Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 151225

1639 questions total · 22 pages · All types, answers revealed


Page 3 of 22
151
Multi-Select (medium)

Which TWO actions are appropriate when handling a confirmed ransomware incident in Microsoft 365?

Select 2 answers
A. Run a full antivirus scan on all devices.
B. Restore encrypted files from backup immediately without investigation.
C. Pay the ransom to regain access.
D. Isolate affected devices from the network.
E. Change passwords for all potentially compromised accounts.
Answers: D, E

Isolation contains the spread of ransomware.

Why this answer

Correct: Isolate affected devices to prevent spread, and change passwords for compromised accounts. Wrong: Paying ransom is not recommended; restoring from backup is good but not immediate; scanning with antivirus is reactive and may not remove all traces.

152
MCQ (medium)

Your threat hunt reveals a series of failed logon attempts from a single IP address across multiple user accounts. Which Microsoft Sentinel analytic rule template is best suited to alert on this brute-force pattern?

A. Malware detected in network traffic
B. Brute force attack against a user account
C. Password spray attack
D. Anomalous logon location
Answer: B

Detects multiple failed logon attempts from a single IP.

Why this answer

Option B is correct because the 'Brute force attack against a user account' rule specifically detects multiple failed logons. Option A is for malware. Option D is for anomalous logons by geographic location.

Option C is for password spray across many users.

153
Multi-Select (medium)

Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender XDR?

Select 2 answers
A. Run a full antivirus scan
B. Reset the user's password
C. Restore files from backup
D. Disable the user account
E. Isolate the affected devices
Answers: A, E

Helps identify and remove malware.

Why this answer

Options A and E are correct. Isolating affected devices prevents spread, and running a full antivirus scan helps remove malware. Option B is wrong because resetting passwords is not immediate containment.

Option D is wrong because disabling the account might not be necessary and could hinder investigation. Option C is wrong because restoring files from backup is a recovery step after containment.

154
MCQ (medium)

Your security team uses Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that all virtual machines have endpoint protection enabled. Which policy initiative should you assign?

A. Enable encryption on Azure VMs
B. Deploy Microsoft Defender for Endpoint
C. Deploy Windows Defender Exploit Guard
D. Azure Security Benchmark
Answer: B

This initiative includes policies to enable endpoint protection on VMs.

Why this answer

Option B is correct because the 'Deploy Microsoft Defender for Endpoint' policy initiative includes policies to install and configure endpoint protection on VMs. Option A is about VM encryption, not endpoint protection. Option C (Windows Defender Exploit Guard) does not deploy endpoint protection.

Option D (Azure Security Benchmark) is about security configuration baselines.

155
MCQ (medium)

Your organization is using Microsoft Sentinel and you are responsible for managing the security operations environment. You need to ensure that a new security analyst can triage incidents but cannot modify analytics rules. Which role should you assign?

A. Microsoft Sentinel Responder
B. Microsoft Sentinel Reader
C. Microsoft Sentinel Contributor
D. Microsoft Sentinel Contributor with a custom role denying rule modification
Answer: A

Responder can triage incidents but not modify rules.

Why this answer

The Microsoft Sentinel Responder role allows triaging of incidents (changing status, assigning) but cannot modify analytics rules, so Option A is correct. Option B is wrong because Reader cannot triage (cannot change status).

Option C is wrong because Contributor can modify analytics rules. Option D is wrong because although it allows triage, it also allows modifying rules, which is not desired.

156
MCQ (easy)

Your team uses Microsoft Sentinel to monitor multiple Azure subscriptions. You need to grant a junior analyst the ability to view incidents and run playbooks, but not modify analytics rules or data connectors. Which built-in role should you assign?

A. Microsoft Sentinel Contributor
B. Automation Contributor
C. Microsoft Sentinel Reader
D. Microsoft Sentinel Responder
Answer: D

Responder can view incidents and run playbooks.

Why this answer

Option D is correct because Microsoft Sentinel Responder allows viewing incidents and running playbooks, but not modifying analytics rules or connectors. Reader only allows viewing. Contributor allows modifications.

Automation Contributor is for runbooks/automation accounts, not Sentinel-specific.

157
Multi-Select (easy)

Which TWO are supported data sources for Microsoft Sentinel?

Select 2 answers
A. Google Cloud VPC Flow Logs
B. Windows Server 2008 event logs
C. Microsoft Entra ID audit logs
D. AWS CloudTrail
E. On-premises syslog-ng
Answers: C, D

Supported via Microsoft Entra ID connector (formerly Azure AD).

Why this answer

Options C and D are correct. Microsoft Sentinel supports AWS CloudTrail via the Amazon Web Services connector and Microsoft Entra ID audit logs via the Azure Active Directory connector (now Microsoft Entra ID). Option E is wrong because on-premises syslog-ng is not directly supported; syslog is supported via a connector.

Option A is wrong because Google Cloud VPC Flow Logs are not natively supported. Option B is wrong because Windows Server 2008 is out of support and not recommended.

158
MCQ (easy)

A security engineer is configuring Microsoft Defender for Cloud in a hybrid environment with on-premises servers connected via Azure Arc. The engineer wants to enable the Defender for Cloud plans for servers (including vulnerability assessment) on all Azure Arc-enabled machines. What is the correct method to deploy the Log Analytics agent (or Azure Monitor Agent) and the Microsoft Defender for Endpoint (MDE) integration?

A. Manually install the Log Analytics agent on each machine and then enable MDE integration
B. Use the Defender for Cloud auto-provisioning feature with the Azure Policy 'Deploy Log Analytics agent' and enable MDE integration
C. Use Azure Arc extensions to install the agents and then configure Defender for Cloud plans
D. Deploy the agents via Configuration Manager
Answer: B

Auto-provisioning automatically deploys the required agents and enables MDE integration on Azure Arc servers via Azure Policy.

Why this answer

Option B is correct because Defender for Cloud's auto-provisioning feature uses built-in Azure Policy initiatives to automatically deploy the Log Analytics agent (or Azure Monitor Agent) to Azure Arc-enabled machines, and it also enables the Microsoft Defender for Endpoint (MDE) integration via the 'Configure machines to receive a vulnerability assessment provider' policy. This ensures consistent, scalable deployment without manual intervention, aligning with the hybrid environment's requirements.

Exam trap

The trap here is that candidates often assume Azure Arc extensions (Option C) are the primary method for agent deployment, but they overlook that Defender for Cloud's auto-provisioning feature uses Azure Policy to automate both agent installation and MDE integration, which is the recommended and correct approach for hybrid environments.

How to eliminate wrong answers

Option A is wrong because manually installing the Log Analytics agent on each machine is not scalable and does not leverage Defender for Cloud's automated policy-driven deployment, which is required for consistent configuration across Azure Arc-enabled servers. Option C is wrong because while Azure Arc extensions can install agents, they do not automatically configure the Defender for Cloud plans or MDE integration; the auto-provisioning feature in Defender for Cloud handles both agent deployment and plan enablement via policy. Option D is wrong because deploying agents via Configuration Manager (SCCM) is a traditional on-premises method that does not integrate with Defender for Cloud's policy-based auto-provisioning and would require additional manual steps to enable MDE integration and vulnerability assessment.

159
MCQ (hard)

Your organization is migrating to Microsoft Sentinel. You need to ensure that the workspace retains data for 2 years for compliance, but you want to reduce costs by using cheaper storage for data older than 90 days. What should you configure?

A. Set the workspace retention to 730 days and enable a data cap.
B. Set workspace retention to 90 days and configure long-term retention in Azure Data Explorer (ADX).
C. Export data older than 90 days to a storage account and delete from workspace.
D. Configure the workspace retention to 90 days and use Azure Storage archiving.
Answer: B

ADX integration allows cost-effective long-term retention with query capabilities.

Why this answer

Option B is correct because Microsoft Sentinel allows you to set the workspace retention to 90 days for interactive, hot-tier access, and then configure long-term retention in Azure Data Explorer (ADX) for data older than 90 days. This approach meets the 2-year compliance requirement while reducing costs, as ADX provides cheaper storage for older data that is queried less frequently.

Exam trap

The trap here is that candidates often confuse Azure Storage archiving or data export with the ability to query the data in Sentinel, not realizing that only ADX provides native, queryable long-term retention integrated with Sentinel's KQL interface.

How to eliminate wrong answers

Option A is wrong because enabling a data cap does not provide cheaper storage for older data; it only limits data ingestion, and setting workspace retention to 730 days keeps all data in the expensive hot tier for the entire period, increasing costs. Option C is wrong because exporting data to a storage account and deleting it from the workspace breaks the ability to query that data within Sentinel, and Sentinel does not natively support querying data from external storage accounts without additional tooling. Option D is wrong because Azure Storage archiving is not natively integrated with Sentinel for querying archived data; Sentinel requires data to be in the workspace or in ADX for long-term retention with query capability.

160
MCQ (medium)

Your organization uses Microsoft Sentinel and has enabled UEBA. You notice that many low-severity incidents are being created from high-volume informational alerts. You want to reduce noise without disabling data connectors. What should you do?

A. Create an automation rule that closes low-severity incidents immediately.
B. Increase the incident creation threshold in the analytics rule.
C. Modify the analytics rule query to exclude the high-volume informational events using KQL.
D. Disable the Microsoft 365 Defender connector for those data sources.
Answer: C

Tuning the query filters out unwanted alerts.

Why this answer

Option C is correct because analytics rule tuning using KQL allows you to filter out specific events or conditions, reducing false positives. Option D is wrong because disabling connectors would stop all data ingestion, not just noise. Option B is wrong because suppression is typically used for incidents, not at the rule level for noise reduction.

Option A is wrong because automation rules act after incident creation; they do not prevent it.

