Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 1576–1639

Page 22 of 22

1576
MCQmedium

During an incident response, an analyst runs a live response command on a Windows device using Microsoft Defender for Endpoint. The command 'Get-Service -Name BITS' returns no output. What is the most likely cause?

A.The live response session has insufficient privileges.
B.The BITS service is disabled and hidden.
C.The command is blocked due to PowerShell ConstrainedLanguage mode.
D.The BITS service is not installed on the device.
AnswerC

Live response runs in ConstrainedLanguage mode, which restricts cmdlets. Get-Service is not allowed.

Why this answer

Live response uses a restricted PowerShell language mode (ConstrainedLanguage) which blocks many commands. Get-Service may not be available. The service might be stopped but still exist; permissions are usually fine.

1577
MCQhard

During a security incident, a SOC analyst uses Microsoft Defender XDR to investigate a compromised device. The analyst needs to collect a memory dump for forensic analysis. Which action should the analyst take from the Microsoft Defender XDR portal?

A.Use the 'Collect investigation package' action.
B.Initiate a live response session.
C.Run a custom detection rule.
D.Submit the file to Microsoft Defender for Cloud Apps.
AnswerA

This action collects a memory dump as part of the package.

Why this answer

The correct answer is A. 'Collect investigation package' collects memory dumps, registry hives, and other forensic data. The other options do not provide memory dumps.

1578
MCQhard

A global organization has Azure subscriptions organized under a single management group. The security team wants to ensure that the Azure Security Benchmark initiative is assigned once to cover all current and future subscriptions within that management group, without needing to assign it individually. They also want to see compliance results aggregated at the management group level. In Microsoft Defender for Cloud, what is the correct approach to achieve this?

A.Assign the Azure Security Benchmark initiative directly to the management group via Azure Policy, and use the Defender for Cloud's Regulatory Compliance dashboard.
B.Enable Defender for Cloud's enhanced security features on each subscription, and the benchmark will be automatically applied.
C.Create a custom assessment in Defender for Cloud that queries the management group scope.
D.Assign the initiative to the root management group using Azure Policy, then configure Defender for Cloud to ignore individual subscription assignments.
AnswerA

Assigning the initiative at the management group scope applies it to all subscriptions within, and the Regulatory Compliance dashboard shows aggregated results for that scope.

Why this answer

Assigning the Azure Security Benchmark initiative directly to the management group via Azure Policy ensures that the policy initiative is inherited by all current and future subscriptions under that management group. Defender for Cloud's Regulatory Compliance dashboard then aggregates compliance results at the management group level, providing a single view of compliance across the entire hierarchy without requiring individual assignments.

Exam trap

The trap here is that candidates may think enabling enhanced security features in Defender for Cloud automatically applies the Azure Security Benchmark, but in reality, the benchmark must be explicitly assigned as a policy initiative, and the management group scope is the correct way to cover all subscriptions.

How to eliminate wrong answers

Option B is wrong because enabling Defender for Cloud's enhanced security features on each subscription does not automatically assign the Azure Security Benchmark initiative; the benchmark must be explicitly assigned via Azure Policy. Option C is wrong because creating a custom assessment in Defender for Cloud that queries the management group scope does not enforce the Azure Security Benchmark initiative across subscriptions; it only provides a custom query without policy-driven compliance evaluation. Option D is wrong because assigning the initiative to the root management group would cover all subscriptions, but configuring Defender for Cloud to ignore individual subscription assignments is unnecessary and not a supported configuration; the correct approach is to assign directly to the target management group.

1579
MCQhard

A security analyst is hunting for a targeted phishing attack in Microsoft 365 Defender. They have identified a phishing email delivered to a user and want to find all devices where the user clicked the link in the email, and any processes that were spawned from the browser on those devices. Which advanced hunting strategy is most effective to correlate the email, network, and process data?

A.Query EmailEvents for the email, then DeviceLogonEvents for user logons, then DeviceProcessEvents for process creations after logon.
B.Query EmailUrlInfo for the URL, then DeviceNetworkEvents for devices that connected to that URL, then DeviceProcessEvents for processes on those devices that started shortly after the connection.
C.Query EmailAttachmentInfo, then DeviceFileEvents for files dropped.
D.Query IdentityLogonEvents, then DeviceEvents from the device where the logon occurred.
AnswerB

Correct: This directly ties the URL to network connections (clicks) and then to processes, providing a precise chain of events.

Why this answer

Option B is correct because it directly correlates the malicious URL from the email (via EmailUrlInfo) with devices that connected to that URL (via DeviceNetworkEvents), then identifies any processes spawned on those devices shortly after the connection (via DeviceProcessEvents). This sequence maps the attack chain from email delivery to network connection to post-click process execution, which is exactly what the analyst needs to find devices where the link was clicked and any resulting processes.

Exam trap

The trap here is that candidates often choose Option A, mistakenly thinking that user logon events are a reliable proxy for link clicks, but logons do not indicate that the user actually clicked the URL or that any malicious process was spawned from the browser.

How to eliminate wrong answers

Option A is wrong because DeviceLogonEvents captures user authentication events, not the specific act of clicking a link in a browser; correlating logons with process creations is too broad and misses the direct network connection to the phishing URL. Option C is wrong because it focuses on email attachments and file drops, but the question specifies a phishing email with a link, not an attachment; DeviceFileEvents would not capture browser network connections or spawned processes from clicking a URL. Option D is wrong because IdentityLogonEvents tracks identity-based logon events, not email or network activity; it cannot correlate the specific phishing email or URL with device processes.

1580
Multi-Selecteasy

Which TWO actions should a SOC analyst take immediately after confirming a ransomware incident in Microsoft Defender XDR?

Select 2 answers
A.Isolate affected devices from the network.
B.Begin restoring data from backups.
C.Disable all mailboxes in the organization.
D.Reset passwords for compromised accounts and enforce MFA.
E.Collect a full memory dump from each affected device.
AnswersA, D

Isolation prevents ransomware from spreading.

Why this answer

Correct answers are A and D. Isolating affected devices and resetting compromised account credentials are immediate containment steps. Collecting forensic data is important but after containment.

Starting recovery can wait. Disabling mailboxes is not necessary unless email is a vector.

1581
MCQmedium

A company has several Azure virtual machines running SQL Server (IaaS). The security team wants to enable Advanced Threat Protection for these SQL Server instances to detect threats like SQL injection. What should they do?

A.Deploy the SQL Server IaaS Agent extension on each VM and enable Azure Defender for SQL in Microsoft Defender for Cloud.
B.Enable Azure Defender for Servers on the subscription; it automatically protects SQL Server workloads.
C.Enable Azure Defender for SQL on the Log Analytics workspace used by the VMs.
D.Configure the Microsoft Sentinel SQL connector to ingest SQL audit logs.
AnswerA

Correct. The SQL IaaS Agent extension registers the VM with the SQL resource provider. After that, enabling Azure Defender for SQL (under Defender for Cloud plans) provides Advanced Threat Protection and vulnerability assessment for the SQL Server instances.

Why this answer

To enable Advanced Threat Protection for SQL Server IaaS, you must deploy the SQL Server IaaS Agent extension on each VM, which allows the VM to register with the SQL IaaS platform. Then, you enable Azure Defender for SQL in Microsoft Defender for Cloud, which provides threat detection for SQL injection and other anomalous activities. This combination ensures the SQL Server instances are monitored by Defender for Cloud's SQL-specific protections.

Exam trap

The trap here is that candidates often confuse Azure Defender for Servers with Azure Defender for SQL, assuming server-level protection automatically covers SQL workloads, but SQL-specific threat detection requires the dedicated SQL Defender plan and the IaaS Agent extension.

How to eliminate wrong answers

Option B is wrong because Azure Defender for Servers protects the VM's operating system and network, but it does not automatically enable SQL-specific threat detection like SQL injection; you need Azure Defender for SQL for that. Option C is wrong because Azure Defender for SQL is enabled at the subscription or workspace level for PaaS SQL databases, not for SQL Server IaaS VMs, which require the IaaS Agent extension. Option D is wrong because the Microsoft Sentinel SQL connector ingests audit logs for analysis in Sentinel, but it does not enable Advanced Threat Protection or real-time threat detection for SQL Server IaaS; that requires Defender for SQL.

1582
MCQhard

You are reviewing an automation rule in Microsoft Sentinel. The rule triggers on incident creation with severity High. However, during a recent High severity incident, the playbook did not run. What is the most likely cause?

