Microsoft Security Operations Analyst SC-200 (SC-200) — Questions 601–675

1639 questions total · 22 pages · All types, answers revealed


Page 9 of 22

601
MCQ (medium)

You are the lead security operations analyst for a company that uses Microsoft Defender XDR. The company has recently deployed Microsoft Copilot for Security to help analysts investigate incidents. During a recent incident involving a potential ransomware attack on multiple devices, the analysts used Copilot to generate an investigation summary and recommended actions. However, the analysts report that Copilot's responses are not specific to the incident; they are generic and do not include device-specific details. You need to ensure that Copilot provides context-aware responses that include specific device information from the incident. What should you do?

A. Assign the Microsoft 365 Defender role to the analysts in Microsoft Entra ID.
B. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel.
C. Instruct analysts to use the 'Investigate' capability in Copilot and provide the incident ID.
D. Configure a custom plugin in Copilot to fetch device data from Defender XDR.
Answer: C

Copilot can access incident details when given the incident ID, providing context-aware responses.

Why this answer

Option C is correct because Copilot for Security can access Defender XDR data, but to get device-specific context, analysts need to use the 'Investigate' capability with the incident ID. Option B is wrong because data connectors are for Sentinel, not Copilot. Licensing is not the cause either: Copilot does not require additional licensing beyond the Copilot license.

Option D is wrong because Copilot does not use plugins in this context.

602
MCQ (easy)

A security analyst reviews Microsoft Defender for Cloud recommendations for an Azure virtual machine. The VM has a recommendation titled 'Install endpoint protection solution on virtual machines'. The analyst clicks on the recommendation and sees affected resources. Which of the following best describes the purpose of this recommendation in the context of Defender for Cloud?

A. It identifies VMs that have an open network security group inbound rule that should be closed.
B. It suggests enabling Azure Firewall on the virtual network to protect the VM from external threats.
C. It recommends enabling disk encryption for the VM's OS and data disks.
D. It advises deploying a supported endpoint protection solution, such as Microsoft Defender Antivirus, to protect the VM from malware and other threats.
Answer: D

Correct. The recommendation prompts installation of endpoint protection software. Defender for Cloud integrates with Microsoft Defender Antivirus and supports partner solutions.

Why this answer

Option D is correct because the recommendation 'Install endpoint protection solution on virtual machines' in Microsoft Defender for Cloud specifically identifies VMs that lack a supported endpoint protection solution (e.g., Microsoft Defender Antivirus, Trend Micro, Symantec). Its purpose is to ensure that VMs are protected against malware, viruses, and other threats by deploying an endpoint protection solution, which is a core security control in the cloud security posture management (CSPM) framework.

Exam trap

The trap here is that candidates confuse 'endpoint protection' with network-level controls (like NSG rules or Azure Firewall) or data-at-rest protections (like disk encryption), leading them to select options A, B, or C instead of recognizing the specific focus on malware protection at the OS level.

How to eliminate wrong answers

Option A is wrong because it describes a recommendation related to network security groups (NSGs) and open inbound rules, which is a separate recommendation (e.g., 'All network ports should be restricted') and not about endpoint protection. Option B is wrong because it suggests enabling Azure Firewall, which is a network-level security service, not an endpoint protection solution; Defender for Cloud has distinct recommendations for network security. Option C is wrong because it refers to disk encryption (e.g., Azure Disk Encryption), which protects data at rest, not endpoint protection against malware; these are different security controls in Defender for Cloud.

603
MCQ (easy)

A security operations analyst is creating a scheduled analytics rule in Microsoft Sentinel to detect brute force attempts on Microsoft Entra ID authentication. Which data source is most appropriate for this rule?

A. Azure Activity Logs
B. SigninLogs
C. Office Activity Logs
D. SecurityEvent
Answer: B

SigninLogs contain successful and failed sign-in events needed to detect brute force attacks.

Why this answer

SigninLogs captures user authentication attempts to Microsoft Entra ID, including failed sign-ins, which are essential for detecting brute force attacks. This data source provides detailed properties such as IP address, application, and status codes (e.g., 50076 for invalid password), enabling accurate detection of repeated failed attempts. Azure Activity Logs, Office Activity Logs, and SecurityEvent do not contain Entra ID authentication events.

Exam trap

The trap here is that candidates often confuse Azure Activity Logs (control plane) with SigninLogs (authentication plane), assuming all Azure-related logs are in Activity Logs, but Entra ID sign-in events are a separate data source.

How to eliminate wrong answers

Option A is wrong because Azure Activity Logs record control-plane operations (e.g., resource creation, role assignments) on Azure resources, not user authentication events to Entra ID. Option C is wrong because Office Activity Logs capture actions within Microsoft 365 services (e.g., SharePoint, Exchange), not Entra ID sign-in attempts. Option D is wrong because SecurityEvent logs Windows security events from on-premises or Azure VMs, such as logon type 3 for network logins, and does not include cloud-based Entra ID authentication.

604
MCQ (hard)

A company uses Microsoft Sentinel with the Microsoft 365 Defender connector. The security team notices that alerts from Microsoft Defender for Endpoint (MDE) are not appearing in Sentinel. The MDE data connector status shows 'Connected'. Which step should you take to troubleshoot this issue?

A. Verify that the Microsoft 365 Defender connector is configured to ingest MDE alerts.
B. Check if the Microsoft Defender for Endpoint data connector is added.
C. Verify that the ingestion rules in Sentinel are not filtering out MDE alerts.
D. Check the Microsoft 365 Defender portal to ensure MDE alerts are being generated and forwarded to Microsoft 365 Defender.
Answer: D

If MDE alerts are not in Microsoft 365 Defender, they won't appear in Sentinel.

Why this answer

Option D is correct because the Microsoft 365 Defender connector brings in alerts from all Defender products, including MDE. If the connector is connected but alerts are missing, the issue is likely that the alerts are not being forwarded to Microsoft 365 Defender. Option A is not correct because MDE alerts are not a separate connector; Option B is not correct because the connector is already 'Connected'; Option C is not correct because ingestion rules filter after ingestion.

605
Multi-Select (easy)

Which TWO actions should be taken immediately when a compromised user account is detected in Microsoft Entra ID?

Select 2 answers
A. Revoke all current sessions.
B. Notify the user's manager.
C. Disable the user account.
D. Reset the user's password.
E. Block sign-ins from the user's IP address.
Answers: A, C

Terminates active sessions.

Why this answer

Revoking all current sessions (Option A) is a critical immediate action because it terminates all active authentication tokens and sessions for the compromised account, preventing the attacker from continuing to use existing tokens to access resources. This action leverages Microsoft Entra ID's token revocation capabilities, which invalidate refresh tokens and access tokens issued before the revocation, effectively cutting off the attacker's current access without waiting for password changes or other mitigations.

Exam trap

The trap here is that candidates often choose 'Reset the user's password' as the first action, overlooking that existing sessions remain valid until tokens expire, so session revocation must precede password reset to fully contain the compromise.

606
MCQ (easy)

You are a security operations analyst. You need to review all incidents from the past 24 hours that have a high severity and involve multiple users. In Microsoft Sentinel, which blade should you use?

A. Incidents
B. Hunting
C. Workbooks
D. Analytics
Answer: A

Incidents blade shows all incidents with filtering capabilities.

Why this answer

Option A is correct because the Incidents blade in Microsoft Sentinel shows all incidents with filters for severity, time, and entities like users. Option B is wrong because Hunting is for proactive threat hunting. Option C is wrong because Workbooks are for dashboards and visualizations.

Option D is wrong because Analytics is for creating rules.

607
MCQ (hard)

Refer to the exhibit. A SOC analyst runs this Advanced Hunting query in Microsoft Defender XDR to detect potential living-off-the-land (LotL) attacks. An alert is triggered when a device shows multiple occurrences of 'mshta.exe' executing with a remote script. Which additional data source should the analyst check to confirm the attack?

A. DeviceFileEvents
B. DeviceNetworkEvents
C. DeviceLogonEvents
D. DeviceRegistryEvents
Answer: B

Network events show connections to remote IPs, confirming the remote script execution.

Why this answer

The correct answer is B. Network communication from the device to an external IP would confirm a remote connection attempt. The other options are not directly relevant or are redundant.

608
Multi-Select (medium)

Which TWO techniques are commonly used in threat hunting with Microsoft Sentinel to identify lateral movement? (Choose two.)

Select 2 answers
A. Detecting port scanning activity from internal IPs.
B. Searching for multiple failed logon attempts from a single IP.
C. Looking for mass file deletion events on file servers.
D. Correlating service account usage with anomalous network connections.
E. Identifying remote PowerShell execution across multiple machines.
Answers: D, E

Service accounts used for lateral movement often show anomalous connections.

Why this answer

Lateral movement often involves remote execution and credential theft. Options D and E are correct. Option B is incorrect because failed logins may indicate brute force but not necessarily lateral movement.

Option A is incorrect because port scans are reconnaissance. Option C is incorrect because file deletion is often cleanup.

609
Multi-Select (medium)

Which TWO actions should an analyst take when triaging a Microsoft Sentinel incident that involves a user who clicked a malicious link in a phishing email? (Choose two.)

Select 2 answers
A. Reset the user's password immediately.
B. Block the sender's domain in the tenant's block list.
C. Run a KQL query on EmailEvents to identify the email and recipient.
D. Delete the email from the user's mailbox immediately.
E. Check the email's status in Microsoft Defender for Office 365 Threat Explorer.
Answers: C, E

Identifies the malicious email and affected user.

