CCNA Manage a security operations environment Questions

29 of 554 questions · Page 8/8 · Manage a security operations environment · Answers revealed

526
MCQeasy

Refer to the exhibit. You deploy this ARM template to your subscription. After deployment, you cannot find the saved search 'Test Search' in the Microsoft Sentinel workspace. What is the most likely reason?

A.The resource type should be for analytics rules, not saved searches.
B.The query 'Heartbeat | summarize Count() by Computer' is invalid.
C.The apiVersion is incorrect.
D.The name concatenation is missing a parameter.
AnswerA

Sentinel uses alertRules, not savedSearches.

Why this answer

Option A is correct because the ARM template deploys a resource of type 'Microsoft.OperationsManagement/solutions' with a saved search, but Microsoft Sentinel does not use saved searches for analytics rules. In Sentinel, detection rules are created as 'Microsoft.SecurityInsights/alertRules', not as saved searches under a Log Analytics workspace. The template's resource type is mismatched for the intended functionality, so the saved search 'Test Search' will not appear as a Sentinel analytics rule.

Exam trap

The trap here is that candidates assume any KQL query deployed via ARM template in a Log Analytics workspace will automatically appear as a Sentinel analytics rule, but Microsoft requires the correct resource provider and type for Sentinel-specific features.

How to eliminate wrong answers

Option B is wrong because the query 'Heartbeat | summarize Count() by Computer' is syntactically valid KQL and would execute successfully in Log Analytics; it is not the reason the saved search is missing. Option C is wrong because the apiVersion '2015-11-01-preview' is a valid and supported version for Log Analytics saved searches and solutions; an incorrect apiVersion would cause a deployment error, not a silent failure to find the search. Option D is wrong because the name concatenation '[concat(parameters('workspaceName'), '/', variables('savedSearchName'))]' is correctly formatted and includes all required parameters; missing a parameter would cause a deployment failure, not a missing search.

527
MCQhard

You are the security operations lead for a multinational company that uses Microsoft Sentinel in a single workspace. You have recently onboarded 10 new business units, each with their own analytics rules and automation. The security team is overwhelmed by the number of low-fidelity incidents generated. You need to reduce noise without disabling critical detections. You must ensure that each business unit retains ownership of their incidents and can customize their own suppression rules. You also need centralized reporting on incident trends across all business units. You have identified that many low-fidelity alerts come from a common set of data sources. What should you do?

A.Disable the data connectors that produce the most noise.
B.Create an automation rule that automatically closes low-severity incidents.
C.Create a separate analytics rule for low-fidelity alerts that uses alert suppression to group similar alerts.
D.Create a workbook that filters out low-severity incidents from the dashboard.
AnswerC

Alert suppression reduces noise while maintaining detection capability.

Why this answer

Option C is correct because creating a separate analytics rule for low-fidelity alerts with alert suppression enabled allows you to group similar alerts into a single incident, reducing noise without disabling the underlying data connectors or critical detections. This approach preserves each business unit's ownership of their incidents and enables them to customize suppression rules via automation rules or analytics rule settings, while centralized reporting on incident trends remains intact because the workspace still ingests all alerts.

Exam trap

The trap here is that candidates often confuse reducing noise with simply hiding or closing incidents after they are generated, rather than preventing the noise at the analytics rule level through alert suppression, which is the only option that reduces incident volume while preserving data fidelity and per-unit customization.

How to eliminate wrong answers

Option A is wrong because disabling data connectors that produce noise would also remove all alerts from those sources, potentially disabling critical detections that rely on the same data, and it does not allow per-business-unit customization. Option B is wrong because automatically closing low-severity incidents via an automation rule does not reduce the number of incidents generated; it only closes them after creation, still overwhelming the queue and potentially hiding legitimate low-severity incidents that require investigation. Option D is wrong because creating a workbook that filters out low-severity incidents only changes the dashboard view, not the actual incident generation or noise reduction, and it does not address the root cause of excessive low-fidelity alerts.

528
MCQhard

The exhibit shows a KQL query used in a Microsoft 365 Defender custom detection rule. The query is intended to detect encoded PowerShell commands executed in the last hour. However, the detection rule is not generating any alerts even though the SOC knows that encoded PowerShell commands are being executed. Which modification would most likely fix the detection rule?

