Microsoft Security Operations Analyst (SC-200) — Questions 526-600

1639 questions total · 22 pages · All types, answers revealed

Page 8 of 22
526
MCQ · medium

A SOC team uses Microsoft Sentinel and wants to ingest custom log events from an on-premises Linux application that writes to a local file. The team sets up the Log Analytics agent on the Linux server and configures a data connector. Which of the following is the necessary configuration step to collect the custom log file?

A.Create a Syslog data connector and specify the facility and severity to filter the application logs from /var/log.
B.Configure the Log Analytics agent to collect performance counters for the application process.
C.Use the Custom Logs feature in the Log Analytics workspace to specify the path to the application log file and define the log type name.
D.Deploy a Log Analytics gateway and configure the application to write directly to the gateway using the HTTP Data Collector API.
Answer: C

Correct. Custom Logs allow ingestion of text files by monitoring specified file paths and parsing lines into custom logs.

Why this answer

Option C is correct because the Custom Logs feature in the Log Analytics workspace is designed to ingest text-based log files from on-premises Linux servers via the Log Analytics agent. You specify the exact file path (e.g., /var/log/myapp.log) and a custom log type name (e.g., MyApp_CL); the agent tails the file, sends each new line as a record, and the data lands in a custom table of that name with the raw line in RawData, to be parsed at query time. This is the only option listed that collects an arbitrary application file directly, without routing it through syslog or writing API code. Practitioner caveat: the Log Analytics agent (MMA) was retired on 31 August 2024; the equivalent on the Azure Monitor Agent is a data collection rule with a custom text log data source pointing at the same file path and destination table, so newer material describes the DCR route.

Exam trap

The trap here is that candidates confuse syslog data connectors with custom log file collection, assuming any Linux log file can be ingested via syslog, when in fact syslog only handles logs sent to the syslog daemon, not arbitrary application files.

How to eliminate wrong answers

Option A is wrong because the Syslog data connector receives messages that the local syslog daemon (rsyslog or syslog-ng) forwards to the agent, filtered by facility and severity; it does not read files by path, so an application that writes straight to its own log file never reaches it unless the application is reconfigured to log through syslog. Option B is wrong because performance counters collect metrics such as CPU or memory usage for a process, not log file content. Option D is wrong because the Log Analytics gateway is an HTTP proxy for agents without direct internet egress, not a collection endpoint, and the HTTP Data Collector API requires the application itself to POST JSON payloads, which is code-based rather than file-based collection.

527
MCQ · medium

A security analyst is using Microsoft 365 Defender and discovers that a legitimate business application has been incorrectly blocked as malicious by an automated investigation. The analyst needs to unblock this application immediately so it can run on all endpoints in the organization. What action should the analyst take from the file's entity page in Microsoft 365 Defender?

A.Add an indicator to allow the file
B.Submit the file to Microsoft for analysis
C.Remove the existing indicator for the file
D.Restore the file from quarantine
Answer: A

Correct. Creating an allow indicator for the file's hash or certificate forces Microsoft 365 Defender to treat the file as trusted, preventing future blocks.

Why this answer

Adding an allow indicator for the file's hash (SHA-256, SHA-1 or MD5) creates a custom indicator in Microsoft Defender XDR that overrides the automated investigation's verdict. Devices in the indicator's scope stop blocking the file and Defender Antivirus treats it as allowed, so the application runs again without waiting on any detection change. Indicators are an explicit organisation-level policy rather than an entry in a threat intelligence feed, and they take precedence over the automated verdict. Two practical checks: scope the indicator to all device groups if the unblock must be organisation-wide, and remember that indicator enforcement needs Defender Antivirus in active mode with cloud-delivered protection on.

Exam trap

The trap here is that candidates confuse the immediate unblocking action (adding an allow indicator) with the longer-term feedback process (submitting to Microsoft) or with post-remediation steps (restoring from quarantine), failing to recognize that custom indicators provide real-time override capability for automated investigations.

How to eliminate wrong answers

Option B is wrong because submitting the file to Microsoft for analysis is a feedback mechanism for improving detection algorithms, not an immediate remediation action to unblock a file that is already blocked. Option C is wrong because removing an existing indicator would only eliminate a previous custom rule; it does not address the current block caused by the automated investigation's verdict. Option D is wrong because restoring the file from quarantine applies only to files already quarantined on individual endpoints, not to preventing future blocks across all endpoints from the automated investigation.

528
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to receive alerts when a user accesses a cloud app from a location that is not whitelisted. What should you configure?

A.Create a conditional access policy in Microsoft Entra ID.
B.Set up a session policy in Microsoft Defender for Cloud Apps.
C.Configure an access policy in Microsoft Defender for Cloud Apps.
D.Create an activity policy in Microsoft Defender for Cloud Apps.
Answer: D

Activity policies can trigger alerts based on location.

Why this answer

Option D is correct because Defender for Cloud Apps activity policies can filter on the activity's location (for example, location not in the approved list) and raise an alert when a matching activity occurs. Option A is incorrect because a Conditional Access policy in Microsoft Entra ID enforces or blocks access at sign-in; it does not generate Defender for Cloud Apps alerts. Option B is incorrect because session policies apply in-session controls (such as blocking downloads) through Conditional Access App Control, primarily to govern rather than to alert on activity. Option C is incorrect because access policies allow or block the session at connection time; the question asks for an alert on activity, which is what the activity policy is for.

529
Drag & Drop · medium

Order the steps to perform a threat hunting exercise using Microsoft 365 Defender advanced hunting.


Why this order

Threat hunting starts with a hypothesis, then querying, analyzing, and documenting results.

530
Multi-Select · medium

Which TWO of the following are valid ways to automate incident response in Microsoft Sentinel?

Select 2 answers
A.Create a playbook using Azure Logic Apps.
B.Use Azure Functions to run a script.
C.Use PowerShell to modify incidents via API.
D.Use Microsoft Power Automate to create a flow.
E.Create an automation rule that triggers a playbook.
Answers: A, E

Playbooks are Logic Apps workflows.

Why this answer

Option A is correct because Azure Logic Apps is the native workflow engine for Microsoft Sentinel playbooks, allowing security analysts to automate incident response actions such as blocking IPs, resetting passwords, or enriching alerts. Playbooks are triggered by automation rules or directly from incidents, and they leverage hundreds of connectors to integrate with external systems. This is the primary and recommended method for building automated response workflows in Sentinel.

Exam trap

The trap here is that candidates often confuse 'automation rule' with 'playbook' — an automation rule is the trigger condition, while a playbook is the action workflow; both are required for full automation, and the exam expects you to recognize that creating a playbook (A) and creating an automation rule that triggers a playbook (E) are the two valid steps in the process.

531
MCQ · hard

A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?

A.Create a Sentinel watchlist of known attacker IPs and compare with server logs
B.Enable Sysmon on the server and use its Event ID 3 (network connection) to find the IP
C.Ingest Windows Security Event logs (Event ID 4624) from the server into a Log Analytics workspace, and join with SigninLogs on account name and timestamp
D.Use the DeviceLogonEvents table in Microsoft Defender XDR advanced hunting
Answer: C

This correlates on-premises logon events with cloud sign-ins to find the compromise path.

Why this answer

Option C is correct because the server's Security Event ID 4624 (successful logon) records the account, logon type and source address of the session, and that account can then be joined against Microsoft Entra ID SigninLogs by account name within a short time window to find the cloud sign-in from the new IP. Option D (DeviceLogonEvents) only exists for devices onboarded to Microsoft Defender for Endpoint; an on-premises server without the MDE sensor has no rows there. Option B (Sysmon Event ID 3) requires deploying and configuring Sysmon and records the server's own outbound connections, not the cloud sign-in. Option A (a Sentinel watchlist of known attacker IPs) is a static list; the question describes a new, previously unseen IP, so there is nothing to match.
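The correlation in Option C, written out as an added KQL example (not part of the question bank). It assumes the server's Security events land in the SecurityEvent table of the same workspace as SigninLogs, that the on-premises sAMAccountName equals the local part of the cloud UPN (often untrue across forests; adjust the key), and that "new IP" means an address the account has not used successfully in the previous 14 days. The pivot window, baseline length and logon types are assumptions.

```kql
// Added example (not from the question bank): on-prem logon -> cloud sign-in pivot.
// Assumptions: SecurityEvent and SigninLogs share a workspace; TargetUserName equals
// the local part of UserPrincipalName; "new IP" = not seen for the account in 14 days.
let pivotWindow = 1h;
let baselineDays = 14d;
// Baseline of IPs each account has successfully signed in from before today.
let knownIPs =
    SigninLogs
    | where TimeGenerated between (ago(baselineDays) .. ago(1d))
    | where ResultType == "0"
    | summarize KnownIPs = make_set(IPAddress, 1000) by UserPrincipalName;
// On-prem logons on member servers: interactive (2), network (3), RDP (10).
let serverLogons =
    SecurityEvent
    | where TimeGenerated > ago(1d)
    | where EventID == 4624 and LogonType in (2, 3, 10)
    | where AccountType == "User" and TargetUserName !endswith "$"
    | project ServerLogonTime = TimeGenerated, Computer, TargetUserName,
              TargetDomainName, LogonType, ServerSourceIP = IpAddress;
// Cloud sign-ins on the same day, keyed by the UPN local part.
let cloudSignIns =
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == "0"
    | extend TargetUserName = tostring(split(UserPrincipalName, "@")[0])
    | project CloudSignInTime = TimeGenerated, TargetUserName, UserPrincipalName,
              CloudIP = IPAddress, AppDisplayName, Location;
serverLogons
| join kind=inner cloudSignIns on TargetUserName
// Keep cloud sign-ins that follow the server logon within the pivot window.
| where CloudSignInTime between (ServerLogonTime .. (ServerLogonTime + pivotWindow))
| join kind=leftouter knownIPs on UserPrincipalName
// "New IP": the account has no baseline at all, or the IP is absent from it.
| where isnull(KnownIPs) or not(set_has_element(KnownIPs, CloudIP))
| project ServerLogonTime, Computer, ServerSourceIP, LogonType, TargetDomainName,
          UserPrincipalName, CloudSignInTime, CloudIP, Location, AppDisplayName
| order by ServerLogonTime asc
```

The 4624 record identifies the account and the on-premises source, not the attacker's cloud address, so the pivot is by account and time; the comparison against the baseline set is what turns "a sign-in" into "a sign-in from a new IP". If the attacker's cloud attempt failed, the ResultType filter on the cloud side hides it; drop that line to include failures.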

532
MCQ · easy

A SOC analyst needs to investigate a potential data exfiltration incident involving a user uploading files to an external cloud storage service. Which Microsoft Sentinel data source would provide the MOST relevant information?

A.SigninLogs
B.CommonSecurityLog
C.AzureActivity
D.OfficeActivity
Answer: D

OfficeActivity tracks file operations (upload, download, share) in SharePoint and OneDrive.

Why this answer

Option D is correct because OfficeActivity carries the Microsoft 365 unified audit log, including SharePoint and OneDrive file operations such as FileUploaded, FileDownloaded and SharingSet. Option A is wrong because SigninLogs only records authentication events. Option C is wrong because AzureActivity records Azure Resource Manager control-plane operations, not file activity. Option B is wrong because CommonSecurityLog holds CEF data from firewalls and proxies.

Practitioner caveat: OfficeActivity only sees Microsoft 365 workloads. If the "external cloud storage service" is a third-party app, the evidence lives in Defender for Cloud Apps data (CloudAppEvents, McasShadowItReporting) or in the proxy and firewall logs that arrive in CommonSecurityLog, which is where the investigation goes next.

533
MCQ · easy

A security analyst is investigating a suspicious process on an endpoint and needs to see all network connections initiated by that process. The analyst knows the ProcessId and DeviceName. Which advanced hunting table in Microsoft 365 Defender should the analyst query to retrieve network connection details associated with this process?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceEvents
D.IdentityLogonEvents
Answer: B

Correct. DeviceNetworkEvents logs connections together with the process that made them (InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine), so the suspicious process can be matched directly.

Why this answer

The DeviceNetworkEvents table captures connection events with LocalIP/LocalPort, RemoteIP/RemotePort, Protocol, RemoteUrl and an ActionType (for example ConnectionSuccess, ConnectionFailed, ConnectionRequest), plus the initiating process columns. The process that opened the connection appears as InitiatingProcessId, not ProcessId, and because Windows reuses PIDs the match should include InitiatingProcessCreationTime (or a tight time window) alongside DeviceName; PID plus device name alone can pull in an unrelated later process that inherited the same PID.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which shows process creation) with DeviceNetworkEvents (which shows network activity), assuming process events include network details, but Microsoft Defender XDR separates these concerns into distinct tables for granular hunting.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation and termination events, not network connections; it would show the process start but not its network activity. Option C is wrong because DeviceEvents is a generic table that includes various security events (e.g., Windows Defender alerts, file modifications) but does not specifically contain network connection details with process-to-connection mapping. Option D is wrong because IdentityLogonEvents tracks user authentication and logon events (e.g., successful/failed logins, Kerberos tickets) and has no relation to process-level network connections.
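An added KQL example (not from the question bank) of the query this question describes, extended with the PID-reuse guard from the explanation: the process is pinned to its creation time by joining DeviceProcessEvents, and the connections are then summarised per destination. The device name, PID and 7-day window are constructed placeholders.

```kql
// Added example (not from the question bank): all network activity of one process.
// Assumptions: DeviceName and ProcessId are placeholders; the 7-day window sits
// inside the 30-day advanced hunting retention.
let targetDevice = "ws-finance-07.contoso.local";
let targetPid = 4812;
// Pin the PID to a creation time: Windows reuses PIDs, so PID alone is ambiguous.
let targetProcess =
    DeviceProcessEvents
    | where Timestamp > ago(7d)
    | where DeviceName =~ targetDevice and ProcessId == targetPid
    | project DeviceName, ProcessId, ProcessCreationTime, FileName,
              ProcessCommandLine, AccountName, SHA256;
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where DeviceName =~ targetDevice and InitiatingProcessId == targetPid
// Join on device + PID + creation time so a later, unrelated process with the
// same PID is not attributed to the suspicious one.
| join kind=inner targetProcess on DeviceName,
      $left.InitiatingProcessId == $right.ProcessId,
      $left.InitiatingProcessCreationTime == $right.ProcessCreationTime
| summarize ConnectionCount = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Actions = make_set(ActionType, 10),
            Ports = make_set(RemotePort, 20)
          by DeviceName, FileName, ProcessCommandLine, AccountName, SHA256,
             RemoteIP, RemoteIPType, RemoteUrl
| order by ConnectionCount desc
```

If DeviceProcessEvents returns more than one row for the PID in the window (the PID was reused), the join keeps each instance separate, which is exactly the behaviour wanted; the analyst then picks the creation time that matches the alert.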

534
Multi-Select · easy

Which TWO of the following are required to enable Microsoft Sentinel UEBA (User and Entity Behavior Analytics)?

Select 2 answers
A.Enable UEBA in the Microsoft Sentinel workspace settings.
B.Integrate Microsoft Defender for Cloud Apps.
C.Purchase a separate UEBA license.
D.Configure Azure Key Vault to store UEBA data.
E.Ingest Microsoft Entra ID sign-in logs and audit logs.
Answers: A, E

UEBA must be explicitly enabled and fed with identity data.

Why this answer

Options A and E are correct. UEBA is switched on per workspace in the entity behavior settings, and it needs at least one of its supported data sources (Microsoft Entra ID sign-in and audit logs, Azure Activity, Security Events) to build behavior baselines; the Entra ID logs are the ones the question lists. Option B is wrong because Microsoft Defender for Cloud Apps is not required. Option C is wrong because UEBA is included with Microsoft Sentinel and is not a separate SKU. Option D is wrong because UEBA stores its results in the BehaviorAnalytics and related tables of the workspace, not in Azure Key Vault.

535
MCQ · medium

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule configured as above. An incident was created for multiple alerts triggering within a 5-hour window. The SOC team needs to investigate each alert separately because they involve different user accounts. What should the analyst do to ensure each alert generates a separate incident?

A.Change the matchingMethod to 'AnyAlert'.
B.Set 'enabled' to false under groupingConfiguration.
C.Set 'reopenClosedIncident' to true.
D.Change the lookbackDuration to PT0H.
Answer: B

Disabling alert grouping ensures each alert creates its own incident.

Why this answer

Option B is correct because setting enabled to false under groupingConfiguration turns off alert grouping for the rule, so every alert the rule raises becomes a separate incident. Option A is wrong because matchingMethod AnyAlert groups more aggressively (every alert from the rule within the lookback joins the same incident), the opposite of what is needed; AllEntities is the method the exhibit already has. Option C is wrong because reopenClosedIncident only controls whether a new alert reopens a closed incident instead of creating a new one. Option D is wrong because lookbackDuration PT0H shrinks the grouping window but leaves grouping enabled; the supported control for one incident per alert is the enabled flag.

536
MCQ · hard

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics) enabled. The SOC team notices that UEBA is not generating any anomalies for a specific user group. What is the most likely cause?

A.The user group is excluded from Identity Protection.
B.The data history for that user group is less than the required baseline period.
C.The user group is not being monitored by any data connector.
D.The analytics rules for UEBA are not enabled.
Answer: B

UEBA requires a minimum of 21 days of data to establish a baseline before anomalies can be detected.

Why this answer

Option B is correct because UEBA needs a sufficiently long history for a user and its peer group before its models can score activity as anomalous; the page gives 21 days. Option D is wrong because UEBA anomalies come from its own machine-learning models, not from scheduled analytics rules (analytics rules can consume UEBA output, but they do not produce it). Option C is wrong because UEBA works with any of its supported data connectors that report user activity; a group reaching the workspace through them is monitored. Option A is wrong because Microsoft Entra ID Protection exclusions affect Identity Protection risk detections, not Sentinel UEBA baselines.

537
MCQ · medium

Your organization has a Microsoft Sentinel workspace that ingests logs from Azure resources, Microsoft 365, and third-party firewalls. You need to ensure that data retention for Azure Activity logs complies with a regulatory requirement of 3 years, while keeping costs low for other data types. What should you do?

A.Use the Archive tier for Azure Activity logs and set the total retention period to 3 years.
B.Set the workspace retention to 3 years.
C.Configure a data retention policy on the AzureActivity table to 3 years.
D.Enable Basic Logs plan on the AzureActivity table.
Answer: C

This targets only Azure Activity logs, meeting compliance while keeping costs low.

Why this answer

Option C is correct because Microsoft Sentinel, running on a Log Analytics workspace, lets you set a retention policy on a single table (e.g., AzureActivity) independently of the workspace default: interactive retention up to 2 years, and a total retention of up to 12 years with the remainder held in the archive tier. Setting a 3-year total on AzureActivity meets the regulatory requirement for that table while the workspace default, and therefore every other table, stays shorter and cheaper.

Exam trap

The trap here is that candidates often confuse workspace-level retention with table-level retention, assuming that setting the workspace retention to 3 years is the only way to meet the requirement, when in fact table-level policies allow granular control without affecting other data types.

How to eliminate wrong answers

Option A is wrong as phrased because the archive tier is not something you "use" on its own; it is the low-cost state data moves into once the table's interactive retention expires, and both the interactive and the total period are set in the same table-level retention policy, which is what Option C describes. Option B is wrong because a 3-year workspace retention applies to every table, raising retention costs for data that does not need it. Option D is wrong because Basic Logs is a table plan, not a retention setting: it lowers the ingestion price at the cost of limited KQL and a short fixed interactive retention, and it still needs a retention policy to reach 3 years.

538
Multi-Select · hard

Which TWO are required to enable Microsoft Sentinel to use AI-generated incident summaries?

Select 2 answers
A.The Security Reader role assigned to the user
B.Microsoft Copilot for Security enabled
C.An Azure OpenAI service instance deployed
D.A Log Analytics workspace with a premium pricing tier
E.A Power BI Pro license
Answers: A, B

Users need appropriate permissions to view AI summaries.

Why this answer

Microsoft Sentinel's AI-generated incident summaries require Microsoft Copilot for Security to be enabled, as this feature leverages Copilot's natural language processing capabilities to summarize incidents. Additionally, the user must have the Security Reader role assigned to access and view these summaries within Sentinel, ensuring proper permissions for security data.

Exam trap

The trap here is that candidates assume a separate Azure OpenAI instance or a "premium" Log Analytics tier is needed. Microsoft Copilot for Security is provisioned separately and billed by capacity (Security Compute Units); it performs the AI processing itself, so no Azure OpenAI resource is deployed by the customer, and Log Analytics has no premium pricing tier to enable.

539
MCQ · medium

You are managing a Microsoft Sentinel environment that ingests data from multiple sources: Microsoft 365, Azure Activity, and custom logs via AMA. The SOC manager has requested that all security events from Windows servers be collected and stored for 90 days for compliance purposes. You have configured the Windows Security Events via AMA data connector to collect all events (Event ID 4624, 4625, etc.) and set the workspace retention to 90 days. After a week, you notice that the daily ingested volume is higher than expected, exceeding the budget. You analyze the data and find that many low-severity informational events are being ingested, such as Event ID 5156 (Windows Filtering Platform allowed connection). The manager confirms that only security-relevant events are needed. What should you do to reduce ingestion volume while still meeting compliance requirements?

A.Reduce the workspace retention period to 30 days to lower storage costs.
B.Configure the Azure Activity data connector to filter out low-severity events.
C.Modify the data collection rule (DCR) for the Windows Security Events connector to use a custom XPath query that excludes informational events (e.g., exclude Event ID 5156).
D.Disable the AMA-based connector and use the legacy MMA-based connector instead.
Answer: C

Custom XPath filtering reduces ingestion by excluding non-required events.

Why this answer

Option C is correct because the AMA data collection rule for Windows Security Events supports XPath filtering per event channel, so a Custom event set can drop noisy IDs such as 5156 before they are ingested; the connector's Common and Minimal preset sets are a coarser way to do the same. Also consider turning off the Filtering Platform Connection audit subcategory at the source, since 5156 is produced by an audit policy setting and is rarely security-relevant at scale. Option A is wrong because cutting retention to 30 days breaks the 90-day compliance requirement and does nothing for ingestion volume. Option B is wrong because the Azure Activity connector collects Azure control-plane logs, not Windows events. Option D is wrong because the Log Analytics agent (MMA) was retired in August 2024; moving back to it is not supportable and gives no better filtering.

540
MCQ · hard

You are a SOC analyst using Microsoft Sentinel. You have a scheduled analytics rule that generates incidents from KQL queries. Recently, incidents are being created but automatically closed within minutes without any actions taken. You suspect a configuration issue. What should you check first?

A.Verify the 'Alert grouping' settings in the analytics rule; they might be grouping alerts incorrectly.
B.Check if the analytics rule has a 'Suppression' setting enabled that causes the incident to close.
C.Review the incident automation rules that might have a 'Close incident' action triggered by a condition.
D.Examine the entity mapping configuration; it might be causing the incident to close automatically.
Answer: C

Automation rules can automatically close incidents based on conditions like 'Alert severity equals Low'.

Why this answer

Option C is correct because automation rules can set an incident's status to Closed when their conditions match (severity, analytics rule name, entity values and so on), and they run on incident creation, which matches the symptom of incidents closing within minutes with no analyst involved; the incident's activity log will name the automation rule as the actor. Option B is wrong because a scheduled rule's suppression setting stops the rule from running again for a period after it fires; it prevents new alerts, it does not close existing incidents. Option A is wrong because alert grouping decides how alerts are combined into incidents, not whether incidents are closed. Option D is wrong because entity mapping only decides which query columns become entities on the alert.

541
MCQ · medium

You are managing a Microsoft Defender XDR environment. The security team wants to receive email notifications when a new incident is created with severity 'High' or 'Medium'. They also want to ensure that notifications are sent only for incidents that are not automatically resolved by AIR. What should you configure?

A.Create a playbook in Microsoft Sentinel that sends an email when an incident is created.
B.Configure an automation rule in Microsoft Sentinel to send email notifications.
C.Create an email notification rule in Microsoft Defender XDR with conditions for severity and status set to 'Active'.
D.Configure alert service settings in the Microsoft 365 Defender portal to send emails for high and medium severity alerts.
Answer: C

Email notification rules in Defender XDR can filter by severity and status.

Why this answer

Option C is correct because Defender XDR incident email notifications (Settings > Microsoft Defender XDR > Email notifications > Incidents) are scoped by severity and, per the question, to active incidents rather than ones AIR has already resolved. Option A is wrong because a Sentinel playbook is response automation and, unless Sentinel is connected to Defender XDR, would not see these incidents at all. Option B is wrong for the same reason: Sentinel automation rules act on Sentinel incidents, and the environment in the question is Defender XDR. Option D is wrong because there is no "alert service settings" feature; the Defender XDR feature is the email notification rule.

542
Multi-Select · hard

Which THREE of the following are valid methods to reduce the cost of Microsoft Sentinel data ingestion?

Select 3 answers
A.Configure Basic logs for high-volume, low-value data sources.
B.Use analytics rules with efficient KQL queries to reduce false positives.
C.Set a daily ingestion cap on the Log Analytics workspace.
D.Enable Sentinel on premium storage accounts.
E.Increase the data retention period to 90 days.
Answers: A, B, C

Basic logs are cheaper to ingest.

Why this answer

A is correct because Basic logs carry a lower ingestion price (roughly a quarter of the Analytics logs rate) for high-volume, low-value sources such as verbose firewall or debug events; routing those tables to the Basic plan cuts the per-GB charge while keeping the data available for investigations, at the cost of limited KQL and no use in scheduled analytics rules. C is correct because a daily cap stops billing once the cap is reached, but treat it as a budget guard rather than a tuning control: once the cap is hit, further data is discarded for the rest of the day and detections lose coverage, so set it well above normal volume and alert on the record the workspace writes to the Operation table when the cap triggers.

Exam trap

The trap here is that candidates confuse data retention costs with ingestion costs, assuming that lowering retention (or increasing it) directly reduces the cost of bringing data into Sentinel, when in fact ingestion volume is the primary cost driver and retention is a separate storage charge.

543
Multi-Select · hard

Which THREE data sources in Microsoft Sentinel can be used to detect lateral movement in a network? (Choose three.)

Select 3 answers
A.DNS logs
B.Microsoft Defender for Endpoint (device events)
C.Windows Event Logs (Event ID 5140)
D.Windows Security Events (Event ID 4624)
E.Microsoft Entra ID sign-in logs
Answers: B, C, D

Defender for Endpoint provides process creation and network connections that can reveal lateral movement.

Why this answer

B, C, and D are correct. Windows Security Events (Event ID 4624) show logons, and logon type 3 (network) from another workstation's address is the classic sign of an account hopping between hosts. Windows Event ID 5140 records access to a network share; the ADMIN$ and C$ administrative shares in particular are used by PsExec-style tooling, and note that 5140 is only generated when the Audit File Share subcategory is enabled. Microsoft Defender for Endpoint device events (process creation, network connections, logons) give the richest view of the same movement. E is wrong because Microsoft Entra ID sign-in logs describe cloud authentication, not host-to-host movement inside the network. A is wrong because DNS logs show name resolution, which at best hints at reconnaissance rather than the lateral logon or share access itself.

544
Multi-Select · hard

Your organization uses Microsoft Sentinel with multiple workspaces. You need to create a unified incident queue across all workspaces. Which TWO solutions should you consider?

Select 2 answers
A.Use cross-workspace queries in workbooks.
B.Consolidate all data into a single Log Analytics workspace.
C.Configure incident grouping rules in Microsoft Sentinel.
D.Use Azure Policy to enforce workspace configuration.
E.Deploy multiple playbooks to synchronize incidents.
Answers: B, C

A single workspace provides a unified incident queue.

Why this answer

Options B and C are correct. Consolidating into one workspace is the simplest way to get one incident queue, and incident grouping rules combine related alerts into single incidents. Option A (cross-workspace queries in workbooks) can report across workspaces but does not merge the incident queues. Option E (multiple playbooks) would at best copy incidents around and does not unify them. Option D (Azure Policy) standardises configuration but creates no shared queue.

Practitioner note: alert grouping is configured per analytics rule inside a workspace. Where consolidation is not possible, Sentinel's multiple-workspace incident view (with Azure Lighthouse for cross-tenant cases) is the supported way to see incidents from several workspaces in one list.

545
MCQ · medium

A SOC analyst needs to create a Microsoft Sentinel scheduled analytics rule that triggers when an Microsoft Entra ID user performs more than 10 failed sign-in attempts from different IP addresses within 15 minutes, using the SigninLogs table. Which KQL query aggregate pattern should be used?

A.SigninLogs | summarize FailedCount = count() by UserPrincipalName, IPAddress, bin(TimeGenerated, 15m) | where FailedCount > 10
B.SigninLogs | summarize DistinctIPs = dcount(IPAddress) by UserPrincipalName, bin(TimeGenerated, 15m) | where DistinctIPs > 10
C.SigninLogs | summarize DistinctIPs = count() by UserPrincipalName, IPAddress | where DistinctIPs > 10
D.SigninLogs | where Status contains 'Failed' | summarize by UserPrincipalName, IPAddress | count > 10
Answer: B

This correctly calculates distinct IPs per user per 15-minute bin and filters for more than 10.

Why this answer

Option B is correct because the query uses `dcount(IPAddress)` to count distinct IP addresses per user within a 15-minute time window, then filters for users with more than 10 distinct IPs. This directly matches the requirement to detect failed sign-ins from different IP addresses, not just total failed attempts.

Exam trap

The trap here is that candidates often confuse counting total events with counting distinct values, leading them to pick Option A which counts all failures instead of distinct IPs.

How to eliminate wrong answers

Option A is wrong because it counts total failed sign-ins per user and IP address, not distinct IPs; a user could have 12 failures from the same IP and trigger the rule incorrectly. Option C is wrong because it lacks a time bin, so it aggregates over all historical data instead of the required 15-minute window. Option D is wrong because it uses invalid KQL syntax (`count > 10` is not a valid filter) and does not count distinct IPs or apply a time range.
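An added KQL example (not from the question bank) of the scheduled-rule query that Option B sketches, completed the way a production rule needs it: none of the four options restricts to failures, so as written they would also fire on a travelling user's successful sign-ins. The threshold, window and 1-hour lookback are assumptions; the extra columns exist to feed Sentinel's entity mapping.

```kql
// Added example (not from the question bank): >10 distinct source IPs with failed
// sign-ins for one account inside 15 minutes. Assumes a rule that runs every 15m
// with a 1h lookback; ResultType "0" is success, anything else is a failure.
let threshold = 10;
let window = 15m;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                // failures only (e.g. 50126 bad password)
| where isnotempty(UserPrincipalName) and isnotempty(IPAddress)
| summarize FailedCount = count(),
            DistinctIPs = dcount(IPAddress),
            SampleIPs = make_set(IPAddress, 20),
            ResultTypes = make_set(ResultType, 10),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated)
          by UserPrincipalName, bin(TimeGenerated, window)
| where DistinctIPs > threshold
// Split the UPN so the Account entity can be mapped as Name + UPNSuffix.
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]),
         AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project TimeGenerated, UserPrincipalName, AccountName, AccountUPNSuffix,
          DistinctIPs, FailedCount, SampleIPs, ResultTypes, FirstFailure, LastFailure
| order by DistinctIPs desc
```

One caveat on bin(): it cuts the hour into fixed 15-minute buckets, so a burst straddling a boundary (say 10:14 to 10:16) is split across two bins and can stay under the threshold in each. If that matters, drop the bin clause and instead set the rule's query period to 15 minutes with a 15-minute frequency, so each run is its own window.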

546
MCQ · hard

A security analyst is investigating a complex incident in Microsoft 365 Defender that involves multiple stages: a phishing email, credential theft, and lateral movement. The analyst wants to view a visual representation of the attack chain, showing how alerts and entities are related. Which feature should the analyst use?

A.Incident graph
B.Advanced hunting
C.Automated investigation
D.Alert timeline
Answer: A

This feature shows a graphical representation of the attack chain.

Why this answer

The incident graph in Microsoft 365 Defender provides a visual, interactive map of the entire attack chain, linking alerts, entities (such as users, devices, and IPs), and suspicious activities. This allows the analyst to see the progression from the phishing email to credential theft and lateral movement in a single view, making it the correct tool for understanding complex, multi-stage incidents.

Exam trap

The trap here is that candidates often confuse the alert timeline (a simple chronological list) with the incident graph (a relational visualization), or they assume Advanced hunting is the only way to correlate events, missing the purpose-built visual tool for attack chain analysis.

How to eliminate wrong answers

Option B (Advanced hunting) is wrong because it is a query-based tool for searching raw data across tables (e.g., EmailEvents, IdentityLogonEvents) and does not provide a pre-built visual representation of the attack chain; it requires the analyst to manually construct queries to correlate events. Option C (Automated investigation) is wrong because it focuses on automatically running playbooks and remediation actions on alerts, not on visualizing the relationships between alerts and entities in an attack chain. Option D (Alert timeline) is wrong because it shows a chronological list of alerts for an incident but lacks the graphical entity-relationship mapping that the incident graph provides, making it insufficient for understanding complex lateral movement paths.

547
MCQ · hard

Refer to the exhibit. You are reviewing a custom hunting query in Microsoft Defender XDR. The query aims to identify devices with more than 100 outbound connections in the last 30 days to IPs that appear in active threat intelligence indicators. However, the query returns no results. What is the most likely cause?

A.The RemoteIPType filter for 'Public' excludes all internal IPs, but devices connect to internal IPs mostly.
B.The join on RemoteIP and NetworkIP is mismatched because one is IPv4 and the other IPv6.
C.The ThreatIntelligenceIndicator table does not contain any indicators with an Active status that match the remote IPs.
D.The ConnectionCount threshold of 100 is too high; most devices do not exceed this.
Answer: C

Inner join requires matching records; no active matching indicators leads to zero results.

Why this answer

Option C is correct because the query inner-joins the per-device connection summary with ThreatIntelligenceIndicator; if no indicator row is both Active and an IP match for the observed remote IPs, the join yields nothing regardless of the threshold. Check the indicator side on its own first: indicators expire, are re-ingested as new versions of the same IndicatorId, and may be stored in NetworkIP, NetworkSourceIP or NetworkDestinationIP, so a filter on one column alone can miss them. Option D is wrong because the threshold is the intended design; lowering it would not help when there are no matches at all, which is what the empty join indicates. Option B is wrong because an IPv4/IPv6 mismatch would affect individual rows, not every row. Option A is wrong because filtering RemoteIPType to Public is correct for external threat indicators.
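The query from the question, rebuilt as an added KQL example (not from the question bank) so that an empty result can be diagnosed rather than guessed at. It assumes the Sentinel ThreatIntelligenceIndicator table is queryable alongside the Defender XDR tables (the unified portal), that indicator rows are versioned by IndicatorId, and a 30-day window with a 100-connection threshold as in the question.

```kql
// Added example (not from the question bank): TI-matched outbound connections.
// Assumptions: ThreatIntelligenceIndicator and DeviceNetworkEvents are in one query
// scope; indicators are versioned by IndicatorId; IP indicators live in NetworkIP.
let lookback = 30d;
let minConnections = 100;
// 1. Latest version of each IP indicator that is still active and unexpired.
let activeIndicators =
    ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where isnotempty(NetworkIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project RemoteIP = NetworkIP, ConfidenceScore, ThreatType, Description;
// 2. Public outbound connections per device and destination.
let outbound =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | where RemoteIPType == "Public"
    | summarize ConnectionCount = count(), FirstSeen = min(Timestamp),
                LastSeen = max(Timestamp), Ports = make_set(RemotePort, 20)
              by DeviceName, RemoteIP;
// 3. Leftouter keeps every destination so the TI side can be inspected; a matched
//    row carries the right-hand key as RemoteIP1.
outbound
| join kind=leftouter activeIndicators on RemoteIP
| extend MatchedTI = isnotempty(RemoteIP1)
// Diagnostic: temporarily replace the final three lines with
//   | summarize Destinations = count(), TIMatches = countif(MatchedTI)
// If TIMatches is 0, no active indicator overlaps the observed IPs (Option C).
| where MatchedTI and ConnectionCount > minConnections
| project DeviceName, RemoteIP, ConnectionCount, FirstSeen, LastSeen, Ports,
          ConfidenceScore, ThreatType, Description
| order by ConnectionCount desc
```

Filtering on Active and ExpirationDateTime after taking the latest version per IndicatorId matters: a feed that re-sends an indicator as inactive produces a newer row, and joining on every historical row would match on stale intelligence.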

548
MCQ · hard

You are configuring Microsoft Sentinel to use automation rules for incident response. You need to ensure that when an incident is created with a severity of High, a playbook is triggered to isolate the affected device. However, the playbook should not run if the incident is created by a specific analytics rule (RuleID: '12345'). What is the best way to implement this?

A.Create an automation rule for all High severity incidents, then use a playbook to check the rule ID and skip if needed
B.Create two automation rules: one for High severity from rule '12345' with no action, and one for High severity with condition 'Analytics rule name not equals 12345' that triggers the playbook
C.Create one automation rule with condition: Severity equals High and Analytics rule ID not equals '12345'
D.Create one automation rule with conditions: Severity equals High OR Analytics rule name not equals '12345'
Answer: B

The page's reasoning: the first (higher-priority) rule matches High incidents from rule 12345 and takes no triggering action, and the second rule runs the playbook for all other High incidents. Note that Sentinel automation rules run in priority order but have no "stop processing" action, so the first rule by itself suppresses nothing; the exclusion actually comes from the second rule's own "Analytic rule name" / "Does not contain" condition, and the first rule needs a harmless action (adding a tag, for instance) to exist at all.

Why this answer

Option B is the answer given; the priority-ordered pair makes the exclusion explicit and visible in the rule list. Option C is wrong as phrased because automation rule conditions filter on the analytics rule name (Contains / Does not contain), not on a rule ID. Option D is wrong because conditions inside one automation rule are combined with AND, not OR; an OR condition cannot be built, and if it could it would fire on every non-12345 incident of any severity. Option A is wrong because it still invokes the playbook for every High incident and pushes the decision into Logic Apps, where it costs a run and is harder to audit; the exclusion belongs in the automation rule's conditions.

549
Multi-Select · hard

Which THREE components are required to implement a threat intelligence feed in Microsoft Sentinel using the Threat Intelligence - TAXII data connector?

Select 3 answers
A.Root collection ID
B.A Log Analytics workspace with Microsoft Sentinel enabled
C.TAXII server URL
D.API key for the TAXII server
E.A watchlist named 'ThreatIntelligenceIndicators'
AnswersA, C, D

Correct. The collection ID specifies which feed to pull.

Why this answer

The root collection ID is required because it identifies the specific collection of indicators on the TAXII server; a single server may host several collections, and without the ID Microsoft Sentinel cannot tell which one to poll. It is used together with the server's API root URL (Option C), which tells the connector where the STIX/TAXII endpoint lives, and the credentials the server requires (Option D), which the connector presents on every poll. The indicators it retrieves are written to the ThreatIntelligenceIndicator table.

Exam trap

The trap here is that candidates often confuse the prerequisite (a Log Analytics workspace with Sentinel enabled) with a required component for the connector, or mistakenly think a watchlist is needed to store ingested threat indicators, when in fact the indicators are stored directly in the ThreatIntelligenceIndicator table.

550
MCQhard

Your organization uses Microsoft Defender XDR and has a custom detection rule that queries DeviceProcessEvents for suspicious PowerShell commands. You notice that the rule is generating a high number of false positives. You need to reduce false positives while still detecting real threats. What should you do?

A.Add a condition to exclude processes signed by trusted certificates or from known IT admin accounts.
B.Disable the rule and create a new rule with a different MITRE technique.
C.Increase the lookback period from 7 to 30 days.
D.Modify the rule to set the severity to 'Informational'.
AnswerA

Correct. Excluding known benign processes reduces false positives.

Why this answer

Option A is correct because adding a condition to exclude processes signed by trusted certificates or from known IT admin accounts directly reduces false positives by filtering out legitimate administrative activity. Custom detection rules in Microsoft Defender XDR allow you to refine queries with additional conditions, such as excluding specific signers or accounts, which preserves detection of malicious PowerShell commands while ignoring benign ones.

Exam trap

The trap here is that candidates may think lowering severity or changing the detection technique reduces false positives, but only refining the query logic (e.g., excluding trusted signers or accounts) directly addresses the root cause of false alerts.

How to eliminate wrong answers

Option B is wrong because disabling the rule and creating a new rule with a different MITRE technique does not address the false positive issue; it changes the detection focus rather than refining the existing query. Option C is wrong because increasing the lookback period from 7 to 30 days would only expand the data window, potentially increasing false positives and not filtering out legitimate activity. Option D is wrong because setting the severity to 'Informational' merely lowers the alert priority but does not reduce the number of false positives; the rule would still generate the same volume of alerts.
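
The following is an added example of the refinement Option A describes, written for a Defender XDR custom detection; it is not code from the page or from a Microsoft template. The PowerShell indicators, the allowlisted admin accounts and the trusted signer names are constructed assumptions for illustration. Signer information is not carried on DeviceProcessEvents itself, so the parent process is resolved to its certificate through DeviceFileCertificateInfo by SHA1.

```kql
// Added example, not from the page: suspicious-PowerShell detection with two exclusions.
// Constructed assumptions: the allowlisted accounts and the trusted signer names.
let AdminAccounts = dynamic(["svc-patching", "it-admin-jdoe"]);
let TrustedSigners = dynamic(["Microsoft Corporation", "Microsoft Windows"]);
DeviceProcessEvents
| where Timestamp > ago(1d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where ProcessCommandLine has_any ("encodedcommand", "downloadstring", "iex")
    or ProcessCommandLine matches regex @"(?i)\s-e(nc)?\s"   // -e / -enc short forms of -EncodedCommand
// Exclusion 1: known administrative accounts (case-insensitive match)
| where not(AccountName in~ (AdminAccounts))
// Exclusion 2: parent process signed by a trusted publisher, resolved by SHA1
| join kind=leftouter (
    DeviceFileCertificateInfo
    | where Timestamp > ago(30d)
    | where IsSigned == true and IsTrusted == true
    | where Signer in~ (TrustedSigners)
    | distinct SHA1, Signer
  ) on $left.InitiatingProcessSHA1 == $right.SHA1
| where isempty(Signer)          // keep only rows whose parent is NOT trusted-signed
// Custom detection rules require Timestamp, DeviceId and ReportId in the output
| project Timestamp, DeviceId, ReportId, DeviceName, AccountName,
          InitiatingProcessFileName, ProcessCommandLine
```

Both exclusions are deliberately narrow: the account allowlist is exact-match rather than a wildcard, and the signer exclusion applies only to the parent process, so an encoded command launched by a signed Microsoft binary that itself was started by a macro is still caught when the chain is inspected further up.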

551
Multi-Selecthard

During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)

Select 2 answers
A.Block the unapproved cloud storage app
B.Suspend the user's account
C.Notify the user about the policy violation
D.Initiate a legal hold on the user's data
AnswersA, B

Blocking the app prevents further uploads.

Why this answer

The immediate actions are to suspend the user's access to prevent further data exfiltration and block the unapproved app to stop data uploads. Initiating a legal hold and notifying the user are later steps.

552
MCQeasy

A threat hunter wants to identify anomalous DNS queries that may indicate data exfiltration. In Microsoft Sentinel, which data source is most appropriate for ingesting DNS logs from on-premises servers?

A.Syslog connector
B.DNS connector using Azure Monitor Agent (AMA)
C.Azure DNS connector
D.Windows Event Forwarding (WEF)
AnswerB

The DNS connector with AMA is the recommended method for on-premises DNS logs.

Why this answer

Option B is correct because the DNS connector collects query and audit logs from Windows DNS servers through the Azure Monitor Agent, which is the supported path for on-premises DNS servers. Option A is wrong because Syslog carries Linux syslog streams and does not parse DNS fields natively. Option C is wrong because Azure DNS covers Azure-hosted zones, not on-premises servers. Option D is wrong because Windows Event Forwarding carries Windows event logs, not DNS analytical logs.

553
MCQhard

A security analyst is preparing to use a Jupyter notebook for threat hunting in Microsoft Sentinel. Which of the following sequences of actions is correct to start executing the notebook?

A.Provision compute → Clone Sentinel notebooks → Connect to workspace → Execute cells
B.Clone Sentinel notebooks → Provision compute → Connect to workspace → Execute cells
C.Connect to workspace → Provision compute → Clone Sentinel notebooks → Execute cells
D.Provision compute → Connect to workspace → Clone Sentinel notebooks → Execute cells
AnswerA

This order follows the recommended setup: compute first, then notebooks, then workspace connection, then execution.

Why this answer

Option A is correct because the correct sequence to start executing a Jupyter notebook for threat hunting in Microsoft Sentinel is to first provision compute (i.e., create a compute instance in Azure Machine Learning), then clone the Sentinel notebooks from the official GitHub repository, connect to the Sentinel workspace using the msticpy library, and finally execute the cells. This order ensures the compute environment is ready before loading the notebooks and establishing the workspace connection.

Exam trap

The trap here is that candidates often assume the workspace connection should be established first (as in typical cloud workflows), but in Sentinel notebooks, the compute environment must be ready before any authentication or file operations can occur.

How to eliminate wrong answers

Option B is wrong because cloning Sentinel notebooks before provisioning compute would fail, as there is no compute environment to store or run the notebooks. Option C is wrong because connecting to the workspace before provisioning compute is impossible without a compute instance to authenticate and establish the connection. Option D is wrong because connecting to the workspace before cloning the notebooks would result in missing notebook files to execute, and the connection step requires the notebooks to be present for context.

554
MCQmedium

Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?

A.Configure an analytics rule to set the incident owner to the senior analyst and enable Teams integration in Sentinel settings.
B.Create a playbook that reassigns incidents and posts to Teams, and attach it to an automation rule triggered by high-severity incidents.
C.Create a workbook that filters high-severity incidents and configure a Teams webhook in the workbook settings.
D.Create an automation rule that runs when an incident is created with severity High, sets the owner to the senior analyst, and then runs a playbook to post a message to Teams.
AnswerD

Automation rules can assign owners and trigger playbooks that post to Teams.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can directly set the incident owner when an incident is created, and then trigger a playbook to post a message to Microsoft Teams. This two-step configuration ensures high-severity incidents are automatically assigned to the senior analyst on call and the SOC team is notified via Teams without manual intervention.

Exam trap

The trap here is that candidates often assume a playbook alone can handle both assignment and notification, but Microsoft Sentinel automation rules are the correct mechanism for setting incident properties like owner, while playbooks are best suited for external actions like posting to Teams.

How to eliminate wrong answers

Option A is wrong because analytics rules do not have the capability to set the incident owner; that is a function of automation rules or playbooks, and enabling Teams integration in Sentinel settings only provides basic connectivity, not automated assignment. Option B is wrong because while a playbook can reassign incidents and post to Teams, attaching it to an automation rule triggered by high-severity incidents would require the playbook to also set the owner, but the automation rule itself can set the owner more efficiently and reliably without relying on the playbook for assignment. Option C is wrong because workbooks are visualization tools that do not modify incident properties or trigger actions; configuring a Teams webhook in a workbook would only allow manual export or refresh, not automated incident assignment or notification.

555
Multi-Selectmedium

Which TWO KQL operators are most useful for threat hunting lateral movement in Microsoft Defender XDR? (Select two.)

Select 2 answers
A.project
B.summarize
C.join
D.search
E.where
AnswersC, E

Correlates logon events across devices.

Why this answer

Options C and E are correct: join correlates logon events across devices (for example, the same account or source IP appearing on several hosts within minutes), and where narrows the data to the remote or network logons that lateral movement produces. Option A (project) only selects columns, Option B (summarize) aggregates, and Option D (search) is a free-text search; none of them correlates events.

556
Matchingmedium

Match each Microsoft 365 Defender workload to its description.


Concepts
Matches

Protects endpoints from cyber threats

Safeguards email and collaboration tools

Detects identity-based attacks using Active Directory signals

Provides visibility and control over cloud apps

Secures multicloud and hybrid environments

Why these pairings

These are the main workloads within Microsoft 365 Defender.

557
MCQmedium

An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?

A.Isolate the device from the network
B.Disable the user's account
C.Run a full antivirus scan on the device
D.Collect a memory dump from the device
AnswerA

Isolation prevents further spread and encryption.

Why this answer

The immediate containment action is to isolate the device from the network to stop lateral movement and encryption. Running antivirus or collecting forensic data is secondary. Disabling the user account does not stop the device.

558
MCQhard

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to automatically group related incidents from different rules into a single incident to reduce analyst workload. The grouping should occur within 30 minutes of the first incident creation. What should you do?

A.Use an automation rule with a playbook that queries for related incidents and merges them.
B.Configure incident grouping in the analytics rule settings with a matching condition and a 30-minute time window.
C.Create an incident creation rule that groups alerts from multiple analytics rules based on entity matching.
D.Create a workbook to display related incidents and manually merge them.
AnswerB

Incident grouping can combine alerts from the same rule.

Why this answer

Option B is correct because incident grouping is a built-in analytics rule setting: alerts that match the chosen criteria (for example, the same entity) within the grouping window are added to one open incident instead of each opening a new one, and the window can be set to 30 minutes. Note that grouping is configured per analytics rule and applies to the alerts that rule generates; of the four options it is still the only automatic, configuration-only mechanism, which is why it is the expected answer.

Exam trap

The trap here is that candidates often confuse automation rules with incident grouping, assuming a playbook can merge incidents, when in fact merging is a built-in analytics rule feature that requires no external automation.

How to eliminate wrong answers

Option A is wrong because automation rules with playbooks can trigger actions on incidents but cannot merge incidents; merging is not supported via playbooks in Sentinel. Option C is wrong because there is no 'incident creation rule' in Sentinel; incident grouping is configured directly within the analytics rule settings, not via a separate rule type. Option D is wrong because workbooks are for visualization and reporting, not for automated incident merging; manual merging is inefficient and does not meet the 30-minute automatic requirement.

559
MCQmedium

Based on the ARM template snippet, what is the purpose of this analytics rule?

A.To detect multiple failed logon attempts within a time window
B.To detect brute force attacks on user accounts
C.To detect successful logins by account
D.To detect account lockouts
AnswerA, B

The rule alerts when failed logon count exceeds 5.

Why this answer

Options A and B both describe the rule: it counts failed logon events (Event ID 4625) per account within the time window and fires when the count exceeds 5, which is the standard brute-force indicator. Option C is wrong because 4625 is a failed logon, not a successful one. Option D is wrong because the query does not check for lockout events.

560
MCQeasy

You are using Microsoft Sentinel UEBA to hunt for insider threats. Which entity type would you investigate to detect unusual access to sensitive data?

A.IP
B.Application
C.Device
D.User
AnswerD

User entity analysis can detect anomalous logon and access patterns.

Why this answer

Option D is correct because UEBA builds a behavioral profile per user, so the User entity is where anomalous access to sensitive data surfaces. Option A (IP) and Option C (Device) are for IP- and device-based anomalies, and Option B (Application) covers anomalies in application usage; none of them is the primary lens for an insider threat.

561
MCQhard

During an incident response, a SOC analyst identifies that a malicious PowerShell script was executed on multiple endpoints. The analyst needs to collect relevant files from all affected endpoints for further analysis. What should the analyst use?

A.Microsoft Defender for Cloud Apps file investigation.
B.Microsoft Purview eDiscovery.
C.Microsoft Defender for Endpoint Live Response.
D.Microsoft Sentinel incident investigation graph.
AnswerC

Live Response allows remote file collection from endpoints.

Why this answer

Option C is correct because Microsoft Defender for Endpoint Live Response opens a remote session on an onboarded device from which files can be collected (getfile) and scripts run, and this can be repeated on every affected endpoint. Option A is wrong because Defender for Cloud Apps investigates files stored in cloud apps, not on endpoints. Option B is wrong because Purview eDiscovery searches content for legal and compliance cases, not live endpoint collection. Option D is wrong because the Sentinel investigation graph visualizes relationships between entities; it does not pull files from devices.

562
MCQmedium

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel to investigate devices in the finance subnet. Which result would indicate that a device might be compromised?

A.A device with multiple connected networks, including an external IP.
B.A device named 'finance-server-01' with a single network connection.
C.A device with no network connections in the last 7 days.
D.A device with a LocalIPAddress starting with 10.0.0.
AnswerA

Multiple networks, especially including external, could indicate compromise.

Why this answer

The correct answer is A. A device with multiple connected networks, especially if those networks are unusual (e.g., a finance device connecting to an external network), could indicate lateral movement or command and control. The other options are not inherently suspicious.

563
MCQmedium

A company uses Microsoft Defender for Cloud and wants to automatically ensure that all Azure virtual machines have a specific security configuration baseline applied (e.g., default password policies). Which Defender for Cloud feature should they leverage to audit and enforce these configurations inside the VMs?

A.Security policies
B.Azure Policy Guest Configuration
C.Just-In-Time VM access
D.Adaptive application controls
AnswerB

Correct: Guest Configuration can audit and deploy configurations inside VMs, automating baseline enforcement.

Why this answer

Azure Policy Guest Configuration is the correct feature because it extends Azure Policy to audit and enforce configurations inside the operating system of Azure VMs, including security baseline settings like default password policies. Unlike host-level policies, Guest Configuration can evaluate and remediate settings within the guest OS, making it the appropriate tool for this requirement.

Exam trap

The trap here is that candidates often confuse Azure Policy (which applies to Azure resource properties) with Guest Configuration (which applies to settings inside the VM guest OS), leading them to incorrectly select Security policies or Adaptive application controls.

How to eliminate wrong answers

Option A is wrong because Security policies in Defender for Cloud define security standards and compliance rules at the subscription or resource level, but they do not audit or enforce configurations inside the VM's operating system. Option C is wrong because Just-In-Time VM access controls network access to management ports (e.g., RDP, SSH) and has no capability to audit or enforce OS-level security baselines. Option D is wrong because Adaptive application controls create allowlists for applications running on VMs to prevent malware, but they do not audit or enforce configuration baselines like password policies.

564
MCQhard

A SOC analyst is creating an automation rule in Microsoft Sentinel to trigger a playbook when a new incident is created. The analyst wants the rule to apply only to incidents that have a severity of 'High' and where the 'User' entity is present. Which condition configuration should the analyst use?

A.Set 'Incident severity equals High' and 'Incident tag contains User'
B.Set 'Incident severity equals High' and 'Entity type contains User'
C.Set 'Alert severity equals High' and 'Alert entity type contains User'
D.Set 'Incident provider equals Microsoft Sentinel' and 'Entity type contains User'
AnswerB

This correctly uses incident severity and entity type conditions. The rule will trigger only for high-severity incidents that contain a user entity.

Why this answer

Option B is correct because Microsoft Sentinel automation rules evaluate conditions at the incident level, not the alert level. The 'Incident severity equals High' condition filters by incident severity, and 'Entity type contains User' checks that the incident's entities include a User entity, which is required for the playbook to receive entity context.

Exam trap

The trap here is that candidates confuse incident-level conditions (severity, entity type) with alert-level conditions (alert severity, alert entity type), leading them to select Option C, which would not work because automation rules evaluate at the incident scope.

How to eliminate wrong answers

Option A is wrong because 'Incident tag contains User' is not a valid condition; tags are custom labels, not entity types, and cannot be used to verify the presence of a User entity. Option C is wrong because 'Alert severity' and 'Alert entity type' operate at the alert level, not the incident level, and automation rules trigger on incidents, not individual alerts. Option D is wrong because 'Incident provider equals Microsoft Sentinel' is a valid condition but does not filter by severity, and it would apply to all incidents from Microsoft Sentinel regardless of severity or entity presence.

565
MCQmedium

As a threat hunter, you want to proactively search for signs of privilege escalation using the 'AzureHound' tool within your Microsoft Sentinel environment. Which data source is most relevant to ingest to detect AzureHound usage?

A.Azure VM Insights logs
B.Azure Active Directory Audit Logs (now Microsoft Entra ID Audit Logs)
C.Azure Storage analytics logs
D.Azure Network Watcher logs
AnswerB

AzureHound enumerates the tenant through Microsoft Graph; the Microsoft Entra ID logs (audit and sign-in) are where that tenant-level activity surfaces.

Why this answer

Option B is correct because AzureHound collects its data through the Microsoft Graph (and Azure Resource Manager) APIs, and the Microsoft Entra ID audit logs, together with the sign-in logs for the identity whose token it uses, are where that tenant-level activity is recorded. Option A is wrong because AzureHound runs from the attacker's machine, not inside a monitored VM. Option C is wrong because it does not touch storage accounts. Option D is wrong because Network Watcher captures network flow data, not directory API calls.

566
MCQhard

Refer to the exhibit. An analyst runs the query to identify the top 10 entities with the most malware alerts. However, the query returns no results. What is the most likely reason?

A.The SecurityAlert table does not contain the AlertName field.
B.The AlertName field does not contain the substring 'Malware' (case-sensitive issue).
C.The 'has' operator requires an exact match.
D.The 'take 10' operator returns no results because there are fewer than 10 alerts.
AnswerB

The 'has' operator is case-insensitive but matches whole terms, so the alert names must contain 'Malware' as a separate word.

Why this answer

Option B is correct because 'has' is a case-insensitive, term-based match: an alert named 'Malware detected' matches, but 'AntiMalware tampering' does not (the term is 'AntiMalware'), and neither does a name that uses different wording entirely. When the query returns nothing, the first check is the distinct AlertName values in the period. Option A is wrong because SecurityAlert does have an AlertName field. Option C is wrong because 'has' matches a whole term anywhere in the string, not the entire value (exact match is ==). Option D is wrong because 'take 10' caps the output; it never produces zero rows when rows exist.
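
To make the 'has' behaviour concrete, here is an added example built on a constructed datatable; it is not the exhibit (which is not reproduced on this page) and not code from the page. It shows which of 'has', 'has_cs' and 'contains' match each of four constructed alert names.

```kql
// Added example, not from the page: constructed alert names showing how the string operators differ.
let Alerts = datatable(AlertName:string) [
    "Malware detected on host",      // whole term, mixed case
    "MALWARE blocked by AV",         // whole term, upper case
    "AntiMalware engine tampering",  // "Malware" is only a substring of the term "AntiMalware"
    "Suspicious PowerShell"          // no match at all
];
Alerts
| extend Has      = AlertName has "Malware",       // term match, case-insensitive: rows 1 and 2
         HasCs    = AlertName has_cs "Malware",    // term match, case-sensitive: row 1 only
         Contains = AlertName contains "Malware"   // substring, case-insensitive: rows 1, 2 and 3
```

The hunting query itself then reads `SecurityAlert | where AlertName has "Malware" | summarize count() by CompromisedEntity | top 10 by count_` (CompromisedEntity is the SecurityAlert column that holds the affected entity). If it still returns nothing, run `SecurityAlert | distinct AlertName` over the same period to see the vocabulary actually in use before loosening the match to 'contains'.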

567
MCQeasy

You receive an incident in Microsoft Sentinel that is a low-confidence alert from Microsoft Defender for Identity. What should be your first step?

A.Investigate the alert by reviewing related entities and logs.
B.Close the incident as a false positive.
C.Escalate to senior management.
D.Isolate the affected account immediately.
AnswerA

Investigation determines if the alert is a true positive before taking action.

Why this answer

Option A is correct. The analyst should first investigate to determine if the alert is a true positive. Option B is premature without investigation.

Option C is a post-investigation step. Option D is not appropriate for a low-confidence alert.

568
Multi-Selecthard

Which THREE of the following are valid components of Microsoft Defender XDR? (Select three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Purview
D.Microsoft Defender for Identity
E.Microsoft Sentinel
AnswersA, B, D

Part of Defender XDR.

Why this answer

Options A, B, and D are correct: Defender for Endpoint, Defender for Office 365, and Defender for Identity are core components of Microsoft Defender XDR. Option C is wrong because Microsoft Purview is the compliance and data governance suite. Option E is wrong because Microsoft Sentinel is a separate SIEM product; it integrates with Defender XDR but is not a component of it.

569
MCQeasy

You have been tasked with creating an automated response in Microsoft Sentinel for incidents involving lateral movement. Which Azure service allows you to run a playbook to automatically isolate a compromised VM?

A.Azure Logic Apps
B.Kusto Query Language (KQL)
C.Microsoft Defender XDR advanced hunting
D.Azure Event Hubs
AnswerA

Playbooks in Sentinel are implemented as Logic Apps workflows.

Why this answer

Option A is correct because Microsoft Sentinel playbooks are Azure Logic Apps workflows, which can call the Defender for Endpoint or Azure APIs to isolate a VM. Option B is a query language, not an automation service. Option C is a query environment for hunting across Defender XDR data, not for running response workflows. Option D is an event streaming service used to export or ingest data, not to execute actions.

570
MCQhard

You are a security analyst at a company that uses Microsoft Sentinel and Microsoft Defender for Identity (now part of Microsoft Defender XDR). During a threat hunt, you need to identify potential golden ticket attacks. You have Windows Security Events (Event ID 4672: Special Logon) and Kerberos service ticket events (Event ID 4769) ingested. A golden ticket attack often involves service ticket requests with unusual encryption types or ticket options. You want to find service ticket requests (4769) that have TicketOptions containing '0x40810000' (forwardable, renewable, canonicalize) and TicketEncryptionType == '0x17' (RC4), which are common in attacks. You need to write a KQL query that returns the top 10 accounts requesting such tickets in the last 7 days. Which query should you use?

A.SecurityEvent | where EventID == 4769 | where TicketOptions == "0x40810000" | summarize count() by AccountName | top 10 by count_
B.SecurityEvent | where EventID == 4769 | where TicketOptions == "0x40810000" and TicketEncryptionType == "0x17" | summarize count() by AccountName | top 10 by count_
C.SecurityEvent | where EventID == 4672 | where TicketOptions == "0x40810000" and TicketEncryptionType == "0x17" | summarize count() by AccountName | top 10 by count_
D.SecurityEvent | where EventID == 4769 | where TicketOptions contains "0x40810000" and TicketEncryptionType contains "0x17" | summarize count() by AccountName | top 10 by count_
AnswerB

Correctly identifies potential golden ticket indicators.

Why this answer

Option B is correct because it filters EventID 4769 on both the TicketOptions value and the RC4 encryption type, summarizes by account and returns the top 10. Option A is wrong because it omits the encryption-type filter. Option C is wrong because 4672 is the special-privileges logon event, which carries no Kerberos ticket fields. Option D is wrong because 'contains' is a substring match; both values are fixed hex codes, so equality is the precise (and faster) comparison. Note that none of the options limits the search to the last 7 days the question asks for; a TimeGenerated filter has to be added before the summarize to meet that requirement.
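
The following is an added example, not from the page, that adds the missing 7-day window to the Option B logic and pulls in the fields a hunter would want next to the count. It assumes the SecurityEvent schema, where the account the ticket was issued for is in TargetUserName (the options write AccountName); adjust to the column your ingestion uses.

```kql
// Added example, not from the page: RC4 service-ticket requests with the page's TicketOptions,
// restricted to 7 days and enriched with the services and source IPs involved.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4769
| where TicketOptions == "0x40810000" and TicketEncryptionType == "0x17"
// Computer accounts end with $; drop them to focus on user principals
| where not(TargetUserName endswith "$")
| summarize RequestCount = count(),
            Services  = make_set(ServiceName, 20),
            SourceIPs = make_set(IpAddress, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated)
    by TargetUserName
| top 10 by RequestCount desc
```

Two caveats before treating a hit as a golden ticket: RC4 (0x17) service tickets are also the classic Kerberoasting signature, and they are routine in domains that still allow RC4, so baseline the result against normal volume per account first. A full golden ticket investigation also correlates TGT events (Event ID 4768) and ticket lifetimes rather than relying on 4769 alone.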

571
Multi-Selecthard

Which TWO remediation actions are available in Microsoft Defender for Endpoint when responding to a malware infection?

Select 2 answers
A.Run a full antivirus scan
B.Disable the user account
C.Reset the device to factory settings
D.Block the application in Defender for Cloud Apps
E.Isolate the device from the network
AnswersA, E

Can be initiated from the portal.

Why this answer

Options A and E are correct because both are response actions available from the device page in Defender for Endpoint: Run antivirus scan and Isolate device. Option B is wrong because user accounts are disabled in Microsoft Entra ID or Active Directory, not from Defender for Endpoint. Option C is wrong because a factory reset is a rebuild step performed outside the product, not a Defender for Endpoint action. Option D is wrong because blocking an app is a Defender for Cloud Apps action.

572
MCQmedium

Your security team is investigating an incident in Microsoft Defender XDR where a user received multiple phishing emails. The team needs to create an automated response that blocks the sender's email address across all mailboxes in the organization. Which action should you configure in an automated investigation and response (AIR) playbook?

A.Add a 'Block IP address' action in Microsoft Defender for Cloud Apps.
B.Create a custom detection rule in Microsoft Sentinel.
C.Add a 'Block sender' action in Microsoft Defender for Office 365.
D.Deploy a configuration profile in Microsoft Intune.
AnswerC

Correct. This action blocks the sender across Exchange Online.

Why this answer

Option C is correct because blocking a sender's email address across all mailboxes is a native capability of Microsoft Defender for Office 365. The 'Block sender' action in an AIR playbook directly adds the sender to the tenant's block list, which is enforced at the transport layer for all inbound email, effectively preventing any further delivery from that address.

Exam trap

The trap here is that candidates confuse the scope of Microsoft Defender for Cloud Apps (Option A) with email security controls, mistakenly thinking IP blocking in MDCA can stop email from a specific sender, when in fact email transport blocking is handled exclusively by Defender for Office 365.

How to eliminate wrong answers

Option A is wrong because blocking an IP address in Microsoft Defender for Cloud Apps (MDCA) applies to cloud app sessions and API connections, not to email transport; it cannot block a sender's email address in Exchange Online. Option B is wrong because a custom detection rule in Microsoft Sentinel is for generating alerts from log data, not for executing remediation actions like blocking a sender in mail flow. Option D is wrong because a configuration profile in Microsoft Intune manages device settings and compliance policies, not email sender blocking, which is a mail flow control.

573
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You are configuring a new automation rule in Sentinel to automatically assign incidents to the appropriate SOC tier based on severity: Low and Medium to Tier 1, High to Tier 2, and Critical to Tier 3. You have created three separate automation rules, one for each tier. However, only the rule for Critical incidents is working. The other rules do not assign incidents. You verify that the other rules are enabled and have the correct conditions. What is the most likely cause?

A.The automation rules for Tier 1 and Tier 2 are set to trigger on incident update instead of creation.
B.The automation rule for Critical incidents has a higher order number and is processed first, preventing other rules from running.
C.The SOC Tier 1 and Tier 2 users do not have the appropriate permissions to own incidents.
D.Automation rules cannot be created separately for each severity; you must use a single rule with multiple conditions.
AnswerB

Automation rules are processed in order; if a rule with higher priority matches, subsequent rules may not run.

Why this answer

Option B is correct because automation rules are processed in priority order, and with the Critical rule sitting first the lower-priority Tier 1 and Tier 2 rules are not applied to the incidents it has already handled. Option A is wrong because a wrong trigger type would be a configuration error, and the scenario states the rules were verified. Option C is wrong because assigning an owner does not depend on the assignee's permissions at rule-evaluation time. Option D is wrong because multiple automation rules can exist, one per severity.

574
MCQhard

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?

A.The user's account is compromised
B.The alert is a false positive due to user travel
C.The user is an insider threat
D.The user is conducting a ransomware attack
AnswerA

Unusual location and anomalous data access strongly indicate compromise.

Why this answer

The combination of unusual location and mass download of sensitive files by a low-privilege user suggests account compromise. It is not necessarily ransomware or a false positive, and insider threat is less likely without evidence of intent.

575
MCQhard

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. As a threat hunter, you receive an alert about a potential DCSync attack. You want to hunt for any other instances of this attack across your domain controllers over the past 30 days. Which hunting query should you run in Microsoft 365 Defender advanced hunting?

A.DeviceEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
B.IdentityDirectoryEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
C.IdentityLogonEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
D.IdentityQueryEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
AnswerB

Correct table and action type for DCSync hunting.

Why this answer

Option B is correct because IdentityDirectoryEvents holds Defender for Identity's directory-service activity, which is where replication requests such as DCSync are recorded. Option A is wrong because DeviceEvents is the Defender for Endpoint table and does not carry domain controller directory events. Option C is wrong because IdentityLogonEvents covers authentication events, not replication. Option D is wrong because IdentityQueryEvents covers LDAP, DNS and SAMR queries, and DCSync is a replication operation rather than a query.

576
Multi-Selecthard

Which THREE data sources should be included in a Microsoft Sentinel workspace to comprehensively monitor for lateral movement within an Azure environment?

Select 3 answers
A.Azure AD sign-in logs
B.Power BI audit logs
C.Azure Network Security Group flow logs
D.Azure DevOps audit logs
E.Azure Activity logs
AnswersA, C, E

Sign-in logs reveal authentication attempts from compromised accounts.

Why this answer

Options A, C, and E are correct because together they cover the identity, network, and compute aspects of lateral movement. Option D is wrong because Azure DevOps is for development, not runtime. Option B is wrong because Power BI is not involved in lateral movement.

577
MCQ · easy

Your organization uses Microsoft Sentinel and wants to ensure that all incident-related data is retained for at least 90 days for compliance purposes. Which configuration should you check?

A. Log Analytics workspace retention settings
B. Watchlist settings
C. Analytics rule settings
D. Incident settings in Sentinel
Answer: A

Data retention is configured in the Log Analytics workspace.

Why this answer

Option A is correct because data retention in Microsoft Sentinel is set at the Log Analytics workspace level. Option C is wrong because analytics rules generate incidents but don't control retention. Option B is wrong because watchlists are for data correlation, not retention. Option D is wrong because the incidents blade shows incidents but does not configure retention.

578
MCQ · hard

You are reviewing a hunting query. What is the primary purpose of this query?

A. List all users with any risk level during sign-in in the last 7 days
B. Detect users who have granted admin consent to malicious OAuth apps
C. Find users with medium-risk sign-ins that share IP addresses with service principal sign-ins, indicating possible token theft or lateral movement
D. Identify service principals that have been compromised and are performing high-risk sign-ins
Answer: C

The join on IP address and count > 5 suggests correlation of user and service principal activity.

Why this answer

Option C is correct because the query filters for users with medium-risk sign-ins and joins with service principal sign-ins on IP address, then counts occurrences per user exceeding 5, indicating potential compromise involving both user and service principal activity from the same IP. Option A is wrong because the query is limited to medium-risk sign-ins correlated with service principal activity, not every user with any risk level. Option B is wrong because it does not look for admin consent grants. Option D is wrong because the query does not focus on service principal compromise alone, and it uses only medium risk, not high.

579
MCQ · medium

Match each Microsoft Defender for Cloud feature on the left with its primary purpose on the right.

A. Just-In-Time VM Access → Provides time-limited access to management ports via NSG rules; Adaptive Application Controls → Allowlists known safe applications to run on VMs; File Integrity Monitoring → Detects changes to sensitive registry keys and files; Regulatory Compliance Dashboard → Assesses Azure resources against industry standards
B. The first and second mappings are reversed; the remaining mappings are unchanged.
C. All features map to the same monitoring purpose.
D. The compliance and access-control mappings are swapped.
Answer: A

This mapping pairs each feature with its primary purpose.

Why this answer

Option A is correct because it accurately matches each Microsoft Defender for Cloud feature to its primary purpose. Just-In-Time (JIT) VM Access reduces the attack surface by locking down management ports (e.g., RDP 3389, SSH 22) and granting time-limited access via NSG rules only when requested. Adaptive Application Controls uses machine learning to create an allowlist of known safe applications, blocking unknown executables on VMs.

File Integrity Monitoring (FIM) tracks changes to sensitive registry keys, files, and certificates, alerting on unauthorized modifications. The Regulatory Compliance Dashboard continuously assesses Azure resources against built-in standards like CIS, NIST, and Azure Security Benchmark, providing a compliance score and recommendations.

Exam trap

The trap here is that candidates often confuse Just-In-Time VM Access with Adaptive Application Controls because both reduce attack surface, but JIT controls network-level access to management ports while Adaptive Application Controls controls which applications can execute at the OS level.

How to eliminate wrong answers

Option B is wrong because it claims the first two mappings are reversed, but JIT VM Access and Adaptive Application Controls are correctly paired in Option A; reversing them would incorrectly assign time-limited port access to application allowlisting and vice versa, which misrepresents their distinct security functions. Option C is wrong because it states all features map to the same monitoring purpose, which is false—each feature serves a unique purpose: JIT controls network access, Adaptive Application Controls controls software execution, FIM monitors file integrity, and the dashboard assesses compliance; they are not interchangeable. Option D is wrong because it swaps the compliance and access-control mappings, but the Regulatory Compliance Dashboard is correctly matched with assessing industry standards, and JIT VM Access is correctly matched with time-limited management port access; swapping them would inaccurately assign compliance assessment to JIT and access control to the dashboard.

580
MCQ · easy

As a SOC analyst, you need to quickly identify if a specific user account has been involved in any incidents in the past week. Which feature in Microsoft Sentinel allows you to search for user-related incidents?

A. Incidents blade with time range filter
B. Hunting blade with user query
C. Entity behavior blade
D. Workbooks with KQL query
Answer: C

Entity behavior shows incident history for that entity.

Why this answer

Option C is correct because the Entity behavior blade in Microsoft Sentinel provides a user-centric view that aggregates all incidents, alerts, and activities associated with a specific user account. By selecting a user entity and navigating to the 'Incidents' tab within the blade, you can quickly filter incidents involving that user over a defined time range, such as the past week. This feature is designed specifically for investigating user-related security events without needing to write custom queries.

Exam trap

Microsoft often tests the misconception that the Incidents blade (Option A) is sufficient for user-specific searches, but the trap is that it lacks entity-level filtering, requiring analysts to manually correlate users across incidents, whereas the Entity behavior blade provides a consolidated user-centric view.

How to eliminate wrong answers

Option A is wrong because the Incidents blade with a time range filter shows all incidents across the workspace, but it does not allow you to search or filter by a specific user account directly; you would need to manually inspect each incident or use a KQL query to correlate user entities. Option B is wrong because the Hunting blade is used for proactive threat hunting with KQL queries to find potential threats, not for quickly identifying incidents already raised against a specific user; it requires writing and running custom queries, which is less efficient for this task. Option D is wrong because Workbooks with KQL queries are customizable dashboards for reporting and visualization, not a direct feature for searching user-related incidents; they require pre-built queries and are not designed for ad-hoc user lookups.

581
MCQ · medium

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?

A. DeviceNetworkEvents table, SHA256 column
B. DeviceEvents table, SHA256 column
C. DeviceProcessEvents table, SHA256 column
D. DeviceFileEvents table, SHA256 column
Answer: C

DeviceProcessEvents records process executions with SHA256 hash.

Why this answer

DeviceProcessEvents contains process execution events, and its SHA256 column stores the hash of the executed file, so Option C is correct. Option D (DeviceFileEvents) is for file creation/modification, not execution. Option A (DeviceNetworkEvents) is for network connections. Option B (DeviceEvents) is a generic table that may not include the process hash.

582
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select THREE.)

Select 3 answers
A. Identify users whose behavior deviates from their peers
B. Provide a timeline of a user's recent activities on the entity page
C. Automatically run playbooks when anomalies are detected
D. Detect anomalous sign-in locations and times
E. Create watchlists for high-value users
Answers: A, B, D

Peer anomaly detection is a key UEBA feature.

Why this answer

Option A is correct because Microsoft Sentinel's UEBA uses machine learning models to establish a baseline of normal behavior for each user and then compares individual user activity against peer group behavior. When a user's actions deviate significantly from their peers, such as accessing unusual resources or performing atypical data transfers, an anomaly is generated, enabling security analysts to investigate potential insider threats or compromised accounts.

Exam trap

The trap here is that candidates may confuse UEBA's anomaly detection with the broader automation capabilities of Microsoft Sentinel, mistakenly thinking that UEBA itself automatically runs playbooks, when in fact playbook execution requires separate automation rules and is not a built-in UEBA feature.

583
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You receive a high-severity incident indicating that a user's credentials were used to access a sensitive SharePoint site from an unmanaged device. The user, 'jdoe@contoso.com', is a senior executive. The IP address is from a public Wi-Fi hotspot. The incident includes a recommendation to apply session policy to block download of sensitive files. You need to create a policy in Microsoft Defender for Cloud Apps that blocks downloads from unmanaged devices for this specific user when accessing the sensitive site. The policy should trigger only when the user accesses the specific SharePoint site named 'ExecConfidential'. What should you do?

A. Create an app connector for SharePoint and a session policy that targets the user, site, and device tag 'Unmanaged' with the action 'Block download'.
B. Create a device compliance policy in Microsoft Intune to block unmanaged devices from accessing SharePoint.
C. Create a Conditional Access policy in Microsoft Entra ID to require a compliant device for the SharePoint site.
D. Create a file policy in Defender for Cloud Apps to quarantine files downloaded from the site.
Answer: A

Session policies in Defender for Cloud Apps can block specific actions like download for unmanaged devices.

Why this answer

Option A is correct because creating an app connector for SharePoint, then a session policy that targets the specific site, user, and device tag 'Unmanaged' with the action 'Block download', meets all requirements. Option B is wrong because a device compliance policy is configured in Intune, not Defender for Cloud Apps. Option C is wrong because a Conditional Access policy in Microsoft Entra ID does not have the granularity to block downloads. Option D is wrong because a file policy monitors file sharing, not session control.

584
MCQ · medium

Refer to the exhibit. You are reviewing a KQL query used in a threat hunting campaign. What is the primary purpose of this query?

A. To identify the top 5 most frequently used IP addresses by each user.
B. To find users who have signed in more than 5 times from a single IP to an app, and correlate with any user risk events.
C. To calculate the average risk score for users with high sign-in activity.
D. To list all sign-ins from IP addresses that have been associated with risk events.
Answer: B

The query counts sign-ins per user/IP/app and joins with risk events to show risk count.

Why this answer

Option B is correct because the query identifies users with high sign-in counts from specific IPs and apps, and joins with risk events to correlate them with known risky users. Option D is wrong because the query doesn't filter only risky users. Option A is wrong because the query aggregates by user, not by unique IPs. Option C is wrong because the query compares sign-in count to a threshold, not a risk score.

585
MCQ · hard

Your company deploys Microsoft Sentinel in a multi-workspace environment. You need to centralize incident management across workspaces while maintaining data residency. You configure Sentinel workspaces in each region. What additional configuration is required to view all incidents from a single pane?

A. Deploy the Microsoft Sentinel solution across workspaces.
B. Assign the same Azure RBAC roles to all users in each workspace.
C. Merge the workspaces into a single workspace.
D. Use an incident manager with a cross-workspace view.
Answer: D

Cross-workspace views centralize incidents.

Why this answer

Option D is correct because Microsoft Sentinel supports cross-workspace incident management through the incident manager, which can be configured to display incidents from multiple workspaces in a single view. This is achieved by using the 'cross-workspace view' feature, which leverages Azure Resource Graph to query incidents across workspaces without moving data, thus maintaining data residency requirements.

Exam trap

The trap here is that candidates often confuse deploying the Sentinel solution (Option A) with enabling cross-workspace views, but the solution deployment is a separate prerequisite and does not itself provide centralized incident management.

How to eliminate wrong answers

Option A is wrong because deploying the Microsoft Sentinel solution across workspaces is a prerequisite for enabling Sentinel in each workspace, but it does not provide a centralized incident view; it only installs the solution components. Option B is wrong because assigning the same Azure RBAC roles to all users in each workspace ensures consistent permissions but does not aggregate incidents into a single pane; RBAC controls access, not data aggregation. Option C is wrong because merging workspaces into a single workspace would violate data residency requirements by centralizing data in one region, and it is not a supported operation in Sentinel; workspaces are region-bound and cannot be merged.

586
MCQ · medium

Your organization has Microsoft Defender for Endpoint deployed. A security analyst receives an alert about a suspicious PowerShell command executed on a device. The analyst needs to investigate the process tree. Which feature should the analyst use?

A. Device isolation
B. Live response
C. Timeline (process timeline)
D. Advanced hunting
Answer: C

Timeline shows process tree and events.

Why this answer

The correct answer is C because the timeline in Defender for Endpoint provides a detailed process tree and the surrounding events. Option D is wrong because Advanced hunting is for querying, not a visual process tree. Option A is wrong because device isolation is for containment. Option B is wrong because live response is for running remote commands, not investigation.

587
Multi-Select · medium

Which TWO actions should you take to ensure that Microsoft Sentinel can detect and respond to threats across your multicloud environment, including AWS and GCP?

Select 2 answers
A. Use Azure Policy to deploy the connectors automatically.
B. Create analytics rules in Microsoft Sentinel to detect threats from the ingested multicloud logs.
C. Configure the AWS S3 and GCP Pub/Sub data connectors.
D. Enable the Microsoft Defender XDR connector for AWS and GCP.
E. Create a separate Microsoft Sentinel workspace for each cloud provider.
Answers: B, C

Analytics rules are required to generate incidents.

Why this answer

Option C is correct because Microsoft Sentinel provides data connectors for AWS (CloudTrail via S3) and GCP (via the Pub/Sub connector). Option B is correct because custom KQL analytics rules are needed to create incidents from those logs. Option E is wrong because a separate workspace is not required; you can use one workspace. Option D is wrong because the Microsoft Defender XDR connector is for Microsoft services, not third-party clouds. Option A is wrong because Azure Policy doesn't configure Sentinel data connectors.

588
Multi-Select · hard

Which THREE actions are recommended when conducting a threat hunting exercise in Microsoft Sentinel using the MITRE ATT&CK framework?

Select 3 answers
A. Focus only on techniques that have not been seen in your environment before.
B. Use the hunting queries from the Microsoft Sentinel Content hub as a starting point.
C. Rely exclusively on automated detection rules to identify threats.
D. Document your findings and update detection rules based on new patterns discovered.
E. Map your hunting hypotheses to specific MITRE ATT&CK tactics and techniques.
Answers: B, D, E

The Content hub provides community and Microsoft-validated queries.

Why this answer

Options B, D, and E are correct. Mapping hypotheses to MITRE tactics ensures coverage; using hunting queries from the Content hub provides validated queries; and documenting findings supports future hunts. Option A is incorrect because you should not restrict the hunt to only one subset of techniques. Option C is incorrect because you should not rely solely on automated rules.

589
Multi-Select · easy

Which TWO data connectors can be used to ingest Microsoft 365 audit logs into Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Microsoft Defender for Cloud Apps connector.
B. Microsoft 365 Defender connector.
C. Office 365 connector (Exchange, SharePoint, Teams).
D. Azure Activity connector.
E. Azure AD connector (sign-in logs).
Answers: B, C

Ingests unified audit logs.

Why this answer

The Microsoft 365 Defender connector (Option B) ingests unified audit logs from Microsoft 365 Defender, which includes security-related events from Microsoft 365 services. The Office 365 connector (Option C) directly ingests audit logs from Exchange Online, SharePoint Online, and Microsoft Teams, which are part of the Microsoft 365 audit log. Both connectors are designed to bring Microsoft 365 audit log data into Microsoft Sentinel.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender connector with the Office 365 connector, thinking they are redundant, or they mistakenly select the Azure AD connector because they assume sign-in logs are part of Microsoft 365 audit logs, when in fact the Azure AD connector only captures Azure AD-specific events, not the full Microsoft 365 audit log.

590
MCQ · medium

Your team is using Microsoft 365 Defender advanced hunting to investigate a possible data exfiltration incident. The security team suspects that an internal attacker used a compromised SharePoint Online account to download sensitive files from multiple sites. You need to build a hunting query that identifies all file download activities from SharePoint Online for a specific user account over the past 7 days, and then calculates the total size of downloaded files. Which KQL query should you use?

A. CloudAppEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownload' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
B. CloudAppEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownloaded' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
C. EmailEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownloaded' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
D. FileEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownloaded' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
Answer: B

Correct filter and aggregation.

Why this answer

Option B correctly filters SharePoint file download events (FileDownloaded) in CloudAppEvents and sums the FileSize. Option A uses the wrong action type (FileDownload); Option C uses EmailEvents, which is for email; Option D uses the wrong table (FileEvents).

591
MCQ · easy

Your company uses Microsoft Sentinel to monitor security events. You have configured a daily email report that summarizes the top 10 incidents from the past 24 hours. The report is sent using a Logic App playbook triggered by a scheduled query. Recently, the report has stopped being delivered. You check the Logic App run history and see that the last run failed with an HTTP 403 error when connecting to the Microsoft Sentinel API. The Logic App uses a managed identity for authentication. What is the most likely cause of the failure?

A. The managed identity does not have the required permissions on the Sentinel workspace.
B. The managed identity's client ID has changed.
C. The Logic App is not connected to Microsoft Entra ID.
D. The scheduled query is no longer running.
Answer: A

The managed identity needs at least Sentinel Reader role.

Why this answer

The HTTP 403 error indicates a permissions failure when the Logic App attempted to call the Microsoft Sentinel API. Since the Logic App uses a managed identity for authentication, the most likely cause is that the managed identity lacks the necessary role assignments on the Sentinel workspace, such as 'Microsoft Sentinel Contributor' or 'Microsoft Sentinel Reader', which are required to query incidents via the API.

Exam trap

The trap here is that candidates may confuse an HTTP 403 (forbidden/permissions) with an HTTP 401 (unauthenticated) or assume the managed identity itself is broken, when in fact the identity is valid but lacks the required RBAC role on the Sentinel workspace.

How to eliminate wrong answers

Option B is wrong because a managed identity's client ID is immutable and does not change; if it did, the identity itself would be broken, not just the permissions. Option C is wrong because a Logic App using a managed identity is inherently connected to Microsoft Entra ID (formerly Azure AD) — the managed identity is a feature of Entra ID, so a missing connection would prevent authentication entirely, not cause a 403. Option D is wrong because the scheduled query not running would result in no data or a different error (e.g., empty report), not an HTTP 403 from the Sentinel API; the 403 specifically indicates an authorization failure during the API call.

592
MCQ · hard

A security analyst is configuring a Microsoft Sentinel playbook to automatically respond to phishing incidents. The playbook should only run when an incident of severity 'High' is created and the incident is not already assigned to a user. Which automation rule condition and trigger configuration should the analyst use?

A. Configure an automation rule with trigger 'When incident is created', conditions for severity equals High and 'Assigned to' is empty, and action to run the playbook.
B. Configure a playbook trigger 'When an incident is updated' and add a condition in the playbook logic app to check severity and assignment.
C. Schedule the playbook to run every 5 minutes and query for new incidents with required properties.
D. Configure an automation rule with trigger 'When incident is created' and only condition for severity equals High; the playbook will handle unassigned checks internally.
Answer: A

This correctly triggers on incident creation with the specified conditions.

Why this answer

Option A is correct because the automation rule trigger 'When incident is created' ensures the playbook runs immediately upon incident creation, and the conditions for severity equals 'High' and 'Assigned to' is empty filter incidents precisely as required. This configuration offloads the filtering to Sentinel's automation rule engine, which is more efficient and reliable than handling it inside the playbook logic.

Exam trap

The trap here is that candidates often think the playbook itself should handle all logic (like checking assignment) via conditions inside the Logic App, but the automation rule's condition engine is designed for this filtering and is more efficient, leading them to choose Option D instead of A.

How to eliminate wrong answers

Option B is wrong because using the trigger 'When an incident is updated' would cause the playbook to run on every update, not just creation, and adding conditions inside the Logic App is less efficient and can introduce latency or missed triggers. Option C is wrong because scheduling a playbook to run every 5 minutes with a query is a polling approach that introduces delay and is not event-driven, violating the requirement for immediate response. Option D is wrong because while the automation rule triggers on creation and filters severity, it does not include the 'Assigned to' condition; relying on the playbook to check assignment internally is less efficient and can cause the playbook to run unnecessarily for assigned incidents, consuming resources and potentially causing unintended actions.

593
Multi-Select · hard

Which TWO actions should be taken to respond to a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

Select 2 answers
A. Block the IP address of the user's device at the firewall.
B. Suspend the user account in Microsoft Entra ID.
C. Report the user to Microsoft for investigation.
D. Revoke all active sessions for the user in Defender for Cloud Apps.
E. Run a full antivirus scan on the user's device.
Answers: B, D

Suspending the account stops the user from accessing any cloud apps immediately.

Why this answer

Suspending the user account and revoking active sessions are immediate containment actions. Blocking the IP is good but may not be sufficient if the user's account is compromised. Reporting to Microsoft is not immediate. Running a full antivirus scan is an endpoint action, not a response for cloud apps.

594
MCQ · hard

A company has multiple Azure subscriptions managed by Microsoft Defender for Cloud with enhanced security features enabled. The security team wants to ensure that all Azure SQL Servers have Advanced Data Security (ADS) enabled, including Vulnerability Assessment. They decide to use Azure Policy to enforce this at scale. Which built-in policy initiative should they assign to achieve this?

A. Enable Azure Monitor for VMs
B. Azure Security Benchmark
C. Deploy Diagnostics Settings for SQL Databases
D. Enable Advanced Threat Protection for SQL servers
Answer: B

The Azure Security Benchmark initiative includes policies to enable Advanced Data Security and Vulnerability Assessment on SQL servers.

Why this answer

The Azure Security Benchmark initiative includes built-in policies to enforce Advanced Data Security (ADS) and Vulnerability Assessment on Azure SQL Servers. Assigning this initiative at scale ensures compliance with security best practices across all subscriptions, as it contains the specific policy effect to enable ADS and VA automatically.

Exam trap

The trap here is that candidates often confuse a single policy (like 'Enable Advanced Threat Protection for SQL servers') with a policy initiative that bundles multiple related policies, leading them to select option D instead of the broader Azure Security Benchmark initiative that covers both ADS and Vulnerability Assessment enforcement.

How to eliminate wrong answers

Option A is wrong because 'Enable Azure Monitor for VMs' is an initiative focused on deploying the Log Analytics agent and VM insights, not on SQL Server security configurations. Option C is wrong because 'Deploy Diagnostics Settings for SQL Databases' only configures diagnostic logging to a Log Analytics workspace, but does not enable Advanced Data Security or Vulnerability Assessment. Option D is wrong because 'Enable Advanced Threat Protection for SQL servers' is a single policy, not a policy initiative; the question asks for a built-in policy initiative that enforces both ADS and Vulnerability Assessment at scale.

595
MCQ · medium

During an incident investigation in Microsoft Sentinel, you need to gather related events from multiple data sources into a single view for analysis. Which feature should you use?

A. Workbooks
B. Investigation graph
C. Watchlists
D. Logs blade
E. Analytics rules
Answer: B

Provides a visual map of entities and related data.

Why this answer

The Investigation graph in Microsoft Sentinel is specifically designed to visually correlate and explore related entities and events across multiple data sources within a single investigation. It allows you to pivot from an alert or entity to see connected users, hosts, IP addresses, and other events, providing a unified view for analysis. This feature directly addresses the need to gather related events from disparate sources into one cohesive view during incident response.

Exam trap

The trap here is that candidates often confuse the Investigation graph with Workbooks or the Logs blade, mistakenly thinking that any visualization or query tool can serve the same purpose, but the Investigation graph is the only feature purpose-built for interactive, entity-centric incident exploration in Sentinel.

How to eliminate wrong answers

Option A is wrong because Workbooks are used for creating custom dashboards and reports for visualizing data trends, not for interactive, entity-based incident investigation. Option C is wrong because Watchlists are static collections of data (e.g., IP addresses or hashes) used for correlation or enrichment in queries, not for dynamic event gathering across sources. Option D is wrong because the Logs blade is a query interface for running KQL queries against raw log data, but it does not provide a built-in, visual entity relationship view for incident investigation. Option E is wrong because Analytics rules are used to create detection logic that generates alerts, not to investigate or correlate events after an alert has been triggered.

596
MCQ · hard

You are a security analyst at Contoso. You manage a Microsoft Sentinel workspace with Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID (formerly Azure AD) data connectors. You are performing a proactive threat hunt for potential data exfiltration via external file sharing services like Dropbox and Google Drive. Your organization blocks these services on managed devices but users can access them from personal devices. You want to detect when users log in to these services from a corporate network using Microsoft Entra ID credentials. You have access to CloudAppEvents, AADSignInEventsBeta, and DeviceNetworkEvents tables in Microsoft Defender XDR advanced hunting. You need to create a hunting query that identifies sign-ins to external file sharing apps from corporate IP ranges. The query should also exclude sign-ins from known good service accounts. Which approach should you take?

A. Use DeviceNetworkEvents to find connections to file sharing service IPs, then correlate with AADSignInEventsBeta by user.
B. Filter CloudAppEvents for app categories 'file sharing' and where IP is in corporate range, then join with DeviceInfo for device ownership.
C. Join AADSignInEventsBeta with CloudAppEvents on AccountUpn, filter for app categories containing 'file sharing', and where IPAddress is in the corporate range.
D. Use DeviceNetworkEvents to find high-volume outbound traffic to cloud storage provider IP ranges, then manually investigate users.
Answer: C

Directly identifies the exact sign-in event to file sharing apps from corporate IPs.

Why this answer

Option C is correct because it joins sign-in events with cloud app events on the user principal name and filters by app category (file sharing) and corporate IP range, which directly identifies the behavior. Option A only looks at network events, missing the sign-in context. Option B relies on device info, which may not capture personal devices. Option D uses endpoint network events, missing the app context.

597
MCQ · hard

A security analyst is investigating an advanced persistent threat campaign that involves lateral movement using RDP. The analyst suspects that an attacker uses RDP from DeviceA to DeviceB, and then within a few minutes executes a malicious PowerShell script on DeviceB. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when this pattern occurs. Which KQL query pattern should be used to correlate these events across devices?

A.Use a self-join: query DeviceProcessEvents for mstsc.exe, extract the target device (e.g., from command line), and then join with another query on DeviceProcessEvents for PowerShell on the target device where the time difference between the events is less than 10 minutes.
B.Query DeviceNetworkEvents for RDP connections (port 3389) and then join with DeviceProcessEvents for PowerShell on the same device.
C.Use the 'union' operator to combine all mstsc.exe and PowerShell events, then summarize by device and time.
D.Query DeviceLogonEvents for RDP logon type and then join with DeviceProcessEvents for PowerShell on the same device.
AnswerA

This pattern correctly joins the two event sequences: the RDP client process on the source device and the subsequent script execution on the target device, with a time constraint to correlate them.

Why this answer

Option A is correct because it uses a self-join on DeviceProcessEvents to first detect the mstsc.exe process (RDP client) on DeviceA, extract the target device name from the command line, and then join with a second query on DeviceProcessEvents for PowerShell on DeviceB. The join condition includes a time difference of less than 10 minutes, which directly correlates the lateral movement (RDP) with the subsequent malicious script execution across devices, matching the described attack pattern.

Exam trap

The trap here is that candidates often choose options that only correlate events on a single device (like B or D) or reach for 'union' (C), which merely concatenates the two event sets and so loses the cross-device temporal sequence; they fail to recognise that a self-join is what correlates events across different devices in a lateral movement scenario.

How to eliminate wrong answers

Option B is wrong because it queries DeviceNetworkEvents for RDP connections (port 3389) and joins with DeviceProcessEvents on the same device, which would only correlate events on a single device (e.g., DeviceB) and fails to capture the cross-device lateral movement from DeviceA to DeviceB. Option C is wrong because using the 'union' operator to combine all mstsc.exe and PowerShell events and then summarizing by device and time loses the critical sequence and cross-device correlation; it cannot enforce that the RDP connection from DeviceA precedes the PowerShell execution on DeviceB within a specific time window. Option D is wrong because querying DeviceLogonEvents for RDP logons (LogonType 'RemoteInteractive', Windows logon type 10) and joining with DeviceProcessEvents on the same device only correlates activity on the target device (DeviceB); as written it never ties the sequence back to the mstsc.exe launch on DeviceA that the scenario describes.
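The self-join in option A written out, as an added example that is not from the original page. The RDP target is read from the mstsc.exe /v: argument, an assumption that holds for command-line launches but not for sessions opened from a saved .rdp file; hostnames on both sides are reduced to their short form so an FQDN in DeviceName still matches. Timestamp, ReportId and DeviceId are kept in the output because a custom detection rule requires them:

```kql
// Added example: mstsc.exe on a source device followed within 10 minutes by PowerShell
// on the device named in the /v: argument. Both halves come from DeviceProcessEvents,
// so this is a self-join on that table. The /v: parsing is an assumption (see lead-in).
let lookback = 1d;
let RdpClient = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName =~ "mstsc.exe"
| extend RdpTargetRaw = extract(@"/v:\s*([^\s:/]+)", 1, ProcessCommandLine)  // host from /v:host[:port]
| where isnotempty(RdpTargetRaw)
| extend RdpTarget = tolower(tostring(split(RdpTargetRaw, ".")[0]))        // short hostname
| project RdpTime = Timestamp, SourceDevice = DeviceName, SourceUser = AccountName,
          RdpTarget, RdpCommandLine = ProcessCommandLine;
let RemoteScript = DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| extend RdpTarget = tolower(tostring(split(DeviceName, ".")[0]))          // short hostname of the host running PowerShell
| project PsTime = Timestamp, TargetDevice = DeviceName, TargetUser = AccountName,
          RdpTarget, PsCommandLine = ProcessCommandLine, ReportId, DeviceId;
RdpClient
| join kind=inner RemoteScript on RdpTarget            // same host on both sides of the hop
| where PsTime - RdpTime between (0min .. 10min)      // script runs after the RDP launch, within the window
| where SourceDevice !~ TargetDevice                  // require a real hop between two hosts
| project Timestamp = PsTime, ReportId, DeviceId,     // required columns for a custom detection rule
          RdpTime, SourceDevice, SourceUser, TargetDevice, TargetUser,
          RdpCommandLine, PsCommandLine
| order by Timestamp desc
```

Before turning this into a custom detection, tune the window and add an allowlist for administrators' jump hosts; on a busy help desk the mstsc.exe-then-PowerShell pattern is common and the value of the rule comes from the command-line content, not the sequence alone.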

598
MCQmedium

You executed this Azure CLI command. What is the result?

A.A new hunting query is created in the Microsoft Sentinel workspace
B.The hunting query is immediately executed and results are displayed
C.An existing hunting query is updated with new query text
D.A new scheduled analytics rule is created
AnswerA

The command creates a hunting query resource.

Why this answer

Option A is correct because the command creates a new hunting query named 'Suspicious PowerShell' in the specified Microsoft Sentinel workspace. Option B is wrong because creating the query resource does not execute it; the query runs only when an analyst runs it from the Hunting page. Option C is wrong because the command creates a new resource rather than updating an existing query.

Option D is wrong because a hunting query is not an analytics rule; it has no schedule and does not generate incidents.

599
MCQeasy

You are reviewing the automation rule configuration shown in the exhibit. What is the purpose of this rule?

A.Automatically resolve incidents related to malware
B.Automatically close incidents with 'Malware' in the title
C.Run a playbook to isolate a device when an incident with 'Malware' in the alert title is created
D.Create a playbook for malware alerts
AnswerC

The rule triggers on incident creation with title containing 'Malware' and runs a playbook.

Why this answer

Option C is correct because the rule's trigger is incident creation, its condition is that the alert title contains 'Malware', and its action runs the playbook named 'IsolateDevice'. Option A is wrong because the configured action is to run a playbook, not to change the incident status to resolved. Option B is wrong for the same reason: the action is 'Run playbook', not 'Change status' to Closed.

Option D is wrong because an automation rule can only invoke a playbook that already exists; playbooks are created as Logic Apps, not by automation rules.

600
Multi-Selecthard

Which THREE steps are part of the containment phase of incident response in Microsoft Sentinel? (Select THREE.)

Select 3 answers
A.Disable compromised user accounts in Microsoft Entra ID.
B.Isolate affected devices using Microsoft Defender for Endpoint.
C.Collect forensic data from affected endpoints.
D.Block malicious IP addresses and domains in Microsoft Defender for Cloud Apps.
E.Restore encrypted files from backup.
AnswersA, B, D

Disabling accounts stops further misuse.

Why this answer

Option A is correct because disabling a compromised account in Microsoft Entra ID stops further unauthorized use of that identity. Option B is correct because isolating affected devices with Defender for Endpoint cuts them off from the network while keeping their connection to the Defender service for investigation. Option D is correct because blocking the malicious IP addresses and domains stops the attacker's infrastructure from being reached again.

Option C is wrong because collecting forensic data belongs to the investigation and analysis phase, not containment. Option E is wrong because restoring encrypted files from backup is a recovery step, taken only after the threat has been contained and eradicated.
