Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1351-1425

1639 questions total · 22 pages · All types, answers revealed

Page 19 of 22
1351 · Multi-Select · medium

Which THREE steps should be included in a Microsoft Sentinel playbook for automatic incident response when a high-severity alert fires?

Select 3 answers
A. Investigate the alert by enriching with threat intelligence
B. Notify the security team via email or Teams
C. Pause the incident for 24 hours before taking action
D. Create a new Azure resource for logging
E. Contain the threat by blocking indicators
Answers: A, B, E

Enrichment helps validate the alert.

Why this answer

The playbook should investigate, contain, and notify. Pausing the incident is not standard; the playbook should run immediately. Creating a new Azure resource is not typically part of incident response.

1352 · Multi-Select · hard

Which THREE conditions must be met for Microsoft Sentinel to automatically run a playbook on an incident?

Select 3 answers
A. The incident severity must be set to High or Critical
B. The playbook must have the Sentinel Responder role assigned
C. The incident must be created by a scheduled or NRT analytics rule
D. The user must be signed in to the Azure portal
E. The playbook must be set to 'Enabled' on the automation rule
Answers: B, C, E

Permissions are required for the playbook to run.

Why this answer

The playbook must be enabled for automatic triggers, the incident must be created by an analytics rule, and the playbook must have the correct permissions. The user does not need to be signed in, and the incident does not need to be of a specific severity.

1353 · MCQ · hard

Refer to the exhibit. You are deploying this ARM template to create a saved search in Microsoft Sentinel. What is the purpose of this saved search?

A. Identify computers that have not sent heartbeats in the last 24 hours.
B. Identify computers with low disk space.
C. Identify computers that are generating a high number of heartbeats, which may indicate a potential compromise.
D. Identify computers that have communicated with a malicious IP address.
Answer: C

High heartbeat frequency can indicate malicious activity.

Why this answer

Option C is correct because the query counts heartbeats per computer in the last day and filters for computers with more than 100 heartbeats, indicating unusually high activity. Option A is incorrect because the query does not check for missing heartbeats or unresponsive computers. Option B is incorrect because the query does not check disk space. Option D is incorrect because the query does not check for communication with malicious IP addresses.

1354 · MCQ · easy

You are hunting for signs of ransomware activity. Which of the following behaviors in Microsoft Defender for Endpoint should you prioritize as a high-confidence indicator?

A. A process deleting Volume Shadow Copies
B. A process encrypting or renaming large numbers of files in rapid succession
C. A process creating a scheduled task
D. A process downloading multiple files from the internet
Answer: B

This is a hallmark of ransomware behavior.

Why this answer

Option B is correct because mass file encryption or renaming is a direct sign of ransomware. Option A is wrong because, while shadow copy deletion is common after ransomware, it can also be done by legitimate tools. Option C is wrong because scheduled task creation is common for persistence but not specific to ransomware. Option D is wrong because large file downloads can be benign.

1355 · MCQ · medium

You are responding to an incident where a user's credentials were used to access a federated SaaS application from an IP address associated with a known threat actor. The user's account is not disabled. Which action is most effective to prevent further unauthorized access?

A. Reset the user's password and revoke active sessions
B. Create a Conditional Access policy to block the IP
C. Disable the user's account
D. Block the source IP address on the firewall
Answer: A

This invalidates the compromised credentials and terminates current sessions.

Why this answer

Resetting the user's password and revoking tokens is the most effective because it invalidates current sessions and prevents further use of stolen credentials. Disabling the account is also effective but may cause business disruption; resetting and revoking is less disruptive. Blocking the IP may not be effective if the threat actor uses different IPs.

A Conditional Access policy change is slower.

1356 · Multi-Select · medium

Which THREE actions should you take when investigating a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

Select 3 answers
A. Create a file policy to detect similar activities in the future
B. Check Microsoft Defender for Identity for related alerts
C. Use the investigation tools to search for related events in Microsoft Sentinel
D. Run a cloud discovery report to identify unsanctioned apps
E. Review the user's activity log in the Defender for Cloud Apps portal
Answers: A, C, E

Helps in preventing future exfiltration.

Why this answer

Option A is correct because file policies are key to detecting similar activity in the future. Option C is correct because SIEM integration provides context. Option E is correct because the activity log shows what the user did, and governance actions can be applied to the user from there. Option B is wrong because MDI is for on-premises AD. Option D is wrong because cloud discovery is for shadow IT.

1357 · Multi-Select · medium

Which THREE components can be used in Microsoft Sentinel to automate incident response?

Select 3 answers
A. Automation rules
B. Triggers
C. Playbooks
D. Watchlists
E. Analytics rules
Answers: A, B, C

Automation rules define conditions and actions for incident response.

Why this answer

Correct answers are A, B, and C. Automation rules, triggers, and playbooks are part of Microsoft Sentinel's automation capabilities. Analytics rules generate incidents but do not automate response. Watchlists are for enrichment, not automation.

1358 · MCQ · easy

A security analyst is reviewing a threat hunting query in Microsoft Sentinel that uses the Kusto Query Language (KQL) to identify potential lateral movement. The query returns a large number of false positives. What is the most effective way to reduce false positives while maintaining detection coverage?

A. Increase the threshold for the anomaly score in the query.
B. Add allowlist conditions to exclude known administrative tools.
C. Reduce the time range of the query to the last 1 hour.
D. Replace the query with a different data source that has less noise.
Answer: B

Allowlisting known safe tools reduces false positives while keeping the detection logic intact.

Why this answer

Option B is correct because adding allowlist conditions, such as excluding known administrative tools or approved remote management traffic, directly reduces false positives without removing the core logic. Option A is wrong because increasing the threshold may also miss true positives. Option C is wrong because reducing the time range may miss true positives. Option D is wrong because the question asks to maintain detection coverage, and using a less sensitive data source would reduce coverage.

1359 · MCQ · medium

A SOC team wants to automatically categorize incidents in Microsoft Sentinel with MITRE ATT&CK tactics (e.g., 'Initial Access', 'Execution') when an analytics rule triggers. How can they achieve this?

A. Use the incident details custom fields
B. Map MITRE ATT&CK tactics in the analytics rule
C. Use an automation rule to set tactics
D. Use a playbook to update the incident
Answer: B

Correct: The analytics rule configuration includes an option to select MITRE ATT&CK tactics, which are then applied to generated incidents.

Why this answer

Option B is correct because Microsoft Sentinel analytics rules include a dedicated 'MITRE ATT&CK' configuration section where you can map specific tactics (e.g., Initial Access, Execution) to the rule. When the rule triggers and generates an incident, Sentinel automatically populates the incident's MITRE ATT&CK tactics field based on this mapping, enabling automated categorization without additional configuration.

Exam trap

Microsoft often tests the distinction between native analytics rule configuration (which directly sets MITRE ATT&CK tactics) versus post-processing methods like automation rules or playbooks, leading candidates to overcomplicate the solution when the simplest, built-in option is correct.

How to eliminate wrong answers

Option A is wrong because incident details custom fields are user-defined fields for storing arbitrary data, not a mechanism to automatically set MITRE ATT&CK tactics from an analytics rule trigger. Option C is wrong because automation rules can modify incident properties (e.g., severity, status) but cannot directly set MITRE ATT&CK tactics; they lack a dedicated action for MITRE ATT&CK fields. Option D is wrong because while a playbook (Azure Logic App) could theoretically update incident tactics via the Microsoft Sentinel API, this is an indirect, complex approach that requires custom code and is not the intended or simplest method—the native analytics rule mapping is the correct design.

1360 · MCQ · easy

During a threat hunting exercise, you need to pivot from a suspicious IP address to find all related alerts and incidents in Microsoft Sentinel. Which feature should you use?

A. Workbook
B. Incidents blade
C. Investigation graph
D. Playbook
Answer: C

Allows pivoting on entities and visualizing relationships.

Why this answer

The investigation graph in Microsoft Sentinel allows visual pivoting and exploration of entities. Option C is correct because it provides a graphical view of connections between entities. Option A is incorrect because workbooks are for dashboards. Option B is incorrect because the incidents blade shows incidents but not entity relationships. Option D is incorrect because playbooks automate responses.

1361 · MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert for a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately block the user from accessing the app. Which action should the analyst take?

A. Suspend the user account in Microsoft Entra ID.
B. Add the IP address to the blocked IP list in Defender for Cloud Apps.
C. Create a new access policy in Defender for Cloud Apps to block the user.
D. Revoke the user's session tokens in Microsoft Entra ID.
Answer: A

Suspending the user immediately blocks all access, including the sanctioned app.

Why this answer

Option A is correct because suspending the user in Microsoft Entra ID is the fastest way to block access across all apps. Option B is wrong because blocking the IP may affect other users. Option C is wrong because creating a block policy takes time. Option D is wrong because revoking session tokens may not prevent new sign-ins immediately.

1362 · MCQ · easy

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). Which of the following connectors should you use to collect sign-in logs and audit logs?

A. Microsoft Defender for Cloud connector.
B. Office 365 connector.
C. Azure Activity connector.
D. Microsoft Entra ID connector.
Answer: D

This connector collects sign-in logs, audit logs, and provisioning logs.

Why this answer

The Microsoft Entra ID connector provides sign-in logs and audit logs directly to Sentinel, so Option D is correct. Option A is wrong because Microsoft Defender for Cloud is for security alerts. Option B is wrong because the Office 365 connector is for Exchange, SharePoint, etc. Option C is wrong because the Azure Activity connector is for Azure resource logs.

1363 · MCQ · medium

You are responding to an incident where a malicious PowerShell script was executed on multiple endpoints. You need to collect the script content from the affected devices for analysis. What should you use?

A. Microsoft Defender for Cloud Apps activity logs
B. Microsoft Defender for Endpoint live response
C. Microsoft Purview eDiscovery
D. Azure Automation runbook
Answer: B

Live response allows file collection and script execution.

Why this answer

Option B is correct because Microsoft Defender for Endpoint live response allows you to remotely collect files from devices. Option A is wrong because Microsoft Defender for Cloud Apps is for cloud apps. Option C is wrong because Microsoft Purview eDiscovery is for legal discovery. Option D is wrong because Azure Automation runbooks are for orchestration.

1364 · MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. A critical server in Azure was compromised by ransomware. The incident response team needs to ensure that no other resources in the same resource group are affected. What is the most immediate containment action?

A. Delete the virtual machine immediately to stop the ransomware.
B. Disable the public IP address and apply an NSG rule to block all inbound/outbound traffic to the server's subnet.
C. Change the local administrator password on the VM.
D. Move the VM to a different virtual network and subnet.
Answer: B

This network isolation prevents lateral movement while preserving the VM for forensic analysis.

Why this answer

Option B is correct because disabling the public IP and applying a network security group (NSG) block isolates the server while preserving the disk. Option A is wrong because deleting the VM destroys evidence. Option C is wrong because changing the administrator password does not stop ransomware from running. Option D is wrong because moving the VM to a different subnet does not prevent lateral movement from the original IP.

1365 · MCQ · medium

An analyst wants to enable the Defender for Containers plan in Microsoft Defender for Cloud to protect an Azure Kubernetes Service (AKS) cluster. Arrange the steps in the correct order.

A. 1. Enable Microsoft Defender for Cloud on the subscription (if not already enabled). → 2. Go to Microsoft Defender for Cloud > Environment settings > Select the subscription. → 3. In the 'Defender plans' blade, toggle 'Containers' to On. → 4. (Optional) Install the Defender profile on the AKS cluster via recommendations or manually. → 5. Verify that container threat detection alerts appear in Defender for Cloud.
B. Verify results before configuring the source or rule settings.
C. Configure alert grouping before defining the detection query or source.
D. Skip validation and enable the rule or plan immediately.
Answer: A

This order follows the required configuration sequence and verifies the result last.

Why this answer

Option A is correct because it follows the logical sequence for enabling Defender for Containers: first ensure Defender for Cloud is enabled at the subscription level, then navigate to Environment settings, toggle the Containers plan on, optionally install the Defender profile on the AKS cluster (via the 'Azure Policy add-on for AKS' recommendation or manual helm chart), and finally verify threat detection alerts appear. This order ensures the plan is active before profile installation and validation.

Exam trap

The trap here is that candidates might think toggling the Containers plan On is sufficient without installing the Defender profile on the AKS cluster, but Microsoft explicitly recommends the profile for runtime threat detection, and the exam expects you to include that optional step in the correct order.

How to eliminate wrong answers

Option B is wrong because it suggests verifying results before configuring the source or rule settings, which is nonsensical in this context—you cannot verify alerts before enabling the plan and installing the profile. Option C is wrong because it mentions configuring alert grouping before defining the detection query or source, but Defender for Containers does not require custom alert grouping or queries; it uses built-in threat detection rules. Option D is wrong because it advises skipping validation and enabling the plan immediately, which ignores the optional but critical step of installing the Defender profile on the AKS cluster to ensure agent-based threat detection works.

1366 · Multi-Select · hard

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Select three.)

Select 3 answers
A. Configuring Syslog using Azure Monitor Agent (AMA)
B. Using the Microsoft Sentinel API to push custom logs
C. Connecting to Azure DevOps directly
D. Importing from Power BI datasets
E. Using a built-in data connector for Microsoft Entra ID
Answers: A, B, E

Syslog is supported via AMA.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) can collect Syslog events from Linux-based sources and forward them to a Log Analytics workspace, which is the underlying data store for Microsoft Sentinel. By configuring a Data Collection Rule (DCR) that specifies the Syslog facility and severity levels, AMA streams these logs into the Syslog table in the workspace, making them available for detection and analysis within Sentinel.

Exam trap

The trap here is that candidates may assume any Microsoft service (like Azure DevOps or Power BI) can be directly connected via a built-in connector, but Sentinel only provides connectors for services that generate security-relevant logs, not for project management or BI analytics tools.

1367 · MCQ · medium

A Defender for Cloud alert repeatedly fires for a known test VM used by the security team. The alert type is valid, but it should not create noise for that VM. What should the analyst configure?

A. Create an alert suppression rule scoped to the test VM and alert type.
B. Disable Defender for Servers for the entire subscription.
C. Change the VM name.
D. Delete the recommendation from secure score.
Answer: A

This suppresses known benign noise without disabling protection globally.

Why this answer

Option A is correct because an alert suppression rule in Microsoft Defender for Cloud allows you to define a scope (e.g., a specific VM) and a condition (e.g., a specific alert type) to automatically dismiss alerts that are valid but not actionable for that resource. This reduces noise without affecting detection coverage for other resources. The rule is configured at the subscription or resource group level and applies only to matching alerts.

Exam trap

The trap here is that candidates may confuse alert suppression (which dismisses alerts without affecting detection) with disabling a security plan or modifying secure score, leading them to choose overly broad or irrelevant actions like disabling Defender for Servers or deleting recommendations.

How to eliminate wrong answers

Option B is wrong because disabling Defender for Servers for the entire subscription would remove all threat detection and security monitoring from every VM, not just the test VM, which is an extreme and unnecessary measure. Option C is wrong because changing the VM name does not affect the alert logic; Defender for Cloud identifies VMs by resource ID, not name, so the alert would still fire for the same resource. Option D is wrong because deleting a recommendation from secure score only removes it from the score calculation; it does not suppress alerts, and alerts are independent of secure score recommendations.

1368 · MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that incidents created in Microsoft Defender XDR are automatically synchronized to Microsoft Sentinel with the least administrative effort. What should you configure?

A. Create a Logic App that uses the Microsoft Defender XDR API to fetch incidents and push them to Microsoft Sentinel.
B. Use the Microsoft Sentinel API to pull incidents from Microsoft Defender XDR.
C. Enable raw data ingestion from Microsoft Defender for Endpoint to Microsoft Sentinel.
D. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel.
Answer: D

This connector automatically ingests incidents and alerts from Defender XDR.

Why this answer

The Microsoft Defender XDR connector in Microsoft Sentinel automatically streams incidents and alerts from Defender XDR into Sentinel. Option D is correct because it enables bidirectional synchronization out of the box. Option A is wrong because Logic Apps would require custom workflows and more effort. Option B is wrong because the API is for custom integration, not automated synchronization. Option C is wrong because enabling raw data ingestion does not synchronize incidents.

1369 · Multi-Select · hard

Which TWO actions are valid for automation rules in Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Change the severity of an incident.
B. Delete an incident.
C. Run a playbook.
D. Add tags to an incident.
E. Modify an existing analytics rule.
Answers: A, C

Automation rules can change incident severity.

Why this answer

Options A and C are correct because automation rules can change incident severity and run playbooks. Option B is incorrect because automation rules do not delete incidents. Option D is incorrect because automation rules do not add tags directly (tags can be added via playbooks). Option E is incorrect because automation rules do not modify analytics rules.

1370 · MCQ · medium

Your organization uses Microsoft Defender XDR. You want to ensure that all incidents with severity 'High' are automatically assigned to the 'Tier1' group and have a playbook executed. What should you use?

A. Microsoft Defender XDR incident assignment manually by analysts
B. Custom analytics rules in Microsoft Sentinel
C. Automation rules in Microsoft Sentinel
D. Playbooks in Microsoft Sentinel
Answer: C

Can trigger on incident creation and perform actions like assignment and playbook execution.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to a specific group (e.g., 'Tier1') and trigger a playbook based on incident properties such as severity. This directly meets the requirement to assign 'High' severity incidents to the 'Tier1' group and execute a playbook without manual intervention.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking playbooks alone can handle assignment and triggering, but playbooks are just the action component and require an automation rule to define the trigger and assignment logic.

How to eliminate wrong answers

Option A is wrong because manual assignment by analysts does not automate the process; it requires human action for each incident, which contradicts the requirement for automatic assignment. Option B is wrong because custom analytics rules in Microsoft Sentinel are used to generate alerts from raw data, not to manage incident assignment or trigger playbooks after an incident is created. Option D is wrong because playbooks in Microsoft Sentinel are automated response workflows that can be triggered by automation rules, but they cannot by themselves assign incidents to groups or set conditions for execution; they require an automation rule to define the trigger and assignment logic.

1371 · MCQ · easy

You are threat hunting for credential dumping activity. Which Windows event ID is commonly associated with the use of tools like Mimikatz?

A. 4624 (Successful Logon)
B. 4768 (Kerberos Authentication Ticket Request)
C. 4688 (Process Creation)
D. 4672 (Special Logon)
Answer: C

Process creation events can show when Mimikatz or similar tools are launched.

Why this answer

Option C is correct because Windows Event ID 4688 (Process Creation) logs every new process spawned on the system, including the execution of tools like Mimikatz. When Mimikatz runs, it creates a process (e.g., mimikatz.exe), and the 4688 event captures the command line, parent process, and user context, which are critical for detecting credential dumping activity.

Exam trap

Microsoft often tests the misconception that credential dumping is tied to authentication events (like 4624 or 4768), but the key indicator is the process creation event (4688) that captures the execution of the dumping tool itself.

How to eliminate wrong answers

Option A is wrong because Event ID 4624 (Successful Logon) records authentication events, not the execution of a process like Mimikatz; credential dumping occurs after logon, not during it. Option B is wrong because Event ID 4768 (Kerberos Authentication Ticket Request) tracks TGT requests to a domain controller, which is unrelated to local credential dumping via Mimikatz. Option D is wrong because Event ID 4672 (Special Logon) logs when a user is granted special privileges (e.g., SeTcbPrivilege), but it does not directly indicate process creation or execution of a credential dumping tool.

1372 · MCQ · easy

A threat hunter wants to use Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should the analyst investigate?

A. Failed logon attempts
B. File download from SharePoint
C. Mailbox forwarding rule created
D. OAuth app granting permissions
Answer: D

Granting OAuth permissions can be abused for data access.

Why this answer

Option D is correct because granting OAuth permissions is a key indicator of potential abuse. Option A is wrong because logon failures are authentication events. Option B is wrong because file downloads are not directly related to OAuth permissions. Option C is wrong because mailbox forwarding is an email rule, not OAuth.

1373 · MCQ · medium

During a threat hunt in Microsoft Sentinel, you find a series of suspicious sign-ins to Microsoft Entra ID from an IP address known to be associated with a threat actor. Which entity should you pivot on to investigate further?

A. IP address
B. User account
C. Application
D. Device
Answer: A

IP address connects multiple sign-ins and is associated with the threat actor.

Why this answer

The IP address is the key entity linking the sign-ins, so Option A is correct. Option B is incorrect because the user is a target, not the pivot. Option C is incorrect because the application is secondary. Option D is incorrect because the device may be compromised but is not the initial pivot.

1374 · MCQ · hard

You are creating a custom hunting query in Microsoft Sentinel for PowerShell Empire indicators. After deploying, the query never returns results, even though you know Empire activity exists in the environment. What is the most likely cause?

A. The query should use 'and' instead of 'or'
B. The required data connector should be 'MicrosoftThreatProtection'
C. The query logic is flawed; it should group the conditions with parentheses
D. The 'contains' operator should be 'startswith'
Answer: C

Without parentheses, the 'or' applies to the whole condition, including FileName, so it matches any process with WebClient.

Why this answer

The query uses 'or' incorrectly: the condition ProcessCommandLine contains 'System.Net.WebClient' is evaluated separately from the FileName condition, so it matches any process whose command line contains WebClient, not just PowerShell. Option A is wrong because 'and' would make the query too restrictive. Option B is wrong because the connector is fine. Option D is wrong because 'contains' is correct for a substring match. The correct answer is C: the logical operator precedence is wrong.

1375 · MCQ · hard

During an incident response, a security engineer needs to block an attacker's IP address at the network level for all devices in the organization. The organization uses Microsoft Defender for Endpoint and Microsoft Intune for device management. What is the most efficient way to achieve this?

A. Add the IP address to a blocklist in Microsoft Sentinel
B. Create a device configuration policy in Microsoft Intune to block the IP
C. Configure Azure Firewall to block the IP
D. Create a custom indicator (IOC) for the IP address in Microsoft Defender for Endpoint
Answer: D

Custom indicators block IPs across all Defender for Endpoint devices.

Why this answer

Option D is correct because a custom indicator in Defender for Endpoint blocks the IP across all onboarded devices. Option A is wrong because blocking in Microsoft Sentinel only affects log ingestion, not network traffic. Option B is wrong because Intune policies are for configuration, not real-time blocking. Option C is wrong because Azure Firewall would need to be in the network path and is a separate product.

1376 · Multi-Select · medium

Which THREE components are part of Microsoft Sentinel's SOAR capabilities? (Choose three.)

Select 3 answers
A. Workbooks
B. Incident management
C. Watchlists
D. Automation rules
E. Playbooks
Answers: B, D, E

Incident management is part of SOAR workflows.

Why this answer

Options B, D, and E are correct because they are core SOAR components. Option A is incorrect because workbooks are for visualization, not automation. Option C is incorrect because watchlists are for enrichment, not automation.

1377 · MCQ · medium

Your company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You have deployed Microsoft Sentinel and configured the Microsoft Entra ID connector to collect sign-in logs and audit logs. The SOC team wants to be alerted when a user account is created in Entra ID, as this could indicate a malicious insider. You create a scheduled analytics rule that queries the AuditLogs table for 'Add user' activity. The rule runs every hour and looks back 1 hour. After a week, the rule has generated zero incidents. You know that new users are being created regularly. You test the query manually in Log Analytics and get results for the last hour. What is the most likely cause?

A. The Microsoft Entra ID connector is not enabled.
B. The analytics rule is disabled.
C. The analytics rule's query uses a different time filter than the manual query, such as using 'ago(1h)' but the rule's lookback is set to '5 minutes' in the rule settings.
D. The AuditLogs table is not available in the workspace.
Answer: C

The rule's query might have a time filter that doesn't align with the rule's schedule, causing the rule to look at a different time window.

Why this answer

Option C is correct because the query works in Log Analytics but not in the analytics rule, which may be due to the rule's query not including the same time range or having an incorrect time filter. Option A is wrong because the connector is working. Option B is wrong because the rule is enabled. Option D is wrong because audit logs are being collected.

1378 · Multi-Select · hard

You are investigating a potential data exfiltration incident in Microsoft Purview. A user has been downloading large amounts of data from a SharePoint site to an unmanaged device. Which TWO actions should you take to contain the exfiltration? (Choose two.)

Select 2 answers
A. Remove the user's permissions to the SharePoint site.
B. Apply a sensitivity label to the SharePoint site to restrict access.
C. Create a data loss prevention (DLP) policy to block downloads from unmanaged devices.
D. Disable the user's device in Microsoft Intune.
E. Create a retention policy for the SharePoint site.
Answers: A, C

Removing permissions immediately stops the user from accessing data.

Why this answer

Options A and C are correct. Removing the user's access to the site stops immediate access, and blocking downloads from unmanaged devices using Conditional Access or DLP policies prevents further exfiltration.

Option B is wrong because a sensitivity label may not apply retroactively. Option D is wrong because disabling the device may not stop the user from accessing data from another device. Option E is wrong because a retention policy is for data preservation, not containment.

1379 · MCQ · hard

Your security team uses Microsoft Sentinel UEBA to detect anomalous user behavior. You need to configure UEBA to baseline user activities and generate alerts for deviations. What must you do first?

A. Create an Azure Machine Learning workspace for anomaly detection.
B. Enable UEBA in the Sentinel Settings blade and select relevant data sources.
C. Assign Microsoft 365 E5 licenses to all users.
D. Deploy a custom data connector for HR systems.
Answer: B

This is the prerequisite for UEBA to baseline and detect anomalies.

Why this answer

Option B is correct because Microsoft Sentinel UEBA requires explicit enablement in the Sentinel Settings blade under the 'Entity behavior analytics' section. Once enabled, you must select the relevant data sources (e.g., Azure Active Directory sign-in logs, Office 365 audit logs, Windows Security Events) so that Sentinel can baseline normal user behavior patterns and generate alerts for anomalous deviations. Without this initial configuration, UEBA cannot process any data or produce behavioral analytics.

Exam trap

The trap here is that candidates often assume UEBA is automatically enabled or that it requires external ML services (like Azure Machine Learning) or premium licenses (like M365 E5), when in fact the first step is simply toggling the feature on and selecting data sources within Sentinel's own settings.

How to eliminate wrong answers

Option A is wrong because an Azure Machine Learning workspace is not required for Sentinel UEBA; UEBA uses built-in machine learning models within Sentinel itself, not an external ML workspace. Option C is wrong because Microsoft 365 E5 licenses are not a prerequisite for UEBA; Sentinel UEBA works with any license that provides the necessary data sources (e.g., Azure AD P1/P2, Office 365 E3/E5) and does not mandate E5 for all users. Option D is wrong because deploying a custom data connector for HR systems is an optional enhancement for enriching entity data (e.g., employee role, manager), but it is not the first step; UEBA must be enabled and data sources selected before any custom connectors can contribute to baselining.

1380
Multi-Selecteasy

Which TWO are legitimate sources of threat intelligence that can be ingested into Microsoft Sentinel?

Select 2 answers
A.STIX/TAXII threat intelligence feeds
B.Microsoft Defender Threat Intelligence
C.Exchange Online Protection
D.Microsoft Intune
E.Microsoft Purview Compliance Manager
AnswersA, B

Sentinel supports ingesting TI from STIX/TAXII servers.

Why this answer

A is correct because STIX and TAXII are open standards for sharing cyber threat intelligence (CTI). Microsoft Sentinel can ingest threat indicators from any TAXII 2.0 or 2.1 server using the built-in Threat Intelligence - TAXII data connector, allowing organizations to consume structured threat feeds (e.g., from MITRE ATT&CK or third-party providers) directly into Sentinel for correlation and alerting.

Exam trap

The trap here is that candidates confuse security management tools (like EOP, Intune, or Compliance Manager) with actual threat intelligence sources, assuming any Microsoft security product can be a threat feed, whereas only dedicated CTI platforms or feeds (STIX/TAXII, Microsoft Defender Threat Intelligence) provide structured indicator ingestion.

1381
MCQmedium

Refer to the exhibit. You have created a scheduled analytics rule in Microsoft Sentinel as shown. The rule is not generating any incidents, even though you know Copilot for Microsoft 365 is accessing sensitive files. What is the most likely cause?

A.The triggerThreshold is too high
B.The table being queried does not contain Copilot events
C.The severity is set to Medium, which suppresses incidents
D.The queryFrequency is too short
AnswerB

Copilot events are in CloudAppEvents.

Why this answer

The rule queries the 'SensitivityLabelEvents' table, which tracks sensitivity label changes but does not contain Copilot for Microsoft 365 events. Copilot events are stored in the 'MicrosoftCopilotAudit' table (or 'CloudAppEvents' with specific filters). Since the query targets the wrong table, no matching records are returned, and no incidents are generated.

Exam trap

The trap here is that candidates assume any table related to sensitivity labels will contain all Copilot events, but Microsoft separates Copilot-specific audit logs into a dedicated table, and the exam tests awareness of this schema distinction.

How to eliminate wrong answers

Option A is wrong because the triggerThreshold of 1 is the minimum value; a higher threshold would reduce incidents, but here the issue is zero incidents, not too few. Option C is wrong because severity settings (Medium, High, etc.) do not suppress incident creation; they only affect the incident's priority in the queue. Option D is wrong because a queryFrequency of 5 hours is reasonable for detecting patterns; making it shorter would increase run frequency but would not fix the root cause of querying the wrong table.

1382
MCQhard

An analyst is reviewing a series of alerts in Microsoft Defender XDR indicating potential lateral movement. Which KQL query in Microsoft Sentinel would best identify anomalous RDP connections to servers not typically accessed remotely?

A.DeviceProcessEvents | where ProcessCommandLine contains '3389'
B.DeviceRegistryEvents | where RegistryKey contains 'Remote Desktop'
C.DeviceNetworkEvents | where RemotePort == 3389 | summarize dcount(DestinationIP) by DeviceName | where dcount_DestinationIP > 5
D.DeviceLogonEvents | where LogonType == '10' | summarize dcount(DeviceName) by AccountName
AnswerC

DeviceNetworkEvents captures network connections; filtering by RDP port and counting distinct destinations helps detect lateral movement.

Why this answer

Option C is correct because the `DeviceNetworkEvents` table in Microsoft Defender XDR logs network connections, and filtering for RDP port 3389 with a count of distinct destination IPs over a threshold helps identify unusual RDP patterns. Option A is wrong because `DeviceProcessEvents` logs process creation, not network connections. Option D is wrong because `DeviceLogonEvents` logs authentication events, not network connections.

Option B is wrong because `DeviceRegistryEvents` logs registry changes.

1383
MCQhard

You are a threat hunter at Northwind Traders. The organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You suspect a golden ticket attack may have occurred in the domain. You need to create a hunting query in Microsoft Sentinel that leverages data from MDI to detect possible golden ticket usage. Which of the following queries or approaches is most appropriate?

A.Query DeviceProcessEvents for processes related to Kerberos
B.Query SecurityAlert where AlertName contains 'Golden Ticket' or 'Suspicious Kerberos'
C.Query CommonSecurityLog for unusual DNS queries related to Kerberos
D.Query IdentityLogonEvents for failed Kerberos authentication
AnswerB

MDI generates alerts for golden ticket activity, stored in SecurityAlert.

Why this answer

Option B is correct because golden ticket attacks often involve anomalous Kerberos service ticket requests that are not preceded by an authentication request. MDI generates alerts for such anomalies, which are stored in the SecurityAlert table. Option A is incorrect because DeviceProcessEvents is for endpoints, not authentication servers.

Option D is incorrect because IdentityLogonEvents may contain logon events but not specifically golden ticket indicators. Option C is incorrect because CommonSecurityLog is for network devices.

1384
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You have a custom analytics rule that triggers on a Defender for Endpoint alert. When the rule triggers, a playbook is executed that creates an incident in Microsoft Sentinel and sends a message to a Teams channel. The playbook fails to execute. Which permission should you verify first?

A.The Teams channel has the appropriate permissions for incoming webhooks
B.The analyst has Microsoft Sentinel Reader role
C.The user has Microsoft Entra ID Global Administrator role
D.The automation rule has the correct managed identity or connection permissions
AnswerD

Automation rules use managed identities or connections to run playbooks; misconfiguration causes failure.

Why this answer

Option D is correct because playbooks require an automation rule with appropriate permissions to run. Option A is wrong because Teams channel permissions are for posting messages, not for playbook execution. Option B is wrong because the Microsoft Sentinel Reader role is for viewing incidents, not executing playbooks.

Option C is wrong because Microsoft Entra ID admin rights are not required for playbook execution.

1385
MCQhard

Your organization has deployed Microsoft Sentinel and uses the Microsoft 365 connector to ingest audit logs. You receive an alert from Microsoft Defender for Office 365 about a phishing email that was delivered to a user's inbox. You need to create an incident in Sentinel and automatically quarantine the email. What is the most efficient way to achieve this?

A.Use Microsoft Defender for Cloud Apps to investigate the alert and manually quarantine the email
B.Create a custom analytics rule that triggers when an alert is generated, and configure the rule to run a playbook that quarantines the email
C.Create an automation rule in Microsoft Sentinel that is triggered when this specific alert is generated, and associate a playbook that uses the Microsoft 365 Defender connector to quarantine the email
D.Manually create an incident in Microsoft Sentinel and then run a playbook to quarantine the email
AnswerC

This automates the response.

Why this answer

The correct answer is C because Microsoft Sentinel can trigger an automation rule that runs a playbook to quarantine the email using Microsoft 365 Defender actions. Option A is wrong because the old Threat Explorer portal is not integrated with Sentinel. Option B is wrong because manual quarantine is not automatic.

Option D is wrong because it suggests manual creation.

1386
MCQhard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a device is identified as compromised by Defender for Endpoint, an incident is automatically created in Sentinel with high severity. What should you configure?

A.Configure the Defender XDR connector to create incidents
B.Write an analytics rule that queries Defender for Endpoint data
C.Create a playbook to create an incident from the alert
D.Create an automation rule that triggers when an incident is created and set severity to High
AnswerD

Automation rules can modify incident properties after creation.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can be configured to run when an incident is created, and they can set the severity of the incident to High. In this scenario, when Defender for Endpoint identifies a compromised device, the Defender XDR connector creates an incident in Sentinel. The automation rule then immediately elevates the severity to High, meeting the requirement without additional manual steps or complex logic.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, thinking that a playbook is required to modify incident properties, when in fact automation rules can directly change severity without invoking a playbook.

How to eliminate wrong answers

Option A is wrong because configuring the Defender XDR connector to create incidents is already the default behavior that generates the incident, but it does not automatically set the severity to High; severity is inherited from the source alert. Option B is wrong because writing an analytics rule that queries Defender for Endpoint data would create a separate scheduled query rule, which is redundant and less efficient than using the existing incident creation from the connector, and it does not directly set severity on the connector-generated incident. Option C is wrong because creating a playbook to create an incident from the alert adds unnecessary complexity and latency; playbooks are better suited for response actions, while automation rules are the native, lightweight method to modify incident properties like severity.

1387
Multi-Selecthard

Which THREE of the following are valid methods to archive logs in Microsoft Sentinel to reduce costs?

Select 3 answers
A.Configure continuous export to Azure Data Lake Storage Gen2
B.Set the workspace to free tier
C.Enable Basic Logs ingestion for all tables
D.Use a Logic App to export logs to Azure Storage
E.Change the table's retention period to include archival
AnswersA, D, E

Continuous export is a feature for long-term retention.

Why this answer

Option A is correct because Microsoft Sentinel supports continuous export of logs to Azure Data Lake Storage Gen2, which allows you to retain raw log data at lower storage costs while still being able to query it using Azure Synapse or other analytics tools. This method reduces the cost of high-volume log retention in Sentinel's native workspace by moving data to a cheaper long-term storage tier.

Exam trap

The trap here is that candidates often confuse 'Basic Logs' (which reduce ingestion cost but not storage cost) with archival methods, or mistakenly think the free tier can be manually selected for cost savings, when in fact it is a temporary promotional offering.

1388
MCQhard

You are designing a Microsoft Sentinel deployment for a multinational organization that must comply with GDPR and local data residency requirements. They have offices in the US, EU, and Asia. They want to use a single Microsoft Sentinel workspace for global visibility but need to ensure that data from EU sources remains within the EU. What is the best approach to meet these requirements?

A.Deploy a single Microsoft Sentinel workspace in the US and use Azure Policy to restrict data ingestion from EU sources.
B.Deploy separate Microsoft Sentinel workspaces in the US, EU, and Asia, and use cross-workspace queries and Azure Lighthouse to manage them centrally.
C.Deploy a single workspace in the EU and enable UEBA to analyze all data.
D.Use Azure Lighthouse to project a single workspace into multiple regions, which automatically separates data storage.
AnswerB

Separate workspaces ensure data residency; cross-workspace queries provide a unified view.

Why this answer

Option B is correct because using separate workspaces per region ensures data residency, and cross-workspace queries provide a unified view. Option A is wrong because a single workspace cannot guarantee data residency for EU data. Option C is wrong because enabling UEBA does not control data residency.

Option D is wrong because Azure Lighthouse does not separate data storage.

1389
Multi-Selectmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents are reviewed within 24 hours. Which TWO actions should you take?

Select 2 answers
A.Create an automation rule that runs 24 hours after incident creation and escalates if status is not 'In progress'.
B.Create a playbook that runs every hour and checks incident age.
C.Configure Microsoft Defender XDR to automatically reassign incidents after 24 hours.
D.Create a workbook that displays incidents older than 24 hours and alerts the SOC manager.
E.Modify the analytics rule to automatically close incidents after 24 hours.
AnswersA, D

Correct: Automation rules can use conditions based on time.

Why this answer

Options A and D are correct. Automation rules can escalate if not reviewed, and workbooks can track SLA. Option E is wrong because analytics rules don't handle SLA.

Option B is wrong because playbooks don't trigger on time. Option C is wrong because Microsoft Defender XDR doesn't manage Sentinel SLA.

1390
MCQmedium

You are investigating a series of failed logon attempts across multiple on-premises servers. You want to use Microsoft Sentinel to hunt for patterns of brute-force attacks. Which data source should you ingest to capture detailed authentication events from domain controllers?

A.Syslog from domain controllers
B.Windows Security Events via Windows Event Forwarding
C.Azure Activity Log
D.Microsoft 365 Defender events
AnswerB

Windows Security Events from domain controllers provide Event IDs like 4625 for failed logons, essential for brute-force hunting.

Why this answer

Option B is correct because Windows Security Events from domain controllers include Event ID 4625 (failed logon), which is necessary for brute-force hunting. Option C is wrong because Azure Activity Log does not include on-premises authentication. Option D is wrong because Microsoft 365 Defender events focus on cloud identities.

Option A is wrong because Syslog typically contains network device logs, not Windows authentication.

1391
MCQeasy

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that detects when a user is added to a privileged Microsoft Entra ID role (e.g., Global Administrator). Which data table is essential for the query?

A.AuditLogs
B.SigninLogs
C.SecurityEvent
D.CommonSecurityLog
AnswerA

Correct. The AuditLogs table in Microsoft Sentinel (via Microsoft Entra ID connector) contains directory audit events, including changes to privileged role memberships.

Why this answer

The AuditLogs table in Microsoft Sentinel captures all directory-level audit activities, including modifications to Microsoft Entra ID (formerly Azure AD) role assignments. When a user is added to a privileged role like Global Administrator, the event is logged as an 'Add member to role' activity in the AuditLogs table. This makes AuditLogs the essential data source for detecting such privileged role changes.

Exam trap

Microsoft often tests the distinction between sign-in logs (SigninLogs) and audit logs (AuditLogs), trapping candidates who confuse authentication events with directory configuration changes.

How to eliminate wrong answers

Option B (SigninLogs) is wrong because it records user authentication events (sign-ins), not directory configuration changes like role assignments. Option C (SecurityEvent) is wrong because it contains Windows security events from on-premises or Azure VMs, not Microsoft Entra ID role activities. Option D (CommonSecurityLog) is wrong because it aggregates syslog-style logs from third-party security appliances (e.g., firewalls, IDS/IPS), not Microsoft Entra ID audit data.

1392
MCQmedium

Your organization uses Microsoft Sentinel with the UEBA (User and Entity Behavior Analytics) feature enabled. A security analyst notices that a user account has been flagged with an anomaly indicating a possible compromised credential. Which entity type in Microsoft Sentinel's UEBA is most relevant for this alert?

A.Device
B.Application
C.IP address
D.User account
AnswerD

UEBA focuses on user behavior.

Why this answer

The correct answer is D because UEBA in Sentinel tracks user accounts as entities. Option A is wrong because devices are not directly related to credential compromise. Option C is wrong because IP addresses are contextual but not the primary entity.

Option B is wrong because applications are not the relevant entity in UEBA for credential compromise.

1393
MCQmedium

You are a security analyst performing threat hunting in Microsoft Sentinel. You suspect an adversary is using living-off-the-land binaries (LOLBins) to execute code. Which KQL function should you use to search for processes spawned by a specific parent process across multiple machines?

A.search
B.find
C.evaluate
D.union
AnswerA

Search can be used to find patterns across tables, and for process ancestry, you can use it in combination with other functions.

Why this answer

Option A is correct because 'search' can scan across tables for a pattern, but for process ancestry queries, joining DeviceProcessEvents with DeviceEvents is common. However, the best approach is to use 'let' to define a lookup and then use 'join'. The question expects knowledge of 'search' as a broad tool.

Option D is wrong because 'union' combines tables, not specifically parent-child relationships. Option B is wrong because 'find' searches across tables but is less efficient. Option C is wrong because 'evaluate' is for plugin execution.

1394
MCQeasy

An incident in Microsoft Defender XDR shows a device with high severity alert: 'Suspicious PowerShell command line.' The device is currently isolated from the network. What is the best next step to investigate the alert?

A.Review the device timeline for related alerts.
B.Run a live response session on the device.
C.Restore network connectivity to allow the device to communicate with the cloud for analysis.
D.Initiate a full antivirus scan on the device.
AnswerB

Live response allows remote investigation and remediation on an isolated device, enabling collection of evidence and running scripts safely.

Why this answer

Running a live response session allows the analyst to remotely investigate the isolated device, collect artifacts, or execute commands without risking lateral movement. Full scan is reactive; reviewing timeline is passive; restoring connectivity prematurely could spread the threat.

1395
Drag & Dropmedium

Arrange the steps to deploy Microsoft Defender for Cloud Apps (formerly MCAS) and connect it to a cloud app.


Why this order

Deploying Cloud App Security involves adding an app connector and authenticating to enable monitoring and control.

1396
MCQmedium

A security analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a user receives more than 5 emails with the same attachment name within 1 hour, indicating a possible malware campaign. Which advanced hunting tables should be joined to achieve this detection?

A.Join EmailEvents and EmailAttachmentInfo on NetworkMessageId
B.Join EmailEvents and EmailUrlInfo on NetworkMessageId
C.Use only EmailAttachmentInfo table with a filter on file name
D.Join EmailEvents and DeviceFileEvents on SHA1 hash
AnswerA

This join allows counting emails per attachment name per user within a time window.

Why this answer

To detect when a user receives more than 5 emails with the same attachment name within 1 hour, you need to correlate email metadata with attachment details. The EmailEvents table contains email-level information (e.g., recipient, timestamp), while the EmailAttachmentInfo table stores attachment-level data (e.g., file name). Joining these on NetworkMessageId allows you to count occurrences of the same attachment name per recipient within a time window, enabling the custom detection rule.

Exam trap

The trap here is that candidates may think they need to join with endpoint file events (DeviceFileEvents) to detect malware, but the question specifically requires detecting the email receipt pattern, not post-delivery execution.

How to eliminate wrong answers

Option B is wrong because EmailUrlInfo contains URL data from emails, not attachment names, so it cannot be used to count attachments by file name. Option C is wrong because using only EmailAttachmentInfo lacks recipient and timestamp fields from EmailEvents, making it impossible to filter by user and time window. Option D is wrong because DeviceFileEvents tracks files on endpoints, not email attachments, and joining on SHA1 hash would require hash values, not file names, and would not capture email-specific metadata like recipient.

1397
Multi-Selecthard

Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender for Endpoint?

Select 2 answers
A.Run a full antivirus scan on the affected devices.
B.Allow the ransomware executable in the firewall.
C.Collect an investigation package from the affected devices.
D.Isolate the affected devices from the network.
E.Initiate a live response session to delete files.
AnswersA, D

Scanning can remove malware.

Why this answer

Options A and D are correct. Isolating affected devices prevents spread, and running antivirus scans cleans the device. Option B is wrong because allowing malicious files is dangerous.

Option C is wrong because collecting an investigation package is for analysis, not immediate response. Option E is wrong because initiating live response might be needed but is not a standard first action.

1398
MCQeasy

A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?

A.Use a Microsoft Sentinel playbook to automatically flag any password reset
B.Write a KQL query that joins SigninLogs with AuditLogs on user principal name and times within a short window
C.Search the SigninLogs table for logins from unusual locations
D.Create a watchlist of known unusual locations and use it in a query against AuditLogs
AnswerB

This correlates the two events to detect the sequence of unusual login followed by password reset.

Why this answer

Option B (KQL query using a join between two tables) is correct because it allows correlating login events from one table with password reset events from another table, combining the two conditions. Option C (single table) cannot correlate two different event types. Option D (watchlist) is for static data, not real-time correlation.

Option A (playbook) is for automated response, not hunting.

1399
MCQhard

During a threat hunt, you discover a previously unknown malware variant that communicates over HTTPS to a command-and-control (C2) server. You want to create a custom detection in Microsoft Sentinel that triggers when any device in the organization resolves the C2 domain via DNS. Which data connector should you ensure is enabled?

A.DNS (Preview) via AMA
B.Azure Activity
C.Office 365 (Preview)
D.Windows Security Events via AMA
AnswerA

The DNS connector ingests DNS query logs for detection.

Why this answer

Option A is correct because the DNS connector in Microsoft Sentinel ingests DNS query logs from Windows DNS servers, which can be used to detect domain resolutions. Option D is wrong because the Windows Security Events connector focuses on security events like logons. Option B is wrong because the Azure Activity connector logs Azure resource operations, not DNS queries.

Option C is wrong because the Office 365 connector ingests audit logs, not DNS.

1400
Multi-Selectmedium

Your organization uses Microsoft Sentinel. You need to ensure that incident response times are monitored and reported. Which TWO capabilities should you use?

Select 2 answers
A.Playbooks
B.UEBA
C.Automation rules
D.Watchlists
E.Workbooks
AnswersC, E

Automation rules can record timestamps on incidents.

Why this answer

Sentinel workbooks can visualize response times, and automation rules can track timestamps. Options C and E are correct. Option A (playbooks) can perform actions but not directly monitor times.

Option D (watchlists) is for reference data. Option B (UEBA) is for behavioral analytics.

1401
MCQmedium

A SOC analyst has created a custom scheduled analytics rule in Microsoft Sentinel that runs every hour and generates an incident when a certain pattern is detected. The analyst notices that the same set of events is causing a new incident every hour, leading to duplicates. What should the analyst configure to prevent duplicate incident generation from the same events?

A.Set the alert suppression setting in the analytics rule
B.Use an automation rule to close duplicates
C.Modify the query to use the 'summarize' operator
D.Change the query to use the 'take' operator
AnswerA

Correct: Alert suppression prevents duplicate alerts from the same events within a specified period.

Why this answer

Option A is correct because the alert suppression setting in a Microsoft Sentinel scheduled analytics rule allows you to configure a time window during which duplicate alerts from the same events are suppressed. When enabled, Sentinel will not generate a new incident from the same set of events until the suppression window expires, preventing the hourly duplication the analyst observed.

Exam trap

The trap here is that candidates often confuse alert suppression (preventing duplicate alerts) with incident closing mechanisms (automation rules), leading them to choose Option B instead of the correct suppression setting.

How to eliminate wrong answers

Option B is wrong because automation rules can close incidents after they are created, but they do not prevent the generation of duplicate incidents from the same events; duplicates would still be created and then closed, which is inefficient and does not address the root cause. Option C is wrong because using the 'summarize' operator in the query would aggregate events but would not prevent the same events from being evaluated again in the next hourly run; it could also alter the detection logic and miss patterns. Option D is wrong because the 'take' operator limits the number of rows returned by the query, which would arbitrarily drop events and could cause missed detections, not prevent duplicates from the same events.

1402
MCQhard

During a threat hunt, you discover a suspicious PowerShell command that decoded a base64 string and executed a script. Which Microsoft Defender for Endpoint advanced hunting table should you query to find the decoded command line?

A.IdentityLogonEvents
B.DeviceProcessEvents
C.DeviceNetworkEvents
D.DeviceEvents
AnswerB

DeviceProcessEvents includes the command line in ProcessCommandLine.

Why this answer

DeviceProcessEvents stores process creation events including command lines. DeviceEvents stores raw events but not command lines. DeviceNetworkEvents is for network connections.

IdentityLogonEvents is for logons. The correct table for command lines is DeviceProcessEvents.

1403
Multi-Selectmedium

Which THREE data sources should be included in a threat hunt to detect data exfiltration via DNS tunneling in Microsoft Sentinel?

Select 3 answers
A.Network flow logs (e.g., Azure Network Watcher)
B.Azure Key Vault diagnostic logs
C.DNS server logs (e.g., from Windows DNS Server or Azure DNS)
D.Windows Event Logs (System and DNS Server events)
E.Microsoft 365 audit logs
AnswersA, C, D

Flow logs help correlate DNS query volumes with network traffic.

Why this answer

DNS events (from DNS servers or Azure DNS), network flow logs (to see volume), and Windows Event Logs (if DNS server logs are not directly available) can help detect DNS tunneling. Option B (Azure Key Vault logs) is for secret access. Option E (Microsoft 365 audit logs) is for user activities.

1404
MCQeasy

While hunting for lateral movement, you want to find out which devices have established remote PowerShell sessions to other devices. Which Microsoft Defender for Endpoint advanced hunting table should you query?

A.DeviceProcessEvents
B.DeviceEvents
C.DeviceNetworkEvents
D.DeviceLogonEvents
AnswerC

Contains network connections, including remote management ports.

Why this answer

Option C is correct because DeviceNetworkEvents contains network connections that can indicate remote PowerShell sessions (port 5985/5986). Option A is incorrect because DeviceProcessEvents shows process creation, not network connections. Option B is incorrect because DeviceEvents shows general events.

Option D is incorrect because DeviceLogonEvents shows logon events, not network sessions.

1405
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst receives an alert indicating that a user account was used to sign in from an unfamiliar location. You need to investigate the incident using Microsoft Defender XDR. Which action should you take first?

A.Create an automated playbook to reset the user's password.
B.Review the alert in the Microsoft Defender XDR portal and classify it as a true or false positive.
C.Turn off the user account in Microsoft Entra ID.
D.Reset the user's password immediately to prevent further access.
AnswerB

First step is to classify the incident.

Why this answer

Option B is correct because the first step in incident response is to classify the incident as a true or false positive. Option A is wrong because creating a playbook should be done after confirming the incident is a true positive. Option D is wrong because resetting the password should be a containment action after classification.

Option C is wrong because turning off the user account is a containment action, not the first step.

1406
MCQeasy

Your company is deploying Microsoft Defender for Endpoint. You need to ensure that all devices report their security baseline compliance to Microsoft Intune. Which configuration should you use?

A.Configure a device configuration profile in Microsoft Intune
B.Deploy Windows Update for Business reports
C.Assign a Security Baseline policy in Microsoft Intune to the device groups
D.Enable Microsoft Defender for Cloud Apps session controls
AnswerC

Security Baselines in Intune provide compliance assessment for security configurations.

Why this answer

Option C is correct because an Intune Security Baseline assigned to the device groups defines the expected security configuration and reports each device's compliance with it. Option A is wrong because a generic device configuration profile pushes settings but does not provide baseline compliance reporting. Option D is wrong because Defender for Cloud Apps session controls govern cloud app sessions, not endpoint configuration.

Option B is wrong because Windows Update for Business reports cover update status, not baseline compliance.

1407
MCQmedium

Your organization uses Microsoft Sentinel and has enabled UEBA (User and Entity Behavior Analytics). You notice that the UEBA timeline is not populating for some users. You have verified that the data sources are connected and the UEBA feature is enabled. What could be the issue?

A.There is insufficient data to build baselines for those users; UEBA needs at least 14 days of data.
B.Users must opt in to UEBA tracking.
C.UEBA only works with Azure Active Directory (now Microsoft Entra ID) audit logs.
D.The data sources are not sending logs for those users.
AnswerA

UEBA requires historical data to establish behavioral baselines. If users are new or have sparse logs, timelines may not populate.

Why this answer

Option A is correct because UEBA builds behavioral baselines from historical activity, so a user with little or no history has nothing to compare against and no timeline yet. Option B is wrong because UEBA does not require user opt-in. Option C is wrong because UEBA draws on several sources (Entra ID sign-in and audit logs, Azure Activity, Windows security events), not only audit logs.

Option D is wrong because the scenario states that the data sources are connected and sending data.

1408
MCQeasy

You run the PowerShell command shown in the exhibit to enable diagnostics on an Azure VM. The VM is running Windows Server 2022. You want to collect security events and send them to a Log Analytics workspace. What should you include in the diagnostics.json configuration file?

A.An EtwProvider element with provider GUID for Microsoft-Windows-Security-Auditing.
B.A WindowsEventLog element with ProviderName set to 'Security' and a query of '*'.
C.A Syslog element with facility set to 'auth' and severity set to 'info'.
D.A PerformanceCounter element with a counter for security incidents.
AnswerB

This collects all security events.

Why this answer

Option B is correct because the Azure Diagnostics extension for Windows VMs uses a WindowsEventLog element in the diagnostics.json configuration to specify which Windows Event Log channels to collect. In the extension's own configuration the channel and the filter are written as a single DataSource name, Security!*, where the part after the exclamation mark is an XPath filter and * selects every event; the option paraphrases that, and the result is that all events from the Security log are collected and forwarded to the workspace. Note that for new deployments Microsoft's current guidance is to collect Windows Security events with the Azure Monitor Agent and a data collection rule rather than the legacy diagnostics extension.

Exam trap

The trap here is that candidates confuse ETW providers (EtwProvider) with standard Windows Event Log channels, or mistakenly apply Linux-centric concepts like Syslog to a Windows VM, leading them to choose incorrect options A or C.

How to eliminate wrong answers

Option A is wrong because EtwProvider elements are for collecting raw ETW (Event Tracing for Windows) providers that are not routed to a standard event log channel; the Security channel is collected through the WindowsEventLog element, even though it is ultimately fed by the Microsoft-Windows-Security-Auditing provider. Option C is wrong because Syslog is a Linux logging facility and is not applicable to a Windows Server 2022 VM; the Azure Diagnostics extension for Windows does not support Syslog. Option D is wrong because PerformanceCounter elements collect performance metrics (e.g., CPU, memory), not security events; security incidents are not represented as performance counters.

1409
MCQmedium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. They have several Azure virtual machines running SQL Server. The security team wants to enable advanced threat protection for their Azure SQL databases. What should they do?

A.Enable Microsoft Defender for SQL on the subscription.
B.Enable Microsoft Defender for Servers on the subscription.
C.Enable Microsoft Defender for Database on the subscription.
D.Configure SQL Vulnerability Assessment in the Azure portal for each database.
AnswerA

Defender for SQL is the dedicated plan for protecting Azure SQL databases with threat detection and vulnerability assessment.

Why this answer

Microsoft Defender for SQL (formerly Advanced Threat Protection for Azure SQL) is the specific plan that provides threat detection and vulnerability assessment for SQL workloads. It has two components: Defender for Azure SQL database servers, for the PaaS service, and Defender for SQL servers on machines, which covers SQL Server running on Azure VMs and requires the monitoring agent on the VM; the scenario touches both. Enabling the plan at the subscription level ensures all existing and future SQL resources under that subscription are protected, which is the recommended and most efficient approach.

Exam trap

The trap here is that candidates may confuse 'Microsoft Defender for Servers' with SQL protection, not realizing that SQL-specific threat detection requires the dedicated 'Microsoft Defender for SQL' plan, even when SQL Server is running on Azure VMs.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Servers protects the operating system and workloads of virtual machines, not the SQL databases running on them; it does not include SQL-specific threat detection such as SQL injection or brute-force alerts. Option C is wrong because there is no 'Microsoft Defender for Database' plan; the plan is 'Microsoft Defender for SQL'. Option D is wrong because SQL Vulnerability Assessment finds database misconfigurations; it is bundled with Defender for SQL and does not provide threat detection on its own, and configuring it per database does not enable the plan.

1410
MCQeasy

During an incident response, you need to collect forensic evidence from a compromised Windows device using Microsoft Defender for Endpoint live response. Which command should you use to gather running processes?

A.dir
B.reg query
C.netstat
D.processes
AnswerD

The 'processes' command lists running processes.

Why this answer

Option D is correct because processes is a built-in live response command that lists the running processes on the device. Option C is wrong because netstat is not a live response command; the built-in for active network connections is connections, and a netstat binary would have to be run through a script with run. Option B is wrong because reg query is not a live response command either; the built-in is registry, which reads registry keys and values.

Option A is wrong because dir lists files and directories.

1411
MCQhard

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

A.DeviceProcessEvents
B.DeviceLogonEvents
C.DeviceFileEvents
D.DeviceRegistryEvents
AnswerA

DeviceProcessEvents contains process creation events, which can be joined with network events to identify the process initiating the RDP connection.

Why this answer

The DeviceNetworkEvents table logs network connections, including outbound RDP traffic to port 3389, and every row already carries the process that opened the connection in its InitiatingProcess* columns (InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessCreationTime), so simply naming the process (for example mstsc.exe) needs no join. Joining to DeviceProcessEvents is what gives you the full creation record of that process together with its own parent and grandparent, which is how you tell an interactive mstsc.exe from one launched by a script or a remote shell. Join on DeviceId plus InitiatingProcessId matched to ProcessId and InitiatingProcessCreationTime matched to ProcessCreationTime; Windows reuses PIDs, so matching on PID or Timestamp alone produces false matches.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (which logs RDP logon events) with the process initiation side, but the question asks for the table that identifies the process initiating the outgoing connection, not the authentication event on the target machine.

How to eliminate wrong answers

Option B is wrong because DeviceLogonEvents tracks authentication events (logon sessions), not process-to-network mappings; it cannot identify which process initiated the RDP connection. Option C is wrong because DeviceFileEvents logs file creation, modification, and deletion events, which are unrelated to network connection initiation. Option D is wrong because DeviceRegistryEvents records registry key changes, which have no direct role in identifying the process that started an outgoing RDP session.
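Added example, not part of the exam page: a hunting query over the two tables discussed in 1404 and 1411 that lists outbound RDP and WinRM connections to private addresses together with the creation record of the process that opened them. The 7-day window and the jump-host allow-list are assumptions; the table and column names are the documented DeviceNetworkEvents and DeviceProcessEvents schema.

```kql
// Added example (not from the exam page): outbound connections to remote-management
// ports, enriched with the creation record of the process that opened them.
// The 7-day window and the allow-list below are assumptions for illustration.
let mgmt_ports = dynamic([3389, 5985, 5986]);            // RDP, WinRM HTTP, WinRM HTTPS
let known_admin_hosts = dynamic(["jump01", "jump02"]);   // assumed jump-host allow-list
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType == "ConnectionSuccess"
| where RemotePort in (mgmt_ports)
| where RemoteIPType == "Private"                        // lateral movement stays inside the network
| where DeviceName !in~ (known_admin_hosts)
| project Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort,
          InitiatingProcessId, InitiatingProcessCreationTime,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          InitiatingProcessAccountName
// PIDs are reused, so match on creation time as well as PID.
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | project DeviceId, ProcessId, ProcessCreationTime,
              SpawnedBy = InitiatingProcessFileName,
              SpawnedByCommandLine = InitiatingProcessCommandLine,
              GrandParent = InitiatingProcessParentFileName
  ) on DeviceId,
     $left.InitiatingProcessId == $right.ProcessId,
     $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| extend Protocol = case(RemotePort == 3389, "RDP", "WinRM")
| summarize Connections = count(), Targets = make_set(RemoteIP, 20),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
          by DeviceName, Protocol, InitiatingProcessAccountName,
             InitiatingProcessFileName, InitiatingProcessCommandLine,
             SpawnedBy, SpawnedByCommandLine, GrandParent
| order by Connections desc
```

The join is leftouter on purpose: a process that started before the hunting window has no creation row, and you still want to see its connections. A row where the initiating process is powershell.exe or wsmprovhost.exe, and the grandparent is something other than explorer.exe, is the one to look at first.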

1412
MCQhard

The exhibit shows a KQL query used during incident investigation. The analyst wants to identify devices with an unusually high number of outbound connections to public IPs. The query returns no results, though the analyst suspects there should be some. What is the most likely reason?

A.The timeframe is too short.
B.Data retention for DeviceNetworkEvents is less than 1 day.
C.The field 'RemoteIPType' does not exist in DeviceNetworkEvents.
D.The 'summarize' operator is misused.
AnswerC

Caveat: DeviceNetworkEvents does have a RemoteIPType column (values include Public, Private, Reserved and Loopback), so a filter on RemoteIPType == "Public" is valid and is the normal way to select connections to public addresses; classifying RemoteIP by address ranges yourself is unnecessary. The answer key's premise is incorrect.

Why this answer

Because RemoteIPType exists, a query that references it compiles and runs, and Option C cannot be the cause of an empty result set. When a syntactically valid query returns nothing, check the time range first, which in advanced hunting is taken from the portal's time picker or an explicit Timestamp filter (Option A), then the string comparisons, because == in KQL is case-sensitive and values such as ActionType == "ConnectionSuccess" or RemoteIPType == "Public" must match exactly. Option B is unlikely because advanced hunting retains 30 days of data. Option D is unlikely because a misused summarize produces a compile error, not an empty result. Without the exhibit the stated answer cannot be verified; treat this item with caution.
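Added example, not part of the exam page, showing the correct way to select connections to public addresses with RemoteIPType and to compare each device against its own recent history rather than a fixed number. The 1-day window, the 7-day baseline and the thresholds are assumptions; the columns are the documented DeviceNetworkEvents schema.

```kql
// Added example (not from the exam page): devices with an unusually high number of
// distinct public destinations today compared with their own per-day average.
// Windows and thresholds are assumptions for illustration.
let lookback = 7d;
let window = 1d;
let baseline = DeviceNetworkEvents
    | where Timestamp between (ago(lookback) .. ago(window))
    | where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
    // six full days of history: average distinct public IPs per day
    | summarize BaselineDistinctIPs = dcount(RemoteIP) / 6.0 by DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(window)
| where ActionType == "ConnectionSuccess" and RemoteIPType == "Public"
| summarize RecentDistinctIPs = dcount(RemoteIP), Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10)
          by DeviceId, DeviceName
| join kind=leftouter baseline on DeviceId
| project-away DeviceId1
| extend Ratio = iff(BaselineDistinctIPs > 0, RecentDistinctIPs / BaselineDistinctIPs, real(null))
// Flag devices with no history at all (new or newly noisy) or a large jump over their baseline.
| where RecentDistinctIPs > 100 and (isnull(Ratio) or Ratio > 5)
| order by RecentDistinctIPs desc
```

Run it with the portal time range set wider than seven days, or the baseline subquery silently returns nothing and every device looks new.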

1413
Multi-Selecthard

A Microsoft Sentinel incident contains alerts from multiple analytics rules. The analyst suspects the same compromised account performed impossible travel followed by suspicious mailbox access. Which two actions best help correlate identity and mailbox activity?

Select 2 answers
A.Query SigninLogs for the account around the alert timestamps
B.Delete the incident to force it to regenerate
C.Disable all analytics rules that contributed alerts
D.Query OfficeActivity or relevant Microsoft 365 Defender email/cloud activity tables for mailbox operations
AnswersA, D

SigninLogs provide Microsoft Entra sign-in events, locations, risk details, and timestamps for identity correlation.

Why this answer

Option A is correct because querying SigninLogs for the account around the alert timestamps retrieves the Microsoft Entra authentication events, with the IP addresses, locations, result codes and risk levels that define the impossible travel pattern; this is the primary evidence for the first part of the suspected compromise. Option D is correct because OfficeActivity (from the Microsoft 365 connector, rows with OfficeWorkload == "Exchange") records mailbox operations such as MailItemsAccessed, Set-InboxRule and UpdateInboxRules with the UserId, ClientIP and timestamp, which is the evidence for the second part; matching its ClientIP and times against the IPAddress and sign-in times in SigninLogs for the same account ties the mailbox activity to the anomalous session.

Exam trap

The trap here is that candidates may think deleting the incident or disabling rules will fix the correlation gap. Sentinel's incident grouping and Fusion correlate alerts into an incident, but they do not reconstruct the underlying timeline; the analyst still has to query the raw tables (SigninLogs and OfficeActivity) for the account and time window to correlate identity and mailbox activity.
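Added example, not part of the exam page: one query that builds a single timeline from SigninLogs and OfficeActivity for the account in question and flags mailbox operations from an IP that never appears in the account's sign-ins. The UPN and the time window are assumptions; the columns are the Sentinel SigninLogs and OfficeActivity schema.

```kql
// Added example (not from the exam page): identity plus mailbox timeline for one account.
// The account and the window are assumptions for illustration.
let account = "user@contoso.com";
let start = datetime(2024-05-01 00:00:00);
let stop  = datetime(2024-05-02 00:00:00);
let signins = SigninLogs
    | where TimeGenerated between (start .. stop)
    | where UserPrincipalName =~ account
    | extend Country = tostring(LocationDetails.countryOrRegion),
             City = tostring(LocationDetails.city)
    | project TimeGenerated, Source = "SigninLogs", Activity = "SignIn",
              ClientIP = IPAddress, Country, City, Result = ResultType,
              RiskLevel = RiskLevelDuringSignIn, App = AppDisplayName;
let mailbox = OfficeActivity
    | where TimeGenerated between (start .. stop)
    | where OfficeWorkload == "Exchange"
    | where UserId =~ account
    // Some Exchange records carry "ip:port" for IPv4; strip the port so IPs compare equal.
    | extend ClientIP = iff(ClientIP matches regex @"^\d{1,3}(\.\d{1,3}){3}:\d+$",
                            tostring(split(ClientIP, ":")[0]), ClientIP)
    | project TimeGenerated, Source = "OfficeActivity", Activity = Operation,
              ClientIP, Country = "", City = "", Result = ResultStatus,
              RiskLevel = "", App = "";
union signins, mailbox
// Mailbox activity from an address that never authenticated interactively is the
// signature of a stolen token or a legacy-auth session.
| extend SeenInSignIn = ClientIP in ((signins | distinct ClientIP))
| project TimeGenerated, Source, Activity, ClientIP, SeenInSignIn, Country, City, Result, RiskLevel, App
| order by TimeGenerated asc
```

Read the output top to bottom: the impossible-travel pair shows up as two SignIn rows from different countries minutes apart, and the mailbox rows that follow from the second IP, or from an IP with SeenInSignIn false, are the ones to preserve as evidence.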

1414
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident is generated for a user who received a phishing email that bypassed Exchange Online Protection. The user clicked the link and entered credentials on a fake login page. The incident includes alerts from Microsoft Defender for Office 365 and Microsoft Entra ID. You need to respond to the incident. The affected user has administrative privileges. Which of the following should you do FIRST?

A.Reset the user's password and revoke sessions in Microsoft Entra ID.
B.Report the phishing email to Microsoft for analysis.
C.Create a transport rule to block similar phishing emails.
D.Delete the phishing email from the user's mailbox.
AnswerA

Immediately invalidates stolen credentials.

Why this answer

Option A is correct: resetting the password and revoking sign-in sessions invalidates the stolen credentials and the refresh tokens the attacker may already hold. Because the user is an administrator, follow up by checking for persistence the attacker may have added (new MFA methods, inbox rules, OAuth app consents). Option B is wrong because reporting the email to Microsoft is not urgent. Option D is wrong because deleting the email is worthwhile but does nothing about the compromised credentials.

Option C is wrong because a transport rule is a longer-term preventive action.

1415
MCQmedium

During threat hunting, you identify a suspicious PowerShell process that executed encoded commands. Which Microsoft Defender XDR hunting capability would best help you trace the parent process and command-line arguments across the enterprise?

A.Automated investigation and response
B.Threat analytics
C.Device inventory
D.Advanced hunting
AnswerD

Advanced hunting enables KQL queries to trace process creation events across devices.

Why this answer

Option D is correct because advanced hunting in Microsoft Defender XDR lets you run KQL over DeviceProcessEvents, where each process creation row carries the full command line plus the parent (InitiatingProcess*) and grandparent (InitiatingProcessParent*) details, across every onboarded device. Option C is wrong because device inventory lists devices and their state, not process lineage. Option A is wrong because automated investigation and response focuses on remediation, not deep tracing.

Option B is wrong because threat analytics provides threat intelligence reports, not raw event data.

1416
MCQhard

Refer to the exhibit. The query is designed to hunt for potentially compromised accounts that are not on the suspicious list but have many network logons. However, the query returns zero results even though the analyst suspects there should be some hits. What is the most likely issue?

A.The time range filter is missing; no events are returned.
B.The LogonProcessName filter uses an incorrect string.
C.The dynamic array syntax is incorrect.
D.The summarize function cannot be used after a where clause.
AnswerB

The value written to Windows security event 4624 is mixed-case, NtLmSsp, and KQL's == operator is case-sensitive, so a filter that spells it differently matches nothing.

Why this answer

Option B is correct because the LogonProcessName filter in the exhibit does not match the logged value exactly. The field holds NtLmSsp (capital N, L and S), and in the raw event text the value is followed by a trailing space; a case-sensitive == comparison against any other spelling returns no rows. Use =~ for a case-insensitive comparison, or has for a term match that also tolerates the trailing space. Option A is wrong because when a query has no explicit time filter the time range selected in the portal applies; omitting it does not by itself produce zero results.

Option C is wrong because the dynamic array syntax is correct. Option D is wrong because summarize can follow a where clause.
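Added example, not part of the exam page and not a copy of the exhibit: a version of the hunt described in 1416 written so that the LogonProcessName comparison cannot fail on case or trailing whitespace. The exclusion list, the window and the thresholds are assumptions; the columns are the Sentinel SecurityEvent schema for event 4624.

```kql
// Added example (not from the exam page): NTLM network logons by accounts that are not
// on a suspect list. List, window and thresholds are assumptions for illustration.
let suspicious = dynamic(["svc-backup", "svc-scan"]);   // assumed exclusion list
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4624 and LogonType == 3               // network logon
// == is case-sensitive; the logged value is "NtLmSsp" and carries a trailing space in
// the raw event, so a term match (has) is safer than an exact string comparison.
| where LogonProcessName has "NtLmSsp"
| where AuthenticationPackageName =~ "NTLM"
| where not(Account endswith "$")                       // drop computer accounts
| where TargetUserName !in~ (suspicious)
| summarize Logons = count(), Sources = dcount(IpAddress),
            SourceList = make_set(IpAddress, 10), Workstations = make_set(WorkstationName, 10)
          by TargetUserName, TargetDomainName, Computer
| where Logons > 50 or Sources > 5                      // assumed thresholds
| order by Logons desc
```

If you must use an exact comparison, =~ "NtLmSsp " with the trailing space is the form that matches the raw field; has avoids having to remember that.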

1417
MCQeasy

Contoso uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is generated: 'Unusual file download by user - possible data exfiltration.' The incident shows that a user downloaded 500 files from SharePoint Online within 10 minutes, which is abnormal for that user. The user's account shows no other suspicious activity. You need to respond. Which of the following is the BEST first action?

A.Block SharePoint Online access for all users temporarily.
B.Create an anomaly detection policy for such downloads.
C.Suspend the user account in Microsoft Entra ID.
D.Investigate the user's recent activity logs.
AnswerC

Stops further downloads immediately; revoke the user's sessions as well, since disabling the account alone does not invalidate tokens already issued.

Why this answer

Option C is correct: suspending (blocking sign-in for) the user in Microsoft Entra ID stops any further downloads while the investigation proceeds; pair it with a session revocation so existing access and refresh tokens stop working. Option D is wrong: investigating first lets more data leave while you read logs. Option A is wrong: blocking SharePoint affects every user.

Option B is wrong: creating an anomaly detection policy is a long-term improvement, not a response.

1418
MCQmedium

A security analyst is investigating a potential malware outbreak detected by Microsoft 365 Defender. The analyst needs to identify all devices that have executed a specific parent process with a given ProcessId. Which column in the DeviceProcessEvents table should be used to find processes whose parent is the specified process?

A.ParentProcessId
B.InitiatingProcessId
C.ProcessId
D.LogonId
AnswerB

In the DeviceProcessEvents schema the parent process is described by the InitiatingProcess* columns: InitiatingProcessId is the parent's PID, and InitiatingProcessParentId is the grandparent's. The table has no ParentProcessId column.

Why this answer

In DeviceProcessEvents every row is one process creation. The created process is described by ProcessId, ProcessCreationTime, FileName and ProcessCommandLine, and the process that created it (its parent) by InitiatingProcessId, InitiatingProcessCreationTime, InitiatingProcessFileName and InitiatingProcessCommandLine. To find every child of a known process you therefore filter on InitiatingProcessId equal to the parent's PID, and on InitiatingProcessCreationTime as well, because Windows reuses PIDs and a PID alone is ambiguous across a 30-day hunting window. The name ParentProcessId is used for the same idea in other Microsoft schemas (the process entity in the Microsoft Graph security alert API, for example), which is where the confusion comes from.

Exam trap

The trap is the intuitive name: ParentProcessId reads like the obvious answer, but in the Defender advanced hunting tables the parent is always the initiating process, and the Initiating prefix is used consistently across DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents and DeviceRegistryEvents.

How to eliminate wrong answers

Option A (ParentProcessId) is wrong because no such column exists in DeviceProcessEvents; a query that references it fails to compile. Option C (ProcessId) is wrong because it is the PID of the created process itself, so filtering on it finds that one process, not its children. Option D (LogonId) is wrong because it identifies the logon session the process runs under, which groups processes by session, not by lineage.
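Added example, not part of the exam page, covering both 1415 and 1418: it finds PowerShell launched with an encoded command, decodes the payload, shows the parent and grandparent from the same row, and then lists the processes that PowerShell went on to spawn by matching InitiatingProcessId and InitiatingProcessCreationTime against the parent's ProcessId and ProcessCreationTime. The 30-day window is an assumption; the columns are the documented DeviceProcessEvents schema.

```kql
// Added example (not from the exam page): encoded PowerShell with lineage and children.
// The 30-day window is an assumption for illustration.
let encoded = DeviceProcessEvents
    | where Timestamp > ago(30d)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    // -e, -ec, -en, -enc and -EncodedCommand are all accepted abbreviations
    | where ProcessCommandLine matches regex @"(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
    | extend EncodedBlob = extract(@"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
    // The blob is base64 of UTF-16LE text; decoding it as UTF-8 leaves a NUL after each
    // ASCII character, so strip the NULs to get readable script text.
    | extend Decoded = replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", "")
    | project Timestamp, DeviceId, DeviceName, AccountName,
              ProcessId, ProcessCreationTime, ProcessCommandLine, Decoded,
              Parent = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine,
              GrandParent = InitiatingProcessParentFileName;
// Children are the rows whose initiating (parent) PID and creation time equal the
// PowerShell process's own PID and creation time.
encoded
| join kind=leftouter (
    DeviceProcessEvents
    | where Timestamp > ago(30d)
    | project DeviceId,
              ChildParentPid = InitiatingProcessId,
              ChildParentCreationTime = InitiatingProcessCreationTime,
              Child = FileName, ChildCommandLine = ProcessCommandLine
  ) on DeviceId,
     $left.ProcessId == $right.ChildParentPid,
     $left.ProcessCreationTime == $right.ChildParentCreationTime
| summarize Children = make_set(Child, 20), ChildCommandLines = make_set(ChildCommandLine, 20)
          by Timestamp, DeviceName, AccountName, GrandParent, Parent, ParentCommandLine,
             ProcessCommandLine, Decoded
| order by Timestamp desc
```

Empty Decoded on a row means the payload was not plain ASCII once decoded (base64_decode_tostring returns nothing for bytes that are not valid UTF-8); take the EncodedBlob offline in that case. A winword.exe or outlook.exe grandparent, or children such as rundll32.exe, certutil.exe or mshta.exe, is what turns a hit into an incident.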

1419
MCQmedium

You are a security analyst for a company using Microsoft Defender XDR. An incident is detected involving a device that has been communicating with a known command-and-control (C2) server. The device is currently online and the user is active. What should you do first to contain the threat?

A.Isolate the device from the network using Microsoft Defender for Endpoint
B.Run a full antivirus scan on the device
C.Notify the user to disconnect the device
D.Kill the suspicious processes on the device
AnswerA

Isolation immediately stops C2 communication.

Why this answer

Option A is correct because isolating the device in Defender for Endpoint immediately cuts its network access while keeping the Defender service channel open, so the C2 traffic stops and you can still investigate with live response and collect the investigation package. Option D is wrong because killing processes may not stop the communication; the malware can respawn, or a different component may hold the connection. Option B is wrong because a scan is reactive and does not stop the traffic.

Option C is wrong because contacting the user is slow and unreliable, and could tip off the attacker.

1420
MCQeasy

Which Microsoft Sentinel feature allows you to automatically respond to incidents by running a playbook when an incident is created?

A.Analytics rules
B.Playbooks
C.Watchlists
D.Workbooks
E.Automation rules
AnswerE

Automation rules can trigger playbooks on incident creation.

Why this answer

Automation rules in Microsoft Sentinel allow you to define automated responses to incidents, including running a playbook when an incident is created. They provide a centralized way to trigger actions based on incident properties such as severity, status, or specific tactics, without needing to embed automation logic directly in analytics rules.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking playbooks themselves automatically respond to incidents, when in fact playbooks are the action components that must be triggered by an automation rule or manual invocation.

How to eliminate wrong answers

Option A is wrong because analytics rules generate alerts or incidents based on data queries, but they do not directly run playbooks; automation rules are the mechanism that triggers playbooks upon incident creation. Option B is wrong because playbooks are collections of actions (based on Azure Logic Apps) that can be run manually or via automation rules, but they are not the feature that automatically responds to incidents when created. Option C is wrong because watchlists are collections of data (e.g., IP addresses, hostnames) used for correlation and enrichment in analytics rules, not for automated incident response.

Option D is wrong because workbooks are interactive dashboards for visualizing and analyzing data, not for triggering automated responses.

1421
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule created via ARM template. What is the effect of the grouping configuration?

A.Groups alerts into one incident if any entity matches.
B.Creates a separate incident for each alert.
C.Suppresses alerts for 5 hours after the first alert.
D.Groups alerts into one incident if all entities match within a 5-hour lookback.
AnswerD

The grouping config creates a single incident for alerts with matching entities within 5 hours.

Why this answer

The grouping configuration in the exhibit sets the grouping condition to 'Group alerts into a single incident if all entities match' with a 5-hour lookback period. This means that alerts generated within 5 hours that share identical entities (e.g., same IP, host, or account) will be merged into one incident, reducing alert noise. In the ARM template this is the rule's incidentConfiguration.groupingConfiguration object, with enabled set to true, matchingMethod set to AllEntities (the alternatives are AnyAlert and Selected, the latter combined with groupByEntities, groupByAlertDetails or groupByCustomDetails) and lookbackDuration set to PT5H, the ISO 8601 form of five hours. Option D correctly describes this behavior, as it specifies both the entity matching requirement and the time window.

Exam trap

The trap here is confusing the grouping lookback window with alert suppression or mistaking 'any entity matches' for 'all entities match,' which leads candidates to pick Option A or C instead of D.

How to eliminate wrong answers

Option A is wrong because it states 'if any entity matches,' but the configuration requires all entities to match, not any single entity. Option B is wrong because it describes creating a separate incident for each alert, which is the opposite of grouping; the configuration explicitly enables grouping. Option C is wrong because it refers to suppressing alerts for 5 hours after the first alert, which is a different feature (alert suppression) not related to grouping configuration; the 5-hour value here is the lookback window for grouping, not a suppression period.

1422
MCQhard

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft Defender XDR. What is the most likely scenario this query is designed to detect?

A.Persistence mechanism via startup folder
B.Ransomware dropping executables on desktops and spreading via SMB
C.Registry modification to disable security tools
D.Phishing campaign delivering .lnk files
AnswerB

.scr files on desktop and SMB connections are common in ransomware outbreaks.

Why this answer

The query looks for .scr files (screensaver files, which are ordinary PE executables and are often used to disguise malware) with names of eight lowercase letters written to the desktop, and correlates them with SMB (port 445) connections to private IPs. Option B is correct because ransomware commonly drops its executable on the desktop and then spreads to neighbouring hosts over SMB. Option A is incorrect because the file is on the desktop, not in a Startup folder.

Option C is incorrect because no registry events are involved. Option D is incorrect because the file is .scr, not .lnk.

1423
MCQmedium

A cloud security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to integrate a third-party vulnerability assessment solution for their Azure VMs and ensure findings appear in the Defender for Cloud recommendations. What must be done?

A.Configure a data connector in Microsoft Sentinel to forward the partner's findings.
B.Enable the 'Integrated' partner solution in Defender for Cloud and install the scanner on VMs.
C.Deploy the Microsoft Defender Vulnerability Management solution instead of a third-party tool.
D.Use Azure Policy to assign a built-in initiative that mandates vulnerability scanning.
AnswerB

This configures Defender for Cloud to accept findings from the partner vulnerability scanner and display them as recommendations.

Why this answer

Option B is correct because Defender for Cloud supports integrating third-party vulnerability assessment solutions through the 'Integrated' partner solution setting. Once enabled, you must install the partner's scanner agent on each Azure VM. The findings are then ingested into Defender for Cloud and appear in the 'Vulnerabilities in your virtual machines should be remediated' recommendation, allowing the security team to view and manage them alongside built-in assessments.

Exam trap

The trap here is that candidates often confuse the role of Microsoft Sentinel (a SIEM) with Defender for Cloud's native vulnerability assessment integration, thinking that any security data can be funneled through Sentinel to populate Defender for Cloud recommendations, which is incorrect because Sentinel does not write to Defender for Cloud's recommendation engine.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a SIEM for collecting and analyzing security logs, not a mechanism to ingest vulnerability assessment findings into Defender for Cloud recommendations; it would not populate the specific Defender for Cloud vulnerability recommendation. Option C is wrong because the question explicitly requires integrating a third-party solution, not replacing it with Microsoft Defender Vulnerability Management. Option D is wrong because Azure Policy can enforce that a vulnerability assessment solution is deployed, but it does not directly cause findings from a third-party tool to appear in Defender for Cloud recommendations; the 'Integrated' partner solution must be enabled and the scanner installed.

1424
Multi-Selecthard

Which THREE of the following are features of Microsoft Defender XDR that help manage a security operations environment?

Select 3 answers
A.Sentinel SIEM integration
B.Threat analytics
C.Automated investigation and response
D.Advanced hunting
E.Unified incident management
AnswersC, D, E

AIR is a key feature of Defender XDR.

Why this answer

Microsoft Defender XDR provides unified incident management, automated investigation and response, and advanced hunting. Note that threat analytics is also available in the Microsoft Defender portal as a Defender XDR feature; the answer key treats it as a Defender for Endpoint feature, so read the question's framing carefully. Microsoft Sentinel is a separate SIEM product; it integrates with Defender XDR but is not a feature of it.

Custom detection rules are part of Defender XDR.

1425
MCQeasy

Your organization uses Microsoft Defender for Cloud. You need to view a list of all security recommendations for your Azure subscriptions. Which blade should you use?

A.Workbooks
B.Regulatory Compliance
C.Inventory
D.Recommendations
AnswerD

This blade lists all security recommendations.

Why this answer

The Recommendations blade in Microsoft Defender for Cloud is the centralized hub that lists all security recommendations for your Azure subscriptions, including those from Azure Security Benchmark and custom initiatives. It provides a prioritized view of security posture improvements, such as remediating vulnerabilities or enabling encryption, directly actionable from the blade.

Exam trap

The trap here is that candidates confuse the Inventory blade (which shows resources and their security state) with the Recommendations blade (which shows the actionable list of security improvements), leading them to select Inventory instead of the correct Recommendations blade.

How to eliminate wrong answers

Option A is wrong because Workbooks are used for creating custom visualizations and reports from Azure Monitor data, not for viewing the list of security recommendations. Option B is wrong because Regulatory Compliance focuses on compliance scores and controls against standards like SOC 2 or ISO 27001, not the full set of security recommendations. Option C is wrong because Inventory shows a list of Azure resources and their security posture, but it does not display the aggregated list of recommendations; it is a resource-centric view, not a recommendation-centric one.
