CCNA Manage a security operations environment Questions

75 of 554 questions · Page 7/8 · Manage a security operations environment · Answers revealed

451
MCQ · easy

Your organization wants to use Microsoft Copilot for Security to generate incident summaries. What is the minimum license required?

A. Microsoft 365 E5
B. Microsoft Sentinel
C. Microsoft Defender for Office 365 P2
D. Microsoft Copilot for Security standalone or add-on
Answer: D

This is the required license.

Why this answer

Microsoft Copilot for Security is a standalone product that can be licensed independently or as an add-on to existing security subscriptions. It is not included in any Microsoft 365 or Defender plan by default; therefore, the minimum license required is either the standalone Copilot for Security SKU or the add-on license. This ensures the organization has the necessary entitlements to generate incident summaries using Copilot for Security.

Exam trap

The trap here is that candidates often assume Copilot for Security is included with high-tier licenses like Microsoft 365 E5 or Microsoft Sentinel, but Microsoft explicitly requires a separate Copilot for Security license (standalone or add-on) to use its AI capabilities.

How to eliminate wrong answers

Option A is wrong because Microsoft 365 E5 provides advanced security features like Defender for Office 365 P2 and Microsoft Sentinel, but it does not include Microsoft Copilot for Security; a separate license is required. Option B is wrong because Microsoft Sentinel is a SIEM/SOAR solution that ingests and analyzes security data, but it does not include Copilot for Security; Copilot for Security is a separate AI-powered tool that can integrate with Sentinel but requires its own license. Option C is wrong because Microsoft Defender for Office 365 P2 offers advanced threat protection for email and collaboration tools, but it does not include Copilot for Security; the Copilot for Security add-on or standalone license is needed to access its AI capabilities.

452
MCQ · medium

You manage a Microsoft Sentinel workspace with multiple analytics rules. You notice that an analytics rule has not generated any alerts in the past month despite relevant data being ingested. The rule uses a custom KQL query that joins two tables. What is the most likely cause?

A. The join condition in the KQL query is incorrect, resulting in no matching records
B. The rule is using an unsupported KQL function
C. The data connector for the tables is disabled
D. The rule is running on a schedule of 5 minutes but the data arrives every hour
Answer: A

An incorrect join condition would cause the query to return zero results, thus no alerts.

Why this answer

Option A is correct because a missing join field would prevent any results from the KQL query, leading to no alerts. Option C is less likely because the rule would still run. Option B would cause an error, not just silence. Option D would generate alerts on other data.

453
MCQ · medium

You are managing a Microsoft Sentinel environment with multiple workspaces across different regions. You need to centralize incident management and allow security analysts to triage incidents from all workspaces in a single view. What should you configure?

A. Configure a central Microsoft Sentinel workspace with cross-workspace analytics rules.
B. Create a workbook that queries all workspaces.
C. Use the Microsoft Sentinel SIEM Migration experience.
D. Use Azure Lighthouse to manage all workspaces from a single pane of glass.
Answer: A

Central workspace with cross-workspace rules can aggregate incidents.

Why this answer

Option A is correct because cross-workspace analytics rules in Microsoft Sentinel allow you to define a single analytics rule that queries multiple workspaces, enabling centralized incident creation and management. This configuration ensures that security analysts can view and triage incidents from all workspaces in a single Microsoft Sentinel instance, without needing to switch between different workspace blades.

Exam trap

The trap here is that candidates often confuse Azure Lighthouse's cross-tenant management capabilities with the specific need to aggregate incidents into a single view, overlooking that Lighthouse alone does not merge incident queues across workspaces.

How to eliminate wrong answers

Option B is wrong because a workbook is a visualization and reporting tool, not an incident management interface; it cannot centralize incident triage or provide a unified incident queue. Option C is wrong because the SIEM Migration experience is designed to help migrate from a third-party SIEM to Microsoft Sentinel, not to centralize incident management across existing Sentinel workspaces. Option D is wrong because Azure Lighthouse provides cross-tenant management capabilities but does not natively aggregate incidents from multiple Sentinel workspaces into a single incident view; it still requires navigating separate Sentinel instances per workspace.

454
MCQ · easy

Your organization uses Microsoft Defender for Cloud Apps. You need to ensure that alerts from Defender for Cloud Apps are forwarded to Microsoft Sentinel. Which connector should you use in Sentinel?

A. Windows Security Events via AMA connector
B. Microsoft Defender for Cloud Apps connector
C. Microsoft 365 Defender connector
D. Azure Activity connector
Answer: B

This is the dedicated connector to ingest alerts from Defender for Cloud Apps.

Why this answer

The Microsoft Defender for Cloud Apps connector (built-in data connector) is the correct way to ingest alerts. Option C is wrong because the Microsoft 365 Defender connector covers alerts from Defender for Identity, Defender for Office 365, etc., but not directly from Defender for Cloud Apps. Option A is wrong because the Windows Security Events connector is for on-premises events. Option D is wrong because the Azure Activity connector is for Azure resource logs.

455
Multi-Select · easy

Which TWO roles in Microsoft Entra ID can manage Microsoft Defender for Cloud Apps? (Select two.)

Select 2 answers
A. Compliance Administrator
B. Security Administrator
C. Global Administrator
D. Security Reader
E. Application Administrator
Answers: B, C

Can manage security settings.

Why this answer

The Security Administrator role in Microsoft Entra ID has the necessary permissions to manage Microsoft Defender for Cloud Apps, including configuring policies, investigating alerts, and managing app permissions. This role is specifically designed for security-related tasks within Microsoft 365 security products, making it a correct choice for managing Defender for Cloud Apps.

Exam trap

The trap here is that candidates often confuse the Compliance Administrator role as having security management capabilities due to its name, but it is strictly limited to compliance tasks and cannot manage Defender for Cloud Apps.

456
MCQ · easy

You are a security operations analyst. You need to ensure that when a suspicious sign-in is detected by Microsoft Entra ID Protection, an incident is automatically created in Microsoft Sentinel and assigned to the Tier 1 SOC team. What should you configure in Microsoft Sentinel?

A. Create an automation rule that triggers when an incident is created and sets the owner to the Tier 1 SOC group.
B. Create a playbook that is triggered by the Microsoft Entra ID Protection data connector.
C. Enable UEBA and configure role-based access control (RBAC).
D. Configure an analytics rule with a corresponding automation rule to assign the incident.
Answer: A

Automation rules handle incident assignment.

Why this answer

Option A is correct because automation rules trigger on incident creation and can assign ownership. Option B is wrong because playbooks are for complex automation, not simple assignment. Option D is wrong because analytics rules create incidents from raw data, not from existing alerts. Option C is wrong because UEBA is a behavioral detection feature, not incident assignment.

457
MCQ · medium

You are configuring a Microsoft Sentinel workbook to display incident metrics. You want to show the average time to triage incidents over the last 30 days. Which data source should you use?

A. CommonSecurityLog table.
B. SecurityIncident table.
C. SecurityAlert table.
D. SigninLogs table.
Answer: B

The SecurityIncident table contains incident properties including created and triaged times.

Why this answer

Incident data in Sentinel is stored in the SecurityIncident table, so Option B is correct. Option C is wrong because SecurityAlert holds individual alerts, not incidents. Option A is wrong because CommonSecurityLog is for syslog data. Option D is wrong because SigninLogs is for authentication logs.

458
MCQ · medium

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident is created?

A. The incident severity will be changed
B. A new analytics rule will be created
C. The playbook 'BlockIPPlaybook' will be executed
D. The incident will be automatically closed
Answer: C

Action type is RunPlaybook with the specified playbook.

Why this answer

The exhibit shows an automation rule that triggers on incident creation and runs a playbook, so Option C is correct. Options A and B are not actions the rule performs. Option D is about analytics rules, not automation.

459
MCQ · medium

Refer to the exhibit. You have a Microsoft Sentinel analytic rule configured to detect brute force attacks. The rule runs every 30 minutes and groups alerts into incidents based on Account and IP. You notice that multiple incidents are created for the same user and IP within a short time. What should you do to reduce the number of incidents?

A. Decrease the query frequency to 1 hour
B. Increase the lookback duration to 2 hours
C. Increase the trigger threshold to 10
D. Disable alert grouping
Answer: B

A longer lookback groups more alerts into one incident.

Why this answer

Increasing the lookback duration to 2 hours allows the analytic rule to consider a longer window of historical data when grouping alerts into incidents. This means that alerts for the same Account and IP that occur within that extended timeframe will be merged into a single incident, directly reducing the number of duplicate incidents created for the same user and IP.

Exam trap

Microsoft often tests the distinction between query frequency (how often the rule runs) and lookback duration (the window for grouping alerts), causing candidates to mistakenly adjust the frequency instead of the grouping window.

How to eliminate wrong answers

Option A is wrong because decreasing the query frequency to 1 hour would make the rule run less often, but it does not change the lookback window for grouping; alerts from separate runs would still create separate incidents for the same Account and IP. Option C is wrong because increasing the trigger threshold to 10 would require more alerts before an incident is created, which could suppress legitimate incidents entirely rather than reducing the number of incidents for the same user and IP. Option D is wrong because disabling alert grouping would cause each individual alert to become its own incident, which would dramatically increase the number of incidents, not reduce them.

460
MCQ · medium

Your organization has a Microsoft Sentinel workspace in the East US region. You have deployed the Microsoft Defender XDR connector and are ingesting incidents from Microsoft Defender for Endpoint, Defender for Office 365, and Defender for Identity. The SOC team reports that some incidents from Defender for Office 365 are missing in Sentinel, but all incidents from the other sources appear correctly. You have verified that the connector is enabled and that there are no ingestion errors. The missing incidents are related to phishing emails that were detected by Defender for Office 365 and automatically remediated (soft deleted) by the system. The incidents are visible in the Microsoft 365 Defender portal. What should you do to ensure these incidents appear in Sentinel?

A. Create an automation rule that triggers on missing incidents and creates them manually.
B. Create a new analytics rule using the Office 365 connector to generate incidents from Defender for Office 365 alerts.
C. Create a new Microsoft Defender XDR connector in a different region to capture all incidents.
D. Re-enable the Microsoft Defender XDR connector and restart the data ingestion.
Answer: B

This ensures that alerts from Defender for Office 365, including auto-resolved ones, generate incidents in Sentinel.

