Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 826900

1639 questions total · 22 pages · All types, answers revealed


Page 12 of 22

826
MCQ · hard

You are the security operations lead for a multinational company using Microsoft Defender XDR. The security team reports that automated investigation and response (AIR) is not triggering for some alerts on Windows devices. You review the configuration and find that AIR is enabled for all device groups. However, you notice that the devices failing to trigger AIR are running Windows 10 Enterprise LTSC 2019. What is the most likely reason AIR is not working on these devices?

A. The devices are not properly onboarded to Microsoft Defender for Endpoint.
B. Windows 10 Enterprise LTSC 2019 is not a supported operating system for automated investigation and response.
C. The devices are not connected to the internet.
D. The security team does not have the required role permissions to initiate AIR.
Answer: B

AIR requires Windows 10 version 1709 or later. Windows 10 Enterprise LTSC 2019 is based on version 1809, and official documentation lists it as supported, so this scenario tests knowledge of SKU-specific support rather than a clear-cut documented restriction.

Why this answer

The keyed answer is B: the question treats Windows 10 Enterprise LTSC 2019 as a SKU on which AIR is not available. Note the nuance the author records: the documented AIR requirement is Windows 10 version 1709 or later, LTSC 2019 corresponds to version 1809, and the LTSC SKU is listed as supported for Defender for Endpoint, although some features such as AIR depend on specific updates being installed. When AIR fails to trigger on an otherwise supported build, the practical first checks are device onboarding and sensor health (option A).

827
MCQ · medium

Refer to the exhibit. An analyst runs Get-MpThreat on a device. Based on the output, what is the status of the threat?

A. The threat executed and is now inactive.
B. The threat was quarantined and is still active.
C. The threat is currently active on the device.
D. The threat was blocked and did not execute.
Answer: D

DidThreatExecute is False, IsActive is False.

Why this answer

Option D is correct because DidThreatExecute is False and IsActive is False, meaning the threat was blocked before execution. Option A is wrong because Action: 6 (Quarantine) indicates the threat was handled rather than executed. Option B is wrong because IsActive is False.

Option C is wrong because IsActive is False.

828
MCQ · easy

Refer to the exhibit. You have a Microsoft Sentinel playbook created as shown. When you test the playbook manually, it sends an email successfully. However, when an incident triggers the playbook via an automation rule, the email is not sent. What is the most likely cause?

A. The playbook does not have permission to read incidents.
B. The playbook uses an HTTP trigger instead of a Microsoft Sentinel trigger.
C. The email action is not configured correctly.
D. The Office 365 connection is not authorized.
Answer: B

Automation rules require a playbook with Microsoft Sentinel trigger.

Why this answer

Option B is correct because the playbook uses an HTTP trigger, but automation rules in Microsoft Sentinel trigger playbooks via the Microsoft Sentinel connector, not HTTP. The playbook must use a Microsoft Sentinel trigger (e.g., "When a response to a Microsoft Sentinel alert is triggered" or the incident trigger). Option D is wrong because the Office 365 connection exists and works when the playbook is tested manually.

Option C is wrong because the email action is configured and works manually. Option A is wrong because permissions are not the issue if the manual test succeeds.

829
MCQ · hard

You are a security operations analyst at a company that uses Microsoft Defender XDR and Microsoft Sentinel. You have configured a custom detection rule in Microsoft Defender XDR that uses a KQL query to detect suspicious PowerShell activity. The rule triggers an alert, but you want to automatically create an incident in Microsoft Sentinel and run a playbook that isolates the affected device. You have already set up the Microsoft Defender XDR connector in Sentinel and enabled incident creation from Defender XDR alerts. However, the playbook does not run automatically when a Defender XDR incident is created. You have verified that the playbook is properly configured and has the correct permissions. What should you do?

A. Create an automation rule in Microsoft Defender XDR to run the playbook.
B. Create an automation rule in Microsoft Sentinel that triggers on incident creation and runs the playbook.
C. Modify the Microsoft Defender XDR data connector in Sentinel to enable playbook execution.
D. Modify the custom detection rule in Defender XDR to include a 'run playbook' action.
Answer: B

Automation rules in Sentinel can trigger playbooks when incidents are created.

Why this answer

To automate playbook execution on incidents from Defender XDR, you need to create an automation rule in Microsoft Sentinel that triggers when an incident is created and then runs the playbook. Option B is correct. Option C (modify the Defender XDR connector) is wrong because the connector has no playbook execution setting.

Option A (create an automation rule in Defender XDR) is not possible; Defender XDR does not have automation rules for Sentinel playbooks. Option D (modify the custom detection rule) is wrong because custom detection rules do not trigger playbooks.

830
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You have a requirement to automatically tag incidents that involve resources from a specific subscription with the label 'Critical Subscription'. The subscription ID is stored in a watchlist. Incidents are created from multiple data sources. What is the most efficient way to apply the tag?

A. Create a playbook that runs on all incidents and checks the watchlist to apply the label.
B. Modify each analytics rule to include the subscription ID in the incident title.
C. Create an automation rule that runs when an incident is created, queries the watchlist, and if the subscription matches, applies the label.
D. Create a separate analytics rule for the subscription that generates incidents with the label.
Answer: C

Correct: Automation rules can evaluate conditions using watchlists.

Why this answer

Option C is correct because an automation rule can check the watchlist and apply the label. Option D is wrong because analytics rules do not tag incidents. Option B is wrong because it would require changing individual rules for each data source.

Option A is wrong because a playbook is more complex than needed for this task.

831
MCQ · medium

During a threat hunt in Microsoft Sentinel, you identify a series of successful logins from an unusual IP address to multiple Azure VM instances. The logins occur outside business hours. Which hunting technique would be most effective to correlate these events with potential lateral movement?

A. Run a KQL query that correlates sign-in logs with Azure activity logs using a common timestamp window.
B. Create a custom analytics rule in Microsoft Sentinel to alert on repeated logins from the same IP.
C. Use Microsoft Defender for Cloud Apps to perform session replay of the user's activities during that time.
D. Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel to detect anomalies.
Answer: C

Session replay provides a detailed reconstruction of user actions, revealing lateral movement steps.

Why this answer

Option C is correct because session replay allows you to reconstruct the sequence of events and identify lateral movement patterns. Option A is wrong because timeline correlation might miss the specific sequence. Option D is wrong because anomaly detection alone does not link the events.

Option B is wrong because an analytics rule is a detection, not a hunting technique.

832
MCQ · hard

Your SOC team uses Microsoft Sentinel and Microsoft Defender XDR. You have configured automated responses using playbooks. However, some playbooks fail to execute when triggered from Microsoft Defender XDR incidents. You need to ensure that the playbooks run successfully. What should you verify?

A. Confirm that the playbook is stored in the same resource group as Microsoft Sentinel.
B. Verify that the playbook is connected to Microsoft Teams for approval.
C. Ensure that the automation rule that triggers the playbook has the correct 'incident provider' set to 'Microsoft Defender XDR'.
D. Check that the service principal has global administrator role in Microsoft Entra ID.
Answer: C

This ensures the playbook runs for Defender XDR incidents.

Why this answer

Option C is correct because Microsoft Defender XDR incidents are only acted on when the automation rule is scoped to run for incidents from that provider within Microsoft Sentinel. Option B is wrong because a Microsoft Teams connection is not always required. Option D is wrong because RBAC (a Global Administrator role) is not the typical issue.

Option A is wrong because the playbook's resource group is not the primary concern.

833
MCQ · hard

A threat hunter is analyzing a potential advanced persistent threat (APT) that uses living-off-the-land binaries (LOLBins) like certutil.exe to download payloads. The hunter wants to find instances where certutil.exe was used to download files from the internet in the last week. Which KQL query in Microsoft Sentinel would be most effective?

A. DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "powershell.exe" | where ProcessCommandLine contains "-enc" | project Timestamp, DeviceName, ProcessCommandLine
B. DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "mshta.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine
C. DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "certutil.exe" | where ProcessCommandLine contains "-urlcache" or ProcessCommandLine contains "-split" | project Timestamp, DeviceName, ProcessCommandLine
D. DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "wscript.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine
Answer: C

certutil.exe with -urlcache is commonly used to download files.

Why this answer

Option C is correct because it looks for certutil.exe with the -urlcache or -split download parameters in the command line. Option B is wrong because it looks for mshta.exe. Option D is wrong because it looks for wscript.exe.

Option A is wrong because it looks for powershell.exe.

834
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Defender XDR's automated investigation and response (AIR) that can be enabled or configured by a security operations analyst? (Choose three.)

Select 3 answers
A. Automatically block an email message or attachment.
B. Automatically isolate a compromised device.
C. Automatically modify Data Loss Prevention policies.
D. Automatically suspend a user account.
E. Automatically create new analytics rules based on incident patterns.
Answers: A, B, D

AIR can take action on email threats.

Why this answer

Options A, B, and D are correct. AIR can automatically take remediation actions such as blocking email messages or attachments (A), isolating devices (B), and suspending user accounts (D). Option E is wrong because AIR does not automatically create analytics rules; that is a Microsoft Sentinel feature.

Option C is wrong because AIR does not modify DLP policies; that is Microsoft Purview.

835
Multi-Select · medium

A SOC analyst is building a scheduled analytics rule in Microsoft Sentinel to detect when a user is added to a privileged Microsoft Entra ID role (e.g., Global Administrator). Which two tables must be included in the KQL query to capture the role assignment event and to retrieve user details? (Choose 2.)

Select 2 answers
A. AADAuditLogs
B. SigninLogs
C. AzureActivity
D. IdentityInfo
Answers: A, D

Correct. This table logs all Microsoft Entra ID audit activities, including role assignments.

Why this answer

AADAuditLogs captures all directory audit events, including role assignment activities such as adding a user to a privileged Microsoft Entra ID role. This table is essential because it records the 'Add member to role' operation with details like the target user, role name, and initiating actor, which are required to detect the security event.

Exam trap

The trap here is that candidates often confuse SigninLogs (which only records authentication attempts) with AADAuditLogs (which records administrative changes), or they overlook IdentityInfo as a separate table needed for user details, assuming the audit log alone provides all necessary user attributes.

836
MCQ · hard

Refer to the exhibit. You run a PowerShell command to retrieve incidents from Microsoft Sentinel. How many active incidents are there?

A. 3
B. 2
C. 2
D. 1
Answer: B

Incidents 1001 and 1003 are Active.

Why this answer

The output shows statuses: Active (1001, 1003), Closed (1002), New (1004). Active incidents are those with status 'Active'. Option B is correct.

Option A counts all except closed. Option C counts only high severity. Option D counts all.

837
MCQ · hard

A security analyst is investigating an incident involving a suspicious process that was detected on multiple devices. The analyst wants to check if the same file hash was observed on other devices in the past 30 days. Which Microsoft 365 Defender table should be queried in KQL?

A. DeviceFileEvents
B. DeviceNetworkEvents
C. DeviceProcessEvents
D. DeviceEvents
Answer: A

DeviceFileEvents includes file creation, modification, and hash values.

Why this answer

Option A is correct because DeviceFileEvents contains file hash information and can be queried for file occurrences across devices. Option C is wrong because DeviceProcessEvents does not include the file hash. Option B is wrong because DeviceNetworkEvents deals with network connections.

Option D is wrong because DeviceEvents includes various events but not the file hash.

838
Multi-Select · medium

Which TWO of the following are required to enable user and entity behavior analytics (UEBA) in Microsoft Sentinel?

Select 2 answers
A. Microsoft Entra ID diagnostic logs must be streamed.
B. Azure subscription diagnostic logs must be enabled.
C. Windows Security Events via AMA must be ingested.
D. Microsoft Defender XDR connector must be configured.
E. UEBA must be enabled in the Sentinel settings.
Answers: C, E

Required for entity enrichment.

Why this answer

Option C is correct because Windows Security Events ingested via the Azure Monitor Agent (AMA) provide the necessary user and entity activity data (e.g., logon events, process creation) that UEBA analyzes to establish behavioral baselines and detect anomalies. Without this data source, UEBA lacks the raw security events required for user and entity profiling.

Exam trap

The trap here is that candidates assume UEBA requires premium connectors like Microsoft Defender XDR or Entra ID diagnostic logs, when in fact the core requirement is enabling UEBA in settings and ingesting a supported data source such as Windows Security Events via AMA.

839
MCQ · hard

You are a threat hunter for a company that uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to investigate a potential privilege escalation attack. You have collected process creation events from endpoints and want to identify instances where a process with low integrity level spawned a process with high integrity level. The DeviceProcessEvents table includes fields: DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, ProcessFileName, ProcessIntegrityLevel. You need to write an advanced hunting query that returns the top 10 devices where this escalation occurred most frequently in the last 7 days. Which query should you use?

A. DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessIntegrityLevel == "Low" and ProcessIntegrityLevel == "High" | summarize count() by DeviceName | top 10 by count_
B. DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessIntegrityLevel == "Medium" and ProcessIntegrityLevel == "High" | summarize count() by DeviceName | top 10 by count_
C. DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessIntegrityLevel != ProcessIntegrityLevel | summarize count() by DeviceName | top 10 by count_
D. DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName != ProcessFileName | summarize count() by DeviceName | top 10 by count_
Answer: A

Correctly detects low-to-high integrity transitions.

Why this answer

Option A correctly filters for low to high integrity transitions and counts per device. Option B uses wrong integrity levels. Option C does not filter by integrity.

Option D uses wrong fields.

840
MCQ · medium

Refer to the exhibit. A Microsoft Sentinel scheduled rule is configured as shown. The rule generates an alert, but the incident created contains only the first alert, and subsequent alerts do not update the incident. What is the most likely cause?

A. The triggerOperator and triggerThreshold are misconfigured.
B. The KQL query is missing a join to include more data.
C. The severity is set to High, which prevents incident updates.
D. The rule does not have incident grouping enabled.
Answer: D

Without grouping, each alert becomes a separate incident, so subsequent alerts create new incidents instead of updating the existing one.

Why this answer

Option D is correct because the rule does not have incident grouping configured (no incidentConfiguration), so each alert creates a new incident by default. Option B is wrong because the query is valid and returns results. Option A is wrong because the trigger operator and threshold are correct for alerting.

Option C is wrong because the severity is set correctly and does not affect incident updates.

841
MCQ · hard

Your organization uses Microsoft Sentinel and has deployed the Microsoft Sentinel Solution for Microsoft Defender XDR. You need to correlate alerts from Microsoft Defender for Endpoint with Microsoft Defender for Office 365 in a single incident. What is the recommended approach?

A. Ingest alerts from both products separately and use a KQL query in an analytics rule to correlate them.
B. Use the Microsoft 365 Defender connector to ingest unified incidents from Microsoft 365 Defender, which already correlates alerts from both products.
C. Create a workbook that displays alerts from both products side by side.
D. Use a Microsoft Sentinel fusion rule to correlate the alerts.
Answer: B

Microsoft 365 Defender creates unified incidents automatically.

Why this answer

Option B is correct because the Microsoft 365 Defender connector ingests unified incidents from Microsoft 365 Defender, which natively correlates alerts from Microsoft Defender for Endpoint and Microsoft Defender for Office 365 into a single incident. This is the recommended approach as it leverages the built-in correlation engine in Microsoft 365 Defender, eliminating the need for custom analytics rules or manual correlation.

Exam trap

The trap here is that candidates may think a fusion rule is the best way to correlate alerts from different sources, but the Microsoft 365 Defender connector is the recommended and more efficient approach because it ingests pre-correlated incidents from the unified XDR platform.

How to eliminate wrong answers

Option A is wrong because ingesting alerts separately and using a KQL query in an analytics rule to correlate them is inefficient and not recommended; it introduces latency and complexity, and Microsoft 365 Defender already provides native correlation. Option C is wrong because creating a workbook that displays alerts side by side does not correlate them into a single incident; workbooks are for visualization, not incident creation or correlation. Option D is wrong because a Microsoft Sentinel fusion rule is designed to correlate alerts from multiple sources into a single incident, but it is not the recommended approach when the Microsoft 365 Defender connector is available, as the connector provides pre-correlated incidents with higher fidelity and lower overhead.

842
MCQ · medium

Your organization uses Microsoft Sentinel. You need to create an incident response playbook that automatically isolates a compromised device when a high-severity incident is created. The playbook should only run during business hours (9 AM - 5 PM local time). How should you configure this?

A. Configure the analytics rule to only create incidents during business hours
B. Add a condition in the playbook to check the current time
C. Use a workbook to schedule the playbook
D. Create an automation rule with a condition on the incident creation time
Answer: D

Automation rules support conditions based on time.

Why this answer

Option D is correct because automation rules can have conditions such as time of day. Option B is wrong because playbooks do not have built-in time conditions. Option A is wrong because analytics rules do not support time-based triggers.

Option C is wrong because workbooks are for visualization, not automation.

843
MCQ · easy

A company wants to protect Azure virtual machines from brute force attacks by allowing remote desktop protocol (RDP) access only when explicitly requested and approved. Which Microsoft Defender for Cloud feature should they enable?

A. Adaptive network hardening
B. Just-in-time VM access
C. File integrity monitoring
D. Security recommendations
Answer: B

JIT allows users to request temporary inbound access to VMs, reducing exposure to brute force and other attacks.

Why this answer

Just-in-time (JIT) VM access in Microsoft Defender for Cloud locks down inbound traffic to Azure VMs by default, opening RDP (port 3389) only when a user requests access and is approved via Azure AD and Azure Policy. This directly addresses the requirement to allow RDP only on explicit request and approval, mitigating brute force attacks by reducing the attack surface.

Exam trap

The trap here is that candidates confuse Adaptive network hardening (which also involves NSG rules) with JIT VM access, but Adaptive network hardening only recommends permanent rule changes based on traffic patterns, not temporary, approval-based port openings.

How to eliminate wrong answers

Option A is wrong because Adaptive network hardening uses machine learning to recommend NSG rules based on historical traffic patterns, but it does not provide on-demand, approved access control for specific ports like RDP. Option C is wrong because File integrity monitoring (FIM) tracks changes to critical files and registry keys, not network access control or RDP port management. Option D is wrong because Security recommendations are advisory outputs from Defender for Cloud (e.g., 'Enable JIT access'), not a feature that itself enforces time-bound RDP access.

844
MCQ · medium

A SOC analyst creates a watchlist in Microsoft Sentinel from a CSV file containing IP ranges (10.0.0.0/16) and a tag. The analyst wants to use this watchlist in a KQL query to check if a sign-in IP is within the ranges. Which KQL function should be used?

A. _GetWatchlist('name') and use the has operator
B. _GetWatchlist('name') and use the in operator
C. _GetWatchlist('name') and use the ipv4_is_in_range function with the watchlist as a parameter
D. _GetWatchlist('name') and use the contains operator
Answer: C

ipv4_is_in_range(stringIP, stringRange) evaluates whether the IP is within the CIDR range. By passing the watchlist values, the analyst can match sign-in IPs against the stored ranges.

Why this answer

Option C is correct because the `ipv4_is_in_range` function is designed to check whether an IPv4 address falls within a specified CIDR range. When combined with `_GetWatchlist('name')`, you can iterate over the watchlist entries and use `ipv4_is_in_range` to compare the sign-in IP against each range. This is the only approach that correctly handles CIDR notation (e.g., 10.0.0.0/16) rather than performing string matching or exact value comparison.

Exam trap

The trap here is that candidates often confuse string-matching operators (has, contains, in) with IP-specific functions, failing to recognize that CIDR range evaluation requires a dedicated function like `ipv4_is_in_range`.

How to eliminate wrong answers

Option A is wrong because the `has` operator performs substring matching on strings, not IP range evaluation; it would incorrectly match partial IPs or fail to interpret CIDR notation. Option B is wrong because the `in` operator checks for exact equality of values, so it cannot match an IP against a CIDR range unless the IP exactly equals the range string. Option D is wrong because the `contains` operator also performs substring matching and would not evaluate whether an IP falls within a CIDR range.

845
Multi-Select · easy

Which TWO of the following are required to enable Microsoft Sentinel to receive alerts from Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A. Deploy the Log Analytics agent on all VMs.
B. Connect a non-Azure machine using Azure Arc.
C. Install the 'Microsoft Defender for Cloud' data connector in Microsoft Sentinel.
D. Enable Microsoft Defender for Cloud on the Azure subscription.
E. Assign an Azure Policy to enable Defender for Cloud.
Answers: C, D

The connector must be installed and configured.

Why this answer

Options C and D are correct. You need to install the Microsoft Defender for Cloud data connector in Sentinel (C) and ensure Defender for Cloud is enabled on the subscription (D). Option B (Azure Arc) is optional for non-Azure or multi-cloud machines, not required.

Option E is wrong because Defender for Cloud generates alerts without an Azure Policy assignment. Option A is wrong because the Log Analytics agent is not needed for Defender for Cloud alerts to reach Sentinel.

846
MCQ · medium

Your company uses Microsoft Sentinel. A security analyst receives an incident that includes a large number of alerts from a single data source. The analyst needs to identify which alerts are duplicates or related so they can focus on unique threats. Which feature should the analyst use?

A. Alert grouping
B. Investigation graph
C. Entity mapping
D. Automation rules
Answer: A

Alert grouping consolidates related alerts into a single incident.

Why this answer

Option A is correct because alert grouping in Microsoft Sentinel automatically groups similar alerts into a single incident, reducing noise. Option D is wrong because automation rules are for response, not grouping. Option C is wrong because entity mapping is for enriching alerts with entities.

Option B is wrong because the investigation graph is for exploring relationships, not grouping.

847
Multi-Select · easy

Which TWO of the following are recommended practices when performing threat hunting in Microsoft Sentinel? (Choose 2)

Select 2 answers
A. Create custom hunting queries based on hypothesis
B. Rely solely on automated detection rules
C. Disable all built-in analytics rules to avoid noise
D. Delete log data older than 30 days to improve query performance
E. Use watchlists to maintain high-value indicators for matching
Answers: A, E

Hypothesis-driven hunting is a best practice.

Why this answer

Options A and E are correct. Option A: creating custom hunting queries based on a hypothesis is essential for proactive hunting. Option E: using watchlists to maintain known high-value indicators helps with matching.

Option C is wrong because disabling built-in rules would miss possible incidents. Option D is wrong because deleting data reduces hunting scope. Option B is wrong because manual analysis is necessary alongside automation.

848
MCQ · easy

A security analyst is investigating a compromised user account using Microsoft 365 Defender. The analyst wants to see all the sign-in attempts made by this user in the last 24 hours, including the IP addresses and locations. Which advanced hunting table should the analyst query?

A. IdentityLogonEvents
B. AlertInfo
C. EmailAttachmentInfo
D. DeviceLogonEvents
Answer: A

IdentityLogonEvents logs user sign-in activities in Microsoft Entra ID, including IP addresses and geography, making it the correct table.

Why this answer

The IdentityLogonEvents table in Microsoft 365 Defender advanced hunting captures authentication events from Azure Active Directory, including sign-in attempts, IP addresses, and geographic locations. This makes it the correct table for an analyst investigating a compromised user account to review all sign-in activity over the last 24 hours.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (which covers local Windows logons) with IdentityLogonEvents (which covers cloud-based Azure AD sign-ins), leading them to select the wrong table for investigating cloud account compromises.

How to eliminate wrong answers

Option B (AlertInfo) is wrong because it contains metadata about alerts generated by detection mechanisms, not raw sign-in logs or IP addresses. Option C (EmailAttachmentInfo) is wrong because it focuses on email attachment metadata from Microsoft Defender for Office 365, unrelated to user authentication events. Option D (DeviceLogonEvents) is wrong because it records logon events on endpoints (Windows devices), not cloud-based Azure AD sign-ins, and does not include location data.

849
MCQ · medium

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the incident category. What should you configure?

A. Create an automation rule that runs a playbook to assign the incident.
B. Create an analytics rule that sets the owner field.
C. Create a custom incident label for each category.
D. Create a workbook that filters incidents by category.
Answer: A

Automation rules with playbooks can assign incidents.

Why this answer

Automation rules in Microsoft Sentinel can trigger a playbook when an incident is created or updated. By configuring an automation rule with a condition based on the incident category, you can invoke a playbook that uses the Microsoft Sentinel API or Logic Apps to set the incident's owner field, thereby assigning it to the appropriate analyst. This is the correct approach because automation rules are designed to run automated responses, including playbooks, on incidents.

Exam trap

The trap here is that candidates often confuse analytics rules (which create incidents) with automation rules (which act on existing incidents), leading them to incorrectly select option B thinking the rule itself can assign ownership during incident creation.

How to eliminate wrong answers

Option B is wrong because analytics rules generate alerts and incidents from log data; they do not have the capability to set the owner field on an incident—owner assignment is a post-creation action. Option C is wrong because custom incident labels are used for tagging and filtering, not for automated assignment or ownership changes. Option D is wrong because workbooks are visualization tools that display data; they cannot modify or assign incidents.

850
MCQ · hard

Refer to the exhibit. An analyst is reviewing a custom detection rule in Microsoft Sentinel. The rule is triggering many false positives from legitimate remote desktop connections. What should the analyst do to reduce false positives while keeping detection of pass-the-hash attacks?

A. Change the data source from SecurityEvent to Event.
B. Remove the AuthenticationPackage filter to include all packages.
C. Change LogonType to 10 to target remote interactive logons.
D. Add an exclusion for known administrative jump boxes.
Answer: D

Excluding known safe sources reduces false positives while keeping detection for other systems.

Why this answer

Option D is correct because adding a condition that excludes known administrative jump boxes that legitimately use NTLM removes known-good activity while keeping detection for all other systems. Option C is wrong because changing the logon type to 10 (remote interactive) would exclude many legitimate RDP connections. Option B is wrong because removing the NTLM filter would include all authentication packages, increasing false positives.

Option A is wrong because the query already uses SecurityEvent; switching to the Event table would not help.

851
MCQhard

Your organization uses Microsoft Sentinel with Azure Policy. You need to ensure that new Log Analytics workspaces are automatically connected to Sentinel and configured with a standard set of data connectors. What should you use?

A.Deploy an ARM template to each new workspace manually.
B.Use Sentinel automation rules to configure new workspaces.
C.Develop a Logic App that runs on a schedule to check for new workspaces.
D.Create Azure Policy definitions that deploy Sentinel and data connectors.
AnswerD

Azure Policy can automatically deploy resources and configure connectors.

Why this answer

Azure Policy can be used to automatically deploy and configure Microsoft Sentinel and its data connectors on new Log Analytics workspaces. By creating policy definitions with 'DeployIfNotExists' or 'Modify' effects, you ensure that any new workspace is automatically onboarded to Sentinel and has the required data connectors installed, meeting the requirement for automated, consistent configuration at scale.

Exam trap

The trap here is confusing automation rules (which handle incident response within Sentinel) with Azure Policy (which handles resource provisioning and compliance), leading candidates to incorrectly choose option B.

How to eliminate wrong answers

Option A is wrong because manually deploying an ARM template to each new workspace does not provide automated enforcement or scalability; it requires human intervention for every new workspace. Option B is wrong because Sentinel automation rules operate on incidents and alerts within an already-configured Sentinel workspace, not on the provisioning or configuration of the workspace itself. Option C is wrong because a scheduled Logic App would introduce latency and complexity, and it is not a native, policy-driven approach; Azure Policy provides real-time, event-driven enforcement without custom polling logic.

852
Multi-Selecthard

Which TWO actions should you take to reduce the cost of Microsoft Sentinel while maintaining security coverage?

Select 2 answers
A.Remove data connectors for non-critical sources.
B.Reduce the retention period of tables that do not require long-term storage.
C.Ingest verbose logs (e.g., DNS events) into Basic Logs tier.
D.Disable analytics rules that generate low-severity incidents.
E.Switch the workspace pricing tier from Capacity Reservations to Pay-as-you-Go.
AnswersB, C

Shorter retention reduces storage costs.

Why this answer

Option B is correct because reducing the retention period for tables that do not require long-term storage directly lowers the data storage costs in Microsoft Sentinel. Sentinel charges per GB of data stored, and by shortening retention (e.g., from 90 days to 30 days) for non-critical tables, you reduce the volume of data retained without affecting security monitoring or incident investigation for the shortened period.

Exam trap

The trap here is that candidates often confuse reducing data ingestion (Option A) with reducing storage costs, but the question explicitly requires maintaining security coverage, so removing data connectors would break that requirement.

853
MCQeasy

A SOC team uses Microsoft Sentinel and needs to ingest custom logs from an on-premises Linux server that writes events to a local text file. The team installs the Azure Monitor Agent (AMA) on the Linux server. Which configuration step is required in Sentinel to collect the custom log file?

A.Create a custom table in the Log Analytics workspace and configure a Data Collection Rule (DCR) to ingest the file
B.Use the Syslog connector and map the file to a facility
C.Install the Log Analytics agent (MMA) and configure Custom Logs in the agent settings
D.Create a scheduled analytics rule that reads the file via an API
AnswerA

AMA uses DCRs to ingest custom logs; you must define the table and transformation.

Why this answer

Option A is correct because Azure Monitor Agent (AMA) requires a Data Collection Rule (DCR) to define the data source (custom log file path) and the destination table in the Log Analytics workspace. Since the log is a custom text file (not syslog or a standard Windows event), you must first create a custom table (using the workspace's schema or via the 'Create custom log' wizard) and then configure the DCR to ingest the file into that table. This is the only supported method for AMA-based custom log ingestion.

Exam trap

The trap here is that candidates confuse the legacy MMA custom log configuration (which used the agent's own settings) with the modern AMA approach, which requires a DCR and a custom table — or they incorrectly assume Syslog can ingest any text file by simply mapping it to a facility.

How to eliminate wrong answers

Option B is wrong because the Syslog connector is designed for standard syslog messages (RFC 3164/5424) sent over UDP/TCP, not for reading arbitrary text files; mapping a file to a facility is not possible and would not parse the custom log format. Option C is wrong because the Log Analytics agent (MMA) is legacy and not recommended for new deployments; the question explicitly states the team installed AMA, so using MMA would be a step backward and incompatible with the stated agent choice. Option D is wrong because scheduled analytics rules query data already in Log Analytics; they cannot directly read files from a server via an API — that would require a custom data connector or a separate ingestion pipeline, not a rule.

854
Multi-Selecthard

Which THREE of the following are capabilities of Microsoft Copilot for Security?

Select 3 answers
A.Manage Azure Policy assignments.
B.Summarize incidents from Microsoft Defender XDR.
C.Automatically configure conditional access policies.
D.Generate KQL queries for Microsoft Sentinel.
E.Analyze scripts for malicious intent.
AnswersB, D, E

Copilot can provide incident summaries.

Why this answer

Options B, D, and E are correct: Copilot can summarize incidents, generate KQL queries, and analyze scripts. Option C is wrong because Copilot does not directly manage conditional access policies.

Option A is wrong because Azure Policy management is not a Copilot capability.

855
MCQmedium

Refer to the exhibit. You run this PowerShell script. What is the effect on the SecurityEvent table in the SOC-Workspace Log Analytics workspace?

A.The table will retain data interactively for 365 days, and data will be archived for an additional 365 days, total 730 days.
B.The table will retain data interactively for 90 days and archived for 275 days.
C.The table will be converted to Basic Logs.
D.The table will retain data for 730 days interactively.
AnswerA

Interactive retention is 365, total retention is 730, so archive is 365.

Why this answer

Option A is correct because the script sets the interactive retention to 365 days and the total retention (including archive) to 730 days. Option B is incorrect because it does not set to 90 and 365. Option C is incorrect because basic logs are not configured.

Option D is incorrect because it does not set both to 730.

856
Multi-Selectmedium

Which TWO actions can reduce the cost of Microsoft Sentinel while maintaining security coverage?

Select 2 answers
A.Remove unused data connectors.
B.Switch to a pay-as-you-go workspace.
C.Configure some tables to use Basic Logs tier.
D.Move older logs to Azure Storage archive tier.
E.Reduce workspace retention to 30 days for all tables.
AnswersC, D

Basic Logs are cheaper for ingestion.

Why this answer

Options C and D are correct because archiving reduces retention cost and Basic Logs reduce ingestion cost. Option A is wrong because removing data connectors deletes log sources and reduces coverage. Option E is wrong because decreasing retention deletes logs sooner.

Option B is wrong because Sentinel costs are separate from the Log Analytics workspace pricing tier.

857
MCQhard

Refer to the exhibit. You have a Logic Apps playbook that triggers on Microsoft Sentinel alerts. The playbook is not posting messages to Teams. What is the most likely cause?

A.The playbook is using the wrong trigger type.
B.The Teams connector is not authenticated.
C.The trigger body is not referencing the correct alert ID.
D.The JSON syntax is invalid.
AnswerA

The trigger should be 'When a Microsoft Sentinel alert is created'.

Why this answer

The playbook is triggered on Microsoft Sentinel alerts, but Logic Apps requires a specific trigger type to process these alerts correctly. The most likely cause is that the playbook uses a generic HTTP trigger instead of the 'Microsoft Sentinel Incident' or 'Microsoft Sentinel Alert' trigger, which is designed to parse the alert payload and provide the necessary context for downstream actions like posting to Teams. Without the correct trigger, the playbook may not receive the alert data or may fail to execute the Teams connector properly.

Exam trap

The trap here is that candidates often assume authentication issues (Option B) are the default cause for Teams failures, but the question's context of 'not posting messages' without errors points to a trigger mismatch rather than a connectivity problem.

How to eliminate wrong answers

Option B is wrong because if the Teams connector were not authenticated, the playbook would typically fail with an authentication error, not silently fail to post messages; the question implies no error is reported, so authentication is likely valid. Option C is wrong because the trigger body not referencing the correct alert ID would cause a data mapping issue, but the playbook would still attempt to run and likely produce an error or incorrect output, not a complete failure to post. Option D is wrong because invalid JSON syntax would cause the playbook to fail at design time or trigger a validation error, preventing it from running at all, whereas the playbook is running but not posting messages.

858
Multi-Selecthard

Which TWO are valid methods to ingest logs into Microsoft Sentinel from a non-Azure virtual machine? (Select TWO.)

Select 2 answers
A.Azure Monitor Agent (AMA) with Azure Arc
B.Log Analytics agent (MMA) – legacy
C.Microsoft Sentinel agent (standalone)
D.Azure Monitor Agent (AMA) without Azure Arc
E.Log Analytics agent (OMS) – deprecated
AnswersA, B

AMA can be installed on non-Azure VMs via Azure Arc.

Why this answer

Options A and B are correct because AMA (connected through Azure Arc) and the legacy MMA are both valid agents for a non-Azure VM. Option C is wrong because there is no standalone Microsoft Sentinel agent; MMA or AMA is used. Option D is wrong because AMA on a non-Azure VM requires Azure Arc; AMA itself is available for both Windows and Linux, so the platform is not the issue.

Option E is wrong because the OMS agent is the same as MMA, and that name is deprecated.

859
Multi-Selectmedium

Which THREE techniques are commonly used in Microsoft Sentinel threat hunting to identify command and control (C2) communication? (Select THREE.)

Select 3 answers
A.Analyzing email headers for phishing
B.Detecting DNS tunneling
C.Analyzing network beaconing patterns
D.Examining SSL/TLS certificate anomalies
E.Identifying brute force attempts
AnswersB, C, D

DNS tunneling is a known C2 technique.

Why this answer

Options B, C, and D are correct because analyzing beaconing patterns, detecting DNS tunneling, and examining SSL/TLS certificate anomalies are common C2 detection methods. Option E is wrong because brute force detection is for credential attacks, not C2. Option A is wrong because analyzing email headers is for phishing, not C2.

860
MCQeasy

You are hunting for signs of pass-the-hash (PtH) attacks. Which Windows Security Event ID should you focus on to detect anomalous NTLM authentication using a hash?

A.4672 (Special Logon)
B.4648 (Explicit Credential)
C.4776 (Credential Validation)
D.4624 (Logon) with LogonType 3
AnswerD

Event 4624 with LogonType 3 indicates network logon, which can be used for PtH detection.

Why this answer

Option D is correct because Event ID 4624 (successful logon) with LogonType 3 (network) can indicate PtH when paired with an unusual source IP. Option C (4776) is for credential validation but does not necessarily indicate PtH. Option B (4648) is for explicit credentials.

Option A (4672) is for special privileges.

861
MCQhard

You are hunting for signs of Kerberoasting in Microsoft Sentinel. Which hunting query using KQL would you use to identify service principal names (SPNs) being queried via Kerberos TGS requests?

A.SecurityEvent | where EventID == 4769 and TicketEncryptionType == 0x17
B.DeviceEvents | where ActionType == 'KerberosTicketRequest'
C.DeviceLogonEvents | where LogonType == 'Kerberos' and AccountDomain == 'Service'
D.SecurityEvent | where EventID == 4768 and TicketEncryptionType == 0x17
AnswerA

Event 4769 is TGS request; 0x17 is RC4 encryption.

Why this answer

Kerberoasting involves requesting TGS tickets for SPNs. Option A is correct because SecurityEvent 4769 logs TGS requests, and TicketEncryptionType 0x17 indicates the RC4 encryption used in Kerberoasting. Option D is incorrect because Event 4768 is for TGT requests.

Option C is incorrect because DeviceLogonEvents may not contain SPN details. Option B is incorrect because DeviceEvents may not capture this security event.

862
MCQeasy

Your security team needs to assign a custom role in Microsoft Sentinel that allows read and write access to incidents but not to analytics rules. Which built-in role should you use as a base for the custom role?

A.Microsoft Sentinel Responder
B.Microsoft Sentinel Reader
C.Microsoft Sentinel Contributor
D.Global Administrator
AnswerA

Responder can manage incidents but not analytics rules.

Why this answer

The Microsoft Sentinel Responder role has read and write access to incidents and read access to other data, but not write access to analytics rules. Option C is wrong because Microsoft Sentinel Contributor has full access, including analytics rules. Option B is wrong because Microsoft Sentinel Reader is read-only.

Option D is wrong because Global Administrator is too broad.

863
MCQeasy

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos activity that may indicate a golden ticket attack. Which of the following actions should you take to investigate this alert?

A.Immediately reset the krbtgt account password twice
B.Export the Active Directory event logs to Microsoft Sentinel for analysis
C.Review the alert details in the Microsoft Defender for Identity portal and analyze related events
D.Disable the user account that triggered the alert
AnswerC

The portal provides investigation capabilities.

Why this answer

The correct answer is C because the Microsoft Defender for Identity portal provides detailed investigation experiences for identity-based alerts. Option A is wrong because resetting the password might not be sufficient and could alert the attacker. Option D is wrong because disabling the user prematurely might disrupt operations.

Option B is wrong because exporting logs is not an immediate investigation step.

864
MCQhard

During an incident investigation, you find that a compromised account was used to log into a virtual machine via RDP from an IP address in a sanctioned country. The VM has Microsoft Defender for Endpoint installed. Which data source in Microsoft Sentinel would you query to see the RDP connection events?

A.DeviceLogonEvents (Microsoft Defender XDR)
B.CommonSecurityLog
C.SigninLogs (Microsoft Entra ID)
D.SecurityEvent
AnswerD

SecurityEvent collects Windows security events including RDP logons (Event ID 4624) when configured.

Why this answer

Option D is correct because RDP connection events on a Windows machine are captured in the SecurityEvent table (Event ID 4624). Option B (CommonSecurityLog) is for network traffic logs. Option C (SigninLogs) is for sign-in logs from Microsoft Entra ID (Azure AD), not local Windows logons.

Option A (DeviceLogonEvents) is for advanced hunting in Defender for Endpoint and is not ingested into Sentinel by default.

865
Multi-Selecthard

Which THREE conditions must be met for a Microsoft Sentinel incident to be automatically closed by a playbook?

Select 3 answers
A.The playbook must have the 'Microsoft Sentinel Incident' connector with 'Update incident' action.
B.The analytics rule that generated the incident must have 'Create incident' enabled.
C.The automation rule must have the 'Run playbook' action.
D.The incident must have a classification set.
E.The playbook must be triggered on incident creation.
AnswersA, B, C

To close, the playbook needs to update the incident status.

Why this answer

The playbook must use the 'Update incident' action of the Microsoft Sentinel Incident connector, the analytics rule must have automatic incident creation enabled, and the playbook must be assigned to the automation rule. A closing reason and classification are not required but may be set.

866
MCQhard

You are responsible for Microsoft Defender for Cloud Apps. The security team reports that they are not receiving alerts for suspicious activities from a specific connected app (Salesforce). You verify that the app is connected and the log collection is working. What should you check next?

A.Review the IP address ranges configured for the Salesforce app.
B.Ensure that the anomaly detection policy for Salesforce is enabled in Defender for Cloud Apps.
C.Check if the Salesforce app connector is properly configured in Microsoft Entra ID.
D.Verify that the Salesforce tenant is licensed for Microsoft Entra ID P2.
AnswerB

Anomaly detection policies must be enabled per app to generate alerts.

Why this answer

Option B is correct because Defender for Cloud Apps has anomaly detection policies that need to be enabled for each app; if the policy is not enabled, alerts will not be generated. Option C is wrong because the app is already connected.

Option D is wrong because Microsoft Entra ID is not directly involved in alert generation. Option A is wrong because IP address ranges are for categorization, not alert generation.

867
MCQhard

You are deploying Microsoft Sentinel using the above ARM template parameters. After deployment, you notice that Microsoft Defender for Cloud alerts are not being ingested. What is the MOST likely reason?

A.UEBA is enabled, which conflicts with Defender for Cloud data ingestion.
B.The workspace location (eastus) does not support Defender for Cloud connector.
C.The 'MicrosoftThreatProtection' connector only ingests Microsoft Defender XDR signals, not Defender for Cloud alerts.
D.The workspace name 'sentinel-workspace' is reserved for internal use.
AnswerC

Defender for Cloud alerts require 'AzureSecurityCenter' connector.

Why this answer

Option C is correct because 'MicrosoftThreatProtection' in the dataConnectors list refers to Microsoft Defender XDR, not Defender for Cloud. Defender for Cloud requires the 'AzureSecurityCenter' data connector. Option A is wrong because UEBA is enabled but does not affect data ingestion.

Option B is wrong because location does not affect connector availability. Option D is wrong because workspace name is valid.

868
MCQmedium

A security team needs to enforce that all Azure virtual machines have a specific custom script execution baseline (e.g., block PowerShell from executing scripts from the internet). They want to use Microsoft Defender for Cloud to continuously monitor and alert when a VM deviates from this baseline. Which feature should they use?

A.Just-In-Time VM Access (JIT)
B.Adaptive application controls
C.Regulatory compliance dashboard
D.File Integrity Monitoring (FIM)
AnswerB

This feature allows you to define allowlists and blocklists for applications and scripts, and alerts on any deviation, such as a PowerShell script from the internet being executed.

Why this answer

Adaptive application controls (AAC) in Microsoft Defender for Cloud allow you to define allowlists for applications and scripts that can run on your Azure VMs. By configuring AAC to block PowerShell scripts from the internet, the service uses machine learning to establish a baseline of allowed executables and scripts, then continuously monitors for deviations—such as an unauthorized PowerShell script execution—and generates security alerts. This directly meets the requirement for continuous monitoring and alerting on custom script execution baselines.

Exam trap

The trap here is that candidates confuse File Integrity Monitoring (FIM) with script execution control, but FIM only monitors file and registry changes, not the execution behavior of scripts or applications.

How to eliminate wrong answers

Option A is wrong because Just-In-Time VM Access (JIT) controls network access to management ports (e.g., RDP, SSH) and does not monitor or enforce script execution policies. Option C is wrong because the Regulatory compliance dashboard tracks compliance against standards like ISO 27001 or PCI DSS, not custom script execution baselines. Option D is wrong because File Integrity Monitoring (FIM) monitors changes to registry keys and critical files (e.g., system binaries), not script execution behavior or PowerShell policies.

869
MCQeasy

You are responding to a security incident involving a user who clicked on a malicious link in an email. The link led to a website that downloaded a file to the user's device. Microsoft Defender for Endpoint (MDE) detected the file as malware and blocked it. However, the user reports that the device is running slowly. You need to verify if there are any remnants of the malware. Which action should you take?

A.Re-onboard the device to MDE to ensure it's fully managed.
B.Run a full antivirus scan using Microsoft Defender Antivirus.
C.Initiate a live response session and run a PowerShell script to check for persistence mechanisms.
D.Perform a full OS reinstall to ensure the device is clean.
AnswerC

Live response enables remote investigation and remediation.

Why this answer

Option C is correct because MDE's live response lets you run commands and scripts on the device to check for remnants. Option B is wrong because the malware was already blocked, so an antivirus scan may not find anything new. Option A is wrong because the device is already onboarded to MDE.

Option D is wrong because a full OS reinstall is too drastic and not necessary.

870
Multi-Selectmedium

An analyst is investigating a ransomware outbreak using Microsoft 365 Defender Advanced Hunting. They need to find all devices where a file with the extension '.locked' was created within one hour after a known malicious process (e.g., 'ransomware.exe') was executed on the same device. Which two tables should be joined in the query? (Choose 2.)

Select 2 answers
A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceFileEvents
D.DeviceRegistryEvents
AnswersA, C

Correct. This table records process creation events, including the malicious executable.

Why this answer

DeviceProcessEvents is correct because it logs process creation events, including the execution of 'ransomware.exe'. This table is essential to identify the timestamp and device where the malicious process ran, which serves as the starting point for the time-bound investigation.

Exam trap

The trap here is that candidates may mistakenly choose DeviceNetworkEvents thinking network activity is key, but the question specifically requires file creation events, which only DeviceFileEvents provides.

871
MCQmedium

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect when a user is added to the Global Administrator role in Microsoft Entra ID. The analyst also needs to capture the user who performed the addition. Which Microsoft Entra ID table should the analyst query in the rule's KQL query?

A.SigninLogs
B.AuditLogs
C.IdentityInfo
D.BehaviorAnalytics
AnswerB

AuditLogs captures directory changes, including role assignment, with information about the actor and target.

Why this answer

The AuditLogs table in Microsoft Entra ID (formerly Azure AD) records all directory-level changes, including role assignments like adding a user to the Global Administrator role. Each audit log entry contains the 'InitiatedBy' property, which captures the user or service principal who performed the action, meeting the analyst's requirement to identify the actor. SigninLogs only tracks authentication events, not administrative changes, making AuditLogs the correct choice for this detection.

Exam trap

The trap here is that candidates confuse SigninLogs (which tracks who logged in) with AuditLogs (which tracks who made a change), assuming the actor's identity is always found in sign-in records rather than in directory audit trails.

How to eliminate wrong answers

Option A is wrong because SigninLogs captures user sign-in events (authentication) and does not include directory modification records such as role assignments. Option C is wrong because IdentityInfo provides user profile and attribute data (e.g., job title, department) but does not log administrative actions or role changes. Option D is wrong because BehaviorAnalytics contains user and entity behavior analytics (UEBA) insights derived from other logs, not raw audit records of role additions.

872
MCQhard

Your organization uses Microsoft Sentinel with Azure Monitor Agent (AMA) to collect Windows security events. You need to collect process creation events (Event ID 4688) and include command-line information. The current Data Collection Rule (DCR) collects only basic security events. What should you modify?

A.Upgrade the AMA to the latest version.
B.Enable the 'Include command line in process creation events' policy in Windows Group Policy.
C.Modify the DCR to include Event ID 4688 in the data source.
D.Switch to the Windows Security Events via Legacy Agent connector.
AnswerB

This policy ensures Windows logs the command line in Event ID 4688.

Why this answer

Option B is correct because Event ID 4688 (process creation) can include command-line arguments, but this data is not captured by default. The 'Include command line in process creation events' Group Policy setting must be enabled on the Windows machines to populate the CommandLine field in the security event log. Without this policy, the AMA and DCR will collect the event but the command-line information will be empty.

Exam trap

The trap here is that candidates assume modifying the DCR to include the event ID is sufficient, but they overlook the prerequisite Windows policy that must be enabled to populate the command-line data within the event itself.

How to eliminate wrong answers

Option A is wrong because upgrading the AMA version does not enable command-line capture; the AMA already supports collecting Event ID 4688 with command-line data if the underlying event contains it. Option C is wrong because modifying the DCR to include Event ID 4688 will collect the event, but the command-line field will remain blank unless the Group Policy setting is enabled first. Option D is wrong because switching to the legacy agent connector does not solve the command-line requirement; the legacy agent also relies on the same Group Policy setting to populate the command-line data.

873
MCQmedium

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel to detect anomalous Microsoft Entra ID sign-ins. The rule uses the SigninLogs table and runs every 15 minutes. The analyst wants to alert when a user signs in from a country that is not in the allowed list (['US', 'CA']). Which KQL query pattern should be used in the rule?

A.SigninLogs | where Location.countryOrRegion !in (dynamic(['US','CA']))
B.SigninLogs | where Country !in ('US','CA')
C.SigninLogs | where location != 'US' and location != 'CA'
D.SigninLogs | where geoLocation !in (dynamic(['US','CA']))
AnswerA

Location is a dynamic field containing countryOrRegion. The !in operator with a dynamic array correctly checks for countries not in the allowed list.

Why this answer

Option A is correct because the SigninLogs table stores the sign-in location in the `Location.countryOrRegion` field, which is a nested property of the `Location` dynamic object. The KQL operator `!in` with `dynamic(['US','CA'])` correctly performs a case-sensitive comparison against a list of string values, ensuring that only sign-ins from countries outside the allowed list trigger the alert.

Exam trap

The trap here is that candidates often confuse the flat field name `Country` or `location` with the correct nested property `Location.countryOrRegion`, leading them to choose options that reference non-existent or incorrectly named columns.

How to eliminate wrong answers

Option B is wrong because the `Country` field does not exist in the SigninLogs table; the correct field is `Location.countryOrRegion`. Option C is wrong because it uses `location` rather than the correct property path `Location.countryOrRegion`; the `!=` operator does perform a case-sensitive comparison, but the more critical problem is the wrong field name. Option D is wrong because `geoLocation` is not a valid field in SigninLogs; the `!in` operator with `dynamic()` is syntactically correct but applied to the wrong column.

874
MCQeasy

Your organization uses Microsoft Sentinel. You receive an alert for a suspicious sign-in from an unusual location. You want to automatically create an incident and assign it to the security team for investigation. What should you configure?

A.Add the user to a watchlist and configure a fusion rule.
B.Create a playbook that triggers on the alert and creates an incident manually.
C.Modify the analytics rule to set the incident creation setting to 'Create incident from alert'.
D.Configure an automation rule that runs when the alert is generated, creates an incident, and sets the owner to the security team.
AnswerD

Automation rules can automatically create incidents from alerts and assign them to analysts.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can automatically create incidents from alerts and assign them to analysts. Option B is wrong because playbooks are for automated responses, not incident creation. Option C is wrong because analytics rules create alerts, not incidents directly.

Option A is wrong because watchlists are for enrichment, not incident creation.

875
MCQeasy

A SOC analyst is creating a new analytics rule in Microsoft Sentinel to detect when a user account is disabled. The analyst needs to select a rule template that uses Microsoft Entra ID audit logs. Which rule type should the analyst choose?

A.Scheduled
B.NRT (Near-Real-Time)
C.Anomaly
D.Fusion
AnswerA

Correct. Scheduled rules query data at regular intervals and can use any table in the workspace, including AuditLogs from Microsoft Entra ID.

Why this answer

A scheduled query rule is the correct choice because it allows the analyst to define a KQL query that runs on a fixed interval (e.g., every 5 minutes) against Microsoft Entra ID audit logs, which are stored in the AuditLogs table. This is the standard approach for detecting patterns like account disable events, as it provides full control over the query logic and scheduling frequency.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled rules, assuming NRT provides faster detection for all data sources, but NRT rules cannot query AuditLogs because they are limited to tables with high ingestion velocity like CommonSecurityLog or SecurityEvent.

How to eliminate wrong answers

Option B (NRT) is wrong because NRT rules are designed for near-real-time detection with a 1-minute latency and limited KQL functions, but they cannot query Microsoft Entra ID audit logs directly; they are optimized for high-frequency data like security events. Option C (Anomaly) is wrong because anomaly rules use machine learning to detect unusual patterns based on baseline behavior, not static events like account disablement, and they require specific anomaly detection configurations. Option D (Fusion) is wrong because Fusion is a correlation-based rule that automatically combines alerts from multiple sources to detect multi-stage attacks, and it does not allow custom KQL queries against audit logs.

876
MCQeasy

Your organization wants to use Microsoft Sentinel's built-in threat intelligence feeds to enrich alerts. Which data connector should you enable?

A.Office 365 connector.
B.Threat Intelligence - TAXII connector.
C.Microsoft 365 Defender connector.
D.Microsoft Defender for Cloud connector.
AnswerB

This connector ingests threat indicators from TAXII feeds.

Why this answer

The Threat Intelligence - TAXII connector allows you to ingest threat indicators from STIX/TAXII sources into the ThreatIntelligenceIndicator table, where analytics rules can match them against ingested events. Option B is correct. Option A is wrong because the Office 365 connector ingests productivity and audit logs, not indicators.

Option C is wrong because the Microsoft 365 Defender connector brings in incidents, alerts and raw advanced hunting events from Defender products. Option D is wrong because the Microsoft Defender for Cloud connector is for security alerts from Defender for Cloud.

877
MCQmedium

A security analyst is investigating a potential business email compromise (BEC) campaign. The analyst wants to find all emails that were sent to external recipients from an internal user's mailbox that also had a login from an unusual location shortly after the email was sent. Which advanced hunting tables should the analyst query to get the email metadata and the sign-in details?

A.EmailEvents and AADSignInEventsBeta
B.EmailPostDeliveryEvents and DeviceLogonEvents
C.EmailAttachmentInfo and IdentityLogonEvents
D.EmailUrlInfo and CloudAppEvents
AnswerA

EmailEvents provides email send metadata, and AADSignInEventsBeta provides sign-in details. Joining on the sender's email address and the sign-in user principal name enables correlation.

Why this answer

Option A is correct because EmailEvents stores email metadata (sender, recipient, subject, direction, delivery action) and AADSignInEventsBeta captures Microsoft Entra ID sign-in logs, including country and IP address. Joining the sender address (SenderFromAddress) to the sign-in AccountUpn and keeping only sign-ins within a window after the send time correlates outbound mail to external recipients with an unusual sign-in location, which is exactly the BEC investigation scenario. Note that AADSignInEventsBeta is a preview table and is only populated for tenants with a Microsoft Entra ID P2 licence.

Exam trap

The trap here is that candidates confuse DeviceLogonEvents or IdentityLogonEvents with the Microsoft Entra ID sign-in log, not realizing that AADSignInEventsBeta is the advanced hunting table that carries the cloud sign-in detail (country, IP, application, conditional access result) needed to judge whether a mailbox logon came from an unusual location.

How to eliminate wrong answers

Option B is wrong because EmailPostDeliveryEvents contains post-delivery actions (e.g., remediation, ZAP) and DeviceLogonEvents captures device-level logons (e.g., Windows sign-ins), not mailbox sign-ins or email metadata; this combination cannot correlate email sends with Entra ID sign-in locations. Option C is wrong because EmailAttachmentInfo only provides attachment metadata (file name, hash) and IdentityLogonEvents records authentication captured by Defender for Identity (on-premises Active Directory) and Defender for Cloud Apps, not the Entra ID sign-in log with its location details; the pair lacks the core email metadata needed. Option D is wrong because EmailUrlInfo stores URLs extracted from emails and CloudAppEvents tracks activities in cloud apps (e.g., Office 365 operations); CloudAppEvents does not provide the sign-in location and timestamp needed for the unusual-login correlation, because it records app-level actions rather than authentication events.
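The correlation from the scenario above, written as an added advanced hunting example that is not part of the original question set. Both datatables are constructed stand-ins for EmailEvents and AADSignInEventsBeta so the query runs as-is; replace them with the real tables in a tenant. The organisation domain, addresses, countries and IP addresses are invented, and the per-user "usual countries" baseline is built from the sample's earlier sign-ins (in production it would come from a separate 30-day lookback).

```kql
// Added example: outbound mail to external recipients followed, within a
// window, by a sign-in from a country the sender has not used before.
let OrgDomain = "contoso.com";
let Window = 1h;                                   // sign-in must follow the send within this window
let BaselineEnd = datetime(2024-05-01T09:00:00Z);  // production: ago(1d), with a 30d lower bound
// Constructed stand-in for EmailEvents.
let EmailEventsSample = datatable(
    Timestamp: datetime, NetworkMessageId: string, SenderFromAddress: string,
    RecipientEmailAddress: string, Subject: string, EmailDirection: string, DeliveryAction: string)
[
    datetime(2024-05-01T09:00:00Z), "msg-1", "jdoe@contoso.com",
        "payments@vendor.example", "Updated banking details", "Outbound", "Delivered",
    datetime(2024-05-01T09:01:00Z), "msg-2", "jdoe@contoso.com",
        "asmith@contoso.com", "Lunch?", "Intra-org", "Delivered",
    datetime(2024-05-01T09:03:00Z), "msg-3", "billing@vendor.example",
        "jdoe@contoso.com", "Invoice 4411 overdue", "Inbound", "Delivered"
];
// Constructed stand-in for AADSignInEventsBeta.
let SignInsSample = datatable(
    Timestamp: datetime, AccountUpn: string, Country: string, IPAddress: string, ErrorCode: int)
[
    datetime(2024-05-01T08:40:00Z), "jdoe@contoso.com",   "US", "203.0.113.10", 0,
    datetime(2024-05-01T09:20:00Z), "jdoe@contoso.com",   "NG", "198.51.100.77", 0,
    datetime(2024-05-01T09:30:00Z), "asmith@contoso.com", "US", "203.0.113.11", 0
];
// Per-user set of countries seen in earlier successful sign-ins.
let Baseline = SignInsSample
| where ErrorCode == 0 and Timestamp < BaselineEnd
| summarize UsualCountries = make_set(Country) by AccountUpn = tolower(AccountUpn);
EmailEventsSample
// Mail leaving the tenant from an internal mailbox.
| where EmailDirection == "Outbound" and SenderFromAddress endswith strcat("@", OrgDomain)
| project SentTime = Timestamp, NetworkMessageId, Subject, RecipientEmailAddress,
          AccountUpn = tolower(SenderFromAddress)
// Successful sign-ins by the same account ...
| join kind=inner (
    SignInsSample
    | where ErrorCode == 0
    | project SignInTime = Timestamp, AccountUpn = tolower(AccountUpn), Country, IPAddress
  ) on AccountUpn
// ... that happened shortly after the message was sent.
| where SignInTime between (SentTime .. (SentTime + Window))
// Flag only countries outside the user's baseline (or users with no baseline at all).
| join kind=leftouter Baseline on AccountUpn
| where isnull(UsualCountries) or not(set_has_element(UsualCountries, Country))
| project SentTime, AccountUpn, RecipientEmailAddress, Subject, NetworkMessageId,
          SignInTime, Country, IPAddress
```

On the sample data this returns one row: msg-1 from jdoe to the external vendor, paired with the sign-in from NG twenty minutes later; the intra-org message and the inbound invoice are excluded by the direction filter. Lowercasing both sides of the join matters because SenderFromAddress and AccountUpn are not guaranteed to share casing.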

878
MCQmedium

A security analyst is investigating a phishing incident and needs to find the specific email message that was delivered to a user. The analyst knows the subject line and the sender domain. Which advanced hunting table should the analyst query?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.EmailPostDeliveryEvents
AnswerA

Correct. EmailEvents contains the subject, sender domain, recipient, and delivery status.

Why this answer

The EmailEvents table in Microsoft Defender XDR's advanced hunting schema contains the core properties of email messages, including subject line, sender domain, recipient details, and delivery status. Since the analyst needs to find a specific email by subject and sender domain, this table is the correct starting point for querying delivered messages.

Exam trap

The trap here is that candidates confuse EmailEvents with EmailPostDeliveryEvents, thinking post-delivery actions are needed to find the original message, but EmailEvents is the only table that stores the subject and sender domain for delivered emails.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it focuses on attachment metadata (file name, hash, size) and does not include the subject line or sender domain fields needed to locate the email by those criteria. Option C (EmailUrlInfo) is wrong because it stores URLs extracted from email bodies or attachments, not the email's subject or sender domain. Option D (EmailPostDeliveryEvents) is wrong because it records actions taken after delivery (e.g., ZAP, user-reported phishing) and lacks the original subject line and sender domain required to identify the initial message.

879
Multi-Selecteasy

You are configuring Microsoft Sentinel analytics rules. Which THREE of the following are valid types of analytics rules in Microsoft Sentinel?

Select 3 answers
A.Fusion rule
B.Microsoft Security rule
C.Watchlist rule
D.Scheduled query rule
E.Playbook rule
AnswersA, B, D

Fusion rules use advanced detection.

Why this answer

Options A, B, and D are correct. Fusion (A) rules use machine learning to correlate alerts into multi-stage attack incidents, Microsoft Security (B) rules create incidents from alerts produced by Microsoft security products, and Scheduled query (D) rules run a KQL query on a schedule. The other built-in types are NRT, Anomaly, ML Behavior Analytics and Threat Intelligence. Option C is wrong because Watchlist rules are not a rule type; watchlists are reference data that scheduled rules can join against.

Option E is wrong because Playbook rules are not a rule type; playbooks are automated responses.

880
MCQmedium

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user received a phishing email that contained a link to a malicious domain. The user clicked the link, but the domain was blocked by Microsoft Defender for Office 365 at the time of click. The analyst needs to view the full details of the click verdict, including the time of click and the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

A.Attachments tab
B.Detection details section
C.Timeline section
D.User entity page
AnswerB

The Detection details section on the email entity page provides the click verdict, block reason, and action taken for URLs.

Why this answer

The Detection details section in the Microsoft 365 Defender portal provides the full click verdict for a URL, including the exact time of the click and the specific block action (e.g., blocked by custom block list, blocked by reputation). This information is part of the URL click verdict data logged by Microsoft Defender for Office 365 when Safe Links evaluates a clicked link. The analyst can access this by navigating to the incident's URL entity and selecting the Detection details tab. The same click records are available in advanced hunting through the UrlClickEvents table, whose ActionType column distinguishes allowed, blocked and clicked-through verdicts, which is useful when the same URL must be checked across many users.

Exam trap

The trap here is that candidates often confuse the Timeline section (which shows general event chronology) with the Detection details section (which provides the specific URL click verdict and block action), leading them to select Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because the Attachments tab only shows details about email attachments (e.g., file hashes, malware detections), not URL click verdicts or block actions. Option C is wrong because the Timeline section provides a chronological view of alerts and events but does not expose the granular click verdict details like the specific block action or exact click time for a URL. Option D is wrong because the User entity page shows user-related information (e.g., risk level, activity, alerts) but does not contain the URL click verdict data, which is tied to the URL entity itself.

881
MCQhard

Your security operations center uses Microsoft Sentinel and Microsoft Defender XDR. A new type of attack involves a user receiving a malicious email that triggers a macro, which then executes PowerShell to download a payload. You need to create a detection that correlates email, process creation, and network connection events from multiple Microsoft 365 Defender sources. What should you use?

A.Advanced hunting in Microsoft 365 Defender
B.Scheduled query rule in Microsoft Sentinel
C.Custom detection rule in Microsoft 365 Defender
D.Fusion rule in Microsoft Sentinel
AnswerA

Advanced hunting can query across email, process, and network tables.

Why this answer

Advanced hunting in Microsoft 365 Defender is the correct choice because it allows you to write Kusto Query Language (KQL) queries that can join data across multiple tables from different Microsoft 365 Defender sources, such as EmailEvents, DeviceProcessEvents, and DeviceNetworkEvents. This enables correlation of the email receipt, macro-triggered PowerShell process creation, and subsequent network connection to a malicious IP or domain in a single query, which is exactly what the scenario requires.

Exam trap

The trap here is reaching for a prebuilt correlation engine (Fusion) or a Sentinel scheduled rule when the requirement is a specific join across raw Microsoft 365 Defender event tables. That join is written and validated in advanced hunting; a custom detection rule is the scheduled form of the same advanced hunting query, so it is not a different detection mechanism but a way to run the query on a cadence with response actions attached.

How to eliminate wrong answers

Option B is wrong because a scheduled query rule in Microsoft Sentinel operates on the copy of the data ingested into the Log Analytics workspace; it only sees EmailEvents, DeviceProcessEvents and DeviceNetworkEvents if those tables are streamed through the Microsoft 365 Defender connector, and it adds ingestion latency and cost that the native query does not. Option C is not the best answer here because a custom detection rule is built from an advanced hunting query: the cross-table KQL must first be written and tested in advanced hunting, and the rule then adds a schedule, the required Timestamp, ReportId and entity columns (for example DeviceId), and optional response actions. Custom detections can join across tables; the limitation is that they wrap an existing query rather than replacing the hunting step. Option D is wrong because a Fusion rule in Microsoft Sentinel is a prebuilt, machine-learning-based correlation that detects multistage attacks by combining alerts from multiple security products, and it cannot be customized with a KQL query that joins raw event tables from Microsoft 365 Defender.
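The three-table correlation from the scenario above, as an added advanced hunting example that is not part of the original question set. The datatables are constructed stand-ins for EmailEvents, DeviceProcessEvents and DeviceNetworkEvents so the query runs unchanged; the device names, message IDs, command lines and remote hosts are invented. The output keeps Timestamp, ReportId and DeviceId, which is what a custom detection rule requires if the query is later saved as one.

```kql
// Added example: phishing attachment -> Office macro spawns PowerShell ->
// PowerShell makes an outbound connection, correlated across three tables.
let MailToExecWindow = 30m;   // macro must run within this long of the mail arriving
let ProcToNetWindow  = 5m;    // connection must follow process start within this long
// Constructed stand-in for EmailEvents (only the columns the join needs).
let EmailSample = datatable(Timestamp: datetime, NetworkMessageId: string,
    RecipientEmailAddress: string, Subject: string, AttachmentCount: int)
[
    datetime(2024-05-01T09:00:00Z), "msg-1", "jdoe@contoso.com",   "Invoice 4411", 1,
    datetime(2024-05-01T09:02:00Z), "msg-2", "asmith@contoso.com", "Team lunch",   0
];
// Constructed stand-in for DeviceProcessEvents.
let ProcSample = datatable(Timestamp: datetime, DeviceId: string, DeviceName: string, ReportId: long,
    AccountUpn: string, InitiatingProcessFileName: string, FileName: string, ProcessId: long,
    ProcessCommandLine: string)
[
    datetime(2024-05-01T09:05:00Z), "dev-1", "ws01", 101, "jdoe@contoso.com",
        "WINWORD.EXE",  "powershell.exe", 4412, "powershell.exe -nop -w hidden -enc SQBFAFgA",
    datetime(2024-05-01T09:06:00Z), "dev-2", "ws02", 102, "asmith@contoso.com",
        "explorer.exe", "powershell.exe", 2210, @"powershell.exe -File C:\scripts\backup.ps1"
];
// Constructed stand-in for DeviceNetworkEvents.
let NetSample = datatable(Timestamp: datetime, DeviceId: string, ReportId: long,
    InitiatingProcessId: long, InitiatingProcessFileName: string,
    RemoteUrl: string, RemoteIP: string, RemotePort: int)
[
    datetime(2024-05-01T09:05:30Z), "dev-1", 201, 4412, "powershell.exe", "cdn.badsite.example", "198.51.100.23", 443,
    datetime(2024-05-01T09:06:10Z), "dev-2", 202, 2210, "powershell.exe", "backup.contoso.com",  "10.0.0.5",      443
];
ProcSample
// PowerShell whose parent is an Office application: the macro stage.
| where FileName =~ "powershell.exe"
| where InitiatingProcessFileName in~ ("WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE")
| project ProcTime = Timestamp, DeviceId, DeviceName, ReportId, ProcessId, ProcessCommandLine,
          AccountUpn = tolower(AccountUpn)
// Network activity from that exact process on that device (PID reuse is bounded by the window).
| join kind=inner (
    NetSample
    | where InitiatingProcessFileName =~ "powershell.exe"
    | project NetTime = Timestamp, DeviceId, InitiatingProcessId, RemoteUrl, RemoteIP, RemotePort
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| where NetTime between (ProcTime .. (ProcTime + ProcToNetWindow))
// Mail with an attachment delivered to the same user shortly before the process started.
| join kind=inner (
    EmailSample
    | where AttachmentCount > 0
    | project MailTime = Timestamp, NetworkMessageId, Subject, AccountUpn = tolower(RecipientEmailAddress)
  ) on AccountUpn
| where ProcTime between (MailTime .. (MailTime + MailToExecWindow))
// Timestamp + ReportId + DeviceId are the columns a custom detection rule needs.
| project Timestamp = ProcTime, ReportId, DeviceId, DeviceName, AccountUpn,
          MailTime, NetworkMessageId, Subject, ProcessCommandLine, RemoteUrl, RemoteIP, RemotePort
```

On the sample data the query returns only the ws01 chain (Word launching encoded PowerShell that connects to cdn.badsite.example); the ws02 PowerShell is excluded because its parent is explorer.exe, and asmith's mail carried no attachment. Joining the process and network tables on both DeviceId and process ID, rather than on file name alone, is what stops an unrelated PowerShell connection on the same host from being attributed to the macro.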

882
MCQhard

You are analyzing the query above in Microsoft 365 Defender advanced hunting. The goal is to identify potentially compromised accounts used only once. The query returns thousands of results including many normal single logons. How can you refine the query to reduce false positives?

A.Change the where clause to LogonCount > 1.
B.Remove the filter on AccountUpn endswith "@contoso.com".
C.Add a filter to only include accounts that have never logged on before.
D.Add a filter to exclude IP addresses from the corporate VPN range and common applications like Outlook Web Access.
AnswerD

This removes expected single logons from known sources.

Why this answer

Option D is correct because excluding known corporate IP ranges (for example the VPN pool) and routinely used applications removes the single logons that are expected, leaving the anomalous ones. Option A is wrong because requiring more than one logon discards every single logon, including the compromised ones the hunt is looking for. Option B is wrong because removing the tenant-domain filter widens the result set and adds noise rather than reducing it.

Option C is wrong because restricting the query to accounts that have never logged on before misses the common case of an existing account being used once from an attacker's infrastructure.

883
Multi-Selectmedium

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that high-severity incidents are automatically escalated to the on-call security engineer via Microsoft Teams. Which three components should you configure?

Select 3 answers
A.A playbook that uses a condition to check severity and then sends a Teams message.
B.An automation rule in Microsoft Sentinel that triggers on incident creation with high severity.
C.A Microsoft Teams connector in the playbook to post a message to a channel.
D.An analytics rule that sends a Teams message when a high-severity alert fires.
E.A workbook that displays high-severity incidents for manual escalation.
AnswersA, B, C

Correct: Playbooks can include conditional logic and actions.

Why this answer

Option A is correct because a playbook in Microsoft Sentinel can contain a condition action that evaluates the incident severity; if the severity is 'High', the playbook uses a Microsoft Teams connector to send a message to the on-call security engineer. Option B is correct because the automation rule is what triggers the playbook: it fires on incident creation, can itself filter on severity equals High, and runs the playbook with the incident trigger. Option C is correct because the Teams connector action inside the playbook is what actually posts the message to the channel or chat. Option D is wrong because analytics rules generate alerts and incidents but have no notification actions. Option E is wrong because a workbook only visualizes incidents and still requires a person to escalate.

Exam trap

The trap here is that candidates may confuse analytics rules with automation rules, thinking an analytics rule can directly send Teams messages, when in fact analytics rules only generate alerts and require a separate automation rule and playbook to perform actions like messaging.

884
MCQmedium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to view a consolidated list of all security recommendations across multiple Azure subscriptions in a single view. Which blade should they navigate to in the Microsoft Defender for Cloud portal?

A.Regulatory compliance
B.Security posture
C.Workload protections
D.Inventory
AnswerB

Correct. The Security posture blade consolidates all recommendations, secure score, and improvement actions across subscriptions.

Why this answer

The Security posture blade in Microsoft Defender for Cloud provides a consolidated view of all security recommendations across multiple Azure subscriptions, enabling the security team to assess and prioritize improvements. This blade aggregates recommendations from various security controls and displays them in a single, unified interface, directly addressing the requirement for a consolidated list.

Exam trap

The trap here is that candidates often confuse the Security posture blade with the Regulatory compliance blade, mistakenly thinking compliance views include all recommendations, whereas Regulatory compliance only shows recommendations mapped to specific compliance frameworks.

How to eliminate wrong answers

Option A is wrong because Regulatory compliance focuses on compliance standards (e.g., SOC 2, ISO 27001) and shows compliance posture against specific regulations, not a consolidated list of all security recommendations. Option C is wrong because Workload protections provides coverage and alerts for specific workload types (e.g., VMs, SQL servers) but does not aggregate all recommendations across subscriptions. Option D is wrong because Inventory lists all connected resources and their metadata, but it does not present security recommendations in a consolidated view.

885
Multi-Selecteasy

Which TWO of the following are common techniques used by attackers to bypass security controls that a threat hunter should look for?

Select 2 answers
A.Process injection into trusted processes
B.Enabling multi-factor authentication
C.Regular software updates
D.Enforcing strong password policies
E.DLL sideloading
AnswersA, E

Attackers inject malware into trusted processes to evade detection.

Why this answer

Options A and E are correct. Process injection is a classic technique to hide malicious code within a legitimate, trusted process so that network connections and file activity appear to come from that process. DLL sideloading abuses the search order a legitimate, often signed, application uses to load its libraries so that a malicious DLL is loaded in its place.

Option B is incorrect because enabling multi-factor authentication is a security control, not a bypass. Option C is incorrect because regular software updates are a mitigation, not an attack technique. Option D is incorrect because enforcing strong password policies is a defence, not an attacker technique.

886
MCQeasy

You are using the Microsoft Sentinel Threat Hunting experience to create a new hunting query. Which tab should you select to bookmark a suspicious event for further investigation?

A.Results
B.Queries
C.Bookmarks
D.Entities
AnswerC

Allows creating bookmarks from events.

Why this answer

Option C is correct because the Bookmarks tab holds the events you have saved and annotated from hunting query results, with their mapped entities and tags, so they can be added to an incident later. Option A is wrong because the Results tab shows the rows a query returned. Option B is wrong because the Queries tab lists the saved hunting queries themselves.

Option D is wrong because entities are investigated on their entity pages, not bookmarked there.

887
MCQhard

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to ensure that when an incident is created from a specific rule, a Teams message is sent to the security team. What should you configure?

A.Configure a workbook to send an email when an incident appears
B.Modify the incident creation rule in Microsoft 365 Defender
C.Add a custom analytics rule that triggers on incident creation
D.Create an automation rule that runs a playbook when the incident is created
AnswerD

Automation rules can trigger playbooks on incident creation.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can trigger on incident creation and execute a playbook, which can be configured to send a Teams message via a connector. This provides a native, low-code way to automate notifications without custom code or external tools.

Exam trap

The trap here is that candidates often confuse workbooks (visualization) or analytics rules (alert generation) with automation rules, which are the correct mechanism for triggering response actions like Teams messages on incident creation.

How to eliminate wrong answers

Option A is wrong because workbooks are visualization tools for dashboards and analytics, not for sending notifications or triggering actions like Teams messages. Option B is wrong because incident creation rules in Microsoft 365 Defender govern alert-to-incident correlation in the Defender portal, not in Sentinel, and cannot be modified to send Teams messages. Option C is wrong because custom analytics rules generate alerts from log data, not from incident creation events; they cannot directly trigger on incident creation or run playbooks.

888
MCQhard

Your organization uses Microsoft 365 Defender. An incident is created for a user who received a phishing email that contained a link to a malicious website. The user clicked the link but did not enter any credentials. The incident includes the alert 'Phishing delivered' from Microsoft Defender for Office 365. You need to remediate the incident and prevent future occurrences. The user is in the Finance department and frequently receives emails from external vendors. What is the best course of action?

A.Use Threat Explorer to delete the email from the user's mailbox and create a Safe Links policy to block the malicious URL.
B.Report the email to Microsoft for analysis and block the sender domain.
C.Provide security awareness training to the user and mark the incident as resolved.
D.Add the sender's domain to the Tenant Allow/Block List as allowed to avoid future false positives.
AnswerA

Deleting the email removes the immediate threat, and Safe Links prevents future clicks.

Why this answer

Option A is correct because using Threat Explorer to delete the email from the user's mailbox removes the current threat, and a Safe Links policy applies time-of-click URL scanning so similar links are checked when clicked in future. Note that Safe Links policies enable the protection; blocking one specific URL for the whole tenant is done with a URL block entry in the Tenant Allow/Block List. Option B is wrong because reporting to Microsoft does not clean the mailbox, and blocking the sender domain is fragile for a Finance user who depends on external vendor mail. Option C is wrong because training alone does not remove the current email.

Option D is wrong because allowing the domain would increase risk.

889
MCQhard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to configure a solution that automatically blocks a user's account when a high-severity incident is generated. The solution must use built-in capabilities without custom code. What should you do?

A.Create an automation rule that triggers on incident creation with severity high, and runs a playbook that uses the 'Update user' action to disable the account.
B.Use a scheduled analytics rule that runs every hour and disables accounts found in the results.
C.Configure Microsoft Entra ID to automatically apply a conditional access policy blocking sign-ins when a high-severity alert is raised.
D.Create a playbook that uses the 'Run a query' action to find the device and then uses Microsoft Defender for Endpoint to isolate the device.
AnswerA

A playbook with Graph API can disable a user.

Why this answer

Option A is correct because a Microsoft Sentinel automation rule can trigger on incident creation with a severity condition and run a playbook whose 'Update user' action (the Entra ID / Azure AD Logic Apps connector, which calls Microsoft Graph) sets the account to disabled. Option B is incorrect because an analytics rule only produces alerts and incidents; it has no action that disables accounts, and an hourly schedule is not an automatic response. Option C is incorrect because conditional access policies are static access rules; there is no built-in way for a Sentinel incident to create or apply one.

Option D is incorrect because it isolates the device, not the user account the question asks about.

890
MCQeasy

An analyst is investigating a phishing campaign that targeted multiple users. The analyst needs to identify if any users clicked a malicious link in the email. Which Microsoft Defender for Office 365 feature should be used?

A.Safe Attachments
B.Threat Explorer
C.Attack Simulator
D.Safe Links
AnswerB

Threat Explorer provides URL click data.

Why this answer

Option B is correct because Threat Explorer in Defender for Office 365 shows click activity on URLs, including which users clicked and the Safe Links verdict. Option A is wrong because Safe Attachments detonates attachments; it does not track link clicks. Option D is wrong because Safe Links protects at time of click but is a policy, not an investigation view; its click data is surfaced through Threat Explorer (and the UrlClickEvents table).

Option C is wrong because Attack Simulator is for running simulated phishing campaigns, not investigating real ones.

891
MCQmedium

Your organization uses Microsoft Sentinel. You receive an incident for a potential data exfiltration involving a sensitive blob storage container. You need to determine if the data was accessed from an unusual IP address. What should you do?

A.Modify the analytics rule that triggered the incident.
B.Run a playbook to collect IP information.
C.Open the Sentinel workbook for storage monitoring.
D.Use the Incident details pane to review the entity timeline.
AnswerD

Entity timelines show historical activities for entities like IP addresses.

Why this answer

Option D is correct because the Incident details pane in Microsoft Sentinel exposes the entities involved and their entity timelines, which show the activities related to an entity such as the IP addresses that accessed the storage account. Option C is wrong because a workbook is a dashboard and may not contain the specific query needed. Option B is wrong because playbooks are for automated response, not investigation.

Option A is wrong because analytics rules define alert conditions; editing one does not reveal what happened in the existing incident.

892
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You detect a suspicious app that has high data access and unusual API calls. You want to automatically block the app and notify the user. What should you implement?

A.Create an access policy that blocks the app based on the risk level.
B.Create an app governance policy that automatically blocks the app and sends a notification to the user.
C.Create a session policy to monitor the app's API calls.
D.Create a DLP policy to prevent data exfiltration from the app.
AnswerB

App governance policies can block apps and notify users automatically.

Why this answer

Option B is correct because app governance policies in Defender for Cloud Apps evaluate OAuth apps on signals such as data access and API usage and can take automated actions, including disabling the app and notifying users. Option A is wrong because access policies govern user or device access to sanctioned apps, not blocking an OAuth app. Option C is wrong because session policies control real-time sessions and would only monitor, not block.

Option D is wrong because DLP policies are for data loss prevention, not app control.

893
MCQhard

During an incident response, you need to collect forensic data from Microsoft Defender for Endpoint (MDE) on a remote device that is currently offline. What is the best approach?

A.Initiate a live response session when the device comes online
B.Wait until the device is online and then collect manually
C.Run a remotely scheduled antivirus scan
D.Collect the data from the device's cloud store
AnswerA

Live response provides access to collect forensic data interactively.

Why this answer

The best approach is to initiate a live response session once the device reconnects, because live response gives interactive command execution on the endpoint and can collect files and run forensic scripts from the library. Live response needs the device to be online, so the session is started as soon as the sensor reports back. Collecting from a cloud store is not an option because the device's file system is not stored in the cloud. A remotely scheduled antivirus scan is not forensic collection.

Waiting and then collecting manually is passive and loses the remote, audited collection that live response provides.

894
MCQeasy

Your organization uses Microsoft Sentinel and you need to ensure that incidents are automatically closed when a related playbook completes successfully. What should you configure?

A.Create an automation rule that triggers after the playbook runs and closes the incident
B.Add a 'Close incident' action in the playbook
C.Configure the analytics rule to close incidents automatically
D.Use a workbook to manually close incidents
AnswerA

Automation rules can close incidents based on conditions.

Why this answer

Option A is correct because the actions in an automation rule run in order, so a rule can run the playbook and then apply a change-status action that closes the incident. Option B is less appropriate because, although a playbook can close an incident with the Microsoft Sentinel connector's update incident action, that places the incident lifecycle decision inside each playbook rather than in the rule that governs when it runs. Option C is wrong because analytics rules create incidents; they cannot close them.

Option D is wrong because workbooks are for visualization.

895
MCQmedium

An organization uses Microsoft 365 Defender. An automated investigation on a device identifies a malicious file and blocks it. The analyst now wants to allow a specific trusted application that was incorrectly blocked, while keeping other malicious files blocked. Which action should the analyst take from the device's entity page?

A.Initiate a live response session and delete the file manually.
B.Use the 'Add indicator' feature to create a custom IOC for the file hash with action 'Allow'.
C.Change the automated investigation settings to 'No action' and rerun investigation.
D.Collect the file for analysis; the allow decision must be made by Microsoft after analysis.
AnswerB

Adding a custom indicator with action 'Allow' tells Defender to treat that file as clean, overriding automation blocks.

Why this answer

The 'Add indicator' feature in Microsoft Defender XDR allows analysts to create custom indicators of compromise (IOCs) based on file hashes, IPs, or domains. By setting the action to 'Allow' for the specific file hash, the analyst can override the automated block for that trusted application while keeping other malicious files blocked. This is the correct approach because it provides granular control without affecting the overall automated investigation settings.

Exam trap

The trap here is that candidates may confuse the 'Add indicator' feature with manual file deletion or changing global investigation settings, not realizing that a custom IOC with an Allow action is the precise mechanism to override a block for a specific trusted file.

How to eliminate wrong answers

Option A is wrong because initiating a live response session to delete the file manually does not create an allow rule; it only removes the file, and the block action from the automated investigation would still prevent the application from running. Option C is wrong because changing the automated investigation settings to 'No action' would disable all automated responses for future detections, not selectively allow a specific file. Option D is wrong because collecting the file for analysis does not immediately allow the file; Microsoft analysis is for threat intelligence, not for overriding a block on a trusted application.

896
MCQhard

You are hunting for lateral movement in your environment. In Microsoft Defender for Identity, which activity is a strong indicator of a potential pass-the-hash attack?

A.A user logging on with a smart card.
B.An NTLM authentication originating from a machine that is not the user's usual machine.
C.A remote desktop connection from a non-admin workstation to a domain controller.
D.A service account logging on to multiple servers simultaneously.
AnswerB

This suggests the use of stolen credentials/hashes.

Why this answer

Pass-the-hash replays a user's captured NTLM hash to authenticate without knowing the password, so the telltale sign is that user's NTLM authentication arriving from a computer the user does not normally use. This is what Defender for Identity's 'Suspected identity theft (pass-the-hash)' detection looks for. Option A is normal authentication. Option C is suspicious but indicates privilege misuse or generic lateral movement rather than stolen hashes specifically. Option D can be legitimate service behaviour.

897
MCQhard

Your threat hunting team is using Microsoft Sentinel with User and Entity Behavior Analytics (UEBA). You want to identify anomalous outbound data transfers that may indicate data exfiltration. Which KQL function should you use to compare current activity against a baseline?

A.behavioranalytics
B.series_decompose
C.summarize
D.make-series
AnswerA

The behavioranalytics function in Microsoft Sentinel leverages UEBA to detect anomalous behavior.

Why this answer

Option A is correct because the UEBA output is what compares an entity's activity with its learned baseline. Note that in practice UEBA exposes this as the BehaviorAnalytics table rather than a function: each row carries the activity, the anomaly insights and an InvestigationPriority score, and it is queried directly in hunting queries and analytics rules. Option B (series_decompose) splits a time series into baseline, seasonal and residual components and is a building block for native anomaly detection, not a UEBA feature.

Option C (summarize) aggregates rows. Option D (make-series) turns rows into a time series for the series_ functions; together with series_decompose_anomalies it is the non-UEBA way to build a baseline comparison.
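Because UEBA is a licensed feature that must be enabled per workspace, it helps to know what the distractors B and D actually do. The added example below (not from the original question set) builds the baseline comparison for outbound bytes with make-series and series_decompose_anomalies, the native KQL path the question contrasts with UEBA. The data is generated inline with range and a fixed spike, so it runs in any workspace; the user name, volumes and spike time are invented.

```kql
// Added example: baseline comparison of outbound bytes per user without UEBA.
// The data is synthetic: 48 hourly points with one large spike.
let Start = datetime(2024-05-01T00:00:00Z);
let End   = datetime(2024-05-03T00:00:00Z);
let SpikeAt = datetime(2024-05-02T14:00:00Z);
let OutboundSample = range t from Start to End - 1h step 1h
| extend UserPrincipalName = "jdoe@contoso.com",
         // ~40 MB/h with a small 5-hour rhythm, and a single 2.5 GB hour.
         BytesSent = toreal(iff(t == SpikeAt,
                                 2500000000,
                                 40000000 + 1000000 * (hourofday(t) % 5)));
OutboundSample
// One series per user, zero-filled for hours with no traffic.
| make-series Bytes = sum(BytesSent) default=0 on t from Start to End step 1h by UserPrincipalName
// Decompose into baseline/seasonal/residual and flag residual outliers.
// threshold 2.0 = anomaly score cut-off; -1 = auto-detect seasonality; 'linefit' = linear trend.
| extend (Anomalies, Score, Baseline) = series_decompose_anomalies(Bytes, 2.0, -1, 'linefit')
// Back to one row per hour so the anomaly can be mapped to entities.
| mv-expand t to typeof(datetime), Bytes to typeof(real),
            Anomalies to typeof(int), Score to typeof(real), Baseline to typeof(real)
// +1 = more outbound than the baseline predicts (exfiltration shape); -1 would be a drop.
| where Anomalies == 1
| project UserPrincipalName, t, Bytes, Baseline, Score
```

On the synthetic series the only row returned is the 2.5 GB hour on 2 May at 14:00, with the fitted baseline in the tens of megabytes. In a real hunt the range generator is replaced by the table that records egress (for example a firewall's CommonSecurityLog SentBytes), and the time window is made long enough for the seasonality detection to see several cycles.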

898
Multi-Selectmedium

Which THREE are valid incident management features in Microsoft Sentinel?

Select 3 answers
A.Incident merging
B.Incident creation from analytics rules
C.Incident comments
D.Incident tasks
E.Incident templates
AnswersB, C, D

Analytics rules create incidents.

Why this answer

Incident creation from analytics rules is a core feature in Microsoft Sentinel. When an analytics rule detects a threat or suspicious activity, it automatically generates an incident, which serves as the primary object for investigation and response. This automation is fundamental to Sentinel's security orchestration, automation, and response (SOAR) capabilities.

Exam trap

The trap here is that candidates may confuse 'incident merging' with the ability to relate incidents or alerts, but Sentinel does not have a native 'merge' operation: related alerts are grouped into a single incident by the analytics rule's alert grouping settings, and other incidents are surfaced for comparison through the incident page's similar incidents view. Incident templates are not a Sentinel feature either; incident comments and incident tasks are.

899
MCQhard

A company has multiple Azure subscriptions under a management group. They want to ensure that all VMs across all subscriptions have Microsoft Defender for Cloud's vulnerability assessment solution (using the Microsoft Defender Vulnerability Management engine) enabled. They also want to automatically remediate any non-compliant VMs by enabling the VA solution when a VM is missing it. Which combination of policy initiatives and automation should they use?

A.Assign the 'Azure Security Benchmark' initiative at the management group, enable automatic remediation for the 'Vulnerability assessment should be enabled on your virtual machines' policy.
B.Assign the 'Defender for Cloud' initiative with the 'Configure machines to receive a vulnerability assessment provider' policy, and configure a remediation task with a deployment script.
C.Assign the 'Azure Security Benchmark' initiative and create an Azure Automation runbook triggered by a compliance alert to enable VA.
D.Assign the 'Configure machines to receive a vulnerability assessment provider' policy with 'DeployIfNotExists' effect and set it to auto-remediate at the management group-level scope.
AnswerD

This policy automatically deploys the vulnerability assessment solution to any VM that lacks it, and assigning at the management group covers all subscriptions.

Why this answer

Option D is correct because the 'Configure machines to receive a vulnerability assessment provider' policy with the 'DeployIfNotExists' effect directly deploys the Microsoft Defender Vulnerability Management (MDVM) extension to any VM that lacks it. By assigning this policy at the management group scope and enabling automatic remediation, the policy will automatically remediate non-compliant VMs without requiring additional runbooks or scripts, fulfilling both the detection and automatic remediation requirements.

Exam trap

The trap here is that candidates often confuse 'AuditIfNotExists' policies (which only report compliance) with 'DeployIfNotExists' policies (which can automatically remediate), leading them to choose options that rely on audit-only policies or external automation when a built-in deployment policy with auto-remediation is available.

How to eliminate wrong answers

Option A is wrong because the 'Azure Security Benchmark' initiative includes the 'Vulnerability assessment should be enabled on your virtual machines' policy with an 'AuditIfNotExists' effect, which only audits compliance and does not automatically enable the VA solution; automatic remediation for an audit policy is not supported. Option B is wrong because while the 'Defender for Cloud' initiative contains the correct policy, the suggestion to configure a remediation task with a deployment script is unnecessary and less reliable than using the built-in 'DeployIfNotExists' effect with auto-remediation, which directly deploys the required extension. Option C is wrong because creating an Azure Automation runbook triggered by a compliance alert introduces complexity and latency, and the 'Azure Security Benchmark' initiative's audit-only policy cannot trigger automatic remediation; the correct approach uses a 'DeployIfNotExists' policy with auto-remediation.

900
MCQeasy

You are deploying an ARM template to create a saved search in a Log Analytics workspace. The template fails with an error that the resource type is not valid for Microsoft Sentinel. What is the most likely reason?

A.The query is invalid KQL.
B.The apiVersion is incorrect.
C.The resource type should be Microsoft.SecurityInsights/alertRules, not OperationalInsights/workspaces/savedSearches.
D.The name format is incorrect.
AnswerC

Microsoft Sentinel uses a different resource provider for analytics rules.

Why this answer

In Microsoft Sentinel, analytics rules are defined using the Microsoft.SecurityInsights resource provider, not the OperationalInsights provider. The correct type is Microsoft.SecurityInsights/alertRules, deployed with the workspace as its scope. Option C identifies this.

Option B is wrong because the API version is valid. Option A is wrong because the query is valid KQL; a bad query would produce a query validation error, not a resource type error. Option D is wrong because the name format is fine.