Why this answer

Options C and E are correct. C: Running a KQL query on EmailEvents identifies the email and user. E: Checking Microsoft Defender for Office 365 shows the threat status.

Option D is wrong because the analyst should not delete the email yet (investigation first). Option A is wrong because resetting the password is premature without evidence of compromise.

610
MCQ (hard)

A SOC analyst needs to write a KQL query for a Microsoft Sentinel scheduled analytics rule that detects impossible travel activity. The rule should alert when a user signs in from two different countries within 60 minutes. The analyst has the SigninLogs table with columns: UserPrincipalName, IPAddress, Location (country), TimeGenerated. Which KQL query pattern correctly triggers an alert for each pair of sign-ins meeting the condition?

A. Self-join SigninLogs on UserPrincipalName, where TimeGenerated difference < 60m and Location != Location, then summarize by bin(TimeGenerated, 1h).
B. Use the `make_list()` function to aggregate all locations per user within a 60-minute window and check if the list has more than one distinct value.
C. Use the `series_decompose()` function to detect outliers in location sequences.
D. Use the `rolling_join()` function to compare each sign-in with the previous one per user.
Answer: A

This pattern correctly identifies pairs and can be used to generate an alert for each pair.

Why this answer

Option A is correct because it uses a self-join on the SigninLogs table to compare each sign-in event with every other sign-in event for the same user (UserPrincipalName). The join condition filters for pairs where the absolute time difference is less than 60 minutes (TimeGenerated difference < 60m) and the locations are different (Location != Location). This directly identifies any two sign-ins from different countries within the 60-minute window, which is the exact definition of impossible travel.

The subsequent summarize by bin(TimeGenerated, 1h) groups the results into hourly buckets to trigger a single alert per detection window, as required by a scheduled analytics rule.

Exam trap

The trap here is that candidates may assume a simple aggregation (like `make_list()`) is sufficient, but they overlook the need for a pairwise comparison with a sliding 60-minute window, which only a self-join can correctly implement in KQL.

How to eliminate wrong answers

Option B is wrong because using `make_list()` to aggregate all locations per user within a 60-minute window and checking for more than one distinct value would only detect that multiple locations exist in that window, but it would not ensure that the sign-ins occurred within 60 minutes of each other (the window is fixed, not sliding) and would not pair specific sign-ins, potentially missing the exact 60-minute constraint or alerting on stale data. Option C is wrong because `series_decompose()` is a time-series decomposition function used for anomaly detection on numerical sequences (e.g., counts over time), not for comparing categorical location data across sign-in events; it cannot detect impossible travel based on pairwise location differences. Option D is wrong because KQL does not have a built-in `rolling_join()` function; the correct approach for comparing each sign-in with the previous one per user would involve the `prev()` function with a partition, not a join, and the option misrepresents the available KQL syntax.

611
MCQ (medium)

Your Microsoft Sentinel workspace receives logs from multiple sources. You need to ensure that an incident response playbook is triggered automatically when a specific alert is generated. What should you create?

A. A data connector.
B. An analytics rule.
C. An automation rule.
D. A new Logic App.
Answer: C

Automation rules can trigger playbooks on alert creation.

Why this answer

Option C is correct because an automation rule in Microsoft Sentinel can trigger a playbook when an alert is created. Option D is wrong because a logic app is the playbook itself, not the trigger. Option A is wrong because a data connector ingests data; it does not trigger actions.

Option B is wrong because an analytics rule generates alerts, but the playbook trigger is an automation rule.

612
MCQ (medium)

Your organization uses Microsoft Sentinel with multiple workspaces. You need to ensure that incidents involving the same alert in different workspaces are automatically grouped into a single incident. What should you configure?

A. Enable UEBA to correlate alerts across workspaces.
B. Set up an automation rule to merge incidents.
C. Create an analytics rule that runs across all workspaces.
D. Configure an incident grouping rule in Microsoft Sentinel.
Answer: D

Incident grouping rules use alert grouping to combine alerts from multiple workspaces.

Why this answer

Incident grouping rules in Sentinel allow grouping of alerts from different workspaces into a single incident based on matching entities or alert details. Option D is correct. Option C is wrong because analytics rules are per workspace.

Option B is wrong because automation rules act on incidents, not grouping. Option A is wrong because UEBA doesn't group incidents.

613
Multi-Select (hard)

You are configuring Microsoft Sentinel to ingest data from multiple sources. Which TWO of the following are valid data connectors that can be used to ingest AWS CloudTrail logs?

Select 2 answers
A. Azure Functions connector
B. Office 365 connector
C. AWS S3 connector
D. Microsoft Defender for Cloud connector
E. Syslog connector
Answers: A, C

Azure Functions can be used to pull logs from AWS via custom code.

Why this answer

Options A and C are correct. The AWS S3 connector (C) is a standard way to ingest CloudTrail logs. Azure Functions (A) can be used to run custom code to pull logs.

Option D is wrong because Microsoft Defender for Cloud is for Azure, not AWS. Option E is wrong because Syslog is for on-premises Linux systems, not AWS. Option B is wrong because the Office 365 connector is for Office 365, not AWS.

614
MCQ (medium)

A security team uses Microsoft Defender for Cloud to protect Azure virtual machines. They notice that a VM is generating alerts for unusual outbound connections. The team wants to use a Defender for Cloud feature that learns the VM's typical network behavior and provides recommendations to tighten network security group rules, while also alerting on suspicious deviations. Which feature should they enable?

A. Adaptive network hardening
B. Just-In-Time VM access
C. File integrity monitoring
D. Vulnerability scanning
Answer: A

Adaptive network hardening uses learning to lock down NSG rules and can alert on suspicious deviations from learned patterns.

Why this answer

Adaptive network hardening (ANH) is the correct feature because it uses machine learning to learn a VM's typical traffic patterns (including outbound connections), then analyzes the current Network Security Group (NSG) rules against those learned patterns. It provides recommendations to tighten NSG rules to allow only the traffic that is actually used, and it generates security alerts when it detects deviations from the learned baseline, such as unusual outbound connections.

Exam trap

The trap here is that candidates often confuse Just-In-Time VM access (which also deals with network security) with adaptive network hardening, but JIT only manages inbound port access, not outbound traffic analysis or rule tightening based on learned behavior.

How to eliminate wrong answers

Option B (Just-In-Time VM access) is wrong because it focuses on reducing the attack surface by locking down inbound RDP/SSH ports and granting temporary access, not on learning outbound network behavior or tightening NSG rules based on traffic patterns. Option C (File integrity monitoring) is wrong because it monitors changes to critical files, registries, and software, not network traffic or NSG rule recommendations. Option D (Vulnerability scanning) is wrong because it identifies missing patches and misconfigurations in the OS and applications, not network behavior or NSG rule hardening.

615
MCQ (easy)

Refer to the exhibit. An automation rule is created in Microsoft Sentinel. A new incident is created with severity 'Medium' and two alerts: one 'High' and one 'Medium'. Will the playbook run?

A. No, because the incident severity is Medium.
B. Yes, because the incident contains a High severity alert.
C. Yes, because the playbook runs on all incidents regardless.
D. No, because the condition requires all alerts to be High.
Answer: B

The incident severity is determined by the highest alert severity, so it is High, meeting the condition.

Why this answer

The condition checks 'AlertSeverity', but an incident can have multiple alerts with different severities. The condition evaluates the incident's overall severity, which is set to the highest alert severity. Since there is a High alert, the incident severity becomes High, so the condition is met.

616
MCQ (medium)

You are a security analyst. An incident in Microsoft Sentinel is assigned to you. The incident contains multiple alerts. You want to group related alerts into a single incident to reduce noise. What feature should you use?

A. Automation rules
B. Threat intelligence indicators
C. Incident details tab
D. Incident grouping settings in the analytics rule
Answer: D

Analytics rules have settings to group alerts into a single incident.

Why this answer

Option D is correct because incident grouping settings in analytics rules allow you to group alerts into a single incident based on criteria like entities or time window. Option C is for incident management, not grouping. Option A is for automating actions.

Option B is for enriching alerts with threat intelligence.

617
MCQ (hard)

Your organization, Contoso, uses Microsoft Sentinel in a single Log Analytics workspace. You have ingested logs from Microsoft Defender XDR, Microsoft Entra ID, and Azure Firewall. The SOC team needs to investigate an incident where a user's account was compromised and used to access sensitive data from an external IP address. The incident was created from a Microsoft Defender for Cloud Apps alert. The SOC team wants to automatically block the user from further access and disable the user account in Microsoft Entra ID. You need to design an automated response using Microsoft Sentinel playbooks. The solution must minimize manual intervention. Which option should you choose?

A. Create an automation rule that automatically changes the incident status to 'Active' and assigns it to a senior analyst.
B. Create a playbook that sends an email to the SOC team to manually disable the user.
C. Create a playbook that triggers on the alert and uses the Defender for Cloud Apps API to suspend the user. Configure the automation rule to run the playbook on incident creation.
D. Create a playbook that triggers on the incident and uses the Microsoft Graph API to disable the user account and revoke sessions. Configure the playbook to run automatically from an automation rule.
Answer: D

This is the correct approach. The playbook can directly disable the user in Entra ID and revoke sessions, providing immediate response.

