Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1126–1200

1639 questions total · 22 pages · All types, answers revealed

Page 16 of 22
1126
Multi-Select · medium

Which THREE are valid ways to automatically respond to a security incident in Microsoft Defender XDR?

Select 3 answers
A. Configure an automated investigation and response (AIR) playbook.
B. Create a custom detection rule that triggers an automatic remediation action.
C. Integrate threat intelligence to automatically block indicators.
D. Manually run a playbook from the incident.
E. Use attack simulation training to automatically isolate devices.
Answers: A, B, E

AIR automatically responds to incidents.

Why this answer

Options A, B, and D are correct. Automated investigation and response (AIR) is a core feature, custom detection rules can trigger actions, and attack simulation training can be automated. Option C is wrong because manual playbooks are not automatic.

Option E is wrong because threat intelligence integration does not automatically respond.

1127
MCQ · hard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that runs an automation rule to create a support ticket in ServiceNow. The playbook fails intermittently with a timeout error. You have verified that the playbook's managed identity has the correct permissions. What should you check next?

A. Ensure the playbook is assigned to an Azure Policy that allows outbound connections.
B. Check if the ServiceNow API has rate limits that are being exceeded.
C. Verify that the logic app's network connectivity allows outbound traffic to the ServiceNow endpoint, including any regional restrictions.
D. Verify that the logic app's workflow is configured to use asynchronous operations.
Answer: C

Intermittent timeouts often indicate network issues like firewall rules or regional routing.

Why this answer

The playbook is a Logic App, and intermittent timeout errors when calling an external API (ServiceNow) often indicate network connectivity issues. Since the managed identity permissions are correct, the next logical step is to verify that the Logic App's outbound traffic is allowed to the ServiceNow endpoint, including any regional restrictions that might block or delay traffic from the East US region. This directly addresses the root cause of the timeout.

Exam trap

The trap here is that candidates confuse authentication/authorization (managed identity) with network connectivity, assuming that correct permissions guarantee successful API calls, when in fact network restrictions or regional IP blocking can cause intermittent timeouts even with valid credentials.

How to eliminate wrong answers

Option A is wrong because Azure Policy does not manage outbound connections for Logic Apps; it enforces compliance rules on Azure resources, not network traffic. Option B is wrong because rate limits typically cause HTTP 429 responses, not timeout errors, and the question states the error is a timeout, not a throttling response. Option D is wrong because asynchronous operations affect how the Logic App handles long-running tasks internally, not the network connectivity to an external endpoint, and the timeout is on the outbound HTTP call, not the workflow execution.

1128
MCQ · easy

A company has enabled Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing virtual machines have a vulnerability assessment solution installed. Which Defender for Cloud feature can automatically deploy a vulnerability assessment agent to supported VMs?

A. Vulnerability assessment recommendations
B. Defender for Servers plan
C. Security policies
D. Workload protections
Answer: A

These recommendations allow automatic deployment of vulnerability assessment agents to VMs as part of remediation steps.

Why this answer

The Vulnerability Assessment (VA) recommendations in Microsoft Defender for Cloud can automatically deploy a vulnerability assessment agent (such as the Qualys or Microsoft Defender Vulnerability Management agent) to supported Azure VMs. When a VM is found to be missing a VA solution, Defender for Cloud can enable the 'Auto-provision' setting for the VA recommendation, which triggers the agent installation without manual intervention. This directly meets the requirement to ensure all existing VMs have a vulnerability assessment solution installed.

Exam trap

The trap here is that candidates often confuse the 'Defender for Servers plan' (which enables the feature set) with the actual automated deployment mechanism, assuming the plan itself installs agents, when in fact the deployment is triggered by enabling the 'Auto-provision' setting on the specific vulnerability assessment recommendation.

How to eliminate wrong answers

Option B is wrong because the Defender for Servers plan enables advanced security capabilities (e.g., file integrity monitoring, just-in-time VM access, and adaptive application controls) but does not itself automatically deploy a vulnerability assessment agent; it only makes the VA recommendations available. Option C is wrong because security policies define the compliance rules and initiatives (e.g., Azure Policy) that govern resource configurations, but they do not directly deploy agents; they can enforce the VA recommendation but the deployment action is handled by the recommendation's auto-provision feature. Option D is wrong because workload protections refer to the set of threat detection alerts and security signals for workloads (e.g., SQL, storage, containers), not the automated deployment of vulnerability assessment agents to VMs.

1129
MCQ · hard

You have an automation rule in Microsoft Sentinel configured as shown. An incident with severity Medium is created, but the playbook does not run. What is the most likely reason?

A. The triggerType should be 'Alert' instead of 'Incident'.
B. The automation rule trigger is set to 'When incident is created', but the incident may have been created with a lower severity and later updated to Medium.
C. The playbook does not have permissions to run in the Sentinel resource group.
D. The playbookId is incorrect or the playbook has been deleted.
Answer: B

The rule only triggers on creation, not on update; if severity changes later, it won't trigger.

Why this answer

Option D is correct because automation rules require a trigger condition; if the incident is created with a different severity and later updated to Medium, the rule will not trigger because it is set to 'When incident is created'. Option A is wrong because permissions can cause issues, but typically the rule would show as created. Option B is wrong because the trigger type is incident, not alert.

Option C is wrong because playbook ID is valid.

1130
MCQ · easy

Your Microsoft Sentinel workspace has a Microsoft 365 Defender connector configured. You notice that incidents are being created from Microsoft Defender for Office 365 alerts, but not from Microsoft Defender for Identity alerts. What should you check?

A. Enable the Microsoft Defender for Identity alert streaming in the connector configuration.
B. Verify that the Microsoft 365 Defender connector is connected.
C. Ensure you have licenses for Microsoft Defender for Identity.
D. Check the incident correlation rules in Microsoft Defender XDR.
Answer: A

The connector allows selecting which Microsoft Defender services to stream.

Why this answer

Option D is correct because Microsoft Defender for Identity alert streaming must be enabled in the Microsoft 365 Defender connector configuration. Option A is wrong because the connector is already configured; the issue is selective alert streaming. Option B is wrong because licensing for Identity is required but the question implies it's enabled.

Option C is wrong because correlation rules in Defender XDR affect incident creation from alerts, but the connector separately streams alerts.

1131
MCQ · medium

Your company uses Microsoft Defender for Cloud to monitor multi-cloud resources. You want to ensure that all critical security recommendations are automatically assigned to the appropriate team leads based on the resource's tags. Which feature should you configure?

A. Configure a regulatory compliance standard to send email notifications.
B. Create a workbook that lists recommendations and manually assign them.
C. Use the 'Assign ownership' feature in Microsoft Defender for Cloud to map tags to owners.
D. Create a governance rule that automatically applies a compliance standard.
Answer: C

This feature assigns recommendations to owners based on tags.

Why this answer

Option C is correct because the 'Assign ownership' feature in Microsoft Defender for Cloud allows you to map resource tags to specific owners (e.g., team leads) via an automated rule. When a critical security recommendation is generated for a resource with a matching tag, the recommendation is automatically assigned to the designated owner, ensuring accountability without manual intervention.

Exam trap

The trap here is confusing governance rules (which enforce compliance standards or auto-remediation) with the 'Assign ownership' feature, which specifically handles tag-based assignment of recommendations to users.

How to eliminate wrong answers

Option A is wrong because regulatory compliance standards are used to assess compliance against frameworks (e.g., CIS, NIST) and send email notifications for compliance drift, not to assign recommendations to owners based on tags. Option B is wrong because creating a workbook only provides a visual list of recommendations; it does not automate assignment to team leads based on tags. Option D is wrong because a governance rule that applies a compliance standard enforces compliance policies (e.g., auto-remediation), but it does not assign ownership of recommendations to specific users based on resource tags.

1132
MCQ · hard

A security analyst is configuring a playbook in Microsoft Sentinel to run automatically when a new incident of severity 'High' is created. The playbook should only run for incidents that are not already assigned to an analyst. How can the analyst configure this automation?

A. Create an automation rule with a condition on 'Owner' field equals 'Unassigned'
B. Use a playbook trigger 'When a Microsoft Sentinel incident is created' and add a condition in the playbook
C. Configure a watchlist to filter incidents
D. Use a Logic Apps trigger for all incidents and check owner within the playbook
Answer: A

Automation rules can evaluate incident properties; setting a condition on Owner to 'Unassigned' ensures the rule triggers only for unassigned High severity incidents.

Why this answer

Option A is correct because Microsoft Sentinel automation rules can evaluate incident properties at creation time, including the 'Owner' field. By setting a condition that 'Owner' equals 'Unassigned', the rule triggers the playbook only for high-severity incidents that have not yet been assigned to an analyst, meeting the requirement without requiring custom logic inside the playbook.

Exam trap

The trap here is that candidates often think they must embed filtering logic inside the playbook (Option B or D), overlooking that automation rules provide a native, efficient pre-filtering mechanism that avoids unnecessary playbook executions.

How to eliminate wrong answers

Option B is wrong because using a playbook trigger 'When a Microsoft Sentinel incident is created' and adding a condition inside the playbook would cause the playbook to run for every new incident, even those already assigned, wasting resources and potentially causing unintended actions before the condition is evaluated. Option C is wrong because watchlists are used for correlation, enrichment, or filtering of data during queries and analytics rules, not for controlling automation rule triggers based on incident ownership. Option D is wrong because using a Logic Apps trigger for all incidents and checking the owner within the playbook is inefficient and redundant; automation rules are the correct and intended mechanism to filter incidents before invoking a playbook, and this approach would still invoke the playbook for every incident, consuming unnecessary compute and API calls.