161
MCQ (hard)

You are investigating a potential DCSync attack. Which Advanced Hunting query in Microsoft Defender XDR would best detect a process making atypical directory replication requests?

A. IdentityDirectoryEvents | where ActionType == 'Replication'
B. DeviceProcessEvents | where FileName contains 'ntdsutil'
C. IdentityLogonEvents | where ActionType == 'DirectoryReplication'
D. DeviceEvents | where ActionType == 'DirectoryReplicationRequest'
Answer: D

DeviceEvents with ActionType 'DirectoryReplicationRequest' is used for detecting DCSync.

Why this answer

Option D is correct because DeviceEvents captures 'DirectoryReplicationRequest' events from Microsoft Defender for Identity. Option C (IdentityLogonEvents) captures logons. Option A (IdentityDirectoryEvents) captures directory changes but not replication requests.

Option B (DeviceProcessEvents) captures process creation.

162
MCQ (medium)

An organization uses Microsoft Defender for Cloud and has enabled enhanced security features. They want to receive alerts when a user attempts to connect to an Azure VM via RDP from a public IP address that is not in a predefined list of trusted IP ranges. Which Defender for Cloud plan or feature provides this capability?

A. Adaptive network hardening
B. Network security groups (NSG) flow logs
C. Just-In-Time (JIT) VM access
D. File Integrity Monitoring (FIM)
Answer: C

JIT allows you to define a list of approved source IPs and ports; any connection attempt from an unapproved IP triggers an alert.

Why this answer

Just-In-Time (JIT) VM access in Microsoft Defender for Cloud allows you to lock down inbound traffic to Azure VMs, reducing exposure to attacks while providing easy access when needed. When enabled, JIT creates rules in the network security group (NSG) that permit RDP (TCP 3389) or SSH (TCP 22) traffic only from specific IP addresses or ranges that you define, and only during a requested time window. If a user attempts an RDP connection from a public IP not in the trusted list, Defender for Cloud generates an alert, as the traffic is blocked by the JIT policy.

Exam trap

The trap here is that candidates often confuse Adaptive network hardening (which also adjusts NSG rules) with JIT VM access, but Adaptive network hardening does not enforce a predefined trusted IP list or generate alerts for unauthorized RDP attempts—it only recommends rule changes based on traffic patterns.

How to eliminate wrong answers

Option A is wrong because Adaptive network hardening is a feature that dynamically adjusts NSG rules based on observed traffic patterns to reduce the attack surface, but it does not provide the ability to define a trusted IP list for RDP access or generate alerts for unauthorized connection attempts from specific IPs. Option B is wrong because NSG flow logs capture information about IP traffic flowing through an NSG for network monitoring and analysis, but they do not enforce access control or generate real-time alerts for RDP connection attempts from untrusted IPs. Option D is wrong because File Integrity Monitoring (FIM) monitors changes to critical files, registries, and software on VMs, not network-level access attempts like RDP connections from public IPs.

163
Drag & Drop (medium)

Arrange the steps to enable and configure the Microsoft Defender for Identity (MDI) sensor on a domain controller.

Why this order

MDI sensors are installed on domain controllers to capture and analyze authentication events.

164
MCQ (easy)

A security administrator wants to view the overall security posture of all Azure subscriptions in a single numerical score. Which dashboard in Microsoft Defender for Cloud provides this score based on implemented security controls?

A. Regulatory compliance dashboard
B. Secure Score dashboard
C. Inventory dashboard
D. Recommendations dashboard
Answer: B

The Secure Score dashboard displays the overall security posture score based on the implementation of security controls and recommendations across all subscriptions.

Why this answer

The Secure Score dashboard in Microsoft Defender for Cloud aggregates the security posture across all Azure subscriptions into a single numerical score. This score is calculated based on the implementation of security controls and recommendations, providing a quantifiable measure of your overall security hygiene.

Exam trap

The trap here is that candidates often confuse the Secure Score dashboard with the Recommendations dashboard, thinking that viewing individual recommendations provides the same aggregated score, but the Secure Score dashboard is the only place where the single numerical score is displayed.

How to eliminate wrong answers

Option A is wrong because the Regulatory compliance dashboard shows compliance with specific standards (e.g., ISO 27001, NIST) but does not produce a single numerical score for overall security posture. Option C is wrong because the Inventory dashboard lists all monitored resources and their security configurations, but it does not aggregate them into a single score. Option D is wrong because the Recommendations dashboard lists individual security recommendations and their status, but it does not calculate or display a unified numerical score.

165
Multi-Select (medium)

Your Microsoft Sentinel workspace ingests logs from Microsoft Defender for Cloud and Microsoft 365 Defender. You need to create an incident response playbook that automatically responds to high-severity incidents. Which THREE components are required? (Choose three.)

Select 3 answers
A. A workbook to visualize the incident data
B. An analytics rule that generates the incident
C. An automation rule in Microsoft Sentinel
D. A hunting query to search for similar activity
E. A Logic Apps workflow with Microsoft Sentinel trigger
Answers: B, C, E

Analytics rules detect threats and create incidents.

Why this answer

Options B, C, and E are correct. An analytics rule generates the incident, an automation rule triggers the playbook, and a Logic Apps workflow defines the playbook actions.

Option A is wrong because a workbook is for visualization, not automation. Option D is wrong because a hunting query is for proactive search, not automated response.

166
MCQ (medium)

A security analyst receives a high-severity alert for a suspicious login from an unusual location. The alert was generated by Microsoft Sentinel from Microsoft Entra ID sign-in logs. The analyst needs to determine if the login was successful and if any data exfiltration occurred. What is the MOST efficient first step?

A. Run a KQL query in Microsoft Sentinel to review the SigninLogs table for the user within the alert time range.
B. Use Microsoft Defender XDR to check the user's device timeline for suspicious activity.
C. Run a KQL query in Microsoft Sentinel to check Microsoft Defender for Cloud Apps alerts for the user.
D. Check the firewall logs in Azure Firewall for outbound connections from the user's IP.
Answer: A

SigninLogs directly shows login success/failure and details.

Why this answer

Option A is correct because examining Microsoft Entra ID sign-in logs in Sentinel provides immediate details about login success/failure. Option C is wrong because Defender for Cloud Apps alerts may not include sign-in details. Option D is wrong because reviewing firewall logs is too broad and inefficient.

Option B is wrong because the Microsoft Defender XDR device timeline does not directly show sign-in details.

167
MCQ (hard)

An analyst is investigating a data exfiltration incident. They suspect that a user downloaded sensitive files from a SharePoint site and then uploaded them to a non-corporate cloud storage service (e.g., Dropbox) using the same device. Which combination of Advanced Hunting tables should the analyst query to correlate the SharePoint download activity with network connections to external IPs?

A. CloudAppEvents and DeviceNetworkEvents
B. EmailEvents and DeviceNetworkEvents
C. DeviceFileEvents and DeviceNetworkEvents
D. CloudAppEvents and IdentityLogonEvents
Answer: A

CloudAppEvents logs activities in cloud apps like SharePoint, including file downloads. DeviceNetworkEvents logs network connections from devices, which can show connections to external services. Joining on device and timestamp allows correlation.

Why this answer

CloudAppEvents logs user activities in cloud apps like SharePoint, including file downloads. DeviceNetworkEvents logs network connections from devices, including connections to external IPs. Combining these tables allows the analyst to correlate the SharePoint download event (from CloudAppEvents) with subsequent network connections to non-corporate cloud storage IPs (from DeviceNetworkEvents) on the same device, directly mapping the exfiltration path.

Exam trap

The trap here is that candidates often pick DeviceFileEvents (Option C) thinking it logs the SharePoint download locally, but SharePoint downloads are cloud events logged in CloudAppEvents, not local file events.

How to eliminate wrong answers

Option B is wrong because EmailEvents logs email-related activities (send, receive, phishing), not SharePoint file downloads or network connections to external IPs, so it cannot correlate the download with network activity. Option C is wrong because DeviceFileEvents logs local file operations (create, modify, delete) on the device, but SharePoint downloads are cloud-side events not captured locally unless the file is saved to disk; it does not log the cloud download action itself. Option D is wrong because IdentityLogonEvents logs authentication events (logons, logoffs), not SharePoint file activities or network connections, so it cannot correlate the download with external IP connections.

168
MCQ (hard)

During a security incident, you need to isolate a compromised Windows device from the network while allowing communication with Microsoft Defender for Endpoint services. Which Microsoft Defender for Endpoint action should you use?

A. Run antivirus scan
B. Isolate device
C. Collect investigation package
D. Restrict app execution
Answer: B

Isolates while allowing Defender services.

Why this answer

Option B is correct because 'Isolate device' allows communication with Defender for Endpoint services while blocking other network traffic. Option A is wrong because 'Run antivirus scan' only scans and does not isolate. Option D is wrong because 'Restrict app execution' limits applications but does not isolate the network.

Option C is wrong because 'Collect investigation package' gathers data but does not isolate.

169
MCQ (easy)

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

A. Collect investigation package
B. Run antivirus scan
C. Restrict app execution
D. Initiate a live response session
Answer: A

This action gathers a package of forensic data including files, processes, and registries for analysis.

Why this answer

Option A is correct because the 'Collect investigation package' action on the device entity page in Microsoft 365 Defender gathers a ZIP file containing the device's forensic data, including specific suspicious files, registry keys, and memory dumps. This is the designed method for retrieving a copy of a file for offline analysis without requiring interactive access, and it works even after AIR has isolated the device.

Exam trap

The trap here is that candidates often confuse 'Initiate a live response session' as the go-to for file collection, but fail to remember that live response requires an active network connection to the device, which is blocked when AIR has isolated the device from the network.