Why this answer

Option B is correct because Defender for Office 365 incidents that are automatically resolved (e.g., soft delete) may not be sent to Sentinel by default. You need to create an analytics rule in Sentinel using the Office 365 connector to generate incidents for those alerts. Option D is wrong because the connector is already enabled. Option C is wrong because the incidents are present in Defender, so the connector should be ingesting them; the issue is with auto-resolved incidents. Option A is wrong because an automation rule cannot generate incidents from alerts that are not ingested.

461
MCQ · hard

Refer to the exhibit. You are analyzing a KQL query in Microsoft Sentinel that returns accounts with more than 10 failed logins within 5 minutes. The query is not returning any results even though you know there have been multiple failed logins. What is the most likely reason?

A. The 'startswith' operator is not a valid KQL operator
B. The 'bin' function is used incorrectly
C. The query syntax requires a 'let' statement
D. The filter condition 'Account !startswith "ANONYMOUS LOGON"' is case-sensitive and may be excluding valid results
Answer: D

The 'startswith' operator is case-sensitive; 'ANONYMOUS LOGON' in the event may have different casing.

Why this answer

Option D is correct because the `!startswith` operator in KQL is case-sensitive by default. If the actual account name in the SecurityEvent table is stored as 'ANONYMOUS LOGON' with a different case (e.g., 'Anonymous Logon' or 'anonymous logon'), the filter will exclude those rows, causing the query to return no results even though failed logins occurred. This is a common pitfall when using string comparison operators in KQL without considering case sensitivity.

Exam trap

The trap here is that candidates assume string operators in KQL are case-insensitive by default, when in fact they are case-sensitive, leading them to overlook the filter's exclusion of valid results.

How to eliminate wrong answers

Option A is wrong because `startswith` is a valid KQL operator used to filter strings that start with a specified prefix; it is not invalid. Option B is wrong because the `bin` function is used correctly in time-series aggregations to group events into fixed time intervals (e.g., 5-minute bins), and its misuse would not cause the query to return zero results if failed logins exist—it would only affect the grouping. Option C is wrong because a `let` statement is not required for this query; `let` is used to define variables or reusable expressions, but the query can run without it.

462
Multi-Select · medium

Which TWO actions can be performed using automation rules in Microsoft Sentinel? (Select TWO.)

Select 2 answers
A. Create a new incident from an alert.
B. Modify the query of an existing analytics rule.
C. Assign an incident to a specific owner.
D. Delete an incident automatically.
E. Trigger a playbook when an incident is created.
Answers: C, E

Assignment is a supported action in automation rules.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can perform actions such as assigning an incident to a specific owner. This is a built-in action within the automation rule configuration, allowing you to automatically set the owner field of an incident based on conditions like severity or rule ID, without requiring a playbook.

Exam trap

The trap here is that candidates often confuse automation rules with analytics rules, mistakenly thinking automation rules can create incidents or modify analytics rule logic, when in fact automation rules only act on existing incidents and cannot alter detection logic or delete incidents.

463
Multi-Select · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to implement a solution that automatically suppresses low-severity incidents from specific IP addresses that are known internal scanners. Which THREE configurations should you make?

Select 3 answers
A. Add the IP addresses to a watchlist and reference it in analytics rules.
B. Configure an analytics rule with a suppression condition that includes the IP addresses.
C. Create an automation rule that closes incidents matching the IP addresses.
D. Create a suppression rule in Microsoft Defender for Cloud.
E. Create a playbook that deletes incidents from those IP addresses.
Answers: A, B, C

Correct: Watchlists can be used for filtering.

Why this answer

Options A, B, and C are correct. Analytics rules can be set to suppress, automation rules can close incidents, and watchlists can be used for known IPs. Option D is wrong because Microsoft Defender for Cloud doesn't suppress Sentinel incidents. Option E is wrong because playbooks cannot suppress incidents before creation.

464
MCQ · hard

Your SOC team uses Microsoft Sentinel's UEBA to detect insider threats. You want to ensure that UEBA can correlate activities across multiple data sources. Which data source must be enabled for UEBA to function properly?

A. Azure Activity logs
B. Office 365 audit logs
C. Windows Security Events
D. Microsoft Entra ID audit logs
Answer: D

Provides identity context for UEBA.

Why this answer

Microsoft Entra ID (formerly Azure AD) audit logs provide identity context that is essential for UEBA to correlate user activities. Option A is wrong because Azure Activity logs provide resource-level operations. Option C is wrong because Windows Security Events alone lack identity correlation. Option B is wrong because Office 365 audit logs are useful but not the core requirement.

465
MCQ · hard

Your organization has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You are configuring Microsoft Defender for Identity to protect against lateral movement attacks. Which configuration should you prioritize to detect pass-the-hash attacks?

A. Configure port mirroring for domain controllers
B. Enable 'SAM-R' (Remote SAM) in the Microsoft Defender for Identity sensor configuration
C. Configure Windows Event Forwarding (WEF) for domain controllers
D. Enable 'Capture NTLM hashes' in the Microsoft Defender for Identity sensor configuration
Answer: D

Enabling this setting allows the sensor to capture NTLM hashes for pass-the-hash detection.

Why this answer

Option D is correct because enabling 'Capture NTLM hashes' in the Microsoft Defender for Identity sensor configuration allows the sensor to extract NTLM hashes from network traffic. Pass-the-hash attacks rely on capturing and reusing NTLM hashes to authenticate laterally; by capturing these hashes, Defender for Identity can detect anomalies such as a hash being used from a different source or for suspicious logon attempts, directly identifying the attack.

Exam trap

The trap here is that candidates confuse prerequisites (port mirroring) or supporting features (SAM-R for lateral movement paths, WEF for event collection) with the specific configuration needed to detect pass-the-hash, which is the direct capture of NTLM hashes from network traffic.

How to eliminate wrong answers

Option A is wrong because port mirroring for domain controllers is a prerequisite for network traffic capture but does not itself enable detection of pass-the-hash attacks; it only provides the raw data. Option B is wrong because enabling SAM-R (Remote SAM) is used for lateral movement path detection (e.g., enumerating local admin groups) but does not capture or analyze NTLM hashes for pass-the-hash detection. Option C is wrong because configuring Windows Event Forwarding (WEF) for domain controllers collects Windows security events (e.g., 4624 logon events) but does not capture NTLM hashes from network traffic, which is essential for detecting pass-the-hash.

466
MCQ · hard

Your company uses Microsoft Sentinel and has connected Microsoft 365 Defender. You have configured an automation rule that, when an incident is created with a high severity, triggers a playbook that sends an email to the SOC manager and creates a ticket in ServiceNow. Recently, the automation rule stopped triggering the playbook. You check the automation rule and see it is enabled. You also check the playbook and see it is enabled. However, the playbook's run history shows no new runs for the last 24 hours, even though high-severity incidents have been created. You verify that the incidents are indeed high severity and that the automation rule's conditions match. What is the most likely cause?

A. The incident severity was changed after creation, so the rule condition no longer matches.
B. The automation rule has reached its maximum number of actions (trigger limit) and has been automatically disabled by Sentinel.
C. The playbook has been deleted and needs to be re-created.
D. The automation rule was accidentally disabled by another administrator.
Answer: B

Automation rules have a limit on the number of times they can trigger; once exceeded, they stop.

Why this answer

Option B is correct because automation rules have a trigger limit (number of actions per rule) that might be exceeded if many incidents are created. Once the limit is reached, the rule stops triggering. Option D is wrong because the rule is enabled. Option A is wrong because the incidents are high severity, so conditions match. Option C is wrong because the playbook is not the issue; the automation rule is not triggering it.

467
MCQ · medium

A SOC analyst receives a high-severity alert for a user who downloaded a malicious file from a phishing email. The analyst needs to quickly assess the scope of the incident across endpoints, email, and identities. Which Microsoft Defender XDR feature should the analyst use to get a unified view of the incident?

A. Microsoft Defender XDR incident queue
B. Microsoft Purview compliance portal
C. Microsoft Intune device compliance dashboard
D. Microsoft Sentinel incidents blade
Answer: A

Microsoft Defender XDR incident queue provides a unified view of incidents across all workloads.

Why this answer

The Microsoft Defender XDR incident queue is the correct choice because it aggregates alerts from Microsoft Defender for Endpoint, Office 365, and Identity into a single incident view, enabling the analyst to correlate the malicious file download across endpoints, email, and user identities without switching consoles. This unified incident management is a core feature of Microsoft Defender XDR, designed specifically for rapid triage and scope assessment in multi-domain threats.

Exam trap

The trap here is that candidates often confuse the Microsoft Defender XDR incident queue with Microsoft Sentinel incidents, assuming Sentinel is the primary unified view, but the question specifically asks for the Microsoft Defender XDR feature, not a separate SIEM product.

How to eliminate wrong answers

Option B is wrong because the Microsoft Purview compliance portal focuses on data governance, eDiscovery, and compliance policies (e.g., DLP, retention), not on real-time incident correlation across endpoints, email, and identities. Option C is wrong because the Microsoft Intune device compliance dashboard provides device compliance status and policy enforcement for managed devices, but it does not aggregate security alerts or provide a unified incident view across email and identity domains. Option D is wrong because the Microsoft Sentinel incidents blade is a SIEM/SOAR tool that can ingest alerts from multiple sources, but it is not the native Microsoft Defender XDR incident queue; using Sentinel for this purpose would require additional configuration and is not the direct, built-in feature for unified incident management within the Defender XDR ecosystem.

468
MCQ · easy

Your organization uses Microsoft Sentinel. You need to ensure that only users with the appropriate permissions can run playbooks from within the incident investigation interface. What role should you assign to the security operations team?

A. Microsoft Sentinel Contributor
B. Microsoft Sentinel Reader
C. Microsoft Sentinel Responder
D. Global Administrator in Microsoft Entra ID
Answer: A

Contributor can run playbooks.

