Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 901975

1639 questions total · 22pages · All types, answers revealed

Page 12

Page 13 of 22

Page 14
901
MCQmedium

Your organization uses Microsoft Sentinel. A fusion incident was created involving multiple alerts from different sources. You need to investigate the incident to determine if it is a true positive. What is the first step you should take?

A.Run a KQL query on the raw logs to see if the alerts are connected.
B.Assign the incident to a senior analyst for further investigation.
C.Review the incident timeline and entity mapping in the incident details.
D.Close the incident as a false positive if the alerts seem unrelated.
AnswerC

The timeline shows the sequence of events and helps correlate alerts.

Why this answer

Option C is correct because the first step is to review the incident timeline to understand the sequence of events and correlate the alerts. Option A is wrong because you should not immediately dismiss the incident. Option B is wrong because running KQL queries without context is inefficient.

Option D is wrong because assigning to another analyst without investigation delays response.

902
MCQmedium

A company uses Microsoft Defender for Cloud's Just-In-Time (JIT) VM access to secure its Azure virtual machines. A security analyst needs to grant a developer temporary RDP access to a specific VM for debugging purposes. Instead of using the default request approval flow, the analyst wants to configure an exemption so that the developer's access request never triggers a recommendation for that VM. Which action must the analyst perform?

A.Approve the access request once from the JIT blade and set a long expiration.
B.Add an exemption for the VM on the 'Management ports should be closed on just-in-time based virtual machines' recommendation.
C.Configure a custom Azure Policy to allow open management ports for that VM.
D.Disable the JIT solution for the entire subscription from the Defender for Cloud environment settings.
AnswerB

Correct. Exempting the VM from the recommendation disables JIT monitoring for that VM, allowing permanent open ports without alerts.

Why this answer

To prevent a specific VM from triggering a recommendation for open management ports, you must add an exemption directly on the 'Management ports should be closed on just-in-time based virtual machines' recommendation in Defender for Cloud. This exemption tells the recommendation engine to exclude that VM from compliance evaluation, so no alert or recommendation is generated for it. Approving a request with a long expiration does not suppress the underlying recommendation; it only grants temporary access.

Exam trap

The trap here is that candidates confuse 'approving a request with a long expiration' with 'exempting the VM from the recommendation,' not realizing that an exemption is a separate Azure Policy concept that permanently suppresses the recommendation for that resource.

How to eliminate wrong answers

Option A is wrong because approving a request with a long expiration still leaves the recommendation active and will continue to appear in the security recommendations list; it does not create an exemption. Option C is wrong because configuring a custom Azure Policy to allow open management ports would override the JIT policy but does not create an exemption on the specific recommendation; it would instead change the compliance state for all VMs under that policy scope, which is not the targeted exemption requested. Option D is wrong because disabling JIT for the entire subscription removes the protection from all VMs and is an overly broad action that does not meet the requirement to exempt only a single VM from the recommendation.

903
MCQmedium

A company uses Microsoft Sentinel as its SIEM. The security team is investigating an incident that involves multiple alerts from different data sources. The team wants to see a timeline of all related activities across all data sources in one view. Which Microsoft Sentinel feature should they use?

A.Workbooks
B.Incident timeline
C.Investigation graph
D.Hunting page
AnswerB

The Incident timeline shows a chronological list of all alerts and events for the incident.

Why this answer

Option D is correct because the Incident timeline in Microsoft Sentinel provides a unified chronological view of all alerts and events related to an incident. Option A is wrong because the Investigation graph is more about entity relationships. Option B is wrong because workbooks are for custom dashboards.

Option C is wrong because the Hunting page is for proactive searches, not incident investigation.

904
MCQmedium

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. You want to forward MDI alerts to Microsoft Sentinel. What should you configure?

A.Microsoft 365 Defender connector
B.Azure Advanced Threat Protection connector
C.Microsoft Defender for Cloud Apps connector
D.Microsoft Defender for Identity connector
AnswerD

Direct connector for MDI alerts.

Why this answer

Option D is correct because Microsoft Defender for Identity (MDI) alerts are forwarded to Microsoft Sentinel by configuring the Microsoft Defender for Identity data connector. This connector ingests MDI security alerts, such as suspicious Kerberos activity or lateral movement attempts, directly into Sentinel for advanced correlation and incident response. The connector uses the Microsoft Graph Security API to pull alerts from the MDI service, enabling seamless integration without additional agents.

Exam trap

The trap here is that candidates confuse the Microsoft Defender for Identity connector with the Microsoft 365 Defender connector, assuming the unified portal connector is the correct way to forward MDI alerts, but the exam expects the specific product-named connector for direct integration.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Defender connector ingests alerts from the unified Microsoft 365 Defender portal (which includes MDI, MDE, and MDCA), but it is not the specific connector for forwarding MDI alerts directly; using it would require enabling the broader M365D integration, which may include unrelated data. Option B is wrong because Azure Advanced Threat Protection (Azure ATP) is the predecessor to Microsoft Defender for Identity; the current product is MDI, and the connector name has been updated to reflect the rebranding, so selecting this option indicates confusion with the legacy name. Option C is wrong because the Microsoft Defender for Cloud Apps connector is designed to ingest alerts from Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), not from MDI; it handles shadow IT and SaaS app anomalies, not on-premises Active Directory threats.

905
MCQeasy

Which Microsoft Sentinel feature allows you to query data across multiple workspaces in a single KQL query?

A.The union operator with workspace names
B.The externaldata operator with workspace URLs
C.The workspace() function in KQL
D.The join operator with workspace identifiers
AnswerC

workspace() allows querying multiple workspaces in one query.

Why this answer

Option A is correct because the `workspace()` function in KQL allows cross-workspace queries. Option B is wrong because cross-resource queries use `workspace()`, not `union()`. Option C is wrong because `join` is used to combine tables, not workspaces.

Option D is wrong because `externaldata` is for external data sources.

906
MCQhard

Your organization uses Microsoft Sentinel with multiple watchlists. You need to create a KQL query that joins log data with a watchlist to enrich alerts. Which KQL operator should you use?

A.lookup
B.union
C._GetWatchlist
D.join
AnswerC

_GetWatchlist('watchlistname') returns the watchlist as a table.

Why this answer

The '_GetWatchlist' function is the recommended way to access watchlists in KQL. Option C is correct. Option A and B are for static tables.

Option D is for time series.

907
Multi-Selecthard

A SOC analyst in Microsoft Sentinel needs to create an automation rule that triggers a playbook when a new incident is created and the incident severity is 'High'. Additionally, the playbook should only run if the incident is not already assigned to an analyst. Which two conditions must the analyst include in the automation rule? (Select all that apply.) (Choose 2.)

Select 2 answers
A.Condition: 'Severity' equals 'High'
B.Condition: 'Assigned to' equals 'null'
C.Condition: 'Status' equals 'New'
D.Condition: 'Provider' contains 'Microsoft Sentinel'
AnswersA, B

This filters incidents by severity level.

Why this answer

Option A is correct because the automation rule must trigger only when the incident severity is 'High'. In Microsoft Sentinel, automation rules evaluate conditions against incident properties, and the 'Severity' condition filters incidents by their assigned severity level. This ensures the playbook runs exclusively for high-severity incidents, aligning with the SOC's requirement to prioritize critical alerts.

Exam trap

The trap here is that candidates often confuse the 'Status' condition with the 'Assigned to' condition, thinking a 'New' status is necessary, but the automation rule triggers on incident creation by default, and the 'Assigned to' null check is the precise way to enforce the unassigned requirement.

908
MCQmedium

Your organization uses Microsoft Defender for Identity. You need to monitor for potential lateral movement attacks using pass-the-hash techniques. Which entity type in Microsoft Defender for Identity should you focus on in the security alert timeline?

A.IP address
B.Account
C.Device
D.Computer
AnswerB

Defender for Identity alerts for pass-the-hash typically highlight the compromised account.

Why this answer

Option B is correct because pass-the-hash attacks involve compromised accounts, and Defender for Identity alerts include 'Account' entities. The other options are not the primary entity for lateral movement alerts.

909
MCQeasy

A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?

A.... | where SentBytes > 1000000 | project SourceIP, SentBytes
B.... | extend TotalBytes=SentBytes | summarize count() by SourceIP
C.... | project SourceIP, SentBytes | sort by SentBytes desc
D.... | summarize TotalBytes=sum(SentBytes) by SourceIP | top 10 by TotalBytes desc
AnswerD

Correctly uses summarize with sum and top to find top source IPs by total sent bytes.

Why this answer

The summarize operator with sum() aggregation computes total bytes per source IP, and top 10 limits to the top results. Option A is correct. Option B (where) filters but does not aggregate.

Option C (project) only selects columns. Option D (extend) adds computed columns without aggregation.

910
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint in 5 minutes. What type of policy should you create?

A.Activity policy
B.App permissions policy
C.Session policy
D.Anomaly detection policy
AnswerA

Allows custom activity thresholds.

Why this answer

An activity policy in Defender for Cloud Apps monitors specific user activities and can trigger alerts based on frequency thresholds. Option A is wrong because Anomaly detection policies use machine learning. Option C is wrong because Session policies control activities in real-time via proxy.

Option D is wrong because App permissions policies manage OAuth apps.

911
MCQhard

Your company uses Microsoft Defender XDR. A critical server is exhibiting signs of a potential ransomware attack, with files being encrypted and a ransom note appearing. The incident has been escalated to the security operations center (SOC). What is the most immediate action to contain the threat and prevent further spread?

A.Collect an investigation package for analysis
B.Disable the user account that was logged on
C.Initiate the 'Contain device' action from Microsoft Defender XDR
D.Run a full antivirus scan on the server
AnswerC

This isolates the device, stopping lateral movement and encryption.

Why this answer

Option B is correct because deploying the 'Contain device' action in Microsoft Defender XDR immediately isolates the device from the network, stopping the ransomware from spreading. Option A is wrong because running a full antivirus scan takes time and does not contain the threat. Option C is wrong because collecting an investigation package is for analysis, not containment.