1133
MCQ · easy

You are a threat hunter and you want to identify potential lateral movement in your environment. Which Microsoft Defender XDR hunting table would you query to find network connections from a compromised workstation to other internal devices?

A. DeviceProcessEvents
B. DeviceLogonEvents
C. DeviceNetworkEvents
D. DeviceFileEvents
Answer: C

This table records network connections, which are key for detecting lateral movement.

Why this answer

Option A is correct because DeviceNetworkEvents contains network connection events. Option B is for logon events. Option C is for process creation.

Option D is for file creation events.

1134
MCQ · medium

You have detected a suspicious PowerShell command running on several workstations. The command appears to be downloading a payload from a known malicious URL. What is the most effective immediate response using Microsoft Defender for Endpoint?

A. Add the URL to the custom threat indicator list in Microsoft Defender for Endpoint.
B. Quarantine the affected workstations.
C. Enable attack surface reduction rule to block PowerShell scripts.
D. Initiate a Live Response session to investigate each workstation.
Answer: A

This immediately blocks the URL across all endpoints, preventing further downloads.

Why this answer

The most effective immediate response is to block the malicious URL via custom threat indicators, which will prevent the download on all devices. Live Response is for investigation, not blocking. Quarantine disrupts users.

ASR rules are pre-configured and may not cover this specific URL.

1135
MCQ · medium

Your organization has Microsoft Defender XDR enabled. An incident is generated for a user who clicked a phishing link in an email. The analyst needs to automatically disable the user's mailbox for suspicious activity. Which automated action should the analyst configure in a Microsoft Sentinel automation rule?

A. Run a playbook that deletes the phishing email from the user's inbox.
B. Configure an automation rule to block the sender IP address in Defender for Cloud Apps.
C. Run a playbook that resets the user's password.
D. Run a playbook that uses the Microsoft 365 Defender connector to disable the mailbox.
Answer: D

The Microsoft 365 Defender connector allows disabling a mailbox as a remediation action.

Why this answer

Option A is correct because disabling the mailbox is a remediation action available in Microsoft 365 Defender. Option B is wrong because deleting the email does not prevent future access. Option C is wrong because blocking the sender IP is not a direct action from Sentinel.

Option D is wrong because resetting the password is a different action.

1136
MCQ · easy

During a threat hunt in Microsoft Defender XDR, you notice repeated failed logon attempts from an IP address that belongs to a known anonymizer service. What is the first action you should take?

A. Block the IP address in Microsoft Defender for Cloud Apps.
B. Create an analytics rule in Microsoft Sentinel to alert on all anonymizer IP addresses.
C. Initiate an investigation by reviewing the impacted user accounts and endpoints for signs of compromise.
D. Report the IP to the Microsoft Sentinel Threat Intelligence team.
Answer: C

Threat hunting requires understanding the context before taking action.

Why this answer

Option C is correct because the first step is to investigate the affected accounts and endpoints to determine if any compromise occurred. Option A may alert on false positives. Option B blocks access but may break legitimate business.

Option D is premature without investigation.

1137
MCQ · hard

You are a security operations analyst at a company that uses Microsoft Defender for Cloud Apps (now part of Microsoft Defender XDR) and Microsoft Sentinel. During a threat hunt, you suspect that an attacker may be using a compromised user account to access sensitive data in SharePoint Online from an unusual location. You have Microsoft Defender for Cloud Apps logs integrated into Sentinel. The log schema includes fields: TimeGenerated, UserId, AppName, ActivityType, IPAddress, Location, ObjectId (the document ID). You need to write a KQL query that returns a list of users who accessed the same sensitive document (ObjectId == 'SensitiveDocument123') from more than 3 unique IP addresses in the last hour, which could indicate a distributed access pattern. Which KQL query should you use?

A. CloudAppEvents | where TimeGenerated > ago(1h) | where ObjectId == 'SensitiveDocument123' | summarize dcount(IPAddress) by UserId | where dcount_IPAddress > 3
B. CloudAppEvents | where TimeGenerated > ago(24h) | where ObjectId == 'SensitiveDocument123' | summarize dcount(IPAddress) by UserId | where dcount_IPAddress > 3
C. CloudAppEvents | where TimeGenerated > ago(1h) | summarize dcount(IPAddress) by UserId | where dcount_IPAddress > 3
D. CloudAppEvents | where TimeGenerated > ago(1h) | where ObjectId == 'SensitiveDocument123' | summarize count() by UserId, IPAddress | where count_ > 3
Answer: A

Correctly counts unique IPs per user for the specific document.

Why this answer

Option A correctly filters for the sensitive document and the last hour, summarizes dcount(IPAddress) by UserId, and filters for more than 3 unique IPs. Option B uses count() instead of dcount(). Option C uses the wrong time range.

Option D does not filter for the specific document.

1138
Multi-Select · medium

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Select 2 answers
A. Create a new analytics rule based on an incident.
B. Assign an incident to a specific analyst.
C. Modify the data connector's polling interval.
D. Run a playbook automatically when an incident is created.
E. Automatically create an incident from a log event.
Answers: B, D

Automation rules can set the incident owner.

Why this answer

Option B is correct because Microsoft Sentinel automation rules can directly assign an incident to a specific analyst using the 'Assign owner' action. This allows security operations teams to automatically route incidents to the appropriate personnel based on criteria such as severity, tactic, or entity, improving response efficiency.

Exam trap

Microsoft often tests the distinction between automation rules (which act on incidents/alerts) and analytics rules (which generate incidents from log data), causing candidates to confuse the scope of automation rule actions.

1139
MCQ · medium

Refer to the exhibit. You are reviewing a KQL query used in a Microsoft Sentinel scheduled analytics rule. What is the primary purpose of this query?

A. To investigate a new type of attack pattern
B. To identify which accounts are associated with the most incidents
C. To find accounts that have generated false positive alerts
D. To detect accounts that have triggered a high number of suspicious process alerts within 7 days
Answer: D

The query counts alerts per account and filters for >5.

Why this answer

Option C is correct because the query counts alerts per account and filters for >5, indicating a threshold for multiple alerts. Option A is wrong because it's not associating with incidents. Option B is wrong because it's not about false positives.

Option D is wrong because it's not about detecting a new attack.

1140
MCQ · medium

A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to ensure that all Azure virtual machines have automatic provisioning of the Log Analytics agent (Azure Monitor Agent) turned on. Where should this configuration be set to cover existing and future VMs?

A. In Microsoft Defender for Cloud > Environment settings > Select subscription > Settings & monitoring > Log Analytics agent for Azure VMs > Set to 'On'
B. In Azure Policy > Assign a policy that deploys the Log Analytics agent to VMs
C. In Microsoft Defender for Cloud > Security policy > Data collection
D. In Azure virtual machine blade > Auto-provisioning
Answer: A

This is the correct location to enable automatic provisioning of the Log Analytics agent for all current and future VMs in the subscription.

Why this answer

Option A is correct because the 'Settings & monitoring' pane under Environment settings in Microsoft Defender for Cloud is the centralized location to enable automatic provisioning of the Log Analytics agent (Azure Monitor Agent) at the subscription level. This setting ensures that both existing Azure VMs and any future VMs are automatically provisioned with the agent, without requiring individual VM configuration or manual policy assignment.

Exam trap

The trap here is that candidates often confuse the deprecated 'Data collection' option under Security policy (Option C) with the current 'Settings & monitoring' pane, or they assume that Azure Policy (Option B) is the only way to enforce agent deployment, missing the built-in auto-provisioning toggle in Defender for Cloud.

How to eliminate wrong answers

Option B is wrong because Azure Policy can deploy the Log Analytics agent, but it is not the native Defender for Cloud auto-provisioning mechanism; using a custom policy requires additional management and does not integrate with Defender for Cloud's monitoring settings. Option C is wrong because the 'Security policy > Data collection' option in Defender for Cloud is deprecated and no longer controls auto-provisioning for the Log Analytics agent; it was used for the legacy Microsoft Monitoring Agent, not the Azure Monitor Agent. Option D is wrong because the Azure virtual machine blade's 'Auto-provisioning' setting does not exist; auto-provisioning is configured at the subscription level in Defender for Cloud, not per VM.

1141
MCQ · medium

During a threat hunting exercise, an analyst discovers a suspicious PowerShell process that executed encoded commands and made outbound connections to an unknown IP address. The process tree shows it was spawned by a Microsoft Word instance. What is the most likely attack technique being observed?

A. Service Execution
B. Phishing with malicious macro
C. Execution via Rundll32
D. Lateral Movement via WMI
Answer: B

Word spawning PowerShell with encoded commands is typical of macro-based phishing.

Why this answer

Option B is correct because the scenario describes a malicious document (Word) executing PowerShell with encoded commands, which is classic phishing with macro-based payload. Option A is wrong because execution via rundll32 is not indicated. Option C is wrong because the attack originates from a document, not a service.

Option D is wrong because there is no evidence of lateral movement.

1142
MCQ · hard

Your company has a hybrid environment with Microsoft Sentinel and Microsoft Defender for Cloud. You notice that the 'Priority' field in Sentinel incidents is not being populated correctly. You need to ensure that Sentinel incidents inherit the priority from Microsoft Defender for Cloud alerts. What should you configure?

A. Enable the 'Sync incidents and alerts' setting in Microsoft Defender XDR.
B. Configure the Microsoft Defender for Cloud data connector to map severity and use an automation rule to set priority based on severity.
C. Use a workbook to display priority and manually update incidents.
D. Create an analytics rule that queries Microsoft Defender for Cloud alerts and sets the priority in the incident creation.
Answer: B

Correct: The data connector can map severity, and automation rules can set priority accordingly.

