Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 12011275

1639 questions total · 22pages · All types, answers revealed

Page 16

Page 17 of 22

Page 18
1201
Multi-Selectmedium

Which TWO roles are included in Microsoft Sentinel built-in roles? (Choose two.)

Select 2 answers
A.Microsoft Sentinel Responder
B.Microsoft Sentinel Administrator
C.Microsoft Sentinel Reader
D.Microsoft Sentinel Operator
E.Global Administrator
AnswersA, C

Responder is a built-in role for incident triage.

Why this answer

Microsoft Sentinel has built-in roles: Reader, Responder, Contributor, and Automation Contributor. Operator is not a built-in role. Global Administrator is a Microsoft Entra ID role, not a Sentinel built-in role.

1202
Multi-Selecteasy

Which TWO are valid incident management actions in Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Merge two incidents into one
B.Export the incident to a CSV file
C.Change the incident status to 'Closed'
D.Delete an incident
E.Assign the incident to another analyst
AnswersC, E

Status can be changed to Closed or Resolved.

Why this answer

Options B and D are correct. B: Changing the status to 'Closed' is a valid action. D: Assigning the incident to another analyst is a valid action.

Option A is wrong because deleting incidents is not supported; they can be closed or archived. Option C is wrong because merging incidents is not a direct action; incidents can be linked via groups. Option E is wrong because exporting incidents to a CSV is not a built-in action.

1203
MCQhard

A security analyst in Microsoft Sentinel wants to correlate Microsoft Entra ID sign-in logs with IP addresses known to be associated with a threat actor. The threat actor's IPs are stored in a custom table named 'ThreatIntelligence_IP' that is ingested daily. The analyst needs to create an analytics rule that triggers only when a sign-in occurs from one of these IPs AND when the user is not in a list of approved users (stored in another custom table 'ApprovedUsers'). Which KQL query pattern should the analyst use to achieve this correlation and filtering?

A.SigninLogs | join ThreatIntelligence_IP on IPAddress | where UserId notin (ApprovedUsers | project UserId)
B.SigninLogs | where IPAddress in (ThreatIntelligence_IP | project IPAddress) and UserId !in (ApprovedUsers | project UserId)
C.SigninLogs | join kind=inner ThreatIntelligence_IP on IPAddress | join kind=leftanti (ApprovedUsers | project UserId) on $left.UserId == $right.UserId
D.SigninLogs | join ThreatIntelligence_IP on IPAddress | where not(UserId in (ApprovedUsers | project UserId))
AnswerC

This query first performs an inner join to keep only sign-ins from threat actor IPs, then a left anti join to exclude sign-ins from approved users. This is the most efficient and clear pattern.

Why this answer

Option C is correct because it uses a `join kind=inner` to match sign-in logs with threat IPs, ensuring only sign-ins from known malicious IPs are considered. It then applies a `join kind=leftanti` to exclude any user who appears in the ApprovedUsers table, effectively filtering out approved users. This pattern guarantees that the rule triggers only when both conditions are met: the IP is in the threat list and the user is not approved.

Exam trap

The trap here is that candidates often choose Option B thinking that `in` and `!in` with subqueries are the simplest way to filter, but they overlook that KQL requires proper join semantics for correlating two tables, and that `in` with a table expression may not work as expected in all contexts, especially when the subquery returns multiple rows or columns.

How to eliminate wrong answers

Option A is wrong because it uses a `join` without specifying a join kind, which defaults to `innerunique` and may produce duplicate or unexpected results, and the `where` clause after the join does not properly exclude approved users as a set operation. Option B is wrong because it uses `in` and `!in` operators with subqueries that are not supported in the `where` clause for table expressions; KQL requires `in` to work with a list or a subquery that returns a single column, but the syntax `UserId !in (ApprovedUsers | project UserId)` is valid only if the subquery is enclosed in parentheses and the table is referenced correctly, but the main issue is that `IPAddress in (ThreatIntelligence_IP | project IPAddress)` is inefficient and may cause performance issues or incorrect results due to lack of proper join semantics. Option D is wrong because it uses a `join` without specifying a kind (defaulting to `innerunique`), and the `where` clause with `not(UserId in (...))` is syntactically incorrect as `not` cannot be applied to an `in` operator in that way; the correct syntax would be `where UserId !in (...)`.

1204
Multi-Selecteasy

Your organization uses Microsoft 365 Defender. During an incident, which TWO actions can be taken directly from the Microsoft 365 Defender portal to remediate a compromised email account?

Select 2 answers
A.Remove mailbox delegation permissions.
B.Block the sender's email address in the tenant's allow/block list.
C.Soft delete malicious emails from the user's mailbox.
D.Reset the user's password and revoke sessions.
E.Isolate the user's mailbox from receiving emails.
AnswersC, D

Action available in Threat Explorer or email entity page.

Why this answer

Options A and D are correct because the Microsoft 365 Defender portal allows soft-deleting emails and resetting passwords for compromised accounts. Option B is wrong because sender reputation is not directly manageable. Option C is wrong because mailbox delegation is not a remediation action.

Option E is wrong because email isolation is not a feature for individual accounts.

1205
Multi-Selecthard

Which THREE conditions can you use to trigger a Microsoft Sentinel scheduled analytics rule?

Select 3 answers
A.Custom threshold on a specific field
B.Query results include a specific IP address
C.Query results contain a specific entity type
D.Number of query results exceeds a threshold
E.Time since last alert for a given entity exceeds a value
AnswersA, C, D

Rules can trigger when a custom field meets a condition.

Why this answer

Option A is correct because Microsoft Sentinel scheduled analytics rules allow you to set a custom threshold on a specific field within the query results. This condition triggers an alert when the aggregated value of that field (e.g., count, sum, or average) meets or exceeds the defined threshold, enabling precise detection of anomalies like excessive failed logins from a single user.

Exam trap

The trap here is that candidates confuse the query's WHERE clause (e.g., filtering for a specific IP) with a rule-level trigger condition, but Microsoft Sentinel only supports the three listed conditions (custom threshold, entity type, and result count) for scheduled rules.

1206
MCQhard

A company uses Microsoft Defender for Cloud with Defender for Servers enabled. The security team wants to receive an alert when a new user is added to the local Administrators group on a Windows virtual machine. Which data source must be enabled in Defender for Cloud to capture this event?

A.Enable the collection of Windows Security Event Log events (e.g., Event ID 4732) through the Log Analytics agent configuration.
B.Enable Just-in-Time (JIT) VM access on the virtual machine.
C.Enable Adaptive Application Controls (AAC) for the virtual machine.
D.Enable Azure Defender for SQL on the subscription.
AnswerA

Correct. Local group changes are captured via Windows security event 4732. To get this into Defender for Cloud, you must ensure the Log Analytics agent is collecting security events and that the required audit policies are in place.

Why this answer

Option A is correct because the event of adding a user to the local Administrators group on Windows is logged as Security Event ID 4732. To capture this event in Defender for Cloud, the Log Analytics agent must be configured to collect Windows Security Event Log events, which includes Event ID 4732. This data source enables Defender for Cloud to generate security alerts based on such privileged group modifications.

Exam trap

The trap here is that candidates may confuse data collection sources (e.g., JIT, AAC, or SQL Defender) with the specific Windows Security Event Log required to detect local group membership changes, assuming any security control can generate the alert.

How to eliminate wrong answers

Option B is wrong because Just-in-Time (JIT) VM access controls network access to management ports (e.g., RDP, SSH) and does not capture local group membership changes. Option C is wrong because Adaptive Application Controls (AAC) define allowlists for running applications on VMs and do not monitor or alert on user account modifications. Option D is wrong because Azure Defender for SQL is a plan for securing SQL databases and servers, not for monitoring local user group changes on Windows VMs.

1207
MCQmedium

While hunting, you notice a user account has been created and then immediately added to the Domain Admins group. Which table in Microsoft 365 Defender should you query to find this event?

A.IdentityQueryEvents
B.IdentityLogonEvents
C.DeviceEvents
D.IdentityDirectoryEvents
AnswerD

Captures directory service changes including group membership.

Why this answer

IdentityDirectoryEvents captures directory service changes like group membership modifications. IdentityLogonEvents is for logons. IdentityQueryEvents is for LDAP queries.

DeviceEvents is for system events. The correct table is IdentityDirectoryEvents.

1208
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A new security policy requires that all incidents involving 'Credential Access' tactics be automatically assigned to the Tier 1 SOC team and have a severity of 'High'. You need to configure this automation. What should you do?

A.Configure an automated investigation rule in Microsoft Defender XDR to assign incidents.
B.Create a playbook in Microsoft Sentinel that runs on incident creation and assigns the incident to Tier 1 SOC.
C.Create an automation rule in Microsoft Sentinel with conditions for tactic 'Credential Access' and actions to assign to Tier 1 SOC and set severity to High.
D.Modify the analytics rule that generates the incidents to include the assignment and severity settings.
AnswerC

Correct: Automation rules can set incident properties based on conditions.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can be set to trigger when an incident is created, with conditions based on tactic (e.g., Credential Access) and actions to assign owner and set severity. Option B is wrong because playbooks require an automation rule to trigger them. Option C is wrong because analytics rules create incidents but cannot assign or change severity after creation.

Option D is wrong because Microsoft Defender XDR doesn't manage Sentinel incident assignment.

1209
MCQeasy

Refer to the exhibit. You execute the Azure CLI command to create an analytics rule in Microsoft Sentinel. The rule is created but never triggers. What is the most likely cause?

A.The query references a column that does not exist in SigninLogs
B.The --enabled parameter should be set to false
C.The severity must be set to Low for the rule to trigger
D.The resource group name is incorrect
AnswerA

Correct column is 'riskLevelDuringSignIn' (camelCase).

Why this answer

Option A is correct because if the KQL query in the analytics rule references a column that does not exist in the SigninLogs table, the query will run but return zero results (or an error depending on the query structure), causing the rule to never trigger an alert. In Microsoft Sentinel, analytics rules rely on the query to produce matching results; if the column name is misspelled or absent, no events will match the rule conditions, so no incidents are generated.

