Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1426–1500

1639 questions total · 22 pages · All types, answers revealed

Page 20 of 22
1426
Multi-Select · easy

Which TWO data sources in Microsoft Sentinel are commonly used for threat hunting related to lateral movement?

Select 2 answers
A. DeviceNetworkEvents
B. Syslog
C. SecurityEvent
D. DnsEvents
E. AzureActivity
Answers: A, C

Shows network connections from endpoints to other internal IPs.

Why this answer

Options A and C are correct. SecurityEvent (Windows Event Logs) contains Event ID 4624 (logon) and 4688 (process creation), both useful for lateral movement hunting. DeviceNetworkEvents (Microsoft Defender for Endpoint) shows network connections between endpoints.

Option B is for syslog, not Windows events. Option D is for DNS, which is less direct. Option E is for Azure activity, not lateral movement.

1427
MCQ · hard

A threat hunter writes the KQL query above in Microsoft Defender for Endpoint advanced hunting to find devices where a script host process was launched with encoded commands and then connected to an HTTPS endpoint within 10 minutes. The query is syntactically correct but returns no results. The hunter knows that such activity has occurred. What is the most likely reason?

A. The join on Timestamp with exact match is too restrictive; should use a time window between the two events
B. The FileName list does not include other script hosts like 'mshta.exe'
C. The time range of 7 days is too short; should be 30 days
D. The RemotePort filter should include 80 for HTTP connections
Answer: A

Exact timestamp match is unrealistic; a time difference of up to 10 minutes should be allowed.

Why this answer

Option A is correct because the join condition matches on Timestamp exactly, which two separate events will practically never satisfy; the join should use a time window, not an exact match. The where clause after the join also tries to use Timestamp1 (not defined) and compares it incorrectly. Option C (time range too short) is possible but less likely given 7 days.

Option B (filename list) is broad enough. Option D is wrong because RemotePort 443 is exactly what is expected for HTTPS.

1428
MCQ · medium

You are reviewing the KQL query shown in the exhibit. What is the purpose of this query?

A. Count the number of high-severity alerts per hour
B. Return the timestamp of each high-severity alert
C. Identify high-severity alert names that occurred more than 10 times in the last 24 hours
D. List all high-severity incidents in the last 24 hours
Answer: C

The query filters, groups, and returns alert names with count > 10.

Why this answer

Option C is correct because the query filters high-severity alerts in the last 24 hours, groups by AlertName, and returns names with more than 10 alerts. Option A is wrong because the query counts by AlertName, not by time. Option B is wrong because the query returns AlertName and AlertCount, not timestamps.

Option D is wrong because the query counts alerts, not incidents.

1429
MCQ · easy

A security analyst in Microsoft 365 Defender is investigating an incident that involves multiple devices. The analyst wants to see a visual representation of the attack, showing how the attacker moved from one device to another. Which feature provides this view?

A. Alert queue
B. Incident graph
C. Advanced hunting
D. Action center
Answer: B

The Incident graph maps the entire attack story, showing how the attacker moved across devices and other entities.

Why this answer

The Incident graph in Microsoft 365 Defender provides a visual, interactive representation of an attack, showing how the attacker moved from one device to another, including lateral movement paths and related alerts. This feature is specifically designed to help analysts understand the full scope of an incident by mapping out the relationships between entities such as devices, users, and alerts.

Exam trap

The trap here is that candidates often confuse the Incident graph with Advanced hunting, thinking that a query-based tool is needed to visualize attack paths, but the Incident graph provides this visualization automatically without requiring any query writing.

How to eliminate wrong answers

Option A is wrong because the Alert queue is a list of individual alerts, not a visual graph showing lateral movement between devices. Option C is wrong because Advanced hunting is a query-based tool for searching raw data using KQL, not a pre-built visual attack path. Option D is wrong because the Action center is used to view and approve remediation actions (e.g., isolating devices, running antivirus scans), not to visualize attack progression.

1430
MCQ · easy

Your organization uses Microsoft Sentinel with a pay-as-you-go pricing tier. You need to reduce costs by archiving older logs that are rarely accessed. Which action should you take?

A. Switch the Log Analytics workspace to Basic Logs tier for the Sentinel tables.
B. Configure a lifecycle management policy in Azure Storage to transition logs to the archive tier after the retention period.
C. Reduce the workspace retention period from 90 days to 30 days.
D. Create a Data Collection Rule to filter out logs before ingestion.
Answer: B

Archiving reduces cost while preserving data.

Why this answer

Option B is correct because Sentinel supports archiving logs to Azure Storage with lifecycle policies. Option A is wrong because Basic Logs still incur query costs and are not archival. Option C is wrong because decreasing retention deletes logs immediately.

Option D is wrong because Data Collection Rules filter incoming data and don't archive existing logs.

1431
Multi-Select · hard

Which TWO actions are valid containment steps for a compromised user account in Microsoft Defender XDR?

Select 2 answers
A. Create a new email rule to forward emails
B. Disable the user account in Microsoft Entra ID
C. Add the user to a privileged role
D. Reset the user's password
E. Run a full antivirus scan on the user's device
Answers: B, D

Containment by disabling.

1432
MCQ · hard

Your organization uses Microsoft Sentinel. An incident is created from a fusion detection that combines multiple signals. You need to ensure that when the incident is resolved, all related alerts are also resolved automatically. What should you do?

A. Create an automation rule triggered when an incident is closed, with the action 'Close alert'
B. Create a playbook triggered on incident creation that closes alerts
C. Create an automation rule triggered when an alert is created
D. Configure the analytics rule to close alerts when the incident is resolved
Answer: A

This resolves all related alerts when the incident is closed.

Why this answer

Option A is correct because an automation rule triggered when an incident is closed, with the 'Close alert' action, closes the related alerts whenever the incident closes. Option D is wrong because analytics rules do not control alert closure on incident resolution. Option B is wrong because playbooks triggered on incident creation would not run on closure.

Option C is wrong because automation rules triggered on alert creation do not handle incident closure.

1433
MCQ · easy

A security analyst wants to identify all devices in the organization that have a specific software vulnerability (CVE-2023-1234) installed using Microsoft 365 Defender Advanced Hunting. Which table should be queried?

A. DeviceInfo
B. DeviceTvmSoftwareVulnerabilities
C. DeviceTvmSoftwareInventory
D. DeviceNetworkInfo
Answer: B

This table contains records of software vulnerabilities identified by TVM, including the CVE ID, device, and software. It is the correct source to find devices with a specific CVE.

Why this answer

The DeviceTvmSoftwareVulnerabilities table in Microsoft 365 Defender Advanced Hunting contains records of software vulnerabilities discovered on devices, including specific CVE identifiers like CVE-2023-1234. This table is designed to answer questions about which devices have a particular vulnerability installed, as it links device IDs to vulnerability details such as CVE ID, severity, and exploitability.

Exam trap

The trap here is that candidates often confuse DeviceTvmSoftwareInventory (which lists installed software) with DeviceTvmSoftwareVulnerabilities (which lists actual vulnerabilities), leading them to pick Option C because they think software inventory implies vulnerability presence.

How to eliminate wrong answers

Option A is wrong because DeviceInfo provides general device metadata (e.g., OS version, device name, last seen time) but does not include vulnerability or software inventory details. Option C is wrong because DeviceTvmSoftwareInventory lists installed software products and versions on devices, but it does not map those to specific CVEs or vulnerabilities. Option D is wrong because DeviceNetworkInfo contains network-related data such as IP addresses, network adapters, and connection details, and has no relation to software vulnerabilities.

1434
MCQ · easy

A SOC manager wants to quickly view the number of incidents generated in Microsoft Sentinel over the past 7 days, grouped by Azure subscription. Which KQL query should be used on the SecurityIncident table?

A. SecurityIncident | where CreatedTime > ago(7d) | summarize count() by SubscriptionId
B. SecurityAlert | where TimeGenerated > ago(7d) | summarize count() by SubscriptionId
C. SecurityIncident | where TimeGenerated > ago(7d) | summarize count() by SubscriptionId
D. SecurityIncident | where CreatedTime > ago(7d) | summarize count() by WorkspaceSubscriptionId
Answer: A

Correct. This query filters incidents created in the last 7 days and groups by subscription.

Why this answer

Option A is correct because the SecurityIncident table stores incident records, and the CreatedTime field records when each incident was generated. Filtering with `where CreatedTime > ago(7d)` limits results to the past 7 days, and `summarize count() by SubscriptionId` groups the count by the Azure subscription that owns the resources involved in the incident. This directly meets the SOC manager's requirement to view the number of incidents per subscription over the last week.

Exam trap

The trap here is confusing the SecurityIncident table's SubscriptionId with WorkspaceSubscriptionId, or using the wrong time field (TimeGenerated instead of CreatedTime), leading candidates to pick options that either query the wrong table or group by the wrong subscription identifier.

How to eliminate wrong answers

Option B is wrong because it queries the SecurityAlert table instead of SecurityIncident, which contains alerts rather than incidents; incidents are the higher-level grouping of alerts, so this would not show incident counts. Option C is wrong because it uses TimeGenerated on the SecurityIncident table, but SecurityIncident does not have a TimeGenerated column; this would cause a query error or return no results. Option D is wrong because it groups by WorkspaceSubscriptionId, which is the subscription of the Log Analytics workspace, not the Azure subscription associated with the incident's resources; the SOC manager specifically needs incidents grouped by the subscription where the resources reside, which is SubscriptionId.

1435
MCQ · easy

A threat hunter wants to investigate a potential data exfiltration event involving large outbound file transfers to an unusual external IP. Which Microsoft Defender XDR advanced hunting table is most appropriate to start the investigation?

A. DeviceNetworkEvents
B. DeviceProcessEvents
C. IdentityDirectoryEvents
D. DeviceFileEvents
Answer: D

Can show large file creation or modification events that might indicate exfiltration.

Why this answer

Option D is correct because DeviceFileEvents shows file creation and modification events, which can indicate large file copies. Option A is wrong because DeviceNetworkEvents shows network connections, not file transfers. Option B is wrong because DeviceProcessEvents shows process creation, not file transfers.

Option C is wrong because IdentityDirectoryEvents shows identity events, not file transfers.

1436
MCQ · medium

Your organization uses Microsoft Sentinel to monitor a hybrid environment consisting of on-premises servers and cloud workloads in Azure. As a threat hunter, you have been tasked with identifying potential lateral movement using pass-the-hash (PtH) attacks. You have enabled UEBA and connected Windows Event Logs, including Event ID 4624 (logon) and 4648 (explicit credentials). You need to create a hunting query that surfaces anomalous remote logons where the same account logs on from a non-domain-joined machine using NTLM authentication. Which KQL query should you use to start your hunt?

A. SecurityEvent | where EventID == 4624 and AccountType == 'User' and LogonType == 3 | where IpAddress != '' | summarize count() by Account, IpAddress
B. SecurityEvent | where EventID == 4624 and LogonType == 3 and LogonProcessName contains 'NTLM' | where TargetUserName !endswith '$' | where Computer !in (list of domain controllers) | project TimeGenerated, Account=TargetUserName, SourceWorkstation=WorkstationName, LogonProcessName
C. SecurityEvent | where EventID == 4624 and LogonType == 2 and LogonProcessName contains 'NTLM' | project TimeGenerated, Account=TargetUserName
D. SecurityEvent | where EventID == 4624 and LogonType == 10 and AuthenticationPackageName == 'NTLM' | project TimeGenerated, Account=TargetUserName, SourceIP=IpAddress
Answer: B

Correctly filters NTLM network logons from non-domain controllers.

Why this answer

Correct: Option B filters for logon type 3 (network), NTLM authentication (LogonProcessName contains NTLM), excludes computer accounts (TargetUserName not ending in '$'), and excludes domain controllers (Computer not in the list of domain controllers). Option A misses the PtH indicators; Option C focuses on interactive logons (logon type 2); Option D incorrectly uses RDP logon type 10.

1437
MCQ · medium

During an incident investigation, you discover that an attacker used a legitimate account to access sensitive data in Microsoft Purview Information Protection. You need to identify what data was accessed and by whom. Which log source should you query?

A. Microsoft 365 Defender alerts
B. Microsoft Purview data access logs
C. Microsoft Entra ID sign-in logs
D. Office 365 audit logs (unified audit log)
Answer: B

Purview logs track access to sensitive data, including who accessed what.

Why this answer

Option B is correct because Purview logs track access to sensitive data. Option C is wrong because Microsoft Entra ID sign-in logs show authentication only. Option D is wrong because Office 365 audit logs may not include Purview data access.

Option A is wrong because Microsoft 365 Defender alerts are for detections, not detailed access logs.

1438
MCQ · easy

During a threat hunt, you identify a user account that has been logging in from multiple geographic regions within a short time. Which Microsoft Defender for Cloud Apps feature should you use to investigate this anomaly?

A. Cloud Discovery
B. App permissions
C. File policy
D. Activity log
Answer: D

The activity log shows login events with geographic locations.

Why this answer

Option D is correct because the activity log provides detailed user activities, including location. Option B is wrong because App permissions is for OAuth apps. Option C is wrong because file policy is for data protection.

Option A is wrong because Cloud Discovery is for shadow IT, not user login anomalies.

1439
Multi-Select · easy

Which THREE are valid incident severity levels in Microsoft Sentinel?

Select 3 answers
A. Critical
B. Low
C. High
D. Informational
E. Medium
Answers: B, C, E

Low is a valid severity level.

Why this answer

The correct answers are B, C, and E. Sentinel uses Low, Medium, High, and Informational. Critical is not a level; the highest is High.

Informational is a valid severity.

1440
MCQ · hard

Your organization uses Microsoft Defender for Endpoint. You need to configure a device group that automatically assigns devices to the group based on their domain membership. Devices joined to 'contoso.com' should be in the 'Corporate' group, and all others in 'Non-Corporate'. What should you use?

A. Use a custom detection rule to move devices based on risk level.
B. Create a device group with a rule using the device tag 'Contoso' and assign tags via GPO.
C. Create two device groups and manually move devices.
D. Create a device group with a rule using the domain field 'contoso.com'.
Answer: B

Tags can be set via GPO and then device groups use tag rules.

Why this answer

Option B is correct because Microsoft Defender for Endpoint device groups can use device tags to automatically assign devices based on domain membership. By creating a device group with a rule that matches the device tag 'Contoso' and assigning that tag to domain-joined machines via Group Policy Object (GPO), you ensure that devices joined to 'contoso.com' are placed in the 'Corporate' group, while all others fall into the default 'Non-Corporate' group.

Exam trap

The trap here is that candidates assume the domain field can be used directly in device group rules, but Defender for Endpoint does not expose the domain attribute for rule creation; instead, you must use tags applied via GPO or other management tools to achieve domain-based grouping.

How to eliminate wrong answers

Option A is wrong because custom detection rules are used for creating custom alerts and automated actions based on threat indicators, not for assigning devices to groups based on domain membership. Option C is wrong because manually moving devices is not scalable and does not meet the requirement for automatic assignment based on domain membership. Option D is wrong because device group rules in Defender for Endpoint do not support filtering directly on the domain field; they support tags, device names, OS platforms, and other attributes, but not the domain field itself.

1441
MCQ · medium

Your organization uses Microsoft Defender for Endpoint and Microsoft Sentinel. As part of a threat hunting exercise, you need to detect potential lateral movement using remote desktop protocol (RDP). You want to identify devices that have initiated multiple RDP connections to different internal IP addresses within a short time frame. Which hunting query should you use in Microsoft Sentinel's Log Analytics workspace?

A. Syslog | where Facility == 'auth' and Message contains 'RDP' | summarize count() by HostName
B. DeviceProcessEvents | where ProcessCommandLine contains 'mstsc.exe' | summarize count() by DeviceName
C. DeviceNetworkEvents | where RemotePort == 3389 and ActionType == 'ConnectionSuccess' | summarize dcount(RemoteIP) by DeviceName
D. IdentityLogonEvents | where LogonType == 'RemoteInteractive' | summarize dcount(IPAddress) by DeviceName
Answer: C

This directly counts distinct RDP destinations per device.

Why this answer

Option C is correct because DeviceNetworkEvents contains network connections, including RDP (destination port 3389). Summarizing by DeviceName and counting distinct destination IPs (dcount(RemoteIP)) identifies devices connecting to multiple internal IPs. Option B is incorrect because DeviceProcessEvents does not include network connections.

Option D is incorrect because IdentityLogonEvents focuses on authentication, not network connections. Option A is incorrect because Syslog is for Linux systems, not Windows RDP connections.

1442
Multi-Select · easy

Which TWO data sources can you connect to Microsoft Sentinel to ingest security logs? (Select TWO.)

Select 2 answers
A. Google Cloud Platform audit logs
B. Azure Active Directory (Microsoft Entra ID) audit logs
C. Amazon Web Services (AWS) CloudTrail
D. Trello activity logs
E. GitHub Actions logs
Answers: B, C

Sentinel has a connector for Azure AD logs.

Why this answer

Azure Active Directory (Microsoft Entra ID) audit logs are a native data source for Microsoft Sentinel. They can be connected directly via the Azure AD connector, which ingests sign-in logs, audit logs, and provisioning logs into the Log Analytics workspace. This integration is essential for monitoring identity-related security events and is a standard requirement for SC-200 scenarios.

Exam trap

The trap here is that candidates often assume any cloud or SaaS service can be connected via a generic API, but Microsoft Sentinel only supports specific, pre-built connectors for security-relevant sources like AWS CloudTrail and Azure AD, not for productivity tools like Trello or GitHub Actions logs.

1443
MCQ · easy

Your organization uses Microsoft Sentinel. You need to design a solution to automatically respond to a specific type of incident by sending an email to the SOC manager and creating a ticket in ServiceNow. What should you use?

A. Create an analytics rule that directly sends an email.
B. Create a workbook that triggers a webhook.
C. Create an automation rule that sends an email and creates a ticket.
D. Create a playbook in Microsoft Sentinel and trigger it with an automation rule.
Answer: D

Correct: Playbooks can integrate with external systems.

Why this answer

Option D is correct because playbooks (based on Logic Apps) can perform multiple actions like sending email and creating tickets. Option C is wrong because automation rules cannot directly integrate with external systems like ServiceNow. Option B is wrong because workbooks are for reporting.

Option A is wrong because analytics rules only generate incidents.

1444
Multi-Select · easy

Which TWO roles can be used to manage Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Compliance Administrator
B. Microsoft Sentinel Responder
C. Security Reader
D. Global Administrator
E. Microsoft Sentinel Contributor
Answers: B, E

Responder role allows managing incidents and playbooks.

Why this answer

Options B and E are correct as they are built-in roles for Sentinel management. Option A is incorrect because Compliance Administrator has limited Sentinel access. Option C is incorrect because Security Reader is read-only.

Option D is incorrect because Global Administrator has wide access but is not the primary role for Sentinel management.

1445
Multi-Select · hard

Which THREE steps are part of the containment phase of incident response in a hybrid environment using Microsoft Defender XDR?

Select 3 answers
A. Remove malware from affected systems
B. Restore data from backups
C. Disable compromised user accounts in Microsoft Entra ID
D. Isolate affected devices using Microsoft Defender for Endpoint
E. Block malicious IP addresses at the firewall
Answers: C, D, E

Stops further access.

Why this answer

Option D is correct because isolation prevents spread. Option C is correct because disabling accounts stops credential misuse. Option E is correct because blocking IoCs is a containment action.

Option A is wrong because removing malware is eradication. Option B is wrong because restoring from backups is recovery.

1446
MCQ · medium

A company uses Microsoft Defender for Cloud with Defender for Servers enabled. The security team wants to integrate a third-party vulnerability assessment solution (e.g., Qualys) and have findings appear in the Defender for Cloud recommendations. What must be done?

A. Install the Qualys agent on the VMs and configure the vulnerability assessment solution in Defender for Cloud.
B. Enable the built-in Microsoft Defender Vulnerability Management (MDVM) solution; it automatically integrates with any third-party scanner.
C. Set up automatic provisioning of the Log Analytics agent and enable vulnerability assessment in the regulatory compliance dashboard.
D. Nothing; Defender for Cloud automatically scans all Azure VMs for vulnerabilities using the integrated Qualys scanner.
Answer: A

This is correct. The agent must be deployed on each VM, and the integration must be configured in the Defender for Cloud security policy to accept findings from the third-party vulnerability assessment solution.

Why this answer

Option A is correct because to integrate a third-party vulnerability assessment solution like Qualys with Microsoft Defender for Cloud, you must install the Qualys agent on the VMs and then configure the vulnerability assessment solution in Defender for Cloud. This allows Defender for Cloud to receive and display the vulnerability findings from Qualys as part of its security recommendations. Without this explicit configuration, Defender for Cloud cannot ingest third-party scanner data.

Exam trap

The trap here is that candidates assume Defender for Cloud automatically integrates with any third-party scanner or that enabling MDVM will bridge to third-party tools, when in fact a specific agent installation and connector configuration is required for third-party solutions.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender Vulnerability Management (MDVM) is a built-in solution that does not automatically integrate with third-party scanners; it is a separate offering that replaces the need for third-party tools, not a bridge to them. Option C is wrong because automatic provisioning of the Log Analytics agent and enabling vulnerability assessment in the regulatory compliance dashboard does not integrate a third-party scanner; it only enables built-in vulnerability assessment or MDVM, not Qualys. Option D is wrong because Defender for Cloud does not automatically scan all Azure VMs using an integrated Qualys scanner; it uses its own built-in vulnerability assessment or requires explicit integration of a third-party solution.

1447
MCQ · medium

A company uses Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to automatically disable the local administrative account on all existing and future Azure virtual machines by applying a guest configuration policy. Which Defender for Cloud feature should they use?

A. Just-In-Time (JIT) VM access
B. Guest configuration (Azure Policy)
C. Adaptive application controls
D. Regulatory compliance dashboard
Answer: B

Guest configuration policies can audit and remediate settings inside VMs, such as disabling local accounts.

Why this answer

Option B is correct because Guest configuration (Azure Policy) is the only feature that can audit and remediate settings inside a virtual machine's operating system, such as disabling the local administrative account. Defender for Cloud integrates with Azure Policy's guest configuration extension to enforce desired state configurations on both existing and future VMs via policy assignments.

Exam trap

The trap here is confusing network-level access controls (JIT) or application whitelisting (Adaptive application controls) with OS-level configuration management, which is exclusively handled by Guest configuration (Azure Policy).

How to eliminate wrong answers

Option A is wrong because Just-In-Time (JIT) VM access controls network-level access to management ports (e.g., RDP/SSH) and does not modify local user accounts or enforce guest OS configurations. Option C is wrong because Adaptive application controls define allowlists for applications running on VMs to prevent malware, not manage local user accounts or disable administrative privileges. Option D is wrong because the Regulatory compliance dashboard provides visibility into compliance standards (e.g., ISO 27001, NIST) but does not perform any automated remediation or configuration changes on VMs.

1448
MCQ · hard

A SOC analyst is responding to a ransomware incident. The analyst identifies that the ransomware encrypted files on a file share and left a ransom note. The analyst needs to prevent the ransomware from spreading to other shares. Which action should the analyst take first?

A. Revoke the user's access to the file share.
B. Run a full antivirus scan on the server.
C. Restore the encrypted files from backup.
D. Isolate the server from the network using Microsoft Defender for Endpoint's device isolation.
Answer: D

Isolation prevents further communication and spread.

Why this answer

Option D is correct because isolating the affected server from the network stops the spread. Option C is wrong because restoring files does not prevent spread. Option B is wrong because antivirus may not detect unknown ransomware.

Option A is wrong because revoking user access does not stop the ransomware process.

1449
MCQ · medium

A company runs its critical workloads on Azure Kubernetes Service (AKS). The security team wants to use Microsoft Defender for Cloud to protect the AKS clusters. After enabling Defender for Cloud on the subscription, they also need to enable the Defender for Containers plan. Which of the following capabilities becomes available specifically after enabling the Defender for Containers plan (with the plan turned on)?

A. Azure Policy for Kubernetes add-on installation to enforce pod security policies.
B. Kubernetes audit logs are automatically streamed to the Log Analytics workspace.
C. Security alerts for container runtime threats, such as privilege escalation in a container.
D. Integration with Microsoft Sentinel for monitoring AKS logs.
Answer: C

Correct. The plan enables advanced threat detection, generating security alerts based on behavioral analytics of cluster activities.

Why this answer

Option C is correct because enabling the Defender for Containers plan in Microsoft Defender for Cloud activates host-level and cluster-level threat detection for AKS, including runtime threat protection. This allows Defender for Cloud to generate security alerts for container-specific threats such as privilege escalation, container breakout, and suspicious process execution within containers, which are not available with just the basic Defender for Cloud enabled on the subscription.

Exam trap

The trap here is that candidates often confuse the general security monitoring capabilities of Defender for Cloud (like audit log streaming or policy enforcement) with the specific runtime threat detection that only the Defender for Containers plan enables, leading them to select options that are available without the plan or require separate configuration.

How to eliminate wrong answers

Option A is wrong because Azure Policy for Kubernetes add-on installation is a feature of Azure Policy itself, not of the Defender for Containers plan; it can be used to enforce pod security policies (e.g., via built-in initiatives) regardless of whether the Defender for Containers plan is enabled. Option B is wrong because Kubernetes audit logs are automatically streamed to the Log Analytics workspace only if you configure diagnostic settings on the AKS cluster to send them to a Log Analytics workspace; this is not an automatic behavior triggered by enabling the Defender for Containers plan. Option D is wrong because integration with Microsoft Sentinel for monitoring AKS logs is a feature of Sentinel's data connectors, not a capability that becomes available specifically after enabling the Defender for Containers plan; Sentinel can ingest AKS logs via diagnostic settings regardless of the Defender for Containers plan status.

1450
MCQ · medium

You are hunting for signs of Pass-the-Hash attacks using Microsoft Defender for Identity. Which alert should you look for in Microsoft Defender XDR?

A. Honeytoken activity
B. Privilege escalation
C. Suspected brute force attack
D. Suspected overpass-the-hash attack
Answer: D

This alert specifically detects overpass-the-hash (Pass-the-Hash).

Why this answer

Microsoft Defender for Identity has a specific alert for suspected overpass-the-hash (Pass-the-Hash). Option C is for brute force. Option A is for honeytoken activity.

Option B is for privilege escalation. The correct alert is 'Suspected overpass-the-hash attack'.

1451
MCQ · medium

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You recently deployed Microsoft Defender for Identity (MDI) to monitor on-premises domain controllers. The SOC team needs to receive alerts from MDI in Microsoft Sentinel. You have already installed the MDI sensor on all domain controllers and confirmed that the MDI portal shows alerts. However, no MDI alerts appear in Sentinel. The Microsoft Defender for Identity data connector in Sentinel shows 'Connected'. What should you do next?

A. Update the MDI sensor to the latest version.
B. Enable the Microsoft 365 Defender connector in Sentinel, as MDI alerts are ingested through that connector.
C. Reconfigure the MDI data connector to select all alert severities.
D. Check the MDI sensor health status on each domain controller.
Answer: B

MDI alerts are part of Microsoft 365 Defender alerts and require the Microsoft 365 Defender connector.

Why this answer

Option B is correct because MDI alerts are ingested into Sentinel via the Microsoft 365 Defender connector, not the MDI connector directly. The MDI connector is for other data. Option A is not needed; Option D is for sensor health; Option C is incorrect because the connector is already connected.

1452
MCQmedium

A security analyst in Microsoft Defender for Cloud receives an alert that an Azure VM has a vulnerability with a high severity. The analyst wants to see the detailed finding, including the steps to remediate. Which blade or page should the analyst open?

A.Vulnerability Assessment findings
B.Secure Score
C.Regulatory Compliance
D.Workload protections alerts
AnswerA

Correct. The Vulnerability Assessment findings blade lists all discovered vulnerabilities with details and remediation guidance.

Why this answer

The Vulnerability Assessment findings blade in Microsoft Defender for Cloud displays detailed results from integrated vulnerability scanners (such as Qualys or Microsoft Defender Vulnerability Management), including the specific vulnerability ID, severity, description, and remediation steps. This is the correct location to view the detailed finding and remediation guidance for a high-severity vulnerability on an Azure VM.

Exam trap

The trap here is that candidates confuse the 'Workload protections alerts' blade (which shows active threat detections) with the 'Vulnerability Assessment findings' blade (which shows scan results), leading them to select D instead of A.

How to eliminate wrong answers

Option B (Secure Score) is wrong because Secure Score provides an overall security posture rating based on control recommendations, not the detailed vulnerability findings or remediation steps for a specific alert. Option C (Regulatory Compliance) is wrong because Regulatory Compliance shows compliance status against standards like ISO 27001 or SOC 2, not the technical details of a vulnerability finding. Option D (Workload protections alerts) is wrong because that blade lists security alerts (e.g., detected threats), not vulnerability assessment findings; alerts are generated from detections, whereas vulnerability findings come from scanning.

1453
Multi-Selectmedium

Which TWO actions should you take when responding to a confirmed data exfiltration incident involving Microsoft 365? (Choose two.)

Select 2 answers
A.Reset passwords for all users
B.Revoke user sessions in Microsoft Entra ID
C.Review audit logs in Microsoft Purview compliance portal
D.Disable all external sharing in SharePoint
E.Block all access to the tenant
AnswersB, C

Revoking sessions stops ongoing exfiltration.

Why this answer

Option B is correct: contain the activity by revoking user sessions. Option C is correct: investigate by reviewing audit logs to determine scope. Option A is wrong because resetting passwords for all users is excessive.

Option D is wrong because disabling all external sharing is too broad. Option E is wrong because blocking tenant access is disruptive and premature.

1454
MCQeasy

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You need to ensure that data from a specific source is retained for 2 years while other data remains at the default retention. What should you do?

A.Create a custom table for that source and set its retention to 2 years.
B.Adjust the data ingestion settings for that source.
C.Set the workspace retention to 2 years.
D.Configure archiving for that source's data.
AnswerA

Custom tables allow per-table retention policies.

Why this answer

In Microsoft Sentinel, retention is set at the table level. By creating a custom table for the specific data source and configuring its retention period to 2 years, you can override the default workspace retention for that table only. This allows other tables to retain the default retention setting while the custom table retains data for the required duration.

Exam trap

The trap here is that candidates often assume retention is set globally at the workspace level, but Microsoft Sentinel allows per-table retention, which is the correct method for applying different retention policies to different data sources.

How to eliminate wrong answers

Option B is wrong because data ingestion settings (like data source connectors or diagnostic settings) control what data is collected, not how long it is retained. Option C is wrong because setting the workspace retention to 2 years would apply to all tables in the workspace, not just the specific source. Option D is wrong because archiving is a separate tier for older data (e.g., after the interactive retention period ends) and does not set a specific retention duration for a source; it complements retention but does not replace the need for table-level retention configuration.

1455
Multi-Selecthard

Which THREE are valid data connectors in Microsoft Sentinel for ingesting security events from Microsoft 365 services? (Choose three.)

Select 3 answers
A.Microsoft 365 Defender
B.Microsoft Purview
C.Microsoft Intune
D.Microsoft Entra ID
E.Office 365
AnswersA, D, E

Ingests alerts and incidents from Microsoft Defender XDR.

Why this answer

Options A, D, and E are valid connectors. A: Microsoft 365 Defender connector ingests alerts from Defender for Endpoint, Office 365, etc. D: Microsoft Entra ID (formerly Azure AD) connector ingests sign-in logs and audit logs.

E: Office 365 connector ingests Exchange, SharePoint, and Teams logs. Option B is wrong because Microsoft Purview is a compliance portal, not a data connector. Option C is wrong because Microsoft Intune is a device management service; its logs are ingested via other connectors (e.g., Azure AD).

1456
MCQmedium

In Microsoft 365 Defender, an analyst is investigating an incident involving a malicious script. The analyst wants to see the command-line arguments executed by the script on a specific device. Which Advanced Hunting table should the analyst query?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceFileEvents
D.DeviceEvents
AnswerA

This table logs process creation events and includes the command line, allowing the analyst to see executed arguments.

Why this answer

The DeviceProcessEvents table in Advanced Hunting captures process creation events, including the command-line arguments used to execute a process. Since the analyst needs to see the command-line arguments executed by a malicious script on a specific device, querying DeviceProcessEvents is the correct approach because it records the ProcessCommandLine column for each process creation event.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents with DeviceEvents, assuming the latter includes all process-related data, but DeviceEvents is a catch-all for miscellaneous events and does not contain the ProcessCommandLine column.

How to eliminate wrong answers

Option B is wrong because DeviceNetworkEvents logs network connections (e.g., source/destination IPs, ports, protocols) and does not contain command-line arguments. Option C is wrong because DeviceFileEvents records file creation, modification, and deletion events, but does not capture process command-line arguments. Option D is wrong because DeviceEvents is a generic table that includes various system-level events (e.g., security alerts, sensor events) but does not specifically store process command-line arguments; that data is in DeviceProcessEvents.

1457
MCQmedium

Your organization uses Microsoft Defender for Office 365. You need to create a custom alert that triggers when users receive external emails with attachments from untrusted domains. What should you configure?

A.Create an alert policy in Microsoft 365 Defender.
B.Create a mail flow rule in Exchange admin center.
C.Set up a conditional access policy in Microsoft Entra ID.
D.Configure a data sensitivity label in Microsoft Purview.
AnswerA

Alert policies can trigger on email events.

Why this answer

A custom alert policy in Microsoft 365 Defender can be configured to detect when users receive external emails with attachments from untrusted domains. This leverages the built-in threat detection capabilities of Defender for Office 365, allowing you to define conditions such as sender domain reputation and attachment presence, and trigger an alert when the criteria are met.

Exam trap

The trap here is that candidates often confuse alert policies (which detect and notify) with mail flow rules (which enforce actions like blocking or quarantining), leading them to choose Option B when the question specifically asks for creating a custom alert.

How to eliminate wrong answers

Option B is wrong because a mail flow rule (transport rule) in Exchange admin center can block or modify messages based on sender domain or attachment presence, but it cannot generate a custom alert in the Microsoft 365 Defender portal; it only applies actions during message transport. Option C is wrong because a conditional access policy in Microsoft Entra ID controls access to cloud apps based on user, device, or location signals, not email content or attachments from untrusted domains. Option D is wrong because a data sensitivity label in Microsoft Purview is used to classify and protect sensitive data (e.g., via encryption or visual markings), not to detect or alert on external emails with attachments from untrusted domains.

1458
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user has been accessing sensitive data from an anonymous IP address. The user's account appears to be compromised. You need to prevent further data exfiltration. What should you do?

A.Disable the user account in Microsoft Entra ID.
B.Create an IP range policy in Defender for Cloud Apps to block the anonymous IP.
C.Change the user's password and revoke sessions.
D.Suspend the user in Microsoft Defender for Cloud Apps.
AnswerD

Suspending instantly blocks all app access.

Why this answer

Suspending the user in Defender for Cloud Apps immediately blocks all access to cloud apps, preventing data exfiltration. Option C is incorrect because changing the password alone may not terminate existing sessions. Option A is incorrect because disabling the account in Microsoft Entra ID is broader but also effective; however, suspending in Defender for Cloud Apps is more immediate for cloud app access.

Option B is not directly possible.

1459
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to use a Microsoft Copilot for Security to summarize an incident in Microsoft Defender XDR. What is the minimum role required?

A.Security Administrator
B.Reader
C.Security Reader
D.Global Administrator
AnswerC

Security Reader can read security data, which is sufficient for Copilot to summarize.

Why this answer

Option C is correct because the Security Reader role can view incidents but not edit them; Copilot for Security requires at least Security Reader to access incident data. Option D is overly permissive for just viewing summaries. Option A is for managing security settings.

Option B is an Azure role, not a Microsoft 365 role.

1460
MCQhard

You are managing Microsoft Defender XDR. The security team reports that some automated investigations are closing prematurely without sufficient evidence. You need to ensure that investigations only close when a minimum confidence level is reached. What should you modify?

A.Change the action center settings to require manual approval.
B.Modify the tenant-level advanced features in Microsoft Defender XDR.
C.Create a custom detection rule to override default behavior.
D.Adjust the automation level in the Microsoft 365 Defender security settings.
AnswerD

The automation level includes a confidence threshold for automatic closure.

Why this answer

In Defender XDR, you can set the automation level for investigations, including the confidence level required for automatic closure. Option D is correct. Option A is wrong because the action center handles manual actions.

Option B is wrong because it's not a tenant-level setting in that location. Option C is wrong because custom detection rules don't control investigation closure confidence.

1461
Multi-Selecthard

Which THREE actions are appropriate when investigating a potential data exfiltration incident in Microsoft Defender for Cloud Apps?

Select 3 answers
A.Check the device inventory for suspicious applications
B.Use the app dashboard to view unusual behavior alerts
C.Suspend the user's account immediately
D.Check the file policy matches for the user
E.Review the user's activity log in Defender for Cloud Apps
AnswersB, D, E

Dashboard highlights anomalies.

Why this answer

Options B, D, and E are correct. Option E: reviewing the activity log helps identify the scope of exfiltration. Option B: using the app dashboard to see unusual behavior provides context.

Option D: checking the file policy matches shows which files were flagged. Option C is wrong because suspending the user is a containment action, not investigation. Option A is wrong because checking device inventory does not apply to cloud apps.

1462
MCQhard

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You discover that a user is performing unusual bulk downloads from SharePoint. You need to automatically create an incident in Sentinel and suspend the user in Microsoft Entra ID. What should you use?

A.Create a scheduled analytics rule in Sentinel and use automation rules to trigger a playbook that suspends the user.
B.Configure a Microsoft Entra ID Protection policy to require password reset for risky users.
C.Use a playbook triggered by an incident creation rule to suspend the user.
D.Configure a policy in Defender for Cloud Apps with a governance action to suspend the user.
AnswerA

Automation rules run playbooks, which can use Microsoft Graph to suspend the user.

Why this answer

A scheduled analytics rule in Sentinel can detect the unusual bulk download behavior from SharePoint (via ingested logs from Defender for Cloud Apps or Office 365 connector). An automation rule on that analytics rule triggers a playbook (Azure Logic App) that uses the Microsoft Graph API to suspend the user in Microsoft Entra ID, creating an incident automatically as part of the rule's configuration.

Exam trap

The trap here is that candidates assume Defender for Cloud Apps governance actions alone can satisfy both requirements, but they forget that creating a Sentinel incident requires an analytics rule and automation rule orchestration, not just a cloud app policy.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Protection policies focus on sign-in risk and user risk (e.g., leaked credentials, anonymous IP) but do not directly detect bulk download anomalies from SharePoint; they also cannot trigger a Sentinel incident. Option C is wrong because 'incident creation rule' is not a valid Sentinel construct—incidents are created by analytics rules, and playbooks are triggered by automation rules, not by a rule named 'incident creation rule'. Option D is wrong because while Defender for Cloud Apps can apply governance actions (like suspend user) directly, it does not automatically create an incident in Sentinel; the question requires both an incident in Sentinel AND user suspension, which requires the orchestration of a playbook.

1463
MCQmedium

Your organization uses Microsoft Sentinel with the Microsoft Defender for Cloud connector enabled. You receive an incident that alerts on 'Suspicious resource deployment' from a user who has been compromised. The incident involves the deployment of a virtual machine in a subscription that is normally not used by that user. The incident severity is High. You need to contain the threat immediately. The deployment is still in progress. What should you do first?

A.Investigate the Azure Activity logs to see what other resources were deployed.
B.Disable the user account in Microsoft Entra ID.
C.Apply a resource lock to the subscription to block all deployments.
D.Delete the virtual machine that is being deployed.
AnswerC

A resource lock prevents any new resource creation, containing the attack.

Why this answer

Option C is correct because locking the subscription prevents any further resource creation, containing the threat immediately. Option A is wrong because investigating logs takes time. Option D is wrong because deleting the VM may not stop other deployments.

Option B is wrong because disabling the user account does not stop the deployment session.

1464
MCQeasy

During an incident investigation, you find that a user's credentials were used to sign in from an unfamiliar location. You want to force a password reset and revoke all sessions immediately. Which action should you take in the Microsoft 365 Defender portal?

A.Disable the user account in Microsoft Entra ID.
B.Block the user's sign-in from the unfamiliar location via Conditional Access.
C.Use the 'Require password reset' action from the user investigation page.
D.Remove the user's MFA registration to force re-registration.
AnswerC

This action forces a password reset and revokes all current sessions.

Why this answer

Option C is correct because 'Require password reset' in the user investigation section revokes sessions and forces a reset. Option A is wrong because disabling the account blocks access but does not reset credentials. Option B is wrong because blocking sign-in requires additional configuration.

Option D is wrong because removing MFA registration does not reset the password.

1465
MCQmedium

Your organization uses Microsoft Sentinel. A new incident is created from a fusion alert that combines multiple low-severity alerts. The analyst needs to determine the entities involved. What should the analyst review?

A.The Sentinel Overview workbook.
B.The incident's entities tab.
C.The analytics rule that generated the incident.
D.The incident's timeline.
AnswerB

Entities tab shows all related entities.

Why this answer

Option B is correct because the incident entities tab lists all entities (users, IPs, hosts) related to the incident. Option C is wrong because the analytics rule is the source, not the entities. Option A is wrong because the workbook may not show entities for a specific incident.

Option D is wrong because the incident timeline shows events, not entities.

1466
MCQhard

A security team is investigating a ransomware incident that encrypted files on several Windows servers. Microsoft Defender for Endpoint detected the ransomware but the initial infection vector is unknown. Which KQL query in Microsoft Sentinel would BEST identify the initial process that executed the ransomware?

A.DeviceNetworkEvents | where RemoteUrl contains 'malicious' | project DeviceName, RemoteIP, Timestamp
B.DeviceFileEvents | where FileName contains 'ransomware.exe' | project DeviceName, ActionType, Timestamp
C.DeviceProcessEvents | where FileName contains 'ransomware.exe' | project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
D.DeviceEvents | where ActionType == 'RansomwareDetection' | project DeviceName, Timestamp
AnswerC

Shows process creation and the parent process that launched it.

Why this answer

Option C is correct because DeviceProcessEvents tracks process creation events and can trace parent-child relationships. Option B is wrong because DeviceFileEvents tracks file changes, not process creation. Option A is wrong because DeviceNetworkEvents tracks network connections, not processes.

Option D is wrong because DeviceEvents includes various events but does not expose process ancestry as directly.

1467
MCQeasy

A security analyst needs to identify incidents in Microsoft Sentinel that are related to IP addresses known to be associated with a specific threat actor. The analyst has a CSV file containing a list of these IP addresses. Which feature should the analyst use to make this list available for queries in Sentinel?

A.Custom Log
B.Watchlist
C.Threat Intelligence indicator
D.Bookmark
AnswerB

Watchlists allow you to upload CSV lists and make them available as tables that can be referenced in KQL queries, making them the easiest way to use a custom IP list.

Why this answer

A Watchlist in Microsoft Sentinel allows you to import a CSV file containing IP addresses and use it directly in KQL queries via the _GetWatchlist() function. This is the correct feature because it is specifically designed for storing and querying static reference data, such as known threat actor IPs, without requiring custom ingestion or transformation.

Exam trap

The trap here is that candidates often confuse Threat Intelligence indicators with a simple CSV import, but TI indicators require a structured format and integration with a TI platform, whereas a Watchlist is the direct, low-friction solution for static reference data.

How to eliminate wrong answers

Option A is wrong because a Custom Log is used to ingest raw data from a custom source into a Log Analytics workspace, requiring a defined schema and ingestion pipeline; it is not designed for quick, queryable reference lists from a CSV file. Option C is wrong because Threat Intelligence indicators are structured objects (e.g., STIX format) that integrate with threat intelligence platforms and are used for correlation with Sentinel's TI analytics rules, not for importing a simple CSV list of IPs. Option D is wrong because a Bookmark is used to save specific search results or hunting queries for later investigation, not to store or make a static list of IP addresses available for queries.

1468
MCQmedium

Contoso uses Microsoft Sentinel with Microsoft Defender XDR connector. You receive an incident titled 'Malware detected on endpoint' from Microsoft Defender for Endpoint. The incident includes a detailed timeline showing that the malware was downloaded from a malicious URL. You need to respond to the incident using Microsoft Sentinel and Microsoft Defender XDR capabilities. The affected device is a Windows 10 workstation used by a standard user. You have been asked to contain the threat and prevent recurrence. The organization has a policy to preserve evidence for 90 days. Which action should you take FIRST?

A.Reset the user's password and revoke sessions in Microsoft Entra ID.
B.Create a custom detection rule in Microsoft Sentinel for the malicious URL.
C.Block the malicious URL at the firewall using Microsoft Defender for Cloud Apps.
D.Isolate the device using Microsoft Defender for Endpoint device isolation.
AnswerD

Stops the malware from communicating and spreading.

Why this answer

Option D is correct: isolating the device in MDE stops the malware from spreading and communicating with C2. Option A is wrong because resetting the password does not remove malware. Option B is wrong because creating a detection rule is proactive but not immediate.

Option C is wrong because blocking the URL is good but does not contain the already infected device.

1469
MCQmedium

During a threat hunt, you discover that a PowerShell script executed on multiple servers and established outbound connections to an external IP address. Which data source should you query in Microsoft Defender XDR to identify the specific command-line arguments used?

A.DeviceEvents
B.DeviceImageLoadEvents
C.DeviceProcessEvents
D.DeviceNetworkEvents
AnswerC

DeviceProcessEvents includes process creation events with command-line arguments.

Why this answer

Option C is correct because DeviceProcessEvents captures process creation events including command-line arguments. Option D (DeviceNetworkEvents) captures network connections but not command-line arguments. Option A (DeviceEvents) captures various events but not specifically process command lines.

Option B (DeviceImageLoadEvents) captures DLL loads, not command lines.

1470
MCQhard

Your organization uses Microsoft Defender XDR for threat hunting. You suspect a threat actor is using scheduled tasks for persistence. Which hunting query would you use in Microsoft 365 Defender advanced hunting to find newly created scheduled tasks?

A.DeviceEvents | where ActionType == 'ScheduledTaskCreated'
B.DeviceRegistryEvents | where RegistryKey contains 'Tasks'
C.DeviceProcessEvents | where FileName == 'schtasks.exe'
D.DeviceFileEvents | where FolderPath contains 'Tasks'
AnswerA

DeviceEvents captures scheduled task creation actions.

Why this answer

Advanced hunting uses tables like DeviceEvents. Option A is correct because the ScheduledTaskCreated action in DeviceEvents captures scheduled task creation. Option C is incorrect because DeviceProcessEvents records process events, not scheduled tasks.

Option B is incorrect because DeviceRegistryEvents is for registry changes. Option D is incorrect because DeviceFileEvents tracks file creation, not scheduled tasks directly.

1471
MCQhard

Refer to the exhibit. The KQL query is used in a threat hunting campaign. Which of the following best describes the hunting activity this query is designed to detect?

A.Macro-based PowerShell execution from Office documents
B.Encoded PowerShell commands executed from the command line
C.Lateral movement using PowerShell remoting
D.Data exfiltration via PowerShell over HTTP
AnswerA

The query specifically looks for PowerShell spawned from Office apps, indicating macro execution.

Why this answer

Option A is correct because the query detects PowerShell launched from Microsoft Office applications, which is a common technique for macro-based attacks. Option B is incorrect because the query does not filter by encoded command. Option C is incorrect because it does not look for lateral movement.

Option D is incorrect because there is no external IP or network connection in the query.

1472
MCQmedium

An organization uses Microsoft Sentinel to monitor Microsoft Entra ID sign-ins. A SOC analyst creates a scheduled analytics rule that runs every 15 minutes and uses the following KQL query: SigninLogs | where TimeGenerated > ago(30m) | summarize count() by IPAddress | where count_ > 10. The rule is intended to detect brute-force attacks from a single IP address. However, the analyst notices that alerts are generated even when IP addresses are within the company's trusted corporate network range. What is the most appropriate fix to reduce false positives?

A.Modify the query to exclude IP addresses from the corporate network by adding '| where IPAddress notin (dynamic(['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']))' or by using a watchlist
B.Increase the threshold from 10 to 20 failed attempts
C.Decrease the rule's run frequency to every 5 minutes
D.Change the data source to AADNonInteractiveUserSignInLogs
AnswerA

This filters out trusted IP ranges, reducing false positives while retaining detection of external brute-force attempts.

Why this answer

Option A is correct because the query currently counts all sign-in attempts, including those from trusted corporate IP ranges, which generates false positives for brute-force detection. By adding a filter to exclude corporate IP addresses (e.g., RFC 1918 ranges) or using a watchlist, the rule only alerts on external IPs that exceed the threshold, reducing noise. This directly addresses the root cause—internal traffic being incorrectly flagged—without altering detection logic or data sources.

Exam trap

The trap here is that candidates may think increasing the threshold (Option B) is a valid tuning approach, but it fails to address the root cause—internal IPs being included—and instead reduces detection sensitivity for all IPs, which is not a targeted fix.

How to eliminate wrong answers

Option B is wrong because increasing the threshold to 20 does not exclude corporate IPs; it only reduces sensitivity, potentially missing real attacks from external IPs while still generating alerts for high-volume internal traffic. Option C is wrong because decreasing the run frequency to 5 minutes does not filter out corporate IPs; it only increases query execution rate, which may cause performance issues and still produce false positives from internal addresses. Option D is wrong because changing the data source to AADNonInteractiveUserSignInLogs targets non-interactive sign-ins (e.g., service principals), which are irrelevant to user-based brute-force attacks and would not resolve false positives from corporate IPs in interactive sign-in logs.
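As an added example that is not part of the question bank, the tuned rule query for question 1472 written out in full, combining the two exclusion approaches the explanation names (a static RFC 1918 list and a watchlist read with _GetWatchlist(), the function question 1467 refers to). Assumptions: a watchlist aliased CorpIPRanges with a column IPRange holding CIDR strings, and that the rule should count only failed sign-ins; note that a plain notin() against CIDR strings compares whole strings, so ranges are tested with ipv4_is_in_any_range() instead.

```kusto
// Added example: scheduled analytics rule query for brute-force detection
// that excludes trusted corporate address space (not the page's own query).
let lookback = 30m;                      // matches the rule's ago(30m) window
let threshold = 10;                      // matches the original count_ > 10
// Static RFC 1918 ranges. 'notin' would only do exact string matches against
// these CIDR strings, so ipv4_is_in_any_range() is used for real range tests.
let privateRanges = dynamic(["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]);
// Corporate public egress ranges maintained as a Sentinel watchlist.
// Assumed watchlist alias 'CorpIPRanges' with a CIDR column 'IPRange'.
let corpRanges = toscalar(
    _GetWatchlist('CorpIPRanges')
    | summarize make_list(IPRange));
SigninLogs
| where TimeGenerated > ago(lookback)
// ResultType is a string in SigninLogs; "0" is a successful sign-in.
// Counting only failures keeps busy NAT addresses from tripping the rule.
| where ResultType != "0"
| where not(ipv4_is_in_any_range(IPAddress, privateRanges))
| where not(ipv4_is_in_any_range(IPAddress, corpRanges))
| summarize
    FailedAttempts = count(),
    TargetedUsers  = dcount(UserPrincipalName),
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated)
    by IPAddress
| where FailedAttempts > threshold
| order by FailedAttempts desc
```

TargetedUsers helps triage: many failures against one account looks like brute force, while a few failures spread across many accounts looks like password spraying.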

1473
MCQhard

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. The data connector shows 'Connected' but no events are being received. You have verified network connectivity and firewall configuration. What should you check next?

A.Validate that the Data Collection Rule (DCR) is properly configured to ingest the Syslog facility and severity.
B.Verify that the connector has the necessary OAuth permissions in Microsoft Entra ID.
C.Check that the user who configured the connector has the Microsoft Sentinel Contributor role.
D.Ensure the firewall is registered in Azure Policy as a compliant resource.
AnswerA

The DCR defines how logs are ingested; if misconfigured, events may not appear.

Why this answer

Option A is correct because when a Syslog data connector shows 'Connected' but no events are received, the most common cause is a misconfigured Data Collection Rule (DCR). The DCR defines which Syslog facilities and severities to collect; if it does not match the firewall's actual Syslog output (e.g., facility 'local0' with severity 'informational'), events will be filtered out before ingestion. Network connectivity and firewall configuration are already verified, so the DCR is the next logical check.

Exam trap

The trap here is that candidates assume 'Connected' means data is flowing, but in Syslog connectors, 'Connected' only indicates the agent can reach the Log Analytics workspace—the DCR's filtering logic is the hidden gate that stops events from being ingested.

How to eliminate wrong answers

Option B is wrong because Syslog data connectors do not use OAuth permissions; they rely on the Log Analytics agent or Azure Monitor Agent (AMA) and a DCR, not Microsoft Entra ID authentication. Option C is wrong because the connector configuration does not require the user to have the Microsoft Sentinel Contributor role; the connector setup uses the Log Analytics workspace permissions, and the role is irrelevant to event ingestion. Option D is wrong because Azure Policy compliance is unrelated to Syslog ingestion; firewalls are not registered in Azure Policy as resources, and policy compliance does not affect data flow from on-premises or third-party devices.

1474
MCQmedium

A company has enabled Microsoft Defender for Cloud on multiple Azure subscriptions. The security team wants to view a unified security score that aggregates the scores from all subscriptions. Which feature should they use?

A.Azure Policy compliance dashboard
B.Secure Score dashboard
C.Security alerts dashboard
D.Workload protection dashboard
AnswerB

This dashboard aggregates scores from multiple subscriptions into a single metric.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud aggregates the security scores from all selected subscriptions into a single, unified score. This allows the security team to view the overall security posture across multiple Azure subscriptions at a glance, based on the compliance status of security recommendations.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard with the Security alerts dashboard, thinking alerts contribute to the score, but the Secure Score is purely based on recommendation compliance, not active threats.

How to eliminate wrong answers

Option A is wrong because the Azure Policy compliance dashboard shows the compliance state of resources against assigned policies, not a unified security score. Option C is wrong because the Security alerts dashboard lists active security alerts and incidents, not aggregated security scores. Option D is wrong because the Workload protection dashboard focuses on the coverage and status of workload protection plans (e.g., Defender for Servers, Defender for SQL), not a consolidated security score.

1475
MCQhard

An analyst is investigating a sophisticated attack involving a compromised device. The analyst has identified a malicious process that spawned multiple child processes. The analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a specific parent process creates a child process that makes an outbound network connection to any IP not in the organization's internal range. Which KQL query and rule type should the analyst use?

A.Create a custom detection rule (Advanced Hunting rule) with a query that joins DeviceProcessEvents and DeviceNetworkEvents, filtering for the parent process and external IP addresses
B.Create a scheduled rule in Sentinel and export the data from M365 Defender
C.Use a custom detection rule with DeviceEvents only
D.Use a Microsoft Defender for Endpoint custom detection rule (built-in) that already detects child process connections
AnswerA

Correct. Custom detection rules in M365 Defender allow multi-table joins and scheduled alerting, exactly what this scenario requires.

Why this answer

Option A is correct because the analyst needs to correlate process creation events with network connection events across two separate tables (DeviceProcessEvents and DeviceNetworkEvents) in Advanced Hunting. A custom detection rule (Advanced Hunting rule) in Microsoft 365 Defender allows joining these tables to identify when a specific parent process spawns a child that makes an outbound connection to an external IP address, which is exactly the required detection logic.

Exam trap

The trap here is that candidates may think DeviceEvents contains all necessary telemetry or that a built-in rule already covers this specific scenario, but they must recognize that joining two distinct tables (DeviceProcessEvents and DeviceNetworkEvents) in an Advanced Hunting custom detection rule is required to correlate process creation with outbound network connections.

How to eliminate wrong answers

Option B is wrong because creating a scheduled rule in Sentinel and exporting data from M365 Defender is unnecessary and inefficient; the detection can be built natively within Microsoft 365 Defender using Advanced Hunting rules without exporting data. Option C is wrong because DeviceEvents alone do not contain network connection details (like destination IP addresses) needed to filter for external IPs; DeviceNetworkEvents is required for that data. Option D is wrong because there is no built-in custom detection rule in Microsoft Defender for Endpoint that specifically detects child process connections to external IPs; the analyst must create a custom rule.
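One way to express that detection as an advanced hunting query, written here as an added example rather than code from the page or from Microsoft. The parent process name (winword.exe), the 10-minute window and the use of RemoteIPType == "Public" as the test for "outside the internal range" are assumptions; Timestamp, DeviceId and ReportId are projected in the output because a device-scoped custom detection rule requires them:

```kusto
// Added example: a parent of interest spawns a child that then connects to an external IP.
// Assumptions: parent = winword.exe, 10-minute window, RemoteIPType "Public" means external.
let lookback = 1d;
let parent = "winword.exe";
let window = 10m;
let spawned =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName =~ parent
    | project DeviceId, DeviceName, ReportId,
              ParentName = InitiatingProcessFileName,
              ChildPid = ProcessId, ChildStart = ProcessCreationTime,
              ChildName = FileName, ChildCmd = ProcessCommandLine,
              SpawnTime = Timestamp;
let connections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | where RemoteIPType == "Public"
    | project DeviceId,
              ChildPid = InitiatingProcessId, ChildStart = InitiatingProcessCreationTime,
              RemoteIP, RemotePort, RemoteUrl, ConnectTime = Timestamp;
spawned
// joining on the child's creation time as well as its PID avoids matching a reused PID
| join kind=inner connections on DeviceId, ChildPid, ChildStart
| where ConnectTime between (SpawnTime .. (SpawnTime + window))
| project Timestamp = ConnectTime, DeviceId, DeviceName, ReportId,
          ParentName, ChildName, ChildCmd, RemoteIP, RemotePort, RemoteUrl
```

If the organization routes traffic through public address space it considers internal, replace the RemoteIPType test with an explicit exclusion such as not(ipv4_is_in_any_range(RemoteIP, dynamic([...]))) over the organization's own ranges.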

1476
MCQmedium

A security analyst uses Microsoft Sentinel to investigate an incident involving data exfiltration from Azure Blob Storage. The analyst needs to determine which user accessed the storage account and from which IP address. Which data source should the analyst query?

A.Azure AD sign-in logs
B.Azure Activity logs
C.Azure Security Center alerts
D.Azure Monitor metrics
AnswerB

Of the listed sources, the Activity log is the one that records operations against the storage account together with the caller and the caller's IP address.

Why this answer

Option B is correct because the Azure Activity log records operations performed on the storage account resource together with the caller identity and source IP (the Caller and CallerIpAddress columns of the AzureActivity table), so it is the listed source that ties a user to the storage account. Be aware that the Activity log is a control-plane record: it does not log individual blob reads or downloads. To see which blobs were read, by whom and from where, storage resource logs must be enabled through diagnostic settings and sent to the workspace (the StorageBlobLogs table); that is the source a hunter would use to scope the actual exfiltration. Option A is wrong because Azure AD sign-in logs show authentication to Azure AD, not which storage account was accessed. Option C is wrong because Azure Security Center (now Defender for Cloud) alerts flag suspicious activity but are not an access log.

Option D is wrong because Azure Monitor metrics are aggregated counters (transactions, ingress, egress) and do not identify the user or IP behind an operation.

1477
MCQmedium

Your organization uses Microsoft Defender for Cloud. You need to recommend a solution to automatically remediate misconfigurations in Azure VMs without manual intervention. What should you use?

A.Use Azure Advisor recommendations
B.Configure Azure Backup
C.Set up Update Management in Azure Automation
D.Enable 'Remediate' option in Defender for Cloud recommendations
AnswerD

Applies the recommendation's remediation for you, with Azure Policy enforcing it for new resources.

Why this answer

Option D is correct. Defender for Cloud recommendations that support it offer a 'Fix' (quick fix) action that applies the remediation script for you, and the 'Enforce' action deploys an Azure Policy assignment with the deployIfNotExists effect so resources that drift later are remediated automatically; together these cover the scenario without manual intervention. Option A is wrong because Azure Advisor only lists recommendations; it does not apply them.

Option B is wrong because Azure Backup is for backup and restore, not configuration remediation. Option C is wrong because Update Management handles OS patching only, not the broader set of misconfigurations that Defender for Cloud recommendations cover.

1478
MCQeasy

Your organization has recently deployed Microsoft Sentinel and Microsoft Defender XDR. You are tasked with configuring the environment to ensure that incidents created by Microsoft Defender for Cloud Apps are automatically synchronized to Microsoft Sentinel. The security operations team wants to manage all incidents from within Sentinel. You have already connected the Microsoft Defender XDR connector to Sentinel. However, you notice that incidents from Defender for Cloud Apps are not appearing in Sentinel. You verify that the Defender for Cloud Apps connector is not listed in the data connectors blade. What should you do to resolve this issue?

A.Enable the Microsoft Sentinel integration in the Defender for Cloud Apps portal.
B.Configure a data collection rule in Microsoft Purview to forward alerts to Sentinel.
C.Install the Microsoft Defender for Cloud Apps connector from Sentinel data connectors.
D.Ensure the Microsoft Defender XDR connector is configured to include Defender for Cloud Apps incidents.
AnswerD

The Defender XDR connector automatically includes incidents from Defender for Cloud Apps.

Why this answer

When Microsoft Defender XDR connector is enabled in Sentinel, it can ingest incidents from all Microsoft Defender products, including Defender for Cloud Apps, provided the connector's configuration includes the option to synchronize those incidents. Since the Defender for Cloud Apps connector is not listed separately, the correct approach is to verify and adjust the Microsoft Defender XDR connector's settings to include Defender for Cloud Apps incidents. Option D directly addresses this by ensuring the existing connector is configured to forward those incidents.

Exam trap

The trap here is that candidates assume each Microsoft Defender product requires its own dedicated data connector in Sentinel, when in fact the Microsoft Defender XDR connector serves as the unified ingestion point for all Defender incidents, including those from Defender for Cloud Apps.

How to eliminate wrong answers

Option A is wrong because enabling the Sentinel integration in the Defender for Cloud Apps portal is used to send alerts from Defender for Cloud Apps to Sentinel via a legacy method, but when the Microsoft Defender XDR connector is already connected, incidents flow through the unified Microsoft 365 Defender pipeline, not through a separate portal toggle. Option B is wrong because data collection rules in Microsoft Purview are used for managing data lifecycle and compliance, not for forwarding security alerts or incidents to Sentinel. Option C is wrong because the Defender for Cloud Apps connector is not listed in the data connectors blade; this indicates that incidents from Defender for Cloud Apps are ingested through the Microsoft Defender XDR connector, not through a standalone connector.

1479
MCQeasy

In Microsoft Defender for Cloud, what does the Secure Score represent?

A.The number of currently active security alerts.
B.The percentage of compliance with the Azure Security Benchmark.
C.The overall security posture of your resources, based on implemented security controls and recommendations.
D.The number of VMs that have been assessed for vulnerabilities.
AnswerC

Secure Score is a percentage (0-100%) that reflects how well you have implemented security best practices.

Why this answer

The Secure Score in Microsoft Defender for Cloud is a numeric representation of your overall security posture, calculated based on the implementation of security controls and the remediation of recommendations. It aggregates the status of all assessed resources against security best practices, providing a single score that reflects how well you are protecting your workloads. This score helps prioritize actions to improve security, as each recommendation contributes a specific number of points toward the total possible score.

Exam trap

The trap here is that candidates often confuse the Secure Score with a simple compliance percentage or a count of alerts, but Microsoft specifically designed it as a posture metric that reflects the implementation of security controls, not just compliance with a single benchmark or the number of threats detected.

How to eliminate wrong answers

Option A is wrong because the Secure Score does not represent the number of active security alerts; active alerts are tracked separately in the Security Alerts dashboard and do not directly influence the score calculation. Option B is wrong because while the Secure Score is aligned with the Azure Security Benchmark, it is not a percentage of compliance with that benchmark; instead, it is a weighted score based on the implementation of security controls and recommendations across multiple benchmarks and standards. Option D is wrong because the Secure Score is not limited to VM vulnerability assessments; it encompasses all supported resource types (e.g., storage accounts, SQL servers, containers) and their associated security controls.

1480
MCQeasy

A SOC analyst wants to create a visual dashboard in Microsoft Sentinel to monitor sign-in activity trends over the past 30 days. Which feature should the analyst use?

A.Analytics rules
B.Workbooks
C.Playbooks
D.Threat Intelligence
AnswerB

Workbooks allow creation of visual dashboards and reports using KQL queries on ingested data.

Why this answer

Workbooks in Microsoft Sentinel provide a flexible canvas for creating custom visual dashboards using Azure Monitor Workbooks. They allow the analyst to query Log Analytics workspaces (e.g., SigninLogs table) and render time-series charts, trend lines, and other visualizations to monitor sign-in activity over the past 30 days. This is the correct feature for building a visual dashboard.

Exam trap

The trap here is that candidates often confuse Workbooks with Analytics rules, thinking that detection rules can also produce visual dashboards, but Analytics rules are solely for alert generation, not visualization.

How to eliminate wrong answers

Option A is wrong because Analytics rules are used to generate alerts and incidents based on threat detection logic, not to create visual dashboards or trend charts. Option C is wrong because Playbooks are automated response workflows (based on Azure Logic Apps) triggered by alerts or incidents, not a dashboarding or visualization tool. Option D is wrong because Threat Intelligence is a data source and management feature for ingesting and correlating threat indicators, not a feature for building visual dashboards.

1481
MCQmedium

A security analyst is investigating a phishing campaign targeting multiple users. The analyst has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to any user and contained this specific attachment. Which advanced hunting table should the analyst query in Microsoft 365 Defender to obtain the message IDs of emails containing the attachment?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailPostDeliveryEvents
D.DeviceFileEvents
AnswerB

Correct. This table stores each attachment's details (filename, SHA256, size) and links them to the email's NetworkMessageId. Filtering on the SHA256 hash yields the relevant message IDs.

Why this answer

The EmailAttachmentInfo table in Microsoft 365 Defender advanced hunting contains metadata about attachments on email messages, including the SHA256 hash of each attachment. By querying this table with the known malicious SHA256 hash, the analyst can retrieve the NetworkMessageId values for all emails that contained that specific attachment, regardless of whether the email was delivered or blocked.

Exam trap

The trap here is that candidates often confuse EmailAttachmentInfo with EmailEvents, mistakenly thinking that EmailEvents contains attachment details, when in fact EmailEvents only provides delivery-level metadata and requires a join to access attachment-specific information.

How to eliminate wrong answers

Option A is wrong because EmailEvents contains information about email delivery events (e.g., send, receive, deliver, fail) but does not include attachment metadata such as SHA256 hashes; it only provides the NetworkMessageId, which can then be joined with EmailAttachmentInfo. Option C is wrong because EmailPostDeliveryEvents records actions taken after delivery (e.g., user clicks, ZAP actions) and does not contain attachment hash information. Option D is wrong because DeviceFileEvents tracks file events on endpoints (e.g., file creation, modification) and is not related to email attachments in transit; it would only show files after they have been saved to a device.
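The join the explanation describes, as an added example that is not part of the page: EmailAttachmentInfo is filtered on the hash, then joined to EmailEvents on NetworkMessageId and recipient (each recipient is a separate row in both tables) so the per-recipient delivery outcome is visible. The hash value is a placeholder to be replaced with the real indicator; the 30-day lookback is an assumption.

```kusto
// Added example: every message that carried the attachment with this SHA-256,
// with the per-recipient delivery outcome from EmailEvents.
let bad_sha256 = "<sha256-of-the-malicious-attachment>";   // placeholder, not a real indicator
let lookback = 30d;
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where SHA256 =~ bad_sha256
| project NetworkMessageId, RecipientEmailAddress, FileName, FileType, ThreatTypes
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Subject,
              Received = Timestamp, DeliveryAction, DeliveryLocation,
              LatestDeliveryAction, LatestDeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress
| summarize
    Recipients      = make_set(RecipientEmailAddress),
    StillInMailbox  = countif(LatestDeliveryLocation == "Inbox/folder"),  // candidates for manual purge
    Blocked         = countif(DeliveryAction == "Blocked"),
    FirstSeen       = min(Received)
  by NetworkMessageId, SenderFromAddress, Subject, FileName
| order by FirstSeen asc
```

LatestDeliveryLocation reflects post-delivery actions such as ZAP, so the StillInMailbox count is the set of recipients who still need a response action rather than everyone who originally received the message.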

1482
MCQmedium

Your organization uses Microsoft Defender XDR. You need to ensure that when a user reports a phishing email in Outlook, it automatically triggers an investigation in Microsoft Defender XDR. What should you configure?

A.Enable user-reported message settings in Microsoft Defender for Office 365 and configure automated investigation.
B.Create a playbook in Microsoft Sentinel triggered by a custom connector.
C.Configure a data loss prevention policy in Microsoft Purview.
D.Set up a session policy in Microsoft Defender for Cloud Apps.
AnswerA

User-reported messages can trigger automated investigation and response.

Why this answer

Option A is correct because Microsoft Defender for Office 365 processes user-reported messages (the Report Message add-in or the built-in Outlook report button) and, when automated investigation and response (AIR) is enabled, a user-reported phishing message starts an automated investigation whose results appear in Defender XDR. Option B is incorrect because Microsoft Sentinel is not directly integrated with Outlook reporting; a playbook would be an indirect workaround at best.

Option C is incorrect because Microsoft Purview DLP policies govern data handling and do not act on phishing reports. Option D is incorrect because Defender for Cloud Apps session policies control access to cloud apps, not email investigation.

1483
Multi-Selecthard

Which THREE of the following are valid incident management capabilities in Microsoft Sentinel? (Choose three.)

Select 3 answers
A.Assign incidents to analysts or teams
B.Classify incidents as true positive, false positive, or benign positive
C.Merge related incidents into a single incident
D.Create playbooks to automate incident response
E.Create workbooks to visualize incident trends
AnswersA, B, C

Assignment is an incident management capability.

Why this answer

The correct answers are A, B, and C. Incident classification, assignment, and merging are all incident management capabilities. Option D is wrong because playbook creation is not incident management; it's automation.

Option E is wrong because workbook creation is for reporting, not incident management.

1484
MCQmedium

A company uses Microsoft Defender for Cloud to protect their Azure resources. They have enabled the enhanced security features on a subscription that contains several Azure SQL databases. They want to be alerted if a user attempts to perform SQL injection attacks against these databases. Which Defender for Cloud plan specifically enables SQL injection detection alerts?

A.Defender for Servers
B.Defender for SQL
C.Defender for App Service
D.Defender for Storage
AnswerB

Defender for SQL is the plan that provides security alerts for SQL databases, including SQL injection attempts.

Why this answer

Defender for SQL is the specific Microsoft Defender for Cloud plan that provides SQL-specific threat detection, including alerts for SQL injection attacks. This plan monitors SQL databases for anomalous activities such as SQL injection attempts, brute-force attacks, and unusual access patterns by analyzing query logs and audit records. Enabling Defender for SQL on the subscription activates these detection capabilities for Azure SQL databases, making it the correct choice for the scenario.

Exam trap

The trap here is that candidates may confuse Defender for App Service with SQL injection detection because App Service can host web applications that are vulnerable to SQL injection, but the question specifically asks for the plan that enables detection alerts against the SQL databases themselves, not the web layer.

How to eliminate wrong answers

Option A is wrong because Defender for Servers focuses on protecting virtual machines and servers, not Azure SQL databases, and does not include SQL injection detection. Option C is wrong because Defender for App Service is designed to protect web applications and APIs running on Azure App Service, not SQL databases, and its threat detection centers on web application attacks like DDoS or cross-site scripting. Option D is wrong because Defender for Storage protects Azure Blob Storage, Azure Files, and Azure Data Lake Storage from threats like malware uploads or anonymous access, but it does not monitor SQL databases or detect SQL injection attacks.

1485
MCQeasy

In Microsoft 365 Defender, after an automated investigation completes, where can an analyst review the specific remediation actions that were taken (e.g., file quarantine, device isolation)?

A.Incident timeline
B.Action center
C.Threat analytics
D.Device inventory
AnswerB

The Action center lists all remediation actions (pending, approved, or rejected) from automated investigations and manual response actions, making it the correct place to review actions taken.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location where all manual and automated remediation actions (such as file quarantine, device isolation, and process termination) are tracked and can be reviewed or approved. After an automated investigation completes, the specific actions taken are recorded in the Action center's history tab, allowing analysts to see exactly what was executed and the outcome. This is distinct from the Incident timeline, which shows alerts and events but not the detailed remediation action records.

Exam trap

The trap here is that candidates confuse the Incident timeline (which shows investigation steps and alerts) with the Action center (which is the sole location for reviewing and managing remediation actions), leading them to select the Incident timeline instead of the correct Action center.

How to eliminate wrong answers

Option A is wrong because the Incident timeline displays alerts, events, and investigation steps in chronological order, but it does not provide a dedicated view of remediation actions taken; those actions are logged in the Action center. Option C is wrong because Threat analytics provides threat intelligence, vulnerability reports, and mitigation guidance, not a record of specific remediation actions performed on endpoints. Option D is wrong because Device inventory lists managed devices and their properties (e.g., OS, health status) but does not show remediation actions like file quarantine or device isolation.

1486
Multi-Selecteasy

A threat hunter wants to use Jupyter Notebooks in Microsoft Sentinel for hypothesis-driven hunting. Which THREE steps should the hunter take to set up and use this capability?

Select 3 answers
A.Enable Machine Learning-based analytics in Microsoft Sentinel under 'Entity behavior' settings
B.Provision an Azure Machine Learning (AML) workspace in the same subscription
C.Install the MSTICpy Python library on each hunting analyst's workstation
D.Connect Microsoft Sentinel to the AML workspace using the 'Notebooks' blade in Sentinel
E.Create a PowerShell runbook to automate notebook execution
AnswersA, B, D

This enables the notebooks feature.

Why this answer

Enabling ML-based analytics in Microsoft Sentinel is the first step; provisioning an Azure Machine Learning workspace is required because Sentinel notebooks execute on AML compute; connecting Sentinel to that workspace from the Notebooks blade is the final step before the notebooks can query the workspace. Option C is not required because MSTICpy is installed in the notebook's Python environment on the AML compute, not on each analyst's workstation. Option E is wrong because notebooks are run interactively from the AML workspace (MSTICpy issues KQL against the Log Analytics workspace); a PowerShell runbook is not part of the setup.

1487
Multi-Selecteasy

Which TWO data sources in Microsoft Sentinel are most valuable for hunting for command-and-control (C2) communications? (Choose two.)

Select 2 answers
A.Windows Event Logs (e.g., Security, System)
B.Azure Activity log
C.DNS logs (e.g., from DNS servers or Azure DNS Analytics)
D.Syslog from Linux servers
E.Network traffic logs (e.g., from firewalls or network security groups)
AnswersC, E

DNS queries to known malicious domains indicate C2.

Why this answer

C2 traffic shows up as beaconing connections to attacker infrastructure and as DNS lookups for attacker domains, so options C and E are correct. Option A is incorrect because Windows event logs record host activity (logons, process creation) and only indirectly reflect outbound traffic.

Option B is incorrect because the Azure Activity log covers the management plane, not network traffic. Option D is incorrect because syslog from Linux servers captures host messages and does not reliably record network connections unless a network service specifically logs them.

1488
MCQeasy

A company uses Microsoft Defender for Cloud to secure its Azure environment. The security team wants to receive notifications via email whenever a high-severity security alert is generated. What should they configure in Defender for Cloud?

A.Enable the 'Continuous Export' feature to send alerts to a Log Analytics workspace.
B.Configure an alert rule in Azure Monitor.
C.Set up email notifications for high-severity alerts in the Defender for Cloud environment settings.
D.Create an automation rule in Microsoft Sentinel.
AnswerC

This is the correct approach. In Defender for Cloud, you can configure email notifications under the environment settings to send alerts to specified security contacts.

Why this answer

Option C is correct because Defender for Cloud provides a built-in email notification configuration specifically for security alerts. By navigating to the 'Environment settings' for the subscription or management group, then selecting 'Email notifications', you can enable and configure alerts to be sent to specified recipients when high-severity alerts are generated. This is the direct, purpose-built method for email notification of Defender for Cloud alerts without requiring additional services.

Exam trap

The trap here is that candidates often confuse the purpose of 'Continuous Export' (which is for data export, not direct notification) or assume that Azure Monitor alert rules are the universal mechanism for all Azure alerts, overlooking Defender for Cloud's dedicated email notification settings.

How to eliminate wrong answers

Option A is wrong because 'Continuous Export' streams security alerts and recommendations to a Log Analytics workspace or Event Hubs for integration with other tools (e.g., SIEM), but it does not directly send email notifications; it requires additional logic (e.g., Azure Monitor alerts or Logic Apps) to trigger emails. Option B is wrong because Azure Monitor alert rules are designed for metrics, logs, and activity logs, not for Defender for Cloud security alerts; while you can create a custom alert rule using Log Analytics data if Continuous Export is enabled, this is an indirect, extra-step approach, not the native configuration for Defender for Cloud email notifications. Option D is wrong because automation rules in Microsoft Sentinel are used to automate incident management and response within Sentinel, not to configure email notifications for Defender for Cloud alerts; Sentinel can ingest Defender for Cloud alerts, but the email notification setting is a Defender for Cloud feature, not a Sentinel one.

1489
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that all incidents are classified with a specific classification when closed. The classification must be chosen from a predefined list. What should you configure?

A.Modify the analytics rule to require classification.
B.Create a playbook that validates classification before closure.
C.Create an automation rule that enforces classification on closure.
D.Configure incident settings in Sentinel to define custom classifications.
AnswerD

Correct: Sentinel allows you to define custom classifications.

Why this answer

Option D is correct because the classification list is defined in the Sentinel settings under 'Incident settings'. Option A is wrong because analytics rules decide when incidents are created; they do not handle closure. Option B is wrong because a playbook can set a classification on an incident but does not define the list of allowed values.

Option C is wrong because an automation rule can set a classification when it closes an incident (through its 'Change status' action) but it does not define the list either.

1490
Multi-Selecteasy

Which TWO tables in Microsoft Defender XDR advanced hunting are most useful for detecting data exfiltration attempts? (Select two.)

Select 2 answers
A.DeviceProcessEvents
B.DeviceNetworkEvents
C.CloudAppEvents
D.EmailEvents
E.DeviceInfo
AnswersB, C

Shows outbound connections to unusual destinations.

Why this answer

Options B and C are correct. DeviceNetworkEvents shows outbound connections from endpoints (remote IP, port and URL, and the initiating process); CloudAppEvents shows cloud app activity such as bulk downloads, external sharing and uploads. Option A (DeviceProcessEvents) shows process creation, D (EmailEvents) shows mail flow, and E (DeviceInfo) is device inventory; each may support an investigation but none directly shows data leaving the environment.

1491
MCQhard

Refer to the exhibit. This KQL query is used for threat hunting in Microsoft Defender XDR. What is the primary goal of this query?

A.Detect brute force attacks by correlating multiple users from the same IP.
B.Identify logons from unusual geographic locations.
C.Find users with an unusually high number of successful logons compared to their own baseline.
D.Identify users with failed logon attempts exceeding a threshold.
AnswerC

Anomaly detection based on user's historical average.

Why this answer

The query calculates a per-user baseline of daily logon counts over 30 days, then flags users whose logon count in the last day exceeds their own mean by more than 2 standard deviations. Option C is correct. Option A is incorrect because the query baselines each user individually; it does not correlate multiple users from one IP.

Option B is incorrect because the query does not use location at all. Option D is incorrect because it counts successful logons, not failed ones, and compares against a per-user baseline rather than a fixed threshold.
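The exhibit is not reproduced on this page, so the following is an added example of the logic the explanation describes, not the exam's query. It is written against DeviceLogonEvents; the 30-day lookback, the 2-sigma threshold, the successful-logon filter and the requirement for at least 7 days of history per user are assumptions.

```kusto
// Added example: per-user daily logon baseline with a 2-sigma threshold.
// Assumptions: 30-day lookback, successful logons only, >= 7 days of history per user.
let lookback = 30d;
let sigma = 2.0;
let min_history_days = 7;
let daily =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where AccountName !endswith "$"             // skip computer accounts
    | summarize Logons = count() by AccountName, Day = startofday(Timestamp);
let today = startofday(now());
let baseline =
    daily
    | where Day < today                           // history only; today's count is what we test
    | summarize Mean = avg(Logons), Sd = stdev(Logons), DaysSeen = count() by AccountName
    | where DaysSeen >= min_history_days;         // too little history makes stdev meaningless
daily
| where Day == today
| join kind=inner baseline on AccountName
| extend ZScore = (Logons - Mean) / iff(Sd == 0, 1.0, Sd)   // guard against a flat baseline
| where Logons > Mean + sigma * Sd
| project AccountName, Today = Logons, Mean = round(Mean, 1), Sd = round(Sd, 1),
          ZScore = round(ZScore, 2), DaysSeen
| order by ZScore desc
```

Days on which a user had no logons produce no row in daily, so the baseline ignores zero days and the mean is slightly inflated; if that matters, build the series with make-series and default=0 so quiet days count.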

1492
MCQhard

An analyst runs this advanced hunting query to investigate suspicious command-line activity. Which type of activity is this query most likely detecting?

A.Execution of obfuscated scripts via encoded commands
B.Data exfiltration to external IPs
C.Privilege escalation attempts
D.Port scanning activity
AnswerA

The -enc flag indicates base64-encoded commands used for obfuscation.

Why this answer

Option A is correct because -enc (short for -EncodedCommand) passes a base64-encoded script to PowerShell and is commonly used to hide the real command line from simple string matching. Option D is wrong because port scanning does not involve encoded commands. Option B is wrong because data exfiltration typically shows up as network connections, not encoded commands.

Option C is wrong because privilege escalation is not directly indicated by encoded commands.
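A hunting query for this pattern that also decodes the payload, written as an added example (the page does not reproduce the exam's query). PowerShell accepts any unambiguous prefix of -EncodedCommand, and the argument is base64 of UTF-16LE text, so ASCII scripts decode to characters interleaved with NUL bytes that must be stripped. The 7-day lookback and the keyword list are assumptions.

```kusto
// Added example: surface PowerShell launched with an encoded command and decode it.
let lookback = 7d;
let suspicious_terms = dynamic(["IEX", "Invoke-Expression", "DownloadString", "DownloadFile",
                                "FromBase64String", "Net.WebClient", "Invoke-WebRequest",
                                "-nop", "bypass", "hidden", "Reflection.Assembly"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// -e, -ec, -enc, ... -encodedcommand followed by a base64 blob of at least 20 characters
| extend Encoded = extract(@"(?i)(?:^|\s)-e[a-z]{0,13}\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(Encoded)
// base64 -> UTF-16LE; for ASCII payloads every other byte is 0x00, so strip NULs.
// Non-ASCII payloads are not valid UTF-8 after decoding and come back empty.
| extend Decoded = replace_regex(base64_decode_tostring(Encoded), @"\x00", "")
| extend Suspicious = Decoded has_any (suspicious_terms)
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName,
          FileName, Suspicious, Decoded, ProcessCommandLine
| order by Suspicious desc, Timestamp desc
```

Keep the decoded text in the output: the encoded form is what evaded the string match, but the decoded form is what an analyst (or a second-stage query) can pivot on.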

1493
MCQmedium

Your organization has Microsoft Sentinel deployed in a central Log Analytics workspace. You have a custom analytics rule that detects brute-force attacks against Azure AD by counting failed sign-ins from the same IP address within 5 minutes. The rule currently generates an incident for every 10 failed attempts. During a recent incident, a single IP address generated over 200 failed sign-ins in 10 minutes, resulting in 20 separate incidents. The SOC team is overwhelmed and wants to reduce the number of incidents without lowering the detection threshold. You need to modify the rule to generate only one incident per IP address within a 1-hour window. What should you do?

A.Enable alert suppression in the analytics rule for 1 hour
B.Modify the analytics rule to group alerts by IP address with a 1-hour window
C.Create a new analytics rule that triggers only when failed sign-ins exceed 200 in 5 minutes
D.Create an automation rule that closes duplicate incidents from the same IP
AnswerB

Grouping by IP address consolidates all alerts from the same IP into one incident per hour.

Why this answer

Option B is correct because alert grouping in the analytics rule's incident settings (group related alerts into incidents, matching on the IP address entity, over a 1-hour window) consolidates all alerts from that IP into one incident. Option A is wrong because suppression stops the rule from running at all for the chosen period after it fires, for every IP, so it would hide new activity rather than consolidate it. Option C is wrong because raising the trigger to 200 changes the detection threshold, which the question rules out, and the rule would still fire separately each time that threshold is crossed.

Option D is wrong because an automation rule acts on incidents after they are created; it can close duplicates but cannot change how alerts are grouped.

1494
MCQhard

A SOC analyst creates a scheduled analytics rule in Microsoft Sentinel that uses the following KQL query to detect impossible travel: SigninLogs | where TimeGenerated > ago(1d) | summarize Countries = make_set(Location) by UserPrincipalName | where array_length(Countries) > 1 However, the analyst notices that the rule generates too many false positives for users who travel legitimately. What is the best way to refine the rule to reduce false positives without missing actual impossible travel?

A.Add a condition to filter out VPN IP addresses from the Log Analytics workspace.
B.Instead of using make_set, use the dcount() function to estimate distinct countries.
C.Use the time series anomaly detection function series_decompose() on the signin data.
D.Modify the query to include a time difference condition using the partition operator or a join to find sign-ins from different countries within a short time window.
AnswerD

This correctly adds a temporal constraint to identify truly impossible travel.

Why this answer

Option D is correct because impossible travel detection requires correlating sign-ins from different geographic locations within a time window that is too short for physical travel. By using the partition operator or a join to compare timestamps between sign-ins from different countries, the query can distinguish between legitimate sequential travel (e.g., a user flying from New York to London over 8 hours) and truly impossible simultaneous sign-ins (e.g., sign-ins from New York and London within 30 minutes). This reduces false positives while still catching actual impossible travel.

Exam trap

The trap here is that candidates may think filtering by VPN or using aggregation functions like make_set or dcount() is sufficient, but they fail to recognize that impossible travel detection fundamentally requires a time-based correlation between geographically distinct sign-in events.

How to eliminate wrong answers

Option A is wrong because filtering out VPN IP addresses does not address the core issue of legitimate travel; VPNs may be used for remote access and do not inherently indicate impossible travel, and this approach could miss actual threats where an attacker uses a VPN to mask their location. Option B is wrong because using dcount() instead of make_set only changes how distinct countries are counted (approximate vs. exact) and does not add any time-based logic to differentiate between sequential and simultaneous sign-ins. Option C is wrong because series_decompose() is designed for time series anomaly detection on numeric metrics (e.g., count of sign-ins over time), not for correlating geographic locations across user sign-in events to detect impossible travel.
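The refinement in option D, shown as an added example rather than the page's query: after sorting each user's successful sign-ins by time, prev() exposes the previous row so consecutive sign-ins from different countries can be compared by elapsed time. The 1-day lookback, the 60-minute threshold and the use of ResultType == "0" for success are assumptions.

```kusto
// Added example: successive successful sign-ins for the same user from different
// countries less than max_minutes apart. Threshold is an assumption; tune it.
let lookback = 1d;
let max_minutes = 60;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"                          // successful sign-ins only
| where isnotempty(Location)
| project TimeGenerated, UserPrincipalName, Location, IPAddress, AppDisplayName
| sort by UserPrincipalName asc, TimeGenerated asc // sort serializes the rows, enabling prev()
| extend PrevUser     = prev(UserPrincipalName),
         PrevLocation = prev(Location),
         PrevTime     = prev(TimeGenerated),
         PrevIP       = prev(IPAddress)
| where UserPrincipalName == PrevUser              // compare only with the same user's previous sign-in
| where Location != PrevLocation
| extend MinutesApart = datetime_diff("minute", TimeGenerated, PrevTime)
| where MinutesApart < max_minutes
| project UserPrincipalName, PrevTime, PrevLocation, PrevIP,
          TimeGenerated, Location, IPAddress, AppDisplayName, MinutesApart
```

This compares adjacent sign-ins only; a user alternating between two countries (a VPN egress in one, a home connection in the other) will still appear, so a known-egress exclusion list is the usual second refinement. In a scheduled rule, set the lookback to the rule's query period rather than a fixed 1d.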

1495
Multi-Selecteasy

Which TWO are common techniques used during threat hunting to identify suspicious behavior in Microsoft Defender XDR?

Select 2 answers
A.Updating antivirus signatures.
B.Searching for known indicators of compromise (IOCs).
C.Applying anomaly detection models to user behavior.
D.Configuring mail flow rules in Exchange Online.
E.Performing vulnerability scans on endpoints.
AnswersB, C

IOC search is a core hunting technique.

Why this answer

Options B and C are correct. B is correct because searching for known IOCs (indicators of compromise) is the most basic hunting technique. C is correct because anomaly detection over user behavior is how hunters find activity with no known indicator.

A is incorrect because updating antivirus signatures is maintenance, not hunting. D is incorrect because configuring mail flow rules is administration. E is incorrect because vulnerability scanning assesses exposure rather than hunting for attacker activity.

1496
Multi-Select, medium

Which of the following resource types are supported by Microsoft Defender for Cloud's workload protection plans? (Choose 3.)

Select 3 answers
A. Azure virtual machines
B. Azure SQL databases
C. On-premises servers connected via Azure Arc
D. Azure Logic Apps
Answers: A, B, C

The Defender for Servers plan protects Azure VMs, including threat detection and vulnerability assessment.

Why this answer

Microsoft Defender for Cloud's workload protection plans support Azure virtual machines by providing integrated threat detection and advanced security features like just-in-time VM access, file integrity monitoring, and vulnerability assessments. These capabilities leverage the Microsoft Monitoring Agent or Azure Monitor Agent to analyze security events and detect suspicious activities within the VM's operating system and network traffic.

Exam trap

The trap here is that candidates often assume all Azure resource types are covered by the same workload protection plan, but Microsoft specifically scopes these plans to compute, data, and hybrid workloads, excluding serverless or integration services like Logic Apps which require separate Defender plans.

1497
MCQ, easy

Your SOC team uses Microsoft Sentinel workbooks to monitor the security posture. One workbook shows a chart of incidents by severity over the last 7 days. The workbook uses a KQL query that queries the SecurityIncident table. Recently, the workbook stopped displaying data. You check the workspace and confirm that incidents are being created and are visible in the Sentinel portal. You also verify that the workbook has not been modified. What is the most likely cause?

A. The workbook was accidentally deleted and needs to be re-created.
B. The workspace has been switched to a different pricing tier that does not support workbooks.
C. The Log Analytics workspace linked to the workbook has been moved or renamed.
D. The KQL query in the workbook has a syntax error.
Answer: C

Workbooks are tied to a specific workspace; if the workspace is moved, the workbook loses its data source.

Why this answer

Option C is correct because workbooks rely on the Log Analytics workspace for queries. If the workspace was moved to a different resource group or subscription, the workbook may lose its connection. Option A is wrong because the workbook hasn't been modified, so it does not need to be re-created.

Option D is wrong because the query is fine; data is being ingested. Option B is wrong because a different pricing tier or license doesn't affect workbook functionality.

1498
MCQ, easy

You are a security analyst at a company that uses Microsoft Defender for Cloud Apps. You receive an alert that an anomalous activity was detected from a user's device. You need to investigate the activity to determine if it is a true positive. What should you do first?

A. Use Microsoft Power BI to analyze user activity data.
B. In the Microsoft Defender for Cloud Apps portal, open the alert and then click 'View activity' to see the detailed activity log.
C. Open the user's page in Microsoft Entra ID to review sign-in logs.
D. Create an IP address range policy to block the user's IP.
Answer: B

This is the direct way to investigate the specific activity.

Why this answer

Option B is correct because the first step in investigating an anomalous activity alert in Microsoft Defender for Cloud Apps is to open the alert and click 'View activity' to examine the detailed activity log. This log provides the raw telemetry—such as IP address, user agent, timestamp, and activity type—needed to determine if the behavior is malicious or benign. Without reviewing this evidence, you cannot make an informed judgment about the alert's validity.

Exam trap

The trap here is that candidates confuse the investigation phase with the remediation phase, incorrectly choosing to block the IP (Option D) or review sign-in logs (Option C) before examining the actual activity details that confirm the threat.

How to eliminate wrong answers

Option A is wrong because Microsoft Power BI is a business analytics tool for visualizing data, not a security investigation interface; it cannot directly access the granular activity logs within Defender for Cloud Apps alerts. Option C is wrong because reviewing sign-in logs in Microsoft Entra ID only shows authentication events, not the full activity context (e.g., file downloads, app permissions) that Defender for Cloud Apps captures for anomaly detection. Option D is wrong because creating an IP address range policy to block the user's IP is a reactive remediation step, not a first investigative action; you must first confirm the activity is malicious before applying blocking policies.

1499
MCQ, medium

Your organization has deployed Microsoft Sentinel and configured a workspace with data connectors for Microsoft 365 Defender, Azure Activity, and Office 365. You need to ensure that security incidents are automatically assigned to the appropriate analyst based on the incident type. What should you configure?

A. Create a playbook triggered by incident creation that assigns the incident to a user based on the incident title.
B. Add a watchlist that maps incident types to analyst email addresses and configure a scheduled analytics rule.
C. Create an automation rule that runs when an incident is created, with conditions on the incident title, and an action to assign the incident to a specific owner.
D. Configure a Microsoft 365 Defender incident assignment rule in the Microsoft 365 Defender portal.
Answer: C

Automation rules can assign incidents based on conditions like title or severity.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel allow you to define conditions (e.g., incident title containing specific keywords) and actions (e.g., assign incident to a specific owner) that run automatically when an incident is created. This directly meets the requirement to assign incidents to the appropriate analyst based on incident type without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks or think that Microsoft 365 Defender incident assignment rules can manage all Sentinel incidents, but automation rules are the correct native mechanism for incident assignment within Sentinel across all data connectors.

How to eliminate wrong answers

Option A is wrong because playbooks triggered by incident creation can assign incidents, but they require custom logic and are more complex than necessary; automation rules provide a simpler, native way to assign incidents based on conditions. Option B is wrong because watchlists are used for correlation and enrichment in analytics rules, not for assigning incidents; scheduled analytics rules generate alerts, not incidents, and cannot assign ownership. Option D is wrong because Microsoft 365 Defender incident assignment rules apply only to incidents generated within the Microsoft 365 Defender portal, not to incidents ingested into Microsoft Sentinel from other connectors like Azure Activity or Office 365.

1500
MCQ, easy

Your organization uses Microsoft Sentinel. You need to ensure that an Azure function app can send custom logs to a Log Analytics workspace. What should you configure?

A. Threat intelligence data connector
B. Diagnostic settings on the function app
C. Data collection rule (DCR) with Azure Monitor Agent
D. Microsoft Sentinel automation rule
Answer: C

DCRs define how to collect and transform data from sources like function apps.

Why this answer

The Log Analytics agent (now replaced by Azure Monitor Agent) is used to send custom logs from a function app to Log Analytics, and the agent's collection is defined by a data collection rule. Option C is correct. Option D is for automation, not ingestion.

Option A is for threat intelligence, not custom logs. Option B is for exporting data, not ingestion.