A.The action order is set to 1, but another action has a higher priority.
B.The automation rule does not have an owner assigned.
C.The condition requires IncidentSeverity equals High, but the incident was classified as Medium.
D.The rule triggers on incident creation, but the incident was first closed and then reopened.
AnswerB

Automation rules must have an owner to run playbooks.

Why this answer

Option B is correct because automation rules require an assigned owner to run playbooks. Option A is wrong because the action order is fine. Option C is wrong because the condition is correct for High severity. Option D is wrong because the rule triggers on creation, not closure.

1583
MCQeasy

A security analyst is reviewing phishing emails in Microsoft 365 Defender and wants to identify all messages that were blocked by an anti-phish policy before delivery. The analyst plans to use advanced hunting. Which table column indicates whether an email was blocked as phishing?

A.EmailEvents table, the 'DeliveryAction' column
B.EmailPostDeliveryEvents table, the 'Action' column
C.EmailAttachmentInfo table, the 'FileType' column
D.EmailUrlInfo table, the 'Url' column
AnswerA

Correct. The EmailEvents table records the delivery action (Delivered, Blocked, Junked) determined by policies like anti-phish policies.

Why this answer

The EmailEvents table records actions taken on emails before delivery, including whether a message was blocked by anti-phish policies. The 'DeliveryAction' column specifically indicates the final disposition, such as 'Blocked' for phishing. This makes it the correct source for identifying pre-delivery phishing blocks in advanced hunting.

Exam trap

The trap here is that candidates confuse the EmailPostDeliveryEvents table (which shows post-delivery remediation actions like 'Move to Junk' or 'Soft Delete') with pre-delivery blocking, but the correct table for pre-delivery phishing blocks is EmailEvents with the 'DeliveryAction' column.

How to eliminate wrong answers

Option B is wrong because the EmailPostDeliveryEvents table captures actions taken after delivery (e.g., Zero-Hour Auto Purge), not pre-delivery blocks. Option C is wrong because the EmailAttachmentInfo table stores metadata about attachments (e.g., file type), not the delivery action or phishing disposition. Option D is wrong because the EmailUrlInfo table contains URLs found in emails, not the action taken on the email itself.

1584
MCQhard

Your organization's Microsoft Sentinel workspace ingests logs from multiple regions. During an incident, you need to search for a specific user's activity across all workspaces in a single query. What is the most efficient way to accomplish this?

A.Use a cross-workspace query with the workspace() expression.
B.Run separate queries in each workspace and combine results manually.
C.Create a new analytics rule that queries all workspaces.
D.Use the Microsoft Sentinel search feature with the workspace filter.
AnswerA

Cross-workspace queries enable searching across workspaces efficiently.

Why this answer

A cross-workspace query using the workspace() expression allows querying multiple workspaces in one KQL query. Option B is manual; Option C is for analytics; Option D is for search.

1585
MCQeasy

A company enables Microsoft Defender for Cloud on its Azure subscription. The security team wants to ensure that all existing and future Azure VMs have Just-In-Time (JIT) VM access configured. Which of the following actions must the team take first to enable JIT for VMs?

A.Enable the 'Just-In-Time VM access' plan in Microsoft Defender for Cloud's environment settings
B.Configure a network security group (NSG) to allow RDP traffic from a specific IP range
C.Create a security policy assignment to block all inbound RDP traffic
D.Install the Log Analytics agent on all VMs
AnswerA

JIT must be enabled first; then VMs can be configured and requests can be made.

Why this answer

Option A is correct because enabling the 'Just-In-Time VM access' plan in Microsoft Defender for Cloud's environment settings is the prerequisite step that activates the JIT feature for the subscription. Without this plan enabled, Defender for Cloud cannot enforce JIT policies on any VMs, regardless of NSG or agent configurations.

Exam trap

The trap here is that candidates often think JIT requires an agent or manual NSG configuration, but the first step is always enabling the plan in Defender for Cloud's environment settings, as JIT is a cloud-level policy feature, not a VM-level agent-based one.

How to eliminate wrong answers

Option B is wrong because configuring an NSG to allow RDP from a specific IP range is a manual access control method, not the first step to enable JIT; JIT itself dynamically manages NSG rules. Option C is wrong because creating a security policy to block all inbound RDP traffic would prevent JIT from opening ports on demand, as JIT requires the ability to temporarily allow traffic. Option D is wrong because the Log Analytics agent is not required for JIT VM access; JIT works through Azure Resource Manager and NSG rules, not agent-based monitoring.

1586
MCQhard

You are a security operations analyst for Contoso Ltd. The company uses Microsoft Sentinel as its SIEM and Microsoft Defender for Cloud Apps for SaaS security. You are tasked with threat hunting for potential data exfiltration via Microsoft SharePoint Online. You need to create a hunting query that identifies users who have downloaded an unusually high number of files from SharePoint within a short time window compared to their historical baseline. The query should be run in Microsoft Sentinel using the OfficeActivity table. Which of the following approaches should you take?

A.Use the HuntingBookmark table to search for user activity
B.Query the CommonSecurityLog table for SharePoint events and look for high volumes of outbound traffic
C.Query the OfficeActivity table, filter for Operation=='FileDownloaded', summarize by UserId and bin(TimeGenerated, 1h), then use a join with a historical baseline table to detect deviations
D.Query the SecurityAlert table for alerts related to data exfiltration
AnswerC

This approach uses the correct data source and method to compare current activity with historical baseline.

Why this answer

Option C is correct because using the OfficeActivity table with summarize and bin() allows you to count download events (Operation=='FileDownloaded') per user per hour and then compare the current count to a historical average to detect anomalies. Option A is incorrect because the HuntingBookmark table is for storing bookmarks, not for running analytics. Option B is incorrect because the CommonSecurityLog table does not contain SharePoint download events. Option D is incorrect because the SecurityAlert table contains alerts, not the raw events needed for baseline calculation.

1587
MCQmedium

A security analyst is investigating an incident in Microsoft 365 Defender involving a user who received a phishing email. The analyst needs to identify all devices on which the user clicked a link from the email. Which advanced hunting table should the analyst query to find the click events?

A.UrlClickEvents
B.EmailEvents
C.DeviceEvents
D.NetworkEvents
AnswerA

Correct. UrlClickEvents logs all clicks on URLs in emails, including phishing links, with device and user details.

Why this answer

UrlClickEvents is the correct table because it specifically records click events on URLs in Microsoft Defender for Office 365, including clicks on links in phishing emails. This table captures the user's click action, the URL, and the verdict (e.g., allowed, blocked), enabling the analyst to identify all devices where the user clicked the link.

Exam trap

The trap here is that candidates often confuse EmailEvents (which tracks email delivery) with UrlClickEvents (which tracks user interaction with URLs), leading them to select EmailEvents when they need click-specific data.

How to eliminate wrong answers

Option B is wrong because EmailEvents contains email metadata (sender, recipient, subject, delivery status) but does not include user click events on URLs. Option C is wrong because DeviceEvents logs system-level events (e.g., process creation, file modifications) on endpoints, not user click actions on email links. Option D is wrong because NetworkEvents records network traffic flows (e.g., connections, IP addresses) but lacks the granularity to capture specific URL click events from email clients.

1588
MCQhard

You have a Microsoft Sentinel workspace that ingests logs from multiple sources. The log analytics workspace is in the East US region. You have a requirement to keep logs for 90 days for active investigation, then archive them to an Azure storage account for compliance for 5 years. What should you configure?

A.Set the retention period to 90 days and configure a data export rule to send logs older than 90 days to Azure Blob Storage
B.Set the retention period to 5 years and use purging for data older than 90 days
C.Set the retention period to 90 days and enable 'Archive' in the workspace retention settings
D.Configure diagnostic settings to send logs to storage with a retention of 90 days
AnswerA

Data export rules can continuously export data to storage after the retention period expires.

Why this answer

Option A is correct because Azure Log Analytics allows you to set a retention policy and then archive data to Azure storage using a data export rule. Option B deletes logs after 90 days. Option C is for interactive retention only. Option D is for diagnostic settings, not for archiving after retention.

1589
MCQhard

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During an incident, you receive a critical alert for a user who is reported as compromised. You need to verify if the compromise is real and respond quickly. Which feature should you use to automatically trigger a playbook that contains the account?