Why this answer

The Microsoft Sentinel Contributor role is required to run playbooks from the incident interface, so Option A is correct because it includes permissions to use playbooks. Option B is wrong because Reader cannot run playbooks. Option C is wrong because Responder can triage but not run playbooks. Option D is wrong because Global Admin is overly privileged and not recommended.

469
MCQ · hard

Refer to the exhibit. You are deploying this ARM template to create a saved search in Microsoft Sentinel. What is the purpose of this saved search?

A. Identify computers that have not sent heartbeats in the last 24 hours.
B. Identify computers with low disk space.
C. Identify computers that are generating a high number of heartbeats, which may indicate a potential compromise.
D. Identify computers that have communicated with a malicious IP address.
Answer: C

High heartbeat frequency can indicate malicious activity.

Why this answer

Option C is correct because the query counts heartbeats per computer in the last day and filters for computers with more than 100 heartbeats, indicating high activity. Option D is incorrect because the query does not check malicious IP addresses. Option A is incorrect because the query does not check for missing heartbeats or unresponsive computers.

470
MCQ · easy

You are configuring Microsoft Sentinel to ingest logs from Azure Active Directory (now Microsoft Entra ID). Which of the following connectors should you use to collect sign-in logs and audit logs?

A. Microsoft Defender for Cloud connector.
B. Office 365 connector.
C. Azure Activity connector.
D. Microsoft Entra ID connector.
Answer: D

This connector collects sign-in logs, audit logs, and provisioning logs.

Why this answer

The Microsoft Entra ID connector provides sign-in logs and audit logs directly to Sentinel, so Option D is correct. Option B is wrong because the Office 365 connector is for Exchange, SharePoint, etc. Option C is wrong because the Azure Activity connector is for Azure resource logs. Option A is wrong because Microsoft Defender for Cloud is for security alerts.

471
Multi-Select · hard

Which THREE are valid ways to ingest data into Microsoft Sentinel? (Select three.)

Select 3 answers
A. Configuring Syslog using Azure Monitor Agent (AMA)
B. Using the Microsoft Sentinel API to push custom logs
C. Connecting to Azure DevOps directly
D. Importing from Power BI datasets
E. Using a built-in data connector for Microsoft Entra ID
Answers: A, B, E

Syslog is supported via AMA.

Why this answer

Option A is correct because the Azure Monitor Agent (AMA) can collect Syslog events from Linux-based sources and forward them to a Log Analytics workspace, which is the underlying data store for Microsoft Sentinel. By configuring a Data Collection Rule (DCR) that specifies the Syslog facility and severity levels, AMA streams these logs into the Syslog table in the workspace, making them available for detection and analysis within Sentinel.

Exam trap

The trap here is that candidates may assume any Microsoft service (like Azure DevOps or Power BI) can be directly connected via a built-in connector, but Sentinel only provides connectors for services that generate security-relevant logs, not for project management or BI analytics tools.

472
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that incidents created in Microsoft Defender XDR are automatically synchronized to Microsoft Sentinel with the least administrative effort. What should you configure?

A. Create a Logic App that uses the Microsoft Defender XDR API to fetch incidents and push them to Microsoft Sentinel.
B. Use the Microsoft Sentinel API to pull incidents from Microsoft Defender XDR.
C. Enable raw data ingestion from Microsoft Defender for Endpoint to Microsoft Sentinel.
D. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel.
Answer: D

This connector automatically ingests incidents and alerts from Defender XDR.

Why this answer

The Microsoft Defender XDR connector in Microsoft Sentinel automatically streams incidents and alerts from Defender XDR into Sentinel. Option D is correct because it enables bidirectional synchronization out of the box. Option A is wrong because Logic Apps would require custom workflows and more effort. Option B is wrong because the API connector is for custom integration, not automated synchronization. Option C is wrong because enabling raw data ingestion does not synchronize incidents.

473
Multi-Select · hard

Which TWO actions are valid for automation rules in Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Change the severity of an incident.
B. Delete an incident.
C. Run a playbook.
D. Add tags to an incident.
E. Modify an existing analytics rule.
Answers: A, C

Automation rules can change incident severity.

Why this answer

Options A and C are correct because automation rules can change incident severity and run playbooks. Option E is incorrect because automation rules do not modify analytics rules. Option B is incorrect because automation rules do not delete incidents. Option D is incorrect because automation rules do not add tags directly (tags can be added via playbooks).

474
MCQ · medium

Your organization uses Microsoft Defender XDR. You want to ensure that all incidents with severity 'High' are automatically assigned to the 'Tier1' group and have a playbook executed. What should you use?

A. Microsoft Defender XDR incident assignment manually by analysts
B. Custom analytics rules in Microsoft Sentinel
C. Automation rules in Microsoft Sentinel
D. Playbooks in Microsoft Sentinel
Answer: C

Can trigger on incident creation and perform actions like assignment and playbook execution.

Why this answer

Automation rules in Microsoft Sentinel allow you to automatically assign incidents to a specific group (e.g., 'Tier1') and trigger a playbook based on incident properties such as severity. This directly meets the requirement to assign 'High' severity incidents to the 'Tier1' group and execute a playbook without manual intervention.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking playbooks alone can handle assignment and triggering, but playbooks are just the action component and require an automation rule to define the trigger and assignment logic.

How to eliminate wrong answers

Option A is wrong because manual assignment by analysts does not automate the process; it requires human action for each incident, which contradicts the requirement for automatic assignment. Option B is wrong because custom analytics rules in Microsoft Sentinel are used to generate alerts from raw data, not to manage incident assignment or trigger playbooks after an incident is created. Option D is wrong because playbooks in Microsoft Sentinel are automated response workflows that can be triggered by automation rules, but they cannot by themselves assign incidents to groups or set conditions for execution; they require an automation rule to define the trigger and assignment logic.

475
Multi-Select · medium

Which THREE components are part of Microsoft Sentinel's SOAR capabilities? (Choose three.)

Select 3 answers
A. Workbooks
B. Incident management
C. Watchlists
D. Automation rules
E. Playbooks
Answers: B, D, E

Incident management is part of SOAR workflows.

Why this answer

Options B, D, and E are correct as they are core SOAR components. Option A is incorrect because workbooks are for visualization, not automation. Option C is incorrect because watchlists are for enrichment, not automation.

476
MCQmedium

Your company has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You have deployed Microsoft Sentinel and configured the Microsoft Entra ID connector to collect sign-in logs and audit logs. The SOC team wants to be alerted when a user account is created in Entra ID, as this could indicate a malicious insider. You create a scheduled analytics rule that queries the AuditLogs table for 'Add user' activity. The rule runs every hour and looks back 1 hour. After a week, the rule has generated zero incidents. You know that new users are being created regularly. You test the query manually in Log Analytics and get results for the last hour. What is the most likely cause?

A.The Microsoft Entra ID connector is not enabled.
B.The analytics rule is disabled.
C.The analytics rule's query uses a different time filter than the manual query, such as using 'ago(1h)' but the rule's lookback is set to '5 minutes' in the rule settings.
D.The AuditLogs table is not available in the workspace.
AnswerC

The rule's query might have a time filter that doesn't align with the rule's schedule, causing the rule to look at a different time window.

Why this answer

Option C is correct because the query works in Log Analytics but not in the analytics rule, which may be due to the rule's query not including the same time range or having a time filter that does not match the rule's lookback setting. Option A is wrong because the connector is working. Option B is wrong because the rule is enabled. Option D is wrong because audit logs are being collected and the manual query returns results from the AuditLogs table.

477
MCQhard

Your security team uses Microsoft Sentinel UEBA to detect anomalous user behavior. You need to configure UEBA to baseline user activities and generate alerts for deviations. What must you do first?

A.Create an Azure Machine Learning workspace for anomaly detection.
B.Enable UEBA in the Sentinel Settings blade and select relevant data sources.
C.Assign Microsoft 365 E5 licenses to all users.
D.Deploy a custom data connector for HR systems.
AnswerB

This is the prerequisite for UEBA to baseline and detect anomalies.

Why this answer

Option B is correct because Microsoft Sentinel UEBA requires explicit enablement in the Sentinel Settings blade under the 'Entity behavior analytics' section. Once enabled, you must select the relevant data sources (e.g., Azure Active Directory sign-in logs, Office 365 audit logs, Windows Security Events) so that Sentinel can baseline normal user behavior patterns and generate alerts for anomalous deviations. Without this initial configuration, UEBA cannot process any data or produce behavioral analytics.

Exam trap

The trap here is that candidates often assume UEBA is automatically enabled or that it requires external ML services (like Azure Machine Learning) or premium licenses (like M365 E5), when in fact the first step is simply toggling the feature on and selecting data sources within Sentinel's own settings.

How to eliminate wrong answers

Option A is wrong because Azure Machine Learning workspace is not required for Sentinel UEBA; UEBA uses built-in machine learning models within Sentinel itself, not an external ML workspace. Option C is wrong because Microsoft 365 E5 licenses are not a prerequisite for UEBA; Sentinel UEBA works with any license that provides the necessary data sources (e.g., Azure AD P1/P2, Office 365 E3/E5) and does not mandate E5 for all users. Option D is wrong because deploying a custom data connector for HR systems is an optional enhancement for enriching entity data (e.g., employee role, manager), but it is not the first step; UEBA must be enabled and data sources selected before any custom connectors can contribute to baselining.

478
MCQmedium

Refer to the exhibit. You have created a scheduled analytics rule in Microsoft Sentinel as shown. The rule is not generating any incidents, even though you know Copilot for Microsoft 365 is accessing sensitive files. What is the most likely cause?

A.The triggerThreshold is too high
B.The table being queried does not contain Copilot events
C.The severity is set to Medium, which suppresses incidents
D.The queryFrequency is too short
AnswerB

Copilot events are in CloudAppEvents.

Why this answer

The rule queries the 'SensitivityLabelEvents' table, which tracks sensitivity label changes but does not contain Copilot for Microsoft 365 events. Copilot events are stored in the 'MicrosoftCopilotAudit' table (or 'CloudAppEvents' with specific filters). Since the query targets the wrong table, no matching records are returned, and no incidents are generated.

Exam trap

The trap here is that candidates assume any table related to sensitivity labels will contain all Copilot events, but Microsoft separates Copilot-specific audit logs into a dedicated table, and the exam tests awareness of this schema distinction.

