CCNA Manage a security operations environment Questions

75 of 554 questions · Page 6/8 · Manage a security operations environment · Answers revealed

376
MCQ · medium

Refer to the exhibit. You are using this KQL query in a Microsoft Sentinel scheduled analytics rule to detect brute-force attacks. The rule has been running for a week but has never triggered an alert. What is the most likely reason?

A. The query uses a 24-hour lookback and the rule runs every 5 minutes, so it misses data.
B. The query syntax is incorrect.
C. The query uses 'summarize' which is not allowed in analytics rules.
D. The SecurityEvent table is not being populated because Windows event collection is not configured.
Answer: D

Without data, the query returns no results.

Why this answer

Option D is correct because the query filters EventID 4625 (failed logon) and groups by Account; if the data source (SecurityEvent) is not being ingested, the query returns no results regardless of its logic. Option B is wrong because the query syntax is correct.

Option A is wrong because a 24-hour lookback is fine. Option C is wrong because 'summarize' is a simple aggregation and is allowed in analytics rules.
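As an added example (not the exhibit from the question and not Microsoft's own content), here is a brute-force detection query of the shape the explanation describes, followed by the ingestion check an analyst would run first when such a rule stays silent. The SecurityEvent and Usage tables and their columns are the standard Log Analytics schema; the failure threshold of 10 is an assumed value.

```kql
// Added example, not the question's exhibit. Query 1 is the detection; query 2 is the
// check to run when the rule never fires. Run each query separately in Logs.

// 1. Detection: accounts with many failed logons (EventID 4625) in the lookback window.
//    The threshold of 10 is an assumed value; tune it to the environment.
SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4625
| summarize FailedLogons = count(), SourceIPs = make_set(IpAddress, 10) by Account
| where FailedLogons > 10
| order by FailedLogons desc

// 2. Ingestion check: is SecurityEvent receiving any rows at all?
//    The Usage table records ingested volume per data type; an empty result here means
//    the data source (option D), not the detection logic, is why the rule is silent.
Usage
| where TimeGenerated > ago(7d)
| where DataType == "SecurityEvent"
| summarize IngestedMB = sum(Quantity), LastSeen = max(TimeGenerated) by DataType
```

If query 2 returns nothing, fix the Windows event collection (the data collection rule or agent) before touching the analytics rule; the same Usage check works for any table a rule depends on.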

377
MCQ · medium

Your SOC team uses Microsoft Sentinel analytics rules. You need to ensure that a scheduled rule runs every hour, but only during business hours (8 AM to 6 PM). What configuration should you use?

A. Use a custom log with a logic app to only trigger the rule during business hours.
B. Configure the rule to run continuously with an alert threshold of 0.
C. Create two rules: one that runs every hour during business hours and another that runs but suppresses alerts outside business hours.
D. Set the rule to run every hour and use a KQL query to filter events outside business hours.
Answer: C

You can have a rule run continuously but use suppression or separate rules for time-based scheduling.

Why this answer

Option C is correct because Microsoft Sentinel scheduled analytics rules do not natively support time-based scheduling restrictions like 'only during business hours'. The recommended workaround is to create two separate rules: one that runs every hour during business hours to generate alerts, and another that runs every hour outside business hours but is configured to suppress alerts (e.g., by setting a low severity or using a suppression query). This ensures detection logic runs continuously while avoiding alert fatigue outside the desired window.

Exam trap

The trap here is that candidates assume a single rule can be configured with a time-based schedule filter, but Microsoft Sentinel does not support conditional scheduling; the only way to achieve time-restricted alerting is by using multiple rules with suppression logic.

How to eliminate wrong answers

Option A is wrong because using a custom log with a logic app to trigger the rule during business hours introduces unnecessary complexity and latency; Logic Apps are not designed to natively gate the execution of a scheduled analytics rule, and this approach would require custom orchestration that violates the principle of using built-in rule scheduling. Option B is wrong because configuring the rule to run continuously with an alert threshold of 0 does not restrict the rule to business hours; it would generate alerts for every query result at all times, which is the opposite of the requirement. Option D is wrong because setting the rule to run every hour and using a KQL query to filter events outside business hours would still execute the rule every hour, consuming resources and potentially generating suppressed alerts; KQL can filter results but cannot prevent the rule from running or generating alerts outside the intended time window.

378
Multi-Select · hard

Which THREE are valid components of a Microsoft Sentinel automation rule?

Select 3 answers
A. Actions (e.g., Run playbook, Change severity)
B. Watchlist
C. KQL query
D. Conditions (e.g., If severity equals Medium)
E. Trigger (e.g., When incident is created)
Answers: A, D, E

Actions define what happens when conditions are met.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to define actions such as running a playbook or changing the severity of an incident. These actions are executed automatically when the rule's trigger and conditions are met, enabling streamlined incident response without manual intervention.

Exam trap

The trap here is that candidates often confuse the components of an automation rule with those of an analytics rule, mistakenly selecting KQL queries or watchlists as valid automation rule components.

379
MCQ · easy

You are a SOC analyst using Microsoft Sentinel. You receive an incident with high severity. You need to quickly gather additional context about the affected user account, including recent sign-in logs and role assignments. Which feature should you use?

A. Sentinel Workbooks
B. Analytics rules
C. Entity pages
D. Hunting queries
Answer: C

Entity pages show timeline, related alerts, and details for users, hosts, etc.

Why this answer

Option C is correct because Entity pages in Sentinel provide contextual information about entities such as users and hosts. Option A is wrong because Workbooks are for custom reporting. Option D is wrong because Hunting queries are for proactive threat hunting.

Option B is wrong because Analytics rules create incidents.

380
MCQ · medium

Your organization has Microsoft Defender for Office 365. You need to review a user's reported phishing email in Microsoft Defender XDR. Which section of the Microsoft Defender portal should you check?

A. Submissions
B. Threat Explorer
C. Alerts
D. Action center
Answer: A

The Submissions page in Microsoft Defender XDR shows user-reported messages.

Why this answer

Option A is correct because user-reported messages are listed on the Submissions page. Option B is wrong because Threat Explorer is for hunting, not user reports. Option D is wrong because Action center shows remediation actions.

Option C is wrong because Alerts shows alerts, not submissions.

381
Multi-Select · medium

Which THREE actions can be performed by automation rules in Microsoft Sentinel?

Select 3 answers
A. Modify a data connector to ingest more logs
B. Create a new analytics rule
C. Assign an incident to a specific owner
D. Run a playbook on an incident
E. Add a tag to an incident
Answers: C, D, E

Automation rules have an 'Assign owner' action.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can automatically assign incidents to specific owners based on conditions such as severity, entity type, or custom criteria. This action helps streamline incident response by ensuring the right personnel are notified and responsible for handling the incident without manual intervention.

Exam trap

The trap here is that candidates may confuse automation rules with analytics rules or data connectors, assuming automation rules can modify data sources or create detection logic, when in fact automation rules are limited to post-ingestion incident management actions.

382
Multi-Select · medium

Which TWO actions are part of managing a security operations environment in Microsoft Sentinel? (Select two.)

Select 2 answers
A. Configuring physical access controls to the data center
B. Installing the Azure Monitor Agent on servers
C. Creating automation rules to triage incidents
D. Configuring data retention policies for Log Analytics workspaces
E. Creating Microsoft Purview sensitivity labels
Answers: C, D

Automation rules manage incident response workflows.

Why this answer

Managing a SOC environment includes configuring data retention and setting up automation, so options C and D are correct. Option E is for compliance, not SOC management.

Option B is for data collection, not management. Option A is for physical security.

383
Multi-Select · easy

Which TWO permissions are required to configure a data connector in Microsoft Sentinel?

Select 2 answers
A. Log Analytics Contributor
B. Microsoft Sentinel Reader
C. Global Administrator
D. Security Admin
E. Microsoft Sentinel Contributor
Answers: A, E

Contributor can modify workspace settings needed for connectors.

Why this answer

To configure a data connector, you need Microsoft Sentinel Contributor to manage Sentinel resources and Log Analytics Contributor to manage the workspace, so options A and E are correct. Option B (Reader) is insufficient.

Option D (Security Admin) is not a Sentinel-specific role. Option C (Global Administrator) is not required.

384
Multi-Select · easy

Which TWO Microsoft Sentinel features allow you to organize and prioritize incidents for better triage?

Select 2 answers
A. Entity mapping in analytics rules.
B. Automation rules with incident creation triggers.
C. Workbooks for dashboard reporting.
D. Incident assignment to analysts.
E. Incident classification and tagging.
Answers: D, E

Assignment helps in triage.

Why this answer

Options D and E are correct. Option B is wrong because automation rules and the playbooks they trigger are for response. Option C is wrong because workbooks are for visualization.

Option A is wrong because entities are components of incidents.

385
MCQ · easy

Your company uses Microsoft Defender for Office 365. You want to automatically take action on malicious emails that bypass the filter. What should you configure?

A. Enable anti-phishing policy.
B. Enable Safe Attachments policy.
C. Create a transport rule in Exchange.
D. Configure automated investigation and response (AIR) policies.
Answer: D

AIR automatically remediates threats like malicious emails.

Why this answer

Automated investigation and response (AIR) policies in Microsoft Defender for Office 365 are specifically designed to automatically take action on malicious emails that bypass initial filters. AIR uses playbooks to investigate threats and automatically remediate, such as deleting or moving emails, without manual intervention. This directly addresses the requirement to automatically act on bypassed malicious emails.

Exam trap

The trap here is that candidates often confuse pre-delivery protection policies (like anti-phishing or Safe Attachments) with post-delivery automated response capabilities, assuming any security policy can automatically act on bypassed emails, but only AIR provides the automated investigation and remediation workflow for threats that have already evaded initial filters.

How to eliminate wrong answers

Option A is wrong because anti-phishing policies in Defender for Office 365 are preventive controls that block phishing attempts at the point of delivery, not reactive actions for emails that have already bypassed filters. Option B is wrong because Safe Attachments policies scan attachments in email in real-time to block malicious files, but they do not automatically take action on emails that have already bypassed the filter—they are a pre-delivery protection mechanism. Option C is wrong because transport rules in Exchange (mail flow rules) are used for custom routing, compliance, or filtering based on conditions, but they are not designed to automatically investigate and remediate malicious emails that bypassed Defender filters; they lack the automated investigation and response capabilities of AIR.

386
MCQ · hard

Refer to the exhibit. You are reviewing an automation rule configuration in Microsoft Sentinel. Based on the JSON snippet, what will happen when a high-severity incident is created?

A. The rule will run a playbook when a high-severity incident is created
B. The rule will change the severity of the incident to Medium
C. The rule will assign the incident to the SOC manager
D. The rule will run the playbook when a new alert is created
Answer: A

The trigger condition is on incident creation with severity equals High, and action is RunPlaybook.

Why this answer

Option A is correct because the automation rule's trigger condition is set to 'When incident is created' and the condition filters for incidents with a severity of 'High'. When a high-severity incident is created, the rule will execute the associated playbook, which is a common use case for automated response in Microsoft Sentinel.

Exam trap

The trap here is that candidates may confuse the incident creation trigger with alert creation trigger, or assume that any rule with a condition automatically modifies the incident properties like severity or assignment, when in fact the rule only executes the defined actions (playbook) based on the condition.

How to eliminate wrong answers

Option B is wrong because the JSON snippet does not include any action to change the severity of the incident; it only triggers a playbook. Option C is wrong because there is no assignment action configured in the rule; the rule only runs a playbook, not reassigns ownership. Option D is wrong because the trigger is set to 'When incident is created', not 'When alert is created'; alerts are separate entities that can be correlated into incidents, but the rule specifically acts on incident creation.

387
MCQ · easy

You need to ensure that Microsoft Sentinel can access threat intelligence feeds from external sources like AlienVault OTX. Which data connector should you use?

A. Microsoft 365 Defender data connector
B. Microsoft Entra ID data connector
C. Amazon Web Services data connector
D. Threat Intelligence - TAXII data connector
Answer: D

Connects to TAXII feeds like AlienVault OTX.

Why this answer

The Threat Intelligence - TAXII data connector is the correct choice because it enables Microsoft Sentinel to ingest threat intelligence feeds from external sources that support the TAXII (Trusted Automated eXchange of Indicator Information) protocol, such as AlienVault OTX. This connector uses the STIX (Structured Threat Information Expression) standard to pull indicators of compromise (IOCs) like IP addresses, domains, and hashes directly into Sentinel for correlation and alerting.

Exam trap

The trap here is that candidates may confuse the 'Threat Intelligence - TAXII' connector with other data connectors that also deal with external data (like AWS or Microsoft 365), but only the TAXII connector is specifically designed to ingest structured threat intelligence feeds using the STIX/TAXII standard.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Defender data connector ingests alerts and incidents from Microsoft 365 Defender (e.g., Defender for Endpoint, Defender for Office 365), not external threat intelligence feeds like AlienVault OTX. Option B is wrong because the Microsoft Entra ID data connector (formerly Azure AD) ingests sign-in logs and audit logs for identity-related security events, not threat intelligence feeds. Option C is wrong because the Amazon Web Services data connector ingests AWS CloudTrail and other AWS service logs, not external threat intelligence feeds.

388
MCQ · easy

A junior security analyst reports that they cannot create a new analytics rule in Microsoft Sentinel. They have the 'Microsoft Sentinel Contributor' role on the workspace. What could be the issue?

A. The workspace is in a locked resource group preventing modifications.
B. They need the 'Owner' role to create analytics rules.
C. They do not have the 'Microsoft Sentinel Responder' role.
D. They are assigned the role at the subscription level but not at the workspace level.
Answer: A

Resource locks can prevent any modifications, even with Contributor role.

Why this answer

Option A is correct because a resource lock on the resource group prevents modifications even with the Contributor role. Option B is wrong because the Owner role is not a requirement for creating rules. Option C is wrong because Contributor can create rules.

Option D is wrong because the role is assigned on the workspace.

389
MCQ · hard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that runs an automation rule to create a support ticket in ServiceNow. The playbook fails intermittently with a timeout error. You have verified that the playbook's managed identity has the correct permissions. What should you check next?

A. Ensure the playbook is assigned to an Azure Policy that allows outbound connections.
B. Check if the ServiceNow API has rate limits that are being exceeded.
C. Verify that the logic app's network connectivity allows outbound traffic to the ServiceNow endpoint, including any regional restrictions.
D. Verify that the logic app's workflow is configured to use asynchronous operations.
Answer: C

Intermittent timeouts often indicate network issues like firewall rules or regional routing.

Why this answer

The playbook is a Logic App, and intermittent timeout errors when calling an external API (ServiceNow) often indicate network connectivity issues. Since the managed identity permissions are correct, the next logical step is to verify that the Logic App's outbound traffic is allowed to the ServiceNow endpoint, including any regional restrictions that might block or delay traffic from the East US region. This directly addresses the root cause of the timeout.

Exam trap

The trap here is that candidates confuse authentication/authorization (managed identity) with network connectivity, assuming that correct permissions guarantee successful API calls, when in fact network restrictions or regional IP blocking can cause intermittent timeouts even with valid credentials.

How to eliminate wrong answers

Option A is wrong because Azure Policy does not manage outbound connections for Logic Apps; it enforces compliance rules on Azure resources, not network traffic. Option B is wrong because rate limits typically cause HTTP 429 responses, not timeout errors, and the question states the error is a timeout, not a throttling response. Option D is wrong because asynchronous operations affect how the Logic App handles long-running tasks internally, not the network connectivity to an external endpoint, and the timeout is on the outbound HTTP call, not the workflow execution.

390
MCQ · easy

Your Microsoft Sentinel workspace has a Microsoft 365 Defender connector configured. You notice that incidents are being created from Microsoft Defender for Office 365 alerts, but not from Microsoft Defender for Identity alerts. What should you check?

A. Enable the Microsoft Defender for Identity alert streaming in the connector configuration.
B. Verify that the Microsoft 365 Defender connector is connected.
C. Ensure you have licenses for Microsoft Defender for Identity.
D. Check the incident correlation rules in Microsoft Defender XDR.
Answer: A

The connector allows selecting which Microsoft Defender services to stream.

Why this answer

Option A is correct because Microsoft Defender for Identity alert streaming must be enabled in the Microsoft 365 Defender connector configuration. Option B is wrong because the connector is already connected; the issue is selective alert streaming. Option C is wrong because licensing for Defender for Identity is required, but the question implies it is already in place.

Option D is wrong because correlation rules in Defender XDR affect incident creation from alerts, but the connector streams alerts separately.

391
MCQ · medium

Your company uses Microsoft Defender for Cloud to monitor multi-cloud resources. You want to ensure that all critical security recommendations are automatically assigned to the appropriate team leads based on the resource's tags. Which feature should you configure?

A. Configure a regulatory compliance standard to send email notifications.
B. Create a workbook that lists recommendations and manually assign them.
C. Use the 'Assign ownership' feature in Microsoft Defender for Cloud to map tags to owners.
D. Create a governance rule that automatically applies a compliance standard.
Answer: C

This feature assigns recommendations to owners based on tags.

Why this answer

Option C is correct because the 'Assign ownership' feature in Microsoft Defender for Cloud allows you to map resource tags to specific owners (e.g., team leads) via an automated rule. When a critical security recommendation is generated for a resource with a matching tag, the recommendation is automatically assigned to the designated owner, ensuring accountability without manual intervention.

Exam trap

The trap here is confusing governance rules (which enforce compliance standards or auto-remediation) with the 'Assign ownership' feature, which specifically handles tag-based assignment of recommendations to users.

How to eliminate wrong answers

Option A is wrong because regulatory compliance standards are used to assess compliance against frameworks (e.g., CIS, NIST) and send email notifications for compliance drift, not to assign recommendations to owners based on tags. Option B is wrong because creating a workbook only provides a visual list of recommendations; it does not automate assignment to team leads based on tags. Option D is wrong because a governance rule that applies a compliance standard enforces compliance policies (e.g., auto-remediation), but it does not assign ownership of recommendations to specific users based on resource tags.

392
Multi-Select · medium

Which TWO actions can you perform using Microsoft Sentinel automation rules?

Select 2 answers
A. Create a new analytics rule based on an incident.
B. Assign an incident to a specific analyst.
C. Modify the data connector's polling interval.
D. Run a playbook automatically when an incident is created.
E. Automatically create an incident from a log event.
Answers: B, D

Automation rules can set the incident owner.

Why this answer

Option B is correct because Microsoft Sentinel automation rules can directly assign an incident to a specific analyst using the 'Assign owner' action. This allows security operations teams to automatically route incidents to the appropriate personnel based on criteria such as severity, tactic, or entity, improving response efficiency.

Exam trap

Microsoft often tests the distinction between automation rules (which act on incidents/alerts) and analytics rules (which generate incidents from log data), causing candidates to confuse the scope of automation rule actions.

393
MCQ · medium

Refer to the exhibit. You are reviewing a KQL query used in a Microsoft Sentinel scheduled analytics rule. What is the primary purpose of this query?

A. To investigate a new type of attack pattern
B. To identify which accounts are associated with the most incidents
C. To find accounts that have generated false positive alerts
D. To detect accounts that have triggered a high number of suspicious process alerts within 7 days
Answer: D

The query counts alerts per account and filters for >5.

Why this answer

Option D is correct because the query counts alerts per account and filters for more than 5, a threshold for repeated alerts. Option B is wrong because the query does not correlate accounts with incidents. Option C is wrong because it is not about false positives.

Option A is wrong because it is not about investigating a new attack pattern.
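As an added example (not the exhibit and not the page's own query), here is a query that implements what the explanation describes: count alerts per account over 7 days and keep accounts above a threshold of 5. The SecurityAlert table and its Entities column are the standard Sentinel schema; the AlertName filter is an assumed way of selecting process-related alerts.

```kql
// Added example, not the question's exhibit. Counts alerts per account entity over
// 7 days and keeps accounts above an assumed threshold of 5 distinct alerts.
SecurityAlert
| where TimeGenerated > ago(7d)
// Assumed filter: pick out alerts whose name refers to process activity.
| where AlertName has_any ("process", "execution")
// Entities is a JSON string; expand it to one row per entity and keep account entities.
| mv-expand Entity = todynamic(Entities)
| where tostring(Entity.Type) == "account"
| extend Account = tostring(Entity.Name)
| where isnotempty(Account)
// Count distinct alerts per account (an alert with several account entities is counted once per account).
| summarize AlertCount = dcount(SystemAlertId), AlertNames = make_set(AlertName, 10) by Account
| where AlertCount > 5
| order by AlertCount desc
```

The threshold on alert count per account is what separates this detection from an incident-centric report (option B) or a false-positive review (option C): it surfaces accounts that keep tripping alerts, which is the signal worth an analyst's attention.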

394
MCQ · hard

Your company has a hybrid environment with Microsoft Sentinel and Microsoft Defender for Cloud. You notice that the 'Priority' field in Sentinel incidents is not being populated correctly. You need to ensure that Sentinel incidents inherit the priority from Microsoft Defender for Cloud alerts. What should you configure?

A. Enable the 'Sync incidents and alerts' setting in Microsoft Defender XDR.
B. Configure the Microsoft Defender for Cloud data connector to map severity and use an automation rule to set priority based on severity.
C. Use a workbook to display priority and manually update incidents.
D. Create an analytics rule that queries Microsoft Defender for Cloud alerts and sets the priority in the incident creation.
Answer: B

Correct: The data connector can map severity, and automation rules can set priority accordingly.

Why this answer

Option B is correct because the Microsoft Defender for Cloud data connector maps the alert's severity to Sentinel's severity, and priority can then be set via an automation rule. Option D is wrong because analytics rules don't inherit priority from external alerts. Option A is wrong because Sentinel doesn't sync priority from Microsoft Defender for Cloud directly.

Option C is wrong because workbooks don't modify incident fields.

395
MCQ · easy

Your organization has Microsoft Defender for Cloud Apps enabled. You need to generate an alert when a user downloads more than 100 files from SharePoint in one hour. What should you create?

A. A data loss prevention (DLP) policy in Microsoft Purview.
B. A custom alert in Microsoft Sentinel using the CloudAppEvents table.
C. An app governance policy in Microsoft Defender for Cloud Apps.
D. An anomaly detection policy in Microsoft Defender for Cloud Apps.
Answer: D

Anomaly detection policies can detect activity volume anomalies.

Why this answer

An anomaly detection policy in Microsoft Defender for Cloud Apps is designed to detect unusual user behavior, such as mass file downloads, by establishing a baseline and triggering alerts when activity deviates from the norm. This policy type specifically supports the scenario of detecting a user downloading more than 100 files from SharePoint in one hour, as it can be configured with custom thresholds for file download activity.

Exam trap

The trap here is that candidates often confuse anomaly detection policies with DLP policies, assuming that any data exfiltration scenario must be handled by DLP, but DLP policies in Purview are content-based, not volume-based, making anomaly detection the correct choice for this behavioral threshold scenario.

How to eliminate wrong answers

Option A is wrong because a data loss prevention (DLP) policy in Microsoft Purview focuses on preventing data exfiltration by inspecting content and applying actions like blocking or encrypting, not on detecting volume-based anomalies like a high number of downloads. Option B is wrong because a custom alert in Microsoft Sentinel using the CloudAppEvents table would require ingesting logs and writing a KQL query, which is a more complex, post-facto detection method rather than a native, real-time policy within Defender for Cloud Apps. Option C is wrong because an app governance policy in Microsoft Defender for Cloud Apps is specifically for managing and monitoring OAuth-enabled apps (e.g., permissions, consent), not for detecting user behavior anomalies like mass file downloads.

396
MCQ · hard

You are a security analyst for a company that uses Azure Firewall. You are reviewing a custom rule deployed via Azure Firewall Manager. The exhibit shows the rule configuration. The rule is intended to block inbound traffic from known Tor exit nodes. However, a recent incident involved an attacker using a Tor exit node with IP 138.197.5.5 to access an internal web server on port 8080. The log shows the traffic was ALLOWED. What is the most likely reason the rule did not block the traffic?

A. The destination port 8080 is not listed in the rule.
B. The source address range does not include 138.197.5.5.
C. The rule type is 'Prevention' but should be 'Detection'.
D. The rule priority is too low and is overridden by a higher priority rule.
Answer: A

The rule only blocks ports 443 and 80, but the traffic used port 8080.

Why this answer

The rule only blocks ports 80 and 443 (destinationPorts). The attacker used port 8080, which is not covered by the rule, so option A is correct.

Option B is wrong because the source IP is within the rule's range. Option C is wrong because the rule is of type Prevention, not Detection, which is what a blocking rule requires. Option D is wrong because the priority is not necessarily too low; the rule would still have been evaluated if the port had matched.
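As an added check (not part of the question's exhibit and not the page's own query), after an incident like this one a defender would ask the firewall logs what was actually allowed from the source address, grouped by destination port and matching rule, so that a port gap in a deny rule becomes visible. It assumes Azure Firewall resource-specific logging (the AZFWNetworkRule table) is sent to the workspace; the column names are the standard ones for that table.

```kql
// Added example, not the question's exhibit. Audits firewall decisions for one source
// address: which destination ports were allowed, which were denied, and by which rule.
// Assumes resource-specific Azure Firewall logs (AZFWNetworkRule) are enabled.
AZFWNetworkRule
| where TimeGenerated > ago(30d)
| where SourceIp == "138.197.5.5"            // the Tor exit node named in the question
| summarize Hits = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Ports = make_set(DestinationPort)
          by Action, DestinationIp, RuleCollection, Rule
| order by Action asc, Hits desc
```

For the scenario in the question, the Deny rows would list only ports 80 and 443 under the Tor-blocking rule, while the Allow rows would show port 8080 matched by a different rule (or no rule at all), which is exactly the evidence needed to justify widening the deny rule's destination ports to cover the web server's listening port.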

397
MCQ · medium

Your organization uses Microsoft Defender for Office 365. You want to automatically isolate a user's mailbox if a high-confidence phishing email is detected. Which Microsoft Sentinel automation should you use?

A. Configure a workbook to display the alert and manually isolate the mailbox.
B. Create a playbook that uses the Microsoft Graph API to apply a mailbox litigation hold or block access.
C. Enable the Office 365 connector and configure automatic response in the data connector.
D. Create a scheduled analytics rule that isolates the mailbox when triggered.
Answer: B

Playbooks can automate response actions using APIs.

Why this answer

Option B is correct because Microsoft Sentinel playbooks, built on Azure Logic Apps, can use the Microsoft Graph API to perform automated remediation actions like applying a mailbox litigation hold or blocking user access. This enables automatic isolation of a user's mailbox when a high-confidence phishing email is detected, which is a key incident response capability in Defender for Office 365.

Exam trap

The trap here is that candidates often confuse data connectors (which only ingest data) with automated response capabilities, or assume that analytics rules can directly execute remediation actions, when in fact only playbooks (or automation rules that invoke playbooks) can perform such actions.

How to eliminate wrong answers

Option A is wrong because workbooks are visualization tools for displaying data and alerts, not automation mechanisms; they cannot perform actions like mailbox isolation. Option C is wrong because the Office 365 data connector ingests logs and alerts into Sentinel but does not provide native automatic response configuration for mailbox isolation; automated responses require playbooks or custom logic. Option D is wrong because scheduled analytics rules only generate alerts based on query schedules; they cannot directly execute remediation actions like mailbox isolation — that requires a playbook or automation rule.

398
Multi-Select · hard

Which THREE of the following are valid ways to ingest logs into Microsoft Sentinel?

Select 3 answers
A. Syslog
B. Windows Event Logs
C. AWS CloudTrail
D. Azure Activity Log
E. Custom logs via direct API
Answers: A, C, D

Syslog is a standard data connector for Linux machines.

Why this answer

Syslog, Azure Activity Log, and AWS CloudTrail are valid data connectors. Windows Event Logs are ingested via the Windows Security Events connector, not directly. Custom logs can be ingested via API or Log Analytics agent, but not directly via a custom connector without configuration.

399
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Microsoft Defender for Cloud are ingested into Sentinel and that incidents are automatically created for alerts with severity 'High' or higher. You have already connected Microsoft Defender for Cloud to Sentinel using the data connector. However, no incidents are being created. What should you do?

A. Create an analytics rule that uses the SecurityAlert table and generates incidents for high severity.
B. Configure a streaming policy to forward Defender for Cloud incidents.
C. Enable 'Create incidents' in the Microsoft Defender for Cloud data connector.
D. Create an automation rule that runs on alert ingestion and creates incidents.
Answer: A

Correct: Analytics rules create incidents from alerts.

Why this answer

Option A is correct because the Defender for Cloud data connector only brings in alerts; to create incidents from them, you need an analytics rule. Option B is wrong because incident creation is not automatic from that connector. Option D is wrong because automation rules don't create incidents.

Option C is wrong because the connector does not have an incident creation toggle.

400
MCQ · easy

You are configuring Microsoft Sentinel to send email notifications to the SOC manager when a high-severity incident is created. What should you use?

A. Configure an analytics rule to send an email when an incident is created.
B. Create a playbook that sends an email and assign it to an automation rule.
C. Use a workbook to track incidents and configure an alert for email.
D. Add the SOC manager's email to a watchlist and configure a scheduled query.
Answer: B

Playbooks can send emails via connectors like Office 365.

Why this answer

Option B is correct because playbooks can be triggered by automation rules to send emails. Option A is wrong because alert rules do not send emails directly; they create alerts. Option C is wrong because workbooks are for visualization, not notifications.

Option D is wrong because watchlists are for reference data.

401
MCQhard

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. You need to create an automated playbook that, when a Microsoft Sentinel incident is created from a Defender for Cloud Apps alert, automatically suspends the user in Microsoft Entra ID and sends a notification to the security team. Which two connectors should you use in the playbook?

A.Microsoft Power BI and Microsoft Teams
B.Microsoft Entra ID and Microsoft Teams
C.Azure Automation and Microsoft Sentinel
D.Microsoft Entra ID and Outlook.com
AnswerB

Correct. Entra ID suspends user, Teams sends notification.

Why this answer

Option B is correct because the Microsoft Entra ID connector in Logic Apps can update the user (for example, set accountEnabled to false to block sign-in) and the Microsoft Teams connector can post the notification to a channel or chat. Option D is incorrect because the Outlook.com connector is the consumer mailbox connector, not an enterprise notification channel. Option A is incorrect because Power BI is for reporting, not user suspension.

Option C is incorrect because Azure Automation runs scripts and runbooks rather than acting on the user directly, and the Microsoft Sentinel connector only reads and updates incidents.

402
MCQhard

You are reviewing a Microsoft Sentinel analytics rule configuration. The rule is not generating incidents as expected. What is the most likely cause?

A.The queryFrequency and queryPeriod are mismatched.
B.The suppressionDuration is set to 5 hours, suppressing alerts.
C.The action type 'MFA disabled' is not supported in IdentityLogonEvents.
D.The query references a table that is not available in the Sentinel workspace.
AnswerD

IdentityLogonEvents is an advanced hunting table that reaches Sentinel only through the Microsoft Defender XDR connector.

Why this answer

Option D is correct because the query uses IdentityLogonEvents, an advanced hunting table populated from Microsoft Defender for Identity rather than from Microsoft Entra ID. It exists in the workspace only if the Microsoft Defender XDR connector has been enabled with that table selected; until then the rule's query fails or returns nothing and no incidents are produced. Option C is incorrect because the ActionType value the exhibit uses is valid for the table.

Option B is incorrect because suppression is disabled in the exhibit. Option A is incorrect because the query frequency matches the query period.

403
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all security alerts from Defender for Cloud are automatically ingested into Sentinel with the least latency. What should you configure?

A.Configure a custom API connector in Sentinel to pull alerts from Defender for Cloud REST API every 5 minutes.
B.Enable continuous export in Defender for Cloud to send alerts to a Log Analytics workspace and then create a scheduled query in Sentinel.
C.Use the Microsoft Defender for Cloud data connector in Sentinel to stream alerts.
D.Create a Logic App that triggers on Defender for Cloud alerts and sends them to Sentinel via the Azure Monitor HTTP Data Collector API.
AnswerC

The built-in data connector streams alerts in near real-time with minimal latency.

Why this answer

Option C is correct because the Microsoft Defender for Cloud connector (dating from the Azure Security Center era) streams alerts into SecurityAlert as they are raised, with no polling interval to wait for. Option D is incorrect because a Logic App adds its own run latency and the HTTP Data Collector API is the legacy custom-log path, which lands the alerts as custom log rows rather than Sentinel alerts. Option A is incorrect because a polling connector adds up to a full polling interval of delay.

Option B is incorrect because continuous export lands alerts in Log Analytics as raw data; Sentinel does not treat them as alerts or create incidents from them without the connector, and a scheduled query adds its own interval of delay.

404
Multi-Selectmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. The SOC team needs to investigate a cross-tenant incident. Which TWO actions should you take? (Choose two.)

Select 2 answers
A.Use the Microsoft Defender XDR unified incident queue to view incidents across tenants.
B.Install the Microsoft Sentinel solution for each tenant separately.
C.Onboard the tenants to Azure Lighthouse and delegate the Sentinel workspace.
D.Create a workspace query using the union operator to combine data from all tenants.
AnswersA, C

The unified incident queue aggregates incidents from all onboarded tenants.

Why this answer

Option A is correct because Microsoft Defender XDR's multi-tenant management view lists incidents from every tenant the analyst has been granted access to, so a cross-tenant incident can be triaged from one queue. Option C is correct because Azure Lighthouse delegates each customer's Sentinel workspace to the managing tenant; with the delegation in place the managing tenant sees those workspaces' incidents and data in its own Sentinel view and can query across them. Option B is wrong because Sentinel is already deployed per workspace; reinstalling solutions does not join tenants.

Exam trap

The trap here is that candidates confuse cross-workspace queries (which combine log data) with cross-tenant incident management, assuming the union operator can unify incidents when it only merges raw log tables, not the incident entities themselves.

405
MCQhard

You have a Microsoft Sentinel automation rule that triggers a playbook. The playbook definition is shown in the exhibit. The playbook runs but no email is sent. What is the most likely cause?

A.The JSON syntax is invalid.
B.The email operation 'SendEmailV2' is deprecated.
C.The playbook uses a recurrence trigger instead of a Microsoft Sentinel trigger.
D.The connection name 'office365' is incorrect.
AnswerC

Automation rules require a Sentinel-specific trigger; recurrence triggers don't receive incident context.

Why this answer

The playbook definition shows a Recurrence trigger. A playbook run by an automation rule must start with the Microsoft Sentinel incident trigger (or the alert trigger for alert-triggered rules); those triggers deliver the incident or alert context, whereas a recurrence trigger is for scheduled playbooks and receives nothing from the rule. Option C is correct.

Option D is wrong because 'office365' is the usual connection name for the Office 365 Outlook connector and is valid. Option A is wrong because the JSON is valid. Option B is wrong because SendEmailV2 is the current operation of that connector.

406
MCQhard

Refer to the exhibit. You create an automation rule in Microsoft Sentinel using the ARM template snippet shown. However, the rule does not trigger when a high-severity incident is created. What is the most likely cause?

A.The playbook resource ID is invalid.
B.The 'triggersWhen' property should be 'Updated' instead of 'Created'.
C.The order property is set to 1, conflicting with another rule.
D.The automation rule does not specify the incident provider condition.
AnswerD

Missing provider condition prevents triggering.

Why this answer

Option D is correct because the snippet has no Incident provider condition specifying which provider's incidents (for example, Microsoft Defender XDR) the rule applies to; without it, the rule may not fire for incidents from certain providers. Option A is wrong because the playbook is referenced by a valid resource ID.

Option C is wrong because order 1 simply makes the rule run first; it is not a conflict. Option B is wrong because the rule is meant to fire on creation, and 'Created' is the right value.

407
MCQeasy

Your organization is migrating from Azure Active Directory to Microsoft Entra ID. You need to ensure that Microsoft Sentinel continues to receive identity logs. What should you do?

A.Install the new Microsoft 365 Defender connector for identity logs.
B.No action is required; the existing connector automatically updates.
C.Reconfigure the diagnostic settings to send logs to a new Log Analytics workspace.
D.Create a new data connector for Microsoft Entra ID.
AnswerB

Microsoft Entra ID is the new name for Azure Active Directory; the service and its connector are unchanged.

Why this answer

Option B is correct because the change is a rename: Microsoft Entra ID is the same identity service, and its diagnostic settings and the Microsoft Entra ID connector (SigninLogs, AuditLogs and the other Entra tables) keep working unchanged. Option A is wrong because the Defender XDR connector delivers Defender XDR incidents and advanced hunting tables, not the Entra sign-in and audit logs. Option C is wrong because a new workspace would only split the data.

Option D is wrong because the existing connector already covers Entra ID; there is no separate connector to migrate to.

408
MCQmedium

Your organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You notice that MDI alerts are not appearing in Sentinel. You have already installed the MDI data connector and configured the workspace. What is the most likely cause?

A.The workspace is in a different region than MDI
B.The Microsoft 365 Defender connector is not installed
C.The data connector is not enabled, even though it is installed
D.Microsoft Defender for Identity is not licensed
AnswerC

Installing a connector does not enable it; you must also enable it in the Sentinel connectors page.

Why this answer

Option C is correct because installing the connector from the content hub only makes it available; it has to be opened and connected (enabled) on the Data connectors page before data flows. Option B is wrong because the standalone MDI connector works without the Defender XDR connector (the Defender XDR connector is the newer route for the same alerts, but its absence does not block the MDI one). Option A is wrong because the workspace region does not affect ingestion.

Option D is wrong because a missing license would leave no MDI alerts to ingest at all, whereas the scenario describes a connector that has been set up but not enabled.

409
MCQmedium

Your SOC team uses Microsoft Sentinel to manage incidents. You want to categorize incidents based on the MITRE ATT&CK technique. You notice that some incidents are not being tagged with the correct technique. What should you check first?

A.The playbook assigned to the incident is overriding the technique tag.
B.The incident creation rule in the automation section is misconfigured.
C.The data connector for the source service is not ingesting the required fields.
D.The analytics rule that generated the incident has the correct MITRE ATT&CK technique selected.
AnswerD

The rule defines the technique mapping.

Why this answer

Option D is correct because the MITRE ATT&CK tactic and technique on an incident come from the analytics rule that produced it (the rule's 'Tactics and techniques' setting); if the rule has none or the wrong one selected, the incident carries the wrong tag. Option B is wrong because incident creation settings control whether and how alerts are grouped into incidents, not tagging.

Option C is about data ingestion; the connector's fields have no bearing on the rule's technique mapping. Option A is about automation after creation, not the initial mapping.
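A quick way to find the rules that need their tactic or technique set is to look at the alerts they have already produced. The query below is an added example, not part of the original question; it assumes the standard SecurityAlert table, and the ProviderName value for Sentinel scheduled rules is assumed to be the current one (confirm with `SecurityAlert | distinct ProviderName` if nothing comes back).

```kusto
// Added example: scheduled-rule alerts from the last week that carry no tactic
// or no technique, grouped by rule name. Every row is a rule whose
// "Tactics and techniques" setting needs attention.
SecurityAlert
| where TimeGenerated > ago(7d)
| where ProviderName == "ASI Scheduled Alerts"   // assumed provider name for scheduled rules
| where isempty(Tactics) or isempty(Techniques)
| summarize Alerts = count(),
            Latest = max(TimeGenerated),
            MissingTactic = countif(isempty(Tactics)),
            MissingTechnique = countif(isempty(Techniques)) by AlertName
| order by Alerts desc
```

AlertName is the rule's display name, so the list maps directly onto the analytics rules to edit.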

410
Multi-Selecthard

Which THREE components are required to automate incident response in Microsoft Sentinel using playbooks? (Choose three.)

Select 3 answers
A.An automation rule in Sentinel.
B.A Logic Apps workflow.
C.A workbook.
D.An analytics rule.
E.A trigger (e.g., when an incident is created).
AnswersA, B, E

Automation rules trigger playbooks.

Why this answer

Option B is correct because playbooks are Azure Logic Apps workflows. Option A is correct because an automation rule is what runs the playbook when an incident is created or updated. Option E is correct because the workflow needs a trigger, and for a playbook run by an automation rule it must be the Microsoft Sentinel incident (or alert) trigger.

Option D is wrong because analytics rules create incidents; they are not part of the response automation itself. Option C is wrong because workbooks are for visualization, not automation.

411
MCQeasy

Your organization uses Microsoft Sentinel for security operations. You need to ensure that a specific AWS CloudTrail log is ingested into Microsoft Sentinel. Which data connector should you use?

A.AWS CloudTrail Connector
B.Amazon Web Services S3 Connector
C.Azure Functions (AWS)
D.AWS Security Hub Connector
AnswerB

The AWS S3 connector ingests CloudTrail logs.

Why this answer

The Amazon Web Services S3 Connector is the correct choice because CloudTrail delivers its logs as compressed JSON objects to an S3 bucket. The connector assumes an IAM role in the AWS account through OpenID Connect, subscribes to an SQS queue that receives the bucket's object-created notifications, and pulls each new object into the AWSCloudTrail table in the Log Analytics workspace. The older Amazon Web Services (CloudTrail) connector polled the CloudTrail API through an assumed role and is the legacy path that the S3 connector supersedes.

Exam trap

The trap here is that candidates confuse the legacy AWS CloudTrail Connector (Option A) with the modern Amazon Web Services S3 Connector, assuming the name 'CloudTrail' is the correct match, when in fact the S3 connector is the current recommended method for ingesting CloudTrail logs.

How to eliminate wrong answers

Option A is wrong because the CloudTrail connector is the legacy, role-based polling connector that Microsoft has superseded with the Amazon Web Services S3 Connector. Option C is wrong because Azure Functions is a generic compute service used by some custom connectors, not a dedicated data connector for CloudTrail logs. Option D is wrong because the AWS Security Hub Connector ingests Security Hub findings, not raw CloudTrail records.

412
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from a specific app for users outside the corporate network. What should you configure?

A.A session policy
B.An anomaly detection alert
C.A file policy
D.An access policy
AnswerA

Session policies can block downloads based on location.

Why this answer

Option A is correct because a session policy, enforced through Conditional Access App Control, governs actions inside an already-permitted session, and 'block download' filtered on location or IP address tag is exactly such an action. Option D is for access policies, which allow or block the sign-in to the app as a whole rather than a single action within it.

Option B is for alerts on anomalous behavior, not enforcement. Option C, a file policy, governs files at rest in the connected app (classification, sharing), not live downloads.

413
MCQhard

Refer to the exhibit. A KQL query is used in a Microsoft Sentinel scheduled analytics rule to detect unhealthy agents. The rule runs every 5 minutes and has a lookback period of 5 minutes. What is the potential issue?

A.The query will return all computers as unhealthy because the threshold is too high.
B.The query will not return any results because Heartbeat data is not in the workspace.
C.The query may miss agents with no heartbeat in the last 5 minutes due to the lookback period matching the run frequency.
D.The query will cause a runtime error because ago() is misused.
AnswerC

The lookback is too short to see agents that have already gone quiet.

Why this answer

Option C is correct. A query that looks for agents that have stopped sending heartbeats can only report computers that have at least one row in its time window; an agent that has been silent longer than the 5-minute lookback has no rows there, so it disappears from the results instead of showing up as unhealthy. Agents that report less often than every 5 minutes also drop in and out of the window between runs. The lookback therefore has to cover at least the expected heartbeat interval plus the staleness threshold, and the query should compare each computer's last heartbeat against that threshold rather than rely on the window edge.

Exam trap

The trap here is that candidates assume matching the lookback to the run frequency ensures complete coverage, but they overlook that the data source (Heartbeat) may have a longer generation interval, causing missed detections.

How to eliminate wrong answers

Option A is wrong because the threshold is not specified in the query or rule configuration; the issue is about timing, not threshold values. Option B is wrong because Heartbeat data is a standard data type collected by the Log Analytics agent and is typically present in the workspace; the query assumes it exists. Option D is wrong because ago() is used correctly in KQL to reference a time range relative to the current time; there is no misuse that would cause a runtime error.
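A rule that avoids the gap looks back much further than it runs and compares each agent's last heartbeat to an explicit threshold. The query below is an added example, not the exhibit's query; StaleAfter is an assumed threshold (Azure Monitor Agent sends a heartbeat about once a minute), and the rule's lookback (query period) must cover the same 1-day window the query uses.

```kusto
// Added example: agents whose last heartbeat is older than StaleAfter.
// The window is deliberately much longer than the rule frequency so that an
// agent that stopped reporting hours ago still has rows to be found by.
let StaleAfter = 15m;   // assumed staleness threshold
Heartbeat
| where TimeGenerated > ago(1d)
| summarize LastHeartbeat = max(TimeGenerated) by Computer, OSType, Category
| where LastHeartbeat < ago(StaleAfter)
| extend SilentFor = now() - LastHeartbeat
| project Computer, OSType, Agent = Category, LastHeartbeat, SilentFor
| order by SilentFor desc
```

Run it every 5 minutes with a 1-day lookback. Because the same stale agent matches on every run, group alerts by Computer in the rule's event grouping and set a suppression at least as long as StaleAfter, otherwise one dead agent produces an alert every 5 minutes.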

414
Multi-Selectmedium

Which THREE actions are recommended practices for managing Microsoft Sentinel costs?

Select 3 answers
A.Set daily caps on high-volume tables.
B.Use Basic Logs tier for verbose logs.
C.Implement ingestion-time data transformation to filter out noise.
D.Ingest all logs to ensure complete visibility.
E.Increase retention period to 1 year for all tables.
AnswersA, B, C

Prevents runaway costs.

Why this answer

A daily cap is a recommended safeguard because it prevents unexpected cost overruns from a runaway source: Microsoft Sentinel bills per GB ingested, and verbose sources such as Windows event logs in SecurityEvent or firewall logs in CommonSecurityLog are where volume spikes happen. Note that the cap is set at workspace level and, once reached, stops ingestion of every table until the daily reset, security-relevant tables included, so treat it as a guardrail rather than a tuning control. Table-level cost control comes from the other two answers: moving verbose, rarely queried tables to the Basic plan, and ingestion-time transformations that drop noise before it is billed.

Exam trap

The trap here is that candidates often confuse 'complete visibility' (Option D) with best practice, but Microsoft Sentinel explicitly recommends filtering noise at ingestion to reduce costs and improve signal-to-noise ratio, not ingesting everything.
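Two queries that put these practices into use, added here as an example and not part of the original question. The first, over the standard Usage table, finds the tables carrying the billable volume so that caps, Basic plans and transformations are aimed at the right targets. The second is the body of an ingestion-time transformation (the transformKql property of a data collection rule) for the SecurityEvent stream; `source` is the fixed name of the incoming stream, and the EventID allow-list is an assumption to tune against the analytics rules you actually run.

```kusto
// Added example 1: billable volume per table over the last 30 days.
// Usage.Quantity is in MB, hence the division to GB.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
| take 15

// Added example 2: transformKql for the SecurityEvent stream. Keeps logon,
// privilege, process, scheduled-task, account-management and Kerberos/NTLM
// events; the assumed list below should match your detection content.
source
| where EventID in (1102, 4624, 4625, 4648, 4672, 4688, 4698, 4720, 4722, 4724,
                    4728, 4732, 4756, 4768, 4769, 4776)
```

In the Logs editor the two queries run separately (place the cursor in the one you want). Check the first query again a week after deploying the transformation; the SecurityEvent row should drop, and if a detection starts returning nothing, an EventID it needs is missing from the list.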

415
Multi-Selectmedium

Which TWO roles are included in Microsoft Sentinel built-in roles? (Choose two.)

Select 2 answers
A.Microsoft Sentinel Responder
B.Microsoft Sentinel Administrator
C.Microsoft Sentinel Reader
D.Microsoft Sentinel Operator
E.Global Administrator
AnswersA, C

Responder is a built-in role for incident triage.

Why this answer

Microsoft Sentinel's built-in roles are Reader, Responder, Contributor, Playbook Operator and Automation Contributor. Operator on its own is not a built-in role. Global Administrator is a Microsoft Entra ID role, not a Sentinel role.

416
Multi-Selecthard

Which THREE conditions can you use to trigger a Microsoft Sentinel scheduled analytics rule?

Select 3 answers
A.Custom threshold on a specific field
B.Query results include a specific IP address
C.Query results contain a specific entity type
D.Number of query results exceeds a threshold
E.Time since last alert for a given entity exceeds a value
AnswersA, C, D

Rules can trigger when a custom field meets a condition.

Why this answer

Option A is correct because Microsoft Sentinel scheduled analytics rules allow you to set a custom threshold on a specific field within the query results. This condition triggers an alert when the aggregated value of that field (e.g., count, sum, or average) meets or exceeds the defined threshold, enabling precise detection of anomalies like excessive failed logins from a single user.

Exam trap

The trap here is that candidates confuse the query's own filtering (for example, a where clause on a specific IP address) with a rule-level trigger condition. Matching a particular IP or checking the time since the last alert is done inside the KQL; the rule itself only offers the listed conditions (a threshold on an aggregated field, the entity type the results map to, and the result count) to decide whether an alert is generated.

417
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A new security policy requires that all incidents involving 'Credential Access' tactics be automatically assigned to the Tier 1 SOC team and have a severity of 'High'. You need to configure this automation. What should you do?

A.Configure an automated investigation rule in Microsoft Defender XDR to assign incidents.
B.Create a playbook in Microsoft Sentinel that runs on incident creation and assigns the incident to Tier 1 SOC.
C.Create an automation rule in Microsoft Sentinel with conditions for tactic 'Credential Access' and actions to assign to Tier 1 SOC and set severity to High.
D.Modify the analytics rule that generates the incidents to include the assignment and severity settings.
AnswerC

Correct: Automation rules can set incident properties based on conditions.

Why this answer

Option C is correct because an automation rule can trigger when an incident is created, carry a condition on the incident's tactics (Tactic contains Credential Access), and take the built-in actions of assigning an owner and changing severity, all without a playbook. Option B is wrong because a playbook cannot run by itself on incident creation; an automation rule has to invoke it, and for owner and severity the rule's own actions suffice. Option D is wrong because an analytics rule sets the initial severity of the incidents it creates but has no assignment setting and cannot change incidents afterwards.

Option A is wrong because automated investigation in Microsoft Defender XDR remediates threats; it does not assign or re-classify Sentinel incidents.

418
MCQeasy

Refer to the exhibit. You execute the Azure CLI command to create an analytics rule in Microsoft Sentinel. The rule is created but never triggers. What is the most likely cause?

A.The query references a column that does not exist in SigninLogs
B.The --enabled parameter should be set to false
C.The severity must be set to Low for the rule to trigger
D.The resource group name is incorrect
AnswerA

KQL column names are case-sensitive: in the SigninLogs table the column is RiskLevelDuringSignIn, so the camelCase spelling riskLevelDuringSignIn from the raw sign-in JSON matches nothing.

Why this answer

Option A is correct because if the KQL query in the analytics rule references a column that does not exist in the SigninLogs table, the query will run but return zero results (or an error depending on the query structure), causing the rule to never trigger an alert. In Microsoft Sentinel, analytics rules rely on the query to produce matching results; if the column name is misspelled or absent, no events will match the rule conditions, so no incidents are generated.

Exam trap

The trap here is that candidates may assume a rule creation success means the query is valid, but Microsoft Sentinel does not validate column existence in KQL queries at creation time—only at execution time, leading to silent failures.

How to eliminate wrong answers

Option B is wrong because setting --enabled to false would disable the rule entirely, but the question states the rule is created and never triggers—implying it is enabled but not firing; the issue is not about the enabled state. Option C is wrong because severity (Low, Medium, High) does not affect whether a rule triggers; severity only determines the classification of the incident once the rule fires. Option D is wrong because if the resource group name were incorrect, the Azure CLI command would fail during creation with a resource-not-found error, but the rule was successfully created, so the resource group name is valid.
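Two checks to run before a query goes into a rule, added here as an example (not the exhibit's CLI command or query); they assume the standard SigninLogs table. The first confirms the column exists with its exact spelling and type; the second confirms the rule's condition matches real rows over the intended lookback, since a rule whose query returns zero rows never fires and never errors.

```kusto
// Added example 1: does the column exist, and how is it spelled?
// getschema lists every column with its type; filter to the ones of interest.
SigninLogs
| getschema
| where ColumnName has "risk"
| project ColumnName, ColumnType

// Added example 2: does the rule's filter actually match anything today?
// The risk-level values are the lowercase strings Entra ID emits.
SigninLogs
| where TimeGenerated > ago(1d)
| where RiskLevelDuringSignIn in ("medium", "high")
| summarize SignIns = count(), Users = dcount(UserPrincipalName) by RiskLevelDuringSignIn, ResultType
| order by SignIns desc
```

If the first query lists RiskLevelDuringSignIn but the second returns nothing, the rule is syntactically fine and simply has no matching data yet; test it by temporarily loosening the filter rather than by waiting for a real risky sign-in.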

419
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule created via ARM template. You notice that the rule is not triggering the playbook when a high-severity incident is created. What is the most likely cause?

A.The playbook resource ID is missing the 'locations' parameter.
B.The automation rule is disabled by default and needs to be enabled.
C.The playbook does not have a trigger for Microsoft Sentinel.
D.The condition syntax is invalid; automation rules in ARM templates require specific operator properties.
AnswerD

The condition must use a valid operator like 'equals'.

Why this answer

Option D is correct because automation rules in ARM templates require explicit operator properties (e.g., 'Equals', 'Contains') in the condition syntax. If the condition is written without these operators or uses invalid JSON structure, the rule will fail to evaluate triggers correctly, preventing the playbook from being invoked when a high-severity incident is created.

Exam trap

Microsoft often tests the nuance that ARM templates require explicit operator properties in automation rule conditions, while the portal UI may hide this complexity, leading candidates to overlook syntax validation errors.

How to eliminate wrong answers

Option A is wrong because the playbook's resource ID consists of the subscription, resource group and Logic App name; there is no 'locations' parameter. Option B is wrong because a rule deployed from a template is enabled unless its triggeringLogic sets isEnabled to false. Option C is wrong only because the exhibit's playbook already starts with the Microsoft Sentinel incident trigger; in practice an automation rule can run only a playbook that begins with that trigger, so a missing Sentinel trigger is the first thing to check whenever a playbook is not invoked.

420
MCQmedium

You are a SOC analyst using Microsoft Defender XDR. You notice that a user's account has been compromised and is being used to send phishing emails. You need to prevent the user from sending any more emails while preserving the ability to receive emails for investigation. What should you do?

A.Remove the user's Microsoft 365 license.
B.Disable the user account in Microsoft Entra ID.
C.Restrict the user from sending email using Microsoft Defender for Office 365 mailbox restrictions.
D.Delete the user's mailbox in Exchange Online.
AnswerC

This blocks outgoing email while allowing incoming email for investigation.

Why this answer

Option C is correct: Defender for Office 365 can place a sending restriction on the mailbox (the same control applied to accounts on the Restricted entities page after they are flagged for outbound spam or phishing), which stops outbound mail while inbound mail still arrives for investigation. Option B is wrong because disabling the account in Entra ID blocks every sign-in and service, not just outbound mail.

Option D is wrong because deleting the mailbox destroys the evidence. Option A is wrong because removing the license removes the user's access to all Microsoft 365 services and, after the grace period, the mailbox itself.

421
Multi-Selecthard

Which THREE components are part of Microsoft's unified security operations platform (Microsoft Defender XDR)?

Select 3 answers
A.Microsoft Defender for Endpoint.
B.Microsoft Intune.
C.Microsoft Defender for Office 365.
D.Microsoft Defender for Identity.
E.Microsoft Sentinel.
AnswersA, C, D

Defender for Endpoint is a core component of Microsoft Defender XDR.

Why this answer

Microsoft Defender XDR is Microsoft's unified security operations platform that integrates signals from across the Microsoft 365 ecosystem. Microsoft Defender for Endpoint is a core component, providing endpoint detection and response (EDR) capabilities, including behavioral-based detection, automated investigation, and threat hunting on Windows, macOS, Linux, Android, and iOS devices. It contributes telemetry such as process creation, network connections, and file events to the unified incident and alert correlation in the Defender XDR portal.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel as a component of Microsoft Defender XDR, when in fact Sentinel is a separate SIEM that can ingest data from Defender XDR but is not part of the unified platform itself.

422
MCQhard

Refer to the exhibit. You have an automation rule in Microsoft Sentinel configured as shown. An analyst reports that low-severity incidents are not being closed automatically. The rule is enabled and has the highest order. What is the most likely reason?

A.The rule is triggered by alerts, not incidents.
B.The automation rule does not have the required permissions to modify incidents.
C.The rule is set to close incidents with classification 'TruePositive' but low-severity incidents are not true positives.
D.The rule is disabled due to a conflict with another rule.
AnswerB

The identity that performs the rule's action must hold a role that can modify incidents.

Why this answer

Option B is correct. The rule as shown triggers on incident creation, conditions on Low severity and closes the incident, so its logic matches what the analyst expects; when a correctly formed, enabled, first-in-order rule still does not change incidents, the remaining cause is permissions: the identity the action runs under lacks a role that can modify incidents (Microsoft Sentinel Responder or Contributor on the workspace).

Option A is wrong because the rule triggers on incident creation, not alert creation. Option D is wrong because the rule is enabled. Option C is wrong because the rule closes incidents regardless of classification.

423
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to ensure that incidents generated in Microsoft 365 Defender are automatically synchronized to Microsoft Sentinel. What should you configure?

A.Set up an automation rule to import incidents
B.Configure the Microsoft Sentinel connector in Microsoft Defender XDR
C.Create an analytics rule to query Defender XDR data
D.Enable the Microsoft Defender XDR data connector in Microsoft Sentinel
AnswerD

This connector synchronizes incidents automatically.

Why this answer

Option D is correct because the Microsoft Defender XDR connector in Microsoft Sentinel synchronizes Defender XDR incidents, with their alerts and entities, into Sentinel as they are created and updated. Status, owner and closing reason are kept in sync in both directions, so no automation rule or analytics query is needed to import them.

Exam trap

The trap here is that candidates often confuse automation rules (which handle incident orchestration) with data connectors (which handle ingestion), leading them to select Option A instead of the correct data connector configuration.

How to eliminate wrong answers

Option A is wrong because automation rules in Sentinel are used to automate responses to incidents already in Sentinel, not to import incidents from external sources. Option B is wrong because the Microsoft Sentinel connector in Microsoft Defender XDR is not a standard configuration; the data flow is from Defender XDR to Sentinel, not the reverse, and the connector is configured in Sentinel, not in Defender XDR. Option C is wrong because analytics rules query data already ingested into Sentinel to generate new incidents, but they cannot import or synchronize existing incidents from Microsoft 365 Defender.

424
Multi-Selectmedium

Which TWO of the following are valid methods to ingest custom logs into Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Use Windows Event Forwarding to send custom logs to Sentinel.
B.Use the Azure Monitor Agent to collect custom logs via data collection rules.
C.Use the Application Insights connector to ingest custom logs.
D.Configure the Log Analytics agent to collect custom logs from a file.
E.Configure the syslog daemon to forward custom application logs.
AnswersB, D

AMA supports custom log ingestion via DCRs.

Why this answer

Options B and D are correct. The Azure Monitor Agent collects custom text (and JSON) log files through a data collection rule that targets a custom table (B), and the legacy Log Analytics agent collected custom logs from a file path through the workspace's custom logs setting (D). The Log Analytics agent was retired in August 2024, so B is the path for any new deployment. Option A is wrong because Windows Event Forwarding moves Windows events, not application log files.

Option E is wrong because syslog forwarding carries syslog messages, not arbitrary custom log files. Option C is wrong because Application Insights telemetry is not a Sentinel custom-log path.

425
MCQhard

Refer to the exhibit. You are deploying an Azure Resource Manager (ARM) template to create a saved search in Microsoft Sentinel. However, the template does not create an analytics rule. What is missing to turn this saved search into a scheduled analytics rule?

A.A Schedule section with frequency and period
B.An IncidentConfiguration section
C.A Microsoft.OperationalInsights/workspaces/savedSearches/schedules resource
D.A Query property with a valid KQL
AnswerC

A saved search only stores a query; something has to schedule it and turn matches into alerts.

Why this answer

Option C is correct because, in this template form, a saved search becomes a scheduled alert only when a schedules resource (Microsoft.OperationalInsights/workspaces/savedSearches/schedules) is attached to it with the run interval and query window. In practice the current way to define a Sentinel rule is a Microsoft.SecurityInsights/alertRules resource of kind Scheduled, which carries the query, queryFrequency and queryPeriod, the trigger threshold and the incident configuration in one place, without a saved search at all. Option B is wrong because incidentConfiguration is a property of the alert rule, not of a saved search. Option D is wrong because the saved search already has a query.

Option A is wrong because a saved search resource has no schedule section of its own; frequency and period live on the schedule or the alert rule resource.

426
Multi-Selecthard

Which THREE components are required to enable automated investigation and response (AIR) in Microsoft Defender XDR for alerts from Microsoft Defender for Identity?

Select 3 answers
A.Microsoft Sentinel workspace configured to ingest Defender for Identity alerts.
B.Automated investigation and response enabled in Microsoft Defender XDR.
C.A Microsoft 365 E5 license.
D.Microsoft Defender for Identity onboarded and connected to Microsoft Defender XDR.
E.A custom playbook in Microsoft Sentinel.
AnswersB, C, D

AIR must be turned on.

Why this answer

Option B is correct because automated investigation and response (AIR) must be explicitly enabled in Microsoft Defender XDR to allow the platform to automatically respond to alerts. Without this setting enabled, even if other components are in place, the system will not trigger automated actions for Defender for Identity alerts.

Exam trap

The trap here is that candidates often confuse the need for a SIEM (Sentinel) or custom automation (playbooks) with the built-in, native AIR capabilities of Microsoft Defender XDR, leading them to select unnecessary components like A or E.

427
MCQeasy

Your organization uses Microsoft Sentinel and has a requirement to retain log data for two years for compliance purposes. You have configured the Log Analytics workspace with a retention policy of 90 days. You need to extend the retention to two years while minimizing costs. The data must remain queryable. What should you do?

A.Increase the workspace retention to 730 days.
B.Export logs to Azure Blob Storage with cool access tier.
C.Enable unlimited retention for the workspace.
D.Configure an archive policy to move older data to Azure Storage hot tier and use Log Analytics workspace archive retention.
AnswerD

Long-term (archive) retention keeps data reachable at a fraction of the interactive retention price.

Why this answer

Option D is correct because Log Analytics long-term retention keeps data in the workspace beyond the interactive retention period at a much lower rate; total retention can be set per table or per workspace, and archived data is reached through a search job or a restore, which satisfies the requirement that the data stay queryable for compliance pulls. Note that this is a workspace setting: no Azure Storage account or access tier is involved, and data in the archived state is not returned by ordinary interactive queries. Option A keeps two years fully interactive but pays the interactive rate for all of it. Option B is cheap but the exported blobs cannot be queried from Sentinel. Option C does not exist; retention has defined limits, and the archive tier is the longest of them.

428
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that an external user from a partner organization can access a specific Sentinel workbook without having access to the entire Log Analytics workspace. What should you do?

A.Create a new Log Analytics workspace dedicated to the external partner and deploy the workbook there.
B.Use Azure AD B2B collaboration to invite the external user and assign the Sentinel Reader role on the workbook.
C.Share the workbook as a shared dashboard in the Azure portal.
D.Add the external user to the resource group containing the workspace with Reader role.
AnswerB

Azure AD B2B allows external user access with fine-grained RBAC on the workbook.

Why this answer

Azure AD B2B collaboration allows you to invite an external user from a partner organization into your Azure AD tenant. By assigning the Sentinel Reader role specifically on the workbook resource (not the workspace), the user can view the workbook without gaining access to the underlying Log Analytics workspace data or other Sentinel resources. This meets the requirement of granular, scoped access.

Exam trap

The trap here is that candidates confuse sharing a workbook (which requires RBAC on the workbook resource) with sharing a dashboard (which is a visual-only artifact in the Azure portal and does not grant any data access permissions).

How to eliminate wrong answers

Option A is wrong because creating a dedicated Log Analytics workspace for the partner is unnecessary overhead and still requires managing separate data ingestion and retention, whereas the requirement is to share only a specific workbook. Option C is wrong because sharing a workbook as a shared dashboard in the Azure portal does not grant the external user access to the workbook’s underlying data queries or Sentinel context; dashboards are visual only and cannot enforce Sentinel RBAC. Option D is wrong because adding the external user to the resource group with Reader role grants them read access to all resources in that group, including the entire Log Analytics workspace and its data, which violates the requirement to restrict access to only the workbook.

429
MCQhard

Your organization uses Microsoft Sentinel with UEBA enabled. You notice that the UEBA entity pages are not showing any insights for Azure resources. What is the most likely cause?

A.UEBA is not enabled for the workspace.
B.The user accounts are not synchronized with Microsoft Entra ID.
C.The Azure Activity data connector is not configured.
D.The resource context data is not being ingested from Azure Resource Manager.
AnswerD

Resource context is needed for Azure resource insights in UEBA.

Why this answer

UEBA entity pages for Azure resources rely on resource context data, which includes metadata about Azure resources such as virtual machines, storage accounts, and their activities. This data is ingested from Azure Resource Manager (ARM) via the Azure Activity data connector. If the resource context data is not being ingested, UEBA cannot correlate activities to specific Azure resources, resulting in no insights on entity pages.

Option D correctly identifies this missing data source as the root cause.

Exam trap

The trap here is that candidates often confuse the Azure Activity data connector (which handles subscription-level logs) with the Azure Resource Manager data connector (which provides resource context data), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because UEBA is explicitly stated as enabled in the question, so the issue is not about UEBA being disabled. Option B is wrong because user accounts not synchronized with Microsoft Entra ID would affect user entity insights, not Azure resource insights, which are based on resource metadata rather than user identities. Option C is wrong because the Azure Activity data connector is responsible for ingesting Azure subscription-level logs (e.g., resource creation, deletion), but the specific data needed for UEBA resource insights is the resource context data from ARM, which is a separate ingestion pipeline; the connector alone does not guarantee resource context data is being ingested.

430
MCQhard

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You have enabled bi-directional incident synchronization. The SOC team uses Microsoft Teams to collaborate on incidents. They have configured a playbook that posts incident details to a Teams channel whenever an incident is created. Recently, the playbook stopped posting messages. You check the playbook's run history in Azure Logic Apps and see that the run was successful with a 200 status code from the Teams connector. However, no message appears in the channel. You verify that the Teams webhook URL is correct and that the channel is active. What is the most likely cause?

A.The Microsoft Teams connector is not installed in the Logic Apps environment.
B.The playbook is disabled and needs to be re-enabled.
C.The service principal or managed identity used by the Logic App has lost permissions to post messages in the Teams channel.
D.The Teams channel has been deleted and re-created with a different ID.
AnswerC

Permissions can expire or be revoked, causing the message to fail silently.

Why this answer

Option C is correct because the Teams connector may require specific permissions that were changed or expired. Even though the HTTP request succeeded, the message might be blocked by Teams permissions. Option A is wrong because the connector is working (HTTP 200).

Option B is wrong because the run history shows the playbook ran successfully, so it is not disabled. Option D is wrong because the webhook URL is correct and the channel is active.

431
MCQeasy

Your organization uses Microsoft Defender for Endpoint. You need to ensure that when a malware alert is generated, an automated investigation is triggered. What should you configure?

A.Configure the Action center settings.
B.Create custom indicators of compromise (IOCs).
C.Use threat analytics to trigger investigations.
D.Enable automated investigation and remediation in the Microsoft 365 Defender portal.
AnswerD

This setting enables automatic investigation on alerts.

Why this answer

Defender for Endpoint has automated investigation and remediation settings that can be enabled. Option D is correct. Option A is wrong because the Action center is for reviewing actions, not configuring automation.

Option B is wrong because indicators are for blocking, not automated investigations. Option C is wrong because threat analytics provides reports, not automated investigation triggers.

432
MCQmedium

Your organization uses Microsoft Defender XDR. You need to ensure that alerts from Microsoft Defender for Identity are automatically correlated with alerts from Microsoft Defender for Endpoint in the unified incidents queue. What should you verify?

A.Microsoft Defender for Office 365 is enabled
B.Microsoft Defender XDR incident correlation is enabled
C.Microsoft Sentinel is connected to Microsoft Defender XDR
D.Custom detection rules are created in Microsoft 365 Defender
AnswerB

This setting aggregates alerts from all Defender workloads.

Why this answer

Automatic correlation requires that both workloads are integrated and the unified incident feature is enabled. Option B is correct. Option A is for MDO, not correlation.

Option C is for Sentinel, not Defender XDR. Option D is for custom detections, not correlation.

433
MCQmedium

You are managing Microsoft Defender for Cloud Apps. You discover that a user is downloading large amounts of data from a sanctioned cloud app. You need to automatically suspend the user's access when the download exceeds 5 GB in 10 minutes. What should you create?

A.An anomaly detection policy with a mass download detection template.
B.A session policy to block downloads.
C.An app connector for the cloud app.
D.A data loss prevention (DLP) policy in Microsoft Purview.
AnswerA

Anomaly detection policies can detect mass download and suspend user access.

Why this answer

An anomaly detection policy in Microsoft Defender for Cloud Apps can detect unusual user behavior, such as mass file downloads, using predefined templates like 'Mass download by a single user'. This policy can be configured to trigger automatic governance actions, including suspending the user, when the download exceeds a threshold like 5 GB in 10 minutes. It directly addresses the need to automatically suspend access based on volume and time.

Exam trap

The trap here is that candidates often confuse session policies (which block actions in real-time) with anomaly detection policies (which trigger automated responses like suspension based on behavioral patterns), leading them to choose Option B instead of A.

How to eliminate wrong answers

Option B is wrong because a session policy blocks downloads in real-time but does not automatically suspend the user's access; it only prevents the download action during the session. Option C is wrong because an app connector is used to connect Defender for Cloud Apps to a cloud app for visibility and control, but it does not create policies to suspend users based on download thresholds. Option D is wrong because a DLP policy in Microsoft Purview focuses on preventing data loss by inspecting content (e.g., sensitive information) rather than monitoring download volume or triggering user suspension based on size and time.

434
MCQhard

Your organization has a Microsoft Sentinel workspace that ingests data from multiple sources. You notice that the cost of data ingestion is higher than expected. You need to reduce costs without affecting security visibility. Which action should you take?

A.Reduce the data retention period for all tables to 30 days.
B.Disable the collection of Windows event logs from domain controllers.
C.Configure specific tables to use the Basic Logs tier instead of Analytics Logs.
D.Export logs to Azure Storage and use Azure Data Explorer for analysis.
AnswerC

Basic Logs are cheaper and suitable for verbose logs that are less frequently queried.

Why this answer

Basic Logs in Microsoft Sentinel are a lower-cost option for high-volume, verbose logs that are used for infrequent querying. Option C is correct because you can move verbose logs (e.g., from VMs) to the Basic Logs tier. Option A (reducing retention) affects visibility.

Option B (turning off collection from domain controllers) reduces visibility. Option D (using Azure Storage) is not integrated with Sentinel for queries.

435
MCQmedium

You have a Microsoft Sentinel automation rule as shown in the exhibit. The rule triggers a playbook that blocks a user in Microsoft Entra ID. The rule is enabled but never fires. What is the most likely reason?

A.The automation rule is disabled.
B.The playbook does not have a Microsoft Sentinel trigger.
C.No incidents with High severity are created.
D.The JSON syntax is invalid.
AnswerB

The playbook must start with a Sentinel trigger to be invoked by an automation rule.

Why this answer

The automation rule trigger specifies 'severity: High' and 'status: New'. Automation rules fire on incident creation, and incidents are created with status 'New' unless another rule changes it, so the status condition is not the problem; the exhibit also shows correct syntax.

The rule itself is therefore fine, and the most common cause lies on the playbook side: an automation rule can only run a playbook that starts with a Microsoft Sentinel trigger. Option B is correct because if the playbook doesn't have a Sentinel trigger, it won't run. Option A is wrong because the rule is enabled.

Option C is wrong because High severity incidents do exist. Option D is wrong because the JSON is valid.

436
Multi-Selectmedium

Your security team uses Microsoft Sentinel and Microsoft Purview. You need to classify incidents that involve sensitive data according to Microsoft Purview's sensitivity labels. Which THREE components should you use?

Select 3 answers
A.Microsoft Defender for Cloud to apply sensitivity labels.
B.Analytics rules that trigger on data sensitivity events from Microsoft Purview.
C.Automation rules in Microsoft Sentinel to check for sensitivity labels in the incident.
D.Playbooks in Microsoft Sentinel to query Microsoft Purview for label information.
E.Microsoft Intune compliance policies to label data.
AnswersB, C, D

Correct: Analytics rules can ingest logs from Purview.

Why this answer

Options B, C, and D are correct. Analytics rules can detect data sensitivity events, automation rules can check for label conditions, and playbooks can query Purview. Option E is wrong because Microsoft Intune manages devices.

Option A is wrong because Microsoft Defender for Cloud doesn't integrate with Purview labels.

437
MCQhard

Your organization uses Microsoft Sentinel and has enabled UEBA. A security analyst observes that a user account with no prior administrative activity performed a high volume of Azure Resource Manager operations. The analyst wants to investigate further. Which Microsoft Sentinel feature should the analyst use to quickly identify if this behavior is anomalous based on the user's historical profile?

A.Hunting queries
B.Workbooks
C.User and Entity Behavior Analytics (UEBA)
D.Analytics rules
AnswerC

UEBA uses machine learning to establish baselines and detect anomalous behavior for users and entities.

Why this answer

Option C is correct because UEBA in Microsoft Sentinel provides user entity analytics that profile normal behavior and detect anomalies. The other options are not primarily designed for user behavior anomaly detection based on historical profiles.

438
Multi-Selectmedium

Your organization uses Microsoft Sentinel. You need to automatically classify incidents based on MITRE ATT&CK techniques. Which THREE methods can be used to accomplish this?

Select 3 answers
A.Enable the MITRE ATT&CK data connector.
B.Create a watchlist with MITRE techniques.
C.Use analytics rules that include MITRE ATT&CK mapping.
D.Use UEBA to detect techniques.
E.Create an automation rule that tags incidents with MITRE techniques.
AnswersA, C, E

This connector provides threat intelligence and enriches incidents.

Why this answer

Analytics rules can map to MITRE techniques, the MITRE ATT&CK connector can enrich incidents, and automation rules can add tags. Options A, C, and E are correct. Option B (watchlists) can store mappings but not automatically classify.

Option D (UEBA) doesn't classify incidents by MITRE techniques.

439
MCQeasy

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What is the effect of this rule?

A.It assigns the incident to the SOC team.
B.It changes the status of newly created incidents from 'New' to 'Active'.
C.It suppresses the incident if it is a false positive.
D.It creates a task in the incident for investigation.
AnswerB

The action type 'ChangeStatus' with status 'Active' does exactly that.

Why this answer

Option B is correct because the rule triggers on incident creation with status 'New' and changes status to 'Active'. Option A is incorrect because it does not assign owner. Option C is incorrect because it does not suppress.

Option D is incorrect because it does not create tasks.

440
Multi-Selecthard

You are managing a Microsoft Sentinel workspace that ingests data from multiple sources. You need to reduce the cost of log ingestion while maintaining security visibility. Which two actions should you take?

Select 2 answers
A.Remove all custom log connectors that are not used frequently.
B.Increase the retention period for all tables to 90 days to avoid data loss.
C.Enable analytics rules to run only on high-value data sources.
D.Configure data collection rules to send non-critical logs to the Basic Logs tier.
E.Use compression algorithms in Log Analytics to reduce log size.
AnswersC, D

Correct: Focusing rules on critical data reduces processing cost.

Why this answer

Option C is correct because enabling analytics rules to run only on high-value data sources reduces the volume of data that must be queried and processed, directly lowering ingestion and analytics costs while preserving security visibility on critical logs. In Microsoft Sentinel, analytics rules incur costs based on the data scanned; by scoping rules to high-value sources, you avoid unnecessary processing of low-signal data.

Exam trap

The trap here is that candidates often confuse reducing ingestion cost with reducing storage cost, leading them to choose retention-related options (B) or connector removal (A) instead of focusing on data tiering and query scoping.

441
Multi-Selectmedium

Which TWO actions can be performed using Microsoft Sentinel automation rules? (Select TWO.)

Select 2 answers
A.Assign an incident to a specific SOC analyst
B.Modify a data connector's configuration
C.Create a new analytics rule
D.Create a new watchlist
E.Run a playbook on an incident
AnswersA, E

Automation rules can set incident owner.

Why this answer

Options A and E are correct because automation rules can assign incidents to owners and run playbooks. Option B is wrong because automation rules do not modify data connectors. Option C is wrong because automation rules do not create analytics rules.

Option D is wrong because automation rules do not create watchlists.

442
MCQhard

Your organization uses Microsoft Sentinel with UEBA enabled. You are investigating a suspicious incident where a user's account is reported to have accessed an unusual amount of data from a SharePoint site. The incident alert points to the user 'jdoe@contoso.com'. You open the incident and see that the entity timeline for jdoe shows several activities, including file downloads. However, you notice that the timeline does not include any Azure AD sign-in events for this user. You need to include sign-in events in the entity timeline to get a complete picture. What should you do?

A.Install the Azure Active Directory connector to ingest sign-in logs.
B.Enable UEBA for Azure AD in the Sentinel settings.
C.Install the Office 365 connector to ingest Azure AD logs.
D.Configure the entity timeline to include Azure AD events manually.
AnswerA

The Azure AD connector provides sign-in logs for UEBA.

Why this answer

The entity timeline in Microsoft Sentinel relies on data already ingested into the workspace. Since Azure AD sign-in events are not appearing, the most likely cause is that the Azure Active Directory connector has not been installed or configured. Installing this connector ingests sign-in logs (and audit logs) into Sentinel, which then populates the entity timeline with sign-in activities for users like jdoe.

Exam trap

The trap here is that candidates confuse the Office 365 connector (which handles SharePoint, Exchange, Teams) with the Azure AD connector (which handles sign-in and audit logs), leading them to choose Option C instead of A.

How to eliminate wrong answers

Option B is wrong because enabling UEBA for Azure AD in Sentinel settings does not ingest data; it only enables behavioral analytics on already-ingested data. Option C is wrong because the Office 365 connector ingests Exchange, Teams, and SharePoint logs, not Azure AD sign-in logs (those require the Azure AD connector). Option D is wrong because the entity timeline cannot be manually configured to include Azure AD events; it automatically displays any ingested entity-related data from connected sources.

443
MCQeasy

Refer to the exhibit. You are viewing an incident in Microsoft Sentinel via the API. The incident is missing an owner. Which automation rule action would assign this incident to the SOC manager?

A.Change incident status to: Active
B.Run playbook (SimplePlaybook)
C.Add tags: ["Malware", "Endpoint"]
D.Assign incident to: SOC Manager
AnswerD

The Assign incident action allows specifying an owner.

Why this answer

Option D is correct because the 'Assign incident' action is used to assign an owner. Option B is wrong because 'Run playbook' triggers a playbook but does not directly assign. Option A is wrong because 'Change status' only changes status.

Option C is wrong because 'Add tags' adds labels.

444
MCQmedium

Your SOC uses Microsoft Defender XDR. You need to create a custom detection rule that triggers when a specific process is executed on multiple devices within an hour. Which feature should you use?

A.Advanced hunting query
B.Microsoft Sentinel scheduled analytics rule
C.Attack simulation training
D.Microsoft Defender XDR custom detection rule
AnswerD

Custom detections in Defender XDR allow creation of detection rules using KQL.

Why this answer

Option D is correct because custom detection rules in Microsoft Defender XDR allow KQL-based detection across devices. Option B is wrong because scheduled analytics rules are in Sentinel. Option A is wrong because hunting queries don't create alerts.

Option C is wrong because attack simulation is for testing.

445
MCQeasy

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. After configuring the data connector, you notice that no logs are appearing. You verify that the firewall is sending logs to the Syslog collector. What is the most likely cause?

A.The firewall is sending logs in a format incompatible with the Azure Monitor Agent.
B.The ingestion cost is too high and Sentinel throttled the connection.
C.The syslog daemon on the collector is not configured to forward logs to the Log Analytics workspace.
D.The data connector is disabled in the Log Analytics workspace.
AnswerC

The collector needs to forward logs; if not configured, logs won't reach Sentinel.

Why this answer

Option C is correct because a common issue is that the Syslog collector (e.g., a Linux VM) does not have the required syslog daemon (rsyslog) properly configured to forward logs to Log Analytics. Option D is less likely because connectors are usually enabled by default. Option B is wrong because a high ingestion cost does not cause Sentinel to throttle the connection.

Option A is wrong because the data connector for Syslog uses the Log Analytics agent, not AMA, by default.

446
MCQmedium

You are configuring a Microsoft Sentinel analytics rule to detect brute-force attacks on your Azure Virtual Machines. The rule uses the 'SecurityEvent' table. You notice that the rule is not generating incidents even though you see failed logon events in the logs. What should you check?

A.An automation rule is suppressing incidents with the same name.
B.The workspace retention period is set to less than 90 days.
C.The Log Analytics agent is not installed on the VMs.
D.The analytics rule is enabled and the query is correctly filtering for event ID 4625.
AnswerD

If the rule is disabled or query is wrong, incidents won't be created.

Why this answer

Option D is correct because the 'SecurityEvent' table collects Windows security events, but the event ID for failed logon (4625) must be included in the query and the rule must be enabled. If the rule is not enabled, it won't generate incidents. Option C is about data source configuration, but the table is already populated.

Option B is about retention, not detection. Option A is about automation rules, not analytics rules.

447
MCQhard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to ingest security logs from Azure resources in the West Europe region. The solution must minimize data transfer costs. What should you configure?

A.Configure diagnostic settings to send logs directly to the East US workspace.
B.Use Azure Monitor Agent to collect logs and send them to the East US workspace.
C.Configure diagnostic settings on the West Europe resources to send logs to a Log Analytics workspace in West Europe, and then use a cross-workspace query from the East US workspace.
D.Export logs to a storage account in West Europe and then import them to the East US workspace using Azure Data Factory.
AnswerC

This avoids cross-region transfer costs for ingestion.

Why this answer

Option C is correct because using a diagnostic setting to send logs to a Log Analytics workspace in the same region as the resources minimizes cross-region data transfer costs. Options A and B send the logs across regions at ingestion time and would increase costs.

Option D relies on storage export rather than real-time ingestion; it is an alternative but not the minimal-cost one.

448
MCQeasy

Your Microsoft Sentinel workspace is experiencing high ingestion costs. Which of the following actions will most effectively reduce costs while maintaining security visibility?

A.Delete unused analytics rules to reduce log ingestion.
B.Configure Basic Logs for verbose logs like Windows events from non-critical servers.
C.Disable collection of all informational logs.
D.Reduce the data retention period to 30 days.
AnswerB

Basic Logs are cheaper and suitable for high-volume logs that are rarely queried.

Why this answer

Option B is correct because configuring Basic Logs for verbose logs (e.g., Windows Event ID 4688 from non-critical servers) reduces ingestion costs by storing them in a lower-cost tier while still retaining them for security investigations. Basic Logs are charged at a lower ingestion rate and support simple queries and search jobs, preserving visibility for incident response without the full cost of Analytics Logs.

Exam trap

The trap here is that candidates confuse reducing data retention (Option D) with reducing ingestion costs, but retention only affects storage charges, not the per-GB ingestion fee, which is the primary cost driver in Sentinel.

How to eliminate wrong answers

Option A is wrong because deleting unused analytics rules does not reduce log ingestion; analytics rules only consume data already ingested, and removing them does not lower the volume of logs sent to the workspace. Option C is wrong because disabling all informational logs can blind security operations to critical events like user logon failures (Event ID 4625) or privilege escalations, violating the requirement to maintain security visibility. Option D is wrong because reducing the retention period to 30 days may lower storage costs but does not address the ingestion cost itself, which is the primary driver of high costs; it also risks losing historical data needed for long-term threat hunting and compliance.

449
MCQeasy

Refer to the exhibit. You are reviewing a playbook configuration for Microsoft Sentinel. What does this playbook do?

A.It runs only on medium severity incidents
B.It runs when a new alert is generated with high severity
C.It runs on all incidents regardless of severity
D.It runs when a high severity incident is created
AnswerD

The trigger condition checks for incident severity equal to 'High'.

Why this answer

The playbook is configured with a trigger condition that specifies 'When a high severity incident is created'. This means the playbook will only execute when an incident with a severity level of 'High' is generated in Microsoft Sentinel. The condition filters out incidents of other severity levels, ensuring the playbook runs exclusively for high-severity incidents.

Exam trap

The trap here is that candidates may confuse the trigger for incident creation versus alert generation, or overlook the severity filter in the condition, leading them to incorrectly select option B or C.

How to eliminate wrong answers

Option A is wrong because the trigger condition explicitly checks for 'high severity', not 'medium severity', so the playbook does not run on medium severity incidents. Option B is wrong because the trigger is based on incident creation, not alert generation; the playbook runs when an incident is created, not when a new alert is generated. Option C is wrong because the trigger condition includes a severity filter, so it does not run on all incidents regardless of severity; it only runs on high severity incidents.

450
MCQmedium

Your organization uses Microsoft Defender for Office 365 and Microsoft Sentinel. You discover that phishing emails are bypassing Defender for Office 365 and being reported by users. You need to ensure that user-reported emails are automatically analyzed and incidents are created in Sentinel for high-confidence phishing. What should you configure?

A.Set up a custom connector using Microsoft Graph API to ingest user-reported messages into Sentinel.
B.Use the Microsoft 365 Defender portal to create a submission rule for user-reported messages.
C.Configure a mail flow rule to forward user-reported messages to a dedicated mailbox monitored by Sentinel.
D.Enable the 'User reported messages' feature in Defender for Office 365 and ensure the Microsoft Defender XDR connector is enabled in Sentinel.
AnswerD

This integrates automated analysis and incident creation.

Why this answer

Option D is correct because the User Reported Messages feature in Defender for Office 365 can trigger automated analysis and, when integrated with Sentinel via the connector, can create incidents. Option C is wrong because a mail flow rule cannot create Sentinel incidents. Option B is wrong because creating a submission rule manually does not automate analysis.

Option A is wrong because a custom connector would be more complex than using the built-in integration.