How to eliminate wrong answers

Option B is wrong because 'Run antivirus scan' only triggers a Microsoft Defender Antivirus scan on the device; it does not collect a copy of a specific file for export. Option C is wrong because 'Restrict app execution' applies a Windows Defender Application Control policy to block untrusted apps, which is a containment action, not a file collection method. Option D is wrong because 'Initiate a live response session' provides real-time remote shell access to the device, but it is not available when the device is isolated by AIR (isolation blocks all incoming connections, including live response), and the question specifically asks for an action from the entity page that works under isolation.

170
MCQ (hard)

During a hunt, you find a device that made successive outbound connections to multiple IP addresses on port 445 (SMB) within a short time. Which type of activity does this pattern most likely indicate?

A. Data exfiltration
B. Lateral movement preparation
C. Command and control beaconing
D. Internal reconnaissance
Answer: B

Scanning for SMB shares is a common lateral movement technique.

Why this answer

Port 445 is used for SMB. Rapid successive connections to many IPs on SMB suggests scanning for open SMB shares, often a precursor to lateral movement. Option A (data exfiltration) typically uses HTTP/HTTPS.

Option C (C2 beaconing) uses common ports like 80/443. Option D (reconnaissance) is broad; the specific pattern points to lateral movement via SMB.

171
MCQ (medium)

Your organization uses Microsoft Defender for Identity. The security team wants to monitor for suspected DCSync attacks. Which Windows Event ID should you monitor to detect DCSync activity?

A. Event ID 4776: The domain controller attempted to validate the credentials for an account.
B. Event ID 4662: An operation was performed on an object.
C. Event ID 4648: A logon was attempted using explicit credentials.
D. Event ID 4624: An account was successfully logged on.
Answer: B

This event can be used to monitor for directory replication operations.

Why this answer

Option B is correct because Event ID 4662 (An operation was performed on an object) is used to detect directory replication requests, which are part of DCSync attacks. Option D is wrong because 4624 is a successful logon. Option C is wrong because 4648 is a logon with explicit credentials.

Option A is wrong because 4776 is credential validation.

172
Multi-Select (hard)

A SOC analyst needs to create a custom watchlist in Microsoft Sentinel to use in an analytics rule. Order the following steps from first to last to correctly create and use the watchlist. (Choose 4.)

Select 4 answers
A. 1. Create a new watchlist in Microsoft Sentinel (e.g., from Sentinel > Watchlists > Add new).
B. 2. Import a CSV file containing the data (e.g., IP addresses or domains) into the watchlist.
C. 3. Write the KQL query for the analytics rule that uses the `_GetWatchlist('WatchlistAlias')` function to reference the watchlist.
D. 4. Create a scheduled analytics rule, paste the KQL query, and configure the alert details (e.g., severity, entity mapping).
Answers: A, B, C, D

First step: define the watchlist name, alias, and data source.

Why this answer

Option A is correct because creating a new watchlist in Microsoft Sentinel is the initial step to define a custom data source for threat intelligence or reference data. This is done via Sentinel > Watchlists > Add new, where you specify the alias, description, and other metadata before uploading data. Without this step, there is no container to import the CSV file into, making it the logical first action.

Exam trap

The trap here is that candidates might think the KQL query must be written before importing the CSV, but the watchlist alias must already exist in Sentinel for the _GetWatchlist function to reference it correctly, making the import step second.

How to eliminate wrong answers

All options A, B, C, and D are correct steps in the correct order, so there are no wrong options to eliminate. The question asks to order the steps from first to last, and the provided sequence (A → B → C → D) is accurate: create the watchlist, import the CSV, write the KQL query using _GetWatchlist, then create the scheduled analytics rule with that query.

173
MCQ (medium)

Your SOC team uses Microsoft Defender XDR. You want to ensure that all incidents are automatically classified and determined by the built-in AI before any manual review. What should you configure?

A. Create a custom detection rule in Microsoft Defender XDR.
B. Enable the incident summarization and classification feature in Microsoft Defender XDR.
C. Enable automation rules in Microsoft Sentinel to classify incidents.
D. Configure a workbook in Microsoft Sentinel to analyze incidents.
Answer: B

This feature uses AI to automatically classify and determine incidents.

Why this answer

Option B is correct because Microsoft Defender XDR incident summarization and classification uses AI to automatically classify incidents. Option C is wrong because automation rules in Sentinel are for Sentinel incidents. Option A is wrong because custom detection rules do not apply AI classification.

Option D is wrong because AI classification is not a workbook feature.

174
MCQ (easy)

You are configuring a Microsoft Sentinel analytics rule to detect failed logons from multiple IP addresses. The rule should trigger an incident only when the same user account has failed logons from more than three distinct IP addresses within 5 minutes. Which rule setting should you configure?

A. Set the 'Alert threshold' to 'Custom' and define a condition on distinct IP count.
B. Set the 'Group by' field to 'Account' and 'IP address'.
C. Set the 'Event grouping' to 'Group all events into a single alert'.
D. Set the 'Suppression' to '5 minutes' after an alert is generated.
Answer: A

Correct. Custom threshold allows defining distinct count conditions.

Why this answer

Option A is correct because the requirement is to trigger an incident only when the same user account has failed logons from more than three distinct IP addresses within 5 minutes. In Microsoft Sentinel analytics rules, the 'Alert threshold' set to 'Custom' allows you to define a condition on the count of distinct values (e.g., distinct IP addresses) aggregated over the rule's query window, which directly matches the scenario.

Exam trap

The trap here is that candidates often confuse 'Group by' (which splits alerts by field values) with the ability to count distinct values across those groups, leading them to select Option B instead of recognizing that a custom threshold on distinct count is required.

How to eliminate wrong answers

Option B is wrong because setting 'Group by' to 'Account' and 'IP address' would create separate alerts for each combination of account and IP address, not aggregate distinct IPs per account. Option C is wrong because 'Group all events into a single alert' would combine all failed logon events into one alert regardless of distinct IP count, failing to enforce the 'more than three distinct IPs' threshold. Option D is wrong because 'Suppression' pauses alert generation after an alert fires, but does not control the condition for triggering the alert based on distinct IP count within a time window.

175
MCQ (hard)

Your organization uses Microsoft Sentinel and has multiple workspaces for different regions. The security team wants to use a single workbook to display data from all workspaces. What is the correct approach?

A. Create a workbook with cross-workspace queries using the workspace() expression
B. Export data from all workspaces to a single Azure Data Lake
C. Create a workbook in one workspace and configure it to use Azure Lighthouse
D. Create a workbook in each workspace and merge them manually
Answer: A

Cross-workspace queries allow a single workbook to query multiple workspaces.

Why this answer

Option A is correct because you can create a workbook with cross-workspace queries using the workspace() expression to query multiple workspaces. Option D is wrong because workbooks can query multiple workspaces without merging. Option B is wrong because you don't need to export data.

Option C is wrong because a single workbook can already handle multiple workspaces via cross-workspace queries.

176
MCQ (hard)

Your organization uses Microsoft Sentinel. You have a custom analytics rule that generates incidents based on a KQL query. The rule is configured to run every 5 minutes. You notice that the rule is generating duplicate incidents for the same event. What should you do to prevent duplicates?

A. Create an automation rule that deletes duplicate incidents.
B. Set the rule to group alerts into a single incident if they occur within 5 minutes.
C. Create a playbook that checks for duplicates before incident creation.
D. Enable entity mapping in the analytics rule and set appropriate entities.
Answer: D

Correct: Entity mapping helps group related alerts.

Why this answer

Option A is correct because enabling entity mapping allows Sentinel to group alerts into incidents based on entities. Option B is wrong because grouping by time is not sufficient. Option C is wrong because suppression logic in automation rules is for actions, not incident creation.

Option D is wrong because playbooks cannot prevent duplicates.

177
MCQ · hard

Your organization is using Microsoft Defender XDR. During an incident, you need to create a custom detection rule that triggers when a specific file hash is executed on any device. Which component should you use?

A. Attack Surface Reduction (ASR) rules
B. Custom detection rules
C. Automation rules in Microsoft Sentinel
D. Indicators of compromise (IoC)
Answer: B

Custom detection rules use KQL to detect specific behaviors like file execution.

Why this answer

Option B is correct because custom detection rules in Defender XDR allow you to create detection logic based on advanced hunting queries. Option A is wrong because ASR rules are built-in and cannot be customized for specific file hashes. Option C is wrong because automation rules in Sentinel are for incident response, not detection.

Option D is wrong because indicators of compromise (IoC) block or alert on a value but are not detection rules.

178
MCQ · hard

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During a hunt, you notice that some alerts from Microsoft Defender for Identity are not appearing in Sentinel. You have verified the connector is enabled and data is flowing for other Defender products. What is the most likely cause?

A. The Microsoft Sentinel pricing tier is set to Free, which limits data ingestion.
B. The 'IdentityLogonEvents' data type is disabled in the Microsoft Sentinel connector configuration.
C. The Microsoft Sentinel workspace is in a different region than Microsoft Defender for Identity.
D. Your tenant does not have the required Microsoft Entra ID P2 license for Microsoft Defender for Identity alerts.
Answer: D

Microsoft Defender for Identity alerts require a Microsoft Entra ID P2 license to be forwarded to Sentinel.

Why this answer

Option D is correct because Microsoft Defender for Identity alerts require a premium Azure AD P2 license to be ingested via the connector. Option A is wrong because data is flowing for other Defender products, so ingestion is not being limited by the pricing tier. Option B is wrong because the data types are not disabled.

Option C is wrong because the connector is enabled and already delivering data from other Defender products, so the workspace region is not what is blocking the alerts.

179
MCQ · easy

You are setting up Microsoft Sentinel for the first time. You need to ingest Windows security events from on-premises servers using the Azure Monitor Agent. Which data connector should you enable in Microsoft Sentinel?