How to eliminate wrong answers

Option A is wrong because the triggerThreshold of 1 is the minimum value; a higher threshold would reduce incidents, but here the issue is zero incidents, not too few. Option C is wrong because severity settings (Medium, High, etc.) do not suppress incident creation; they only affect the incident's priority in the queue. Option D is wrong because a queryFrequency of 5 hours is reasonable for detecting patterns; making it shorter would increase run frequency but would not fix the root cause of querying the wrong table.

479
MCQhard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that when a device is identified as compromised by Defender for Endpoint, an incident is automatically created in Sentinel with high severity. What should you configure?

A.Configure the Defender XDR connector to create incidents
B.Write an analytics rule that queries Defender for Endpoint data
C.Create a playbook to create an incident from the alert
D.Create an automation rule that triggers when an incident is created and set severity to High
AnswerD

Automation rules can modify incident properties after creation.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can be configured to run when an incident is created, and they can set the severity of the incident to High. In this scenario, when Defender for Endpoint identifies a compromised device, the Defender XDR connector creates an incident in Sentinel. The automation rule then immediately elevates the severity to High, meeting the requirement without additional manual steps or complex logic.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks, thinking that a playbook is required to modify incident properties, when in fact automation rules can directly change severity without invoking a playbook.

How to eliminate wrong answers

Option A is wrong because configuring the Defender XDR connector to create incidents is already the default behavior that generates the incident, but it does not automatically set the severity to High; severity is inherited from the source alert. Option B is wrong because writing an analytics rule that queries Defender for Endpoint data would create a separate scheduled query rule, which is redundant and less efficient than using the existing incident creation from the connector, and it does not directly set severity on the connector-generated incident. Option C is wrong because creating a playbook to create an incident from the alert adds unnecessary complexity and latency; playbooks are better suited for response actions, while automation rules are the native, lightweight method to modify incident properties like severity.

480
Multi-Selecthard

Which THREE of the following are valid methods to archive logs in Microsoft Sentinel to reduce costs?

Select 3 answers
A.Configure continuous export to Azure Data Lake Storage Gen2
B.Set the workspace to free tier
C.Enable Basic Logs ingestion for all tables
D.Use a Logic App to export logs to Azure Storage
E.Change the table's retention period to include archival
AnswersA, D, E

Continuous export is a feature for long-term retention.

Why this answer

Option A is correct because Microsoft Sentinel supports continuous export of logs to Azure Data Lake Storage Gen2, which allows you to retain raw log data at lower storage costs while still being able to query it using Azure Synapse or other analytics tools. This method reduces the cost of high-volume log retention in Sentinel's native workspace by moving data to a cheaper long-term storage tier.

Exam trap

The trap here is that candidates often confuse 'Basic Logs' (which reduce ingestion cost but not storage cost) with archival methods, or mistakenly think the free tier can be manually selected for cost savings, when in fact it is a temporary promotional offering.

481
MCQhard

You are designing a Microsoft Sentinel deployment for a multinational organization that must comply with GDPR and local data residency requirements. They have offices in the US, EU, and Asia. They want to use a single Microsoft Sentinel workspace for global visibility but need to ensure that data from EU sources remains within the EU. What is the best approach to meet these requirements?

A.Deploy a single Microsoft Sentinel workspace in the US and use Azure Policy to restrict data ingestion from EU sources.
B.Deploy separate Microsoft Sentinel workspaces in the US, EU, and Asia, and use cross-workspace queries and Azure Lighthouse to manage them centrally.
C.Deploy a single workspace in the EU and enable UEBA to analyze all data.
D.Use Azure Lighthouse to project a single workspace into multiple regions, which automatically separates data storage.
AnswerB

Separate workspaces ensure data residency; cross-workspace queries provide a unified view.

Why this answer

Option B is correct because using separate workspaces per region ensures data residency, and cross-workspace queries provide a unified view. Option A is wrong because a single workspace cannot guarantee data residency for EU data. Option C is wrong because enabling UEBA does not control data residency.

Option D is wrong because Azure Lighthouse does not separate data storage.

482
Multi-Selectmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents are reviewed within 24 hours. Which TWO actions should you take?

Select 2 answers
A.Create an automation rule that runs 24 hours after incident creation and escalates if status is not 'In progress'.
B.Create a playbook that runs every hour and checks incident age.
C.Configure Microsoft Defender XDR to automatically reassign incidents after 24 hours.
D.Create a workbook that displays incidents older than 24 hours and alerts the SOC manager.
E.Modify the analytics rule to automatically close incidents after 24 hours.
AnswersA, D

Correct: Automation rules can use conditions based on time.

Why this answer

Options A and D are correct. Automation rules can escalate if an incident is not reviewed, and workbooks can track the SLA. Option B is wrong because playbooks don't trigger on time. Option C is wrong because Microsoft Defender XDR doesn't manage Sentinel SLAs. Option E is wrong because analytics rules don't handle SLAs.

483
Multi-Selectmedium

Your organization uses Microsoft Sentinel. You need to ensure that incident response times are monitored and reported. Which TWO capabilities should you use?

Select 2 answers
A.Playbooks
B.UEBA
C.Automation rules
D.Watchlists
E.Workbooks
AnswersC, E

Automation rules can record timestamps on incidents.

Why this answer

Sentinel workbooks can visualize response times, and automation rules can track timestamps, so Options C and E are correct. Option A (playbooks) can perform actions but not directly monitor times. Option B (UEBA) is for behavioral analytics. Option D (watchlists) is for reference data.

484
MCQeasy

Your company is deploying Microsoft Defender for Endpoint. You need to ensure that all devices report their security baseline compliance to Microsoft Intune. Which configuration should you use?

A.Configure a device configuration profile in Microsoft Intune
B.Deploy Windows Update for Business reports
C.Assign a Security Baseline policy in Microsoft Intune to the device groups
D.Enable Microsoft Defender for Cloud Apps session controls
AnswerC

Security Baselines in Intune provide compliance assessment for security configurations.

Why this answer

Option C is correct because Security Baselines in Intune allow you to assess and enforce compliance. Option A is for device-level configuration, but not specifically for baseline compliance. Option B is for Windows Update, not baseline compliance. Option D is for Defender for Cloud Apps, not endpoints.

485
MCQmedium

Your organization uses Microsoft Sentinel and has enabled UEBA (User and Entity Behavior Analytics). You notice that the UEBA timeline is not populating for some users. You have verified that the data sources are connected and the UEBA feature is enabled. What could be the issue?

A.There is insufficient data to build baselines for those users; UEBA needs at least 14 days of data.
B.Users must opt in to UEBA tracking.
C.UEBA only works with Azure Active Directory (now Microsoft Entra ID) audit logs.
D.The data sources are not sending logs for those users.
AnswerA

UEBA requires historical data to establish behavioral baselines. If users are new or have sparse logs, timelines may not populate.

Why this answer

Option A is correct because UEBA requires a minimum amount of data over time to establish baselines. Option B is wrong because UEBA does not require user consent. Option C is wrong because UEBA uses existing data from the connected sources, not only Entra ID audit logs. Option D is wrong because data is flowing.

486
MCQeasy

You run the PowerShell command shown in the exhibit to enable diagnostics on an Azure VM. The VM is running Windows Server 2022. You want to collect security events and send them to a Log Analytics workspace. What should you include in the diagnostics.json configuration file?

A.An EtwProvider element with provider GUID for Microsoft-Windows-Security-Auditing.
B.A WindowsEventLog element with ProviderName set to 'Security' and a query of '*'.
C.A Syslog element with facility set to 'auth' and severity set to 'info'.
D.A PerformanceCounter element with a counter for security incidents.
AnswerB

This collects all security events.

Why this answer

Option B is correct because the Azure Diagnostics extension for Windows VMs uses a WindowsEventLog element in the diagnostics.json configuration to specify which Windows Event Log channels to collect. Setting ProviderName to 'Security' and query to '*' collects all security events from the Security log, which are then forwarded to the Log Analytics workspace.

Exam trap

The trap here is that candidates confuse ETW providers (EtwProvider) with standard Windows Event Log channels, or mistakenly apply Linux-centric concepts like Syslog to a Windows VM, leading them to choose incorrect options A or C.

How to eliminate wrong answers

Option A is wrong because EtwProvider elements are used for collecting ETW (Event Tracing for Windows) providers, not for standard Windows Event Log channels like Security; the Security log is a classic event log, not an ETW provider. Option C is wrong because Syslog is a Linux-specific logging protocol and is not applicable to a Windows Server 2022 VM; the Azure Diagnostics extension for Windows does not support Syslog. Option D is wrong because PerformanceCounter elements collect performance metrics (e.g., CPU, memory), not security events; security incidents are not represented as performance counters.

487
MCQhard

Refer to the exhibit. You are reviewing a Microsoft Sentinel analytics rule created via ARM template. What is the effect of the grouping configuration?

A.Groups alerts into one incident if any entity matches.
B.Creates a separate incident for each alert.
C.Suppresses alerts for 5 hours after the first alert.
D.Groups alerts into one incident if all entities match within a 5-hour lookback.
AnswerD

The grouping config creates a single incident for alerts with matching entities within 5 hours.

Why this answer

The grouping configuration in the exhibit sets the grouping condition to 'Group alerts into a single incident if all entities match' with a 5-hour lookback period. This means that alerts generated within 5 hours that share identical entities (e.g., same IP, host, or account) will be merged into one incident, reducing alert noise. Option D correctly describes this behavior, as it specifies both the entity matching requirement and the time window.

Exam trap

The trap here is confusing the grouping lookback window with alert suppression or mistaking 'any entity matches' for 'all entities match,' which leads candidates to pick Option A or C instead of D.

How to eliminate wrong answers

Option A is wrong because it states 'if any entity matches,' but the configuration requires all entities to match, not any single entity. Option B is wrong because it describes creating a separate incident for each alert, which is the opposite of grouping; the configuration explicitly enables grouping. Option C is wrong because it refers to suppressing alerts for 5 hours after the first alert, which is a different feature (alert suppression) not related to grouping configuration; the 5-hour value here is the lookback window for grouping, not a suppression period.