Option D is wrong because removing the user's access does not stop the ransomware already running on the device.

912
MCQeasy

A company manages multiple Azure subscriptions under a single management group. The security team wants to enable Microsoft Defender for Cloud's enhanced security features (e.g., Defender for Servers) for all subscriptions under that management group with minimal administrative effort. Which method should they use?

A.Enable the plans individually on each subscription
B.Enable the plans at the management group level
C.Use Azure Blueprints to assign the plans to each subscription
D.Create a custom Azure Policy that enforces the installation of the Log Analytics agent
AnswerB

Correct. Policy and plan assignments at the management group propagate to all child subscriptions.

Why this answer

Enabling Microsoft Defender for Cloud's enhanced security features at the management group level applies the plans to all current and future subscriptions under that management group with a single action, minimizing administrative effort. This is the most efficient method because Defender for Cloud supports inheritance of security policies and plans from the management group down to subscriptions, eliminating the need for per-subscription configuration.

Exam trap

The trap here is that candidates may think Azure Blueprints or custom policies are required for bulk enablement, but Defender for Cloud natively supports enabling plans at the management group level, which is the simplest and most direct method.

How to eliminate wrong answers

Option A is wrong because enabling plans individually on each subscription requires repeated manual effort and does not scale, failing the 'minimal administrative effort' requirement. Option C is wrong because Azure Blueprints are used for deploying consistent resource configurations (e.g., ARM templates, policies, role assignments) but cannot directly enable Defender for Cloud plans; they would require a custom policy or initiative to achieve this, which is more complex than enabling at the management group. Option D is wrong because creating a custom Azure Policy to enforce the Log Analytics agent installation does not enable Defender for Cloud's enhanced security features (e.g., Defender for Servers); it only ensures agent deployment, which is a prerequisite but not the same as enabling the security plan.

913
Multi-Selectmedium

Which TWO actions should an analyst take when a user reports receiving a suspicious email with an attachment? (Select TWO.)

Select 2 answers
A.Submit the email to Microsoft for analysis using the Submissions page in Microsoft 365 Defender.
B.Run a PowerShell script to automatically forward the email to IT.
C.Delete the email from the user's mailbox using Microsoft 365 Defender.
D.Open the attachment to verify if it is malicious.
E.Block the sender in the user's Outlook settings.
AnswersA, C

Submissions help analyze the threat.

Why this answer

Option A is correct because submitting the email to Microsoft for analysis helps improve detection. Option D is correct because deleting the email from the mailbox removes it from the user's environment. Option B is wrong because opening the attachment would be unsafe.

Option C is wrong because blocking the sender in Outlook only affects that user. Option E is wrong because running a script is not recommended.

914
Multi-Selecthard

Which TWO of the following are key indicators of a potential DCSync attack that a threat hunter should look for in Microsoft Sentinel? (Select two.)

Select 2 answers
A.Failed logon attempts from a single IP
B.A new user account created with domain admin privileges
C.Event ID 4662 with access mask for DS-Replication-Get-Changes
D.Multiple Kerberos ticket requests from a single user
E.Directory replication requests from non-domain controller accounts
AnswersC, E

Direct indicator of replication request.

Why this answer

Options A and D are correct. A: Replication from a non-DC indicates DCSync. D: Event 4662 with DS-Replication-Get-Changes is characteristic.

B is for Kerberos. C is for account creation. E is for logon failure.

915
MCQmedium

A SOC analyst needs to automate response to a phishing email reported by a user. The playbook should automatically block the sender in Exchange Online and delete the email from all recipients. Which Microsoft Sentinel automation action should the analyst use?

A.Use the Azure Automation connector to run a runbook that deletes the email only.
B.Use the Microsoft Teams connector to post an adaptive card for approval, then use the Exchange Online PowerShell connector to run a script to block sender and delete email.
C.Use the Microsoft 365 Defender connector with an action to run an advanced hunting query.
D.Use the ServiceNow connector to create an incident ticket.
AnswerB

This automates with approval and performs the required actions.

Why this answer

Option C is correct because Microsoft Teams connector can trigger adaptive cards to get analyst approval before blocking. Option A is wrong because email connector sends emails, not blocks. Option B is wrong because ServiceNow is for ticketing, not immediate blocking.

Option D is wrong because Azure Automation can run scripts but is not the primary connector for Exchange Online actions.

916
MCQhard

A security analyst is investigating a sophisticated attack chain that started with a user clicking a link in a phishing email, which led to a drive-by download from a malicious website. The analyst wants to see the full list of URLs visited from the user's browser on the device. Which Advanced Hunting table contains this information?

A.DeviceEvents
B.DeviceNetworkEvents
C.DeviceProcessEvents
D.DeviceFileEvents
AnswerA

DeviceEvents includes browser telemetry events like 'UrlClicked' which record the full URL visited.

Why this answer

DeviceEvents in Microsoft Defender XDR captures browser-based activities, including URL visits, via the 'ActionType' field (e.g., 'BrowserUrlClicked' or 'BrowserUrlNavigation'). This table is specifically designed to log web navigation events from browsers like Microsoft Edge or Chrome, making it the correct source for the full list of URLs visited during the phishing attack chain.

Exam trap

The trap here is that candidates often confuse DeviceNetworkEvents (which shows network connections) with browser URL tracking, but DeviceNetworkEvents lacks the URL-level detail needed for web navigation analysis, while DeviceEvents is the dedicated table for browser activity.

How to eliminate wrong answers

Option B (DeviceNetworkEvents) is wrong because it logs network-level connections (IP addresses, ports, protocols) but does not capture the full URL path or browser navigation context; it focuses on raw network flows, not HTTP/HTTPS URL details. Option C (DeviceProcessEvents) is wrong because it records process creation and termination events (e.g., executable launches, command lines) but does not include browser URL navigation data; it would show the browser process starting but not the specific URLs visited. Option D (DeviceFileEvents) is wrong because it tracks file creation, modification, and deletion events on the filesystem, which is irrelevant to browser URL history; it would capture downloaded files but not the URLs that led to them.

917
MCQhard

A SOC analyst needs to create an automated response in Microsoft Sentinel that, when a specific type of incident is created, automatically creates a ticket in ServiceNow and blocks the source IP address in Azure Firewall. The analyst already has a playbook that performs these actions. What is the correct configuration to trigger this playbook?

A.Attach the playbook to an automation rule that includes the condition for the target incident type.
B.Configure the playbook to run on a scheduled recurrence every 5 minutes.
C.Add the playbook to the incident's comments as a quick link.
D.Use a separate Power Automate flow with a trigger that watches for new Sentinel incidents.
AnswerA

Correct. Automation rules are the recommended method to trigger playbooks automatically on incident creation or update based on defined conditions.

Why this answer

Automation rules in Microsoft Sentinel are the correct mechanism to trigger a playbook automatically when an incident is created. By attaching the playbook to an automation rule with a condition that matches the specific incident type (e.g., based on incident title or tag), the rule executes the playbook immediately upon incident creation, fulfilling the requirement without manual intervention.

Exam trap

The trap here is that candidates may confuse automation rules (which trigger on incident lifecycle events) with scheduled playbooks or external flows, overlooking that automation rules are the native, event-driven mechanism for incident-triggered automation in Sentinel.

How to eliminate wrong answers

Option B is wrong because configuring the playbook on a scheduled recurrence every 5 minutes would run it periodically regardless of incident creation, leading to unnecessary executions and failing to trigger specifically on new incidents. Option C is wrong because adding the playbook as a quick link in incident comments only provides a manual clickable action for analysts, not an automated trigger. Option D is wrong because while a separate Power Automate flow can watch for new Sentinel incidents via the connector, it is an indirect, less integrated approach compared to using native automation rules, which are the designed and recommended method for automated incident-triggered playbook execution.

918
MCQhard

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?

A.Create a data loss prevention (DLP) policy in Microsoft Purview that triggers on failed logins.
B.Deploy a session policy in Defender for Cloud Apps that blocks after 50 failed logins.
C.Configure an app connector for each SaaS app and then create a custom activity policy.
D.Enable the 'Multiple failed login attempts' anomaly detection policy in Defender for Cloud Apps.
AnswerD

Anomaly detection policies include built-in templates for failed login attempts.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps includes a built-in anomaly detection policy named 'Multiple failed login attempts' that specifically monitors for a high volume of failed logins from a single user within a short time window. This policy is enabled by default and can be customized to trigger alerts when the threshold (e.g., more than 50 failed attempts in 10 minutes) is exceeded, without requiring any additional configuration or custom policy creation.

Exam trap

The trap here is that candidates often confuse the purpose of session policies (which control real-time access) with anomaly detection policies (which detect behavioral patterns), leading them to incorrectly select Option B, or they assume a custom policy is always required (Option C) when a built-in policy already exists for this exact scenario.

How to eliminate wrong answers

Option A is wrong because data loss prevention (DLP) policies in Microsoft Purview are designed to detect and protect sensitive information (e.g., credit card numbers, PII) in content, not to monitor or alert on failed login attempts. Option B is wrong because session policies in Defender for Cloud Apps control real-time access and actions during a user session (e.g., blocking downloads), but they cannot be used to block after a specific number of failed logins; that logic belongs to anomaly detection policies. Option C is wrong because while app connectors are required to collect activity logs from SaaS apps, creating a custom activity policy would require manual definition of the detection logic; the question explicitly asks for a built-in anomaly detection policy, making a custom policy unnecessary and incorrect.

919
MCQmedium

Refer to the exhibit. You are reviewing an Azure Security Center automation (now Microsoft Defender for Cloud) that should automatically trigger a Logic App when an alert is generated. However, the automation is not triggering. What is the most likely cause?

A.The action type is incorrect; it should be 'EventHub'
B.The logicAppResourceId is missing
C.The apiVersion is invalid
D.The automation is missing the 'triggers' property to filter on specific alert types
AnswerD

Without triggers, the automation does not know which alerts to act on.