A.An automation rule that triggers a playbook when the alert is created.
B.An analytics rule configured to run a playbook when the alert is generated.
C.A workbook that displays the user's activity for manual investigation.
D.A watchlist that includes the user's name to block the account.
AnswerA

Automation rules can run playbooks automatically on alert or incident creation.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks based on alert creation. Option B is wrong because analytics rules generate alerts but do not trigger playbooks directly. Option C is wrong because workbooks are visualization tools. Option D is wrong because watchlists are for enrichment, not response.

1590
MCQmedium

You are investigating a Microsoft Sentinel incident involving a user who clicked a phishing link. The incident includes alerts from Microsoft Defender for Office 365. You need to identify if any other users received the same phishing email. What should you do?

A.Check the incident timeline for related alerts
B.Review the incident graph in Microsoft Sentinel
C.Run a KQL query in Advanced Hunting
D.Use the Threat Explorer in Microsoft Defender for Office 365
AnswerD

Threat Explorer can search for similar emails across all users.

Why this answer

Option D is correct because the Threat Explorer in Microsoft Defender for Office 365 can search for emails by subject, sender, or URL. Option A is wrong because the timeline shows events for the current incident only. Option B is wrong because the incident graph shows only linked entities. Option C is wrong because Advanced Hunting is more complex and not the quickest method.

1591
MCQmedium

An analyst runs this PowerShell script to query Microsoft Sentinel data. The query returns no results. What is the most likely reason?

A.The timestamp filter is invalid; it should use TimeGenerated instead of Timestamp
B.The query syntax is incorrect; summarize cannot be used after where
C.No events matched the specific combination of process name and command line in the last 7 days
D.The API endpoint URL is incorrect; it should be /v2/workspaces
AnswerC

rundll32.exe with javascript is rare; likely no such events occurred.

Why this answer

Option C is correct because the query uses `rundll32.exe` with `javascript` in the command line, which is an uncommon but known technique for executing JavaScript via rundll32, so it is likely that no matching events occurred in the 7-day range. Option A is wrong because the timestamp filter and the 7-day date range are valid. Option B is wrong because summarize can be used after where. Option D is wrong because the API endpoint is correct for Log Analytics.

1592
Multi-Selecthard

Which THREE are valid containment actions in Microsoft Defender for Endpoint? (Choose three.)

Select 3 answers
A.Reset password
B.Contain device
C.Run antivirus scan
D.Collect investigation package
E.Isolate device
AnswersB, C, E

Contain device limits network communication to specific IPs.

Why this answer

Options B, C, and E are correct. 'Isolate device', 'Contain device', and 'Run antivirus scan' are built-in actions. Option A is wrong because 'Reset password' is not a containment action in Defender for Endpoint; it is done in Microsoft Entra ID. Option D is wrong because 'Collect investigation package' is a forensic action, not containment.

1593
MCQhard

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails detected as 'Bulk' to the user's Junk Email folder. However, users must be able to override this by adding the sender to their Safe Senders list. What should you configure?

A.Anti-spam policy with Bulk email threshold set to a value that triggers junk action
B.Anti-phishing policy
C.Malware filter policy
D.Connection filter policy
AnswerA

The anti-spam policy includes a bulk complaint level (BCL) threshold; emails exceeding it are sent to Junk. Safe Senders overrides.

Why this answer

Option A is correct because the anti-spam policy in Defender for Office 365 has a 'Bulk email threshold' that can be set, and users can override via Safe Senders. Option B is for phishing, not bulk; Option C is for malware; Option D is for connection filtering.

1594
MCQeasy

During an incident response, you need to collect a forensic image of a Windows 10 device managed by Microsoft Intune. Which Microsoft Defender XDR feature should you use?

A.Microsoft Defender for Cloud Apps
B.Microsoft Purview eDiscovery
C.Microsoft Defender for Endpoint Live Response
D.Microsoft Sentinel
AnswerC

Allows remote forensic data collection.

Why this answer

Option C is correct because Microsoft Defender for Endpoint's Live Response allows you to collect forensic data from devices. Option A is wrong because Microsoft Defender for Cloud Apps is for cloud app security. Option B is wrong because Microsoft Purview eDiscovery is for content search and legal hold. Option D is wrong because Microsoft Sentinel is a SIEM, not for live forensic collection.

1595
MCQmedium

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user from the finance department downloaded 500 files from SharePoint Online in 10 minutes. The analyst needs to determine if this is a true positive and, if so, contain the incident. Which action should the analyst take first?

A.Run a KQL query in Microsoft Sentinel to correlate with other alerts.
B.Suspend the user's account in Microsoft Entra ID.
C.Create an alert in Microsoft Sentinel for similar behavior.
D.Check the user's risk score in Microsoft Entra ID Identity Protection.
AnswerB

Suspending the account immediately prevents further data exfiltration while investigation proceeds.

Why this answer

The correct answer is B. Suspending the user's account in Microsoft Entra ID immediately stops any further downloads while the investigation proceeds. Options A, C, and D are investigation or detection steps that do not contain the ongoing activity.

1596
MCQmedium

A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. Which action should they take in Microsoft Defender for Cloud?

A.Enable 'Microsoft Defender for Servers' plan and check the 'Vulnerability assessment' option in the environment settings
B.Install the Log Analytics agent and configure the Qualys connector on each VM
C.Create a policy assignment from the built-in initiative 'Enable Azure Monitor for VMs'
D.Enable 'Servers' workload protection in Defender for Cloud and then manually deploy the VA agent to each existing VM using Azure Policy
AnswerA

This enables Defender for Servers at the subscription level, which includes the integrated vulnerability assessment solution. It automatically applies to all current and future VMs.

Why this answer

To enable vulnerability assessment for all existing and future Azure VMs using the integrated Microsoft Defender Vulnerability Management solution, you must enable the 'Microsoft Defender for Servers' plan in Defender for Cloud and then check the 'Vulnerability assessment' option within the environment settings. This action activates the built-in, agentless vulnerability assessment engine that is part of Defender for Cloud, automatically scanning VMs without requiring additional agents or manual deployment.

Exam trap

The trap here is that candidates often confuse enabling 'Microsoft Defender for Servers' (which provides general threat protection) with the separate 'Vulnerability assessment' toggle that must be explicitly checked to activate the integrated vulnerability scanning, leading them to select option D which only mentions enabling workload protection.

How to eliminate wrong answers

Option B is wrong because installing the Log Analytics agent and configuring the Qualys connector is a legacy approach for vulnerability assessment that requires a third-party solution and manual per-VM configuration, not the integrated Microsoft Defender Vulnerability Management solution. Option C is wrong because creating a policy assignment from 'Enable Azure Monitor for VMs' enables VM insights and Log Analytics agent deployment, not vulnerability assessment via Defender for Cloud. Option D is wrong because enabling 'Servers' workload protection alone does not automatically enable vulnerability assessment; you must also check the 'Vulnerability assessment' option, and manually deploying the VA agent is unnecessary when the integrated solution is agentless.

1597
MCQeasy

Your team uses Microsoft Sentinel to manage incidents. You want to automatically assign incidents with a severity of 'High' to the Tier 2 security team. Which feature should you configure?

A.Playbook
B.Analytics rule
C.Automation rule
D.Workbook
AnswerC

Automation rules can assign incidents to owners based on properties.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can automatically assign incidents based on conditions like severity. Option A is wrong because playbooks are for response actions, not assignment. Option B is wrong because analytics rules generate alerts, not assign incidents. Option D is wrong because workbooks are for visualization.

1598
MCQhard

Match each Microsoft Sentinel data connector on the left with the table name it populates on the right.

A.Microsoft Entra ID → SigninLogs; Windows Security Events via AMA → SecurityEvent; Cisco ASA via Syslog → CommonSecurityLog; Azure Activity → AzureActivity
B.The first and last mappings are swapped.
C.Every item maps to the same log table or feature category.
D.Only identity-related items are mapped; workload and network items are omitted.
AnswerA

This is the correct mapping based on the documented function of each item.

Why this answer

Option A is correct because it accurately maps each Microsoft Sentinel data connector to its corresponding log table. Microsoft Entra ID populates the SigninLogs table, Windows Security Events via AMA populates the SecurityEvent table, Cisco ASA via Syslog populates the CommonSecurityLog table (which is the standard schema for syslog-based security appliances), and Azure Activity populates the AzureActivity table. These mappings are defined by the data connectors themselves and are fundamental to querying the correct data in Sentinel.

Exam trap

The trap here is that candidates often confuse the CommonSecurityLog table with the Syslog table, but Cisco ASA via Syslog specifically populates CommonSecurityLog (not Syslog) because Sentinel normalizes syslog data from security appliances into a common schema for easier correlation.