A. Common Event Format (CEF) via AMA
B. Windows Security Events via AMA
C. Syslog via AMA
D. DNS via AMA
Answer: B

Correct. This connector uses Azure Monitor Agent to collect Windows security events.

Why this answer

The Windows Security Events via AMA data connector is specifically designed to collect Windows security events (e.g., Event ID 4625, 4688) from on-premises servers using the Azure Monitor Agent (AMA). This connector leverages the AMA's Data Collection Rules (DCRs) to filter and ingest security-relevant logs directly into Microsoft Sentinel, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse 'Syslog via AMA' with Windows event collection, but Syslog is a Linux-centric protocol (UDP/TCP 514) and cannot natively read Windows Event Log files.

How to eliminate wrong answers

Option A is wrong because Common Event Format (CEF) via AMA is used for ingesting logs from security appliances (e.g., firewalls, IDS/IPS) that output CEF-formatted syslog messages, not native Windows security events. Option C is wrong because Syslog via AMA is designed for Linux-based syslog data (RFC 3164/5424) and does not natively collect Windows Event Log data. Option D is wrong because DNS via AMA is a specialized connector for collecting DNS query/response logs from Windows DNS servers, not general Windows security events.

180
MCQ · medium

Your Microsoft Defender XDR environment generates an incident indicating that a user's account was used to sign in from an anonymous IP address and then accessed sensitive data in SharePoint Online. After confirming the account is compromised, what should be your first containment step?

A. Disable the user account in Microsoft Entra ID
B. Block the anonymous IP address in the firewall
C. Review audit logs to determine the extent of data access
D. Revoke the user's session and require reauthentication using Microsoft Entra ID Protection
Answer: D

Revoking the session terminates current access, and reauthentication ensures only the legitimate user can continue.

Why this answer

Option D is correct because revoking the user's session and requiring reauthentication immediately stops the ongoing access. Option A is wrong because disabling the account prevents further logins but does not terminate existing sessions. Option B is wrong because blocking the IP may affect other users.

Option C is wrong because reviewing audit logs is investigation, not containment.

181
MCQ · easy

Your organization uses Microsoft Defender XDR. You need to ensure that all cloud app alerts are forwarded to Microsoft Sentinel for correlation. What should you configure?

A. Create an analytics rule in Sentinel that queries the Defender for Cloud Apps API.
B. Configure Microsoft Defender for Cloud Apps to export alerts to Azure Event Hubs.
C. In Microsoft Sentinel, enable the data connector for Microsoft Defender for Cloud Apps.
D. In Microsoft Sentinel, enable the data connector for Microsoft Defender for Endpoint.
Answer: C

This connector ingests alerts from Defender for Cloud Apps.

Why this answer

Option C is correct because the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel is specifically designed to ingest alerts and cloud discovery logs from Defender for Cloud Apps. Enabling this connector ensures that all cloud app alerts are automatically forwarded to Sentinel for correlation without requiring custom API queries or external export pipelines.

Exam trap

The trap here is that candidates may confuse the purpose of data connectors for different Microsoft Defender products, mistakenly selecting the Defender for Endpoint connector when the question specifically targets cloud app alerts.

How to eliminate wrong answers

Option A is wrong because creating an analytics rule that queries the Defender for Cloud Apps API would require custom logic and does not provide automated, continuous ingestion of alerts; analytics rules are for detection, not data ingestion. Option B is wrong because exporting alerts to Azure Event Hubs is an alternative method for custom integration, but it is not the standard or recommended configuration for forwarding all cloud app alerts to Sentinel; the built-in data connector is simpler and directly supported. Option D is wrong because the Microsoft Defender for Endpoint data connector ingests endpoint detection and response alerts, not cloud app alerts; it addresses a different security domain.

182
MCQ · medium

An organization uses Microsoft Defender for Office 365. The security team wants to automatically remove from all user mailboxes any messages that were already delivered but are later identified as malicious. Which feature should they enable?

A. Automated investigation and response (AIR)
B. Zero-hour auto purge (ZAP)
C. Safe Attachments
D. Safe Links
Answer: B

ZAP automatically moves or deletes already delivered messages that are later identified as phishing, malware, or spam.

Why this answer

Zero-hour auto purge (ZAP) is the correct feature because it automatically detects and removes malicious messages that have already been delivered to user mailboxes, including messages retroactively identified as threats after delivery. ZAP acts on phishing, malware, and spam verdicts by querying the mailbox for the original message and moving it to the Junk Email folder or deleting it, based on the configured policy. This directly meets the requirement to remove already-delivered malicious messages without manual intervention.

Exam trap

The trap here is that candidates confuse ZAP with Safe Attachments or Safe Links, mistakenly thinking those features can retroactively remove delivered messages, when in fact they only protect at the time of delivery or click, respectively.

How to eliminate wrong answers

Option A is wrong because Automated investigation and response (AIR) is a broader incident response capability that orchestrates playbooks across multiple workloads, but it does not automatically remove already-delivered messages from mailboxes; it focuses on investigating and remediating threats at the mailbox or device level after an alert is triggered. Option C is wrong because Safe Attachments is a time-of-delivery protection feature that detonates email attachments in a sandbox before delivery, but it does not retroactively remove messages that were already delivered and later found malicious. Option D is wrong because Safe Links is a time-of-click protection feature that scans URLs in messages and Office documents at the moment a user clicks, but it does not remove already-delivered messages from mailboxes.

183
Multi-Select · medium

Which TWO actions are valid ways to integrate on-premises firewall logs into Microsoft Sentinel for analysis?

Select 2 answers
A. Enable the Office 365 connector.
B. Configure the firewall to send Common Event Format (CEF) logs to a syslog server running Azure Monitor Agent.
C. Install the Windows DNS Server connector.
D. Connect the Azure Activity log connector.
E. Use the Microsoft Sentinel Data Collector API to send custom logs.
Answers: B, E

Correct. CEF via AMA is a standard integration.

Why this answer

Option B is correct because on-premises firewall logs can be forwarded in Common Event Format (CEF) over syslog to a server running the Azure Monitor Agent (AMA), which then ingests them into Microsoft Sentinel. CEF is a standard log format supported by many security appliances, and the AMA replaces the older Log Analytics Agent for this purpose. This setup allows Sentinel to parse and analyze the firewall events for security monitoring.

Exam trap

The trap here is that candidates often confuse the Azure Activity log connector (which only covers Azure resource operations) with a general-purpose log ingestion method, or they mistakenly think the Office 365 connector can handle any external log source.

184
MCQ · medium

Your organization uses Microsoft Defender XDR. You need to investigate a potential ransomware incident that has affected multiple devices. The security team wants to identify the initial access vector. Which advanced hunting table should you query to find the process that initiated the encryption?

A. DeviceRegistryEvents
B. DeviceFileEvents
C. DeviceNetworkEvents
D. DeviceProcessEvents
Answer: D

DeviceProcessEvents logs process creation, which is essential for tracking the initial process.

Why this answer

Option D is correct because DeviceProcessEvents contains process creation events, which can show which process started the ransomware. Option A holds registry events; Option B holds file creation and modification events, not process starts; Option C holds network connections.

185
Multi-Select · medium

Your organization uses Microsoft Sentinel. You have been asked to configure automated responses to security incidents. Which TWO of the following can be used to automate responses in Microsoft Sentinel?

Select 2 answers
A. Workbooks
B. Power Automate flows
C. Playbooks (Azure Logic Apps)
D. Custom connectors
E. Automation rules
Answers: C, E

Playbooks automate response workflows.

Why this answer

Playbooks based on Azure Logic Apps and automation rules are both built-in features for automation in Microsoft Sentinel. Workbooks are for visualization, not automation. Power Automate is not directly integrated, and custom connectors are not a primary automation method.

186
MCQ · easy

Your organization uses Microsoft Defender for Office 365. You need to ensure that suspicious email messages are automatically moved to quarantine and an incident is raised in Microsoft Sentinel. What should you configure?

A. Configure the Microsoft Defender for Office 365 data connector in Sentinel.
B. Configure the Microsoft Defender for Cloud data connector in Sentinel.
C. Use the Microsoft Defender for Identity data connector.
D. Enable the Microsoft Defender for Endpoint data connector.
Answer: A

This connector ingests Office 365 alerts and incidents into Sentinel.

Why this answer

Defender for Office 365 can automatically quarantine emails based on policies. To raise an incident in Sentinel, you need to stream the alerts to Sentinel via a data connector. Option A is correct.

Option B is wrong because that connector is for Defender for Cloud, not Office 365. Option C is wrong because that connector is for identity alerts. Option D is wrong because that connector is for Defender for Endpoint.

187
MCQ · medium

You have a Microsoft Sentinel analytics rule with the above configuration. During a security incident, multiple high-severity alerts are generated within a 5-minute window. How does the rule handle these alerts?

A. Only the first alert creates an incident; subsequent alerts are ignored.
B. Each alert creates a separate incident.
C. Alerts with the same entities are grouped into a single incident.
D. Alerts are suppressed for 5 minutes after the first alert.
Answer: C

Grouping with 'All' entities matching method groups alerts sharing all entities.

Why this answer

Option C is correct because grouping is enabled with a 5-minute lookback and 'All' entities matching method, meaning alerts with identical entities are grouped into one incident. Option A is wrong because grouping is enabled, not disabled. Option B is wrong because alerts are grouped, not created separately.

Option D is wrong because alerts are not suppressed; suppression is disabled.

