Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1276-1350

1639 questions total · 22 pages · All types, answers revealed


Page 18 of 22

1276 · MCQ · medium

A security analyst in Microsoft 365 Defender has just completed an automated investigation on a device. The analyst wants to review the specific remediation actions that were taken automatically, such as file quarantine or process termination, as well as any actions that are still pending approval. Where should the analyst look?

A. Action center
B. Incident details page -> Alerts tab
C. Device timeline in advanced hunting
D. Email & collaboration incidents tab
Answer: A

Correct. The Action center lists all remediation actions from automated investigations and allows review and approval.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location to review all automated remediation actions (e.g., file quarantine, process termination) and pending approval actions across devices, email, and identities. It provides a unified view of completed, in-progress, and awaiting-approval actions from automated investigations, ensuring the analyst can track and manage remediation status efficiently.

Exam trap

The trap here is that candidates confuse the Incident details page (which shows alert evidence and investigation graph) with the Action center (which specifically tracks remediation actions and their approval status), leading them to select the Alerts tab instead of the correct centralized action management location.

How to eliminate wrong answers

Option B is wrong because the Incident details page's Alerts tab shows the alerts associated with an incident, not the specific remediation actions taken or pending; it focuses on alert metadata and evidence, not action status. Option C is wrong because the Device timeline in advanced hunting shows raw events and activities on a device (e.g., process creations, file modifications) but does not display remediation actions or their approval status; it is for hunting, not action management. Option D is wrong because the Email & collaboration incidents tab is specific to threats in Exchange Online and Microsoft Teams, not device-level automated remediation actions like file quarantine or process termination.

1277 · Multi-Select · hard

You are managing a Microsoft Sentinel workspace that ingests data from multiple sources. You need to reduce the cost of log ingestion while maintaining security visibility. Which two actions should you take?

Select 2 answers
A. Remove all custom log connectors that are not used frequently.
B. Increase the retention period for all tables to 90 days to avoid data loss.
C. Enable analytics rules to run only on high-value data sources.
D. Configure data collection rules to send non-critical logs to the Basic Logs tier.
E. Use compression algorithms in Log Analytics to reduce log size.
Answers: C, D

Correct: Focusing rules on critical data reduces processing cost.

Why this answer

Option C is correct because enabling analytics rules to run only on high-value data sources reduces the volume of data that must be queried and processed, directly lowering ingestion and analytics costs while preserving security visibility on critical logs. In Microsoft Sentinel, analytics rules incur costs based on the data scanned; by scoping rules to high-value sources, you avoid unnecessary processing of low-signal data.

Exam trap

The trap here is that candidates often confuse reducing ingestion cost with reducing storage cost, leading them to choose retention-related options (B) or connector removal (A) instead of focusing on data tiering and query scoping.

1278 · Multi-Select · medium

Which TWO actions can be performed using Microsoft Sentinel automation rules? (Select TWO.)

Select 2 answers
A. Assign an incident to a specific SOC analyst
B. Modify a data connector's configuration
C. Create a new analytics rule
D. Create a new watchlist
E. Run a playbook on an incident
Answers: A, E

Automation rules can set the incident owner.

Why this answer

Options A and E are correct because automation rules can assign incidents to owners and run playbooks. Option B is wrong because automation rules do not modify data connectors. Option C is wrong because automation rules do not create analytics rules.

Option D is wrong because automation rules do not create watchlists.

1279 · MCQ · hard

Your organization uses Microsoft Sentinel with UEBA enabled. You are investigating a suspicious incident where a user's account is reported to have accessed an unusual amount of data from a SharePoint site. The incident alert points to the user 'jdoe@contoso.com'. You open the incident and see that the entity timeline for jdoe shows several activities, including file downloads. However, you notice that the timeline does not include any Azure AD sign-in events for this user. You need to include sign-in events in the entity timeline to get a complete picture. What should you do?

A. Install the Azure Active Directory connector to ingest sign-in logs.
B. Enable UEBA for Azure AD in the Sentinel settings.
C. Install the Office 365 connector to ingest Azure AD logs.
D. Configure the entity timeline to include Azure AD events manually.
Answer: A

The Azure AD connector provides sign-in logs for UEBA.

Why this answer

The entity timeline in Microsoft Sentinel relies on data already ingested into the workspace. Since Azure AD sign-in events are not appearing, the most likely cause is that the Azure Active Directory connector has not been installed or configured. Installing this connector ingests sign-in logs (and audit logs) into Sentinel, which then populates the entity timeline with sign-in activities for users like jdoe.

Exam trap

The trap here is that candidates confuse the Office 365 connector (which handles SharePoint, Exchange, Teams) with the Azure AD connector (which handles sign-in and audit logs), leading them to choose Option C instead of A.

How to eliminate wrong answers

Option B is wrong because enabling UEBA for Azure AD in Sentinel settings does not ingest data; it only enables behavioral analytics on already-ingested data. Option C is wrong because the Office 365 connector ingests Exchange, Teams, and SharePoint logs, not Azure AD sign-in logs (those require the Azure AD connector). Option D is wrong because the entity timeline cannot be manually configured to include Azure AD events; it automatically displays any ingested entity-related data from connected sources.

1280 · MCQ · easy

Refer to the exhibit. You are viewing an incident in Microsoft Sentinel via the API. The incident is missing an owner. Which automation rule action would assign this incident to the SOC manager?

A. Change incident status to: Active
B. Run playbook (SimplePlaybook)
C. Add tags: ["Malware", "Endpoint"]
D. Assign incident to: SOC Manager
Answer: D

The Assign incident action allows specifying an owner.

Why this answer

Option D is correct because the 'Assign incident' action is used to assign an owner. Option B is wrong because 'Run playbook' triggers a playbook but does not directly assign an owner. Option A is wrong because 'Change status' only changes the status.

Option C is wrong because 'Add tags' only adds labels.

1281 · MCQ · medium

Your SOC uses Microsoft Defender XDR. You need to create a custom detection rule that triggers when a specific process is executed on multiple devices within an hour. Which feature should you use?

A. Advanced hunting query
B. Microsoft Sentinel scheduled analytics rule
C. Attack simulation training
D. Microsoft Defender XDR custom detection rule
Answer: D

Custom detections in Defender XDR allow creation of detection rules using KQL.

Why this answer

Option D is correct because custom detection rules in Microsoft Defender XDR allow KQL-based detection across devices. Option B is wrong because scheduled analytics rules are a Microsoft Sentinel feature. Option A is wrong because advanced hunting queries on their own don't create alerts.

Option C is wrong because Attack simulation training is for testing, not detection.

1282 · MCQ · medium

During an incident involving a compromised Azure VM, the security team wants to capture a memory dump for forensic analysis. The VM is running Windows Server 2022. What is the recommended approach?

A. Use Azure Backup to create a VM snapshot.
B. Establish a PowerShell remote session and run 'Get-Process | Export-CliXML'.
C. Initiate a live response session on the VM and run the 'dump memory' command.
D. Use Azure Disk Encryption to export the disk.
Answer: C

Live response in Microsoft Defender for Endpoint can collect memory dumps for analysis.

Why this answer

Option C is correct because initiating a live response session in Microsoft Defender for Endpoint allows running a memory dump collection command. Option A is wrong because taking a snapshot captures the disk, not memory. Option B is wrong because PowerShell remoting may not work if the VM is isolated.

Option D is wrong because exporting the disk also captures disk state, not memory.

1283 · MCQ · easy

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. After configuring the data connector, you notice that no logs are appearing. You verify that the firewall is sending logs to the Syslog collector. What is the most likely cause?

A. The firewall is sending logs in a format incompatible with the Azure Monitor Agent.
B. The ingestion cost is too high and Sentinel throttled the connection.
C. The syslog daemon on the collector is not configured to forward logs to the Log Analytics workspace.
D. The data connector is disabled in the Log Analytics workspace.
Answer: C

The collector needs to forward logs; if not configured, logs won't reach Sentinel.

Why this answer

Option C is correct because a common issue is that the Syslog collector (e.g., a Linux VM) does not have the required syslog daemon (rsyslog) properly configured to forward logs to Log Analytics. Option D is less likely because connectors are usually enabled by default. Option A is wrong because the Syslog data connector uses the Log Analytics agent, not AMA, by default.

Note that KQL is for querying, not ingestion, so it plays no part in logs failing to arrive.

1284 · MCQ · hard

Refer to the exhibit. You are threat hunting for possible lateral movement using cmd.exe. The KQL query returns no results even though you know cmd.exe was executed. What is the most likely reason?

A. The join key should be on DeviceName instead of DeviceId because DeviceProcessEvents uses DeviceName.
B. The query filters on a specific device name that is missing from the data.
C. The join type should be leftouter to include all process events even if no corresponding device event exists.
D. The join condition should include a time window; process creation events may have slightly different timestamps.
Answer: A

DeviceProcessEvents typically uses DeviceName, while DeviceEvents may use DeviceId or another field.

Why this answer

Option A is correct because the join key is DeviceId, but DeviceProcessEvents and DeviceEvents may use different column names (e.g., DeviceName vs DeviceId). Option D is wrong because timestamps are often not exactly equal; a join on time is not required. Option C is wrong because the join type is inner, which returns only matching rows.

Option B is wrong because the query does not filter on a specific device, so all devices are included.

1285 · MCQ · medium

You are investigating a security incident in Microsoft Defender XDR where a user received a phishing email that bypassed Exchange Online Protection. The email contained a link to a credential harvesting page. After the user entered credentials, the attacker used them to sign in from an unusual location. You need to recommend an automated response to prevent further credential theft from similar emails. What should you implement?

A. Create an Attack Simulation Training campaign in Microsoft Defender for Office 365.
B. Enable Cloud App Security to detect and block malicious cloud apps.
C. Enable Safe Links policy for all users.
D. Configure a Conditional Access policy to block sign-ins from unusual locations.
Answer: A

Attack Simulation Training educates users on recognizing phishing attempts, reducing the likelihood of credential theft.

Why this answer

Option A is correct because Attack Simulation Training in Microsoft Defender for Office 365 can create and automate phishing campaigns to train users, reducing the risk of credential theft. Option C is wrong because Safe Links protects against malicious links in real time but does not train users. Option D is wrong because Conditional Access policies require an identity provider and are not an automated response to emails.

Option B is wrong because Cloud App Security is for shadow IT discovery, not email-based phishing prevention.

1286 · MCQ · medium

You are configuring a Microsoft Sentinel analytics rule to detect brute-force attacks on your Azure Virtual Machines. The rule uses the 'SecurityEvent' table. You notice that the rule is not generating incidents even though you see failed logon events in the logs. What should you check?

A. An automation rule is suppressing incidents with the same name.
B. The workspace retention period is set to less than 90 days.
C. The Log Analytics agent is not installed on the VMs.
D. The analytics rule is enabled and the query is correctly filtering for event ID 4625.
Answer: D

If the rule is disabled or the query is wrong, incidents won't be created.

Why this answer

Option D is correct because the 'SecurityEvent' table collects Windows security events, but the event ID for failed logon (4625) must be included in the query and the rule must be enabled. If the rule is not enabled, it won't generate incidents. Option C is about data source configuration, but the table is already populated.

Option B is about retention, not detection. Option A is about automation rules, not analytics rules.

1287 · MCQ · hard

A security engineer is configuring Microsoft Defender for Cloud in a hybrid environment that includes on-premises servers connected via Azure Arc. The engineer wants to enable the Defender for Cloud plans for servers (including vulnerability assessment) on all Azure Arc-enabled machines. What is the correct method to deploy the Log Analytics agent (or Azure Monitor Agent) and the Microsoft Defender for Endpoint (MDE) integration?

A. Manually install the agents on each server via Group Policy.
B. Enable Azure Policy 'Configure Azure Arc machines to run Azure Monitor Agent' with a DeployIfNotExists policy that also installs the MDE extension.
C. Use the Azure Automation Update Management to deploy agents.
D. Enable the 'Log Analytics agent for Windows' extension on each Arc machine via Azure Arc management.
Answer: B

This policy automatically deploys the required agents and extensions to all Azure Arc machines, ensuring compliance at scale.

Why this answer

Option B is correct because it leverages Azure Policy with a DeployIfNotExists effect to automatically deploy the Azure Monitor Agent (AMA) and the Microsoft Defender for Endpoint (MDE) extension on Azure Arc-enabled servers. This ensures compliance at scale without manual intervention, and it is the recommended method in Defender for Cloud for hybrid machines. The policy also handles the vulnerability assessment integration by enabling the Defender for Cloud plans for servers.

Exam trap

The trap here is that candidates often assume manual agent installation (Option A) or Update Management (Option C) are valid for Defender for Cloud integration, but the exam tests the understanding that Azure Policy is the only scalable, compliant method to deploy both AMA and MDE extensions on Arc machines while enabling Defender for Cloud plans automatically.

How to eliminate wrong answers

Option A is wrong because manually installing agents via Group Policy does not integrate with Defender for Cloud's centralized management, nor does it automatically enable the MDE extension or vulnerability assessment; it also lacks the scalability and compliance enforcement of Azure Policy. Option C is wrong because Azure Automation Update Management is designed for patching and update orchestration, not for deploying agents or extensions; it cannot install the MDE extension or enable Defender for Cloud plans. Option D is wrong because enabling the 'Log Analytics agent for Windows' extension manually via Azure Arc management only deploys the legacy Log Analytics agent (MMA), not the Azure Monitor Agent (AMA) or the MDE extension, and it does not automatically enable vulnerability assessment or Defender for Cloud plans.

1288 · MCQ · hard

During an incident response, a forensic investigator needs to collect a memory dump from a compromised Windows server that is still running. The server has Microsoft Defender for Endpoint installed but is not connected to the internet. Which method should the investigator use?

A. Collect a system memory snapshot from the Microsoft 365 Defender portal
B. Use Live Response to run a memory dump collector on the device
C. Initiate a memory dump from the Microsoft Defender for Endpoint portal
D. Use Sysinternals Suite to capture a memory dump locally
Answer: B

Live Response works even when the device is offline by using a separate communication channel.

Why this answer

Option B is correct because Live Response allows a live memory dump from an offline device via a connected channel. Option C is wrong because the device is offline, so the portal cannot initiate a dump. Option A is wrong because snapshot collection requires the device to be online.

Option D is wrong because Sysinternals is not part of Microsoft's recommended forensic toolkit for this scenario.

1289 · MCQ · hard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to ingest security logs from Azure resources in the West Europe region. The solution must minimize data transfer costs. What should you configure?

A. Configure diagnostic settings to send logs directly to the East US workspace.
B. Use Azure Monitor Agent to collect logs and send them to the East US workspace.
C. Configure diagnostic settings on the West Europe resources to send logs to a Log Analytics workspace in West Europe, and then use a cross-workspace query from the East US workspace.
D. Export logs to a storage account in West Europe and then import them to the East US workspace using Azure Data Factory.
Answer: C

This avoids cross-region transfer costs for ingestion.

Why this answer

Option C is correct because using a diagnostic setting to send logs to a Log Analytics workspace in the same region as the resources minimizes cross-region data transfer costs. Option A would increase costs. Option D is for storage, not real-time ingestion.

Option B is an alternative but does not minimize cost.

1290 · MCQ · easy

You are an incident responder for a company using Microsoft 365 Defender. A critical incident is assigned to you. What is the first action you should take according to best practices?

A. Triage the incident to determine the scope and severity.
B. Escalate the incident to senior management.
C. Immediately isolate all affected devices.
D. Collect a full memory dump from the affected systems.
Answer: A

Triage is the first recommended step in any incident response.

Why this answer

Option A is correct because the first step in incident response is to triage the incident to understand its scope and severity before taking any action. Option C is wrong because isolating devices should only be done after assessing the impact. Option D is wrong because you need to investigate before collecting data.

Option B is wrong because escalation should occur after initial triage, if needed.

1291 · MCQ · easy

Your Microsoft Sentinel workspace is experiencing high ingestion costs. Which of the following actions will most effectively reduce costs while maintaining security visibility?

A. Delete unused analytics rules to reduce log ingestion.
B. Configure Basic Logs for verbose logs like Windows events from non-critical servers.
C. Disable collection of all informational logs.
D. Reduce the data retention period to 30 days.
Answer: B

Basic Logs are cheaper and suitable for high-volume logs that are rarely queried.

Why this answer

Option B is correct because configuring Basic Logs for verbose logs (e.g., Windows Event ID 4688 from non-critical servers) reduces ingestion costs by storing them in a lower-cost tier while still retaining them for security investigations. Basic Logs are charged at a lower ingestion rate and support simple queries and search jobs, preserving visibility for incident response without the full cost of Analytics Logs.

Exam trap

The trap here is that candidates confuse reducing data retention (Option D) with reducing ingestion costs, but retention only affects storage charges, not the per-GB ingestion fee, which is the primary cost driver in Sentinel.

How to eliminate wrong answers

Option A is wrong because deleting unused analytics rules does not reduce log ingestion; analytics rules only consume data already ingested, and removing them does not lower the volume of logs sent to the workspace. Option C is wrong because disabling all informational logs can blind security operations to critical events like user logon failures (Event ID 4625) or privilege escalations, violating the requirement to maintain security visibility. Option D is wrong because reducing the retention period to 30 days may lower storage costs but does not address the ingestion cost itself, which is the primary driver of high costs; it also risks losing historical data needed for long-term threat hunting and compliance.

1292 · MCQ · easy

Refer to the exhibit. You are reviewing a playbook configuration for Microsoft Sentinel. What does this playbook do?

A. It runs only on medium severity incidents
B. It runs when a new alert is generated with high severity
C. It runs on all incidents regardless of severity
D. It runs when a high severity incident is created
Answer: D

The trigger condition checks for incident severity equal to 'High'.

Why this answer

The playbook is configured with a trigger condition that specifies 'When a high severity incident is created'. This means the playbook will only execute when an incident with a severity level of 'High' is generated in Microsoft Sentinel. The condition filters out incidents of other severity levels, ensuring the playbook runs exclusively for high-severity incidents.

Exam trap

The trap here is that candidates may confuse the trigger for incident creation versus alert generation, or overlook the severity filter in the condition, leading them to incorrectly select option B or C.

How to eliminate wrong answers

Option A is wrong because the trigger condition explicitly checks for 'high severity', not 'medium severity', so the playbook does not run on medium severity incidents. Option B is wrong because the trigger is based on incident creation, not alert generation; the playbook runs when an incident is created, not when a new alert is generated. Option C is wrong because the trigger condition includes a severity filter, so it does not run on all incidents regardless of severity; it only runs on high severity incidents.

1293 · MCQ · medium

A SOC analyst needs to create an analytics rule in Microsoft Sentinel that triggers when a user logs in from an IP address outside of the organization's typical geographic locations, based on a learned baseline. Which type of analytics rule is best suited for this scenario?

A. Scheduled rule
B. NRT (Near-Real-Time) rule
C. Anomaly rule
D. Fusion rule
Answer: C

Anomaly rules leverage machine learning to learn normal patterns and alert on outliers, making them perfect for detecting unusual sign-in locations.

Why this answer

An Anomaly rule in Microsoft Sentinel uses machine learning to establish a baseline of normal user behavior, such as typical geographic login locations. When a login event deviates from that learned baseline (e.g., from an unusual IP address outside the expected regions), the rule triggers an alert. This is the only rule type specifically designed for behavior-based anomaly detection without requiring static thresholds or predefined patterns.

Exam trap

The trap here is that candidates confuse Anomaly rules with Scheduled rules, thinking a scheduled query with a geographic filter (e.g., 'where ip_geo not in allowed list') can achieve the same result, but they miss that Anomaly rules dynamically learn and adapt the baseline without manual maintenance of allowed location lists.

How to eliminate wrong answers

Option A is wrong because a Scheduled rule runs on a fixed schedule (e.g., every 5 minutes) and relies on static KQL queries with explicit thresholds, not on a dynamically learned baseline of geographic locations. Option B is wrong because an NRT (Near-Real-Time) rule processes streaming data with low latency but still requires a predefined query and threshold, not machine learning-based anomaly detection. Option D is wrong because a Fusion rule correlates multiple low-fidelity alerts across different products to identify advanced attacks, but it does not learn a baseline of normal user behavior or detect single-event geographic anomalies.

1294 · MCQ · hard

During a ransomware incident, you need to prevent the encryption of files on a server running Windows Server 2022. You have Microsoft Defender for Endpoint Plan 2. Which attack surface reduction rule should you enable?

A. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
B. Block credential stealing from the Windows local security authority subsystem
C. Block Adobe Reader from creating child processes
D. Use advanced protection against ransomware
Answer: D

This rule specifically blocks ransomware.

Why this answer

Option D is correct because 'Use advanced protection against ransomware' is a specific ASR rule that blocks ransomware behavior. Option A is wrong because 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' helps against unknown executables but not specifically ransomware. Option B is wrong because 'Block credential stealing from the Windows local security authority subsystem' targets credential theft.

Option C is wrong because 'Block Adobe Reader from creating child processes' is for PDF exploits.

1295 · MCQ · medium

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft 365 Defender. What is the primary purpose of this query?

A. List all scheduled tasks created in the last 7 days.
B. Correlate scheduled task creation with known threat actor techniques.
C. Identify periods of high scheduled task creation activity that may indicate lateral movement.
D. Calculate the baseline of scheduled task creation per hour.
Answer: C

The query highlights hours with >10 events, suggesting bursts.

Why this answer

The query filters for scheduled task events, groups by ActionType and hourly buckets, then returns only those hours with more than 10 events. Option C is correct because the query identifies high-frequency scheduled task activity, which could indicate lateral movement or persistence. Option D is incorrect because the query uses a fixed threshold (more than 10 events) rather than comparing to a baseline.

Option A is incorrect because the query does not list specific tasks. Option B is incorrect because it does not correlate with known threats.

1296 · MCQ · medium

Based on the KQL query shown, what is the purpose of the case() function?

A. To aggregate counts by severity
B. To include alerts with name containing Malware or Ransomware
C. To filter alerts with severity High or Critical
D. To reclassify High severity alerts as Critical
Answer: D

The case() function changes AlertSeverity value from 'High' to 'Critical'.

Why this answer

Option D is correct because case() reclassifies 'High' severity alerts as 'Critical' for better prioritization. Option C is wrong because case() does not filter alerts; it only transforms the severity field. Option B is wrong because the query already filters for Malware and Ransomware before case() is applied.

Option A is wrong because case() does not aggregate; summarize does that.

1297 · Multi-Select · medium

Which TWO actions should a security analyst take to contain a ransomware outbreak on a Windows server that has Microsoft Defender for Endpoint installed?

Select 2 answers
A. Run a full scan with Microsoft Defender Antivirus
B. Reset the local administrator password
C. Initiate device isolation
D. Uninstall Microsoft Defender for Endpoint and reinstall
E. Restore the system from a backup
Answers: A, C

A full scan can detect and remove the ransomware.

Why this answer

Options A and C are correct. C isolates the device to prevent lateral movement, and A runs a scan to remove the ransomware. Option B is wrong because resetting the password does not stop the ransomware.

Option D is wrong because uninstalling would remove protection. Option E is wrong because a full restore might reintroduce the malware.

1298 · Multi-Select · hard

Which THREE techniques would you use in Microsoft Sentinel to hunt for data exfiltration over DNS?

Select 3 answers
A. Analyze DNS query logs for high volume or long subdomains
B. Examine network traffic logs for large data transfers to known cloud storage IPs
C. Correlate DNS events with process creation events to identify the process making queries
D. Review email forwarding rules for external domains
E. Use ASIM DNS parsers to normalize DNS logs and detect anomalies
Answers: A, C, E

High volume or long subdomains are indicators of DNS tunneling.

Why this answer

Correct options: A, C, E. DNS query analysis (A) identifies unusual domains. Correlating DNS with process creation (C) identifies which process made the query.

Using ASIM DNS parsers (E) standardizes DNS logs. Option B (network traffic logs) covers IP traffic but not DNS queries specifically. Option D (email forwarding rules) is unrelated.

1299 · Multi-Select · hard

Which THREE Microsoft Sentinel features are specifically designed to assist with threat hunting?

Select 3 answers
A. Livestream for real-time hunting.
B. Workbooks for interactive dashboards.
C. Bookmarks to record interesting results.
D. Automation rules to respond to incidents.
E. The Hunting blade with built-in and custom queries.
Answers: A, C, E

Livestream allows live querying.

Why this answer

Options A, C, and E are correct. E is correct because the Hunting blade is dedicated to hunting. C is correct because bookmarks preserve findings.

A is correct because Livestream provides real-time hunting. B is incorrect because Workbooks are for visualization, not hunting. D is incorrect because Automation rules are for incident response, not hunting.

1300 · Multi-Select · hard

Your organization uses Microsoft Sentinel. A security incident related to a compromised user account has been fully investigated and remediated. Which THREE steps should you take to close the incident properly? (Choose three.)

Select 3 answers
A. Verify that all related alerts are resolved or closed.
B. Create a new analytics rule to detect similar activity.
C. Change the incident status to Closed and select an appropriate classification.
D. Add comments summarizing the investigation and remediation steps.
E. Delete the incident to clean up the workspace.
Answers: A, C, D

Ensures that no residual alerts remain.

Why this answer

Options A, C, and D are correct. Adding comments (D) documents the investigation, changing the status to Closed with a classification (C) provides closure, and ensuring no related alerts remain (A) prevents lingering issues. Option E (deleting the incident) is not recommended.

Option B (creating a detection rule) is not necessary for closure.

1301 · MCQ · medium

Your organization uses Microsoft Defender for Office 365 and Microsoft Sentinel. You discover that phishing emails are bypassing Defender for Office 365 and being reported by users. You need to ensure that user-reported emails are automatically analyzed and incidents are created in Sentinel for high-confidence phishing. What should you configure?

A. Set up a custom connector using Microsoft Graph API to ingest user-reported messages into Sentinel.
B. Use the Microsoft 365 Defender portal to create a submission rule for user-reported messages.
C. Configure a mail flow rule to forward user-reported messages to a dedicated mailbox monitored by Sentinel.
D. Enable the 'User reported messages' feature in Defender for Office 365 and ensure the Microsoft Defender XDR connector is enabled in Sentinel.
Answer: D

This integrates automated analysis and incident creation.

Why this answer

Option D is correct because the user-reported messages feature in Defender for Office 365 routes user reports to Microsoft (and optionally to a reporting mailbox), a user report is one of the triggers for automated investigation and response (AIR) in Plan 2, and the resulting Defender XDR incidents flow into Sentinel through the Microsoft Defender XDR connector. Option A is wrong because a custom Graph API connector re-implements, at greater cost and risk, an integration the product already provides. Option B is wrong because submissions are a manual admin action and do not by themselves create Sentinel incidents.

Option C is wrong because a mail flow rule that forwards reports to a mailbox neither analyzes them nor creates Sentinel incidents.

1302
MCQeasy

Your organization wants to use Microsoft Copilot for Security to generate incident summaries. What is the minimum license required?

A.Microsoft 365 E5
B.Microsoft Sentinel
C.Microsoft Defender for Office 365 P2
D.Microsoft Copilot for Security standalone or add-on
AnswerD

This is the required license.

Why this answer

Microsoft Copilot for Security (now branded Microsoft Security Copilot) is licensed separately from every Microsoft 365 and Defender plan: capacity is provisioned as Security Compute Units (SCUs) in Azure, either standalone or as an add-on to an existing security subscription. The minimum requirement to generate incident summaries is therefore that separate Copilot for Security entitlement, on top of the Sentinel or Defender workload that holds the incidents.

Exam trap

The trap here is that candidates often assume Copilot for Security is included with high-tier licenses like Microsoft 365 E5 or Microsoft Sentinel, but Microsoft explicitly requires a separate Copilot for Security license (standalone or add-on) to use its AI capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 E5 bundles Defender for Office 365 Plan 2, Defender for Endpoint Plan 2 and the other Microsoft 365 security products, but not Copilot for Security; a separate license is required (Microsoft Sentinel is not part of E5 either, it is billed as an Azure service). Option B is wrong because Microsoft Sentinel is the SIEM/SOAR that ingests and analyzes security data; Copilot for Security integrates with Sentinel but is licensed on its own. Option C is wrong because Microsoft Defender for Office 365 P2 covers email and collaboration threat protection and does not include Copilot for Security; the add-on or standalone license is still needed.

1303
MCQmedium

A security analyst is investigating a potential data exfiltration incident in Microsoft 365 Defender. They have identified a suspicious email sent to an external recipient containing an attachment. They want to know if the attachment has been opened and if any sensitive data was accessed. Which advanced hunting table should the analyst query to find email attachment activities, such as file download or view?

A.DeviceFileEvents
B.EmailEvents
C.EmailAttachmentInfo
D.UrlClickEvents
AnswerB

EmailEvents is the message-level table (one row per recipient per message, keyed by NetworkMessageId) and the starting point for any email investigation; note that it records delivery, not whether a recipient opened the attachment.

Why this answer

B is the keyed answer because EmailEvents is the advanced hunting table for email-level activity: sender, recipient, subject, EmailDirection, DeliveryAction, DeliveryLocation and AttachmentCount, all keyed by NetworkMessageId. Be aware, though, that advanced hunting has no event for a recipient opening or downloading an attachment, and for an external recipient the tenant has no telemetry at all. In practice the investigation runs in steps: resolve the outbound message in EmailEvents, join EmailAttachmentInfo on NetworkMessageId to get the attachment's FileName and SHA256, then pivot on that hash into DeviceFileEvents and DeviceProcessEvents to establish where the file lived on managed endpoints, who handled it, and whether it contained the sensitive data in question.

Exam trap

The trap here is treating EmailAttachmentInfo as the activity table: it holds one row per attachment with metadata (FileName, FileType, SHA256, ThreatTypes) and no user actions, whereas EmailEvents is the message-level table the investigation starts from.

How to eliminate wrong answers

Option A is wrong as the first table to query because DeviceFileEvents logs file operations (create, modify, rename, delete) on endpoints; it becomes the right pivot only once the attachment's hash is known from the email tables. Option C is wrong because EmailAttachmentInfo provides metadata about attachments (file name, type, hash, threat verdict) but no actions such as download or view. Option D is wrong because UrlClickEvents records Safe Links clicks on URLs in email and Office documents, not attachment events.
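The pivot described above, written out as an added example (this is not part of the question bank and not a Microsoft query). The three let blocks are constructed stand-ins for EmailEvents, EmailAttachmentInfo and DeviceFileEvents so the query runs offline; the contoso.com domain, message IDs, hash, device name and file paths are made up. In a tenant, delete the let blocks and use the real table names.

```kusto
// Added example: constructed sample rows, not real telemetry.
let EmailEventsSample = datatable(Timestamp:datetime, NetworkMessageId:string, SenderFromAddress:string,
    RecipientEmailAddress:string, Subject:string, EmailDirection:string, AttachmentCount:int, DeliveryAction:string)
[
  datetime(2024-05-01 09:12:00), "msg-001", "alice@contoso.com", "buyer@partner.example", "Q2 numbers", "Outbound", 1, "Delivered",
  datetime(2024-05-01 09:20:00), "msg-002", "alice@contoso.com", "bob@contoso.com",       "lunch?",     "Intra-org", 0, "Delivered"
];
let EmailAttachmentInfoSample = datatable(NetworkMessageId:string, FileName:string, FileType:string, SHA256:string)
[
  "msg-001", "customer_list.xlsx", "xlsx", "1f2e3d4c5b6a7988"
];
let DeviceFileEventsSample = datatable(Timestamp:datetime, DeviceName:string, ActionType:string, FileName:string,
    FolderPath:string, SHA256:string, InitiatingProcessFileName:string, InitiatingProcessAccountName:string)
[
  datetime(2024-05-01 08:55:00), "wks-alice", "FileCreated", "customer_list.xlsx", @"C:\Users\alice\Downloads\customer_list.xlsx", "1f2e3d4c5b6a7988", "chrome.exe",   "alice",
  datetime(2024-05-01 09:05:00), "wks-alice", "FileRenamed", "customer_list.xlsx", @"C:\Users\alice\Desktop\customer_list.xlsx",   "1f2e3d4c5b6a7988", "explorer.exe", "alice",
  datetime(2024-05-01 09:30:00), "wks-alice", "FileDeleted", "customer_list.xlsx", @"C:\Users\alice\Desktop\customer_list.xlsx",   "1f2e3d4c5b6a7988", "explorer.exe", "alice"
];
// 1. Outbound messages with attachments sent to addresses outside the tenant
EmailEventsSample
| where EmailDirection == "Outbound" and AttachmentCount > 0
| where RecipientEmailAddress !endswith "@contoso.com"
// 2. Attach file name and hash; NetworkMessageId is the key shared by the email tables
| join kind=inner (EmailAttachmentInfoSample | project NetworkMessageId, FileName, FileType, SHA256) on NetworkMessageId
// 3. Pivot on the hash into endpoint telemetry: where the file lived, who touched it, and when
| join kind=leftouter (
    DeviceFileEventsSample
    | project FileTime = Timestamp, DeviceName, ActionType, FolderPath, SHA256,
              InitiatingProcessFileName, InitiatingProcessAccountName
  ) on SHA256
// A sighting after the send (for example a delete) is worth flagging on its own
| extend Phase = case(isnull(FileTime), "no endpoint sighting",
                      FileTime <= Timestamp, "before send",
                      "after send")
| project SentAt = Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, FileName, SHA256,
          Phase, FileTime, DeviceName, ActionType, FolderPath, InitiatingProcessFileName
| order by SentAt asc, FileTime asc
```

On the sample data only msg-001 survives step 1, and the hash pivot returns its three endpoint sightings (two before the send, one delete afterwards). The leftouter join is deliberate: a message whose attachment has never been seen on a managed device is itself a finding, so it must not be dropped.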

1304
MCQhard

Your Microsoft Sentinel workspace is receiving a high volume of false positive alerts from a specific analytics rule. You need to suppress these alerts without disabling the rule. Which feature should you use?

A.Create an automation rule to close incidents
B.Adjust the alert threshold in the analytics rule
C.Configure alert suppression in the analytics rule
D.Disable incident creation for the rule
AnswerC

Suppression is a setting on a scheduled analytics rule ("Stop running query after alert is generated", for a period of up to 24 hours), so the rule stays enabled but goes quiet after it fires.

Why this answer

Option C is correct because suppression is a per-rule setting: after the rule generates an alert it stops running for the period you set (up to 24 hours), so the rule remains enabled but a noisy condition cannot fire it repeatedly. It is a blunt instrument, since true positives in that window are suppressed too, so the durable fix is still to tune the query. Option A is wrong because an automation rule that auto-closes incidents still lets the alerts and incidents be created; it only hides the results. Option B is wrong because the alert threshold is part of the detection logic, not a suppression mechanism; changing it changes what the rule detects.

Option D is wrong because turning off incident creation still generates alerts; it only stops them from becoming incidents.

1305
MCQmedium

You manage a Microsoft Sentinel workspace with multiple analytics rules. You notice that an analytics rule has not generated any alerts in the past month despite relevant data being ingested. The rule uses a custom KQL query that joins two tables. What is the most likely cause?

A.The join condition in the KQL query is incorrect, resulting in no matching records
B.The rule is using an unsupported KQL function
C.The data connector for the tables is disabled
D.The rule is running on a schedule of 5 minutes but the data arrives every hour
AnswerA

A join whose keys never match returns zero rows, so the rule runs successfully and silently never alerts.

Why this answer

Option A is correct because a join whose keys never match (wrong column, mismatched type, or a casing difference; KQL compares string join keys case-sensitively) returns zero rows, so the rule reports success on every run and never alerts. Option C is less likely because the scenario states the relevant data is being ingested. Option B would make the rule fail with an error rather than run silently.

Option D would still produce alerts on whichever runs see the hourly data, provided the lookback covers it.
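An added example of the silent-join failure and the check a practitioner runs against it (this is not part of the question bank). Two constructed tables stand in for SigninLogs and AuditLogs; the user principal name casing deliberately differs between them, which happens in real tenants when one source records the UPN as the user typed it. The contoso.com names and IP addresses are made up.

```kusto
// Added example: constructed sample rows, not real telemetry.
let SigninSample = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, ResultType:string)
[
  datetime(2024-05-01 10:00:00), "Alice@Contoso.com", "203.0.113.5",  "0",
  datetime(2024-05-01 10:05:00), "bob@contoso.com",   "198.51.100.9", "0"
];
let AuditSample = datatable(TimeGenerated:datetime, InitiatedByUpn:string, OperationName:string)
[
  datetime(2024-05-01 10:02:00), "alice@contoso.com", "Add member to role",
  datetime(2024-05-01 10:07:00), "bob@contoso.com",   "Update user"
];
// The silent rule: the join compiles and runs, but KQL compares string join keys
// case-sensitively, so "Alice@Contoso.com" never meets "alice@contoso.com".
// Alice's role change is dropped and the rule's run history still shows success.
let Broken = SigninSample
| join kind=inner (AuditSample) on $left.UserPrincipalName == $right.InitiatedByUpn;
// The fix: normalize both keys, join on the normalized column, and bound the gap between
// the two events explicitly instead of relying on the rule's lookback to do it.
let Fixed = SigninSample
| extend JoinKey = tolower(UserPrincipalName)
| join kind=inner (AuditSample | extend JoinKey = tolower(InitiatedByUpn)) on JoinKey
| where TimeGenerated1 between (TimeGenerated .. (TimeGenerated + 1h));
// The check to run on any rule that goes quiet: which left-side keys never matched?
let Unmatched = SigninSample
| extend JoinKey = tolower(UserPrincipalName)
| join kind=leftanti (AuditSample | extend JoinKey = tolower(InitiatedByUpn)) on JoinKey;
union
  (Broken    | summarize Rows = count() | extend Query = "broken: raw UPN keys"),
  (Fixed     | summarize Rows = count() | extend Query = "fixed: tolower() on both keys"),
  (Unmatched | summarize Rows = count() | extend Query = "sign-ins with no matching audit row")
```

Note the explicit kind=inner: the default join kind in KQL is innerunique, which keeps only one left-side row per key value, another way a rule can quietly under-report. When a rule stops alerting, run each side of the join on its own with `| distinct <key>`, then the leftanti variant, before touching anything else.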

1306
MCQmedium

You are managing a Microsoft Sentinel environment with multiple workspaces across different regions. You need to centralize incident management and allow security analysts to triage incidents from all workspaces in a single view. What should you configure?

A.Configure a central Microsoft Sentinel workspace with cross-workspace analytics rules.
B.Create a workbook that queries all workspaces.
C.Use the Microsoft Sentinel SIEM Migration experience.
D.Use Azure Lighthouse to manage all workspaces from a single pane of glass.
AnswerA

Central workspace with cross-workspace rules can aggregate incidents.

Why this answer

Option A is correct because a scheduled analytics rule can query across workspaces with the workspace() expression (up to 20 workspaces in one query), so a central workspace can evaluate data from all regional workspaces and raise incidents in one place; analysts then work a single queue without switching between workspace blades. Two caveats a practitioner should know: the regional workspaces still hold their own data and any incidents created by rules defined locally, and cross-workspace queries are heavier than local ones, so keep the central rules focused on what genuinely needs a cross-region view.

Exam trap

The trap here is that candidates often confuse Azure Lighthouse's cross-tenant management capabilities with the specific need to aggregate incidents into a single view, overlooking that Lighthouse alone does not merge incident queues across workspaces.

How to eliminate wrong answers

Option B is wrong because a workbook is a visualization and reporting tool, not an incident management interface; it cannot provide a triage queue. Option C is wrong because the SIEM Migration experience helps move detections from a third-party SIEM into Sentinel, not consolidate existing Sentinel workspaces. Option D is wrong because Azure Lighthouse delegates access across tenants; it does not by itself create incidents in one place. Sentinel's multiple-workspace incident view can list incidents from several workspaces (and, with Lighthouse, several tenants) side by side, but each incident still lives in, and is worked in, the workspace that created it.

1307
Multi-Selectmedium

Your organization is responding to a ransomware incident. Which TWO actions should be taken first to contain the incident while preserving forensic evidence?

Select 2 answers
A.Isolate affected devices using Microsoft Defender for Endpoint.
B.Reset passwords for all users in the organization.
C.Disable compromised user accounts in Microsoft Entra ID.
D.Perform a factory reset on all affected devices.
E.Shut down network switches to isolate the network segment.
AnswersA, C

Isolation contains the threat and preserves data.

Why this answer

Option A (isolate affected devices in Defender for Endpoint) and Option C (disable the compromised accounts in Microsoft Entra ID) are the correct first steps: network isolation cuts the attacker's access while keeping the device connected to the Defender service, so live response and evidence collection still work, and disabling the accounts stops lateral movement. Option D is wrong because a factory reset wipes the disk, and the forensic evidence with it. Option B is wrong because resetting every user's password is disruptive, over-broad, and not a containment step.

Option E is wrong because powering down switches takes production offline, severs the management channel to the endpoints, and is not a standard first step.

1308
MCQmedium

An analyst is investigating a file that was detected as malicious on several devices. In Microsoft 365 Defender, where can the analyst find information about the file's prevalence, global reputation, and related incidents?

A.File entity page
B.Device entity page
C.User entity page
D.Email entity page
AnswerA

The file entity page aggregates all file-related information, making it the central place for investigation.

Why this answer

The File entity page in Microsoft 365 Defender aggregates file-level telemetry, including prevalence (number of devices/users), global reputation (Microsoft's cloud-based threat intelligence), and a timeline of related incidents. This page is the single pane of glass for file-centric investigations, pulling data from Microsoft Defender for Endpoint, Office 365, and other XDR sources.

Exam trap

Microsoft often tests the distinction between entity pages by making candidates confuse the File entity page (which shows prevalence and reputation) with the Device entity page (which shows device-specific alerts but not file-level global data).

How to eliminate wrong answers

Option B is wrong because the Device entity page focuses on device-level details (OS, alerts, logged-on users, network connections) and does not show file prevalence or global reputation. Option C is wrong because the User entity page displays user-centric data (sign-ins, roles, alerts) and lacks file-specific prevalence or reputation metrics. Option D is wrong because the Email entity page is scoped to email messages (headers, attachments, delivery status) and does not provide file prevalence across devices or global reputation scores.

1309
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You need to ensure that alerts from Defender for Cloud Apps are forwarded to Microsoft Sentinel. Which connector should you use in Sentinel?

A.Windows Security Events via AMA connector
B.Microsoft Defender for Cloud Apps connector
C.Microsoft 365 Defender connector
D.Azure Activity connector
AnswerB

This is the dedicated connector to ingest alerts from Defender for Cloud Apps.

Why this answer

The Microsoft Defender for Cloud Apps connector is the dedicated built-in connector: it ingests Defender for Cloud Apps alerts into SecurityAlert and, optionally, Cloud Discovery log data into McasShadowItReporting. Option C is the plausible distractor: the Microsoft 365 Defender (now Defender XDR) connector also carries Defender for Cloud Apps alerts as part of synchronized XDR incidents, but the question asks for the connector specific to Defender for Cloud Apps, and only the dedicated connector brings the discovery data. Option A is wrong because Windows Security Events via AMA ingests Windows event logs from servers and workstations.

Option D is wrong because the Azure Activity connector ingests the Azure subscription activity log.

1310
Multi-Selectmedium

A security analyst is triaging security alerts in Microsoft Defender for Cloud. Which of the following are valid ways to suppress a specific alert type to reduce noise? (Choose all that apply.)

Select 2 answers
A.Create an alert suppression rule based on alert entity
B.Modify the alert's severity
C.Set an automatic response action
D.Define a rule to automatically dismiss alerts that meet criteria
AnswersA, D

Alert suppression rules can be configured to suppress alerts based on entity, such as specific IP addresses or resources.

Why this answer

Options A and D describe the same mechanism from two angles: a suppression rule in Microsoft Defender for Cloud is a rule that automatically dismisses alerts matching criteria you define. You pick the alert type (by its title), scope the rule to a subscription or management group, optionally restrict it to entity conditions such as a specific IP address, user, host or Azure resource, give it a reason and an expiry, and matching alerts are dismissed without reaching the queue. Option B only relabels the alert, which still fires. Option C attaches a response action to the alert, which still fires.

Exam trap

The trap here is that candidates often confuse 'suppression' with 'automation' or 'severity modification', thinking that changing severity or adding a response action will reduce noise, when in fact only suppression rules (or automatic dismissal rules) actually remove alerts from the queue.

1311
Multi-Selecteasy

Which TWO roles in Microsoft Entra ID can manage Microsoft Defender for Cloud Apps? (Select two.)

Select 2 answers
A.Compliance Administrator
B.Security Administrator
C.Global Administrator
D.Security Reader
E.Application Administrator
AnswersB, C

Can manage security settings.

Why this answer

The Security Administrator role in Microsoft Entra ID has the permissions to manage Microsoft Defender for Cloud Apps, including configuring policies, investigating alerts, and managing app permissions; it is the least-privilege choice for this job. Global Administrator also has full access to Defender for Cloud Apps, as it does to every Microsoft 365 security product, which makes it a correct answer but not one to hand out for this purpose. Security Reader is read-only, and Application Administrator manages app registrations and enterprise applications, not Defender for Cloud Apps.

Exam trap

The trap here is that candidates often confuse the Compliance Administrator role as having security management capabilities due to its name, but it is strictly limited to compliance tasks and cannot manage Defender for Cloud Apps.

1312
MCQmedium

In Microsoft 365 Defender, a security analyst wants to get a detailed report on a newly discovered malware campaign, including indicators of compromise, recommended actions, and impacted devices. Where should the analyst go to find this information?

A.Alerts queue
B.Incident page
C.Threat analytics
D.Action center
AnswerC

Threat analytics delivers detailed reports on active threats, including IoCs, impact, and mitigation guidance.

Why this answer

Threat analytics in Microsoft 365 Defender provides detailed reports on active malware campaigns, including indicators of compromise (IoCs), recommended actions, and impacted devices. This is the dedicated workspace for tracking and responding to emerging threats, offering curated intelligence from Microsoft security researchers.

Exam trap

The trap here is that candidates confuse the Incident page (which handles active investigations) with Threat analytics (which provides pre-built campaign intelligence and proactive guidance), leading them to select the Incident page for campaign details instead of the dedicated threat intelligence hub.

How to eliminate wrong answers

Option A is wrong because the Alerts queue shows individual security alerts (e.g., from Defender for Endpoint or Defender for Office 365) but does not aggregate campaign-level context, IoCs, or recommended actions. Option B is wrong because the Incident page groups related alerts into an incident for investigation but does not provide the pre-built campaign analysis, threat intelligence, or remediation guidance found in Threat analytics. Option D is wrong because the Action center lists pending and completed remediation actions (e.g., running antivirus scans or isolating devices) but does not contain threat campaign reports or IoCs.

1313
MCQeasy

During an incident response, a SOC analyst needs to automatically collect relevant evidence from multiple Microsoft 365 services. Which Microsoft Sentinel playbook trigger should the analyst configure?

A.Microsoft Sentinel Playbook trigger 'When a response action is executed'.
B.Microsoft Sentinel Scheduled Analytics rule trigger.
C.Microsoft Sentinel Alert trigger.
D.Microsoft Sentinel Incident trigger with action 'Collect evidence'.
AnswerD

The Microsoft Sentinel incident trigger runs the playbook when an incident is created, with the incident's alerts and entities available to the Logic Apps actions that gather evidence from the various services.

Why this answer

Option D is correct because the Microsoft Sentinel incident trigger fires the playbook when an incident is created (or updated), passing the full incident with its alerts and entities to the Logic Apps actions that pull evidence from the Microsoft 365 services. Option C is wrong because the alert trigger fires per alert with no incident context, the wrong granularity for cross-service evidence collection. Option A is wrong because 'When a response action is executed' is not a Microsoft Sentinel trigger.

Option B is wrong because a scheduled analytics rule is a detection, not a playbook trigger.

1314
Multi-Selectmedium

Which TWO are valid methods for performing threat hunting in Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Using playbooks to respond to incidents
B.Using the Hunting blade with built-in queries
C.Using the MITRE ATT&CK dashboard
D.Using Jupyter notebooks with MSTICpy
E.Using watchlists to create alerts
AnswersB, D

The Hunting blade provides pre-built queries for threat hunting.

Why this answer

Option B is correct because the Hunting blade provides built-in and custom hunting queries mapped to MITRE ATT&CK. Option D is correct because Jupyter notebooks with MSTICpy allow custom, data-science-driven hunting against the workspace. Option C is wrong because the MITRE ATT&CK page visualizes detection coverage; it is not a hunting method.

Option E is wrong because watchlists are enrichment data, not a hunting method. Option A is wrong because playbooks are response automation.

1315
MCQhard

A security administrator is configuring Microsoft Defender for Cloud's regulatory compliance dashboard for Azure resources. They need to track compliance against the SOC 2 standard using a built-in initiative. Which steps are required to add SOC 2 to the dashboard?

A.Enable Defender for Cloud on the subscription, then add the SOC 2 regulatory compliance initiative
B.Enable Defender for Cloud's enhanced security features, then assign the built-in SOC 2 policy initiative
C.Create a custom policy initiative based on SOC 2 controls and assign it to the management group
D.Configure Azure Policy manually with SOC 2 policies
AnswerB

Enhanced security features (Defender for Cloud plans) enable the full set of capabilities, and then the SOC 2 initiative can be assigned from the regulatory compliance dashboard.

Why this answer

Option B is correct because Microsoft Defender for Cloud's regulatory compliance dashboard requires enhanced security features (formerly Azure Defender) to be enabled on the subscription. Once enabled, you can assign the built-in SOC 2 policy initiative, which automatically maps Azure Policy definitions to SOC 2 controls and displays compliance status in the dashboard. Without enhanced security features, the regulatory compliance dashboard is not available.

Exam trap

The trap here is that candidates often assume the free tier of Defender for Cloud is sufficient for regulatory compliance tracking, but Microsoft specifically requires enhanced security features (paid tier) to enable the regulatory compliance dashboard and assign built-in initiatives like SOC 2.

How to eliminate wrong answers

Option A is wrong because simply enabling Defender for Cloud (the free tier) does not provide access to the regulatory compliance dashboard; enhanced security features must be enabled. Option C is wrong because creating a custom policy initiative based on SOC 2 controls is unnecessary and not the built-in method; the SOC 2 initiative is provided out-of-the-box and should be assigned directly. Option D is wrong because manually configuring Azure Policy with SOC 2 policies would not integrate with the regulatory compliance dashboard's automated mapping and scoring; the built-in initiative is required for proper dashboard integration.

1316
MCQeasy

You are a security operations analyst. You need to ensure that when a suspicious sign-in is detected by Microsoft Entra ID Protection, an incident is automatically created in Microsoft Sentinel and assigned to the Tier 1 SOC team. What should you configure in Microsoft Sentinel?

A.Create an automation rule that triggers when an incident is created and sets the owner to the Tier 1 SOC group.
B.Create a playbook that is triggered by the Microsoft Entra ID Protection data connector.
C.Enable UEBA and configure role-based access control (RBAC).
D.Configure an analytics rule with a corresponding automation rule to assign the incident.
AnswerA

Automation rules handle incident assignment.

Why this answer

Option A is correct because automation rules trigger when an incident is created and can set the owner, among other actions; the incident itself comes from the Microsoft security incident creation rule for Microsoft Entra ID Protection alerts. Option B is wrong because a playbook is heavier than needed for a simple assignment, and data connectors do not trigger playbooks. Option D is not the best answer because the incident creation rule for Entra ID Protection is typically already in place; the assignment logic in either case lives in the automation rule, which is exactly what A describes.

Option C is wrong because UEBA is behavioral detection and RBAC controls who can access the workspace; neither assigns incidents.

1317
MCQmedium

You are configuring a Microsoft Sentinel workbook to display incident metrics. You want to show the average time to triage incidents over the last 30 days. Which data source should you use?

A.CommonSecurityLog table.
B.SecurityIncident table.
C.SecurityAlert table.
D.SigninLogs table.
AnswerB

The SecurityIncident table holds incident properties including CreatedTime, FirstModifiedTime and ClosedTime; there is no dedicated "triaged" column, so time to triage is derived as FirstModifiedTime minus CreatedTime.

Why this answer

Incident data in Sentinel is stored in the SecurityIncident table, which writes a new row each time an incident changes, so a workbook query must first reduce it to the latest row per incident. Option B is correct. Option C is wrong because SecurityAlert holds individual alerts, not incidents or their lifecycle timestamps.

Option A is wrong because CommonSecurityLog is for CEF/syslog data. Option D is wrong because SigninLogs is for authentication logs.
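An added example of the workbook query (not part of the question bank). The let block is a constructed imitation of the SecurityIncident table with the columns the query needs; in a workbook, replace it with SecurityIncident and let the workbook's time range parameter scope CreatedTime. Incident numbers, titles and timestamps are made up.

```kusto
// Added example: constructed sample rows, not real incidents.
let SecurityIncidentSample = datatable(TimeGenerated:datetime, IncidentNumber:int, Title:string,
    Severity:string, Status:string, CreatedTime:datetime, FirstModifiedTime:datetime, ClosedTime:datetime)
[
  datetime(2024-04-10 08:00:00), 101, "Brute force",  "Medium", "New",    datetime(2024-04-10 08:00:00), datetime(null),                datetime(null),
  datetime(2024-04-10 08:25:00), 101, "Brute force",  "Medium", "Active", datetime(2024-04-10 08:00:00), datetime(2024-04-10 08:25:00), datetime(null),
  datetime(2024-04-11 12:00:00), 102, "Mailbox rule", "High",   "New",    datetime(2024-04-11 12:00:00), datetime(null),                datetime(null),
  datetime(2024-04-11 12:15:00), 102, "Mailbox rule", "High",   "Closed", datetime(2024-04-11 12:00:00), datetime(2024-04-11 12:15:00), datetime(2024-04-11 12:15:00),
  datetime(2024-04-12 09:00:00), 103, "Noisy rule",   "Low",    "New",    datetime(2024-04-12 09:00:00), datetime(null),                datetime(null)
];
SecurityIncidentSample
// Every update writes a new row, so keep only the latest state of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
// Triage = first touch after creation (owner, status or severity change); resolve = closure
| extend TriageMinutes  = iff(isnotnull(FirstModifiedTime), datetime_diff("minute", FirstModifiedTime, CreatedTime), long(null)),
         ResolveMinutes = iff(isnotnull(ClosedTime),        datetime_diff("minute", ClosedTime,        CreatedTime), long(null))
| summarize
    Incidents           = count(),
    StillUntriaged      = countif(isnull(TriageMinutes)),
    AvgTriageMinutes    = avg(TriageMinutes),
    MedianTriageMinutes = percentile(TriageMinutes, 50),
    AvgResolveMinutes   = avg(ResolveMinutes)
  by Severity
| order by Severity asc
```

Two caveats for the metric itself: FirstModifiedTime records the first change of any kind, so if automation rules assign owners at creation the number measures automation, not analysts (filter those out with ModifiedBy if that matters), and the untriaged count is reported alongside the average because an average over only the incidents that were touched hides the backlog.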

1318
MCQmedium

A SOC analyst wants to use Microsoft Sentinel's User and Entity Behavior Analytics (UEBA) to identify a user who is performing suspicious actions, such as accessing a high number of resources outside of their normal pattern. What must be enabled for UEBA to function correctly in Microsoft Sentinel?

A.Enable Microsoft Entra ID Identity Protection and ensure the Microsoft Sentinel workspace has UEBA enabled.
B.Enable Microsoft Entra ID Audit Logs and Sign-in Logs streaming directly to the Sentinel workspace.
C.Install the Microsoft 365 Defender connector and enable UEBA in Microsoft 365 Defender.
D.Deploy the Azure Sentinel UEBA solution from Content Hub and configure watchlists for user baselines.
AnswerA

Correct per the key. The decisive step is turning on UEBA in the Sentinel workspace and selecting its data sources; Microsoft Entra ID Protection adds the risk context the key also expects.

Why this answer

UEBA in Microsoft Sentinel is enabled per workspace (Settings, Entity behavior), where you also select the data sources it profiles: Microsoft Entra ID audit and sign-in logs, Azure Activity, and Security Events. It then builds per-entity baselines and writes anomalies to the BehaviorAnalytics table and the entity pages, which is what surfaces a user accessing an unusual number of resources. Microsoft Entra ID Protection contributes risk detections that enrich those users, and the keyed answer treats both as required. The point to retain is that streaming the logs alone never switches UEBA on; the workspace-level setting does.

Exam trap

The trap here is that candidates often assume simply enabling data connectors (like Audit Logs or Microsoft 365 Defender) is sufficient for UEBA, but they overlook the requirement to explicitly enable UEBA at the Sentinel workspace level and to enable Microsoft Entra ID Identity Protection for risk signal integration.

How to eliminate wrong answers

Option B is wrong because simply streaming Microsoft Entra ID Audit Logs and Sign-in Logs to Sentinel provides raw data but does not enable UEBA; UEBA requires the workspace-level UEBA setting to be turned on and Identity Protection for risk scoring. Option C is wrong because installing the Microsoft 365 Defender connector and enabling UEBA in Microsoft 365 Defender does not enable UEBA in Microsoft Sentinel; UEBA in Sentinel is a separate feature that must be enabled within the Sentinel workspace, not in Microsoft 365 Defender. Option D is wrong because there is no 'Azure Sentinel UEBA solution' in Content Hub; UEBA is a built-in feature of Sentinel that is enabled via the workspace settings, not through a solution deployment, and watchlists are used for custom entity enrichment, not for enabling UEBA.

1319
MCQmedium

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident is created?

A.The incident severity will be changed
B.A new analytics rule will be created
C.The playbook 'BlockIPPlaybook' will be executed
D.The incident will be automatically closed
AnswerC

Action type is RunPlaybook with the specified playbook.

Why this answer

The exhibit shows an automation rule whose trigger is "When incident is created" and whose action is "Run playbook" targeting BlockIPPlaybook, so option C. Options A and D (change severity, change status) are valid automation rule actions but are not the one configured here. Option B is not an automation rule action at all; analytics rules are created separately.

1320
MCQeasy

A security analyst in your organization receives an alert from Microsoft Defender for Cloud Apps indicating that a user has installed a third-party app with high permissions in Microsoft 365. The analyst suspects a consent phishing attack. Which Microsoft Sentinel feature should the analyst use to investigate the user's activity before deciding on remediation?

A.Automation rule
B.Hunting query
C.Entity page
D.Workbook
AnswerC

Entity page provides a consolidated view of all activities related to a user.

Why this answer

The correct answer is C because the user entity page in Microsoft Sentinel consolidates the alerts, incidents, UEBA insights and activity timeline for a specific user, which is what the analyst needs to see what the consenting user did before and after granting the app. Option A is wrong because automation rules are for automated response, not investigation. Option B is wrong because hunting queries are for proactive hunting across the dataset, not for investigating one known user.

Option D is wrong because workbooks are for visualization and reporting, not investigation.

1321
MCQmedium

Refer to the exhibit. You have a Microsoft Sentinel analytic rule configured to detect brute force attacks. The rule runs every 30 minutes and groups alerts into incidents based on Account and IP. You notice that multiple incidents are created for the same user and IP within a short time. What should you do to reduce the number of incidents?

A.Decrease the query frequency to 1 hour
B.Increase the lookback duration to 2 hours
C.Increase the trigger threshold to 10
D.Disable alert grouping
AnswerB

A longer alert-grouping window lets later alerts join the existing open incident instead of opening a new one.

Why this answer

The keyed answer is B, and the setting that does the work is the alert-grouping time window in the rule's Incident settings ("Limit the group to alerts created within the selected time frame", up to 24 hours): alerts that share the grouping entities (here Account and IP) and arrive within that window are added to the existing incident, so widening it from the current value to 2 hours merges the bursts that are now landing in separate incidents. Read the "2 hours" in option B as that grouping window, not as the query's data lookback ("Lookup data from the last"): stretching the lookback beyond the run frequency makes successive runs overlap and re-alert on the same events, which adds alerts rather than reducing incidents.

Exam trap

Microsoft often tests the three time settings on a scheduled rule: how often it runs (frequency), how far back each run queries (lookback), and how long new alerts keep joining the same incident (grouping window). Only the last one reduces duplicate incidents, and candidates routinely adjust one of the other two.

How to eliminate wrong answers

Option A is wrong because running the rule every hour instead of every 30 minutes does not change how alerts are grouped; alerts from separate runs would still open separate incidents for the same Account and IP (and the lookback would have to be widened to match, or events would be missed). Option C is wrong because raising the trigger threshold to 10 changes what counts as a detection and can suppress genuine brute-force incidents entirely rather than merging duplicates. Option D is wrong because disabling alert grouping makes every alert its own incident, which multiplies the incident count instead of reducing it.

1322
MCQmedium

Your organization has a Microsoft Sentinel workspace in the East US region. You have deployed the Microsoft Defender XDR connector and are ingesting incidents from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. The SOC team reports that some incidents from Defender for Office 365 are missing in Sentinel, but all incidents from the other sources appear correctly. You have verified that the connector is enabled and that there are no ingestion errors. The missing incidents are related to phishing emails that were detected by Defender for Office 365 and automatically remediated (soft deleted) by the system. The incidents are visible in the Microsoft 365 Defender portal. What should you do to ensure these incidents appear in Sentinel?

A.Create an automation rule that triggers on missing incidents and creates them manually.
B.Create a new analytics rule using the Office 365 connector to generate incidents from Defender for Office 365 alerts.
C.Create a new Microsoft Defender XDR connector in a different region to capture all incidents.
D.Re-enable the Microsoft Defender XDR connector and restart the data ingestion.
AnswerB

This ensures that alerts from Defender for Office 365, including auto-resolved ones, generate incidents in Sentinel.

Why this answer

Option B is correct per the key: a scheduled analytics rule in Sentinel built on the Defender for Office 365 data makes Sentinel create incidents for those auto-remediated phishing detections itself, rather than depending on the XDR incident synchronization. Option D is wrong because the connector is already enabled with no ingestion errors; re-enabling it changes nothing.

Option C is wrong because the connector is not region-dependent, and a second connector would not change which incidents are synchronized. Option A is wrong because automation rules act on incidents that already exist in Sentinel; they cannot create incidents from alerts that never arrived.

1323
MCQhard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that returns accounts with more than 10 failed logins within 5 minutes. The query is not returning any results even though you know there have been multiple failed logins. What is the most likely reason?

A.The 'startswith' operator is not a valid KQL operator
B.The 'bin' function is used incorrectly
C.The query syntax requires a 'let' statement
D.The filter condition 'Account !startswith "ANONYMOUS LOGON"' is case-sensitive and may be excluding valid results
AnswerD

Per the key the filter is what excludes the valid results. Note, however, that startswith and !startswith are case-insensitive in KQL; only the _cs variants (startswith_cs, !startswith_cs) and == compare case-sensitively.

Why this answer

Option D is the keyed answer, but its reasoning needs a correction: `!startswith` in KQL is case-insensitive, as are `startswith`, `endswith`, `contains`, `has` and `=~`; the case-sensitive forms carry a `_cs` suffix (`startswith_cs`, `contains_cs`, `has_cs`), and `==` is case-sensitive. A filter written as `Account !startswith "ANONYMOUS LOGON"` therefore drops 'ANONYMOUS LOGON' and 'anonymous logon' alike, and casing cannot explain the missing results. What such a filter can do is exclude more than intended, so the practical check when a query goes silent is to remove the `where` clauses one at a time and count rows after each stage. If the exhibit's query actually used `!startswith_cs` or `!=`, the case argument in the key does apply.

Exam trap

The trap cuts both ways: many candidates assume every KQL string operator is case-insensitive, and this question's key assumes they are all case-sensitive. The rule to learn is that the plain forms (has, contains, startswith, endswith, =~) ignore case while the _cs forms and == respect it, and that a join on string keys behaves like ==.

How to eliminate wrong answers

Option A is wrong because `startswith` is a valid KQL operator that filters strings beginning with a given prefix. Option B is wrong because `bin` is the normal way to bucket events into fixed intervals (here 5-minute bins) in a time-series aggregation; using it badly would change the grouping, not produce zero rows while failed logons exist. Option C is wrong because a `let` statement only defines variables or reusable expressions; the query runs without one.
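An added example that makes the operator behaviour visible (not part of the question bank). The let block is a constructed imitation of SecurityEvent with Account values chosen to expose which operators ignore case; the domain name, account and IP addresses are made up. Each countif applies one filter to the same rows, so the differences between the counts are the differences between the operators.

```kusto
// Added example: constructed sample rows, not real events.
let SecurityEventSample = datatable(TimeGenerated:datetime, EventID:int, Account:string, IpAddress:string)
[
  datetime(2024-05-01 11:00:00), 4625, @"CONTOSO\jdoe",                 "10.0.0.7",
  datetime(2024-05-01 11:00:10), 4625, @"CONTOSO\jdoe",                 "10.0.0.7",
  datetime(2024-05-01 11:00:20), 4625, @"ANONYMOUS LOGON",              "10.0.0.9",
  datetime(2024-05-01 11:00:30), 4625, @"anonymous logon",              "10.0.0.9",
  datetime(2024-05-01 11:01:00), 4625, @"NT AUTHORITY\ANONYMOUS LOGON", "10.0.0.9"
];
SecurityEventSample
| where EventID == 4625
| summarize
    Rows                = count(),
    // case-insensitive prefix test: both spellings of the anonymous account are dropped
    Kept_startswith     = countif(Account !startswith    "ANONYMOUS LOGON"),
    // case-sensitive prefix test: the lower-case row slips through
    Kept_startswith_cs  = countif(Account !startswith_cs "ANONYMOUS LOGON"),
    // == respects case, =~ ignores it
    Eq_case_sensitive   = countif(Account ==  "anonymous logon"),
    Eq_case_insensitive = countif(Account =~  "anonymous logon"),
    // neither prefix test removes the domain-qualified form; a substring test does
    Kept_contains       = countif(Account !contains "ANONYMOUS LOGON")
```

Run the same staged counting against the real rule: replace the final `summarize ... by Account, bin(TimeGenerated, 5m) | where Failures > 10` with a plain `count()` after each `where`, and the stage at which the row count collapses is the filter to fix. In the sample above, the prefix filters keep the NT AUTHORITY form, which is the reason many published rules exclude anonymous logons with `!contains` or on the AccountType column instead.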

1324
MCQmedium

During a threat hunt, you discover suspicious PowerShell commands executed on multiple workstations. Which KQL function in Microsoft Sentinel is most effective for aggregating similar commands to identify a pattern?

A.summarize
B.extend
C.search
D.project
AnswerA

Aggregates events by common fields like command hash.

Why this answer

Option A is correct because summarize groups similar events by common fields (for example, a command hash or normalized command line) and can collect the variants with make_list. Option C is wrong because search is for raw text. Option D is wrong because project is for column selection. Option B is wrong because extend adds computed columns.

1325
MCQeasy

A threat hunter is using Microsoft Defender XDR Advanced hunting to find evidence of credential dumping. Which table should be queried to detect use of tools like Mimikatz?

A.CloudAppEvents
B.DeviceEvents
C.IdentityLogonEvents
D.EmailEvents
AnswerB

DeviceEvents contain endpoint behavioral alerts, including credential dumping detections.

Why this answer

The DeviceEvents table includes events from endpoint security sensors, including detection of credential dumping tools like Mimikatz. Option C (IdentityLogonEvents) is for logon events. Option D (EmailEvents) is for email. Option A (CloudAppEvents) is for cloud apps.

1326
MCQmedium

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerC

Defender for Cloud Apps monitors cloud app activity including SharePoint Online and can alert on suspicious file access.

Why this answer

Microsoft Defender for Cloud Apps (Option C) is the correct workload because it provides visibility into cloud application usage, including SharePoint Online, and can generate alerts for suspicious file access patterns such as mass download, unusual file sharing, or access from anomalous locations. It uses behavioral analytics and anomaly detection to identify compromised accounts accessing sensitive data in SaaS applications like SharePoint.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming Office 365 covers all cloud workloads, but Cloud Apps is specifically designed for SaaS app security and anomaly detection in services like SharePoint.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., Windows, macOS, Linux) and detects threats like malware or suspicious processes on those devices, not file access patterns in SharePoint Online. Option B is wrong because Microsoft Defender for Office 365 primarily protects email and collaboration tools (Exchange Online, Teams) from threats like phishing and malware, but does not specialize in monitoring file access patterns in SharePoint. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and hybrid identities for attacks like Kerberos abuse or lateral movement, not cloud-based SharePoint file access.

1327
Multi-Selectmedium

Which TWO actions can be performed using automation rules in Microsoft Sentinel? (Select TWO.)

Select 2 answers
A.Create a new incident from an alert.
B.Modify the query of an existing analytics rule.
C.Assign an incident to a specific owner.
D.Delete an incident automatically.
E.Trigger a playbook when an incident is created.
AnswersC, E

Assignment is a supported action in automation rules.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can perform actions such as assigning an incident to a specific owner. This is a built-in action within the automation rule configuration, allowing you to automatically set the owner field of an incident based on conditions like severity or rule ID, without requiring a playbook. Option E is correct because running a playbook when an incident is created is likewise a built-in automation rule action.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, mistakenly thinking automation rules can create incidents or modify analytics rule logic, when in fact automation rules only act on existing incidents and cannot alter detection logic or delete incidents.

1328
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to implement a solution that automatically suppresses low-severity incidents from specific IP addresses that are known internal scanners. Which THREE configurations should you make?

Select 3 answers
A.Add the IP addresses to a watchlist and reference it in analytics rules.
B.Configure an analytics rule with a suppression condition that includes the IP addresses.
C.Create an automation rule that closes incidents matching the IP addresses.
D.Create a suppression rule in Microsoft Defender for Cloud.
E.Create a playbook that deletes incidents from those IP addresses.
AnswersA, B, C

Correct: Watchlists can be used for filtering.

Why this answer

Options A, B, and C are correct. Watchlists can hold the known scanner IPs and be referenced from analytics rules, analytics rules can carry a suppression condition for those IPs, and automation rules can close the matching incidents. Option D is wrong because Microsoft Defender for Cloud doesn't suppress Sentinel incidents. Option E is wrong because playbooks cannot suppress incidents before creation.

1329
MCQeasy

A security analyst wants to quickly check the number of incidents created in Microsoft Sentinel in the last 7 days, grouped by severity. Which KQL query should the analyst use?

A.SecurityIncident | where TimeGenerated > ago(7d) | summarize count() by Severity
B.SecurityAlert | where TimeGenerated > ago(7d) | summarize count() by Severity
C.SigninLogs | where TimeGenerated > ago(7d) | summarize count() by Status
D.DeviceEvents | where TimeGenerated > ago(7d) | summarize count() by ActionType
AnswerA

Correct. This query filters incidents from the last 7 days and counts them per severity.

Why this answer

Option A is correct because the SecurityIncident table in Microsoft Sentinel stores incident records, and the query filters for incidents created in the last 7 days using `where TimeGenerated > ago(7d)`, then groups them by severity with `summarize count() by Severity`. This directly answers the analyst's need to check the number of incidents grouped by severity.

Exam trap

The trap here is confusing the SecurityIncident table (for incidents) with the SecurityAlert table (for alerts), as many candidates mistakenly use SecurityAlert when the question explicitly asks for incident counts.

How to eliminate wrong answers

Option B is wrong because SecurityAlert contains alert data, not incidents; alerts can be grouped into incidents but are not the same entity, so this query would count alerts, not incidents. Option C is wrong because SigninLogs tracks user sign-in events and uses Status (e.g., success/failure), not incident severity, so it is irrelevant to incident counts. Option D is wrong because DeviceEvents logs device-level activities and uses ActionType (e.g., 'CreateProcess'), not incident severity, making it unrelated to incident management.

1330
MCQhard

Your SOC team uses Microsoft Sentinel's UEBA to detect insider threats. You want to ensure that UEBA can correlate activities across multiple data sources. Which data source must be enabled for UEBA to function properly?

A.Azure Activity logs
B.Office 365 audit logs
C.Windows Security Events
D.Microsoft Entra ID audit logs
AnswerD

Provides identity context for UEBA.

Why this answer

Microsoft Entra ID (formerly Azure AD) audit logs provide the identity context that is essential for UEBA to correlate user activities. Option A is wrong because Azure Activity logs record resource-level operations. Option C is wrong because Windows Security Events alone lack identity correlation. Option B is wrong because Office 365 audit logs are useful but not the core requirement.

1331
MCQeasy

You are hunting for privileged account abuse in Microsoft Entra ID. Which table in Microsoft Sentinel contains audit logs for changes to directory roles?

A.IdentityLogonEvents
B.AuditLogs
C.SigninLogs
D.DeviceLogonEvents
AnswerB

Contains directory role changes and other audit events.

Why this answer

Option B is correct because AuditLogs in Microsoft Entra ID contain directory role changes. Option C is incorrect because SigninLogs contains sign-in events. Option D is incorrect because DeviceLogonEvents is for device logons. Option A is incorrect because IdentityLogonEvents is for identity protection events.

1332
Multi-Selectmedium

Which TWO actions should you perform to contain a ransomware incident in Microsoft Defender for Endpoint?

Select 2 answers
A.Reset the local administrator password.
B.Isolate the device from the network.
C.Run a full antivirus scan.
D.Kill the malicious processes.
E.Collect the ransomware sample for analysis.
AnswersB, D

Isolation stops communication with command and control.

Why this answer

Options B and D are correct. Isolating the device prevents further spread, and killing the malicious processes stops the encryption. Option C is wrong because running an antivirus scan is not immediate containment. Option A is wrong because resetting the local administrator password addresses an account, not containment of the endpoint. Option E is wrong because collecting the sample is for investigation, not containment.

1333
MCQeasy

A security analyst is using Microsoft Defender for Cloud's adaptive application controls (AAC) to allowlist trusted applications on Azure VMs. After enabling AAC and running in 'Audit' mode for a week, the analyst wants to switch to 'Enforce' mode. Which pre-requisite must be met before enforcement can be applied?

A.The VM must have the Guest Configuration extension installed.
B.A valid Microsoft Defender for Servers Plan 2 license must be assigned to the VM.
C.The VM must have a baseline of allowed applications generated from at least two weeks of audit data.
D.The VM must be running on a supported operating system like Windows Server 2016 or later.
AnswerC

Correct. AAC requires a baseline of known good applications from audit mode before enforcement can block unapproved applications.

Why this answer

Adaptive application controls require a minimum of two weeks of audit data to establish a reliable baseline of allowed applications before enforcement can be applied. This baseline ensures that legitimate applications are not blocked when switching from Audit to Enforce mode, reducing false positives and operational disruptions.

Exam trap

The trap here is that candidates may assume any supported OS or license is sufficient, but Microsoft specifically requires the two-week audit baseline to prevent enforcement from blocking legitimate applications.

How to eliminate wrong answers

Option A is wrong because the Guest Configuration extension is used for Azure Policy guest configuration assignments, not for adaptive application controls. Option B is wrong because while Defender for Servers Plan 2 is required to use adaptive application controls, it is a prerequisite for enabling the feature itself, not specifically for switching from Audit to Enforce mode. Option D is wrong because although supported operating systems are necessary, the specific prerequisite for enforcement is the two-week audit baseline, not just OS version support.

1334
MCQeasy

A security analyst receives a Microsoft Defender for Identity alert about a suspicious Kerberos attack. The analyst needs to contain the compromised account immediately. What should the analyst do?

A.Disable the user account in Microsoft Entra ID.
B.Remove the user from all privileged groups.
C.Require the user to change their password at next sign-in.
D.Reset the user's password and notify the user.
AnswerA

Disabling stops all authentication.

Why this answer

Option A is correct because disabling the account in Microsoft Entra ID stops authentication. Option D is wrong because resetting the password without disabling the account may allow ongoing attacks. Option B is wrong because removing the user from groups does not prevent authentication. Option C is wrong because requiring a password change at next sign-in depends on the user signing in and may not be effective.

1335
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are configuring Microsoft Defender for Identity to protect against lateral movement attacks. Which configuration should you prioritize to detect pass-the-hash attacks?

A.Configure port mirroring for domain controllers
B.Enable 'SAM-R' (Remote SAM) in the Microsoft Defender for Identity sensor configuration
C.Configure Windows Event Forwarding (WEF) for domain controllers
D.Enable 'Capture NTLM hashes' in the Microsoft Defender for Identity sensor configuration
AnswerD

Enabling this setting allows the sensor to capture NTLM hashes for pass-the-hash detection.

Why this answer

Option D is correct because enabling 'Capture NTLM hashes' in the Microsoft Defender for Identity sensor configuration allows the sensor to extract NTLM hashes from network traffic. Pass-the-hash attacks rely on capturing and reusing NTLM hashes to authenticate laterally; by capturing these hashes, Defender for Identity can detect anomalies such as a hash being used from a different source or for suspicious logon attempts, directly identifying the attack.

Exam trap

The trap here is that candidates confuse prerequisites (port mirroring) or supporting features (SAM-R for lateral movement paths, WEF for event collection) with the specific configuration needed to detect pass-the-hash, which is the direct capture of NTLM hashes from network traffic.

How to eliminate wrong answers

Option A is wrong because port mirroring for domain controllers is a prerequisite for network traffic capture but does not itself enable detection of pass-the-hash attacks; it only provides the raw data. Option B is wrong because enabling SAM-R (Remote SAM) is used for lateral movement path detection (e.g., enumerating local admin groups) but does not capture or analyze NTLM hashes for pass-the-hash detection. Option C is wrong because configuring Windows Event Forwarding (WEF) for domain controllers collects Windows security events (e.g., 4624 logon events) but does not capture NTLM hashes from network traffic, which is essential for detecting pass-the-hash.

1336
MCQmedium

A large enterprise uses Microsoft Defender for Cloud with all enhanced security plans enabled. They want to automatically enable the Defender for Cloud plans on new Azure subscriptions that are created under their management group. Which approach should they use?

A.Assign the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' at the management group level.
B.Configure 'Continuous export' settings in Defender for Cloud to export policies to Log Analytics for each subscription.
C.Set the default security policies at the management group level in Defender for Cloud's environment settings.
D.Enable 'Auto provisioning' for the Log Analytics agent in Defender for Cloud.
AnswerA

This policy initiative automatically enables the defined Defender plans for current and future subscriptions under the management group.

Why this answer

Option A is correct because the built-in Azure Policy initiative 'Enable Microsoft Defender for Cloud on all subscriptions' is designed to be assigned at a management group scope, automatically enabling all Defender for Cloud plans on new subscriptions as they are created under that management group. This leverages Azure Policy's compliance evaluation and remediation tasks to enforce the security plans across the entire hierarchy without manual intervention.

Exam trap

The trap here is that candidates often confuse configuring default security policies (which only set recommendation baselines) with the Azure Policy initiative that actually enables the pricing tiers for Defender for Cloud plans on new subscriptions.

How to eliminate wrong answers

Option B is wrong because 'Continuous export' in Defender for Cloud is used to stream security alerts and recommendations to Log Analytics or Event Hubs for external analysis, not to enable Defender for Cloud plans on new subscriptions. Option C is wrong because setting default security policies at the management group level in Defender for Cloud's environment settings only defines the security configurations (e.g., which recommendations are enforced) but does not automatically enable the enhanced security plans themselves on new subscriptions. Option D is wrong because 'Auto provisioning' for the Log Analytics agent installs the agent on existing VMs to collect data, but it does not enable Defender for Cloud plans or apply to new subscriptions automatically.

1337
MCQhard

A security analyst is investigating a ransomware incident and needs to find all files that were written to a specific device within a 5-minute window before the ransomware process started. The analyst knows the device name and the ransomware process start time. Which advanced hunting table and KQL operator combination would be most efficient to find the file creation events?

A.DeviceFileEvents with where
B.DeviceProcessEvents with join
C.DeviceEvents with where
D.DeviceImageLoadEvents with where
AnswerA

DeviceFileEvents contains file creation events; filtering with 'where' on device and time is the simplest approach.

Why this answer

DeviceFileEvents is the correct table because it specifically captures file creation, modification, and deletion events on devices. Using the `where` operator to filter by device name and a timestamp range (5 minutes before the ransomware process start time) is the most efficient way to retrieve the exact file creation events needed for the investigation.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (process creation) with file creation events, or they think a `join` is needed to correlate process start time with file events, when a simple `where` on DeviceFileEvents is sufficient and more efficient.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents tracks process creation events, not file creation events, and using `join` would be unnecessarily complex and less efficient than a simple `where` filter. Option C is wrong because DeviceEvents is a generic table that captures various security events (e.g., Windows Defender alerts, Exploit Guard events) but does not specifically log file creation events. Option D is wrong because DeviceImageLoadEvents records when a process loads a DLL or executable image, not file creation events.
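The query that the explanation above describes, written out as an added example (it is not part of the question bank). The device name and the ransomware process start time are placeholders to be replaced with the values from the incident; the `ActionType` value `FileCreated` is the DeviceFileEvents action for file creation.

```kql
// Added example: DeviceFileEvents filtered with 'where' on device and a 5-minute
// window ending at the ransomware process start time (no join needed).
let TargetDevice = "ws-finance-07.contoso.local";   // placeholder device name
let RansomStart  = datetime(2024-01-15T10:42:00Z);  // placeholder process start time
DeviceFileEvents
| where DeviceName =~ TargetDevice
| where Timestamp between ((RansomStart - 5m) .. RansomStart)
| where ActionType == "FileCreated"
| project Timestamp, FolderPath, FileName, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Timestamp asc
```

Restricting the window before applying the `ActionType` filter keeps the scan small, and projecting the initiating process columns shows which process wrote each file, which is usually the first clue to the dropper or the staging step that preceded encryption.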

1338
MCQhard

Refer to the exhibit. An analyst is reviewing this custom detection rule in Microsoft Sentinel. The rule is not generating any alerts even though services are being installed on servers. What is the most likely reason?

A.The where clause filters for legitimate services only.
B.The extend functions are incorrectly parsing the AdditionalFields.
C.The ActionType filter is incorrect.
D.The triggerThreshold should be set to a higher value.
AnswerA

The condition `ServiceName startswith 'Legit'` matches only services whose name starts with 'Legit', so the rule alerts on legitimate services, not suspicious ones.

Why this answer

Option A is correct because the where clause filters for ServiceName starting with 'Legit', a legitimate prefix, so the rule only alerts on services whose names start with 'Legit', which is the opposite of what is intended. Option C is wrong because the ActionType filter is correct. Option B is wrong because the extend functions are correct. Option D is wrong because the trigger threshold is 0, meaning any result triggers an alert.

1339
Multi-Selecteasy

Which TWO techniques are commonly used in threat hunting to identify potential malicious activity? (Choose two.)

Select 2 answers
A.Searching for known indicators of compromise (IoCs).
B.Disabling security controls to observe attacker behavior.
C.Analyzing anomalies in baseline behavior.
D.Waiting for alerts from automated detection tools.
E.Automatically blocking all suspicious traffic.
AnswersA, C

IoCs help identify known threats.

Why this answer

Option A is correct because searching for known indicators of compromise (IoCs) is a common technique. Option C is correct because analyzing anomalies in baseline behavior is a core hunting technique. Option D is wrong because threat hunting is proactive, not just reactive waiting for alerts. Option B is wrong because disabling security controls is not a hunting technique. Option E is wrong because threat hunting is typically performed by humans, not fully automated.

1340
Multi-Selecteasy

Which TWO of the following are valid data connectors for Microsoft Sentinel? (Select TWO.)

Select 2 answers
A.Docker containers
B.Amazon RDS
C.Azure Firewall
D.Google Cloud Storage
E.Microsoft Entra ID
AnswersC, E

Azure Firewall connector is available.

Why this answer

Options C and E are correct. Microsoft Entra ID and Azure Firewall have built-in connectors. Option D is wrong because Google Cloud Storage is not a default connector; it requires custom ingestion. Option A is wrong because Docker is not a data source for Sentinel. Option B is wrong because Amazon RDS is not a direct connector.

1341
MCQmedium

During an investigation, you need to check if any user has been assigned privileged roles in Microsoft Entra ID outside of normal business hours. Which data source would provide this information?

A.OfficeActivity (Office 365)
B.SecurityEvent (Windows Event Logs)
C.SigninLogs (Microsoft Entra ID)
D.AuditLogs (Microsoft Entra ID)
AnswerD

AuditLogs track administrative activities including role assignments.

Why this answer

Option D is correct because AuditLogs in Azure AD (now Microsoft Entra ID) capture role assignment changes. Option C (SigninLogs) shows sign-ins but not role changes. Option B (SecurityEvent) is for Windows events. Option A (OfficeActivity) is for Office 365 workloads.

1342
MCQhard

Fabrikam has a hybrid environment with on-premises Active Directory synced to Microsoft Entra ID. They use Microsoft Sentinel and Microsoft Defender XDR. A critical incident is opened: 'Credential theft detected - domain admin account compromised.' The incident includes alerts from Microsoft Defender for Identity (MDI) showing anomalous Kerberos ticket requests and from Microsoft Defender for Endpoint showing a process dump on a domain controller. You need to contain the incident immediately. The organization has a strict policy of not disabling the domain admin account without approval due to critical dependencies. Which of the following is the BEST course of action?

A.Reset the domain admin password and revoke sessions in Microsoft Entra ID.
B.Disable the domain admin account temporarily.
C.Isolate the domain controller using Microsoft Defender for Endpoint.
D.Reset the krbtgt account password twice to force Kerberos ticket invalidation.
AnswerD

This invalidates all existing Kerberos tickets, cutting off attacker access.

Why this answer

Option D is correct: resetting the krbtgt account password twice forces all existing Kerberos tickets to be invalidated, effectively containing the credential theft without disabling the account. Option C is wrong because isolating the domain controller would disrupt services. Option A is wrong because resetting the domain admin password alone does not invalidate existing Kerberos tickets. Option B is wrong because disabling the account violates policy.

1343
MCQmedium

A security analyst suspects a user's device is exfiltrating data via DNS queries to a known malicious domain. Which Advanced Hunting table should the analyst query to find DNS requests made from the device?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.IdentityLogonEvents
D.EmailUrlInfo
AnswerA

This table logs network connections, and when the action type is DnsQuery, it captures DNS requests.

Why this answer

DeviceNetworkEvents is the correct table because it contains network-level events, including DNS queries, from devices monitored by Microsoft Defender for Endpoint. The analyst needs to inspect DNS requests to identify exfiltration to a known malicious domain, and this table specifically logs the destination URL (including FQDNs) and the initiating process, making it the appropriate source for such queries.

Exam trap

The trap here is that candidates may confuse DeviceProcessEvents with network activity because processes initiate network connections, but DeviceProcessEvents only logs process creation details, not the actual network traffic or DNS queries.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it logs process creation events (e.g., command-line arguments, parent processes), not network traffic like DNS queries. Option C (IdentityLogonEvents) is wrong because it captures authentication and logon events from Azure Active Directory, not network-level DNS activity. Option D (EmailUrlInfo) is wrong because it records URLs found in email messages, not DNS queries made from a device.

1344
MCQhard

Your company uses Microsoft Sentinel and has connected Microsoft 365 Defender. You have configured an automation rule that, when an incident is created with a high severity, triggers a playbook that sends an email to the SOC manager and creates a ticket in ServiceNow. Recently, the automation rule stopped triggering the playbook. You check the automation rule and see it is enabled. You also check the playbook and see it is enabled. However, the playbook's run history shows no new runs for the last 24 hours, even though high-severity incidents have been created. You verify that the incidents are indeed high severity and that the automation rule's conditions match. What is the most likely cause?

A.The incident severity was changed after creation, so the rule condition no longer matches.
B.The automation rule has reached its maximum number of actions (trigger limit) and has been automatically disabled by Sentinel.
C.The playbook has been deleted and needs to be re-created.
D.The automation rule was accidentally disabled by another administrator.
AnswerB

Automation rules have a limit on the number of times they can trigger; once exceeded, they stop.

Why this answer

Option B is correct because automation rules have a trigger limit (number of actions per rule) that might be exceeded if many incidents are created. Once the limit is reached, the rule stops triggering. Option D is wrong because the rule is enabled. Option A is wrong because the incidents are high severity, so the conditions match. Option C is wrong because the playbook is not the issue; the automation rule is not triggering it.

1345
MCQmedium

A SOC team wants to automate response to incidents detected by Microsoft Sentinel. When a new incident is created with severity "High" and contains a specific tag "malware", they want to run a playbook that isolates the affected device. What is the correct way to configure this automation?

A.Create an automation rule that triggers on "When incident is created" and set conditions for severity equals High and tag contains "malware", then set a playbook action.
B.Create a custom analytics rule that runs the playbook directly when triggered.
C.Configure a logic app with a trigger on "When a Microsoft Sentinel incident is created" and use conditions inside the logic app.
D.Use the Microsoft Sentinel API to create a webhook that triggers the playbook.
AnswerA

This correctly uses automation rules to trigger the playbook based on incident properties.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel are specifically designed to trigger playbooks based on incident creation events and conditions like severity and tag. By setting the trigger to 'When incident is created' and conditions for severity equals 'High' and tag contains 'malware', the rule will invoke the playbook to isolate the affected device automatically, without manual intervention.

Exam trap

The trap here is that candidates may think a custom analytics rule or a direct Logic App trigger is equivalent to an automation rule, but Microsoft Sentinel's automation rules are the intended and most efficient way to conditionally invoke playbooks based on incident properties like severity and tags.

How to eliminate wrong answers

Option B is wrong because custom analytics rules generate alerts or incidents based on query results, but they do not directly run playbooks; playbooks are invoked by automation rules or as part of incident response. Option C is wrong because while a Logic App with a 'When a Microsoft Sentinel incident is created' trigger can work, it bypasses the native automation rule framework and requires manual condition handling inside the Logic App, making it less efficient and not the recommended configuration for this scenario. Option D is wrong because using the Microsoft Sentinel API to create a webhook is an indirect, custom integration method that lacks the built-in triggering and condition evaluation of automation rules, and is not the standard way to automate incident response.

1346
Multi-Selecthard

Which THREE techniques are commonly used in threat hunting within Microsoft Defender XDR to detect privilege escalation?

Select 3 answers
A.Spearphishing attachment
B.Data exfiltration
C.Token manipulation
D.Access token manipulation
E.Process injection
AnswersC, D, E

Involves stealing or creating tokens to gain higher privileges.

Why this answer

Token manipulation, process injection, and access token manipulation are common privilege escalation techniques. Data exfiltration is a goal, not technique; spearphishing is initial access.

1347
MCQmedium

Your threat hunt identifies that an attacker used a previously unknown malware variant to move laterally. Which Microsoft Defender XDR feature would you use to automatically block the file based on behavioral detection?

A.Web Protection
B.Custom file indicators (IoC)
C.Network Protection
D.Attack Surface Reduction (ASR) rules
AnswerD

ASR rules can block behaviors like 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'.

Why this answer

Option D is correct because Attack Surface Reduction (ASR) rules can block suspicious behavior. Option B (Custom file indicators) blocks based on known IoCs. Option C (Network Protection) blocks network connections. Option A (Web Protection) blocks web traffic.

1348
MCQhard

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

A.DeviceNetworkEvents | where RemoteIP == 'user@contoso.com' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
B.IdentityLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
C.DeviceLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
D.DeviceLogonEvents | where AccountUpn == 'user@contoso.com' | summarize count() by DeviceName, bin(Timestamp, 10m) | where count_ > 5
AnswerC

Correct. This query filters for the user's interactive logons, groups by 10-minute windows, counts distinct DeviceNames, and returns windows where the count exceeds 5.

Why this answer

Option C is correct because DeviceLogonEvents is the Microsoft 365 Defender table that captures logon events on devices, including RDP interactive logons. The query filters for the specific user account and interactive logon type, then uses summarize with dcount(DeviceName) by bin(Timestamp, 10m) to count distinct devices within each 10-minute window, and finally filters for windows where the distinct device count exceeds 5, which matches the lateral movement scenario.

Exam trap

The trap here is that candidates confuse DeviceLogonEvents with IdentityLogonEvents or DeviceNetworkEvents. DeviceNetworkEvents has no logon columns at all. IdentityLogonEvents carries similar columns (AccountUpn, LogonType, DeviceName), but it records authentications observed by Defender for Identity sensors on domain controllers and by Microsoft Entra ID, so its coverage depends on identity-provider visibility; DeviceLogonEvents comes from the endpoint sensor on the workstation itself, which is the device-level view the question asks for.

How to eliminate wrong answers

Option A is wrong because DeviceNetworkEvents captures network-level events (connections, listening ports), not logon events, and filtering RemoteIP by a UPN (user@contoso.com) is semantically wrong: RemoteIP is an IP address, not a user identifier, so the where clause matches nothing. Option B is wrong because IdentityLogonEvents is the identity-provider view (Defender for Identity and Microsoft Entra ID) of authentications rather than the endpoint's own logon sessions; the question asks for device-level data captured by Defender for Endpoint. Option D is wrong because it uses count() grouped by DeviceName instead of dcount(DeviceName), so it counts logon events per device rather than the number of distinct devices reached, and it lacks the LogonType filter, so batch, service and network logons would be counted too; it would never express "more than 5 distinct devices".
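The following is an added example, not part of the exam page: a Python model of the Option C logic run over a constructed set of DeviceLogonEvents-shaped rows, so the dcount-per-bin behaviour can be checked offline (KQL itself only runs against a tenant). The KQL in the comment is the corrected form of Option C with the ActionType == 'LogonSuccess' and RemoteInteractive fixes described above; the sample rows, the UPN and the device names are constructed, and the sliding-window function is an addition that shows what fixed bin() windows miss.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows in the shape of DeviceLogonEvents (not real telemetry).
# Columns: Timestamp, DeviceName, AccountUpn, LogonType, ActionType.
# RDP sessions land in this table as LogonType "RemoteInteractive"; a console
# logon is "Interactive". The six RDP logons below straddle the 10:10 bin edge.
SAMPLE_EVENTS = [
    ("2024-05-01T10:07:00Z", "WS01", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),
    ("2024-05-01T10:08:00Z", "WS02", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),
    ("2024-05-01T10:09:00Z", "WS03", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),
    ("2024-05-01T10:11:00Z", "WS04", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),
    ("2024-05-01T10:12:00Z", "WS05", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),
    ("2024-05-01T10:13:00Z", "WS06", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),
    ("2024-05-01T10:13:30Z", "WS06", "user@contoso.com", "RemoteInteractive", "LogonSuccess"),  # same device again
    ("2024-05-01T10:14:00Z", "WS07", "user@contoso.com", "Network", "LogonSuccess"),            # SMB-style, not RDP
    ("2024-05-01T10:15:00Z", "WS08", "user@contoso.com", "RemoteInteractive", "LogonFailed"),   # failed attempt
    ("2024-05-01T10:15:30Z", "WS09", "other@contoso.com", "RemoteInteractive", "LogonSuccess"), # other account
]

UPN = "user@contoso.com"
RDP_LOGON_TYPES = frozenset({"Interactive", "RemoteInteractive"})

# KQL this code mirrors (Option C plus the ActionType and RemoteInteractive fixes):
#   DeviceLogonEvents
#   | where AccountUpn == 'user@contoso.com' and ActionType == 'LogonSuccess'
#   | where LogonType in ('Interactive', 'RemoteInteractive')
#   | summarize dcount(DeviceName) by bin(Timestamp, 10m)
#   | where dcount_DeviceName > 5


def parse(rows):
    """Turn the tuples above into dicts keyed by the DeviceLogonEvents column names."""
    return [
        {
            "Timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "DeviceName": device,
            "AccountUpn": upn,
            "LogonType": logon_type,
            "ActionType": action,
        }
        for ts, device, upn, logon_type, action in rows
    ]


def matching(events, upn, logon_types=RDP_LOGON_TYPES):
    """The 'where' clauses: this account, a successful logon, an interactive-class LogonType."""
    return [
        e for e in events
        if e["AccountUpn"] == upn
        and e["ActionType"] == "LogonSuccess"
        and e["LogonType"] in logon_types
    ]


def devices_per_bin(events, upn, bin_minutes=10):
    """summarize dcount(DeviceName) by bin(Timestamp, 10m): distinct devices per fixed bin."""
    bins = defaultdict(set)
    for e in matching(events, upn):
        ts = e["Timestamp"]
        floored = ts - timedelta(minutes=ts.minute % bin_minutes, seconds=ts.second)
        bins[floored.isoformat()].add(e["DeviceName"])
    return {k: len(v) for k, v in sorted(bins.items())}


def flag_bins(events, upn, threshold=5, bin_minutes=10):
    """The final 'where dcount_DeviceName > 5' over fixed bins."""
    return {k: n for k, n in devices_per_bin(events, upn, bin_minutes).items() if n > threshold}


def flag_sliding(events, upn, threshold=5, window_minutes=10):
    """Sliding variant: from each logon, count distinct devices reached within window_minutes.

    Catches a burst that a fixed bin() splits across two adjacent bins.
    """
    ordered = sorted(matching(events, upn), key=lambda e: e["Timestamp"])
    hits = []
    for i, first in enumerate(ordered):
        cutoff = first["Timestamp"] + timedelta(minutes=window_minutes)
        devices = {e["DeviceName"] for e in ordered[i:] if e["Timestamp"] < cutoff}
        if len(devices) > threshold:
            hits.append((first["Timestamp"].isoformat(), sorted(devices)))
    return hits


EVENTS = parse(SAMPLE_EVENTS)

if __name__ == "__main__":
    print("distinct devices per 10m bin:", devices_per_bin(EVENTS, UPN))
    print("bins over threshold:", flag_bins(EVENTS, UPN))      # {} : the burst is split 3 + 3
    print("sliding-window hits:", flag_sliding(EVENTS, UPN))   # one hit from 10:07 covering WS01..WS06
```

With this data the fixed-bin version returns no hit because the six RDP logons fall 3 into the 10:00 bin and 3 into the 10:10 bin, while the sliding window sees all six within ten minutes of the first logon; the repeated WS06 logon, the Network logon, the failed logon and the other account are all correctly excluded by the filters.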

1349
MCQmedium

A SOC analyst receives a high-severity alert for a user who downloaded a malicious file from a phishing email. The analyst needs to quickly assess the scope of the incident across endpoints, email, and identities. Which Microsoft Defender XDR feature should the analyst use to get a unified view of the incident?

A.Microsoft Defender XDR incident queue
B.Microsoft Purview compliance portal
C.Microsoft Intune device compliance dashboard
D.Microsoft Sentinel incidents blade
AnswerA

Microsoft Defender XDR incident queue provides a unified view of incidents across all workloads.

Why this answer

The Microsoft Defender XDR incident queue is the correct choice because it correlates alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365 and Microsoft Defender for Identity into a single incident, so the analyst can follow the malicious file from the phishing email to the endpoint that ran it and the user identity involved without switching consoles. This unified incident management is a core feature of Microsoft Defender XDR, designed for rapid triage and scope assessment of multi-domain threats.

Exam trap

The trap here is that candidates often confuse the Microsoft Defender XDR incident queue with Microsoft Sentinel incidents, assuming Sentinel is the primary unified view, but the question specifically asks for the Microsoft Defender XDR feature, not a separate SIEM product.

How to eliminate wrong answers

Option B is wrong because the Microsoft Purview compliance portal covers data governance, eDiscovery and compliance policies (DLP, retention), not real-time incident correlation across endpoints, email and identities. Option C is wrong because the Microsoft Intune device compliance dashboard reports compliance status and policy enforcement for managed devices; it does not aggregate security alerts or show email and identity evidence. Option D is wrong because Microsoft Sentinel is a separate SIEM/SOAR product: its Incidents blade can display Defender XDR incidents once the Microsoft Defender XDR data connector is enabled, but it is not the native Defender XDR feature the question asks for and requires that additional integration.

1350
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that only users with the appropriate permissions can run playbooks from within the incident investigation interface. What role should you assign to the security operations team?

A.Microsoft Sentinel Contributor
B.Microsoft Sentinel Reader
C.Microsoft Sentinel Responder
D.Global Administrator in Microsoft Entra ID
AnswerA

Contributor can run playbooks.

Why this answer

The intended answer is Microsoft Sentinel Contributor, the broadest of the three built-in Sentinel workspace roles and the one the exam expects for an operations team that works incidents and triggers playbooks from the incident page. Option B is wrong because Microsoft Sentinel Reader can only view data, incidents and workbooks. Option C is wrong because Microsoft Sentinel Responder adds incident management (assign, change status, add comments) on top of Reader but no automation permissions. Option D is wrong because Global Administrator is a Microsoft Entra ID directory role rather than an Azure RBAC role scoped to the workspace; it is far more privilege than the task needs and violates least privilege.

Caveat for practice: playbooks are Azure Logic Apps resources, and none of the three Microsoft Sentinel roles by themselves grant permissions on those resources. Microsoft's documentation requires the Microsoft Sentinel Playbook Operator role (or Logic App Contributor) on the resource group that contains the playbooks, in addition to a Sentinel role, before a user can run a playbook manually from an incident or alert; the separate Microsoft Sentinel Automation Contributor role is what allows the Sentinel service itself to invoke playbooks from automation rules. Least privilege for analysts who only triage and run existing playbooks is Responder plus Playbook Operator; reserve Contributor for staff who also author analytics rules, workbooks and automation.