How to eliminate wrong answers

Option B is wrong because it suggests the first and last mappings are swapped, but Microsoft Entra ID correctly maps to SigninLogs (not AzureActivity) and Azure Activity correctly maps to AzureActivity (not SigninLogs); swapping them would be incorrect. Option C is wrong because it claims every item maps to the same log table or feature category, which is false as each connector populates a distinct table (SigninLogs, SecurityEvent, CommonSecurityLog, AzureActivity) with different schemas and purposes. Option D is wrong because it states only identity-related items are mapped, but the set includes Windows Security Events (workload security) and Cisco ASA (network security), which are not identity-related; all four items are correctly mapped.

1599
Multi-Selecthard

A security analyst is investigating a potential data exfiltration incident in Microsoft Sentinel. The analyst needs to identify which users may have been compromised. Which THREE data sources should be queried to gather the most relevant evidence?

Select 3 answers
A.WindowsEvent from Microsoft Defender for Endpoint.
B.AzureActivity from Azure Monitor.
C.SigninLogs and AuditLogs from Microsoft Entra ID.
D.OfficeActivity from Microsoft 365.
E.CloudAppEvents from Microsoft Defender for Cloud Apps.
AnswersC, D, E

Provides authentication and user activity in Entra ID.

Why this answer

Options C, D, and E are correct because SigninLogs and AuditLogs (Entra ID) provide authentication and activity logs; OfficeActivity provides Exchange and SharePoint logs; and CloudAppEvents (Defender for Cloud Apps) provides shadow IT and app activity. Option B (AzureActivity) covers Azure resource operations, not user activity. Option A (WindowsEvent) covers device-level events, which are less relevant for cloud exfiltration.

1600
Multi-Selecteasy

Which THREE steps are part of the incident response process when using Microsoft Sentinel?

Select 3 answers
A.Identify the incident by creating an analytics rule.
B.Investigate the incident using hunting queries and entity timelines.
C.Remediate the incident by running playbooks or manual actions.
D.Report the incident to the security team via email.
E.Triage the incident to determine severity.
AnswersB, C, E

Investigation is a key step to understand the scope and impact.

Why this answer

The three correct steps are triage, investigation, and remediation. Identification is a precursor, and reporting is a final step but not always part of the core process in Sentinel.

1601
MCQhard

You are a security administrator for a multinational company using Microsoft Sentinel. You need to ensure that critical incidents are automatically escalated to the on-call team via email and SMS. The on-call schedule uses a Microsoft Teams channel. What is the most efficient way to achieve this?

A.Create an automation rule that sends email directly to the on-call team.
B.Build a playbook using Microsoft Teams connector to post a message in the on-call channel with an adaptive card that allows acknowledge and escalate.
C.Configure the analytics rule to send an email when the incident is created.
D.Use a workbook to display critical incidents and expect the team to monitor it.
AnswerB

A playbook can use the Teams connector to send notifications and include logic for escalation. An automation rule triggers the playbook on incident creation.

Why this answer

Option B is correct because a playbook with the Teams connector can send adaptive cards and apply escalation logic. Option A is wrong because automation rules alone cannot send SMS. Option C is wrong because an analytics rule only triggers incidents.

Option D is wrong because workbooks are for visualization, not automation.

1602
Multi-Selecthard

Which TWO actions are effective when threat hunting for lateral movement using remote desktop protocol (RDP) in Microsoft Defender XDR?

Select 2 answers
A.Query DeviceNetworkEvents for inbound connections on port 3389
B.Review CloudAppEvents for access to cloud apps from multiple IPs
C.Correlate RDP connections with successful logon events (Event ID 4624) with LogonType 10
D.Check for unusual email forwarding rules
E.Search for SMB file share connections
AnswersA, C

Port 3389 is used by RDP; inbound connections may indicate lateral movement.

Why this answer

Querying DeviceNetworkEvents for inbound RDP connections (port 3389) helps identify potential lateral movement. Correlating those connections with successful RDP logons (Event ID 4624 with LogonType 10) confirms the movement. Option E (SMB file share connections) relates to file sharing rather than RDP.

Option D (email forwarding rules) relates to exfiltration. Option B (cloud app access from multiple IPs) is not directly RDP-related.

1603
Multi-Selecteasy

Which THREE are valid incident classification options in Microsoft Sentinel?

Select 3 answers
A.Informational
B.Benign Positive
C.Malicious
D.False Positive
E.True Positive
AnswersB, D, E

Classification for non-malicious but interesting activity.

Why this answer

Option E is correct because 'True Positive' is a standard classification. Option D is correct because 'False Positive' is standard. Option B is correct because 'Benign Positive' is a classification for non-malicious but relevant activity.

Option C is wrong because 'Malicious' is a sub-classification, not a main classification. Option A is wrong because 'Informational' is not a classification; it's a severity level.

1604
MCQhard

A SOC analyst in Microsoft Sentinel is creating a scheduled analytics rule to detect a possible password spray attack. The rule must trigger when a single source IP address has more than 10 failed logon attempts on different user accounts within a 30-minute window. The analyst writes a KQL query starting with 'SigninLogs | where ResultType == 50057' (failed logon). Which operator should the analyst use to group events by source IP and count distinct user accounts, then filter for counts above 10?

A.summarize
B.where
C.extend
D.project
AnswerA

The 'summarize' operator groups rows and applies aggregate functions like dcount() or count() to calculate distinct user counts per IP.

Why this answer

The `summarize` operator is required to group events by source IP address and count distinct user accounts using `dcount()` or `count()`. After summarizing, you apply a `where` clause to filter for counts above 10, which meets the rule's threshold. This is the standard pattern for aggregation in KQL.

Exam trap

The trap here is that candidates often confuse `summarize` with `extend` or `project`, thinking they can achieve aggregation without an explicit grouping operator, or they mistakenly use `where` after a simple filter instead of performing the required count and threshold check.

How to eliminate wrong answers

Option B is wrong because `where` filters rows based on conditions but cannot perform grouping or counting; it would only filter individual sign-in events, not aggregate them. Option C is wrong because `extend` adds new calculated columns to each row without any aggregation or grouping, so it cannot count distinct users per IP. Option D is wrong because `project` selects or reorders columns but does not group or count data; it would merely reduce the columns returned.

1605
MCQeasy

Your organization uses Microsoft Defender for Identity. You need to create a role that allows analysts to view security alerts but not modify them. Which built-in role should you assign?

A.Security Administrator
B.Compliance Administrator
C.Global Administrator
D.Security Reader
AnswerD

Read-only access to security alerts.

Why this answer

The Security Reader role (D) is the correct choice because it provides read-only access to security-related features in Microsoft 365 Defender, including the ability to view security alerts from Microsoft Defender for Identity without the ability to modify or respond to them. This aligns directly with the requirement to allow analysts to view alerts but not modify them, as the role grants no write permissions to security configurations or alert states.

Exam trap

The trap here is that candidates often confuse Security Reader with Security Administrator, assuming the 'Administrator' suffix implies broader access, but the key distinction is that Security Reader is the only built-in role that provides read-only access to security alerts without modification rights.

How to eliminate wrong answers

Option A is wrong because the Security Administrator role has full write permissions to security policies and alerts, including the ability to modify alert statuses and configurations, which violates the requirement to prevent modifications. Option B is wrong because the Compliance Administrator role is focused on compliance settings (e.g., data classification, DLP, retention policies) and does not grant access to security alerts from Defender for Identity; it is not designed for security operations viewing. Option C is wrong because the Global Administrator role has unrestricted access to all administrative features, including full control over security alerts, which far exceeds the read-only requirement and introduces unnecessary privilege.

1606
MCQmedium

Your SOC team uses Microsoft Sentinel to manage incidents. You want to improve the efficiency of incident triage by automatically enriching incidents with threat intelligence data from Microsoft Threat Intelligence. What should you configure?

A.Enable the Threat Intelligence - TAXII connector to ingest threat indicators.
B.Create a playbook that queries the Threat Intelligence API and adds a comment to the incident.
C.Create a watchlist containing threat intelligence data and use it in an automation rule to add tags or comments.
D.Enable User and Entity Behavior Analytics (UEBA) to detect anomalies.
AnswerC

Watchlists can be used in automation rules to enrich incidents with additional data.

Why this answer

Option C is correct because watchlists in Microsoft Sentinel allow you to store and reference static threat intelligence data directly within automation rules. By creating a watchlist with threat indicators and configuring an automation rule to add tags or comments based on matches, you can enrich incidents without requiring external API calls or complex playbooks, thus improving triage efficiency.