Why this answer

Option D is correct because it uses a playbook triggered on incident creation and leverages the Microsoft Graph API to disable the user account and revoke sessions, which directly addresses the compromised account in Microsoft Entra ID. This approach minimizes manual intervention by automating the entire response within Microsoft Sentinel, aligning with the requirement to block further access and disable the account automatically.

Exam trap

The trap here is that candidates may choose Option C, mistakenly believing that suspending the user via Defender for Cloud Apps API is sufficient, but it does not disable the account in Microsoft Entra ID or revoke all sessions, leaving potential access paths open.

How to eliminate wrong answers

Option A is wrong because changing the incident status to 'Active' and assigning it to a senior analyst does not perform any automated remediation; it only escalates the incident, leaving the compromised account active. Option B is wrong because sending an email to the SOC team requires manual intervention to disable the user, which contradicts the requirement to minimize manual steps. Option C is wrong because triggering on the alert and using the Defender for Cloud Apps API to suspend the user may not fully disable the account in Microsoft Entra ID or revoke sessions, and the automation rule configured on incident creation would not directly trigger on the alert itself, leading to a mismatch in the trigger condition.

618
MCQ (easy)

You are hunting for signs of ransomware in your environment using Microsoft 365 Defender. Which advanced hunting table should you primarily query to detect file encryption events?

A. DeviceNetworkEvents
B. DeviceProcessEvents
C. DeviceFileEvents
D. DeviceRegistryEvents
Answer: C

File events show modifications that indicate encryption activity.

Why this answer

Option C is correct because DeviceFileEvents captures file creation, modification, and deletion events, which are typical for ransomware encryption. Option A is wrong because it's for network connections. Option B is wrong because it's for process creation.

Option D is wrong because it's for registry modifications.

619
MCQ (medium)

Your organization uses Microsoft Sentinel. A security analyst receives an alert from a custom analytics rule that triggers on a specific sequence of failed logon attempts followed by a successful logon from an unusual location. The incident is generated but the analyst is not sure if the activity is malicious or a user error. What should the analyst do first to quickly gather additional context?

A. Run a KQL query across the entire workspace to find all related events
B. Create a new analytics rule to detect similar patterns
C. Use the Investigation graph to explore related entities and events
D. Modify the existing analytics rule to add more conditions
Answer: C

The Investigation graph provides a visual, entity-based approach to quickly understand incident context.

Why this answer

Option C is correct because using the Investigation graph in Microsoft Sentinel allows the analyst to visually explore related entities and events to understand the scope and context of the incident. Option B is wrong because creating a new analytics rule would not help with immediate investigation. Option A is wrong because running a KQL query across the entire workspace is time-consuming and less efficient.

Option D is wrong because modifying the existing rule is not appropriate for investigating a single incident.

620
MCQ (medium)

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for identity-related threats. The solution should automatically contain a compromised user by disabling their account. Which setting should you enable?

A. Configure Conditional Access policies to block the user.
B. Enable automatic attack disruption in the Microsoft Defender XDR settings.
C. Use Microsoft Sentinel automation rules to disable the user.
D. Create a custom detection rule to alert on suspicious sign-ins.
Answer: B

This feature automatically contains compromised identities.

Why this answer

Option B is correct because Microsoft Defender XDR's automatic attack disruption feature is specifically designed to contain identity-related threats by automatically disabling compromised user accounts. This setting, found in the Microsoft Defender XDR settings under 'Automated investigation and response', triggers when high-confidence identity attacks (e.g., password spray, lateral movement) are detected, without requiring manual intervention or additional infrastructure.

Exam trap

The trap here is that candidates often confuse 'blocking sign-ins' (Conditional Access) with 'disabling the account' (automatic attack disruption), failing to recognize that only the latter fully contains a compromised user by preventing all authentication attempts, including those from trusted devices or locations.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies block sign-in attempts but do not disable the user account; the account remains active and could be used from non-compliant devices or after policy bypass. Option C is wrong because Microsoft Sentinel automation rules can trigger playbooks to disable users, but this requires custom configuration and is not the built-in automatic attack disruption mechanism within Defender XDR for identity threats. Option D is wrong because custom detection rules only generate alerts and do not automatically contain the user; they lack the automated response capability to disable the account.

621
MCQ (easy)

You are reviewing an automation rule ARM template for Microsoft Sentinel. What is the result of deploying this automation rule?

A. The rule assigns the incident to SOC-Tier2 only if the severity is Medium.
B. The rule triggers when an incident is updated and resets the severity to High.
C. When a High severity incident is created, the rule changes its severity to Medium and assigns it to SOC-Tier2.
D. The rule triggers when a High severity incident is created but does not change the severity.
Answer: C

Matches the trigger and action configuration.

Why this answer

Option C is correct because the trigger condition is 'Severity Equals High', and the action sets severity to 'Medium' and assigns to SOC-Tier2. So a high-severity incident is created, then changed to medium and assigned. Option B is wrong because the rule triggers on creation, not on update.

Option D is wrong because the action modifies severity. Option A is wrong because the trigger is High severity, not Medium, and the action does assign an owner.

622
MCQ (medium)

You are a threat hunter using PowerShell on a Windows 10 device. The command returns no output for a known threat ID. What is the most likely reason?

A. The Get-MpThreat cmdlet is deprecated.
B. The threat ID format is incorrect.
C. The threat has already been remediated and is no longer in the active threats list.
D. PowerShell must be run as administrator.
Answer: C

Get-MpThreat only returns active or quarantined threats; remediated threats are not listed.

Why this answer

Option C is correct because Get-MpThreat retrieves threats detected by Windows Defender Antivirus; if the threat was already remediated or removed, the command may return no results. Option A is incorrect because the cmdlet exists. Option D is incorrect because admin rights are not required to query.

Option B is incorrect because the threat ID is a number.

623
Multi-Select (easy)

Which TWO data connectors are available in Microsoft Sentinel to ingest data from Microsoft 365 services?

Select 2 answers
A. Azure Active Directory
B. Microsoft Defender for Cloud
C. Amazon Web Services
D. Microsoft Entra ID
E. Office 365
Answers: D, E

Ingests sign-in and audit logs.

Why this answer

Office 365 and Microsoft Entra ID connectors are native to Sentinel. Amazon Web Services is for AWS, Azure Active Directory is the old name, and Microsoft Defender for Cloud is a separate product.

624
MCQ (easy)

Your SOC team uses Microsoft Sentinel and Microsoft Defender XDR. A junior analyst creates a custom analytics rule in Sentinel that generates an excessive number of incidents. The rule appears to be running but not producing any results. What is the most likely cause?

A. The analyst does not have permissions to create incidents.
B. The rule is set to a low severity.
C. The rule's query syntax is invalid.
D. The rule is disabled.
Answer: C

Invalid queries return no results, so no incidents.

Why this answer

Option C is correct because if the query syntax is incorrect, the rule may run but return no results, thus no incidents. Option D is wrong because a disabled rule would not run. Option A is wrong because insufficient permissions would cause an error, not silent failure.

Option B is wrong because low severity does not prevent incident creation.

625
MCQ (medium)

You are using Microsoft Sentinel to manage incidents. You want to automatically close incidents that are older than 90 days and have a status of 'New'. What is the most efficient way to achieve this?

A.Create a workbook that shows old incidents and manually close them.
B.Create a playbook that runs on a schedule (e.g., daily) and closes incidents that meet the criteria.
C.Modify the analytics rule to automatically close incidents after 90 days.
D.Create an automation rule that triggers on incident update and closes the incident if the created time is older than 90 days.
AnswerB

A scheduled playbook can query incidents by age and close them.

Why this answer

Option B is correct because you can use a scheduled playbook to query incidents and close them based on conditions. Automation rules do not have a condition for incident age. Option A is wrong because workbooks are for visualization, not for bulk actions.

Option C is wrong because analytics rules generate alerts; they do not close incidents. Option D is wrong because automation rules cannot be triggered by time.

626
MCQmedium

Refer to the exhibit. A security analyst runs this PowerShell script to query a Log Analytics workspace. What is the purpose of this query?

A.Count the number of unique devices
B.Identify all PowerShell executions in the last 7 days
C.List all processes run by a specific account
D.Detect suspicious PowerShell activity using encoded commands
E.Find devices that have not run PowerShell recently
AnswerD

The query specifically looks for '-EncodedCommand'.

Why this answer

The query hunts for PowerShell executions with encoded commands, a common technique for obfuscation. It is not limited to specific users, recent activity, or only encoded commands without other criteria.

627
MCQeasy

A security administrator needs to view a list of all virtual machines that have a missing critical security update. Which Microsoft Defender for Cloud dashboard should they use?

A.Secure Score
B.Regulatory Compliance
C.Inventory
D.Recommendations
AnswerD

Recommendations includes 'System updates should be installed on your machines' which lists all VMs missing critical updates.

Why this answer

The Recommendations dashboard in Microsoft Defender for Cloud provides a prioritized list of security recommendations, including missing critical security updates for virtual machines. This dashboard aggregates findings from vulnerability assessments and update management, allowing administrators to identify and remediate specific missing patches across their VM fleet.

Exam trap

The trap here is that candidates confuse the Inventory dashboard (which lists all resources) with the Recommendations dashboard (which provides actionable security findings), leading them to select Inventory instead of the correct Recommendations option.

How to eliminate wrong answers

Option A is wrong because Secure Score measures overall security posture based on compliance with recommendations, but does not directly list VMs with missing updates. Option B is wrong because Regulatory Compliance focuses on adherence to compliance standards (e.g., ISO 27001, NIST) and does not surface specific missing security updates. Option C is wrong because Inventory provides a list of all resources (including VMs) but lacks the filtering and recommendation context needed to identify missing critical updates.