A.Change `contains` to `has` for better performance and accuracy.
B.Add a condition to also look for `-EncodedCommand` in the command line.
C.Modify the query to use `project-away` instead of `project`.
D.Replace `FileName == "powershell.exe"` with `InitiatingProcessFileName == "powershell.exe"`.
AnswerB

The `-enc` flag is an alias for `-EncodedCommand`, but the query should explicitly check for `-EncodedCommand` to ensure detection of all variations.

Why this answer

The query uses `contains` which is case-insensitive, but the problem is that the rule might be running on a different time range or the query may not be scheduled to run frequently enough. However, the most likely issue is that the query uses `Project` instead of `project` (case sensitivity in KQL is not an issue), but actually KQL is case-insensitive for keywords. A common mistake is that the query uses `project` correctly.

Actually, the issue might be that the detection rule is not including the right data source or the query is not scheduled. But given the options, the most plausible fix is to change `contains` to `has` because `contains` will match substrings like "-encodedcommand" but also "-enc" inside other words, but the real issue might be that the query is not using `has_any` for performance. However, among the options, the correct one is to add a condition to filter on `InitiatingProcessFileName` to ensure only powershell.exe is considered? No, the query already filters on FileName.

Let's re-analyze: The query uses `DeviceProcessEvents` which is from Microsoft 365 Defender. The detection rule might not be triggering because the query uses `ago(1h)` which is relative to the time the query runs, but if the rule runs every hour, it might miss events that happen just after the query runs. However, the rule should include all events from the last hour.

The more likely issue is that the query uses `contains "-enc"` which will match any string containing "-enc", but the encoded command flag in PowerShell is "-EncodedCommand". However, the query also checks for "-e" which would match many commands. But the real problem might be that the query is not filtering out legitimate uses.

Option A is correct because the query should also look for the `-EncodedCommand` parameter explicitly. Option B is wrong because using `has` instead of `contains` would be more accurate but not the main issue. Option C is wrong because the query already filters on FileName.

Option D is wrong because the query already uses Project.

529
MCQhard

Refer to the exhibit. An automation rule in Microsoft Sentinel is configured as shown. When a high-severity incident is created, what is the expected behavior?

A.All actions execute successfully: task created, playbook runs, incident owner set to SOC-Tier1.
B.The rule fails to run because the actions are not in valid JSON format.
C.The task is created, then the playbook runs, but the incident modification fails because the owner is incorrectly formatted.
D.The playbook runs first, then the task is created, then the incident is modified.
AnswerC

The owner field should be an object with objectId and email.

Why this answer

Option C is correct because the automation rule in Microsoft Sentinel executes actions sequentially. The task creation and playbook run succeed, but the incident modification fails because the owner field is incorrectly formatted. Sentinel expects the incident owner to be specified as a user principal name (UPN) or object ID, not a plain text string like 'SOC-Tier1'.

Exam trap

The trap here is that candidates assume all actions in an automation rule execute independently and ignore the specific formatting requirements for the incident owner field, leading them to select Option A or D.

How to eliminate wrong answers

Option A is wrong because the incident modification action fails due to the invalid owner format, so not all actions execute successfully. Option B is wrong because the rule actions are defined in the Sentinel UI as structured JSON, which is valid; the failure is due to runtime validation of the owner value, not JSON syntax. Option D is wrong because the actions execute in the order listed in the rule: task creation first, then playbook, then incident modification; the playbook does not run first.

530
MCQeasy

Your SOC team receives a high-priority incident related to a potential malware outbreak. You need to quickly identify all affected devices and users across the environment. What Microsoft Defender XDR feature should you use?

A.Advanced hunting
B.Action center
C.Incident graph
D.Microsoft Sentinel workbook
AnswerC

The incident graph provides a visual representation of the attack story.

Why this answer

Option B is correct because the incident graph visually maps the relationships between alerts, devices, users, and entities. Option A is wrong because advanced hunting is query-based and slower for immediate triage. Option C is wrong because action center is for remediation actions.

Option D is wrong because a workbook is for reporting.

531
MCQmedium

You are a security analyst. You notice that Microsoft Sentinel is not receiving logs from Microsoft 365 Defender incidents. The diagnostic settings in Microsoft 365 Defender are configured to send data to the Sentinel workspace. What should you check first?

A.Check if the Microsoft Sentinel solution is installed.
B.Verify that the Log Analytics workspace is in the same region as the Sentinel workspace.
C.Ensure the Microsoft 365 Defender data connector in Microsoft Sentinel is enabled.
D.Check the 'SecurityIncident' table schema for missing columns.
AnswerC

The connector must be enabled to receive the data.

