Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 376–450

1639 questions total · 22 pages · All types, answers revealed

Page 6 of 22
376
MCQ · hard

A threat hunter is using Microsoft Sentinel to hunt for a potential advanced persistent threat (APT) that is using living-off-the-land binaries (LOLBins). The hunter creates a KQL query that lists all instances of certutil.exe making network connections. The query returns many legitimate results. What is the best way to reduce false positives while still detecting malicious use?

A. Replace the query with a Sysmon Event ID 3 (network connect) filter for certutil.exe
B. Remove certutil.exe from the hunting query and focus on other binaries
C. Expand the query to include all LOLBins that make network connections
D. Add additional filters to the query to detect only certutil.exe processes with suspicious command-line arguments (e.g., '-urlcache' or '-split')
Answer: D

Focusing on suspicious arguments reduces false positives because legitimate use typically does not involve these flags.

Why this answer

Option D (add conditions for unusual command-line arguments) is correct because malicious use of LOLBins often involves specific arguments (e.g., -urlcache, -split). Option B (ignore certutil.exe) would miss threats. Option A (switch to Sysmon) adds overhead but does not reduce false positives on its own.

Option C (expand to all LOLBins) increases noise.

377
MCQ · easy

You are a security analyst at a company that uses Microsoft Sentinel. You need to ensure that only users with a specific tag in Microsoft Entra ID can access the Sentinel workspace. Which Azure feature should you use?

A. Assign Azure RBAC roles with a condition on the tag.
B. Use Microsoft Entra Privileged Identity Management (PIM) to require approval for access.
C. Apply an Azure Policy to deny access if the user does not have the tag.
D. Configure a Conditional Access policy in Microsoft Entra ID.
Answer: D

Conditional Access can require users to have a specific tag to access the Azure portal.

Why this answer

Conditional Access policies in Microsoft Entra ID can enforce access controls based on user attributes, including tags. By configuring a Conditional Access policy that grants access to Microsoft Sentinel only if the user has a specific tag, you can restrict workspace access at the authentication layer before any Azure RBAC evaluation occurs. This is the correct approach because Conditional Access operates at the identity level, directly controlling which users can authenticate to the Sentinel workspace.

Exam trap

The trap here is that candidates often confuse Azure RBAC with Conditional Access, assuming that RBAC conditions on tags can control initial access, when in fact RBAC only controls authorization after authentication, whereas Conditional Access controls authentication itself.

How to eliminate wrong answers

Option A is wrong because Azure RBAC roles with conditions on tags apply to Azure resources after authentication, but they cannot prevent a user from authenticating to the Sentinel workspace; they only control actions post-authentication. Option B is wrong because Privileged Identity Management (PIM) manages just-in-time elevation and approval for privileged roles, not attribute-based access restrictions like tags. Option C is wrong because Azure Policy enforces compliance on Azure resource configurations (e.g., ensuring resources have tags), not on user identity attributes or authentication-level access to a workspace.

378
Multi-Select · hard

Your organization uses Microsoft Sentinel. A new analytics rule is needed to detect brute-force attacks against your Azure SQL databases. The rule should minimize false positives and trigger only when multiple failed logins occur from a single IP address within a short time window. Which THREE components are essential for building this rule?

Select 3 answers
A. An alert threshold set to trigger when the count exceeds 10 failed attempts in 5 minutes.
B. A reference to the SQLInsights table for performance data.
C. A summarize operator in KQL to count failed login attempts per IP address within a time bin.
D. A KQL query against the AzureDiagnostics table filtering for failed login events.
E. A watchlist containing known malicious IP addresses.
Answers: A, C, D

Threshold reduces false positives.

Why this answer

Options A, C, and D are correct. The rule must query AzureDiagnostics (D) to get the SQL logs, use summarize with count and a time bin (C) to aggregate failures per IP address, and set an alert threshold (A) to trigger only on multiple failures. Option B is wrong because SQLInsights is not a log table.

Option E is wrong because watchlists are not essential for this detection.

379
Multi-Select · medium

Which TWO actions should a security analyst take when responding to a confirmed malware outbreak in Microsoft Defender for Endpoint?

Select 2 answers
A. Isolate the affected device
B. Run a full scan on the device
C. Create a custom detection rule for the malware
D. Delete the user account
E. Reset the user's password
Answers: A, B

Isolation stops the malware from spreading.

Why this answer

Options A and B are correct. Option A: isolating the affected device prevents lateral movement. Option B: running a full scan on the device helps ensure all malware components are detected.

Option C is wrong because a custom detection rule serves proactive detection, not immediate response. Option D is wrong because deleting the user account is too drastic and does not address the malware. Option E is wrong because resetting the user's password does not stop active malware.

380
MCQ · medium

Your organization uses Microsoft Sentinel with Microsoft Defender XDR integration. You have a scheduled analytics rule that detects failed logon attempts across multiple on-premises domain controllers. The rule is configured to run every 5 minutes and create an incident when more than 10 failed attempts occur from a single IP address within 5 minutes. Recently, the SOC team noticed that the rule is generating a high volume of low-fidelity incidents, mostly from legitimate users mistyping passwords. You need to reduce the number of false positive incidents while still detecting real brute-force attacks. What should you do?

A. Increase the query frequency to every 1 minute and reduce the threshold to 5.
B. Modify the query to require at least 20 failed attempts from a single IP and include a condition that the attempts are against multiple user accounts.
C. Disable the rule and create a new rule based on successful logons followed by failed attempts.
D. Decrease the threshold to 5 and add a condition to exclude known good IP addresses.
Answer: B

Higher threshold and multi-user condition reduce false positives from mistypes.

Why this answer

To reduce false positives, you can raise the threshold to require more failed attempts or add conditions such as failed attempts across multiple user accounts. Option B is correct because it raises the threshold to 20 and adds a multiple-user condition, which is a stronger indicator of a brute-force attack. Option A is wrong because increasing the frequency and lowering the threshold would generate more incidents, not fewer.

Option C is wrong because disabling the rule would stop detection entirely. Option D is wrong because decreasing the threshold would increase the number of incidents.

381
MCQ · easy

A security analyst in Microsoft Sentinel wants to create a scheduled analytics rule to detect repeated failed HTTP requests to an Azure Application Gateway, indicating a possible brute force attack. Which Azure Monitor table should the analyst query to capture the access and error logs from the Application Gateway?

A. AzureActivity
B. AzureDiagnostics
C. AzureMetrics
D. SecurityEvent
Answer: B

Correct: AzureDiagnostics contains diagnostic logs from Azure resources, including Application Gateway access and error logs.

Why this answer

AzureDiagnostics is the correct table because it stores resource-level logs for Azure services, including Application Gateway access and error logs. These logs contain detailed HTTP request data (e.g., client IP, URI, status code) necessary to detect repeated failed requests indicative of a brute force attack. Other tables like AzureActivity, AzureMetrics, or SecurityEvent do not capture this specific HTTP-level telemetry.

Exam trap

The trap here is that candidates confuse AzureActivity (control plane) with diagnostic logs (data plane), or assume AzureMetrics contains detailed HTTP error data when it only stores aggregated performance counters.

How to eliminate wrong answers

Option A is wrong because AzureActivity stores subscription-level control plane audit logs (e.g., resource creation, policy changes), not data plane HTTP access logs from Application Gateway. Option C is wrong because AzureMetrics only stores numerical performance counters (e.g., requests per second, latency) and lacks the detailed request/response fields needed to identify failed HTTP status codes. Option D is wrong because SecurityEvent collects Windows security events (e.g., logon attempts, process creation) from virtual machines, not HTTP traffic logs from a network gateway.

382
MCQ · hard

Your organization uses Microsoft Sentinel with a hybrid environment including on-premises servers and Azure VMs. You notice that some Windows events from on-premises servers are not being collected in Sentinel. Log Analytics agent is installed on all servers. Other events are collected. What should you check first?

A. Confirm that the workspace key is correctly deployed on the servers.
B. Verify that the Log Analytics agent is running and has network connectivity to Azure.
C. Ensure that the servers are listed in the Azure Arc management pane.
D. Check the Windows Event Log collection configuration in the Log Analytics workspace data collection rules.
Answer: D

Specific event IDs may be filtered out in the configuration.

Why this answer

Option D is correct because missing specific event IDs usually indicates a filtering issue in the data collection rules. Option B is incorrect because the agent is running and has connectivity if it already sends other events. Option C is incorrect for the same reason: other events arriving shows the servers are onboarded and reporting, so the Azure Arc listing would not explain why only specific events are missing.

Option A is incorrect because the workspace key is used for authentication; if it were wrong, no events would be collected at all.

383
Multi-Select · hard

Your organization uses Microsoft Sentinel and has configured analytics rules for detecting ransomware. You receive an alert indicating possible ransomware activity on a server. Which THREE actions should you take to contain and investigate the incident? (Choose three.)

Select 3 answers
A. Create a new analytics rule to detect similar behavior.
B. Initiate a live response session to collect forensic artifacts.
C. Review the incident timeline in Microsoft 365 Defender.
D. Reset the password of the account that showed anomalous behavior.
E. Isolate the server from the network using Microsoft Defender for Endpoint.
Answers: B, C, E

Live response allows collection of evidence for deeper analysis.

Why this answer

Options B, C, and E are correct. Isolating the server (E) prevents further spread. Reviewing the incident timeline (C) helps you understand the attack.

Running a live response session to collect artifacts (B) aids the investigation. Option D is wrong because resetting the password of a compromised account may not be effective if the attacker has local access. Option A is wrong because creating a new rule is for detection, not containment.

384
MCQ · medium

A cloud security administrator needs to ensure that all Azure virtual machines have the Microsoft Defender for Cloud agent (Log Analytics agent) installed automatically when they are provisioned. Which configuration should be set in Microsoft Defender for Cloud?

A. Enable auto-provisioning in the Defender for Cloud environment settings.
B. Deploy a custom Azure Policy to install the agent on all VMs.
C. Use an Azure Automation runbook to install the agent on newly created VMs.
D. Enable Azure Update Management on the VMs.
Answer: A

Correct. Auto-provisioning automatically deploys the Log Analytics agent to all supported VMs in the subscription, ensuring continuous coverage.

Why this answer

Option A is correct because Microsoft Defender for Cloud includes an auto-provisioning setting that, when enabled, automatically installs the Log Analytics agent (Microsoft Monitoring Agent) on all existing and newly provisioned Azure virtual machines. This setting is configured in the Defender for Cloud environment settings under 'Auto provisioning' and ensures seamless coverage without manual intervention or additional policy management.

Exam trap

The trap here is that candidates may overthink the solution and choose a custom Azure Policy or automation method, not realizing that Defender for Cloud's built-in auto-provisioning is the simplest and most direct configuration to meet the requirement.

How to eliminate wrong answers

Option B is wrong because deploying a custom Azure Policy to install the agent is unnecessary and less efficient; Defender for Cloud's built-in auto-provisioning already handles this automatically without requiring custom policy definitions. Option C is wrong because using an Azure Automation runbook to install the agent on newly created VMs is a manual, reactive approach that does not scale and lacks the native integration and monitoring capabilities of Defender for Cloud's auto-provisioning. Option D is wrong because enabling Azure Update Management on VMs is focused on patching and update compliance, not on installing the Log Analytics agent for security monitoring, and it does not fulfill the requirement for automatic agent installation at provisioning time.

385
MCQ · medium

Your incident response team receives an alert from Microsoft Sentinel for a user account that has been compromised. The alert indicates that the user's credentials were used from an unfamiliar location. What is the first action you should take?

A. Disable the user account in Microsoft Entra ID
B. Review the sign-in logs to confirm the alert
C. Reset the user's password
D. Notify the user and ask them to change their password
Answer: A

Disabling the account immediately stops the attacker's access.

Why this answer

Option A is correct because immediately disabling the compromised user account stops further unauthorized access. Option B is wrong because reviewing logs first delays containment. Option C is wrong because resetting the password after disabling the account is standard, but disabling first is critical.

Option D is wrong because notifying the user before containment could alert the attacker.

386
MCQ · medium

Your organization has a Microsoft Sentinel workspace that ingests data from Microsoft 365 Defender (Defender for Endpoint, Office 365, Identity, Cloud Apps). You have configured a scheduled analytics rule to detect possible privilege escalation based on user activity. The rule runs every 5 minutes and looks at the last 5 minutes of data. Recently, the rule has been generating a high number of false positives. You analyze the alerts and find that they are triggered by legitimate administrative actions. You need to reduce false positives without completely disabling the rule. The rule uses a KQL query that joins the IdentityLogonEvents and CloudAppEvents tables. What should you do?

A. Increase the rule's run frequency to every 30 minutes.
B. Reduce the query's lookback period to 1 minute.
C. Modify the KQL query to exclude events from a list of known administrative user accounts or IP addresses.
D. Add an incident suppression rule that closes incidents from known admin accounts.
Answer: C

Excluding known admins reduces false positives while retaining detection for others.

Why this answer

Option C is correct because tuning the KQL query to exclude known administrative accounts or actions is the best way to reduce false positives. Option A is wrong because changing the run frequency would not reduce false positives. Option B is wrong because reducing the lookback period may miss legitimate events.

Option D is wrong because suppression can cause missed detections for other users.

387
MCQ · medium

Your organization uses Microsoft Sentinel and has deployed the Microsoft Defender XDR connector. You notice that some incidents from Defender XDR are not being synchronized to Sentinel. You verify that the connector is enabled and healthy. You also check that the relevant Defender XDR alerts are being generated. What could be the cause of the missing incidents?

A. The Microsoft Defender XDR connector has a filter that only syncs incidents with severity High or Medium, and the missing incidents are Low severity.
B. The Microsoft Defender XDR connector is configured to group alerts by entity, which prevents individual incidents from being created.
C. The diagnostic settings in Microsoft Defender XDR are not configured to send incidents to Sentinel.
D. The data connector is set to ingestion mode 'Raw data' instead of 'Incidents'.
Answer: A

Connector filters can exclude low-severity incidents.

Why this answer

Incidents from Defender XDR are synchronized to Sentinel according to the connector's filtering settings. Option A is correct because the connector might be configured to sync only incidents of certain severities. Option B is wrong because alert grouping is not a connector setting.

Option C is wrong because diagnostic settings are for logs, not incidents. Option D is wrong because the data connector is for incidents, not raw data.

388
MCQ · hard

A threat hunter in Microsoft Sentinel writes a KQL query in the Logs blade to find possible data exfiltration. The query uses the CommonSecurityLog table to look for large outbound file transfers from a specific IP address. The analyst wants to include only events where the total bytes sent in a 5-minute window exceed 100 MB. Which KQL operator combination would best achieve this?

A. CommonSecurityLog | where SourceIp == '10.0.0.1' | summarize totalBytes = sum(BytesSent) by bin(TimeGenerated, 5m) | where totalBytes > 100000000
B. CommonSecurityLog | where SourceIp == '10.0.0.1' | extend bin = bin(TimeGenerated, 5m) | where BytesSent > 100000000
C. CommonSecurityLog | where SourceIp == '10.0.0.1' | summarize make_list(BytesSent) by TimeGenerated | where array_length(make_list) > 100000000
D. CommonSecurityLog | where SourceIp == '10.0.0.1' | project BytesSent, TimeGenerated | summarize sum(BytesSent) by bin(TimeGenerated, 5m) | where sum_BytesSent > 100000000
Answer: A

Correct. This groups events by 5-minute windows, sums bytes sent per window, and filters those windows exceeding 100 MB (100000000 bytes).

Why this answer

Option A is correct because it first filters the CommonSecurityLog table for the specific source IP, then uses `summarize` with `bin(TimeGenerated, 5m)` to aggregate total bytes sent in 5-minute windows, and finally filters for windows where the sum exceeds 100 MB (100,000,000 bytes). This correctly implements a time-windowed aggregation to detect large outbound transfers, which is the standard pattern for identifying data exfiltration over a period.

Exam trap

The trap here is that candidates often confuse filtering individual events (Option B) with aggregating over a time window (Option A), or they misuse list functions (Option C) instead of sum aggregation, failing to recognize that data exfiltration detection requires cumulative byte totals over a period, not per-event thresholds.

How to eliminate wrong answers

Option B is wrong because it uses `extend bin = bin(TimeGenerated, 5m)` without any aggregation, then filters individual events where `BytesSent > 100000000`; this looks for single events exceeding 100 MB, not the total over a 5-minute window, and so misses the requirement for cumulative exfiltration. Option C is wrong because `make_list(BytesSent)` collects the bytes of events that share an exact timestamp (not a 5-minute bin), and `array_length(...)` returns the number of events in that list, not the sum of bytes, so comparing it to 100,000,000 compares an event count to a byte threshold; in addition, `array_length(make_list)` references a function name rather than the result column, so the query would not run as written. Option D is wrong because it is the least direct form of the same aggregation: the `where SourceIp` filter is present and the `project` step keeps `TimeGenerated`, so it does run, but the `project` adds nothing and the final `where` depends on the auto-generated column name `sum_BytesSent` instead of naming the aggregate explicitly, as Option A does with `totalBytes`, which makes the query harder to read and maintain.

389
Multi-Select · medium

Which TWO of the following are valid actions that can be performed by an automation rule in Microsoft Sentinel? (Select two.)

Select 2 answers
A. Delete a watchlist
B. Create a task
C. Modify an analytics rule
D. Assign incident to an analyst
E. Run a playbook
Answers: D, E

Automation rules can assign incidents.

Why this answer

Options D and E are correct. Automation rules can assign incidents to analysts and run playbooks. Option C is wrong because automation rules do not modify analytics rules.

Option B is wrong because, in this question, automation rules are used to assign and close incidents, not to create tasks. Option A is wrong because automation rules do not delete watchlists.

390
MCQ · easy

A security analyst is using advanced hunting in Microsoft 365 Defender to investigate a potential brute-force attack against an on-premises Exchange server. The analyst wants to find authentication failures from a specific IP address. Which table should the analyst query?

A. EmailEvents
B. IdentityLogonEvents
C. DeviceLogonEvents
D. CloudAppEvents
Answer: B

IdentityLogonEvents collects authentication events from both cloud and on-premises, including Exchange servers integrated with Active Directory.

Why this answer

IdentityLogonEvents is the correct table because it captures authentication events from Microsoft Defender for Identity, including failed logon attempts against on-premises Active Directory and Exchange servers. This table specifically logs interactive and non-interactive logon failures with source IP details, making it ideal for investigating brute-force attacks from a specific IP address.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (endpoint-focused) with IdentityLogonEvents (identity-focused), forgetting that on-premises Exchange authentication is handled by Active Directory and monitored by Defender for Identity, not by endpoint sensors.

How to eliminate wrong answers

Option A is wrong because EmailEvents tracks email delivery and threat events (e.g., phishing, spam), not authentication failures. Option C is wrong because DeviceLogonEvents logs logon events on endpoints (e.g., Windows devices) via Microsoft Defender for Endpoint, not on-premises Exchange server authentication. Option D is wrong because CloudAppEvents records activities from cloud applications (e.g., Office 365, Azure AD), not on-premises Exchange server logon failures.

391
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR (including Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps). You have an incident response team that operates 24/7. Recently, there have been multiple incidents involving users receiving phishing emails that lead to credential theft. The phishing emails are sophisticated and bypass Exchange Online Protection (EOP) and Defender for Office 365's built-in phishing filters. The emails contain links to fake login pages that harvest credentials. Once credentials are stolen, the attacker uses them to sign in from anonymous IP addresses and attempts to access sensitive data in SharePoint Online. You need to design a response strategy that includes automated containment and investigation. The solution must:

- Automatically disable user accounts when a phishing incident is confirmed.
- Automatically trigger an investigation into the user's activity in Microsoft Defender for Cloud Apps.
- Send a notification to the incident response team with a summary of the incident.
- Minimize manual effort.

You have the following components available:

- Microsoft Sentinel with automation rules and playbooks.
- Microsoft Defender XDR with advanced hunting.
- Microsoft Power Automate.

What is the most efficient way to achieve these requirements?

A. Use Microsoft Defender XDR's automated investigation and response (AIR) to automatically disable the user account.
B. Create a playbook in Microsoft Sentinel that uses the Microsoft Graph API to disable the user account in Microsoft Entra ID, trigger an investigation in Microsoft Defender for Cloud Apps, and send an email notification. Associate the playbook with an automation rule that runs when the incident is created.
C. Create an automation rule in Microsoft Sentinel that triggers a webhook to a third-party system, which then disables the user account.
D. Configure a Playbook in Power Automate that monitors Microsoft Sentinel incidents and automatically disables the user account.
Answer: B

This fully automates containment, investigation, and notification.

Why this answer

Option B, a Sentinel playbook that uses the Microsoft Graph API to disable the user in Microsoft Entra ID, triggers an investigation in Defender for Cloud Apps, and sends an email notification, associated with an automation rule that runs automatically when the incident is created, meets all requirements with minimal manual effort. Option A is incorrect because it requires manual triggering. Option D is incorrect because Power Automate is not as tightly integrated as a Sentinel playbook.

Option C is incorrect because it still requires manual investigation steps.

392
MCQ · medium

You are a SOC analyst using Microsoft Defender for Endpoint. You need to investigate a device that is suspected of being compromised. You want to collect a memory dump for offline analysis. Which action should you take from the Microsoft Defender XDR portal?

A. Initiate a live response session and use the 'Collect memory dump' command.
B. Isolate the device from the network to prevent further damage.
C. Run a PowerShell script through live response to copy the memory dump.
D. Run a full antivirus scan on the device.
Answer: A

Live response provides a command to collect a full memory dump.

Why this answer

Microsoft Defender for Endpoint allows you to initiate live response sessions to collect forensic data. Option A is correct. Option D is wrong because an antivirus scan does not collect memory dumps.

Option C is wrong because running a PowerShell script through live response is possible, but the direct action to collect a memory dump is the 'Collect memory dump' command in live response. Option B is wrong because device isolation does not collect data.

393
MCQ · medium

You are a security operations analyst at a company that uses Microsoft Sentinel. You need to ensure that all incidents generated from Microsoft Defender for Cloud Apps are automatically assigned to the same SOC team. The team uses Microsoft Teams to collaborate. Which configuration should you implement?

A. Create a playbook that assigns the incident to the team and configure an automation rule to run it.
B. Create an automation rule that sets the owner to the team entity.
C. Configure the Microsoft Defender for Cloud Apps connector to assign incidents to the team.
D. Use a logic app to automatically post incidents to a Teams channel and have the team claim them.
Answer: B

Automation rules can set the owner to a team using a managed identity or predefined team.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can be configured to automatically assign incidents to a specific owner (the team) based on conditions such as the alert provider. Microsoft Teams integration for collaboration is done via the Teams connector or custom solutions, not directly through automation rules; automation rules handle assignment, not Teams messaging.

Playbooks can post to Teams, but assignment is done by automation rules, so B is the most direct and correct answer.

394
MCQ · hard

During a security incident, you need to create a custom detection rule in Microsoft Sentinel to alert on multiple failed logins followed by a successful login from the same IP within 10 minutes. Which KQL function should you use to group events by IP address and time window?

A. join
B. extend
C. project
D. summarize
Answer: D

summarize groups events and can perform aggregations like count or make_list.

Why this answer

Option D is correct because `summarize` with `make_list` or `count` is used to aggregate events within a time window. Option C is wrong because `project` selects columns; it does not aggregate. Option B is wrong because `extend` adds computed columns but does not group.

Option A is wrong because `join` combines tables but does not aggregate within a window.

395
MCQ · easy

Your security operations center (SOC) uses Microsoft Sentinel. Analysts need to collaborate on incidents by adding comments and changing severity. Which feature should they use?

A. Hunting
B. Playbooks
C. Workbooks
D. Incident management
Answer: D

Incident management provides commenting and severity changes.

Why this answer

Incident management in Sentinel allows commenting, severity changes, and assignment. Option B is wrong because Playbooks automate responses. Option C is wrong because Workbooks are for dashboards.

Option A is wrong because Hunting is for proactive threat detection.

396
MCQ · medium

Your team uses Microsoft Sentinel to monitor Azure subscriptions. You need to ensure that only users with the 'Microsoft Sentinel Contributor' role can create and edit analytics rules. You want to enforce this using Azure Policy. What should you do?

A. Create an Azure Policy that denies creation of analytics rules if the user doesn't have the 'Microsoft Sentinel Contributor' role.
B. Use Azure Blueprints to assign the 'Microsoft Sentinel Contributor' role to a security group.
C. Assign the 'Microsoft Sentinel Contributor' role to all users at the subscription level.
D. Create a custom role that denies write access to analytics rules.
Answer: A

Correct. Azure Policy can enforce RBAC requirements.

Why this answer

The correct answer is A because Azure Policy can audit or deny role assignments that do not match the allowed roles. Options C and D are incorrect because role assignment and custom role definitions on their own are RBAC mechanisms, not Azure Policy, so they do not meet the requirement to enforce the rule with Azure Policy.

Option B is incorrect because Azure Blueprints are for deploying environments, not enforcing RBAC.

397
MCQ · hard

An analyst is creating a custom detection rule in Microsoft 365 Defender to detect lateral movement. The rule should trigger when a device (DeviceA) connects to another device (DeviceB) via SMB (port 445) and, within 5 minutes, a scheduled task is created on DeviceB. Which Advanced Hunting query pattern correctly correlates these events across devices?

A. Join DeviceNetworkEvents (where RemoteIP is DeviceB's IP and RemotePort 445) with DeviceEvents (where ActionType == 'ScheduledTaskCreated' and DeviceId == DeviceB's ID) using a time window of 5 minutes
B. Use DeviceProcessEvents to find smb.exe on DeviceA, then join with DeviceFileEvents on DeviceB
C. Use only DeviceNetworkEvents on DeviceA and DeviceB separately
D. Use EmailEvents and DeviceEvents on DeviceB
Answer: A

Correct. This joins the network connection from DeviceA with the scheduled task creation on DeviceB within the specified time window.

Why this answer

Option A is correct because it uses a `join` between `DeviceNetworkEvents` (filtered for SMB traffic on port 445 from DeviceA to DeviceB) and `DeviceEvents` (filtered for `ActionType == 'ScheduledTaskCreated'` on DeviceB) with a 5-minute time window. This directly correlates the network connection with the subsequent scheduled task creation, which is a classic lateral movement pattern (e.g., PsExec or WMI abuse). The time window ensures the events are causally related within the detection rule's scope.

Exam trap

The trap here is that candidates might think `DeviceProcessEvents` is needed to capture the SMB connection (Option B), but SMB is a kernel-mode protocol and not logged as a user-mode process, so `DeviceNetworkEvents` is the correct source for network-level correlation.

How to eliminate wrong answers

Option B is wrong because `DeviceProcessEvents` does not reliably capture SMB connections; `smb.exe` is not a standard process name for SMB traffic (SMB is handled by the kernel via `mrxsmb.sys`), and `DeviceFileEvents` on DeviceB would not directly show scheduled task creation. Option C is wrong because using only `DeviceNetworkEvents` on both devices separately cannot correlate the network connection with the specific scheduled task creation event on DeviceB, missing the required behavioral link. Option D is wrong because `EmailEvents` is irrelevant to lateral movement via SMB and scheduled tasks, and `DeviceEvents` alone on DeviceB does not capture the initiating network connection from DeviceA.

398
MCQhard

Refer to the exhibit. An alert in Microsoft Defender for Identity shows suspicious PowerCLI execution on an Exchange server. The service account 'svc_exchange' is used. What is the most likely true-positive scenario?

A.An attacker using a compromised service account to access mailboxes via remote PowerShell
B.A security tool scanning for vulnerabilities
C.A misconfigured backup application running from an external IP
D.A legitimate IT admin running Exchange management scripts
AnswerA

PowerCLI can be used to execute remote PowerShell commands to access Exchange.

Why this answer

Option A is correct because PowerCLI on an Exchange server is unusual for a service account and suggests an attacker using a compromised account to access mailboxes remotely. Option D is wrong because PowerCLI is not a standard Exchange management tool. Option B is wrong because PowerCLI is not used for mail flow troubleshooting.

Option C is wrong because the IP 192.168.1.100 is internal, not external.

399
MCQhard

Refer to the exhibit. This is a snippet from an automation rule in Microsoft Sentinel. What is the purpose of the 'RunQuery' action?

A.To automatically update the incident status to 'Active'.
B.To run a PowerShell script on the affected endpoint.
C.To trigger a playbook that isolates the user's device.
D.To retrieve sign-in logs for the user involved in the incident.
AnswerD

The query filters SigninLogs by the user's UserPrincipalName from the incident.

Why this answer

Option D is correct. The action runs a KQL query using the UserPrincipalName from the incident's entities (the user involved) to pull sign-in logs for further investigation. Option C is wrong because playbooks, not automation rules, run Logic Apps.

Option A is wrong because 'RunQuery' does not update the incident. Option B is wrong because the query is KQL, not a PowerShell script.

400
Multi-Selectmedium

During a security incident response, you need to collect forensic data from multiple endpoints. Which TWO tools can be used to remotely collect forensic data from Windows devices in a Microsoft Defender for Endpoint environment? (Choose two.)

Select 2 answers
A.Microsoft Sentinel UEBA
B.Microsoft Defender for Endpoint live response
C.Microsoft 365 Defender portal
D.Microsoft Intune
E.Microsoft Purview eDiscovery
AnswersB, C

Live response enables real-time forensic collection from remote devices.

Why this answer

Option A and Option D are correct. Microsoft Defender for Endpoint live response allows remote collection of forensic data. Microsoft Sentinel's UEBA does not collect data; it analyzes behavior.

Microsoft Intune is for management. Microsoft 365 Defender portal provides incident management but not direct forensic collection from endpoints.

401
MCQeasy

A security analyst in Microsoft Defender for Cloud is reviewing the Security Alerts for an Azure subscription. The analyst sees an alert titled "Suspicious PowerShell activity detected" on an Azure VM. The analyst needs to view the full command line of the suspicious script and the parent process that launched it. Where in the alert details can the analyst find this information?

A.The "Attack story" tab
B.The "Alert details" pane (general description)
C.The "Take action" tab (recommendations)
D.The "Investigate" tab (with timeline and entities)
AnswerD

The Investigate tab contains a graphical timeline and entity relationships, including a process tree that reveals the full command line and parent process of the suspicious script.

Why this answer

The 'Investigate' tab in Microsoft Defender for Cloud provides a detailed timeline and entity graph that includes the full command line of the suspicious script and the parent process that launched it. This tab is specifically designed for deep forensic analysis, allowing analysts to trace process ancestry and view raw command-line arguments, which are not available in the general alert description or the Attack story tab.

Exam trap

The trap here is that candidates confuse the 'Attack story' tab (which shows a narrative of related alerts) with the 'Investigate' tab (which provides the raw forensic data like command lines and process trees), leading them to select A instead of D.

How to eliminate wrong answers

Option A is wrong because the 'Attack story' tab provides a high-level narrative of the attack chain (e.g., related alerts and entities) but does not expose the raw command line or parent process details. Option B is wrong because the 'Alert details' pane contains only a general description and severity of the alert, not the granular process lineage or script content. Option C is wrong because the 'Take action' tab offers remediation recommendations (e.g., isolate VM, run antivirus) and does not include investigative data like command lines or parent processes.

402
MCQmedium

Your organization uses Microsoft Defender for Endpoint. An endpoint is detected as infected with a trojan. The analyst needs to isolate the device from the network while preserving forensic data. What action should the analyst take?

A.Remove the device from the Active Directory domain.
B.Disable the network adapter on the device.
C.Initiate the 'Isolate device' action from the Microsoft Defender XDR portal.
D.Perform a full reimage of the device.
AnswerC

Isolation disconnects the device from the network while maintaining the management channel needed to collect forensic data.

Why this answer

Option C is correct because 'Isolate device' in Defender for Endpoint disconnects the device from the network but keeps it connected to Microsoft Defender for analysis. Option B is wrong because disabling the network adapter may lose the connection to Defender. Option A is wrong because removing the device from the domain does not isolate it.

Option D is wrong because reimaging destroys forensic data.

403
MCQmedium

During a threat hunt, an analyst discovers a PowerShell script that was executed on multiple servers in the environment. The script connects to an external IP address and downloads a payload. The analyst wants to find all other servers that may have been compromised by the same script. What is the most efficient way to search for this across the environment?

A.Use Sysmon Event ID 1 (process creation) to find PowerShell executions
B.Review the network logs from the firewall for connections to the external IP
C.Use the DeviceProcessEvents table in Microsoft Defender for Endpoint advanced hunting to search for the script's SHA256 hash or command line pattern
D.Query the Windows Event Log for Event ID 4104 (PowerShell script block logging) on each server
AnswerC

A single central query can find all instances across the environment, provided the servers are onboarded to MDE.

Why this answer

Option C (search Microsoft Defender for Endpoint advanced hunting for the script's hash or command line) is correct because it uses the known IOCs from the discovered script to find all occurrences centrally. Option D (querying Event ID 4104 on each server) is inefficient and may miss events. Option A (Sysmon) requires Sysmon to be installed.

Option B (firewall network logs) may not capture process details.

404
Multi-Selecthard

Which THREE components are required to use Microsoft Sentinel's automation rules to automatically respond to incidents?

Select 3 answers
A.A playbook created in Azure Logic Apps.
B.An analytics rule generating alerts.
C.The appropriate permissions to run playbooks.
D.An automation rule with conditions and actions.
E.A Microsoft Sentinel workspace.
AnswersC, D, E

Permissions are needed for playbook execution.

Why this answer

Option C is correct because automation rules require appropriate permissions (e.g., Microsoft Sentinel Contributor or Automation Contributor) to execute playbooks. Without these permissions, the automation rule cannot invoke the playbook when an incident is created or updated, even if the rule and playbook are properly configured.

Exam trap

The trap here is that candidates often assume a playbook (Option A) or an analytics rule (Option B) is mandatory for automation rules, but Microsoft Sentinel automation rules can function without either—they only require a workspace, the rule itself, and appropriate permissions to execute actions.

405
MCQmedium

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The JSON snippet defines an automation rule. What is the expected behavior of this rule?

A.It creates an incident when a phishing email is detected
B.It sends an email to the security team when an incident is created
C.It runs a playbook to quarantine an email when a specific alert is generated
D.It modifies the incident severity when a playbook runs
AnswerC

The rule triggers on the alert and runs a playbook.

Why this answer

The correct answer is C because the trigger is on an alert with the name 'Phishing email delivered', and the action is to run a playbook. Option A is wrong because the rule does not create an incident itself. Option B is wrong because the rule triggers on the alert, not on incident creation.

Option D is wrong because the rule does not change severity.

406
MCQeasy

A threat hunter runs this KQL query to find devices making many outbound SMB connections. The result shows a device 'DC01' connecting to over 100 different IPs on port 445. What is the most likely explanation?

A.DC01 is exfiltrating data via SMB
B.DC01 is scanning the network for open SMB shares
C.DC01 is compromised and spreading malware
D.DC01 is performing normal domain operations like Group Policy distribution
AnswerD

Domain controllers commonly connect to many clients via SMB for management.

Why this answer

A domain controller (DC01) making many outbound SMB connections to unique IPs is typical of normal activity such as Group Policy processing or logon scripts. Option C (malware) is possible but less likely given that it is a DC. Option B (scanning) is possible but not the most likely.

Option A (data exfiltration) is unlikely. The correct answer is D: normal DC behavior.

407
MCQhard

Your organization uses Microsoft Purview Data Loss Prevention (DLP) and Microsoft Defender for Cloud Apps. During an incident, you discover that a user is exfiltrating sensitive data via a sanctioned cloud app. You need to block the user's ability to share files in that app immediately. What should you do?

A.Create a session policy in Microsoft Defender for Cloud Apps to block the user's file sharing activity.
B.Disable the app connector for that cloud app in Microsoft Defender for Cloud Apps.
C.Remove the user from the Microsoft Entra ID group that allows access to the cloud app.
D.Create a Microsoft Purview DLP policy to block sharing of sensitive content.
AnswerA

Session policies can apply real-time controls per user.

Why this answer

Option A is correct because Microsoft Defender for Cloud Apps can apply a session policy to block file sharing for a specific user. Option B is wrong because a DLP policy would be reactive and not immediate. Option C is wrong because it would block all users.

Option D is wrong because app connector control is not real-time for sharing.

408
MCQeasy

You are investigating a security incident in Microsoft Sentinel involving a series of failed logon attempts followed by a successful logon from a different geographic location. The user's account is a privileged administrator. The incident is assigned a medium severity. What should you do first to contain the potential breach?

A.Disable the user's account immediately
B.Reset the user's password
C.Review the audit logs for the user's activity
D.Create a new analytics rule to detect similar attempts
AnswerA

Disabling the account stops all access immediately.

Why this answer

Option A is correct because disabling the privileged account prevents any further malicious activity. Option B is wrong because resetting the password alone may not terminate existing sessions. Option C is wrong because reviewing logs is analysis, not containment.

Option D is wrong because creating a rule is preventative, not immediate containment.

409
Multi-Selecteasy

Which TWO actions can be taken directly from the Microsoft Defender XDR incident queue? (Select TWO.)

Select 2 answers
A.Isolate a device involved in the incident
B.Modify a data connector's log collection
C.Change the incident status to 'In progress'
D.Create a new analytics rule
E.Create an automation rule
AnswersA, C

Device actions are available from the incident queue.

Why this answer

Option A is correct because the Microsoft Defender XDR incident queue provides direct actions, including device isolation, to contain threats without navigating to separate device management consoles. This capability is built into the incident investigation pane, allowing security analysts to quickly isolate a device involved in an incident from the unified queue.

Exam trap

The trap here is that candidates confuse the Defender XDR incident queue with the broader Microsoft Sentinel workspace, assuming all security operations tasks (like creating rules or modifying data connectors) are available from the incident queue, when in fact only incident-specific response actions are permitted.

410
MCQeasy

Your organization uses Microsoft Sentinel. You receive a high-severity incident indicating a potential data exfiltration from an Azure Storage account. The incident contains entities such as IP addresses and user accounts. Which step should you perform first to contain the threat?

A.Contact the user associated with the storage account
B.Block the suspicious IP address in the Azure Firewall
C.Investigate the incident to confirm the activity is malicious
D.Disable the storage account
AnswerC

Verification is the standard first step in incident response.

Why this answer

Option C is correct because the first step in incident response is to verify the alert is a true positive before taking containment actions. Option B is wrong because blocking the IP may be premature if the alert is a false positive. Option D is wrong because disabling the storage account could impact legitimate operations.

Option A is wrong because contacting the user may tip off a malicious insider.

411
MCQeasy

Your organization uses Microsoft Defender for Cloud Apps. You receive an alert that an administrator performed an unusual bulk download from SharePoint. What is the recommended first step to respond?

A.Report the activity to Microsoft for further analysis.
B.Suspend the administrator's account immediately.
C.Block the IP address of the administrator's device.
D.Review the activity log in Defender for Cloud Apps to determine the context.
AnswerD

Investigating the log provides context to decide if action is needed.

Why this answer

The first step is to investigate the activity by reviewing the user's activity log in Defender for Cloud Apps to understand if it is legitimate or malicious. Suspending the account immediately may disrupt legitimate work. Reporting to Microsoft is not immediate.

Blocking the IP might be too broad.

412
MCQhard

Your organization uses Microsoft Purview Compliance Manager to manage compliance activities. You need to assign a specific improvement action to a colleague for implementation. What should you do?

A.In the 'Improvement actions' tab, select the action and click 'Assign'
B.Create a new alert policy to notify the colleague
C.Modify the assessment to include the colleague as an owner
D.Use the 'Assessments' tab to delegate tasks
AnswerA

Improvement actions can be directly assigned to users.

Why this answer

In Microsoft Purview Compliance Manager, improvement actions are the specific tasks that need to be completed to meet compliance controls. Each improvement action can be directly assigned to a colleague by selecting the action in the 'Improvement actions' tab and clicking the 'Assign' button, which allows you to specify the assignee and due date. This is the intended workflow for delegating implementation responsibilities within Compliance Manager.

Exam trap

Microsoft often tests the distinction between assigning a specific improvement action and modifying assessment ownership or using alert policies, so candidates may mistakenly choose options that involve broader permissions or unrelated notification mechanisms instead of the direct assignment feature.

How to eliminate wrong answers

Option B is wrong because alert policies in Microsoft Purview are used to detect and notify about specific activities or threats (e.g., data loss prevention or insider risk events), not to assign improvement actions; they cannot delegate tasks. Option C is wrong because modifying an assessment to add a colleague as an owner changes the ownership of the entire assessment, not the assignment of a specific improvement action; this would give them broad control over the assessment rather than a single task. Option D is wrong because the 'Assessments' tab is used to manage assessments and their controls, not to delegate individual improvement actions; there is no task delegation feature in that tab.

413
MCQmedium

Refer to the exhibit. You are a security analyst reviewing a KQL query in Microsoft Sentinel. The query is intended to show the count of high-severity malware alerts in the last 24 hours. It currently returns only alerts whose severity string is exactly 'High', but you also need to include 'Informational' severity alerts that are related to malware. What should you modify?

A.Remove the 'summarize' and 'order by' clauses.
B.Remove the 'where AlertName contains "malware"' condition.
C.Change the 'where AlertSeverity == "High"' to 'where AlertSeverity in ("High", "Informational")'.
D.Change 'ago(24h)' to 'ago(48h)'.
AnswerC

This includes both severities.

Why this answer

Option C is correct because the query currently filters only for alerts where AlertSeverity equals 'High', but the requirement is to also include 'Informational' severity alerts related to malware. By changing the condition to 'where AlertSeverity in ("High", "Informational")', the query will return both severity levels while keeping the malware-related filter and the 24-hour time window intact.

Exam trap

The trap here is that candidates may think the issue is with the time range (Option D) or the aggregation (Option A), when the actual problem is a simple missing filter condition for the 'Informational' severity level, which is a common oversight when requirements specify multiple severity values.

How to eliminate wrong answers

Option A is wrong because removing the 'summarize' and 'order by' clauses would only affect the aggregation and sorting of results, not the filtering of severity levels; the query would still exclude 'Informational' alerts. Option B is wrong because removing the 'where AlertName contains "malware"' condition would include all alerts regardless of whether they are related to malware, which violates the requirement to focus on malware alerts. Option D is wrong because changing 'ago(24h)' to 'ago(48h)' would expand the time window to 48 hours, but the requirement specifies the last 24 hours, and this change does not address the missing 'Informational' severity alerts.

414
MCQmedium

A SOC analyst is building a scheduled analytics rule in Microsoft Sentinel to detect PowerShell downloads from external IPs. The rule queries the DeviceProcessEvents table from Microsoft Defender for Endpoint forwarded to Sentinel. The analyst wants to reduce alert fatigue by excluding processes initiated by known system accounts (e.g., SYSTEM). Which KQL operator should the analyst use in the query?

A.where InitiatingProcessAccountName !contains "SYSTEM"
B.where InitiatingProcessAccountName !startswith "NT AUTHORITY"
C.where InitiatingProcessAccountName !has "NT AUTHORITY\SYSTEM"
D.where InitiatingProcessAccountName !matches regex "^NT AUTHORITY\\SYSTEM$"
AnswerC

This filters out records where the account name contains the exact substring 'NT AUTHORITY\SYSTEM', effectively excluding the SYSTEM account.

Why this answer

Option C is correct because the `!has` operator performs a case-sensitive substring match, which is the most reliable way to exclude the exact string `NT AUTHORITY\SYSTEM` from the `InitiatingProcessAccountName` field. This ensures that only processes started by the SYSTEM account (as reported by Microsoft Defender for Endpoint) are filtered out, reducing alert fatigue without accidentally excluding other accounts that might contain similar substrings.

Exam trap

The trap here is that candidates often confuse `!contains` (case-insensitive) with `!has` (case-sensitive) or use `!startswith` without accounting for the full account name format, leading to either over-filtering or under-filtering of the SYSTEM account.

How to eliminate wrong answers

Option A is wrong because `!contains` performs a case-insensitive substring match, which could inadvertently exclude accounts with 'SYSTEM' in their name (e.g., 'SYSTEM32' or 'DOMAIN\SYSTEMUSER'), leading to missed detections. Option B is wrong because `!startswith` only checks whether the field begins with 'NT AUTHORITY'; the actual account name in the DeviceProcessEvents table is typically formatted as 'NT AUTHORITY\SYSTEM' (with a backslash), so this operator does not match the full string. Option D is wrong because `!matches regex` is overly precise and can fail if the account name includes a domain or other variations (e.g., a trailing space or different casing), and regex is unnecessary for this simple exclusion.

415
MCQmedium

A SOC analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect potential account compromise. The rule should trigger when a user account is created in Microsoft Entra ID and, within one hour, that same account is used to sign in from an unfamiliar location. The queries use the AuditLogs table for account creation and the SigninLogs table for sign-ins. Which KQL operator should be used to correlate these two events from different tables within a specific time window?

A.where
B.join
C.union
D.summarize
AnswerB

Correct. The 'join' operator can combine rows from two tables based on a common key and a time window, enabling correlation of account creation and sign-in events.

Why this answer

The correct answer is B (join) because the scenario requires correlating two events from different tables (AuditLogs and SigninLogs) based on a common field (e.g., UserPrincipalName) and within a specific time window (one hour). The join operator in KQL allows you to combine rows from two tables by matching keys, and you can use the 'where' clause on the time fields to enforce the one-hour window. This is the only operator that supports row-wise correlation across tables with a time constraint.

Exam trap

The trap here is that candidates often confuse union (which stacks rows) with join (which correlates rows), especially when the question mentions 'different tables' and 'time window' — union cannot enforce a time-based relationship between rows from separate tables.

How to eliminate wrong answers

Option A (where) is wrong because the where operator filters rows in a single table based on conditions; it cannot correlate events from two different tables. Option C (union) is wrong because union concatenates rows from multiple tables into a single result set without matching or correlating rows by a common key or time window. Option D (summarize) is wrong because summarize aggregates data (e.g., counts, averages) over groups; it does not perform row-level correlation between two tables.

416
MCQmedium

You are investigating a security incident in Microsoft Sentinel where a user received a phishing email containing a link to a malicious domain. The link was clicked, but no further actions were observed. Which playbook action should you take immediately to prevent potential lateral movement?

A.Disable the user's account
B.Revoke the user's active sessions
C.Reset the user's password
D.Block the malicious domain on the firewall
AnswerD

Blocking the domain prevents further access to the malicious site, containing the threat.

Why this answer

The correct action is to block the malicious domain at the firewall or proxy to prevent further access. Disabling the user account might be premature if no compromise is confirmed. Resetting password and revoking sessions are post-compromise steps.

Blocking the domain is immediate containment.

417
MCQeasy

A SOC analyst is investigating a phishing campaign that targets Microsoft 365 users. The analyst needs to collect email message headers from multiple users' mailboxes. Which Microsoft 365 Defender action should the analyst use?

A.Use Microsoft 365 Defender > Actions & submissions to view email headers.
B.Use Microsoft 365 Defender > Threat hunters to search for email headers.
C.Use Microsoft 365 Defender > Attack simulation training to collect headers.
D.Use Microsoft 365 Defender > Email & collaboration > Explorer to query email headers.
AnswerD

Explorer allows hunting and exporting email headers for investigation.

Why this answer

Option D is correct because 'Email & collaboration > Explorer' allows hunting for email messages and collecting headers. Option B is wrong because 'Threat hunters' is a Microsoft Defender XDR role, not a specific action. Option A is wrong because 'Actions & submissions' is for submitting suspicious items, not for collecting headers.

Option C is wrong because 'Attack simulation training' is for testing, not investigation.

418
Multi-Selectmedium

Which TWO actions should you take to improve the performance of Microsoft Sentinel analytics rules that are running slowly? (Choose two.)

Select 2 answers
A.Assign a higher severity to the rule
B.Reduce the query time window
C.Use summarized data in the query
D.Increase the rule run frequency
E.Add additional entity mapping
AnswersB, C

A smaller time window reduces data scanned.

Why this answer

Reducing the query time window (Option B) directly limits the volume of data the analytics rule must process per execution, which reduces query latency and overall rule execution time. This is a common performance optimization because Sentinel analytics rules run KQL queries against the Log Analytics workspace, and smaller time ranges mean fewer log records to scan.

Exam trap

The trap here is that candidates often confuse rule configuration settings (like severity or frequency) with query performance optimizations, mistakenly thinking that increasing frequency or adding mappings will somehow speed up execution, when in fact they degrade it.

419
MCQeasy

You run the above KQL query in Microsoft Sentinel to identify ransomware alerts from the last day. The result shows zero rows. Which is the most likely reason?

A.The table name 'SecurityAlert' is incorrect; it should be 'Alert'
B.No alerts with 'ransomware' in the name occurred in the last day
C.The user does not have permission to access the SecurityAlert table
D.The time filter of 1 day is too restrictive; need to increase range
AnswerB

The query is correct; simply no matching alerts.

Why this answer

The query is syntactically correct: 'SecurityAlert' is the table that holds alerts in Microsoft Sentinel's common schema, the 'contains' operator is case-insensitive (so 'Ransomware' and 'ransomware' both match), and a 1-day window is the range the question asks for. With the query and the table name correct, the most likely reason for zero rows is simply that no alert whose name contains 'ransomware' occurred in the last day (Option B).

How to eliminate wrong answers

Option A is wrong because 'SecurityAlert' is the correct table name for alerts in Sentinel. Option C (missing permissions) is unlikely. Option D is wrong because the question specifies the last day, so the 1d filter is not too restrictive.

420
MCQmedium

A security analyst receives a Microsoft Defender for Cloud Apps alert about a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately prevent further access from that IP. What should the analyst do?

A.Create a mailbox rule to delete emails from that IP.
B.Create a Conditional Access policy in Microsoft Entra ID to block the IP.
C.Create an IP address-based access policy in Microsoft Defender for Cloud Apps.
D.Reset the user's password and require MFA re-registration.
AnswerC

Access policies in Defender for Cloud Apps can block specific IPs.

Why this answer

Option C is correct because creating an IP-based access policy in Defender for Cloud Apps allows blocking the specific IP. Option B is wrong because Conditional Access policies are managed in Microsoft Entra ID, not directly from the alert. Option D is wrong because resetting the user's password does not block the IP.

Option A is wrong because a mailbox rule cannot block IP access.

421
MCQmedium

A security administrator wants to enforce Just-in-Time (JIT) VM access for all Azure virtual machines in a management group to reduce the attack surface. The administrator wants to automatically enable JIT on any new VM and remediate existing non-compliant VMs. What should the administrator configure in Microsoft Defender for Cloud?

A.Manually enable JIT in Defender for Cloud's 'Just-in-time VM access' blade for each subscription.
B.Assign the built-in policy initiative 'Configure just-in-time network access on virtual machines' at the management group level.
C.Configure Azure Policy Guest Configuration to require JIT on virtual machines.
D.Create a custom Azure Policy definition to enforce JIT and assign it to each subscription.
AnswerB

This initiative automatically deploys JIT configuration to VMs, covers new VMs, and remediates non-compliant ones.

Why this answer

The built-in policy initiative 'Configure just-in-time network access on virtual machines' can be assigned at the management group scope to automatically enable JIT on new VMs and remediate existing non-compliant VMs via a DeployIfNotExists effect. This ensures consistent enforcement across all subscriptions under that management group without manual per-subscription configuration.

Exam trap

The trap here is that candidates may think manual configuration (A) or custom policies (D) are needed, but the exam tests knowledge of built-in policy initiatives that can be assigned at a management group for automated, scalable enforcement.

How to eliminate wrong answers

Option A is wrong because manually enabling JIT per subscription does not provide automatic enforcement for new VMs or remediate existing non-compliant VMs at scale; it requires ongoing manual effort. Option C is wrong because Azure Policy Guest Configuration is used for in-guest settings (e.g., OS configuration, compliance) and does not control network-level JIT access on Azure VMs. Option D is wrong because creating a custom Azure Policy definition is unnecessary when a built-in policy initiative already exists for this exact purpose, and assigning it per subscription is less efficient than a single management group assignment.

422
MCQhard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to create a custom detection rule that triggers when a user is added to a privileged role in Microsoft Entra ID and within 5 minutes performs a mass download from SharePoint. Which approach should you use?

A.Create an advanced hunting query in Microsoft Defender XDR
B.Use a custom detection rule in Microsoft 365 Defender
C.Use a Microsoft Purview insider risk policy
D.Create a scheduled query rule in Microsoft Sentinel
AnswerD

Sentinel scheduled rules can query multiple data sources and join them with time windows.

Why this answer

Option D is correct because the detection requires correlating events across Microsoft Entra ID (privileged role assignment) and SharePoint (mass download) within a 5-minute window. Microsoft Sentinel's scheduled query rules can ingest data from multiple sources (e.g., AuditLogs for Entra ID and SharePoint via Office 365 connector) and use KQL to join these events with a time constraint, making it the only native solution for cross-domain, time-bound custom detections.

Exam trap

The trap here is that candidates assume Microsoft 365 Defender (now Defender XDR) can correlate all Microsoft 365 data, but its custom detection rules are restricted to Defender XDR tables, not Entra ID or SharePoint audit logs, which are only available in Sentinel via dedicated connectors.

How to eliminate wrong answers

Option A is wrong because advanced hunting queries in Microsoft Defender XDR are limited to data within the Defender ecosystem (e.g., device, identity, email signals) and cannot natively query Microsoft Entra ID audit logs or SharePoint activity logs. Option B is wrong because Microsoft 365 Defender custom detection rules (now part of Defender XDR) only support data from Defender XDR tables (e.g., IdentityLogonEvents, CloudAppEvents) and cannot directly ingest Entra ID role assignment events or SharePoint download events with the required granularity. Option C is wrong because Microsoft Purview insider risk policies are designed for user behavior analytics and risk scoring based on predefined indicators, not for creating custom, time-bound correlation rules with specific event thresholds.
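As an added example for question 422 (not from the page or from Microsoft's own rule templates), a scheduled-rule KQL query that correlates an Entra ID privileged-role assignment in AuditLogs with SharePoint downloads in OfficeActivity inside a 5-minute window; the role list, the download threshold, and the audit-log property path used to extract the role name are assumptions to tune per environment.

```kql
// Added example for Q422, not from the page.
// Correlates "Add member to role" events (Entra ID audit log via the AuditLogs table)
// with SharePoint FileDownloaded events (Office 365 connector, OfficeActivity table)
// for the same user within `window` after the assignment.
let lookback = 1h;
let window = 5m;
let downloadThreshold = 50;            // assumed value; tune to the environment
let PrivilegedRoles = dynamic([       // assumed list; extend as needed
    "Global Administrator",
    "Privileged Role Administrator",
    "Security Administrator",
    "SharePoint Administrator"]);
// Step 1: privileged role assignments. The target user and the role name live in
// TargetResources / modifiedProperties (property names assumed from the audit schema).
let RoleAdds = AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName == "Add member to role" and Result == "success"
| mv-expand Target = TargetResources
| where tostring(Target.type) == "User"
| extend TargetUser = tolower(tostring(Target.userPrincipalName))
| mv-expand Prop = Target.modifiedProperties
| where tostring(Prop.displayName) == "Role.DisplayName"
| extend RoleName = trim('"', tostring(Prop.newValue))
| where RoleName in (PrivilegedRoles)
| project RoleAddTime = TimeGenerated, TargetUser, RoleName,
          Actor = tolower(tostring(InitiatedBy.user.userPrincipalName));
// Step 2: SharePoint downloads, normalised to the same user key.
let Downloads = OfficeActivity
| where TimeGenerated > ago(lookback)
| where OfficeWorkload == "SharePoint" and Operation == "FileDownloaded"
| project DownloadTime = TimeGenerated, UserId = tolower(UserId), OfficeObjectId, ClientIP;
// Step 3: keep downloads that fall within `window` after the assignment, count them
// per assignment, and fire when the count reaches the threshold.
RoleAdds
| join kind=inner Downloads on $left.TargetUser == $right.UserId
| where DownloadTime between (RoleAddTime .. (RoleAddTime + window))
| summarize DownloadCount = count(),
            FirstDownload = min(DownloadTime),
            LastDownload = max(DownloadTime),
            SampleFiles = make_set(OfficeObjectId, 5),
            SourceIPs = make_set(ClientIP, 5)
          by RoleAddTime, TargetUser, RoleName, Actor
| where DownloadCount >= downloadThreshold
| extend AccountCustomEntity = TargetUser
```

Schedule the rule to run at least as often as `lookback` so no assignment-and-download pair falls between two runs; the `AccountCustomEntity` column lets the rule map the user as an incident entity.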

423
Multi-Selecteasy

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email. You need to investigate the email and take action. Which TWO actions can you perform? (Choose two.)

Select 2 answers
A.Use the email entity page to take action like 'Soft delete'.
B.Use Threat Explorer to find the email and delete it.
C.Create a mail flow rule to block similar emails.
D.Submit the email to Microsoft for analysis.
E.Block the sender's email address.
AnswersA, B

Email entity page provides remediation actions.

Why this answer

Options A and B are correct. The email entity page offers remediation actions such as 'Soft delete', and Threat Explorer allows you to find the email and take actions like delete or soft delete. Option D (submitting to Microsoft) is for analysis, not direct action.

Option C (creating a mail flow rule) is not immediate. Option E (blocking the sender) is possible but not directly from the incident investigation.

424
MCQmedium

Your company is deploying Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. You need to ensure that SOC analysts can triage incidents across all tenants from a single workspace. What is the minimum configuration required?

A.Create a second Sentinel workspace in the managing tenant and configure cross-workspace queries.
B.Configure Azure AD B2B collaboration to grant external users access to each tenant's Sentinel workspace.
C.Use Azure Policy to enforce a standard analytics rule across all tenants.
D.Onboard each tenant as a delegated resource under Azure Lighthouse, then route all logs to a single Sentinel workspace in the managing tenant.
AnswerD

Azure Lighthouse allows delegated resource management and log routing to a central workspace.

Why this answer

Option D is correct because Azure Lighthouse enables cross-tenant management by delegating permissions to a managing tenant, allowing a single Sentinel workspace to ingest logs from multiple tenants. Option B is wrong because Azure AD B2B is for user access, not workspace management. Option C is wrong because Azure Policy can enforce settings but does not enable cross-tenant incident viewing.

Option A is wrong because a second workspace is unnecessary and would fragment visibility.

425
MCQeasy

A security engineer needs to ensure that all Azure subscriptions under a management group are continuously assessed against the Azure Security Benchmark. They want to see the aggregated compliance score at the management group level. What should the engineer do in Microsoft Defender for Cloud?

A.Assign the Azure Security Benchmark initiative to each subscription individually and use the secure score dashboard.
B.Assign the Azure Security Benchmark initiative to the management group.
C.Enable the Regulatory Compliance dashboard and select the Azure Security Benchmark from the built-in standards list.
D.Configure Secure Score policies at the management group and enable Azure Security Benchmark.
AnswerB

When assigned to a management group, the initiative applies to all subscriptions under it, and the Regulatory Compliance dashboard shows aggregated compliance.

Why this answer

Assigning the Azure Security Benchmark initiative to the management group ensures that all subscriptions under that management group are continuously assessed against the benchmark. The aggregated compliance score is then visible at the management group level in the Regulatory Compliance dashboard, providing a single view of compliance across the entire hierarchy.

Exam trap

The trap here is that candidates often think they need to enable the Regulatory Compliance dashboard (Option C) or configure Secure Score policies (Option D) to see aggregated scores, but the critical step is assigning the initiative at the correct scope—the management group—to enable both continuous assessment and aggregation.

How to eliminate wrong answers

Option A is wrong because assigning the initiative to each subscription individually does not provide an aggregated compliance score at the management group level; it only shows per-subscription scores. Option C is wrong because enabling the Regulatory Compliance dashboard and selecting the Azure Security Benchmark from the built-in standards list only enables the dashboard view, it does not assign the initiative to the management group or subscriptions, so no continuous assessment occurs. Option D is wrong because there is no 'Secure Score policies' configuration at the management group; secure score is derived from the assigned initiatives, and the Azure Security Benchmark must be assigned as an initiative, not just 'enabled' as a policy.

426
MCQmedium

Your security operations team uses Microsoft Sentinel workbooks to monitor security posture. You notice that a workbook query is timing out when run against a large workspace. What is the best way to optimize the query without changing its results?

A.Remove some filter conditions to simplify the query.
B.Add a summarize operator at the end of the query.
C.Use the workspace() function to query specific workspaces only.
D.Reduce the time range of the query.
AnswerC

The workspace() function limits the query scope, reducing data volume and improving performance.

Why this answer

Option C is correct because the `workspace()` function in KQL allows you to explicitly scope a query to specific workspaces, reducing the data scanned and improving performance. By targeting only the necessary workspaces, you avoid the overhead of querying the entire large workspace, which is the root cause of the timeout. This optimization does not alter the query logic or results, as it simply restricts the data source.

Exam trap

The trap here is that candidates often confuse query optimization with result modification, choosing to reduce the time range or remove filters, which changes the data returned, rather than using workspace scoping to limit the data source without affecting the query logic.

How to eliminate wrong answers

Option A is wrong because removing filter conditions would likely increase the data volume scanned, worsening performance, and it would change the query results by including more rows. Option B is wrong because adding a `summarize` operator at the end of the query does not reduce the initial data scan; it aggregates results after retrieval, which can actually increase processing time and memory usage. Option D is wrong because reducing the time range changes the query results by excluding older data, which violates the requirement to keep results unchanged.

427
MCQeasy

You are threat hunting for signs of Microsoft 365 mailbox compromise. Which hunting query in Microsoft 365 Defender would be most effective for identifying suspicious mailbox forwarding rules?

A.EmailEvents | where EmailAction == 'Forward'
B.DeviceEvents | where ActionType contains 'Mailbox'
C.AlertInfo | where Title contains 'forward'
D.EmailPostDeliveryEvents | where Action == 'Forward'
AnswerA

EmailEvents includes forwarding actions.

Why this answer

Mailbox forwarding rules are captured in the EmailEvents table. Option A is correct because it filters for forwarding actions. Option D is incorrect because EmailPostDeliveryEvents is for post-delivery actions.

Option B is incorrect because DeviceEvents is for devices. Option C is incorrect because AlertInfo is for alerts, not raw events.

428
MCQhard

Your company uses Microsoft Defender for Cloud Apps to monitor cloud applications. You have discovered that a user is accessing a sanctioned cloud storage app from an IP address that belongs to a known malicious botnet. You need to automatically block the user's access to the app and require them to re-authenticate. You have already configured session policies in Defender for Cloud Apps. What should you do next?

A.Create an access policy in Defender for Cloud Apps to block the user.
B.Create an app governance policy in Microsoft Purview to block the app.
C.Configure a session policy in Defender for Cloud Apps with the action 'Block' and 'Require re-authentication'.
D.Create a device compliance policy in Microsoft Intune to block the device.
AnswerC

Session policies can block and force re-authentication via conditional access.

Why this answer

Session policies in Defender for Cloud Apps can enforce real-time controls on sanctioned apps. By configuring a session policy with the actions 'Block' and 'Require re-authentication', you can immediately terminate the user's session and force them to re-authenticate, which effectively blocks access from the malicious IP while ensuring the user re-verifies their identity.

Exam trap

The trap here is confusing session policies with access policies; access policies only block or allow at the app level without session-level controls like re-authentication, while session policies provide the granular, real-time actions needed for this scenario.

How to eliminate wrong answers

Option A is wrong because access policies in Defender for Cloud Apps control access based on user, device, or location but cannot enforce re-authentication within an active session; they only allow or block access at the app level. Option B is wrong because app governance policies in Microsoft Purview are designed for managing app permissions and compliance in Microsoft 365, not for blocking user access to cloud storage apps based on IP reputation. Option D is wrong because device compliance policies in Microsoft Intune enforce device-level security requirements (e.g., encryption, OS version) and cannot block access to a specific cloud app based on IP address or require re-authentication.

429
MCQeasy

During a security incident, you need to collect email messages associated with a phishing campaign from multiple mailboxes in Microsoft 365. Which tool should you use to search and export these emails?

A.Advanced Hunting in Microsoft Defender XDR.
B.Incident investigation in the Microsoft 365 Defender portal.
C.Mail Flow in the Exchange admin center.
D.Content Search in the Microsoft Purview compliance portal.
AnswerD

Content Search supports searching and exporting emails from multiple mailboxes.

Why this answer

Option D is correct because Content Search in the Microsoft Purview compliance portal allows searching across mailboxes and exporting results. Option A is wrong because Advanced Hunting is for threat hunting, not email export. Option C is wrong because Mail Flow is for mail routing.

Option B is wrong because the Microsoft 365 Defender portal provides incident management but not bulk email export.

430
MCQhard

Your organization uses Microsoft Sentinel with Fusion and Microsoft Security incident creation rules. You receive a high-severity incident from Microsoft Defender for Cloud Apps. The incident has a low confidence score. What should you do first?

A.Dismiss the incident as a false positive due to low confidence.
B.Suppress all future alerts from Defender for Cloud Apps with low confidence.
C.Escalate the incident to the SOC manager immediately.
D.Validate the alert by correlating with other logs.
AnswerD

Validation helps determine if the alert is a true positive before taking further action.

Why this answer

Option D is correct because validating the alert ensures that the incident is actionable before escalating. Option C is wrong because escalating without validation may waste resources. Option A is wrong because dismissing without investigation may miss a real threat.

Option B is wrong because suppressing low-confidence alerts may cause missed detections.

431
MCQeasy

You are a security analyst at a company using Microsoft Sentinel. You have been asked to perform a threat hunt to identify potential brute-force attacks against your on-premises Active Directory. The relevant data is ingested into Sentinel from Windows Event Logs (Event ID 4625) and Azure ATP (now Microsoft Defender for Identity). Your hunting query should focus on failed logon attempts with high frequency from the same source IP within a short time window. You need to write a KQL query that returns the top 10 source IPs with the most failed logon attempts in the last 24 hours. Which KQL query should you use?

A.SecurityEvent | where EventID == 4625 | summarize count() by IpAddress | top 10 by count_
B.SecurityEvent | where EventID == 4625 | summarize count() by SourceIp | top 10 by count_
C.SecurityEvent | where EventID == 4624 | summarize count() by IpAddress | top 10 by count_
D.SecurityEvent | where EventID in (4624,4625) | summarize count() by IpAddress | top 10 by count_
AnswerA

Correctly filters failed logons and summarizes by source IP.

Why this answer

Option A correctly filters for EventID 4625 (failed logon), summarizes by IpAddress, and orders by count descending. Option C uses EventID 4624 (successful logon). Option B uses an incorrect field.

Option D includes successful logons.

432
MCQeasy

During a threat hunt, you want to identify processes that have made network connections to known malicious IP addresses. Which data source in Microsoft Defender for Endpoint would provide the necessary information?

A.DeviceFileEvents
B.DeviceNetworkEvents
C.DeviceProcessEvents
D.DeviceRegistryEvents
AnswerB

DeviceNetworkEvents captures outbound and inbound network connections, including destination IPs.

Why this answer

Option B is correct because DeviceNetworkEvents logs network connections including destination IP addresses. Option C is wrong because DeviceProcessEvents logs process creation, not network connections. Option A is wrong because DeviceFileEvents logs file operations.

Option D is wrong because DeviceRegistryEvents logs registry changes.

433
MCQmedium

Your organization uses Microsoft Sentinel. You have an incident that involves multiple alerts. You want to automatically assign the incident to the appropriate analyst based on the alert type. What should you use?

A.Create a playbook that assigns the incident.
B.Configure the analytics rule to set the incident owner.
C.Use a workbook to filter incidents by alert type.
D.Create an automation rule with an 'Assign incident to owner' action.
AnswerD

Automation rules can automatically assign incidents based on criteria.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can perform actions like assigning incidents to specific owners based on conditions. Option A (playbooks) is for complex automation but not ideal for simple assignment. Option C (workbooks) is for visualization.

Option B (analytics rules) defines alert conditions, not incident management.

434
MCQhard

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Defender XDR are automatically synchronized to Sentinel. You have enabled the Defender XDR connector. However, some incidents are not appearing. What should you check first?

A.Check the connector's data filter settings for severity or status.
B.Confirm that the incident is displayed in a Sentinel workbook.
C.Ensure that alert grouping is enabled in Sentinel.
D.Verify that the Microsoft Defender XDR license is active.
AnswerA

Filters can exclude incidents.

Why this answer

The Defender XDR connector in Microsoft Sentinel allows filtering of incidents based on severity and status during configuration. If incidents are not appearing, the most common cause is that the connector's data filter settings are excluding them—for example, filtering out 'Informational' severity or 'Resolved' status incidents. This is the first thing to check because the connector is enabled and working, but the filter is preventing synchronization of certain incidents.

Exam trap

The trap here is that candidates assume the connector is fully functional once enabled, overlooking the granular filter settings that control which incidents are actually ingested.

How to eliminate wrong answers

Option B is wrong because Sentinel workbooks are visualization tools that display data already ingested; they do not control incident ingestion or synchronization. Option C is wrong because alert grouping in Sentinel is a feature for grouping related alerts into incidents, but it does not affect the initial ingestion of incidents from Defender XDR. Option D is wrong because if the Defender XDR license were inactive, the connector would likely fail entirely or show a connection error, not selectively miss some incidents.

435
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from unmanaged devices for a specific cloud app. What should you configure?

A.Create a file policy with a governance action.
B.Create a session policy with device tag condition.
C.Create an app permissions policy.
D.Create an anomaly detection policy.
AnswerB

Session policies can block downloads from unmanaged devices using conditional access app control.

Why this answer

Option B is correct because session policies in Microsoft Defender for Cloud Apps allow you to control user activities in real time based on device tags. By configuring a session policy with a device tag condition (e.g., 'Device tag equals Unmanaged'), you can enforce actions like blocking downloads from unmanaged devices for a specific cloud app, leveraging reverse proxy architecture to inspect and control traffic.

Exam trap

The trap here is that candidates often confuse session policies (real-time proxy control) with file policies (data-at-rest governance) or anomaly detection (behavioral alerts), failing to recognize that device tag conditions are exclusive to session policies for conditional access on unmanaged devices.

How to eliminate wrong answers

Option A is wrong because file policies are designed to detect and govern data at rest (e.g., files stored in cloud apps) using content inspection and governance actions like quarantine or apply label, not to control real-time download actions from unmanaged devices. Option C is wrong because app permissions policies govern OAuth app permissions (e.g., third-party app access to cloud app data), not device-based download blocking. Option D is wrong because anomaly detection policies identify suspicious user or entity behavior (e.g., impossible travel, mass download) but cannot enforce device-specific conditional access like blocking downloads from unmanaged devices.

436
MCQmedium

You are reviewing a KQL query used in a Microsoft Sentinel analytics rule. The query is intended to alert when there are more than 5 alerts of the same name for the same entity type within the last hour. However, the rule is not triggering as expected. What is the most likely issue?

A.The 'summarize' operator does not support 'AlertCount' as a column name.
B.The query uses 'tostring' incorrectly.
C.The parsing of Entities array may fail if the first entity does not have a 'Type' field.
D.The 'where TimeGenerated > ago(1h)' is outside the allowed range.
AnswerC

The query assumes the first entity always has a 'Type' field, which may not be true, causing null or empty values.

Why this answer

The most likely issue is that the KQL query parses the 'Entities' array, which is a dynamic JSON field in Microsoft Sentinel alerts. If the first entity in the array does not have a 'Type' field, the parsing logic (e.g., using 'mv-expand' or accessing array indices) will fail or return null, causing the query to produce no results. This prevents the rule from triggering even when conditions are otherwise met.

Exam trap

The trap here is that candidates assume the 'Entities' array always has a consistent schema, but in practice, the first entity may lack a 'Type' field, causing the query to fail silently rather than throwing an error.

How to eliminate wrong answers

Option A is wrong because 'summarize' supports any column name, including 'AlertCount', as long as it is a valid identifier; there is no restriction on column names in KQL. Option B is wrong because 'tostring' is a valid KQL function for converting values to strings, and its incorrect use would typically cause a type conversion error, not a silent failure to trigger. Option D is wrong because 'where TimeGenerated > ago(1h)' is a standard and valid time filter in KQL; the range is not limited, and 'ago(1h)' correctly specifies the last hour.
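An added example for question 436 (not from the page): the fragile `Entities[0]` access the question describes, shown commented out, beside a version that expands every entity and tolerates entities without a `Type` field. The table, threshold and time window follow the question; the column names are those of the Sentinel SecurityAlert table.

```kql
// Added example for Q436, not from the page.
// Goal of the rule: more than 5 alerts of the same name for the same entity type
// in the last hour.
SecurityAlert
| where TimeGenerated > ago(1h)
// Fragile form (the bug the question describes): it reads only the first entity.
// When that entity has no Type, EntityType becomes an empty string, so the alert
// is counted under "" instead of its real type and per-type counts fall short
// of the threshold without any error being raised.
// | extend EntityType = tostring(parse_json(Entities)[0].Type)
//
// Robust form: Entities is a JSON string, so parse it, expand every entity,
// keep those that carry a Type, and count each alert once per
// (AlertName, EntityType) so an alert with several entities of the same type
// is not counted more than once.
| mv-expand Entity = parse_json(Entities)
| extend EntityType = tostring(Entity.Type)
| where isnotempty(EntityType)
| summarize AlertCount = dcount(SystemAlertId),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SampleAlertId = take_any(SystemAlertId)
          by AlertName, EntityType
| where AlertCount > 5
```

A quick check for the schema assumption is to run the first three operators with `| where isempty(EntityType)` and inspect which alert providers emit entities without a `Type`.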

437
MCQeasy

To hunt for malicious PowerShell encoded commands, which columns in the DeviceProcessEvents table in Microsoft 365 Defender advanced hunting should you focus on?

A.DeviceName
B.FileName
C.ProcessCommandLine
D.InitiatingProcessFileName
AnswerC

Contains the full command line, including encoded parts.

Why this answer

The ProcessCommandLine column contains the full command line, including encoded commands. Option B (FileName) only shows the executable name. Option D (InitiatingProcessFileName) shows the parent process.

Option A (DeviceName) is the machine name. The correct column is ProcessCommandLine.

438
MCQmedium

You are a threat hunter investigating a potential data exfiltration via Microsoft Teams. You need to identify if any users have shared sensitive files externally. Which hunting approach should you use?

A.Analyze Microsoft Defender for Endpoint device timeline for file activity related to Teams.
B.Run a custom detection rule in Microsoft Defender for Cloud Apps to alert on large file uploads to Teams.
C.Query the Office 365 audit log for file download events from Teams.
D.Use Microsoft Purview DLP reports to review incidents where sensitive files were shared externally via Teams.
AnswerD

DLP policies can detect and report on sensitive data shared externally, providing relevant hunting data.

Why this answer

Option D is correct because Microsoft Purview Data Loss Prevention (DLP) provides detailed reports on policy matches, including external sharing. Option C is wrong because audit logs alone are too raw. Option B is wrong because it focuses on malware.

Option A is wrong because it's about endpoint devices.

439
MCQmedium

A company uses Microsoft Defender for Cloud and wants to automatically remediate non-compliant Azure resources by deploying missing configurations (e.g., enabling diagnostics when not enabled). Which feature should they enable?

A.Azure Policy's DeployIfNotExists effect
B.Just-In-Time VM access
C.Adaptive network hardening
D.File integrity monitoring
AnswerA

Correct: DeployIfNotExists automatically deploys required configurations when a resource is non-compliant, enabling auto-remediation.

Why this answer

Azure Policy's DeployIfNotExists effect is the correct feature because it automatically remediates non-compliant Azure resources by deploying missing configurations, such as enabling diagnostic settings, when the resource is created or updated. This effect evaluates resources against a policy definition and, if the specified configuration does not exist, triggers a deployment task to apply the required settings. In Defender for Cloud, this is used to enforce security baselines by automatically correcting non-compliant resources without manual intervention.

Exam trap

The trap here is that candidates may confuse 'automatic remediation' with security controls like JIT or network hardening, but the question specifically asks about deploying missing configurations, which is a policy-based remediation feature, not a threat mitigation control.

How to eliminate wrong answers

Option B is wrong because Just-In-Time (JIT) VM access is a Defender for Cloud feature that reduces the attack surface by controlling network access to VMs, not for deploying missing configurations like diagnostics. Option C is wrong because Adaptive network hardening uses machine learning to recommend and enforce network security group rules based on traffic patterns, not for deploying missing resource configurations. Option D is wrong because File integrity monitoring (FIM) tracks changes to files and registries on VMs to detect unauthorized modifications, not for deploying missing configurations like enabling diagnostics.

440
MCQmedium

A security analyst receives an alert in Microsoft Defender XDR indicating that a user account was compromised. The analyst needs to isolate the affected device to prevent lateral movement. Which action should the analyst take first?

A.Run a full antimalware scan on the device
B.Initiate device isolation from Microsoft Defender for Endpoint
C.Reset the user's password in Microsoft Entra ID
D.Create a custom detection rule in Microsoft Sentinel
AnswerB

Device isolation immediately blocks network communication to contain the threat.

Why this answer

Option B is correct because initiating device isolation in Microsoft Defender for Endpoint is the quickest way to contain a compromised device. Option C is wrong because resetting the password alone does not isolate the device. Option A is wrong because a full scan is slow and may not stop ongoing activity.

Option D is wrong because creating a detection rule does not take immediate action.

441
MCQeasy

Your SOC team uses Microsoft Sentinel. You need to ensure that all incidents are classified and resolved within 72 hours. Currently, analysts manually update the incident status and classification. You want to automate the following: 1) If an incident is not updated within 48 hours, send a reminder to the assigned analyst via email. 2) If an incident remains open after 72 hours, automatically escalate it to the SOC manager and increase its severity. What should you implement?

A.Create an analytics rule that runs every hour and queries for old incidents.
B.Use Azure Logic Apps with a recurrence trigger to query the Sentinel API and update incidents.
C.Create a single playbook that runs on a schedule and checks all incidents.
D.Create automation rules with triggers on 'incident updated' and scheduled conditions to run playbooks for reminders and escalation.
AnswerD

Automation rules can be triggered on a schedule and perform actions on incidents.

Why this answer

Option D is correct because automation rules in Sentinel can be configured to trigger on a schedule (e.g., every 1 hour) and check incident properties. Using conditions on 'last update time' and 'status', you can send reminders via playbooks and escalate. Option A is wrong because analytics rules are for creating incidents, not for post-creation actions.

Option C is wrong because playbooks are triggered by automation rules or alerts, not directly on a schedule for existing incidents. Option B is wrong because a separate Logic App would require custom polling, which is more complex than built-in automation rules.

442
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft 365 Defender. You have a playbook that automatically isolates a device when a malware incident is confirmed. The playbook uses the Microsoft Defender for Endpoint connector. During a recent incident, the playbook failed to isolate a device because the device was not found in Defender for Endpoint. Upon investigation, you find that the device is onboarded to Microsoft Defender for Endpoint but the playbook is using an incorrect device ID format. What should you do to ensure the playbook works correctly?

A.Ensure the device is properly onboarded to Microsoft Defender for Endpoint by running the onboarding script again.
B.Reconfigure the Microsoft Defender for Endpoint connector in Sentinel to use a different API version.
C.Modify the playbook to use the device ID from the incident's entities instead of a manually entered ID.
D.Use the device name instead of the device ID in the playbook.
AnswerC

Using the entity's device ID ensures correct format.

Why this answer

The device ID format must match what Defender for Endpoint expects. Option C is correct because using the device ID from the incident entity ensures the playbook can isolate the device. Option B is wrong because the connector is already configured.

Option A is wrong because the device is already onboarded. Option D is wrong because the device ID, not the device name, is the issue.

443
MCQeasy

A security analyst is configuring a Microsoft Sentinel workspace. The analyst needs to connect a third-party firewall that sends logs via Syslog and supports a common event format (CEF). Which data connector should the analyst use to ingest these logs?

A.Common Event Format (CEF) via AMA
B.Windows Security Events via AMA
C.Azure Activity Log
D.Office 365 connector
AnswerA

This connector ingests CEF-formatted logs from syslog sources.

Why this answer

The Common Event Format (CEF) via AMA data connector is specifically designed to ingest logs from security appliances that send Syslog messages in CEF format. CEF is an industry-standard format that allows firewalls and other devices to send structured event data, and the Azure Monitor Agent (AMA) replaces the older Log Analytics Agent for this purpose. This connector parses the CEF headers and maps the fields to the appropriate Microsoft Sentinel tables, enabling efficient threat detection and analysis.

Exam trap

The trap here is that candidates may confuse the older Log Analytics Agent (which also supports CEF) with the newer AMA-based connector, or mistakenly think that any Syslog connector can handle CEF without the specific parsing logic, leading them to choose a generic Syslog option not listed here.

How to eliminate wrong answers

Option B is wrong because Windows Security Events via AMA is used to collect security logs from Windows machines, not from third-party firewalls sending Syslog/CEF data. Option C is wrong because the Azure Activity Log connector ingests subscription-level events from Azure itself, such as resource creation or policy changes, not external firewall logs. Option D is wrong because the Office 365 connector collects audit and activity logs from Microsoft 365 services like Exchange and SharePoint, not from third-party network devices.

444
MCQ · medium

Your organization uses Microsoft Defender for Cloud and you need to ensure that security recommendations are automatically remediated for non-compliant resources. You have enabled 'Auto provisioning' for the Log Analytics agent. What additional step is required to enable automatic remediation?

A.No additional step is required; auto provisioning automatically remediates
B.Configure manual remediation in Defender for Cloud
C.Enable the 'DeployIfNotExists' policy for specific recommendations
D.Create a custom Azure Policy initiative with audit effect
Answer: C

DeployIfNotExists policies can automatically remediate non-compliant resources.

Why this answer

Option C is correct because enabling 'Auto provisioning' for the Log Analytics agent only ensures the agent is installed on VMs, but does not automatically remediate security recommendations. To achieve automatic remediation, you must enable the 'DeployIfNotExists' effect on specific Azure Policy definitions (e.g., 'System updates should be installed on your machines'), which triggers remediation tasks when resources are non-compliant. This is a separate step in Defender for Cloud's 'Security policy' blade under 'Settings & monitoring'.

Exam trap

The trap here is that candidates confuse 'Auto provisioning' (which only deploys the Log Analytics agent) with automatic remediation of all security recommendations, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because 'Auto provisioning' only handles agent deployment, not remediation of recommendations; it does not automatically fix non-compliant resources. Option B is wrong because 'manual remediation' requires human intervention to apply fixes, which contradicts the goal of automatic remediation. Option D is wrong because creating a custom Azure Policy initiative with 'audit' effect only logs non-compliance without taking any corrective action; you need 'DeployIfNotExists' or 'Modify' effects for automatic remediation.

445
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all cloud security alerts are automatically ingested into Sentinel. What should you configure?

A.Configure the Microsoft 365 Defender data connector.
B.Configure the Azure Activity data connector.
C.Create a custom log table and a PowerShell script to push alerts.
D.Configure the Microsoft Defender for Cloud data connector (Legacy).
Answer: D

This connector ingests security alerts from Defender for Cloud into Sentinel.

Why this answer

The Microsoft Defender for Cloud data connector (Legacy) is the correct choice because it specifically ingests security alerts from Microsoft Defender for Cloud into Microsoft Sentinel. This connector ensures that all alerts generated by Defender for Cloud's security policies and threat detection are automatically streamed into Sentinel for centralized monitoring and incident response.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender data connector (which handles endpoint and Office alerts) with the Defender for Cloud data connector (which handles cloud security alerts), leading them to select option A incorrectly.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Defender data connector ingests alerts from Microsoft 365 Defender (e.g., Defender for Endpoint, Defender for Office 365), not from Microsoft Defender for Cloud. Option B is wrong because the Azure Activity data connector ingests subscription-level operational logs (e.g., resource creation, policy changes) from the Azure Activity Log, not security alerts from Defender for Cloud. Option C is wrong because creating a custom log table and a PowerShell script is an inefficient, manual workaround that bypasses the native, automated integration provided by the Defender for Cloud data connector; it is not the recommended or supported method for this requirement.

446
MCQ · easy

A security administrator in Microsoft Defender for Cloud notices that the Secure Score is lower than expected. Which action would most effectively improve the Secure Score by reducing the attack surface?

A.Enable Just-in-Time (JIT) VM access for all virtual machines.
B.Configure auditing on all SQL databases.
C.Disable all low-severity security alerts in the subscription.
D.Install EDR agents on all on-premises servers.
Answer: A

JIT is a built-in recommendation in Defender for Cloud's Secure Score controls; enabling it improves the score and reduces attack surface.

Why this answer

Enabling Just-in-Time (JIT) VM access reduces the attack surface by locking down inbound traffic to Azure VMs, allowing only authorized users to open specific ports (e.g., RDP 3389, SSH 22) for a limited time. This directly improves the Secure Score because Microsoft Defender for Cloud includes JIT recommendations as a high-impact security control, and implementing it reduces the number of exposed management ports that attackers can target.

Exam trap

The trap here is that candidates often confuse 'reducing the attack surface' with 'improving detection' (e.g., enabling auditing or installing EDR agents), but the Secure Score's attack surface reduction category specifically rewards proactive controls like JIT that limit exposure, not reactive monitoring or alert management.

How to eliminate wrong answers

Option B is wrong because configuring auditing on SQL databases improves compliance and threat detection but does not directly reduce the attack surface; it is a monitoring control, not a preventive one that lowers the Secure Score's attack surface reduction category. Option C is wrong because disabling low-severity security alerts does not improve the Secure Score; it only suppresses notifications and may hide real threats, while the Secure Score is based on implementing security recommendations, not alert suppression. Option D is wrong because installing EDR agents on on-premises servers enhances detection and response but does not directly reduce the attack surface in the context of Microsoft Defender for Cloud's Secure Score; the score focuses on cloud-specific controls like JIT, adaptive application controls, and vulnerability assessments.

447
MCQ · medium

You are a security analyst for a company that uses Microsoft Defender for Office 365. You receive an incident indicating that a user reported a phishing email. You need to investigate the email and determine if it was delivered to other users. You also need to ensure that similar emails are blocked in the future. What should you do?

A.Use Threat Explorer to search for similar emails and delete them.
B.Submit the email to Microsoft for analysis and quarantine it.
C.Create a Safe Links policy to block URLs in the email.
D.Run a simulated phishing attack to test user awareness.
Answer: A

Threat Explorer can find and take action on similar emails.

Why this answer

Threat Explorer in Microsoft Defender for Office 365 allows you to search for and take bulk action on emails matching specific criteria, such as sender, subject, or URL. By using Threat Explorer, you can identify all instances of the reported phishing email across your tenant and delete them from user mailboxes, which directly addresses the need to determine if the email was delivered to other users and to remediate it. This tool is designed for hunting and remediation, making it the correct choice for this investigation.

Exam trap

The trap here is that candidates often confuse the investigative and remediation capabilities of Threat Explorer with the policy-based prevention features of Safe Links or Safe Attachments, leading them to choose a policy creation option (C) instead of the correct hunting and removal tool (A).

How to eliminate wrong answers

Option B is wrong because submitting the email to Microsoft for analysis is a reactive step that helps improve detection but does not immediately identify other recipients or remove the email from their mailboxes; quarantine is a separate action that may not cover all delivery scenarios. Option C is wrong because creating a Safe Links policy blocks URLs in future emails but does not help investigate whether the current phishing email was delivered to other users or remove it from their inboxes. Option D is wrong because running a simulated phishing attack tests user awareness but does not investigate the current incident or block similar emails in the future.

448
MCQ · medium

After a security incident, you need to collect forensic evidence from a Windows 10 machine. Which Microsoft tool should you use to create a memory dump?

A.Remote Desktop Protocol (RDP)
B.Microsoft Defender for Endpoint Live Response
C.Microsoft Crash Dump Tool (e.g., NotMyFault or Sysinternals tools)
D.Microsoft Defender for Cloud Apps
Answer: C

Sysinternals tools such as NotMyFault can create memory dumps (WinDbg or similar tools are also commonly used); among the Microsoft tools listed here, the Crash Dump Tool set is the correct answer.

Why this answer

Option C is correct. Microsoft's official tool for memory dump creation is the Microsoft Crash Dump Tool (or other Sysinternals tools). Option A (RDP) is for remote connectivity. Option B (Live Response) is for incident response. Option D is for endpoint detection.

449
Multi-Select · hard

Which THREE elements are essential when creating a custom incident response playbook in Microsoft Sentinel? (Choose THREE.)

Select 3 answers
A.Appropriate permissions via managed identity or service principal for the playbook to execute actions.
B.A mandatory approval step before any action is taken.
C.One or more actions using connectors like Azure Automation or Logic Apps.
D.An analytics rule that generates the incident.
E.A trigger condition based on an incident creation or alert.
Answers: A, C, E

Permissions are required for the playbook to interact with other services.

Why this answer

Option E is correct because triggers define when the playbook runs. Option C is correct because actions are the core of the playbook. Option A is correct because playbooks need proper permissions to interact with other services.

Option D is wrong because playbooks are separate from analytics rules. Option B is wrong because a mandatory approval step is not essential; playbooks can be triggered manually or automatically.

450
MCQ · hard

Your company uses Microsoft Defender for Cloud Apps. You discover that a user's account is compromised and used to access a sensitive SharePoint site from an unfamiliar IP. You need to immediately revoke the user's session and force them to re-authenticate. Which action should you take?

A.Add the IP to the blocked IP addresses list.
B.Create a governance action to suspend the user.
C.Send a notification to the user to change their password.
D.Apply a policy with the 'Revoke session' action.
Answer: D

Revoking the session forces re-authentication and ends the current access.

Why this answer

Option D is correct because the 'Revoke session' policy action in Defender for Cloud Apps terminates the user's current session and forces re-authentication. Option B (Suspend user) is too drastic and may disrupt legitimate access. Option A (Block IP) would block all users from that IP, which may not be desired. Option C (Notify user) is not immediate and does not stop the session.
