Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 76–150

1639 questions total · 22pages · All types, answers revealed

76
MCQ · medium

You deploy the above ARM template to create a scheduled analytics rule in Microsoft Sentinel. After deployment, the rule runs but never generates incidents. What is the MOST likely cause?

A. The severity level 'Medium' is not supported.
B. The rule is disabled because 'enabled' is set to true but there is a typo.
C. The query 'SigninLogs | where ResultType == 50057' is invalid.
D. The saved search resource type is incorrectly used; it should not be included in the template.
Answer: D

The saved search resource is not a valid Sentinel alert rule; the alert rule itself is defined correctly, but the template may cause deployment errors.

Why this answer

Option D is correct because the saved search (savedSearches) resource type is not a valid alert rule in Sentinel; an alert rule must use the 'Microsoft.SecurityInsights/alertRules' resource type with the correct schema. The template includes both a saved search and an alert rule, and the alert rule's query against SigninLogs is valid; the problem is that the saved search is incorrectly defined as a resource.

Option A is wrong because the severity is valid. Option B is wrong because the rule is enabled. Option C is wrong because the query is valid.

77
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. During an incident investigation, you find that a device is exfiltrating data to an external IP. You need to isolate the device from the network using automated response. Which action should you configure in an automation rule?

A. Trigger a Microsoft Purview data loss prevention policy.
B. Run a Microsoft Entra ID playbook to disable the device.
C. Run a playbook that triggers a Microsoft Defender for Endpoint 'Isolate device' action.
D. Create an automation rule in Microsoft Intune to wipe the device.
Answer: C

This action isolates the device from the network, containing the exfiltration.

Why this answer

Option C is correct because Microsoft Defender for Endpoint provides the 'Isolate device' action, which can be triggered from a playbook run by a Sentinel automation rule. Option B is wrong because Microsoft Entra ID does not provide device isolation. Option D is wrong because Intune is for device management, not immediate network isolation.

Option A is wrong because Microsoft Purview is for data governance, not device isolation.

78
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. During an incident, you discover that a user is downloading large amounts of data from SharePoint to an unmanaged device. You need to automatically block further downloads from that device. What should you configure?

A. Create a session policy in Microsoft Defender for Cloud Apps to block download.
B. Create a Conditional Access policy to require a compliant device.
C. Configure Microsoft Intune device compliance policy.
D. Create a DLP policy in Microsoft Purview.
Answer: A

Session policies can monitor and control actions in real time.

Why this answer

Option A is correct because Defender for Cloud Apps session policies can block downloads from unmanaged devices. Option B is wrong because Conditional Access policies block access but not specific actions. Option D is wrong because DLP policies generate alerts but do not block.

Option C is wrong because device compliance policies require Intune enrollment.

79
MCQ · hard

During a threat hunt, you find a PowerShell script that decodes a base64-encoded command and executes it. Which MITRE ATT&CK technique is this behavior most associated with?

A. T1059.001 (PowerShell)
B. T1055 (Process Injection)
C. T1003 (Credential Dumping)
D. T1027 (Obfuscated Files or Information)
Answer: D

Base64 encoding is a form of obfuscation.

Why this answer

Obfuscated Files or Information (T1027) includes encoding. PowerShell execution is also part of T1059.001, but the encoding aspect points to T1027.

80
MCQ · easy

You need to create a custom detection rule in Microsoft Sentinel that alerts when an anomalous number of failed logons occur from a single IP address within 5 minutes. Which KQL operator should you use to count failed logons per IP?

A. summarize
B. project
C. where
D. extend
Answer: A

summarize groups by IP and counts events.

Why this answer

Option A is correct because 'summarize' is used to aggregate counts per key (the IP address). Option B (project) only selects columns. Option D (extend) adds calculated columns.

Option C (where) filters rows.

81
Multi-Select · medium

Which TWO of the following are valid methods to perform threat hunting in Microsoft Sentinel? (Choose TWO.)

Select 2 answers
A. Create and save custom KQL queries in the Hunting blade
B. Use the built-in hunting queries in the Microsoft Sentinel Hunting blade
C. Configure automated response rules to detect threats
D. Use Workbooks to visualize data and identify anomalies
E. Create a Playbook to automatically run queries on a schedule
Answers: A, B

Custom queries can be created and saved for reuse.

Why this answer

Options A and B are correct. A: custom KQL queries can be created and saved in the Hunting blade. B: the Hunting blade provides a list of built-in hunting queries.

Options C and E are wrong because automated response rules and Playbooks are for automated response, not hunting. Option D is wrong because Workbooks are for visualization, not interactive hunting.

82
Multi-Select · easy

Which THREE are valid methods to create a custom hunting query in Microsoft Sentinel?

Select 3 answers
A. Use the Playbook blade to generate a query.
B. Create a new analytics rule in the Analytics blade.
C. Save a query from the Logs blade to the Hunting blade.
D. Write a new KQL query in the Logs blade.
E. Clone an existing built-in hunting query and modify it.
Answers: C, D, E

Queries can be saved to Hunting.

Why this answer

Options C, D, and E are correct. D is correct because you can write a new KQL query in the Logs blade. E is correct because you can start from a built-in hunting query and edit it.

C is correct because you can save a query from Logs to Hunting. B is incorrect because the Analytics blade is for alert rules, not hunting. A is incorrect because Playbooks are for automation, not queries.

83
Multi-Select · easy

Your organization uses Microsoft Sentinel as the primary SIEM. The SOC team reports that many low-severity incidents are overwhelming the queue. You need to reduce noise while ensuring that high-severity incidents are not missed. Which two actions should you take? (Choose two.)

Select 2 answers
A. Increase the data retention period for low-severity alerts.
B. Adjust the analytics rule settings to only create incidents for alerts with a severity of Medium or higher.
C. Use playbooks to manually review each low-severity incident.
D. Create additional analytics rules to better differentiate between true and false positives.
E. Configure automation rules to automatically close incidents with specific low-severity alert types.
Answers: B, E

This prevents low-severity alerts from becoming incidents.

Why this answer

Option E helps automatically close low-severity incidents that are false positives. Option B sets a severity threshold for alerts to be created as incidents. Option D is incorrect because creating more analytics rules would increase noise.

Option A is incorrect because increasing retention does not reduce noise. Option C is incorrect because playbooks do not suppress incidents.

84
MCQ · medium

You are investigating a detection in Microsoft Defender for Endpoint. The PowerShell output shows a threat with ID 2147723152. Which type of threat does this ID represent?

A. Ransomware
B. HackTool
C. Worm
D. Trojan
Answer: B

2147723152 is a known hacktool detection.

Why this answer

Threat ID 2147723152 corresponds to a hacktool (specifically, a tool used for penetration testing), often detected as 'HackTool:MSIL/Mimikatz!dha'.

85
MCQ · medium

A company uses Microsoft Defender XDR and has enabled automatic attack disruption for human-operated ransomware. During an incident, the system automatically contains a compromised account. However, the SOC team wants to ensure that the containment action is reversible and that the account can be restored after investigation. What should the team do before restoring the account?

A. Change the account's password and enable multi-factor authentication.
B. Verify that no other accounts were compromised.
C. Remove the account from all administrative roles.
D. Run a full antivirus scan on the account's devices.
Answer: A

Resetting the password and enabling MFA ensures the account is secured before restoration.

Why this answer

The correct answer is A. The account must be reset and verified clean to prevent the attacker from regaining access. The other options are not sufficient or are incorrect.

86
MCQ · easy

Your organization uses Microsoft Sentinel. A security incident is created, and the assigned analyst needs to perform initial triage. What is the first step the analyst should take according to Microsoft best practices for incident response?

A. Contain the affected resources immediately to prevent further damage.
B. Run a full investigation using Microsoft 365 Defender hunting queries.
C. Review the incident details and verify the alert is a true positive.
D. Escalate the incident to the senior security team.
Answer: C

The first step is to validate the alert.

Why this answer

Option C is correct because the first step in the Microsoft incident response process is to verify the alert and determine its validity. Option A is wrong because containment should follow verification. Option D is wrong because escalating before verification bypasses triage.

Option B is wrong because a detailed investigation comes after initial triage.

87
Multi-Select · easy

Which TWO data sources are natively supported by Microsoft Sentinel for ingesting security events? (Choose two.)

Select 2 answers
A. Salesforce audit logs
B. GitHub audit logs
C. Google Cloud Platform (GCP) logs
D. Windows Security Events
E. Azure Activity Logs
Answers: D, E

Native connector via Log Analytics agent.

Why this answer

Windows Security Events are natively supported by Microsoft Sentinel via the Windows Security Events via AMA connector or the legacy Log Analytics agent. This connector ingests security event logs (e.g., Event ID 4625 for failed logons) directly into Sentinel without requiring a third-party parser or custom data connector. Azure Activity Logs are also natively supported through the Azure Activity connector, which streams subscription-level operational events (e.g., resource creation, policy changes) into Sentinel at no additional cost.

Exam trap

The trap here is that candidates often confuse 'natively supported' with 'available via a connector in the content hub,' but Microsoft Sentinel defines native support as built-in data connectors that require no additional custom code or third-party services, excluding connectors that rely on Azure Functions or partner solutions.

88
Multi-Select · hard

Which THREE of the following are valid incident types in Microsoft 365 Defender? (Choose three.)

Select 3 answers
A. Insider risk
B. Phishing
C. Misconfiguration
D. Data exfiltration
E. Malware
Answers: B, D, E

Phishing incidents come from Defender for Office 365.

Why this answer

Options B, D, and E are correct because Microsoft 365 Defender incidents include categories such as 'Malware', 'Phishing', and 'Data exfiltration'. Option C is wrong because 'Misconfiguration' is not an incident type; it is a finding. Option A is wrong because 'Insider risk' is managed in Microsoft Purview, not as a primary incident type in Defender.

89
MCQ · hard

Your organization uses Microsoft Sentinel. You need to implement a custom incident response process that requires approval before taking action on an incident. What should you use?

A. Automation rules with conditions
B. Watchlist for approval status
C. Playbook with Microsoft Teams connector for approval
D. Analytics rule with custom details
Answer: C

Enables human-in-the-loop approval.

Why this answer

Option C is correct because Microsoft Teams integration with Adaptive Cards allows approval workflows in playbooks. Option A is wrong because automation rules cannot require approval. Option D is wrong because analytics rules do not support approval.

Option B is wrong because watchlists are for reference data, not workflows.

90
MCQ · medium

Refer to the exhibit. The query is intended to find devices where PowerShell was used with encoded commands and connected to specific remote IPs. However, the analyst notices that the query returns no results. What is the most likely reason?

A. The join key DeviceName does not exist in DeviceNetworkEvents.
B. The has_any operator is incorrect; should use contains.
C. The dynamic array syntax is incorrect.
D. The time range is too short.
Answer: A

DeviceNetworkEvents uses DeviceId, not DeviceName, so the join fails.

Why this answer

Option A is correct because the join condition uses DeviceName, and an inner join requires a matching DeviceName column in both tables. If DeviceNetworkEvents does not have a DeviceName field (it uses DeviceId), the join fails. Option D is wrong because the time range is valid.

Option C is wrong because the dynamic array syntax is correct. Option B is wrong because has_any is the correct operator for matching multiple strings.

91
Multi-Select · medium

Which TWO of the following are valid data sources for Microsoft Sentinel threat hunting? (Choose 2)

Select 2 answers
A. Syslog
B. Google Workspace
C. ServiceNow
D. Amazon Web Services CloudTrail
E. Azure Active Directory (Microsoft Entra ID)
Answers: D, E

AWS CloudTrail is a supported connector via S3.

Why this answer

Options D and E are correct because Microsoft Sentinel can ingest Amazon Web Services (AWS) CloudTrail logs via the AWS S3 connector and Azure Active Directory (now Microsoft Entra ID) logs. Option A is wrong because Syslog is a protocol, not a pre-built data connector name; syslog data can be ingested, but 'Syslog' alone is not a data source name in the context of this list. Option B is wrong because Google Workspace is not natively supported as a connector in Microsoft Sentinel (it requires a custom connector).

Option C is wrong because ServiceNow is not a direct data source; it can be integrated via Logic Apps but not as a standard data connector.

92
Multi-Select · easy

Your organization uses Microsoft Sentinel. You are investigating an incident and need to gather additional context about a suspicious IP address. Which TWO Microsoft Sentinel features can you use to enrich the investigation?

Select 2 answers
A. Threat intelligence
B. Watchlist
C. Hunting
D. Entity behavior analytics
E. User and Entity Behavior Analytics (UEBA)
Answers: A, D

Threat intelligence can indicate if the IP is known malicious.

Why this answer

Entity behavior analytics provides insights into user and entity activities. Threat intelligence feeds provide context about known malicious IPs. The watchlist feature is for storing data, not enrichment.

The hunting feature is for proactive searches. The UEBA feature is similar to entity behavior analytics but not specifically for IP enrichment.

93
MCQ · easy

A security analyst receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request. What is the first step the analyst should take?

A. Disable the user account
B. Reset the user's password
C. Run a full antivirus scan on the user's device
D. Validate the alert by checking the user's recent activity
Answer: D

Confirms the alert.

Why this answer

Option D is correct because validating the alert confirms whether it is a true positive before taking action. Option A is wrong because disabling the user is premature. Option B is wrong because resetting the password may alert the attacker.

Option C is wrong because running a scan may not be relevant.

94
MCQ · medium

Your team uses Microsoft Sentinel to investigate incidents. You need to create a custom analytic rule that triggers an incident when a user signs in from an unfamiliar location. What is the most efficient way to achieve this?

A. Create a playbook triggered by Microsoft Entra ID alerts.
B. Write a custom KQL query using SigninLogs.
C. Configure a Microsoft Purview insider risk policy.
D. Use a built-in Anomalous Sign-in Location rule template.
Answer: D

This template uses UEBA to detect anomalous sign-ins without custom KQL.

Why this answer

Option D is correct because Microsoft Sentinel provides a built-in 'Anomalous Sign-in Location' rule template that leverages Microsoft Entra ID Identity Protection data to detect sign-ins from unfamiliar locations. This template is pre-configured with the necessary KQL logic and alerting, making it the most efficient method without requiring custom development or additional data sources.

Exam trap

The trap here is that candidates may assume a custom KQL query (Option B) is the most flexible and efficient approach, overlooking that Sentinel's built-in templates are pre-optimized and require no manual logic for defining 'unfamiliar' locations.

How to eliminate wrong answers

Option A is wrong because playbooks are automated response actions (e.g., sending emails or blocking users) triggered by alerts, not the mechanism to create detection rules for unfamiliar location sign-ins. Option B is wrong because while a custom KQL query using SigninLogs could detect unfamiliar locations, it requires manual logic to define 'unfamiliar' (e.g., comparing against historical geolocation data) and is less efficient than using the built-in template. Option C is wrong because Microsoft Purview insider risk policies focus on detecting risky user activities like data exfiltration or policy violations, not sign-in location anomalies.

95
MCQ · easy

You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different workloads. You need to view all related alerts in a single timeline. What should you use?

A. Incident page
B. Advanced hunting
C. Action center
D. Device timeline
Answer: A

Shows all related alerts.

Why this answer

Option A is correct because the incident page in Defender XDR shows all related alerts. Option C is wrong because the Action center shows remediation actions. Option B is wrong because advanced hunting is for proactive queries.

Option D is wrong because the device timeline is per device.

96
MCQ · medium

A company uses Microsoft Defender for Cloud with Defender for Servers enabled. They also run SQL Server on Azure Virtual Machines (IaaS). The security team wants to enable Advanced Threat Protection (ATP) for these SQL Server IaaS instances to detect threats like SQL injection. What is the single most effective action to achieve this?

A. Enable the Defender for SQL plan on the management group or subscription
B. Install the SQL IaaS Agent extension on each VM
C. Configure a vulnerability assessment solution on each SQL Server
D. Enable Azure SQL Database Threat Detection policy
Answer: A

Defender for SQL (IaaS) is a plan under Defender for Cloud. Enabling it extends protection to SQL Server IaaS instances, including ATP capabilities.

Why this answer

The Defender for SQL plan in Microsoft Defender for Cloud provides Advanced Threat Protection (ATP) for Azure SQL Database, Azure SQL Managed Instance, and SQL Server on Azure VMs. Enabling this plan at the management group or subscription level automatically protects all current and future SQL Server IaaS instances within that scope, including threat detection for SQL injection attacks, without requiring per-VM agent installation.

Exam trap

The trap here is that candidates often confuse the SQL IaaS Agent extension (which is needed for VM registration and management) with the actual security configuration required for ATP, leading them to select Option B instead of the subscription-level plan enablement in Option A.

How to eliminate wrong answers

Option B is wrong because installing the SQL IaaS Agent extension is a prerequisite for registering the VM with the SQL IaaS resource provider, but it does not enable ATP by itself; ATP requires the Defender for SQL plan to be enabled. Option C is wrong because configuring a vulnerability assessment solution addresses security misconfigurations and vulnerabilities, not real-time threat detection like SQL injection. Option D is wrong because Azure SQL Database Threat Detection policy applies only to Azure SQL Database, not to SQL Server running on Azure VMs (IaaS).

97
MCQ · easy

A SOC analyst needs to create a basic analytics rule in Microsoft Sentinel to detect when an Azure VM is created with an open management port (e.g., SSH or RDP). Which data source should the analyst configure to get the VM creation events?

A. Azure Activity log (AzureActivity)
B. Azure Security Center alerts (SecurityAlert)
C. Microsoft Entra ID Audit logs (AuditLogs)
D. Azure Network Watcher logs (NetworkMonitoring)
Answer: A

The AzureActivity table, ingested via the Azure Activity connector, contains events such as VM creation, which can be used to detect open management ports.

Why this answer

The Azure Activity log (AzureActivity) captures all control-plane operations on Azure resources, including virtual machine creation events (e.g., Microsoft.Compute/virtualMachines/write). When a VM is created with an open management port like SSH (22) or RDP (3389), the activity log records the deployment details, making it the correct data source for triggering a basic analytics rule in Microsoft Sentinel to detect such events.

Exam trap

The trap here is that candidates often confuse Azure Activity logs with Azure Security Center alerts, mistakenly thinking that security alerts will fire on VM creation events, when in fact Activity logs are the only source for raw control-plane operations in Sentinel.

How to eliminate wrong answers

Option B is wrong because Azure Security Center alerts (SecurityAlert) are generated from security findings after resource creation, not from the raw creation event itself, and cannot be used to detect the initial VM creation action. Option C is wrong because Microsoft Entra ID Audit logs (AuditLogs) track identity and authentication activities within Entra ID, not Azure resource creation events like VM deployments. Option D is wrong because Azure Network Watcher logs (NetworkMonitoring) capture network-level traffic and diagnostics (e.g., NSG flow logs, connection monitors), not control-plane operations such as VM provisioning.

98
MCQ · medium

You are using Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should you look for to detect a potentially malicious app that was granted high privileges by a user?

A. Consent to application
B. Add service principal
C. Update application
D. Add app role assignment grant
Answer: A

This activity indicates a user granted permissions to an OAuth app.

Why this answer

Option A is correct because 'Consent to application' is the activity recorded when a user grants OAuth permissions. Option D is wrong because 'Add app role assignment grant' is a different operation. Option C is wrong because 'Update application' may not involve consent.

Option B is wrong because 'Add service principal' is about creating a service principal, not consent.

99
MCQ · medium

A security analyst in Microsoft 365 Defender is investigating an email-based threat. The analyst needs to find all emails that were initially delivered to user inboxes but were later remediated (e.g., moved to junk, deleted, or quarantined) by Zero-Hour Auto Purge (ZAP). Which advanced hunting tables should the analyst query to get both the original email metadata and the post-delivery remediation events?

A. EmailEvents and EmailPostDeliveryEvents
B. EmailEvents and EmailAttachmentInfo
C. EmailPostDeliveryEvents and EmailUrlInfo
D. EmailEvents and CloudAppEvents
Answer: A

Correct. EmailEvents has delivery info; EmailPostDeliveryEvents has ZAP and other post-delivery actions.

Why this answer

To investigate emails that were initially delivered but later remediated by Zero-Hour Auto Purge (ZAP), you need both the original email metadata (from EmailEvents) and the post-delivery remediation actions (from EmailPostDeliveryEvents). EmailEvents provides details like sender, recipient, subject, and delivery status, while EmailPostDeliveryEvents records ZAP actions such as moving to junk, deleting, or quarantining. Querying these two tables together allows you to correlate the initial delivery with the subsequent remediation event.

Exam trap

The trap here is that candidates may think EmailPostDeliveryEvents alone suffices, but without EmailEvents you cannot confirm the original delivery status (e.g., 'Delivered') which is essential to distinguish ZAP from other post-delivery actions like manual user moves.

How to eliminate wrong answers

Option B is wrong because EmailAttachmentInfo only contains metadata about email attachments (e.g., file name, hash) and does not include post-delivery remediation events or original email delivery metadata needed for ZAP investigation. Option C is wrong because EmailUrlInfo only contains URL-related information from emails (e.g., clicked links) and lacks the original email metadata from EmailEvents, so you cannot see the initial delivery status. Option D is wrong because CloudAppEvents tracks activities in Microsoft cloud apps (e.g., SharePoint, OneDrive) and is not related to email delivery or ZAP remediation events in Exchange Online.

100
MCQ · hard

As a threat hunter at Contoso, you are investigating a potential advanced persistent threat (APT) that may have compromised multiple Azure subscriptions. You have Microsoft Defender for Cloud enabled and Microsoft Sentinel collecting data from all subscriptions. You suspect the attacker is using Azure Resource Manager operations to create malicious resources. You need to create a hunting query that identifies anomalous Azure management operations, specifically focusing on operations that create new resources (e.g., virtual machines, storage accounts) from unusual IP addresses or at unusual times. Which approach should you take?

A. Use the CommonSecurityLog table to analyze network traffic from management tools.
B. Use the AzureActivity table in Microsoft Sentinel to query for any operation where the OperationNameValue contains 'write' and then manually review each result.
C. Use the AzureActivity table to filter for operations where HttpMethod == 'PUT' (create/update), then summarize by CallerIpAddress and bin(TimeGenerated, 1h) to find spikes or unusual caller IPs.
D. Query the SigninLogs table in Microsoft Sentinel for all interactive sign-ins to the Azure portal, then cross-reference with Azure Activity logs.
Answer: C

Correctly identifies write operations and aggregates them for anomaly detection.

Why this answer

Option C leverages the AzureActivity table with a filter for write operations (HTTP PUT) and summarizes by caller IP and hourly time bucket, allowing for anomaly detection. Option B is too broad; Option D focuses on sign-ins, not resource operations; Option A uses the wrong log source for Azure management events.

101
MCQ · medium

A security operations center (SOC) uses Microsoft Sentinel. The team wants to detect anomalous behavior for a specific user account that typically logs in only during business hours from a known IP range. They create a scheduled analytics rule that queries the SigninLogs table for logins outside that range or outside business hours. To reduce false positives, which of the following configurations should the analyst apply?

A. Set the alert threshold to 5 occurrences within the query lookback period.
B. Enable entity mapping for the user account to correlate with other data sources.
C. Increase the query scheduling frequency to every 5 minutes from every hour.
D. Group all events into a single alert and set the suppression limit to 1 hour.
Answer: A

Correct. Alert threshold sets a minimum number of matching events required to generate an alert, reducing noise from single anomalous but benign logins.

Why this answer

Option A is correct because setting an alert threshold (e.g., 5 occurrences within the query lookback period) reduces false positives by requiring the anomalous behavior to be persistent rather than a single outlier. In Microsoft Sentinel, the alert threshold filters out noise from occasional legitimate logins that might accidentally fall outside business hours or the known IP range, ensuring the rule only fires when the pattern is repeated enough to indicate a real threat.

Exam trap

The trap here is that candidates confuse alert suppression (which reduces duplicates) with alert threshold (which reduces false positives by requiring multiple occurrences), leading them to choose options like D that manage alert volume but do not filter out low-confidence events.

How to eliminate wrong answers

Option B is wrong because entity mapping does not reduce false positives; it enriches alerts with additional context (e.g., linking to user entities) for investigation but does not filter out low-confidence events. Option C is wrong because increasing the query scheduling frequency to every 5 minutes would generate more frequent alerts, potentially increasing false positives and noise, not reducing them. Option D is wrong because grouping events into a single alert with a suppression limit of 1 hour only prevents duplicate alerts for the same detected pattern; it does not address the underlying false-positive rate from single anomalous logins.

102
MCQ · medium

You are a security analyst investigating a detected phishing campaign targeting users in your organization. The Microsoft Defender for Office 365 alert indicates that several users clicked on a malicious link. Which action should you take first to prevent further compromise?

A. Add the malicious URL to the Microsoft Defender for Endpoint custom threat indicator list.
B. Isolate all affected users' devices from the network.
C. Report the email to Microsoft for analysis.
D. Block the sender email address in the tenant.
Answer: A

This blocks the URL across all devices and is the fastest way to prevent further clicks.

Why this answer

The first priority is to block the malicious URL across all endpoints using Microsoft Defender for Endpoint's IOC capabilities to prevent any other users from clicking the link. Isolating users would be disruptive and may not be necessary for all. Reporting to Microsoft is not immediate.

Blocking the sender may help but does not stop users who already have the email.

103
MCQ · hard

You manage a Microsoft Sentinel workspace that ingests logs from multiple sources. You notice that the workspace is approaching its daily ingestion quota, and some data sources are being dropped. You need to ensure that security-related logs are prioritized and that non-critical logs are not ingested. What should you configure?

A. Create analytic rules with entity mapping to prioritize alerts
B. Use data collection rules (DCRs) to filter log ingestion
C. Set a daily cap on the Log Analytics workspace
D. Configure diagnostic settings to exclude certain logs
Answer: B

DCRs allow granular filtering and transformation before ingestion.

Why this answer

Data collection rules (DCRs) allow you to define transformations that filter logs before they are ingested into a Log Analytics workspace. By configuring a DCR with a KQL-based transformation, you can drop non-critical logs while ensuring security-related logs are always ingested, preventing them from being dropped when the daily quota is approached.

Exam trap

The trap here is that candidates often confuse data collection rules (which filter at ingestion) with diagnostic settings (which control log routing) or daily caps (which stop all ingestion), failing to recognize that DCRs provide the granular control needed to prioritize specific log types.

How to eliminate wrong answers

Option A is wrong because analytic rules with entity mapping are used to generate alerts and correlate events, not to control which logs are ingested or to prioritize ingestion. Option C is wrong because setting a daily cap on the Log Analytics workspace stops all ingestion when the cap is reached, including security logs, which does not prioritize critical data. Option D is wrong because diagnostic settings control which logs are sent from Azure resources to destinations like Log Analytics, but they do not provide granular filtering or prioritization within a single workspace; they either include or exclude entire log categories.

104
MCQeasy

Your organization uses Microsoft Defender for Office 365. You detect a phishing email that was delivered to a user's inbox. You want to remove the email from all recipients. What should you do?

A.Submit the email to Microsoft for analysis.
B.Create a mail flow rule to delete similar emails in the future.
C.Block the sender using the Tenant Allow/Block List.
D.Use Threat Explorer to find the email and take action to delete it.
AnswerD

Threat Explorer allows bulk removal of emails.

Why this answer

Option D is correct because Threat Explorer in Defender for Office 365 allows you to take action on emails, such as deleting them. Option B is wrong because creating a mail flow rule is reactive and does not remove the email immediately. Option A is wrong because submitting to Microsoft is for analysis.

Option C is wrong because blocking the sender does not remove already delivered emails.

105
Multi-Selectmedium

Which TWO data sources are most relevant for threat hunting for lateral movement using remote service creation (e.g., WMI, PsExec)?

Select 2 answers
A.DeviceRegistryEvents
B.DeviceEvents
C.DeviceNetworkEvents
D.DeviceFileEvents
E.DeviceProcessEvents
AnswersC, E

Captures network connections to remote admin shares (e.g., port 445) or high ports.

Why this answer

Correct options: C and E. DeviceProcessEvents captures process creation on remote machines (e.g., services.exe, cmd.exe). DeviceNetworkEvents captures outbound connections to high ports on remote machines.

Option D (DeviceFileEvents) captures file writes, not execution. Option A (DeviceRegistryEvents) captures registry changes. Option B (DeviceEvents) captures various events but is less specific for remote service creation.

106
MCQmedium

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to find devices that have a specific file hash associated with a known malware variant. The analyst wants to include devices that have the file in any location, including quarantined items. Which table and column should be used?

A.DeviceImageLoadEvents, SHA256
B.DeviceFileEvents, SHA256
C.DeviceNetworkEvents, RemoteIP
D.DeviceProcessEvents, ProcessCommandLine
AnswerB

DeviceFileEvents tracks file creation, modification, and deletion, including quarantined items, with SHA256 hash.

Why this answer

Option B is correct because DeviceFileEvents includes quarantined items. Option D is wrong because DeviceProcessEvents does not include file information. Option C is wrong because DeviceNetworkEvents is for network connections.

Option A is wrong because DeviceImageLoadEvents is for loaded DLLs, not file discovery.

107
Multi-Selectmedium

A SOC team in Microsoft Sentinel wants to automatically assign high-severity incidents to the 'SOC Tier 2' group and automatically close low-severity incidents that have not been updated in 7 days. Which two configuration elements are required in a single automation rule?

Select 2 answers
A.One condition for 'Severity equals High' with action 'Assign to SOC Tier 2' and add another condition for 'Severity equals Low' AND 'Last update time older than 7 days' with action 'Close incident'.
B.Create one rule for high severity assignments and another rule for low severity closure; you cannot combine different actions in one rule.
C.Use a condition 'Severity is one of High, Low' and then use a playbook that checks the severity and applies the appropriate action.
D.Set the automation rule to trigger on incident creation and then use a custom action to assign owner, but closure cannot be automated in an automation rule.
AnswersA, C

This correctly uses two conditions in a single rule to handle both scenarios. However, note that conditions are evaluated with OR logic; each condition triggers its own actions.

Why this answer

Option A is correct because a single Microsoft Sentinel automation rule can include multiple conditions using AND/OR logic, and each condition can trigger a different action (e.g., assign or close). This allows the SOC team to handle both high-severity assignment and low-severity auto-closure within one rule, meeting the requirement efficiently.

Exam trap

The trap here is that candidates may think automation rules can only have one condition or action per rule, but Microsoft Sentinel allows multiple conditions (with AND/OR) and multiple actions in a single rule, enabling complex workflows without playbooks.

108
MCQhard

Your organization uses Microsoft Defender for Identity and Microsoft Defender XDR. You receive an alert about a suspicious LDAP query originating from a domain controller. The alert indicates potential use of the DCSync attack technique. What is the most effective immediate action to contain the attack?

A.Block all LDAP traffic at the firewall.
B.Restart the domain controller to clear any malicious processes.
C.Disable the account that initiated the suspicious replication request.
D.Reset the krbtgt account password twice.
AnswerC

Disabling the account stops the attack by removing the ability to replicate.

Why this answer

The DCSync attack uses replication requests to extract credentials. Disabling the compromised account (and with it its replication permission) stops the attack. Option B is incorrect because restarting the domain controller does not stop the attack if the account still has permissions.

Option D is incorrect because resetting the krbtgt password is a long-term remediation. Option A is incorrect because blocking LDAP may disrupt legitimate operations.

109
MCQhard

You are reviewing an analytics rule in Microsoft Sentinel. The rule is supposed to alert when a Confidential sensitivity label file is accessed. However, no alerts have been generated despite known accesses. What is the most likely reason?

A.The suppression duration is set to 5 hours, which suppresses alerts.
B.The required data connector for Microsoft Purview Information Protection is not connected.
C.The query frequency and period are too short to capture the events.
D.The trigger condition is set to 'GreaterThan' 0, which should fire on any event.
AnswerB

The SensitivityLabelEvent table requires the Microsoft Purview Information Protection connector to be enabled in Sentinel.

Why this answer

Microsoft Sentinel relies on data connectors to ingest logs from external sources. For alerts based on sensitivity labels (e.g., Confidential), the required data source is Microsoft Purview Information Protection (formerly Azure Information Protection). If this connector is not connected, Sentinel has no way to receive the label-related events, so no alerts can be generated regardless of the rule logic.

Exam trap

Microsoft often tests the misconception that a rule's logic or scheduling is the root cause, when in fact the underlying data source is missing or misconfigured — candidates overlook the prerequisite of having the correct data connector enabled.

How to eliminate wrong answers

Option A is wrong because suppression duration only temporarily hides alerts after a match is triggered; it does not prevent the rule from firing in the first place. Option C is wrong because query frequency and period affect how often the rule runs and how far back it looks, but if the events are never ingested, no query will find them. Option D is wrong because 'GreaterThan' 0 is a correct trigger condition that would fire on any positive match; the issue is that no matches exist due to missing data.

110
MCQeasy

Your team uses Microsoft Sentinel workbooks to visualize security data. You want to allow team members to customize a workbook without affecting the original. What should you do?

A.Edit the original workbook to add personalization
B.Assign the team the Microsoft Sentinel Reader role
C.Create a copy of the workbook and save it as a custom workbook
D.Share the workbook directly with the team
AnswerC

Each user can then modify their copy.

Why this answer

Option C is correct because creating a copy of the workbook and saving it as a custom workbook allows team members to modify their own version without altering the original. In Microsoft Sentinel, workbooks are based on Azure Monitor Workbooks, and saving a copy creates an independent resource with its own settings and queries. This preserves the original workbook for reference or reuse while enabling customization.

Exam trap

The trap here is that candidates may confuse the Microsoft Sentinel Reader role with the ability to customize workbooks, not realizing that Reader only allows viewing, not editing or saving copies, which requires at least Contributor permissions on the workbook resource.

How to eliminate wrong answers

Option A is wrong because editing the original workbook directly would modify the shared resource, affecting all users who access it, which contradicts the requirement to avoid impacting the original. Option B is wrong because the Microsoft Sentinel Reader role grants read-only access to Sentinel resources, including workbooks, but does not allow any customization or saving of copies. Option D is wrong because sharing the workbook directly with the team provides only read access by default; users cannot customize or save changes unless they have contributor permissions on the workbook resource, which still modifies the original.

111
MCQeasy

A threat hunter wants to use Microsoft Sentinel to hunt for signs of brute-force attacks against Azure AD (now Microsoft Entra ID). Which data connector should be enabled to ingest sign-in logs?

A.Windows Security Events via AMA
B.DNS (Preview)
C.Microsoft Entra ID Audit Logs
D.Microsoft Entra ID
AnswerD

Microsoft Entra ID connector ingests sign-in logs and audit logs.

Why this answer

Option D is correct because the Microsoft Entra ID connector (formerly Azure AD) provides sign-in logs. Option C is wrong because it provides audit logs, not sign-ins. Option A is for Windows security events, not cloud sign-ins.

Option B is for DNS queries.

112
MCQhard

During a ransomware incident, the security team needs to prevent encryption while preserving forensic data. Which action best achieves this balance?

A.Shut down all affected servers immediately.
B.Run a full antivirus scan on all endpoints.
C.Enable network micro-segmentation to isolate affected systems from file servers and take memory snapshots.
D.Disconnect the network but leave systems running.
AnswerC

Isolation prevents lateral movement and encryption; memory snapshots preserve forensic data.

Why this answer

Option C is correct because it prevents encryption and contains the threat without destroying data. Option A is wrong because it destroys data. Option B is wrong because it allows encryption to continue.

Option D is wrong because it only notifies.

113
Multi-Selectmedium

Which TWO actions are valid methods to ingest non-Microsoft security logs into Microsoft Sentinel?

Select 2 answers
A.Use Azure Policy to automatically enable diagnostics settings.
B.Configure Syslog forwarding to the Sentinel workspace.
C.Configure the Microsoft 365 Defender data connector.
D.Use Microsoft Intune to push a custom log collector.
E.Deploy the Log Analytics agent on the source device.
AnswersB, E

Syslog is a common protocol for forwarding logs from network devices.

Why this answer

Option B is correct because Syslog is a standard protocol for logging from network devices and other non-Microsoft sources. By configuring Syslog forwarding to a Log Analytics agent (or the new Azure Monitor Agent) running on a Linux machine, logs can be collected and ingested into the Microsoft Sentinel workspace. Option E is correct because the Log Analytics agent (or its successor, the Azure Monitor Agent) can be installed directly on a non-Microsoft device to collect custom logs, performance data, and event logs, which are then sent to the Sentinel workspace.

Exam trap

The trap here is that candidates often confuse Azure Policy (which only applies to Azure resources) with a general-purpose log collection tool, or they mistakenly think Microsoft 365 Defender connectors can ingest non-Microsoft logs.

114
MCQmedium

An organization uses Microsoft 365 Defender. A security analyst wants to identify all devices that have been accessed from a compromised device via RDP in the past 24 hours. Which advanced hunting table should the analyst query?

A.DeviceEvents
B.DeviceNetworkEvents
C.DeviceLogonEvents
D.DeviceProcessEvents
AnswerC

DeviceLogonEvents contains logon events such as Remote Desktop logons (LogonType = 10), allowing identification of devices accessed via RDP.

Why this answer

DeviceLogonEvents is the correct table because it records authentication events, including remote interactive logons such as RDP (LogonType 10). By filtering for logon type 10 and the compromised device's IP address, the analyst can identify all devices that accepted an RDP connection from that source within the past 24 hours.

Exam trap

The trap here is that candidates often choose DeviceNetworkEvents thinking network connections alone can identify RDP access, but they fail to realize that only DeviceLogonEvents provides the logon type and authentication context necessary to confirm a successful RDP session.

How to eliminate wrong answers

Option A is wrong because DeviceEvents tracks security-related events like antivirus detections and file modifications, not authentication or network connection details. Option B is wrong because DeviceNetworkEvents captures network-level connections (e.g., TCP/UDP flows) but does not include logon type or user authentication context required to confirm RDP access. Option D is wrong because DeviceProcessEvents logs process creation and termination events, which do not directly record RDP logon sessions or authentication outcomes.

115
MCQhard

Refer to the exhibit. A security analyst creates a scheduled analytics rule in Microsoft Sentinel based on the JSON shown. After enabling the rule, the analyst notices that the rule generates alerts every hour for the same user accounts even after the incidents are resolved. What is the most likely cause?

A.The severity is set to High, causing multiple alerts
B.The query period is too short, causing the rule to refetch old data
C.Suppression is disabled, so the rule fires every hour with overlapping results
D.The trigger threshold is too low, causing the rule to fire too often
AnswerC

Without suppression, the rule re-alerts on the same entities every hour.

Why this answer

Option C is correct because suppression is disabled, so the rule fires every hour regardless of previous alerts. Option B is wrong because the query period is 1 day, which is appropriate. Option A is wrong because severity is High, which does not cause duplicates.

Option D is wrong because the trigger threshold is 10, which controls when an alert fires, not duplicate suppression.

116
MCQmedium

Your organization uses Microsoft Sentinel. A security incident is generated by a scheduled analytics rule. You need to automatically assign the incident to the SOC team and set its severity. What should you create?

A.An analytics rule
B.An automation rule
C.A workbook
D.A playbook
AnswerB

Assigns owner and severity.

Why this answer

Option B is correct because automation rules in Sentinel can perform actions like assigning an owner and changing severity. Option D is wrong because playbooks are for complex tasks, whereas automation rules are simpler. Option C is wrong because workbooks are for visualization.

Option A is wrong because analytics rules generate incidents, not handle them.

117
MCQhard

You are threat hunting in Microsoft Sentinel and have enabled UEBA. You want to detect a possible privilege escalation where a user creates a new user account and adds it to a privileged role within minutes. Which UEBA anomaly type should you investigate?

A.Unusual file access
B.Impossible travel
C.Mass role assignment changes
D.Anomalous sign-in
AnswerC

This anomaly detects bulk or rapid role changes, indicative of privilege escalation.

Why this answer

UEBA detects 'Mass role assignment changes' as an anomaly that could indicate privilege escalation. Option B (Impossible travel) is for geographic anomalies. Option A (Unusual file access) is for data exfiltration.

Option D (Anomalous sign-in) focuses on authentication.

118
Multi-Selecteasy

You are a security analyst at a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects failed logon attempts from multiple IP addresses within 5 minutes. Which two KQL operators should you use?

Select 2 answers
A.where
B.project
C.bin
D.join
E.summarize
AnswersC, E

Correct: bin creates time windows.

Why this answer

Option E is correct because summarize with count and dcount aggregates the events. Option C is correct because the bin function is used for time windows. Option A is incorrect because where filters rows.

Option B is incorrect because project selects columns. Option D is incorrect because join combines tables.

119
MCQhard

A security analyst receives a high-severity incident in Microsoft Sentinel for a user who is suspected of lateral movement. The analyst wants to automatically run a playbook that isolates the user's machine and disables their account when such an incident is created. What is the most efficient way to achieve this?

A.Configure a Logic Apps trigger to poll for new incidents every minute
B.Train analysts to manually run the playbook when they see the incident
C.Create an analytics rule that runs a playbook as part of its alert generation
D.Create an automation rule that triggers the playbook when the incident is created
AnswerD

Automation rules are designed to run playbooks automatically based on incident creation or update.

Why this answer

Option D is correct because it uses an automation rule to trigger the playbook on incident creation, which is the recommended approach. Options A and C add unnecessary latency. Option B is manual and not automated.

120
MCQmedium

Refer to the exhibit. A SOC analyst runs the KQL query in Microsoft Sentinel to identify the top 10 alert names by count. They notice the results include alerts with low severity that are not relevant. What should they add to the query to focus on high-severity alerts only?

A.Add 'order by Severity' to the query.
B.Add 'where Severity == "High"' after the summarize clause.
C.Change the time range to last 24 hours.
D.Add 'where Severity == "High"' before the summarize clause.
AnswerD

Filters before aggregation.

Why this answer

Adding a filter on the Severity column with 'where Severity == "High"' will restrict results to high-severity alerts. Option B is wrong because filtering after summarize would not reduce the data processed. Option C is wrong because changing the time range doesn't filter severity.

Option A is wrong because sorting differently doesn't filter.

121
MCQhard

Your organization uses Microsoft Sentinel and has enabled the Microsoft 365 Defender connector. You want to automatically assign incidents to a specific analyst team based on the incident severity and type. Which component should you configure?

A.Analytics rule in Microsoft Sentinel
B.Workbook in Microsoft Sentinel
C.Automation rule in Microsoft Sentinel
D.Custom playbook in Microsoft Sentinel
AnswerC

Automation rules can set owner and assign incidents.

Why this answer

The correct answer is C because automation rules in Sentinel can set the owner and assign incidents to a team based on conditions. Option D is wrong because playbooks are for complex automation, but assignment can be done with automation rules. Option A is wrong because analytics rules define alert conditions, not incident assignment.

Option B is wrong because workbooks are for reporting.

122
Multi-Selectmedium

Which TWO of the following are valid techniques for threat hunting using Microsoft Sentinel? (Select TWO.)

Select 2 answers
A.Creating watchlists to correlate data from external sources.
B.Deploying playbooks to automatically remediate threats.
C.Using Jupyter notebooks with MSTICpy for advanced analytics.
D.Using the Log Analytics Integrated Viewer (LIVB) to visually explore data.
E.Configuring automation rules to trigger on incident creation.
AnswersC, D

Jupyter notebooks integrated with Sentinel allow custom hunting using Python libraries.

Why this answer

Options C and D are correct. C: Jupyter notebooks allow custom analysis. D: LIVB provides interactive investigation.

E: Automation rules are for response, not hunting. A: Watchlists can be used but are not a hunting technique per se. B: Playbooks are for automated response.

123
Matchingmedium

Match each Microsoft Defender for Cloud security alert to its description.


Concepts
Matches

Anomalous process run on a VM

Multiple failed login attempts from an IP

Antimalware scan found a threat

Download of a suspicious file from an external source

Unusual outbound data transfer detected

Why these pairings

These are examples of security alerts from Microsoft Defender for Cloud.

124
MCQmedium

A SOC team uses Microsoft Sentinel and ingests Windows Security Events from domain controllers using the Azure Monitor Agent (AMA). They want to create a scheduled analytics rule that generates an incident when a user account is created in a sensitive Active Directory group (e.g., Domain Admins) outside of approved change windows (e.g., after 9 PM). The required event IDs are 4728 (member added to security-enabled global group) and 4732 (member added to security-enabled local group). Which KQL query should the analyst use to filter for these specific events and the targeted group?

A.SecurityEvent | where EventID in (4728, 4732) | where TargetAccount contains 'Domain Admins'
B.SecurityEvent | where EventID == 4624 | where Account contains 'Admin'
C.SecurityEvent | where EventID == 4738 | where TargetAccount contains 'Domain Admins'
D.SecurityEvent | where EventID == 4670 | where ObjectName contains 'Domain Admins'
AnswerA

EventIDs 4728 and 4732 log member additions to security groups. Filtering by TargetAccount containing the group name isolates the desired group.

Why this answer

Option A is correct because it uses the `SecurityEvent` table with the `EventID` filter for 4728 and 4732, which are the exact event IDs for member additions to security-enabled global and local groups. The `TargetAccount` field contains the name of the group being modified, so filtering for 'Domain Admins' correctly identifies when a user is added to that sensitive group. This query directly matches the requirement to detect account creation in a sensitive AD group outside approved change windows.

Exam trap

The trap here is that candidates often confuse EventID 4738 (user account changed) or 4624 (logon) with group membership events, or they incorrectly assume the TargetAccount field contains the user account being added rather than the group name.

How to eliminate wrong answers

Option B is wrong because EventID 4624 corresponds to a successful logon event, not a group membership change, and filtering for 'Admin' in the Account field is too broad and unrelated to the target group. Option C is wrong because EventID 4738 is for a user account being changed (e.g., password reset or attribute modification), not for adding a member to a group. Option D is wrong because EventID 4670 is for permissions on an object being changed (e.g., ACL modification), not for group membership additions, and the ObjectName field does not reliably capture the group name in this context.

125
MCQhard

Your organization is implementing Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. The SOC team needs to investigate incidents across all tenants from a single interface. Which configuration is required?

A.Use Azure AD B2B to grant users from other tenants access to the workspace.
B.Create a single workspace and have all tenants send logs to it.
C.Assign custom roles in each tenant's Sentinel workspace.
D.Onboard multiple workspaces to Azure Lighthouse and use a central workspace for investigation.
AnswerD

Azure Lighthouse delegates resources across tenants, enabling centralized management in Sentinel.

Why this answer

Option D is correct because Azure Lighthouse enables cross-tenant management by allowing the SOC team to delegate access to multiple Sentinel workspaces from a single control plane. This configuration lets investigators view and manage incidents across all tenants without needing separate sign-ins or duplicating data, which is essential for a multi-tenant SOC environment.

Exam trap

The trap here is that candidates often confuse Azure AD B2B (external user access) with Azure Lighthouse (delegated resource management), assuming that granting external identities access to a single workspace is sufficient for multi-tenant incident investigation, when in fact Lighthouse is required to project multiple workspaces into a single management plane.

How to eliminate wrong answers

Option A is wrong because Azure AD B2B provides external user access to a single tenant's resources but does not aggregate incidents from multiple tenants into one interface; each tenant would still require separate workspace access. Option B is wrong because sending logs from all tenants to a single workspace violates data residency and isolation requirements, and Microsoft Sentinel does not support ingesting logs from external tenants into a workspace without proper delegation. Option C is wrong because assigning custom roles in each tenant's Sentinel workspace still requires the SOC team to switch between tenants to investigate incidents, failing to provide a unified investigation interface.

126
MCQhard

During a security incident, you need to collect forensic evidence from a compromised Linux server running in Azure. The server is not domain-joined and has the Azure Monitor Agent installed. You need to capture volatile data such as running processes and network connections. What is the most efficient method?

A.Use Event Viewer to export logs
B.Use Microsoft Defender for Endpoint live response to run commands
C.Use a custom script via Azure Custom Script Extension to collect data and send to Log Analytics
D.Take a snapshot of the OS disk for later analysis
AnswerC

Custom script can execute commands to capture volatile data and forward it to the workspace for analysis.

Why this answer

Option C is correct because the Azure Monitor Agent can collect syslog and custom logs, but to capture volatile data like processes and connections, you need to run a script or use a tool like PowerShell or bash. Using an Azure Automation Runbook or a Custom Script Extension can execute commands and forward the output to Log Analytics. Option D is wrong because Azure Disk Snapshots capture disk state, not memory or processes.

Option A is wrong because Event Viewer is Windows-only. Option B is wrong because Microsoft Defender for Endpoint may not be installed and its live response may not be available.

127
MCQhard

You have a Microsoft Sentinel workspace that uses Customer-Managed Keys (CMK). A security audit requires that all data at rest be encrypted with the CMK. You recently onboarded a new data connector that sends logs to a Log Analytics workspace in a different region. You need to ensure the new workspace uses CMK. What should you do?

A.Associate the new Log Analytics workspace with an Azure Key Vault containing the CMK before ingesting data.
B.Update the data connector settings to enable CMK at the source.
C.Use Azure Policy to enforce CMK on the new workspace.
D.Configure CMK on the new workspace's tables individually.
AnswerA

CMK association must be done before data ingestion.

Why this answer

Option A is correct because CMK must be configured at the Log Analytics workspace level before ingestion. Option D is wrong because CMK is per workspace, not per table. Option B is wrong because the connector itself doesn't handle encryption.

Option C is wrong because CMK is set at workspace creation or later via Azure Policy.

128
Multi-Selecthard

Which TWO actions can you perform in Microsoft Defender XDR's automated investigation and response (AIR) to contain a threat? (Select TWO.)

Select 2 answers
A.Isolate a device from the network.
B.Add a firewall rule to block an IP.
C.Disable a user account.
D.Reset a user's password.
E.Soft-delete an email message.
AnswersA, E

Isolation is a standard AIR action.

Why this answer

Option A is correct because AIR can isolate devices. Option E is correct because AIR can soft-delete an email message. Option C is wrong because disabling a user account is not an AIR action; it's manual.

Option D is wrong because resetting a password is not part of AIR. Option B is wrong because adding a firewall rule is not an AIR capability.

129
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Copilot for Security. You want to improve incident response efficiency. Which THREE features should you implement? (Choose three.)

Select 3 answers
A.Enable Microsoft Copilot for Security to assist with incident investigations.
B.Use watchlists to track known malicious IP addresses.
C.Configure workbooks to display real-time incident trends.
D.Develop playbooks to automate response actions for common threats.
E.Create automation rules to automatically assign and triage incidents based on severity.
AnswersA, D, E

Copilot can generate incident summaries and recommended actions.

Why this answer

Option A is correct because Microsoft Copilot for Security integrates directly with Microsoft Sentinel to provide AI-driven natural language assistance for incident investigations, enabling analysts to query data, summarize incidents, and generate KQL queries without manual scripting. This directly improves incident response efficiency by reducing investigation time and cognitive load.

Exam trap

The trap here is that candidates confuse passive features (watchlists, workbooks) with active response features (Copilot, automation rules, playbooks), leading them to select options that provide visibility rather than efficiency improvements in incident handling.

130
MCQhard

A global enterprise uses Microsoft 365 Defender across multiple tenants. During an incident, a security analyst needs to search for a specific file hash indicator of compromise (IOC) across all mailboxes and endpoints in all tenants from a single interface. Which feature allows the analyst to run a query across multiple tenants without switching contexts?

A.Cross-tenant advanced hunting
B.Multi-tenant management
C.Unified audit log
D.Microsoft Graph Security API
AnswerA

This feature allows running advanced hunting queries across multiple tenants in one query, enabling IOC searches across all environments.

Why this answer

Cross-tenant advanced hunting in Microsoft 365 Defender allows a security analyst to run Kusto Query Language (KQL) queries across multiple tenants from a single interface. This feature is specifically designed for hunting for indicators of compromise (IOCs), such as file hashes, across all mailboxes and endpoints in a multi-tenant environment without requiring the analyst to switch between tenant portals.

Exam trap

The trap here is that candidates often confuse multi-tenant management (a centralized policy and settings tool) with cross-tenant advanced hunting (a query tool), assuming that any 'multi-tenant' feature can run cross-tenant queries, but only cross-tenant advanced hunting supports interactive KQL hunting across tenants.

How to eliminate wrong answers

Option B is wrong because multi-tenant management provides a centralized view for managing settings and policies across tenants, but it does not support running ad-hoc hunting queries for IOCs like file hashes across mailboxes and endpoints. Option C is wrong because the unified audit log aggregates audit records from multiple Microsoft 365 services but is limited to audit events and does not support endpoint data or advanced hunting queries for file hashes. Option D is wrong because the Microsoft Graph Security API enables programmatic access to security alerts and incidents but is not a single interface for running interactive hunting queries across multiple tenants; it requires custom development and does not provide the built-in query experience of advanced hunting.

131
MCQmedium

A security analyst is investigating an incident in Microsoft 365 Defender that involves a user who clicked a phishing link. The analyst wants to find all processes executed on the user's device immediately after the email was opened. Which advanced hunting table should the analyst query to obtain process creation events with timestamps relative to the email event?

A.DeviceProcessEvents
B.EmailEvents
C.DeviceNetworkEvents
D.IdentityLogonEvents
AnswerA

This table stores process creation events on endpoints, suitable for identifying processes executed after a phishing click.

Why this answer

DeviceProcessEvents is the correct table because it stores process creation events (including image name, command line, and timestamp) for all devices onboarded to Microsoft Defender for Endpoint. By querying this table with a time range starting immediately after the email event (identified from EmailEvents), the analyst can correlate the phishing click with subsequent process executions on the user's device.

Exam trap

The trap here is that candidates confuse the table that stores the email event (EmailEvents) with the table that stores the resulting process activity (DeviceProcessEvents), forgetting that process creation data is only in the endpoint-specific table.

How to eliminate wrong answers

Option B (EmailEvents) is wrong because it contains email delivery and post-delivery events (sender, recipient, subject, delivery action, NetworkMessageId) but no process data; it supplies the email's timestamp for the correlation, not the processes that followed. Option C (DeviceNetworkEvents) is wrong because it records network connections (source/destination IP, port, protocol) rather than process creation. Option D (IdentityLogonEvents) is wrong because it tracks authentication and logon activity from on-premises Active Directory (via Defender for Identity) and Microsoft Entra ID (formerly Azure AD), not process execution on endpoints.
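The correlation described above, written out as an added Defender XDR advanced hunting query (this is an added example, not part of the original question set). It assumes Safe Links is enabled so that clicks are recorded in UrlClickEvents, and that the device user signs in with the same UPN as the mailbox (AccountUpn exists on both tables). The 30-minute follow-up window is an arbitrary choice.

```kusto
// Added example, not from the original page. Lists processes started on the
// recipient's device in the 30 minutes after a Safe Links-flagged URL was clicked.
let lookback = 7d;
let after_click = 30m;                                   // arbitrary follow-up window
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ClickAllowed" or IsClickedThrough == true   // user actually reached the URL
    | where isnotempty(ThreatTypes)                      // Safe Links had a verdict (e.g. Phish) for it
    | project ClickTime = Timestamp, AccountUpn = tolower(AccountUpn), Url, ThreatTypes, NetworkMessageId;
clicks
| join kind=inner (
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project ProcessTime = Timestamp, AccountUpn = tolower(AccountUpn), DeviceName,
              InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256
  ) on AccountUpn
// keep only processes created inside the window that starts at the click
| where ProcessTime between (ClickTime .. (ClickTime + after_click))
| project ClickTime, AccountUpn, Url, ThreatTypes, ProcessTime, DeviceName,
          InitiatingProcessFileName, FileName, ProcessCommandLine, SHA256
| order by AccountUpn asc, ProcessTime asc
```

If the investigation has to start from the email's delivery time rather than the click (as the question words it), join the click rows to EmailEvents on NetworkMessageId and use that table's Timestamp as the start of the window instead of ClickTime.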

132
MCQeasy

Your organization has multiple Azure subscriptions and wants to ensure that all of them have Microsoft Defender for Cloud's enhanced security features enabled. What is the minimal step required to achieve this for all subscriptions?

A.Assign an Azure Policy initiative to enable Defender for Cloud on each subscription
B.Enable the required Defender for Cloud plans at the management group level
C.Install the Log Analytics agent on all virtual machines in each subscription
D.Create a security contact email for each subscription
AnswerB

This propagates the enabled plans to all subscriptions under the management group, making it the simplest and minimal step.

Why this answer

Enabling Microsoft Defender for Cloud plans at the management group level is the minimal step because it applies the configuration to all child subscriptions under that management group in a single action. This leverages Azure's hierarchical management structure, ensuring every subscription inherits the enhanced security features without needing individual subscription-level configuration.

Exam trap

The trap here is that candidates often confuse enabling Defender for Cloud plans with deploying agents or configuring policies, but the minimal step is simply toggling the plans at the management group scope, which applies to all child subscriptions automatically.

How to eliminate wrong answers

Option A is wrong because assigning an Azure Policy initiative to enable Defender for Cloud is not minimal; it requires creating and assigning a policy, which is more complex than directly enabling plans at the management group level. Option C is wrong because installing the Log Analytics agent on virtual machines is not required to enable Defender for Cloud's enhanced security features; the agent is needed for specific features like file integrity monitoring but not for enabling the plans themselves. Option D is wrong because creating a security contact email for each subscription is a separate compliance requirement for incident notification, not a step to enable enhanced security features.

133
MCQmedium

A SOC analyst wants to create a Microsoft Sentinel scheduled analytics rule that alerts when a user from a critical department (e.g., Finance) logs on from an IP address that is not in the company's approved IP address ranges. The analyst has an Azure Sentinel watchlist named 'FinanceApprovedIPs' containing the allowed IP ranges. Which KQL operator should be used in the rule's query to efficiently check if the IP address from SigninLogs falls within any of the watchlist ranges?

A.join kind=inner (watchlist) on $left.IPAddress $right.IPRange with condition using ipv4_is_in_range() or ipv4_lookup()
B.where IPAddress has any (watchlist)
C.where IPAddress in (watchlist)
D.where IPAddress startswith (watchlist)
AnswerA

This pattern joins the sign-in data with the watchlist and uses IP range comparison functions to check if the IP falls within any allowed range.

Why this answer

Option A is correct because matching an address against CIDR ranges needs subnet-aware logic, and KQL provides two ways to get it: the `ipv4_lookup` plugin (`T | evaluate ipv4_lookup(LookupTable, SourceIPv4Key, IPv4LookupKey)`), which matches every address in the input against a table of CIDR prefixes in one pass, or the scalar `ipv4_is_in_range(ip, cidr)` applied after joining the sign-ins with the watchlist rows. In Microsoft Sentinel the watchlist is read with `_GetWatchlist('FinanceApprovedIPs')`, which returns it as a table that either function can consume. A plain equality join on `IPAddress == IPRange` would only match literal strings, so the join is merely the vehicle; the IP functions do the range matching against the `IPRange` column of the `FinanceApprovedIPs` watchlist.

Exam trap

The trap here is that candidates often confuse string-based operators like `has`, `in`, or `startswith` with IP-specific functions, failing to recognize that IP range matching requires subnet-aware logic (CIDR) rather than simple text comparison.

How to eliminate wrong answers

Option B is wrong because `has` matches whole terms (the string is split into tokens on non-alphanumeric characters) and its sibling `contains` matches substrings; neither understands CIDR notation, so a watchlist entry such as '10.0.0.0/24' is just text to them and never covers '10.0.0.15'. Option C is wrong because the `in` operator performs exact string matching; it would only fire if the sign-in address literally equalled a watchlist entry, which a CIDR range never does. Option D is wrong because `startswith` is a text prefix check: '10.0.0.0/24' as the prefix matches nothing, and a truncated prefix such as '10.0.0.' cannot express a /22 or /20 and still matches every host in the string range, producing false matches rather than subnet membership.
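The rule query described above, as an added example that is not part of the original question set. It assumes the `FinanceApprovedIPs` watchlist has a column named `IPRange` holding CIDR prefixes (for example 203.0.113.0/24) and, because SigninLogs carries no department attribute, that the Finance users are listed in a second, hypothetical watchlist named `FinanceUsers` with a `UPN` column.

```kusto
// Added example, not from the original page. 'FinanceUsers' is a hypothetical
// second watchlist used to scope the rule to the critical department.
let approved_ranges =
    _GetWatchlist('FinanceApprovedIPs')
    | project IPRange = tostring(IPRange);            // CIDR strings, e.g. 203.0.113.0/24
let finance_users =
    _GetWatchlist('FinanceUsers')
    | project UPN = tolower(tostring(UPN));
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType == "0"                             // successful sign-ins only
| extend UPN = tolower(UserPrincipalName)
| join kind=inner finance_users on UPN                // keep only Finance accounts
| project TimeGenerated, UPN, IPAddress, AppDisplayName, Location
// One pass over the CIDR table; unmatched rows are kept with an empty IPRange.
| evaluate ipv4_lookup(approved_ranges, IPAddress, IPRange, return_unmatched=true)
| where isempty(IPRange)                              // no approved range covered this address
| project-away IPRange
| summarize SignIns = count(), Apps = make_set(AppDisplayName, 20),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by UPN, IPAddress, Location
```

The same result can be produced with a cross join against the watchlist followed by `where ipv4_is_in_range(IPAddress, IPRange)` and an anti-join back to the sign-ins, but `ipv4_lookup` with `return_unmatched=true` expresses "not in any range" in a single step and avoids multiplying the sign-in rows by the number of ranges.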

134
MCQhard

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You are hunting for signs of a possible Kerberos Golden Ticket attack. Which advanced hunting table should you query to detect anomalous Kerberos ticket-granting ticket (TGT) requests?

A.IdentityLogonEvents
B.DeviceEvents
C.IdentityDirectoryEvents
D.CloudAppEvents
AnswerC

IdentityDirectoryEvents include domain controller events such as Kerberos ticket requests and can help detect Golden Ticket attacks.

Why this answer

IdentityDirectoryEvents is populated by the Microsoft Defender for Identity sensor on domain controllers and records the directory and authentication activity observed there, which is where anomalous TGT requests surface. Option A (IdentityLogonEvents) records successful and failed logon attempts per user and protocol, not the ticket-issuance activity on the domain controller. Option B (DeviceEvents) holds miscellaneous endpoint telemetry from Defender for Endpoint (process creations are in DeviceProcessEvents) and has no view of the KDC. Option D (CloudAppEvents) covers cloud application activity from Defender for Cloud Apps.

In practice, check Defender for Identity's built-in 'Suspected Golden Ticket usage' alerts (encryption downgrade, nonexistent account, ticket anomaly, time anomaly variants) first; the hunting query is for the cases those detections do not cover.

135
MCQmedium

Your organization uses Microsoft Sentinel with multiple workspaces for different business units. You need to provide a single-pane-of-glass view for incident management across all workspaces. You have deployed Azure Lighthouse to manage multiple workspaces from a single portal. The SOC team is able to see incidents from all workspaces, but when they try to investigate an incident by clicking on it, they receive a 'Resource not found' error. The team has the necessary permissions on the Sentinel resources. What is the most likely cause of this error?

A.The workspace is in a different Azure region.
B.The user does not have the 'Microsoft Sentinel Contributor' role on the subscription containing the workspace.
C.Cross-workspace queries are not enabled in Sentinel.
D.The incidents are generated by analytics rules that are not deployed in the user's workspace.
AnswerB

Lighthouse requires subscription-level role assignments for full access.

Why this answer

The 'Resource not found' error when clicking an incident in a cross-workspace view typically occurs because the user lacks the 'Microsoft Sentinel Contributor' role at the subscription level that contains the workspace. While Azure Lighthouse enables cross-workspace visibility, each workspace's Sentinel resources require the user to have the Contributor role on the subscription (or at least the resource group) to access incident details, not just the workspace itself. Without this role, the portal cannot resolve the resource path for the incident.

Exam trap

The trap here is that candidates assume Azure Lighthouse alone grants full access to all resources, but they overlook that Sentinel-specific RBAC roles must be assigned at the subscription scope, not just the workspace, for incident detail retrieval.

How to eliminate wrong answers

Option A is wrong because Azure regions do not affect resource access permissions; cross-region workspace views are fully supported with Azure Lighthouse. Option C is wrong because cross-workspace queries are a feature for running KQL queries across workspaces, not a prerequisite for viewing incident details from a Lighthouse-managed view. Option D is wrong because the incident's source analytics rule does not need to be deployed in the user's workspace; the incident exists in the workspace where it was created, and the error is about resource access, not rule deployment.

136
Multi-Selecteasy

Which TWO actions can you perform in the Microsoft Defender XDR unified alert queue? (Select TWO.)

Select 2 answers
A.Link the alert to an existing incident
B.Assign an alert to a SOC analyst
C.Create a hunting query from the alert details
D.Edit the analytics rule that generated the alert
E.Run a playbook to automatically remediate the alert
AnswersA, B

You can link alerts to incidents from the queue.

Why this answer

Options A and B are correct because the unified alert queue is where alerts are managed: you can assign an alert to an analyst, change its status and classification, and link it to an existing incident (or create a new one). Option C is wrong because hunting queries are authored in Advanced hunting, not created from the alert queue. Option D is wrong because the rule that produced the alert is edited where it is defined (Sentinel Analytics or Defender XDR custom detection rules), not from the alert. Option E is wrong because playbooks are a Microsoft Sentinel automation feature; they are not run from the Defender XDR alert queue.

137
MCQeasy

You manage Microsoft Sentinel. You need to ensure that an automated response is triggered when a specific type of incident is created. The response should send an email to the on-call security engineer. What should you use?

A.Use a watchlist to map incident types to email addresses and configure a scheduled query.
B.Create an automation rule that runs a playbook when an incident is created.
C.Modify the analytics rule to include an email action in the rule settings.
D.Create a workbook that alerts via email when new incidents appear.
AnswerB

Automation rules can trigger playbooks on incident creation.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can trigger a playbook (an Azure Logic Apps workflow) when an incident is created. The playbook can include an action to send an email to the on-call security engineer, providing the automated response required by the scenario.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rule settings or workbooks, mistakenly thinking that email actions can be configured directly in the analytics rule or that workbooks can send alerts, when in fact only automation rules with playbooks provide the necessary automated response capability.

How to eliminate wrong answers

Option A is wrong because watchlists are used for correlation and enrichment of data in queries, not for triggering automated email responses; a scheduled query can generate alerts but does not directly send emails based on incident types. Option C is wrong because analytics rules do not have a built-in email action in their settings; they generate alerts or incidents, but email notifications must be handled by automation rules or playbooks. Option D is wrong because workbooks are visualization tools that do not send alerts via email; they display data but cannot trigger automated responses like email notifications.

138
MCQmedium

A security incident in Microsoft Sentinel has been classified as a true positive and remediated. According to your SOC playbook, the incident should be closed with a classification of 'True Positive' and a sub-classification of 'Confirmed activity'. What is the correct way to close the incident in Microsoft Sentinel?

A.In the Microsoft Sentinel incident, set Status to 'Closed', Classification to 'True Positive', and Sub-classification to 'Confirmed activity'.
B.Close the incident in Microsoft Defender XDR and let it sync to Microsoft Sentinel.
C.Change the incident status to 'Closed' without adding a classification.
D.Use the Microsoft Security Graph API to close the incident with the appropriate classification.
AnswerA

This matches the playbook requirements.

Why this answer

Option A is correct because closing the incident from the Microsoft Sentinel incident pane is where Status, Classification and the matching sub-classification (closure reason) are set, which is exactly what the playbook requires. Option B is wrong because the classification sets in Microsoft Defender XDR differ from Sentinel's, so closing there does not guarantee the 'True Positive' / 'Confirmed activity' pair the playbook specifies. Option C is wrong because closing without a classification does not meet the requirement. Option D is wrong because the Security Graph API is an automation path that still requires supplying the correct classification parameters; it is not the analyst workflow the playbook describes.

139
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malware to quarantine before delivery. Which policy type should you use?

A.Anti-spam policy.
B.Antimalware policy.
C.Safe Attachments policy.
D.Anti-phishing policy.
AnswerB

Antimalware policies detect and quarantine malware in email.

Why this answer

Anti-malware policies (part of Exchange Online Protection, which Microsoft Defender for Office 365 builds on) scan inbound and outbound messages with multiple anti-malware engines and quarantine any message in which malware is detected before it is delivered to the mailbox. The same policy carries the common attachments filter, which blocks attachments by file type (for example executables) regardless of whether a signature matches.

Exam trap

The trap here is that both anti-malware and Safe Attachments deal with malicious attachments. Anti-malware is the baseline scan that quarantines known malware at delivery; Safe Attachments is the Defender for Office 365 layer that detonates unknown attachments in a sandbox to catch zero-day malware. The question asks for the policy that quarantines malware-bearing mail, which is the anti-malware policy.

How to eliminate wrong answers

Option A is wrong because anti-spam policies act on spam confidence level (SCL) verdicts, bulk mail and high-confidence phishing, using allow and block lists; they do not scan attachments for malware. Option C is wrong because Safe Attachments detonates unknown attachments in a sandbox (with Monitor, Block, Replace or Dynamic Delivery actions) as an additional zero-day layer on top of anti-malware scanning; it is not the baseline policy that quarantines known malware. Time-of-click protection belongs to Safe Links, not Safe Attachments. Option D is wrong because anti-phishing policies cover spoof intelligence and user or domain impersonation and do not inspect attachments for malware payloads.

140
MCQmedium

A security analyst is investigating a Microsoft Defender for Cloud Apps alert about a suspicious OAuth app that has high permissions. The analyst needs to disable the app immediately. What is the correct action?

A.Revoke all tokens for the app in Microsoft Entra ID.
B.Generate a new client secret for the app.
C.From the Microsoft Defender for Cloud Apps alert, select 'Disable app'.
D.Go to Microsoft Entra ID admin center and delete the app registration.
AnswerC

Defender for Cloud Apps provides a direct action to disable OAuth apps.

Why this answer

Option C is correct because the Defender for Cloud Apps alert exposes a 'Disable app' action (the same control as on the OAuth apps / app governance page), which stops the app from signing in and using its granted permissions in one step. Option A is wrong because revoking tokens ends current sessions only; while the app's consent and service principal stay enabled it can obtain new tokens. Option B is wrong because a new client secret neither invalidates tokens already issued nor removes the granted permissions, and for a third-party app you cannot rotate its secret anyway because the registration lives in the publisher's tenant. Option D is wrong for the same reason: what exists in your tenant is the enterprise application (service principal), not the app registration, and the question asks for the action taken from the alert.

141
MCQmedium

An analyst is investigating a potential data exfiltration incident involving a user who accessed sensitive files from a personal device. The analyst wants to gather evidence about the device's compliance status and recent activity. Which Microsoft Intune feature should the analyst use?

A.Exchange Online message trace
B.Microsoft Intune device inventory and compliance reports
C.Azure Activity Log
D.Microsoft 365 Defender's service health dashboard
AnswerB

Provides device compliance status and recent activities.

Why this answer

Option B is correct because Intune's device inventory and compliance reports show the device's enrollment, compliance state, last check-in and policy evaluation results, which is the evidence the analyst needs. Option A is wrong because Exchange Online message trace tracks email flow, not devices. Option C is wrong because the Azure Activity Log records control-plane operations on Azure resources. Option D is wrong because the service health dashboard reports the status of Microsoft services, not device data.

Caveat: Intune only has a record for a device that was enrolled or registered. If the personal device never was, the sign-in logs in Microsoft Entra ID (device, OS and browser details on the sign-in) are the fallback source for device evidence.

142
MCQhard

You are threat hunting for signs of Kerberoasting in Microsoft Sentinel. Which combination of events indicates that a service account's Kerberos ticket was requested and then used?

A.Event ID 4769 (Kerberos Service Ticket Request) followed by Event ID 4624 (An account was logged on)
B.Event ID 4770 (Kerberos Ticket Renewal) followed by Event ID 4634 (Logoff)
C.Event ID 4740 (Account Lockout) followed by Event ID 4625 (Failed Logon)
D.Event ID 4768 (Kerberos Authentication Ticket) followed by Event ID 4776 (Credential Validation)
AnswerA

Service ticket request and subsequent logon are key indicators.

Why this answer

Option A is correct because Kerberoasting is a ticket-granting service (TGS) attack: the attacker requests service tickets (Event ID 4769) for accounts with SPNs, cracks the ticket's encrypted portion offline, and then uses the recovered password, which shows up as a logon (Event ID 4624) as that service account. In practice the 4769 events worth hunting are those with TicketEncryptionType 0x17 (RC4-HMAC), which is what Kerberoasting tools request because RC4 tickets are far cheaper to crack than AES ones. Option B is wrong because 4770 is a ticket renewal and 4634 a logoff. Option C is wrong because lockouts (4740) followed by failed logons (4625) indicate password spraying or guessing, not Kerberoasting. Option D is wrong because 4768 is the authentication service (TGT) request and 4776 is NTLM credential validation; neither is the TGS stage that Kerberoasting abuses.
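The 4769-then-4624 sequence above as a hunting query over the Sentinel `SecurityEvent` table, added here as an example that is not part of the original question set. It assumes Windows Security events from the domain controllers (4769) and from the member servers where the service accounts log on (4624) are collected into the workspace; the thresholds and the one-day window are arbitrary.

```kusto
// Added example, not from the original page. Part 1 finds Kerberoasting-style
// bursts: one account requesting RC4 service tickets for many user-account SPNs.
// Part 2 looks for a later logon as one of those service accounts.
let lookback = 1d;
let min_spns = 5;                                   // distinct SPNs requested in one burst
let tgs_bursts =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4769
    | where Status == "0x0"                          // ticket was actually issued
    | where TicketEncryptionType == "0x17"           // RC4-HMAC: crackable, what Rubeus/Impacket ask for
    | extend Service = tolower(ServiceName)
    | where Service !endswith "$" and Service != "krbtgt"   // skip machine accounts and the KDC itself
    | extend Requester = tolower(tostring(split(TargetUserName, "@")[0]))
    | summarize Requests = count(), Services = make_set(Service, 100),
                FirstRequest = min(TimeGenerated), LastRequest = max(TimeGenerated)
        by Requester, RequesterIp = IpAddress
    | where array_length(Services) >= min_spns;
// "Used": an interactive, network or RDP logon as one of the requested service accounts.
let service_logons =
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4624
    | where LogonType in (2, 3, 10)
    | project LogonTime = TimeGenerated, Service = tolower(TargetUserName),
              LogonHost = Computer, LogonSourceIp = IpAddress;
tgs_bursts
| mv-expand Service = Services to typeof(string)
| join kind=inner service_logons on Service
| where LogonTime > LastRequest                      // the logon must follow the ticket requests
| project Requester, RequesterIp, Requests, FirstRequest, LastRequest,
          Service, LogonTime, LogonHost, LogonSourceIp
| order by LogonTime asc
```

Run Part 1 on its own (everything up to `tgs_bursts` plus `tgs_bursts` as the final expression) when the goal is just to find the roasting attempt; the join in Part 2 only fires once the cracked password has been put to use. Service accounts that legitimately still use RC4 will show up in Part 1 and should be moved to AES keys rather than excluded from the query.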

143
MCQhard

Refer to the exhibit. You are using a hunting query in Microsoft Defender XDR to find devices generating excessive DNS queries. The query returns many results, but you want to exclude legitimate DNS servers. What is the best approach to refine the query?

A.Add a `where` clause to exclude known internal DNS server IPs.
B.Join with DeviceInfo to filter by device type.
C.Change the RemotePort filter to UDP 53 only instead of all DNS.
D.Increase the count threshold to 5000.
AnswerA

Excluding known DNS servers reduces noise from legitimate traffic.

Why this answer

Option A is correct because legitimate resolvers (internal DNS servers, forwarders, monitoring hosts) generate large volumes of port 53 traffic by design; excluding their IP addresses with a `where` clause removes the bulk of the noise while leaving anomalous clients visible. Option B is wrong because DeviceInfo adds device attributes such as OS and join type, which do not identify which hosts are legitimate resolvers. Option C is wrong because the query already scopes to DNS (port 53); restricting it to UDP only would drop legitimate TCP DNS (large responses, zone transfers) and tunnelling over TCP without reducing the resolver noise. Option D is wrong because raising the threshold to 5000 hides lower-volume exfiltration instead of separating legitimate servers from suspicious clients.

144
MCQeasy

A company wants to enable Microsoft Defender for Cloud's enhanced security features for all Azure virtual machines in a subscription. What is the first action they should take in the Defender for Cloud pricing & settings page?

A.Turn on the 'Servers' plan for the subscription
B.Install the Log Analytics agent on each VM
C.Enable vulnerability assessment
D.Assign a regulatory compliance policy
AnswerA

Enabling the Servers plan activates the enhanced security features for all VMs in the subscription.

Why this answer

To enable Microsoft Defender for Cloud's enhanced security features for Azure VMs, the first step is to turn on the 'Servers' plan at the subscription level in the Defender for Cloud pricing & settings page. This activates Defender for Servers, which provides threat detection, vulnerability assessment, and just-in-time access. Without enabling this plan, no enhanced security features are available, regardless of other configurations.

Exam trap

The trap here is that candidates often confuse the order of operations, thinking that installing the Log Analytics agent or enabling vulnerability assessment is the first step, when in fact the subscription-level plan toggle must be enabled to unlock all enhanced security features.

How to eliminate wrong answers

Option B is wrong because installing the Log Analytics agent (now the Azure Monitor Agent) is a prerequisite for data collection but is not the first action; the 'Servers' plan must be enabled first to authorize the use of enhanced features. Option C is wrong because enabling vulnerability assessment (e.g., via Qualys or Microsoft Defender Vulnerability Management) is a feature within the 'Servers' plan and cannot be activated until the plan itself is turned on. Option D is wrong because assigning a regulatory compliance policy (e.g., Azure Policy for compliance standards) is a separate governance action that does not enable the underlying threat detection capabilities; it only maps resources to compliance frameworks after the plan is active.

145
MCQhard

The exhibit shows a KQL query used in a Microsoft Sentinel analytics rule. The rule is intended to detect brute-force attacks by identifying IP addresses that have more than 10 failed sign-ins (result code 50057) followed by a successful sign-in (result code 0) within an hour. However, the rule is not triggering alerts even though you are confident such patterns exist. What is the most likely issue?

A.The threshold is too high.
B.The time window is too short to capture the pattern.
C.The query does not ensure the successful sign-in occurred after the failed attempts.
D.The query does not consider the same IP address across different users.
AnswerC

Without temporal ordering, the successful sign-in could have occurred before the failed attempts, which would not indicate a successful brute-force.

Why this answer

The query, as described, joins failed and successful sign-ins on IP address (and user) and counts failures. An inner join answers only "did this IP have both more than 10 failures and a success in the window"; it carries no notion of order, so a user who signed in successfully and then had a burst of failures matches exactly as well as a real credential-guessing success. That is not the required pattern. The fix is to carry the failure timestamps through the join and count only failures that precede the success (or compare the success time against the time of the last failure).

Two practitioner notes that the answer options do not cover: `ResultType` in SigninLogs is a string column, so `ResultType == "0"` is correct; and result code 50057 means 'user account is disabled', so a brute-force rule should normally key on 50126 (invalid username or password) unless the intent is specifically to watch disabled accounts. Also check the rule's scheduling: if 'Lookup data from the last' is shorter than the hour the pattern needs, the rule cannot see both halves of the sequence in one run.

Option C is correct. Option A is wrong because the threshold of more than 10 failures is reasonable and the analyst has confirmed such patterns exist. Option B is wrong because one hour is the window the requirement specifies. Option D is wrong because the join already groups activity by IP address; including UserPrincipalName in the key narrows the match but is not what breaks the detection.
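The corrected rule query, added here as an example that is not part of the original question set. It keys failures on 50126 (invalid username or password); the 50057 in the question text means 'user account is disabled' and is not a password-guessing failure, so it is not used. The one-hour window and the threshold of 10 are taken from the question.

```kusto
// Added example, not from the original page. Flags source IPs whose successful
// sign-in was preceded, inside the window, by more than 'threshold' failures.
let window = 1h;
let threshold = 10;
let failure_codes = dynamic(["50126"]);            // AADSTS50126: invalid username or password
let failures =
    SigninLogs
    | where TimeGenerated > ago(window)
    | where ResultType in (failure_codes)          // ResultType is a string column
    | project FailureTime = TimeGenerated, IPAddress, FailedUser = UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType == "0"
| project SuccessTime = TimeGenerated, IPAddress, UserPrincipalName, AppDisplayName
// kind=inner keeps every failure row per success; the default innerunique would drop matches
| join kind=inner failures on IPAddress
| where FailureTime < SuccessTime                  // only failures that happened BEFORE the success count
| summarize PrecedingFailures = count(), TargetedUsers = dcount(FailedUser),
            FirstFailure = min(FailureTime), LastFailure = max(FailureTime)
    by IPAddress, UserPrincipalName, SuccessTime, AppDisplayName
| where PrecedingFailures > threshold
| project IPAddress, UserPrincipalName, AppDisplayName, PrecedingFailures, TargetedUsers,
          FirstFailure, LastFailure, SuccessTime
```

When this is saved as a scheduled analytics rule, set 'Run query every' to at most one hour and 'Lookup data from the last' to at least the value of `window`, otherwise the failures and the success can fall into different runs and the rule never sees the full sequence. `TargetedUsers` greater than 1 from a single IP is the password-spray variant of the same behaviour.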

146
MCQeasy

A security administrator wants to see the overall security posture of all their Azure subscriptions in a single numerical score. Which dashboard in Microsoft Defender for Cloud provides this score based on implemented security controls?

A.Regulatory Compliance
B.Secure Score
C.Inventory
D.Recommendations
AnswerB

Secure Score aggregates all recommendations into a score that reflects the overall security posture.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud aggregates the security posture across all Azure subscriptions into a single numerical score. This score is calculated based on the implementation of security controls and recommendations, reflecting the percentage of completed security measures. The administrator needs this consolidated view, which is exactly what Secure Score provides.

Exam trap

The trap here is that candidates confuse the Secure Score with the Regulatory Compliance score, thinking both provide a general security posture, but Regulatory Compliance is specifically tied to compliance frameworks, not the overall security control implementation.

How to eliminate wrong answers

Option A is wrong because Regulatory Compliance provides a score based on compliance with specific standards (e.g., CIS, NIST), not a general security posture score. Option C is wrong because Inventory lists resources and their security configurations but does not calculate a numerical score. Option D is wrong because Recommendations shows individual security suggestions and their status, but does not aggregate them into a single overall score.

147
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select THREE.)

Select 3 answers
A.Compliance dashboard that shows your posture against regulatory standards.
B.Continuous assessment of your cloud resources against security best practices.
C.Endpoint detection and response for on-premises machines.
D.Secure score calculation based on implemented security controls.
E.Integrated vulnerability assessment for virtual machines.
AnswersA, B, D

CSPM includes compliance monitoring.

Why this answer

Options A, B and D are correct because they are posture-management capabilities. The regulatory compliance dashboard maps your resources against standards such as the Microsoft cloud security benchmark, ISO 27001, PCI DSS and SOC 2 and highlights the failing controls; continuous assessment generates security recommendations as resources are created and changed; and secure score aggregates those recommendations into a single posture number. Option C is wrong because endpoint detection and response comes from Defender for Endpoint, delivered to servers through the Defender for Servers plan. Option E is wrong for this question because the integrated vulnerability assessment for virtual machines is packaged with Defender for Servers rather than with the CSPM plan.

Exam trap

The trap here is that candidates often confuse the CSPM plan's compliance and secure score capabilities with workload protection features like vulnerability assessment or EDR, which belong to separate Defender plans (e.g., Defender for Servers or Defender for Endpoint).

148
MCQmedium

Your organization has Microsoft Defender for Cloud Apps (MDA) connected to Microsoft Sentinel. The SOC team wants to receive alerts when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

A.Create a file policy in Defender for Cloud Apps.
B.Create an activity policy in Defender for Cloud Apps and connect it to Sentinel.
C.Enable the Defender for Cloud Apps connector in Sentinel without additional configuration.
D.Create a session policy in Defender for Cloud Apps.
AnswerB

Activity policies can detect specific behaviors like anonymous IP access and send alerts to Sentinel.

Why this answer

Option B is correct because an activity policy in Defender for Cloud Apps can be configured to trigger alerts on specific user activities, such as accessing a sanctioned app from an anonymous IP address. This policy can then be connected to Microsoft Sentinel via the Defender for Cloud Apps data connector, which ingests alerts as incidents for SOC review. File policies (A) focus on file-level actions like sharing or malware detection, not user access events, while session policies (D) control real-time access but do not generate alerts for historical or post-access monitoring.

Exam trap

The trap here is that candidates confuse file policies with activity policies, assuming any policy in Defender for Cloud Apps can detect access events, but only activity policies are designed to monitor user sign-in and access behaviors against IP-based conditions.

How to eliminate wrong answers

Option A is wrong because file policies monitor file-related activities (e.g., sharing, upload, download) and cannot detect user access events like logging into an app from an anonymous IP. Option C is wrong because simply enabling the Defender for Cloud Apps connector in Sentinel without additional configuration only ingests default alerts (e.g., from anomaly detection policies), not custom activity-based alerts for anonymous IP access. Option D is wrong because session policies are designed for real-time access control and monitoring during a user session (e.g., blocking downloads), not for generating alerts on access events that have already occurred.

149
MCQmedium

You are configuring automated responses in Microsoft Sentinel. You have created an automation rule that runs a playbook when an incident is created. The playbook performs actions in Microsoft Entra ID and Microsoft Defender for Cloud. However, the playbook fails with a permissions error. What should you do?

A.Assign the managed identity of the playbook the required roles in Microsoft Entra ID and Defender for Cloud.
B.Enable 'Allow playbooks to use managed identity' in the Sentinel settings.
C.Configure the Microsoft Entra ID connector in Sentinel with delegated permissions.
D.Grant the security analyst's account Contributor permissions on the automation rule.
AnswerA

The playbook's managed identity needs permissions to execute actions.

Why this answer

The playbook fails because it authenticates with its managed identity, and that identity has not been granted the rights its actions need. For Defender for Cloud actions that means Azure RBAC roles (for example Security Admin, or Security Reader for read-only steps) on the subscription or resource group; for Microsoft Entra ID actions such as disabling a user it means Microsoft Graph application permissions (or an Entra directory role) granted to the managed identity's service principal. Assigning those rights to the identity resolves the authorization failure.

Exam trap

The trap here is that candidates often confuse enabling the managed identity feature (Option B) with actually assigning the necessary RBAC roles to that identity, assuming the setting alone grants permissions.

How to eliminate wrong answers

Option B is wrong because 'Allow playbooks to use managed identity' is a setting that enables the use of managed identities for authentication, but it does not grant the actual permissions needed to perform actions in Entra ID or Defender for Cloud; permissions must be assigned separately via RBAC. Option C is wrong because configuring the Microsoft Entra ID connector with delegated permissions is used for user-based authentication (OAuth 2.0 authorization code flow), not for a playbook’s managed identity; the playbook uses a system-assigned or user-assigned managed identity, not delegated permissions. Option D is wrong because granting the security analyst's account Contributor permissions on the automation rule does not affect the permissions of the playbook’s managed identity; the playbook runs under its own identity, not the analyst’s account.

150
MCQeasy

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel during an investigation. The analyst expects to see alerts related to malware from IP 10.0.0.5 but receives no results. The SecurityAlert table contains data from the last 24 hours. What is the most likely reason for no results?

A.The ExtendedProperties column does not contain a key named 'IPAddress' for these alerts.
B.The 'contains' operator is case-sensitive.
C.The time filter 'ago(1d)' is too restrictive; should use 'ago(7d)'.
D.The 'project' statement drops the necessary columns.
AnswerA

The property might be named differently (e.g., 'IpAddress').

Why this answer

Option A is correct because `ExtendedProperties` is a JSON property bag whose keys vary by alert provider; if the alert does not carry a key spelled exactly `IPAddress` (it may be `IpAddress`, `Source IP`, or the address may only appear in the `Entities` column), the extraction yields empty and the comparison never matches. Option B is wrong because `contains` is case-insensitive in KQL (`contains_cs` is the case-sensitive form). Option C is wrong because the table holds the last 24 hours and `ago(1d)` covers exactly that. Option D is wrong because `project` only selects output columns after the filter has already run; it cannot make the filter itself return nothing.
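Two queries that resolve the situation above, added here as an example that is not part of the original question set: the first lists which keys the malware alerts actually carry in `ExtendedProperties` instead of guessing a key name, and the second filters on the IP entity in the `Entities` column, which is where Sentinel alert providers normally place addresses. The alert name filter `has "malware"` and the address 10.0.0.5 are taken from the question.

```kusto
// Added example, not from the original page.
// Query 1: which ExtendedProperties keys do these alerts really have?
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName has "malware"
| extend Props = parse_json(ExtendedProperties)
| mv-expand Key = bag_keys(Props) to typeof(string)
| summarize Alerts = dcount(SystemAlertId), Providers = make_set(ProviderName) by Key
| order by Alerts desc

// Query 2: match the IP through the typed entity list rather than a guessed key.
SecurityAlert
| where TimeGenerated > ago(1d)
| where AlertName has "malware"
| mv-expand Entity = parse_json(Entities)
| where tostring(Entity.Type) == "ip" and tostring(Entity.Address) == "10.0.0.5"
| project TimeGenerated, AlertName, AlertSeverity, ProviderName, CompromisedEntity,
          SourceIp = tostring(Entity.Address)
```

Run each query separately (select it in the Logs editor before running). If Query 1 shows the address under a differently spelled key, `tostring(Props["IpAddress"])`, with the key copied exactly from the output, is the direct fix; Query 2 is the more robust form because entity extraction is the same across providers.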