Why this answer

Option D is correct because Microsoft Defender for Cloud automation requires a 'triggers' property to define which alert types should invoke the Logic App. Without this property, the automation is created but never fires, as it has no conditions to match incoming alerts. The exhibit shows the automation resource is configured, but missing the triggers array means no alerts will trigger the Logic App.

Exam trap

The trap here is that candidates assume the automation will trigger on all alerts by default, but Microsoft Defender for Cloud requires explicit trigger conditions; otherwise, the automation exists but never fires.

How to eliminate wrong answers

Option A is wrong because the action type 'LogicApp' is correct for invoking a Logic App; 'EventHub' would be used to send alerts to an event hub, not to trigger a Logic App. Option B is wrong because the logicAppResourceId is present in the exhibit (it is a required property and shown in the JSON), so its absence is not the issue. Option C is wrong because the apiVersion '2019-01-01-preview' is a valid and supported version for Microsoft Defender for Cloud automation resources; an invalid apiVersion would cause a deployment error, not a silent failure to trigger.

920
MCQmedium

You are investigating a potential data exfiltration using Microsoft Defender for Cloud Apps. You find that a user downloaded a large number of files from SharePoint Online to a personal device. Which anomaly detection policy type would have detected this?

A.Activity anomaly detection policy
B.File anomaly detection policy
C.Cloud Discovery anomaly detection policy
D.OAuth app anomaly detection policy
AnswerA

Activity anomaly policies detect unusual user activities like mass downloads.

Why this answer

Option C is correct because Activity anomaly detection policies detect unusual download volumes. Option A is wrong because File anomaly policies focus on file types and metadata. Option B is wrong because OAuth app anomaly policies focus on app permissions.

Option D is wrong because Cloud Discovery anomaly policies focus on shadow IT.

921
MCQhard

An organization uses Microsoft Purview Communication Compliance to detect insider trading. An alert is generated for a user who sent a message containing sensitive financial data. The compliance officer needs to initiate a legal hold on the user's mailbox to preserve evidence. Which role must the officer have to perform this action?

A.Communication Compliance admin
B.Compliance Administrator (Global)
C.eDiscovery Manager (Legal Hold)
D.Exchange Online Mailbox Search role
AnswerC

The eDiscovery Manager role with the 'Legal Hold' sub-role is required to place a mailbox on hold.

Why this answer

Legal hold requires the 'Legal Hold' role in Microsoft Purview (eDiscovery). Communication Compliance roles alone do not include hold capabilities. Exchange Online roles may not have cross-functional hold.

922
Multi-Selecteasy

Which TWO of the following KQL functions are commonly used in threat hunting queries to identify outliers? (Choose TWO.)

Select 2 answers
A.where()
B.percentile()
C.project()
D.extend()
E.bin() with summarize
AnswersB, E

percentile() is used to find values that exceed a certain percentile, useful for anomaly detection.

Why this answer

Options B and D are correct. B: `percentile()` helps find values above a certain threshold. D: `bin()` with `summarize` is used to aggregate data over time for anomaly detection.

Option A is wrong because `extend()` adds columns, not for outlier detection. Option C is wrong because `project` selects columns.

923
MCQhard

Your company uses Microsoft Defender for Endpoint. A device shows signs of compromise with suspicious PowerShell execution. You need to collect forensic evidence before performing remediation. Which action should you use?

A.Isolate the device from the network.
B.Run a full antivirus scan.
C.Collect investigation package.
D.Initiate a live response session.
AnswerC

This collects forensic evidence without altering the system state.

Why this answer

Option B is correct because 'Collect investigation package' gathers a comprehensive set of forensic data from the device, including files, processes, and registry. Option A (Run antivirus scan) is a remediation step. Option C (Initiate live response) allows real-time investigation but does not collect a full package.

Option D (Isolate device) is a containment measure.

924
MCQeasy

You are configuring Microsoft Defender for Cloud Apps session controls for a SharePoint site containing sensitive data. Which condition must be met to apply real-time monitoring?

A.The SharePoint site must be added as a custom app in Defender for Cloud Apps.
B.Users must access the site through Microsoft Entra ID application proxy.
C.A browser extension must be installed on all client devices.
D.Users must be configured with Conditional Access policies from Microsoft Entra ID.
AnswerB

Session control uses reverse proxy; Entra ID app proxy is required.

Why this answer

Microsoft Defender for Cloud Apps session controls for SharePoint require traffic to be routed through Microsoft Entra ID (formerly Azure AD) to enable real-time monitoring and control. The Microsoft Entra ID application proxy acts as a reverse proxy that intercepts user requests, allowing Defender for Cloud Apps to inspect and apply policies on the fly. Without this proxy, the session control cannot intercept traffic at the application layer for SharePoint Online.

Exam trap

The trap here is that candidates often assume a browser extension is needed for session control, but Microsoft Entra ID application proxy provides the server-side interception required for SharePoint without client-side software.

How to eliminate wrong answers

Option A is wrong because SharePoint is already a recognized app in Defender for Cloud Apps; adding it as a custom app is unnecessary and does not enable session controls. Option B is correct as explained. Option C is wrong because session controls for SharePoint do not require a client-side browser extension; the proxy handles interception server-side.

Option D is wrong because while Conditional Access policies are used to route traffic to the session control, they are not the condition that enables real-time monitoring—the proxy is the prerequisite.

925
MCQhard

In a threat hunt, you discover that a non-admin user account created a scheduled task that executes a PowerShell script to connect to an external IP on port 4444. Which of the following is the most likely interpretation of this activity?

A.The user is performing legitimate remote administration
B.The PowerShell script is a remote assistance tool
C.The scheduled task is part of a software update mechanism
D.The scheduled task is likely a reverse shell for persistence and remote access
AnswerD

Reverse shells often use PowerShell to connect to external IPs on arbitrary high ports.

Why this answer

Option D is correct because PowerShell connecting to an external IP on a non-standard port like 4444 is indicative of a reverse shell. Option A is incorrect because standard admin tasks typically use RDP or WinRM. Option B is incorrect because port 4444 is not typically used for updates.

Option C is incorrect because remote assistance uses different ports and protocols.

926
MCQeasy

You are conducting a threat hunt for possible credential dumping using Mimikatz. Which Windows Security Event ID should you focus on in Microsoft Sentinel to detect potential use of Mimikatz?

A.Event ID 10 (Process accessed)
B.Event ID 4688 (Process creation)
C.Event ID 4625 (Failed logon)
D.Event ID 5156 (WFP connection)
AnswerA

Mimikatz accesses LSASS process; Event ID 10 logs process access attempts.

Why this answer

Option A is correct because Event ID 10 (Lsass process access) is a common indicator of Mimikatz usage. Option B is wrong because Event ID 4688 is process creation, too broad. Option C is wrong because Event ID 4625 is failed logon, unrelated.

Option D is wrong because Event ID 5156 is for Windows Filtering Platform connections, not credential dumping.

927
MCQmedium

You are reviewing a threat hunting KQL query in Microsoft Sentinel. The query references an external CSV containing malicious IPs. The query returns no results despite known malicious activity. What is the most likely issue?

A.The externaldata function is not supported in Microsoft Sentinel.
B.The HuntingTimeRange variable is not being used correctly.
C.The project clause removes the RemoteIP column.
D.The external CSV file is not accessible or the URL is malformed.
AnswerD

If the external data source is unavailable, the join produces no results.

Why this answer

Option B is correct because externaldata reads the file at query time, and if the URL is unreachable or the file format differs, no IPs are loaded, resulting in no matches. Option A is less likely because the syntax is valid. Option C is possible but the query does not filter on time; it uses the variable.

Option D is incorrect because the query projects relevant fields.

928
MCQhard

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You are hunting for a threat that uses 'process hollowing' to evade detection. Which advanced hunting query in Microsoft Defender for Endpoint would be most effective?

A.DeviceProcessEvents | where InitiatingProcessFileName != ImageFileName | where ParentProcessFileName != ImageFileName
B.DeviceProcessEvents | where FileName in~ ('rundll32.exe', 'regsvr32.exe', 'mshta.exe')
C.DeviceFileEvents | where FileName contains 'hollow'
D.AlertInfo | where Title contains 'Process hollowing'
AnswerA

Process hollowing typically involves a process where the original image is replaced; this query finds mismatches between initiating, parent, and image file names.

Why this answer

Option A is correct because process hollowing often involves a child process with a different parent image; DeviceProcessEvents can show such anomalies. Option B is wrong because it looks for specific image names. Option C is wrong because file events are less direct.

Option D is wrong because it waits for alerts.

929
MCQhard

Your incident response team uses Microsoft Sentinel with automation rules and playbooks. During an incident, you need to automatically collect a memory dump from an affected Windows server and upload it to an Azure storage account for analysis. Which type of playbook should you use?

A.A playbook that installs a script on the server to collect the dump.
B.A playbook triggered directly from the analytics rule that generates the alert.
C.A playbook that must be run manually from the incident page.
D.A playbook triggered by an automation rule when the incident is created.
AnswerD

Automation rules allow triggering playbooks automatically on incident creation.

Why this answer

Option A is correct because automation rules can trigger playbooks on incident creation or update. Option B is wrong because playbooks can be triggered by automation rules, not directly by analytics rules. Option C is wrong because playbooks can be triggered automatically.

Option D is wrong because playbooks run in Azure, not on the server.

930
Drag & Dropmedium

Order the steps to configure a Microsoft Sentinel analytics rule using a scheduled query.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Scheduled query rules run on a schedule and generate alerts based on query results meeting a threshold.

931
MCQeasy

Refer to the exhibit. An admin creates this activity policy in Microsoft Defender for Cloud Apps. What will happen when a user fails to log in from 3 different IP addresses within 10 minutes?

A.The policy will generate an alert but not block the user.
B.The user will be blocked immediately after the third failed login from any IP.
C.The user will be blocked after 10 minutes regardless of the number of IPs.
D.The user will be blocked only if the third IP is different from the first two.
AnswerD

The policy requires 3 distinct IP addresses; after the third distinct IP, the user is blocked.

Why this answer

The policy triggers when the count of different IPs for failed logins reaches 3 within 10 minutes. The action is to block the user. 'DifferentCount' means distinct IPs, not total attempts. So exactly 3 different IPs trigger it.