Exam trap

The trap here is that candidates may assume a rule creation success means the query is valid, but Microsoft Sentinel does not validate column existence in KQL queries at creation time—only at execution time, leading to silent failures.

How to eliminate wrong answers

Option B is wrong because setting --enabled to false would disable the rule entirely, but the question states the rule is created and never triggers—implying it is enabled but not firing; the issue is not about the enabled state. Option C is wrong because severity (Low, Medium, High) does not affect whether a rule triggers; severity only determines the classification of the incident once the rule fires. Option D is wrong because if the resource group name were incorrect, the Azure CLI command would fail during creation with a resource-not-found error, but the rule was successfully created, so the resource group name is valid.

1210
MCQmedium

During a threat hunt, you find an alert for a suspicious PowerShell script that encoded a payload. You want to decode the script to understand its intent. Which Microsoft Sentinel feature can assist with this task?

A.Playbooks
B.Workbooks
C.Hunting blade with KQL using base64_decode_tostring()
D.Analytics rules
AnswerC

KQL provides string functions like base64_decode_tostring() to decode Base64 content.

Why this answer

Sentinel's Entity behavior analytics can provide context, but for decoding, using a custom notebook or Azure Functions with PowerShell is more direct. However, the question asks for a feature; the correct answer is to use the 'Hunting' blade with a custom KQL query that uses base64_decode_tostring() function. Option A (Playbooks) are for automated response.

Option B (Workbooks) for visualization. Option D (Analytics rules) for detection.

1211
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule created via ARM template. You notice that the rule is not triggering the playbook when a high-severity incident is created. What is the most likely cause?

A.The playbook resource ID is missing the 'locations' parameter.
B.The automation rule is disabled by default and needs to be enabled.
C.The playbook does not have a trigger for Microsoft Sentinel.
D.The condition syntax is invalid; automation rules in ARM templates require specific operator properties.
AnswerD

The condition must use a valid operator like 'equals'.

Why this answer

Option D is correct because automation rules in ARM templates require explicit operator properties (e.g., 'Equals', 'Contains') in the condition syntax. If the condition is written without these operators or uses invalid JSON structure, the rule will fail to evaluate triggers correctly, preventing the playbook from being invoked when a high-severity incident is created.

Exam trap

Microsoft often tests the nuance that ARM templates require explicit operator properties in automation rule conditions, while the portal UI may hide this complexity, leading candidates to overlook syntax validation errors.

How to eliminate wrong answers

Option A is wrong because the 'locations' parameter is not a required property for a playbook resource ID in an automation rule; the resource ID only needs the subscription, resource group, and playbook name. Option B is wrong because automation rules created via ARM templates are not disabled by default; they are enabled unless explicitly set to 'disabled' in the template. Option C is wrong because the playbook does not need a separate trigger for Microsoft Sentinel; the automation rule itself invokes the playbook via its action, and the playbook's first step is typically a Microsoft Sentinel connector trigger.

1212
MCQmedium

You are a SOC analyst using Microsoft Defender XDR. You notice that a user's account has been compromised and is being used to send phishing emails. You need to prevent the user from sending any more emails while preserving the ability to receive emails for investigation. What should you do?

A.Remove the user's Microsoft 365 license.
B.Disable the user account in Microsoft Entra ID.
C.Restrict the user from sending email using Microsoft Defender for Office 365 mailbox restrictions.
D.Delete the user's mailbox in Exchange Online.
AnswerC

This blocks outgoing email while allowing incoming email for investigation.

Why this answer

In Microsoft Defender XDR, you can restrict a user from sending email by applying a mailbox restriction. Option B is correct. Option A is wrong because disabling the user in Entra ID prevents all access.

Option C is wrong because deleting the mailbox removes all data. Option D is wrong because removing licenses removes access to all Microsoft 365 services.

1213
Multi-Selecthard

Which THREE components are part of Microsoft's unified security operations platform (Microsoft Defender XDR)?

Select 3 answers
A.Microsoft Defender for Endpoint.
B.Microsoft Intune.
C.Microsoft Defender for Office 365.
D.Microsoft Defender for Identity.
E.Microsoft Sentinel.
AnswersA, C, D

Defender for Endpoint is a core component of Microsoft Defender XDR.

Why this answer

Microsoft Defender XDR is Microsoft's unified security operations platform that integrates signals from across the Microsoft 365 ecosystem. Microsoft Defender for Endpoint is a core component, providing endpoint detection and response (EDR) capabilities, including behavioral-based detection, automated investigation, and threat hunting on Windows, macOS, Linux, Android, and iOS devices. It contributes telemetry such as process creation, network connections, and file events to the unified incident and alert correlation in the Defender XDR portal.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel as a component of Microsoft Defender XDR, when in fact Sentinel is a separate SIEM that can ingest data from Defender XDR but is not part of the unified platform itself.

1214
MCQeasy

A security administrator wants to enable Microsoft Defender for Cloud on all Azure subscriptions to generate security alerts for resources. What is the minimum configuration required on a subscription?

A.Assign Azure Policy to enable Defender for Cloud plans on the subscription
B.Enable enhanced security features on the subscription
C.Install the Azure Monitor Agent on all virtual machines in the subscription
D.Enable Microsoft Defender for Cloud at the management group level only
AnswerB

Enabling enhanced security features (Standard tier) is the minimum requirement to start receiving security alerts for all supported resources.

Why this answer

Option B is correct because enabling enhanced security features (now called Defender for Cloud plans) on a subscription is the minimum configuration required to generate security alerts. This action activates the Defender for Cloud workload protection plans (e.g., Defender for Servers, Defender for SQL) that provide threat detection and alerts for resources within that subscription. Without this step, the subscription remains in the free tier, which only offers basic security assessments and recommendations, not security alerts.

Exam trap

The trap here is that candidates often confuse enabling Defender for Cloud plans (the minimum requirement for alerts) with deploying agents or assigning policies, which are additional steps for enhanced coverage or governance, not the baseline configuration.

How to eliminate wrong answers

Option A is wrong because assigning an Azure Policy to enable Defender for Cloud plans is not the minimum configuration; it is a governance method to enforce the plans across multiple subscriptions, but the plans themselves must first be enabled at the subscription level. Option C is wrong because installing the Azure Monitor Agent on all virtual machines is not required for generating security alerts from Defender for Cloud; alerts can be generated from platform-level telemetry and other data sources without the agent, though the agent enhances detection for certain workloads. Option D is wrong because enabling Defender for Cloud at the management group level only does not automatically enable it on individual subscriptions; each subscription must have the plans enabled to generate alerts, and management group inheritance applies to policy assignments, not the enabling of security plans.

1215
MCQhard

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. An analyst reports that low-severity incidents are not being closed automatically. The rule is enabled and has the highest order. What is the most likely reason?

A.The rule is triggered by alerts, not incidents.
B.The automation rule does not have the required permissions to modify incidents.
C.The rule is set to close incidents with classification 'TruePositive' but low-severity incidents are not true positives.
D.The rule is disabled due to a conflict with another rule.
AnswerB

The rule's identity must have Microsoft Sentinel Contributor role to close incidents.

Why this answer

Option C is correct because the rule triggers on "Incidents" (should be "Incident") and the trigger condition is "Created". However, the rule might not have permission to modify incidents. The most common cause is that the automation rule's managed identity or service principal does not have the required role (e.g., Microsoft Sentinel Contributor) to modify incidents.

Option A is wrong because the rule triggers on incident creation, not alert creation. Option B is wrong because the rule is enabled. Option D is wrong because the rule is set to close incidents.

1216
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to ensure that incidents generated in Microsoft 365 Defender are automatically synchronized to Microsoft Sentinel. What should you configure?

A.Set up an automation rule to import incidents
B.Configure the Microsoft Sentinel connector in Microsoft Defender XDR
C.Create an analytics rule to query Defender XDR data
D.Enable the Microsoft Defender XDR data connector in Microsoft Sentinel
AnswerD

This connector synchronizes incidents automatically.

Why this answer

Option D is correct because the Microsoft Defender XDR data connector in Microsoft Sentinel is specifically designed to synchronize incidents from Microsoft 365 Defender into Sentinel. When enabled, this connector uses the Microsoft Graph Security API to ingest incidents, alerts, and evidence, ensuring automatic and bidirectional synchronization without requiring additional automation rules or analytics queries.

Exam trap

The trap here is that candidates often confuse automation rules (which handle incident orchestration) with data connectors (which handle ingestion), leading them to select Option A instead of the correct data connector configuration.

How to eliminate wrong answers

Option A is wrong because automation rules in Sentinel are used to automate responses to incidents already in Sentinel, not to import incidents from external sources. Option B is wrong because the Microsoft Sentinel connector in Microsoft Defender XDR is not a standard configuration; the data flow is from Defender XDR to Sentinel, not the reverse, and the connector is configured in Sentinel, not in Defender XDR. Option C is wrong because analytics rules query data already ingested into Sentinel to generate new incidents, but they cannot import or synchronize existing incidents from Microsoft 365 Defender.

1217
MCQhard

A SOC team uses Microsoft Sentinel with multiple workspaces in a single region. They have deployed Azure Policy to send all Azure resource logs to a central Log Analytics workspace. Now they want to create a set of analytics rules that run across multiple workspaces to detect cross-workspace attacks. However, they note that the built-in analytics rules can only query data within the workspace they are defined. Which solution should the team implement to efficiently query data from multiple workspaces for detection?

A.Use Azure Lighthouse to delegate management and then create rules in the managing workspace that use workspace() expressions
B.Create a KQL function that unions the relevant tables from all workspaces using the workspace() expression, then use that function in the analytics rule query
C.Configure the analytics rule to run in Log Analytics workspace manager and use cross-workspace queries native to Copilot for Security
D.Enable cross-workspace incident view in Sentinel settings and define the rule in the central workspace to automatically query all linked workspaces
AnswerB

A saved function can union data from multiple workspaces. The analytics rule can then query this function, effectively querying across workspaces.

Why this answer

Option B is correct because KQL functions can encapsulate cross-workspace queries using the `workspace()` expression, allowing an analytics rule to query multiple Log Analytics workspaces from a single rule definition. This approach efficiently reuses the union logic across rules without modifying each rule individually, addressing the limitation that built-in rules can only query their own workspace.