488
Multi-Selecthard

Which THREE of the following are features of Microsoft Defender XDR that help manage a security operations environment?

Select 3 answers
A.Sentinel SIEM integration
B.Threat analytics
C.Automated investigation and response
D.Advanced hunting
E.Unified incident management
AnswersC, D, E

AIR is a key feature of Defender XDR.

Why this answer

Microsoft Defender XDR includes incident management, automated investigation and response, and advanced hunting. Threat analytics is a feature of Microsoft Defender for Endpoint, but not a core feature of XDR. Sentinel is a separate SIEM.

Custom detection rules are part of Defender XDR.

489
MCQeasy

Your organization uses Microsoft Defender for Cloud. You need to view a list of all security recommendations for your Azure subscriptions. Which blade should you use?

A.Workbooks
B.Regulatory Compliance
C.Inventory
D.Recommendations
AnswerD

This blade lists all security recommendations.

Why this answer

The Recommendations blade in Microsoft Defender for Cloud is the centralized hub that lists all security recommendations for your Azure subscriptions, including those from Azure Security Benchmark and custom initiatives. It provides a prioritized view of security posture improvements, such as remediating vulnerabilities or enabling encryption, directly actionable from the blade.

Exam trap

The trap here is that candidates confuse the Inventory blade (which shows resources and their security state) with the Recommendations blade (which shows the actionable list of security improvements), leading them to select Inventory instead of the correct Recommendations blade.

How to eliminate wrong answers

Option A is wrong because Workbooks are used for creating custom visualizations and reports from Azure Monitor data, not for viewing the list of security recommendations. Option B is wrong because Regulatory Compliance focuses on compliance scores and controls against standards like SOC 2 or ISO 27001, not the full set of security recommendations. Option C is wrong because Inventory shows a list of Azure resources and their security posture, but it does not display the aggregated list of recommendations; it is a resource-centric view, not a recommendation-centric one.

490
MCQmedium

You are reviewing the KQL query shown in the exhibit. What is the purpose of this query?

A.Count the number of high-severity alerts per hour
B.Return the timestamp of each high-severity alert
C.Identify high-severity alert names that occurred more than 10 times in the last 24 hours
D.List all high-severity incidents in the last 24 hours
AnswerC

The query filters, groups, and returns alert names with count > 10.

Why this answer

Option C is correct because the query filters high-severity alerts in the last 24 hours, groups by AlertName, and returns names with more than 10 alerts. Option A is wrong because the query counts by AlertName, not by time. Option B is wrong because the query returns AlertName and AlertCount, not timestamps. Option D is wrong because the query counts alerts, not incidents.

491
MCQeasy

Your organization uses Microsoft Sentinel with a pay-as-you-go pricing tier. You need to reduce costs by archiving older logs that are rarely accessed. Which action should you take?

A.Switch the Log Analytics workspace to Basic Logs tier for the Sentinel tables.
B.Configure a lifecycle management policy in Azure Storage to transition logs to the archive tier after the retention period.
C.Reduce the workspace retention period from 90 days to 30 days.
D.Create a Data Collection Rule to filter out logs before ingestion.
AnswerB

Archiving reduces cost while preserving data.

Why this answer

Option B is correct because Sentinel supports archiving logs to Azure Storage with lifecycle policies. Option A is wrong because Basic Logs still incur query costs and are not archival. Option C is wrong because decreasing retention deletes logs immediately. Option D is wrong because Data Collection Rules don't archive existing logs.

492
MCQhard

Your organization uses Microsoft Defender for Endpoint. You need to configure a device group that automatically assigns devices to the group based on their domain membership. Devices joined to 'contoso.com' should be in the 'Corporate' group, and all others in 'Non-Corporate'. What should you use?

A.Use a custom detection rule to move devices based on risk level.
B.Create a device group with a rule using the device tag 'Contoso' and assign tags via GPO.
C.Create two device groups and manually move devices.
D.Create a device group with a rule using the domain field 'contoso.com'.
AnswerB

Tags can be set via GPO and then device groups use tag rules.

Why this answer

Option B is correct because Microsoft Defender for Endpoint device groups can use device tags to automatically assign devices based on domain membership. By creating a device group with a rule that matches the device tag 'Contoso' and assigning that tag to domain-joined machines via Group Policy Object (GPO), you ensure that devices joined to 'contoso.com' are placed in the 'Corporate' group, while all others fall into the default 'Non-Corporate' group.

Exam trap

The trap here is that candidates assume the domain field can be used directly in device group rules, but Defender for Endpoint does not expose the domain attribute for rule creation; instead, you must use tags applied via GPO or other management tools to achieve domain-based grouping.

How to eliminate wrong answers

Option A is wrong because custom detection rules are used for creating custom alerts and automated actions based on threat indicators, not for assigning devices to groups based on domain membership. Option C is wrong because manually moving devices is not scalable and does not meet the requirement for automatic assignment based on domain membership. Option D is wrong because device group rules in Defender for Endpoint do not support filtering directly on the domain field; they support tags, device names, OS platforms, and other attributes, but not the domain field itself.

493
Multi-Selecteasy

Which TWO data sources can you connect to Microsoft Sentinel to ingest security logs? (Select TWO.)

Select 2 answers
A.Google Cloud Platform audit logs
B.Azure Active Directory (Microsoft Entra ID) audit logs
C.Amazon Web Services (AWS) CloudTrail
D.Trello activity logs
E.GitHub Actions logs
AnswersB, C

Sentinel has a connector for Azure AD logs.

Why this answer

Azure Active Directory (Microsoft Entra ID) audit logs are a native data source for Microsoft Sentinel. They can be connected directly via the Azure AD connector, which ingests sign-in logs, audit logs, and provisioning logs into the Log Analytics workspace. This integration is essential for monitoring identity-related security events and is a standard requirement for SC-200 scenarios.

Exam trap

The trap here is that candidates often assume any cloud or SaaS service can be connected via a generic API, but Microsoft Sentinel only supports specific, pre-built connectors for security-relevant sources like AWS CloudTrail and Azure AD, not for productivity tools like Trello or GitHub Actions logs.

494
MCQeasy

Your organization uses Microsoft Sentinel. You need to design a solution to automatically respond to a specific type of incident by sending an email to the SOC manager and creating a ticket in ServiceNow. What should you use?

A.Create an analytics rule that directly sends an email.
B.Create a workbook that triggers a webhook.
C.Create an automation rule that sends an email and creates a ticket.
D.Create a playbook in Microsoft Sentinel and trigger it with an automation rule.
AnswerD

Correct: Playbooks can integrate with external systems.

Why this answer

Option D is correct because playbooks (based on Logic Apps) can perform multiple actions like sending email and creating tickets. Option A is wrong because analytics rules only generate incidents. Option B is wrong because workbooks are for reporting. Option C is wrong because automation rules cannot directly integrate with external systems like ServiceNow.

495
Multi-Selecteasy

Which TWO roles can be used to manage Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Compliance Administrator
B.Microsoft Sentinel Responder
C.Security Reader
D.Global Administrator
E.Microsoft Sentinel Contributor
AnswersB, E

Responder role allows managing incidents and playbooks.

Why this answer

Options B and E are correct as they are built-in roles for Sentinel management. Option A is incorrect because Compliance Administrator has limited Sentinel access. Option C is incorrect because Security Reader is read-only. Option D is incorrect because Global Administrator has wide access but is not the primary role for Sentinel management.

496
MCQmedium

Your company has a hybrid identity environment with Microsoft Entra ID and on-premises Active Directory. You recently deployed Microsoft Defender for Identity (MDI) to monitor on-premises domain controllers. The SOC team needs to receive alerts from MDI in Microsoft Sentinel. You have already installed the MDI sensor on all domain controllers and confirmed that the MDI portal shows alerts. However, no MDI alerts appear in Sentinel. The Microsoft Defender for Identity data connector in Sentinel shows 'Connected'. What should you do next?

A.Update the MDI sensor to the latest version.
B.Enable the Microsoft 365 Defender connector in Sentinel, as MDI alerts are ingested through that connector.
C.Reconfigure the MDI data connector to select all alert severities.
D.Check the MDI sensor health status on each domain controller.
AnswerB

MDI alerts are part of Microsoft 365 Defender alerts and require the Microsoft 365 Defender connector.

Why this answer

Option B is correct because MDI alerts are ingested into Sentinel via the Microsoft 365 Defender connector, not the MDI connector directly. The MDI connector is for other data. Option A is not needed; Option C is incorrect because the connector is already connected; Option D is for sensor health, which is not the problem here.

497
MCQeasy

Your Microsoft Sentinel workspace is ingesting data from multiple sources. You need to ensure that data from a specific source is retained for 2 years while other data remains at the default retention. What should you do?

A.Create a custom table for that source and set its retention to 2 years.
B.Adjust the data ingestion settings for that source.
C.Set the workspace retention to 2 years.
D.Configure archiving for that source's data.
AnswerA

Custom tables allow per-table retention policies.

Why this answer

In Microsoft Sentinel, retention is set at the table level. By creating a custom table for the specific data source and configuring its retention period to 2 years, you can override the default workspace retention for that table only. This allows other tables to retain the default retention setting while the custom table retains data for the required duration.

Exam trap

The trap here is that candidates often assume retention is set globally at the workspace level, but Microsoft Sentinel allows per-table retention, which is the correct method for applying different retention policies to different data sources.

How to eliminate wrong answers

Option B is wrong because data ingestion settings (like data source connectors or diagnostic settings) control what data is collected, not how long it is retained. Option C is wrong because setting the workspace retention to 2 years would apply to all tables in the workspace, not just the specific source. Option D is wrong because archiving is a separate tier for older data (e.g., after the interactive retention period ends) and does not set a specific retention duration for a source; it complements retention but does not replace the need for table-level retention configuration.

498
MCQmedium

Your organization uses Microsoft Defender for Office 365. You need to create a custom alert that triggers when users receive external emails with attachments from untrusted domains. What should you configure?