932
MCQmedium

Your company uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. The email contains an external link to a credential harvesting site. You need to block similar emails in the future. What should you do?

A.Create an anti-spam policy to block the sender's domain.
B.Create a Safe Links policy and add the malicious domain to the blocked URLs list.
C.Create an anti-malware policy to block the attachment type.
D.Add the sender's domain to the Tenant Allow/Block List.
AnswerB

Safe Links policies can block URLs at click time, protecting users.

Why this answer

Option D is correct because creating a Safe Links policy and adding the domain to the blocked URLs list prevents users from clicking malicious links. Option A is wrong because anti-spam policies do not block specific URLs. Option B is wrong because tenant allow/block lists are for sender/domain blocking, not URLs.

Option C is wrong because anti-malware policies do not handle link blocking.

933
MCQhard

A company uses Microsoft Sentinel with Microsoft Defender for Cloud Apps. An incident is created when a user downloads 500 GB from SharePoint in one hour. The analyst wants to create a playbook that automatically suspends the user in Microsoft Entra ID when such activity is detected. Which connector and action should the analyst use in the playbook?

A.Microsoft Teams connector with 'Post message' action to notify admin.
B.Microsoft Entra ID connector with 'Update user' action to set accountEnabled to false.
C.Microsoft 365 Defender connector with 'Run advanced hunting' action.
D.Exchange Online connector with 'Set mailbox' action.
AnswerB

Directly disables the user account in Entra ID.

Why this answer

Option C is correct because the Microsoft Entra ID connector can update user settings, and the action to disable account is available. Option A is wrong because Defender for Cloud Apps connector does not directly disable users. Option B is wrong because Exchange Online is for mailboxes.

Option D is wrong because Microsoft Teams is for communication.

934
MCQmedium

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst wants to find emails that were delivered to users (DeliveryAction != 'Blocked') and contained a specific malicious URL (e.g., 'https://malicious.com'). The EmailEvents table contains delivery information, and the EmailUrlInfo table contains URL details. Which KQL query correctly joins these two tables to find the desired emails?

A.EmailEvents | where DeliveryAction != 'Blocked' | join kind=inner EmailUrlInfo on NetworkMessageId | where Url == 'https://malicious.com'
B.EmailEvents | where DeliveryAction != 'Blocked' | join kind=leftouter EmailUrlInfo on NetworkMessageId | where Url == 'https://malicious.com'
C.EmailEvents | where DeliveryAction != 'Blocked' | join kind=inner EmailUrlInfo on Name | where Url == 'https://malicious.com'
D.EmailEvents | where DeliveryAction != 'Blocked' | join kind=inner EmailUrlInfo on SenderFromDomain | where Url == 'https://malicious.com'
AnswerA

This query correctly joins on NetworkMessageId, filters delivered emails, and then filters for the specific URL.

Why this answer

Option A is correct because it uses an inner join on the `NetworkMessageId` column, which is the common key between `EmailEvents` and `EmailUrlInfo` tables in Microsoft 365 Defender advanced hunting. The query first filters `EmailEvents` to only delivered emails (`DeliveryAction != 'Blocked'`), then joins with `EmailUrlInfo` to match URLs to those emails, and finally filters for the specific malicious URL. This ensures only emails that were delivered and contained the target URL are returned.

Exam trap

The trap here is that candidates may choose a `leftouter` join (Option B) thinking it is safer to include all delivered emails, but the requirement is to find only emails that actually contained the malicious URL, making an `inner` join the correct choice.

How to eliminate wrong answers

Option B is wrong because a `leftouter` join would include all delivered emails even if they have no matching URL in `EmailUrlInfo`, and the subsequent `where Url == 'https://malicious.com'` would filter those nulls out, but it is less efficient and conceptually incorrect for this requirement (inner join is appropriate since we only want emails with the URL). Option C is wrong because it joins on `Name`, which is not a common key between `EmailEvents` and `EmailUrlInfo`; the correct join key is `NetworkMessageId`. Option D is wrong because it joins on `SenderFromDomain`, which is not a unique identifier for individual emails and would produce incorrect matches across different emails from the same domain.

935
MCQeasy

Your organization uses Microsoft Defender XDR. You need to ensure that incidents are automatically classified as 'True positive' when a specific indicator of compromise (IOC) is detected. What should you configure?

A.Configure a suppression rule in Microsoft Defender XDR.
B.Create a custom detection rule in Microsoft 365 Defender that sets the classification to 'True positive' when the IOC is detected.
C.Create a transport rule in Exchange Online.
D.Add the IOC to the Microsoft Defender for Endpoint indicator list.
AnswerB

Custom detection rules can include actions to classify incidents.

Why this answer

Option D is correct because custom detection rules can be configured to automatically classify incidents. Option A is for email filtering. Option B is for file reputation.

Option C is for alert suppression, not classification.

936
MCQhard

Your Microsoft Defender XDR environment is experiencing high false positive rates for a specific type of alert. You need to reduce the noise without completely disabling the alert. What is the most effective method?

A.Create a custom detection rule to tune the detection logic.
B.Create a suppression rule for the alert.
C.Use an automation rule to automatically close the false positive incidents.
D.Disable the built-in detection rule.
AnswerA

Custom detections allow fine-tuning to reduce false positives.

Why this answer

Custom detections in Microsoft Defender XDR allow you to create custom rules that tune the detection logic, e.g., by adding conditions to reduce false positives. Option A is wrong because suppression rules hide alerts but do not address the root cause. Option C is wrong because disabling the alert removes detection entirely.

Option D is wrong because automation rules can only handle incidents after generation, not prevent false alerts.

937
Multi-Selecthard

Which THREE actions can you take in Microsoft Sentinel to respond to an incident?

Select 3 answers
A.Assign the incident to a user
B.Create an automation rule
C.Run a playbook
D.Modify a KQL query in an analytics rule
E.Export logs to Azure Storage
AnswersA, B, C

Part of incident management.

938
MCQmedium

Your company uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to ensure that when a device is determined to be compromised, the device is automatically isolated from the network and a Sentinel incident is updated with the isolation status. What is the most efficient way to achieve this?

A.Have the SOC analyst manually isolate the device from the MDE console and update the incident in Sentinel
B.Configure Microsoft Intune to automatically isolate the device when a compliance policy is violated
C.Use Microsoft Defender XDR conditional access to block the device
D.Create a Microsoft Sentinel automation rule with a playbook that isolates the device and updates the incident
AnswerD

This automates the response and updates the incident in Sentinel.

Why this answer

Option D is correct because it leverages Microsoft Sentinel's automation capabilities to respond to security incidents without manual intervention. By creating an automation rule that triggers a playbook (an Azure Logic Apps workflow), you can automatically isolate a compromised device via Microsoft Defender for Endpoint APIs and simultaneously update the Sentinel incident with the isolation status. This provides the most efficient, end-to-end automated response directly within the security operations workflow.

Exam trap

The trap here is that candidates may confuse Microsoft Intune compliance policies or conditional access with automated incident response actions, not realizing that only a Sentinel automation rule with a playbook can directly orchestrate both device isolation and incident update in a single, efficient workflow.

How to eliminate wrong answers

Option A is wrong because manual isolation and incident update are inefficient, error-prone, and do not meet the requirement for an automated response. Option B is wrong because Microsoft Intune compliance policies are designed for device configuration and health checks, not for real-time incident response to a compromise detected by Defender for Endpoint; Intune cannot trigger isolation based on a Defender alert. Option C is wrong because Microsoft Defender XDR conditional access controls access to cloud apps based on risk, but it does not perform network isolation of a device or update a Sentinel incident; it is a conditional access policy, not an automated response action.

939
MCQhard

A security administrator receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request from a domain controller. The alert suggests a possible Golden Ticket attack. Which action should the administrator take to validate the alert?

A.Review Microsoft Defender for Identity alerts for brute force attempts.
B.Check the domain controller's Security event log for Event ID 4769 with suspicious attributes.
C.Reset the krbtgt account password twice.
D.Verify if the user account associated with the ticket is disabled.
AnswerB

Event ID 4769 logs Kerberos service ticket requests; anomalous entries can indicate forged tickets.

Why this answer

To validate a Golden Ticket attack, the administrator should check the domain controller's event logs for Event ID 4769 (Kerberos service ticket request) with anomalous attributes such as ticket encryption type 0x17 (RC4) or non-existent user accounts. Checking user accounts for anomalies is less direct. Resetting passwords does not invalidate a Golden Ticket.

Checking for brute force is unrelated.

940
MCQeasy

An organization has connected a Palo Alto Networks firewall to Microsoft Sentinel using the Common Event Format (CEF) connector via a Linux log forwarder. The analyst notices that some expected firewall logs are missing in Sentinel. Which troubleshooting step should be performed first to check if the logs are reaching the Sentinel workspace?

A.Run a KQL query in the Sentinel Logs workspace: CommonSecurityLog | where TimeGenerated > ago(1h) | take 10
B.Check the firewall configuration to ensure syslog forwarding is enabled and pointing to the correct Linux forwarder
C.Verify network connectivity between the firewall and the Linux forwarder on port 514 (or the configured port)
D.Restart the Log Analytics agent on the Linux forwarder
AnswerA

This query quickly reveals if any CommonSecurityLog records have been ingested in the last hour, indicating logs are reaching the workspace.

Why this answer

Option A is correct because the first step in troubleshooting missing logs in Microsoft Sentinel is to verify whether the logs are actually reaching the workspace. Running a KQL query against the CommonSecurityLog table (which stores CEF data) with a recent time filter confirms if any CEF logs have been ingested. If the query returns results, the issue lies elsewhere (e.g., parsing or missing events); if it returns no results, the problem is upstream (connector, forwarder, or source).

This step isolates the problem to the Sentinel ingestion pipeline before investigating network or configuration issues.

Exam trap

The trap here is that candidates often jump to checking the source (firewall) or network connectivity first, but Microsoft Sentinel expects you to start by verifying data ingestion at the workspace level using KQL, as this immediately confirms whether the entire pipeline is working or broken.

