CCNA Manage a security operations environment Questions

75 of 554 questions · Page 1/8 · Manage a security operations environment

1
MCQ (easy)

Your SOC team uses Microsoft Sentinel incident investigation. An analyst needs to quickly see all related entities (users, IPs, machines) for an incident. Which feature should the analyst use?

A. Incident timeline
B. Hunting blade
C. Entity behavior analytics page
D. Incident investigation graph
Answer: D

The investigation graph shows all related entities.

Why this answer

The Incident investigation graph in Microsoft Sentinel provides a visual, interactive map of all entities (users, IPs, machines) linked to an incident, allowing analysts to quickly see relationships and pivot between entities. This is the dedicated feature for entity-centric incident exploration, unlike other options that serve different purposes.

Exam trap

Microsoft often tests the distinction between a chronological timeline (incident timeline) and a relational graph (investigation graph), leading candidates to confuse the incident timeline's alert sequence with the entity relationship view.

How to eliminate wrong answers

Option A is wrong because the Incident timeline shows a chronological list of alerts and activities within an incident, not a visual graph of related entities. Option B is wrong because the Hunting blade is used for proactive threat hunting with KQL queries, not for viewing entities tied to an existing incident. Option C is wrong because the Entity behavior analytics page provides behavioral insights and anomalies for a single entity over time, not a consolidated view of all entities related to an incident.

2
MCQ (easy)

Refer to the exhibit. You are running a PowerShell script to enable the Anomalies setting in Microsoft Sentinel. After running the script, you check the Sentinel settings in the portal and see that Anomalies is still disabled. What is the most likely reason?

A. The cmdlet 'Set-AzSentinelSetting' does not exist in the Az module.
B. The user does not have Contributor permissions on the workspace.
C. The script requires the -PassThru parameter to apply changes.
D. The workspace was not retrieved correctly because the name is misspelled.
Answer: A

The correct cmdlet is 'Update-AzSentinelSetting' or similar.

Why this answer

The cmdlet 'Set-AzSentinelSetting' does not exist in the official Az.SecurityInsights module. Microsoft Sentinel settings, including Anomalies, are managed via the REST API or the 'Update-AzSentinelSetting' cmdlet (part of the Az.SecurityInsights preview module). Running a non-existent cmdlet would produce an error, not apply any changes, leaving Anomalies disabled in the portal.

Exam trap

The trap here is that candidates assume all Azure PowerShell cmdlets follow the 'Set-*' naming convention, but Microsoft Sentinel settings specifically use 'Update-*' in the Az.SecurityInsights module, leading to the mistaken belief that 'Set-AzSentinelSetting' is valid.

How to eliminate wrong answers

Option B is wrong because Contributor permissions on the workspace are sufficient to modify Sentinel settings; the issue is the cmdlet itself, not permissions. Option C is wrong because the -PassThru parameter is used to output the result object but is not required for the change to apply; its absence does not prevent the setting from being saved. Option D is wrong because even if the workspace name were misspelled, the script would fail with a 'workspace not found' error, not silently leave Anomalies disabled; the question states the script ran, implying no retrieval error.

3
MCQ (hard)

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to reduce data ingestion costs while retaining security events for one year. You have enabled Azure Monitor Agent on all servers. What should you do?

A. Configure a daily ingestion cap and enable archiving for data older than 90 days.
B. Configure a daily ingestion cap and enable Basic Logs for the workspace.
C. Set a daily ingestion cap and convert the workspace to Auxiliary Logs.
D. Reduce the data retention period to 90 days and set a daily ingestion cap.
Answer: B

Basic Logs reduce storage cost and can be retained for up to one year.

Why this answer

Option B is correct because configuring a daily ingestion cap limits the total data ingested per day, directly controlling costs. Enabling Basic Logs for the workspace allows you to store security events at a lower ingestion cost while retaining them for up to one year, as Basic Logs support up to 365 days of retention by default. This combination meets the requirement to reduce costs and retain security events for one year without losing data.

Exam trap

The trap here is that candidates confuse archiving or retention reduction with cost savings, but the question specifically requires retaining security events for one year, so only Basic Logs (which offer low-cost long-term retention) combined with a daily ingestion cap satisfy both cost reduction and retention requirements.

How to eliminate wrong answers

Option A is wrong because enabling archiving for data older than 90 days does not reduce ingestion costs; archiving only reduces storage costs for data already ingested, and the daily ingestion cap alone does not address the need for one-year retention of security events. Option C is wrong because Auxiliary Logs are not a valid log category in Microsoft Sentinel; the correct low-cost log plan is Basic Logs, and converting the workspace to Auxiliary Logs would break Sentinel functionality. Option D is wrong because reducing the data retention period to 90 days directly contradicts the requirement to retain security events for one year, and a daily ingestion cap alone does not provide the necessary retention duration.

4
MCQ (hard)

Your organization uses Microsoft Sentinel with UEBA enabled. You need to identify anomalous user behavior that indicates a potential compromise. Which entity behavior analytics feature should you use?

A. Automation rules
B. Hunting queries
C. Entity behavior analytics peer comparison
D. Anomaly rules in analytics
Answer: C

UEBA compares user behavior to peers to detect anomalies.

Why this answer

UEBA in Sentinel uses anomaly detection models to baseline user behavior, compare it with that of peers, and alert on deviations, so Option C is correct. Option D (anomaly rules in analytics) is for generating alerts. Option A is for automation. Option B is for hunting.

5
MCQ (medium)

Your security team uses Microsoft Defender XDR to investigate incidents. You have a custom detection rule that runs a KQL query every hour. Recently, the rule stopped generating alerts. You verify that the query syntax is correct and that data is being ingested. What is the most likely cause?

A. The alert suppression threshold is configured too high.
B. The Microsoft Defender XDR license has expired.
C. An automation rule is deleting the alerts.
D. The query is not returning any results.
Answer: A

Suppression may prevent alerts from being generated.

Why this answer

The custom detection rule uses an alert suppression threshold, which prevents alerts from being generated unless the query results exceed a specified count. If this threshold is set too high, the rule may stop generating alerts even though the query returns valid results, because the number of matching events no longer meets the suppression limit. This is the most likely cause given that the query syntax is correct and data is being ingested.

Exam trap

The trap here is that candidates often assume a query returning no results (Option D) is the cause, but the question explicitly confirms data ingestion and correct syntax, so the issue is more likely a misconfigured suppression threshold that silently drops alerts.

How to eliminate wrong answers

Option B is wrong because if the Microsoft Defender XDR license had expired, the entire service would be affected, not just a single custom detection rule, and you would likely see broader licensing errors or service degradation. Option C is wrong because automation rules in Microsoft Defender XDR can take actions on alerts (e.g., assign, resolve, or trigger playbooks), but they do not delete alerts; they modify alert properties or trigger automated responses, not remove alerts from the system. Option D is wrong because the scenario states that data is being ingested and the query syntax is correct, so the query should return results; if it returned no results, the rule would not generate alerts, but the question explicitly says data is being ingested, making this unlikely.

6
MCQ (easy)

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Microsoft Defender XDR are synchronized to Microsoft Sentinel with the same status (e.g., 'Active', 'Resolved'). What should you configure?

A. Create a custom playbook to poll Defender XDR API and update Sentinel incidents.
B. Connect Microsoft Defender XDR to Microsoft Sentinel using the official data connector.
C. Manually update status in both systems.
D. Disable the Microsoft Defender XDR connector and use separate connectors for each workload.
Answer: B

The connector provides bi-directional sync of incidents and status.

Why this answer

Option B is correct because bi-directional synchronization of incidents and their status is built in when you connect Microsoft Defender XDR to Sentinel with the official data connector. Option A is wrong because a playbook would be unnecessary and could cause duplicates. Option C is wrong because manual synchronization is not practical. Option D is wrong because the Microsoft Defender XDR connector does sync status by default.

7
MCQ (hard)

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. An incident is created from a Defender for Endpoint alert about a malware detection on a device. The incident has low priority, but you want to automatically isolate the device from the network if the alert is confirmed as a true positive by the SOC. What is the recommended approach?

A. Create a separate analytics rule that triggers on the same alert and uses a playbook to isolate the device.
B. Use automatic attack disruption in Microsoft Defender XDR to isolate the device automatically.
C. Configure an automated response in Defender for Endpoint to isolate the device immediately when an alert is generated.
D. Create an automation rule in Microsoft Sentinel that triggers a playbook with an approval step before executing device isolation.
Answer: D

This ensures human confirmation before taking action.

Why this answer

Option D is correct because an automation rule can trigger a playbook that requires manual approval before isolating the device, ensuring a human confirms the alert. Option C is wrong because immediate isolation without confirmation could impact productivity. Option B is wrong because automatic attack disruption may isolate based on severity but does not wait for SOC confirmation. Option A is wrong because a separate analytics rule cannot isolate devices; it only generates incidents.

8
MCQ (medium)

Your security team receives frequent false positive alerts from Microsoft Defender for Cloud Apps. You need to reduce noise without disabling any threat detection policies. What should you do?

A. Disable the built-in anomaly detection policies that generate false positives.
B. Configure suppression rules based on user, IP, or app to automatically dismiss matching alerts.
C. Adjust the alert severity thresholds in the policy settings.
D. Create custom detection policies to override default rules.
Answer: B

Suppression rules allow dismissing alerts without disabling detection.

Why this answer

Option B is correct because suppression rules in Microsoft Defender for Cloud Apps allow you to automatically dismiss alerts that match specific criteria (e.g., user, IP address, or app) without disabling the underlying threat detection policy. This reduces false positive noise while keeping the detection engine active for genuine threats. Disabling policies or adjusting severity thresholds would either remove detection entirely or fail to address the root cause of false positives.

Exam trap

The trap here is that candidates often confuse 'suppression' with 'disabling' or 'tuning' policies, assuming that reducing noise requires altering detection logic or severity, rather than using the dedicated suppression feature that automatically dismisses matching alerts without affecting detection.

How to eliminate wrong answers

Option A is wrong because disabling built-in anomaly detection policies would remove threat detection capabilities entirely, contradicting the requirement to not disable any threat detection policies. Option C is wrong because adjusting alert severity thresholds only changes the classification of alerts (e.g., from high to medium) but does not suppress or dismiss them, so false positives would still appear in the console. Option D is wrong because creating custom detection policies adds new rules but does not reduce noise from existing default policies; it would not suppress false positives generated by the built-in policies.

9
MCQ (hard)

A SOC manager wants to implement a new workflow where high-severity Microsoft Defender for Cloud Apps alerts are automatically sent to a Teams channel for immediate action. The solution must not require custom code. What should the manager configure?

A. Use Microsoft Power Automate to monitor the alerts and send a Teams message
B. Configure a rule in Microsoft Defender XDR to send email notifications
C. Create an automation rule in Microsoft Sentinel with a playbook that posts to Teams
D. Configure Microsoft Entra ID to send the alerts to Teams
Answer: C

Microsoft Sentinel can ingest Defender for Cloud Apps alerts and use playbooks to post to Teams.

Why this answer

Option C is correct because Microsoft Sentinel's automation rules can trigger a playbook (built on Azure Logic Apps) when a high-severity alert is generated, and the playbook can post a message to a Teams channel without requiring custom code. This directly meets the requirement of automatically sending high-severity Microsoft Defender for Cloud Apps alerts to Teams for immediate action, leveraging built-in connectors.

Exam trap

The trap here is that candidates may confuse Microsoft Defender XDR's email notification rules with the ability to send Teams messages, or assume Power Automate is the correct low-code solution, but the question's requirement for no custom code and direct integration with Microsoft Defender for Cloud Apps alerts points specifically to Sentinel's automation rules with playbooks.

How to eliminate wrong answers

Option A is wrong because Microsoft Power Automate does not natively integrate with Microsoft Defender for Cloud Apps alerts to trigger on them directly; it would require custom connectors or workarounds, and the question explicitly states no custom code is allowed. Option B is wrong because configuring a rule in Microsoft Defender XDR to send email notifications only sends emails, not Teams messages, and does not meet the requirement of sending alerts to a Teams channel. Option D is wrong because Microsoft Entra ID (formerly Azure AD) is an identity and access management service and does not have the capability to send alerts from Microsoft Defender for Cloud Apps to Teams.

10
MCQ (easy)

Your organization is planning to deploy Microsoft Sentinel. You need to ensure that security events from on-premises servers are sent to Sentinel. Which connector should you use?

A. Install the Log Analytics agent (MMA) on the servers and connect to Sentinel workspace.
B. Use the Microsoft Defender for Cloud (MDC) connector to stream security events.
C. Enable Azure Arc on the servers and use the Arc agent to forward events.
D. Install the Azure Monitor Agent (AMA) on the servers and configure a Data Collection Rule (DCR) to send events to Sentinel.
Answer: D

AMA is the current agent for collecting logs to Azure Monitor / Sentinel.

Why this answer

The Azure Monitor Agent (AMA) is the recommended agent for collecting logs from Windows and Linux servers into Azure Monitor and Sentinel, so Option D is correct. Option A is wrong because the Log Analytics agent is legacy and being deprecated. Option B is wrong because Microsoft Defender for Cloud is for cloud security posture, not log collection. Option C is wrong because Azure Arc is for managing servers outside Azure; the actual log collection still uses AMA.

11
MCQ (medium)

The exhibit shows a Conditional Access policy configuration in Microsoft Entra ID. The policy is intended to require MFA and compliant device for all users accessing all applications from trusted locations. However, users are reporting that they are being prompted for MFA even when accessing from the office (which is a trusted location). What is the most likely issue?

A. The policy should target specific applications instead of 'All applications'.
B. The grant controls should be 'Require MFA' only, not 'Require compliant device'.
C. The policy should exclude the 'All Users' group and instead assign specific users.
D. The location condition should include 'All untrusted locations' and exclude 'All trusted locations'.
Answer: D

The policy currently applies to trusted locations, but it should apply to untrusted locations to require MFA only when not trusted.

Why this answer

In the exhibit, the location condition includes 'All trusted locations' and excludes 'All untrusted locations', so the policy applies only to sign-ins from trusted locations. Because the grant controls require MFA and a compliant device, every user signing in from the office (a trusted location) is prompted for MFA. The intent is to require MFA only from untrusted locations, so the location condition is inverted: it should include 'All untrusted locations' and exclude 'All trusted locations'. Option D is correct.

Option B is wrong because the grant controls are correct. Option A is wrong because the policy is meant to apply to all applications. Option C is wrong because the user assignments are fine.

12
MCQ (medium)

You are managing a Microsoft Sentinel environment. You need to ensure that only security analysts with specific roles can modify automation rules. The solution must use least privilege. What should you do?

A. Use Azure Policy to restrict access to automation rules.
B. Assign the 'Microsoft Sentinel Contributor' role to all security analysts.
C. Assign the 'Microsoft Sentinel Reader' role to the analysts and grant them 'Automation' permissions via a separate policy.
D. Create a custom role with 'Microsoft Sentinel Automation Contributor' permission and assign it to the analysts.
Answer: D

This custom role provides least privilege for automation rule management.

Why this answer

Option B is correct because the Microsoft Sentinel Contributor role includes permissions to modify automation rules. Option A gives full access to all Sentinel resources. Option C is for read-only access.

Option D is for Log Analytics, not Sentinel.

13
MCQ (medium)

You have deployed Microsoft Defender for Endpoint and integrated it with Microsoft Sentinel. You notice that alerts from Defender for Endpoint are not appearing in Sentinel. What should you check first?

A. Verify that the Microsoft 365 Defender connector in Sentinel is enabled and configured.
B. Confirm that Defender for Endpoint is licensed for all users.
C. Check that the alert severity is not being filtered out by analytics rules.
D. Ensure that all devices are onboarded to Defender for Endpoint.
Answer: A

The connector must be enabled to receive alerts.

Why this answer

The Microsoft 365 Defender connector in Microsoft Sentinel is the specific data connector responsible for ingesting alerts from Microsoft Defender for Endpoint (and other Defender products). If this connector is not enabled or misconfigured, alerts will not flow into Sentinel regardless of licensing, device onboarding, or analytics rules. This is the first and most direct check because the connector acts as the ingestion pipeline.

Exam trap

The trap here is that candidates often jump to troubleshooting device onboarding or licensing, forgetting that the Sentinel connector is the explicit integration point that must be verified first.

How to eliminate wrong answers

Option B is wrong because licensing for Defender for Endpoint is a prerequisite for generating alerts, but it does not control the data ingestion pipeline into Sentinel; even with full licensing, alerts will not appear if the connector is disabled. Option C is wrong because analytics rules in Sentinel process events that have already been ingested; if alerts are not arriving, filtering by severity is irrelevant. Option D is wrong because device onboarding is necessary for Defender for Endpoint to generate alerts, but it does not affect the Sentinel connector's ability to receive those alerts; onboarded devices with alerts still require the connector to be enabled.

14
Multi-Select (easy)

Which TWO actions can a Microsoft Sentinel automation rule perform when an incident is created?

Select 2 answers
A. Create a new analytics rule
B. Query Log Analytics workspaces
C. Run a playbook
D. Change the incident severity
E. Ingest data from a new source
Answers: C, D

Correct. Automation rules can trigger playbooks.

Why this answer

Microsoft Sentinel automation rules can trigger actions when an incident is created, including running a playbook (Option C) and changing the incident severity (Option D). Playbooks are automated workflows based on Azure Logic Apps that can perform complex response actions, while severity changes allow dynamic triage based on incident properties.

Exam trap

The trap here is that candidates may confuse automation rule actions with analytics rule capabilities, incorrectly assuming automation rules can create rules or query workspaces directly, when in fact those are separate functions within Sentinel.

15
MCQ (medium)

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You notice that a large number of log entries from Defender for Cloud Apps are being dropped at ingestion due to 'malformed data' errors. The data connector shows a healthy status. What is the most likely cause?

A. The log type is not supported by Sentinel.
B. The Log Analytics workspace key has expired.
C. The data volume exceeds the workspace's ingestion capacity, causing data truncation.
D. The Defender for Cloud Apps connector is blocked by a firewall.
Answer: C

Throttling can cause partial logs that are malformed.

Why this answer

Option C is correct because excessive data volume can cause throttling or truncation, leading to malformed data errors even if the connector appears healthy. Option B is wrong because an expired workspace key would cause authentication failures, not malformed data. Option D is wrong because a firewall block would prevent connectivity entirely. Option A is wrong because unsupported log types would result in schema errors, not malformed data.

16
MCQ (easy)

Your organization uses Microsoft Defender for Cloud to manage security posture. You need to assign a custom initiative to a specific management group to track compliance. Which two components must you create?

A. An Azure Blueprint and a role assignment.
B. A policy definition and an initiative definition.
C. An Azure RBAC role and a Log Analytics workspace.
D. An Azure Monitor workbook and an alert rule.
Answer: B

Custom initiatives require policy definitions and an initiative definition to group them.

Why this answer

To track compliance for a custom initiative in Microsoft Defender for Cloud, you must first create a custom policy definition that specifies the rules or effects to enforce. Then, you must create an initiative definition (a group of policy definitions) that can be assigned to a management group. This assignment enables Defender for Cloud to evaluate resources against the custom initiative and report compliance.

Exam trap

The trap here is that candidates confuse Azure Blueprints (which also group resources) with policy initiatives, or they think a Log Analytics workspace is required to store compliance data, when in fact compliance data is stored and reported by Defender for Cloud itself without needing a separate workspace.

How to eliminate wrong answers

Option A is wrong because Azure Blueprints are used for deploying repeatable environments and templates, not for creating custom compliance initiatives in Defender for Cloud; role assignments control permissions, not policy definitions. Option C is wrong because Azure RBAC roles manage access control, and Log Analytics workspaces store monitoring data, but neither component defines the compliance rules required for a custom initiative. Option D is wrong because Azure Monitor workbooks and alert rules are for visualizing and responding to telemetry, not for defining or assigning compliance policies.

17
MCQ (medium)

Your security operations team receives an alert from Microsoft Sentinel about a suspicious sign-in from an unfamiliar IP address. You need to investigate the alert by correlating it with user activity and device information. Which data sources should you query first?

A. Microsoft Purview audit logs and Microsoft Intune device compliance
B. Microsoft 365 Defender alerts and Microsoft Sentinel incidents
C. Microsoft Entra ID sign-in logs and Microsoft Defender for Endpoint device events
D. Azure Activity Logs and Azure Firewall logs
Answer: C

Entra ID sign-in logs provide user authentication details; Defender for Endpoint provides device context.

Why this answer

Option C is correct because investigating a suspicious sign-in requires correlating the sign-in event with user activity and device context. Microsoft Entra ID sign-in logs provide the authentication details (IP address, timestamp, user), while Microsoft Defender for Endpoint device events supply device-level telemetry (processes, network connections, logged-on users). This combination directly enables the correlation needed to validate whether the sign-in was legitimate or malicious.

Exam trap

The trap here is that candidates often confuse aggregated alert sources (like Microsoft 365 Defender alerts) with raw telemetry sources (like sign-in logs and device events), leading them to pick Option B instead of the correct raw data sources needed for correlation.

How to eliminate wrong answers

Option A is wrong because Microsoft Purview audit logs focus on data governance and compliance events (e.g., file access, eDiscovery), not real-time sign-in or device activity; Intune device compliance checks device policy adherence but lacks the granular sign-in and process-level events needed for alert correlation. Option B is wrong because Microsoft 365 Defender alerts and Sentinel incidents are aggregated alert outputs, not raw data sources; querying them first would only re-consume the same alert without underlying telemetry for correlation. Option D is wrong because Azure Activity Logs track control-plane operations (e.g., resource creation) and Azure Firewall logs capture network traffic, neither of which provides user sign-in details or device process-level events required for this investigation.

18
Multi-Select (easy)

Which TWO of the following are valid data connectors in Microsoft Sentinel? (Select two.)

Select 2 answers
A. Windows Defender Firewall
B. Office 365
C. Microsoft Forms
D. Azure DevOps
E. Azure Activity
Answers: B, E

Office 365 is a standard data connector.

Why this answer

Options B and E are correct. The Office 365 connector and the Azure Activity connector are standard data connectors in Sentinel. Option A is wrong because Windows Defender Firewall is not a standard connector; firewall logs can be ingested via other connectors. Option D is wrong because Azure DevOps is not a standard Sentinel connector. Option C is wrong because Microsoft Forms is not a standard connector.

19
MCQ (hard)

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS applications. You discover that a user is downloading a large number of files from SharePoint Online to an unmanaged device. You need to automatically block the download and require the user to acknowledge a policy violation. Which action should you configure in a session policy?

A. Set the action to 'Monitor only'.
B. Set the action to 'Redirect to Microsoft Entra ID conditional access'.
C. Set the action to 'Block' and enable 'Notify user' with a customized message.
D. Set the action to 'Block' and enable 'Custom block message'.
Answer: C

Correct. Block stops the download and Notify user sends a message to acknowledge.

Why this answer

Option C is correct because a session policy in Microsoft Defender for Cloud Apps can enforce real-time controls on SaaS app traffic. Setting the action to 'Block' stops the download immediately, and enabling 'Notify user' with a customized message both blocks the action and requires the user to acknowledge the policy violation, satisfying the requirement to automatically block and obtain acknowledgment.

Exam trap

The trap here is that candidates confuse 'Custom block message' (a static notification) with 'Notify user' (which includes an interactive acknowledgment), leading them to select Option D instead of the correct Option C.

How to eliminate wrong answers

Option A is wrong because 'Monitor only' only logs the activity without blocking it, failing to meet the requirement to automatically block the download. Option B is wrong because 'Redirect to Microsoft Entra ID conditional access' redirects the session for additional authentication or device compliance checks but does not block the download or require acknowledgment of a policy violation. Option D is wrong because 'Block' with 'Custom block message' blocks the download but does not require the user to acknowledge the violation; it simply displays a message without an interactive acknowledgment step.

20
MCQ (hard)

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule is enabled but never runs. The playbook exists and is in the same resource group. What is the most likely cause?

A. The condition uses 'Contains' operator, but 'AlertProvider' requires 'Equals'.
B. The automation rule is in a 'Disabled' state.
C. The trigger type is incorrect; it should be 'Microsoft.SecurityInsights/Alert'.
D. The playbookId is missing the subscription ID.
Answer: C

Automation rules for alerts use 'Alert' trigger, not 'AlertRule'.

Why this answer

Option C is correct because the exhibit shows the trigger type set to 'Microsoft.SecurityInsights/Incident', but the playbook is designed to run on alerts, not incidents. Automation rules in Microsoft Sentinel require the trigger type to match the data type the playbook expects; for alert-triggered playbooks, the trigger must be 'Microsoft.SecurityInsights/Alert'. Since the rule is enabled and the playbook exists in the same resource group, the mismatch in trigger type is the most likely reason the rule never runs.

Exam trap

The trap here is that candidates assume any enabled automation rule with a valid playbook will run, overlooking the critical requirement that the trigger type must exactly match the playbook's intended data source (alert vs. incident).

How to eliminate wrong answers

Option A is wrong because the 'Contains' operator is valid for string conditions in automation rules; 'AlertProvider' does not require 'Equals' exclusively. Option B is wrong because the question explicitly states the rule is enabled, so a 'Disabled' state cannot be the cause. Option D is wrong because the playbookId in an automation rule does not require the subscription ID to be included; the resource ID format is sufficient as long as the playbook is in the same resource group.

21
MCQhard

Your organization uses Microsoft Defender for Cloud to assess security posture. You need to ensure that any new Azure subscription automatically has Microsoft Defender for Cloud enabled with the 'Defender for Cloud (CSPM)' plan active. What should you do?

A.Create an automation account that runs a PowerShell script daily to check and enable Defender for Cloud.
B.Configure Azure Arc to enforce the plan on new subscriptions.
C.Assign a built-in Azure Policy initiative that deploys Microsoft Defender for Cloud configuration to subscriptions.
D.Use Microsoft Sentinel's 'Subscription Migration' playbook.
AnswerC

Azure Policy can auto-deploy and configure Defender for Cloud on new subscriptions.

Why this answer

Option C is correct because Azure Policy can be used to enforce that Defender for Cloud is enabled on subscriptions. Specifically, there is a built-in policy 'Configure Azure Defender to be enabled on SQL Servers', but for general CSPM you need a custom or built-in 'Deploy Microsoft Defender for Cloud configuration' initiative. Option A is manual.

Option D is for onboarding to Sentinel. Option B is for Azure Arc, not subscriptions.

22
MCQhard

You are configuring an automated investigation and response (AIR) playbook in Microsoft Sentinel. The playbook should automatically block a user in Microsoft Entra ID when a high-severity incident is created. Which action should you include in the playbook?

A.Use the 'Block user' action from the Microsoft Entra ID connector in Azure Logic Apps.
B.Call the Microsoft Graph API to update the user's accountEnabled property to false.
C.Add a 'Block IP' action from the Azure Firewall connector.
D.Add a 'Change incident status' action to close the incident.
AnswerB

Graph API can disable accounts.

Why this answer

Option B is correct because the 'Block user' action is not available in the Microsoft Entra ID connector for Azure Logic Apps; instead, you must call the Microsoft Graph API to update the user's `accountEnabled` property to `false`. This directly disables the user account in Microsoft Entra ID, effectively blocking their access. The playbook in Microsoft Sentinel uses Azure Logic Apps, and the Graph API is the appropriate method to perform this action programmatically.

Exam trap

The trap here is that candidates assume a 'Block user' action exists in the Microsoft Entra ID connector, but Microsoft Sentinel playbooks rely on Logic Apps connectors, which lack that specific action, forcing the use of the Graph API instead.

How to eliminate wrong answers

Option A is wrong because the Microsoft Entra ID connector in Azure Logic Apps does not include a 'Block user' action; it only supports actions like 'Get user' or 'Update user', and blocking requires a Graph API call. Option C is wrong because a 'Block IP' action from the Azure Firewall connector blocks network traffic from an IP address, not a user account in Microsoft Entra ID, which is irrelevant for blocking a user identity. Option D is wrong because changing the incident status to closed does not perform any blocking action; it only updates the incident's lifecycle in Microsoft Sentinel, leaving the user unblocked.

23
Multi-Selecthard

Which TWO permissions are required to create and manage automation rules in Microsoft Sentinel?

Select 2 answers
A.Microsoft Sentinel Reader
B.Microsoft Sentinel Automation Contributor
C.Microsoft Sentinel Responder
D.Log Analytics Contributor
E.Microsoft Sentinel Contributor
AnswersB, E

Specifically for automation rules.

Why this answer

Microsoft Sentinel Contributor and Microsoft Sentinel Automation Contributor both allow managing automation rules. Sentinel Reader is read-only, Sentinel Responder does not include automation rule management, and Log Analytics Contributor is not sufficient alone.

24
Multi-Selectmedium

Which THREE components are part of the Microsoft Sentinel SOAR capabilities? (Select THREE.)

Select 3 answers
A.Connectors
B.Workbooks
C.Playbooks
D.Analytics rules
E.Automation rules
AnswersA, C, E

Connectors enable integration with external systems for playbooks.

Why this answer

Options A, C, and E are correct because Automation rules, Playbooks, and Connectors are core SOAR components. Option B is wrong because Workbooks are for visualization. Option D is wrong because Analytics rules are for detection.

25
MCQeasy

You are a security analyst at a company that uses Microsoft 365 Defender. You receive an automated email indicating that a user has been flagged for possible credential theft. The email includes a link to investigate the alert in the Microsoft 365 Defender portal. Which role is responsible for sending this email?

A.A mail flow rule in Exchange Online configured to forward alerts.
B.Microsoft 365 Defender email notification settings.
C.Microsoft Defender for Cloud Apps notification settings.
D.A Microsoft Sentinel analytics rule configured to send email notifications.
AnswerB

Microsoft 365 Defender can send email alerts for incidents and alerts.

Why this answer

The automated email alerting a user about possible credential theft is sent by Microsoft 365 Defender's built-in email notification settings. These settings allow security teams to configure notifications for specific alert severities or categories, such as credential theft, directly from the Microsoft 365 Defender portal. The email includes a link to investigate the alert, which aligns with the notification functionality within Microsoft 365 Defender.

Exam trap

The trap here is that candidates may confuse the source of the alert (Microsoft 365 Defender) with other Microsoft security tools like Microsoft Defender for Cloud Apps or Microsoft Sentinel, which have their own notification settings but are not responsible for this specific credential theft alert.

How to eliminate wrong answers

Option A is wrong because a mail flow rule in Exchange Online is used to route, filter, or modify email messages based on conditions like sender or content, not to generate security alerts from Microsoft 365 Defender. Option C is wrong because Microsoft Defender for Cloud Apps notification settings are specific to cloud app security alerts, such as anomalous activity in SaaS apps, not credential theft alerts from Microsoft 365 Defender. Option D is wrong because a Microsoft Sentinel analytics rule can send email notifications, but Sentinel is a separate SIEM tool; the question explicitly states the alert originates from Microsoft 365 Defender, not Sentinel.

26
MCQmedium

Your organization is using Microsoft Sentinel and has deployed the Microsoft Entra ID (Azure AD) connector. You need to create an analytics rule that triggers an incident when a user from a specific IP address is assigned the Global Administrator role. The IP address is not in your trusted IP list. Which KQL query should you use as the rule logic?

A.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress == '10.0.0.1'
B.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress !in (dynamic(['10.0.0.1', '10.0.0.2']))
C.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress !has '10.0.'
D.AuditLogs | where ActivityDisplayName == 'Add member to role' and TargetResources[0].displayName == 'Global Administrator' and InitiatedBy.app.ipAddress !in ('trusted IP list')
AnswerB

Correctly filters for Global Administrator role assignment and excludes trusted IPs using dynamic array.

Why this answer

Option B is correct because it filters AuditLogs for 'Add member to role' activity for the Global Administrator role and checks that the IP address is not in the trusted IP list. The other options have incorrect logic or syntax.
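As an added example (not one of the options above and not a query from the page), the detection below builds the same rule logic out to a form you could paste into a scheduled analytics rule. The trusted addresses are constructed placeholders from the RFC 5737 documentation range, and the watchlist name in the commented alternative is an assumption. It reads the role name from `TargetResources[].modifiedProperties` and the initiator IP from `InitiatedBy.user` / `InitiatedBy.app`, which is how the AuditLogs table populates these fields for role assignments in my experience; treat those schema details as my assumption and verify them against your own data.

```kql
// Added example, not the page's own query: alert when an account is added to the
// Global Administrator role from an IP address that is not on the trusted list.
let TrustedIPs = dynamic(["203.0.113.10", "203.0.113.11"]);   // constructed placeholders
// Alternative (assumes a watchlist named 'TrustedIPs' with an 'IPAddress' column):
// let TrustedIPs = _GetWatchlist('TrustedIPs') | project IPAddress;
AuditLogs
| where Category =~ "RoleManagement"
| where ActivityDisplayName has "Add member to role"
// The role name is carried in the target user's modifiedProperties, not in displayName
| mv-apply Target = TargetResources on (
    where Target.type =~ "User"
    | extend TargetUPN = tostring(Target.userPrincipalName), Props = Target.modifiedProperties
  )
| mv-apply Prop = Props on (
    where Prop.displayName =~ "Role.DisplayName"
    | extend RoleName = trim('"', tostring(Prop.newValue))
  )
| where RoleName =~ "Global Administrator"
// Interactive actions populate InitiatedBy.user; service principals populate InitiatedBy.app
| extend InitiatorIP = coalesce(tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress)),
         Initiator   = coalesce(tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| where isnotempty(InitiatorIP) and InitiatorIP !in (TrustedIPs)
| project TimeGenerated, Initiator, InitiatorIP, TargetUPN, RoleName, CorrelationId
```

Map `Initiator` and `TargetUPN` to the Account entity and `InitiatorIP` to the IP entity in the rule's entity mapping so the investigation graph from question 1 can pivot on them. Keeping the trusted list in a watchlist rather than a `dynamic` literal lets the SOC update it without editing and re-validating the rule.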

27
Multi-Selecteasy

Your organization uses Microsoft Sentinel as the primary SIEM. The SOC team reports that many low-severity incidents are overwhelming the queue. You need to reduce noise while ensuring that high-severity incidents are not missed. Which two actions should you take? (Choose two.)

Select 2 answers
A.Increase the data retention period for low-severity alerts.
B.Adjust the analytics rule settings to only create incidents for alerts with a severity of Medium or higher.
C.Use playbooks to manually review each low-severity incident.
D.Create additional analytics rules to better differentiate between true and false positives.
E.Configure automation rules to automatically close incidents with specific low-severity alert types.
AnswersB, E

This prevents low-severity alerts from becoming incidents.

Why this answer

Option E helps automatically close low-severity incidents that are false positives. Option B sets a severity threshold for alerts to be created as incidents. Option D is incorrect because creating more analytics rules would increase noise.

Option A is incorrect because increasing retention does not reduce noise. Option C is incorrect because playbooks do not suppress incidents.

28
Multi-Selecteasy

Which TWO data sources are natively supported by Microsoft Sentinel for ingesting security events? (Choose two.)

Select 2 answers
A.Salesforce audit logs
B.GitHub audit logs
C.Google Cloud Platform (GCP) logs
D.Windows Security Events
E.Azure Activity Logs
AnswersD, E

Native connector via Log Analytics agent.

Why this answer

Windows Security Events are natively supported by Microsoft Sentinel via the Windows Security Events via AMA connector or the legacy Log Analytics agent. This connector ingests security event logs (e.g., Event ID 4625 for failed logons) directly into Sentinel without requiring a third-party parser or custom data connector. Azure Activity Logs are also natively supported through the Azure Activity connector, which streams subscription-level operational events (e.g., resource creation, policy changes) into Sentinel at no additional cost.

Exam trap

The trap here is that candidates often confuse 'natively supported' with 'available via a connector in the content hub,' but Microsoft Sentinel defines native support as built-in data connectors that require no additional custom code or third-party services, excluding connectors that rely on Azure Functions or partner solutions.

29
MCQmedium

Your team uses Microsoft Sentinel to investigate incidents. You need to create a custom analytic rule that triggers an incident when a user signs in from an unfamiliar location. What is the most efficient way to achieve this?

A.Create a playbook triggered by Microsoft Entra ID alerts.
B.Write a custom KQL query using SigninLogs.
C.Configure a Microsoft Purview insider risk policy.
D.Use a built-in Anomalous Sign-in Location rule template.
AnswerD

This template uses UEBA to detect anomalous sign-ins without custom KQL.

Why this answer

Option D is correct because Microsoft Sentinel provides a built-in 'Anomalous Sign-in Location' rule template that leverages Microsoft Entra ID Identity Protection data to detect sign-ins from unfamiliar locations. This template is pre-configured with the necessary KQL logic and alerting, making it the most efficient method without requiring custom development or additional data sources.

Exam trap

The trap here is that candidates may assume a custom KQL query (Option B) is the most flexible and efficient approach, overlooking that Sentinel's built-in templates are pre-optimized and require no manual logic for defining 'unfamiliar' locations.

How to eliminate wrong answers

Option A is wrong because playbooks are automated response actions (e.g., sending emails or blocking users) triggered by alerts, not the mechanism to create detection rules for unfamiliar location sign-ins. Option B is wrong because while a custom KQL query using SigninLogs could detect unfamiliar locations, it requires manual logic to define 'unfamiliar' (e.g., comparing against historical geolocation data) and is less efficient than using the built-in template. Option C is wrong because Microsoft Purview insider risk policies focus on detecting risky user activities like data exfiltration or policy violations, not sign-in location anomalies.

30
MCQhard

You manage a Microsoft Sentinel workspace that ingests logs from multiple sources. You notice that the workspace is approaching its daily ingestion quota, and some data sources are being dropped. You need to ensure that security-related logs are prioritized and that non-critical logs are not ingested. What should you configure?

A.Create analytic rules with entity mapping to prioritize alerts
B.Use data collection rules (DCRs) to filter log ingestion
C.Set a daily cap on the Log Analytics workspace
D.Configure diagnostic settings to exclude certain logs
AnswerB

DCRs allow granular filtering and transformation before ingestion.

Why this answer

Data collection rules (DCRs) allow you to define transformations that filter logs before they are ingested into a Log Analytics workspace. By configuring a DCR with a KQL-based transformation, you can drop non-critical logs while ensuring security-related logs are always ingested, preventing them from being dropped when the daily quota is approached.

Exam trap

The trap here is that candidates often confuse data collection rules (which filter at ingestion) with diagnostic settings (which control log routing) or daily caps (which stop all ingestion), failing to recognize that DCRs provide the granular control needed to prioritize specific log types.

How to eliminate wrong answers

Option A is wrong because analytic rules with entity mapping are used to generate alerts and correlate events, not to control which logs are ingested or to prioritize ingestion. Option C is wrong because setting a daily cap on the Log Analytics workspace stops all ingestion when the cap is reached, including security logs, which does not prioritize critical data. Option D is wrong because diagnostic settings control which logs are sent from Azure resources to destinations like Log Analytics, but they do not provide granular filtering or prioritization within a single workspace; they either include or exclude entire log categories.
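As an added illustration of the DCR approach (my own example, not configuration from the page), the expression below is the kind of KQL that goes into a data collection rule's `transformKql` property for the Windows Security Events stream. In a transformation the incoming rows are always referenced as `source`; the event IDs kept and the column dropped are my own choices to illustrate "keep the security-relevant rows, shed the bulk", not a recommended baseline.

```kql
// Added example, not from the page: a DCR ingestion-time transformation for SecurityEvent.
// `source` is the incoming stream; rows that do not pass the filter are never ingested
// and therefore never count against the daily cap.
source
// Keep logon, process, privilege and account-lifecycle events that analytics rules depend on
| where EventID in (
    4624, 4625, 4648,          // logon success / failure / explicit credentials
    4672,                      // special privileges assigned to new logon
    4688,                      // process creation
    4720, 4722, 4724, 4726,    // account created / enabled / password reset / deleted
    4728, 4732, 4756,          // member added to global / local / universal group
    4740,                      // account locked out
    7045)                      // new service installed
// Drop the raw XML payload, which is the bulk of each row and is rarely queried directly
| project-away EventData
```

Before shipping a transformation like this, check every scheduled rule and workbook in the workspace for event IDs or columns it reads; a filter that is too aggressive turns a cost control into a detection gap, which is the failure mode the question's daily-cap scenario already describes. Transformations support only a subset of KQL (no `join` or cross-table lookups), so enrichment still belongs in the analytics rule, not in the DCR.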

31
MCQhard

You are reviewing an analytics rule in Microsoft Sentinel. The rule is supposed to alert when a Confidential sensitivity label file is accessed. However, no alerts have been generated despite known accesses. What is the most likely reason?

A.The suppression duration is set to 5 hours, which suppresses alerts.
B.The required data connector for Microsoft Purview Information Protection is not connected.
C.The query frequency and period are too short to capture the events.
D.The trigger condition is set to 'GreaterThan' 0, which should fire on any event.
AnswerB

The SensitivityLabelEvent table requires the Microsoft Purview Information Protection connector to be enabled in Sentinel.

Why this answer

Microsoft Sentinel relies on data connectors to ingest logs from external sources. For alerts based on sensitivity labels (e.g., Confidential), the required data source is Microsoft Purview Information Protection (formerly Azure Information Protection). If this connector is not connected, Sentinel has no way to receive the label-related events, so no alerts can be generated regardless of the rule logic.

Exam trap

Microsoft often tests the misconception that a rule's logic or scheduling is the root cause, when in fact the underlying data source is missing or misconfigured — candidates overlook the prerequisite of having the correct data connector enabled.

How to eliminate wrong answers

Option A is wrong because suppression duration only temporarily hides alerts after a match is triggered; it does not prevent the rule from firing in the first place. Option C is wrong because query frequency and period affect how often the rule runs and how far back it looks, but if the events are never ingested, no query will find them. Option D is wrong because 'GreaterThan' 0 is a correct trigger condition that would fire on any positive match; the issue is that no matches exist due to missing data.

32
MCQeasy

Your team uses Microsoft Sentinel workbooks to visualize security data. You want to allow team members to customize a workbook without affecting the original. What should you do?

A.Edit the original workbook to add personalization
B.Assign the team the Microsoft Sentinel Reader role
C.Create a copy of the workbook and save it as a custom workbook
D.Share the workbook directly with the team
AnswerC

Each user can then modify their copy.

Why this answer

Option C is correct because creating a copy of the workbook and saving it as a custom workbook allows team members to modify their own version without altering the original. In Microsoft Sentinel, workbooks are based on Azure Monitor Workbooks, and saving a copy creates an independent resource with its own settings and queries. This preserves the original workbook for reference or reuse while enabling customization.

Exam trap

The trap here is that candidates may confuse the Microsoft Sentinel Reader role with the ability to customize workbooks, not realizing that Reader only allows viewing, not editing or saving copies, which requires at least Contributor permissions on the workbook resource.

How to eliminate wrong answers

Option A is wrong because editing the original workbook directly would modify the shared resource, affecting all users who access it, which contradicts the requirement to avoid impacting the original. Option B is wrong because the Microsoft Sentinel Reader role grants read-only access to Sentinel resources, including workbooks, but does not allow any customization or saving of copies. Option D is wrong because sharing the workbook directly with the team provides only read access by default; users cannot customize or save changes unless they have contributor permissions on the workbook resource, which still modifies the original.

33
Multi-Selectmedium

Which TWO actions are valid methods to ingest non-Microsoft security logs into Microsoft Sentinel?

Select 2 answers
A.Use Azure Policy to automatically enable diagnostics settings.
B.Configure Syslog forwarding to the Sentinel workspace.
C.Configure the Microsoft 365 Defender data connector.
D.Use Microsoft Intune to push a custom log collector.
E.Deploy the Log Analytics agent on the source device.
AnswersB, E

Syslog is a common protocol for forwarding logs from network devices.

Why this answer

Option B is correct because Syslog is a standard protocol for logging from network devices and other non-Microsoft sources. By configuring Syslog forwarding to a Log Analytics agent (or the new Azure Monitor Agent) running on a Linux machine, logs can be collected and ingested into the Microsoft Sentinel workspace. Option E is correct because the Log Analytics agent (or its successor, the Azure Monitor Agent) can be installed directly on a non-Microsoft device to collect custom logs, performance data, and event logs, which are then sent to the Sentinel workspace.

Exam trap

The trap here is that candidates often confuse Azure Policy (which only applies to Azure resources) with a general-purpose log collection tool, or they mistakenly think Microsoft 365 Defender connectors can ingest non-Microsoft logs.

34
Multi-Selecteasy

You are a security analyst at a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects failed logon attempts from multiple IP addresses within 5 minutes. Which two KQL operators should you use?

Select 2 answers
A.where
B.project
C.bin
D.join
E.summarize
AnswersC, E

Correct: bin creates time windows.

Why this answer

Option E is correct because summarize with count and dcount helps aggregate. Option C is correct because the bin function is used for time windows. Option A is incorrect because where filters rows.

Option B is incorrect because project selects columns. Option D is incorrect because join combines tables.
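The rule described in this question, written out as an added example (not a query from the page). It uses Windows Event ID 4625 from the SecurityEvent table, mentioned under question 28; the window size and the distinct-IP threshold are my own constructed values.

```kql
// Added example, not the page's own query: one account failing logons from several
// source IP addresses within a 5-minute window (password spraying / credential stuffing).
let Window = 5m;            // constructed: size of each time bucket
let MinDistinctIPs = 3;     // constructed: how many distinct sources count as suspicious
SecurityEvent
| where EventID == 4625
// Ignore rows with no usable source address (local or unknown origin)
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| summarize
    Attempts    = count(),
    DistinctIPs = dcount(IpAddress),
    SourceIPs   = make_set(IpAddress, 20),   // keep up to 20 addresses for the analyst
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by TargetUserName, TargetDomainName, Computer, bin(TimeGenerated, Window)
| where DistinctIPs >= MinDistinctIPs
| project-rename WindowStart = TimeGenerated
| order by DistinctIPs desc, Attempts desc
```

`bin()` produces fixed buckets, so a burst that straddles a bucket boundary can be split across two rows and fall under the threshold; set the rule's query period to a multiple of the window and keep the threshold modest to limit that blind spot. Map `TargetUserName` to the Account entity and the `SourceIPs` set to IP entities so the resulting incident carries the pivots the analyst needs.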

35
MCQhard

A security analyst receives a high-severity incident in Microsoft Sentinel for a user who is suspected of lateral movement. The analyst wants to automatically run a playbook that isolates the user's machine and disables their account when such an incident is created. What is the most efficient way to achieve this?

A.Configure a Logic Apps trigger to poll for new incidents every minute
B.Train analysts to manually run the playbook when they see the incident
C.Create an analytics rule that runs a playbook as part of its alert generation
D.Create an automation rule that triggers the playbook when the incident is created
AnswerD

Automation rules are designed to run playbooks automatically based on incident creation or update.

Why this answer

Option D is correct because it uses an automation rule to trigger the playbook on incident creation, which is the recommended approach. Option A adds unnecessary latency. Option B is manual and not automated. Option C does not trigger on incident creation.

36
MCQmedium

Refer to the exhibit. A SOC analyst runs the KQL query in Microsoft Sentinel to identify the top 10 alert names by count. They notice the results include alerts with low severity that are not relevant. What should they add to the query to focus on high-severity alerts only?

A.Add 'order by Severity' to the query.
B.Add 'where Severity == "High"' after the summarize clause.
C.Change the time range to last 24 hours.
D.Add 'where Severity == "High"' before the summarize clause.
AnswerD

Filters before aggregation.

Why this answer

Adding a filter on the Severity column with 'where Severity == "High"' will restrict results to high-severity alerts. Option B is wrong because filtering after summarize would not reduce the data processed. Option C is wrong because changing the time range doesn't filter severity.

Option A is wrong because sorting differently doesn't filter.

37
MCQhard

Your organization is implementing Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. The SOC team needs to investigate incidents across all tenants from a single interface. Which configuration is required?

A.Use Azure AD B2B to grant users from other tenants access to the workspace.
B.Create a single workspace and have all tenants send logs to it.
C.Assign custom roles in each tenant's Sentinel workspace.
D.Onboard multiple workspaces to Azure Lighthouse and use a central workspace for investigation.
AnswerD

Azure Lighthouse delegates resources across tenants, enabling centralized management in Sentinel.

Why this answer

Option D is correct because Azure Lighthouse enables cross-tenant management by allowing the SOC team to delegate access to multiple Sentinel workspaces from a single control plane. This configuration lets investigators view and manage incidents across all tenants without needing separate sign-ins or duplicating data, which is essential for a multi-tenant SOC environment.

Exam trap

The trap here is that candidates often confuse Azure AD B2B (external user access) with Azure Lighthouse (delegated resource management), assuming that granting external identities access to a single workspace is sufficient for multi-tenant incident investigation, when in fact Lighthouse is required to project multiple workspaces into a single management plane.

How to eliminate wrong answers

Option A is wrong because Azure AD B2B provides external user access to a single tenant's resources but does not aggregate incidents from multiple tenants into one interface; each tenant would still require separate workspace access. Option B is wrong because sending logs from all tenants to a single workspace violates data residency and isolation requirements, and Microsoft Sentinel does not support ingesting logs from external tenants into a workspace without proper delegation. Option C is wrong because assigning custom roles in each tenant's Sentinel workspace still requires the SOC team to switch between tenants to investigate incidents, failing to provide a unified investigation interface.

38
MCQhard

You have a Microsoft Sentinel workspace that uses Customer-Managed Keys (CMK). A security audit requires that all data at rest be encrypted with the CMK. You recently onboarded a new data connector that sends logs to a Log Analytics workspace in a different region. You need to ensure the new workspace uses CMK. What should you do?

A.Associate the new Log Analytics workspace with an Azure Key Vault containing the CMK before ingesting data.
B.Update the data connector settings to enable CMK at the source.
C.Use Azure Policy to enforce CMK on the new workspace.
D.Configure CMK on the new workspace's tables individually.
AnswerA

CMK association must be done before data ingestion.

Why this answer

Option A is correct because CMK must be configured at the Log Analytics workspace level before ingestion. Option D is wrong because CMK is per workspace, not per table. Option B is wrong because the connector itself doesn't handle encryption.

Option C is wrong because CMK is set at workspace creation or later via Azure Policy.

39
Multi-Selecthard

Your organization uses Microsoft Sentinel and Microsoft Copilot for Security. You want to improve incident response efficiency. Which THREE features should you implement? (Choose three.)

Select 3 answers
A.Enable Microsoft Copilot for Security to assist with incident investigations.
B.Use watchlists to track known malicious IP addresses.
C.Configure workbooks to display real-time incident trends.
D.Develop playbooks to automate response actions for common threats.
E.Create automation rules to automatically assign and triage incidents based on severity.
AnswersA, D, E

Copilot can generate incident summaries and recommended actions.

Why this answer

Option A is correct because Microsoft Copilot for Security integrates directly with Microsoft Sentinel to provide AI-driven natural language assistance for incident investigations, enabling analysts to query data, summarize incidents, and generate KQL queries without manual scripting. This directly improves incident response efficiency by reducing investigation time and cognitive load.

Exam trap

The trap here is that candidates confuse passive features (watchlists, workbooks) with active response features (Copilot, automation rules, playbooks), leading them to select options that provide visibility rather than efficiency improvements in incident handling.

40
MCQmedium

Your organization uses Microsoft Sentinel with multiple workspaces for different business units. You need to provide a single-pane-of-glass view for incident management across all workspaces. You have deployed Azure Lighthouse to manage multiple workspaces from a single portal. The SOC team is able to see incidents from all workspaces, but when they try to investigate an incident by clicking on it, they receive a 'Resource not found' error. The team has the necessary permissions on the Sentinel resources. What is the most likely cause of this error?

A.The workspace is in a different Azure region.
B.The user does not have the 'Microsoft Sentinel Contributor' role on the subscription containing the workspace.
C.Cross-workspace queries are not enabled in Sentinel.
D.The incidents are generated by analytics rules that are not deployed in the user's workspace.
AnswerB

Lighthouse requires subscription-level role assignments for full access.

Why this answer

The 'Resource not found' error when clicking an incident in a cross-workspace view typically occurs because the user lacks the 'Microsoft Sentinel Contributor' role at the subscription level that contains the workspace. While Azure Lighthouse enables cross-workspace visibility, each workspace's Sentinel resources require the user to have the Contributor role on the subscription (or at least the resource group) to access incident details, not just the workspace itself. Without this role, the portal cannot resolve the resource path for the incident.

Exam trap

The trap here is that candidates assume Azure Lighthouse alone grants full access to all resources, but they overlook that Sentinel-specific RBAC roles must be assigned at the subscription scope, not just the workspace, for incident detail retrieval.

How to eliminate wrong answers

Option A is wrong because Azure regions do not affect resource access permissions; cross-region workspace views are fully supported with Azure Lighthouse. Option C is wrong because cross-workspace queries are a feature for running KQL queries across workspaces, not a prerequisite for viewing incident details from a Lighthouse-managed view. Option D is wrong because the incident's source analytics rule does not need to be deployed in the user's workspace; the incident exists in the workspace where it was created, and the error is about resource access, not rule deployment.

41
Multi-Selecteasy

Which TWO actions can you perform in the Microsoft Defender XDR unified alert queue? (Select TWO.)

Select 2 answers
A.Link the alert to an existing incident
B.Assign an alert to a SOC analyst
C.Create a hunting query from the alert details
D.Edit the analytics rule that generated the alert
E.Run a playbook to automatically remediate the alert
AnswersA, B

You can link alerts to incidents from the queue.

Why this answer

Options A and B are correct because the unified alert queue allows managing alerts (assign, change status) and linking them to related incidents. Option E is wrong because running a playbook is a Sentinel feature. Option D is wrong because editing analytics rules is done in the rules configuration.

Option C is wrong because creating hunting queries is done in Advanced hunting.

42
MCQeasy

You manage Microsoft Sentinel. You need to ensure that an automated response is triggered when a specific type of incident is created. The response should send an email to the on-call security engineer. What should you use?

A.Use a watchlist to map incident types to email addresses and configure a scheduled query.
B.Create an automation rule that runs a playbook when an incident is created.
C.Modify the analytics rule to include an email action in the rule settings.
D.Create a workbook that alerts via email when new incidents appear.
AnswerB

Automation rules can trigger playbooks on incident creation.

Why this answer

Option B is correct because automation rules in Microsoft Sentinel can trigger a playbook (an Azure Logic Apps workflow) when an incident is created. The playbook can include an action to send an email to the on-call security engineer, providing the automated response required by the scenario.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rule settings or workbooks, mistakenly thinking that email actions can be configured directly in the analytics rule or that workbooks can send alerts, when in fact only automation rules with playbooks provide the necessary automated response capability.

How to eliminate wrong answers

Option A is wrong because watchlists are used for correlation and enrichment of data in queries, not for triggering automated email responses; a scheduled query can generate alerts but does not directly send emails based on incident types. Option C is wrong because analytics rules do not have a built-in email action in their settings; they generate alerts or incidents, but email notifications must be handled by automation rules or playbooks. Option D is wrong because workbooks are visualization tools that do not send alerts via email; they display data but cannot trigger automated responses like email notifications.

43
MCQmedium

A security incident in Microsoft Sentinel has been classified as a true positive and remediated. According to your SOC playbook, the incident should be closed with a classification of 'True Positive' and a sub-classification of 'Confirmed activity'. What is the correct way to close the incident in Microsoft Sentinel?

A.In the Microsoft Sentinel incident, set Status to 'Closed', Classification to 'True Positive', and Sub-classification to 'Confirmed activity'.
B.Close the incident in Microsoft Defender XDR and let it sync to Microsoft Sentinel.
C.Change the incident status to 'Closed' without adding a classification.
D.Use the Microsoft Security Graph API to close the incident with the appropriate classification.
AnswerA

This matches the playbook requirements.

Why this answer

Option A is correct because closing the incident from the Microsoft Sentinel incident blade lets you set Status, Classification and Sub-classification together, which is exactly what the playbook requires. Option B is wrong because closing the incident in Microsoft Defender XDR may not carry the same classification options. Option C is wrong because changing the status to 'Closed' without adding a classification does not meet the playbook requirements.

Option D is wrong because closing through the API requires the correct classification parameters to be supplied explicitly and is not the direct method the playbook describes.

44
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails containing malware to quarantine before delivery. Which policy type should you use?

A.Anti-spam policy.
B.Antimalware policy.
C.Safe Attachments policy.
D.Anti-phishing policy.
AnswerB

Antimalware policies detect and quarantine malware in email.

Why this answer

Antimalware policies in Microsoft Defender for Office 365 are specifically designed to scan inbound and outbound email messages for malware (e.g., viruses, worms, trojans) and automatically quarantine detected threats before delivery. This policy type uses the built-in malware detection engine to inspect attachments and message bodies, ensuring malicious content is blocked at the transport layer.

Exam trap

The trap here is that candidates often confuse Safe Attachments (post-delivery sandboxing) with antimalware (pre-delivery quarantine), because both deal with malware, but only antimalware policies automatically quarantine before delivery.

How to eliminate wrong answers

Option A is wrong because anti-spam policies target unwanted bulk email (spam) and phishing attempts, not malware in attachments; they use SCL thresholds and allow/block lists, not malware scanning. Option C is wrong because Safe Attachments policies provide time-of-click protection by detonating attachments in a sandbox environment after delivery, not pre-delivery quarantine; they are a supplementary layer, not the primary pre-delivery malware quarantine mechanism. Option D is wrong because anti-phishing policies focus on impersonation detection (e.g., domain spoofing, user impersonation) and do not scan for malware payloads in attachments.

45
MCQhard

The exhibit shows a KQL query used in a Microsoft Sentinel analytics rule. The rule is intended to detect brute-force attacks by identifying IP addresses that have more than 10 failed sign-ins (result code 50057) followed by a successful sign-in (result code 0) within an hour. However, the rule is not triggering alerts even though you are confident such patterns exist. What is the most likely issue?

A.The threshold is too high.
B.The time window is too short to capture the pattern.
C.The query does not ensure the successful sign-in occurred after the failed attempts.
D.The query does not consider the same IP address across different users.
AnswerC

Without temporal ordering, the successful sign-in could have occurred before the failed attempts, which would not indicate a successful brute-force.

Why this answer

The query uses an inner join on both UserPrincipalName and IPAddress, so it only returns IP addresses that have both failed and successful sign-ins for the same user. That join does not enforce temporal order: a successful sign-in that happened before the failed attempts still satisfies the join condition, so the query never requires the actual brute-force sequence (failures, then success). The string comparison `ResultType == "0"` is not the problem in KQL, and a rule scheduled too infrequently could also miss the pattern, but among the options the most plausible cause is that the query does not ensure the successful sign-in occurred after the failed attempts.

Option C is correct. Option A is wrong because the threshold is already defined in the query. Option B is wrong because the time window is already defined.

Option D is wrong because the query does consider the same IP address: IPAddress is part of the join condition, so the same IP address across users is still matched.

46
Multi-Selecthard

Which THREE capabilities are provided by Microsoft Defender for Cloud's Cloud Security Posture Management (CSPM) plan? (Select THREE.)

Select 3 answers
A.Compliance dashboard that shows your posture against regulatory standards.
B.Continuous assessment of your cloud resources against security best practices.
C.Endpoint detection and response for on-premises machines.
D.Secure score calculation based on implemented security controls.
E.Integrated vulnerability assessment for virtual machines.
AnswersA, B, D

CSPM includes compliance monitoring.

Why this answer

Option A is correct because Microsoft Defender for Cloud's CSPM plan includes a compliance dashboard that continuously assesses your cloud resources against regulatory standards such as SOC 2, ISO 27001, and PCI DSS. This dashboard provides a real-time view of your compliance posture, mapping security controls to specific regulatory requirements and highlighting non-compliant resources.

Exam trap

The trap here is that candidates often confuse the CSPM plan's compliance and secure score capabilities with workload protection features like vulnerability assessment or EDR, which belong to separate Defender plans (e.g., Defender for Servers or Defender for Endpoint).

47
MCQmedium

Your organization has Microsoft Defender for Cloud Apps (MDA) connected to Microsoft Sentinel. The SOC team wants to receive alerts when a user accesses a sanctioned cloud app from an anonymous IP address. What should you configure?

A.Create a file policy in Defender for Cloud Apps.
B.Create an activity policy in Defender for Cloud Apps and connect it to Sentinel.
C.Enable the Defender for Cloud Apps connector in Sentinel without additional configuration.
D.Create a session policy in Defender for Cloud Apps.
AnswerB

Activity policies can detect specific behaviors like anonymous IP access and send alerts to Sentinel.

Why this answer

Option B is correct because an activity policy in Defender for Cloud Apps can be configured to trigger alerts on specific user activities, such as accessing a sanctioned app from an anonymous IP address. This policy can then be connected to Microsoft Sentinel via the Defender for Cloud Apps data connector, which ingests alerts as incidents for SOC review. File policies (A) focus on file-level actions like sharing or malware detection, not user access events, while session policies (D) control real-time access but do not generate alerts for historical or post-access monitoring.

Exam trap

The trap here is that candidates confuse file policies with activity policies, assuming any policy in Defender for Cloud Apps can detect access events, but only activity policies are designed to monitor user sign-in and access behaviors against IP-based conditions.

How to eliminate wrong answers

Option A is wrong because file policies monitor file-related activities (e.g., sharing, upload, download) and cannot detect user access events like logging into an app from an anonymous IP. Option C is wrong because simply enabling the Defender for Cloud Apps connector in Sentinel without additional configuration only ingests default alerts (e.g., from anomaly detection policies), not custom activity-based alerts for anonymous IP access. Option D is wrong because session policies are designed for real-time access control and monitoring during a user session (e.g., blocking downloads), not for generating alerts on access events that have already occurred.

48
MCQmedium

You are configuring automated responses in Microsoft Sentinel. You have created an automation rule that runs a playbook when an incident is created. The playbook performs actions in Microsoft Entra ID and Microsoft Defender for Cloud. However, the playbook fails with a permissions error. What should you do?

A.Assign the managed identity of the playbook the required roles in Microsoft Entra ID and Defender for Cloud.
B.Enable 'Allow playbooks to use managed identity' in the Sentinel settings.
C.Configure the Microsoft Entra ID connector in Sentinel with delegated permissions.
D.Grant the security analyst's account Contributor permissions on the automation rule.
AnswerA

The playbook's managed identity needs permissions to execute actions.

Why this answer

The playbook fails with a permissions error because it uses a managed identity to authenticate to Microsoft Entra ID and Microsoft Defender for Cloud, but that identity has not been granted the necessary Azure RBAC roles (e.g., Security Reader, Security Admin) on the target resources. Assigning the required roles to the managed identity directly resolves the authorization failure.

Exam trap

The trap here is that candidates often confuse enabling the managed identity feature (Option B) with actually assigning the necessary RBAC roles to that identity, assuming the setting alone grants permissions.

How to eliminate wrong answers

Option B is wrong because 'Allow playbooks to use managed identity' is a setting that enables the use of managed identities for authentication, but it does not grant the actual permissions needed to perform actions in Entra ID or Defender for Cloud; permissions must be assigned separately via RBAC. Option C is wrong because configuring the Microsoft Entra ID connector with delegated permissions is used for user-based authentication (OAuth 2.0 authorization code flow), not for a playbook’s managed identity; the playbook uses a system-assigned or user-assigned managed identity, not delegated permissions. Option D is wrong because granting the security analyst's account Contributor permissions on the automation rule does not affect the permissions of the playbook’s managed identity; the playbook runs under its own identity, not the analyst’s account.

49
MCQmedium

Your security team uses Microsoft Defender for Cloud to assess the security posture of Azure resources. You need to ensure that all virtual machines have endpoint protection enabled. Which policy initiative should you assign?

A.Enable encryption on Azure VMs
B.Deploy Microsoft Defender for Endpoint
C.Deploy Windows Defender Exploit Guard
D.Azure Security Benchmark
AnswerB

This initiative includes policies to enable endpoint protection on VMs.

Why this answer

Option B is correct because the 'Deploy Microsoft Defender for Endpoint' policy initiative includes policies to install and configure endpoint protection on VMs. Option A is wrong because it addresses VM encryption, not endpoint protection. Option C is wrong because Windows Defender Exploit Guard is a host-hardening feature, not an endpoint protection deployment.

Option D is wrong because Azure Security Benchmark is a broad security configuration baseline, not an initiative that deploys endpoint protection.

50
MCQmedium

Your organization is using Microsoft Sentinel and you are responsible for managing the security operations environment. You need to ensure that a new security analyst can triage incidents but cannot modify analytics rules. Which role should you assign?

A.Microsoft Sentinel Responder
B.Microsoft Sentinel Reader
C.Microsoft Sentinel Contributor
D.Microsoft Sentinel Contributor with a custom role denying rule modification
AnswerA

Responder can triage incidents but not modify rules.

Why this answer

The Microsoft Sentinel Responder role allows triaging of incidents (changing status, assigning) but cannot modify analytics rules. Option A is correct. Option B is wrong because Reader cannot triage (cannot change status).

Option C is wrong because Contributor can modify analytics rules. Option D is wrong because although it allows triage, it also allows modifying rules, which is not desired.

51
MCQeasy

Your team uses Microsoft Sentinel to monitor multiple Azure subscriptions. You need to grant a junior analyst the ability to view incidents and run playbooks, but not modify analytics rules or data connectors. Which built-in role should you assign?

A.Microsoft Sentinel Contributor
B.Automation Contributor
C.Microsoft Sentinel Reader
D.Microsoft Sentinel Responder
AnswerD

Responder can view incidents and run playbooks.

Why this answer

Option D is correct because Microsoft Sentinel Responder allows viewing incidents and running playbooks, but not modifying analytics rules or connectors. Reader (Option C) only allows viewing. Contributor (Option A) allows modifications.

Automation Contributor (Option B) is for runbooks and automation accounts, not Sentinel-specific.

52
Multi-Selecteasy

Which TWO are supported data sources for Microsoft Sentinel?

Select 2 answers
A.Google Cloud VPC Flow Logs
B.Windows Server 2008 event logs
C.Microsoft Entra ID audit logs
D.AWS CloudTrail
E.On-premises syslog-ng
AnswersC, D

Supported via Microsoft Entra ID connector (formerly Azure AD).

Why this answer

Options C and D are correct. Microsoft Sentinel supports AWS CloudTrail via the Amazon Web Services connector and Microsoft Entra ID audit logs via the Azure Active Directory connector (now Microsoft Entra ID). Option E is wrong because on-premises syslog-ng is not directly supported; syslog is supported via a connector.

Option A is wrong because Google Cloud VPC Flow Logs are not natively supported. Option B is wrong because Windows Server 2008 is out of support and not recommended.

53
MCQhard

Your organization is migrating to Microsoft Sentinel. You need to ensure that the workspace retains data for 2 years for compliance, but you want to reduce costs by using cheaper storage for data older than 90 days. What should you configure?

A.Set the workspace retention to 730 days and enable a data cap.
B.Set workspace retention to 90 days and configure long-term retention in Azure Data Explorer (ADX).
C.Export data older than 90 days to a storage account and delete from workspace.
D.Configure the workspace retention to 90 days and use Azure Storage archiving.
AnswerB

ADX integration allows cost-effective long-term retention with query capabilities.

Why this answer

Option B is correct because Microsoft Sentinel allows you to set the workspace retention to 90 days for interactive, hot-tier access, and then configure long-term retention in Azure Data Explorer (ADX) for data older than 90 days. This approach meets the 2-year compliance requirement while reducing costs, as ADX provides cheaper storage for older data that is queried less frequently.

Exam trap

The trap here is that candidates often confuse Azure Storage archiving or data export with the ability to query the data in Sentinel, not realizing that only ADX provides native, queryable long-term retention integrated with Sentinel's KQL interface.

How to eliminate wrong answers

Option A is wrong because enabling a data cap does not provide cheaper storage for older data; it only limits data ingestion, and setting workspace retention to 730 days keeps all data in the expensive hot tier for the entire period, increasing costs. Option C is wrong because exporting data to a storage account and deleting it from the workspace breaks the ability to query that data within Sentinel, and Sentinel does not natively support querying data from external storage accounts without additional tooling. Option D is wrong because Azure Storage archiving is not natively integrated with Sentinel for querying archived data; Sentinel requires data to be in the workspace or in ADX for long-term retention with query capability.

54
MCQmedium

Your organization uses Microsoft Sentinel and has enabled UEBA. You notice that many low-severity incidents are being created from high-volume informational alerts. You want to reduce noise without disabling data connectors. What should you do?

A.Create an automation rule that closes low-severity incidents immediately.
B.Increase the incident creation threshold in the analytics rule.
C.Modify the analytics rule query to exclude the high-volume informational events using KQL.
D.Disable the Microsoft 365 Defender connector for those data sources.
AnswerC

Tuning the query filters out unwanted alerts.

Why this answer

Option C is correct because analytics rule tuning using KQL allows you to filter out specific events or conditions, reducing false positives. Option D is wrong because disabling connectors would stop all data ingestion, not just the noise. Option B is wrong because raising a threshold acts as suppression on incident volume rather than rule-level filtering of the noisy events.

Option A is wrong because automation rules act after incident creation; they do not prevent it.

55
MCQmedium

Your organization uses Microsoft Defender for Identity. The security team wants to monitor for suspected DCSync attacks. Which Windows Event ID should you monitor to detect DCSync activity?

A.Event ID 4776: The domain controller attempted to validate the credentials for an account.
B.Event ID 4662: An operation was performed on an object.
C.Event ID 4648: A logon was attempted using explicit credentials.
D.Event ID 4624: An account was successfully logged on.
AnswerB

This event can be used to monitor for directory replication operations.

Why this answer

Option B is correct because Event ID 4662 (An operation was performed on an object) is used to detect directory replication requests, which are part of DCSync attacks. Option D is wrong because 4624 is a successful logon. Option C is wrong because 4648 is a logon with explicit credentials.

Option A is wrong because 4776 is credential validation.

56
MCQmedium

Your SOC team uses Microsoft Defender XDR. You want to ensure that all incidents are automatically classified and determined by the built-in AI before any manual review. What should you configure?

A.Create a custom detection rule in Microsoft Defender XDR.
B.Enable the incident summarization and classification feature in Microsoft Defender XDR.
C.Enable automation rules in Microsoft Sentinel to classify incidents.
D.Configure a workbook in Microsoft Sentinel to analyze incidents.
AnswerB

This feature uses AI to automatically classify and determine incidents.

Why this answer

Option B is correct because Microsoft Defender XDR incident summarization and classification uses AI to automatically classify incidents. Option C is wrong because automation rules in Sentinel are for Sentinel incidents. Option A is wrong because custom detection rules do not apply AI classification.

Option D is wrong because AI classification is not a workbook feature.

57
MCQeasy

You are configuring a Microsoft Sentinel analytics rule to detect failed logons from multiple IP addresses. The rule should trigger an incident only when the same user account has failed logons from more than three distinct IP addresses within 5 minutes. Which rule setting should you configure?

A.Set the 'Alert threshold' to 'Custom' and define a condition on distinct IP count.
B.Set the 'Group by' field to 'Account' and 'IP address'.
C.Set the 'Event grouping' to 'Group all events into a single alert'.
D.Set the 'Suppression' to '5 minutes' after an alert is generated.
AnswerA

Correct. Custom threshold allows defining distinct count conditions.

Why this answer

Option A is correct because the requirement is to trigger an incident only when the same user account has failed logons from more than three distinct IP addresses within 5 minutes. In Microsoft Sentinel analytics rules, the 'Alert threshold' set to 'Custom' allows you to define a condition on the count of distinct values (e.g., distinct IP addresses) aggregated over the rule's query window, which directly matches the scenario.

Exam trap

The trap here is that candidates often confuse 'Group by' (which splits alerts by field values) with the ability to count distinct values across those groups, leading them to select Option B instead of recognizing that a custom threshold on distinct count is required.

How to eliminate wrong answers

Option B is wrong because setting 'Group by' to 'Account' and 'IP address' would create separate alerts for each combination of account and IP address, not aggregate distinct IPs per account. Option C is wrong because 'Group all events into a single alert' would combine all failed logon events into one alert regardless of distinct IP count, failing to enforce the 'more than three distinct IPs' threshold. Option D is wrong because 'Suppression' pauses alert generation after an alert fires, but does not control the condition for triggering the alert based on distinct IP count within a time window.

58
MCQhard

Your organization uses Microsoft Sentinel and has multiple workspaces for different regions. The security team wants to use a single workbook to display data from all workspaces. What is the correct approach?

A.Create a workbook with cross-workspace queries using the workspace() expression
B.Export data from all workspaces to a single Azure Data Lake
C.Create a workbook in one workspace and configure it to use Azure Lighthouse
D.Create a workbook in each workspace and merge them manually
AnswerA

Cross-workspace queries allow a single workbook to query multiple workspaces.

Why this answer

Option A is correct because you can create a workbook with cross-workspace queries using the workspace() expression to query multiple workspaces. Option D is wrong because workbooks can query multiple workspaces without manual merging. Option B is wrong because you do not need to export the data.

Option C is wrong because a single workbook can handle multiple workspaces via cross-workspace queries.

59
MCQhard

Your organization uses Microsoft Sentinel. You have a custom analytics rule that generates incidents based on a KQL query. The rule is configured to run every 5 minutes. You notice that the rule is generating duplicate incidents for the same event. What should you do to prevent duplicates?

A.Create an automation rule that deletes duplicate incidents.
B.Set the rule to group alerts into a single incident if they occur within 5 minutes.
C.Create a playbook that checks for duplicates before incident creation.
D.Enable entity mapping in the analytics rule and set appropriate entities.
AnswerD

Correct: Entity mapping helps group related alerts.

Why this answer

Option D is correct because enabling entity mapping allows Sentinel to group alerts into incidents based on entities. Option B is wrong because grouping by time alone is not sufficient. Option A is wrong because automation rules act on incidents after creation, not on incident creation itself.

Option C is wrong because playbooks cannot prevent duplicates.

60
MCQeasy

You are setting up Microsoft Sentinel for the first time. You need to ingest Windows security events from on-premises servers using the Azure Monitor Agent. Which data connector should you enable in Microsoft Sentinel?

A.Common Event Format (CEF) via AMA
B.Windows Security Events via AMA
C.Syslog via AMA
D.DNS via AMA
AnswerB

Correct. This connector uses Azure Monitor Agent to collect Windows security events.

Why this answer

The Windows Security Events via AMA data connector is specifically designed to collect Windows security events (e.g., Event ID 4625, 4688) from on-premises servers using the Azure Monitor Agent (AMA). This connector leverages the AMA's Data Collection Rules (DCRs) to filter and ingest security-relevant logs directly into Microsoft Sentinel, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates often confuse 'Syslog via AMA' with Windows event collection, but Syslog is a Linux-centric protocol (UDP/TCP 514) and cannot natively read Windows Event Log files.

How to eliminate wrong answers

Option A is wrong because Common Event Format (CEF) via AMA is used for ingesting logs from security appliances (e.g., firewalls, IDS/IPS) that output CEF-formatted syslog messages, not native Windows security events. Option C is wrong because Syslog via AMA is designed for Linux-based syslog data (RFC 3164/5424) and does not natively collect Windows Event Log data. Option D is wrong because DNS via AMA is a specialized connector for collecting DNS query/response logs from Windows DNS servers, not general Windows security events.

61
MCQeasy

Your organization uses Microsoft Defender XDR. You need to ensure that all cloud app alerts are forwarded to Microsoft Sentinel for correlation. What should you configure?

A.Create an analytics rule in Sentinel that queries Defender for Cloud Apps API.
B.Configure Microsoft Defender for Cloud Apps to export alerts to Azure Event Hubs.
C.In Microsoft Sentinel, enable the data connector for Microsoft Defender for Cloud Apps.
D.In Microsoft Sentinel, enable the data connector for Microsoft Defender for Endpoint.
AnswerC

This connector ingests alerts from Defender for Cloud Apps.

Why this answer

Option C is correct because the Microsoft Defender for Cloud Apps data connector in Microsoft Sentinel is specifically designed to ingest alerts and cloud discovery logs from Defender for Cloud Apps. Enabling this connector ensures that all cloud app alerts are automatically forwarded to Sentinel for correlation without requiring custom API queries or external export pipelines.

Exam trap

The trap here is that candidates may confuse the purpose of data connectors for different Microsoft Defender products, mistakenly selecting the Defender for Endpoint connector when the question specifically targets cloud app alerts.

How to eliminate wrong answers

Option A is wrong because creating an analytics rule that queries the Defender for Cloud Apps API would require custom logic and does not provide automated, continuous ingestion of alerts; analytics rules are for detection, not data ingestion. Option B is wrong because exporting alerts to Azure Event Hubs is an alternative method for custom integration, but it is not the standard or recommended configuration for forwarding all cloud app alerts to Sentinel; the built-in data connector is simpler and directly supported. Option D is wrong because the Microsoft Defender for Endpoint data connector ingests endpoint detection and response alerts, not cloud app alerts; it addresses a different security domain.

62
Multi-Selectmedium

Which TWO actions are valid ways to integrate on-premises firewall logs into Microsoft Sentinel for analysis?

Select 2 answers
A.Enable the Office 365 connector.
B.Configure the firewall to send Common Event Format (CEF) logs to a syslog server running Azure Monitor Agent.
C.Install the Windows DNS Server connector.
D.Connect the Azure Activity log connector.
E.Use the Microsoft Sentinel Data Collector API to send custom logs.
AnswersB, E

Correct. CEF via AMA is a standard integration.

Why this answer

Option B is correct because on-premises firewall logs can be forwarded in Common Event Format (CEF) over syslog to a server running the Azure Monitor Agent (AMA), which then ingests them into Microsoft Sentinel. CEF is a standard log format supported by many security appliances, and the AMA replaces the older Log Analytics Agent for this purpose. This setup allows Sentinel to parse and analyze the firewall events for security monitoring.

Exam trap

The trap here is that candidates often confuse the Azure Activity log connector (which only covers Azure resource operations) with a general-purpose log ingestion method, or they mistakenly think the Office 365 connector can handle any external log source.

63
MCQmedium

Your organization uses Microsoft Defender XDR. You need to investigate a potential ransomware incident that has affected multiple devices. The security team wants to identify the initial access vector. Which advanced hunting table should you query to find the process that initiated the encryption?

A.DeviceRegistryEvents
B.DeviceFileEvents
C.DeviceNetworkEvents
D.DeviceProcessEvents
AnswerD

DeviceProcessEvents logs process creation, essential for tracking the initial process.

Why this answer

Option D is correct because DeviceProcessEvents contains process creation events, which can show which process started the ransomware. Option B has file creation, not process creation; Option C has network connections; Option A has registry events.

64
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to ensure that suspicious email messages are automatically moved to quarantine and an incident is raised in Microsoft Sentinel. What should you configure?

A.Configure the Microsoft Defender for Office 365 data connector in Sentinel.
B.Configure the Microsoft Defender for Cloud data connector in Sentinel.
C.Use the Microsoft Defender for Identity data connector.
D.Enable the Microsoft Defender for Endpoint data connector.
AnswerA

This connector ingests Office 365 alerts and incidents into Sentinel.

Why this answer

Defender for Office 365 can automatically quarantine emails based on policies. To raise an incident in Sentinel, you need to stream the alerts to Sentinel via a data connector. Option A is correct.

Option B is wrong because that connector is for Defender for Cloud, not Office 365. Option D is wrong because that connector is for Defender for Endpoint. Option C is wrong because that connector is for identity alerts.

65
Multi-Selectmedium

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Select 2 answers
A.Create a new analytics rule
B.Modify a data connector
C.Change incident status
D.Run a playbook
E.Delete an incident
AnswersC, D

Automation rules can set status to Active, Resolved, etc.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically manage incidents by changing their status (e.g., from 'New' to 'Active' or 'Closed') based on conditions like severity or title. They can also trigger playbooks (automated response workflows) when incidents are created or updated, enabling actions such as enrichment, investigation, or remediation. These capabilities are defined in the automation rule's 'Actions' section, where you set the incident status or select a playbook to run.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules or playbooks, mistakenly thinking automation rules can create or delete incidents, when in fact they only modify existing incidents or trigger playbooks.

66
MCQhard

You run the above KQL query in Microsoft Sentinel. The query returns no results. What is the most likely reason?

A.The column 'AlertSeverity' does not exist in the SecurityAlert table.
B.The 'summarize' operator is misspelled.
C.The 'has' operator is case-sensitive and the alert names are capitalized differently.
D.The query does not specify a time range, so it may be querying data older than the default 24-hour lookback.
AnswerD

Without a time filter, only last 24 hours are queried.

Why this answer

Option D is correct because the exhibit shows no time filter, so the query runs only against the default 24-hour lookback window; if the matching alerts in the SecurityAlert table are older than that, no rows are returned. A SecurityAlert table that has not been populated by any alerts would also return nothing, but that is not among the options.

Option A is wrong because 'AlertSeverity' is a valid column of the SecurityAlert table. Option B is wrong because 'summarize' is spelled correctly and works fine.

Option C is wrong because the 'has' operator is case-insensitive, so differently capitalized alert names still match.

67
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that incident investigation is efficient by automatically grouping related alerts into incidents. Which configuration should you use?

A.Create an automation rule to group alerts
B.Configure alert grouping in the analytics rule wizard
C.Use a playbook to merge incidents
D.Define a watchlist to consolidate alerts
AnswerB

Correct: Alert grouping settings are part of the analytics rule creation or editing.

Why this answer

Option B is correct because Microsoft Sentinel's analytics rule wizard includes a dedicated 'Alert grouping' configuration that allows you to specify how alerts from the same analytics rule are automatically combined into a single incident. This setting is essential for efficient incident investigation, as it reduces alert noise by grouping related alerts based on criteria such as matching entities, time windows, or custom alert details, ensuring that security analysts work with consolidated incidents rather than individual alerts.

Exam trap

The trap here is that candidates often confuse automation rules (which operate on existing incidents) with the alert grouping feature (which operates during incident creation), leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because automation rules in Microsoft Sentinel are used to trigger automated responses (e.g., changing incident status, assigning owners) after an incident is created, not to group alerts into incidents during the creation process. Option C is wrong because playbooks are automated workflows (often using Azure Logic Apps) that respond to incidents or alerts after they exist; they cannot merge incidents or group alerts at the point of incident creation. Option D is wrong because watchlists are collections of data (e.g., IP addresses, hostnames) used for correlation, enrichment, or filtering within analytics rules, not for consolidating alerts into incidents.

68
Multi-Selecthard

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You notice that the cost is higher than expected. You need to reduce costs without losing critical security data. Which two actions should you take? (Choose two.)

Select 2 answers
A.Set a daily cap on tables that generate high volumes but low security value.
B.Move verbose logs to Auxiliary logs (Basic Logs) tier.
C.Increase the retention period for all tables to 90 days.
D.Change the workspace pricing tier to 'Pay-as-you-go Gen2'.
E.Turn off data connectors for non-critical sources.
AnswersA, B

Limits ingestion for non-critical tables.

Why this answer

Options A and B are correct. Setting a daily cap on specific high-volume, low-value tables prevents them from exceeding a set ingestion volume, and moving verbose logs to the Auxiliary logs (Basic Logs) tier reduces their cost. Option E is wrong because turning off data connectors stops all ingestion from those sources. Option C is wrong because increasing retention increases cost.

Option D is wrong because changing to Gen2 pricing is not a cost-saving measure.

69
Multi-Selecthard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a user reports a phishing email in Microsoft 365 Defender, the incident in Microsoft Sentinel is automatically updated with the user's comments. Which THREE components are required?

Select 3 answers
A.A logic app in Azure that is triggered by the Microsoft 365 Defender alert.
B.The Microsoft 365 Defender data connector in Microsoft Sentinel.
C.The Microsoft Entra ID data connector in Microsoft Sentinel.
D.A playbook in Microsoft Sentinel that updates the incident with the user's comments.
E.An automation rule in Microsoft Sentinel that triggers the playbook when an incident is created from a Microsoft 365 Defender alert.
AnswersB, D, E

This connector ingests alerts from Microsoft 365 Defender.

Why this answer

Options B, D, and E are correct. The Microsoft 365 Defender data connector ingests the alert into Microsoft Sentinel, a playbook is needed to process the alert and update the incident with the user's comments, and an automation rule triggers that playbook when the incident is created.

Option C is incorrect because the Microsoft Entra ID data connector is not needed for this scenario. Option A is incorrect because a logic app is a type of playbook, not an additional component.

70
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security incidents from Defender for Cloud are automatically sent to Sentinel. What should you configure?

A.Configure the Azure Active Directory data connector
B.Configure the Microsoft Defender for Cloud data connector
C.Create an Azure Event Hub and push Defender for Cloud alerts to Sentinel via a custom connector
D.Configure the Microsoft 365 Defender data connector
AnswerB

This connector directly ingests incidents and alerts from Defender for Cloud.

Why this answer

The 'Microsoft Defender for Cloud' data connector (formerly Azure Security Center) in Sentinel enables continuous ingestion of alerts and incidents, so Option B is correct. Option A is the legacy connector for Azure Active Directory (now Microsoft Entra ID).

Option D is the connector for Microsoft 365 Defender. Option C is a custom connector that requires extra setup.

71
MCQmedium

You are a security analyst at a company that uses Microsoft Defender XDR. You receive an alert about a potential ransomware activity on a workstation. The alert is generated by Microsoft Defender for Endpoint. You need to contain the threat by isolating the workstation from the network while allowing forensic analysis to proceed. You want to use Microsoft Defender XDR's built-in actions. What should you do?

A.Create a firewall rule in Microsoft Defender for Cloud Apps to block the device's IP.
B.Use the 'Isolate device' action from the Microsoft Defender XDR portal.
C.Unenroll the device from Microsoft Intune.
D.Disable the network adapter on the workstation remotely.
AnswerB

Isolation blocks most network traffic but allows forensic connections.

Why this answer

The 'Isolate device' action in Microsoft Defender XDR (specifically from the Microsoft Defender for Endpoint component) disconnects the device from all network traffic except for the Defender for Endpoint service and a few authorized services (such as Windows Update and the Microsoft Update Service). This allows forensic analysis tools (like Live Response) to continue communicating with the device while preventing the ransomware from spreading laterally or communicating with command-and-control servers. This is the built-in, recommended containment action for such scenarios.

Exam trap

The trap here is that candidates may confuse network isolation with other security controls (like blocking an IP in a CASB or unenrolling from MDM) and fail to recognize that Microsoft Defender XDR's 'Isolate device' is the only built-in action that both contains the threat and preserves forensic access.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps (MCAS) is a cloud access security broker that controls access to cloud applications, not a tool for isolating a workstation from the network; blocking an IP in MCAS would not isolate the device itself. Option C is wrong because unenrolling the device from Microsoft Intune removes management and policy enforcement, but does not contain the threat—it actually removes the ability to perform any further actions on the device and does not stop network communication. Option D is wrong because disabling the network adapter remotely is not a built-in action in Microsoft Defender XDR; it would require separate remote management tools (e.g., PowerShell, RMM) and would also cut off the forensic analysis channel, preventing Live Response or any other remote investigation.

72
Multi-Selecteasy

Which TWO are valid methods to connect a non-Azure Windows server to Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Install the Azure Monitor Agent (AMA)
B.Install the Azure Security Center agent
C.Configure Windows Event Forwarding (WEF) and point it to Sentinel
D.Install the Log Analytics agent (MMA)
E.Configure the server to forward syslog to Sentinel
AnswersA, D

AMA supports Windows and Linux.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) is the current, recommended agent for collecting data from non-Azure Windows servers and sending it to Microsoft Sentinel. It replaces the older Log Analytics agent and supports data collection via Data Collection Rules (DCRs), which allow granular control over which events and performance counters are ingested. Option D is correct because the Log Analytics agent (MMA) was the original method to connect Windows servers to Sentinel, and while it is being phased out in favor of AMA, it remains a valid supported method for existing deployments.

Exam trap

The trap here is that candidates may mistake Windows Event Forwarding (WEF) for a direct data connector to Sentinel, when in fact WEF only centralizes events on a collector server, which still requires an agent to forward them to Sentinel; it is an indirect method, not one of the direct connection options.

73
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents generated by Microsoft Defender for Cloud are automatically assigned to the security operations team. What should you configure in Microsoft Sentinel?

A.Create a playbook that uses the Microsoft Teams connector to send a message to the security team.
B.Use the incident creation rule in Microsoft Defender for Cloud to assign incidents.
C.Create an automation rule that runs when an incident is created with provider: 'Microsoft Defender for Cloud' and sets the owner to a specific group.
D.Configure analytics rules to set the incident owner in the rule settings.
AnswerC

Automation rules can conditionally assign incidents to a team or individual.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can automatically assign incidents to a specific team or owner based on conditions such as the incident provider. Options A and B serve other purposes. Option D is a legacy approach and is not the best choice for this requirement.

74
MCQeasy

Your organization has deployed Microsoft Sentinel. You need to ensure that user and entity behavior analytics (UEBA) is enabled for all data sources. What is the minimum role required to enable UEBA in Microsoft Sentinel?

A.Microsoft Sentinel Contributor
B.Global Administrator
C.Security Reader
D.Log Analytics Contributor
AnswerA

Microsoft Sentinel Contributor can enable UEBA.

Why this answer

Option A is correct because enabling UEBA requires at least the 'Microsoft Sentinel Contributor' role on the workspace. Option B is wrong because Global Administrator is not required. Option C is wrong because Security Reader is read-only.

Option D is wrong because Log Analytics Contributor does not include Sentinel-specific permissions.

75
MCQmedium

Refer to the exhibit. You run the PowerShell command against Microsoft Defender for Endpoint. What is the result?

A.The investigation package is collected.
B.An antivirus scan runs on the device.
C.The device is isolated from the network.
D.A Live Response session is started.
AnswerB

The action type initiates a scan.

Why this answer

The `Start-MpScan` cmdlet initiates a Microsoft Defender Antivirus scan on the device. The `-ScanType` parameter with value `QuickScan` specifies a quick scan of common malware locations, not a full scan. This is a direct antivirus action, not an investigation package collection, isolation, or Live Response session.

Exam trap

The trap here is that candidates confuse the `Start-MpScan` cmdlet with other Defender for Endpoint actions like investigation package collection or device isolation, because all are available under the 'Actions' menu in the portal, but each uses a distinct PowerShell cmdlet or API call.

How to eliminate wrong answers

Option A is wrong because collecting an investigation package requires the `Start-MpInvestigation` cmdlet or the `CollectInvestigationPackage` action via Microsoft Defender for Endpoint API, not `Start-MpScan`. Option C is wrong because device isolation is performed using the `Isolate-Device` cmdlet or the corresponding API action, not a scan command. Option D is wrong because starting a Live Response session requires the `Start-MpLiveResponse` cmdlet or initiating a session via the Defender portal, not a scan cmdlet.