A.Create an alert policy in Microsoft 365 Defender.
B.Create a mail flow rule in Exchange admin center.
C.Set up a conditional access policy in Microsoft Entra ID.
D.Configure a data sensitivity label in Microsoft Purview.
AnswerA

Alert policies can trigger on email events.

Why this answer

A custom alert policy in Microsoft 365 Defender can be configured to detect when users receive external emails with attachments from untrusted domains. This leverages the built-in threat detection capabilities of Defender for Office 365, allowing you to define conditions such as sender domain reputation and attachment presence, and trigger an alert when the criteria are met.

Exam trap

The trap here is that candidates often confuse alert policies (which detect and notify) with mail flow rules (which enforce actions like blocking or quarantining), leading them to choose Option B when the question specifically asks for creating a custom alert.

How to eliminate wrong answers

Option B is wrong because a mail flow rule (transport rule) in Exchange admin center can block or modify messages based on sender domain or attachment presence, but it cannot generate a custom alert in the Microsoft 365 Defender portal; it only applies actions during message transport. Option C is wrong because a conditional access policy in Microsoft Entra ID controls access to cloud apps based on user, device, or location signals, not email content or attachments from untrusted domains. Option D is wrong because a data sensitivity label in Microsoft Purview is used to classify and protect sensitive data (e.g., via encryption or visual markings), not to detect or alert on external emails with attachments from untrusted domains.

499
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to use Microsoft Copilot for Security to summarize an incident in Microsoft Defender XDR. What is the minimum role required?

A.Security Administrator
B.Reader
C.Security Reader
D.Global Administrator
AnswerC

Security Reader can read security data, which is sufficient for Copilot to summarize.

Why this answer

Option C is correct because the Security Reader role can view incidents but not edit them; Copilot for Security requires at least Security Reader to access incident data. Option A is for managing security settings. Option B is an Azure role, not a Microsoft 365 role. Option D is overly permissive for just viewing summaries.

500
MCQhard

You are managing Microsoft Defender XDR. The security team reports that some automated investigations are closing prematurely without sufficient evidence. You need to ensure that investigations only close when a minimum confidence level is reached. What should you modify?

A.Change the action center settings to require manual approval.
B.Modify the tenant-level advanced features in Microsoft Defender XDR.
C.Create a custom detection rule to override default behavior.
D.Adjust the automation level in the Microsoft 365 Defender security settings.
AnswerD

The automation level includes a confidence threshold for automatic closure.

Why this answer

In Defender XDR, you can set the automation level for investigations, including the confidence level required for automatic closure. Option D is correct. Option A is wrong because the action center handles manual actions.

Option B is wrong because this is not a tenant-level setting in that location. Option C is wrong because custom detection rules don't control investigation closure confidence.

501
MCQhard

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You discover that a user is performing unusual bulk downloads from SharePoint. You need to automatically create an incident in Sentinel and suspend the user in Microsoft Entra ID. What should you use?

A.Create a scheduled analytics rule in Sentinel and use automation rules to trigger a playbook that suspends the user.
B.Configure a Microsoft Entra ID Protection policy to require password reset for risky users.
C.Use a playbook triggered by an incident creation rule to suspend the user.
D.Configure a policy in Defender for Cloud Apps with a governance action to suspend the user.
AnswerA

Automation rules run playbooks, which can use Microsoft Graph to suspend the user.

Why this answer

A scheduled analytics rule in Sentinel can detect the unusual bulk download behavior from SharePoint (via ingested logs from Defender for Cloud Apps or Office 365 connector). An automation rule on that analytics rule triggers a playbook (Azure Logic App) that uses the Microsoft Graph API to suspend the user in Microsoft Entra ID, creating an incident automatically as part of the rule's configuration.

Exam trap

The trap here is that candidates assume Defender for Cloud Apps governance actions alone can satisfy both requirements, but they forget that creating a Sentinel incident requires an analytics rule and automation rule orchestration, not just a cloud app policy.

How to eliminate wrong answers

Option B is wrong because Microsoft Entra ID Protection policies focus on sign-in risk and user risk (e.g., leaked credentials, anonymous IP) but do not directly detect bulk download anomalies from SharePoint; they also cannot trigger a Sentinel incident. Option C is wrong because 'incident creation rule' is not a valid Sentinel construct—incidents are created by analytics rules, and playbooks are triggered by automation rules, not by a rule named 'incident creation rule'. Option D is wrong because while Defender for Cloud Apps can apply governance actions (like suspend user) directly, it does not automatically create an incident in Sentinel; the question requires both an incident in Sentinel AND user suspension, which requires the orchestration of a playbook.

502
MCQhard

You are configuring Microsoft Sentinel to ingest logs from a third-party firewall via Syslog. The data connector shows 'Connected' but no events are being received. You have verified network connectivity and firewall configuration. What should you check next?

A.Validate that the Data Collection Rule (DCR) is properly configured to ingest the Syslog facility and severity.
B.Verify that the connector has the necessary OAuth permissions in Microsoft Entra ID.
C.Check that the user who configured the connector has the Microsoft Sentinel Contributor role.
D.Ensure the firewall is registered in Azure Policy as a compliant resource.
AnswerA

The DCR defines how logs are ingested; if misconfigured, events may not appear.

Why this answer

Option A is correct because when a Syslog data connector shows 'Connected' but no events are received, the most common cause is a misconfigured Data Collection Rule (DCR). The DCR defines which Syslog facilities and severities to collect; if it does not match the firewall's actual Syslog output (e.g., facility 'local0' with severity 'informational'), events will be filtered out before ingestion. Network connectivity and firewall configuration are already verified, so the DCR is the next logical check.

Exam trap

The trap here is that candidates assume 'Connected' means data is flowing, but in Syslog connectors, 'Connected' only indicates the agent can reach the Log Analytics workspace—the DCR's filtering logic is the hidden gate that stops events from being ingested.

How to eliminate wrong answers

Option B is wrong because Syslog data connectors do not use OAuth permissions; they rely on the Log Analytics agent or Azure Monitor Agent (AMA) and a DCR, not Microsoft Entra ID authentication. Option C is wrong because the connector configuration does not require the user to have the Microsoft Sentinel Contributor role; the connector setup uses the Log Analytics workspace permissions, and the role is irrelevant to event ingestion. Option D is wrong because Azure Policy compliance is unrelated to Syslog ingestion; firewalls are not registered in Azure Policy as resources, and policy compliance does not affect data flow from on-premises or third-party devices.

503
MCQmedium

Your organization uses Microsoft Defender for Cloud. You need to recommend a solution to automatically remediate misconfigurations in Azure VMs without manual intervention. What should you use?

A.Use Azure Advisor recommendations
B.Configure Azure Backup
C.Set up Update Management in Azure Automation
D.Enable 'Remediate' option in Defender for Cloud recommendations
AnswerD

Automates remediation using Azure Policy.

Why this answer

Microsoft Defender for Cloud's 'Remediate' option in security recommendations can automatically apply fixes via Azure Policy's 'deployIfNotExists' effect. Option D is correct. Option A is a manual tool.

Option B is for backup, not remediation. Option C is for patching, not all misconfigurations.

504
MCQeasy

Your organization has recently deployed Microsoft Sentinel and Microsoft Defender XDR. You are tasked with configuring the environment to ensure that incidents created by Microsoft Defender for Cloud Apps are automatically synchronized to Microsoft Sentinel. The security operations team wants to manage all incidents from within Sentinel. You have already connected the Microsoft Defender XDR connector to Sentinel. However, you notice that incidents from Defender for Cloud Apps are not appearing in Sentinel. You verify that the Defender for Cloud Apps connector is not listed in the data connectors blade. What should you do to resolve this issue?

A.Enable the Microsoft Sentinel integration in the Defender for Cloud Apps portal.
B.Configure a data collection rule in Microsoft Purview to forward alerts to Sentinel.
C.Install the Microsoft Defender for Cloud Apps connector from Sentinel data connectors.
D.Ensure the Microsoft Defender XDR connector is configured to include Defender for Cloud Apps incidents.
AnswerD

The Defender XDR connector automatically includes incidents from Defender for Cloud Apps.

Why this answer

When Microsoft Defender XDR connector is enabled in Sentinel, it can ingest incidents from all Microsoft Defender products, including Defender for Cloud Apps, provided the connector's configuration includes the option to synchronize those incidents. Since the Defender for Cloud Apps connector is not listed separately, the correct approach is to verify and adjust the Microsoft Defender XDR connector's settings to include Defender for Cloud Apps incidents. Option D directly addresses this by ensuring the existing connector is configured to forward those incidents.

Exam trap

The trap here is that candidates assume each Microsoft Defender product requires its own dedicated data connector in Sentinel, when in fact the Microsoft Defender XDR connector serves as the unified ingestion point for all Defender incidents, including those from Defender for Cloud Apps.

How to eliminate wrong answers

Option A is wrong because enabling the Sentinel integration in the Defender for Cloud Apps portal is used to send alerts from Defender for Cloud Apps to Sentinel via a legacy method, but when the Microsoft Defender XDR connector is already connected, incidents flow through the unified Microsoft 365 Defender pipeline, not through a separate portal toggle. Option B is wrong because data collection rules in Microsoft Purview are used for managing data lifecycle and compliance, not for forwarding security alerts or incidents to Sentinel. Option C is wrong because the Defender for Cloud Apps connector is not listed in the data connectors blade; this indicates that incidents from Defender for Cloud Apps are ingested through the Microsoft Defender XDR connector, not through a standalone connector.

505
MCQmedium

Your organization uses Microsoft Defender XDR. You need to ensure that when a user reports a phishing email in Outlook, it automatically triggers an investigation in Microsoft Defender XDR. What should you configure?

A.Enable user-reported message settings in Microsoft Defender for Office 365 and configure automated investigation.
B.Create a playbook in Microsoft Sentinel triggered by a custom connector.
C.Configure a data loss prevention policy in Microsoft Purview.
D.Set up a session policy in Microsoft Defender for Cloud Apps.
AnswerA

User-reported messages can trigger automated investigation and response.

Why this answer

Option A is correct because Microsoft Defender for Office 365's reporting and automation can trigger automated investigation and response (AIR) when users report phishing. Option B is incorrect because Microsoft Sentinel is not directly integrated with Outlook reporting. Option C is incorrect because Microsoft Purview is for compliance.