How to eliminate wrong answers

Option B is wrong because checking the firewall’s syslog forwarding configuration is a downstream step that should only be taken after confirming logs are not reaching the workspace; it assumes the issue is at the source, but the first diagnostic step must be at the destination (Sentinel). Option C is wrong because verifying network connectivity between the firewall and the Linux forwarder on port 514 is also a downstream step; if logs are reaching the forwarder but not Sentinel, the network between forwarder and Sentinel (or the agent) is the real issue. Option D is wrong because restarting the Log Analytics agent is a reactive, brute-force action that does not provide diagnostic information; it may temporarily mask the problem but does not help identify whether logs are reaching the workspace.

941
MCQeasy

A security analyst in your SOC receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded a large number of files from SharePoint in a short time. What is the most likely classification of this activity?

A.Ransomware
B.Lateral movement
C.Data exfiltration
D.Privilege escalation
AnswerC

Downloading many files suggests theft of data.

Why this answer

Option A is correct because this behavior is indicative of data exfiltration. Option B is wrong because privilege escalation involves gaining higher permissions. Option C is wrong because ransomware would encrypt files.

Option D is wrong because lateral movement involves moving between systems.

942
MCQeasy

A large organization manages multiple Azure subscriptions under a single management group. The security team wants to ensure that when new subscriptions are added to the management group, the Microsoft Defender for Cloud plans (e.g., Defender for Servers) are automatically enabled. What is the most efficient way to achieve this?

A.Assign the Azure Policy initiative 'Configure Azure Defender to be enabled on subscriptions' to the management group with appropriate policy parameters.
B.Enable all Microsoft Defender plans at the management group level in the Microsoft Defender for Cloud portal.
C.Manually enable the Defender plans on each new subscription as they are created.
D.Use an Azure Blueprint to assign the Defender plans to the subscription.
AnswerA

Correct. Azure Policy can be assigned at the management group scope to enforce Defender for Cloud plans across all subscriptions, including those created in the future. This ensures automatic compliance.

Why this answer

Option A is correct because assigning the built-in Azure Policy initiative 'Configure Azure Defender to be enabled on subscriptions' to the management group ensures that any new subscription added under that management group automatically inherits the policy. This initiative uses DeployIfNotExists effect to enable the specified Defender plans (e.g., Defender for Servers) on subscriptions that do not already have them enabled, providing a fully automated, scalable solution without manual intervention.

Exam trap

The trap here is that candidates often confuse the 'Enable at management group level' portal setting (which only applies to existing subscriptions) with the automatic inheritance behavior of Azure Policy, leading them to choose Option B.

How to eliminate wrong answers

Option B is wrong because enabling Defender plans at the management group level in the Microsoft Defender for Cloud portal only applies to existing subscriptions under that management group; it does not automatically enable plans on newly added subscriptions. Option C is wrong because manually enabling Defender plans on each new subscription is inefficient, error-prone, and does not scale for a large organization with frequent subscription creation. Option D is wrong because Azure Blueprints are used to define and deploy a repeatable set of Azure resources and policies, but they require explicit assignment to each subscription and do not automatically propagate to new subscriptions added to the management group; Azure Policy is the native, more efficient mechanism for automatic inheritance.

943
MCQmedium

A security administrator needs to ensure that only approved applications can run on a set of Windows Server virtual machines. The administrator has already enabled Microsoft Defender for Cloud's enhanced security features. Which Defender for Cloud feature should the administrator configure to define a list of allowed applications and get alerts when unapproved applications are executed?

A.Adaptive Application Controls
B.File Integrity Monitoring (FIM)
C.Just-in-Time VM Access (JIT)
D.Vulnerability Assessment
AnswerA

Correct. Adaptive Application Controls learns typical application usage and creates an allowlist; alerts are generated when an application outside the allowlist runs.

Why this answer

Adaptive Application Controls (AAC) is the correct feature because it uses machine learning to establish a baseline of known-safe processes on your Windows Server VMs, then enforces an allowlist so that only those approved applications can run. When an unapproved application is executed, AAC generates a security alert in Microsoft Defender for Cloud, meeting the requirement to both define allowed applications and receive alerts on violations.

Exam trap

The trap here is that candidates confuse 'application control' with 'file integrity monitoring' because both deal with files, but FIM only alerts on changes to existing files, not on execution of new unapproved applications.

How to eliminate wrong answers

Option B (File Integrity Monitoring) is wrong because FIM monitors changes to critical files, registry keys, and software installations, but it does not enforce an application allowlist or alert on unapproved application execution; it focuses on integrity changes. Option C (Just-in-Time VM Access) is wrong because JIT controls network access to management ports (like RDP or SSH) by reducing exposure, not by controlling which applications can run on the VM. Option D (Vulnerability Assessment) is wrong because VA scans for known vulnerabilities and misconfigurations in the OS and applications, but it does not define or enforce an allowlist of approved applications.

944
MCQhard

Your organization uses Microsoft Sentinel with multiple workspaces across different regions. You need to centrally manage all security incidents from a single pane of glass. The solution must allow analysts to investigate incidents across workspaces without switching contexts. What should you configure?

A.Deploy Microsoft Sentinel in a single region and use Azure Arc to connect other workspaces.
B.Create a union query across workspaces using the workspace() expression.
C.Use Azure Lighthouse to manage multiple workspaces and enable cross-workspace incident view in Microsoft Sentinel.
D.Configure a single workspace and use diagnostic settings to send all logs to it.
AnswerC

Azure Lighthouse allows managing multiple workspaces from a single view.

Why this answer

Option C is correct because Microsoft Sentinel's incident management supports cross-workspace views via Azure Lighthouse or unified incident management. Option A is for queries, not incident management. Option B is for data collection.

Option D is for event management, not Sentinel.

945
MCQmedium

A security operations center (SOC) team uses Microsoft Defender XDR and Microsoft Sentinel. An incident is created in Defender XDR that involves a malicious email and a compromised device. The team wants the incident to automatically sync to Sentinel. What is the minimum configuration required?

A.Configure the Microsoft Defender for Office 365 connector in Sentinel
B.Configure the Azure AD Identity Protection connector in Sentinel
C.Configure the Microsoft Defender XDR connector in Sentinel
D.Configure the Microsoft 365 Defender connector in Sentinel
AnswerC

This connector synchronizes all Defender XDR incidents to Sentinel.

Why this answer

Option A is correct because the connector for Microsoft Defender XDR automatically syncs incidents to Sentinel. Option B is wrong because the connector for Microsoft 365 Defender is the same. Option C is wrong because the connector for Microsoft Defender for Office 365 only syncs email-related alerts.

Option D is wrong because the connector for Azure AD Identity Protection only syncs identity alerts.

946
MCQeasy

Your company uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is created when a user performs an unusual mass download from SharePoint Online. The playbook assigned to the incident automatically suspends the user account in Microsoft Entra ID. However, after investigation, the user's activity is determined to be legitimate (they were backing up data for a migration). You need to restore the user's account and ensure that the user can access all resources immediately. You also need to update the incident to reflect the findings. What should you do?

A.Send a new invitation to the user via Microsoft Entra ID and close the incident as resolved.
B.Reset the user's password in Microsoft Entra ID and force a password change at next sign-in.
C.Edit the playbook to remove the suspend action and re-run it for the incident.
D.Re-enable the user account in Microsoft Entra ID and set the incident status to Closed with classification 'False positive'.
AnswerD

Re-enabling restores access; closing with classification documents the finding.

Why this answer

Option B is correct because re-enabling the account in Entra ID restores access, and closing the incident with a classification updates the record. Option A is wrong because resetting password is unnecessary. Option C is wrong because re-inviting is for guest users.

Option D is wrong because editing the playbook is not needed.

947
MCQmedium

Your security team receives alerts from Microsoft Defender for Cloud. You need to configure automated response to remediate a specific alert type. What should you create in Microsoft Sentinel?

A.An analytics rule
B.A workbook
C.A watchlist
D.An automation rule
AnswerD

Automation rules trigger playbooks or other actions in response to incidents.

Why this answer

In Microsoft Sentinel, automation rules are the correct mechanism to define automated responses triggered by alerts, including those from Microsoft Defender for Cloud. They allow you to run playbooks, change incident severity, assign ownership, or add comments when a specific alert type fires, enabling remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse 'automation rule' with 'analytics rule', mistakenly thinking the rule that generates the alert can also handle the response, but Sentinel separates detection (analytics rules) from response (automation rules).

How to eliminate wrong answers

Option A is wrong because analytics rules are used to generate alerts or incidents from raw data (e.g., querying Log Analytics), not to automate responses to existing alerts. Option B is wrong because workbooks are interactive dashboards for visualizing data, not for triggering automated remediation actions. Option C is wrong because watchlists are collections of data (e.g., IP addresses or hostnames) used for correlation or filtering in queries, not for executing response actions.

948
MCQmedium

Refer to the exhibit. You are creating a scheduled analytics rule in Microsoft Sentinel using the ARM template snippet. The rule runs every 5 minutes and queries the last 5 minutes of data. The rule is not generating alerts even though malware detections are occurring. What is the most likely issue?

A.The queryPeriod and queryFrequency are the same, causing overlapping windows.
B.The triggerThreshold is set to 0, which should always trigger.
C.The ARM template is missing the required 'kind' property.
D.The table DeviceEvents is not ingested into the Log Analytics workspace.
AnswerD

Without data, no alerts.

Why this answer

Option B is correct because the query uses DeviceEvents, which is a table in Microsoft Defender for Endpoint but not in Sentinel by default unless the connector is configured and data is mapped to that table. Option A is wrong because the query period and frequency are consistent. Option C is wrong because the threshold is 0, so any result should trigger.

Option D is wrong because the ARM template is valid.

949
Multi-Selecteasy

Which TWO Microsoft 365 Defender portals provide automated investigation and response capabilities? (Choose two.)