628
Multi-Selectmedium

Which TWO actions are appropriate when responding to a confirmed malware outbreak on multiple workstations identified by Microsoft Defender for Endpoint?

Select 2 answers
A.Collect investigation packages from the affected devices for analysis.
B.Add the malware hash to the custom threat indicator list.
C.Run a full antivirus scan on all workstations.
D.Reset passwords of all users who logged into the affected devices.
E.Isolate the affected devices from the network using Microsoft Defender for Endpoint.
AnswersA, E

Investigation packages provide forensic data to understand the scope and impact.

Why this answer

Collecting investigation packages and isolating affected devices are appropriate response actions. Running a full scan is reactive and not immediate. Resetting passwords may be needed later but not first.

Blocking indicators is proactive but doesn't contain already infected devices.

629
MCQmedium

During a threat hunt in Microsoft Sentinel, you find a query that returns a high number of false positives. Which action should you take to refine the hunt?

A.Increase the query time range to gather more data
B.Create a scheduled alert rule based on the query
C.Remove columns from the result set to simplify analysis
D.Add additional filters to the query to exclude known benign activity
AnswerD

Adding filters helps narrow results to only suspicious activity.

Why this answer

Option D is correct because tuning the query by adding more conditions reduces false positives. Option A is wrong because increasing the time range would likely increase false positives. Option C is wrong because removing columns does not affect false positives.

Option B is wrong because creating an alert rule is for ongoing detection, not for refining the hunt.

630
Multi-Selectmedium

Which TWO data sources are essential for threat hunting in Microsoft Sentinel to detect lateral movement?

Select 2 answers
A.Microsoft Entra ID sign-in logs
B.DeviceNetworkEvents (Microsoft Defender for Endpoint)
C.SecurityEvent (Windows Event Logs)
D.CommonSecurityLog (Syslog)
E.DnsEvents
AnswersB, C

Network connections are key for detecting lateral movement.

Why this answer

SecurityEvent (Windows Event Logs) provides process creation and logon events. DeviceNetworkEvents provides network connections. Option A is for identity only.

Option D is for Syslog/CEF sources such as firewalls and web proxies. Option E is for DNS. The correct options are B and C.

631
Multi-Selecthard

Your SOC is implementing a Microsoft Sentinel workspace with multiple content hub solutions. You need to ensure that only approved analytics rules are enabled and that any custom rules are reviewed before activation. Which THREE actions should you take?

Select 3 answers
A.Configure Threat Intelligence - Taxii connector to import rules from an external feed.
B.Use the Hunting blade to create custom hunting queries instead of analytics rules.
C.Use Microsoft Sentinel Repositories (CI/CD) to manage analytics rules via Azure DevOps or GitHub.
D.In Content hub, install only the solutions that contain approved analytics rules.
E.Create an automation rule that disables any newly created analytics rule that is not in an approved list.
AnswersC, D, E

CI/CD pipelines enforce approval workflows before rules are deployed.

Why this answer

Option C (Repositories) allows CI/CD to control rule deployment. Option D (Content hub) allows selecting only approved solutions. Option E (Automation rules) can disable unapproved rules when created.

Option A is for threat intelligence, not rule management. Option B is for hunting, not rule approval.

632
Multi-Selectmedium

Which TWO actions are valid ways to reduce the number of false positive incidents in Microsoft Sentinel without disabling analytics rules?

Select 2 answers
A.Configure the rule to group all alerts into a single incident per entity.
B.Increase the rule run frequency.
C.Change the incident severity to Informational.
D.Modify the rule's query to include additional filters.
E.Create an automation rule to close incidents that match certain criteria.
AnswersD, E

Adding filters can exclude benign activity.

Why this answer

Options D and E are correct. Option D: Tuning the rule's query logic (e.g., adding exclusions) reduces false positives. Option E: Automation rules can close incidents based on conditions.

Option A is wrong because grouping alerts per entity does not filter false positives. Option B is wrong because increasing run frequency does not reduce false positives. Option C is wrong because changing severity does not reduce incidents.

633
Matchingmedium

Match each Microsoft Sentinel data connector to its data source.


Subscription-level events from Azure Resource Manager

Sign-in logs and audit logs from Azure Active Directory

Security events from Windows machines

Events from Linux and network devices

Exchange Online and SharePoint Online logs

Why these pairings

These connectors ingest data into Microsoft Sentinel from common sources.

634
Multi-Selecthard

Which TWO features in Microsoft Sentinel can help reduce alert fatigue by grouping related alerts into incidents? (Select two.)

Select 2 answers
A.Incident merging
B.Entity behavior analytics
C.Automation rules that run playbooks
D.Analytics rules that create incidents
E.Threat intelligence indicators
AnswersA, D

Merging combines related incidents into one.

Why this answer

Incident creation from analytics rules groups alerts, and incident merging combines related incidents. Options A and D are correct. Option B is for data enrichment and anomaly scoring, not grouping.

Option C is for automation, not grouping. Option E is for threat intel.

635
MCQmedium

Your organization is using Microsoft Defender for Cloud Apps to protect cloud applications. The security team wants to be alerted when a user shares a sensitive file with an external user. What should you configure?

A.Activity policy
B.App discovery policy
C.Anomaly detection policy
D.File policy
AnswerD

File policies can monitor file sharing and trigger alerts.

Why this answer

Option D is correct because file policies in Defender for Cloud Apps can monitor file sharing activities and trigger alerts based on conditions like sharing with external users. Option A is wrong because activity policies focus on user activities, not file-specific actions. Option C is wrong because anomaly detection policies detect unusual user behavior, not specific file sharing.

Option B is wrong because app discovery policies are for discovering cloud apps.

636
MCQmedium

A security operations team has Microsoft Defender for Cloud enabled on all subscriptions and wants to forward security alerts and recommendations to Microsoft Sentinel for analysis and automation. Which configuration should the team implement to enable this integration?

A.In Microsoft Sentinel, add the 'Microsoft Defender for Cloud' data connector and select the subscriptions to stream alerts and recommendations.
B.In Microsoft Defender for Cloud, create a continuous export to a Log Analytics workspace that is already connected to Sentinel.
C.Create an Azure Policy that deploys Azure Monitor Agent to all VMs and configures data collection rules to send data to Sentinel.
D.Enable the 'Enable integration with Microsoft Sentinel' option in the Defender for Cloud pricing & settings blade.
AnswerA

This is the correct integration path: enabling the connector in Sentinel to ingest security events from Defender for Cloud.

Why this answer

Option A is correct because the 'Microsoft Defender for Cloud' data connector in Microsoft Sentinel is the native integration point that allows you to stream security alerts and recommendations from Defender for Cloud into Sentinel. By adding this connector and selecting the subscriptions, you enable a direct, bi-directional connection that ingests Defender for Cloud data into Sentinel's Log Analytics workspace for analysis and automation.

Exam trap

The trap here is that candidates confuse the direction of integration, thinking they must configure it from Defender for Cloud (Option D) or use continuous export (Option B), when in fact the integration is initiated from Microsoft Sentinel by adding the data connector.

How to eliminate wrong answers

Option B is wrong because continuous export in Defender for Cloud exports data to a Log Analytics workspace, but it does not automatically connect to Sentinel; you must still use the Sentinel data connector to ingest that data. Option C is wrong because Azure Policy deploying Azure Monitor Agent to VMs and configuring data collection rules sends VM-level telemetry, not Defender for Cloud security alerts and recommendations. Option D is wrong because the 'Enable integration with Microsoft Sentinel' option in Defender for Cloud's pricing & settings blade does not exist; the integration is configured from within Sentinel, not Defender for Cloud.

637
MCQmedium

Refer to the exhibit. You are investigating a user entity in Microsoft Sentinel. The entity details show a riskLevel of 'high' and riskState 'atRisk'. What does this indicate?

A.The user account has been disabled
B.The user account triggered a Sentinel analytics rule
C.The user account has been flagged by Microsoft Entra ID Protection as at risk
D.The user account has been confirmed compromised
AnswerC

The riskLevel and riskState fields come from Microsoft Entra ID Protection integration.

Why this answer

Option C is correct because the riskLevel of 'high' and riskState of 'atRisk' are specific properties populated by Microsoft Entra ID Protection (formerly Azure AD Identity Protection). These values indicate that the user account has been flagged as risky based on real-time risk detections (e.g., leaked credentials, anonymous IP address, atypical travel). This is not a direct result of a Sentinel analytics rule, nor does it mean the account is disabled or confirmed compromised—it means the identity protection service has detected suspicious activity and assigned a risk level.

Exam trap

The trap here is that candidates often confuse the riskLevel and riskState fields from Microsoft Entra ID Protection with Sentinel analytics rule alerts, assuming any 'high risk' label must come from a detection rule, when in fact these fields are native identity protection properties that are enriched into the entity.

How to eliminate wrong answers

Option A is wrong because a disabled user account would show a different entity property (e.g., accountEnabled: false) and would not be reflected in the riskLevel or riskState fields, which are specific to identity risk detection. Option B is wrong because triggering a Sentinel analytics rule would generate an incident or alert, but the riskLevel and riskState fields on the user entity are populated by Microsoft Entra ID Protection, not by Sentinel analytics rules. Option D is wrong because a riskState of 'atRisk' indicates the account is suspected to be compromised but has not yet been confirmed; a confirmed compromise would show a riskState of 'confirmedCompromised'.