Why this answer

Option C is correct because the Microsoft Sentinel data connector for Microsoft 365 Defender must be enabled to ingest the incidents. Options A and B are irrelevant for data ingestion. Option D is for table schema, not ingestion.

532
MCQmedium

You are a security analyst for a company that uses Microsoft Defender XDR. You receive a high-severity incident indicating that a user's device has been compromised with a remote access trojan (RAT). The incident is automatically generated by Microsoft Defender XDR. You need to contain the threat immediately while preserving forensic data. You also need to ensure that the user can continue working with minimal disruption. What should you do?

A.Initiate device isolation from Microsoft Defender XDR.
B.Restore the device from a recent backup.
C.Run a full antivirus scan on the device.
D.Reset the user's password and force a sign-out.
AnswerA

Isolation contains the threat and preserves evidence.

Why this answer

Option A is correct because initiating device isolation from Microsoft Defender XDR immediately disconnects the device from the network while preserving forensic data on the device. This contains the RAT's command-and-control communication without disrupting the user's ability to work offline, and it allows the security team to investigate the compromised device without risk of lateral movement or data exfiltration.

Exam trap

The trap here is that candidates may choose a reactive remediation step like running a scan or resetting credentials, failing to recognize that immediate containment via network isolation is the priority to stop active compromise while preserving evidence.

How to eliminate wrong answers

Option B is wrong because restoring from a recent backup would overwrite existing forensic data, potentially destroying evidence of the RAT's installation and persistence mechanisms, and it does not contain the active threat in real time. Option C is wrong because running a full antivirus scan is a reactive, time-consuming step that does not immediately stop the RAT from communicating or spreading; the threat remains active during the scan. Option D is wrong because resetting the user's password and forcing a sign-out does not address the device-level compromise; the RAT would still be present on the device and could re-establish access or capture new credentials.

533
MCQmedium

Your organization has deployed Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all Defender XDR incidents are automatically synchronized into Microsoft Sentinel for a single pane of glass. What should you configure?

A.Enable the Microsoft Sentinel data connector for Microsoft Defender XDR
B.Use Microsoft Graph API to sync incidents daily
C.Create an automation rule in Microsoft Sentinel to create incidents from Defender XDR alerts
D.Configure Microsoft Defender XDR to forward incidents to Sentinel using a webhook
AnswerA

This connector automatically ingests Defender XDR incidents into Sentinel.

Why this answer

Option A is correct because the Microsoft Sentinel data connector for Microsoft Defender XDR is the native integration that automatically synchronizes all Defender XDR incidents into Sentinel. This connector ingests incidents, alerts, and evidence from Defender XDR into the Sentinel workspace, enabling a single pane of glass without requiring custom scripting or manual workflows.

Exam trap

The trap here is that candidates often confuse alert-based connectors (like the Microsoft Defender for Endpoint connector) with the incident-level Microsoft Defender XDR connector, or they assume that automation rules or webhooks are the correct method for incident synchronization, when the native connector is the only supported and recommended approach.

How to eliminate wrong answers

Option B is wrong because using Microsoft Graph API to sync incidents daily would require custom development, polling logic, and manual scheduling, which is not a built-in or supported method for automatic incident synchronization; the native connector handles this in real time. Option C is wrong because creating an automation rule in Sentinel to create incidents from Defender XDR alerts would only process individual alerts, not the correlated incidents that Defender XDR generates, and would bypass the incident-level synchronization provided by the connector. Option D is wrong because configuring Defender XDR to forward incidents to Sentinel using a webhook is not a supported feature; Defender XDR does not have a native webhook export for incidents, and even if implemented via Logic Apps, it would be a custom, non-standard approach compared to the official connector.

534
MCQeasy

You are configuring a Microsoft Sentinel automation rule to automatically assign incidents to a specific owner based on a custom property. Which action type should you use?

A.Run playbook
B.Assign owner
C.Change status
D.Create ticket (preview)
AnswerB

This action sets the incident owner to a specified user or group.

Why this answer

The 'Assign owner' action type is specifically designed to change the owner of an incident in Microsoft Sentinel. When you need to automatically assign incidents to a specific owner based on a custom property (e.g., a tag or custom field), this action directly modifies the incident's 'Owner' property. Other action types serve different purposes: 'Run playbook' executes a logic app, 'Change status' updates the incident's status (e.g., New, Active, Closed), and 'Create ticket (preview)' creates an external ticket in a connected ticketing system.