Why this answer

Option D is correct because the data connector for Microsoft Defender for Cloud maps the alert's severity to Sentinel's severity, and priority can be set via an automation rule. Option A is wrong because analytics rules don't inherit from external alerts. Option B is wrong because Sentinel doesn't sync priority from Microsoft Defender for Cloud directly.

Option C is wrong because workbooks don't modify incident fields.

1143
MCQ · medium

During a ransomware incident, an analyst needs to identify which files were encrypted on an endpoint. The endpoint is running Windows and is managed by Microsoft Defender for Endpoint. Which data source should the analyst query in Advanced hunting?

A. DeviceRegistryEvents
B. DeviceNetworkEvents
C. DeviceProcessEvents
D. DeviceFileEvents
Answer: D

File events show modifications like encryption.

Why this answer

DeviceFileEvents tracks file creation, modification, and deletion. Option A is for processes; Option C is for network; Option D is for registry.

1144
MCQ · medium

You are performing a threat hunt in Microsoft Sentinel and have a KQL query that returns a high number of false positives. You want to reduce the noise without missing real threats. Which approach should you take?

A. Write a KQL query that looks for uncommon process chains, such as wscript.exe launched from Microsoft Office.
B. Add a filter to exclude all Microsoft signed processes.
C. Remove the time filter and run the query against all historical data.
D. Broaden the time range to capture more data.
Answer: A

This targets known suspicious patterns and reduces noise while keeping relevant events.

Why this answer

Option B is correct because filtering on specific process names and parent processes in KQL narrows the results to likely malicious activity. Option A may miss legitimate processes. Option C increases false positives.

Option D removes the time filter which is essential for hunting.

1145
MCQ · easy

Your organization has Microsoft Defender for Cloud Apps enabled. You need to generate an alert when a user downloads more than 100 files from SharePoint in one hour. What should you create?

A. A data loss prevention (DLP) policy in Microsoft Purview.
B. A custom alert in Microsoft Sentinel using the CloudAppEvents table.
C. An app governance policy in Microsoft Defender for Cloud Apps.
D. An anomaly detection policy in Microsoft Defender for Cloud Apps.
Answer: D

Anomaly detection policies can detect activity volume anomalies.

Why this answer

An anomaly detection policy in Microsoft Defender for Cloud Apps is designed to detect unusual user behavior, such as mass file downloads, by establishing a baseline and triggering alerts when activity deviates from the norm. This policy type specifically supports the scenario of detecting a user downloading more than 100 files from SharePoint in one hour, as it can be configured with custom thresholds for file download activity.

Exam trap

The trap here is that candidates often confuse anomaly detection policies with DLP policies, assuming that any data exfiltration scenario must be handled by DLP, but DLP policies in Purview are content-based, not volume-based, making anomaly detection the correct choice for this behavioral threshold scenario.

How to eliminate wrong answers

Option A is wrong because a data loss prevention (DLP) policy in Microsoft Purview focuses on preventing data exfiltration by inspecting content and applying actions like blocking or encrypting, not on detecting volume-based anomalies like a high number of downloads. Option B is wrong because a custom alert in Microsoft Sentinel using the CloudAppEvents table would require ingesting logs and writing a KQL query, which is a more complex, post-facto detection method rather than a native, real-time policy within Defender for Cloud Apps. Option C is wrong because an app governance policy in Microsoft Defender for Cloud Apps is specifically for managing and monitoring OAuth-enabled apps (e.g., permissions, consent), not for detecting user behavior anomalies like mass file downloads.

1146
MCQ · medium

Your threat hunting hypothesis is that a user's credentials were used to sign in from two geographically distant locations within a short time. In Microsoft Defender for Cloud Apps, which log type would you query in Microsoft Sentinel to detect impossible travel?

A. SigninLogs
B. AuditLogs
C. CommonSecurityLog
D. OfficeActivity
Answer: A

SigninLogs record user sign-in events with location and time.

Why this answer

SigninLogs contain user sign-in activities with IP address and timestamp, essential for detecting impossible travel.

1147
MCQ · hard

You are a security analyst for a company that uses Azure Firewall. You are reviewing a custom rule deployed via Azure Firewall Manager. The exhibit shows the rule configuration. The rule is intended to block inbound traffic from known Tor exit nodes. However, a recent incident involved an attacker using a Tor exit node with IP 138.197.5.5 to access an internal web server on port 8080. The log shows the traffic was ALLOWED. What is the most likely reason the rule did not block the traffic?

A. The destination port 8080 is not listed in the rule.
B. The source address range does not include 138.197.5.5.
C. The rule type is 'Prevention' but should be 'Detection'.
D. The rule priority is too low and is overridden by a higher priority rule.
Answer: A

The rule only blocks ports 443 and 80, but the traffic used port 8080.

Why this answer

The rule only blocks ports 80 and 443 (destinationPorts). The attacker used port 8080, which is not covered by the rule. Option C is correct.

Option A is wrong because the source IP is within the rule's range. Option B is wrong because the rule is of type Prevention, not Detection. Option D is wrong because the priority is not necessarily too low; the rule would still be evaluated if the port matched.

1148
MCQ · easy

During a threat hunting exercise in Microsoft Sentinel, you want to identify all cloud application events where a user accessed a resource from an IP address not previously associated with that user. Which KQL operator should you use to compare current access patterns with a baseline of known IPs?

A. join
B. lookup
C. summarize
D. union
Answer: A

Join matches rows from two tables based on a key, enabling comparison of IPs.

Why this answer

The `join` operator allows combining two tables based on a key, such as UserId, and then filtering for rows where the IP does not match the baseline.

1149
MCQ · medium

Your organization uses Microsoft Defender for Office 365. You want to automatically isolate a user's mailbox if a high-confidence phishing email is detected. Which Microsoft Sentinel automation should you use?

A. Configure a workbook to display the alert and manually isolate the mailbox.
B. Create a playbook that uses the Microsoft Graph API to apply a mailbox litigation hold or block access.
C. Enable the Office 365 connector and configure automatic response in the data connector.
D. Create a scheduled analytics rule that isolates the mailbox when triggered.
Answer: B

Playbooks can automate response actions using APIs.

Why this answer

Option B is correct because Microsoft Sentinel playbooks, built on Azure Logic Apps, can use the Microsoft Graph API to perform automated remediation actions like applying a mailbox litigation hold or blocking user access. This enables automatic isolation of a user's mailbox when a high-confidence phishing email is detected, which is a key incident response capability in Defender for Office 365.

Exam trap

The trap here is that candidates often confuse data connectors (which only ingest data) with automated response capabilities, or assume that analytics rules can directly execute remediation actions, when in fact only playbooks (or automation rules that invoke playbooks) can perform such actions.

How to eliminate wrong answers

Option A is wrong because workbooks are visualization tools for displaying data and alerts, not automation mechanisms; they cannot perform actions like mailbox isolation. Option C is wrong because the Office 365 data connector ingests logs and alerts into Sentinel but does not provide native automatic response configuration for mailbox isolation; automated responses require playbooks or custom logic. Option D is wrong because scheduled analytics rules only generate alerts based on query schedules; they cannot directly execute remediation actions like mailbox isolation — that requires a playbook or automation rule.

1150
MCQ · hard

A security operations team uses Microsoft Defender for Cloud and Microsoft Sentinel. They want to automatically suppress low-severity security recommendations that are older than 90 days for a specific resource group. Which combination of tools should they use?

A. Use Azure Policy to exempt the resource group from policy evaluation
B. Use a Microsoft Sentinel automation rule to close incidents
C. Use a suppression rule in Defender for Cloud to suppress specific recommendations
D. Use an Azure Blueprint to ignore recommendations
Answer: C

Suppression rules in Defender for Cloud allow you to ignore recommendations based on criteria like severity, resource scope, and time. You can create a rule for low-severity recommendations older than 90 days for the resource group.

Why this answer

Option C is correct because Defender for Cloud includes native suppression rules that allow you to automatically dismiss low-severity recommendations based on criteria such as age (older than 90 days) and scope (specific resource group). This is the only built-in mechanism in Defender for Cloud to permanently suppress recommendations without altering the underlying security posture or requiring external automation.

Exam trap

The trap here is that candidates confuse Defender for Cloud suppression rules with Azure Policy exemptions or Sentinel automation rules, failing to recognize that recommendation suppression is a dedicated feature within Defender for Cloud's own settings, not a cross-service configuration.

How to eliminate wrong answers

Option A is wrong because Azure Policy exemptions remove policy compliance requirements but do not suppress Defender for Cloud recommendations; recommendations are generated by the security engine independently of policy evaluation. Option B is wrong because Microsoft Sentinel automation rules close incidents in Sentinel, not recommendations in Defender for Cloud; these are separate products with distinct data planes. Option D is wrong because Azure Blueprints are used for environment orchestration and compliance, not for suppressing or ignoring security recommendations; they have no mechanism to filter Defender for Cloud recommendations.

1151
MCQ · medium

A SOC analyst needs to ingest firewall logs from an on-premises Cisco ASA into Microsoft Sentinel. The logs are sent via syslog to a Linux server. Which data connector should the analyst use to properly parse and collect these logs?

A. Common Event Format (CEF)
B. Syslog
C. Windows Firewall
D. Cisco ASA via API
Answer: A

The CEF connector is designed to parse syslog messages in Common Event Format, which Cisco ASA supports, enabling detailed log ingestion.

Why this answer

The Common Event Format (CEF) connector is the correct choice because Cisco ASA firewalls send syslog messages that can be forwarded to a Linux log collector (rsyslog or syslog-ng), which then formats them into CEF (a normalized syslog format) before forwarding to the Sentinel Log Analytics workspace. This connector parses the CEF headers and maps the fields into the CommonSecurityLog table, enabling proper parsing and correlation of firewall events.

