.It stops the rule from creating new alerts for that duration after an alert is generated.
Answer: D

Suppression duration prevents duplicate alerts within the specified time.

Why this answer

Option D is correct. Suppression duration determines how long to wait, after an alert is generated, before the same rule is allowed to generate another alert, which suppresses duplicates for a noisy condition. Option A is wrong because grouping alerts into incidents is controlled by the rule's alert grouping and incident settings, not by suppression. Option B is wrong because suppression does not delay the query; it applies only after an alert has already fired. Option C is wrong because how often the query runs is the rule's query scheduling (frequency) setting, which is separate from suppression.

762
MCQ · medium

A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans (e.g., Defender for Servers, Defender for SQL) enabled on a management group. The security team wants to automatically enable these plans on new Azure subscriptions that are created under this management group. Which approach is the most efficient and scalable?

A.Use an Azure Policy definition that enforces the Microsoft Defender for Cloud pricing tier (Standard) at the management group scope.
B.Manually enable the plans for each new subscription when it is created.
C.Create an Azure Automation runbook that runs on a schedule and enables plans for all subscriptions under the management group.
D.Use Azure Blueprints to define the Defender for Cloud settings in the blueprint definition.
Answer: A

Azure Policy can be assigned to a management group, automatically applying the desired Defender for Cloud configuration to all existing and new subscriptions within that group.

Why this answer

Azure Policy can be assigned at the management group scope to enforce the 'Standard' pricing tier for Microsoft Defender for Cloud on all current and future subscriptions. This ensures that when a new subscription is created under that management group, the policy automatically evaluates and remediates the subscription to enable the required Defender plans, providing a fully automated, scalable, and governance-driven approach without manual intervention or custom scripting.

Exam trap

The trap here is that candidates often confuse Azure Blueprints (which apply settings only at deployment time) with Azure Policy (which provides continuous enforcement and automatic remediation), leading them to choose the Blueprints option despite its lack of ongoing compliance and scalability for new subscriptions.

How to eliminate wrong answers

Option B is wrong because manually enabling plans for each new subscription is not scalable, introduces human error, and violates the principle of automated governance at scale. Option C is wrong because an Azure Automation runbook running on a schedule introduces latency, requires custom code and credential management, and does not provide real-time enforcement or compliance reporting like Azure Policy does. Option D is wrong because Azure Blueprints are deprecated in favor of deployment stacks and do not provide continuous enforcement of Defender for Cloud pricing tiers; they only apply settings at deployment time and do not automatically remediate drift or new subscriptions after the blueprint assignment.

763
MCQ · medium

Your Microsoft Sentinel environment uses multiple workspaces. You need to centrally manage incidents from all workspaces in a single interface. What should you use?

A.Use cross-workspace queries in Sentinel incidents.
B.Create an Azure Monitor workbook.
C.Use the Microsoft 365 Defender portal.
D.Use Azure Logic Apps to aggregate incidents.
Answer: A

Sentinel allows you to include multiple workspaces in incident queries.

Why this answer

Cross-workspace queries in Microsoft Sentinel allow you to include multiple workspaces in a single query by using the `workspace()` expression. When you create a scheduled analytics rule that uses such a query, Sentinel can centrally manage incidents generated from data across all specified workspaces, providing a unified incident queue in the Sentinel interface.

Exam trap

The trap here is that candidates often confuse cross-workspace queries (which enable centralized incident creation from multiple workspaces) with Azure Monitor workbooks (which only visualize data) or the Microsoft 365 Defender portal (which unifies Microsoft 365 security incidents, not Sentinel workspace incidents).

How to eliminate wrong answers

Option B is wrong because an Azure Monitor workbook is a visualization and reporting tool, not an incident management interface; it cannot centrally manage incidents or trigger response actions. Option C is wrong because the Microsoft 365 Defender portal unifies incidents from Microsoft 365 security products (e.g., Defender for Endpoint, Defender for Office 365), but it does not natively aggregate incidents from multiple Sentinel workspaces. Option D is wrong because Azure Logic Apps can automate incident response workflows and aggregate data, but it does not provide a single interface for centrally managing incidents; it is an orchestration tool, not a management console.

764
MCQ · medium

A SOC team uses Microsoft Sentinel. They need to correlate syslog events from on-premises firewalls with Microsoft Entra ID sign-in logs to detect VPN-based intrusions. The correlation requires joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Which type of analytics rule should the analyst configure?

A.Scheduled query rule
B.Near-real-time (NRT) rule
C.Fusion rule
D.Anomaly rule
Answer: A

Scheduled query rules support custom KQL queries that join multiple tables and can be scheduled at any interval, making them suitable for cross-source correlation.

Why this answer

A scheduled query rule is correct because the requirement involves joining two tables (Syslog and SigninLogs) on a common field (IP address) and running on a 10-minute schedule. Scheduled query rules are designed for complex, multi-table correlations that run at fixed intervals (e.g., every 10 minutes) and can aggregate or join data across tables, making them ideal for this VPN intrusion detection scenario.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled rules, but NRT rules cannot perform multi-table joins, which is explicitly required by the question's correlation of Syslog and SigninLogs.

How to eliminate wrong answers

Option B is wrong because near-real-time (NRT) rules run every minute with a 1-minute lookback and cannot join multiple tables; they only support a single table query. Option C is wrong because Fusion rules are based on Microsoft's built-in machine learning correlation of multiple alert types, not custom user-defined joins on syslog and sign-in logs. Option D is wrong because anomaly rules use machine learning to detect unusual patterns in a single data source over time, not cross-table joins on a fixed schedule.
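The following is an added example, not part of the original question, of the kind of query a scheduled rule like this would run every 10 minutes: source IPs that failed VPN authentication repeatedly at the on-premises firewall and then signed in successfully to Microsoft Entra ID within the same window. The firewall message wording ('VPN', 'authentication failed') and the `src=<ip>` field extracted by the regex are assumptions about a hypothetical appliance and must be adapted to the real syslog format; the failure threshold is also an assumption.

```kql
// Added example (not from the original question): the correlation a
// 10-minute scheduled rule would run. The firewall message format is an
// assumption: VPN authentication failures are modelled as containing the
// words 'VPN' and 'authentication failed' plus a 'src=<ip>' field. Adapt the
// has-filters and regex to the actual appliance syntax.
let lookback   = 10m;   // match the rule's query frequency and lookback
let minFailures = 5;    // assumed threshold
let vpnFailures =
    Syslog
    | where TimeGenerated > ago(lookback)
    | where SyslogMessage has "VPN" and SyslogMessage has "authentication failed"
    | extend SrcIP = extract(@"src=(\d{1,3}(?:\.\d{1,3}){3})", 1, SyslogMessage)
    | where isnotempty(SrcIP)
    | summarize Failures = count(),
                FirstFailure = min(TimeGenerated),
                Firewalls = make_set(Computer)
                by SrcIP
    | where Failures >= minFailures;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                          // successful Entra ID sign-in
| project SignInTime = TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName,
          Country = tostring(LocationDetails.countryOrRegion)
// Same public IP that was hammering the VPN now authenticates to Entra ID
| join kind=inner vpnFailures on $left.IPAddress == $right.SrcIP
| where SignInTime > FirstFailure
| project SignInTime, UserPrincipalName, IPAddress, Country, AppDisplayName,
          Failures, FirstFailure, Firewalls
| order by SignInTime desc
```

Because both sides are filtered to the same 10-minute lookback, an attacker whose VPN failures straddle two rule runs can slip between windows; if that matters, give the Syslog side a longer lookback than the SigninLogs side and let the `where SignInTime > FirstFailure` clause enforce ordering.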

765
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You need to ensure that anomalous behavior alerts from Defender for Cloud Apps are automatically converted to incidents in Sentinel. What should you configure?

A.Enable the Microsoft Defender for Identity data connector in Microsoft Sentinel.
B.Enable the Microsoft 365 data connector in Microsoft Sentinel.
C.Create a playbook that triggers on Defender for Cloud Apps alerts and creates incidents in Sentinel.
D.Enable the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel.
Answer: D

This connector ingests Defender for Cloud Apps alerts and can create incidents from them automatically.

Why this answer

Option D is correct because the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel ingests its alerts, including anomaly detection alerts, and can be configured to create incidents from them automatically. Option B is wrong because the Microsoft 365 data connector ingests Office 365 activity logs (Exchange, SharePoint, Teams), not Defender for Cloud Apps alerts. Option C is wrong because a playbook would be an unnecessary extra step when the connector does this natively. Option A is wrong because the Defender for Identity connector is for identity alerts.

766
MCQ · medium

You are investigating a potential brute-force attack against Microsoft 365. Which KQL query in Microsoft Sentinel would best identify failed logon attempts from a single IP address across multiple users?

A.SigninLogs | summarize dcount(IPAddress) by UserId | where dcount_ > 10
B.SigninLogs | summarize count() by UserId | where count_ > 10
C.SigninLogs | summarize count() by IPAddress | where count_ > 10
D.SigninLogs | summarize dcount(UserId) by IPAddress | where dcount_ > 10
Answer: D

This query counts distinct users per source IP; a single IP hitting many accounts is the signature of a password-spray or brute-force attack.

Why this answer

Option D is correct because it counts distinct UserId values per IPAddress and filters for IPs that touched more than 10 accounts. Option C is wrong because it counts total sign-in rows per IP, not distinct users, so one user failing repeatedly would also match. Option B is wrong because it groups by UserId, not IP. Option A is wrong because it counts distinct IPs per user, the opposite of what is needed.

767
MCQ · easy

You are reviewing this analytics rule in Microsoft Sentinel. What is the problem with this rule?

A.The query is missing a time range filter
B.The aggregate function should be 'summarize' with 'dcount'
C.The trigger threshold should be set to 5
D.The query syntax is invalid
Answer: A

Without a time filter, the rule queries all sign-in logs in the workspace.

Why this answer

Option A is correct because the query does not include a time filter, so every run would scan all historical data rather than the rule's lookback window. Option D is wrong because the syntax is valid. Option C is wrong because the trigger threshold is fine for matching. Option B is wrong because the aggregate is fine.
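Questions 766 and 767 together describe what a usable brute-force rule needs: distinct accounts per source IP, and a time filter. The following is an added example, not a query from either question, that tightens the option D query from question 766 accordingly: it keeps only failed sign-ins, adds the time window question 767 says is missing, and reports both the number of distinct accounts and the raw attempt count per IP in one-hour bins. The window and threshold are assumptions to tune against your tenant's baseline.

```kql
// Added example (not the query from the question): dcount-by-IP brute-force
// detection shaped for an analytics rule. Failed sign-ins only, a bounded
// time window, and both distinct-user and raw-attempt counts per source IP.
// Window and threshold are assumptions; tune them to your tenant.
let window   = 1d;
let minUsers = 10;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType != "0"                              // failed sign-ins only
// Frequent failure codes: 50126 invalid password, 50053 account locked,
// 50034 user does not exist (seen with username enumeration)
| summarize Attempts      = count(),
            TargetedUsers = dcount(UserPrincipalName),
            Users         = make_set(UserPrincipalName, 20),
            ResultTypes   = make_set(ResultType),
            FirstAttempt  = min(TimeGenerated),
            LastAttempt   = max(TimeGenerated)
            by IPAddress, bin(TimeGenerated, 1h)
| where TargetedUsers > minUsers
| order by TargetedUsers desc, Attempts desc
```

Two details worth knowing when you adapt the exam's one-liners: `summarize dcount(UserId) by IPAddress` names its output column `dcount_UserId` (not `dcount_`), so the following `where` must use that name or you must alias it as above, and `UserPrincipalName` is easier to read in an incident than the `UserId` object ID while giving the same distinct count.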

768
MCQ · easy

During a threat hunt, you identify a suspicious process that spawned from Microsoft Word with a command-line argument containing ' -enc '. Which hunting technique is most appropriate to investigate this further?

A.Review the PowerShell script block logging
B.Initiate network traffic analysis for the host
C.Check the file hash against threat intelligence feeds
D.Decode the base64-encoded command-line argument
Answer: D

Base64 decoding reveals the actual command executed, which is the fastest way to understand the threat.

Why this answer

Option D is correct because base64-encoded command lines (PowerShell's -EncodedCommand, abbreviated -enc) are commonly used by malicious documents to obfuscate payloads, and decoding the argument reveals the intended command. Option A is incorrect because script block logging is a useful follow-up but is not required to read a command that is already in hand, and decoding is not limited to PowerShell telemetry. Option B is incorrect because network traffic analysis may follow but is not the immediate next step. Option C is incorrect because a file hash lookup is less relevant for an encoded command.
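The decoding can be done inside the hunting query itself. The following is an added example, not from the original question, that finds processes spawned by Microsoft Word whose command line carries an encoded PowerShell argument and decodes it in Microsoft Defender XDR advanced hunting. The seven-day window and the list of suspicious keywords are assumptions.

```kql
// Added example (not from the original question): hunt for processes spawned by
// Microsoft Word whose command line carries an encoded PowerShell command, and
// decode it in the query. PowerShell's -EncodedCommand is base64 of UTF-16LE
// text, so base64_decode_tostring() returns the ASCII characters interleaved
// with NUL bytes; the replace_regex strips those NULs. Window is an assumption.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName =~ "winword.exe"
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe")
// -enc, -e, -ec or -EncodedCommand (case-insensitive), then the base64 blob
| extend Encoded = extract(@"(?i)\s-e(?:nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{16,})",
                           1, ProcessCommandLine)
| where isnotempty(Encoded)
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
// Keywords typical of download cradles and AMSI/policy bypass (assumed list)
| extend Suspicious = Decoded has_any ("DownloadString", "IEX", "Invoke-Expression",
                                        "FromBase64String", "Net.WebClient",
                                        "-nop", "bypass")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          FileName, ProcessCommandLine, Decoded, Suspicious, SHA256
| order by Suspicious desc, Timestamp desc
```

The NUL-stripping trick works because the commands of interest are ASCII; if the encoded script contains non-ASCII characters the UTF-16LE bytes are not valid UTF-8 and `base64_decode_tostring()` returns an empty string, in which case decode offline (for example `[Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($enc))` in PowerShell) or use `base64_decode_toarray()` and reassemble the code points.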

769
MCQ · medium

Your organization uses Microsoft Defender XDR. The incident queue shows multiple alerts related to a single endpoint: malware detected, suspicious PowerShell execution, and data exfiltration attempts. The analyst needs to investigate the incident. Which tool should the analyst use to correlate these events?

A.Microsoft Defender for Office 365 Explorer.
B.Microsoft Defender for Cloud Apps activity log.
C.Advanced hunting in Microsoft Defender XDR.
D.Microsoft Sentinel incident workspace.
Answer: C

Advanced hunting can query across all domains.

Why this answer

Advanced hunting in Microsoft Defender XDR allows cross-domain queries (endpoint, identity, email). Option A is for email; Option B is for cloud apps; Option D is a different platform.

770
MCQ · easy

A security analyst is investigating a phishing incident in Microsoft 365 Defender. They need to view the original email's sender, delivery action, and any automated remediation steps taken. Which entity page should the analyst open?

A.User entity page
B.Device entity page
C.Email entity page
D.IP entity page
Answer: C

The email entity page contains full email metadata including sender, delivery action, and any automated remediation steps taken.

Why this answer

The Email entity page in Microsoft 365 Defender (part of Microsoft Defender XDR) is specifically designed to provide a comprehensive view of an email message, including the original sender, delivery action (e.g., delivered, quarantined, blocked), and any automated remediation steps (e.g., zero-hour auto purge, soft delete). This page aggregates data from Exchange Online Protection (EOP) and Microsoft Defender for Office 365, making it the correct choice for investigating phishing incidents.

Exam trap

The trap here is that candidates may confuse the User entity page with email investigation because user accounts are often involved in phishing, but the User entity page lacks the specific email message-level details (sender, delivery action, remediation) that only the Email entity page provides.

How to eliminate wrong answers

Option A is wrong because the User entity page focuses on user-related activities, sign-ins, and alerts, but does not expose the original email's sender, delivery action, or remediation steps for a specific message. Option B is wrong because the Device entity page is used for investigating device-level threats, such as malware or suspicious processes, and has no context for email-specific attributes like sender or delivery action. Option D is wrong because the IP entity page provides information about network traffic and IP reputation, but it cannot show the original email's sender or automated remediation steps taken on a message.

771
MCQ · hard

Refer to the exhibit. You are reviewing a playbook configuration in Microsoft Sentinel. The playbook is supposed to create a task to generate a ServiceNow ticket and notify the SOC manager when a high-severity alert is triggered. However, when a high-severity alert occurs, only the notification task is created, and the ticket creation task is missing. What is the most likely cause?

A.The playbook uses an unsupported trigger type.
B.The playbook JSON has an invalid structure for the trigger.
C.The alertRuleId is a placeholder and does not correspond to a real analytics rule in the environment.
D.The severity filter is incorrectly specified; it should be an array of strings.
Answer: C

The ID is incomplete and likely invalid, causing the playbook to fail to associate with the rule.

Why this answer

Option C is correct because the playbook JSON shows that the alertRuleId is a placeholder ('a8144c0a-...') that is incomplete and likely invalid. If the playbook cannot resolve the analytics rule, it may fail partially, which matches the symptom of one task being created and the other missing. Option B is wrong because the trigger structure is valid. Option A is wrong because the trigger type used is a supported one. Option D is wrong because the severity filter is specified correctly as shown.

772
Drag & Drop · medium

Arrange the steps to configure a Microsoft Sentinel playbook (automation) using Azure Logic Apps.


Why this order

Playbooks are Logic Apps that automate responses; they must be created and then linked to Sentinel automation rules.

773
MCQ · medium

Refer to the exhibit. The KQL query is used for threat hunting. What is the primary purpose of this query?

A.Identify devices where cmd.exe launched PowerShell and made outbound HTTPS connections.
B.Find devices where PowerShell was used to download files.
C.Detect lateral movement using remote services.
D.Identify cmd.exe running with high integrity.
Answer: A

The join on DeviceName ensures both events occurred on the same device.

Why this answer

Option A is correct because the query joins cmd.exe executions whose command line contains 'powershell' with network connections to port 443 on the same device, a pattern consistent with a PowerShell download cradle or command-and-control beacon. Option D is wrong because the query does not inspect process integrity levels. Option B is wrong because an outbound HTTPS connection is consistent with, but does not by itself prove, a file download. Option C is wrong because the query is not scoped to lateral movement via remote services; it targets command-and-control activity.
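The exhibit itself is not reproduced on this page. The following is an added example, not the exhibit from the original question, of how the same hunt is written in Microsoft Defender XDR advanced hunting. It joins on DeviceId plus the spawned process ID rather than on DeviceName alone, so that connections from unrelated PowerShell instances on the same host are not paired with the cmd.exe spawn; the one-day lookback and two-minute pairing window are assumptions.

```kql
// Added example (not the exhibit from the original question): cmd.exe launching
// PowerShell, joined to outbound HTTPS connections made by that PowerShell
// process on the same device within the following two minutes. Joining on
// DeviceId and process ID is tighter than joining on DeviceName alone, which
// would pair unrelated connections from the same host. Windows are assumptions.
let window = 2m;
let spawns =
    DeviceProcessEvents
    | where Timestamp > ago(1d)
    | where InitiatingProcessFileName =~ "cmd.exe"
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    | project SpawnTime = Timestamp, DeviceId, DeviceName, AccountName,
              ProcessId, ProcessCommandLine, InitiatingProcessCommandLine;
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "ConnectionSuccess"
| where RemotePort == 443
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| project ConnTime = Timestamp, DeviceId, InitiatingProcessId, RemoteIP, RemoteUrl
// Same device AND the connecting process is the one cmd.exe spawned
| join kind=inner spawns on DeviceId, $left.InitiatingProcessId == $right.ProcessId
| where ConnTime between (SpawnTime .. SpawnTime + window)
| summarize Connections  = count(),
            Destinations = make_set(coalesce(RemoteUrl, RemoteIP), 10)
            by DeviceName, AccountName, SpawnTime, ProcessCommandLine,
               InitiatingProcessCommandLine
| order by SpawnTime desc
```

Process IDs are reused by the operating system, which is why the time window is bounded by the spawn time; widen `window` if the payload waits before beaconing, and add `RemoteUrl`-based allow-listing of known-good destinations (for example your configuration-management endpoints) before turning this into a detection.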

774
Multi-Select · hard

Which THREE actions should be taken when a phishing attack is detected in Microsoft Defender XDR?

Select 3 answers
A.Run a full antivirus scan on the user's device
B.Report the email as phishing in Microsoft Defender for Office 365
C.Reset the user's password
D.Block the sender's email address or domain
E.Delete the phishing email from the user's mailbox
Answers: B, D, E

Reporting improves detection; blocking and removal contain the attack.

Why this answer

Options B, D, and E are correct. Reporting the email as phishing feeds the detection systems, deleting it from the user's mailbox removes the user's access to the lure, and blocking the sender's address or domain prevents further emails from that source. Option C is wrong because resetting the password is not an immediate containment step for every phishing detection; it is warranted once there is evidence that credentials were submitted. Option A is wrong because a full antivirus scan of the device may be done later but is not a priority when the attack vector is an email.

775
MCQ · medium

The exhibit shows a partial playbook trigger configuration in Microsoft Sentinel. When will this playbook be triggered?

A.When an incident is updated with severity High.
B.When an alert is generated with severity High.
C.When an incident of severity High is created.
D.When any incident is created.
Answer: C

The trigger condition explicitly checks that the incident severity is High.

Why this answer

The trigger is configured to fire when an incident is created with severity equal to High. It does not trigger on alerts, nor on any incident, nor on severity Medium or Low.

776
MCQ · medium

Your organization uses Microsoft Sentinel in a hybrid environment with on-premises servers and Azure VMs. You need to ensure that all Windows servers forward their security events to Sentinel. The security team wants to use Windows Security Events via AMA connector. Windows servers are not domain-joined and are managed by a third-party RMM tool. What is the most efficient way to deploy the AMA agent?

A.Use Group Policy Objects (GPO) to push the agent installation.
B.Onboard the servers to Azure Arc and deploy the AMA agent via policy or script.
C.Use Microsoft Intune to deploy the AMA agent to all servers.
D.Manually install the agent on each server using the setup wizard.
AnswerB

Azure Arc enables management of non-Azure machines, allowing agent deployment via Azure Policy or custom scripts.

Why this answer

Option B is correct because deploying via Azure Arc allows centralized management using Azure policies or scripts for non-domain-joined servers. Option A is wrong because GPO requires domain membership. Option C is wrong because Microsoft Intune typically manages Azure VMs, not on-premises non-domain-joined servers.

Option D is wrong because manual installation is not efficient for multiple servers.

777
MCQeasy

Your organization uses Microsoft Defender for Office 365. You want to hunt for phishing emails that bypassed the initial filtering. Which feature should you use to manually submit suspicious emails for analysis and then review the results in the Threat Explorer?

A.Attack Simulator
B.Threat Explorer
C.Quarantine portal
D.Email trace in Exchange admin center
AnswerB

Threat Explorer provides investigation capabilities and manual submission.

Why this answer

Option B is correct because Threat Explorer allows investigation of email threats and manual submissions. Option A is wrong because Attack Simulator is for conducting simulated attacks. Option D is wrong because the email trace in the Exchange admin center is for message flow, not deep threat analysis.

Option C is wrong because the Quarantine portal is for managing quarantined messages, not submitting them for analysis.

778
Multi-Selectmedium

Which THREE components are required to collect syslog messages from a network appliance into Microsoft Sentinel using the Azure Monitor Agent?

Select 3 answers
A.A syslog daemon (e.g., rsyslog) on the log collector server to receive messages.
B.The Azure Monitor Agent installed on a log collector server.
C.The Log Analytics agent (MMA) installed on the appliance.
D.The Syslog data connector in Microsoft Sentinel.
E.A Data Collection Rule (DCR) specifying the syslog facilities and severities.
AnswersA, B, E

Syslog daemon receives network appliance logs.

Why this answer

Option A is correct because syslog messages are sent over UDP (or TCP) by network appliances, and a syslog daemon like rsyslog must be running on the log collector server to listen on port 514 (or a custom port) and receive those messages. Without this daemon, the Azure Monitor Agent cannot ingest the raw syslog data, as the agent relies on the local syslog daemon to capture and forward the logs to its event pipeline.

Exam trap

The trap here is that candidates often confuse the Syslog data connector (a configuration blade in Sentinel) as a required component, when in fact it is just a UI helper; the actual collection relies on the syslog daemon, AMA, and a DCR, which are the three components explicitly tested.

779
MCQmedium

A SOC analyst wants to leverage Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) to detect anomalous sign-in attempts where a user signs in from a country outside their typical pattern. The analyst needs to create an analytics rule that queries the necessary UEBA data. Which Sentinel table should the rule's KQL query primarily reference to evaluate geographic anomalies?

A.SigninLogs
B.BehaviorAnalytics
C.IdentityInfo
D.AADUserRiskEvents
AnswerB

Correct. The BehaviorAnalytics table stores enriched behavioral data, including geographic anomalies, device information, and time-based patterns computed by the UEBA engine.

Why this answer

The BehaviorAnalytics table in Microsoft Sentinel is specifically designed to store UEBA output, including normalized user behavior data such as historical geo-location patterns and anomaly scores. By querying this table, the analyst can directly access pre-computed anomalies for sign-in location deviations without needing to perform complex baseline calculations on raw SigninLogs.

Exam trap

The trap here is that candidates often assume raw sign-in logs (SigninLogs) are sufficient for UEBA-based detection, not realizing that Microsoft Sentinel's UEBA pre-processes and enriches the data into the BehaviorAnalytics table, which is the authoritative source for anomaly queries.

How to eliminate wrong answers

Option A is wrong because SigninLogs contains raw Azure AD sign-in events but lacks the pre-computed behavioral baselines and anomaly scores that UEBA provides, requiring the analyst to manually build and maintain a baseline for geographic patterns. Option C is wrong because IdentityInfo stores user profile and attribute data (e.g., job title, department) but does not contain sign-in activity or behavioral analytics. Option D is wrong because AADUserRiskEvents logs risk detections from Azure AD Identity Protection (e.g., leaked credentials, impossible travel) but does not expose the UEBA-derived geographic anomaly scores or the normalized behavior records found in BehaviorAnalytics.

780
MCQeasy

A security analyst receives an alert in Microsoft Defender for Cloud that an Azure virtual machine is running a process with a known indicator of compromise (IOC). The analyst wants to investigate the process details, including the command line and parent process. Which feature should the analyst use to gather this information from the VM?

A.Vulnerability assessment
B.Live response
C.Inventory of resources
D.Secure score
AnswerB

Live response enables remote investigation of a VM, including process listing and command-line analysis.

Why this answer

Live Response in Microsoft Defender for Cloud provides a remote shell connection to the VM, allowing the analyst to run commands to inspect running processes, command-line arguments, and parent process details in real time. This is the correct feature for deep forensic investigation of an active IOC on the VM.

Exam trap

The trap here is that candidates confuse Live Response with Vulnerability Assessment or Inventory, thinking those can provide process-level details, but only Live Response offers interactive, real-time forensic access to the VM's operating system.

How to eliminate wrong answers

Option A is wrong because Vulnerability Assessment identifies missing patches and misconfigurations, not real-time process details. Option C is wrong because Inventory of Resources lists VM metadata (name, location, tags) but does not provide live process-level data. Option D is wrong because Secure Score is a compliance and posture metric, not a tool for investigating active threats on a VM.

781
MCQmedium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt. What is the best first step to contain the potential threat?

A.Review the Active Directory logs for related events.
B.Disable the account that was used for the authentication.
C.Reset the krbtgt account password twice.
D.Investigate the source IP address of the authentication attempt.
AnswerB

Disabling the account immediately prevents further access.

Why this answer

Option B is correct because disabling the compromised account immediately stops further authentication. Option D is wrong because investigating the source IP does not contain the threat. Option A is wrong because reviewing logs does not contain the threat either.

Option C is wrong because resetting the krbtgt account password twice is a drastic step and not the first action.

782
Multi-Selectmedium

An analyst is building a custom detection rule in Microsoft 365 Defender to identify potential data exfiltration. The rule should alert when a process (e.g., powershell.exe) initiates multiple outbound network connections to an external IP address that is not in the company's corporate IP range within a short time. Which two Advanced Hunting tables must be joined to correlate process execution with network connection details?

Select 2 answers
A.DeviceProcessEvents and DeviceNetworkEvents
B.DeviceProcessEvents and DeviceFileEvents
C.DeviceLogonEvents and DeviceNetworkEvents
D.DeviceProcessEvents and EmailEvents
AnswersA, C

Correct. DeviceProcessEvents provides process start details, and DeviceNetworkEvents provides network connection records. They can be joined to identify processes making outbound connections.

Why this answer

The rule requires correlating process execution (e.g., powershell.exe) with outbound network connections to external IPs. DeviceProcessEvents logs process creation events, while DeviceNetworkEvents logs network connection details including destination IP and port. Joining these two tables on DeviceId and Timestamp (within a short time window) allows the analyst to identify which process initiated the suspicious outbound connections, making A correct.

Exam trap

The trap here is that candidates may confuse DeviceNetworkEvents with DeviceFileEvents or DeviceLogonEvents, mistakenly thinking file or logon events are needed to correlate process execution with network connections, when only DeviceNetworkEvents contains the necessary IP and port data.

783
MCQmedium

A security analyst receives an alert in Microsoft Defender XDR indicating a possible credential theft attempt from an external IP. The analyst wants to isolate the affected device immediately while preserving forensic data. What should the analyst do?

A.Use Microsoft Defender for Endpoint to 'contain device' from the device inventory.
B.Disable the user account in Microsoft Entra ID.
C.Initiate a live response session on the device and run the 'isolate device' command.
D.Reset the user's password and enforce sign-out.
AnswerC

Live response allows forensic collection and isolation, preserving evidence while containing the threat.

Why this answer

Option C is correct because initiating a live response session and running 'isolate device' allows forensic data to be collected before isolation. Option B is wrong because disabling the user account does not prevent lateral movement from the device. Option D is wrong because resetting the password does not isolate the device.

Option A is wrong because 'contain device' in Microsoft Defender for Endpoint is for network containment, not full isolation.

784
MCQhard

Refer to the exhibit. This JSON snippet is from an Azure Web Application Firewall (WAF) policy. What does this rule do?

A.Blocks traffic from the entire 10.0.0.0/24 subnet.
B.Blocks traffic originating from IP address 10.0.0.1.
C.Logs traffic from IP address 10.0.0.1 without blocking.
D.Allows traffic from IP address 10.0.0.1.
AnswerB

The rule matches RemoteAddr with IPMatch operator for '10.0.0.1' and blocks it.

Why this answer

Option B is correct. The rule matches the remote IP address '10.0.0.1' and blocks the request. Option A is wrong because it matches a specific IP, not a range.

Option C is wrong because the action is 'Block'. Option D is wrong because it does not allow.

785
MCQhard

Refer to the exhibit. You are reviewing an analytics rule in Microsoft Sentinel. The rule is enabled but has not generated any alerts in the past 24 hours. What is the most likely cause?

A.The triggerThreshold is set to 0, which means no alerts will be generated
B.Suppression is enabled with a duration of 6 hours, which may be suppressing new alerts after the first one
C.The queryFrequency is 1 hour and the queryPeriod is 7 days, which is a mismatch
D.The query uses 'Location == Unknown' but the actual sign-in location is not 'Unknown'
AnswerB

Suppression prevents duplicate alerts within the suppression window. If an alert was generated, new ones are suppressed for 6 hours.

Why this answer

Option B is correct. Suppression is enabled with a duration of 6 hours, meaning that after an alert is generated, no new alerts are created for the same rule for 6 hours. If an alert was generated yesterday, suppression could prevent new alerts.

Option D is possible but less likely because the query uses the 'Unknown' location, which may still match. Option C is not an issue; the rule will still run every hour. Option A is not a problem.

786
MCQeasy

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user has signed in from a banned country. The analyst needs to block further access from that country for all users. What should the analyst configure?

A.Modify the device compliance policy in Microsoft Intune.
B.Configure a data loss prevention (DLP) policy in Microsoft Purview.
C.Create an IP range group for the country and configure a session policy to block it.
D.Create a conditional access policy in Microsoft Entra ID to block the country.
AnswerC

Session policies can block or allow access based on location.

Why this answer

Option C is correct because a Microsoft Defender for Cloud Apps session policy can block access based on location. Option D is wrong because conditional access policies are in Entra ID, not Defender for Cloud Apps. Option B is wrong because DLP policies don't block access.

Option A is wrong because compliance policies don't block access.

787
MCQmedium

Your SOC team uses Microsoft Sentinel with multiple workspaces across regions. You need to implement a solution that allows analysts to query all workspaces from a single location without moving data. Which feature should you configure?

A.Use cross-workspace queries with workspace() expressions in KQL.
B.Export data to Azure Data Explorer and query there.
C.Create a single Log Analytics workspace and have all data sources send logs there.
D.Configure Azure Lighthouse to manage all workspaces.
AnswerA

Cross-workspace queries allow querying multiple workspaces without moving data.

Why this answer

Option A is correct because cross-workspace queries using the `workspace()` expression in KQL allow analysts to query multiple Log Analytics workspaces from a single query context without moving or centralizing the data. This is the native Microsoft Sentinel feature designed for multi-workspace environments, enabling seamless querying across regions while keeping data in its original workspace.

Exam trap

The trap here is that candidates often confuse Azure Lighthouse (cross-tenant management) with cross-workspace querying, but Lighthouse does not provide the KQL-level query capability needed to query data across workspaces from a single query.

How to eliminate wrong answers

Option B is wrong because exporting data to Azure Data Explorer requires moving data out of Log Analytics, which contradicts the requirement of querying without moving data, and adds latency and cost for data transfer. Option C is wrong because creating a single Log Analytics workspace would require all data sources to send logs to that one location, which violates the requirement of keeping data in multiple workspaces across regions. Option D is wrong because Azure Lighthouse provides cross-tenant management capabilities but does not enable querying across multiple workspaces from a single KQL query; it only allows managing resources across tenants, not querying data across workspaces.

788
Multi-Selecthard

Which THREE approaches are effective for hunting threats in Microsoft Defender XDR using advanced hunting? (Choose three.)

Select 3 answers
A.Using known indicators of compromise (IOCs) from threat intelligence feeds.
B.Establishing a baseline of normal behavior and hunting for deviations.
C.Reviewing all alerts generated by automated detection rules.
D.Searching for any single event that appears unusual.
E.Applying machine learning models to detect anomalous patterns.
AnswersA, B, E

IOCs help search for known threats.

Why this answer

Effective hunting includes using known IOCs, behavioral baselines, and anomaly detection. Options A, B, and E are correct. Option C is incorrect because alerts are reactive.

Option D is incorrect because a single event is not sufficient.

789
MCQmedium

A security analyst wants to identify all users who received a phishing email that contained a known malicious URL. The analyst has the URL. Which advanced hunting table should the analyst query first to find the emails that contained this URL?

A.EmailEvents
B.EmailUrlInfo
C.EmailAttachmentInfo
D.EmailPostDeliveryEvents
AnswerB

EmailUrlInfo stores each URL found in an email along with the NetworkMessageId. Querying this table filtered by the malicious URL will return the network message IDs of the emails containing it.

Why this answer

The EmailUrlInfo table in Microsoft Defender XDR contains records of URLs extracted from email messages, including the specific URL and the email's unique identifier (NetworkMessageId). By querying this table for the known malicious URL, the analyst can retrieve the NetworkMessageIds of all emails containing that URL, which can then be joined with the EmailEvents table to identify the recipients. This is the most direct and efficient first step because EmailUrlInfo is purpose-built to map URLs to email messages.

Exam trap

The trap here is that candidates often jump to EmailEvents thinking it contains all email details, but they forget that URL content is stored in a separate table (EmailUrlInfo) and must be queried first to identify the specific emails.

How to eliminate wrong answers

Option A is wrong because EmailEvents contains metadata about email delivery (sender, recipient, subject, delivery action) but does not include the actual URL content; it cannot be queried directly to find emails containing a specific URL. Option C is wrong because EmailAttachmentInfo stores information about email attachments (file names, hashes, sizes) and is used for malware or attachment-based threats, not for identifying URLs within the email body. Option D is wrong because EmailPostDeliveryEvents tracks actions taken on emails after delivery (e.g., user clicks, admin moves, ZAP actions) and does not contain the original URL content from the email.

790
MCQeasy

While threat hunting in Microsoft Sentinel, you want to create a hunting query that identifies all attempts to disable security controls. Which data table would be most appropriate to query for such activity?

A.Syslog
B.SecurityEvent
C.CommonSecurityLog
D.OfficeActivity
AnswerB

Windows security events log process and service changes.

Why this answer

Option B is correct because SecurityEvent (Windows event log) contains events such as 4688 (process creation) and 4689 (process termination), which can show attempts to stop security services. Option C is incorrect because CommonSecurityLog is for firewall logs. Option A is incorrect because Syslog is for Linux events.

Option D is incorrect because OfficeActivity is for Office 365.

791
MCQeasy

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a high severity alert is generated, an automated investigation is launched immediately. What is the correct configuration?

A.Create a custom indicator in Microsoft Defender for Endpoint.
B.Use advanced hunting to create a custom detection rule.
C.In Microsoft Defender for Endpoint, set up an alert suppression rule.
D.In Microsoft 365 Defender, configure automated investigation and response settings to automatically investigate alerts.
AnswerD

The automated investigation settings allow you to set the automation level for different alert groups, including high severity.

Why this answer

Option D is correct because the automated investigation settings in Microsoft 365 Defender configure the automation level. Option C is wrong because alert suppression does not start an investigation. Option A is wrong because indicators are for threat intelligence.

Option B is wrong because advanced hunting is a query tool, not an automated response.

792
MCQmedium

Your organization has Microsoft Defender for Office 365 enabled. Users report that phishing emails are being delivered to their inboxes. You need to improve the filtering. What should you do first?

A.Increase the spam confidence level threshold.
B.Review phishing emails in Threat Explorer and adjust anti-phishing policies.
C.Disable third-party email connectors.
D.Enable the 'Secure by default' setting in Exchange Online.
AnswerB

Threat Explorer provides detailed analysis.

Why this answer

Reviewing Threat Explorer in Defender for Office 365 allows you to analyze detected phishing emails and understand why they were delivered, then adjust policies accordingly. Option A is wrong because increasing the spam confidence level might block legitimate email. Option C is wrong because disabling third-party connectors doesn't help.

Option D is wrong because 'Secure by default' is already enabled.

793
MCQhard

In Microsoft 365 Defender advanced hunting, an analyst is investigating a case where a user's device was compromised via a malicious base64-encoded PowerShell script. The analyst wants to find all processes that were created by this script by decoding the command line. Which KQL function should be applied to the ProcessCommandLine column in the DeviceProcessEvents table?

A.base64_decode_tostring(ProcessCommandLine)
B.parse_base64(ProcessCommandLine)
C.decode_base64(ProcessCommandLine)
D.convertstring(ProcessCommandLine, 'base64')
AnswerA

This function decodes a base64-encoded string to its original text, revealing the obfuscated PowerShell commands.

Why this answer

The correct KQL function to decode a Base64-encoded string into a readable text format in Microsoft 365 Defender advanced hunting is `base64_decode_tostring()`. This function takes a string column (like ProcessCommandLine) and returns the decoded plaintext, allowing the analyst to see the actual PowerShell commands executed. The other options are either invalid KQL functions or do not exist in the Kusto Query Language used in advanced hunting.

Exam trap

The trap here is that Microsoft tests whether candidates know the exact KQL function name `base64_decode_tostring()` versus common but incorrect variations like `decode_base64()` or `parse_base64()`, which are not part of the Kusto Query Language.

How to eliminate wrong answers

Option B is wrong because `parse_base64()` is not a valid KQL function; the correct function is `base64_decode_tostring()`. Option C is wrong because `decode_base64()` is not a recognized KQL function; Kusto uses `base64_decode_tostring()` for this purpose. Option D is wrong because `convertstring(ProcessCommandLine, 'base64')` is not a valid KQL syntax; the correct function for Base64 decoding is `base64_decode_tostring()`, and `convertstring()` is used for different encoding conversions like UTF-8 or ASCII.

794
MCQeasy

Your SOC uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves malicious email attachments to quarantine before they reach user mailboxes. What should you configure?

A.Create an anti-phishing policy to detect phishing attempts.
B.Create an anti-spam policy with a high confidence spam filter.
C.Create an anti-malware policy in the Microsoft 365 Defender portal.
D.Create a Safe Attachments policy in the Microsoft 365 Defender portal.
AnswerD

Safe Attachments policy is designed to quarantine malicious attachments.

Why this answer

Safe Attachments is a Microsoft Defender for Office 365 feature specifically designed to detonate email attachments in a virtual sandbox environment before delivery. By creating a Safe Attachments policy in the Microsoft 365 Defender portal, you can automatically quarantine malicious attachments, preventing them from reaching user mailboxes. This directly addresses the requirement to handle malicious attachments, not phishing or spam.

Exam trap

The trap here is that candidates often confuse anti-malware policies (which use static signatures) with Safe Attachments (which uses dynamic sandbox analysis), leading them to select Option C instead of D.

How to eliminate wrong answers

Option A is wrong because anti-phishing policies protect against deceptive email messages designed to steal credentials, not against malicious attachments; they do not perform attachment sandboxing. Option B is wrong because anti-spam policies filter bulk or unwanted email based on content and sender reputation, not on attachment malware analysis; high confidence spam filters do not quarantine attachments. Option C is wrong because while an anti-malware policy can detect known malware via signature-based scanning, it does not provide the advanced sandbox detonation and zero-day protection that Safe Attachments offers; anti-malware policies are more basic and may miss polymorphic threats.

795
MCQeasy

Your security team detects a potential data exfiltration incident where an employee emailed sensitive customer data to a personal email address. The email was sent via Exchange Online. What is the immediate action to prevent further data loss?

A.Create a data loss prevention rule to block future emails to that domain
B.Review the user's email archive for other suspicious emails
C.Disable the user's account in Microsoft Entra ID
D.Use Microsoft Purview to perform a content search and purge the email from the recipient's mailbox
AnswerD

Content search and purge can remove the email from the recipient's mailbox only when the recipient is inside the same organization; for an external address this is generally not possible, and the best step is to block further sending of the data and notify. The question implies the recipient is external, but the typical immediate action is to prevent further sending.

Why this answer

Option D is correct because purging the email from the recipient's mailbox removes the data from the recipient's location. Option C is wrong because disabling the user's account does not remove the already sent email. Option A is wrong because data loss prevention policies are preventive, not reactive.

Option B is wrong because, while important, reviewing the archive is an investigation step, not immediate containment.

796
MCQmedium

You are responding to an incident where a user's credentials were stolen via a phishing email. The attacker used the credentials to access Microsoft Entra ID and then tried to perform privileged role escalation. Which Microsoft Sentinel solution should you use to detect this type of attack?

A.Network Security Group flow logs
B.Syslog data connector
C.Threat intelligence connectors
D.UEBA (User and Entity Behavior Analytics)
AnswerD

UEBA can detect unusual role assignments or escalation attempts based on behavioral baselines.

Why this answer

Option D is correct. UEBA analytics in Microsoft Sentinel can detect anomalous behavior like role escalation attempts after credential theft. Option B (Syslog data connector) is for generic log collection.

Option C (Threat intelligence connectors) is for known indicators. Option A (Network Security Group flow logs) is for network traffic.

797
MCQmedium

You are a security analyst at Wingtip Toys using Microsoft Defender XDR. You are hunting for signs of privilege escalation via the SeDebugPrivilege abuse. You want to find processes that have enabled SeDebugPrivilege and then accessed LSASS (Event ID 10). You have DeviceProcessEvents and DeviceEvents tables available. Which advanced hunting query would best identify this pattern?

A.DeviceProcessEvents | where FileName == 'lsass.exe'
B.DeviceEvents | where ActionType == 'LsassAccess' | summarize by DeviceId
C.DeviceEvents | where ActionType == 'SeDebugPrivilegeEnabled' | project DeviceId
D.DeviceProcessEvents | where FileName in ('procexp.exe', 'procmon.exe', 'cmd.exe', 'powershell.exe') | join kind=inner (DeviceEvents | where ActionType == 'SeDebugPrivilegeEnabled') on DeviceId | join kind=inner (DeviceEvents | where ActionType == 'LsassAccess') on DeviceId
AnswerD

This correlates process execution with privilege enablement and LSASS access.

Why this answer

Option D is correct because it joins process creation with privilege enablement and LSASS access. Option C is wrong because it only checks privilege enablement. Option B is wrong because it only checks LSASS access.

Option A is wrong because it filters by process name only, missing the other processes involved.

798
MCQeasy

You are performing a threat hunt in Microsoft Sentinel. You want to identify devices that have been communicating with known malicious IP addresses. Which data source should you query?

A.SecurityEvent
B.CommonSecurityLog
C.DnsEvents
D.DeviceNetworkEvents
AnswerB

Contains network traffic logs from firewalls and other security appliances.

Why this answer

Option B is correct because CommonSecurityLog contains network traffic logs from security appliances. Option A is for Windows events, not network traffic. Option C is for DNS queries.

Option D is for device events from Defender for Endpoint, but not IP communications.

799
MCQmedium

A security analyst is investigating a potential malware outbreak using Microsoft 365 Defender advanced hunting. The analyst wants to find all devices where a file with a specific SHA256 hash was first created and then later deleted, which may indicate a cleanup attempt. Which query pattern on the DeviceFileEvents table is appropriate?

A.DeviceFileEvents | where SHA256 == "<hash>" | summarize Actions = make_set(ActionType) by DeviceId | where Actions has_all ("FileCreated", "FileDeleted")
B.DeviceFileEvents | where SHA256 == "<hash>" and ActionType == "FileDeleted" | project DeviceId
C.DeviceFileEvents | where FileHash == "<hash>" | summarize Actions = make_set(ActionType) by DeviceId | where Actions has "FileCreated"
D.DeviceFileEvents | summarize by DeviceId, ActionType | where ActionType in ("FileCreated", "FileDeleted")
AnswerA

Correct. This query groups by DeviceId and checks that both 'FileCreated' and 'FileDeleted' actions exist in the set for that device, ensuring the file was both created and deleted.

Why this answer

Option A is correct because it first filters by the specific SHA256 hash, then uses `make_set(ActionType)` to collect all actions per device, and finally checks that both 'FileCreated' and 'FileDeleted' appear in the set. This precisely identifies devices where the file was both created and later deleted, indicating a potential cleanup attempt.

Exam trap

The trap here is that candidates may confuse the column name `SHA256` with `FileHash` (which does not exist in DeviceFileEvents) or forget to filter by the specific hash before summarizing, leading to false positives from unrelated file operations.

How to eliminate wrong answers

Option B is wrong because it only looks for 'FileDeleted' events, missing the requirement that the file must have been first created on the same device. Option C is wrong because it uses `FileHash` instead of `SHA256` (the correct column name in DeviceFileEvents) and only checks for 'FileCreated', not both actions. Option D is wrong because it summarizes by DeviceId and ActionType without filtering by the specific hash, returning all devices with any create/delete actions rather than those related to the target file.

800
MCQmedium

You are investigating a potential ransomware incident detected by Microsoft Defender XDR. The incident shows multiple machines with suspicious encryption activity. You need to contain the threat immediately. What should you do first?

A.Reset the passwords of all users on the affected machines
B.Run a full antivirus scan on all endpoints
C.Initiate device isolation on affected machines from Microsoft Defender XDR
D.Disable the user accounts associated with the affected machines
AnswerC

Isolation stops network communication and prevents lateral movement.

Why this answer

Option C is correct because isolating devices from the network stops the spread of ransomware immediately. Option B is wrong because running an antivirus scan is reactive and may not stop encryption in progress. Option D is wrong because disabling user accounts does not stop the malware on endpoints.

Option A is wrong because resetting passwords does not contain the active infection.

801
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident in Microsoft Defender XDR is automatically synchronized to Microsoft Sentinel. The incident in Sentinel is closed by the SOC team, but the corresponding incident in Defender remains open. What should you do to ensure that closing an incident in Sentinel also closes its linked incident in Defender?

A.Configure an automation rule in Microsoft Sentinel that triggers on incident closure and runs a playbook that closes the corresponding incident in Microsoft Defender XDR.
B.In the Microsoft Defender XDR portal, enable the setting to automatically close incidents when the linked Sentinel incident is closed.
C.Use the Microsoft Defender XDR API to set up a webhook that listens for Sentinel incident closure.
D.Enable the bi-directional sync in the Microsoft Sentinel data connector for Microsoft Defender XDR.
AnswerA

Automation rules can run playbooks that call APIs to close incidents in Defender.

Why this answer

Option A is correct because a Sentinel automation rule can use the "When incident is updated" trigger with a condition on the status changing to Closed, and run a playbook that calls the Microsoft Defender XDR incident API to close the linked incident. Option D is wrong because bi-directional status sync is not a separate switch you enable in the data connector.

Option B is wrong because the Defender portal has no setting that reacts to the closure of a linked Sentinel incident. Option C is wrong because the Defender XDR API does not expose webhooks that listen for Sentinel incident closure; the integration direction is Sentinel calling Defender, not the reverse.

802
MCQmedium

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

A.File entity page
B.Device entity page
C.User entity page
D.Email entity page
AnswerA

Correct. The file entity page displays detection status and actions taken on the file across devices.

Why this answer

The File entity page in Microsoft Defender XDR provides a centralized view of a file's reputation, detection details, and the specific actions taken (e.g., blocked, allowed, quarantined) during automated investigations. Since the analyst needs to confirm the block action on a specific malicious file, this page directly displays the investigation result and the applied remediation action.

Exam trap

The trap here is that candidates often confuse the Device entity page (which shows that an investigation ran) with the File entity page (which shows the specific action taken on the file), leading them to incorrectly select the Device page.

How to eliminate wrong answers

Option B is wrong because the Device entity page shows device-level alerts, investigations, and software inventory, but does not display the specific action taken on a file (e.g., block vs. allow) — it only indicates that an investigation occurred. Option C is wrong because the User entity page focuses on user-related alerts, sign-in logs, and compromised accounts, not file-level remediation actions. Option D is wrong because the Email entity page is specific to email messages, attachments, and phishing detections within Microsoft Defender for Office 365, not for file actions on endpoints.

803
MCQhard

Your organization uses Microsoft Defender for Cloud to monitor hybrid workloads. You need to ensure that security alerts from on-premises servers running Windows Server 2022 are forwarded to Microsoft Sentinel. The servers are not yet onboarded to Azure Arc. What should you do first?

A.Install the Azure Monitor Agent on the servers.
B.Deploy Azure Policy to enable Defender for Cloud on the servers.
C.Onboard the servers to Azure Arc and enable Defender for Cloud.
D.Install Microsoft Defender for Endpoint on the servers.
AnswerC

Arc provides the identity and management needed for Defender for Cloud to monitor on-prem servers.

Why this answer

On-premises servers must first be onboarded to Azure Arc to establish a management identity and connectivity with Azure. Without Azure Arc, Defender for Cloud cannot apply its security policies or forward alerts to Microsoft Sentinel. Enabling Defender for Cloud on the servers after Arc onboarding allows security alerts to be collected and forwarded to Sentinel.

Exam trap

The trap here is that candidates often assume installing an agent (AMA or MDE) is sufficient to forward alerts to Sentinel, but Microsoft requires Azure Arc as the foundational onboarding step to bring non-Azure servers into the Azure management plane before Defender for Cloud can generate and forward security alerts.

How to eliminate wrong answers

Option A is wrong because the Azure Monitor Agent (AMA) can collect telemetry but does not enable Defender for Cloud's security alert generation or forwarding to Sentinel; AMA is a data collection agent, not a prerequisite for Defender for Cloud integration. Option B is wrong because Azure Policy can enforce configurations only on resources already managed by Azure; without Azure Arc, the on-premises servers are not visible to Azure Policy. Option D is wrong because Microsoft Defender for Endpoint (MDE) provides endpoint detection and response, and its alerts reach Sentinel through the Defender XDR connector, not through Defender for Cloud; installing it does not satisfy the requirement to forward Defender for Cloud alerts from these servers.

804
MCQmedium

A SOC analyst needs to create a scheduled analytics rule in Microsoft Sentinel that detects when a user logs in from an IP address that is not in a predefined list of known corporate IP ranges. The list is maintained as a custom Sentinel watchlist and frequently updated. Which KQL function should the analyst use to reference the watchlist within the rule's query?

A.externaldata()
B._GetWatchlist()
C.lookup()
D.invoke()
AnswerB

_GetWatchlist() is the built-in function that returns the content of a watchlist by name, allowing the query to join or compare against the watchlist data.

Why this answer

The _GetWatchlist() function is the correct KQL function to reference a custom Sentinel watchlist within an analytics rule query. It retrieves the watchlist content as a table, allowing the analyst to join or filter login events against the known corporate IP ranges. This function is specifically designed for Sentinel watchlists and supports frequent updates without modifying the rule query.

Exam trap

The trap here is that candidates may confuse _GetWatchlist() with externaldata() or lookup(), thinking they can achieve the same result, but only _GetWatchlist() is designed for Sentinel watchlists and integrates seamlessly with analytics rules.

How to eliminate wrong answers

Option A is wrong because externaldata() is used to query external data sources like Azure Blob Storage or files, not Sentinel watchlists, and requires a direct URI reference. Option C is wrong because lookup() is a KQL operator for joining tables based on a key, but it does not directly retrieve watchlist data; it would require the watchlist to already be in a table format. Option D is wrong because invoke() is used to call a function or a machine learning model, not to access watchlist data, and is not relevant for referencing a watchlist in a query.

805
Multi-Selectmedium

Which TWO of the following are valid methods to initiate a threat hunting session in Microsoft Sentinel?

Select 2 answers
A.Create a custom analytics rule
B.Import a watchlist as a hunting query
C.Start from a specific detection rule
D.Use a predefined hunting query from the Microsoft Sentinel content hub
E.Enable live mode on a hunting query
AnswersC, D

You can pivot from a detection rule to hunt for related activity.

Why this answer

Starting from a specific detection rule and using a predefined hunting query are both valid methods. Live mode is not a feature; custom analytics rules are for detection, not hunting; and watchlists are used for enrichment, not for initiating hunting.

806
MCQmedium

The exhibit shows a hunting query definition in Microsoft Sentinel. What is the primary issue with this hunting query?

A.The ActionType filter is invalid
B.The query does not filter by timestamp
C.The ipv4_lookup function does not exist in KQL
D.The ipv4_lookup function is used incorrectly because it requires a data source parameter
AnswerD

ipv4_lookup requires a second parameter specifying the lookup table or dataset, not just a string.

Why this answer

The query uses ipv4_lookup against a static list 'solorigate_ips' as if it were a string, but the plugin expects a tabular lookup source as its first argument: a let-bound datatable, a watchlist, or another table whose CIDR column is passed as the lookup key. The correct syntax is `T | evaluate ipv4_lookup(LookupTable, SourceIPColumn, LookupCidrColumn)`. Option C is incorrect because the function does exist in KQL.

Option B is incorrect because a missing timestamp filter is not the primary issue; the Sentinel hunting page applies the selected time range to the query when it runs. Option A is incorrect because there is no syntax error in the ActionType filter.
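The query below is an added example, not part of the original questions, that ties question 804 and question 806 together: it references a Sentinel watchlist with _GetWatchlist() and feeds the result to ipv4_lookup as the lookup table, which is the usage the hunting-query exhibit got wrong. It assumes a watchlist named 'CorpIPRanges' whose CIDR column is called 'IPRange'; both names are assumptions to adjust to your workspace.

```kql
// Added example: successful sign-ins from addresses outside the corporate ranges kept
// in a Sentinel watchlist. Assumed names (not from the original questions):
// watchlist 'CorpIPRanges', CIDR column 'IPRange' (e.g. 203.0.113.0/24).
let lookback = 1h;
let CorpRanges =
    _GetWatchlist('CorpIPRanges')
    | project IPRange = tostring(IPRange);            // lookup table: one CIDR per row
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                             // successful sign-ins only
| where isnotempty(IPAddress)
// ipv4_lookup(lookupTable, sourceKey, lookupKey): sourceKey is the IP column of the
// left-hand table, lookupKey the CIDR column of the lookup table. return_unmatched=true
// keeps rows that fell inside no range, with the lookup columns left empty.
| evaluate ipv4_lookup(CorpRanges, IPAddress, IPRange, return_unmatched = true)
| where isempty(IPRange)                              // not inside any corporate range
| summarize SignIns = count(),
            Apps = make_set(AppDisplayName, 5),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress, Location
| order by SignIns desc
```

Because the watchlist is resolved at query time, updating the CIDR list in the Sentinel portal changes what the scheduled rule matches without editing the rule. Keep the lookup table small and the left-hand side filtered first (time window, result type); ipv4_lookup is evaluated for every surviving row against every range.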

807
MCQeasy

After a security incident, you need to preserve evidence from a compromised Microsoft 365 tenant. What is the best method to preserve data?

A.Take a backup of the entire tenant
B.Use Microsoft Purview eDiscovery to search and export
C.Export the data to a PST file and delete the original
D.Place the user's mailbox and OneDrive on litigation hold
AnswerD

Preserves all data from deletion.

Why this answer

Option D is correct because litigation hold preserves the mailbox and OneDrive content in place, including items the user or an attacker subsequently deletes or modifies, so the evidence cannot be purged while the investigation runs. Option C is wrong because exporting to PST and deleting the original is destructive and breaks the chain of custody. Option B is wrong because eDiscovery search and export is a collection and review step, not a preservation step; without a hold, items can still be purged before or after the export.

Option A is wrong because a tenant-wide backup is not an immediate preservation step and does not stop continued deletion in the live tenant.

808
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud Apps to monitor cloud application usage. You have a custom analytics rule that detects multiple failed login attempts from different IP addresses for the same user within 5 minutes. This rule generates an incident. The security team wants to automatically suspend the user in Microsoft Entra ID (formerly Azure AD) when such an incident is created, but only if the user is not a member of the 'Emergency Access' group. You need to implement this automation. You have already created the analytics rule. What should you do next?

A.Modify the analytics rule to include a condition that checks the user's group membership using KQL.
B.Create an automation rule that suspends the user directly using a condition on the incident.
C.Create an automation rule that triggers on incident creation and runs a playbook that suspends the user.
D.Create a playbook that uses the Microsoft Entra ID connector to check if the user is a member of the 'Emergency Access' group. If not, suspend the user. Then create an automation rule that runs this playbook on incident creation.
AnswerD

A playbook can use conditional logic to check group membership and then take action. The automation rule triggers the playbook.

Why this answer

Option D is correct because the group-membership check needs conditional logic, and that logic lives in the playbook: the Microsoft Entra ID connector can query the user's group memberships, and only if 'Emergency Access' is absent does the playbook disable the account. The automation rule then simply runs that playbook on incident creation. Option A is wrong because the analytics rule decides what is detected; adding a group filter there would suppress the incident altogether instead of gating the response. Option B is wrong because automation rule actions cannot disable or suspend a user; they can change incident properties, add tags, assign owners and run playbooks.

Option C is wrong because the playbook it describes suspends unconditionally; it would lock out an Emergency Access account, which is exactly the failure the requirement is designed to prevent.

809
MCQmedium

A SOC analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded 500 GB of data from SharePoint to an unmanaged device. The user has no history of such behavior. What is the best first step in the incident response process?

A.Run a full antivirus scan on the unmanaged device.
B.Contact the user to verify if the download was intentional.
C.Disable the user account in Microsoft Entra ID.
D.Create a detection rule for similar behavior in Microsoft Sentinel.
AnswerC

Immediately stops the user's access and prevents further data download, containing the incident.

Why this answer

Option C is correct because disabling the account immediately revokes the user's access and stops any further download to the unmanaged device, which is the containment step for a suspected data-theft scenario; verification and root-cause analysis follow once the exfiltration path is closed. Option A is reactive and does nothing to stop an ongoing download from a device you do not manage. Option B is premature because contacting the user before containment leaves the transfer running, and if the account is compromised you may be tipping off the attacker rather than the user.

Option D may be needed afterwards but is not the first step.

810
MCQmedium

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

A.Threat Explorer.
B.Microsoft Secure Score.
C.Azure Activity log.
D.Microsoft Defender Vulnerability Management software inventory.
AnswerA

Threat Explorer is designed for email threat investigation and remediation.

Why this answer

Threat Explorer (also known as Explorer) in Microsoft 365 Defender is the correct tool because it provides a comprehensive view of email threats, including phishing campaigns. It allows analysts to search for all messages in a campaign, review delivery actions (e.g., blocked, delivered to junk, or delivered), and perform remediation actions such as soft delete, hard delete, or move to quarantine directly from the portal.

Exam trap

The trap here is that candidates may confuse Threat Explorer with the general-purpose Activity log or Secure Score, assuming any security-related tool can handle email threats, but only Threat Explorer is designed for deep email threat hunting and remediation within Microsoft 365 Defender.

How to eliminate wrong answers

Option B is wrong because Microsoft Secure Score is a security posture measurement tool that assesses an organization's security configuration and recommends improvements; it does not provide message-level threat hunting, campaign visibility, or remediation capabilities for phishing emails. Option C is wrong because Azure Activity log records control-plane operations on Azure resources (e.g., creating VMs, modifying RBAC roles) and does not capture email delivery actions or phishing campaign data. Option D is wrong because Microsoft Defender Vulnerability Management software inventory focuses on identifying and managing software vulnerabilities on endpoints, not on email threat analysis or remediation.

811
Multi-Selecthard

Your organization uses Microsoft Defender XDR. You need to delegate incident management tasks to a team of analysts without granting full global admin permissions. Which THREE roles in Microsoft 365 Defender should you assign?

Select 3 answers
A.Security Administrator
B.Security Operator
C.Security Analyst
D.Security Reader
E.Compliance Administrator
AnswersA, B, D

Can manage security settings and incidents.

Why this answer

Security Administrator is correct because this role in Microsoft 365 Defender provides full access to incident management features, including the ability to investigate, respond to, and resolve incidents, while not granting full global admin permissions. It allows analysts to manage alerts, perform advanced hunting, and configure security settings within the Defender portal, making it suitable for delegated incident management tasks. Security Operator is correct because it is the role built for day-to-day analysts: it can manage alerts and incidents and take response actions without the ability to change tenant-wide security configuration. Security Reader is correct for the part of the team that only needs to view incidents, alerts and hunting results; it grants no write access, which is the least-privilege choice for read-only review. Together the three roles cover the delegation ladder without Global Administrator.

Exam trap

The trap here is that candidates may confuse the non-existent 'Security Analyst' role with the actual 'Security Operator' role, or incorrectly assume that 'Compliance Administrator' includes incident management permissions due to overlapping security and compliance concepts.

812
MCQhard

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. The rule does not trigger as expected for newly created incidents with High severity. What is the most likely cause?

A.The automation rule is disabled because 'state' is set to 'Enabled' but the rule is in a 'Disabled' state due to a missing property.
B.The trigger type is misspelled; it should be 'Microsoft.SecurityInsights/Incident' instead of 'Microsoft.SecurityInsights/Incident'.
C.The playbookId references a Logic App in a resource group that does not exist.
D.The conditions use 'Equals' operator, but 'Severity' and 'Status' require 'Contains' operator.
AnswerB

The trigger type has a typo, causing the rule not to match any incident.

Why this answer

Option B is correct because the JSON in the exhibit misspells the trigger type; an automation rule fires only when the trigger is exactly 'Microsoft.SecurityInsights/Incident', so a malformed value matches no incident and the rule never runs. Option A is incorrect because the rule's state is set to 'Enabled' and no property that would disable it is missing.

Option D is incorrect because 'Equals' is a valid operator for the 'Severity' and 'Status' conditions. Option C is incorrect because the playbookId is a well-formed resource ID, and nothing in the exhibit indicates that its resource group is missing.

813
MCQhard

Your organization has deployed Microsoft Defender XDR and Microsoft Sentinel in a hybrid environment. You need to ensure that incidents from Microsoft Defender for Endpoint are synchronized to Microsoft Sentinel with full alert details. You have already connected the Microsoft Defender XDR connector. What additional step must you take?

A.In the Microsoft Defender XDR connector, enable 'Microsoft 365 Defender incident creation'.
B.Enable the Microsoft Defender for Endpoint API connector in Microsoft Sentinel.
C.Configure a bi-directional sync between Microsoft Sentinel and Microsoft Defender XDR.
D.No additional steps are required; the connector automatically syncs all incident details.
AnswerA

This setting ensures full alert details are included.

Why this answer

Option A is correct because connecting the Microsoft Defender XDR connector alone streams data, but the 'Microsoft 365 Defender incident creation' setting must be enabled for incidents, with their full alert details, to be created and synchronized in Sentinel. Option D is wrong because connecting the connector does not by itself turn on incident creation. Option C is wrong because bi-directional sync governs status updates between the two portals, not whether alert details are ingested.

Option B is wrong because the separate Defender for Endpoint API connector is unnecessary once the Defender XDR connector is enabled; it would only duplicate alert ingestion.

814
MCQhard

You are a SOC analyst at Contoso. The environment includes Microsoft Sentinel in a single workspace, Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps), Microsoft Entra ID, and Microsoft Intune. You need to design a solution to automatically triage and respond to phishing incidents detected by Defender for Office 365. The requirements are: 1) When a phishing alert is generated with high confidence, an incident should be automatically created in Sentinel. 2) The incident should be assigned to the 'Phishing' team and have a severity of High. 3) A playbook should run that will send a Teams message to the Phishing team and also block the sender in Exchange Online. 4) The incident should be automatically closed if the playbook successfully executes. What should you do?

A.Use the Office 365 connector to ingest alerts, then create an analytics rule to generate incidents, and use automation rules to assign and run playbooks.
B.Enable the Microsoft 365 Defender connector to synchronize incidents, create an automation rule triggered on incident creation with conditions for 'Phishing' and high confidence, assigning to 'Phishing' team, running a playbook, and enabling auto-closure.
C.Use a Logic App to continuously poll Defender for Office 365 APIs for alerts, create incidents via the Sentinel API, and assign them.
D.Create a custom analytics rule with KQL to detect phishing in Defender for Office 365 logs, generate incidents, and use automation rules.
AnswerB

This meets all requirements.

Why this answer

Option B is correct because it leverages the Microsoft 365 Defender connector to synchronize incidents from Defender for Office 365 into Microsoft Sentinel, which is the recommended approach for ingesting high-confidence phishing alerts. An automation rule triggered on incident creation with conditions for 'Phishing' and high confidence can assign the incident to the 'Phishing' team, run a playbook to send a Teams message and block the sender in Exchange Online, and enable auto-closure upon successful playbook execution.

Exam trap

The trap here is that candidates often confuse the Office 365 connector (which ingests raw alerts) with the Microsoft 365 Defender connector (which synchronizes incidents), leading them to choose Option A, which requires an extra analytics rule and does not natively support high-confidence phishing incident synchronization.

How to eliminate wrong answers

Option A is wrong because the Office 365 connector ingests raw alerts, not incidents, and requires an analytics rule to generate incidents, which adds unnecessary complexity and does not directly synchronize Defender for Office 365 incidents with high-confidence phishing detection. Option C is wrong because using a Logic App to continuously poll Defender for Office 365 APIs is inefficient, introduces latency, and bypasses the native incident synchronization provided by the Microsoft 365 Defender connector, which is the designed pattern for automated triage. Option D is wrong because creating a custom analytics rule with KQL to detect phishing in Defender for Office 365 logs is redundant and error-prone, as Defender for Office 365 already generates high-confidence phishing alerts that should be synchronized as incidents via the Microsoft 365 Defender connector, not re-detected through log queries.

815
Multi-Selecthard

A threat hunter is investigating a potential data exfiltration via DNS tunneling using Microsoft Defender for Endpoint advanced hunting. Which THREE columns from the DeviceNetworkEvents table should the hunter include in a query to detect anomalous DNS queries?

Select 3 answers
A.RemoteUrl
B.ActionType
C.RemoteIP
D.Timestamp
E.InitiatingProcessFileName
AnswersA, D, E

Contains the domain name being resolved, critical for detecting tunneling.

Why this answer

Option A (RemoteUrl) is correct because it carries the queried domain name, which is where a tunnel encodes its data; unusually long or high-entropy subdomains and a large number of unique subdomains under one parent domain are the signal. Option E (InitiatingProcessFileName) is correct because it shows which process issued the query; a tunnel is typically driven by a process that has no business resolving names at that rate (a script host, an unsigned binary, an Office process). Option D (Timestamp) is correct because tunneling is a volume-and-cadence anomaly, and you need time to compute query rates and beaconing intervals.

Option C (RemoteIP) is the resolver or destination address, not the queried name, so it cannot distinguish tunneled lookups from legitimate ones sent to the same DNS server. Option B (ActionType) does exist in DeviceNetworkEvents, but it describes the connection event type (for example ConnectionSuccess) and by itself says nothing about the queried name, so it is not one of the three columns the detection hinges on.
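The hunt below is an added example and not part of the original question: it applies the three columns from question 815 to the DNS-tunneling case, grouping queries by parent domain and issuing process and flagging domains with many unique, long subdomains. The thresholds are assumptions to tune per environment, not Microsoft defaults, and the two-label parent-domain split is a simplification (it mis-parses multi-label suffixes such as co.uk).

```kql
// Added example: hunt for DNS-tunneling-style traffic in DeviceNetworkEvents.
// A tunnel encodes data in many unique, long subdomains under one attacker-controlled
// domain, so the query keys on RemoteUrl (the queried name), InitiatingProcessFileName
// (the process that asked) and Timestamp (volume and cadence over time).
let lookback = 24h;
let minUniqueSubdomains = 50;     // assumed threshold, tune per environment
let minAvgSubdomainLen = 30;      // assumed threshold, tune per environment
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where isnotempty(RemoteUrl)
// Strip any scheme/path so only the host name remains, then split it into labels
| extend Host = tolower(extract(@"^(?:[a-zA-Z]+://)?([^/:]+)", 1, RemoteUrl))
| extend Labels = split(Host, ".")
| extend LabelCount = array_length(Labels)
| where LabelCount >= 3                               // need at least one subdomain label
// Parent domain = last two labels; subdomain = everything before them
| extend ParentDomain = strcat_array(array_slice(Labels, -2, -1), ".")
| extend Subdomain = strcat_array(array_slice(Labels, 0, LabelCount - 3), ".")
| summarize Queries = count(),
            UniqueSubdomains = dcount(Subdomain),
            AvgSubdomainLen = avg(strlen(Subdomain)),
            MaxSubdomainLen = max(strlen(Subdomain)),
            Resolvers = make_set(RemoteIP, 5),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp)
    by DeviceName, InitiatingProcessFileName, ParentDomain
| where UniqueSubdomains >= minUniqueSubdomains and AvgSubdomainLen >= minAvgSubdomainLen
// Queries per minute over the observed window, to separate steady beaconing from a burst
| extend QueriesPerMinute = round(Queries / (datetime_diff('second', LastSeen, FirstSeen) / 60.0 + 1), 2)
| order by UniqueSubdomains desc
```

RemoteIP is kept as an enrichment (make_set of the resolvers seen), which is the right place for it: it tells you where the queries went once a domain is flagged, but it is not what flags the domain. Expect false positives from CDNs, telemetry endpoints and anti-malware reputation lookups, which also generate many unique subdomains; allow-list those parent domains rather than raising the thresholds.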

816
MCQmedium

Your organization uses Microsoft Sentinel and has deployed multiple analytics rules. You need to evaluate the effectiveness of these rules by identifying which rules generate the most incidents and have the highest false positive rate. What should you use?

A.Incidents view in Microsoft Sentinel filtered by analytics rule
B.Hunting view in Microsoft Sentinel
C.MITRE ATT&CK view in Microsoft Sentinel
D.Entity behavior analytics view in Microsoft Sentinel
AnswerA

You can group incidents by rule and review classifications.

Why this answer

Option A is correct because the Incidents view in Microsoft Sentinel can be filtered and grouped by the analytics rule that produced each incident, which shows incident counts per rule alongside the closing classification (true positive, benign positive, false positive) analysts assigned. Option C is wrong because the MITRE ATT&CK view maps coverage and incidents to techniques, not to rule performance. Option D is wrong because the Entity behavior analytics view surfaces UEBA insights about users and hosts.

Option B is wrong because the Hunting view is for proactive hunting queries and bookmarks, not for reviewing incident classification.
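For a SOC that wants the same answer as a report rather than a portal filter, the query below is an added example, not part of the original question: it reads the SecurityIncident table (the Sentinel system table behind the Incidents view) and computes incident volume and false-positive rate per analytics rule over the last 30 days. The classification values are Sentinel's own; the look-back window is an assumption.

```kql
// Added example: per-rule incident volume and false-positive rate from SecurityIncident.
// Classification values are Sentinel's: TruePositive, BenignPositive, FalsePositive, Undetermined.
let lookback = 30d;                                   // assumed reporting window
SecurityIncident
| where TimeGenerated > ago(lookback)
// The table is append-only (one row per change); keep the latest record of each incident
// so Status and Classification reflect its current state
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// An incident can be linked to more than one rule; expand to one row per rule
| mv-expand RuleId = RelatedAnalyticRuleIds to typeof(string)
| extend RuleId = extract(@"[^/]+$", 0, RuleId)       // keep only the rule GUID from the resource ID
| summarize Incidents = dcount(IncidentNumber),
            Closed = dcountif(IncidentNumber, Status == "Closed"),
            TruePositive = dcountif(IncidentNumber, Classification == "TruePositive"),
            BenignPositive = dcountif(IncidentNumber, Classification == "BenignPositive"),
            FalsePositive = dcountif(IncidentNumber, Classification == "FalsePositive"),
            RuleTitle = take_any(Title)
    by RuleId
// Rate is computed over closed incidents only; open incidents carry no classification yet
| extend FalsePositiveRate = iff(Closed > 0, round(100.0 * FalsePositive / Closed, 1), real(null))
| project RuleTitle, RuleId, Incidents, Closed, TruePositive, BenignPositive, FalsePositive, FalsePositiveRate
| order by Incidents desc, FalsePositiveRate desc
```

A rule at the top of both columns (high volume, high false-positive rate) is the tuning candidate; a rule with many incidents and a low rate is working as intended and should not be touched just because it is noisy. Benign positives are reported separately because they usually point at a missing allow-list rather than a broken detection.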

817
MCQmedium

A security analyst is investigating an incident in Microsoft 365 Defender where a user's device is suspected to be compromised. The analyst wants to collect a copy of a specific suspicious file from the device for offline analysis without disrupting the user. Which action should the analyst initiate?

A.Initiate a Live Response session
B.Isolate the device from the network
C.Initiate an automated investigation
D.Run a full antivirus scan
AnswerA

Live Response provides a remote command-line interface to the device, enabling the analyst to collect files and perform investigation without isolating or disrupting the user.

Why this answer

A Live Response session allows the analyst to remotely connect to the device in real time, collect a specific suspicious file via commands like 'getfile', and download it for offline analysis without interrupting the user's workflow. This is the only action that provides targeted file collection while the device remains operational.

Exam trap

The trap here is that candidates confuse 'Live Response' with 'isolation' or 'automated investigation', thinking that any remediation action can collect files, but only Live Response provides the granular, non-disruptive file collection capability required for offline analysis.

How to eliminate wrong answers

Option B is wrong because isolating the device from the network disconnects it from all network communications, which disrupts the user and prevents file collection without additional steps. Option C is wrong because an automated investigation runs predefined playbooks to detect and remediate threats, but it does not allow the analyst to manually collect a specific file for offline analysis. Option D is wrong because a full antivirus scan scans for malware and may delete or quarantine the file, but it does not provide a copy of the file for offline analysis and can disrupt the user by consuming system resources.

818
MCQeasy

Your organization uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate SOC tier based on severity. What should you create?

A.A data connector to Microsoft Teams
B.A scheduled analytics rule
C.A playbook in Microsoft Power Automate
D.An automation rule with an owner assignment action
AnswerD

Automation rules can assign incidents to specific users or groups.

Why this answer

Option D is correct because automation rules in Sentinel can assign an incident owner as an action, with conditions such as severity deciding which rule applies to which incident. Option B is wrong because a scheduled analytics rule runs a detection query; it creates incidents but cannot assign them to a tier.

Option C is wrong because Sentinel playbooks are Azure Logic Apps, not Power Automate flows, and even a playbook would be triggered by an automation rule, which can already do the assignment directly. Option A is wrong because a Microsoft Teams data connector ingests Teams data into the workspace; it has nothing to do with incident ownership.

819
MCQeasy

Your organization uses Microsoft Sentinel and you have a playbook that sends an email notification when a high-severity incident is created. You want to ensure that the playbook only runs for incidents that are not already assigned to a user. What should you configure?

A.Set the playbook trigger to 'When an incident is created' and add a condition inside
B.Add a condition in the playbook to check if the incident is assigned
C.Configure the automation rule trigger to include a condition for 'Incident owner equals null'
D.Modify the analytics rule to only generate unassigned incidents
AnswerC

Automation rules can conditionally trigger based on incident properties.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can include conditions that filter which incidents trigger a playbook. By configuring the automation rule with a condition for 'Incident owner equals null', the playbook will only run for incidents that are unassigned, ensuring that already assigned incidents are not processed. This approach is efficient and avoids unnecessary execution of the playbook.

Exam trap

The trap here is that candidates may think a condition inside the playbook is sufficient, but Microsoft Sentinel automation rules are designed to filter incidents before triggering the playbook, making the automation rule condition the correct and more efficient choice.

How to eliminate wrong answers

Option A is wrong because setting the playbook trigger to 'When an incident is created' and adding a condition inside the playbook would still cause the playbook to be triggered for every incident, including assigned ones, leading to unnecessary runs and potential performance issues; the condition should be applied at the automation rule level to filter before triggering. Option B is wrong because adding a condition inside the playbook to check if the incident is assigned does not prevent the playbook from being triggered for all incidents, which wastes resources and may cause unwanted email notifications for assigned incidents. Option D is wrong because modifying the analytics rule to only generate unassigned incidents is not feasible; analytics rules generate incidents based on detection logic, not assignment status, and assignment is a post-creation action.

820
Multi-Selecthard

Which THREE permissions are required for a user to manage Microsoft Sentinel playbooks using Azure Logic Apps? (Choose three.)

Select 3 answers
A.Microsoft Sentinel Contributor
B.Log Analytics Contributor
C.Global Administrator in Microsoft Entra ID
D.Reader on the Logic App
E.Contributor on the resource group containing the Logic App
AnswersA, B, E

Allows reading and triggering playbooks from Sentinel.

Why this answer

Microsoft Sentinel Contributor is required because it grants the necessary permissions to create, update, and delete playbooks within Microsoft Sentinel, which are built on Azure Logic Apps. This role allows the user to manage playbooks as part of the security operations environment, including assigning playbooks to automation rules and incident triggers.

Exam trap

The trap here is that candidates often assume Global Administrator is needed for any automation in Sentinel, but Microsoft specifically scopes playbook management to resource group-level Contributor roles to enforce least privilege and avoid granting tenant-wide admin rights.

821
MCQmedium

Your organization has recently deployed Microsoft Sentinel and wants to ensure that all critical Azure resources are monitored for security misconfigurations. You have already enabled Microsoft Defender for Cloud on all subscriptions. You need to configure a solution that will automatically create a Sentinel incident whenever a new security recommendation with severity 'High' is generated in Defender for Cloud. The incident should be assigned to the 'Infrastructure' team. Additionally, you want to run a playbook that will open a ticket in your IT Service Management (ITSM) tool. What should you do?

A.Use the Azure Activity connector to ingest recommendations, then create an analytics rule to generate incidents.
B.Enable the Defender for Cloud connector and create a workbook to monitor recommendations.
C.Create a custom analytics rule that queries the SecurityRecommendation table in the Log Analytics workspace.
D.Enable the Defender for Cloud connector, then create an automation rule that triggers on incident creation from the connector, assigns to 'Infrastructure', and runs a playbook.
AnswerD

This is the correct approach.

Why this answer

Option D is correct because the Defender for Cloud connector in Microsoft Sentinel ingests security recommendations and alerts as incidents. By creating an automation rule that triggers on incident creation from this connector, you can automatically assign incidents to the 'Infrastructure' team and run a playbook to open a ticket in your ITSM tool, fulfilling all requirements without custom queries or workbooks.

Exam trap

The trap here is that candidates often think they need to write a custom analytics rule (Option C) or use the Azure Activity connector (Option A) to ingest Defender for Cloud data, when in fact the Defender for Cloud connector already provides incident creation and automation rules handle assignment and playbook execution natively.

How to eliminate wrong answers

Option A is wrong because the Azure Activity connector ingests operational logs (e.g., resource creation/deletion), not security recommendations from Defender for Cloud; it cannot generate incidents from recommendations. Option B is wrong because enabling the Defender for Cloud connector and creating a workbook only visualizes data—it does not automatically generate incidents or trigger playbooks. Option C is wrong because while the SecurityRecommendation table exists, creating a custom analytics rule to query it is unnecessary and less efficient; the Defender for Cloud connector already ingests these recommendations as incidents, and automation rules provide the required assignment and playbook execution without custom KQL.

822
Multi-Selecthard

Which THREE of the following are key considerations when designing a threat hunting program in Microsoft Defender XDR and Microsoft Sentinel? (Choose THREE.)

Select 3 answers
A.Understanding the data schema and available tables in the advanced hunting schema
B.Operational security (OpSec) to avoid tipping off adversaries during manual hunting
C.Implementing multi-factor authentication for all users
D.Using only built-in detection rules to identify threats
E.Data retention policies for logs in Microsoft Sentinel and Microsoft Defender XDR
AnswersA, B, E

Knowing schema is essential to write effective queries.

Why this answer

Options A, B, and E are correct. A: Understanding the schema and available tables ensures you query the right data. B: OpSec is critical to avoid alerting adversaries. E: Data retention policies affect how far back you can hunt.

Option C is wrong because MFA is an identity protection measure, not a hunting consideration. Option D is wrong because hunting often requires custom queries, not just built-in rules.

823
MCQ · medium

While hunting in Microsoft Sentinel, you find a KQL query that uses the `evaluate` operator with `bag_unpack` to expand JSON properties. The query runs slowly and times out. What is the best practice to optimize this query?

A. Increase the cluster's concurrency and nodes.
B. Remove the `evaluate` operator and use `extend` with `parse_json`.
C. Add a `where` clause to filter rows before applying `bag_unpack`.
D. Use the `materialize` function to cache the entire table before expansion.
Answer: C

Filtering early reduces the number of rows processed by the expansion.

Why this answer

Option C is correct because filtering before expanding reduces the dataset size. Option A is wrong because adding concurrency and nodes may not help if the dataset is too large. Option B is wrong because swapping the operator for `extend` with `parse_json` does not reduce the number of rows the expansion has to process.

Option D is wrong because materializing the entire table is inefficient.

824
MCQ · medium

A security administrator is configuring Microsoft Defender for Cloud's regulatory compliance dashboard. The organization needs to be compliant with the NIST SP 800-53 standard. Which built-in initiative should the administrator assign to the subscription to populate the dashboard with NIST controls?

A. Azure Security Benchmark
B. NIST SP 800-53 R5
C. CIS Microsoft Azure Foundations Benchmark
D. ISO 27001
Answer: B

This built-in initiative provides controls mapped to NIST SP 800-53.

Why this answer

The NIST SP 800-53 R5 built-in initiative is the correct choice because Microsoft Defender for Cloud includes a dedicated regulatory compliance policy initiative that maps directly to the NIST SP 800-53 standard's controls. Assigning this initiative to the subscription populates the regulatory compliance dashboard with the specific NIST controls and their compliance status, enabling the organization to track and report against that framework.

Exam trap

The trap here is that candidates often confuse the Azure Security Benchmark (a Microsoft best-practice framework) with a regulatory standard, assuming it covers NIST controls, when in fact it is a separate initiative that does not map to NIST SP 800-53.

How to eliminate wrong answers

Option A is wrong because the Azure Security Benchmark is a Microsoft-authored set of best practices for securing Azure workloads, not a regulatory standard like NIST SP 800-53, and it does not map to NIST controls. Option C is wrong because the CIS Microsoft Azure Foundations Benchmark is a community-driven benchmark for Azure configuration, not a NIST-specific standard, and its controls are unrelated to NIST SP 800-53. Option D is wrong because ISO 27001 is a separate international security standard with its own control set, and its built-in initiative would populate the dashboard with ISO controls, not NIST SP 800-53 controls.

825
MCQ · hard

A security analyst is using advanced hunting in Microsoft 365 Defender to detect lateral movement. The analyst wants to find all devices where a specific user account had an interactive logon, and then identify which of those devices subsequently initiated outbound Remote Desktop Protocol (RDP) connections to other internal IP addresses. Which KQL approach is most efficient for this investigation?

A. Use DeviceLogonEvents and DeviceNetworkEvents with a join on DeviceId and a time range
B. Use IdentityLogonEvents and DeviceNetworkEvents with a join on IP address
C. Use DeviceProcessEvents and DeviceNetworkEvents with a join on DeviceId
D. Use EmailEvents and DeviceLogonEvents with a join on RecipientEmail
Answer: A

DeviceLogonEvents provides logon data per device; DeviceNetworkEvents provides outbound connections. Joining by DeviceId within a short time after logon can reveal lateral movement via RDP.

Why this answer

Option A is correct because it uses DeviceLogonEvents to identify interactive logons for the specific user account on devices, then joins those results with DeviceNetworkEvents on DeviceId within a time range to find subsequent outbound RDP connections (destination port 3389) to internal IPs. This approach directly correlates the user's logon activity with network connections from the same device, which is the most efficient and precise method for detecting lateral movement via RDP.

Exam trap

The trap here is that candidates may confuse IdentityLogonEvents (cloud identity) with DeviceLogonEvents (device-level logon), leading them to choose Option B, but the correct approach requires device-specific logon data to correlate with network events on the same device.

How to eliminate wrong answers

Option B is wrong because IdentityLogonEvents captures cloud identity logons (e.g., Azure AD) rather than device-level interactive logons, and joining on IP address is unreliable due to NAT and shared IPs, making it ineffective for correlating a specific device's network activity. Option C is wrong because DeviceProcessEvents tracks process creation events, not interactive logons; while it could indirectly indicate logon activity, it is less direct and less efficient than using DeviceLogonEvents for the specific user account. Option D is wrong because EmailEvents deals with email delivery and recipient data, which is irrelevant to device logons or RDP network connections; joining on RecipientEmail has no bearing on lateral movement detection.