638
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that an alert is created when a user accesses a sensitive SharePoint site from an unusual location. What should you create?

A.A watchlist
B.An analytics rule
C.A playbook
D.An automation rule
AnswerB

Analytics rules can detect suspicious access patterns and generate alerts.

Why this answer

An analytics rule can be created to detect user access from unusual locations using Sentinel's built-in templates or custom KQL. Option B is correct. Option D (automation rule) responds to incidents; it does not create alerts.

Option C (playbook) is for response. Option A (watchlist) stores data but doesn't generate alerts.

639
MCQeasy

Your organization uses Microsoft Purview Data Loss Prevention (DLP) policies. You need to investigate an incident where sensitive data was shared externally. You want to view the details in Microsoft Sentinel. What should you ensure is configured?

A.The Microsoft 365 data connector in Microsoft Sentinel is enabled and configured to collect DLP alerts.
B.The SharePoint site is configured for external sharing.
C.The DLP policy must be set to 'Audit only' mode.
D.The unified audit log is enabled and the DLP events are being generated.
AnswerA

This connector ingests DLP alerts.

Why this answer

Option A is correct because Microsoft Purview DLP alerts can be ingested into Microsoft Sentinel via the Microsoft 365 connector (now part of the Microsoft Defender XDR connector). Option C is a DLP policy mode setting, not an ingestion configuration. Option D is for auditing.

Option B is a SharePoint sharing setting, not an ingestion configuration.

640
MCQhard

Refer to the exhibit. A custom detection rule in Microsoft Sentinel uses this JSON definition. An analyst notices that the rule is generating alerts for legitimate administrative scripts launched from File Explorer. What is the best way to reduce false positives while retaining detection of malicious Office-based PowerShell launches?

A.Add an additional filter to exclude PowerShell executions from specific administrative user accounts
B.Increase the query time range to 30 days
C.Change the severity to Informational to suppress alerts
D.Remove the parent process filter and rely only on FileName == 'powershell.exe'
AnswerA

Excluding known admin accounts helps reduce noise while keeping detection for other users.

Why this answer

Option A is correct because adding conditions to exclude known administrative scenarios (e.g., specific user accounts or command-line patterns) reduces false positives without removing the parent process filter entirely. Option D is wrong because removing the parent process filter would broaden detection, likely increasing false positives. Option C is wrong because lowering severity does not reduce false positives.

Option B is wrong because increasing the time range does not help.

641
MCQhard

Your organization uses Microsoft Defender XDR incident queue. You want to automatically assign incidents related to a specific campaign to a dedicated SOC group. What should you create?

A.A standard rule in Microsoft Defender for Endpoint.
B.An automation rule in Microsoft Sentinel.
C.A custom detection rule in Microsoft Defender XDR that includes an incident assignment action.
D.A custom role in Microsoft Defender XDR.
AnswerC

Custom detections can assign incidents to groups.

Why this answer

Option C is correct because Microsoft Defender XDR allows creation of custom detection rules that can automatically assign incidents. Option B is wrong because automation rules in Microsoft Sentinel are for Sentinel incidents, not Defender XDR incidents. Option A is wrong because standard rules in MDE do not assign incidents.

Option D is wrong because custom roles are for access control, not automation.

642
MCQhard

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel to trigger a playbook when an alert is created. However, the playbook does not run. What is the most likely cause?

A.The JSON syntax is invalid.
B.The playbook's resource ID is incorrect.
C.The automation rule lacks permissions to the playbook.
D.The displayName is not unique.
AnswerB

An incorrect resource ID prevents the automation rule from finding the playbook.

Why this answer

Option B is correct because the `logicAppResourceId` might be incorrect or the playbook might not be accessible. Option D is wrong because the rule's display name is irrelevant. Option C is wrong because there is no permission issue indicated.

Option A is wrong because the JSON is valid.

643
MCQeasy

Your organization uses Microsoft Sentinel. A security analyst reports a high number of false positives from a scheduled analytics rule that detects anomalous sign-ins. The rule uses the 'UserAgent' field in the SigninLogs table. What is the best practice to reduce false positives while maintaining detection coverage?

A.Increase the alert threshold to require more than one anomalous sign-in per hour.
B.Create a watchlist of legitimate IP addresses and reference it in the rule.
C.Disable the analytics rule and create a new one with different MITRE tactics.
D.Add a condition to the rule query to filter out known legitimate user agents.
AnswerD

Filtering out known legitimate user agents reduces false positives while maintaining detection.

Why this answer

Option D is correct because adding a filter to exclude known legitimate user agents reduces noise without removing the rule. Option C is wrong because disabling the rule removes coverage. Option B is wrong because creating a watchlist is useful but does not directly reduce false positives from the rule.

Option A is wrong because increasing the threshold may miss real attacks.

644
MCQmedium

An organization wants to enable vulnerability assessment for all Azure virtual machines, including future ones, using the integrated Qualys or Microsoft Defender Vulnerability Management solution. What is the recommended approach in Microsoft Defender for Cloud?

A.Enable the Defender for Servers plan and configure auto-provisioning of the vulnerability assessment solution.
B.Manually install the Log Analytics agent and then configure vulnerability assessment on each VM.
C.Use Azure Policy to assign the built-in initiative that deploys the vulnerability assessment solution and associates it with VMs.
D.Enable Azure Security Center's free tier and manually download the vulnerability assessment tool.
AnswerA

This enables built-in VA and automatically deploys it to all supported VMs.

Why this answer

The recommended approach is to enable the Defender for Servers plan, which automatically provisions the integrated vulnerability assessment solution (Qualys or Microsoft Defender Vulnerability Management) on all existing and future Azure VMs. This ensures continuous scanning without manual intervention, leveraging auto-provisioning to deploy the necessary extension.

Exam trap

The trap here is that candidates often confuse Azure Policy with the primary deployment mechanism, but the correct approach requires enabling the Defender for Servers plan first, as the policy initiative is dependent on that plan being active.

How to eliminate wrong answers

Option B is wrong because manually installing the Log Analytics agent and configuring vulnerability assessment on each VM is not scalable and does not leverage the automated, integrated solution provided by Defender for Cloud. Option C is wrong because while Azure Policy can enforce compliance, the built-in initiative for vulnerability assessment requires the Defender for Servers plan to be enabled first; it is not a standalone deployment method. Option D is wrong because the free tier of Azure Security Center does not include vulnerability assessment capabilities; it only provides basic security recommendations without the integrated scanning solution.

645
Multi-Selecteasy

Which TWO Azure services can be used to automate response actions in Microsoft Sentinel when an incident is created?

Select 2 answers
A.Azure Automation
B.Azure Logic Apps
C.Azure Functions
D.Azure Event Grid
E.Power Automate
AnswersB, C

Logic Apps can be used as playbooks in Sentinel.

Why this answer

Azure Logic Apps (B) is correct because it provides a native connector for Microsoft Sentinel that enables automated incident response workflows, such as triggering playbooks when an incident is created. Azure Functions (C) is correct because it allows custom code execution in response to Sentinel incidents via HTTP triggers or integration with Azure Automation, enabling complex automation beyond Logic Apps' capabilities.

Exam trap

The trap here is that candidates often confuse Azure Automation with Azure Logic Apps, assuming Automation can directly trigger on Sentinel incidents, but Automation runbooks require a separate trigger (e.g., from Logic Apps or Functions) and are not natively integrated with Sentinel's incident creation pipeline.

646
MCQeasy

You are hunting for suspicious scheduled tasks that could be used for persistence. Which Microsoft 365 Defender advanced hunting table contains information about scheduled tasks?

A.IdentityLogonEvents
B.DeviceEvents
C.DeviceNetworkEvents
D.DeviceProcessEvents
AnswerB

Contains events like scheduled task creation (EventID 4698).

Why this answer

DeviceEvents includes various system events, including scheduled task creation via EventID 4698. DeviceProcessEvents is for processes. DeviceNetworkEvents is for network.

IdentityLogonEvents is for logons. The correct table is DeviceEvents.

647
MCQmedium

A security team uses Microsoft Defender for Cloud with Defender for Servers enabled. They want to receive an alert whenever a new local user is added to the Administrators group on any Azure Windows virtual machine. Which data source must be configured in Defender for Cloud to capture this event?

A.Windows Security Events (Event ID 4732)
B.Windows Defender Antivirus logs
C.Azure Activity Logs
D.VM Insights
AnswerA

Event 4732 logs when a member is added to a security-enabled local group. Defender for Cloud can collect security events and alert on this specific event.

Why this answer

Option A is correct because the addition of a user to the Administrators group on a Windows system generates Windows Security Event ID 4732. Defender for Cloud with Defender for Servers must have the 'Windows Security Events' data source configured to collect these audit events, which then triggers a security alert for the new local administrator.

Exam trap

The trap here is that candidates often confuse Azure Activity Logs (control-plane) with guest OS security events, assuming any Azure-level log will capture local user changes, but only the Windows Security Events data source collects the necessary Event ID 4732 from within the VM.

How to eliminate wrong answers

Option B is wrong because Windows Defender Antivirus logs contain malware detection and protection events, not user or group membership changes. Option C is wrong because Azure Activity Logs record control-plane operations on Azure resources (e.g., VM creation or deletion), not guest OS-level events like local group modifications. Option D is wrong because VM Insights collects performance metrics, process inventory, and network connections via the Log Analytics agent, but it does not natively capture Windows Security Event ID 4732 unless the Windows Security Events data source is explicitly configured.