Exam trap

The trap here is that candidates see 'syslog' in the question and immediately choose the Syslog connector, not realizing that Cisco ASA logs are best ingested via the CEF connector to leverage automatic parsing into structured fields, whereas raw Syslog would require heavy KQL parsing.

How to eliminate wrong answers

Option B is wrong because the raw Syslog connector ingests syslog messages without parsing them into a structured schema; it stores them in the Syslog table as raw text, which would require custom parsing for Cisco ASA fields like source/destination IP and port. Option C is wrong because the Windows Firewall connector is designed for Windows Defender Firewall logs on Windows machines, not for on-premises Cisco ASA logs sent via syslog. Option D is wrong because Cisco ASA does not natively support a REST API for log export; the ASA uses syslog (UDP/TCP) or SNMP, and the 'Cisco ASA via API' connector does not exist in Microsoft Sentinel.

1152
MCQ · hard

An analyst uses this KQL query in Microsoft Sentinel to hunt for potential brute-force attacks. What is the primary purpose of the join operation?

A. To filter out IP addresses that have only successful logons
B. To identify accounts that had both a high number of failed logons and at least one successful logon from the same IP
C. To calculate the ratio of failed to successful logons for each account
D. To remove duplicate entries of account and IP combinations
Answer: B

This correlation helps detect successful brute-force attacks.

Why this answer

Option B is correct because the join is used to correlate failed and successful logons from the same account and IP, which helps identify accounts that eventually succeeded after many failures, a classic brute-force pattern. Option A is wrong because the query does not filter out IPs with only successes. Option C is wrong because the query does not calculate a ratio. Option D is wrong because the join is not filtering or deduplicating anything; it is enriching.

1153
Matching · medium

Match each threat intelligence indicator type to its description.


Concepts
Matches

IPv4 or IPv6 address associated with malicious activity

Domain name used for phishing or C2

Full URL path involved in an attack

MD5, SHA1, or SHA256 hash of a malicious file

Sender address from a phishing campaign

Why these pairings

These are common STIX indicator types used in threat intelligence.

1154
MCQ · easy

A security analyst receives a Microsoft Defender for Cloud Apps alert about a user performing unusual file downloads from SharePoint. The analyst needs to investigate the user's activity in the last 24 hours. Which log source should the analyst query first?

A. Microsoft Entra ID sign-in logs
B. Microsoft Intune device logs
C. Office 365 audit logs
D. Cloud App Security logs in Microsoft Sentinel
Answer: D

Cloud App Security logs contain detailed user activities, including file downloads from SharePoint.

Why this answer

Option D is correct because Defender for Cloud Apps logs user activity in the cloud app activities log. Option A is wrong because Microsoft Entra ID sign-in logs show authentication events, not file downloads. Option C is wrong because Office 365 audit logs include SharePoint file activities, but Defender for Cloud Apps provides a more consolidated view. Option B is wrong because Microsoft Intune logs focus on device management.

1155
MCQ · medium

An incident in Microsoft Sentinel involves a phishing campaign that delivered a malicious macro-enabled document. The document was opened by 15 users. Which playbook action should be triggered automatically to contain the threat?

A. Isolate all affected devices from the network
B. Block the sender's IP address on the email gateway
C. Block the file hash using Microsoft Defender for Endpoint
D. Disable the user accounts of those who opened the document
Answer: C

Blocking the hash stops the malware from running on any device.

Why this answer

The automatic playbook action should block the file hash at the endpoint to prevent further execution. Isolating devices may be too aggressive. Blocking sender IP is not effective against phishing.

Disabling user accounts is not direct.

1156
Multi-Select · hard

Which THREE of the following are valid ways to ingest logs into Microsoft Sentinel?

Select 3 answers
A. Syslog
B. Windows Event Logs
C. AWS CloudTrail
D. Azure Activity Log
E. Custom logs via direct API
Answers: A, C, D

Syslog is a standard data connector for Linux machines.

Why this answer

Syslog, Azure Activity Log, and AWS CloudTrail are valid data connectors. Windows Event Logs are ingested via the Windows Security Events connector, not directly. Custom logs can be ingested via API or Log Analytics agent, but not directly via a custom connector without configuration.

1157
MCQ · easy

Your organization uses Microsoft Sentinel. You have a playbook that sends an email notification to the SOC team when a new incident is created. The playbook is currently triggered manually. You want the playbook to run automatically every time an incident of severity High is created. What should you do?

A. Edit the analytics rule that generates the incident to include the playbook as an automated response.
B. Create an automation rule that triggers when an incident is created with severity High and runs the playbook.
C. Modify the playbook to add a trigger of 'When an incident is created' and set the severity condition.
D. Configure the playbook's Logic Apps designer to use an HTTP trigger that polls Sentinel for new incidents.
Answer: B

Automation rules are the correct way to automate playbook execution.

Why this answer

Automation rules in Sentinel can automatically trigger playbooks based on incident conditions, so Option B is correct. Option A is wrong because the analytics rule does not directly run playbooks. Option C is wrong because the severity condition belongs in an automation rule, which is created in the Automation blade, not inside the playbook. Option D is wrong because the playbook trigger is not configured as a polling HTTP trigger in the Logic Apps designer.

1158
MCQ · medium

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel with the following KQL query:

SigninLogs
| where TimeGenerated > ago(1h)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress
| where EndTime - StartTime < 5m and count_IPAddress > 1

The intended purpose is to detect users logging in from multiple IP addresses in a short time (impossible travel). However, the rule does not generate any alerts. What is the most likely cause?

A. The query references a column 'count_IPAddress' that does not exist. The summarize operator does not create a column with that name.
B. The query does not filter for failed sign-ins (e.g., ResultType == 0).
C. The rule should use a longer time range, such as 24 hours.
D. The rule needs to use the 'make_set' function to correctly count distinct IP addresses.
Answer: A

The summarize creates columns from the aggregate expressions and group-by columns. 'count_IPAddress' is not defined, so the where clause always evaluates to false.

Why this answer

The query uses `summarize ... by UserPrincipalName, IPAddress` which groups by both fields, so it does not create a column named `count_IPAddress`. The `where` clause then references `count_IPAddress`, which does not exist, causing the query to fail silently or return no results. This is why no alerts are generated.

Exam trap

The trap here is that candidates may focus on the logic of impossible travel detection (e.g., time range, distinct IPs) and overlook the simple syntax error of referencing a column that was never created by the `summarize` operator.

How to eliminate wrong answers

Option B is wrong because filtering for failed sign-ins (ResultType == 0) is irrelevant; the rule is designed to detect impossible travel from successful sign-ins, and the issue is a syntax error, not a missing filter. Option C is wrong because the time range (1 hour) is sufficient for detecting short-interval multiple IP logins; extending it would not fix the missing column error. Option D is wrong because `make_set` is used to create an array of distinct values, not to count them; the correct function to count distinct IPs would be `dcount` or `count_distinct`, but the core problem is the non-existent column reference.

1159
MCQ · easy

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. You need to create a custom anti-phishing policy to block similar emails in the future. What should you configure?

A. Enable Safe Attachments for the organization.
B. Configure impersonation protection for the user's domain.
C. Enable spoof intelligence and add the sender domain to the blocked senders list.
D. Create a mail flow rule to block the sender's domain.
Answer: C

Spoof intelligence detects spoofed domains and blocks them.

Why this answer

Option C is correct because spoof intelligence identifies and blocks spoofed senders. Option B is wrong because impersonation protection addresses CEO fraud, not general phishing. Option D is wrong because mail flow rules are transport rules, not anti-phishing. Option A is wrong because Safe Attachments handles attachments, not phishing content.

1160
MCQ · easy

Your organization uses Microsoft Sentinel. A security analyst receives an alert for a suspicious sign-in from an unfamiliar IP address. The analyst wants to quickly check if the same IP address has been associated with any other alerts in the past 30 days. Which action should the analyst take?

A. Create an automation rule to block the IP address.
B. Submit the IP address to Microsoft for threat intelligence.
C. Create a new analytics rule to detect the IP address.
D. Run a KQL query in the Logs blade to search the Alert table for the IP.
Answer: D

KQL query on the Alert table can show all alerts involving the IP.

Why this answer

Using KQL to query the Alert table for the specific IP address allows the analyst to quickly find related alerts, so Option D is correct. Option A is for automation, not investigation; Option B doesn't involve event correlation; Option C is too broad.

1161
Multi-Select · hard

Which TWO of the following are valid methods to retrieve data from Microsoft Sentinel for external analysis during an incident?

Select 2 answers
A. Use Microsoft Sentinel PowerShell cmdlets.
B. Create a Power BI dashboard.
C. Use the Export to CSV feature in the Logs blade.
D. Connect Log Analytics workspace to external tools via API.
E. Use the Microsoft Sentinel API to query incidents and alerts.
Answers: D, E

Log Analytics API allows external querying.

Why this answer

Connecting the Log Analytics workspace to external tools via API (D) allows external querying, and the Microsoft Sentinel API (E) gives programmatic access to incidents and alerts. Option A is for management; Option B is for visualization; Option C is not a standard method.

1162
MCQ · easy

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a remote server. Which Microsoft Defender for Endpoint action type would most likely capture this behavior in DeviceEvents?

A. PowerShellCommand
B. ProcessCreated
C. FileCreated
D. NetworkConnection
Answer: A

Captures PowerShell script commands and execution.