Exam trap

The trap here is that candidates often confuse 'Assign owner' with 'Run playbook', thinking a playbook is required to change the owner, but Sentinel provides a native action for this simple property change without needing a Logic App.

How to eliminate wrong answers

Option A is wrong because 'Run playbook' triggers a Logic App workflow, which can include complex logic but is not a direct action to set the incident owner; it is used for automation beyond simple property changes. Option C is wrong because 'Change status' modifies the incident's status (e.g., from New to Active), not the owner assignment. Option D is wrong because 'Create ticket (preview)' generates a ticket in an external system (e.g., ServiceNow) and does not modify the Sentinel incident's owner field.

535
MCQmedium

Refer to the exhibit. You are deploying a Microsoft Sentinel workspace using an ARM template. After deployment, you notice the workspace is in a disabled state for ingesting data. Which parameter is most likely causing this?

A.The location parameter is set to 'eastus' but Sentinel is not available in that region
B.The dailyQuotaInGB parameter sets a daily cap that may have been exceeded
C.The retentionInDays parameter is set to 90, which is less than the default 30 days
D.The workspaceName parameter is set to 'SentinelWorkspace' but the name must be globally unique
AnswerB

The daily cap stops ingestion when reached, causing the workspace to appear disabled for data ingestion.

Why this answer

Option D is correct because the 'dailyQuotaInGB' parameter sets a daily cap on data ingestion. If the cap is reached, ingestion stops until the next day. The workspace will be in a disabled state.

Option A is the workspace name, not an issue. Option B is location, irrelevant. Option C is retention, not ingestion.

536
MCQhard

Refer to the exhibit. You are analyzing a KQL query used in a custom detection rule in Microsoft Defender XDR. The rule is supposed to detect devices where a parent process launched more than 10 instances of PowerShell or cmd.exe in the last 7 days. However, the query returns no results even though you know such activity exists. What is the most likely reason?

A.The 'extend' line creates a new column that is not used in the subsequent summarize, causing the query to not group by parent process as intended.
B.The 'summarize' operator cannot be used with 'count()' in this context.
C.The 'where' clause filters out all events because the FileName list is incorrect.
D.The 'extend' line uses a column that does not exist in the DeviceProcessEvents schema.
AnswerD

Correct. 'InitiatingProcessParentFileName' is not a valid column; the correct column is 'InitiatingProcessFileName'. This causes the query to fail or return no results.

Why this answer

Option D is correct because the 'extend' line references a column named 'ParentProcessFileName' that does not exist in the DeviceProcessEvents schema. The actual column is 'InitiatingProcessFileName' (or 'ParentProcessName' in some schemas). Since the column doesn't exist, the 'extend' operation fails silently or produces null values, causing the subsequent 'summarize' to group by null and return no results.

Exam trap

The trap here is that candidates assume the column name 'ParentProcessFileName' is correct based on intuition or generic naming conventions, without verifying the actual schema of the DeviceProcessEvents table in Microsoft Defender XDR.

How to eliminate wrong answers

Option A is wrong because the 'extend' line creates a new column that is indeed used in the 'summarize' operator (the 'by' clause references 'ParentProcessFileName'), so the grouping is not broken by an unused column. Option B is wrong because 'summarize' with 'count()' is perfectly valid in KQL and commonly used to count rows per group. Option C is wrong because the 'where' clause filters on 'FileName' with 'has' operators, which is syntactically correct; the issue is not with the filter logic but with a missing column upstream.

537
Multi-Selecthard

Your Microsoft Defender XDR environment has an advanced hunting query that returns devices potentially affected by a known vulnerability. You want to create a custom detection rule that triggers an alert when more than 10 devices are affected. Which THREE steps are required?

Select 3 answers
A.Set the rule frequency and threshold to trigger when the query returns more than 10 results.
B.Configure the rule action to generate an alert in Microsoft Defender XDR.
C.Assign the rule to a severity level.
D.Create a Power Automate flow to send an email when the rule triggers.
E.Save the advanced hunting query as a custom detection rule.
AnswersA, B, E

Thresholds and frequencies are configured in the rule settings.