Select 2 answers
A.Microsoft Purview compliance portal
B.Microsoft Sentinel (portal.azure.com)
C.Microsoft Intune admin center
D.Microsoft Defender for Endpoint (security.microsoft.com)
E.Microsoft 365 Defender (security.microsoft.com)
AnswersD, E

Defender for Endpoint has automated investigation and response for endpoint threats.

Why this answer

A and D are correct. Microsoft 365 Defender (https://security.microsoft.com) provides automated investigation for incidents. Microsoft Defender for Endpoint has its own AIR capabilities.

B is wrong because Microsoft Sentinel is a SIEM, not a portal for automated response. C is wrong because Microsoft Purview is for compliance. E is wrong because Microsoft Intune is for device management.

950
MCQmedium

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You have configured the Microsoft Defender for Endpoint connector in Sentinel to ingest alerts and incidents. The security team wants to automatically create a Sentinel incident when an MDE alert of severity 'High' or 'Critical' is generated. Additionally, they want to assign the incident to a specific SOC tier based on the alert title. For example, if the alert title contains 'Ransomware', assign to Tier 3; otherwise assign to Tier 2. You need to implement this automation efficiently. You have already enabled the connector and verified that MDE alerts are flowing into Sentinel. What is the best approach?

A.Create an automation rule that triggers when an incident is created with a condition on alert severity, and set the owner to the appropriate group. Then create another automation rule for 'Ransomware' alerts.
B.Configure an automation rule with a condition on the alert title using KQL, then set the owner.
C.Create an automation rule that triggers on incident creation for High and Critical severity. The rule runs a playbook that uses Logic Apps to parse the alert title and assign the incident to the appropriate tier using the Microsoft Sentinel connector 'Update incident' action.
D.Modify the Microsoft Defender for Endpoint analytics rule to include a custom mapping that assigns the incident to a specific owner based on the alert title.
AnswerC

A playbook can parse the alert title and assign the incident to the correct owner.

Why this answer

Option B is correct because it uses a playbook triggered by an automation rule on incident creation, which can then parse the alert title and assign the incident. Option A is wrong because automation rules cannot assign based on alert content directly. Option C is wrong because it's not efficient to modify the analytics rule.

Option D is wrong because automation rules cannot assign owners directly based on dynamic conditions.

951
MCQeasy

A security analyst is reviewing an incident in Microsoft 365 Defender where malware was detected on multiple endpoints. The analyst wants to see a visual representation of the attack progression, including the initial entry point and all affected devices. Which feature in the Microsoft 365 Defender portal should the analyst use?

A.Incident graph
B.Advanced hunting
C.Threat analytics
D.Action center
AnswerA

The incident graph visually maps the attack chain, showing entity relationships and progression.

Why this answer

The incident graph in Microsoft 365 Defender provides a visual, interactive map of the entire attack progression, showing the initial entry point, lateral movement, and all affected devices and users. It correlates alerts and evidence into a single timeline, enabling the analyst to understand the full scope of the incident at a glance. This directly meets the requirement for a visual representation of the attack progression.

Exam trap

The trap here is that candidates confuse the incident graph (visual attack path) with Advanced hunting (raw data querying) because both are used for investigation, but only the graph provides a pre-built visual map of the attack progression.

How to eliminate wrong answers

Option B (Advanced hunting) is wrong because it is a query-based tool for searching raw data using Kusto Query Language (KQL), not a visual representation of an attack progression. Option C (Threat analytics) is wrong because it provides reports on active threats, vulnerabilities, and mitigations, but does not show the specific attack path for a given incident. Option D (Action center) is wrong because it lists pending and completed remediation actions (e.g., isolating devices, running antivirus scans), not a visual attack timeline or device map.

952
MCQeasy

A SOC analyst needs to create a custom scheduled analytics rule in Microsoft Sentinel that detects when a user attempts to sign in from an IP address not in the organization's allowlist. The rule should run every 5 minutes. Which table should the analyst query?

A.SigninLogs
B.AADNonInteractiveUserSignInLogs
C.AuditLogs
D.AzureActivity
AnswerA

SigninLogs captures interactive user sign-in events, which is the correct data source for detecting sign-in attempts from specific IP addresses.

Why this answer

The SigninLogs table in Microsoft Sentinel captures interactive user sign-in events, including the source IP address. Since the rule needs to detect user sign-in attempts from non-allowlisted IPs, SigninLogs is the correct table to query. It provides the necessary fields like UserPrincipalName, IPAddress, and ResultType to build the detection logic.

Exam trap

The trap here is that candidates may confuse AuditLogs or AzureActivity with sign-in logs, but only SigninLogs contains the interactive user sign-in data with source IP addresses needed for this detection.

How to eliminate wrong answers

Option B is wrong because AADNonInteractiveUserSignInLogs captures non-interactive sign-ins (e.g., service-to-service authentication), not the interactive user sign-in attempts the rule targets. Option C is wrong because AuditLogs records administrative actions and changes in Azure AD (e.g., user creation, role changes), not sign-in events. Option D is wrong because AzureActivity logs Azure resource management operations (e.g., VM creation, resource group changes), not user authentication events.

953
MCQmedium

You are a threat hunter at Fabrikam, a mid-sized company with 2,000 users. Your environment uses: Microsoft 365 E3 licenses; Microsoft Sentinel with the Microsoft 365 Defender connector; Microsoft Defender for Office 365; and Microsoft Defender for Endpoint (without Microsoft Defender for Identity). You are investigating a suspicious email campaign where some users received phishing emails with links to a credential harvesting page. You want to proactively search for any users who may have entered credentials on the phishing page. You have no direct logs from the phishing server. Which hunting approach should you use in Microsoft Sentinel?

A.Query the UrlClickEvents table to identify users who clicked the malicious link, then correlate with AADSignInEventsBeta to find sign-ins from new IPs after the click.
B.Query the DeviceProcessEvents table for any browser process that accessed the phishing URL.
C.Query the AADSignInEventsBeta table for users who signed in shortly after the email campaign from IPs not previously seen.
D.Query the EmailEvents table for users who received the phishing email and then check if they have any subsequent sign-in anomalies.
AnswerA

This directly identifies users who interacted with the phishing link and may have entered credentials, then checks for anomalous sign-ins.

Why this answer

Option C is correct because using URL click verdict data from Defender for Office 365's Safe Links can show which users clicked the malicious link, and correlating with subsequent sign-ins from unusual IPs can indicate credential compromise. Option A is wrong because email events show delivery but not credential entry. Option B is wrong because sign-in logs alone may not be linked to the phishing.

Option D is wrong because endpoint process events are less likely to capture web form submissions.

954
MCQmedium

You are a SOC analyst using Microsoft Sentinel. You need to create a hunting query that searches for unusual outbound RDP connections from workstations. Which KQL operators or functions would be most essential for this query?

A.DeviceProcessEvents and where ProcessCommandLine contains 'mstsc'
B.DeviceNetworkEvents and where LocalPort == 3389 and RemoteIPType == 'Public'
C.DeviceLogonEvents and where LogonType == 'RemoteInteractive'
D.DeviceEvents and where ActionType contains 'RDP'
AnswerB

Outbound RDP uses local port 3389 to public IPs.

Why this answer

Hunting for outbound RDP requires identifying connections on port 3389 from workstations. Option B is correct because DeviceNetworkEvents includes network connections and port information. Option A is incorrect because DeviceLogonEvents is for logon sessions.

Option C is incorrect because DeviceProcessEvents is for processes. Option D is incorrect because DeviceEvents may not include network details.

955
Multi-Selectmedium

Which TWO are recommended first steps when responding to a confirmed ransomware incident in Microsoft Defender XDR?

Select 2 answers
A.Assess the financial impact of the incident
B.Disable all user accounts
C.Run a full antivirus scan on all devices
D.Isolate affected devices using Microsoft Defender for Endpoint
E.Revoke user sessions and require reauthentication
AnswersD, E

Isolation stops lateral movement and communication with C2.

Why this answer

The correct answers are A and D. Isolating affected devices and revoking user sessions are immediate containment steps. Disabling accounts is also important but can be done after revoking sessions.

Running a full antivirus scan is not a first step; it may alert the attacker. Assessing impact is part of investigation, not first containment.

956
MCQhard

You are the security operations lead for a multinational company using Microsoft Sentinel. You have deployed a custom analytics rule that uses a KQL query to detect anomalous outbound network traffic. The rule runs every hour and looks back 24 hours. Recently, the rule has been generating a high number of false positives. You need to tune the rule to reduce false positives without missing genuine threats. The rule currently triggers when the count of outbound connections to a single IP exceeds 100 in an hour. You analyze the data and find that legitimate cloud services often trigger the rule. What should you do?

A.Disable the rule and create a new one with a different query.
B.Increase the threshold to 200 connections per hour.
C.Configure a suppression rule to automatically close incidents from those IPs.
D.Modify the KQL query to exclude traffic to known benign IP ranges.
AnswerD

Excluding known good IPs reduces false positives without changing threshold.

Why this answer

Option A is correct because adding known benign IPs to the exclusion list directly reduces false positives from legitimate cloud services while keeping the detection logic intact. Option B is incorrect because suppressing alerts only hides them, not reducing false positives. Option C is incorrect because increasing the threshold may miss real threats.

Option D is incorrect because disabling the rule is not tuning.

957
MCQhard

Your organization uses Microsoft Defender for Cloud with enhanced security features enabled. You need to ensure that all Azure subscriptions are covered by a single Defender for Cloud policy that enforces specific security standards. The policy must be automatically applied to new subscriptions. What should you do?

A.Enable the default Defender for Cloud policy from the Azure portal.
B.Manually assign the policy to each subscription using PowerShell.
C.Create a custom policy initiative and assign it to the root management group.
D.Configure the security contact email for each subscription.
AnswerC

Assigning to the root management group ensures inheritance to all subscriptions.

Why this answer

Assigning a custom policy initiative to the root management group ensures that the policy is inherited by all subscriptions under that management group, including new subscriptions as they are added. This approach enforces consistent security standards across the entire Azure environment without requiring manual intervention for each subscription.