Why this answer

Option A is correct because PowerShell commands that download and execute scripts are typically logged as 'PowerShellCommand' in DeviceEvents. Option B is incorrect because 'ProcessCreated' would show the PowerShell process creation but not the script content. Option C is incorrect because 'FileCreated' would show the payload file but not the download execution. Option D is incorrect because 'NetworkConnection' would show the connection but not the script execution.

1163
Multi-Select · easy

Your organization uses Microsoft Defender for Cloud. You need to remediate a security recommendation that indicates a virtual machine is missing critical security updates. Which TWO actions should you take to remediate this recommendation?

Select 2 answers
A. Add a network security group to block inbound traffic to the VM.
B. Connect to the VM and install the missing updates.
C. Create an exemption for the recommendation in Defender for Cloud.
D. Configure the VM to automatically install updates from Windows Update.
E. Restart the VM to trigger update installation.
Answers: B, D

Installing updates remediates the specific recommendation.

Why this answer

Options B and D are correct. Installing missing updates (B) directly remediates the recommendation, and enabling automatic updates (D) prevents future issues. Option E is wrong because restarting the VM does not install updates. Option A is wrong because the recommendation is about updates, not NSGs. Option C is wrong because creating an exemption would ignore the recommendation.

1164
MCQ · medium

A security analyst is performing threat hunting in Microsoft Sentinel using KQL. The analyst wants to identify all network connections initiated from a specific internal IP address (10.0.0.5) to external IP addresses in the last 24 hours. Which KQL query should the analyst use?

A. DeviceNetworkEvents | where TimeGenerated > ago(24h) | where LocalIP == "10.0.0.5" | where RemoteIP !startswith "10."
B. CommonSecurityLog | where TimeGenerated > ago(24h) | where SourceIP == "10.0.0.5" | where ipv4_is_private(DestinationIP) == false
C. CommonSecurityLog | where TimeGenerated > ago(24h) | where DestinationIP == "10.0.0.5" | where ipv4_is_private(DestinationIP) == false
D. CommonSecurityLog | where TimeGenerated > ago(1h) | where SourceIP == "10.0.0.5" | where ipv4_is_private(DestinationIP) == false
Answer: B

Correctly filters source IP and external destinations over 24h.

Why this answer

Option B is correct because it filters on the source IP and only includes connections to external IPs using a where clause that excludes private IP ranges. Option C is wrong because it checks the destination IP instead of the source. Option D is wrong because it only checks the last hour. Option A is wrong because it uses the wrong table.

1165
Multi-Select · medium

Your team uses Microsoft Defender for Endpoint. An incident involving a device is identified as a high-severity malware infection. Which THREE remediation actions can be performed directly from the incident in Microsoft 365 Defender?

Select 3 answers
A. Wipe the device remotely.
B. Collect an investigation package from the device.
C. Isolate the device from the network.
D. Run a full antivirus scan on the device.
E. Reset the device's local administrator password.
Answers: B, C, D

Action to gather forensic data.

Why this answer

Options B, C, and D are correct because Microsoft 365 Defender incident response actions include collecting an investigation package, isolating the device, and running an antivirus scan. Option A is wrong because device wipe is not a standard Defender for Endpoint action (it's Intune). Option E is wrong because resetting a password is for user accounts, not devices.

1166
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Microsoft Defender for Cloud are ingested into Sentinel and that incidents are automatically created for alerts with severity 'High' or higher. You have already connected Microsoft Defender for Cloud to Sentinel using the data connector. However, no incidents are being created. What should you do?

A. Create an analytics rule that uses the SecurityAlert table and generates incidents for high severity.
B. Configure a streaming policy to forward Defender for Cloud incidents.
C. Enable 'Create incidents' in the Microsoft Defender for Cloud data connector.
D. Create an automation rule that runs on alert ingestion and creates incidents.
Answer: A

Correct: Analytics rules create incidents from alerts.

Why this answer

Option A is correct because the data connector for Defender for Cloud only brings in alerts; to create incidents, you need an analytics rule. Options B and C are wrong because incident creation is not automatic from that connector, and the connector does not have an incident creation toggle. Option D is wrong because automation rules don't create incidents.

1167
MCQ · easy

You are investigating a phishing incident in Microsoft Defender XDR. The user reported receiving an email with a malicious link. You need to identify all users who received the same email. Which feature should you use?

A. Automation & investigations
B. Incidents view
C. Threat Explorer
D. Advanced Hunting
Answer: C

Threat Explorer enables detailed email search and tracking.

Why this answer

Option C is correct because Threat Explorer in Microsoft Defender for Office 365 allows you to search and filter email messages by various attributes, including subject, sender, and recipients, to identify all users who received a specific email. Option D (Advanced Hunting) is for proactive threat hunting, not for investigating a known email. Option B (Incidents view) shows aggregated alerts but not detailed email tracking. Option A (Automation & investigations) is for automated investigation and response.

1168
MCQ · medium

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect when a user account is added to a privileged role in Microsoft Entra ID. The analyst wants to correlate with the user's previous role assignments to identify potential privilege escalation. Which table should the analyst query?

A. AuditLogs
B. SigninLogs
C. AzureActivity
D. SecurityEvent
Answer: A

AuditLogs captures Microsoft Entra ID events such as 'Add member to role', which is essential for detecting privilege escalations.

Why this answer

The AuditLogs table in Microsoft Sentinel captures directory activity, including changes to privileged role assignments in Microsoft Entra ID (formerly Azure AD). By querying AuditLogs, the analyst can correlate the current role addition with historical role assignment events to detect potential privilege escalation. SigninLogs, AzureActivity, and SecurityEvent do not contain the specific role assignment audit data needed for this correlation.

Exam trap

The trap here is that candidates may confuse AzureActivity (which logs Azure resource operations) with Microsoft Entra ID audit logs, or assume SigninLogs contains role assignment data because it includes directory roles in sign-in token claims.

How to eliminate wrong answers

Option B is wrong because SigninLogs records user sign-in events, not directory changes like role assignments. Option C is wrong because AzureActivity logs Azure resource management operations (e.g., VM creation), not Microsoft Entra ID role assignments. Option D is wrong because SecurityEvent collects Windows security events from on-premises or Azure VMs, not cloud directory role changes.

1169
MCQ · hard

Your organization uses Microsoft Sentinel. You have a scheduled analytics rule that queries Windows Security Events to detect local admin group modifications. The rule runs every hour and looks back 1 hour. However, you are missing events that occur within the first few minutes of the hour. What is the most likely cause?

A. The event time is in local time, and the query uses UTC, causing events near the boundary to be excluded.
B. The query period is too short; it should be 2 hours.
C. The rule is using 'Last activity' instead of 'TimeGenerated'.
D. There is a 5-minute ingestion delay for Windows events.
Answer: A

Time zone mismatch can cause events to fall outside the query window.

Why this answer

By default, Sentinel uses UTC time, but the Windows event time may be in local time. If the local time is ahead of UTC, events near the hour boundary may fall outside the query period due to time conversion. Option D is incorrect because ingestion delay is usually not minutes. Option B is incorrect because the query period is already 1 hour. Option C is incorrect because the rule's schedule should capture events within the lookback period.

1170
MCQ · easy

You are configuring Microsoft Sentinel to send email notifications to the SOC manager when a high-severity incident is created. What should you use?

A. Configure an analytics rule to send an email when an incident is created.
B. Create a playbook that sends an email and assign it to an automation rule.
C. Use a workbook to track incidents and configure an alert for email.
D. Add the SOC manager's email to a watchlist and configure a scheduled query.
Answer: B

Playbooks can send emails via connectors like Office 365.

Why this answer

Option B is correct because playbooks can be triggered by automation rules to send emails. Option A is wrong because alert rules do not send emails directly; they create alerts. Option C is wrong because workbooks are for visualization, not notifications.

Option D is wrong because watchlists are for reference data.

1171
MCQ · hard

During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?

A. Upload the CSV to a custom threat intelligence feed using the Threat Intelligence - Upload Indicators API
B. Add the IPs to a Microsoft Sentinel watchlist and reference the watchlist in an analytics rule
C. Create a custom analytics rule that includes the IPs as inline indicators
D. Use Azure Logic Apps to create a playbook that blocks the IPs automatically
Answer: A

This makes the IPs available as threat intelligence indicators for use in detection rules.

Why this answer

Option A is correct because Microsoft Sentinel can ingest threat intelligence from custom CSV files via the Threat Intelligence - Upload Indicators API or a TAXII connector; the analyst can upload the CSV as a new threat intelligence feed. Option B (watchlist) is for temporary lookups, not persistent IOCs for detection. Option C (custom analytics rule) would require the rule to reference the data, but the IOCs are not stored as indicators. Option D (Azure Logic Apps) could automate blocking but is not the primary method for persisting IOCs.

1172
MCQ · hard

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. You need to create an automated playbook that, when a Microsoft Sentinel incident is created from a Defender for Cloud Apps alert, automatically suspends the user in Microsoft Entra ID and sends a notification to the security team. Which two connectors should you use in the playbook?

A. Microsoft Power BI and Microsoft Teams
B. Microsoft Entra ID and Microsoft Teams
C. Azure Automation and Microsoft Sentinel
D. Microsoft Entra ID and Outlook.com
Answer: B

Correct. Entra ID suspends user, Teams sends notification.

Why this answer

The correct answer is B because Microsoft Entra ID is used to suspend the user, and Microsoft Teams is used to send notifications. Option D is incorrect because Outlook.com is not enterprise-grade. Option A is incorrect because Power BI is for visualization, not suspension. Option C is incorrect because Azure Automation is for scripts, not direct user suspension.

1173
MCQ · medium

You are reviewing a hunting query that identifies accounts with failed logons followed by successful logons from the same IP. The query returns no results even though you suspect brute force activity. What is the most likely issue?