Why this answer

Options A, C, and D are correct. You need to save the query as a custom detection rule, configure the threshold, and set the action to generate an alert. Option B is not required because the rule runs on a scheduled basis; Option E is for Power Automate flows, not necessary.

538
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. A security analyst reports that incidents related to ransomware are not being automatically triaged by the SOC automation playbook. You confirm that the playbook is enabled and connected to the analytics rule. What is the most likely cause of the issue?

A.The Microsoft Sentinel workspace is in a different region than Microsoft Defender XDR.
B.The incident is not being created by the analytics rule.
C.The playbook is not associated with the correct analytics rule in the automation rule.
D.The automation rule that triggers the playbook is set to run only when the incident is created by a specific provider (e.g., Microsoft Defender XDR), but the incident is created by Microsoft Sentinel.
AnswerD

If the automation rule filters by provider, it will not trigger for incidents created by other providers.

Why this answer

Option D is correct because the playbook uses an automation rule that triggers on incident creation, and if the incident is not created by the correct provider (e.g., Microsoft Defender XDR), the playbook won't fire. Option A is wrong because Sentinel workspaces can be in any region; region mismatch affects data residency but not playbook triggering. Option B is wrong because playbooks are triggered by automation rules, not by the analytics rule itself.

Option C is wrong because the incident is already created; the issue is the automation rule trigger.

539
MCQhard

You have a Microsoft Sentinel workspace that ingests logs from multiple sources. The log analytics workspace is in the East US region. You have a requirement to keep logs for 90 days for active investigation, then archive them to an Azure storage account for compliance for 5 years. What should you configure?

A.Set the retention period to 90 days and configure a data export rule to send logs older than 90 days to Azure Blob Storage
B.Set the retention period to 5 years and use purging for data older than 90 days
C.Set the retention period to 90 days and enable 'Archive' in the workspace retention settings
D.Configure diagnostic settings to send logs to storage with a retention of 90 days
AnswerA

Data export rules can continuously export data to storage after the retention period expires.

Why this answer

Option C is correct because Azure Log Analytics allows you to set a retention policy and then enable data archiving to Azure storage using a data export rule. Option A deletes logs after 90 days. Option B is for interactive retention only.

Option D is for diagnostic settings, not for archiving after retention.

540
MCQhard

Your organization uses Microsoft Defender for Office 365. You need to configure a policy that automatically moves emails detected as 'Bulk' to the user's Junk Email folder. However, users must be able to override this by adding the sender to their Safe Senders list. What should you configure?

A.Anti-spam policy with Bulk email threshold set to a value that triggers junk action
B.Anti-phishing policy
C.Malware filter policy
D.Connection filter policy
AnswerA

The anti-spam policy includes a bulk complaint level (BCL) threshold; emails exceeding it are sent to Junk. Safe Senders overrides.

Why this answer

Option B is correct because the anti-spam policy in Defender for Office 365 has a 'Bulk email threshold' that can be set, and users can override via Safe Senders. Option A is for phishing, not bulk; Option C is for malware; Option D is for connection filtering.

541
MCQhard

You are a security administrator for a multinational company using Microsoft Sentinel. You need to ensure that critical incidents are automatically escalated to the on-call team via email and SMS. The on-call schedule uses Microsoft Teams channel. What is the most efficient way to achieve this?

A.Create an automation rule that sends email directly to the on-call team.
B.Build a playbook using Microsoft Teams connector to post a message in the on-call channel with an adaptive card that allows acknowledge and escalate.
C.Configure the analytics rule to send an email when the incident is created.
D.Use a workbook to display critical incidents and expect the team to monitor it.
AnswerB

A playbook can use Teams connector to send notifications and include logic for escalation. An automation rule triggers the playbook on incident creation.

Why this answer

Option B is correct because Playbook with Teams connector can send adaptive cards and use logic for escalation. Option A is wrong because automation rules alone cannot send SMS. Option C is wrong because an analytics rule only triggers incidents.

Option D is wrong because workbooks are for visualization, not automation.

542
Multi-Selecteasy

Which THREE are valid incident classification options in Microsoft Sentinel?

Select 3 answers
A.Informational
B.Benign Positive
C.Malicious
D.False Positive
E.True Positive
AnswersB, D, E

Classification for non-malicious but interesting activity.

Why this answer

Option A is correct because 'True Positive' is a standard classification. Option C is correct because 'False Positive' is standard. Option D is correct because 'Benign Positive' is a classification for non-malicious but relevant activity.