188
Multi-Select · medium

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Select 2 answers
A. Create a new analytics rule
B. Modify a data connector
C. Change incident status
D. Run a playbook
E. Delete an incident
Answers: C, D

Automation rules can set status to Active, Resolved, etc.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically manage incidents by changing their status (e.g., from 'New' to 'Active' or 'Closed') based on conditions like severity or title. They can also trigger playbooks (automated response workflows) when incidents are created or updated, enabling actions such as enrichment, investigation, or remediation. These capabilities are defined in the automation rule's 'Actions' section, where you set the incident status or select a playbook to run.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules or playbooks, mistakenly thinking automation rules can create or delete incidents, when in fact they only modify existing incidents or trigger playbooks.

189
Multi-Select · medium

Which TWO Microsoft 365 Defender advanced hunting tables would you use together to investigate a potential data exfiltration via email?

Select 2 answers
A. EmailEvents
B. EmailAttachmentInfo
C. DeviceNetworkEvents
D. CloudAppEvents
E. DeviceProcessEvents
Answers: A, B

EmailEvents contains sender, recipient, subject, and other email properties.

Why this answer

Option A (EmailEvents) and Option B (EmailAttachmentInfo) are correct because EmailEvents contains email metadata and EmailAttachmentInfo provides attachment details. Option C is for network events, not email. Option D is for cloud app activities.

Option E is for endpoint processes.

190
MCQ · hard

You run the above KQL query in Microsoft Sentinel. The query returns no results. What is the most likely reason?

A. The column 'AlertSeverity' does not exist in the SecurityAlert table.
B. The 'summarize' operator is misspelled.
C. The 'has' operator is case-sensitive and the alert names are capitalized differently.
D. The query does not specify a time range, so it may be querying data older than the default 24-hour lookback.
Answer: D

Without a time filter, only the last 24 hours are queried.

Why this answer

Option D is correct because the query has no explicit time filter, so it runs only over the default time range of the Logs query window (24 hours). If the matching alerts are older than that, the query returns nothing even though the table, column names and operators are all valid. SecurityAlert is a standard table in Microsoft Sentinel and is populated whenever alerts are generated.

Option A is wrong because 'AlertSeverity' is a valid column in the SecurityAlert table. Option B is wrong because 'summarize' works fine.

Option C is wrong because the 'has' operator is case-insensitive, so differences in capitalization of alert names do not cause an empty result.

191
MCQ · medium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to reduce similar false positives in the future without affecting legitimate detections. What should you do?

A. Disable the analytics rule that created the incident.
B. Add the location to a watchlist and reference it in the analytics rule.
C. Create an automation rule to close similar incidents automatically.
D. Modify the analytics rule query to exclude sign-ins from the specific location.
Answer: D

Adding an exclusion to the KQL query reduces false positives while keeping the rule active.

Why this answer

Modifying the analytics rule's KQL query lets you add specific conditions that filter out the false positive while keeping the rest of the detection intact. Option A is incorrect because turning off the analytics rule disables all of its detections. Option C is incorrect because automation rules act after detection, so the incidents would still be created.

Option B is incorrect because, in this scenario, the watchlist is treated as reference data rather than a direct filter on the query.

192
MCQ · medium

In Microsoft 365 Defender, an analyst is investigating an incident where a user's credentials were used to sign in from an unusual geo-location. The analyst wants to find all other sign-in events from the same IP address in the last 7 days. Which Advanced Hunting table should be used?

A. AADSignInEventsBeta
B. IdentityLogonEvents
C. CloudAppEvents
D. DeviceLogonEvents
Answer: A

This table stores Microsoft Entra ID sign-in events, including the source IP, timestamp, and user details.

Why this answer

A is correct because the AADSignInEventsBeta table in Advanced Hunting captures Azure Active Directory sign-in logs, including details like IP address, geo-location, and user principal name. This table is specifically designed for investigating interactive and non-interactive sign-in events from Azure AD, making it the appropriate source to query for all sign-ins from a given IP address over the last 7 days.

Exam trap

The trap here is that candidates often confuse IdentityLogonEvents (on-premises AD) with AADSignInEventsBeta (Azure AD cloud), because both deal with 'logon' events, but the question specifically mentions 'geo-location' and 'Microsoft 365 Defender' context, which points to cloud-based Azure AD sign-ins.

How to eliminate wrong answers

Option B is wrong because IdentityLogonEvents captures on-premises Active Directory sign-in events (via Microsoft Defender for Identity), not Azure AD cloud sign-ins, and does not include the geo-location or IP address details needed for this cloud-based investigation. Option C is wrong because CloudAppEvents focuses on activities within Microsoft Cloud App Security (e.g., file downloads, admin actions) and does not contain raw sign-in authentication events with IP and geo-location. Option D is wrong because DeviceLogonEvents records local device logon events (Windows security events like 4624) on endpoints, not Azure AD cloud sign-ins from an unusual geo-location.

193
MCQ · easy

Your organization uses Microsoft Sentinel. You need to ensure that incident investigation is efficient by automatically grouping related alerts into incidents. Which configuration should you use?

A. Create an automation rule to group alerts
B. Configure alert grouping in the analytics rule wizard
C. Use a playbook to merge incidents
D. Define a watchlist to consolidate alerts
Answer: B

Correct: Alert grouping settings are part of the analytics rule creation or editing.

Why this answer

Option B is correct because Microsoft Sentinel's analytics rule wizard includes a dedicated 'Alert grouping' configuration that allows you to specify how alerts from the same analytics rule are automatically combined into a single incident. This setting is essential for efficient incident investigation, as it reduces alert noise by grouping related alerts based on criteria such as matching entities, time windows, or custom alert details, ensuring that security analysts work with consolidated incidents rather than individual alerts.

Exam trap

The trap here is that candidates often confuse automation rules (which operate on existing incidents) with the alert grouping feature (which operates during incident creation), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because automation rules in Microsoft Sentinel are used to trigger automated responses (e.g., changing incident status, assigning owners) after an incident is created, not to group alerts into incidents during the creation process. Option C is wrong because playbooks are automated workflows (often using Azure Logic Apps) that respond to incidents or alerts after they exist; they cannot merge incidents or group alerts at the point of incident creation. Option D is wrong because watchlists are collections of data (e.g., IP addresses, hostnames) used for correlation, enrichment, or filtering within analytics rules, not for consolidating alerts into incidents.

194
Multi-Select · hard

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You notice that the cost is higher than expected. You need to reduce costs without losing critical security data. Which two actions should you take? (Choose two.)

Select 2 answers
A. Set a daily cap on tables that generate high volumes but low security value.
B. Move verbose logs to the Auxiliary logs (Basic Logs) tier.
C. Increase the retention period for all tables to 90 days.
D. Change the workspace pricing tier to 'Pay-as-you-go Gen2'.
E. Turn off data connectors for non-critical sources.
Answers: A, B

Capping limits ingestion for non-critical tables.

Why this answer

Setting daily caps on specific tables prevents them from exceeding a certain volume, and moving verbose logs to the Auxiliary logs (Basic Logs) tier reduces cost per GB. Option C is wrong because increasing retention increases cost. Option D is wrong because changing to Gen2 pricing is not a cost-saving measure.

Option E is wrong because turning off data connectors stops all ingestion from those sources, which risks losing security data.

195
MCQ · easy

Your team is conducting a threat hunt for data exfiltration using Microsoft Defender for Cloud Apps. Which activity is most suspicious and should be included in the hunting query?

A. A user viewing files in OneDrive for Business.
B. A user downloading a single file from SharePoint Online.
C. A user sharing a file with an internal colleague.
D. A user downloading hundreds of files from SharePoint Online in a short time.
Answer: D

Bulk download indicates potential exfiltration.

Why this answer

Mass download of files from a cloud app is a classic exfiltration indicator, so Option D is correct. Option A is incorrect because viewing files is not exfiltration. Option B is incorrect because a single file download is normal.

Option C is incorrect because sharing within the organization is less suspicious than external sharing.

196
MCQ · easy

A SOC analyst is investigating an incident where a user's credentials were compromised. The analyst uses Microsoft Sentinel to find all activities performed by the user in the last 24 hours. Which data source should the analyst query FIRST to get the most comprehensive view of the user's actions across Microsoft 365?

A. DeviceEvents
B. OfficeActivity
C. AzureActivity
D. SigninLogs
Answer: B

OfficeActivity provides a comprehensive audit log of user actions in Microsoft 365.

Why this answer

Option B is correct because OfficeActivity (the Unified Audit Log) captures user actions across Exchange Online, SharePoint, Teams, and other Microsoft 365 workloads. Option A is wrong because DeviceEvents are for endpoints, not Microsoft 365. Option C is wrong because AzureActivity shows Azure resource actions, not Microsoft 365.

Option D is wrong because SigninLogs only shows sign-ins, not the activities performed afterwards.

197
MCQ · medium

Your organization uses Microsoft Sentinel. You receive an incident that involves potential lateral movement detected by Microsoft Defender for Identity. You need to investigate the timeline of the attack. Which Microsoft Sentinel feature should you use?

A. Workbooks
B. Automation rules
C. Investigation graph
D. Analytics rules
Answer: C

Visual timeline for investigation.

Why this answer

Option C is correct because the investigation graph in Sentinel provides a visual timeline of related alerts and entities. Option A is wrong because workbooks are for reporting, not investigation. Option B is wrong because automation rules trigger playbooks and update incidents; they do not investigate.

Option D is wrong because analytics rules generate alerts; they do not investigate them.

198
Multi-Select · hard

Which THREE are essential components of a threat hunting hypothesis in Microsoft Sentinel? (Choose three.)

Select 3 answers
A. Adversary goal or objective
B. Alert severity level
C. Data sources to query
D. Automated response plan
E. Expected indicators of compromise (IOCs)
Answers: A, C, E

The hypothesis should state what the adversary is trying to achieve.