Exam trap

The trap here is that candidates confuse Azure Lighthouse's cross-tenant management delegation with cross-workspace querying, or assume that a central workspace automatically queries linked workspaces without explicit KQL expressions.

How to eliminate wrong answers

Option A is wrong because Azure Lighthouse delegates management across tenants, not across workspaces within the same tenant/region, and `workspace()` expressions in a managing workspace still only query that workspace unless explicitly used in a cross-workspace query. Option C is wrong because Log Analytics workspace manager does not exist as a feature; Copilot for Security is an AI assistant, not a cross-workspace query engine for analytics rules. Option D is wrong because cross-workspace incident view is a visualization feature, not a mechanism to make analytics rules query multiple workspaces; rules must explicitly include `workspace()` expressions to span workspaces.

1218
Multi-Selectmedium

Which TWO of the following are valid methods to ingest custom logs into Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Use Windows Event Forwarding to send custom logs to Sentinel.
B.Use the Azure Monitor Agent to collect custom logs via data collection rules.
C.Use the Application Insights connector to ingest custom logs.
D.Configure the Log Analytics agent to collect custom logs from a file.
E.Configure the syslog daemon to forward custom application logs.
AnswersB, D

AMA supports custom log ingestion via DCRs.

Why this answer

Options A and D are correct. Custom logs can be ingested via Log Analytics agent using custom log collection (A) or via Azure Monitor Agent with custom log upload (D). Option B is for Windows events, not custom logs.

Option C is for Linux syslog. Option E is for Application Insights, not custom logs.

1219
Multi-Selectmedium

Which THREE of the following are key components of a successful threat hunting program in a Microsoft Defender XDR environment?

Select 3 answers
A.Deep understanding of normal network behavior
B.A clear hypothesis based on threat intelligence
C.Use of MITRE ATT&CK framework
D.Automated incident response playbooks
E.Reactive response to alerts
AnswersA, B, C

Knowing normal helps spot anomalies.

Why this answer

Options A, B, and E are correct. A success hypothesis guides the hunt. Deep knowledge of the environment helps identify anomalies.

The MITRE ATT&CK framework provides a structured approach. Option C is incorrect because threat hunting is proactive, not reactive to alerts. Option D is incorrect because threat hunting is a skill distinct from incident response, though related.

1220
MCQhard

Refer to the exhibit. You are deploying an Azure Resource Manager (ARM) template to create a saved search in Microsoft Sentinel. However, the template does not create an analytics rule. What is missing to turn this saved search into a scheduled analytics rule?

A.A Schedule section with frequency and period
B.An IncidentConfiguration section
C.A Microsoft.OperationalInsights/workspaces/savedSearches/schedules resource
D.A Query property with a valid KQL
AnswerC

To create a scheduled alert, you need a schedule resource linked to the saved search, or better, use the alert rule resource type.

Why this answer

Option D is correct because a saved search alone is not an analytics rule; you need to create an alert rule resource. Option A is wrong because IncidentConfiguration is part of the alert rule. Option B is wrong because the saved search already has a query.

Option C is wrong because the template does not have a schedule property.

1221
Multi-Selecthard

Which THREE components are required to enable automated investigation and response (AIR) in Microsoft Defender XDR for alerts from Microsoft Defender for Identity?

Select 3 answers
A.Microsoft Sentinel workspace configured to ingest Defender for Identity alerts.
B.Automated investigation and response enabled in Microsoft Defender XDR.
C.A Microsoft 365 E5 license.
D.Microsoft Defender for Identity onboarded and connected to Microsoft Defender XDR.
E.A custom playbook in Microsoft Sentinel.
AnswersB, C, D

AIR must be turned on.

Why this answer

Option B is correct because automated investigation and response (AIR) must be explicitly enabled in Microsoft Defender XDR to allow the platform to automatically respond to alerts. Without this setting enabled, even if other components are in place, the system will not trigger automated actions for Defender for Identity alerts.

Exam trap

The trap here is that candidates often confuse the need for a SIEM (Sentinel) or custom automation (playbooks) with the built-in, native AIR capabilities of Microsoft Defender XDR, leading them to select unnecessary components like A or E.

1222
MCQeasy

Refer to the exhibit. The KQL query runs in Microsoft Sentinel and returns no results. The analyst expects to see failed logon attempts. What is the most likely reason?

A.The Application filter is incorrect.
B.The ResultType field does not exist in IdentityLogonEvents.
C.The summarize operator is misused.
D.The TimeRange variable is too short.
AnswerB

IdentityLogonEvents uses 'Result' or 'LogonResult' not 'ResultType'. Using a non-existent field causes no results.

Why this answer

The query filters on ResultType == 'Failed', but the field is likely named 'Result' or uses different values like 'Failure'. Also, the table 'IdentityLogonEvents' may not exist; it might be 'AADSignInEventsBeta' or similar. But the most common issue is incorrect field name for result type.

1223
MCQeasy

The exhibit shows the output of a Microsoft Defender for Endpoint API call to get machine information. What does the isolationStatus value indicate?

A.The device is healthy and has no issues.
B.The device is currently being scanned for malware.
C.The device is not isolated and is fully connected.
D.The device has been isolated from the network.
AnswerD

IsolationStatus of 'Isolated' means the device is cut off from the network to prevent spread.

Why this answer

The isolationStatus value 'Isolated' indicates that the device has been isolated from the network. The health status is separate and shows the device is healthy. It does not mean it is being scanned, nor that it is not isolated.

1224
MCQeasy

Your organization uses Microsoft Sentinel and has a requirement to retain log data for two years for compliance purposes. You have configured the Log Analytics workspace with a retention policy of 90 days. You need to extend the retention to two years while minimizing costs. The data must remain queryable. What should you do?

A.Increase the workspace retention to 730 days.
B.Export logs to Azure Blob Storage with cool access tier.
C.Enable unlimited retention for the workspace.
D.Configure an archive policy to move older data to Azure Storage hot tier and use Log Analytics workspace archive retention.
AnswerD

Archive retention allows querying archived data and is cost-effective.

Why this answer

Option D is correct because long-term retention with queryability is best achieved by configuring archive to Azure Storage with hot access. Option A is costly; Option B is costly; Option C is for cold storage and not queryable.

1225
MCQmedium

A security analyst is investigating a user who may have been compromised. The analyst sees a sign-in from an unusual location and then a series of suspicious actions performed by that user, including deleting files and sending emails. The analyst wants to find all emails sent by the user after the anomalous sign-in. Which advanced hunting tables should be used?

A.EmailEvents and IdentityLogonEvents
B.EmailEvents and DeviceFileEvents
C.IdentityLogonEvents and DeviceEvents
D.EmailAttachmentInfo and EmailUrlInfo alone
AnswerA

EmailEvents provides the email data, and IdentityLogonEvents provides sign-in times to correlate and find emails sent after the suspicious sign-in.

Why this answer

Option A is correct because the investigation requires correlating a specific sign-in event (from IdentityLogonEvents) with subsequent email activity (from EmailEvents). IdentityLogonEvents captures authentication details including location, while EmailEvents records email send/receive metadata. Joining these tables on the user principal name (UPN) and timestamp allows the analyst to filter all emails sent after the anomalous sign-in.

Exam trap

The trap here is that candidates often confuse DeviceFileEvents or DeviceEvents with email-related tables, forgetting that email actions are logged in EmailEvents, not in endpoint-level event tables.

How to eliminate wrong answers

Option B is wrong because DeviceFileEvents tracks file operations on endpoints, not email activity; it cannot identify emails sent by the user. Option C is wrong because DeviceEvents captures system-level events like process creation or registry changes, not email send actions; it lacks the email-specific fields needed. Option D is wrong because EmailAttachmentInfo and EmailUrlInfo alone provide details about attachments and URLs in emails but do not include the email send event itself or the sign-in context; they cannot identify which emails were sent after a specific sign-in.

1226
MCQeasy

You are investigating a phishing incident in Microsoft Defender XDR. The alert indicates that a user clicked a malicious link in an email. After confirming the email was delivered to the user's inbox, what should be your first action?

A.Add the URL to the tenant block list in Microsoft Defender for Office 365
B.Send a training notification to the user
C.Reset the user's password immediately
D.Use Microsoft Defender for Office 365 to soft-delete the email from the user's mailbox and other recipients
AnswerD

Soft-delete removes the email from inboxes, preventing further clicks.

Why this answer

Option A is correct because soft-deleting the email from all mailboxes removes the threat from the user's and possibly other recipients' inboxes. Option B is wrong because blocking the URL is important but does not remove the already delivered email. Option C is wrong because resetting the password is necessary only if credentials were compromised, but the immediate action is to remove the email.

Option D is wrong because training is a long-term prevention, not an immediate response.

1227
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert about suspicious activity from a user account indicating a potential ransomware attack. The analyst needs to quickly isolate the user's device and revoke the user's access to all cloud apps. What is the most efficient way to achieve this?

A.Create a Microsoft 365 Defender incident response playbook that triggers on the alert and runs automated actions.
B.Use Microsoft Defender for Cloud Apps Governance log to apply a user quarantine policy.
C.Disable the Microsoft Defender for Cloud Apps app connector for the affected cloud app.
D.Manually disable the user account in Microsoft Entra ID.
AnswerA

Correct: Playbooks can automate device isolation and user account restriction across services.

Why this answer

Option C is correct because Microsoft 365 Defender integrates alerts and supports automated response actions like device isolation and user account restriction across Microsoft Defender for Cloud Apps and Defender for Endpoint. Option A is wrong because incident-based response is less efficient for a single alert. Option B is wrong because manually disabling the user in Entra ID does not isolate the device.

Option D is wrong because disabling the app connector doesn't revoke access for that user only.

1228
MCQhard

An organization uses Microsoft Defender for Office 365. A security analyst is investigating a phishing email that was delivered to a user. The user clicked the link, but it was blocked by Defender for Office 365 at the time of click. The analyst needs to view the full click verdict, including the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

A.Threat Explorer in Microsoft 365 Defender
B.The email entity page in Microsoft 365 Defender
C.The advanced hunting table EmailEvents
D.The Attack simulation training dashboard
AnswerB

The email entity page includes a 'Click verdict' section that displays details about the user's click, including the verdict and the reason for blocking.