Exam trap

The trap here is that candidates may think enabling the default Defender for Cloud policy (Option A) is sufficient for all subscriptions, but that only applies to the current subscription and does not enforce a custom standard or automatically cover new subscriptions.

How to eliminate wrong answers

Option A is wrong because enabling the default Defender for Cloud policy from the Azure portal only applies the built-in security policy to the current subscription, not to all subscriptions automatically, and does not enforce a single custom standard across multiple subscriptions. Option B is wrong because manually assigning the policy to each subscription using PowerShell does not automatically cover new subscriptions; each new subscription would require a separate manual assignment, defeating the requirement for automatic application. Option D is wrong because configuring the security contact email for each subscription only sets notification recipients for security alerts, not the enforcement of security standards or policies.

958
MCQhard

You are the security operations analyst for a large enterprise that uses Microsoft Sentinel and Microsoft Defender XDR. The environment includes: - 10,000 Windows 11 devices managed by Microsoft Intune - 5,000 macOS devices managed by Jamf Pro - 2,000 Linux servers running Ubuntu 22.04 - Microsoft 365 E5 licenses for all users - Microsoft Sentinel in the East US region - Microsoft Defender for Cloud Apps enabled - Microsoft Defender for Identity deployed - Microsoft Defender for Office 365 configured You need to design a solution to meet the following requirements: 1. Ingest security events from all devices (Windows, macOS, Linux) into Microsoft Sentinel. 2. Ensure that all alerts from Microsoft Defender XDR components (including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps) are automatically correlated into incidents in Microsoft Sentinel. 3. Minimize latency between alert generation in Defender XDR and incident creation in Sentinel. 4. Use the least amount of administrative overhead. What should you implement?

A.Enable the Microsoft Defender XDR connector for incident correlation. Deploy the Log Analytics agent on all devices to collect events.
B.Enable the Microsoft Defender XDR connector for incident correlation. For Windows devices, use the Windows Security Events via AMA connector. For Linux and macOS, use the Syslog via AMA connector.
C.Use a Logic App to fetch incidents from Microsoft Defender XDR and create incidents in Sentinel. Install the Azure Monitor Agent on all devices.
D.Enable the Microsoft Defender XDR connector and use the Microsoft Graph API to ingest logs from all devices directly into Sentinel.
AnswerB

This meets all requirements with native connectors and minimal overhead.

Why this answer

The Microsoft Defender XDR connector streams incidents from all Defender products into Sentinel with low latency and minimal overhead. For device logs, the Windows Security Events via AMA (Azure Monitor Agent) connector ingests Windows events, and Syslog via AMA ingests Linux and macOS logs (since Jamf Pro can forward logs via Syslog). Option A is correct because it uses the native connectors.

Option B is wrong because Log Analytics agent is deprecated and not recommended. Option C is wrong because a Logic App adds latency and overhead. Option D is wrong because direct API ingestion is complex and not scalable.

959
MCQeasy

Your organization uses Microsoft Sentinel. You need to provide a SOC analyst with the ability to create and modify incident comments but not delete incidents. Which role should you assign?

A.Global Administrator
B.Microsoft Sentinel Contributor
C.Microsoft Sentinel Reader
D.Microsoft Sentinel Responder
AnswerD

Responder can manage incidents and add comments.

Why this answer

Option B is correct because Microsoft Sentinel Responder role allows managing incidents including comments but not deletion. Option A is incorrect because Reader is read-only. Option C is incorrect because Contributor can delete incidents.

Option D is incorrect because Global Administrator has full access.

960
MCQeasy

A security administrator needs to ensure that all newly provisioned Azure virtual machines automatically install the Microsoft Defender for Cloud agent (Log Analytics agent) to enable security monitoring. Which configuration should be enabled in Defender for Cloud?

A.Auto-provisioning of the Log Analytics agent
B.Enable the Defender for Servers plan
C.Configure a vulnerability assessment solution
D.Enable just-in-time (JIT) VM access
AnswerA

Correct. When enabled, Defender for Cloud automatically installs the agent on new and existing VMs.

Why this answer

Auto-provisioning of the Log Analytics agent in Microsoft Defender for Cloud automatically installs the Log Analytics agent (Microsoft Monitoring Agent) on all new Azure VMs. This ensures that security monitoring data, such as security events and syslog, is collected and sent to the Log Analytics workspace without manual intervention. The setting is found under 'Environment settings' > 'Auto provisioning' and must be toggled to 'On' for the agent to be deployed on newly provisioned VMs.

Exam trap

The trap here is that candidates confuse 'enabling the Defender for Servers plan' with automatic agent deployment, but the plan only enables threat detection capabilities and does not handle the agent installation process.

How to eliminate wrong answers

Option B is wrong because enabling the Defender for Servers plan activates advanced threat protection features (e.g., fileless attack detection, network-based detection) but does not automatically install the Log Analytics agent; the agent must be deployed separately or via auto-provisioning. Option C is wrong because configuring a vulnerability assessment solution (e.g., Qualys or Microsoft Defender Vulnerability Management) scans for software vulnerabilities but does not handle agent deployment for general security event collection. Option D is wrong because enabling just-in-time (JIT) VM access controls network access to management ports (e.g., RDP/SSH) and has no role in installing the Log Analytics agent for monitoring.

961
MCQeasy

Your organization uses Microsoft Defender for Cloud to protect hybrid cloud workloads. An alert indicates that a container in Azure Kubernetes Service (AKS) is running a privileged container. Which response action should you take first?

A.Investigate the alert details in Microsoft Defender for Cloud
B.Disable the container immediately
C.Restart the AKS cluster
D.Delete the container and its image
AnswerA

Investigation is the first step.

Why this answer

The correct answer is A because the first step is to investigate the alert to confirm the behavior. Option B is wrong because disabling the container without investigation could impact services. Option C is wrong because restarting is not a containment measure.

Option D is wrong because deleting the container is too drastic without investigation.

962
MCQhard

While threat hunting, you find a suspicious scheduled task that runs a PowerShell script from a temp directory. You want to check if this task exists on other devices in the environment. Which Microsoft Defender for Endpoint advanced hunting table would you query?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceEvents
D.DeviceRegistryEvents
AnswerC

DeviceEvents captures scheduled task creation and other system events.

Why this answer

Option B is correct because the `DeviceEvents` table includes scheduled task creation events (ActionType: ScheduledTaskCreated). Option A is wrong because `DeviceProcessEvents` focuses on process execution, not task creation. Option C is wrong because `DeviceNetworkEvents` is for network connections.

Option D is wrong because `DeviceRegistryEvents` is for registry changes.

963
MCQeasy

Your organization is implementing Microsoft Sentinel. You need to ensure that security events from AWS CloudTrail are collected. What should you configure?

A.Azure Policy to audit AWS resources.
B.AWS S3 connector in Sentinel.
C.Microsoft Defender for Cloud to monitor AWS.
D.A REST API connector to call CloudTrail API.
AnswerB

Directly ingests CloudTrail logs.

Why this answer

The AWS S3 connector in Microsoft Sentinel ingests CloudTrail logs from an S3 bucket. Option A is wrong because Azure Policy is for Azure resources. Option B is wrong because Microsoft Defender for Cloud does not natively ingest AWS logs.

Option D is wrong because a REST API connector would require custom development.

964
MCQhard

Refer to the exhibit. You are investigating a malware outbreak in Microsoft Sentinel. The KQL query returns no results. What is the most likely reason?

A.The time range is too restrictive.
B.The alert name in the query does not match the actual alert name.
C.No alerts were generated in the last hour.
D.The query syntax is incorrect.
AnswerB

Alert names are case-sensitive and must match exactly.

Why this answer

Option B is correct because the alert name must match exactly; 'Malware detected' might not be the correct name. Option A is wrong because if no alerts were generated, the table would be empty but the query would still run. Option C is wrong because the syntax is correct.

Option D is wrong because the time filter is not the issue.

965
MCQmedium

You are investigating a security incident in Microsoft Sentinel where a user reported receiving a phishing email with a malicious attachment. You need to identify all users who received the same email within the last 24 hours. Which KQL query should you use?

A.EmailEvents | where RecipientEmailAddress == 'user@contoso.com' and Timestamp > ago(24h) | project SenderFromAddress, Subject
B.EmailUrlInfo | where Url == 'http://malicious.com' | project RecipientEmailAddress
C.EmailAttachmentInfo | where FileName == 'malicious.doc' | project RecipientEmailAddress
D.EmailEvents | where SenderFromAddress == 'attacker@example.com' and Subject == 'Invoice' and Timestamp > ago(24h) | project RecipientEmailAddress
AnswerD

This retrieves all recipients who received the same email from the same sender and subject.

Why this answer

The correct query uses EmailEvents table and filters by sender and subject. Option A is wrong because EmailAttachmentInfo does not contain recipient info. Option B is wrong because it would only show the specific user.

Option D is wrong because EmailUrlInfo is for URLs, not attachments.

966
MCQeasy

An incident in Microsoft Sentinel was assigned to you. After investigation, you determine it is a false positive. What should you do to resolve the incident?

A.Add a comment and leave it open
B.Close the incident with classification 'FalsePositive'
C.Delete the incident
D.Reassign to another analyst
E.Change the status to 'Active'
AnswerB

Properly closes the incident and provides reason.

Why this answer

The correct action is to close the incident with a classification of 'FalsePositive'. Changing status or adding comments does not resolve it properly. Deleting is not recommended.

967
MCQeasy

As a security operations analyst, you receive an alert from Microsoft Defender for Identity about a suspicious Kerberos activity. You need to investigate the alert and determine if it is a true positive. What should you use to pivot from the alert to the related user and device timeline?

A.Search for the user in Azure AD audit logs.
B.Open the alert in Microsoft Sentinel and use the investigation graph.
C.From the Microsoft 365 Defender portal, open the alert and click on the user or device name to view their timeline.
D.Use the Microsoft 365 compliance portal to run an eDiscovery search.
AnswerC

Defender for Identity alerts in Microsoft 365 Defender provide direct links to user and device timelines.