Option B is wrong because 'Malicious' is a sub-classification, not a main classification. Option E is wrong because 'Informational' is not a classification; it's a severity level.

543
MCQeasy

Your organization uses Microsoft Defender for Identity. You need to create a role that allows analysts to view security alerts but not modify them. Which built-in role should you assign?

A.Security Administrator
B.Compliance Administrator
C.Global Administrator
D.Security Reader
AnswerD

Read-only access to security alerts.

Why this answer

The Security Reader role (D) is the correct choice because it provides read-only access to security-related features in Microsoft 365 Defender, including the ability to view security alerts from Microsoft Defender for Identity without the ability to modify or respond to them. This aligns directly with the requirement to allow analysts to view alerts but not modify them, as the role grants no write permissions to security configurations or alert states.

Exam trap

The trap here is that candidates often confuse Security Reader with Security Administrator, assuming the 'Administrator' suffix implies broader access, but the key distinction is that Security Reader is the only built-in role that provides read-only access to security alerts without modification rights.

How to eliminate wrong answers

Option A is wrong because the Security Administrator role has full write permissions to security policies and alerts, including the ability to modify alert statuses and configurations, which violates the requirement to prevent modifications. Option B is wrong because the Compliance Administrator role is focused on compliance settings (e.g., data classification, DLP, retention policies) and does not grant access to security alerts from Defender for Identity; it is not designed for security operations viewing. Option C is wrong because the Global Administrator role has unrestricted access to all administrative features, including full control over security alerts, which far exceeds the read-only requirement and introduces unnecessary privilege.

544
MCQmedium

Your SOC team uses Microsoft Sentinel to manage incidents. You want to improve the efficiency of incident triage by automatically enriching incidents with threat intelligence data from Microsoft Threat Intelligence. What should you configure?

A.Enable the Threat Intelligence - TAXII connector to ingest threat indicators.
B.Create a playbook that queries the Threat Intelligence API and adds a comment to the incident.
C.Create a watchlist containing threat intelligence data and use it in an automation rule to add tags or comments.
D.Enable User and Entity Behavior Analytics (UEBA) to detect anomalies.
AnswerC

Watchlists can be used in automation rules to enrich incidents with additional data.

Why this answer

Option C is correct because watchlists in Microsoft Sentinel allow you to store and reference static threat intelligence data directly within automation rules. By creating a watchlist with threat indicators and configuring an automation rule to add tags or comments based on matches, you can enrich incidents without requiring external API calls or complex playbooks, thus improving triage efficiency.

Exam trap

The trap here is that candidates often confuse the purpose of the TAXII connector (ingestion) with incident enrichment, or assume that a playbook is always the best automation method, overlooking the simpler and more efficient watchlist-based approach for static data.

How to eliminate wrong answers

Option A is wrong because the Threat Intelligence - TAXII connector ingests threat indicators into Sentinel's ThreatIntelligenceIndicator table, but it does not automatically enrich incidents; it only populates the threat intelligence repository. Option B is wrong because while a playbook can query the Threat Intelligence API and add a comment, this approach is less efficient than using a watchlist with an automation rule, as playbooks require manual or scheduled execution and introduce latency. Option D is wrong because UEBA detects behavioral anomalies and generates alerts, but it does not directly enrich incidents with threat intelligence data; it focuses on user and entity behavior rather than external threat indicator matching.

545
MCQeasy

You are configuring Microsoft Defender for Cloud Apps to enhance visibility into your organization's SaaS app usage. You need to ensure that risky user activities are automatically suspended. What should you configure?

A.Set up IP address range policies.
B.Configure app discovery policies.
C.Create a session policy to block or limit activities based on risk.
D.Define file policies to protect sensitive data.
AnswerC

Session policies allow real-time monitoring and control of user sessions, such as blocking downloads from risky sessions.

Why this answer

Option B is correct because session policies allow real-time control of user sessions based on risk level. Option A is wrong because app discovery only identifies apps used. Option C is wrong because file policies govern data protection.

Option D is wrong because IP address ranges are used for location-based policies, not activity control.

546
MCQmedium

You are reviewing a PowerShell script used for automated response on a Windows 10 device managed by Microsoft Defender for Endpoint. What is the intended outcome of this script?