Why this answer

The email entity page in Microsoft 365 Defender provides the full click verdict for a specific email, including the exact block action (e.g., blocked by custom block list, blocked by URL reputation). This page aggregates all detection and verdict details for a single email, making it the correct location for the analyst to view the specific block action at time of click.

Exam trap

The trap here is that candidates often assume Threat Explorer (Option A) is the go-to for all email investigation details, but it aggregates data and requires navigation to the email entity page to see the specific click verdict and block action.

How to eliminate wrong answers

Option A is wrong because Threat Explorer shows aggregated threat data and trends, but does not display the full click verdict with the specific block action for a single email; it requires drilling into the email entity page for that detail. Option C is wrong because the advanced hunting table EmailEvents contains raw event data but does not include the full click verdict or the specific block action; it requires joining with other tables and does not present the verdict in a user-friendly format. Option D is wrong because the Attack simulation training dashboard is used for managing simulated phishing campaigns and training, not for viewing real click verdicts or block actions from actual phishing emails.

1229
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that an external user from a partner organization can access a specific Sentinel workbook without having access to the entire Log Analytics workspace. What should you do?

A.Create a new Log Analytics workspace dedicated to the external partner and deploy the workbook there.
B.Use Azure AD B2B collaboration to invite the external user and assign the Sentinel Reader role on the workbook.
C.Share the workbook as a shared dashboard in the Azure portal.
D.Add the external user to the resource group containing the workspace with Reader role.
AnswerB

Azure AD B2B allows external user access with fine-grained RBAC on the workbook.

Why this answer

Azure AD B2B collaboration allows you to invite an external user from a partner organization into your Azure AD tenant. By assigning the Sentinel Reader role specifically on the workbook resource (not the workspace), the user can view the workbook without gaining access to the underlying Log Analytics workspace data or other Sentinel resources. This meets the requirement of granular, scoped access.

Exam trap

The trap here is that candidates confuse sharing a workbook (which requires RBAC on the workbook resource) with sharing a dashboard (which is a visual-only artifact in the Azure portal and does not grant any data access permissions).

How to eliminate wrong answers

Option A is wrong because creating a dedicated Log Analytics workspace for the partner is unnecessary overhead and still requires managing separate data ingestion and retention, whereas the requirement is to share only a specific workbook. Option C is wrong because sharing a workbook as a shared dashboard in the Azure portal does not grant the external user access to the workbook’s underlying data queries or Sentinel context; dashboards are visual only and cannot enforce Sentinel RBAC. Option D is wrong because adding the external user to the resource group with Reader role grants them read access to all resources in that group, including the entire Log Analytics workspace and its data, which violates the requirement to restrict access to only the workbook.

1230
MCQhard

During a security incident, you need to block a malicious IP address at the network level for all Azure resources in a subscription. You have Azure Firewall deployed. What is the MOST efficient method to implement the block?

A.Block the IP using Microsoft Defender for Cloud's adaptive network hardening.
B.Use Azure Firewall Manager to create a global deny rule for the IP address across all firewalls.
C.Create a network security group (NSG) rule on each virtual network subnet to deny the IP.
D.Add a rule to the Azure Firewall policy to deny outbound traffic to the IP address.
AnswerB

Firewall Manager can apply a policy to multiple firewalls, ensuring consistent blocking.

Why this answer

Option D is correct because Azure Firewall Manager allows central management of firewall policies, including application and network rules across subscriptions. Option A is wrong because NSGs are per-subnet and not as efficient. Option B is wrong because Azure Firewall policies are not automatically applied to all VMs.

Option C is wrong because each Azure Firewall rule applies to that firewall only.

1231
MCQeasy

A security analyst uses Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst knows the Internet Message ID of a malicious email. Which table should the analyst query to find all users who received that specific email?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.EmailPostDeliveryEvents
AnswerA

EmailEvents stores records of email delivery, including sender, recipient, subject, and InternetMessageId. Querying this table by InternetMessageId will return all relevant email events.

Why this answer

The EmailEvents table in Microsoft 365 Defender advanced hunting stores records of email transactions, including the Internet Message ID and recipient information. By querying this table with the known Internet Message ID, the analyst can retrieve all users who received that specific email, as it contains the RecipientEmailAddress field for each delivery event.

Exam trap

The trap here is that candidates often confuse EmailEvents with EmailPostDeliveryEvents, assuming post-delivery actions include recipient data, but EmailPostDeliveryEvents only logs post-delivery events like user clicks or remediation actions, not the original recipient list.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it stores metadata about email attachments, such as file names and hashes, but does not contain the Internet Message ID or recipient details needed to identify who received the email. Option C (EmailUrlInfo) is wrong because it logs URLs found in email bodies or attachments, not the email delivery recipients or the Internet Message ID. Option D (EmailPostDeliveryEvents) is wrong because it records actions taken after delivery (e.g., user clicks, ZAP actions), not the initial delivery recipients; it lacks the Internet Message ID field for mapping back to the original email.

1232
Multi-Selecteasy

Which TWO data sources are commonly used in Microsoft Sentinel for threat hunting related to lateral movement? (Select TWO.)

Select 2 answers
A.SigninLogs
B.SecurityEvent
C.OfficeActivity
D.DeviceNetworkEvents
E.AuditLogs
AnswersB, D

SecurityEvent contains Windows security events like logon and process creation that can indicate lateral movement.

Why this answer

Options B and C are correct because SecurityEvent (Windows events) and DeviceNetworkEvents (network connections) are key for detecting lateral movement. Option A is wrong because SigninLogs are for cloud sign-ins, not lateral movement. Option D is wrong because OfficeActivity is for Office 365, not lateral movement.

Option E is wrong because AuditLogs are for directory changes, not lateral movement.

1233
MCQmedium

Your security team is investigating a suspicious sign-in from an unfamiliar IP address. The user has Microsoft Entra ID P2 licenses and is assigned a Conditional Access policy that requires MFA for all cloud apps. During the incident response, you find that the sign-in succeeded despite the user not completing MFA. Which action should you take first to investigate the discrepancy?

A.Review the user risk detection in Microsoft Entra ID Protection
B.Check the Microsoft Entra audit logs for policy changes
C.Use the Conditional Access What If tool
D.Review the Microsoft Entra sign-in logs for the specific sign-in event
AnswerD

Sign-in logs show whether MFA was satisfied, interrupted, or bypassed, and which Conditional Access policies applied.

Why this answer

Option B is correct because the sign-in logs provide detailed authentication details, including whether MFA was satisfied or bypassed. Option A is wrong because the user risk policy triggers on detected risk, but the issue is about MFA enforcement. Option C is wrong because the audit logs show administrative actions, not authentication details.

Option D is wrong because the sign-in logs show the policy applied, not the policy configuration itself.

1234
Drag & Dropmedium

Order the steps to investigate a user account compromise using Microsoft Sentinel incidents.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Investigation starts with incident details, then reviewing alerts and behavior analytics, followed by deep querying, and finally remediation.

1235
MCQhard

An organization manages multiple Azure subscriptions under a single management group. They want to automatically enable Microsoft Defender for Cloud's enhanced security plans (e.g., Defender for Servers) on any new subscription added to the management group. Which configuration method should they use?

A.Create an Azure Policy that assigns the Defender for Cloud pricing tier at the management group level
B.Enable auto-provisioning in Defender for Cloud's settings
C.Use Azure Blueprints to define the subscription configurations
D.Manually enable plans per subscription as they are added
AnswerA

Azure Policy can enforce the 'Pricing tier' setting at a scope. When new subscriptions are added under the management group, they automatically get the policy and the plan is enabled.

Why this answer

Option A is correct because Azure Policy can be assigned at the management group scope to enforce the 'Configure Microsoft Defender for Cloud plans to be enabled' policy, which automatically sets the pricing tier (e.g., Standard) for Defender for Servers on any new subscription added to that management group. This ensures compliance without manual intervention, as the policy evaluates and remediates new subscriptions upon creation or addition.

Exam trap

The trap here is that candidates often confuse auto-provisioning (which installs agents) with policy-based enforcement of pricing tiers, leading them to select Option B instead of recognizing that Azure Policy at the management group level is the correct method for automatic, scalable plan activation.

How to eliminate wrong answers

Option B is wrong because auto-provisioning in Defender for Cloud's settings only enables the automatic installation of the Log Analytics agent on existing VMs, not the activation of enhanced security plans for new subscriptions. Option C is wrong because Azure Blueprints can define subscription configurations, but they require explicit assignment to each subscription and do not automatically apply to new subscriptions added to a management group; Azure Policy is the native tool for continuous compliance enforcement. Option D is wrong because manually enabling plans per subscription is not scalable and contradicts the requirement for automatic enablement on new subscriptions.

1236
MCQeasy

A security analyst is reviewing an email-related incident in Microsoft 365 Defender. The analyst wants to see the full delivery details, including the sender IP, authentication status, and the reason why the email was determined to be malicious. Which section of the email entity page should the analyst open?

A.Detection details
B.Details
C.Timeline
D.Preview
AnswerA

This section includes the sender IP, authentication results (SPF, DKIM, DMARC), and detection technology used.

Why this answer

The Detection details section of the email entity page in Microsoft 365 Defender provides comprehensive information about why an email was determined to be malicious, including the sender IP address, authentication status (SPF, DKIM, DMARC results), and the specific detection technology or policy that triggered the verdict. This section consolidates the full delivery details and threat analysis into a single view, making it the correct choice for the analyst's needs.

Exam trap

The trap here is that candidates often confuse the 'Details' section (which shows basic metadata) with the 'Detection details' section (which provides the full forensic analysis), leading them to select Option B incorrectly because they assume 'Details' is the most comprehensive option.

How to eliminate wrong answers

Option B (Details) is wrong because the Details section shows general email metadata such as subject, sender, and recipient, but does not include the full delivery details, authentication status, or the specific reason for the malicious verdict. Option C (Timeline) is wrong because the Timeline section displays a chronological sequence of events related to the email (e.g., delivery, user actions), but it does not provide the sender IP, authentication results, or the detection reason in a consolidated format. Option D (Preview) is wrong because the Preview section shows the rendered content of the email (body, attachments) for visual inspection, but it lacks the technical delivery details and detection logic needed to understand why the email was flagged as malicious.