648
MCQeasy

You are hunting for possible data exfiltration via email in Microsoft 365. Which data source in Microsoft Sentinel provides the most relevant telemetry for email forwarding rules?

A.Microsoft Defender for Cloud Apps logs
B.Windows Security Events
C.Azure AD sign-in logs
D.Office 365 audit logs (Exchange)
AnswerD

Exchange audit logs record changes to mailbox forwarding rules, crucial for exfiltration hunting.

Why this answer

Option D is correct because Office 365 audit logs capture changes to mailbox rules, including forwarding. Option C is wrong because Azure AD sign-in logs show authentication, not mail flow. Option B is wrong because Windows Security Events are for on-premises hosts.

Option A is wrong because Microsoft Defender for Cloud Apps logs cover cloud app activity but not specifically mailbox rules.

649
MCQeasy

You need to grant a junior analyst the ability to view and investigate incidents in Microsoft Sentinel, but not make any changes. Which built-in role should you assign?

A.Microsoft Sentinel Responder
B.Microsoft Sentinel Contributor
C.Microsoft Sentinel Automation Contributor
D.Microsoft Sentinel Reader
AnswerD

Read-only role for Sentinel.

Why this answer

The Microsoft Sentinel Reader role provides read-only access to Sentinel resources, including incidents, workbooks, and analytics rules, without allowing any modifications. This aligns with the requirement to view and investigate incidents without making changes, as the role explicitly denies write, delete, or action permissions on Sentinel data.

Exam trap

The trap here is that candidates often confuse 'view and investigate' with the ability to update incident status or run playbooks, leading them to choose the Responder role, which actually allows changes.

How to eliminate wrong answers

Option A is wrong because the Microsoft Sentinel Responder role allows updating incidents (e.g., changing status, assigning ownership) and running playbooks, which includes making changes, not just viewing. Option B is wrong because the Microsoft Sentinel Contributor role grants full write access to Sentinel resources, including creating and modifying incidents, analytics rules, and automation rules, which exceeds the read-only requirement. Option C is wrong because the Microsoft Sentinel Automation Contributor role is specifically designed to manage automation rules and playbooks, not for viewing or investigating incidents, and it includes write permissions to automation components.

650
MCQhard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Defender XDR advanced hunting. What is the most likely purpose of this query?

A.To find accounts with failed logon attempts indicating brute force
B.To find devices that made outbound network connections to known malicious IPs
C.To identify accounts or devices with high volumes of suspicious PowerShell activity
D.To detect persistence mechanisms like scheduled tasks
AnswerC

The query focuses on PowerShell with encoding/switches and high counts.

Why this answer

Option C is correct because the query filters for PowerShell executions with encoded or command-line switches and groups by device and account, looking for devices/accounts with more than 5 such executions in the last 7 days. This is typical for detecting excessive use of PowerShell for suspicious activity. Option B is wrong because the query does not check for network connections.

Option D is wrong because the query counts executions, not persistence mechanisms. Option A is wrong because the query is not about failed logons or weak credentials.

651
Multi-Selectmedium

Which TWO actions can be performed using automation rules in Microsoft Sentinel?

Select 2 answers
A.Run a playbook
B.Assign an incident to an owner
C.Create an incident
D.Modify an analytics rule
E.Delete an incident
AnswersA, B

Automation rules can trigger playbooks as an action.

Why this answer

Automation rules can run playbooks and assign incidents to owners. They cannot create incidents (that's done by analytics rules) or modify analytics rules (that's done manually or via API). They also cannot delete incidents.

652
MCQmedium

A company has enabled Microsoft Defender for Cloud on their subscription containing Azure SQL databases. They receive an alert about a potential SQL injection attack. The analyst wants to see the actual query that was executed. Where can the analyst find the query details associated with the alert?

A.In the alert's entity tab
B.By opening the SQL database's threat detection logs
C.In the Azure Activity Log
D.In the alert's diagnostic data
AnswerA

The entity tab within an alert details page shows the related entities, including the SQL query that was flagged.

Why this answer

Option A is correct because when Microsoft Defender for Cloud detects a SQL injection attack, the alert details include an 'Entities' tab that contains the actual SQL query that was executed. This tab provides the raw query text, which is essential for the analyst to understand the exact payload used in the attack and to assess the impact on the database.

Exam trap

The trap here is that candidates often confuse the Azure Activity Log (control-plane) with data-plane logs, or assume that threat detection logs are the primary source for query details, when in fact the alert's entity tab is the direct, curated source for the executed query.

How to eliminate wrong answers

Option B is wrong because SQL database's threat detection logs (e.g., Azure SQL Auditing or Advanced Threat Protection logs) may show query patterns but do not directly expose the specific query associated with a Defender for Cloud alert; the alert itself surfaces the query in its entities. Option C is wrong because the Azure Activity Log records control-plane operations (e.g., resource creation, policy changes) and does not capture data-plane events like SQL queries executed against a database. Option D is wrong because the alert's diagnostic data typically includes metadata such as severity, timestamp, and affected resources, but not the actual SQL query text; that is stored in the entities tab.

653
MCQhard

A threat hunter is investigating a potential data exfiltration incident. The hunter suspects that a user is using an unauthorized cloud storage service. Which Microsoft Defender for Cloud Apps signal would be most useful to detect this activity?

A.Cloud Discovery
B.Microsoft Defender for Endpoint Web Protection
C.Microsoft Defender for Identity
D.Microsoft Defender for Office 365 Safe Links
AnswerA

Cloud Discovery identifies shadow IT and cloud app usage.

Why this answer

Option A is correct because Defender for Cloud Apps can discover shadow IT cloud apps. Option B is wrong because it is for web filtering, not cloud apps. Option C is wrong because it does not detect cloud app usage.

Option D is wrong because it is for email protection.

654
MCQhard

Your company uses Microsoft Defender for Cloud to assess the security posture of hybrid workloads. You are configuring a governance rule to automatically remediate a specific recommendation that is out of compliance. The recommendation is 'Virtual machines should be migrated to new Azure Resource Manager resources'. You need to ensure that the remediation is applied at scale across all subscriptions in the management group. What should you do?

A.Create a PowerShell script that runs on each VM to migrate it, and execute it via Azure Automation.
B.Create an Azure Policy initiative that includes the recommendation and assign it with a remediation task at the management group level.
C.Create a governance rule in Microsoft Defender for Cloud with scope set to the management group, condition on the recommendation, and action set to 'Automatic'.
D.Create a governance rule in Microsoft Defender for Cloud with scope set to a single subscription and action set to 'Automatic'.
AnswerC

Governance rules can be scoped to management groups and perform automatic remediation.

Why this answer

Option C is correct because governance rules in Microsoft Defender for Cloud allow you to define automatic remediation actions for specific recommendations at scale. By setting the scope to the management group, the rule applies to all subscriptions within that group, and the 'Automatic' action triggers the built-in remediation script for the 'Virtual machines should be migrated to new Azure Resource Manager resources' recommendation without requiring custom scripting or policy assignments.

Exam trap

The trap here is that candidates may confuse Azure Policy remediation tasks with Defender for Cloud governance rules, not realizing that governance rules provide a simpler, built-in mechanism for automatic remediation of specific recommendations at scale without requiring separate policy assignments.

How to eliminate wrong answers

Option A is wrong because creating a PowerShell script and executing it via Azure Automation is a manual, custom approach that does not leverage Defender for Cloud's native governance rule capability for automatic, at-scale remediation across all subscriptions in a management group. Option B is wrong because Azure Policy initiatives can enforce compliance but do not directly integrate with Defender for Cloud's governance rules for automatic remediation of specific recommendations; a governance rule is the correct mechanism for this scenario. Option D is wrong because setting the scope to a single subscription would not apply the remediation across all subscriptions in the management group, failing the requirement for at-scale application.

655
MCQhard

Refer to the exhibit. You are analyzing a KQL query for a Microsoft Sentinel scheduled rule. The query is intended to detect devices that have both a high number of process executions and network connections to a single IP within an hour. However, the query returns no results even though there are devices meeting the criteria. What is the most likely cause?

A.The threshold variable is not used correctly
B.The join condition does not include a time window, causing mismatches
C.The DeviceProcessEvents and DeviceNetworkEvents tables are from different data sources
D.The summarize function cannot count process executions
AnswerB

Without a time window, the join may not align events from the same time period.

Why this answer

Option B is correct because the join between DeviceProcessEvents and DeviceNetworkEvents lacks a time window constraint (e.g., 'on $left.Timestamp between ($right.Timestamp - 1h) and ($right.Timestamp + 1h)'). Without this, the join matches events across arbitrary time ranges, causing mismatches where a device's process executions and network connections to a single IP occur at different times, even if both happen within the same hour. This results in no rows being returned when the intended detection requires temporal proximity.

Exam trap

The trap here is that candidates assume a simple key-based join (e.g., on DeviceId) is sufficient, overlooking the critical need for a time window to correlate events that occur within the same detection window, which is a common pitfall in KQL-based detection rules.

How to eliminate wrong answers

Option A is wrong because the threshold variable (e.g., 'let threshold = 10;') is used correctly in the query to filter aggregated counts; the issue is not with variable usage but with the join logic. Option C is wrong because DeviceProcessEvents and DeviceNetworkEvents are both Microsoft Defender for Endpoint tables in the same Advanced Hunting schema, so they are from the same data source and can be joined directly. Option D is wrong because the summarize function can count process executions using 'count()' or 'dcount()' on the DeviceProcessEvents table; the failure is not due to a limitation of summarize.