A. The time range is too short
B. The join condition is too strict; the SourceIP might differ between failed and successful logons
C. The threshold is too low
D. The EventID for successful logon is incorrect
Answer: B

An attacker may switch IPs after a failed attempt, causing join to miss.

Why this answer

The join uses 'inner', which requires matching keys on both sides. If the IP differs between the failed and successful logons (e.g., the attacker changes IP), the join matches nothing. Option A (time range) is unlikely. Option C (threshold) is not the issue. Option D is not the issue because the EventID is correct. The correct answer is B.

1174
MCQ · easy

An organization uses Microsoft Defender for Office 365. The security team wants to automatically investigate and respond to user-reported phishing emails. Which feature should they enable to automate this process?

A. Attack simulation training
B. Automated investigation and response (AIR)
C. Campaign views
D. Threat Explorer
Answer: B

Correct: AIR can be configured to automatically investigate and remediate threats in user-reported emails.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender for Office 365 automatically triggers a playbook when a user reports a phishing email via the Report Message or Report Phishing add-in. It collects the email, analyzes it using threat intelligence and machine learning, and takes remediation actions such as soft-deleting the message or blocking the sender, all without manual intervention.

Exam trap

The trap here is that candidates often confuse 'Attack simulation training' (a proactive training tool) with the automated response capability, or they think 'Threat Explorer' or 'Campaign views' can automate responses, when in fact those are manual investigation and visualization tools, not automated response engines.

How to eliminate wrong answers

Option A is wrong because Attack simulation training is used to create and run simulated phishing campaigns to train users, not to automatically investigate or respond to actual user-reported phishing emails. Option C is wrong because Campaign views provide a consolidated dashboard to identify and analyze coordinated phishing or malware campaigns across the organization, but they do not automate the investigation and response process for individual user-reported emails. Option D is wrong because Threat Explorer is a real-time investigation tool that allows security analysts to query and hunt for threats across email and collaboration data, but it does not automatically trigger responses based on user reports.

1175
MCQ · hard

You are reviewing a Microsoft Sentinel analytics rule configuration. The rule is not generating incidents as expected. What is the most likely cause?

A. The queryFrequency and queryPeriod are mismatched.
B. The suppressionDuration is set to 5 hours, suppressing alerts.
C. The action type 'MFA disabled' is not supported in IdentityLogonEvents.
D. The query references a table that is not available in the Sentinel workspace.
Answer: D

IdentityLogonEvents requires Microsoft Defender for Identity connector.

Why this answer

Option D is correct because the query uses 'IdentityLogonEvents', which is a table from Microsoft Defender for Identity, not from Microsoft Entra ID. The data source connector for Microsoft Defender for Identity may not be configured. Option C is incorrect because the 'MFA disabled' action type is valid. Option B is incorrect because suppression is disabled. Option A is incorrect because the query frequency matches the query period.

1176
MCQ · medium

Your company uses Microsoft Sentinel with the Microsoft Defender XDR connector. You receive an incident: 'Suspicious mailbox forwarding rule created.' The incident indicates that a user's mailbox in Exchange Online has a forwarding rule to an external email address. The user's account shows no other suspicious activity. You need to respond to the incident. The company policy requires preserving evidence for 30 days. Which action should you take FIRST?

A. Run an automated playbook to collect additional evidence.
B. Reset the user's password and require MFA.
C. Block the external email domain in Exchange Online.
D. Remove the mailbox forwarding rule.
Answer: D

Immediately stops the exfiltration.

Why this answer

Option D is correct: removing the forwarding rule stops data exfiltration immediately. Option B is wrong because resetting the password is not needed if the account is not compromised. Option C is wrong because blocking the external domain may be too broad. Option A is wrong because running a playbook is investigative, not immediate.

1177
MCQ · easy

Your organization uses Microsoft Defender for Cloud. You receive a security alert about a suspicious process on a virtual machine. You want to investigate the process further. What should you do?

A. Create a custom detection rule to alert on similar processes.
B. Run a vulnerability assessment scan on the VM.
C. Initiate a live response session on the VM from Microsoft Defender for Cloud.
D. Initiate an automated investigation on the VM.
Answer: C

Live response provides real-time investigation capabilities.

Why this answer

Option C is correct because live response allows real-time investigation of a VM. Option A is wrong because creating a custom detection rule is for future alerts. Option D is wrong because initiating an automated investigation is for incident response, not ad-hoc investigation. Option B is wrong because running a vulnerability scan is for vulnerabilities, not process investigation.

1178
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Defender for Cloud are automatically ingested into Sentinel with the least latency. What should you configure?

A. Configure a custom API connector in Sentinel to pull alerts from Defender for Cloud REST API every 5 minutes.
B. Enable continuous export in Defender for Cloud to send alerts to a Log Analytics workspace and then create a scheduled query in Sentinel.
C. Use the Microsoft Defender for Cloud data connector in Sentinel to stream alerts.
D. Create a Logic App that triggers on Defender for Cloud alerts and sends them to Sentinel via the Azure Monitor HTTP Data Collector API.
Answer: C

The built-in data connector streams alerts in near real-time with minimal latency.

Why this answer

Option C is correct because the data connector for Microsoft Defender for Cloud (formerly Azure Security Center) provides near real-time streaming of alerts into Sentinel. Option D is incorrect because Logic Apps introduce processing delay. Option A is incorrect because a polling API connector is not optimized for low latency.

Option B is incorrect because continuous export is a feature of Defender for Cloud but does not directly connect to Sentinel without a connector.

1179
MCQ · medium

Refer to the exhibit. This JSON defines a scheduled analytics rule in Microsoft Sentinel. Which type of threat is the rule primarily designed to detect?

A. Script-based malware execution attempting C2 communication
B. Lateral movement using remote desktop
C. Credential dumping via LSASS
D. Data exfiltration via DNS tunneling
Answer: A

Combination of script execution and outbound HTTP.

Why this answer

The query combines rundll32.exe with JavaScript (often used for script-based execution) and outbound HTTP connections (C2). Option A is correct. Option B is incorrect because no lateral movement is detected.

Option C is incorrect because credential theft is not indicated. Option D is incorrect because the query is about outbound connections, not file exfiltration.

1180
MCQ · easy

A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a single user attempts to sign in from more than three different countries within 10 minutes. Which tables and KQL operators are needed?

A. SigninLogs, summarize make_set(Country) by UserPrincipalName, then where countof(Country) > 3
B. SigninLogs, summarize dcount(Country) by UserPrincipalName, bin(TimeGenerated, 10m) having dcount > 3
C. AADSignInEventsMicrosoft, summarize count() by UserPrincipalName
D. AzureActivity, summarize make_list(Country) by Caller
Answer: B

This correctly groups sign-in attempts by user and 10-minute bins, then counts distinct countries and filters for >3.

Why this answer

Option B is correct because it uses the `SigninLogs` table, which contains Azure AD sign-in events with geographic data, and the `summarize dcount(Country) by UserPrincipalName, bin(TimeGenerated, 10m)` pattern to count distinct countries per user within a 10-minute window. The `having dcount > 3` clause filters for users who signed in from more than three distinct countries, directly matching the requirement.

Exam trap

The trap here is that candidates confuse `count()` (total events) with `dcount()` (distinct values) and overlook the need for `bin()` to enforce the time window, leading them to choose Option A or C despite their invalid syntax or wrong table.

How to eliminate wrong answers

Option A is wrong because `make_set(Country)` creates a list of all countries, but `countof(Country)` is not a valid KQL operator; the correct approach is `dcount()` for distinct count, and the syntax `where countof(Country) > 3` would fail. Option C is wrong because `AADSignInEventsMicrosoft` is a table from Microsoft 365 Defender, not Sentinel's default sign-in logs, and `count()` aggregates total events per user without any country or time-window logic. Option D is wrong because `AzureActivity` logs Azure resource management operations, not user sign-ins, and `make_list(Country)` would not apply to sign-in geography.

1181
MCQ · easy

Your threat hunting team uses Microsoft Sentinel. They want to search for anomalous network connections to known malicious IP addresses over the past 7 days. Which KQL operator should they use to match the source IP addresses against a watchlist containing the malicious IPs?

A. where
B. in
C. has
D. contains
Answer: B

The `in` operator returns true if the value is in the list.

Why this answer

Option B is correct because the `in` operator checks whether a value exists in a list or dynamic array. Option C is wrong because `has` is for string containment, not list membership. Option A is wrong because `where` is a clause, not an operator for list matching.

Option D is wrong because `contains` is for substring matching.

1182
MCQ · medium

A security analyst is investigating a malware incident and has identified a specific parent process ID (PID) on an endpoint. The analyst wants to retrieve all outbound network connections made by any child processes spawned by this parent process. Which advanced hunting table should the analyst query to get the network connection details, including the destination IP and the child process ID?

A. DeviceProcessEvents
B. DeviceNetworkEvents
C. DeviceEvents
D. IdentityNetworkEvents
Answer: B

DeviceNetworkEvents captures network connections initiated by processes, including destination IP and initiating process ID.

Why this answer

DeviceNetworkEvents is the correct table because it specifically captures outbound network connections, including destination IP addresses and process IDs (PID). By filtering on the parent process ID and then joining or filtering on child process IDs, the analyst can trace all network connections initiated by child processes spawned from the identified parent PID.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which shows process ancestry) with DeviceNetworkEvents (which shows actual network flows), mistakenly thinking process creation logs include network details, when in fact you need the network-specific table to retrieve destination IPs and child process IDs.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation events (e.g., command lines, parent PID) but does not include network connection details such as destination IP or port. Option C is wrong because DeviceEvents captures security-related events (e.g., Windows Defender alerts, file modifications) but not raw network connection logs. Option D is wrong because IdentityNetworkEvents is part of Microsoft Defender for Identity and tracks network activities related to identity-based attacks (e.g., Kerberos, NTLM) on domain controllers, not endpoint outbound connections from arbitrary child processes.