1237
MCQhard

Your organization uses Microsoft Sentinel with UEBA enabled. You notice that the UEBA entity pages are not showing any insights for Azure resources. What is the most likely cause?

A.UEBA is not enabled for the workspace.
B.The user accounts are not synchronized with Microsoft Entra ID.
C.The Azure Activity data connector is not configured.
D.The resource context data is not being ingested from Azure Resource Manager.
AnswerD

Resource context is needed for Azure resource insights in UEBA.

Why this answer

UEBA entity pages for Azure resources rely on resource context data, which includes metadata about Azure resources such as virtual machines, storage accounts, and their activities. This data is ingested from Azure Resource Manager (ARM) via the Azure Activity data connector. If the resource context data is not being ingested, UEBA cannot correlate activities to specific Azure resources, resulting in no insights on entity pages.

Option D correctly identifies this missing data source as the root cause.

Exam trap

The trap here is that candidates often confuse the Azure Activity data connector (which handles subscription-level logs) with the Azure Resource Manager data connector (which provides resource context data), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because UEBA is explicitly stated as enabled in the question, so the issue is not about UEBA being disabled. Option B is wrong because user accounts not synchronized with Microsoft Entra ID would affect user entity insights, not Azure resource insights, which are based on resource metadata rather than user identities. Option C is wrong because the Azure Activity data connector is responsible for ingesting Azure subscription-level logs (e.g., resource creation, deletion), but the specific data needed for UEBA resource insights is the resource context data from ARM, which is a separate ingestion pipeline; the connector alone does not guarantee resource context data is being ingested.

1238
MCQhard

A SOC analyst is configuring a scheduled analytics rule in Microsoft Sentinel that detects sign-ins from IP addresses contained in a custom threat intelligence watchlist. The analyst wants to avoid creating multiple incidents for the same user and source IP address combination within a 6-hour window. Which configuration in the 'Incident creation' settings should the analyst use to achieve this suppression?

A.Using the 'Event grouping' option under 'Alert grouping' with a 6-hour re-open window
B.Setting a custom query threshold so that alerts are only generated once per time window
C.Enabling 'Suppression' on the 'Schedule' page to stop running the query after the first incident
D.Using the 'Custom' alert grouping and setting a time window for re-opening
AnswerA

Correct. 'Event grouping' (Group alerts into a single incident if they match criteria) allows you to deduplicate based on user and IP, and the re-open window prevents new incidents for the same combination within the selected time.

Why this answer

Option A is correct because the 'Event grouping' setting under 'Alert grouping' allows the analyst to group alerts that fire within a specified time window into a single incident. By setting the 'Re-open window' to 6 hours, any new alert matching the same user and source IP address combination will not create a new incident but will instead re-open the existing incident, effectively suppressing duplicate incidents within that window.

Exam trap

The trap here is confusing 'Suppression' on the Schedule page (which stops the query from running) with 'Event grouping' (which suppresses duplicate incidents while still allowing the query to run and detect new threats).

How to eliminate wrong answers

Option B is wrong because setting a custom query threshold controls how many query results are needed to generate an alert, not how alerts are grouped or suppressed over time; it does not prevent multiple incidents for the same user and IP combination within a 6-hour window. Option C is wrong because enabling 'Suppression' on the 'Schedule' page stops the query from running entirely after the first incident is created, which would prevent detection of any new sign-ins from that IP for the entire suppression period, not just suppress duplicate incidents. Option D is wrong because 'Custom' alert grouping allows you to define how alerts are grouped into incidents, but it does not include a 're-open window' setting; the re-open window is a feature of 'Event grouping', not 'Custom' grouping.

1239
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a threat hunt, you want to identify AWS resources that have been compromised by correlating AWS CloudTrail logs with Microsoft Defender for Cloud security alerts. How should you ingest AWS CloudTrail logs into Microsoft Sentinel?

A.Configure Microsoft Defender for Cloud to receive AWS CloudTrail logs.
B.Use the AWS S3 connector in Microsoft Sentinel.
C.Use the Microsoft 365 Defender connector to ingest CloudTrail logs.
D.Use Azure Policy to export CloudTrail logs to Log Analytics.
AnswerB

The AWS S3 connector ingests CloudTrail logs into Sentinel.

Why this answer

Option A is correct because AWS CloudTrail logs can be ingested via the AWS S3 connector in Microsoft Sentinel. Option B is incorrect because Microsoft Defender for Cloud does not natively ingest CloudTrail logs. Option C is incorrect because Azure Policy cannot ingest AWS logs.

Option D is incorrect because the Microsoft 365 Defender connector is for Microsoft 365 data, not AWS.

1240
MCQeasy

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that runs every 5 minutes and alerts when a single IP address fails to authenticate more than 10 times in that time window using the Microsoft Entra ID SigninLogs table. Which KQL function should be used to group the results into 5-minute intervals?

A.bin()
B.summarize
C.count
D.where
AnswerA

The bin() function is used to group time series data into time intervals, such as 5-minute buckets.

Why this answer

The `bin()` function is the correct choice because it is specifically designed to group time-series data into fixed-size buckets (e.g., 5-minute intervals) for aggregation. In this scenario, you need to align each authentication event to its corresponding 5-minute window so that you can count failures per IP address per window. Without `bin()`, the `summarize` operator would not automatically create these fixed intervals; it would group by the raw timestamp values, which would not produce the required 5-minute buckets.

Exam trap

Microsoft often tests the distinction between the `summarize` operator and the `bin()` function, trapping candidates who think `summarize` alone can bucket time, when in fact `bin()` must be used as the grouping expression inside `summarize` to create fixed time intervals.

How to eliminate wrong answers

Option B (summarize) is wrong because `summarize` is an operator that aggregates data, but it requires a grouping expression (like `bin()`) to create time buckets; by itself, it does not group timestamps into 5-minute intervals. Option C (count) is wrong because `count` is an aggregation function used within `summarize` to count rows, not a function to group results into time intervals. Option D (where) is wrong because `where` is a filtering operator that selects rows based on a condition; it cannot group or bucket data into time windows.

1241
MCQhard

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You have enabled bi-directional incident synchronization. The SOC team uses Microsoft Teams to collaborate on incidents. They have configured a playbook that posts incident details to a Teams channel whenever an incident is created. Recently, the playbook stopped posting messages. You check the playbook's run history in Azure Logic Apps and see that the run was successful with a 200 status code from the Teams connector. However, no message appears in the channel. You verify that the Teams webhook URL is correct and that the channel is active. What is the most likely cause?

A.The Microsoft Teams connector is not installed in the Logic Apps environment.
B.The playbook is disabled and needs to be re-enabled.
C.The service principal or managed identity used by the Logic App has lost permissions to post messages in the Teams channel.
D.The Teams channel has been deleted and re-created with a different ID.
AnswerC

Permissions can expire or be revoked, causing the message to fail silently.

Why this answer

Option D is correct because the Teams connector may require specific permissions that were changed or expired. Even though the HTTP request succeeded, the message might be blocked by Teams permissions. Option A is wrong because the run history shows success.

Option B is wrong because the webhook URL is correct. Option C is wrong because the connector is working (HTTP 200).

1242
MCQmedium

Your organization uses Microsoft Defender XDR. You receive an automated investigation that found a malicious file on a device. The investigation recommends 'Block the file'. What does this action do?

A.Adds the file hash to the block list in Microsoft Defender for Endpoint.
B.Isolates the device where the file was found.
C.Initiates a full antivirus scan on all devices.
D.Deletes the file from all devices in the organization.
AnswerA

Blocking the file prevents it from running on any device.

Why this answer

Option A is correct because blocking the file adds it to the global indicator of compromise (IOC) list, preventing future execution. Option B is wrong because it does not delete the file from all devices. Option C is wrong because it does not isolate the device.

Option D is wrong because it does not scan other devices automatically.

1243
MCQeasy

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a malware alert is generated, an automated investigation is triggered. What should you configure?

A.Configure the Action center settings.
B.Create custom indicators of compromise (IOCs).
C.Use threat analytics to trigger investigations.
D.Enable automated investigation and remediation in the Microsoft 365 Defender portal.
AnswerD

This setting enables automatic investigation on alerts.

Why this answer

Defender for Endpoint has automated investigation and remediation settings that can be enabled. Option C is correct. Option A is wrong because action center is for reviewing actions, not configuring automation.

Option B is wrong because indicators are for blocking, not automated investigations. Option D is wrong because threat analytics provides reports, not automated investigation triggers.

1244
MCQmedium

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel that triggers a playbook. The rule is not triggering. What is the most likely cause?

A.The Logic App resource ID is incorrect
B.The subscription ID is missing
C.The condition 'Status equals Active' is incorrect; incidents are created with status 'New'
D.The trigger type should be 'IncidentUpdated' instead of 'IncidentCreated'
AnswerC

Incidents start as 'New', not 'Active'.

Why this answer

Option A is correct because the condition filters for incidents with Status equals 'Active', but when an incident is created, its status is 'New', so the condition never matches. Option B is wrong because Logic App resource ID is correct. Option C is wrong because trigger type is correct.

Option D is wrong because subscription issue would cause a different error.

1245
MCQhard

A security analyst is investigating a ransomware attack in Microsoft 365 Defender and needs to understand how the attacker moved laterally from an initial compromised workstation to a domain controller. Which feature should the analyst use to see a visual timeline of device-to-device connections and process executions?

A.Device timeline view for each affected device
B.Incident graph (attack story)
C.Advanced hunting with DeviceNetworkEvents and DeviceProcessEvents
D.Automated investigation report
AnswerB

This graph maps the entire incident, showing connections between devices and processes, ideal for tracing lateral movement.

Why this answer

The Incident graph (attack story) in Microsoft 365 Defender provides a visual, interactive timeline that correlates alerts, device-to-device connections, and process executions across the entire attack chain. This allows the analyst to trace lateral movement from the initial compromised workstation to the domain controller in a single, consolidated view, which is exactly what the question requires.