A.It removes all Trojan threats from the device.
B.It updates the antimalware signatures and then performs a scan.
C.It triggers a quick scan if any Trojan detection exists.
D.It configures Windows Defender to exclude Trojan files.
AnswerC

The condition checks for Trojan detections and then runs a quick scan.

Why this answer

Option D is correct because the script retrieves threat detections containing 'Trojan' and if found, initiates a quick scan. Option A is wrong because the script doesn't remove threats, only scans. Option B is wrong because it doesn't exclude anything.

Option C is wrong because it doesn't update signatures.

547
MCQhard

Your security team uses Microsoft Defender XDR (formerly Microsoft 365 Defender) to investigate incidents. You notice that some alerts from Microsoft Defender for Endpoint are not being automatically correlated into incidents as expected. You have confirmed that the relevant alert sources are enabled in the Microsoft Defender XDR portal. What is the most likely cause?

A.Alert tuning rules are causing the alerts to be excluded.
B.Incident correlation rules are not enabled for the relevant alert sources.
C.Automation rules in Microsoft Sentinel are deleting the alerts.
D.Alert suppression rules are blocking the alerts.
AnswerB

Correlation rules must be enabled to automatically create incidents from alerts.

Why this answer

Microsoft Defender XDR uses built-in correlation logic to automatically group related alerts from different sources (e.g., Defender for Endpoint, Defender for Office 365) into incidents. If alerts from a specific source, such as Defender for Endpoint, are not being correlated, the most likely cause is that the incident correlation rules for that source are not enabled in the Microsoft Defender XDR portal. Enabling the alert source alone is insufficient; the correlation engine must be explicitly activated for each source to aggregate alerts into incidents.

Exam trap

The trap here is that candidates assume enabling an alert source in the Microsoft Defender XDR portal automatically enables incident correlation for that source, but in reality, correlation rules must be explicitly enabled separately for each source.

How to eliminate wrong answers

Option A is wrong because alert tuning rules in Microsoft Defender XDR are used to reduce noise by suppressing or grouping alerts, but they do not prevent alerts from being correlated into incidents; they only affect alert generation. Option C is wrong because automation rules in Microsoft Sentinel are separate from Microsoft Defender XDR and operate on Sentinel incidents, not on Defender XDR alert correlation; Sentinel automation rules cannot delete alerts from Defender XDR. Option D is wrong because alert suppression rules in Defender for Endpoint are designed to suppress alerts based on criteria like device groups or severity, but they do not block alerts from being correlated into incidents; suppression only prevents alert creation, not correlation.

548
MCQeasy

Refer to the exhibit. You run this KQL query in Microsoft Sentinel. What does it return?

A.Number of high-severity incidents per status.
B.Total count of high-severity incidents in the last 7 days.
C.Top 5 incident owners by number of high-severity incidents in the last 7 days.
D.Top 5 users assigned to high-severity incidents.
AnswerC

The query summarizes by Owner and returns top 5.

Why this answer

The KQL query uses `summarize` with `count()` by `Owner`, then `top 5 by count_`, and filters with `where Severity == 'High'` and `TimeGenerated > ago(7d)`. This returns the top 5 incident owners ranked by the number of high-severity incidents they own in the last 7 days, making option C correct.

Exam trap

The trap here is that candidates confuse `Owner` (the incident owner, often a person or automation rule) with `User` (a user entity involved in the incident), leading them to pick option D, which incorrectly assumes the query returns users assigned to incidents rather than owners.

How to eliminate wrong answers

Option A is wrong because the query does not group or summarize by `Status`; it groups by `Owner` and counts incidents, not statuses. Option B is wrong because the query returns a top 5 list of owners with counts, not a single total count of incidents. Option D is wrong because the query filters by `Owner` (the incident owner, typically a security analyst or automation account), not by `User` (which would refer to a user entity or account involved in the incident).

549
MCQhard

Your organization uses Microsoft Sentinel with a workspace in the East US region. You have a playbook that escalates incidents to ServiceNow. Due to compliance requirements, all data must remain in the West Europe region. You need to ensure that the playbook execution and any data it processes stays within West Europe. What should you do?

A.Use a different Sentinel workspace in West Europe for the incidents.
B.Move the Sentinel workspace to West Europe.
C.Configure the ServiceNow connector to use a West Europe endpoint.
D.Create the playbook as a Logic App in the West Europe region and ensure it uses a managed identity for authentication.
AnswerD

Playbooks run in the region of the Logic App; creating it in West Europe ensures compliance.