1183
MCQ · medium

An organization ingests Windows Security Events into Microsoft Sentinel via the Security Events connector. An analyst wants to create a scheduled analytics rule that alerts when more than 10 failed logon events (Event ID 4625) occur for the same user within a 5-minute window. Which KQL operator should the analyst use to count events per user in that time window?

A. summarize
B. extend
C. project
D. where
Answer: A

summarize groups rows and can compute aggregate values like count() per user and time bin.

Why this answer

The `summarize` operator is correct because it groups events by user and then applies an aggregation function (like `count()`) to calculate the number of failed logon events per user within the 5-minute window. This directly supports the rule's requirement to count events per user and compare the count to a threshold of 10.

Exam trap

The trap here is that candidates often confuse `summarize` with `extend` or `project`, mistakenly thinking that adding a calculated column or selecting columns can perform grouping and counting, when only `summarize` provides aggregation capabilities.

How to eliminate wrong answers

Option B (`extend`) is wrong because it creates new calculated columns for each row but does not group or aggregate data, so it cannot count events per user. Option C (`project`) is wrong because it selects or reorders columns without performing any aggregation or grouping. Option D (`where`) is wrong because it filters rows based on a condition but does not count or group events per user.

1184
MCQ · hard

A security analyst is using Microsoft 365 Defender advanced hunting to investigate potential lateral movement. The analyst has identified a compromised device (DeviceA) and wants to find all other devices to which DeviceA initiated a remote desktop connection in the last 24 hours. Which table and query approach should the analyst use?

A. Query DeviceNetworkEvents for events from DeviceA with RemotePort 3389, then join with DeviceInfo to get target device names.
B. Query DeviceLogonEvents for LogonType 10 (RemoteInteractive), filtering by initiating device.
C. Query IdentityLogonEvents to find logons associated with DeviceA.
D. Query EmailEvents to find emails sent from DeviceA that contain RDP configuration files.
Answer: A

DeviceNetworkEvents captures network connections, including destination IP and port. Remote Desktop connections typically use port 3389. From the IP, the analyst can identify target devices via DeviceInfo.

Why this answer

Option A is correct because DeviceNetworkEvents logs network connections, including outbound RDP traffic (port 3389). By filtering for events from DeviceA with RemotePort 3389, the analyst captures all RDP connections initiated by DeviceA. Joining with DeviceInfo resolves the target IP addresses to device names, providing a complete list of devices that received an RDP connection from DeviceA in the last 24 hours.

Exam trap

The trap here is that candidates confuse 'initiating an RDP connection' (network-level outbound connection) with 'successful RDP logon' (authentication event on the target), leading them to incorrectly choose DeviceLogonEvents with LogonType 10 instead of DeviceNetworkEvents.

How to eliminate wrong answers

Option B is wrong because DeviceLogonEvents with LogonType 10 (RemoteInteractive) records successful interactive logons on the target device, not the initiation of an RDP connection from the source device; it would show logons on DeviceA from other devices, not connections from DeviceA to others. Option C is wrong because IdentityLogonEvents tracks authentication events at the identity level (e.g., Azure AD logons), not device-level network connections or RDP session initiations. Option D is wrong because EmailEvents logs email traffic, not network connections; RDP configuration files attached to emails are irrelevant to detecting actual RDP connections made from DeviceA.

1185
Multi-Select · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The SOC team needs to investigate a cross-tenant incident. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Use the Microsoft Defender XDR unified incident queue to view incidents across tenants.
B. Install the Microsoft Sentinel solution for each tenant separately.
C. Onboard the tenants to Azure Lighthouse and delegate the Sentinel workspace.
D. Create a workspace query using the union operator to combine data from all tenants.
Answers: A, C

The unified incident queue aggregates incidents from all onboarded tenants.

Why this answer

Option A is correct because the Microsoft Defender XDR unified incident queue can display incidents from multiple tenants when properly configured, enabling cross-tenant investigation without additional licensing. This feature leverages Azure Lighthouse delegated access to aggregate alerts and incidents across tenants into a single view, streamlining SOC workflows.

Exam trap

The trap here is that candidates confuse cross-workspace queries (which combine log data) with cross-tenant incident management, assuming the union operator can unify incidents when it only merges raw log tables, not the incident entities themselves.

1186
MCQ · medium

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network connections from a compromised workstation. The analyst suspects that a beaconing pattern is present. Which KQL function is most appropriate to detect periodic beaconing behavior over time?

A. series_decompose(TimeGenerated)
B. make_list(TimeGenerated)
C. startofday(TimeGenerated)
D. bin(TimeGenerated, 1h)
Answer: C

startofday groups by day, making it easy to count daily beacons and detect periodicity.

Why this answer

Option C is correct because the `startofday` function can be used to aggregate events by day and then count occurrences to detect regular beaconing. Option B is wrong because `make_list` creates arrays; it does not perform time-series detection. Option D is wrong because `bin` can help, but `startofday` is more natural for daily beaconing.

Option A is wrong because `series_decompose` is for anomaly detection, not specifically for periodic beaconing.

1187
MCQ · hard

You have a Microsoft Sentinel automation rule that triggers a playbook. The playbook definition is shown in the exhibit. The playbook runs but no email is sent. What is the most likely cause?

A. The JSON syntax is invalid.
B. The email operation 'SendEmailV2' is deprecated.
C. The playbook uses a recurrence trigger instead of a Microsoft Sentinel trigger.
D. The connection name 'office365' is incorrect.
Answer: C

Automation rules require a Sentinel-specific trigger; recurrence triggers don't receive incident context.

Why this answer

The playbook definition shows a 'Recurrence' trigger, but automation rules in Sentinel use 'MicrosoftSentinelIncident' or 'MicrosoftSentinelAlert' triggers. A recurrence trigger is for scheduled playbooks, not incident-triggered. Option C is correct.

Option D is wrong because 'office365' is a typical, valid connection name. Option A is wrong because the JSON is valid. Option B is wrong because the 'SendEmailV2' operation is valid.

1188
Multi-Select · medium

Which TWO of the following are valid methods to detect Kerberoasting attacks during a threat hunt? (Select TWO.)

Select 2 answers
A. Service account logon events with RC4 encryption type.
B. Multiple Kerberos TGS requests from a single user account to multiple service accounts.
C. Unusual number of LDAP queries from a domain controller.
D. High volume of NTLM authentication failures from a single IP.
E. Detection of forged Kerberos tickets (Golden Ticket) in the domain.
Answers: A, B

Kerberoasting often results in RC4-encrypted tickets.

Why this answer

Options A and B are correct. A: Service account usage with RC4 encryption is a sign of Kerberoasting. B: Unusual TGS requests from a single user account to multiple service accounts can indicate Kerberoasting.

D: NTLM authentication failures are not specific to Kerberoasting. E: Golden Ticket attacks involve different artifacts.

1189
MCQ · hard

Refer to the exhibit. You create an automation rule in Microsoft Sentinel using the ARM template snippet shown. However, the rule does not trigger when a high-severity incident is created. What is the most likely cause?

A. The playbook resource ID is invalid.
B. The 'triggersWhen' property should be 'Updated' instead of 'Created'.
C. The order property is set to 1, conflicting with another rule.
D. The automation rule does not specify the incident provider condition.
Answer: D

Missing provider condition prevents triggering.

Why this answer

The automation rule is missing the 'Incident Provider' condition, which is required to specify which provider's incidents should trigger the rule (e.g., Microsoft Defender XDR). Without it, the rule may not fire for incidents from certain providers. Option A is wrong because the playbook is referenced correctly.

Option C is wrong because the order is fine. Option B is wrong because 'Created' is the correct trigger value for a rule that should fire when an incident is created.

1190
MCQ · easy

Your organization is migrating from Azure Active Directory to Microsoft Entra ID. You need to ensure that Microsoft Sentinel continues to receive identity logs. What should you do?

A. Install the new Microsoft 365 Defender connector for identity logs.
B. No action is required; the existing connector automatically updates.
C. Reconfigure the diagnostic settings to send logs to a new Log Analytics workspace.
D. Create a new data connector for Microsoft Entra ID.
Answer: B

The connector uses the same underlying API.

Why this answer

Option B is correct because Microsoft Entra ID is the same service under a new name, so the existing connector remains valid. Option C is wrong because no new workspace or diagnostic settings are needed. Option A is wrong because Microsoft 365 Defender is a separate connector.

Option D is wrong because no migration is needed.

1191
MCQ · medium

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You notice that MDI alerts are not appearing in Sentinel. You have already installed the MDI data connector and configured the workspace. What is the most likely cause?

A. The workspace is in a different region than MDI
B. The Microsoft 365 Defender connector is not installed
C. The data connector is not enabled, even though it is installed
D. Microsoft Defender for Identity is not licensed
Answer: C

Installing a connector does not enable it; you must also enable it in the Sentinel connectors page.

Why this answer

Option C is correct because the connector needs to be enabled after it is installed. Option A is wrong because a workspace in a different region still works. Option B is wrong because the Microsoft 365 Defender connector is not required.

Option D is wrong because the connector handles ingestion.

1192
Multi-Select · hard

Which THREE of the following are key steps when containing a ransomware incident in Microsoft Defender XDR? (Select THREE.)