656
Multi-Selecteasy

Which TWO options are valid ways to create an incident in Microsoft Sentinel?

Select 2 answers
A.By creating a workbook
B.From an alert generated by an analytics rule
C.By importing data from a watchlist
D.By running a hunting query
E.By synchronizing incidents from Microsoft Defender XDR
AnswersB, E

Analytics rules create alerts that are grouped into incidents.

Why this answer

Options B and E are correct. Analytics rules generate alerts that become incidents, and Microsoft Defender XDR incidents are synchronized. Option A is wrong because workbooks are read-only.

Option C is wrong because watchlists are for enrichment. Option D is wrong because hunting queries require manual creation of incidents.

657
MCQeasy

A threat hunter in Microsoft Sentinel wants to detect attempts to disable security logging on Windows servers using a KQL query. Which Windows Event ID should the query filter on to capture security log clearing events?

A.4688
B.4624
C.5145
D.1102
AnswerD

Event ID 1102 is logged when the security log is cleared.

Why this answer

Event ID 1102 in Windows Security log indicates the security log was cleared, which is a common technique used by attackers to cover tracks. Option A (4688) is for process creation. Option B (4624) is for successful logon.

Option C (5145) is for network share access.

658
Multi-Selectmedium

A threat hunter is using Microsoft Sentinel to hunt for signs of privilege escalation via Azure AD role assignment changes. Which TWO KQL operators or functions are most useful for identifying changes that added a user to a high-privilege role?

Select 2 answers
A.project
B.evaluate
C.mvexpand
D.summarize
E.where
AnswersD, E

Aggregates data to show counts of role assignments per user or role.

Why this answer

Option E (where) filters for specific operations like 'Add member to role'. Option D (summarize) can count changes per user or role. Option A (project) only selects columns.

Option C (mvexpand) expands multi-valued fields. Option B (evaluate) is for plugin operators.

659
MCQmedium

An organization has enabled Microsoft Defender for Cloud's enhanced security features. They want to ensure that newly provisioned Azure virtual machines automatically have the built-in vulnerability assessment solution installed. Which configuration should they enable in Defender for Cloud?

A.Auto-provisioning of the Log Analytics agent
B.Auto-provisioning of the vulnerability assessment solution
C.Automatic provisioning of all security agents
D.Azure Policy assignment for Update Management
AnswerB

This setting automatically deploys a vulnerability assessment agent (e.g., Qualys or Microsoft built-in) to new VMs, ensuring continuous scanning.

Why this answer

Option B is correct because Microsoft Defender for Cloud's enhanced security features include a dedicated auto-provisioning setting specifically for the built-in vulnerability assessment solution (powered by Qualys). When enabled, this setting automatically deploys the vulnerability assessment extension to all new and existing Azure VMs, ensuring continuous vulnerability scanning without manual intervention.

Exam trap

The trap here is that candidates often confuse the Log Analytics agent's auto-provisioning (which enables data collection for security alerts) with the separate vulnerability assessment auto-provisioning, assuming that log collection alone covers vulnerability scanning, when in fact a dedicated extension is required for that purpose.

How to eliminate wrong answers

Option A is wrong because auto-provisioning of the Log Analytics agent collects security events and telemetry for monitoring, but it does not install the vulnerability assessment solution; the vulnerability scanner is a separate extension. Option C is wrong because 'automatic provisioning of all security agents' is not a specific configuration in Defender for Cloud; the platform offers individual auto-provisioning toggles for specific agents (e.g., Log Analytics, vulnerability assessment, endpoint protection), not a single 'all agents' option. Option D is wrong because Azure Policy assignment for Update Management manages OS patch compliance via Azure Automation Update Management, not the installation of a vulnerability assessment solution.

660
MCQhard

Your company uses Microsoft Defender for Endpoint (MDE) on all Windows 10 devices. You are investigating a machine that is suspected of being part of a botnet. The machine is communicating with a known C2 server at IP 203.0.113.55. You have confirmed that the IP is malicious. You need to block all outbound traffic from the machine to that IP immediately, and also ensure that no other devices in the organization can communicate with that IP. The solution must be implemented without deploying additional network appliances. What should you do?

A.Create a network protection policy in Microsoft Intune to block the IP
B.Create a custom network indicator in Microsoft Defender for Endpoint with action 'Alert and block'
C.Use the Microsoft Defender for Endpoint portal to block the IP globally
D.Create a firewall rule in Windows Defender Firewall to block outbound traffic to the IP, and deploy via Group Policy
AnswerB

Custom network indicators allow blocking IPs across all MDE devices.

Why this answer

Option B is correct because custom network indicators in MDE can block IPs at the device level, and the action applies to all MDE-enrolled devices. Option A is wrong because MDE network protection does not support custom IP blocking via policy. Option D is wrong because Windows Defender Firewall rules would need to be deployed via GPO or Intune, which is slower and more complex.

Option C is wrong because the MDE portal does not have a global IP blocklist feature.

661
Multi-Selecthard

Which TWO indicators of compromise (IOCs) are most likely to be included in a Microsoft Sentinel threat intelligence feed to detect a known malware campaign?

Select 2 answers
A.Domain name
B.File hash (SHA-256)
C.Email address
D.Registry key
E.IP address
AnswersB, E

File hashes are widely used to identify malware samples.

Why this answer

Correct answers are B and E. File hashes and IP addresses are common IOCs used in threat intelligence feeds. Domain names and email addresses are also used but are less common for malware detection.

Registry keys are not typical IOCs in feeds.

662
Multi-Selectmedium

Your organization uses Microsoft 365 Defender. You are investigating a potential malware outbreak on several endpoints. Which TWO actions should you take to isolate affected devices and prevent lateral movement?

Select 2 answers
A.Use Microsoft Defender for Endpoint to initiate device isolation on affected devices.
B.Run a full antivirus scan on all endpoints.
C.Reset the passwords of all users on the affected devices.
D.Delete the user accounts that logged into the affected devices.
E.Block the file hash of the malware in Microsoft Defender for Endpoint indicators.
AnswersA, E

Isolation stops network communication, preventing lateral spread.

Why this answer

Options A and E are correct. Isolating devices from the network (A) prevents communication with other devices, and blocking the malicious file hash (E) prevents execution on other endpoints. Option C is wrong because resetting passwords does not stop lateral movement.

Option B is wrong because running a full scan takes time and does not immediately isolate. Option D is wrong because deleting user accounts is too drastic and not focused on lateral movement.

663
MCQmedium

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule defined in JSON. The rule is intended to trigger an incident when more than 5 sign-ins from anomalous locations occur within an hour. However, the rule is not triggering as expected. What is the most likely cause?

A.The severity is set to 'Medium', but it must be an integer.
B.The query references a column that does not exist in the SigninLogs table.
C.The triggerThreshold is set to 5, but it should be a string like '5'.
D.The queryFrequency and queryPeriod are set to the same value, which is not allowed.
AnswerB

Correct. 'RiskLevelDuringSignIn' is not a valid column; the correct column is 'RiskLevelDuringSignIn'.

Why this answer

Option B is correct because the query references a column that does not exist in the SigninLogs table. In Microsoft Sentinel, if a scheduled analytics rule's KQL query references a non-existent column, the query will fail silently or return no results, preventing the rule from triggering an incident. The rule logic depends on the query returning a result set that meets the trigger threshold, and a missing column causes the query to fail or return zero rows.

Exam trap

The trap here is that candidates may focus on the JSON syntax or rule configuration parameters (like severity type or triggerThreshold) instead of recognizing that the core issue is a KQL query referencing a non-existent column, which is a common data source mismatch error.

How to eliminate wrong answers

Option A is wrong because the 'severity' field in a Sentinel analytics rule JSON must be a string (e.g., 'Medium'), not an integer; the rule would fail to validate if it were an integer. Option C is wrong because 'triggerThreshold' is not a valid field in a Sentinel scheduled analytics rule; the correct field is 'triggerOperator' and 'triggerThreshold' is used in other contexts like Azure Monitor alerts, and it must be an integer, not a string. Option D is wrong because setting 'queryFrequency' and 'queryPeriod' to the same value is allowed and is actually common for rules that look back exactly one frequency window; the rule would still run correctly.

664
Multi-Selectmedium

Which THREE indicators of compromise (IOCs) are commonly used in Microsoft Sentinel to detect advanced persistent threats (APTs)? (Choose THREE.)

Select 3 answers
A.Suspicious domains and URLs.
B.Vulnerability scan results.
C.File hashes (SHA256) of known malware.
D.Windows event IDs for successful logins.
E.IP addresses of known command and control servers.
AnswersA, C, E

Domains and URLs are common IOCs.

Why this answer

Options A, C, and E are common IOCs. Option B is not an IOC; it is security product output. Option D is not typically used as an IOC.

665
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID (Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Identity (MDI) integrated with Microsoft Defender XDR. An incident is raised indicating that a user account has been compromised because of an anomaly in Kerberos protocol activity. The incident severity is High. You need to contain the incident immediately by disabling the user account across both on-premises and cloud. However, you also want to preserve the account for forensic analysis. What is the recommended course of action?