Why this answer

Option A is correct because a hypothesis should identify the adversary's objective. Option C is correct because it should specify the data sources to analyze. Option E is correct because it should define the expected indicators of compromise.

Option B is wrong because alert severity is determined after detection, not as part of the hypothesis. Option D is wrong because the response plan is separate from the hypothesis.

199
MCQ · medium

A security administrator wants to enable vulnerability assessment for all existing and future Azure virtual machines in a subscription using the integrated Microsoft Defender Vulnerability Management solution. What is the recommended action in Microsoft Defender for Cloud?

A. Enable the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page.
B. Manually install the Microsoft Defender Vulnerability Management agent on each VM via an Azure Policy initiative.
C. Create an Azure Policy that assigns the 'Configure machines to receive a vulnerability assessment provider' built-in policy to the subscription.
D. Enable 'Vulnerability assessment for machines' in the Azure Security Benchmark compliance dashboard.
Answer: A

This action enables automatic deployment of the vulnerability assessment agent to all VMs in the subscription.

Why this answer

Option A is correct because enabling the 'Vulnerability assessment for machines' component in the Defender for Servers plan settings within the subscription's pricing & settings page automatically provisions the integrated Microsoft Defender Vulnerability Management (MDVM) solution to all existing and future Azure VMs without manual agent installation. This is the recommended and native method in Microsoft Defender for Cloud to enable vulnerability assessment at scale, leveraging the built-in Qualys or MDVM scanner that is managed by the platform.

Exam trap

The trap here is that candidates often confuse the 'Vulnerability assessment for machines' component with a separate policy assignment or manual agent installation, not realizing that the correct action is a simple toggle in the Defender for Servers plan settings that automatically handles provisioning and lifecycle management.

How to eliminate wrong answers

Option B is wrong because manually installing the Microsoft Defender Vulnerability Management agent on each VM is not the recommended action; Defender for Cloud can automatically provision the agent via the plan settings, and manual installation is inefficient and error-prone for scaling. Option C is wrong because the 'Configure machines to receive a vulnerability assessment provider' built-in policy assigns a specific provider (e.g., Qualys or a BYOL solution) but does not enable the integrated MDVM solution; it requires additional configuration and does not automatically cover future VMs without policy assignment scope management. Option D is wrong because the Azure Security Benchmark compliance dashboard is a compliance monitoring tool, not a configuration pane for enabling vulnerability assessment; it does not have a setting to enable vulnerability assessment for machines.

200
Multi-Select · hard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a user reports a phishing email in Microsoft 365 Defender, the incident in Microsoft Sentinel is automatically updated with the user's comments. Which THREE components are required?

Select 3 answers
A. A logic app in Azure that is triggered by the Microsoft 365 Defender alert.
B. The Microsoft 365 Defender data connector in Microsoft Sentinel.
C. The Microsoft Entra ID data connector in Microsoft Sentinel.
D. A playbook in Microsoft Sentinel that updates the incident with the user's comments.
E. An automation rule in Microsoft Sentinel that triggers the playbook when an incident is created from a Microsoft 365 Defender alert.
Answers: B, D, E

The Microsoft 365 Defender connector ingests alerts from Microsoft 365 Defender.

Why this answer

Options B, D, and E are correct. The Microsoft 365 Defender connector brings the alert into Sentinel, a playbook is needed to process it and update the incident, and an automation rule triggers the playbook when the incident is created.

Option A is incorrect because a logic app is what a playbook is built on, not an additional component. Option C is incorrect because the Microsoft Entra ID connector is not needed for this flow.

201
MCQ · easy

An incident response playbook in Microsoft Sentinel has a step: 'Investigate the user's recent activities using Microsoft 365 Defender.' Which data source would provide the most relevant information for this step?

A. Azure Activity Log
B. Microsoft Purview Data Loss Prevention reports
C. Microsoft 365 Defender's user investigation page
D. Azure Resource Graph
Answer: C

Provides a unified view of the user's alerts, incidents, and activities across Microsoft 365.

Why this answer

Option C is correct because Microsoft 365 Defender's user investigation page provides user activity details across email, endpoints, and apps. Option A is wrong because the Azure Activity Log records configuration changes to Azure resources. Option B is wrong because DLP reports cover data loss prevention, not user investigation.

Option D is wrong because Azure Resource Graph is for querying Azure resources, not user activity.

202
MCQ · easy

A security analyst wants to create a custom detection rule in Microsoft Sentinel that alerts when a user logs in from an IP address that is not in the company's approved IP range. The analyst has an existing watchlist named 'ApprovedIPs' containing the allowed ranges. Which KQL operator should the analyst use to compare the IP address from the SigninLogs table against the watchlist?

A. join
B. lookup
C. evaluate
D. where
Answer: B

Correct. The 'lookup' operator seamlessly enriches query results with data from a watchlist, making it ideal for comparing IP addresses against known approved ranges.

Why this answer

The `lookup` operator is the correct choice because it is specifically designed to enrich or filter data in one table based on a dimension table (like a watchlist) without requiring a full merge of columns. In this scenario, the analyst needs to compare IP addresses from the SigninLogs table against the ApprovedIPs watchlist to find logins from non-approved ranges, and `lookup` performs this efficiently by matching on a key field (the IP address) and returning only rows that do not have a match in the watchlist when used with a `kind=leftanti` parameter.

Exam trap

The trap here is that candidates often confuse `lookup` with `join` because both can combine data from two sources, but `lookup` is the correct operator for watchlist-based enrichment in Microsoft Sentinel, while `join` is overkill and less efficient for this specific use case.

How to eliminate wrong answers

Option A is wrong because `join` merges two tables based on a key, but it requires both tables to be fully materialized in the query and can introduce performance overhead and duplicate rows; it is not optimized for simple lookups against a small dimension table like a watchlist. Option C is wrong because `evaluate` is used to invoke plugins or functions (e.g., `evaluate bag_unpack()`) and is not an operator for comparing data between tables or watchlists. Option D is wrong because `where` is a filtering operator that evaluates a Boolean expression on a single table; it cannot directly reference or compare against an external watchlist without first using another operator to bring the watchlist data into the query context.

203
MCQeasy

You are reviewing a custom analytics rule in Microsoft Sentinel. The rule is enabled but you notice that no alerts have been generated even though there are many matching events. What is the most likely cause?

A.The rule is not associated with a data connector.
B.The triggerThreshold of 5 requires at least 5 matching events in each hour.
C.The queryPeriod is too short to capture events.
D.The rule is suppressed due to suppressionDuration of 5 hours.
AnswerB

If fewer than 5 events occur, no alert is created.

Why this answer

The exhibit shows suppressionEnabled: false, so suppression is not the cause even though a suppressionDuration is set; Option D is therefore ruled out.

The queryFrequency and queryPeriod are both 1 hour and the triggerThreshold is 5. Even when many events match overall, the threshold is evaluated per query period, so if the matching events are spread out and fewer than 5 fall within any single 1-hour window, the rule's condition is never met.

The most likely cause is therefore the triggerThreshold of 5: the rule requires at least 5 matching events in the query period, and if there are fewer, no alert is generated.

204
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security incidents from Defender for Cloud are automatically sent to Sentinel. What should you configure?

A.Configure the Azure Active Directory data connector
B.Configure the Microsoft Defender for Cloud data connector
C.Create an Azure Event Hub and push Defender for Cloud alerts to Sentinel via a custom connector
D.Configure the Microsoft 365 Defender data connector
AnswerB

This connector directly ingests incidents and alerts from Defender for Cloud.

Why this answer

The data connector 'Microsoft Defender for Cloud' (formerly Azure Security Center) in Sentinel enables continuous ingestion of alerts and incidents. Option B is correct. Option A is a legacy connector for Azure Active Directory (now Entra ID).

Option D is for Microsoft 365 Defender. Option C is a custom connector that requires extra setup.

205
MCQmedium

A security analyst receives an alert in Microsoft Defender for Cloud about a suspicious process on an Azure VM. The alert indicates a potential credential dumping tool. The analyst needs to see the full command line and parent process of the suspicious process. Which Defender for Cloud feature should the analyst use?

A.Live Response
B.Fileless attack detection
C.Just-In-Time VM access
D.Adaptive application controls
AnswerA

Live Response provides a remote shell to the VM, enabling the analyst to run commands to retrieve process information, including command line and parent process.

Why this answer

Live Response in Microsoft Defender for Cloud provides the analyst with the ability to remotely investigate a live Azure VM. It allows the analyst to run commands, collect forensic artifacts, and view detailed process information, including the full command line and parent process of the suspicious process, which is essential for analyzing a potential credential dumping tool.

Exam trap

The trap here is that candidates often confuse Live Response with other Defender for Cloud features like Fileless attack detection or Adaptive application controls, mistakenly thinking those features provide forensic process investigation capabilities when they are actually focused on detection or prevention, not post-breach analysis.

How to eliminate wrong answers

Option B is wrong because Fileless attack detection is a feature that identifies threats that execute code without writing to disk, such as PowerShell scripts or WMI activity; it does not provide the ability to view the full command line or parent process of a specific alert. Option C is wrong because Just-In-Time VM access is a network security feature that controls inbound traffic to VMs by opening ports only when needed; it is unrelated to investigating process details. Option D is wrong because Adaptive application controls are a whitelisting mechanism that defines which applications are allowed to run on VMs; they do not offer forensic investigation capabilities like viewing command-line arguments or parent processes.

206
MCQmedium

You are a security analyst at a company that uses Microsoft Defender XDR. You receive an alert about a potential ransomware activity on a workstation. The alert is generated by Microsoft Defender for Endpoint. You need to contain the threat by isolating the workstation from the network while allowing forensic analysis to proceed. You want to use Microsoft Defender XDR's built-in actions. What should you do?