Exam trap

The trap here is that candidates often confuse the purpose of the TAXII connector (ingestion) with incident enrichment, or assume that a playbook is always the best automation method, overlooking the simpler and more efficient watchlist-based approach for static data.

How to eliminate wrong answers

Option A is wrong because the Threat Intelligence - TAXII connector ingests threat indicators into Sentinel's ThreatIntelligenceIndicator table, but it does not automatically enrich incidents; it only populates the threat intelligence repository. Option B is wrong because while a playbook can query the Threat Intelligence API and add a comment, this approach is less efficient than using a watchlist with an automation rule, as playbooks require manual or scheduled execution and introduce latency. Option D is wrong because UEBA detects behavioral anomalies and generates alerts, but it does not directly enrich incidents with threat intelligence data; it focuses on user and entity behavior rather than external threat indicator matching.

1607
MCQeasy

You are configuring Microsoft Defender for Cloud Apps to enhance visibility into your organization's SaaS app usage. You need to ensure that risky user activities are automatically suspended. What should you configure?

A.Set up IP address range policies.
B.Configure app discovery policies.
C.Create a session policy to block or limit activities based on risk.
D.Define file policies to protect sensitive data.
AnswerC

Session policies allow real-time monitoring and control of user sessions, such as blocking downloads from risky sessions.

Why this answer

Option C is correct because session policies allow real-time control of user sessions based on risk level. Option B is wrong because app discovery only identifies the apps in use. Option D is wrong because file policies govern data protection.

Option A is wrong because IP address ranges are used for location-based policies, not activity control.

1608
MCQhard

A SOC team wants to use Microsoft Sentinel to detect when a user logs in from a new country not previously seen for that user. They have the SigninLogs table. Which KQL function is most appropriate to build this anomaly detection?

A.timechart()
B.make_set() with lookup
C.dcount()
D.startofday()
AnswerB

make_set() creates an array of previously seen countries per user. Using a join or lookup operation, you can compare a new login's country against that set to detect anomalies.

Why this answer

The `make_set()` function creates a dynamic array of distinct values (e.g., countries) per user over a specified time window. By using `lookup` to compare the current sign-in's country against the historical set, you can flag logins from countries not previously seen. This directly implements the 'new country' anomaly detection pattern in KQL.

Exam trap

Microsoft often tests the distinction between aggregate functions that return counts (`dcount`) versus those that return the actual set of values (`make_set`), leading candidates to choose `dcount` when they need to compare individual values against a historical list.

How to eliminate wrong answers

Option A is wrong because `timechart()` is a rendering function used to plot time-series data visually; it does not perform set-based anomaly detection or comparison logic. Option C is wrong because `dcount()` returns an approximate distinct count of values, not the actual set of values needed to check if a specific country has been seen before. Option D is wrong because `startofday()` is a datetime function that truncates timestamps to the start of the day; it has no capability to build or compare historical sets of countries.

1609
MCQhard

Wide World Importers uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview for data loss prevention (DLP). An incident is generated: 'DLP policy violation - sensitive data shared externally.' The incident shows that a user shared a document containing credit card numbers via SharePoint Online with an external guest. The user is a finance department employee. You need to respond to the incident. The organization wants to minimize business disruption while protecting data. Which of the following is the BEST immediate action?

A.Delete the document from SharePoint Online.
B.Modify the DLP policy to block sharing of credit card numbers.
C.Remove the external guest's access to the document in SharePoint Online.
D.Disable the user's account in Microsoft Entra ID and investigate.
AnswerC

Immediately stops unauthorized access while preserving the document and user productivity.

Why this answer

Option C is correct: removing the external guest's access to the document stops data exposure without affecting the user's work. Option D is wrong: disabling the user prevents all work and may be too drastic. Option A is wrong: deleting the document destroys evidence.

Option B is wrong: a DLP policy change takes time and does not stop the current exposure.

1610
MCQhard

Refer to the exhibit. An analyst runs this Azure CLI command and receives no output. The workspace has many High severity incidents in 'New' status. What is the most likely reason?

A.The analyst does not have read permissions for the workspace.
B.The query syntax is incorrect; the pipe between conditions is invalid.
C.No incidents match both conditions.
D.The --query parameter is not supported for this command.
AnswerB

JMESPath uses comma or boolean operators, not pipe. The correct query would be '[?status==`New` && severity==`High`]'.

Why this answer

The JMESPath query as written joins the two conditions with a pipe ('|'), which is not valid filter syntax; the conditions must be combined with '&&' (or expressed as separate filters). Indexing with [0] would also return nothing if there were no matches, but the root cause here is the query syntax.

1611
MCQmedium

Your organization uses Microsoft Defender XDR. You are investigating an incident that involves a malware infection on a Windows 10 device. The device is currently isolated from the network. The incident shows that the malware attempted to communicate with a command-and-control (C2) server. You have collected an investigation package. Now you need to remediate the device and bring it back to a clean state. The device has critical data that must not be lost. Which remediation action best balances thorough remediation with data preservation?

A.Initiate a live response to manually remove the malware.
B.Run a full antivirus scan and remove threats.
C.Reimage the device from a clean backup.
D.Perform a factory reset of the device.
AnswerC

Reimaging from a known good backup removes malware and restores data.

Why this answer

Option C is correct because reimaging from a clean backup ensures the malware is completely removed while preserving data from the backup. Option B (full scan) may not detect all malware. Option D (factory reset) loses all data.

Option A (live response) may miss persistent threats and is not as thorough as reimaging.

1612
MCQmedium

You are reviewing a PowerShell script used for automated response on a Windows 10 device managed by Microsoft Defender for Endpoint. What is the intended outcome of this script?

A.It removes all Trojan threats from the device.
B.It updates the antimalware signatures and then performs a scan.
C.It triggers a quick scan if any Trojan detection exists.
D.It configures Windows Defender to exclude Trojan files.
AnswerC

The condition checks for Trojan detections and then runs a quick scan.

Why this answer

Option C is correct because the script retrieves threat detections containing 'Trojan' and, if any are found, initiates a quick scan. Option A is wrong because the script doesn't remove threats, it only scans. Option D is wrong because it doesn't exclude anything.

Option B is wrong because it doesn't update signatures.

1613
MCQmedium

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

A.The delivery location and whether the email was delivered to Inbox, Junk, or Quarantine.
B.The authentication statuses (SPF, DKIM, DMARC) for the sender domain.
C.The sender IP address and the recipient email address.
D.The detection technology (e.g., Advanced ML, Reputation) and if the email was part of a phish simulation or a campaign.
AnswerD

Correct. Detection details show how the email was flagged, including specific technologies, simulation tags, and campaign information.

Why this answer

Option D is correct because the 'Detection details' section on the email entity page in Microsoft 365 Defender specifically shows the detection technology used (e.g., Advanced ML, Reputation, Bulk) and whether the email was part of a phishing simulation or a campaign. This information helps analysts understand how the email was identified as malicious and its context within broader threat activity.

Exam trap

The trap here is that candidates confuse the 'Detection details' section with other sections like 'Summary' or 'Authentication', leading them to select options that describe information found elsewhere on the email entity page.

How to eliminate wrong answers

Option A is wrong because the delivery location (Inbox, Junk, Quarantine) is found in the 'Email details' or 'Summary' section, not in 'Detection details'. Option B is wrong because authentication statuses (SPF, DKIM, DMARC) are displayed in the 'Authentication' section of the email entity page, not in 'Detection details'. Option C is wrong because the sender IP address and recipient email address are shown in the 'Summary' or 'Details' sections, not in 'Detection details'.

1614
MCQhard

Your security team uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to investigate incidents. You notice that some alerts from Microsoft Defender for Endpoint are not being automatically correlated into incidents as expected. You have confirmed that the relevant alert sources are enabled in the Microsoft Defender XDR portal. What is the most likely cause?

A.Alert tuning rules are causing the alerts to be excluded.
B.Incident correlation rules are not enabled for the relevant alert sources.
C.Automation rules in Microsoft Sentinel are deleting the alerts.
D.Alert suppression rules are blocking the alerts.
AnswerB

Correlation rules must be enabled to automatically create incidents from alerts.

Why this answer

Microsoft Defender XDR uses built-in correlation logic to automatically group related alerts from different sources (e.g., Defender for Endpoint, Defender for Office 365) into incidents. If alerts from a specific source, such as Defender for Endpoint, are not being correlated, the most likely cause is that the incident correlation rules for that source are not enabled in the Microsoft Defender XDR portal. Enabling the alert source alone is insufficient; the correlation engine must be explicitly activated for each source to aggregate alerts into incidents.

