Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1051-1125

1639 questions total · 22 pages · All types, answers revealed

Page 15 of 22
1051
MCQ · medium

You are hunting for signs of credential dumping using Mimikatz. Which process events in Microsoft Defender for Endpoint would most likely indicate this activity?

A. A process opening lsass.exe with access to process memory (e.g., PROCESS_VM_READ)
B. A process named powershell.exe making network connections to an external IP
C. A process named svchost.exe spawning from explorer.exe
D. A process named cmd.exe executing whoami
Answer: A

Mimikatz opens LSASS to read credential material; such access is suspicious.

Why this answer

Option A is correct because Mimikatz reads credential material out of LSASS memory, so a process opening lsass.exe with memory-read access rights (e.g., PROCESS_VM_READ) is a key indicator. Option C is wrong because svchost.exe spawning from explorer.exe is not the pattern credential dumping produces. Option B is wrong because powershell.exe making a network connection is generic on its own.

Option D is wrong because cmd.exe running whoami is generic on its own.

1052
MCQ · medium

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user's device was compromised. The analyst wants to determine if the attacker attempted to access sensitive files stored in SharePoint Online from that device. Which advanced hunting table should the analyst query to find file access events from cloud apps?

A. CloudAppEvents
B. IdentityLogonEvents
C. DeviceFileEvents
D. EmailEvents
Answer: A

This table contains events from cloud apps like SharePoint, including file access, which is directly relevant to the scenario.

Why this answer

The CloudAppEvents table in Microsoft 365 Defender captures audit logs for cloud applications, including SharePoint Online. It records file access events such as viewing, downloading, or modifying files, making it the correct table to query when investigating attacker attempts to access sensitive files from a compromised device.

Exam trap

The trap here is that candidates confuse DeviceFileEvents (local file events) with cloud file access events, not realizing that SharePoint Online actions are logged only in CloudAppEvents, not in device-level tables.

How to eliminate wrong answers

Option B (IdentityLogonEvents) is wrong because it tracks authentication events (logon attempts, success/failure) but does not include file-level access events within cloud apps. Option C (DeviceFileEvents) is wrong because it captures file events on the local device (e.g., file creation, modification, deletion) but not access to files stored in SharePoint Online. Option D (EmailEvents) is wrong because it focuses on email-related events (delivery, phishing, malware) and has no data on SharePoint file access.

1053
MCQ · hard

You are a security operations engineer for a company that uses Microsoft Defender XDR. You need to create a custom detection rule that alerts when a user performs more than 10 failed logon attempts within 5 minutes from different IP addresses. The rule should use the IdentityLogonEvents table. You have written the KQL query and now need to configure the rule settings in Microsoft 365 Defender. Which configuration should you use for the rule frequency and lookback period to minimize false positives while ensuring timely detection?

A. Run every 5 minutes with a 5-minute lookback.
B. Run every 5 minutes with a 1-hour lookback.
C. Run every 1 hour with no lookback.
D. Run every 24 hours with a 24-hour lookback.
Answer: A

Matches the detection window exactly.

Why this answer

Option A is correct because running every 5 minutes with a 5-minute lookback evaluates exactly the detection window, so the rule catches the pattern promptly and does not aggregate over longer periods, which keeps false positives down. Option B is incorrect because a 1-hour lookback may capture multiple unrelated sessions. Option D is incorrect because a 24-hour run period is too coarse for timely detection.

Option C is incorrect because running with no lookback misses events that occurred before the run.

1054
MCQ · hard

Your organization uses Microsoft Sentinel and has several analytics rules that generate incidents from various data sources. The SOC team is overwhelmed by the number of incidents. You need to implement a triage system that automatically assigns incidents to different analysts based on the incident's tactics and severity. You also want to send a notification to the assigned analyst via Teams. What should you do?

A. Create multiple automation rules that trigger on incident creation, each with conditions for specific tactics and severity, and then run a playbook that assigns the incident to an analyst and sends a Teams notification.
B. Use a workbook to create a triage dashboard and instruct analysts to manually claim incidents from the dashboard.
C. Modify each analytics rule to include a custom details field that specifies the analyst, and use a playbook to send Teams notification based on that field.
D. Create a single playbook that checks the incident's tactics and severity, assigns it to the appropriate analyst, and sends a Teams notification, then configure that playbook to run automatically on all new incidents.
Answer: A

Automation rules can filter by properties and run playbooks that perform assignments and notifications.

Why this answer

Automation rules can assign incidents and run playbooks. Option A is correct because multiple automation rules, each with its own tactic and severity conditions, can handle the different assignment cases. Option D is wrong because a playbook cannot assign incidents directly on its own; the assignment belongs in an automation rule.

Option C is wrong because analytics rules do not assign incidents. Option B is wrong because workbooks are for visualization, not automation.

1055
MCQ · easy

Your organization uses Microsoft Sentinel. You need to ensure that an incident is automatically assigned to a specific analyst when it is created. What should you create?

A. An analytics rule with an output to a specific user.
B. A playbook triggered by incident creation.
C. An automation rule with an 'Assign incident' action.
D. A watchlist that maps incident types to owners.
Answer: C

Automation rules can assign owner on incident creation.

Why this answer

Automation rules in Sentinel can trigger on incident creation and include actions such as assigning an owner, so Option C is correct. Option B is wrong because a playbook requires a trigger and extra configuration; an automation rule is simpler.

Option D is wrong because watchlists hold reference data. Option A is wrong because analytics rules create alerts and incidents; they do not assign them.

1056
MCQ · medium

An organization uses Microsoft 365 Defender and receives an alert for a suspicious email sent to multiple recipients. The analyst wants to view the email metadata, including the sender, subject, and any attachments. Which advanced hunting table should the analyst use?

A. EmailEvents
B. EmailAttachmentInfo
C. EmailUrlInfo
D. DeviceEmailEvents
Answer: A

This table contains core email metadata including sender, subject, recipients, and delivery actions.

Why this answer

The EmailEvents table in Advanced Hunting stores the core metadata for every email processed by Microsoft Defender for Office 365, including sender, subject, recipient, and delivery status. Since the analyst needs to view the sender, subject, and attachments for a suspicious email sent to multiple recipients, EmailEvents is the correct starting point because it contains the primary email envelope information.

Exam trap

The trap here is that candidates often confuse the purpose of EmailAttachmentInfo (which only has attachment metadata) with EmailEvents (which has the full email header), or they mistakenly choose DeviceEmailEvents thinking it covers all email activity, when it only logs client-side email events on endpoints.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it only contains details about the attachment file name, size, and hash, but does not include the sender or subject metadata. Option C (EmailUrlInfo) is wrong because it stores URLs extracted from the email body or attachments, not the email's sender or subject. Option D (DeviceEmailEvents) is wrong because it is part of Microsoft Defender for Endpoint and logs email events on devices (e.g., from Outlook client), not server-side email metadata from Exchange Online or Defender for Office 365.

1057
MCQ · hard

A security operations center (SOC) uses Microsoft Sentinel for log management. The SOC manager wants to reduce storage costs by automatically archiving logs that are older than 90 days to long-term retention, but retain the ability to search them if needed. What should the manager configure?

A. Change the table plan to Basic Logs for logs older than 90 days
B. Create a retention policy that deletes logs older than 90 days
C. Configure a data archiving policy in the Log Analytics workspace to archive logs after 90 days
D. Export logs older than 90 days to an Azure Storage account
Answer: C

Archived logs remain searchable (with additional cost).

Why this answer

Option C is correct because configuring a data archiving policy in the Log Analytics workspace automatically moves logs older than 90 days to long-term, low-cost storage while keeping them searchable via the search job or restore feature. This directly meets the SOC manager's requirement to reduce costs without losing the ability to query archived data.

Exam trap

The trap here is that candidates confuse 'archiving' with 'deleting' or 'exporting,' assuming that moving data to cheaper storage must mean losing queryability, whereas Microsoft Sentinel's archive tier preserves searchability through restore or search jobs.

How to eliminate wrong answers

Option A is wrong because changing the table plan to Basic Logs affects all data in the table, not just logs older than 90 days, and Basic Logs have reduced query capabilities and higher ingestion costs, not archival. Option B is wrong because a retention policy that deletes logs older than 90 days permanently removes the data, eliminating the ability to search them later. Option D is wrong because exporting logs to an Azure Storage account moves them out of Log Analytics, making them unsearchable via KQL without additional tooling and breaking the requirement for retained searchability.

1058
MCQ · hard

Refer to the exhibit. You run this KQL query in Microsoft 365 Defender advanced hunting to investigate an incident involving IP address 203.0.113.1. The query returns results, but you need to also see which devices communicated with this IP. How should you modify the query?

A. Join with IdentityLogonEvents on AccountUpn
B. Join with DeviceNetworkEvents on DeviceId where RemoteIP == "203.0.113.1"
C. Join with DeviceInfo on DeviceId
D. Join with EmailEvents on AlertId
Answer: B

DeviceNetworkEvents contains network connections from devices, including remote IP.

Why this answer

Option B is correct because joining with DeviceNetworkEvents on DeviceId, filtered to RemoteIP == "203.0.113.1", surfaces the device-level network connections to that IP. Option C is wrong because DeviceInfo holds device metadata, not network connections. Option D is wrong because EmailEvents contains email data, not device network traffic.

Option A is wrong because IdentityLogonEvents contains authentication events, not network connections.

1059
Multi-Select · medium

Which THREE of the following are valid sources of threat intelligence that can be ingested into Microsoft Sentinel for threat hunting? (Select three.)

Select 3 answers
A. Syslog from a firewall
B. Microsoft Threat Intelligence feed
C. TAXII server
D. Custom threat intelligence via API
E. Azure Policy
Answers: B, C, D

Built-in feed from Microsoft.

Why this answer

Options B, C, and D are correct. B: the built-in Microsoft Threat Intelligence feed. C: a TAXII server serving STIX indicators.

D: custom threat intelligence uploaded via API. A is wrong because Syslog is a log collection channel, not a threat intelligence source. E is wrong because Azure Policy is for compliance, not threat intelligence.

1060
MCQ · medium

A cloud security administrator receives an alert from Microsoft Defender for Cloud indicating that a virtual machine has been compromised. The administrator wants to quickly isolate the VM from the network to prevent further spread while preserving the disk for forensic analysis. Which action should the administrator take?

A. Apply a just-in-time (JIT) access policy to the VM.
B. Use the "Isolate VM" action in the security alert.
C. Enable the Azure Security Benchmark initiative for the VM.
D. Configure a custom Azure Policy to deny network access.
Answer: B

This action isolates the VM from the network while preserving the disk.

Why this answer

The 'Isolate VM' action in Microsoft Defender for Cloud is designed specifically for compromised VMs. It applies a network security group (NSG) rule that denies all inbound and outbound traffic to the VM, effectively quarantining it from the network while leaving the disk intact for forensic analysis. This is the fastest and most direct method to contain the threat without altering the VM's configuration or disk state.

Exam trap

The trap here is that candidates confuse Just-In-Time (JIT) access with network isolation, mistakenly thinking restricting management ports is sufficient to contain a compromise, when in fact JIT does not block lateral movement or outbound malicious traffic.

How to eliminate wrong answers

Option A is wrong because Just-In-Time (JIT) access policy controls inbound RDP/SSH access via NSG rules but does not isolate the VM from all network traffic; it only restricts management ports, leaving other traffic and outbound connections active. Option C is wrong because enabling the Azure Security Benchmark initiative applies compliance policies and recommendations, not an immediate network isolation action; it is a long-term governance framework, not a response to an active compromise. Option D is wrong because configuring a custom Azure Policy to deny network access is a declarative, non-immediate control that requires policy assignment and evaluation cycles, and it does not provide the real-time, one-click isolation needed during an active incident.

1061
Multi-Select · medium

Which TWO of the following are valid methods to reduce Microsoft Sentinel data ingestion costs?

Select 2 answers
A. Disable all analytics rules.
B. Switch all data sources to basic logs.
C. Configure basic logs for high-volume verbose data sources.
D. Increase the retention period for all tables.
E. Set a daily data ingestion cap.
Answers: C, E

Basic logs cost less than analytics logs.

Why this answer

Options C and E are correct. Using basic logs for high-volume verbose sources reduces cost, and setting a daily cap stops ingestion once the limit is reached. Option D is wrong because increasing retention increases cost.

Option A is wrong because disabling all analytics rules may reduce security without reducing ingestion. Option B is wrong because not all sources can be switched to basic logs.

1062
Multi-Select · hard

Which TWO playbook actions can be used to automatically contain a compromised user account in Microsoft Entra ID during an incident? (Choose TWO.)

Select 2 answers
A. Reset the user's password.
B. Send a notification email to the user.
C. Disable the user account via Microsoft Graph API.
D. Add the user to a group that has access to critical resources.
E. Revoke all refresh tokens and sessions for the user.
Answers: C, E

Disabling the account immediately blocks all access.

Why this answer

Option C is correct because disabling the account is a containment action. Option E is correct because revoking refresh tokens and sessions ensures the attacker loses any access already obtained. Option B is wrong because a notification does not prevent login.

Option D is wrong because it is not containment. Option A is wrong because it is not containment.

1063
MCQ · medium

A threat hunter runs the KQL query above in Microsoft Sentinel to detect accounts that have experienced multiple failed sign-in attempts due to a disabled account (ResultType 50057) from the same IP. The query returns no results even though the hunter knows that some disabled accounts are being attacked. What is the most likely reason for the false negatives?

A. The ResultType value 50057 is incorrect; it should be 50058 for disabled account
B. The query should group by UserPrincipalName only, not by IPAddress
C. The time range (1h) is too narrow; the attacks may be spread over several hours
D. The threshold of 5 is too high; reducing it would show results
Answer: C

A larger time window would capture more attempts and meet the threshold.

Why this answer

Option C is correct because the query only looks at the last hour; if the attempts are spread over a longer period, no single one-hour window reaches the threshold and the activity is missed. Option A (wrong ResultType) is possible but not the most likely cause, since 50057 is the correct code for a disabled account. Option B (summarize over UserPrincipalName alone) would group by user, but the query already includes IPAddress, so the grouping is not what hides the results.

Option D (threshold too high) is possible, but the scenario says attacks are occurring, so the time window is the most likely cause.

1064
MCQ · hard

You are a security analyst at Contoso. Microsoft Sentinel is deployed with the Microsoft Defender for Cloud Apps connector. An incident is generated for a high-risk sign-in from a user named JaneDoe@contoso.com. The incident severity is Medium. The incident details show that the sign-in originated from an IP address in a country where Contoso has no business presence, and the user recently changed their password. You suspect account compromise. You need to take immediate action to contain the threat and prevent further unauthorized access. The user is currently active in Microsoft Entra ID. You have the following options: A) Force the user to re-authenticate by revoking their sessions in Microsoft Entra ID. B) Disable the user account in Microsoft Entra ID. C) Block the IP address in Microsoft Defender for Cloud Apps. D) Create a Sentinel automation rule to automatically disable accounts on similar alerts. Which action should you take first to contain the current incident?

A. Force the user to re-authenticate by revoking their sessions.
B. Disable the user account in Microsoft Entra ID.
C. Block the IP address in Microsoft Defender for Cloud Apps.
D. Create a Sentinel automation rule to automatically disable accounts on similar alerts.
Answer: B

Disabling the account stops all access immediately, containing the threat.

Why this answer

Option B is correct because disabling the user account immediately stops any further access using that account, which is the most direct containment action. Option A (Revoke sessions) would end current sessions but the user could still authenticate again if credentials are compromised. Option C (Block IP) is less effective as the attacker may use other IPs.

Option D (Create automation rule) is a long-term solution, not immediate containment.

1065
MCQ · easy

A security analyst wants to see the delivery status and phishing verdict of an email. Which advanced hunting table should the analyst query in Microsoft 365 Defender?

A. EmailEvents
B. EmailPostDeliveryEvents
C. EmailAttachmentInfo
D. EmailUrlInfo
Answer: A

Contains delivery status, threat types, and phishing verdict for each email.

Why this answer

The EmailEvents table in Microsoft 365 Defender's advanced hunting schema contains the delivery status (e.g., Delivered, Failed, Filtered as spam) and the phishing verdict (e.g., Phish, Normal) for each email. This table records the initial processing and classification of the email, making it the correct source for both pieces of information.

Exam trap

The trap here is that candidates often confuse EmailEvents (initial delivery and verdict) with EmailPostDeliveryEvents (post-delivery actions), mistakenly thinking the latter includes the original verdict when it only records changes after delivery.

How to eliminate wrong answers

Option B (EmailPostDeliveryEvents) is wrong because it captures actions taken after delivery (e.g., user clicks, ZAP actions), not the initial delivery status or phishing verdict. Option C (EmailAttachmentInfo) is wrong because it stores metadata about email attachments (e.g., file name, SHA-256 hash), not delivery or verdict data. Option D (EmailUrlInfo) is wrong because it contains URLs found in the email body or attachments, not the email's delivery status or phishing classification.

1066
MCQ · hard

You are designing an automation rule in Microsoft Sentinel that should automatically assign incidents to the appropriate analyst based on the incident type. However, the rule fails to assign correctly for some incidents. What should you verify?

A. The order of conditions in the automation rule; ensure more specific conditions are evaluated first.
B. That a playbook has been created to perform the assignment.
C. That the incident assignment rule in Microsoft Entra ID is configured correctly.
D. That the owner (analyst) has the required permissions in Microsoft Sentinel.
Answer: A

Automation rules use top-down evaluation; specific conditions must precede general ones.

Why this answer

Automation rules in Microsoft Sentinel evaluate conditions in order, and the first matching condition triggers the associated action. If a broad condition (e.g., 'all incidents') is placed before a more specific condition (e.g., 'incident type equals Phishing'), the broad rule will match first and assign incorrectly, preventing the specific rule from ever running. Reordering conditions so that the most specific ones are evaluated first ensures correct assignment based on incident type.

Exam trap

Microsoft often tests the misconception that automation rules run in parallel or that all matching conditions are applied, when in fact they are evaluated sequentially and only the first match executes its action.

How to eliminate wrong answers

Option B is wrong because a playbook is not required for simple assignment; automation rules can directly set the owner (analyst) without invoking a playbook. Option C is wrong because Microsoft Entra ID (formerly Azure AD) does not have an 'incident assignment rule'—incident ownership is managed within Microsoft Sentinel, not via Entra ID configuration. Option D is wrong because the owner (analyst) does not need special permissions in Microsoft Sentinel to be assigned an incident; the automation rule itself runs with the system's permissions, and the assigned user only needs standard Sentinel reader/responder roles to interact with the incident.

1067
MCQ · hard

During a ransomware response in Microsoft Defender XDR, you identify that multiple devices are communicating with a known C2 server over port 443. You need to block this communication across all devices immediately. What is the most effective course of action?

A. Add the C2 server domain to the Microsoft Defender for Office 365 Tenant Allow/Block List
B. Create a firewall rule to block outbound traffic to the C2 server IP address
C. Create an indicator of compromise (IoC) in Microsoft Defender for Endpoint with action 'Alert and block'
D. Add the C2 server URL to the custom indicator list in Microsoft Defender for Cloud Apps
Answer: B

This blocks communication at the network level immediately.

Why this answer

Option B is correct because blocking the C2 IP at the firewall is immediate and network-wide. Option C is wrong because indicator actions in Defender for Endpoint apply only on onboarded endpoints and may not cover all devices. Option A is wrong because the Tenant Allow/Block List affects email filtering, not device network traffic.

Option D is wrong because a Defender for Cloud Apps indicator only blocks at the proxy level, not all traffic.

1068
MCQ · easy

A security analyst is investigating a phishing incident in Microsoft Defender XDR. The analyst wants to see the full email content and attachments. Where should the analyst look?

A. The incident timeline
B. The action center
C. The email entity page
D. The user entity page
Answer: C

The email entity page displays email details, including content and attachments.

Why this answer

Option C is correct because the email entity page in Microsoft Defender XDR provides detailed information about an email, including its content and attachments. Option D is wrong because the user entity page shows user information, not email content. Option A is wrong because the incident timeline shows events, not full email content.

Option B is wrong because the action center tracks response actions.

1069
MCQ · easy

A security administrator wants to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent enabled by default in Microsoft Defender for Cloud. Where should this configuration be set?

A. In the Azure portal under each virtual machine's 'Extensions + applications' blade
B. In Microsoft Defender for Cloud, under 'Environment settings' > 'Data collection'
C. In Microsoft Sentinel, under 'Data connectors' for Defender for Cloud
D. In Azure Policy, by assigning the 'Deploy Log Analytics agent' initiative
Answer: B

This is where you enable auto-provisioning for the Log Analytics agent across all subscriptions.

Why this answer

Option B is correct because the automatic provisioning of the Log Analytics agent for all Azure virtual machines in Defender for Cloud is configured under 'Environment settings' > 'Data collection'. This setting enables Defender for Cloud to automatically deploy the Log Analytics agent to new and existing VMs, ensuring security monitoring without manual intervention.

Exam trap

The trap here is that candidates often confuse the centralized 'Data collection' setting in Defender for Cloud with per-VM manual extension installation (Option A) or with Azure Policy assignments (Option D), not realizing that Defender for Cloud provides a built-in toggle to enable automatic provisioning across all VMs in a subscription.

How to eliminate wrong answers

Option A is wrong because the 'Extensions + applications' blade under each VM only allows manual installation of the Log Analytics agent on a per-VM basis, not a default, automated provisioning for all VMs. Option C is wrong because Microsoft Sentinel's 'Data connectors' for Defender for Cloud is used to ingest security alerts and events from Defender for Cloud into Sentinel, not to configure automatic agent provisioning. Option D is wrong because while Azure Policy can enforce agent deployment, the specific 'Deploy Log Analytics agent' initiative is a broader policy that can be assigned independently, but the question asks for the configuration location within Defender for Cloud itself, which is the 'Data collection' setting under 'Environment settings'.

1070
MCQ · medium

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a known malicious URL. The script was run on multiple workstations. Which Microsoft Defender XDR action should you take to contain the threat?

A. Run a full antivirus scan on all affected workstations.
B. Add the URL to the custom indicator list in Microsoft Defender XDR.
C. Initiate a device isolation on the affected workstations using Microsoft Defender for Endpoint.
D. Create a custom detection rule in Microsoft Sentinel.
Answer: C

Isolation stops the device from communicating with other devices, containing the threat.

Why this answer

Option C is correct because Microsoft Defender for Endpoint can isolate the affected devices to prevent further spread. Option A is wrong because an antivirus scan only removes the file and does not prevent re-infection. Option B is wrong because blocking the URL stops new downloads but does nothing about the already infected machines.

Option D is wrong because a detection rule detects; it does not contain.

1071
MCQ · medium

An organization uses Microsoft Sentinel with the Microsoft Defender for Cloud connector enabled. A security analyst receives an alert from Defender for Cloud about a potential brute-force attack on an Azure VM. The analyst wants to automatically create an incident in Sentinel and trigger a playbook that blocks the attacker's IP using a firewall. Which type of Sentinel automation rule should the analyst configure?

A. Analytics rule automation
B. Incident automation rule
C. Playbook trigger
D. Custom log ingestion
Answer: B

Incident automation rules run on incident creation or update and can trigger playbooks to respond to threats, such as blocking an IP.

Why this answer

Incident automation rules in Microsoft Sentinel allow you to automatically trigger a playbook when an incident is created or updated. Since the Defender for Cloud alert generates an incident in Sentinel, an incident automation rule can be configured to run a playbook that blocks the attacker's IP via a firewall, meeting the requirement without needing to modify the analytics rule itself.

Exam trap

The trap here is confusing 'analytics rule automation' with 'incident automation rule'—candidates often think the automation must be tied to the rule that generated the alert, but Sentinel separates alert generation (analytics rules) from incident-level actions (incident automation rules).

How to eliminate wrong answers

Option A is wrong because analytics rule automation is used to automatically run a playbook when an analytics rule generates an alert, not when an incident is created from an existing alert (like from Defender for Cloud). Option C is wrong because a playbook trigger is not a type of Sentinel automation rule; playbooks are triggered by automation rules or directly from incidents/alerts, but 'Playbook trigger' is not a valid rule type. Option D is wrong because custom log ingestion is a data collection method, not an automation rule, and cannot trigger playbooks based on incidents.

1072
MCQ · hard

Your organization uses Microsoft Defender XDR. A security administrator reports that a user's device is showing high severity alerts for 'Tampering with Microsoft Defender Antivirus' but the device is not isolated. You need to ensure that when such alerts occur, the device is automatically isolated in Microsoft Defender for Endpoint. What should you do?

A. Create an automation rule in Microsoft Sentinel
B. Create an endpoint detection and response policy in Microsoft Intune
C. Create a custom detection rule in Microsoft Defender XDR
D. Configure an attack surface reduction rule
Answer: C

Custom detections can trigger automatic actions like isolation.

Why this answer

Option C is correct because a custom detection rule in Microsoft Defender XDR can trigger an automatic response action such as device isolation whenever the rule matches. Option B is wrong because endpoint detection and response policies in Intune configure baseline settings, not automatic responses. Option D is wrong because attack surface reduction rules block behaviors; they are not a response action.

Option A is wrong because automation rules in Sentinel act on incidents and do not isolate devices directly.

1073
MCQ · medium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. What is the most appropriate first step?

A. Disable the user account.
B. Investigate the alert in the Microsoft 365 Defender portal.
C. Reset the user's password.
D. Reset the krbtgt account password.
Answer: B

Investigation helps determine if the alert is a true positive before taking action.

Why this answer

Option B is correct because the first step when receiving any security alert, including a suspicious Kerberos ticket request from Microsoft Defender for Identity, is to investigate the alert in the Microsoft 365 Defender portal. This portal provides the unified security operations console where you can view the full alert details, related entities, and the MITRE ATT&CK mapping to understand the scope and severity before taking any remediation actions. Prematurely disabling accounts or resetting passwords without investigation can destroy forensic evidence and potentially disrupt legitimate user activity.

Exam trap

The trap here is that candidates often jump to immediate remediation actions like disabling accounts or resetting passwords, forgetting that the first step in any incident response process (as per NIST 800-61 and Microsoft's own guidance) is always investigation and triage to confirm the alert and understand the attack context.

How to eliminate wrong answers

Option A is wrong because disabling the user account without investigation may be premature; the alert could be a false positive or part of a larger attack chain that requires analysis before containment. Option C is wrong because resetting the user's password does not address the root cause of a suspicious Kerberos ticket request, which may involve ticket forgery (e.g., Golden Ticket or Silver Ticket) or Kerberoasting, and password reset alone will not invalidate already issued tickets. Option D is wrong because resetting the krbtgt account password is a drastic, high-impact action that should only be performed as part of a structured response to a confirmed domain compromise (e.g., KRBTGT reset procedure), not as a first step for a single suspicious ticket alert.

1074
Multi-Selecthard

Your Microsoft Sentinel workspace ingests logs from multiple regions. You need to reduce data ingestion costs while ensuring that all security events are retained for at least one year for compliance. Which two actions should you take? (Choose two.)

Select 2 answers
A.Configure the table's plan to 'Analytics' for security events and set a retention policy of 90 days, then create an archive policy for up to 1 year.
B.Set the retention policy on the SecurityEvent table to 365 days.
C.Configure the diagnostic setting to send security logs to a separate low-cost storage account.
D.Use Basic Logs for the SecurityEvent table to reduce costs.
AnswersA, B

Analytics plan with archive is cost-effective for long retention.

Why this answer

Options A and B are correct. Option A reduces costs by archiving less frequently accessed data. Option B enables long-term retention beyond the default.

Option D is incorrect because Basic Logs are for debugging, not security events. Option C is incorrect because the diagnostic setting should be separate for security events.

1075
MCQeasy

Your SOC team uses Microsoft Sentinel incident management. They want to automatically assign high-severity incidents to a senior analyst and send a notification to Microsoft Teams. What should you use?

A.Create an automation rule that triggers on incident creation, assigns the incident, and runs a playbook to post to Teams.
B.Create a playbook and attach it directly to the analytics rule.
C.Create a watchlist to define assignment rules and configure a workbook for notifications.
D.Create an analytics rule with incident grouping and assignment.
AnswerA

Automation rules provide the necessary trigger and actions.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger on incident creation (e.g., when severity is 'High'), automatically assign the incident to a specific owner (senior analyst), and then invoke a playbook (Azure Logic App) to post a message to Microsoft Teams. This combines assignment logic with automated notification in a single, manageable rule.

Exam trap

The trap here is that candidates confuse analytics rules (which only generate alerts) with automation rules (which handle post-creation actions like assignment and playbook execution), leading them to incorrectly select option B or D.

How to eliminate wrong answers

Option B is wrong because playbooks cannot be attached directly to analytics rules; they must be invoked via automation rules or as part of an incident trigger. Option C is wrong because watchlists are used for reference data (e.g., IP addresses) and workbooks are for visualization, not for automated assignment or notification. Option D is wrong because analytics rules generate alerts and can group incidents, but they do not support assignment or notification actions; those require automation rules or playbooks.

1076
MCQeasy

Refer to the exhibit. An analyst runs the command to install the Azure Monitor Agent on a VM. What is the primary purpose of installing this agent in the context of security incident response?

A.To collect security events and performance data for analysis in Microsoft Sentinel.
B.To integrate the VM with Microsoft Defender for Cloud.
C.To scan the VM for vulnerabilities.
D.To enable real-time malware protection on the VM.
AnswerA

The agent collects data for SIEM.

Why this answer

Option A is correct because the Azure Monitor Agent collects logs and performance data, which can be used for security analysis. Option D is wrong because the agent does not block threats. Option B is wrong because Defender for Cloud is a separate service.

Option C is wrong because the agent is for data collection, not vulnerability scanning.

1077
Multi-Selectmedium

Which TWO conditions must be met to enable Microsoft Sentinel UEBA? (Choose two.)

Select 2 answers
A.Microsoft Entra ID P2 licenses must be assigned to users.
B.KQL queries must be created for entity behavior.
C.Microsoft Defender XDR must be onboarded.
D.The SecurityInsights solution must be installed in the workspace.
E.Azure SQL Database must be deployed.
AnswersA, D

Entra ID P2 provides identity protection and user entity data.

Why this answer

Microsoft Sentinel UEBA requires the SecurityInsights solution to be installed in the Log Analytics workspace, as this solution provides the UEBA data connectors and analytics rules. Additionally, Microsoft Entra ID P2 licenses are required because UEBA relies on the identity protection and risk detection capabilities that are only available with P2 licensing, enabling the enrichment of entity behavior profiles with risk data.

Exam trap

The trap here is that candidates often confuse enabling UEBA with simply having Sentinel deployed, overlooking the specific licensing requirement (Entra ID P2) and the need for the SecurityInsights solution to be installed, rather than assuming UEBA is automatically available with any Sentinel workspace.

1078
MCQhard

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel. The rule is enabled but does not assign incidents. What is the most likely issue?

A.The action 'AssignIncident' is not a supported automation rule action.
B.The condition 'Owner' property does not support 'Equals' operator.
C.The trigger type 'Microsoft.SecurityInsights/Incident' is incorrect.
D.The 'assignedTo' value should be a user principal name instead of an email alias.
AnswerA

Automation rules do not support direct assignment; assignment must be done via playbook.

Why this answer

Option A is correct because the action type 'AssignIncident' is not a valid automation rule action. Valid actions include 'RunPlaybook' and 'ChangeSeverity'. Option C is incorrect because the trigger type is valid.

Option B is incorrect because the conditions are valid. Option D is incorrect because the problem is the action itself, not the 'assignedTo' value.

1079
MCQhard

Your organization uses Microsoft Sentinel. You have a requirement to automatically add a tag to incidents that involve a specific user. The tag should be added when the incident is created. What should you configure?

A.Add the user to a watchlist and create a fusion rule.
B.Create an automation rule that triggers on incident creation and runs a playbook with the 'Add tag' action.
C.Modify the analytics rule to include a tag in the incident configuration.
D.Enable entity behavior analytics to automatically tag incidents.
AnswerB

Automation rules can run playbooks that add tags.

Why this answer

Option B is correct because an automation rule can run a playbook that adds a tag based on incident properties. Option A is wrong because watchlists are for enrichment, not tagging. Option C is wrong because analytics rules create alerts, not tags.

Option D is wrong because entity behavior analytics does not add tags.

1080
Multi-Selecteasy

Which TWO response actions are available in Microsoft Defender for Endpoint for a compromised device? (Choose two.)

Select 2 answers
A.Disable the user account
B.Run a full antivirus scan
C.Change the Windows Firewall rules
D.Isolate the device from the network
E.Reset the device to factory defaults
AnswersB, D

Full scan can be initiated from the Defender for Endpoint console.

Why this answer

Options B and D are correct because Defender for Endpoint supports running a full antivirus scan and isolating a device. Option E is wrong because resetting the device to factory defaults is not a standard response action. Option A is wrong because disabling the user account is an identity action, not a device action.

Option C is wrong because changing the firewall rules is not a predefined response action in Defender for Endpoint.

1081
MCQmedium

Refer to the exhibit. You are using this KQL query in a Microsoft Sentinel scheduled analytics rule to detect brute-force attacks. The rule has been running for a week but has never triggered an alert. What is the most likely reason?

A.The query uses a 24-hour lookback and the rule runs every 5 minutes, so it misses data.
B.The query syntax is incorrect.
C.The query uses 'summarize' which is not allowed in analytics rules.
D.The SecurityEvent table is not being populated because Windows event collection is not configured.
AnswerD

Without data, the query returns no results.

Why this answer

Option D is correct because the query filters EventID 4625 (failed logon) and groups by Account. If the data source (SecurityEvent) is not being ingested, the query returns no results. Option B is wrong because the query syntax is correct.

Option A is wrong because a 24-hour lookback is fine. Option C is wrong because the query is a simple aggregation using summarize, which is allowed.

1082
MCQhard

During a threat hunt, you identify a suspicious process execution chain in Microsoft Defender for Endpoint: `powershell.exe` spawned `cmd.exe` which then executed `rundll32.exe`. To investigate the parent-child relationships, which KQL statement should you use in Advanced Hunting?

A.DeviceProcessEvents | where FileName == "rundll32.exe" and InitiatingProcessFileName == "cmd.exe"
B.DeviceProcessEvents | where ProcessChain has_all ("powershell.exe", "cmd.exe", "rundll32.exe")
C.DeviceProcessEvents | summarize by ProcessChain
D.DeviceProcessEvents | where FileName == "powershell.exe" | join kind=inner DeviceProcessEvents on $left.DeviceId == $right.DeviceId
AnswerB

ProcessChain contains the full sequence of parent processes.

Why this answer

The `make_list` function can be used to build a process chain from `ProcessChain`, but the standard approach is to query `DeviceProcessEvents` and join on `InitiatingProcessFileName` and `FileName`; `scan` or `join` can also be used to reconstruct the chain. The best practice is to use the `ProcessChain` column if it is available, or `make_list` otherwise.

Option C is the most direct.

1083
MCQmedium

A security analyst in Microsoft 365 Defender is using advanced hunting to investigate a suspected data exfiltration. The analyst wants to find all outbound network connections from a specific device that occurred in the last hour, ordered by timestamp. Which table and KQL query should the analyst use?

A.DeviceNetworkEvents | where DeviceName == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
B.DeviceProcessEvents | where DeviceName == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
C.DeviceFileEvents | where DeviceName == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
D.EmailEvents | where SenderUpn == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
AnswerA

DeviceNetworkEvents logs network connections; the query filters to the device and last hour, ordering by time.

Why this answer

Option A is correct because the DeviceNetworkEvents table in Microsoft 365 Defender captures outbound network connections, including remote IP addresses and ports. The query filters for a specific device (DeviceName == 'deviceA'), limits results to the last hour using Timestamp > ago(1h), projects the relevant columns, and orders by Timestamp ascending to show the earliest connections first.

Exam trap

The trap here is that candidates may confuse the purpose of different Microsoft 365 Defender tables, mistakenly selecting DeviceProcessEvents or DeviceFileEvents for network-related queries because they associate processes or files with data exfiltration, rather than recognizing that network connections are stored exclusively in DeviceNetworkEvents.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation events, not network connections, and does not contain RemoteIP or RemotePort fields. Option C is wrong because DeviceFileEvents logs file creation, modification, and deletion events, not network connections, and lacks RemoteIP/RemotePort. Option D is wrong because EmailEvents tracks email messages, not device network connections, and uses SenderUpn (a user principal name) instead of DeviceName, making the filter invalid.

1084
MCQmedium

Your SOC team uses Microsoft Sentinel analytics rules. You need to ensure that a scheduled rule runs every hour, but only during business hours (8 AM to 6 PM). What configuration should you use?

A.Use a custom log with a logic app to only trigger the rule during business hours.
B.Configure the rule to run continuously with an alert threshold of 0.
C.Create two rules: one that runs every hour during business hours and another that runs but suppresses alerts outside business hours.
D.Set the rule to run every hour and use a KQL query to filter events outside business hours.
AnswerC

You can have a rule run continuously but use suppression or separate rules for time-based scheduling.

Why this answer

Option C is correct because Microsoft Sentinel scheduled analytics rules do not natively support time-based scheduling restrictions like 'only during business hours'. The recommended workaround is to create two separate rules: one that runs every hour during business hours to generate alerts, and another that runs every hour outside business hours but is configured to suppress alerts (e.g., by setting a low severity or using a suppression query). This ensures detection logic runs continuously while avoiding alert fatigue outside the desired window.

Exam trap

The trap here is that candidates assume a single rule can be configured with a time-based schedule filter, but Microsoft Sentinel does not support conditional scheduling; the only way to achieve time-restricted alerting is by using multiple rules with suppression logic.

How to eliminate wrong answers

Option A is wrong because using a custom log with a logic app to trigger the rule during business hours introduces unnecessary complexity and latency; Logic Apps are not designed to natively gate the execution of a scheduled analytics rule, and this approach would require custom orchestration that violates the principle of using built-in rule scheduling. Option B is wrong because configuring the rule to run continuously with an alert threshold of 0 does not restrict the rule to business hours; it would generate alerts for every query result at all times, which is the opposite of the requirement. Option D is wrong because setting the rule to run every hour and using a KQL query to filter events outside business hours would still execute the rule every hour, consuming resources and potentially generating suppressed alerts; KQL can filter results but cannot prevent the rule from running or generating alerts outside the intended time window.

1085
Multi-Selectmedium

An incident in Microsoft Sentinel involves multiple alerts indicating a potential data exfiltration via SharePoint Online. You need to respond and remediate. Which THREE actions should be taken?

Select 3 answers
A.Remove external sharing permissions on SharePoint sites.
B.Block the user account in Microsoft Entra ID.
C.Reset the user's password and enforce MFA.
D.Isolate the user's device using Microsoft Defender for Endpoint.
E.Create a custom detection rule for similar activity.
AnswersA, B, D

Prevents further data exfiltration via sharing.

Why this answer

Blocking the user in Microsoft Entra ID (B) stops further access. Removing external sharing (A) prevents further data leaks. Isolating the user's device (D) is a containment step.

Changing passwords (C) is less immediate than blocking. Creating a custom detection rule (E) is a detection measure, not containment.

1086
MCQeasy

A threat hunter wants to identify potential command and control (C2) communication by looking for DNS queries to domains with a high entropy and short TTL. Which advanced hunting query in Microsoft Defender XDR should be used?

A.DeviceNetworkEvents
B.AlertInfo
C.IdentityLogonEvents
D.EmailEvents
AnswerA

DeviceNetworkEvents includes DNS queries and responses, including domain name and TTL.

Why this answer

Option A is correct because DeviceNetworkEvents includes DNS queries. Option C is wrong because IdentityLogonEvents is for logons. Option D is wrong because EmailEvents is for email.

Option B is wrong because AlertInfo does not contain DNS details.

1087
MCQhard

A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have an Azure subscription with many VMs that are all protected by Defender for Servers. The security team wants to identify VMs that have not had a vulnerability assessment scan in the last 7 days. The integrated vulnerability assessment (Microsoft Defender Vulnerability Management) is enabled. Which KQL query in Azure Resource Graph or Log Analytics can achieve this?

A.securityresources | where type == 'microsoft.security/assessments' | summarize arg_max(properties.status.severity, properties.timeGenerated) by id
B.securityresources | where type == 'microsoft.security/assessments' and properties.displayName == 'Vulnerability assessment solution should be enabled on your virtual machines' and properties.status.code == 'Healthy' | project id, properties.timeGenerated | where properties.timeGenerated < ago(7d)
C.resources | where type == 'microsoft.compute/virtualmachines' | join kind=leftouter (securityresources) on $left.id == $right.id
D.operationalinsights | where TimeGenerated < ago(7d)
AnswerB

This assessment shows 'Healthy' when the VA solution is installed and running, and includes a timeGenerated indicating last scan. Filtering for older than 7 days identifies VMs not recently scanned.

Why this answer

Option B is correct because it queries the 'securityresources' table in Azure Resource Graph for assessments where the display name matches 'Vulnerability assessment solution should be enabled on your virtual machines' and the status code is 'Healthy'. A 'Healthy' status indicates the assessment passed, meaning a scan occurred within the configured period. By filtering for 'properties.timeGenerated < ago(7d)', it identifies VMs where the last scan was more than 7 days ago, directly meeting the requirement.

Exam trap

The trap here is that candidates often confuse the 'Healthy' status as indicating a good state (scanned recently) and forget to apply the time filter 'ago(7d)', or they incorrectly use 'Unhealthy' thinking it means no scan, when in fact 'Unhealthy' means the assessment failed or is missing, which would include VMs that never had a scan at all, not just those not scanned in 7 days.

How to eliminate wrong answers

Option A is wrong because it uses 'summarize arg_max(properties.status.severity, properties.timeGenerated) by id', which returns the most recent assessment by severity, not specifically the vulnerability assessment scan status, and does not filter for the required 7-day window. Option C is wrong because it performs a left outer join between 'resources' (all Azure resources) and 'securityresources', which would return all VMs regardless of scan status, and lacks any filter for vulnerability assessments or time constraints. Option D is wrong because 'operationalinsights' is not a valid table in Azure Resource Graph; the correct table for Log Analytics workspace data is 'Usage' or 'Heartbeat' in Log Analytics, and the query does not reference vulnerability assessments or VMs.

1088
MCQhard

You are analyzing the KQL query above in Microsoft Sentinel. The query is designed to find devices with high outbound SMB (port 445) connections to suspicious public IPs. However, the query returns no results. What is the most likely issue?

A.Port 445 is not used for SMB.
B.The column RemoteIPType does not exist in DeviceNetworkEvents.
C.The materialize function is not allowed in this context.
D.The syntax for the second query is incorrect.
AnswerB

The column 'RemoteIPType' may not exist in DeviceNetworkEvents; typical columns are 'RemoteIP', 'RemotePort', and so on. This likely causes the where clause to fail.

Why this answer

Option B is correct because RemoteIPType is not a standard column in DeviceNetworkEvents; the column might be spelled differently or not exist, causing the filter to exclude all rows. Option C is incorrect because materialize is used correctly. Option D is incorrect because the syntax is valid.

Option A is incorrect because port 445 is standard SMB.

1089
MCQhard

A threat hunter suspects a data exfiltration attempt via DNS tunneling. Which KQL query would best detect unusual DNS query patterns in Microsoft Sentinel?

A.DnsEvents | summarize count() by ClientIP, Subdomain | where count_ > 100
B.DnsEvents | where ResponseSize > 1000
C.DnsEvents | where ResultCode != 0
D.DnsEvents | where QueryType == 'A'
AnswerA

High count of queries to the same IP with many subdomains suggests tunneling.

Why this answer

To detect DNS tunneling, you need to look for a high volume of queries to many unique domains or subdomains. Option B looks for large response sizes (not typical for tunneling). Option C looks for failed queries.

Option D is too broad. Option A (queries with many unique subdomains) is a classic sign of DNS tunneling.

1090
Multi-Selecteasy

Which TWO are valid incident classification categories in Microsoft Sentinel? (Select TWO.)

Select 2 answers
A.False Positive
B.Malicious
C.Informational
D.True Positive
E.Benign Positive
AnswersD, E

True Positive is a standard classification.

Why this answer

Option D is correct because True Positive is a valid classification. Option E is correct because Benign Positive is also a valid classification. Option A (False Positive) is also a valid classification, but the question asks for exactly two correct answers.

According to Microsoft Sentinel incident classification, True Positive, False Positive, and Benign Positive are common. Because the question asks for TWO, the intended answers here are True Positive and Benign Positive. Option B is wrong because Malicious is not a standard classification.

Option C is wrong because Informational is not a classification.

1091
Multi-Selecthard

Which THREE are valid components of a Microsoft Sentinel automation rule?

Select 3 answers
A.Actions (e.g., Run playbook, Change severity)
B.Watchlist
C.KQL query
D.Conditions (e.g., If severity equals Medium)
E.Trigger (e.g., When incident is created)
AnswersA, D, E

Actions define what happens when conditions are met.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to define actions such as running a playbook or changing the severity of an incident. These actions are executed automatically when the rule's trigger and conditions are met, enabling streamlined incident response without manual intervention.

Exam trap

The trap here is that candidates often confuse the components of an automation rule with those of an analytics rule, mistakenly selecting KQL queries or watchlists as valid automation rule components.

1092
MCQeasy

You are a SOC analyst using Microsoft Sentinel. You receive an incident with high severity. You need to quickly gather additional context about the affected user account, including recent sign-in logs and role assignments. Which feature should you use?

A.Sentinel Workbooks
B.Analytics rules
C.Entity pages
D.Hunting queries
AnswerC

Entity pages show timeline, related alerts, and details for users, hosts, etc.

Why this answer

Option C is correct because Entity pages in Sentinel provide contextual information about entities. Option A is wrong because Workbooks are for custom reporting. Option D is wrong because Hunting queries are for proactive threat hunting.

Option B is wrong because Analytics rules create incidents.

1093
MCQmedium

A security analyst in Microsoft 365 Defender uses advanced hunting to detect possible credential theft. They want to find instances where a user signed in from an IP address that is not in their organization's known IP range. Which table should they query to get sign-in location and IP address?

A.DeviceLogonEvents
B.IdentityLogonEvents
C.EmailEvents
D.AlertInfo
AnswerB

IdentityLogonEvents captures cloud and on-premises identity authentication attempts, including the source IP address and user details.

Why this answer

IdentityLogonEvents is the correct table because it contains cloud identity logon data from Microsoft Entra ID (formerly Azure AD), including sign-in location, IP address, and user details. This table is specifically designed for hunting authentication-related events like credential theft, where you need to correlate user sign-ins with IP addresses to detect anomalies against known IP ranges.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (local device logs) with IdentityLogonEvents (cloud identity logs), failing to recognize that credential theft via cloud sign-ins requires cloud authentication data, not local OS event logs.

How to eliminate wrong answers

Option A is wrong because DeviceLogonEvents captures local device logon events (e.g., Windows security events like Event ID 4624) and does not include cloud sign-in IP addresses or location data from Microsoft Entra ID. Option C is wrong because EmailEvents focuses on email-related events (e.g., delivery, phishing) and does not contain sign-in location or IP address data. Option D is wrong because AlertInfo provides metadata about alerts (e.g., severity, title) but does not contain raw sign-in logs with IP addresses or location information.

1094
MCQeasy

A security analyst is investigating a malware outbreak and needs to find all devices where a specific malicious file with a known SHA1 hash has been observed in the last 24 hours. Which Advanced Hunting table in Microsoft 365 Defender should be the primary source for this query?

A.DeviceFileEvents
B.EmailAttachmentInfo
C.DeviceProcessEvents
D.DeviceNetworkEvents
AnswerA

Correct. DeviceFileEvents records file creation and modification events with SHA1 hashes, making it suitable for finding devices with a specific file hash.

Why this answer

DeviceFileEvents is the correct table because it specifically records file creation, modification, and deletion events on endpoints, including the SHA1 hash of files. To find all devices where a specific malicious file with a known SHA1 hash has been observed, this table provides the direct file-level telemetry needed for the query.

Exam trap

The trap here is that candidates may confuse file observation with process execution or network activity, leading them to choose DeviceProcessEvents or DeviceNetworkEvents, but DeviceFileEvents is the only table that directly records the presence of a file by its hash on a device.

How to eliminate wrong answers

Option B is wrong because EmailAttachmentInfo tracks email attachments and their metadata, but it does not record file events on devices after the attachment is opened or saved, so it cannot show where the file was observed on endpoints. Option C is wrong because DeviceProcessEvents logs process creation events, not file events; while a malicious file might be executed as a process, the table does not directly record the SHA1 hash of the file itself unless it is the process image. Option D is wrong because DeviceNetworkEvents logs network connections and traffic, not file-level events, so it cannot be used to find devices where a specific file was observed.

1095
MCQmedium

Your organization has Microsoft Defender for Office 365. You need to review a user's reported phishing email in Microsoft Defender XDR. Which section of the Microsoft Defender portal should you check?

A.Submissions
B.Threat Explorer
C.Alerts
D.Action center
AnswerA

The Submissions page in Microsoft Defender XDR shows user-reported messages.

Why this answer

Option A is correct because user-reported messages are in the Submissions page. Option B is wrong because Threat Explorer is for hunting, not user reports. Option D is wrong because Action center shows remediation actions.

Option C is wrong because Alerts shows alerts, not submissions.

1096
MCQeasy

During an incident response, you need to collect forensic data from a compromised Linux server that is not managed by Microsoft Defender for Endpoint. You plan to use a manual collection script. Which tool should you use to securely upload the collected data to Azure for analysis?

A.Azure CLI to upload the data to an Azure Files share.
B.AzCopy to upload the data to Azure Blob Storage.
C.PowerShell to send the data to Log Analytics workspace.
D.The Log Analytics agent to forward the data.
AnswerB

AzCopy is a command-line tool for uploading files to Azure Storage.

Why this answer

Option B is correct because AzCopy can securely upload files to Azure Blob Storage. Option C is wrong because PowerShell is not natively available on Linux. Option A is wrong because Azure CLI requires installation.

Option D is wrong because Log Analytics agent sends data to Log Analytics, not arbitrary files.

1097
MCQeasy

A security analyst in Microsoft Sentinel wants to create a custom analytics rule that triggers when more than 10 failed logon attempts from a single source IP address occur within 5 minutes. The analyst writes a KQL query to aggregate sign-in logs. Which KQL operator should the analyst use to group events by source IP and count each failure?

A.extend
B.project
C.summarize
D.where
AnswerC

summarize groups rows by specified columns and applies aggregation functions like count(), making it the correct operator for this use case.

Why this answer

The `summarize` operator is correct because it groups rows by a specified key (source IP) and applies an aggregation function (like `count()`) to produce a single output row per group. In this scenario, the analyst needs to count failed logon attempts per source IP, which requires grouping and counting—exactly what `summarize` does.

Exam trap

The trap here is that candidates often confuse `extend` or `project` with aggregation, thinking they can count events by adding a column, but only `summarize` performs the required grouping and counting operation.

How to eliminate wrong answers

Option A is wrong because `extend` adds a new calculated column to each row but does not group or aggregate data; it would not produce a count per IP. Option B is wrong because `project` selects or reorders columns without any aggregation or grouping; it cannot count events. Option D is wrong because `where` filters rows based on a condition but does not group or aggregate; it would only reduce the dataset without producing counts per IP.

1098
MCQeasy

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team wants to identify which VMs have missing system updates such as critical security patches. Which Defender for Cloud feature should they use?

A.Adaptive application controls
B.Just-in-time VM access
C.Vulnerability assessment
D.File integrity monitoring
AnswerC

Vulnerability assessment scans VMs for known vulnerabilities, including missing security updates and misconfigurations, making it the correct choice.

Why this answer

Vulnerability assessment in Microsoft Defender for Cloud scans Azure VMs for missing system updates, including critical security patches, by integrating with built-in or partner vulnerability scanners (e.g., Qualys). This feature provides a continuous assessment of OS and application vulnerabilities, directly addressing the need to identify VMs with missing patches.

Exam trap

The trap here is confusing vulnerability assessment (which identifies missing patches and misconfigurations) with adaptive application controls (which restricts application execution) or file integrity monitoring (which detects file changes), leading candidates to pick a feature that addresses a different security control objective.

How to eliminate wrong answers

Option A is wrong because Adaptive application controls use machine learning to define allowlists for applications running on VMs, focusing on controlling which executables can run, not on identifying missing system updates. Option B is wrong because Just-in-time VM access reduces the attack surface by managing inbound network access to VMs on specific ports, but it does not scan for missing patches or vulnerabilities. Option D is wrong because File integrity monitoring tracks changes to critical system files and registry keys, alerting on unauthorized modifications, but it does not assess the state of system updates or patch levels.

1099
Multi-Selectmedium

Which THREE actions can be performed by automation rules in Microsoft Sentinel?

Select 3 answers
A.Modify a data connector to ingest more logs
B.Create a new analytics rule
C.Assign an incident to a specific owner
D.Run a playbook on an incident
E.Add a tag to an incident
AnswersC, D, E

Automation rules have 'Assign owner', 'Run playbook' and 'Add tags' actions.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can automatically assign incidents to a specific owner based on conditions such as severity, entity type, or custom criteria. Options D and E are correct for the same reason: 'Run playbook' and 'Add tags' are built-in automation rule actions, alongside changing status and severity. Together they let the SOC route and label incidents without manual intervention. Automation rules act on incidents (and, with the alert trigger, on alerts) after ingestion; they have no actions that touch data connectors or analytics rules.

Exam trap

The trap here is that candidates may confuse automation rules with analytics rules or data connectors, assuming automation rules can modify data sources or create detection logic, when in fact automation rules are limited to post-ingestion incident management actions.

1100
Multi-Selectmedium

Which TWO actions are part of managing a security operations environment in Microsoft Sentinel? (Select two.)

Select 2 answers
A.Configuring physical access controls to the data center
B.Installing the Azure Monitor Agent on servers
C.Creating automation rules to triage incidents
D.Configuring data retention policies for Log Analytics workspaces
E.Creating Microsoft Purview sensitivity labels
AnswersC, D

Automation rules manage incident response workflows.

Why this answer

Managing a security operations environment in Microsoft Sentinel includes configuring automation (Option C) and administering the Log Analytics workspace, such as its data retention (Option D). Option A is physical security, which is outside Sentinel. Option B is a data collection task (onboarding a source), not environment management. Option E is a Microsoft Purview compliance task, not a Sentinel one.

1101
Multi-Selecteasy

Which TWO permissions are required to configure a data connector in Microsoft Sentinel?

Select 2 answers
A.Log Analytics Contributor
B.Microsoft Sentinel Reader
C.Global Administrator
D.Security Admin
E.Microsoft Sentinel Contributor
AnswersA, E

Contributor can modify workspace settings needed for connectors.

Why this answer

To configure a data connector you need the Microsoft Sentinel Contributor role to manage Sentinel resources and the Log Analytics Contributor role to write to the workspace, so Options A and E are correct. Option B (Microsoft Sentinel Reader) is read-only and insufficient. Options C and D (Global Administrator and Security Admin) are Microsoft Entra directory roles, not workspace roles; a few source-specific connectors (for example the Microsoft Entra ID connector) additionally require one of them on the source tenant, but they are not the workspace permissions the question asks about.

1102
MCQeasy

A threat hunter wants to correlate alerts from multiple Microsoft security products in Microsoft Sentinel. Which feature should be used to create a unified incident?

A.Threat Intelligence
B.Jupyter Notebooks
C.Analytics Rules
D.Investigation Graph
AnswerC

Analytics rules can create incidents from alerts, correlating multiple signals.

Why this answer

Option C is correct because analytics rules (including the Microsoft incident creation rules) turn alerts from connected Microsoft products into Sentinel incidents and group related alerts into one incident. Option A is wrong because threat intelligence supplies indicators for matching, not incident creation. Option B is wrong because notebooks are for interactive investigation and hunting. Option D is wrong because the investigation graph visualizes an existing incident; it does not create one.

1103
Drag & Dropmedium

Arrange the steps to run a Microsoft 365 Defender advanced hunting query and create a custom detection rule from it.


Why this order

After running a query in Advanced hunting, you can create a detection rule directly from the results to alert on future matches.

1104
Multi-Selecteasy

Which TWO Microsoft Sentinel features allow you to organize and prioritize incidents for better triage?

Select 2 answers
A.Entity mapping in analytics rules.
B.Automation rules with incident creation triggers.
C.Workbooks for dashboard reporting.
D.Incident assignment to analysts.
E.Incident classification and tagging.
AnswersD, E

Assignment and classification help in triage.

Why this answer

Options D and E are correct: assigning an incident to an analyst and applying a classification (and tags) are the incident properties the SOC uses to sort and prioritize the queue. Option A is wrong because entity mapping defines which query fields become entities in a rule; it does not organize incidents. Option B is wrong because automation rules are the mechanism that can apply assignment or tags, not the triage attribute itself. Option C is wrong because workbooks are for visualization and reporting.

1105
MCQmedium

Your organization uses Microsoft Defender for Cloud to protect Azure resources. A security alert indicates that a virtual machine (VM) is communicating with a known malicious IP. The analyst needs to isolate the VM from the network to prevent further data exfiltration. What should the analyst do?

A.Use Azure Bastion to connect to the VM and shut it down.
B.Use Azure Monitor to create an alert and then manually stop the VM.
C.Create an Azure Firewall rule to block traffic to the malicious IP.
D.Apply a Just-in-time VM access policy in Microsoft Defender for Cloud to deny all inbound and outbound traffic.
AnswerD

Of the options given, JIT is the Defender for Cloud feature that writes NSG rules for the VM.

Why this answer

Option D is correct because Defender for Cloud's Just-in-time VM access writes network security group (NSG) rules for the VM, so of the listed options it is the one that restricts the VM's traffic at the NSG level. In practice JIT manages only inbound rules (it denies the management ports until access is requested); blocking outbound traffic to the malicious IP needs an explicit outbound NSG deny rule, and if the VM is onboarded to Defender for Endpoint, device isolation is the cleaner containment action. Option A is wrong because Azure Bastion provides RDP/SSH access, not isolation. Option B is wrong because Azure Monitor alerts do not isolate VMs. Option C is wrong because Azure Firewall rules apply to the whole virtual network, not a single VM.

1106
MCQhard

You are investigating a lateral movement incident in Microsoft Defender for Endpoint. The timeline shows that a user's credentials were used from a compromised workstation to access a sensitive server. Which action should you take to contain the incident?

A.Disable the sensitive server's network account.
B.Isolate the compromised workstation only.
C.Block all network traffic from the compromised workstation to the server.
D.Reset the compromised user's password and revoke all active sessions.
AnswerD

This invalidates the stolen credentials and stops lateral movement regardless of source.

Why this answer

Resetting the compromised user's password and revoking sessions is the most effective way to stop lateral movement because it invalidates the stolen credentials wherever they are being used. Isolating the workstation (Option B) is a necessary step but does not stop the credentials from being reused from elsewhere. Disabling the server's account (Option A) disrupts the server's own operations without addressing the stolen credential. Blocking traffic from one workstation to the server (Option C) covers only one path and may not be feasible.

1107
Multi-Selectmedium

Which TWO actions can you perform in Microsoft Defender XDR as part of incident response?

Select 2 answers
A.Create a Microsoft Sentinel workbook
B.Modify a Microsoft Entra ID conditional access policy
C.Run a KQL query in Azure Data Explorer
D.Collect an investigation package from a device
E.Isolate a device from the network
AnswersD, E

Both are device response actions available from the device page in the Microsoft Defender portal: 'Collect investigation package' gathers forensic artifacts (running processes, autoruns, network connections, prefetch files and similar) and 'Isolate device' cuts the device off from the network while keeping the Defender for Endpoint channel open. Option A is a Microsoft Sentinel task, Option B is Microsoft Entra ID administration, and Option C is Azure Data Explorer; none of these are Defender XDR response actions.

1108
MCQeasy

Your company uses Microsoft Defender for Office 365. You want to automatically take action on malicious emails that bypass the filter. What should you configure?

A.Enable anti-phishing policy.
B.Enable Safe Attachments policy.
C.Create a transport rule in Exchange.
D.Configure automated investigation and response (AIR) policies.
AnswerD

AIR automatically remediates threats like malicious emails.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender for Office 365 is the capability that investigates malicious emails after delivery, when they have already bypassed the initial filters. An investigation is triggered by an alert (for example a user reporting a message, or a post-delivery removal of malware or phishing URLs), follows a playbook to find the message and related copies, and proposes remediation such as soft-deleting or moving the emails. Note that in Defender for Office 365 the proposed actions wait for approval in the Action center rather than executing on their own: AIR removes the manual investigation work, and an analyst approves the remediation.

Exam trap

The trap here is that candidates often confuse pre-delivery protection policies (like anti-phishing or Safe Attachments) with post-delivery automated response capabilities, assuming any security policy can automatically act on bypassed emails, but only AIR provides the automated investigation and remediation workflow for threats that have already evaded initial filters.

How to eliminate wrong answers

Option A is wrong because anti-phishing policies in Defender for Office 365 are preventive controls that block phishing attempts at the point of delivery, not reactive actions for emails that have already bypassed filters. Option B is wrong because Safe Attachments policies scan attachments in email in real-time to block malicious files, but they do not automatically take action on emails that have already bypassed the filter—they are a pre-delivery protection mechanism. Option C is wrong because transport rules in Exchange (mail flow rules) are used for custom routing, compliance, or filtering based on conditions, but they are not designed to automatically investigate and remediate malicious emails that bypassed Defender filters; they lack the automated investigation and response capabilities of AIR.

1109
MCQeasy

You are working on a security incident in Microsoft Sentinel where you need to contain a compromised virtual machine. What is the most immediate containment action?

A.Isolate the VM by applying a network security group (NSG) rule
B.Apply the latest security patches to the VM
C.Run a full antivirus scan on the VM
D.Take a snapshot of the VM for forensic analysis
AnswerA

Immediate network containment.

Why this answer

Option A is correct because isolating the VM at the network layer stops further lateral movement and command-and-control traffic immediately. Option B is wrong because patching is remediation, not immediate containment. Option C is wrong because an antivirus scan takes time and does not stop the VM from communicating while it runs. Option D is wrong because a snapshot preserves evidence for forensics but contains nothing; take it after (or while) the VM is isolated.

1110
MCQhard

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect sign-ins from IP addresses that are not in the organization's known allow list. The allow list is maintained in a custom watchlist named 'AllowedIPs'. The analyst wants the KQL query to efficiently filter out allowed IPs. Which KQL approach should the analyst use?

A.Use the 'lookup' operator to map IPs against the watchlist.
B.Use a 'let' statement to define a static list of allowed IPs.
C.Use the _GetWatchlist('AllowedIPs') function and filter with the '!in' operator.
D.Use the 'evaluate' operator with a python script.
AnswerC

The _GetWatchlist function retrieves the watchlist content, and the '!in' operator efficiently excludes matching IPs from the results.

Why this answer

Option C is correct because the _GetWatchlist('AllowedIPs') function retrieves the watchlist content at query runtime, and combining it with the '!in' operator efficiently filters out sign-ins from IPs present in the watchlist. This approach is dynamic, meaning updates to the watchlist are automatically reflected without modifying the query, and it avoids hardcoding IPs or using inefficient row-by-row lookups.

Exam trap

The trap here is that candidates often confuse the 'lookup' operator with filtering, or assume a static 'let' statement is acceptable, failing to recognize that watchlists are designed for dynamic, centrally managed data that must be referenced at query runtime.

How to eliminate wrong answers

Option A is wrong because the 'lookup' operator is designed to extend a table with columns from another table based on matching keys, not to filter rows; using it here would be semantically incorrect and less efficient than a simple '!in' filter. Option B is wrong because a 'let' statement with a static list would require manual updates whenever the allow list changes, defeating the purpose of a dynamic watchlist and introducing maintenance overhead. Option D is wrong because the 'evaluate' operator with a python script is overkill for a simple IP filtering task, introduces unnecessary complexity and performance overhead, and is not the recommended pattern for watchlist-based filtering in Sentinel.
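The pattern Option C describes, written out as a scheduled-rule query. This is an added example, not part of the original question bank; it assumes the 'AllowedIPs' watchlist was uploaded with a column named IPAddress holding one host address per row, and the one-hour lookback and the summarize columns are illustrative choices.

```kql
// Added example, not part of the original question bank. A scheduled analytics
// rule query that reports successful sign-ins from IPs NOT in the AllowedIPs
// watchlist. Assumption: the watchlist was uploaded with a column named
// IPAddress containing one host address per row; rename it to match your upload.
let AllowedIPs = _GetWatchlist('AllowedIPs')
    | project IPAddress = tostring(IPAddress);
SigninLogs
| where TimeGenerated > ago(1h)              // match the rule's lookback period
| where ResultType == "0"                    // successes only; failures belong in a separate rule
| where isnotempty(IPAddress)
| where IPAddress !in (AllowedIPs)           // the watchlist is re-read on every run; no query edits needed
| summarize
    SignInCount = count(),
    Apps        = make_set(AppDisplayName, 10),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName, IPAddress, Country = tostring(LocationDetails.countryOrRegion)
| order by SignInCount desc
```

Two practical caveats. `!in` is a string comparison, so if the watchlist holds CIDR ranges rather than host addresses, test membership with `ipv4_is_in_any_range()` against the range list instead. And when you need the matching watchlist row's other columns (owner, description), or the list is very large, a `join kind=leftanti` (to exclude) or `kind=leftouter` (to enrich) on IPAddress is the better shape; `lookup` would also work for enrichment but, as the explanation above notes, it is not a filter.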

1111
MCQeasy

Your organization uses Microsoft Sentinel. You receive an incident for a potential malware outbreak. You need to quickly see which entities are involved (e.g., IPs, hosts, accounts). Where should you look?

A.Incident timeline
B.Comments section
C.Entities tab
D.Alerts tab
AnswerC

Entities tab shows all related entities in the incident.

Why this answer

Option C is correct because the Entities tab of an incident lists every account, host, IP address and other entity mapped from the incident's alerts. Option A (Timeline) shows the alerts and bookmarks over time. Option B (Comments) is for analyst collaboration. Option D (Alerts) lists the individual alerts, from which entities would have to be read one by one.

1112
MCQhard

Refer to the exhibit. You are reviewing an automation rule configuration in Microsoft Sentinel. Based on the JSON snippet, what will happen when a high-severity incident is created?

A.The rule will run a playbook when a high-severity incident is created
B.The rule will change the severity of the incident to Medium
C.The rule will assign the incident to the SOC manager
D.The rule will run the playbook when a new alert is created
AnswerA

The trigger condition is on incident creation with severity equals High, and action is RunPlaybook.

Why this answer

Option A is correct because the automation rule's trigger condition is set to 'When incident is created' and the condition filters for incidents with a severity of 'High'. When a high-severity incident is created, the rule will execute the associated playbook, which is a common use case for automated response in Microsoft Sentinel.

Exam trap

The trap here is that candidates may confuse the incident creation trigger with alert creation trigger, or assume that any rule with a condition automatically modifies the incident properties like severity or assignment, when in fact the rule only executes the defined actions (playbook) based on the condition.

How to eliminate wrong answers

Option B is wrong because the JSON snippet does not include any action to change the severity of the incident; it only triggers a playbook. Option C is wrong because there is no assignment action configured in the rule; the rule only runs a playbook, not reassigns ownership. Option D is wrong because the trigger is set to 'When incident is created', not 'When alert is created'; alerts are separate entities that can be correlated into incidents, but the rule specifically acts on incident creation.

1113
MCQeasy

You need to ensure that Microsoft Sentinel can access threat intelligence feeds from external sources like AlienVault OTX. Which data connector should you use?

A.Microsoft 365 Defender data connector
B.Microsoft Entra ID data connector
C.Amazon Web Services data connector
D.Threat Intelligence - TAXII data connector
AnswerD

Connects to TAXII feeds like AlienVault OTX.

Why this answer

The Threat Intelligence - TAXII data connector is the correct choice because it enables Microsoft Sentinel to ingest threat intelligence feeds from external sources that support the TAXII (Trusted Automated eXchange of Indicator Information) protocol, such as AlienVault OTX. This connector uses the STIX (Structured Threat Information Expression) standard to pull indicators of compromise (IOCs) like IP addresses, domains, and hashes directly into Sentinel for correlation and alerting.

Exam trap

The trap here is that candidates may confuse the 'Threat Intelligence - TAXII' connector with other data connectors that also deal with external data (like AWS or Microsoft 365), but only the TAXII connector is specifically designed to ingest structured threat intelligence feeds using the STIX/TAXII standard.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Defender data connector ingests alerts and incidents from Microsoft 365 Defender (e.g., Defender for Endpoint, Defender for Office 365), not external threat intelligence feeds like AlienVault OTX. Option B is wrong because the Microsoft Entra ID data connector (formerly Azure AD) ingests sign-in logs and audit logs for identity-related security events, not threat intelligence feeds. Option C is wrong because the Amazon Web Services data connector ingests AWS CloudTrail and other AWS service logs, not external threat intelligence feeds.

1114
MCQmedium

During a threat hunt, you notice an anomalous number of failed logon attempts from a single IP address across multiple user accounts in Microsoft Entra ID sign-in logs. What is the most effective next step to determine if this is a brute-force attack?

A.Immediately block the IP address in the firewall
B.Reset passwords for all affected accounts
C.Disable the accounts that had failed logons
D.Correlate with successful logon events from the same IP for those accounts
AnswerD

A successful logon after many failures strongly indicates a brute-force attack.

Why this answer

Option D is correct because correlating the failed logons with successful ones from the same IP for those accounts shows whether the attacker eventually got in, which is the evidence that separates a brute-force attack from noise. Option A is incorrect because blocking the IP before the activity is understood may be premature (and the attacker simply moves to another IP). Option B is incorrect because resetting passwords does not establish whether an attack occurred or identify its source. Option C is incorrect because disabling the accounts may lock out legitimate users; it is a containment step, not a determination step.

1115
MCQmedium

A SOC team wants to automatically run a playbook that retrieves threat intelligence details whenever a high-severity incident is created in Microsoft Sentinel. Which type of automation should they configure?

A.Automation rule with incident trigger
B.Automation rule with alert trigger
C.Playbook with manual trigger
D.Logic app with recurrence
AnswerA

Incident trigger automation rules execute playbooks when an incident is created, matching the requirement.

Why this answer

Automation rules in Microsoft Sentinel can be configured with an incident trigger to automatically run playbooks when incidents are created or updated. Since the requirement is to run a playbook on high-severity incidents, an automation rule with an incident trigger allows you to filter by severity (e.g., High) and invoke the playbook without manual intervention.

Exam trap

The trap here is confusing the incident trigger with the alert trigger; candidates often select alert trigger because they think alerts are the primary event, but incidents are the higher-level object that SOC teams triage, and the question explicitly says 'incident is created'.

How to eliminate wrong answers

Option B is wrong because an automation rule with an alert trigger runs when an alert is generated, not when an incident is created; incidents aggregate alerts, so this would not meet the requirement to act on incident creation. Option C is wrong because a playbook with a manual trigger requires a human to run it, which contradicts the 'automatically' requirement. Option D is wrong because a Logic App with a recurrence trigger runs on a schedule (e.g., every hour) and cannot respond to real-time incident creation events in Sentinel.

1116
MCQeasy

During a threat hunt, an analyst notices multiple failed logon events from a single user account across different workstations within a short time window. Which hunting technique is most appropriate to detect potential lateral movement?

A.Search for multiple instances of special privileges assigned to new logon (Event ID 4672).
B.Search for large outbound RDP connections from a single host.
C.Search for failed logon events (Event ID 4625) followed by successful logon (Event ID 4624) from the same account on different machines.
D.Search for creation of new user accounts (Event ID 4720).
AnswerC

This pattern indicates an attacker trying to move laterally after obtaining credentials.

Why this answer

Option C is correct because failed logons (Event ID 4625) followed by a successful logon (Event ID 4624) for the same account on different machines is the footprint of an attacker trying credentials host by host. Option A is wrong because Event ID 4672 shows special privileges being assigned at logon, which points at privilege use rather than movement between hosts. Option B is wrong because large outbound RDP connections suggest data transfer or exfiltration rather than the logon pattern described. Option D is wrong because Event ID 4720 records account creation, which is persistence, not lateral movement.

1117
MCQhard

The KQL query above is used in a Microsoft Sentinel analytics rule. What is the purpose of this rule?

A.Detect when a disabled user account attempts to sign in.
B.Identify users who have been disabled due to inactivity.
C.Detect brute force attempts against disabled user accounts.
D.Monitor sign-in attempts from suspicious IP addresses.
AnswerC

The threshold on count per IP and the condition on disabled accounts makes this a brute force detection for disabled accounts.

Why this answer

The query looks for sign-in failures (ResultType 50057) for disabled accounts (AccountEnabled == false) from the same IP exceeding a threshold. This indicates potential brute force attacks against disabled accounts, which could be a sign of reconnaissance or credential stuffing.

1118
MCQhard

During an incident, you need to prevent a malicious process from running on all endpoints using Microsoft Defender for Endpoint. The process is not yet detected by antivirus signatures. Which action should you use?

A.Run antivirus scan
B.Add an indicator to block the process
C.Collect investigation package
D.Initiate Live Response
AnswerB

Blocks by hash or other indicator.

Why this answer

Option B is correct because custom indicators let you block (or allow) specific file hashes, certificates, IP addresses, URLs and domains across all onboarded devices, which stops the process even though antivirus has no signature for it. Option A is wrong because an antivirus scan cannot detect what it has no signature for. Option C is wrong because collecting an investigation package gathers forensic data; it blocks nothing. Option D is wrong because Live Response is an interactive session on one device, not fleet-wide prevention.

1119
Multi-Selecthard

Which THREE of the following are best practices for performing threat hunting in Microsoft Defender XDR? (Select THREE.)

Select 3 answers
A.Focus only on alerts generated by automated detection rules.
B.Limit hunting to a single data source to reduce complexity.
C.Start with a hypothesis based on threat intelligence or recent incidents.
D.Use a combination of KQL queries and built-in hunting capabilities.
E.Leverage advanced hunting across devices, email, and identities.
AnswersC, D, E

Hypothesis-driven hunting is a fundamental best practice.

Why this answer

Options C, D and E are correct. C: starting from a hypothesis grounded in threat intelligence or recent incidents keeps the hunt focused and documentable. D: combining your own KQL with the built-in hunting features (shared queries, bookmarks, custom detections) covers more ground than either alone. E: advanced hunting across the device, email and identity tables is what lets you follow an attacker across those boundaries. A is wrong because relying solely on alerts is reactive, not hunting. B is wrong because limiting the hunt to a single data source blinds you to activity that spans devices, mail and identities.

1120
MCQeasy

A SOC analyst receives a Microsoft Defender for Cloud Apps alert about a mass download of files from a SharePoint site by a single user. The analyst needs to contain the incident. Which action should be taken first?

A.Increase the SharePoint download limit.
B.Notify the user's manager.
C.Suspend the user account in Microsoft Entra ID.
D.Run a malware scan on the downloaded files.
AnswerC

Suspending the account stops all access immediately.

Why this answer

Suspending (blocking sign-in for) the user in Microsoft Entra ID stops all further access from that account, which is the fastest containment. Option A is wrong because raising the download limit makes the exfiltration easier. Option B is wrong because notifying the manager is a communication step, not containment. Option D is wrong because scanning the downloaded files addresses a different threat (malware) and does nothing to stop the data leaving.

1121
MCQhard

An organization uses Microsoft Defender for Endpoint (MDE) to hunt for signs of credential dumping. An analyst runs a custom advanced hunting query that searches for processes accessing LSASS.exe. The query uses DeviceProcessEvents and DeviceFileEvents. The analyst notices that some known credential dumping tools are detected, but they want to find previously unknown variants. Which approach should the analyst take to improve the hunt?

A.Enable LSASS auditing via Windows Security Event Log.
B.Focus on file reputation data to exclude clean files.
C.Add more signature-based indicators to the query.
D.Look for anomalous LSASS access patterns using process lineage and call stacks.
AnswerD

Anomaly detection helps uncover unknown tools by identifying unusual behavior.

Why this answer

Option D is correct because hunting for anomalous LSASS access patterns (rare accessor processes, unexpected parent processes, unusual call stacks) surfaces tools that have no signature yet. Option A is wrong because Defender for Endpoint already records process-access events for LSASS; turning on more Windows auditing is not what limits the hunt. Option B is wrong because file reputation can only exclude known-clean files and will miss fileless or validly signed malicious tools. Option C is wrong because more signature-based indicators still only catch known variants.
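An added example of the approach Option D describes, written for the advanced hunting page in the Microsoft Defender portal. It is not part of the original question bank or of Microsoft's built-in queries. It assumes that OpenProcessApiCall events in DeviceEvents carry the requested access mask as AdditionalFields.DesiredAccess (check the field in your own tenant before relying on it), and the lookback and prevalence thresholds are illustrative.

```kql
// Added example, not part of the original question bank or of Microsoft's
// built-in queries. Which processes opened lsass.exe with read access, ranked
// by how rare that accessor/parent pair is across the fleet? Assumption: the
// requested access mask is recorded as AdditionalFields.DesiredAccess.
let Lookback     = 14d;   // baseline period used to measure prevalence
let RecentWindow = 1d;    // period actually being hunted
let MinDevices   = 3;     // accessor/parent pairs seen on fewer devices count as rare
let LsassOpens = DeviceEvents
| where Timestamp > ago(Lookback)
| where ActionType == "OpenProcessApiCall"
| where FileName =~ "lsass.exe"                       // FileName is the target process for this event type
| extend DesiredAccess = tolong(parse_json(AdditionalFields).DesiredAccess)
// PROCESS_VM_READ (0x0010) is what a credential dumper needs; PROCESS_ALL_ACCESS includes it.
| where binary_and(DesiredAccess, 0x10) != 0
| extend Accessor = tolower(InitiatingProcessFolderPath),
         Parent   = tolower(InitiatingProcessParentFileName);
// Baseline: on how many devices has each accessor/parent pair touched LSASS in the lookback?
let Baseline = LsassOpens
| summarize Devices = dcount(DeviceName), FirstSeen = min(Timestamp) by Accessor, Parent;
// Recent opens by pairs that are rare fleet-wide: the candidates for a closer look.
LsassOpens
| where Timestamp > ago(RecentWindow)
| join kind=inner Baseline on Accessor, Parent
| where Devices < MinDevices
| summarize Opens     = count(),
            Hashes    = make_set(InitiatingProcessSHA256, 5),
            SampleCmd = take_any(InitiatingProcessCommandLine)
          by DeviceName, Accessor, Parent, Devices, FirstSeen
| order by Devices asc, Opens desc
```

The prevalence baseline does the work a hand-maintained exclusion list would otherwise do: the legitimate LSASS readers (the Defender engine, wininit.exe, csrss.exe, svchost.exe from System32) appear on almost every device and drop out of the result, while a renamed dumper, an unsigned binary in a user-writable path, or a legitimate tool launched from an odd parent surfaces near the top. Pivot from a hit to the process tree and, where the event offers it, the signer information, before deciding. For prevention rather than detection, the attack surface reduction rule "Block credential stealing from the Windows local security authority subsystem" blocks the access outright.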

1122
MCQeasy

You are a security analyst at Wingtip Toys, a small business with 500 users. You have Microsoft 365 Business Premium licenses and Microsoft Sentinel deployed. You are conducting a threat hunt for signs of brute-force attacks against your Azure AD tenant. You want to identify IP addresses that have attempted multiple failed sign-ins across different user accounts within a short time window. You have access to the SigninLogs table in Microsoft Sentinel. Which KQL query should you use?

A.SigninLogs | where ResultType != 0 | summarize FailedAttempts = count() by IPAddress | where FailedAttempts > 10
B.SigninLogs | where ResultType !in ('0', '50125') | summarize FailedAttempts = count(), DistinctUsers = dcount(UserPrincipalName) by IPAddress | where FailedAttempts > 10 and DistinctUsers > 5 | order by FailedAttempts desc
C.SigninLogs | where ResultType != 0 | top 10 by IPAddress
D.SigninLogs | where ResultType == 0 | summarize SuccessAttempts = count() by IPAddress | order by SuccessAttempts desc
AnswerB

This identifies IPs with many failed attempts across multiple users, indicative of brute-force.

Why this answer

Option B is correct because it summarizes failed sign-ins by IP and also counts distinct users with dcount(UserPrincipalName), so it only surfaces IPs that failed many times across many accounts, the password-spray shape of a brute-force attack; excluding 50125 drops sign-in interruptions (password reset or registration) that are not real failures. Option A is wrong because it counts total failures without requiring multiple users, so one user mistyping a password ten times would match. Option C is wrong because top 10 by IPAddress just returns ten rows ordered by the IP string; it never counts anything. Option D is wrong because it counts successes, not failures.

1123
MCQmedium

A SOC analyst is investigating a potential brute-force attack on an Azure VM. The analyst has ingested Windows Security Events into Microsoft Sentinel. Which KQL query would count the number of failed logon attempts (EventID 4625) per user account in the last hour?

A.SecurityEvent | where EventID == 4625 | summarize Count = count() by Account | where TimeGenerated > ago(1h)
B.SecurityEvent | where EventID == 4625 and TimeGenerated > ago(1h) | summarize Count = count() by Account
C.SigninLogs | where ResultType != 0 | summarize Count = count() by UserPrincipalName | where TimeGenerated > ago(1h)
D.SecurityEvent | where EventID == 4625 | make-series Count = count() default=0 on TimeGenerated from ago(1h) to now() step 1h by Account
AnswerB

This correctly filters by event ID and time first, then summarizes counts per account.

Why this answer

Option B is correct because it filters for EventID 4625 (failed logon) and restricts the time range to the last hour before summarizing the count per Account. This ensures only relevant events are counted, and the aggregation is performed on the correct field (Account) from the SecurityEvent table, which contains Windows Security Events ingested into Sentinel.

Exam trap

The trap here is that candidates often place the time filter after the summarize operator (Option A): summarize Count = count() by Account outputs only the Count and Account columns, so TimeGenerated no longer exists at that point and the query fails instead of limiting the data to the last hour. The other trap is confusing SecurityEvent with SigninLogs (Option C), which holds Microsoft Entra ID sign-ins, not Windows Security Events from a VM.

How to eliminate wrong answers

Option A is wrong because the time filter (where TimeGenerated > ago(1h)) comes after summarize Count = count() by Account, which emits only the Count and Account columns; TimeGenerated is no longer available there, so the query does not run, and even a version that tolerated it would have counted all historical failed logons before filtering. Option C is wrong because SigninLogs holds Microsoft Entra ID sign-in logs, not Windows Security Events; EventID 4625 is specific to the Windows Security log, ResultType != 0 is the Entra failure test, and the query has the same post-summarize time filter problem. Option D is wrong because make-series produces a time-series array per account (here a single one-hour bin) rather than the straightforward scalar count per account the question asks for; it is the tool for trend and anomaly analysis, not a simple count.
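The three failed-logon hunts this page keeps returning to (many failures against one account, Q1123; one IP failing across many accounts, Q1122; failures followed by a success, Q1114 and Q1116) run over one constructed data set here. This is an added example, not part of the original question bank: the datatable is a made-up stand-in for the SecurityEvent table with the same column names, the fixed clock replaces now() so the sample stays reproducible, and the thresholds are illustrative.

```kql
// Added example, not part of the original question bank. The datatable is a
// constructed stand-in for SecurityEvent (same column names) so the query runs
// anywhere Kusto runs; in Sentinel replace SampleEvents with SecurityEvent and
// the fixed Now with now().
let Now       = datetime(2024-05-01 11:00:00);   // fixed clock for the sample data
let Window    = 1h;
let Threshold = 5;
let SampleEvents = datatable(TimeGenerated:datetime, EventID:int, Account:string, IpAddress:string, Computer:string) [
    // alice: one stale failure outside the window, then six failures and a success from 203.0.113.7
    datetime(2024-05-01 09:30:00), 4625, "alice", "10.0.0.5",     "WS01",
    datetime(2024-05-01 10:01:00), 4625, "alice", "203.0.113.7",  "SRV01",
    datetime(2024-05-01 10:02:00), 4625, "alice", "203.0.113.7",  "SRV01",
    datetime(2024-05-01 10:03:00), 4625, "alice", "203.0.113.7",  "SRV01",
    datetime(2024-05-01 10:04:00), 4625, "alice", "203.0.113.7",  "SRV01",
    datetime(2024-05-01 10:05:00), 4625, "alice", "203.0.113.7",  "SRV01",
    datetime(2024-05-01 10:06:00), 4625, "alice", "203.0.113.7",  "SRV01",
    datetime(2024-05-01 10:07:00), 4624, "alice", "203.0.113.7",  "SRV01",
    // 198.51.100.9: one failure each against six different accounts (password spray)
    datetime(2024-05-01 10:10:00), 4625, "bob",   "198.51.100.9", "SRV01",
    datetime(2024-05-01 10:11:00), 4625, "carol", "198.51.100.9", "SRV01",
    datetime(2024-05-01 10:12:00), 4625, "dave",  "198.51.100.9", "SRV01",
    datetime(2024-05-01 10:13:00), 4625, "erin",  "198.51.100.9", "SRV01",
    datetime(2024-05-01 10:14:00), 4625, "frank", "198.51.100.9", "SRV01",
    datetime(2024-05-01 10:15:00), 4625, "grace", "198.51.100.9", "SRV01",
    // benign noise: a normal logon and a single typo
    datetime(2024-05-01 10:30:00), 4624, "bob",   "10.0.0.5",     "WS02",
    datetime(2024-05-01 10:40:00), 4625, "carol", "10.0.0.6",     "WS03"
];
// Filter first (event type and time), then aggregate: TimeGenerated does not
// survive a summarize, so a time filter placed after it would not even resolve.
let Failures = SampleEvents
| where EventID == 4625
| where TimeGenerated between ((Now - Window) .. Now);
// 1. Many failures against one account (the Q1123 shape)
let BruteForce = Failures
| summarize FailedAttempts = count(), SourceIPs = make_set(IpAddress) by Account
| where FailedAttempts >= Threshold
| project Finding = "Brute force: one account", Subject = Account,
          Detail  = strcat(FailedAttempts, " failures from ", tostring(SourceIPs));
// 2. One source IP, many distinct accounts (the Q1122 shape, here on Windows events)
let PasswordSpray = Failures
| summarize FailedAttempts = count(), DistinctAccounts = dcount(Account) by IpAddress
| where DistinctAccounts >= Threshold
| project Finding = "Password spray: one IP, many accounts", Subject = IpAddress,
          Detail  = strcat(DistinctAccounts, " accounts, ", FailedAttempts, " failures");
// 3. Failures followed by a success for the same account from the same IP
let SuccessAfterFailures = Failures
| summarize FailedAttempts = count(), LastFailure = max(TimeGenerated) by Account, IpAddress
| join kind=inner (
    SampleEvents
    | where EventID == 4624
    | where TimeGenerated between ((Now - Window) .. Now)
    | project Account, IpAddress, SuccessTime = TimeGenerated
  ) on Account, IpAddress
| where SuccessTime > LastFailure
| project Finding = "Success after failures", Subject = strcat(Account, " from ", IpAddress),
          Detail  = strcat(FailedAttempts, " failures, then 4624 at ", format_datetime(SuccessTime, "HH:mm:ss"));
union BruteForce, PasswordSpray, SuccessAfterFailures
| order by Finding asc
```

On this sample the three branches each return one row: alice with six failures from 203.0.113.7, the spray from 198.51.100.9 against six accounts, and alice's success from 203.0.113.7 after the failures; alice's stale 09:30 failure falls outside the window, carol's two scattered failures stay under the threshold, and 203.0.113.7 is not reported as a spray because it only targeted one account. The third branch is the one that turns a noisy brute-force alert into an incident worth containing, which is why Q1114 asks for the success correlation before any blocking.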

1124
MCQeasy

A junior security analyst reports that they cannot create a new analytics rule in Microsoft Sentinel. They have the 'Microsoft Sentinel Contributor' role on the workspace. What could be the issue?

A.The workspace is in a locked resource group preventing modifications.
B.They need the 'Owner' role to create analytics rules.
C.They do not have the 'Microsoft Sentinel Responder' role.
D.They are assigned the role at the subscription level but not at the workspace level.
AnswerA

A read-only resource lock blocks modifications regardless of the caller's RBAC role.

Why this answer

Option A is correct because an Azure resource lock (a ReadOnly lock in particular) blocks create and update operations on the locked scope regardless of the caller's RBAC role, so even a Microsoft Sentinel Contributor cannot save a new rule; check for locks on the resource group and workspace before looking at role assignments. Option B is wrong because Owner is not needed; Microsoft Sentinel Contributor can create analytics rules. Option C is wrong because Microsoft Sentinel Responder is a lesser role (manage incidents, not rules) and adds nothing here. Option D is wrong because Azure RBAC assignments inherit downward, so a role assigned at the subscription scope applies to the workspace as well.

1125
MCQmedium

A threat hunter is analyzing a suspicious email that bypassed Microsoft Defender for Office 365. The email contains a link to a malicious website. The hunter wants to identify all users who clicked the link. Which hunting query in Microsoft 365 Defender should be used?

A.EmailAttachmentInfo
B.EmailUrlInfo
C.EmailEvents
D.DeviceFileEvents
AnswerB

EmailUrlInfo lists the URLs found in each message; of the options given it is the table to pivot on.

Why this answer

Option B is correct because EmailUrlInfo records every URL (and its domain) extracted from each email, keyed by NetworkMessageId, so among the tables offered it is the one that ties the malicious link to the messages that carried it. For practice, note that the click records themselves come from Safe Links and live in the UrlClickEvents table (AccountUpn, Url, ActionType, NetworkMessageId); join it to EmailUrlInfo or EmailEvents on NetworkMessageId to get the list of users who actually clicked. Option A is wrong because EmailAttachmentInfo describes attachments. Option C is wrong because EmailEvents holds message-level delivery data (sender, recipient, verdict), not the URLs or clicks. Option D is wrong because DeviceFileEvents holds endpoint file creation and modification events.