Select 3 answers
A. Restore encrypted files from backup
B. Block known malicious file hashes via Indicators of compromise
C. Disable compromised user accounts in Microsoft Entra ID
D. Analyze the root cause of the outbreak
E. Isolate compromised devices using Microsoft Defender for Endpoint
Answers: B, C, E

Blocking IoCs prevents further execution.

Why this answer

Options B, C, and E are correct. Isolating devices, blocking indicators, and disabling user accounts are key containment steps. Option A is wrong because restoring from backup is part of recovery, not containment.

Option D is wrong because analyzing the root cause is part of investigation after containment.

1193
MCQ · medium

Your SOC team uses Microsoft Sentinel to manage incidents. You want to categorize incidents based on the MITRE ATT&CK technique. You notice that some incidents are not being tagged with the correct technique. What should you check first?

A. The playbook assigned to the incident is overriding the technique tag.
B. The incident creation rule in the automation section is misconfigured.
C. The data connector for the source service is not ingesting the required fields.
D. The analytics rule that generated the incident has the correct MITRE ATT&CK technique selected.
Answer: D

The rule defines the technique mapping.

Why this answer

Option D is correct because the mapping of alerts to MITRE ATT&CK techniques is done in the analytics rule itself. If the rule does not have the correct technique configured, incidents won't be tagged. Option A is wrong because playbooks are for enrichment, not the source of the mapping.

Option C is about data ingestion. Option B is about automation, not the initial mapping.

1194
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You receive an alert about an impossible travel activity for a user. What is the best first step to validate if this is a true positive?

A. Block the user immediately
B. Run an advanced hunting query in Microsoft Sentinel
C. Contact the user's manager
D. Review the user's sign-in logs in Microsoft Entra ID
E. Check the user's device compliance in Microsoft Intune
Answer: D

Corroborate the activity.

Why this answer

Option D is correct because impossible travel alerts in Microsoft Defender for Cloud Apps are generated based on sign-in activity and user location data. The most direct way to validate whether the alert is a true positive is to review the user's sign-in logs in Microsoft Entra ID (formerly Azure AD), which provides detailed information about each sign-in attempt, including IP addresses, locations, timestamps, and authentication details. This allows you to confirm whether the two sign-ins occurred within an unrealistic time frame for the geographic distance, or if there are anomalies such as VPN usage or IP spoofing that indicate a false positive.

Exam trap

The trap here is that candidates often jump to advanced hunting in Sentinel (Option B) as the first step, forgetting that the alert originates from Defender for Cloud Apps and the most immediate and authoritative source for sign-in details is the Entra ID sign-in logs, which are the same data that Defender for Cloud Apps uses to generate the alert.

How to eliminate wrong answers

Option A is wrong because immediately blocking the user without investigation could disrupt legitimate access and does not validate the alert; it is a reactive action, not a validation step. Option B is wrong because running an advanced hunting query in Microsoft Sentinel is a deeper investigation step that may be appropriate after initial validation, but it is not the best first step when the alert originates from Defender for Cloud Apps and the sign-in logs in Entra ID are the primary source for immediate verification. Option C is wrong because contacting the user's manager is a secondary step that relies on human confirmation and does not provide technical evidence; it should be done after reviewing logs to gather context.

Option E is wrong because checking the user's device compliance in Microsoft Intune addresses device health and policy compliance, which is unrelated to verifying the geographic plausibility of sign-in events in an impossible travel scenario.

1195
Multi-Select · hard

Which THREE components are required to automate incident response in Microsoft Sentinel using playbooks? (Choose three.)

Select 3 answers
A. An automation rule in Sentinel.
B. A Logic Apps workflow.
C. A workbook.
D. An analytics rule.
E. A trigger (e.g., when an incident is created).
Answers: A, B, E

Automation rules trigger playbooks.

Why this answer

Option B is correct because playbooks are based on Azure Logic Apps. Option A is correct because automation rules trigger playbooks. Option E is correct because a trigger is required for the logic app.

Option D is wrong because analytics rules create incidents, not playbooks. Option C is wrong because workbooks are for visualization, not automation.

1196
MCQ · easy

Your organization uses Microsoft Sentinel for security operations. You need to ensure that a specific AWS CloudTrail log is ingested into Microsoft Sentinel. Which data connector should you use?

A. AWS CloudTrail Connector
B. Amazon Web Services S3 Connector
C. Azure Functions (AWS)
D. AWS Security Hub Connector
Answer: B

The AWS S3 connector ingests CloudTrail logs.

Why this answer

The Amazon Web Services S3 Connector is the correct choice because AWS CloudTrail logs are stored as JSON files in an S3 bucket. Microsoft Sentinel ingests these logs by connecting directly to the S3 bucket, reading the CloudTrail log files, and pulling them into the Log Analytics workspace. The AWS CloudTrail Connector, by contrast, is a legacy connector that requires a separate AWS Lambda function and is deprecated in favor of the S3 connector.

Exam trap

The trap here is that candidates confuse the legacy AWS CloudTrail Connector (Option A) with the modern Amazon Web Services S3 Connector, assuming the name 'CloudTrail' is the correct match, when in fact the S3 connector is the current recommended method for ingesting CloudTrail logs.

How to eliminate wrong answers

Option A is wrong because the AWS CloudTrail Connector is a legacy connector that requires an AWS Lambda function to forward logs, and it is deprecated in favor of the Amazon Web Services S3 Connector. Option C is wrong because Azure Functions (AWS) is a generic compute service used for custom integrations, not a dedicated data connector for CloudTrail logs. Option D is wrong because the AWS Security Hub Connector ingests security findings from AWS Security Hub, not raw CloudTrail log files.

1197
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from a specific app for users outside the corporate network. What should you configure?

A. A session policy
B. An anomaly detection alert
C. A file policy
D. An access policy
Answer: A

Session policies can block downloads based on location.

Why this answer

Conditional Access App Control in Defender for Cloud Apps allows session policies to control in-session actions, such as downloads, based on location. Option A is correct. Option D is wrong because an access policy controls whether the app can be accessed, not actions within the session.

Option B is for alerts. Option C is for data classification.

1198
MCQ · hard

Refer to the exhibit. A KQL query is used in a Microsoft Sentinel scheduled analytics rule to detect unhealthy agents. The rule runs every 5 minutes and has a lookback period of 5 minutes. What is the potential issue?

A. The query will return all computers as unhealthy because the threshold is too high.
B. The query will not return any results because Heartbeat data is not in the workspace.
C. The query may miss agents with no heartbeat in the last 5 minutes due to the lookback period matching the run frequency.
D. The query will cause a runtime error because ago() is misused.
Answer: C

The lookback period is too short, causing gaps.

Why this answer

Option C is correct because the rule runs every 5 minutes with a 5-minute lookback, creating a gap: if an agent sends a heartbeat at 0:01 and the rule runs at 0:05, the heartbeat falls within the lookback window. However, if the agent misses a heartbeat cycle (e.g., heartbeat interval is 10 minutes), the rule may not detect the absence because the lookback window only covers the last 5 minutes, and the last heartbeat might be older than 5 minutes. This means agents with no heartbeat in the last 5 minutes could be missed, especially if the heartbeat interval is longer than the lookback period.

Exam trap

The trap here is that candidates assume matching the lookback to the run frequency ensures complete coverage, but they overlook that the data source (Heartbeat) may have a longer generation interval, causing missed detections.

How to eliminate wrong answers

Option A is wrong because the threshold is not specified in the query or rule configuration; the issue is about timing, not threshold values. Option B is wrong because Heartbeat data is a standard data type collected by the Log Analytics agent and is typically present in the workspace; the query assumes it exists. Option D is wrong because ago() is used correctly in KQL to reference a time range relative to the current time; there is no misuse that would cause a runtime error.

1199
Multi-Select · medium

Which THREE actions are recommended practices for managing Microsoft Sentinel costs?

Select 3 answers
A. Set daily caps on high-volume tables.
B. Use Basic Logs tier for verbose logs.
C. Implement ingestion-time data transformation to filter out noise.
D. Ingest all logs to ensure complete visibility.
E. Increase retention period to 1 year for all tables.
Answers: A, B, C

Prevents runaway costs.

Why this answer

Setting daily caps on high-volume tables is a recommended practice because it prevents unexpected cost overruns by limiting the amount of data ingested into expensive tables like SecurityEvent or CommonSecurityLog. Microsoft Sentinel bills per GB ingested, so capping tables that generate large volumes of noise (e.g., verbose Windows event logs) directly controls costs without necessarily impacting security visibility, as critical alerts can still be generated from other sources.

Exam trap

The trap here is that candidates often confuse 'complete visibility' (Option D) with best practice, but Microsoft Sentinel explicitly recommends filtering noise at ingestion to reduce costs and improve signal-to-noise ratio, not ingesting everything.

1200
Multi-Select · hard

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to incidents with severity High and enriches them with threat intelligence from Microsoft Defender Threat Intelligence. Which TWO actions should you include?

Select 2 answers
A. Create an automation rule that triggers when an incident is created with severity High and runs a playbook to enrich the incident with threat intelligence.
B. Set the automation rule to modify the analytics rule's query to include threat intelligence.
C. Configure the playbook to run directly from the analytics rule that generates the incident.
D. Use the analytics rule's incident configuration to automatically run the playbook.
E. Add an action in the automation rule to change the incident severity after enrichment.
Answers: A, E

Automation rules can trigger on incident creation and run playbooks.

Why this answer

To respond to incidents automatically, you use automation rules. Option A is correct because automation rules run playbooks. Option E is correct because automation rules can also change the incident severity.

Option C is wrong because playbooks are triggered by automation rules, not directly from the analytics rule. Option B is wrong because automation rules cannot modify queries. Option D is wrong because analytics rules do not automatically run playbooks without an automation rule.