Exam trap

The trap here is that candidates assume enabling an alert source in the Microsoft Defender XDR portal automatically enables incident correlation for that source, but in reality, correlation rules must be explicitly enabled separately for each source.

How to eliminate wrong answers

Option A is wrong because alert tuning rules in Microsoft Defender XDR are used to reduce noise by suppressing or grouping alerts, but they do not prevent alerts from being correlated into incidents; they only affect alert generation. Option C is wrong because automation rules in Microsoft Sentinel are separate from Microsoft Defender XDR and operate on Sentinel incidents, not on Defender XDR alert correlation; Sentinel automation rules cannot delete alerts from Defender XDR. Option D is wrong because alert suppression rules in Defender for Endpoint are designed to suppress alerts based on criteria like device groups or severity, but they do not block alerts from being correlated into incidents; suppression only prevents alert creation, not correlation.

1615
MCQeasy

Your organization uses Microsoft 365 Defender. A security analyst detects a malware infection on a single endpoint named 'SalesPC01'. The malware is identified as 'Trojan:Win32/Emotet'. The endpoint is currently isolated from the network by the automatic response. You need to remediate the infection. The malware has been detected and the endpoint is isolated. What should you do next?

A.Delete the user account that was logged in when the malware was detected.
B.Disconnect the endpoint from the network manually.
C.Reimage the endpoint to ensure complete removal.
D.Initiate a full antivirus scan using Microsoft Defender Antivirus.
AnswerD

A full scan will detect and remove the malware.

Why this answer

Option D is correct because running a full scan or using Microsoft Defender for Endpoint's 'Run antivirus scan' action can remove the malware. Option B is wrong because the endpoint is already isolated. Option C is wrong because reimaging is a last resort.

Option A is wrong because deleting the user account is not necessary.

1616
MCQmedium

A company uses Microsoft Defender for Cloud to protect Azure virtual machines. The security team receives an alert indicating that a VM is communicating with a known malicious IP address. Which Defender for Cloud feature can be used to automatically block outbound traffic to that IP address by adjusting the network security group (NSG)?

A.Adaptive application controls
B.Just-in-time VM access
C.Adaptive network hardening
D.File integrity monitoring
AnswerC

Adaptive network hardening analyzes network traffic and NSG rules to harden them against threats, including blocking outbound traffic to malicious IPs.

Why this answer

Adaptive network hardening (C) is the correct feature because it uses machine learning to analyze traffic patterns and recommend NSG rules to restrict traffic to known trusted sources. When a VM communicates with a malicious IP, adaptive network hardening can automatically create a deny rule in the NSG to block outbound traffic to that IP, reducing the attack surface without manual intervention.

Exam trap

The trap here is that candidates confuse 'adaptive network hardening' with 'just-in-time VM access' because both involve NSG adjustments, but JIT only manages inbound ports while adaptive network hardening handles both inbound and outbound traffic based on threat intelligence.

How to eliminate wrong answers

Option A is wrong because adaptive application controls are designed to control which applications can run on a VM, not to block network traffic to specific IP addresses. Option B is wrong because just-in-time VM access reduces the attack surface by locking down inbound ports to a VM and opening them only when needed, but it does not block outbound traffic to malicious IPs. Option D is wrong because file integrity monitoring tracks changes to critical files and registry settings, not network traffic or IP-based blocking.

1617
MCQeasy

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What does it return?

A.Number of high-severity incidents per status.
B.Total count of high-severity incidents in the last 7 days.
C.Top 5 incident owners by number of high-severity incidents in the last 7 days.
D.Top 5 users assigned to high-severity incidents.
AnswerC

The query summarizes by Owner and returns top 5.

Why this answer

The KQL query uses `summarize` with `count()` by `Owner`, then `top 5 by count_`, and filters with `where Severity == 'High'` and `TimeGenerated > ago(7d)`. This returns the top 5 incident owners ranked by the number of high-severity incidents they own in the last 7 days, making option C correct.

Exam trap

The trap here is that candidates confuse `Owner` (the incident owner, often a person or automation rule) with `User` (a user entity involved in the incident), leading them to pick option D, which incorrectly assumes the query returns users assigned to incidents rather than owners.

How to eliminate wrong answers

Option A is wrong because the query does not group or summarize by `Status`; it groups by `Owner` and counts incidents, not statuses. Option B is wrong because the query returns a top 5 list of owners with counts, not a single total count of incidents. Option D is wrong because the query filters by `Owner` (the incident owner, typically a security analyst or automation account), not by `User` (which would refer to a user entity or account involved in the incident).

1618
MCQhard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that escalates incidents to ServiceNow. Due to compliance requirements, all data must remain in the West Europe region. You need to ensure that the playbook execution and any data it processes stays within West Europe. What should you do?

A.Use a different Sentinel workspace in West Europe for the incidents.
B.Move the Sentinel workspace to West Europe.
C.Configure the ServiceNow connector to use a West Europe endpoint.
D.Create the playbook as a Logic App in the West Europe region and ensure it uses a managed identity for authentication.
AnswerD

Playbooks run in the region of the Logic App; creating it in West Europe ensures compliance.

Why this answer

Playbooks run in the same region as the Logic Apps resource, which can be created in West Europe. By creating the playbook in West Europe, it will process data there. Option D is correct.

Option B is wrong because moving the Sentinel workspace is not possible without redeployment. Option C is wrong because the API connector does not control data location. Option A is wrong because using a different workspace would require changing all data collection.

1619
MCQmedium

During a threat hunt, you suspect a user may have exfiltrated data via email. Which Microsoft 365 Defender advanced hunting table should you query to review email attachments and their file hashes?

A.EmailUrlInfo
B.EmailAttachmentInfo
C.EmailEvents
D.EmailPostDeliveryEvents
AnswerB

This table includes attachment information and hashes.

Why this answer

EmailAttachmentInfo contains details about email attachments, including file name, size, and SHA256 hash.

1620
Multi-Selecteasy

Which THREE components are part of Microsoft Defender XDR? (Select three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Entra ID
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud
E.Microsoft Defender for Office 365
AnswersA, C, E

Endpoint protection is a core component.

Why this answer

Defender XDR includes Defender for Endpoint, Defender for Office 365, and Defender for Identity, so options A, C, and E are correct. Option D (Microsoft Defender for Cloud) is a cloud security solution, not part of Defender XDR.

Option B (Microsoft Entra ID) is an identity management service.

1621
MCQhard

You are a SOC analyst at Contoso Ltd. The company uses Microsoft Sentinel and Microsoft Defender XDR. A high-severity incident is generated from a Sentinel analytics rule that detects multiple failed logins followed by a successful login from a geographically unusual location for a user. The incident includes an alert from Microsoft Defender for Identity indicating a possible brute-force attack. The user's account is a privileged administrator. Your organization has strict compliance requirements: any privileged account compromise must be contained within 15 minutes of detection. You have the following tools available: Microsoft Entra ID with Privileged Identity Management (PIM), Microsoft Defender for Cloud Apps, and Microsoft 365 Defender automation rules. The incident is now 5 minutes old. What should you do to meet the compliance requirement?

A.Create an automation rule in Microsoft 365 Defender to alert the security team.
B.Disable the user account in Microsoft Entra ID immediately.
C.Create a conditional access policy to block the user's sign-ins.
D.Activate PIM and remove the user's role assignments.
AnswerB

Disabling stops all access within seconds.

Why this answer

Disabling the account is the fastest containment; PIM may take extra steps; alerting is not containment; policies are slower.

1622
MCQeasy

During a ransomware incident, you need to prevent the encryption of files in SharePoint Online and OneDrive for Business. You have already identified the compromised user account. What should you do?

A.Disable external sharing for SharePoint Online
B.Lock the compromised user account in Microsoft Entra ID
C.Delete the compromised user's OneDrive files
D.Apply a retention policy to all SharePoint sites
AnswerB

Locking the account prevents further access to files.

Why this answer

Option B is correct because locking the account stops the attacker from accessing files. Option C is wrong because deleting files does not prevent encryption. Option D is wrong because applying a retention policy does not block access.

Option A is wrong because disabling external sharing does not stop internal encryption.

1623
MCQhard

You are investigating an incident where a user reported receiving a suspicious email with a malicious attachment. Microsoft Defender for Office 365 did not block it. The email originated from a known malicious sender domain. What configuration should you check first?