Why this answer

Option C is correct because in the Microsoft 365 Defender portal, when you open a Microsoft Defender for Identity alert, you can directly click on the user or device name to pivot to their timeline. This timeline provides a consolidated view of activities, including Kerberos events, authentication attempts, and other related signals, enabling you to quickly assess whether the suspicious Kerberos activity is a true positive without leaving the portal.

Exam trap

The trap here is that candidates may assume they need to use a separate tool like Microsoft Sentinel or Azure AD audit logs for deeper investigation, but the exam tests the knowledge that the Microsoft 365 Defender portal provides a built-in, integrated timeline for direct pivoting from Defender for Identity alerts.

How to eliminate wrong answers

Option A is wrong because Azure AD audit logs focus on directory-level administrative actions (e.g., user creation, password changes) and do not include detailed Kerberos authentication events or device timelines needed for this investigation. Option B is wrong because while Microsoft Sentinel has an investigation graph, the question specifically asks about pivoting from a Defender for Identity alert; the native integration within the Microsoft 365 Defender portal provides the most direct and efficient path to the user and device timeline without requiring a separate SIEM. Option D is wrong because the Microsoft 365 compliance portal and eDiscovery are designed for legal and compliance searches (e.g., mailbox, SharePoint content), not for real-time security event investigation of Kerberos activity.

968
MCQmedium

You are a security analyst for a multinational company with Microsoft Sentinel deployed in a central workspace. You need to grant a team of analysts in the European branch the ability to view incidents and run queries, but they should not be able to modify analytics rules or data connectors. The team already has Microsoft Sentinel Reader role assigned. However, they report that they cannot run KQL queries in the Logs blade. You need to provide the minimum additional permissions. What should you do?

A.Assign the Log Analytics Contributor role to the team on the Sentinel workspace.
B.Assign the Microsoft Sentinel Contributor role to the team on the Sentinel workspace.
C.Assign the Log Analytics Reader role to the team on the Sentinel workspace.
D.Assign the Reader role to the team on the Sentinel workspace.
AnswerC

Log Analytics Reader allows running queries and reading log data.

Why this answer

The Microsoft Sentinel Reader role grants read access to Sentinel data, including incidents, but does not include the ability to run KQL queries in the Logs blade because that requires read permissions on the underlying Log Analytics workspace. The Log Analytics Reader role provides the necessary read access to log data and the ability to execute queries without granting write permissions to analytics rules or data connectors, fulfilling the requirement with minimal privileges.

Exam trap

The trap here is that candidates assume the Microsoft Sentinel Reader role is sufficient for all read operations, but they overlook that running KQL queries in the Logs blade requires separate Log Analytics read permissions, which is a common cross-service dependency tested in SC-200.

How to eliminate wrong answers

Option A is wrong because Log Analytics Contributor role includes write permissions to the Log Analytics workspace, which would allow modifying data connectors and other settings, exceeding the required minimal permissions. Option B is wrong because Microsoft Sentinel Contributor role grants full write access to Sentinel resources, including analytics rules and data connectors, which violates the requirement that the team should not be able to modify these components. Option D is wrong because the Reader role at the Sentinel workspace level does not include the Log Analytics Reader permissions needed to run KQL queries in the Logs blade; it only provides read access to Sentinel-specific resources like incidents and workbooks.

969
MCQeasy

As a threat hunter, you want to use MITRE ATT&CK techniques to categorize detected behaviors. In Microsoft Sentinel, which feature allows you to map alerts to MITRE techniques automatically?

A.Analytics rules
B.Playbooks
C.Watchlists
D.Workbooks
AnswerA

Analytics rules (scheduled or NRT) allow mapping to MITRE techniques.

Why this answer

Option B is correct because analytics rules can include MITRE ATT&CK technique mapping. Option A is wrong because workbooks are for visualization, not mapping. Option C is wrong because playbooks are for automated response.

Option D is wrong because watchlists are for reference data.

970
MCQeasy

A security analyst needs to create a custom watchlist in Microsoft Sentinel to correlate IP addresses known to be used by a threat actor. The watchlist will be uploaded from a CSV file. Which data type should the analyst specify for the watchlist alias?

A.String
B.Integer
C.DateTime
D.Boolean
AnswerA

IP addresses are stored as strings.

Why this answer

The watchlist alias in Microsoft Sentinel is a string identifier used to reference the watchlist in KQL queries. Since IP addresses are stored as text values in CSV files and are not numeric integers, dates, or boolean flags, the correct data type for the alias is String. This ensures the alias can be used in join or lookup operations without type mismatch errors.

Exam trap

The trap here is that candidates may confuse the data type of the alias with the data type of the IP address values in the CSV, assuming IPs should be integers, but the alias is purely a metadata label and must be a string.

How to eliminate wrong answers

Option B is wrong because Integer is a numeric data type, but IP addresses are not integers and cannot be meaningfully represented as such without conversion. Option C is wrong because DateTime is used for date/time values, not for IP addresses which are textual identifiers. Option D is wrong because Boolean is a true/false data type, which cannot represent an IP address or serve as a watchlist alias.

971
MCQeasy

You are managing a Microsoft Sentinel environment. An analyst reports that a scheduled analytics rule is not generating alerts. The rule has been enabled for a week. What is the most likely cause?

A.The rule is disabled due to a cost threshold.
B.The rule has a short lookback period that misses data.
C.The rule's query does not match any events in the workspace.
D.The rule is configured as a real-time rule instead of scheduled.
AnswerC

If the query returns no results, the rule will not generate alerts.

Why this answer

Option A is correct because if the rule's query is not returning results, no alerts are generated. Option B is wrong because the rule is enabled. Option C is wrong because the rule is scheduled, not real-time.

Option D is wrong because the rule has been enabled for a week.

972
MCQhard

During a security incident, the Microsoft Sentinel workspace is receiving high volume of low-severity alerts causing analyst fatigue. You need to reduce noise while ensuring critical alerts are not missed. What should you configure?

A.Disable analytics rules for low-severity alerts
B.Change the severity of low-severity alerts to Informational in the analytics rule
C.Create an automation rule to close low-severity incidents automatically
D.Modify the incident creation rule to only create incidents for alerts with severity High or Medium
AnswerD

This filters alerts before incident creation, reducing noise.

Why this answer

Option C is correct because incident creation rules can filter by alert severity to only create incidents for high and medium severity, reducing noise. Option A is wrong because disabling analytics rules would stop all alerts. Option B is wrong because automation rules trigger after incident creation, not before.

Option D is wrong because setting severity to Informational would not help filter.

973
MCQhard

A SOC analyst is configuring a Microsoft Sentinel scheduled analytics rule to detect rare operations on Azure Key Vaults. The rule uses the AzureActivity table. The analyst wants to use a machine learning algorithm to identify anomalies based on historical activity patterns. Which analytics rule type should the analyst choose?

A.Scheduled
B.Microsoft Security Incident (for using existing alert triggers)
C.Anomaly detection
D.NRT (Near-Real-Time)
AnswerC

Anomaly detection rules apply machine learning models to identify deviations from historical patterns, making them suitable for detecting rare operations.

Why this answer

The Anomaly Detection rule type in Microsoft Sentinel is specifically designed to use machine learning algorithms to identify unusual patterns in historical data. For detecting rare operations on Azure Key Vaults based on historical activity patterns in the AzureActivity table, this rule type automatically applies time series analysis and ML models to baseline normal behavior and flag deviations, making it the correct choice.

Exam trap

The trap here is that candidates often confuse Scheduled rules with Anomaly Detection rules because both can run on a schedule, but only Anomaly Detection rules incorporate built-in machine learning algorithms for dynamic baseline analysis.

How to eliminate wrong answers

Option A is wrong because a Scheduled analytics rule runs a query at defined intervals but does not inherently use machine learning algorithms; it relies on static threshold-based detection. Option B is wrong because Microsoft Security Incident rules are used to import alerts from other Microsoft security products (like Microsoft Defender for Cloud) and do not perform ML-based anomaly detection on AzureActivity data. Option D is wrong because NRT (Near-Real-Time) rules are designed for low-latency detection using simple queries and do not support machine learning-based anomaly detection.

974
MCQeasy

You are investigating a phishing incident in Microsoft Defender XDR. The incident involves a user who clicked a malicious link in an email. Which data source would you use to trace the email's origin?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerB

Covers email threats.

Why this answer

Option A is correct because Microsoft Defender for Office 365 provides email and phishing data. Option B is wrong because Defender for Endpoint focuses on devices. Option C is wrong because Defender for Identity focuses on on-premises identity threats.

Option D is wrong because Defender for Cloud Apps focuses on cloud applications.

975
MCQmedium

Your security team uses Microsoft Defender XDR to investigate a potential malware outbreak. You need to collect a full memory dump from an affected Windows 10 device for forensic analysis. Which action should you take from the Microsoft Defender XDR portal?

A.Initiate a 'Collect investigation package' action.
B.Isolate the device from the network.
C.Run a full antivirus scan on the device.
D.Restrict app execution on the device.
AnswerA

Correct. This action collects memory dumps and forensic data.

Why this answer

To collect a full memory dump for forensic analysis from a Windows 10 device during a potential malware outbreak, you must initiate a 'Collect investigation package' action from the Microsoft Defender XDR portal. This action gathers a comprehensive set of forensic data, including a full memory dump, event logs, registry hives, and other artifacts, which is essential for deep analysis of malware behavior and persistence mechanisms.

Exam trap

The trap here is that candidates often confuse 'Collect investigation package' with a simple log collection, not realizing it specifically includes a full memory dump, which is the only option that meets the forensic requirement for volatile memory analysis.

How to eliminate wrong answers

Option B is wrong because isolating the device from the network is a containment step to prevent lateral movement, but it does not collect a memory dump or any forensic data. Option C is wrong because running a full antivirus scan only detects and removes known malware based on signatures; it does not capture a volatile memory snapshot needed for forensic analysis. Option D is wrong because restricting app execution is a mitigation technique to block untrusted software, but it does not gather a memory dump or any investigative data.

Page 12

Page 13 of 22

Page 14