Option D is incorrect because Microsoft Defender for Cloud Apps focuses on cloud apps.

506
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that all incidents are classified with a specific classification when closed. The classification must be chosen from a predefined list. What should you configure?

A.Modify the analytics rule to require classification.
B.Create a playbook that validates classification before closure.
C.Create an automation rule that enforces classification on closure.
D.Configure incident settings in Sentinel to define custom classifications.
AnswerD

Correct: Sentinel allows you to define custom classifications.

Why this answer

Option D is correct because you can create a custom classification in the Sentinel settings under 'Incident settings'. Option C is wrong because automation rules can set a classification but not define the list. Option B is wrong because playbooks can set a classification but not define the options.

Option A is wrong because analytics rules don't handle incident closure.

507
MCQeasy

Your SOC team uses Microsoft Sentinel workbooks to monitor the security posture. One workbook shows a chart of incidents by severity over the last 7 days. The workbook uses a KQL query that queries the SecurityIncident table. Recently, the workbook stopped displaying data. You check the workspace and confirm that incidents are being created and are visible in the Sentinel portal. You also verify that the workbook has not been modified. What is the most likely cause?

A.The workbook was accidentally deleted and needs to be re-created.
B.The workspace has been switched to a different pricing tier that does not support workbooks.
C.The Log Analytics workspace linked to the workbook has been moved or renamed.
D.The KQL query in the workbook has a syntax error.
AnswerC

Workbooks are tied to a specific workspace; if the workspace is moved, the workbook loses its data source.

Why this answer

Option C is correct because workbooks rely on the Log Analytics workspace for queries. If the workspace was moved to a different resource group or subscription, the workbook may lose its connection. Option A is wrong because the workbook has not been modified.

Option D is wrong because the query is fine; data is being ingested. Option B is wrong because a different pricing tier does not affect workbook functionality.

508
MCQeasy

You are a security analyst at a company that uses Microsoft Defender for Cloud Apps. You receive an alert that an anomalous activity was detected from a user's device. You need to investigate the activity to determine if it is a true positive. What should you do first?

A.Use Microsoft Power BI to analyze user activity data.
B.In the Microsoft Defender for Cloud Apps portal, open the alert and then click 'View activity' to see the detailed activity log.
C.Open the user's page in Microsoft Entra ID to review sign-in logs.
D.Create an IP address range policy to block the user's IP.
AnswerB

This is the direct way to investigate the specific activity.

Why this answer

Option B is correct because the first step in investigating an anomalous activity alert in Microsoft Defender for Cloud Apps is to open the alert and click 'View activity' to examine the detailed activity log. This log provides the raw telemetry—such as IP address, user agent, timestamp, and activity type—needed to determine if the behavior is malicious or benign. Without reviewing this evidence, you cannot make an informed judgment about the alert's validity.

Exam trap

The trap here is that candidates confuse the investigation phase with the remediation phase, incorrectly choosing to block the IP (Option D) or review sign-in logs (Option C) before examining the actual activity details that confirm the threat.

How to eliminate wrong answers

Option A is wrong because Microsoft Power BI is a business analytics tool for visualizing data, not a security investigation interface; it cannot directly access the granular activity logs within Defender for Cloud Apps alerts. Option C is wrong because reviewing sign-in logs in Microsoft Entra ID only shows authentication events, not the full activity context (e.g., file downloads, app permissions) that Defender for Cloud Apps captures for anomaly detection. Option D is wrong because creating an IP address range policy to block the user's IP is a reactive remediation step, not a first investigative action; you must first confirm the activity is malicious before applying blocking policies.

509
MCQmedium

Your organization has deployed Microsoft Sentinel and configured a workspace with data connectors for Microsoft 365 Defender, Azure Activity, and Office 365. You need to ensure that security incidents are automatically assigned to the appropriate analyst based on the incident type. What should you configure?

A.Create a playbook triggered by incident creation that assigns the incident to a user based on the incident title.
B.Add a watchlist that maps incident types to analyst email addresses and configure a scheduled analytics rule.
C.Create an automation rule that runs when an incident is created, with conditions on the incident title, and an action to assign the incident to a specific owner.
D.Configure a Microsoft 365 Defender incident assignment rule in the Microsoft 365 Defender portal.
AnswerC

Automation rules can assign incidents based on conditions like title or severity.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel allow you to define conditions (e.g., incident title containing specific keywords) and actions (e.g., assign incident to a specific owner) that run automatically when an incident is created. This directly meets the requirement to assign incidents to the appropriate analyst based on incident type without manual intervention.

Exam trap

The trap here is that candidates often confuse automation rules with playbooks or think that Microsoft 365 Defender incident assignment rules can manage all Sentinel incidents, but automation rules are the correct native mechanism for incident assignment within Sentinel across all data connectors.

How to eliminate wrong answers

Option A is wrong because playbooks triggered by incident creation can assign incidents, but they require custom logic and are more complex than necessary; automation rules provide a simpler, native way to assign incidents based on conditions. Option B is wrong because watchlists are used for correlation and enrichment in analytics rules, not for assigning incidents; scheduled analytics rules generate alerts, not incidents, and cannot assign ownership. Option D is wrong because Microsoft 365 Defender incident assignment rules apply only to incidents generated within the Microsoft 365 Defender portal, not to incidents ingested into Microsoft Sentinel from other connectors like Azure Activity or Office 365.

510
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that an Azure function app can send custom logs to a Log Analytics workspace. What should you configure?

A.Threat intelligence data connector
B.Diagnostic settings on the function app
C.Data collection rule (DCR) with Azure Monitor Agent
D.Microsoft Sentinel automation rule
AnswerC

DCRs define how to collect and transform data from sources like function apps.

Why this answer

The Log Analytics agent (now replaced by Azure Monitor Agent) is used to send custom logs from a function app to Log Analytics. Option C is correct. Option D is for automation, not ingestion.

Option A is for threat intelligence, not custom logs. Option B is for exporting data, not ingestion.

511
MCQeasy

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What is the purpose of the query?

A.To list all incidents in the last 7 days
B.To count alerts by severity over the last week
C.To find the most recent high-severity alert
D.To identify hunting results
AnswerB

Summarize count by AlertSeverity.

Why this answer

The query counts alerts by severity over the last 7 days and orders by severity descending. Option B is correct. Option A is wrong because the query is about alerts, not incidents.

Option C is wrong because it refers to a single alert. Option D is wrong because it refers to hunting results.

512
Multi-Selecteasy

You are managing Microsoft Defender for Cloud Apps. Which TWO actions can be performed using the Microsoft Defender XDR integration?

Select 2 answers
A.Quarantine malicious emails.
B.Investigate user activities across cloud apps.
C.Govern discovered apps with access policies.
D.Manage device compliance policies in Microsoft Intune.
E.Onboard devices to Microsoft Defender for Endpoint.
AnswersB, C

Defender XDR provides a unified investigation experience.

Why this answer

Defender for Cloud Apps integrated with Defender XDR allows governing apps and investigating user activities. Options B and C are correct. Option E (onboarding devices) is for Defender for Endpoint.

Option A (quarantining emails) is for Defender for Office 365. Option D (managing Intune devices) is separate.

513
Multi-Selectmedium

Your organization uses Microsoft Sentinel with the Azure Activity connector. Which TWO actions should you take to ensure that all subscription-level activity logs are being ingested into Sentinel?

Select 2 answers
A.Install the Azure Activity solution from the content hub.
B.Enable diagnostic settings on each subscription to stream logs to the Sentinel Log Analytics workspace.
C.Assign the 'Reader' role to the Sentinel managed identity on each subscription.
D.Configure the Azure Activity data connector to include all subscriptions.
E.Use the Azure Policy initiative to deploy the connector.
AnswersC, D

The managed identity needs Reader permission to read activity logs.

Why this answer

Options C and D are correct because the connector must have the required permissions and be configured for the correct subscriptions. Option A is not needed for Activity logs; Option B is for diagnostic settings, which is not necessary; Option E is incorrect.

514
MCQhard

Your SOC uses Microsoft Sentinel with multiple workspaces for different business units. You want to create a single dashboard that shows key performance indicators (KPIs) across all workspaces. Which approach minimizes complexity and query latency?

A.Export data to Azure Data Explorer and build the dashboard there.
B.Ingest all logs into a single workspace and create the dashboard there.
C.Use Power BI to query each workspace separately and combine data.
D.Use cross-workspace queries in a single dashboard that references all workspaces.
AnswerD

Cross-workspace queries allow real-time aggregation without moving data.

Why this answer

Option D is correct because cross-workspace queries in a single dashboard are efficient and avoid data duplication. Option B is wrong because consolidating into a single workspace for dashboards adds complexity and latency. Option A is wrong because Azure Data Explorer is not needed for this simple aggregation.

Option C is wrong because Power BI would require data export, adding latency.

515
MCQmedium

You are a security operations analyst for a company that uses Microsoft Sentinel and Microsoft Defender for Cloud. You have configured the Microsoft Defender for Cloud connector to stream security alerts into Sentinel. However, you notice that some alerts from Defender for Cloud are not appearing in Sentinel. You have verified that the connector is enabled and the subscription is connected. The missing alerts are of the type 'Security misconfiguration' from Azure Policy. You need to ensure all alerts appear in Sentinel. What should you do?

A.Create a custom analytics rule to detect misconfigurations.
B.Re-enable the Microsoft Defender for Cloud data connector.
C.Enable the Defender for Cloud plan on the subscription in Azure Policy.
D.Create a new Microsoft Defender for Cloud data connector for the same subscription.
AnswerC

Required for policy-based alerts to be generated.

Why this answer

The 'Security misconfiguration' alerts from Azure Policy are generated only when the Defender for Cloud plan is enabled on the subscription. The Microsoft Defender for Cloud data connector streams alerts from Defender for Cloud into Sentinel, but if the Defender for Cloud plan is not enabled, those specific policy-based alerts are never generated. Enabling the Defender for Cloud plan on the subscription in Azure Policy ensures that Azure Policy evaluations produce security misconfiguration alerts, which are then ingested by the connector into Sentinel.