Exam trap

The trap here is that candidates often confuse the single-device Device timeline view (Option A) with the multi-device Incident graph, failing to recognize that lateral movement analysis requires a cross-device perspective, not per-device logs.

How to eliminate wrong answers

Option A is wrong because the Device timeline view shows events for a single device only, not the cross-device lateral movement path. Option C is wrong because Advanced hunting with DeviceNetworkEvents and DeviceProcessEvents requires manual query construction and does not provide a built-in visual timeline of the attack story. Option D is wrong because the Automated investigation report summarizes remediation actions and findings for a specific alert, not the full lateral movement timeline across multiple devices.

1246
MCQmedium

Your organization uses Microsoft Defender XDR. You need to ensure that alerts from Microsoft Defender for Identity are automatically correlated with alerts from Microsoft Defender for Endpoint in the unified incidents queue. What should you verify?

A.Microsoft Defender for Office 365 is enabled
B.Microsoft Defender XDR incident correlation is enabled
C.Microsoft Sentinel is connected to Microsoft Defender XDR
D.Custom detection rules are created in Microsoft 365 Defender
AnswerB

This setting aggregates alerts from all Defender workloads.

Why this answer

Automatic correlation requires that both workloads are integrated and the unified incident feature is enabled. Option B is correct. Option A is for MDO, not correlation.

Option C is for Sentinel, not Defender XDR. Option D is for custom detections, not correlation.

1247
MCQmedium

Refer to the exhibit. An automation rule is configured as shown. When will the playbook be triggered?

A.When any incident is created from Microsoft Defender for Endpoint
B.When a new incident with any severity contains 'Malware' in the title
C.When an incident is updated to High severity
D.When a new incident is created with severity High, from Microsoft Defender for Endpoint, and with 'Malware' in the title
AnswerD

All conditions must match.

Why this answer

Option A is correct because the rule triggers on incident creation with conditions: severity is High, provider is Microsoft Defender for Endpoint, and title contains 'Malware'. All conditions must be met. Option B is wrong because the condition is IncidentCreated, not IncidentUpdated.

Option C is wrong because the provider condition restricts to Defender for Endpoint only. Option D is wrong because severity must be High, not any.

1248
MCQhard

A user reports that they cannot access their Microsoft 365 apps after clicking a link in an email. You suspect token theft. In Microsoft Defender XDR, which incident investigation action should you take first to verify the scope?

A.Review the user's sign-in logs in Microsoft Entra ID for anomalous locations
B.Isolate the user's device from the network
C.Check the user's device for malware using Microsoft Defender for Endpoint
D.Investigate the email in Microsoft Defender for Office 365
AnswerA

Token theft often shows logins from unusual IPs.

Why this answer

Option B is correct because reviewing sign-in logs reveals token usage from unusual locations. Option A is wrong because it's not about apps. Option C is wrong because email investigation is secondary.

Option D is wrong because device isolation is not the first step.

1249
MCQeasy

Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?

A.Block the source IP address on the firewall
B.Investigate the incident details
C.Notify the users of the failed login attempts
D.Reset passwords for all affected accounts
AnswerB

Investigation confirms the attack and provides context.

Why this answer

The first step is to investigate the incident to confirm it's a true positive and assess scope. Blocking the IP might be premature without verification. Resetting passwords and notifying users come after confirmation.

1250
MCQmedium

You are managing Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from a sanctioned cloud app. You need to automatically suspend the user's access when the download exceeds 5 GB in 10 minutes. What should you create?

A.An anomaly detection policy with a mass download detection template.
B.A session policy to block downloads.
C.An app connector for the cloud app.
D.A data loss prevention (DLP) policy in Microsoft Purview.
AnswerA

Anomaly detection policies can detect mass download and suspend user access.

Why this answer

An anomaly detection policy in Microsoft Defender for Cloud Apps can detect unusual user behavior, such as mass file downloads, using predefined templates like 'Mass download by a single user'. This policy can be configured to trigger automatic governance actions, including suspending the user, when the download exceeds a threshold like 5 GB in 10 minutes. It directly addresses the need to automatically suspend access based on volume and time.

Exam trap

The trap here is that candidates often confuse session policies (which block actions in real-time) with anomaly detection policies (which trigger automated responses like suspension based on behavioral patterns), leading them to choose Option B instead of A.

How to eliminate wrong answers

Option B is wrong because a session policy blocks downloads in real-time but does not automatically suspend the user's access; it only prevents the download action during the session. Option C is wrong because an app connector is used to connect Defender for Cloud Apps to a cloud app for visibility and control, but it does not create policies to suspend users based on download thresholds. Option D is wrong because a DLP policy in Microsoft Purview focuses on preventing data loss by inspecting content (e.g., sensitive information) rather than monitoring download volume or triggering user suspension based on size and time.

1251
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed by a playbook before the investigation was complete. What should you do to prevent automatic closure in the future?

A.Disable the playbook
B.Remove the playbook from the automation rule
C.Modify the analytics rule to not automatically close incidents
D.Disable the automation rule that triggers the playbook
AnswerC

This prevents the playbook from closing incidents automatically.

Why this answer

Option C is correct because modifying the analytics rule to disable automatic incident closure stops the playbook from closing incidents automatically. Option A is wrong because disabling the playbook stops all its actions, not just closure. Option B is wrong because it disables all automation rules.

Option D is wrong because removing the playbook entirely is too drastic and unnecessary.

1252
MCQhard

Your organization has a Microsoft Sentinel workspace that ingests data from multiple sources. You notice that the cost of data ingestion is higher than expected. You need to reduce costs without affecting security visibility. Which action should you take?

A.Reduce the data retention period for all tables to 30 days.
B.Disable the collection of Windows event logs from domain controllers.
C.Configure specific tables to use the Basic Logs tier instead of Analytics Logs.
D.Export logs to Azure Storage and use Azure Data Explorer for analysis.
AnswerC

Basic Logs are cheaper and suitable for verbose logs that are less frequently queried.

Why this answer

Basic Logs in Microsoft Sentinel are a lower-cost option for high-volume, verbose logs that are used for infrequent querying. Option B is correct because you can move verbose logs (e.g., from VMs) to Basic Logs tier. Option A (reducing retention) affects visibility.

Option C (turning off connectors) reduces visibility. Option D (using Azure Storage) is not integrated with Sentinel for queries.

1253
MCQhard

A security team wants to automatically block an IP address in Azure Firewall when Microsoft Sentinel detects a high number of failed logins from that IP. Which automation approach should they use?

A.Create an automation rule that triggers a playbook directly.
B.Create a scheduled analytics rule that runs a playbook.
C.Create an automation rule that triggers on incident creation and runs a playbook that uses the Azure Firewall connector to add a rule.
D.Configure a Logic App to poll Sentinel alerts and block IPs.
AnswerC

This is correct: automation rule triggers on incident creation, invokes a playbook that uses Azure Firewall connector to block the IP.

Why this answer

Option C is correct because it uses an automation rule triggered on incident creation to run a playbook, which can leverage the Azure Firewall connector to add a blocking rule. This approach directly integrates Sentinel's detection of a high number of failed logins with automated remediation in Azure Firewall, ensuring a real-time response without manual intervention.

Exam trap

The trap here is that candidates may confuse automation rules with analytics rules, thinking a scheduled analytics rule can directly run a playbook, when in fact analytics rules only generate alerts/incidents, and playbooks are triggered separately via automation rules or incident/alert actions.

How to eliminate wrong answers

Option A is wrong because automation rules can trigger playbooks directly on alert or incident creation, but the question specifies blocking an IP in Azure Firewall, which requires a playbook with the Azure Firewall connector; however, the phrasing 'triggers a playbook directly' is too vague and does not specify the necessary connector or action, making it incomplete. Option B is wrong because scheduled analytics rules are used to generate alerts based on periodic queries, not to run playbooks; playbooks are executed by automation rules or directly from incidents/alerts, not by the analytics rule itself. Option D is wrong because polling Sentinel alerts with a Logic App is inefficient and not the recommended pattern; Sentinel provides native automation through automation rules and playbooks, and polling introduces latency and complexity compared to event-driven triggers.

1254
MCQmedium

An organization uses Microsoft Defender for Cloud and needs to track compliance with internal security policies that are not covered by any built-in regulatory standard. They want to see the compliance status for these internal controls in the Regulatory Compliance dashboard alongside other standards. What should they configure?

A.Create a custom Azure Policy initiative with the required controls and assign it to the relevant scopes.
B.Create a custom assessment in the Microsoft Defender for Cloud recommendations dashboard.
C.Use the Secure Score API to develop a custom dashboard outside Defender for Cloud.
D.Enable the "Custom compliance" feature in Defender for Cloud's pricing tier.
AnswerA

A custom Azure Policy initiative assigned to the subscription or management group will appear in the Regulatory Compliance dashboard, allowing tracking of internal controls.

Why this answer

To track compliance with internal security policies not covered by built-in regulatory standards, you must create a custom Azure Policy initiative that defines the required controls and assign it to the relevant scopes. Defender for Cloud automatically evaluates resources against assigned initiatives and surfaces the compliance status in the Regulatory Compliance dashboard alongside built-in standards, allowing unified visibility.

Exam trap

The trap here is that candidates confuse custom assessments in the recommendations dashboard with custom compliance controls, not realizing that only custom Azure Policy initiatives are surfaced in the Regulatory Compliance dashboard.

How to eliminate wrong answers

Option B is wrong because creating a custom assessment in the recommendations dashboard only adds a security recommendation, not a compliance control that appears in the Regulatory Compliance dashboard; it does not integrate with the compliance framework. Option C is wrong because using the Secure Score API to develop a custom dashboard outside Defender for Cloud bypasses the Regulatory Compliance dashboard entirely, failing to meet the requirement of seeing compliance status alongside other standards within Defender for Cloud. Option D is wrong because there is no 'Custom compliance' feature in Defender for Cloud's pricing tier; the pricing tier controls features like cloud security posture management (CSPM) but does not enable custom compliance tracking.

1255
Multi-Selecthard

Which TWO actions are part of the threat hunting process in Microsoft Sentinel?