A.Create a firewall rule in Microsoft Defender for Cloud Apps to block the device's IP.
B.Use the 'Isolate device' action from the Microsoft Defender XDR portal.
C.Unenroll the device from Microsoft Intune.
D.Disable the network adapter on the workstation remotely.
AnswerB

Isolation blocks most network traffic but allows forensic connections.

Why this answer

The 'Isolate device' action in Microsoft Defender XDR (specifically from the Microsoft Defender for Endpoint component) disconnects the device from all network traffic except for the Defender for Endpoint service and a few authorized services (such as Windows Update and the Microsoft Update Service). This allows forensic analysis tools (like Live Response) to continue communicating with the device while preventing the ransomware from spreading laterally or communicating with command-and-control servers. This is the built-in, recommended containment action for such scenarios.

Exam trap

The trap here is that candidates may confuse network isolation with other security controls (like blocking an IP in a CASB or unenrolling from MDM) and fail to recognize that Microsoft Defender XDR's 'Isolate device' is the only built-in action that both contains the threat and preserves forensic access.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps (MCAS) is a cloud access security broker that controls access to cloud applications, not a tool for isolating a workstation from the network; blocking an IP in MCAS would not isolate the device itself. Option C is wrong because unenrolling the device from Microsoft Intune removes management and policy enforcement, but does not contain the threat—it actually removes the ability to perform any further actions on the device and does not stop network communication. Option D is wrong because disabling the network adapter remotely is not a built-in action in Microsoft Defender XDR; it would require separate remote management tools (e.g., PowerShell, RMM) and would also cut off the forensic analysis channel, preventing Live Response or any other remote investigation.

207
Multi-Selectmedium

A SOC analyst in your organization is investigating an incident in Microsoft Defender XDR that involves a compromised user account. The analyst needs to gather more information about the user's recent activities. Which THREE actions can the analyst take directly from the incident page?

Select 3 answers
A.Run an advanced hunting query related to the user.
B.Trigger a playbook to investigate the user.
C.View the user's timeline of activities.
D.Delete the user account.
E.Reset the user's password directly from the incident.
AnswersA, B, C

Advanced hunting can be launched from the incident.

Why this answer

From the incident page, the analyst can view the user's timeline, run advanced hunting queries, and take action like disabling the account. Option C is correct because the user timeline is accessible. Option A is correct because advanced hunting can be initiated from the incident.

Option B is correct because the analyst can trigger a playbook from the incident. Option E is wrong because resetting a password typically requires going to the Microsoft Entra ID admin center. Option D is wrong because deleting the user account is not a standard action from the incident page.

208
MCQmedium

Your organization uses Microsoft Sentinel. An incident with severity Medium is created from an analytics rule that detects brute-force attempts against on-premises domain controllers. The incident contains alerts from multiple machines. You need to automatically run a playbook that collects evidence from affected machines and then changes the incident severity to High. What should you configure?

A.Create an automation rule that triggers on incident creation with severity Medium, runs the playbook, and then changes severity to High.
B.Configure the incident creation settings to enrich the incident with the playbook output.
C.Modify the analytics rule to include the playbook as an automated response.
D.Edit the playbook to include a step that changes incident severity after collecting evidence.
AnswerA

Automation rules can run playbooks and modify incident properties.

Why this answer

Automation rules in Microsoft Sentinel allow you to trigger playbooks automatically based on conditions. The automation rule can be set to trigger when an incident is created, check the severity condition, run a playbook, and then change the severity. Option A is correct because it enables a single automation rule to orchestrate both the playbook execution and severity change.

Option C is wrong because analytics rules only trigger alert creation, not incident-level actions. Option D is wrong because playbooks cannot change severity directly without an automation rule. Option B is wrong because incident creation settings and alert enrichment are for adding context, not for running playbooks or changing severity.

209
MCQeasy

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a ransomware incident. The analyst wants to find all processes that were created with a specific parent process ID. Which column in the DeviceProcessEvents table should the analyst use to filter the parent process?

A.ProcessId
B.ParentProcessId
C.InitiatingProcessId
D.LogonId
AnswerB

Correct. ParentProcessId holds the ID of the process that created the current process.

Why this answer

The ParentProcessId column in the DeviceProcessEvents table stores the process ID (PID) of the parent process that created a given process. By filtering on this column, the analyst can identify all child processes spawned by a specific parent, which is critical for tracing ransomware execution chains in advanced hunting queries.

Exam trap

The trap here is confusing InitiatingProcessId (used in cross-table joins for email or alert context) with ParentProcessId, which is the direct column for parent-child process relationships in DeviceProcessEvents.

How to eliminate wrong answers

Option A is wrong because ProcessId identifies the current process itself, not its parent. Option C is wrong because InitiatingProcessId refers to the process that initiated the action in other tables (e.g., EmailEvents), not the parent process in DeviceProcessEvents. Option D is wrong because LogonId is a session identifier for the user logon session, unrelated to parent-child process relationships.

210
MCQeasy

You are investigating a suspicious sign-in to a privileged account. You need to determine if the sign-in was from a known malicious IP address. Which Microsoft Sentinel data source should you query?

A.ThreatIntelligenceIndicator
B.SecurityEvent
C.SigninLogs
D.AuditLogs
AnswerA

This table contains threat intelligence data such as malicious IPs.

Why this answer

Option A is correct because the ThreatIntelligenceIndicator table in Sentinel contains known malicious IPs. Option C is wrong because SigninLogs shows sign-in events but not threat intelligence. Option D is wrong because AuditLogs is for directory changes.

Option B is wrong because SecurityEvent is for Windows event logs.

211
MCQhard

During a ransomware incident, the security team needs to prevent the encryption of files while allowing the investigation to continue. Which feature in Microsoft Defender for Endpoint should be used to achieve this?

A.Controlled folder access.
B.Device isolation.
C.Attack surface reduction (ASR) rules.
D.Custom detection rules.
AnswerA

CFA is designed to protect files from unauthorized changes by ransomware and other malicious apps.

Why this answer

Controlled folder access (CFA) blocks unauthorized applications from modifying files in protected folders, which is exactly what ransomware does. ASR rules are broader and may not target file encryption specifically. Device isolation disconnects the device from the network but stops the investigation.

Custom detection rules are reactive.

212
Multi-Selecteasy

Which TWO are valid methods to connect a non-Azure Windows server to Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Install the Azure Monitor Agent (AMA)
B.Install the Azure Security Center agent
C.Configure Windows Event Forwarding (WEF) and point it to Sentinel
D.Install the Log Analytics agent (MMA)
E.Configure the server to forward syslog to Sentinel
AnswersA, D

AMA supports Windows and Linux.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) is the current, recommended agent for collecting data from non-Azure Windows servers and sending it to Microsoft Sentinel. It replaces the older Log Analytics agent and supports data collection via Data Collection Rules (DCRs), which allow granular control over which events and performance counters are ingested. Option D is correct because the Log Analytics agent (MMA) was the original method to connect Windows servers to Sentinel, and while it is being phased out in favor of AMA, it remains a valid supported method for existing deployments.

Exam trap

The trap here is that candidates may confuse Windows Event Forwarding (WEF) as a direct data connector to Sentinel, when in fact WEF only centralizes events on a collector server, which still requires an agent to forward to Sentinel, making it an indirect method not listed as a direct connection option.

213
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents generated by Microsoft Defender for Cloud are automatically assigned to the security operations team. What should you configure in Microsoft Sentinel?

A.Create a playbook that uses the Microsoft Teams connector to send a message to the security team.
B.Use the incident creation rule in Microsoft Defender for Cloud to assign incidents.
C.Create an automation rule that runs when an incident is created with provider: 'Microsoft Defender for Cloud' and sets the owner to a specific group.
D.Configure analytics rules to set the incident owner in the rule settings.
AnswerC

Automation rules can conditionally assign incidents to a team or individual.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can automatically assign incidents to a specific team or owner based on conditions such as the alert provider. Options A and B are for other purposes. Option D is a legacy feature and not the best fit for this.

214
MCQhard

A security analyst uses Microsoft Defender for Cloud to monitor Azure SQL Databases. The analyst wants to generate alerts for SQL injection attempts but only for databases that contain sensitive data (e.g., credit card numbers). What is the most efficient way to configure alerting to focus on these databases?

A.Enable a custom alert rule in Microsoft Sentinel that queries Azure SQL audit logs and filters based on database classification tags.
B.Use Data Discovery & Classification in Azure SQL to label sensitive columns, then configure Advanced Threat Protection to alert only when a SQL injection event is detected against a database with those labels.
C.Disable Advanced Threat Protection for all databases except those that contain sensitive data by manually enabling ATP per database.
D.Create a workflow automation in Defender for Cloud that filters SQL injection alerts based on database name.
AnswerB

Correct. SQL ATP can be linked with data classification to focus alerts on databases containing sensitive data, reducing noise.

Why this answer

Option B is correct because it uses Azure SQL's Data Discovery & Classification to label sensitive columns (e.g., credit card numbers) and then configures Advanced Threat Protection (ATP) to alert only when a SQL injection event is detected against databases with those labels. This approach directly ties the alert trigger to the presence of sensitive data, ensuring alerts are generated only for relevant databases without manual per-database management. It is the most efficient method as it leverages built-in classification and ATP integration, avoiding unnecessary overhead or external dependencies.

Exam trap

The trap here is that candidates often assume that manually enabling/disabling ATP per database (Option C) is the simplest approach, overlooking the built-in classification-based filtering that provides automated, scalable, and precise alert targeting without administrative overhead.