A.Delete the user account from Microsoft Entra ID and on-premises AD immediately.
B.Reset the user's password in Microsoft Entra ID and force a password change at next logon on-premises.
C.Enable conditional access policy to require MFA for the user and revoke all refresh tokens.
D.From Microsoft Defender XDR incident, use the action to disable the user account in Microsoft Entra ID and also disable the on-premises account using a playbook that runs a PowerShell script.
AnswerD

Disabling the account stops access and preserves the account for forensics.

Why this answer

To contain the incident, you can disable the account in Microsoft Entra ID and on-premises AD. However, to preserve the account for forensics, you should disable it rather than delete it. Option D is correct because disabling the account in both locations stops access while preserving the account.

Option B is wrong because resetting the password alone does not prevent Kerberos abuse if the account is already compromised. Option C is wrong because requiring MFA does not block on-premises authentication. Option A is wrong because deleting the account would lose forensic evidence.

666
MCQmedium

You are investigating a potential ransomware incident in Microsoft Defender XDR. The incident has a high severity alert indicating that a user installed a suspicious application. Which initial response action should you take to contain the threat while preserving evidence?

A.Isolate the device using Microsoft Defender for Endpoint.
B.Reset the user's password and enforce MFA.
C.Uninstall the suspicious application via Intune.
D.Disable the user account in Microsoft Entra ID.
AnswerA

Isolation stops communication and contains the threat while preserving evidence.

Why this answer

Option A is correct because isolating the device from the network immediately stops lateral movement and data exfiltration while preserving forensic data. Option D is wrong because disabling the user account does not stop the malware from running. Option C is wrong because deleting the application may remove evidence.

Option B is wrong because resetting the password does not contain the threat.

667
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud that a virtual machine has a high severity vulnerability: 'CVE-2023-XXXX' with a CVSS score of 9.8. The virtual machine is running a critical application for the finance department. You need to remediate the vulnerability as quickly as possible while minimizing downtime. The application vendor has not yet released a patch but has provided a workaround. What should you do?

A.Dismiss the alert as a false positive because no patch is available.
B.Shut down the virtual machine until a patch is available.
C.Implement the workaround provided by the vendor and create a custom remediation task in Defender for Cloud to track the issue.
D.Apply a network security group to block all inbound traffic to the VM.
AnswerC

Workaround reduces risk while minimizing downtime.

Why this answer

Option C is correct because applying the vendor-provided workaround reduces the risk while waiting for a patch. Option B is wrong because shutting down the VM causes downtime. Option D is wrong because network isolation may not be sufficient.

Option A is wrong because ignoring the alert is not acceptable.

668
MCQeasy

In Microsoft 365 Defender, what is the primary function of the Action center?

A.Manage user roles and permissions for the security portal.
B.View and manage pending and completed remediation actions from automated investigations.
C.Create custom detection rules using advanced hunting queries.
D.Manage threat intelligence feeds and indicators.
AnswerB

The Action center lists all actions taken by automated investigations and allows analysts to approve or reject them.

Why this answer

The Action center in Microsoft 365 Defender is the centralized console for tracking and managing remediation actions generated by automated investigations. It consolidates both pending actions (requiring approval) and completed actions (e.g., quarantining a file, blocking an IP) across Defender for Endpoint, Office 365, Identity, and Cloud Apps, ensuring security teams can review and approve or reject responses without switching contexts.

Exam trap

The trap here is that candidates confuse the Action center with the 'Hunting' or 'Indicators' sections, mistakenly thinking it is for creating custom rules or managing threat intelligence, when its sole purpose is remediation action tracking and approval from automated investigations.

How to eliminate wrong answers

Option A is wrong because managing user roles and permissions is handled via Azure AD roles and the Microsoft 365 Defender portal's permissions settings, not the Action center. Option C is wrong because creating custom detection rules using advanced hunting queries is done through the 'Custom detection rules' section under 'Hunting', not the Action center. Option D is wrong because managing threat intelligence feeds and indicators is performed in the 'Indicators' settings under 'Settings > Endpoints' or via the Microsoft Defender Threat Intelligence portal, not the Action center.

669
MCQhard

Refer to the exhibit. You are investigating incidents related to suspicious process injection. The KQL query above is run in Microsoft Sentinel. What is the purpose of this query?

A.To find alerts that occurred within a specific time range
B.To list all alerts of type 'Suspicious process injection' in the last 7 days
C.To get a count of 'Suspicious process injection' alerts grouped by compromised entity and severity, sorted by count
D.To identify the compromised entities with the highest severity alerts
AnswerC

This matches the query logic.

Why this answer

The correct answer is C because the query summarizes alerts by compromised entity and severity, then orders by count. Option A is wrong because it does not show all alerts. Option B is wrong because it does not filter by time.

Option D is wrong because it does not list all entities.

670
MCQeasy

You are investigating an incident where a user reported receiving a suspicious email with an attachment. The attachment is a .docm file that contains macros. The email was not blocked by Exchange Online Protection. You need to ensure that similar emails are blocked in the future. What should you configure?

A.Create a Safe Links policy to block links in the email.
B.Create a Safe Attachments policy that blocks .docm files.
C.Create an anti-phishing policy to block the sender's domain.
D.Create a transport rule to block emails with .docm attachments.
AnswerB

Safe Attachments detonates attachments in a sandbox and blocks malicious content.

Why this answer

Option B is correct because a Safe Attachments policy in Microsoft Defender for Office 365 will scan attachments and block malicious ones. Option A is wrong because Safe Links scans URLs, not attachments. Option C is wrong because anti-phishing policies protect against impersonation, not malicious attachments.

Option D is wrong because anti-malware policies in Exchange Online Protection are basic and may not detect macro-based malware effectively.

671
Multi-Selecthard

Your organization uses Microsoft Defender XDR. A security incident involving a compromised user account has been identified. Which THREE actions should you take to contain and remediate the incident?

Select 3 answers
A.Disable the user account in Microsoft Entra ID.
B.Reset the user's password.
C.Block all IP addresses that the user has connected from.
D.Revoke all active sessions and tokens for the user.
E.Restore the user's mailbox from a backup.
AnswersA, B, D

Disabling the account stops further access.

Why this answer

Disabling the user account prevents further access. Resetting the password ensures the attacker cannot use the old credentials. Revoking sessions forces termination of active sessions.

Option C is incorrect because blocking all IPs is too broad and may affect legitimate users. Option E is incorrect because restoring from backup is not immediate and may not address the root cause.

672
Multi-Selecthard

Which THREE techniques are effective for hunting for living-off-the-land (LotL) attacks using Microsoft Sentinel?

Select 3 answers
A.Monitoring for installation of third-party software on endpoints.
B.Hunting for WMI activity using Event ID 5861 and correlating with process creation events.
C.Tracking non-interactive logon sessions (Logon Type 5).
D.Analyzing PowerShell script block logs (Event ID 4104) for encoded commands or unusual parameters.
E.Correlating remote service creation events (Event ID 7045) with network connections from administrative tools.
AnswersB, D, E

WMI is a built-in tool abused for lateral movement and execution.

Why this answer

Options B, D, and E are correct. Option E detects connections from administrative tools (e.g., PsExec). Option D identifies anomalous PowerShell usage.

Option B detects WMI lateral movement. Option A is wrong because it focuses on third-party binaries, the opposite of LotL. Option C is wrong because non-interactive logons are common for services, not specific to LotL.

673
Multi-Selectmedium

Which TWO capabilities are provided by Microsoft Copilot for Security within the Microsoft Sentinel experience?

Select 2 answers
A.Suggest KQL queries based on a description of what you want to detect.
B.Deploy a new workbook template from a description.
C.Modify an existing playbook by adding steps through natural language.
D.Generate a natural language summary of an incident.
E.Automatically create an automation rule based on a chat prompt.
AnswersA, D

Copilot can assist with KQL.

Why this answer

Option A is correct because Microsoft Copilot for Security in Microsoft Sentinel can generate KQL queries from natural language descriptions, allowing analysts to quickly create detection rules without manually writing KQL syntax. This capability leverages AI to interpret the analyst's intent and produce a query that matches the described detection logic.

Exam trap

The trap here is that candidates may assume Copilot can automate operational tasks like deploying templates or modifying playbooks, but its capabilities are limited to generating KQL queries and summarizing incidents, not performing infrastructure changes.

674
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed without investigation. You need to identify why the incident was closed automatically. Which Sentinel feature should you review?

A.Analytics rules
B.Automation rules
C.Playbooks
D.Workbooks
E.Watchlists
AnswerB

Automation rules can automatically close incidents based on conditions such as severity or title.

Why this answer

Automation rules can be configured to automatically close incidents based on conditions. Playbooks require manual triggering or automation rules. Analytics rules create incidents, not close them.

Workbooks and watchlists do not close incidents.

675
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. A security analyst discovers that a user's account has been compromised and is exfiltrating sensitive data from SharePoint Online. The analyst needs to immediately block the suspicious activities while allowing legitimate user activities to continue. What should the analyst do?

A.Reset the user's password and require MFA
B.Suspend the user from Defender for Cloud Apps
C.Revoke all OAuth tokens for the user
D.Block the user's IP address in the firewall
AnswerB

Suspending the user immediately blocks access to all cloud apps.

Why this answer

Option B is correct because the 'Suspend user' action in Defender for Cloud Apps immediately blocks the user's access to cloud apps, stopping exfiltration. Option C is wrong because revoking all OAuth tokens might affect other apps and is less targeted. Option A is wrong because changing the password does not immediately stop active sessions.

Option D is wrong because blocking the IP address may affect other users if the IP is shared.