Select 2 answers
A.Creating custom hunting queries based on hypotheses.
B.Using bookmarks to preserve interesting findings.
C.Setting up data connectors to ingest logs.
D.Fine-tuning the severity of analytical rules.
E.Configuring scheduled analytics rules.
AnswersA, B

Hunting queries are used to search for threats.

Why this answer

Options A and C are correct. A is correct because creating hunting queries is a key activity. C is correct because bookmarks allow tracking interesting findings.

B is incorrect because configuring alert rules is part of detection, not hunting. D is incorrect because setting up data connectors is an initial setup step, not a hunting activity. E is incorrect because fine-tuning analytical rules is detection engineering.

1256
MCQeasy

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

A.Trigger a training campaign for the user who reported the email.
B.Move the email to the tenant's shared mailbox for review.
C.Remove the Report Message add-in from Outlook to prevent false reports.
D.Soft-delete the email from the user's mailbox and other mailboxes that received the same message.
AnswerD

Correct. AIR can automatically delete the reported email across the organization to contain the threat.

Why this answer

When a user reports a phishing email via the Report Message add-in, the automated investigation and response (AIR) playbook in Microsoft Defender for Office 365 can automatically soft-delete the email from the user's mailbox and from all other mailboxes that received the same message. This action is part of the built-in remediation steps that AIR can take after confirming the threat, leveraging the email entity's hash or message ID to perform tenant-wide removal via the threat protection pipeline.

Exam trap

The trap here is that candidates may confuse automated remediation actions (like soft-delete) with administrative or training-related tasks, leading them to select options that describe manual or non-automated processes.

How to eliminate wrong answers

Option A is wrong because triggering a training campaign is not an automated action within an AIR playbook; training campaigns are separate features in Defender for Office 365 that require manual configuration and are not triggered automatically by AIR. Option B is wrong because moving the email to a shared mailbox for review is not a standard AIR remediation action; AIR focuses on containment and removal, not manual review workflows. Option C is wrong because removing the Report Message add-in would prevent future reports and is not an automated remediation action; AIR playbooks are designed to respond to threats, not to disable reporting tools.

1257
MCQhard

A KQL query detects brute-force attempts by summarizing failed sign-ins by user, IP address, and five-minute time bins. Which operator is most appropriate for this aggregation?

A.summarize.
B.project-away.
C.parse_json.
D.extend.
AnswerA

summarize is used for aggregation such as count() by user, IP, and bin(TimeGenerated, 5m).

Why this answer

The `summarize` operator is the correct choice because it groups rows by specified columns (user, IP address, and five-minute time bins) and applies an aggregation function (e.g., `count()`) to detect brute-force patterns. In KQL, `summarize` is the only operator that can create time-binned aggregations using the `bin()` function, which is essential for grouping failed sign-ins into fixed five-minute intervals. This directly supports the brute-force detection requirement by counting failed attempts per user/IP/time window.

Exam trap

The trap here is that candidates may confuse `extend` with `summarize` because both can create new columns, but only `summarize` performs grouping and aggregation, which is essential for detecting brute-force patterns over time bins.

How to eliminate wrong answers

Option B is wrong because `project-away` removes columns from the result set, but it does not perform any aggregation or grouping, so it cannot summarize failed sign-ins by user, IP, and time bins. Option C is wrong because `parse_json` extracts values from JSON strings into structured fields, but it has no aggregation capability and cannot group or count events over time. Option D is wrong because `extend` adds new calculated columns to each row without reducing or grouping rows, so it cannot produce the summarized counts needed for brute-force detection.

1258
MCQmedium

You have a Microsoft Sentinel automation rule as shown in the exhibit. The rule triggers a playbook that blocks a user in Microsoft Entra ID. The rule is enabled but never fires. What is the most likely reason?

A.The automation rule is disabled.
B.The playbook does not have a Microsoft Sentinel trigger.
C.No incidents with High severity are created.
D.The JSON syntax is invalid.
AnswerB

The playbook must start with a Sentinel trigger to be invoked by an automation rule.

Why this answer

The automation rule trigger specifies 'severity: High' and 'status: New'. However, automation rules trigger on incident creation, but the status condition may be incorrect because incidents are typically created with status 'New' unless changed by another rule. The exhibit shows correct syntax.

However, the most common issue is that automation rules require the playbook to have a Sentinel trigger; but the rule itself seems fine. Option D is a plausible misconfiguration: if the playbook doesn't have a Sentinel trigger, it won't run. Option A is wrong because the rule is enabled.

Option B is wrong because the JSON is valid. Option C is wrong because high severity incidents exist.

1259
Multi-Selecthard

Which THREE actions should a threat hunter take when using Microsoft Defender XDR advanced hunting to investigate a potential ransomware outbreak? (Select THREE.)

Select 3 answers
A.Check for service installation events that mimic system services.
B.Review mailbox audit logs for email forwarding rules.
C.Inspect scheduled tasks for persistence mechanisms.
D.Correlate process creation events with file modification events.
E.Review password change events for service accounts.
AnswersA, C, D

Ransomware may install services to maintain persistence.

Why this answer

Options A, C, and E are correct because correlating process creation with file modifications, inspecting scheduled tasks, and checking for service installation are key steps to identify ransomware behavior. Option B is wrong because reviewing mailbox audit logs is not relevant for ransomware on endpoints. Option D is wrong because reviewing password changes is not directly related to ransomware.

1260
MCQeasy

A threat hunter wants to proactively search for signs of ransomware activity in the environment using Microsoft Sentinel. Which data source is most likely to provide early indicators of ransomware, such as mass file renaming or encryption?

A.Azure AD sign-in logs
B.Microsoft Defender for Endpoint advanced hunting tables like DeviceFileEvents and DeviceProcessEvents
C.Azure Activity Log
D.Office 365 audit logs (UnifiedAuditLog)
AnswerB

These tables capture file modifications and process executions that can indicate ransomware.

Why this answer

Option B (Microsoft Defender for Endpoint) provides advanced hunting on endpoint processes and file events, which can detect mass file modifications indicative of ransomware. Option A (Azure Activity Log) logs control plane operations. Option C (Office 365 audit logs) logs cloud app activities.

Option D (Azure AD sign-in logs) logs authentication events.

1261
MCQhard

During a hunt, you find that a user account has logged in from an IP address associated with a known command-and-control (C2) server. The hunt also reveals that the same IP accessed a SharePoint site containing sensitive documents. Which Microsoft Purview feature should you use to investigate data exfiltration?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Information Protection
C.Microsoft Purview Compliance Manager
D.Microsoft Purview Audit (Standard)
AnswerA

DLP policies and activity explorer can identify if sensitive data was exfiltrated via SharePoint.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention (DLP) policies and activity explorer can show if sensitive data was accessed or shared externally. Option A (Information Protection) labels data but does not track exfiltration. Option C (Audit Log) logs events but lacks context of sensitive data.

Option D (Compliance Manager) is for assessments, not investigation.

1262
MCQhard

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident with severity Medium is created?

A.The rule will not trigger because severity is Medium
B.The rule will trigger and create a new incident
C.The rule will trigger and run the playbook
D.The rule will update the incident severity to High
E.The rule will trigger but skip the playbook
AnswerA

Condition is not met.

Why this answer

The automation rule triggers only on 'IncidentCreated' with condition 'IncidentSeverity Equals High'. Medium severity does not meet the condition, so the rule does not run.

1263
MCQeasy

A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to see a timeline of all actions performed on a specific device, including file creation, registry modifications, and network connections, in chronological order. Which feature should the analyst use?

A.Device timeline
B.Advanced hunting
C.Incident graph
D.Action center
AnswerA

The device timeline displays a chronological sequence of events that occurred on a specific device, allowing analysts to trace attack activities.

Why this answer

The Device timeline in Microsoft Defender for Endpoint provides a chronological view of all events and actions on a specific device, including file creation, registry modifications, and network connections. This feature is specifically designed for forensic investigation of incidents like ransomware, offering a time-ordered list of activities without requiring custom queries.

Exam trap

The trap here is that candidates may confuse the chronological event view of the Device timeline with the query-based flexibility of Advanced hunting, but the question specifically asks for a pre-built timeline without requiring custom queries.

How to eliminate wrong answers

Option B is wrong because Advanced hunting is a query-based tool using Kusto Query Language (KQL) to search across raw data tables, not a pre-built chronological timeline for a single device. Option C is wrong because the Incident graph visualizes the relationships between alerts, assets, and entities within an incident, but it does not provide a sequential timeline of actions on a specific device. Option D is wrong because Action center is used to review and approve remediation actions (e.g., isolating a device or running antivirus scans), not to view historical event timelines.

1264
MCQmedium

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule definition. The rule is intended to automatically change the severity to High, assign to tier2, and set status to Active for incidents triggered by alerts containing 'malware'. However, incidents are not being updated. What is the most likely cause?

A.The action configuration is missing the 'incident' property.
B.The condition operator 'Contains' is incorrect; should be 'Equals'.
C.The trigger type should be 'IncidentCreated', not 'AlertRule'.
D.The playbook requires a managed identity to run.
AnswerC

Automation rules trigger on incident creation, not alert rule.

Why this answer

Option B is correct because the trigger type is 'Microsoft.SecurityInsights/AlertRule', which triggers on alert creation, not incident creation. Automation rules in Sentinel trigger on incident creation, not alert creation. Option A is wrong because the condition is valid.

Option C is wrong because the actions are correctly structured. Option D is wrong because there is no such requirement.

1265
MCQeasy

An organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and they see unexpected pop-ups. The security team suspects malware. What should the team do first to investigate?

A.Run a quick scan on the device from Microsoft Defender for Endpoint
B.Check the device inventory for recent software installations
C.Initiate a live response session on the device
D.Submit a suspicious file to Microsoft for analysis
AnswerA

A quick scan detects common malware efficiently.

Why this answer

Option A is correct because running a quick scan in Microsoft Defender for Endpoint will detect common malware quickly. Option B is wrong because submitting the file to Microsoft for analysis is not the first step. Option C is wrong because initiating a live response session is more invasive and should be used after initial detection.

Option D is wrong because checking the device inventory does not help with active malware.