Exam trap

The trap here is that candidates assume the data connector is the sole pipeline for all Defender for Cloud alerts, but they overlook that certain alert types (like security misconfigurations) require the Defender for Cloud plan to be explicitly enabled on the subscription to generate those alerts in the first place.

How to eliminate wrong answers

Option A is wrong because creating a custom analytics rule in Sentinel detects events already in the workspace, but it does not generate the missing alerts from Azure Policy; the alerts must first be produced by Defender for Cloud. Option B is wrong because re-enabling the connector does not address the root cause—the connector is already enabled and the subscription is connected, but the alerts are not being generated due to the missing Defender for Cloud plan. Option D is wrong because creating a new data connector for the same subscription is redundant and does not enable the Defender for Cloud plan required to produce the security misconfiguration alerts.

516
Multi-Selectmedium

Your organization uses Microsoft Sentinel and wants to reduce alert fatigue. Which TWO actions should you take to improve the quality of incidents?

Select 2 answers
A.Create separate incidents for each alert.
B.Create automation rules to close all low-severity incidents automatically.
C.Configure alert grouping in analytics rules to combine related alerts into one incident.
D.Use suppression and tuning rules to filter out known benign activity.
E.Increase the severity of all low-severity alerts to high.
AnswersC, D

Grouping reduces the number of incidents and correlates related alerts.

Why this answer

Options C and D are correct because grouping related alerts into incidents and using tuning rules reduce noise. Option A increases noise; Option B is for automation, not quality; Option E is not recommended.

517
Multi-Selecthard

Which TWO steps are necessary to configure Microsoft Sentinel to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created?

Select 2 answers
A.Create a playbook that uses the Microsoft Entra ID 'Disable user' action.
B.Create an automation rule that triggers the playbook when a high-severity incident is created.
C.Enable the Microsoft Defender XDR connector.
D.Enable the Microsoft Entra ID Protection data connector.
E.Create an analytics rule that detects compromised user accounts.
AnswersA, B

The playbook performs the remediation.

Why this answer

Option A is correct because a playbook with a Microsoft Entra ID action can disable the user. Option B is correct because an automation rule triggers the playbook when an incident is created. Option E is wrong because analytics rules create incidents but don't trigger remediation.

Option D is wrong because the Microsoft Entra ID Protection connector is not required; the playbook can connect directly. Option C is wrong because the Microsoft Defender XDR connector is not needed for this scenario.

518
Multi-Selecteasy

Which TWO are supported methods to ingest syslog data into Microsoft Sentinel?

Select 2 answers
A.Common Event Format (CEF) connector
B.Logstash output plugin
C.Azure Event Hubs
D.Syslog connector using Azure Monitor Agent (AMA)
E.Direct Azure Monitor Agent ingestion without connector
AnswersA, D

CEF is a syslog format.

Why this answer

The Common Event Format (CEF) connector is a supported method because it uses a syslog daemon on a Linux log collector to receive CEF-formatted syslog messages over UDP/TCP (port 514 or 25226) and forwards them to the Log Analytics workspace via the Log Analytics agent. This connector specifically parses CEF headers and maps fields to Sentinel's schema, making it a native ingestion path for security appliances like Palo Alto Networks or Fortinet.

Exam trap

The trap here is that candidates confuse Azure Event Hubs as a direct ingestion method for syslog data, when it is actually a transport layer that requires additional components (like a syslog collector or Logstash) to forward data to Sentinel.

519
MCQmedium

Your organization uses Microsoft Sentinel and you have configured a fusion analytics rule for advanced multistage attack detection. You notice that the rule is generating a high number of false positives. What should you do to reduce the false positives without disabling the rule?

A.Disable the fusion rule and create custom analytics rules
B.Add entity exclusions to the fusion rule configuration
C.Modify the fusion rule’s incident creation conditions
D.Reduce the severity threshold for the fusion rule
AnswerB

Fusion rules allow exclusions to reduce false positives.

Why this answer

Option B is correct because fusion rules support tuning by excluding specific entities or alert types. Option A is wrong because disabling the rule is not desired. Option D is wrong because reducing the severity does not reduce false positives.

Option C is wrong because the fusion rule is a built-in rule; its incident creation conditions cannot be edited.

520
MCQeasy

Your organization uses Microsoft Defender XDR to protect endpoints. You need to ensure that all endpoints are reporting to the Defender for Endpoint service and that any devices that have not checked in for more than 7 days are flagged. You have created a custom detection rule in Microsoft Sentinel that queries the DeviceInfo table and generates an incident for devices with a last check-in time older than 7 days. After a week, you notice that no incidents have been generated, even though you know there are some inactive devices. You verify that the DeviceInfo table is populated with data. What is the most likely issue?

A.The KQL query has a logic error, such as using 'where LastSeen > ago(7d)' instead of 'where LastSeen < ago(7d)'.
B.The Microsoft Defender XDR connector is not configured to send DeviceInfo data.
C.The DeviceInfo table requires a special license to query.
D.The analytics rule is not enabled.
AnswerA

Incorrect comparison operator would result in no matching devices.

Why this answer

Option A is correct because the time filter in the query might be applied in the wrong direction, for example using 'where LastSeen > ago(7d)' instead of 'where LastSeen < ago(7d)', which matches devices seen within the last 7 days rather than devices not seen for more than 7 days. Option B is wrong because data is being ingested.

Option D is wrong because the rule is enabled. Option C is wrong because the table is populated.

521
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Entra ID. You need to implement a solution that automatically disables a user account in Microsoft Entra ID when a high-severity incident involving that user is created in Sentinel. The solution must also send a notification to the security team. You have a playbook that disables the user and sends an email. What should you configure to trigger the playbook?

A.Configure the playbook to run on a schedule and query incidents.
B.Create a workbook that triggers the playbook when a high-severity incident appears.
C.Create an automation rule that runs when an incident is created with severity High and triggers the playbook.
D.Configure the playbook as a response action in the analytics rule that generates the incident.
AnswerC

Correct: Automation rules can trigger playbooks on incident creation.

Why this answer

Option C is correct because automation rules can trigger playbooks on incident creation with conditions. Option D is wrong because analytics rules trigger playbooks on alert creation, not incident creation. Option A is wrong because playbooks must be triggered by automation rules or analytics rules, not run on a schedule.

Option B is wrong because workbooks cannot trigger playbooks.

522
MCQmedium

Your Microsoft Sentinel environment is not generating incidents from a custom KQL detection rule. The rule runs successfully in the Log Analytics query editor but no incidents appear. What is the most likely cause?

A.The rule's alert grouping settings are misconfigured
B.The rule is set to create alerts but not incidents
C.The rule's query schedule is too long
D.The rule does not have entity mapping configured
AnswerD

Entity mapping is required for incident creation from custom rules.

Why this answer

The most likely cause is that the rule is set to create alerts but not incidents. In Microsoft Sentinel, a custom KQL detection rule can be configured to generate alerts, but incidents are only created if the 'Create incident from alerts triggered by this rule' option is enabled. Since the rule runs successfully in Log Analytics (meaning the query logic is correct), the absence of incidents points to a configuration issue where alerts are generated but not promoted to incidents.

Exam trap

The trap here is that candidates often assume a successful query execution guarantees incident creation, but they overlook the separate incident creation toggle, which is a distinct configuration step in the analytics rule wizard.

How to eliminate wrong answers

Option A is wrong because alert grouping settings control how alerts are grouped into a single incident (e.g., by entity or time window), but they do not prevent incidents from being created entirely; if incidents are enabled, misconfigured grouping might cause unexpected grouping, not a total absence of incidents. Option B is wrong because this is the correct description of the issue—the rule is set to create alerts but not incidents, which directly explains why no incidents appear despite successful query execution. Option C is wrong because a long query schedule (e.g., running every 24 hours) would delay incident creation but not prevent it; incidents would still appear after the scheduled run if the rule is configured to create them.

523
MCQmedium

Your organization uses Microsoft Defender for Identity. You need to receive alerts when suspicious LDAP queries are detected. What should you configure?

A.Set up an anomaly detection policy in Microsoft Defender for Cloud Apps.
B.Configure alert rules in Microsoft Defender for Identity.
C.Assign the Security Administrator role in Microsoft Entra ID.
D.Create a custom sensitivity label in Microsoft Purview.
AnswerB

Defender for Identity has built-in alert rules for LDAP reconnaissance.

Why this answer

Option B is correct because Microsoft Defender for Identity includes a set of default alert rules that cover LDAP queries. Option A is incorrect because Microsoft Purview is for compliance. Option C is incorrect because Microsoft Defender for Cloud Apps is for cloud apps.

Option D is incorrect because Microsoft Entra ID roles are for identity governance.

524
MCQmedium

Your organization has Microsoft Defender for Cloud Apps and Microsoft Sentinel integrated. The security team wants to receive alerts when a user's activity from an anonymous IP address exceeds a certain risk score. What should you configure in Defender for Cloud Apps?

A.Anomaly detection policy
B.File policy
C.Activity policy
D.App discovery policy
AnswerC

Activity policies can monitor and alert on specific user activities based on conditions like IP category and risk score.

Why this answer

Option C is correct because activity policies in Defender for Cloud Apps allow you to monitor and alert on specific user activities, such as those from anonymous IP addresses, and can trigger alerts based on risk score thresholds. Option A is wrong because anomaly detection policies detect unusual behavior patterns, not specific activity from anonymous IPs. Option B is wrong because app discovery policies are for discovering cloud apps, not user activities.

Option D is wrong because file policies are for monitoring file access and sharing.

525
MCQhard

You are reviewing the ARM template snippet shown in the exhibit. What is the purpose of this template?

A.Create a workbook in Azure Monitor
B.Create an analytics rule in Microsoft Sentinel
C.Create a saved search in a Log Analytics workspace
D.Create a data connector in Microsoft Sentinel
AnswerC

The resource type is savedSearches, which creates a saved search.

Why this answer

Option A is correct because the template creates a saved search (which is a query) in a Log Analytics workspace. Option B is wrong because it creates a saved search, not a workbook. Option C is wrong because it creates a saved search, not an analytics rule.

Option D is wrong because it creates a saved search, not a data connector.