A.User-reported message settings
B.SPF record for the sender domain
C.Safe Attachments policy
D.Anti-phishing policy in Microsoft Defender for Office 365
AnswerD

Anti-phishing policies can block emails from known malicious domains or impersonation attempts.

Why this answer

Option D is correct. The most likely reason for the email not being blocked is that the anti-phishing policy is not properly configured or the sender is bypassed. Option B (SPF) is relevant but less likely if the domain is known to be malicious.

Option C (Safe Attachments) may not catch everything. Option A (user-reported message settings) is not about blocking.

1624
MCQeasy

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user account is created and then deleted within 24 hours, which could indicate a test account used for malicious purposes. The rule should only run on the SecurityEvent table. You have written the KQL query and now need to configure the rule settings. Which alert scheduling configuration should you set to minimize latency while ensuring that the rule catches the pattern?

A.Run query every 1 hour with a 1-hour lookback.
B.Run query every 24 hours with a 24-hour lookback.
C.Run query every 1 hour with no lookback.
D.Run query every 5 minutes with a 5-minute lookback.
Answer: A

Balances latency and detection coverage.

Why this answer

Option A is correct because running the query every 1 hour with a 1-hour lookback ensures that any account creation and deletion occurring within a 24-hour window is captured with minimal latency. The 1-hour lookback allows the rule to detect events that span across the current and previous execution windows, which is essential for catching the creation and deletion pattern without missing events due to scheduling gaps.

Exam trap

The trap here is that candidates often choose a lookback equal to the pattern duration (24 hours) or a very short frequency (5 minutes), failing to realize that the combination of frequency and lookback must ensure overlapping windows to capture events that span across execution boundaries.

How to eliminate wrong answers

Option B is wrong because running the query every 24 hours with a 24-hour lookback introduces up to 24 hours of latency, which is not minimal and could delay detection of malicious activity. Option C is wrong because running the query every 1 hour with no lookback means the rule only evaluates events from the current hour, so it would miss the creation event if it occurred in a previous hour and the deletion in the current hour. Option D is wrong because running the query every 5 minutes with a 5-minute lookback would require the creation and deletion to occur within the same 5-minute window, which is too restrictive for a 24-hour pattern and would likely miss most occurrences.

1625
MCQ · easy

Refer to the exhibit. You are configuring a Microsoft Sentinel scheduled analytics rule with the above incident creation settings. What is the effect of setting 'groupingConfiguration.enabled' to false?

A.Alerts will be suppressed for 5 minutes
B.The rule will run every 5 minutes
C.No incidents will be created
D.Each alert will generate a separate incident
Answer: D

With grouping disabled, every alert triggers a new incident.

Why this answer

Option D is correct because the grouping configuration controls whether alerts are grouped into a single incident. Disabling it means each alert creates its own incident. Option C is wrong because the rule still creates incidents. Option B is wrong because the run frequency is defined elsewhere in the rule, not by the grouping setting. Option A is wrong because suppression is a different setting.

1626
MCQ · easy

Refer to the exhibit. You are reviewing a custom Azure Policy definition that should block deployments from specific IP addresses. However, the policy does not seem to be evaluating any resources. What is the most likely issue?

A.The 'in' operator cannot be used with an array parameter
B.The policy definition has not been assigned to any scope
C.The policy mode should be 'Indexed' for network policies
D.The 'effect' should be 'audit' instead of 'deny'
Answer: B

A policy must be assigned to a scope to evaluate resources.

Why this answer

The exhibit shows a custom Azure Policy definition that is syntactically correct, but the policy is not evaluating any resources. The most likely cause is that the policy definition has not been assigned to a scope (e.g., management group, subscription, or resource group). In Azure Policy, a definition alone does nothing; it must be assigned to a scope to take effect and begin evaluating resources.

Exam trap

The trap here is that candidates focus on syntax errors or operator misuse in the policy definition, overlooking the prerequisite that a policy must be assigned to a scope before it can evaluate any resources.

How to eliminate wrong answers

Option A is wrong because the 'in' operator can be used with an array parameter in Azure Policy; the issue is not with the operator but with the missing assignment. Option C is wrong because the policy mode should be 'All' (or 'Microsoft.Network.Data') for network policies that evaluate resource properties, not 'Indexed', which is used for resource provider modes like 'Microsoft.Kubernetes.Data'. Option D is wrong because changing the effect from 'deny' to 'audit' would not cause the policy to fail to evaluate resources; it would only change the enforcement behavior, and the policy would still need to be assigned to a scope.

1627
MCQ · easy

You receive a Microsoft Defender XDR incident alert about a suspicious sign-in from an unfamiliar location. The user confirms they did not perform the sign-in. What should you do to immediately secure the account?

A.Disable the user account in Microsoft Entra ID
B.Reset the user's password
C.Block the IP address used for the suspicious sign-in
D.Require the user to register for Microsoft Entra Multi-Factor Authentication
Answer: A

Disabling the account immediately blocks all sign-ins.

Why this answer

Option A is correct because disabling the user account in Microsoft Entra ID immediately prevents further use. Option B is wrong because resetting the password alone does not block active sessions. Option D is wrong because MFA registration does not stop an ongoing compromise. Option C is wrong because blocking the IP may not be effective if the attacker uses multiple IPs.

1628
MCQ · easy

A SOC analyst needs to create a custom alert in Microsoft Sentinel that triggers when a specific user logs in from an unusual geographic location, compared to a learned baseline of normal locations. Which type of analytics rule is best suited for this scenario?

A.Scheduled query
B.Near-real-time (NRT) rule
C.Anomaly detection rule (machine learning)
D.Fusion rule
Answer: C

Correct: This rule type uses ML to learn normal patterns and trigger alerts on deviations.

Why this answer

Option C is correct because anomaly detection rules in Microsoft Sentinel use machine learning to establish a baseline of normal user behavior, such as typical geographic login locations. When a login event deviates significantly from this learned baseline, the rule triggers an alert. This is the only rule type specifically designed for detecting behavioral anomalies without requiring static thresholds or predefined patterns.

Exam trap

The trap here is that candidates often confuse scheduled queries (Option A) with anomaly detection, assuming a KQL query using 'where Location != 'US'' can replace ML-based baseline learning, but scheduled queries cannot dynamically adapt to changing user behavior over time.

How to eliminate wrong answers

Option A is wrong because scheduled queries run on a fixed schedule (e.g., every 5 minutes) and rely on static KQL queries with hardcoded thresholds or lists, not on a learned baseline of normal locations. Option B is wrong because near-real-time (NRT) rules process streaming data with minimal latency but still require explicit query logic and cannot adaptively learn a baseline of normal behavior. Option D is wrong because Fusion rules correlate alerts from multiple security products to detect multi-stage attacks, not to detect single-user geographic anomalies against a learned baseline.

1629
MCQ · easy

Your team uses Microsoft Defender XDR to manage incidents. You need to ensure that all incidents with a severity of 'High' are automatically assigned to a specific SOC analyst group. What should you configure?

A.Set up an advanced hunting query to detect high severity incidents and send email.
B.Create an automation rule in Microsoft Defender XDR to automatically assign incidents.
C.Configure a playbook in Microsoft Sentinel triggered by incidents.
D.Use the 'New-MTPIncidentAssignment' cmdlet in a scheduled task.
Answer: B

Automation rules can apply actions like assignment based on conditions.

Why this answer

Option B is correct because Microsoft Defender XDR allows you to create automation rules that assign incidents based on criteria such as severity. Option C is incorrect because a Sentinel playbook is intended for automated investigation and response orchestration, not simple assignment. Option D is incorrect because it is a PowerShell cmdlet run from a scheduled task, not a portal configuration. Option A is incorrect because advanced hunting is for querying data, not automation.

1630
MCQ · easy

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to ensure that all incidents from a specific analytics rule are automatically assigned to the 'SOC Tier 1' team. What should you configure in Microsoft Sentinel?

A.Configure alert enrichment in the analytics rule to add the owner.
B.Modify the analytics rule to write the incident to a custom table accessible by the SOC team.
C.Create a playbook that assigns the incident and attach it to the analytics rule.
D.Create an automation rule that triggers when the incident is created and sets the owner.
Answer: D

Automation rules can set the incident owner upon creation.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can automatically assign incidents to a specific owner or team. Option C is wrong because playbooks are for complex orchestration, not simple assignment. Option A is wrong because alert enrichment adds data to alerts; it does not assign incidents. Option B is wrong because custom tables are for storing data.