How to eliminate wrong answers

Option A is wrong because it relies on Microsoft Sentinel custom alert rules querying Azure SQL audit logs, which introduces latency, additional cost, and complexity compared to using Defender for Cloud's native ATP, and it does not directly integrate with Data Discovery & Classification labels for efficient filtering. Option C is wrong because manually enabling or disabling ATP per database is inefficient and error-prone, especially in large environments, and it does not leverage the automated classification-based filtering that ATP supports. Option D is wrong because creating a workflow automation in Defender for Cloud that filters alerts based on database name is a post-alert workaround that does not prevent alerts from being generated for non-sensitive databases, wasting resources and potentially causing alert fatigue.

215
MCQeasy

Your organization has deployed Microsoft Sentinel. You need to ensure that user and entity behavior analytics (UEBA) is enabled for all data sources. What is the minimum role required to enable UEBA in Microsoft Sentinel?

A.Microsoft Sentinel Contributor
B.Global Administrator
C.Security Reader
D.Log Analytics Contributor
AnswerA

Microsoft Sentinel Contributor can enable UEBA.

Why this answer

Option A is correct because enabling UEBA requires at least the 'Microsoft Sentinel Contributor' role on the workspace. Option B is wrong because Global Administrator is not required. Option C is wrong because Security Reader is read-only.

Option D is wrong because Log Analytics Contributor does not include Sentinel-specific permissions.

216
MCQmedium

Refer to the exhibit. You run the PowerShell command against Microsoft Defender for Endpoint. What is the result?

A.The investigation package is collected.
B.An antivirus scan runs on the device.
C.The device is isolated from the network.
D.A Live Response session is started.
AnswerB

The action type initiates a scan.

Why this answer

The `Start-MpScan` cmdlet initiates a Microsoft Defender Antivirus scan on the device. The `-ScanType` parameter with value `QuickScan` specifies a quick scan of common malware locations, not a full scan. This is a direct antivirus action, not an investigation package collection, isolation, or Live Response session.

Exam trap

The trap here is that candidates confuse the `Start-MpScan` cmdlet with other Defender for Endpoint actions like investigation package collection or device isolation, because all are available under the 'Actions' menu in the portal, but each uses a distinct PowerShell cmdlet or API call.

How to eliminate wrong answers

Option A is wrong because collecting an investigation package requires the `Start-MpInvestigation` cmdlet or the `CollectInvestigationPackage` action via Microsoft Defender for Endpoint API, not `Start-MpScan`. Option C is wrong because device isolation is performed using the `Isolate-Device` cmdlet or the corresponding API action, not a scan command. Option D is wrong because starting a Live Response session requires the `Start-MpLiveResponse` cmdlet or initiating a session via the Defender portal, not a scan cmdlet.

217
MCQeasy

Refer to the exhibit. You are reviewing an alert in Microsoft Defender for Endpoint. The alert details are shown. Which of the following actions should you take first?

A.Investigate the device and the alert details
B.Mark the alert as a false positive
C.Initiate device isolation to contain the threat
D.Run a full antivirus scan on the device
AnswerA

Investigation is the first step.

Why this answer

The correct answer is A because the first step is to investigate the alert to understand its scope. Option C is wrong because initiating isolation without investigation may be premature. Option D is wrong because running a scan is a later step.

Option B is wrong because marking an alert as a false positive requires investigation first.

218
Multi-Selecteasy

Which TWO permissions are required for a user to manage Microsoft Sentinel playbooks?

Select 2 answers
A.Microsoft Sentinel Reader
B.Logic App Contributor
C.Microsoft Sentinel Contributor
D.Automation Operator
E.Global Administrator
AnswersB, C

Playbooks are Logic Apps, so this role is needed.

Why this answer

Microsoft Sentinel playbooks are built on Azure Logic Apps, so managing them requires the Logic App Contributor role to create, edit, and delete the underlying logic app resources. Additionally, Microsoft Sentinel Contributor is needed to attach playbooks to analytics rules or automation rules within Sentinel, as this involves modifying Sentinel-specific configurations. Without both roles, a user cannot fully manage playbooks in the Sentinel context.

Exam trap

The trap here is that candidates often assume only a Sentinel-specific role (like Microsoft Sentinel Contributor) is sufficient, forgetting that playbooks are built on Azure Logic Apps and thus require the Logic App Contributor role for direct management of the playbook resource itself.

219
MCQmedium

A security analyst reports that a scheduled analytics rule in Microsoft Sentinel has stopped generating incidents after a recent update. The rule still runs but produces no alerts. What should you check first?

A.Verify that the rule is enabled and not paused.
B.Check the entity mapping configuration for missing fields.
C.Review the rule's query logic for changes or syntax errors.
D.Ensure that the automation rule triggering the incident is still active.
AnswerC

A broken query produces no results, hence no alerts.

Why this answer

Option C is correct because the most likely cause of a scheduled analytics rule running but producing no alerts is a change or error in the KQL query logic. Since the rule still executes, the issue is not with the rule being disabled or paused, but rather with the query failing to return results due to syntax errors, schema changes, or logic flaws introduced during the update.

Exam trap

The trap here is that candidates assume a rule that 'still runs' is functioning correctly, but Microsoft tests the distinction between execution and result generation—a rule can execute its query yet produce zero alerts due to query logic issues, not configuration or automation problems.

How to eliminate wrong answers

Option A is wrong because the rule is explicitly stated to still run, so it is enabled and not paused; checking this would not resolve the issue. Option B is wrong because entity mapping configuration affects how alerts are structured, not whether alerts are generated; missing fields would cause mapping errors, not a lack of alerts. Option D is wrong because automation rules trigger actions after an incident is created; if no alerts are generated, no incidents exist to trigger automation rules, so checking automation rules is premature.

220
MCQeasy

A SOC analyst is reviewing an incident in Microsoft Sentinel that involves a user receiving a phishing email with a malicious attachment. The attachment was opened on a device managed by Microsoft Intune. Which Microsoft Defender XDR component would have provided the earliest detection of the malicious file?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Purview Data Loss Prevention
AnswerC

Defender for Endpoint detects malware on the device via real-time protection.

Why this answer

The correct answer is C. Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) provides real-time antimalware protection and would detect the file when it is opened on the device. The other options are either not involved in file detection or are cloud-specific.

221
MCQmedium

A security operations center (SOC) analyst is investigating an incident involving a user who received a phishing email with a malicious macro. The analyst needs to determine if any other users received the same email. Which Microsoft 365 Defender feature should the analyst use?

A.Advanced Hunting
B.Alert queue filtering
C.Threat Explorer (Investigation)
D.Email entity page
AnswerC

Threat Explorer provides a search interface to find all instances of a specific email across the organization.

Why this answer

Threat Explorer in Microsoft 365 Defender allows hunting for email messages by sender, subject, or other attributes. Advanced Hunting is for raw queries; Email entity page shows one email; Alert queue filters by alert not email.

222
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You are responsible for managing the security operations environment. Recently, the SOC team reported that incidents from Microsoft Defender for Endpoint are not appearing in Microsoft Sentinel. You have already configured the data connector for Microsoft Defender XDR and verified that logs are flowing into the 'SecurityAlert' table. However, incidents are not being created in Sentinel. What should you do?

A.Enable 'Create incidents from Microsoft 365 Defender' in the Microsoft Defender XDR data connector.
B.Create an analytics rule that queries the SecurityAlert table and generates incidents.
C.Verify the Azure Sentinel solution is installed and enable the streaming of incidents.
D.Configure the Microsoft Defender for Endpoint data connector.
AnswerA

Correct: This setting creates Sentinel incidents from Defender XDR incidents.

Why this answer

Option A is correct because incident creation from Defender XDR requires enabling 'Create incidents from Microsoft 365 Defender' in the data connector. Option B is wrong because analytics rules are not needed; incidents come from the connector. Option D is wrong because that connector is for alerts, not incidents.

Option C is wrong because streaming is not the issue.

223
Multi-Selecthard

Which THREE are valid response actions when using Microsoft Sentinel automation rules?

Select 3 answers
A.Assign the incident to a specific analyst
B.Tag the incident with custom labels
C.Run a playbook
D.Change the incident status to 'Active' or 'Closed'
E.Disable a compromised user account
AnswersA, C, D

Automation rules can set the owner of an incident.

Why this answer

The correct answers are A, C, and D. Automation rules can assign incidents, run playbooks, and change incident status. Disabling a user account is not a direct action; it must be done via a playbook.

Tagging incidents is not a built-in action; it can be done via playbook or manual editing.

224
MCQhard

A SOC analyst is using Microsoft Sentinel to investigate an incident involving a user who accessed a sensitive database from an unusual location. The analyst wants to find all activities performed by this user within the last 24 hours from multiple data sources. Which KQL operator should the analyst use to combine the results of two queries that return different schemas?

A.summarize
B.join
C.union
D.where
AnswerC

union combines multiple tables with different schemas by appending rows and adding nulls for missing columns.

Why this answer

The correct answer is C. The union operator combines tables or query results with different schemas by appending rows; a column present in only one input is added to the output and filled with nulls for rows from the other input. Join requires a common column to match on.

The other operators are not appropriate: summarize aggregates rows and where filters them; neither combines result sets.

225
MCQeasy

Your organization uses Microsoft Sentinel. You have configured a data connector to ingest events from a third-party firewall. However, you notice that the logs are not appearing in Sentinel. What is the first thing you should check?

A.Check the firewall's syslog server configuration.
B.Verify that the workspace is in the correct region.
C.Reinstall the Log Analytics agent on the firewall.
D.Check the connector health page in Microsoft Sentinel.
AnswerD

The connector health page shows if the connector is connected and any errors.

Why this answer

The connector health page provides status and error messages for data connectors, making it the first place to troubleshoot. Options A, B, and C are less direct or irrelevant to connector issues.