1266
MCQmedium

You are investigating an incident in Microsoft Defender XDR that involves a user who clicked a link in a phishing email. The email was detected and blocked by Microsoft Defender for Office 365, but the user still clicked the link before it was blocked. The incident includes an alert for 'Malicious URL click'. What additional information should you check to determine if the user's credentials were compromised?

A.Check if the link was blocked by the time the user clicked
B.Check for sign-in events from unusual locations or anonymous IP addresses after the click
C.Check if the user has recently changed their password
D.Check if the email had any attachments
AnswerB

Such sign-ins indicate that the attacker used stolen credentials.

Why this answer

Option D is correct because a URL click could lead to a credential harvesting page. Checking for subsequent failed logins from unusual locations indicates that credentials were used. Option A is wrong because the email was blocked, so there was no attachment.

Option B is wrong because a password reset does not indicate compromise. Option C is wrong because the block already happened; the click is what matters.

1267
Multi-Selectmedium

Your security team uses Microsoft Sentinel and Microsoft Purview. You need to classify incidents that involve sensitive data according to Microsoft Purview's sensitivity labels. Which THREE components should you use?

Select 3 answers
A.Microsoft Defender for Cloud to apply sensitivity labels.
B.Analytics rules that trigger on data sensitivity events from Microsoft Purview.
C.Automation rules in Microsoft Sentinel to check for sensitivity labels in the incident.
D.Playbooks in Microsoft Sentinel to query Microsoft Purview for label information.
E.Microsoft Intune compliance policies to label data.
AnswersB, C, D

Correct: Analytics rules can ingest logs from Purview.

Why this answer

Options A, D, and E are correct. Automation rules can trigger on label conditions, playbooks can query Purview, and analytics rules can detect data sensitivity. Option B is wrong because Microsoft Intune manages devices.

Option C is wrong because Microsoft Defender for Cloud doesn't integrate with Purview labels.

1268
MCQmedium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. They recently deployed a new Azure Kubernetes Service (AKS) cluster and want to ensure it is protected by Defender for Containers. What must they do to enable protection?

A.Enable the Defender for Containers plan for the subscription in Defender for Cloud.
B.Install the Microsoft Defender for Cloud agent on the AKS nodes.
C.Create a Log Analytics workspace and connect AKS to it.
D.Enable Azure Policy for AKS.
AnswerA

This enables the workload protection plan for containers, which automatically covers AKS clusters in the subscription.

Why this answer

Defender for Containers is a plan-level feature in Microsoft Defender for Cloud that must be enabled at the subscription level. Once enabled, it automatically discovers and protects AKS clusters without requiring any manual agent installation on nodes, as it uses the Defender sensor deployed by AKS itself. This is the only action needed to enable protection for the new AKS cluster.

Exam trap

The trap here is that candidates often assume agent installation or Log Analytics workspace configuration is necessary for container protection, but Defender for Containers is a subscription-level plan that automatically provisions the required sensor without manual node-level setup.

How to eliminate wrong answers

Option B is wrong because Defender for Containers does not require installing the Microsoft Defender for Cloud agent on AKS nodes; it uses a dedicated Defender sensor that is automatically deployed by the AKS integration. Option C is wrong because a Log Analytics workspace is not a prerequisite for Defender for Containers; while logs can be collected, the plan works independently of Log Analytics. Option D is wrong because enabling Azure Policy for AKS is not required to enable Defender for Containers; Azure Policy can be used for compliance and governance but is separate from the Defender plan activation.

1269
MCQmedium

You are a security analyst at Contoso. A user reports that they received a suspicious email with an attachment named "Invoice.pdf.exe". The user did not open the attachment. You need to investigate this potential threat using Microsoft Defender XDR. You want to determine if any other users received the same email, and whether the attachment was detonated in a sandbox. You also want to block the sender domain and the attachment hash across the organization if it is malicious. You have the email message ID from the user. You have appropriate permissions to use advanced hunting and take action. Which set of actions should you take in Microsoft 365 Defender?

A.Use the Exchange admin center to run a message trace for the email, then use the Malware section to block the attachment hash.
B.Use the Email & collaboration > Explorer to find the email, then use the Quarantine section to block the sender domain.
C.Use the Threat Explorer to find the email, then manually block the sender domain in the Exchange Online PowerShell.
D.Use Advanced hunting to query EmailEvents for the message ID to find other recipients, then query EmailAttachmentInfo to get the attachment hash. Use the sandbox data in EmailUrlInfo to check detonation. Then create an indicator block rule for the sender domain and file hash in the Settings > Indicators.
AnswerD

This comprehensive approach uses advanced hunting for investigation and indicators for blocking.

Why this answer

Option C is correct because advanced hunting can identify other recipients and sandbox detonation results, and indicators can block the sender domain and file hash. Option A is wrong because email trace is from Exchange admin center, not Defender XDR. Option B is wrong because quarantine finder doesn't show sandbox results.

Option D is wrong because it does not use indicators for blocking.

1270
MCQmedium

An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?

A.Run antivirus scan
B.Isolate device
C.Contain device
D.Restrict app execution
AnswerB

Correct: Isolation can be configured with an allowed list of IPs, such as update servers, while blocking all other traffic.

Why this answer

The 'Isolate device' action in Microsoft Defender for Endpoint's automated investigation and response (AIR) playbook can be configured to isolate a device from the network while allowing communication with a specified list of trusted IP addresses (e.g., for patching or compliance). This is achieved through the 'selective isolation' capability, which uses Windows Filtering Platform (WFP) to block all inbound/outbound traffic except to the defined IPs. Option B is correct because it directly matches the requirement to maintain connectivity to trusted endpoints during isolation.

Exam trap

The trap here is that candidates often confuse 'Contain device' (which only blocks inbound connections from other devices) with 'Isolate device' (which blocks both inbound and outbound traffic, with optional selective allow lists), leading them to choose the wrong option when the question specifies allowing outbound communication to trusted IPs.

How to eliminate wrong answers

Option A is wrong because 'Run antivirus scan' only performs a malware scan and does not involve any network isolation or allow-listing of IP addresses. Option C is wrong because 'Contain device' is a legacy term from Microsoft Defender for Endpoint that typically refers to blocking communication with the device from other devices (network containment), but it does not provide the granular control to allow specific trusted IPs for outbound communication; it is a broader block. Option D is wrong because 'Restrict app execution' limits which applications can run on the device (e.g., via AppLocker or WDAC), but it does not affect network connectivity or allow specific IP addresses.

1271
MCQhard

Your organization uses Microsoft Sentinel and has enabled UEBA. A security analyst observes that a user account with no prior administrative activity performed a high volume of Azure Resource Manager operations. The analyst wants to investigate further. Which Microsoft Sentinel feature should the analyst use to quickly identify if this behavior is anomalous based on the user's historical profile?

A.Hunting queries
B.Workbooks
C.User and Entity Behavior Analytics (UEBA)
D.Analytics rules
AnswerC

UEBA uses machine learning to establish baselines and detect anomalous behavior for users and entities.

Why this answer

Option D is correct because UEBA in Microsoft Sentinel provides user entity analytics that profile normal behavior and detect anomalies. The other options are not primarily designed for user behavior anomaly detection based on historical profiles.

1272
Multi-Selectmedium

Your organization uses Microsoft Sentinel. You need to automatically classify incidents based on MITRE ATT&CK techniques. Which THREE methods can be used to accomplish this?

Select 3 answers
A.Enable the MITRE ATT&CK data connector.
B.Create a watchlist with MITRE techniques.
C.Use analytics rules that include MITRE ATT&CK mapping.
D.Use UEBA to detect techniques.
E.Create an automation rule that tags incidents with MITRE techniques.
AnswersA, C, E

This connector provides threat intelligence and enriches incidents.

Why this answer

Analytics rules can map to MITRE techniques, the MITRE ATT&CK connector can enrich incidents, and automation rules can add tags. Option A, B, and E are correct. Option C (watchlists) can store mappings but not automatically classify.

Option D (UEBA) doesn't classify incidents by MITRE techniques.

1273
Multi-Selectmedium

Which TWO actions are valid when performing threat hunting in Microsoft Sentinel using hunting queries? (Choose two.)

Select 2 answers
A.Bookmark specific rows of results for later investigation.
B.Create a custom detection rule based on a hunting query.
C.Schedule a hunting query to run every hour.
D.Automatically trigger an alert when a hunting query returns results.
E.Export results directly to Azure Blob Storage.
AnswersA, B

Bookmarking is a feature in Sentinel for hunting.

Why this answer

Option A is correct because you can bookmark results for later investigation. Option C is correct because you can create a custom detection rule from a hunting query. Option B is wrong because hunting queries do not automatically trigger alerts; they are manual.

Option D is wrong because you cannot directly export results to Azure Storage, only to a CSV file or Log Analytics. Option E is wrong because you cannot schedule a hunting query to run automatically; you would need to create an analytics rule.

1274
MCQeasy

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What is the effect of this rule?

A.It assigns the incident to the SOC team.
B.It changes the status of newly created incidents from 'New' to 'Active'.
C.It suppresses the incident if it is a false positive.
D.It creates a task in the incident for investigation.
AnswerB

The action type 'ChangeStatus' with status 'Active' does exactly that.

Why this answer

Option B is correct because the rule triggers on incident creation with status 'New' and changes status to 'Active'. Option A is incorrect because it does not assign owner. Option C is incorrect because it does not suppress.

Option D is incorrect because it does not create tasks.

1275
MCQhard

You are responding to an incident where a user's Microsoft Entra ID account was compromised and used to send phishing emails internally. You need to prevent further damage. Which two actions should you take first?

A.Reset the user's password
B.Revoke the user's sessions
C.Disable the user account in Microsoft Entra ID
D.Block all external email from the organization
E.Remove the user from all distribution groups
AnswerB, C

Invalidates any active tokens.

Why this answer

Option A is correct because disabling the account stops immediate use. Option D is correct because revoking sessions ensures any active tokens are invalidated. Option B is wrong because resetting password is secondary.

Option C is wrong because blocking external email is too broad. Option E is wrong because it's unnecessary for internal phishing.

Page 16

Page 17 of 22

Page 18