1631
Multi-Select · hard

You are investigating a data exfiltration incident in Microsoft Defender for Cloud Apps. The investigation reveals that a user downloaded sensitive files from SharePoint and uploaded them to a third-party cloud storage app. Which THREE actions should you take to contain the incident?

Select 3 answers
A.Apply a session policy to block uploads to unauthorized apps.
B.Suspend the user account in Microsoft 365 Defender.
C.Add the third-party app to the blocked apps list in Defender for Cloud Apps.
D.Delete the files from the third-party cloud app.
E.Apply a sensitivity label to the files to prevent sharing.
Answers: A, B, C

Session policies can block uploads in real time.

Why this answer

Options A, B, and C are correct because suspending the user, blocking uploads to unauthorized apps, and blocking the third-party app contain the threat. Option D is wrong because removing files from the third-party app is a recovery step, not containment. Option E is wrong because applying sensitivity labels is a classification action, not immediate containment.

1632
MCQ · easy

You are investigating a low-severity incident in Microsoft Sentinel where a user reported receiving a phishing email. The email was not blocked by the email security solution. The user did not click any links. What should you do first?

A.Delete the phishing email from the user's inbox
B.Report the email for analysis using the Microsoft 365 Defender portal
C.Reset the user's password as a precaution
D.Isolate the user's device from the network
Answer: B

Reporting helps improve email security.

Why this answer

Option B is correct because reporting the email for analysis helps improve email security and determine if it was a false negative. Option A is wrong because deleting the email destroys evidence. Option C is wrong because resetting password is unnecessary as no credentials were compromised.

Option D is wrong because no device isolation is needed.

1633
Multi-Select · hard

During a security incident, a Microsoft Sentinel analytics rule generated an alert for a suspicious sign-in from an unusual location. The incident involves a user whose account has been compromised. The security team needs to take immediate actions to remediate and prevent further damage. Which THREE actions should the security team prioritize?

Select 3 answers
A.Reset the user's password
B.Revoke the user's session tokens
C.Review audit logs for all users
D.Raise the user's risk level in Identity Protection
E.Disable the user account in Microsoft Entra ID
Answers: A, B, E

A password reset invalidates stolen credentials.

Why this answer

Option E is correct because disabling the user account stops further access. Option A is correct because resetting the password ensures the attacker cannot reuse stolen credentials. Option B is correct because revoking session tokens ends active sessions. Option C is wrong because reviewing audit logs is important but not an immediate remediation. Option D is wrong because raising the risk level is a classification, not a remediation.

1634
MCQ · hard

Refer to the exhibit. You have an automation rule in Microsoft Sentinel that triggers a playbook to isolate a device when a High severity incident is created. However, you notice that the playbook is not triggered for incidents that are created from analytics rules that use entity mapping. What is the most likely cause?

A.The playbook requires a managed identity, which is missing.
B.The playbook is not authorized to run for automation rules.
C.The automation rule is disabled.
D.The analytics rule sets the severity after incident creation, so the condition does not match at creation time.
Answer: D

The condition checks severity at creation; if severity is set later, the rule will not fire.

Why this answer

The correct answer is D. The automation rule triggers on incident creation, and its condition checks severity at that moment. If the severity is set after creation (for example, by a playbook or by the analytics rule), the condition does not match when the incident is created. The exhibit shows the trigger is 'Created' with a condition on severity, so if the analytics rule sets severity later, the rule will not fire. The other options are plausible but less likely.

1635
MCQ · medium

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network traffic from a compromised virtual machine. Which data source should be prioritized for this hunt?

A.Azure Activity Log
B.Azure Network Watcher flow logs
C.Windows Event Logs (Security, System)
D.Microsoft Entra ID sign-in logs
Answer: B

Flow logs capture IP traffic information, enabling detection of anomalous outbound connections.

Why this answer

Azure Network Watcher flow logs provide detailed information about IP traffic through Azure networks, making them ideal for detecting anomalous outbound traffic patterns. Option A (Azure Activity Log) focuses on control plane events, not network flows. Option C (Windows Event Logs) is for host-level events, not network traffic.

Option D (Microsoft Entra ID sign-in logs) records authentication events, not network traffic.

1636
Multi-Select · medium

Which TWO actions should you take when handling a confirmed ransomware incident in an environment protected by Microsoft Defender for Endpoint?

Select 2 answers
A.Block the ransomware file hash using threat intelligence indicators in Microsoft Defender.
B.Initiate device isolation from the Microsoft Defender for Endpoint console.
C.Disable Windows Defender real-time protection.
D.Submit the ransomware sample to Microsoft for analysis.
E.Reimage all affected servers immediately.
Answers: A, B

Blocking the hash prevents further execution on other endpoints.

Why this answer

Options A and B are correct. Option B isolates affected devices to prevent spread. Option A blocks indicators of compromise (IoCs) to stop further execution. Option D is not an immediate containment step; Option C is unnecessary if Defender manages updates; Option E is reactive and not a containment step.

1637
MCQ · easy

A security operations center (SOC) uses Microsoft Sentinel. The team wants to automatically assign incidents to the appropriate analyst based on the severity level of the alert. Which feature should be configured to achieve this automation?

A.Automation rules
B.Playbooks
C.Analytics rules
D.Watchlists
Answer: A

Automation rules can automatically assign incidents to analysts based on criteria like severity, reducing manual triage effort.

Why this answer

Automation rules in Microsoft Sentinel allow you to define conditions (such as alert severity) and corresponding actions (like assigning an incident to a specific analyst or group) without requiring custom code. This directly meets the SOC's requirement to automatically route incidents based on severity levels, as automation rules can trigger on incident creation or update and perform assignment actions.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking playbooks are required for any automated action, but automation rules handle simple, condition-based assignments natively without needing a Logic App.

How to eliminate wrong answers

Option B is wrong because playbooks are automated workflows (often using Azure Logic Apps) that execute complex, multi-step responses, but they are not the primary feature for simple, rule-based assignment; they are typically triggered by automation rules for advanced orchestration. Option C is wrong because analytics rules are used to generate alerts and incidents from data sources (e.g., KQL queries), not to manage incident assignment or routing after creation. Option D is wrong because watchlists are collections of static data (e.g., IP addresses, usernames) used for correlation or enrichment in analytics rules, not for automating incident assignment actions.

1638
MCQ · easy

A security analyst is investigating a phishing campaign using Microsoft 365 Defender advanced hunting. The analyst needs to find all emails sent from a specific sender address in the last 7 days. Which table should be queried?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.DeviceEvents
Answer: A

Correct. EmailEvents contains sender, recipient, subject, and other email delivery properties. It is the primary table for email metadata.

Why this answer

The EmailEvents table in Microsoft 365 Defender advanced hunting stores metadata about email messages, including sender addresses, recipients, timestamps, and delivery actions. To find all emails from a specific sender in the last 7 days, you query EmailEvents because it contains the 'SenderFromAddress' or 'SenderMailFromAddress' fields needed to filter by sender. The other tables focus on attachments, URLs, or device-level events, which are not relevant for identifying emails by sender address.

Exam trap

The trap here is that candidates may confuse the purpose of EmailAttachmentInfo or EmailUrlInfo, thinking they contain sender data, when in fact they only store attachment or URL details and require a join with EmailEvents to correlate back to the sender.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it stores information about email attachments (e.g., file names, hashes) but does not contain the sender address field needed to filter by sender. Option C (EmailUrlInfo) is wrong because it tracks URLs found in email bodies or attachments, not sender metadata. Option D (DeviceEvents) is wrong because it logs endpoint-level activities (e.g., process creation, network connections) and has no email-related data, making it irrelevant for querying email sender addresses.

1639
MCQ · hard

You run the KQL query above in Microsoft Sentinel. The query returns zero results even though you know some devices have connected to malicious IPs. What is the most likely cause?

A.The externaldata source URL is inaccessible from the Sentinel workspace.
B.The malicious IPs are not in the list.
C.The DeviceNetworkEvents table does not contain the RemoteIP column.
D.The let statement syntax is incorrect.
Answer: A

If the workspace cannot reach the URL, no IPs are loaded.

Why this answer

Option A is correct because externaldata requires the cluster to fetch the URL, and that access may be blocked. Option D is wrong because the let statement syntax is correct. Option C is wrong because DeviceNetworkEvents is a valid table that includes the RemoteIP column. Option B is wrong because the IPs are in the list.
