Microsoft Security Operations Analyst (SC-200) — Questions 226–300

1639 questions total · 22 pages · All types, answers revealed

Page 4 of 22

226
MCQ · medium

Your organization uses Microsoft Sentinel. You need to configure a playbook that automatically responds to incidents by creating a support ticket in ServiceNow. Which connector should you use?

A. HTTP connector
B. ServiceNow connector
C. Azure Monitor connector
D. Office 365 Outlook connector
Answer: B

Provides native integration for creating tickets.

Why this answer

The ServiceNow connector is the correct choice because it provides a direct, pre-built integration between Microsoft Sentinel and ServiceNow, enabling automated creation of incidents or tickets in ServiceNow when a Sentinel incident is triggered. This connector uses the ServiceNow REST API to map Sentinel fields to ServiceNow ticket fields, eliminating the need for custom HTTP calls or additional middleware.

Exam trap

The trap here is that candidates may choose the HTTP connector thinking it is more flexible, but the ServiceNow connector is the purpose-built, supported solution that handles authentication and field mapping natively, making it the correct choice for this specific integration.

How to eliminate wrong answers

Option A is wrong because the HTTP connector is a generic connector that requires manual configuration of endpoints, authentication, and payload formatting, which is more complex and error-prone than using a dedicated ServiceNow connector. Option C is wrong because the Azure Monitor connector is designed to send data from Azure Monitor to other systems, not to create tickets in ServiceNow from Sentinel incidents. Option D is wrong because the Office 365 Outlook connector is used for email-based actions (e.g., sending notifications) and does not support direct integration with ServiceNow's ticketing system.

227
MCQ · hard

Your organization uses Microsoft Sentinel in a multi-workspace environment with a central SOC. You need to create a single incident view across all workspaces while minimizing latency. What should you deploy?

A. Use cross-workspace queries in a workbook
B. Enable incident across workspaces in Microsoft Sentinel
C. Merge all workspaces into one Log Analytics workspace
D. Set up Azure Lighthouse and connect workspaces
Answer: B

This feature aggregates incidents from multiple workspaces into one view.

Why this answer

Option B is correct because Microsoft Sentinel's 'Incident across workspaces' feature (enabled via the 'SecurityIncident' table union) provides a single incident view across multiple workspaces with minimal latency by leveraging built-in cross-workspace incident synchronization. This avoids the overhead of manual queries or external orchestration, ensuring near-real-time incident correlation for a central SOC.

Exam trap

The trap here is that candidates often confuse Azure Lighthouse (which provides cross-workspace visibility through delegated access) with the native incident synchronization feature, not realizing that Lighthouse alone does not create a unified incident view and requires additional manual configuration to achieve the same low-latency result.

How to eliminate wrong answers

Option A is wrong because cross-workspace queries in a workbook are read-only and do not create a unified incident management view; they are for ad-hoc analysis, not operational incident handling, and introduce latency from repeated query execution. Option C is wrong because merging workspaces violates multi-workspace architecture requirements, causes data ingestion and retention cost bloat, and is not a scalable solution for a central SOC. Option D is wrong because Azure Lighthouse enables delegated resource management but does not natively provide a single incident view across workspaces; it requires additional configuration and does not minimize latency as effectively as the built-in incident synchronization.

228
MCQ · medium

A security analyst is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. Which KQL function is most appropriate to identify anomalous Kerberos service ticket requests?

A. find
B. evaluate
C. search
D. union
Answer: A

find searches across multiple tables for a pattern, ideal for hunting across diverse logs.

Why this answer

The KQL function find() searches across multiple tables, which is useful for hunting across different logs. Option D (union) is for combining tables, not searching across them. Option C (search) is deprecated.

Option B (evaluate) is for invoking plugins and does not target Kerberos logs directly.

229
MCQ · medium

During an incident, an analyst finds that a user's account was compromised and used to send spam. The analyst needs to revoke all active sessions for that user. What should the analyst do?

A. Reset the user's password.
B. Revoke the user's sessions in Microsoft Entra ID.
C. Create a Conditional Access policy to block the user.
D. Disable the user account in Microsoft Entra ID.
Answer: B

Revoke sessions invalidates all tokens.

Why this answer

Option B is correct because revoking sessions in Microsoft Entra ID invalidates all tokens. Option A is wrong because resetting the password does not revoke existing sessions. Option D is wrong because disabling the user stops new sign-ins but may not revoke current sessions.

Option C is wrong because Conditional Access policies do not revoke sessions.

230
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. A security investigator discovers that a user's session token was stolen and used to access sensitive data in SharePoint Online from an anomalous IP address. You need to immediately revoke the attacker's access while minimizing impact on the legitimate user. What should you do?

A. Suspend the user account in Microsoft Entra ID until the investigation is complete.
B. From Microsoft Defender for Cloud Apps, use the 'Require re-authentication' action on the anomalous session.
C. Revoke all refresh tokens for the user in Microsoft Entra ID.
D. Reset the user's password immediately.
Answer: B

This action revokes the compromised session and forces re-auth, minimizing impact.

Why this answer

Option B is correct because using session control to require re-authentication immediately revokes the compromised session without affecting the user's future sessions. Option A is wrong because suspending the user blocks all access, impacting productivity. Option C is wrong because revoking all refresh tokens also affects the legitimate user's other sessions.

Option D is wrong because resetting the password does not invalidate the stolen token.

231
Multi-Select · medium

Which THREE resources can be used as data sources for Microsoft Sentinel to detect security incidents? (Choose three.)

Select 3 answers
A. Microsoft 365 Defender
B. Microsoft Defender for Cloud
C. Azure Activity Log
D. Azure Cost Management
E. Azure Advisor
Answers: A, B, C

Provides integrated threat signals from endpoints, email, etc.

Why this answer

Options A, B, and C are correct: Microsoft 365 Defender provides integrated signals; Microsoft Defender for Cloud provides security alerts; Azure Activity Log provides subscription-level events. Option E is wrong because Azure Advisor provides recommendations, not security events. Option D is wrong because Azure Cost Management is cost-related.

232
MCQ · hard

During an incident response, you need to collect forensic evidence from a compromised Azure virtual machine that is currently offline. What is the most efficient method to acquire a disk snapshot for analysis while preserving the integrity of the evidence?

A. Attach a new data disk and copy the contents manually
B. Create a snapshot of the OS disk from the Azure portal
C. Start the VM and use Azure Backup to take a backup
D. Export the disk to a storage account using AzCopy
Answer: B

A snapshot creates a read-only point-in-time copy without powering on the VM.

Why this answer

Option B is correct because creating a snapshot from the Azure portal produces a point-in-time copy without affecting the original disk. Option C is wrong because starting the VM changes its state. Option A is wrong because attaching a new disk is for adding storage, not forensic acquisition.

Option D is wrong because exporting the disk to a storage account is a valid method, but a snapshot is faster and more efficient for preservation.

233
Multi-Select · easy

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that was not blocked by the service. You need to improve detection of similar phishing emails. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Create an Attack Simulation Training campaign.
B. Enable Safe Links for all users to block malicious URLs.
C. Submit the email to Microsoft for analysis using the Submissions page in Microsoft 365 Defender.
D. Create a mailbox rule to move similar emails to the Junk folder.
E. Configure an anti-phishing policy to protect against user impersonation.
Answers: C, E

Submissions help improve the filtering algorithms.

Why this answer

Options C and E are correct. Submitting the email for analysis helps improve detection. Configuring anti-phishing policies for user impersonation protection can block similar emails.

Option B is wrong because Safe Links is for URLs, not for detecting phishing emails based on content. Option D is wrong because creating a mailbox rule is a client-side action, not a service-wide improvement. Option A is wrong because Attack Simulation Training educates users but does not improve detection.

234
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A critical incident has been generated from Microsoft Defender for Cloud indicating that a Linux VM in Azure is running a cryptocurrency miner. The VM is part of a production application and cannot be shut down immediately. The incident severity is High. You need to contain the threat while maintaining application availability, investigate the root cause, and prevent recurrence. The environment includes Azure Policy, Microsoft Defender for Endpoint on the VM, and a Log Analytics workspace. You must minimize manual steps. What course of action should you take?

A. Remotely connect to the VM and run a script to kill the miner process, then update antivirus definitions
B. Remove the VM from the load balancer, then use Azure Policy to enforce that all VMs have antivirus enabled
C. Stop the VM immediately, take a snapshot for forensic analysis, and then redeploy a clean VM from a backup
D. Use Microsoft Sentinel automation to apply a block rule on the VM's network security group (NSG) to block outbound traffic to known mining pools, initiate Live Response to collect evidence, and create an Azure Policy to automatically deploy Microsoft Defender for Endpoint on all VMs
Answer: D

Blocks exfiltration, collects evidence, and prevents future occurrences.

Why this answer

Option D is correct because it uses automation to block the miner's network traffic (containment), collects forensic data via Live Response (investigation), and configures Azure Policy to enforce remediation (prevention). Option C is wrong because stopping the VM disrupts production. Option A is wrong because only running a script does not block network communication.

Option B is wrong because removing the VM from the load balancer still allows the miner to run locally and potentially communicate.

235
MCQ · easy

You need to ensure that critical incidents in Microsoft Sentinel are automatically assigned to a senior security analyst. What should you configure?

A. Create an analytics rule with a custom schedule.
B. Configure a workbook to filter incidents by owner.
C. Add the analyst to a watchlist used in analytics rules.
D. Create an automation rule that assigns the incident to the analyst.
Answer: D

Automation rules can assign incidents to owners.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to specific users or groups based on conditions like severity or title. By creating an automation rule that triggers on incident creation and sets the owner to the senior security analyst, you ensure critical incidents are assigned without manual intervention.

Exam trap

The trap here is that candidates confuse automation rules (which handle incident lifecycle actions like assignment) with analytics rules (which generate alerts), leading them to pick option A incorrectly.

How to eliminate wrong answers

Option A is wrong because analytics rules with custom schedules are used to generate alerts from log data, not to assign ownership of incidents. Option B is wrong because workbooks are visualization tools that display data, not mechanisms for assigning incident ownership. Option C is wrong because watchlists are used to correlate data or filter alerts in analytics rules, not to assign incidents to specific users.

236
MCQ · hard

During an incident, you need to isolate a compromised device from the network while allowing communication with Microsoft Defender for Endpoint cloud services. Which isolation type should you choose in Microsoft Defender XDR?

A. Controlled folder access
B. Network protection
C. Block file
D. Full isolation
E. Selective isolation
Answer: E

Allows Defender cloud communication.

Why this answer

Selective isolation (E) is the correct choice because it restricts network communication to only Microsoft Defender for Endpoint cloud services, blocking all other inbound and outbound traffic. This allows the compromised device to remain manageable and receive security updates while preventing lateral movement and further compromise. Full isolation would block all network traffic, including Defender services, rendering the device unmanageable.

Exam trap

The trap here is that candidates often confuse 'full isolation' with 'selective isolation,' assuming full isolation is always the safest choice, but they overlook that full isolation breaks the device's ability to communicate with Defender cloud services, making it unmanageable.

How to eliminate wrong answers

Option A is wrong because Controlled folder access is a Windows Defender Exploit Guard feature that protects files and folders from unauthorized changes by untrusted applications, not a network isolation mechanism. Option B is wrong because Network protection is a feature that blocks outbound connections to malicious IPs/domains using the Windows Filtering Platform, but it does not isolate a device from the network while selectively allowing Defender cloud services. Option C is wrong because Block file is an action in Microsoft Defender for Endpoint that prevents a specific file from executing or being written, not a device-level network isolation.

Option D is wrong because Full isolation blocks all network traffic, including communication with Microsoft Defender for Endpoint cloud services, which would prevent the device from receiving policy updates or reporting telemetry.

237
Multi-Select · hard

Which THREE are valid methods to collect forensic evidence from a compromised Windows machine during incident response in Microsoft Defender XDR? (Choose three.)

Select 3 answers
A. Reset the device to a clean state
B. Collect a memory dump from the device using Live Response
C. Perform a full disk image using Microsoft Defender for Endpoint
D. Run Live Response commands to collect files and run scripts
E. Export Windows Event Logs using Live Response
Answers: B, D, E

Memory dump captures running processes and network connections.

Why this answer

Options B, D, and E are correct: Live Response allows script execution and file collection; collecting a memory dump captures volatile evidence; exporting event logs provides a timeline. Option C is wrong because full disk imaging is not natively supported in Microsoft Defender XDR. Option A is wrong because resetting the device destroys evidence.

238
MCQ · easy

Your organization uses Microsoft Purview Data Loss Prevention (DLP). You need to receive an alert when a user attempts to share a credit card number via email. What should you configure?

A. Create a sensitivity label that blocks sharing.
B. Create a DLP policy in Microsoft Purview with the credit card number sensitive info type.
C. Create a retention label that identifies credit card data.
D. Create a file policy in Microsoft Defender for Cloud Apps.
Answer: B

DLP policies detect and alert on sensitive info.

Why this answer

Option B is correct because Microsoft Purview DLP policies can be configured to detect sensitive information types, such as credit card numbers, and trigger alerts when users attempt to share that data via email. By creating a DLP policy with the credit card number sensitive info type and setting an action to send an alert, you meet the requirement to receive an alert on such sharing attempts.

Exam trap

The trap here is that candidates often confuse sensitivity labels or retention labels with DLP policies, not realizing that only DLP policies can directly detect and alert on sensitive data in transit like email sharing.

How to eliminate wrong answers

Option A is wrong because sensitivity labels are used for classification and protection (e.g., encryption or visual markings) but do not natively generate alerts on sharing attempts; they require integration with DLP or other mechanisms for alerting. Option C is wrong because retention labels are designed to manage data lifecycle and retention policies, not to detect or alert on sharing of sensitive data. Option D is wrong because a file policy in Microsoft Defender for Cloud Apps focuses on monitoring and controlling cloud app usage, not directly on email sharing within Exchange Online; DLP policies in Purview are the correct tool for email-based sensitive data detection.

239
MCQ · hard

Your company uses Microsoft Defender XDR. The security team needs to restrict access to the Microsoft Defender portal so that only analysts in the 'Security Operations' group can view incidents. What is the most efficient way to achieve this?

A. Assign the Security Operations group the Defender for Endpoint administrator role.
B. Configure Conditional Access policy to allow only Security Operations group to sign in to the Defender portal.
C. Assign the Security Operations group the Security Reader role in Microsoft Entra ID.
D. Create a custom role in the Microsoft Defender portal with permissions to view incidents and assign it to the Security Operations group.
Answer: D

Custom RBAC roles in Defender XDR can restrict access to specific areas.

Why this answer

Option D is correct because Microsoft Defender XDR uses role-based access control (RBAC) within the portal itself. Creating a custom role with permissions to view incidents and assigning it to the Security Operations group directly controls access to incident data without affecting broader Azure AD roles or requiring Conditional Access policies. This is the most efficient method as it scopes permissions precisely to the Defender portal's incident management functionality.

Exam trap

The trap here is that candidates often confuse Azure AD roles (like Security Reader) with Defender portal RBAC roles, or assume Conditional Access can control data-level permissions, when in fact only custom Defender roles can restrict incident viewing to a specific group without granting broader privileges.

How to eliminate wrong answers

Option A is wrong because the Defender for Endpoint administrator role grants full administrative access to the Defender for Endpoint configuration and settings, not just incident viewing, which is overly permissive and violates the principle of least privilege. Option B is wrong because Conditional Access policies control authentication and sign-in access to the portal, not authorization to view specific data like incidents; they can block sign-in entirely but cannot restrict what a signed-in user sees within the portal. Option C is wrong because the Security Reader role in Microsoft Entra ID provides read-only access to security-related information across Azure services, but it does not grant granular permissions to view incidents specifically within the Microsoft Defender portal; it is a broad Azure AD role, not a Defender-specific RBAC role.

240
MCQ · easy

You are configuring Microsoft Sentinel SOAR capabilities. You need to create an automated response that, when a critical incident is created, triggers a playbook that sends a message to a Teams channel. Which connector should you use in the playbook?

A. Microsoft Exchange connector
B. Azure DevOps connector
C. Microsoft Teams connector
D. Microsoft Entra ID connector
Answer: C

Allows sending messages to Teams channels.

Why this answer

The Microsoft Teams connector is the correct choice because it enables the playbook to post messages directly to a Teams channel via an HTTP trigger and the Teams webhook action. This connector is specifically designed for sending notifications and messages to Teams, which aligns with the requirement to alert a channel when a critical incident is created.

Exam trap

The trap here is that candidates may confuse the Microsoft Teams connector with the Microsoft Exchange connector, assuming both can send notifications, but Exchange is strictly for email, not Teams messaging.

How to eliminate wrong answers

Option A is wrong because the Microsoft Exchange connector is used for email-related operations (e.g., sending emails, managing mailboxes), not for posting messages to Teams channels. Option B is wrong because the Azure DevOps connector is designed for managing work items, pipelines, and repositories in Azure DevOps, not for sending messages to Teams. Option D is wrong because the Microsoft Entra ID connector (formerly Azure AD) is used for identity and access management tasks (e.g., managing users, groups, and roles), not for sending messages to Teams channels.

241
MCQ · medium

A security analyst detects a suspicious sign-in from an unfamiliar IP address for a user with high privileges. The analyst wants to immediately contain the threat while preserving the user's ability to work with proper approvals. What is the most effective first step?

A. Block the IP address in the firewall.
B. Disable the user account in Microsoft Entra ID.
C. Reset the user's password without revoking sessions.
D. Initiate a user risk remediation in Microsoft Entra ID Protection by confirming compromise and resetting password with session revocation.
Answer: D

This revokes sessions, requires reauthentication, and contains the threat quickly.

Why this answer

Option D is correct because it immediately revokes sessions and requires reauthentication, containing the threat while allowing work after reauthentication. Option B is wrong because disabling the account permanently is too aggressive and may disrupt work without investigation. Option C is wrong because resetting the password doesn't revoke active sessions.

Option A is wrong because blocking the IP address alone does not address the possibility that the user account is compromised.

242
MCQ · easy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The security team wants to automatically create an incident in Microsoft Sentinel when a Microsoft Defender for Endpoint alert is triggered. What should you configure?

A. Enable the Microsoft Defender XDR connector in Microsoft Sentinel and select the incident creation settings.
B. Set up a Logic App custom connector to poll Defender alerts.
C. Configure the Security Events connector to forward Defender alerts.
D. Create analytics rules in Microsoft Sentinel for each Defender alert type.
Answer: A

The Microsoft Defender XDR connector automatically creates incidents from Defender alerts.

Why this answer

Option A is correct because the Microsoft Defender XDR connector in Microsoft Sentinel is specifically designed to ingest alerts and incidents from Microsoft Defender for Endpoint and other Defender products. By enabling this connector and configuring its incident creation settings, Sentinel automatically creates incidents when Defender for Endpoint alerts are triggered, without requiring custom logic or manual polling.

Exam trap

The trap here is that candidates often confuse the purpose of analytics rules (which generate alerts from raw data) with the connector's role (which ingests pre-existing alerts from external sources), leading them to incorrectly select Option D.

How to eliminate wrong answers

Option B is wrong because a Logic App custom connector would require building a custom polling mechanism, which is unnecessary and inefficient when the native Microsoft Defender XDR connector already provides automated, real-time incident ingestion. Option C is wrong because the Security Events connector is used to collect Windows security event logs (e.g., Event ID 4625) from on-premises or cloud-based systems, not Defender for Endpoint alerts. Option D is wrong because analytics rules in Sentinel are used to generate alerts from raw data sources (like Syslog or Windows Events), not to import existing alerts from Defender for Endpoint; the connector handles that ingestion automatically.

243
MCQ · hard

During a threat hunt, you notice an unusual number of DNS queries for randomly generated subdomains from a single workstation. You suspect data exfiltration via DNS tunneling. Which KQL query in Microsoft Sentinel would best help you identify the suspicious domain names?

A. let entropy_threshold = 4.0; let length_threshold = 20; CommonSecurityLog | where DeviceVendor == "Palo Alto" | extend entropy = strlen(DestinationHostName) - countof(DestinationHostName, 'a', 'z') / strlen(DestinationHostName) | where entropy > entropy_threshold or strlen(DestinationHostName) > length_threshold
B. CommonSecurityLog | where DestinationHostName !endswith ".com"
C. CommonSecurityLog | where DestinationHostName in (dynamic_threat_intel_list)
D. CommonSecurityLog | where DeviceVendor == "Palo Alto" | summarize count() by DestinationHostName | top 10 by count_
Answer: A

Entropy and length thresholds help detect random-looking DGA domains.

Why this answer

Option A is correct because it calculates entropy and length to detect algorithmically generated domains, a common indicator of DNS tunneling. Option D is wrong because it only lists top domains by count, not randomness. Option B is wrong because it filters non-.com domains, missing many DGA domains.

Option C is wrong because it queries a static threat intelligence list, not dynamic analysis.

244
Multi-Select · easy

Which TWO are valid methods to submit a file for analysis in Microsoft Defender for Endpoint? (Select TWO.)

Select 2 answers
A. Submit a file via live response.
B. Submit a file using the Microsoft 365 Defender API.
C. Submit a file through Microsoft Sentinel.
D. Submit a file via Microsoft Intune.
E. Submit a file from the Microsoft 365 Defender portal.
Answers: B, E

The API allows programmatic submission.

Why this answer

Option E is correct because you can submit via the Microsoft 365 Defender portal. Option B is correct because the Microsoft 365 Defender API allows submissions. Option A is wrong because live response is for collecting files, not submitting them for analysis.

Option C is wrong because Microsoft Sentinel is not a submission interface. Option D is wrong because Intune manages devices, not file submissions.

245
MCQ · medium

You are configuring Microsoft Sentinel automation rules to handle incidents generated from Microsoft Defender for Cloud. You need to ensure that when a high-severity security alert is triggered, an automated response runs a playbook that creates a support ticket in ServiceNow. However, the playbook fails to execute for some alerts. Upon investigation, you find that the automation rule is triggered only when the incident is created. What is the most likely cause of the failure?

A. The automation rule is configured to trigger only on incident creation, but the playbook requires the incident to be in an updated state.
B. The automation rule lacks permissions to the ServiceNow connector because of Microsoft Entra ID conditional access policies.
C. Playbooks cannot be called by automation rules in Microsoft Sentinel.
D. Automation rules cannot be triggered on incident creation from Microsoft Defender for Cloud.
Answer: A

Some playbooks require incident updates (e.g., after alert grouping) which won't trigger if rule is set only on creation.

Why this answer

Option A is correct because automation rules can run when incidents are created or updated, but the 'incident creation' trigger will not fire again on subsequent updates. If the playbook requires an updated incident (e.g., after alert grouping), it won't run. Option D is wrong because automation rules in Sentinel can trigger on incident creation.

Option C is wrong because playbooks can be called by automation rules. Option B is wrong because the issue is not related to Microsoft Entra ID permissions.

246
MCQ · easy

Your organization is using Microsoft Defender for Office 365. A user reports receiving a suspicious email that appears to be from the CEO requesting an urgent wire transfer. You need to investigate the email and take immediate action. What should you do first?

A. Use the Exchange admin center to run a message trace.
B. Use Threat Explorer in the Microsoft 365 Defender portal to find and delete the email.
C. Use the Security & Compliance Center to create a mail flow rule.
D. Submit the email to Microsoft for analysis using the Submissions page.
Answer: B

Threat Explorer provides detailed investigation capabilities including email deletion.

Why this answer

Using Threat Explorer allows you to quickly search for the specific email and take action such as soft delete or quarantine. Option A is incorrect because email trace is less detailed for security investigations. Option C is incorrect because Security & Compliance Center is legacy.

Option D removes the email without proper investigation.

247
MCQ · hard

Refer to the exhibit. You are troubleshooting an endpoint that is not receiving real-time protection from Microsoft Defender Antivirus. The output shows RealTimeProtectionEnabled is False. Which command should you run next to enable real-time protection?

A. Set-MpPreference -DisableRealtimeMonitoring $false
B. Add-MpPreference -ExclusionPath C:\Temp
C. Start-MpScan
D. Update-MpSignature
Answer: A

Enables real-time monitoring.

Why this answer

The Set-MpPreference cmdlet with the -DisableRealtimeMonitoring $false parameter is the correct command to enable real-time protection in Microsoft Defender Antivirus. The output shows RealTimeProtectionEnabled is False, which directly corresponds to the DisableRealtimeMonitoring setting; setting it to $false re-enables the feature. This cmdlet modifies the local policy for the Microsoft Defender Antivirus engine, immediately activating real-time scanning of file operations and process activity.

Exam trap

The trap here is that candidates often confuse disabling real-time monitoring with other maintenance tasks like scanning or updating signatures, assuming any Defender-related command will fix the protection state, but only Set-MpPreference directly controls the RealTimeProtectionEnabled flag.

How to eliminate wrong answers

Option B is wrong because Add-MpPreference -ExclusionPath C:\Temp adds a file or folder exclusion from scanning, which does not affect the RealTimeProtectionEnabled state; it only prevents Defender from scanning the specified path. Option C is wrong because Start-MpScan initiates a one-time on-demand scan (e.g., quick, full, or custom scan) but does not toggle the real-time protection setting; it runs a scan regardless of whether real-time monitoring is enabled. Option D is wrong because Update-MpSignature downloads and installs the latest security intelligence updates (virus definitions) but has no impact on the RealTimeProtectionEnabled flag; it updates signatures without enabling or disabling real-time protection.

248
MCQ · hard

Arrange the steps in the correct order to create and save a custom hunting query in Microsoft Sentinel.

A.Open the Microsoft Sentinel workspace in the Azure portal → Navigate to the Hunting blade in the Sentinel menu → Click on the 'New Query' button → Write the KQL query in the query editor → Run the query to verify results → Save the query with a meaningful name and description
B.Verify results before configuring the source or rule settings.
C.Configure alert grouping before defining the detection query or source.
D.Skip validation and enable the rule or plan immediately.
AnswerA

This order follows the required configuration sequence and verifies the result last.

Why this answer

Option A is correct because creating a custom hunting query in Microsoft Sentinel requires first accessing the workspace, then navigating to the Hunting blade, clicking 'New Query', writing the KQL query, running it to validate results, and finally saving it with a meaningful name and description. This sequence ensures the query is tested before being stored, aligning with Sentinel's workflow for ad-hoc threat hunting.

Exam trap

The trap here is that candidates confuse the workflow for creating an analytics rule (which involves configuring source, alert grouping, and rule settings) with the simpler, validation-focused process for creating a hunting query, leading them to select options B, C, or D that describe rule creation steps rather than hunting query steps.

How to eliminate wrong answers

Option B is wrong because it describes verifying results before configuring source or rule settings, which is irrelevant to creating a hunting query—hunting queries are not tied to alert rules or data sources; they are standalone KQL searches. Option C is wrong because alert grouping is a configuration step for analytics rules, not for hunting queries; hunting queries do not involve alert grouping or detection logic. Option D is wrong because skipping validation and enabling the rule or plan immediately ignores the necessary step of running the query to verify its syntax and results, which is critical for ensuring the query returns meaningful data before saving.

249
MCQhard

You are a Microsoft Security Operations Analyst for a large enterprise with 50,000 users. Your organization uses Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Defender for Cloud Apps. The security team has observed an increase in alerts related to SaaS applications (e.g., Box, Salesforce) accessed from unusual locations. You need to design a solution to automatically investigate and respond to these alerts. The solution should: (1) correlate user activity across multiple SaaS apps, (2) automatically isolate a user's account if the risk score exceeds 90, and (3) create an incident in Sentinel. Which approach should you use?

A.Use Microsoft Sentinel UEBA to detect anomalies and manually trigger a playbook to block the user.
B.Deploy Microsoft Defender for Endpoint on all devices and use device risk as a factor for conditional access.
C.Configure Microsoft Defender for Cloud Apps to use session policies that require reauthentication or block access when risk is high, and stream alerts to Sentinel.
D.Create analytics rules in Sentinel for each SaaS app and a playbook to isolate accounts using Microsoft Entra ID conditional access.
AnswerC

Session policies can apply across SaaS apps and enforce actions based on risk.

Why this answer

Option B is correct because Defender for Cloud Apps provides session policies that can block or isolate access based on risk, and it integrates with Sentinel. Option A is not cross-app; Option C is for endpoints; Option D is not automated.

250
MCQmedium

A threat hunter is investigating a potential compromise involving a user account that has been used to sign in from multiple locations within a short time. The hunter wants to use Microsoft Sentinel to find all sign-in events for that user from different IP addresses in the last 24 hours. Which KQL query should be used?

A.SigninLogs | where TimeGenerated > ago(24h) | where UserPrincipalName == "user@domain.com" | summarize count() by IPAddress
B.SecurityEvent | where TimeGenerated > ago(24h) | where TargetUserName == "user@domain.com" | summarize count() by IpAddress
C.AuditLogs | where TimeGenerated > ago(24h) | where InitiatedBy.user.userPrincipalName == "user@domain.com" | summarize count() by IPAddress
D.CommonSecurityLog | where TimeGenerated > ago(24h) | where SourceUserID == "user@domain.com" | summarize count() by SourceIP
AnswerA

SigninLogs contains user sign-in events with IP addresses.

Why this answer

Option D is correct because SigninLogs contains user sign-in data and the query groups by UserPrincipalName and IP address. Option A is wrong because AuditLogs contains administrative actions, not sign-ins. Option B is wrong because SecurityEvent is for Windows events, not cloud sign-ins.

Option C is wrong because CommonSecurityLog is for network devices.

251
Multi-Selecteasy

Which TWO tasks can you perform using Microsoft Sentinel automation rules?

Select 2 answers
A.Send an email notification without a playbook.
B.Assign an incident to an analyst.
C.Delete an incident.
D.Change the severity of an incident.
E.Create a new analytics rule.
AnswersB, D

Automation rules can assign incidents.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can directly assign incidents to specific analysts or groups without requiring a playbook. This is a native action within the automation rule configuration, enabling immediate ownership and accountability for incident response.

Exam trap

The trap here is that candidates often confuse automation rule capabilities with playbook actions, assuming email notifications or deletions are possible natively, but Microsoft Sentinel restricts automation rules to incident property changes and playbook triggers only.

252
MCQeasy

A company wants to enable vulnerability scanning for Azure virtual machines using the integrated Microsoft Defender Vulnerability Management solution. What is the first step?

A.Install the Defender Vulnerability Management extension on each VM.
B.Enable the 'Servers' plan in Defender for Cloud.
C.Configure a vulnerability assessment solution in the VM's security settings.
D.Create a vulnerability assessment rule in Azure Policy.
AnswerB

Enabling the Servers plan for the subscription activates the integrated vulnerability assessment, which auto-deploys the solution.

Why this answer

The first step to enable vulnerability scanning for Azure VMs using the integrated Microsoft Defender Vulnerability Management solution is to enable the 'Servers' plan in Defender for Cloud. This plan activates the Defender for Cloud integration with Microsoft Defender Vulnerability Management, which automatically discovers and assesses vulnerabilities on supported Azure VMs without requiring any additional agent or extension installation. Once the plan is enabled, vulnerability assessment is performed natively by the Defender for Cloud platform.

Exam trap

The trap here is that candidates often assume a separate extension or agent must be installed (Option A) because they are familiar with traditional vulnerability scanning tools, but Microsoft Defender for Cloud's integrated solution is agentless and activated by enabling the 'Servers' plan.

How to eliminate wrong answers

Option A is wrong because the Defender Vulnerability Management extension is not required; the vulnerability scanning is built into the 'Servers' plan and does not need a separate extension to be installed on each VM. Option C is wrong because configuring a vulnerability assessment solution in the VM's security settings is a manual, legacy approach that is not the first step; the integrated solution is automatically enabled when the 'Servers' plan is turned on. Option D is wrong because creating a vulnerability assessment rule in Azure Policy is not the initial step; Azure Policy can be used to enforce compliance, but the prerequisite is enabling the 'Servers' plan in Defender for Cloud.

253
Multi-Selecthard

Which TWO actions should you take to ensure that Microsoft Sentinel can properly ingest logs from a Linux server running rsyslog? (Choose two.)

Select 2 answers
A.Install and configure syslog-ng instead of rsyslog
B.Configure rsyslog to forward logs to the agent on TCP 514
C.Install the Log Analytics agent (or Azure Monitor Agent) on the Linux server
D.Configure Windows Event Forwarding (WEF) to collect logs from the Linux server
E.Configure rsyslog to forward logs to the Log Analytics agent on UDP 25224
AnswersC, E

The agent is required to collect syslog data.

Why this answer

Option C is correct because the Log Analytics agent (or Azure Monitor Agent) must be installed on the Linux server to receive and forward syslog data to Microsoft Sentinel. Without the agent, Sentinel has no direct mechanism to collect logs from the server. The agent listens for syslog messages forwarded by rsyslog and then sends them to the Log Analytics workspace.

Exam trap

The trap here is that candidates often assume syslog must be sent on the standard port 514 (TCP or UDP) or that replacing rsyslog with syslog-ng is necessary, but the Log Analytics agent specifically requires forwarding to UDP 25224 and works with rsyslog out of the box.

254
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in ARM template format. The rule is enabled but no incidents are being created even though matching sign-in events exist. What is the most likely reason?

A.The query uses a dynamic list incorrectly
B.The rule does not have entity mapping configured
C.The suppressionDuration is incorrectly configured
D.The queryFrequency is set too high, causing missed events
AnswerB

Entity mapping is required for incident creation; without it, incidents may not be generated.

Why this answer

The exhibit rules out most of the suggested causes. The query compares the IPAddress column of SigninLogs against a static list inside the `in` operator, written as `dynamic(['10.0.0.1', '192.168.1.1'])`; that is valid KQL, and the list values are strings, matching the string type of IPAddress, so Option A does not explain the missing incidents. The queryPeriod and queryFrequency are both 5 hours, which is a permitted configuration (the lookback simply equals the schedule), so Option D does not apply. The suppressionDuration is also 5 hours, but suppression is disabled, so Option C does not apply either. The triggerThreshold is 0 with a GreaterThan operator, so any returned row raises an alert; groupingConfiguration.enabled is false and eventGroupingSettings.aggregationKind is SingleAlert, so each alert becomes its own incident; and createIncident is true. The question also states that matching sign-in events exist, which excludes an unconnected SigninLogs data source or an empty query result.

The one part of the rule definition the exhibit does not show is entity mapping. Incident creation in Sentinel does not strictly require entity mapping (it is recommended rather than mandatory), but with every other setting in the exhibit accounted for, the missing entity mapping is the most likely reason no incidents appear, and it is the option selected in the answer key.

255
MCQeasy

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365 (Threat Explorer)
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerB

Threat Explorer provides a detailed email entity view including delivery actions, phish simulation, and campaign information.

Why this answer

Microsoft Defender for Office 365's Threat Explorer (now part of the unified investigation experience) provides a detailed entity view of an email, including delivery actions (e.g., delivered to Junk, blocked, or allowed), whether the email was part of a phishing simulation, and the associated campaign information. This tool is specifically designed for deep email threat investigation within the Defender for Office 365 portal, leveraging telemetry from Exchange Online Protection (EOP) and Defender for Office 365.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365's Threat Explorer with Microsoft Defender for Endpoint's advanced hunting, but only Threat Explorer provides the specific email entity view with delivery actions, phish simulation flags, and campaign metadata required for this investigation.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint-level threats (e.g., malware, file-based attacks, and process behaviors) and does not provide email-specific entity views, delivery actions, or phish simulation details. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals for identity-based attacks (e.g., Kerberoasting, pass-the-hash) and has no capability to inspect email transport or campaign data. Option D is wrong because Microsoft Defender for Cloud Apps (formerly MCAS) provides visibility into cloud application usage and shadow IT, but it does not offer granular email delivery actions, phish simulation flags, or campaign tracking for individual messages.

256
MCQeasy

While threat hunting in Microsoft Defender for Cloud Apps, you notice a user has an unusually high number of failed login attempts from a single IP address. What is the most effective next step to determine if this is a brute-force attack?

A.Immediately block the IP address
B.Investigate the IP address in the Microsoft Defender for Cloud Apps Activity log to review all failed attempts
C.Create a new anomaly detection policy for that user
D.Check the user's device for malware
AnswerB

The Activity log provides detailed records of each attempt, allowing pattern analysis.

Why this answer

Using the Activity log to filter by the IP and reviewing failures is the most direct method. Option B (Blocking the IP) is premature. Option C (Creating an anomaly detection policy) is for future detection.

Option D (Investigating the user's device) is not relevant for cloud app access.

257
MCQeasy

A SOC analyst wants to create a scheduled analytics rule in Microsoft Sentinel that runs every hour and detects multiple failed user login attempts from a single IP address within a 5-minute window. Which KQL function should be used in the query to group the failed events by 5-minute time intervals?

A.summarize count() by IPAddress, bin(TimeGenerated, 5m)
B.summarize count() by IPAddress, TimeGenerated
C.extend interval = datetime_diff('minute', TimeGenerated, ago(5m))
D.scan with (match all events within 5m by IPAddress)
AnswerA

bin() creates 5-minute buckets for time-based aggregation.

Why this answer

Option A is correct because the `bin()` function in KQL is specifically designed to group data into fixed-size time buckets, such as 5-minute intervals. By using `summarize count() by IPAddress, bin(TimeGenerated, 5m)`, the query counts failed login attempts per IP address within each 5-minute window, which directly meets the requirement for a scheduled rule that detects multiple failures from a single IP in a 5-minute period.

Exam trap

The trap here is that candidates often confuse the `bin()` function with simple grouping by timestamp (Option B) or mistakenly think that `datetime_diff` (Option C) can be used to group events, when in fact only `bin()` provides the correct fixed-interval bucketing required for time-windowed aggregations.

How to eliminate wrong answers

Option B is wrong because it groups by the exact `TimeGenerated` value (including seconds and milliseconds), not by 5-minute intervals, so it would produce separate counts for each individual timestamp rather than aggregating over the desired window. Option C is wrong because `datetime_diff` calculates the difference between two timestamps, but it does not group or bucket events; it only returns a scalar value for each row, making it unsuitable for aggregating events into time intervals. Option D is wrong because the `scan` operator is used for sequence analysis (e.g., detecting patterns across ordered events), not for simple time-based grouping; it is overly complex and not designed for bucketing by fixed time intervals.

258
Multi-Selecthard

You are responding to a ransomware incident where multiple devices are encrypted. The incident is captured in Microsoft Sentinel. Which TWO actions should you take first to contain the incident?

Select 2 answers
A.Disable user accounts associated with the affected devices in Microsoft Entra ID.
B.Isolate affected devices using Microsoft Defender for Endpoint.
C.Reset passwords for all affected users.
D.Run a malware analysis on a sample of the ransomware.
E.Restore encrypted files from backups.
AnswersA, B

Disabling accounts prevents further access and potential spread.

Why this answer

Options A and C are correct because isolating devices and disabling user accounts are immediate containment actions. Option B is wrong because restoring from backup is recovery, not containment. Option D is wrong because resetting passwords does not stop encryption.

Option E is wrong because analyzing the malware is investigative, not containment.

259
MCQeasy

A junior SOC analyst receives multiple low-severity alerts from Microsoft Sentinel. The alerts are related to failed logon attempts from a single IP address over a short period. The analyst wants to group these alerts into a single incident to reduce noise. What should the analyst do?

A.Use the Microsoft Defender XDR incident queue to group the alerts
B.Configure the analytics rule to group alerts into incidents by the IP address
C.Create an automation rule to close duplicate alerts
D.Manually merge the alerts into one incident in the Sentinel incidents blade
AnswerB

Incident grouping in the analytics rule automatically groups related alerts.

Why this answer

Option B is correct because incident grouping in analytics rules allows merging of alerts into a single incident based on criteria like IP address. Option A is wrong because manually grouping is not scalable. Option C is wrong because the incident queue does not have a built-in grouping feature.

Option D is wrong because automation rules do not group alerts; they act on incidents.

260
Matchingmedium

Match each Microsoft Sentinel incident management action to its purpose.


Designate an owner for the incident

Resolve the incident as false positive or true positive

Document investigation notes

Adjust impact level based on findings

Trigger automated response actions

Why these pairings

These actions are used to manage incidents in Microsoft Sentinel.

261
MCQhard

You are a security operations analyst for a large enterprise with a hybrid environment. Your organization uses Microsoft Sentinel as the central SIEM, Microsoft Defender for Cloud for Azure workloads, Microsoft Defender for Endpoint for endpoints, and Microsoft Defender for Identity for on-premises Active Directory. Recently, the security team has been overwhelmed by a high volume of low-severity incidents from Defender for Cloud that are not actionable. These incidents are generated from the built-in 'ASC Default' policy initiative. You need to reduce the noise without disabling the entire policy. The security team still wants to be alerted on high-severity incidents. You have been asked to implement a solution that automatically suppresses low-severity incidents from Defender for Cloud but still allows high-severity ones to be created in Sentinel. You must not modify the policy initiative itself. What should you do?

A.Create a new analytics rule that creates incidents only for high-severity alerts from Defender for Cloud.
B.Modify the 'ASC Default' analytics rule in Sentinel to only trigger on high-severity alerts.
C.Turn off the Defender for Cloud data connector in Sentinel.
D.Create an automation rule that triggers when an incident is created from Defender for Cloud with severity Low or Medium, and set the status to Closed.
AnswerD

This automatically closes low-severity incidents, reducing noise.

Why this answer

Option B is correct because creating an automation rule that automatically closes low-severity incidents from Defender for Cloud will reduce noise while still allowing high-severity incidents to be created. Option A is wrong because modifying the analytics rule is not possible for built-in rules; also it would affect all severities. Option C is wrong because creating a separate analytics rule does not suppress the existing ones.

Option D is wrong because turning off the connector would stop all incidents.

262
MCQeasy

You receive an alert in Microsoft Sentinel indicating a potential privilege escalation using the 'AzureHound' tool. You need to determine if the alert is a true positive. What is the first step you should take?

A.Check the user's recent activity and the targeted resource in Microsoft Entra ID audit logs
B.Review the Microsoft Defender for Cloud recommendation for the resource
C.Block the user account immediately
D.Run a full antivirus scan on all devices
AnswerA

This allows you to confirm if the activity is legitimate or malicious.

Why this answer

Option B is correct because the alert provides the user and resource details that should be verified. Option A is wrong because blocking the user may be premature. Option C is wrong because it's too broad.

Option D is wrong because it doesn't investigate the specific alert.

263
Multi-Selectmedium

Your organization uses Microsoft Sentinel and you are designing a data retention strategy. You have a Log Analytics workspace with the following tables: SecurityEvent, SigninLogs, and CommonSecurityLog. The compliance team requires that SigninLogs be retained for 7 years, while other tables can be retained for 1 year. Which THREE steps must you take to meet this requirement?

Select 3 answers
A.Set an archiving policy to move SigninLogs to cold storage after 1 year.
B.Set the workspace retention to 7 years.
C.Enable Azure Data Explorer (ADX) for long-term storage.
D.Configure table-level retention for SigninLogs to 7 years.
E.Ensure that the workspace is in a region that supports 7-year retention.
AnswersB, D, E

Workspace retention must be at least as long as the longest table-level retention.

Why this answer

Option A, B, and D are correct. Option A is required to set workspace retention to the maximum (7 years) to allow for table-level retention. Option B is required to configure table-level retention for SigninLogs.

Option D is required because the compliance team needs to retain for 7 years. Option C is wrong because archiving is not needed if retention is set to 7 years. Option E is wrong because interactive retention can be set to 7 years without archiving.

264
Multi-Selecthard

Which THREE components are required to ingest Microsoft Entra ID (Azure AD) audit logs into Microsoft Sentinel?

Select 3 answers
A.A Log Analytics workspace in the same region as Microsoft Entra ID.
B.A user account with Security Administrator or Global Administrator role to configure the connector.
C.A playbook to parse the audit logs.
D.Microsoft Sentinel's Microsoft Entra ID data connector.
E.Microsoft Entra ID P1 or P2 license.
AnswersB, D, E

Permissions are required to set up the connector.

Why this answer

Option B is correct because configuring the Microsoft Entra ID (Azure AD) data connector in Microsoft Sentinel requires a user account with at least the Security Administrator role (or Global Administrator) to grant the necessary permissions for the connector to read audit logs and sign-in logs from Microsoft Entra ID via the Microsoft Graph API. Without this role, the connector cannot authenticate and retrieve the required data.

Exam trap

The trap here is that candidates often assume a Log Analytics workspace must be regionally aligned with the data source, but Microsoft Entra ID is a global service and the workspace region is irrelevant for ingestion.

265
MCQhard

You are analyzing sign-in logs in Microsoft Sentinel. The KQL query shown in the exhibit returns a list of users who have signed into Office 365 Exchange Online more than 10 times in the last 24 hours. You need to identify potential brute-force attacks. What additional information should you add to the query to improve detection?

A.Include both successful and failed sign-in attempts, then filter for users with a high number of failed attempts and at least one successful attempt.
B.Change the time window to 1 hour to detect rapid attempts.
C.Add a condition to only include sign-ins from unusual geographic locations.
D.Add a condition to exclude users who have multi-factor authentication (MFA) enabled.
AnswerA

Brute-force often involves many failures and eventual success.

Why this answer

To detect brute-force attacks, you need to look for multiple failed sign-in attempts followed by a success. The current query only shows successful sign-ins. Option A is correct because adding a condition to include failed attempts (ResultType != 0) and then filtering for users with many failures and at least one success would better indicate brute-force.

Option B (excluding MFA) does not help. Option C (filtering by location) may reduce false positives but not detect brute-force. Option D (time bin) is already there.

266
MCQmedium

A company runs SQL Server on Azure Virtual Machines (IaaS). They want to enable Advanced Threat Protection (ATP) for these instances to detect SQL injection attempts. What must they do first?

A.Deploy the Azure Security Center agent on the VM
B.Enable Azure Defender for SQL on the server
C.Enable Azure Defender for Servers
D.Configure SQL Server auditing manually
AnswerB

Azure Defender for SQL includes Advanced Threat Protection for SQL Server instances on VMs. It must be enabled either at the subscription level or per-server to start detecting threats like SQL injection.

Why this answer

Azure Defender for SQL is the specific plan within Microsoft Defender for Cloud that provides Advanced Threat Protection (ATP) for Azure SQL resources, including SQL Server on Azure VMs. Enabling this plan activates threat detection capabilities such as SQL injection alerts, anomalous access patterns, and vulnerability assessments. Without this plan, the VM's SQL Server instance is not monitored by Defender for Cloud's SQL-specific threat detection engine.

Exam trap

The trap here is that candidates confuse Azure Defender for Servers (which protects the OS) with Azure Defender for SQL (which protects the database engine), leading them to select the server-level plan when the question specifically asks for SQL injection detection.

How to eliminate wrong answers

Option A is wrong because the Azure Security Center agent (now the Log Analytics agent or Azure Monitor Agent) is used for collecting OS-level security events and is not required for SQL-specific ATP; Defender for SQL uses SQL-specific telemetry collected via the SQL IaaS Agent extension, not the general VM agent. Option C is wrong because Azure Defender for Servers provides threat detection for the VM's operating system and network layer, but does not include SQL-specific protections like SQL injection detection; that requires the dedicated Azure Defender for SQL plan. Option D is wrong because manual SQL Server auditing is a separate compliance and logging feature that does not enable ATP's real-time threat detection; ATP uses its own built-in detection logic and does not depend on manual auditing configuration.

267
MCQhard

Your organization uses Microsoft Sentinel and has enabled UEBA (User and Entity Behavior Analytics). You notice a series of incidents involving anomalous logon times for a privileged user. You want to automate the response to disable the user's account in Microsoft Entra ID when such incidents are created. What should you configure?

A.Create an automation rule that runs a playbook when an incident from the UEBA analytics rule is created, and configure the playbook to disable the user in Microsoft Entra ID.
B.Create an analytics rule that triggers on UEBA anomalies and directly disables the user.
C.Add the user to a watchlist and create a playbook that runs on a schedule.
D.Configure UEBA to automatically disable the user when anomalous behavior is detected.
AnswerA

This is the correct automated response flow.

Why this answer

Option D is correct because an automation rule can trigger a playbook that uses the Microsoft Entra ID connector to disable a user. Option A is wrong because UEBA does not directly trigger actions. Option B is wrong because analytics rules create alerts, not direct account actions.

Option C is wrong because watchlists are for enrichment.

268
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You suspect a compromised on-premises admin account that has been used to modify security groups. You want to quickly contain the threat. What should you do first?

A.Move the user account to an Organizational Unit (OU) with blocked logon hours.
B.Reset the user's password in on-premises Active Directory.
C.Revoke the user's sessions in Microsoft Entra ID and reset the password in both on-premises AD and Entra ID.
D.Disable the user account in Microsoft Entra ID.
AnswerC

This immediately terminates current sessions and prevents further authentication.

Why this answer

Option D is correct because revoking the user's session tokens and resetting the password in both on-premises AD and Entra ID immediately stops further activity. Option A is wrong because disabling the user in Entra ID alone does not block on-premises access. Option B is wrong because resetting password in on-premises AD does not revoke current tokens.

Option C is wrong because moving the user to a blocked OU may not take effect immediately.

269
MCQeasy

Your organization uses Microsoft Sentinel. An incident is created from an Azure Active Directory (now Microsoft Entra ID) sign-in alert. You need to determine if the sign-in was from a compromised token. What data source should you examine?

A.Audit logs in Microsoft Entra ID
B.Azure Activity Log
C.Sign-in logs in Microsoft Entra ID
D.Microsoft Defender for Cloud Apps logs
AnswerC

Sign-in logs contain token information and sign-in properties.

Why this answer

Option C is correct because the sign-in logs record token-related properties for each authentication: session identifier, token issuer type, authentication details, conditional access result, device and location. Comparing these across sign-ins (the same SessionId appearing from a new IP address or device, for example) is how a replayed token is spotted. In Sentinel the interactive events land in SigninLogs and the token-refresh events, where replay usually surfaces, in AADNonInteractiveUserSignInLogs. Option A is wrong because audit logs track directory changes, not sign-in details. Option B is wrong because the Azure Activity log covers resource-management operations.

Option D is wrong because Defender for Cloud Apps logs cover cloud-app sessions and do not carry the sign-in token details.

270
MCQmedium

Refer to the exhibit. Your SOC manager runs this KQL query in Microsoft Sentinel to see which analysts have the most active high-severity incidents in the past 7 days. The query returns no results. What is the most likely reason?

A.The query has a syntax error.
B.The table name is misspelled.
C.No high-severity incidents were created in the last 7 days.
D.The SecurityIncident table is not available in the Logs workspace; it is only accessible through the Sentinel incidents blade.
AnswerD

SecurityIncident is populated by Microsoft Sentinel and exists only in workspaces where Sentinel is enabled.

Why this answer

Option D is correct because the SecurityIncident table is written by Microsoft Sentinel, not by Log Analytics itself: it exists only in a workspace that has Sentinel enabled and is queried from the Sentinel Logs context. In a plain Log Analytics workspace there is no SecurityIncident table, so the query cannot return incident rows whatever its syntax or however many incidents were raised elsewhere. The practitioner's check is to look for the table in the workspace schema pane or run a bare query against it; a table that does not exist fails with a table-resolution error rather than returning an empty set.

Exam trap

Microsoft often tests the misconception that all Sentinel data is available in any Log Analytics workspace, when in fact the SecurityIncident table appears only once the Sentinel solution is enabled on that workspace and the user queries it from the Sentinel Logs context.

How to eliminate wrong answers

Option A is wrong because the query's syntax is valid (a filter on Severity and TimeGenerated followed by summarize count() by Owner), and a syntax error produces an error message, not an empty result. Option B is wrong because 'SecurityIncident' is the table's correct name; a misspelled table name likewise produces a table-resolution error rather than an empty result. Option C is wrong according to the key because the scenario is meant to describe a workspace without the Sentinel tables rather than a quiet week; in practice you would rule it out by widening the time range or dropping the severity filter before concluding anything. Two further points matter when this query is run for real: SecurityIncident writes a row for every update of an incident, so counts must be taken on the latest row per IncidentNumber, and Owner is a dynamic column whose userPrincipalName or assignedTo field is what you group on, not the whole object.

271
Multi-Selectmedium

Which TWO actions require the Global Administrator role in Microsoft 365?

Select 2 answers
A.Create a data loss prevention (DLP) policy in Microsoft Purview
B.Create a custom role in Microsoft Defender XDR
C.View the Microsoft 365 Defender incident queue
D.Configure tenant-wide settings in Microsoft 365
E.Manage roles and administrators in Microsoft Entra ID
AnswersD, E

Many tenant-wide settings require Global Admin.

Why this answer

Correct options are D and E because configuring tenant-wide Microsoft 365 settings and managing roles and administrators in Entra ID are the tasks the exam associates with Global Administrator. Caveat: in practice Privileged Role Administrator can manage Entra role assignments, and least privilege means using that role rather than Global Administrator wherever the task allows it. Option B can be done by a Security Administrator. Option C can be done by a Security Reader.

Option A can be done by a Compliance Administrator.

272
MCQeasy

After a security incident, the SOC team needs to preserve forensic evidence from a compromised Microsoft Entra ID joined Windows 10 device. The device is still online. Which tool should the team use to collect a forensic image of the hard drive?

A.Microsoft BitLocker Administration and Monitoring
B.Microsoft Entra ID
C.Microsoft Intune
D.Microsoft Defender for Endpoint
AnswerD

Defender for Endpoint can collect evidence remotely from an online device through Live Response.

Why this answer

Option D is correct because Microsoft Defender for Endpoint live response gives the team a remote shell on the onboarded device, from which they can collect files, run an uploaded collection script and pull an investigation package. Caveat: live response has no built-in disk-imaging command; a full image needs an imaging tool run through a live response script (or locally on the device), and an encrypted volume needs its BitLocker recovery key, so what you get out of the box is evidence collection from a live host rather than a bit-for-bit image. Option A is wrong because BitLocker Administration and Monitoring manages encryption and recovery keys; it does not image disks. Option C is wrong because Intune manages device configuration and compliance and has no forensic collection capability.

Option B is wrong because Entra ID is the identity directory, not a device-management or imaging tool.

273
MCQhard

A security analyst is configuring Microsoft Sentinel scheduled analytics rules to detect brute-force attacks on Microsoft Entra ID. Arrange the steps in the correct order from first to last.

A.Create a query using KQL to count failed sign-ins. → Set the rule schedule (run every 5 minutes). → Set the alert threshold (e.g., >5 failed sign-ins from same IP in 5 minutes). → Define incident properties (title, severity, tactics). → Configure grouping settings to group alerts into incidents.
B.Verify results before configuring the source or rule settings.
C.Configure alert grouping before defining the detection query or source.
D.Skip validation and enable the rule or plan immediately.
AnswerA

This order follows the required configuration sequence and verifies the result last.

Why this answer

Option A is correct because the standard workflow for creating a scheduled analytics rule in Microsoft Sentinel begins with defining the detection logic via a KQL query, then configuring the schedule and threshold, followed by incident properties and grouping settings. This sequence ensures the rule has a valid query before setting operational parameters like run frequency and alert aggregation.

Exam trap

The trap here is that candidates often assume alert grouping or incident settings can be configured before the detection query is written, but the Sentinel rule wizard needs the query first: entity mapping is built from the columns the query returns, and grouping alerts into incidents by entity depends on that mapping.

How to eliminate wrong answers

Option B is wrong because verifying results (e.g., via the 'Run Query' button) should occur after the query is written, not before configuring the source or rule settings; the order implies skipping essential configuration steps. Option C is wrong because alert grouping (how alerts are combined into incidents) must be configured after the detection query and threshold are defined, as grouping depends on the alert output structure. Option D is wrong because skipping validation and enabling the rule immediately violates best practices; validation (testing the query and reviewing alerts) is critical to avoid false positives or missed detections.

274
MCQmedium

A SOC analyst is creating a Microsoft Sentinel scheduled analytics rule to detect failed sign-in attempts from a specific list of known malicious IP addresses. The IP addresses are stored in a CSV file that is updated weekly. The analyst uploads the file as a new table in the Log Analytics workspace. Which KQL operator should the analyst use to reference this table within the rule's query?

A.Use the custom table name directly in the query, e.g., 'MaliciousIPs_CL'.
B.Use 'externaldata()' to point to the CSV file in Azure Blob storage.
C.Use 'union' with the workspace name to include the CSV data.
D.Use 'watchlist' function, because CSV files are automatically treated as watchlists.
AnswerA

Once the CSV is ingested as a custom table (with '_CL' suffix), it can be referenced directly like any other table.

Why this answer

Option A is correct because when a CSV file is uploaded as a new table in the Log Analytics workspace, it becomes a custom table with a '_CL' suffix (e.g., 'MaliciousIPs_CL'). The analyst can then reference this table directly in the KQL query, just like any other table in the workspace. This is the standard method for using custom log data ingested via the Log Analytics agent or direct upload.

Exam trap

The trap here is that candidates may confuse the 'externaldata()' operator (used for ad-hoc queries on external files) with the direct table reference for already-ingested custom logs, or assume that any uploaded CSV becomes a watchlist, when in fact watchlists require explicit creation and are accessed via a dedicated function.

How to eliminate wrong answers

Option B is wrong because 'externaldata()' is used to query data from external storage (Azure Blob or ADLS) without ingesting it into the workspace; the CSV has already been uploaded as a table, so externaldata() is unnecessary and would bypass the ingested copy. Option C is wrong because 'union' combines results from multiple tables or queries; it is not how a single table is referenced, and the custom table can be queried directly. Option D is wrong because CSV files are not automatically treated as watchlists; watchlists are a separate Sentinel feature that must be created explicitly through the watchlist UI or API and are read with the '_GetWatchlist()' function, not by table name. Caveat for the weekly refresh: each upload appends rows to the custom table rather than replacing them, so the rule's query should deduplicate or select the latest upload; a watchlist, which can be replaced wholesale and is built for exactly this kind of reference list, is often the better vehicle for a CSV that changes every week.

275
MCQeasy

You are configuring Microsoft Sentinel to detect potential ransomware activity. The security team wants to be alerted when a single host contacts multiple suspicious domains within a short time. Which analytic rule type should you create?

A.NRT (Near-Real-Time) rule
B.Scheduled query rule
C.Anomaly rule
D.Microsoft security rule
AnswerA

NRT rules process events continuously and can detect rapid sequences.

Why this answer

An NRT (near-real-time) rule is the correct choice because it runs once a minute against the data ingested in the preceding minute, giving roughly one-minute detection latency, which suits a pattern such as a single host contacting several suspicious domains in quick succession. Scheduled rules run on a fixed interval (five minutes at the shortest) and so respond later. Caveat: because an NRT rule only sees about one minute of data per run, the 'short time' window has to fit inside that; a count aggregated over a longer window, say ten minutes, needs a scheduled rule with a matching lookback period.

Exam trap

The trap here is that candidates often confuse NRT rules with scheduled query rules, assuming a scheduled rule can achieve the same low latency by setting a short interval, but scheduled rules still incur a processing delay and cannot match the continuous streaming evaluation of NRT rules.

How to eliminate wrong answers

Option B (Scheduled query rule) is wrong because it runs on a predefined schedule (e.g., every 5 or 15 minutes), which introduces latency that could miss the tight time window required for detecting rapid multi-domain contacts. Option C (Anomaly rule) is wrong because it uses machine learning to baseline normal behavior and flag statistical outliers, not to match a specific pattern of a single host contacting multiple known suspicious domains. Option D (Microsoft security rule) is wrong because it ingests alerts from other Microsoft security products (e.g., Microsoft Defender for Endpoint) and does not allow custom detection logic based on raw event sequences like DNS queries.

276
MCQhard

Refer to the exhibit. You run the KQL query in Microsoft Sentinel to identify analysts with high incident assignments. The query returns no results, but you know incidents exist. What is the most likely reason?

A.The summarize operator is incorrectly used
B.The SecurityIncident table does not exist
C.The query period is too short to capture incidents
D.Incidents are not assigned to any owner, so the Owner field is null
AnswerD

Unassigned incidents carry null owner fields, which the query has nothing to count against.

Why this answer

Option D is correct because an incident with no assignee has null fields (assignedTo, userPrincipalName, email, objectId) inside its dynamic Owner column. A query that filters to assigned owners before summarizing, or that matches the owner field against a list of analysts, finds nothing to count when every incident is unassigned, so it returns no results even though incidents exist.

Exam trap

Microsoft often tests the data-quality angle: the table and the syntax are fine, but the field the query keys on is empty. Note that summarize itself does not drop null keys; it groups them into a single empty bucket. A bare summarize count() by tostring(Owner.assignedTo) would therefore show that bucket, and an empty result implies the query filtered unassigned incidents out earlier in the pipeline.

How to eliminate wrong answers

Option A is wrong because the summarize operator is used correctly to group by owner; the problem is the data, not the syntax. Option B is wrong because SecurityIncident is a standard Sentinel table and exists in the workspace. Option C is wrong because nothing in the scenario says the time range is too short, and the analyst knows incidents exist within it; the missing owner assignment is the stated condition.
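The query behind questions 270 and 276 (active high-severity incidents per analyst over seven days), written as an added example that is not part of this question bank. It assumes Sentinel is enabled on the workspace (otherwise SecurityIncident does not exist) and that analysts are identified by UPN; it reduces the table to the latest row per incident and labels unassigned incidents instead of silently dropping them.

```kql
// Added example, not from the question bank.
// Assumptions: Sentinel is enabled on the workspace; owners are identified by UPN.
SecurityIncident
| where TimeGenerated > ago(30d)
// One row is written per incident update, so reduce to the latest state of each incident
| summarize arg_max(TimeGenerated, *) by IncidentNumber
| where CreatedTime > ago(7d)
| where Severity == "High" and Status == "Active"
// Owner is a dynamic object whose fields are null when nobody is assigned.
// Label that case rather than filtering it away, so unassigned work stays visible.
| extend OwnerUpn = tostring(Owner.userPrincipalName)
| extend OwnerUpn = iff(isempty(OwnerUpn), "<unassigned>", OwnerUpn)
| summarize ActiveHighIncidents = count(), Incidents = make_list(IncidentNumber) by OwnerUpn
| order by ActiveHighIncidents desc
```

Before trusting an empty result, run a bare query against SecurityIncident (for instance with take 1): a table that is absent from the workspace fails with a table-resolution error rather than returning nothing, which separates the question 270 case (no Sentinel tables) from the question 276 case (incidents present but unassigned).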

277
MCQhard

You are designing a Microsoft Sentinel deployment. You need to minimize ingestion costs while ensuring that all security-relevant events are collected. Which strategy should you use?

A.Use Analytic Logs for all data sources to ensure full query capabilities
B.Use Basic Logs for verbose data sources like Windows firewall logs, and Analytic Logs for high-value security logs
C.Set short retention periods for all logs and export to storage
D.Collect only logs from Microsoft 365 Defender and ignore other sources
AnswerB

Basic Logs are low-cost and suitable for high-volume logs that are rarely queried.

Why this answer

Option B is correct because Basic Logs cost far less to ingest and suit high-volume, low-value sources that are rarely queried, while Analytics Logs keep full KQL and feed scheduled analytics rules for the high-value security data. Caveat: tables in the Basic Logs tier cannot be used by scheduled or NRT analytics rules and support only a restricted query set with per-query charges, so anything you intend to alert on must stay in the Analytics tier. Option A is wrong because ingesting every verbose source at the Analytics tier pays the full price for data you rarely query. Option C is wrong because short retention with export to storage reduces retention cost, not ingestion cost, and exported data is no longer searchable by the rule engine.

Option D is wrong because dropping every non-Microsoft source leaves security-relevant events uncollected, which the requirement forbids.

278
Multi-Selecteasy

Which TWO Microsoft 365 security solutions include capabilities for managing security incidents?

Select 2 answers
A.Microsoft Intune
B.Microsoft Defender XDR
C.Microsoft Entra ID Protection
D.Microsoft Purview
E.Microsoft Sentinel
AnswersB, E

Defender XDR has an incident queue for managing correlated alerts.

Why this answer

Correct options are B and E. Microsoft Sentinel is the SIEM and manages incidents end to end; Microsoft Defender XDR has its own incident queue of correlated alerts. Option A is wrong because Intune is endpoint management.

Option D is wrong because Purview covers data governance and compliance. Option C is wrong because Entra ID Protection raises identity risk detections and risky-user state but has no incident management of its own; its detections surface as incidents in Defender XDR or Sentinel.

279
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to configure a solution that automatically escalates incidents that have been in 'New' status for more than 4 hours. The escalation should change the status to 'Active' and assign the incident to a senior analyst. What should you do?

A.Create an automation rule that triggers when an incident is created, with a condition 'Time since created > 4 hours' and actions to set status and owner.
B.Modify the analytics rule to update the incident after 4 hours.
C.Configure Microsoft Defender XDR to escalate incidents older than 4 hours.
D.Create a playbook that runs every hour and updates incidents.
AnswerA

Correct: Automation rules can have time-based conditions.

Why this answer

Option A is correct because an automation rule can carry a condition on the incident's age, here 'created more than 4 hours ago', with actions that change the status and assign the owner. Option D is wrong because playbooks are triggered by automation rules (or run manually), not on a standalone hourly schedule against incidents. Option B is wrong because analytics rules create alerts and incidents; they do not act on existing incidents.

Option C is wrong because Microsoft Defender XDR does not manage Sentinel incidents.

280
MCQeasy

Your organization uses Microsoft Sentinel. An analyst reports that a scheduled analytics rule is not firing. You verify that the rule is enabled and the query returns results when run manually. What is the most likely cause?

A.The alert threshold is set too high
B.The data connector is disconnected
C.The workspace is in a different region
D.The query uses unsupported KQL functions
AnswerA

The rule may require more results than currently exist.

Why this answer

If the query returns results when run manually but the rule does not fire, the likeliest cause among the options is the alert threshold: the rule needs more matching rows than the data provides. Option A is correct. Two related checks are worth making: the manual run uses the Logs time picker, which usually spans a wider window than the rule's lookback period, so a result set that exists over 24 hours can be empty over the rule's 5 minutes; and a suppression setting or the rule's incident-creation toggle can hide alerts that did trigger. Option B would stop the manual run from returning results too.

Option C would affect every rule in the workspace, not one. Option D is unrelated, since a query that runs manually is already using functions the engine accepts.

281
MCQmedium

You are the security analyst for a company that uses Microsoft Sentinel. You notice that a critical analytics rule has not generated any incidents in the past week, but you know that relevant logs are being ingested. You need to troubleshoot why the rule is not firing. What is the first step you should take?

A.Check the incident creation rule configuration.
B.Verify that the log sources are connected and sending data to the workspace.
C.Disable and re-enable the analytics rule.
D.Run the analytics rule's query directly in Log Analytics to see if it returns results.
AnswerD

Running the query helps identify if the rule logic is correct.

Why this answer

Option D is correct because the first step in troubleshooting a Sentinel analytics rule that is not generating incidents despite relevant logs being ingested is to run the rule's query directly in Log Analytics. This isolates whether the issue is with the query logic itself (e.g., syntax errors, time range misconfiguration, or data not matching the KQL conditions) rather than with data ingestion or rule settings. If the query returns results in Log Analytics, the problem lies elsewhere; if it returns no results, the query needs adjustment.

Exam trap

The trap here is that candidates often jump to checking data ingestion (Option B) even when the question states logs are being ingested, or they assume a rule reset (Option C) will fix a logic problem, missing the fundamental step of validating the query itself.

How to eliminate wrong answers

Option A is wrong because 'incident creation rule' is not a separate object in Microsoft Sentinel; the analytics rule's own incident settings (the toggle that creates incidents from its alerts, and alert grouping) decide that, and checking them comes after confirming the query returns data. Option B is wrong because the question explicitly states that relevant logs are being ingested, so verifying connectivity repeats known information and wastes time. Option C is wrong because disabling and re-enabling the rule is a blind reset that does not diagnose the root cause and may reset rule state without addressing the underlying query or scheduling issue.

282
MCQeasy

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. The security operations center (SOC) team frequently receives false positive alerts for a specific user login pattern from a legacy application. You need to reduce alert fatigue without disabling the underlying detection rule. What should you configure?

A.Use Microsoft Sentinel bookmarks to mark the alerts as false positives.
B.Configure an automated investigation and remediation rule in Microsoft Defender XDR to suppress alerts matching the legacy application pattern.
C.Create a watchlist in Microsoft Sentinel containing the legacy application's user accounts and use it in the rule.
D.Modify the analytics rule in Microsoft Sentinel to exclude the legacy application IP range.
AnswerB

Automated investigation rules can suppress false positives based on conditions.

Why this answer

Option B is correct because Microsoft Defender XDR lets you define a rule that suppresses alerts matching a stated condition, such as the legacy application's sign-in pattern, without turning off the detection itself. Option D is wrong because modifying the Sentinel analytics rule would change the detection for everyone, not just the legacy application's pattern. Option C is wrong because a Sentinel watchlist is reference data for correlation and enrichment, not a suppression mechanism.

Option A is wrong because bookmarks preserve evidence during hunting; they do not suppress alerts.

283
MCQmedium

A SOC team ingests Microsoft 365 Defender advanced hunting data into Microsoft Sentinel. They want to create a scheduled analytics rule that detects when a user receives more than 5 emails from an external sender containing a specific attachment name within 1 hour. Which KQL tables and approach should the analyst use?

A.EmailEvents and EmailAttachmentInfo; summarize count() by AccountUpn, AttachmentFileName, bin(Timestamp,1h)
B.EmailEvents and EmailUrlInfo; summarize count() by SenderObjectId
C.EmailEvents only; filter by AttachmentFileName
D.EmailPostDeliveryEvents; summarize count() by RecipientEmailAddress
AnswerA

EmailEvents provides email metadata like sender and recipient; EmailAttachmentInfo provides the file name. Joining these and counting by recipient and filename with a 1-hour bin is the correct approach.

Why this answer

Option A is correct because the detection requires joining EmailEvents (sender and recipient metadata) with EmailAttachmentInfo (attachment file names) to filter by external senders and a specific attachment name, then using summarize count() with bin(Timestamp,1h) to group events into 1-hour windows and find recipients receiving more than 5 such emails. This maps directly to the requirement: external sender, attachment name, recipient identity and time-based aggregation. Caveat on names: in the live schema the columns are EmailAttachmentInfo.FileName and EmailEvents.RecipientEmailAddress, the join key is NetworkMessageId, and 'external' is EmailDirection == "Inbound"; the option's AttachmentFileName and AccountUpn are paraphrases rather than real column names.

Exam trap

The trap here is that candidates often assume EmailEvents contains all email data including attachments, but attachment details are stored in a separate table (EmailAttachmentInfo) and require a join to access the file name.

How to eliminate wrong answers

Option B is wrong because EmailUrlInfo contains URL data, not attachment names, and summarizing by SenderObjectId does not capture the recipient user or attachment name. Option C is wrong because EmailEvents alone does not include attachment file names; that data resides in EmailAttachmentInfo, so filtering by AttachmentFileName on EmailEvents is invalid. Option D is wrong because EmailPostDeliveryEvents tracks post-delivery actions (like phishing report or delete), not the original email receipt or attachment metadata, and summarizing by RecipientEmailAddress ignores the attachment name and external sender filter.
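The detection described above, as an added example that is not part of this question bank, using the real column names (FileName, RecipientEmailAddress, NetworkMessageId) and an assumed attachment name and lookback:

```kql
// Added example, not from the question bank.
// Assumptions: the attachment of interest is named invoice.pdf and the query runs over
// the last day; in a scheduled rule the lookback period replaces the ago(1d) filters.
let threshold = 5;
let watchedFileName = "invoice.pdf";
EmailEvents
| where Timestamp > ago(1d)
| where EmailDirection == "Inbound"        // external sender to an internal recipient
| where DeliveryAction == "Delivered"      // ignore mail that was junked or blocked
| project NetworkMessageId, RecipientEmailAddress, SenderFromAddress, Timestamp
| join kind=inner (
    EmailAttachmentInfo
    | where Timestamp > ago(1d)
    | where FileName =~ watchedFileName    // case-insensitive match on the file name
    | project NetworkMessageId, RecipientEmailAddress, FileName
  ) on NetworkMessageId, RecipientEmailAddress
// One bucket per recipient, file name and hour; keep the senders for triage
| summarize EmailCount = count(), Senders = make_set(SenderFromAddress, 20)
    by RecipientEmailAddress, FileName, bin(Timestamp, 1h)
| where EmailCount > threshold
```

The join on both NetworkMessageId and RecipientEmailAddress matters: one message can have several recipients, and matching on the message ID alone would attribute every recipient's copy to each of them.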

284
MCQmedium

You are investigating an incident in Microsoft Sentinel where a PowerShell script was executed on multiple servers with suspicious parameters. The incident is high severity. You need to determine if the script is malicious and if lateral movement occurred. What should you do?

A.Use Microsoft Defender for Endpoint live response to collect forensic data
B.Restart the affected servers to stop the script
C.Review the incident timeline in Microsoft Sentinel
D.Run a custom KQL hunting query to find similar script executions on other machines
AnswerD

Hunting queries can identify lateral movement patterns.

Why this answer

Option D is correct because a hunting query searches for related activity across time, devices and accounts, which is what reveals lateral movement. Option B is wrong because restarting the servers destroys volatile evidence and does not answer either question. Option C is wrong because the incident timeline shows the events already attached to this incident; it does not search other machines for the same script.

Option A is wrong in this context because live response collects evidence from one device at a time and does not answer the cross-machine question; it is a reasonable follow-up once the affected hosts are known.

285
Multi-Selecteasy

Which TWO are valid incident classification categories in Microsoft Sentinel?

Select 2 answers
A.Benign positive
B.Unknown
C.True positive
D.Informational
E.False positive
AnswersC, E

True positive and False positive are the classification values the key expects.

Why this answer

Options C and E are correct. 'True positive' and 'False positive' are the canonical classification pair. Option D is wrong because 'Informational' is an alert severity, not a classification. Option A ('Benign positive') is in fact one of Sentinel's four classifications when closing an incident (True positive, Benign positive, False positive, Undetermined); the key treats only True positive and False positive as the expected pair, so do not choose it here.

Option B is wrong because 'Unknown' is not a classification value; the Sentinel equivalent is 'Undetermined'.

286
MCQeasy

A threat hunter is investigating a potential data exfiltration via DNS tunneling. Which Microsoft Defender XDR advanced hunting table should the analyst primarily use to examine DNS queries from endpoints?

A.DeviceNetworkEvents
B.IdentityLogonEvents
C.AlertInfo
D.EmailEvents
AnswerA

This table includes DNS query events from devices.

Why this answer

Option A is correct because DeviceNetworkEvents holds the network activity recorded on endpoints, including the DNS lookups that tunneling abuses. Option B is wrong because IdentityLogonEvents is for authentication events. Option D is wrong because EmailEvents is for email-related events.

Option C is wrong because AlertInfo provides alert metadata, not raw DNS queries.

287
MCQmedium

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that generates an incident for users with more than 5 failed sign-in attempts (error code 50057 indicates user account is disabled) from a single IP in the last hour. After enabling the rule, you receive too many incidents from a service account that legitimately fails frequently. How should you modify the query to reduce false positives?

A.Change the error code to 50126
B.Add a filter to exclude the service account: and UserPrincipalName !="svc-account@domain.com"
C.Remove the IPAddress from the summarize clause and group only by UserPrincipalName
D.Increase the Threshold to 10
AnswerB

Excluding the known noisy account eliminates false positives while preserving detection for others.

Why this answer

Option B is correct because excluding the service account from the query stops incidents from that account while leaving detection intact for everyone else. Option D is wrong because raising the threshold may miss real attacks against other accounts. Option A is wrong because error code 50057 specifically means the account is disabled; changing it to 50126 (invalid username or password) would alter the detection logic rather than remove the noise.

Option C is wrong because grouping by user alone does not exclude the service account; it only changes how the attempts are counted. Practitioner note: hard-coding a UPN in the rule works for one account but does not scale; keeping the exclusions in a watchlist and filtering with '_GetWatchlist()' lets the SOC maintain the list without editing the rule.
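The rules discussed in questions 274 and 287 combined into one query, as an added example that is not part of this question bank: failed sign-ins from IP addresses held in an uploaded custom table, with the noisy service accounts excluded through a watchlist rather than a hard-coded UPN. The custom table MaliciousIPs_CL with a string column IPAddress, and the watchlist ServiceAccounts whose SearchKey is the account UPN, are both assumed; legacy custom-log ingestion would name the column IPAddress_s instead.

```kql
// Added example, not from the question bank.
// Assumptions (hypothetical objects): custom table MaliciousIPs_CL with a column IPAddress,
// and a watchlist named ServiceAccounts whose SearchKey holds the account UPN.
let lookback = 1h;
let threshold = 5;
let maliciousIps = MaliciousIPs_CL
    | summarize by IPAddress;              // dedupe rows left by repeated weekly uploads
let excludedAccounts = _GetWatchlist("ServiceAccounts")
    | project UserPrincipalName = tostring(SearchKey);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"                  // "0" is a successful sign-in; anything else failed
| where IPAddress in (maliciousIps)        // only addresses on the uploaded list
| where UserPrincipalName !in~ (excludedAccounts)
| summarize FailedAttempts = count(),
            ResultCodes = make_set(ResultType),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by UserPrincipalName, IPAddress
| where FailedAttempts > threshold
```

Using the tabular 'in' and '!in~' operators keeps the reference data out of the rule text, so the IP list and the exclusions can both be refreshed without touching the analytics rule; ResultCodes is kept in the output so the analyst can see at a glance whether the failures are bad passwords (50126) or a disabled account (50057).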

288
MCQmedium

You are a threat hunter for an organization that uses Microsoft Defender XDR. You suspect that an attacker may be using PowerShell to perform reconnaissance on domain controllers. You need to write an advanced hunting query in Microsoft Defender XDR that returns PowerShell commands executed on domain controllers in the last 7 days that contain cmdlets related to Active Directory reconnaissance, such as Get-ADUser or Get-ADGroupMember. The query should also include the device name, account name, and command line. Which query should you use?

A.DeviceProcessEvents | where Timestamp > ago(7d) | where ProcessCommandLine has_any ("Get-ADUser","Get-ADGroupMember") | project DeviceName, AccountName, ProcessCommandLine
B.DeviceProcessEvents | where Timestamp > ago(7d) | where DeviceName contains "DC" | where ProcessCommandLine has_any ("Get-ADUser","Get-ADGroupMember","Get-ADComputer") | project DeviceName, AccountName, ProcessCommandLine
C.DeviceProcessEvents | where Timestamp > ago(7d) | where DeviceName contains "DC" | project DeviceName, AccountName, ProcessCommandLine
D.DeviceNetworkEvents | where Timestamp > ago(7d) | where DeviceName contains "DC" | project DeviceName, AccountName, RemoteIP
AnswerB

Correctly filters domain controllers and AD reconnaissance cmdlets.

Why this answer

Option B correctly scopes to domain controllers by DeviceName, matches ProcessCommandLine against the AD reconnaissance cmdlets with has_any, and projects the required fields. Option A misses the domain controller filter. Option D uses the wrong table; DeviceNetworkEvents has no command lines.

Option C does not filter for AD cmdlets. Practitioner note: 'contains "DC"' is a substring match and will also return hosts such as ABCDCORP01; in production, scope to an explicit list of domain controller names (a watchlist or a let-bound list) rather than a naming heuristic.

289
MCQhard

Your organization has deployed Microsoft Sentinel in multiple regions. You need to ensure that incidents created in one workspace are available for correlation in a central workspace. What should you implement?

A.Cross-workspace queries in KQL
B.Sentinel workspace manager (incident replication)
C.Automated export of incidents to central workspace using Logic Apps
D.Azure Lighthouse
AnswerB

Replicates incidents to a central workspace.

Why this answer

Sentinel Workspace Manager (incident replication) is the correct choice because it provides native, built-in replication of incidents from multiple workspaces to a central workspace without requiring custom code or external automation. This feature ensures that incidents created in regional workspaces are automatically synchronized to a designated central workspace, enabling unified correlation and investigation across regions.

Exam trap

The trap here is that candidates often confuse cross-workspace queries (which allow querying data across workspaces but do not replicate incidents) with the native incident replication feature, leading them to select Option A instead of the correct Workspace Manager solution.

How to eliminate wrong answers

Option A is wrong because cross-workspace queries in KQL allow querying data across multiple workspaces but do not replicate incidents; they require manual querying and do not provide automatic incident synchronization. Option C is wrong because automated export using Logic Apps is a custom, complex solution that introduces latency and maintenance overhead, whereas Sentinel Workspace Manager provides a native, low-latency replication mechanism without additional components. Option D is wrong because Azure Lighthouse enables cross-tenant management and visibility but does not replicate incidents between workspaces; it allows administrators to manage multiple workspaces from a single pane but does not synchronize incident data.

290
Multi-Selectmedium

Which TWO actions are valid for containing a compromised user account in Microsoft 365 Defender? (Choose two.)

Select 2 answers
A.Disable the user account in Microsoft Entra ID.
B.Block the user's IP address in Defender for Cloud Apps.
C.Reset the user's password.
D.Revoke the user's session tokens.
E.Delete the user's mailbox in Exchange Online.
AnswersA, C

Disabling the account prevents any sign-in.

Why this answer

Options A and C are correct. Disabling the account blocks any further sign-in; resetting the password invalidates the stolen credential.

Option E is wrong because deleting the mailbox is destructive, destroys evidence and is not containment. Option B is wrong because blocking an IP address in Defender for Cloud Apps can affect other users and the attacker simply moves to another address. Option D is wrong, according to the key, because revoking session tokens alone does not stop new sign-ins with still-valid credentials; in practice you do all three together (disable, reset, revoke), since a reset or disable on its own leaves already-issued tokens usable until they expire.

291
MCQhard

You are configuring Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 100 files in 10 minutes from SharePoint. Which policy type should you use?

A.Anomaly detection policy
B.Activity policy
C.File policy
D.Cloud discovery policy
AnswerB

Activity policies allow custom conditions like number of downloads in a time window.

Why this answer

Option B is correct because activity policies in Microsoft Defender for Cloud Apps let you define conditions on a single activity or on repeated activity, including a count of matching activities by the same user within a time window (here more than 100 file downloads in 10 minutes, filtered to SharePoint). Option A is wrong because anomaly detection policies are prebuilt, machine-learning based detections (mass download is one of them) whose thresholds are learned from baseline behavior, not set to an exact count. Option C is wrong because file policies inspect file content, sensitivity labels and sharing permissions.

Option D is wrong because cloud discovery policies act on discovered (shadow IT) app usage derived from traffic logs.

292
MCQeasy

Your SOC team uses Microsoft Sentinel incident management. You need to ensure that when an incident is created, it automatically runs a playbook to gather additional context from threat intelligence sources. What should you create?

A.Workbook that queries threat intelligence.
B.Watchlist that maps to the incident.
C.Automation rule with a trigger on incident creation.
D.Analytics rule that generates an alert.
AnswerC

Automation rules run playbooks on incident creation.

Why this answer

Option C is correct because Microsoft Sentinel automation rules can be configured with a trigger on incident creation to automatically run a playbook. This allows the SOC team to gather additional context from threat intelligence sources without manual intervention, directly addressing the requirement to execute a playbook when an incident is created.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, thinking that analytics rules can directly trigger playbooks on incident creation, when in fact automation rules are the dedicated mechanism for incident-triggered playbook execution.

How to eliminate wrong answers

Option A is wrong because a Workbook in Microsoft Sentinel is a visualization and reporting tool that queries data for analysis, not an automated action that runs a playbook upon incident creation. Option B is wrong because a Watchlist is a static reference data source used for correlation and enrichment within analytics rules or queries, not a mechanism to trigger playbooks automatically. Option D is wrong because an Analytics rule generates alerts based on detection logic, but it does not directly trigger a playbook on incident creation; playbook execution on incident creation requires an automation rule, not the analytics rule itself.

293
MCQmedium

Your security team uses Microsoft Sentinel automation rules to respond to incidents. You need to ensure that critical incidents are automatically assigned to a senior analyst in the Americas time zone and that a Teams message is sent to a specific channel. Which configuration should you use?

A.Use a watchlist to map critical incidents to senior analysts and trigger an email
B.Configure the analytics rule to set the incident owner and add a playbook action
C.Create a custom connector in Power Automate to monitor Sentinel incidents
D.Create a playbook that assigns the incident and sends a Teams message, then attach it to an automation rule
AnswerD

Automation rules run playbooks that can assign incidents and send Teams messages.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can trigger a playbook when an incident is created or updated. By creating a playbook that assigns the incident to a specific senior analyst (using Microsoft Entra ID or a watchlist for mapping) and sends a Teams message via the Teams connector, then attaching that playbook to an automation rule with conditions for critical severity, you meet both requirements. This approach leverages native Sentinel automation without custom connectors or manual email triggers.

Exam trap

The trap here is that candidates often confuse the capabilities of analytics rules versus automation rules, thinking that analytics rules can directly execute playbooks or set owners, when in fact automation rules are the correct mechanism for triggering playbooks and modifying incident properties after creation.

How to eliminate wrong answers

Option A is wrong because a watchlist alone cannot trigger actions; it is a static data source, and the email action would require a playbook or automation rule, not just a watchlist. Option B is wrong because analytics rules can set the incident owner via the 'Alert Details' configuration, but they cannot directly add a playbook action; playbooks are attached via automation rules, not analytics rules. Option C is wrong because creating a custom connector in Power Automate is unnecessary and overly complex; Sentinel already provides native connectors for Teams and incident management through automation rules and playbooks.

294
MCQeasy

Your SOC uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You need to configure a policy that triggers when a user downloads a large number of files from SharePoint Online within a short period. Which policy type should you use?

A.Session policy
B.File policy
C.Anomaly detection policy
D.Activity policy
AnswerD

Activity policies allow custom detection of specific activities like mass downloads.

Why this answer

An activity policy in Microsoft Defender for Cloud Apps is designed to monitor and respond to specific user activities, such as downloading a large number of files from SharePoint Online within a short period. This policy type allows you to set thresholds and triggers based on user actions, making it the correct choice for detecting anomalous download behavior.

Exam trap

The trap here is that candidates often confuse anomaly detection policies (which are predefined and use machine learning) with activity policies (which are customizable and rule-based), leading them to select anomaly detection when a custom threshold-based trigger is required.

How to eliminate wrong answers

Option A is wrong because session policies are used for real-time monitoring and control of user sessions, such as blocking downloads during a session, but they do not trigger based on historical activity thresholds like a large number of downloads over time. Option B is wrong because file policies focus on detecting specific file types, content, or metadata (e.g., sensitive data in files), not on the volume or frequency of file downloads. Option C is wrong because anomaly detection policies in Defender for Cloud Apps use machine learning to detect unusual patterns across users, but they are predefined and cannot be customized to trigger specifically on a high volume of downloads from SharePoint Online within a short period.

295
MCQhard

Your company uses Microsoft Sentinel as its SIEM and has enabled User and Entity Behavior Analytics (UEBA) to detect insider threats. The UEBA timeline for a user shows several high-risk events, including unusual data exfiltration to an external site and multiple failed logons from a new geographic location. You are asked to create a custom analytics rule that generates an incident when a user exhibits both high-risk behaviors within a 24-hour period. You have the necessary KQL skills. However, when you test the rule, it does not generate any incidents even though the behavior exists. You have confirmed that the UEBA tables (BehaviorAnalytics, IdentityInfo) are populated and that the rule is enabled with a frequency of 1 hour. What is the most likely reason the rule is not firing?

A.The analytics rule is not enabled for the correct workspace.
B.The KQL query is referencing the wrong tables.
C.The UEBA data has not yet been fully processed and may take up to 24 hours to appear in the tables.
D.The rule's frequency is too long; it should be set to 5 minutes.
AnswerC

UEBA data can have a processing delay, causing the rule to not find matching events.

Why this answer

Option C is correct because UEBA data may not be immediately available for querying; there can be a delay (up to 24 hours) before behavior data is fully processed and available in the tables. Option A is wrong because the rule is enabled and the tables are populated. Option B is wrong because the rule is using the correct tables. Option D is wrong because the rule is already set to run every hour; a shorter frequency would not help if the data has not yet been processed.

296
MCQeasy

A SOC analyst receives a phishing alert in Microsoft Defender for Office 365. The analyst needs to quickly determine if any users clicked the malicious link. Which action should the analyst take first?

A.Use Threat Explorer to search for the email subject
B.Open the user entity page for each recipient
C.Open the email entity page to view click details
D.Run a hunting query in Microsoft Sentinel
AnswerC

The email entity page shows whether recipients clicked the link.

Why this answer

Option C is correct because the email entity page in Defender for Office 365 shows click verdicts for each recipient. Option A is wrong because Threat Explorer is useful but slower than opening the email entity page directly. Option B is wrong because the user entity page does not show email-specific actions. Option D is wrong because a hunting query is manual and slower.

297
MCQeasy

You are investigating a brute force attack on a user account in Microsoft Entra ID. The sign-in logs show multiple failed attempts from different IP addresses. Which property in the sign-in logs indicates the type of authentication used?

A.riskEventTypes
B.conditionalAccessStatus
C.clientAppUsed
D.authenticationRequirement
AnswerD

authenticationRequirement shows the strength of authentication, such as MFA.

Why this answer

Option D is correct because authenticationRequirement indicates the type of authentication required (e.g., multi-factor authentication). Option A is wrong because riskEventTypes is for risk detection. Option B is wrong because conditionalAccessStatus is for policy evaluation. Option C is wrong because clientAppUsed indicates the client application, not the authentication type.

298
MCQhard

Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint detection. A critical incident has been generated: 'Possible ransomware activity detected on multiple endpoints.' The incident includes alerts from Microsoft Defender for Endpoint (MDE) about file encryption behaviors and from Microsoft Defender for Identity (MDI) about anomalous service account logins. You have been assigned the incident and need to contain the threat effectively. You have Microsoft Sentinel automation rules that can trigger playbooks, and you have Microsoft Defender XDR actions available. The environment includes 500 Windows 10 devices managed by Microsoft Intune, and 50 servers on-premises. Some servers are domain controllers. Which of the following is the BEST first course of action?

A.Disable all compromised service accounts in Microsoft Entra ID and reset their passwords.
B.Reset passwords for all domain administrator accounts and enforce MFA.
C.Trigger a Microsoft Sentinel playbook to collect forensic evidence from affected endpoints before remediation.
D.Isolate the affected devices using Microsoft Defender for Endpoint device isolation.
AnswerD

Isolation stops the ransomware from spreading and encrypting more files.

Why this answer

Option D is correct: isolating the affected devices in MDE immediately stops the ransomware from spreading while preserving forensic data on the devices. Option A is wrong because disabling service accounts alone does not stop the encryption already in progress. Option B is wrong because resetting passwords for domain administrator accounts is time-consuming and does not halt active encryption. Option C is wrong because running a playbook that collects data is investigative, not urgent containment.

299
MCQhard

A SOC analyst is configuring a multi-region deployment of Microsoft Sentinel. The requirement is to ingest security logs from Azure resources located in three different Azure regions. The analyst needs to create the workspace in one region and then use cross-workspace queries to view data from all regions. What is the correct sequence of steps?

A.Step 1: Create Log Analytics workspaces in each region. Step 2: Enable Sentinel on each workspace. Step 3: Connect data sources. Step 4: Configure cross-workspace queries.
B.Step 1: Enable Sentinel in one region. Step 2: Create workspaces in other regions. Step 3: Connect data sources. Step 4: Configure cross-workspace queries.
C.Step 1: Connect data sources. Step 2: Create workspaces. Step 3: Enable Sentinel. Step 4: Configure cross-workspace queries.
D.Step 1: Create a central workspace. Step 2: Enable Sentinel on it. Step 3: Connect data sources from all regions to the central workspace. Step 4: Configure cross-workspace queries.
AnswerA

This sequence ensures all prerequisites are met before configuring cross-workspace queries.

Why this answer

Option A is correct because to use cross-workspace queries in Microsoft Sentinel, you must first create a Log Analytics workspace in each region, enable Sentinel on each workspace, connect the data sources to their respective regional workspaces, and then configure cross-workspace queries to unify the data. This sequence ensures that each region's logs are ingested locally, which is required for cross-workspace queries to reference them via the `workspace()` expression.

Exam trap

The trap here is that candidates often assume a single central workspace can ingest logs from all regions, but the question explicitly requires using cross-workspace queries, which necessitates separate workspaces per region.

How to eliminate wrong answers

Option B is wrong because you cannot enable Sentinel on a workspace that does not yet exist; the workspace must be created first before Sentinel can be enabled on it. Option C is wrong because data sources cannot be connected before the workspaces are created and Sentinel is enabled, as the data connectors depend on the workspace and Sentinel being provisioned. Option D is wrong because connecting all data sources from multiple regions to a single central workspace violates the requirement to ingest logs from each region into their own regional workspace, and cross-workspace queries are used to query across separate workspaces, not within a single workspace.

300
Multi-Selectmedium

Which TWO of the following are valid sources for creating incidents in Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Hunting query results
B.Microsoft 365 Defender alerts
C.Analytics rule triggering
D.Workbook creation
E.Playbook execution
AnswersB, C

Alerts from Defender can create incidents via connector.

Why this answer

The correct answers are B and C. Incidents can be created when an analytics rule triggers or from Microsoft 365 Defender alerts ingested through the connector. Option A is wrong because hunting queries do not create incidents automatically. Option D is wrong because workbooks are for visualization. Option E is wrong because playbooks are for response, not incident creation.