Why this answer

Playbooks run in the same region as the Logic Apps resource, which can be created in West Europe. By creating the playbook in West Europe, it will process data there. Option D is correct.

Option A is wrong because moving the Sentinel workspace is not possible without redeployment. Option B is wrong because the API connector does not control data location. Option C is wrong because using a different workspace would require changing all data collection.

550
Multi-Selecteasy

Which THREE components are part of Microsoft Defender XDR? (Select three.)

Select 3 answers
A.Microsoft Defender for Endpoint
B.Microsoft Entra ID
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud
E.Microsoft Defender for Office 365
AnswersA, C, E

Endpoint protection is a core component.

Why this answer

Defender XDR includes Defender for Endpoint, Defender for Office 365, and Defender for Identity. Option A, B, and D are correct. Option C is a cloud security solution, not part of Defender XDR.

Option E is an identity management service.

551
MCQeasy

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a custom analytics rule that detects when a user account is created and then deleted within 24 hours, which could indicate a test account used for malicious purposes. The rule should only run on the SecurityEvent table. You have written the KQL query and now need to configure the rule settings. Which alert scheduling configuration should you set to minimize latency while ensuring that the rule catches the pattern?

A.Run query every 1 hour with a 1-hour lookback.
B.Run query every 24 hours with a 24-hour lookback.
C.Run query every 1 hour with no lookback.
D.Run query every 5 minutes with a 5-minute lookback.
AnswerA

Balances latency and detection coverage.

Why this answer

Option A is correct because running the query every 1 hour with a 1-hour lookback ensures that any account creation and deletion occurring within a 24-hour window is captured with minimal latency. The 1-hour lookback allows the rule to detect events that span across the current and previous execution windows, which is essential for catching the creation and deletion pattern without missing events due to scheduling gaps.

Exam trap

The trap here is that candidates often choose a lookback equal to the pattern duration (24 hours) or a very short frequency (5 minutes), failing to realize that the combination of frequency and lookback must ensure overlapping windows to capture events that span across execution boundaries.

How to eliminate wrong answers

Option B is wrong because running the query every 24 hours with a 24-hour lookback introduces up to 24 hours of latency, which is not minimal and could delay detection of malicious activity. Option C is wrong because running the query every 1 hour with no lookback means the rule only evaluates events from the current hour, so it would miss the creation event if it occurred in a previous hour and the deletion in the current hour. Option D is wrong because running the query every 5 minutes with a 5-minute lookback would require the creation and deletion to occur within the same 5-minute window, which is too restrictive for a 24-hour pattern and would likely miss most occurrences.

552
MCQeasy

Refer to the exhibit. You are reviewing a custom Azure Policy definition that should block deployments from specific IP addresses. However, the policy does not seem to be evaluating any resources. What is the most likely issue?

A.The 'in' operator cannot be used with an array parameter
B.The policy definition has not been assigned to any scope
C.The policy mode should be 'Indexed' for network policies
D.The 'effect' should be 'audit' instead of 'deny'
AnswerB

A policy must be assigned to a scope to evaluate resources.

Why this answer

The exhibit shows a custom Azure Policy definition that is syntactically correct, but the policy is not evaluating any resources. The most likely cause is that the policy definition has not been assigned to a scope (e.g., management group, subscription, or resource group). In Azure Policy, a definition alone does nothing; it must be assigned to a scope to take effect and begin evaluating resources.

Exam trap

The trap here is that candidates focus on syntax errors or operator misuse in the policy definition, overlooking the prerequisite that a policy must be assigned to a scope before it can evaluate any resources.

How to eliminate wrong answers

Option A is wrong because the 'in' operator can be used with an array parameter in Azure Policy; the issue is not with the operator but with the missing assignment. Option C is wrong because the policy mode should be 'All' (or 'Microsoft.Network.Data') for network policies that evaluate resource properties, not 'Indexed', which is used for resource provider modes like 'Microsoft.Kubernetes.Data'. Option D is wrong because changing the effect from 'deny' to 'audit' would not cause the policy to fail to evaluate resources; it would only change the enforcement behavior, and the policy would still need to be assigned to a scope.

553
MCQeasy

Your team uses Microsoft Defender XDR to manage incidents. You need to ensure that all incidents with a severity of 'High' are automatically assigned to a specific SOC analyst group. What should you configure?

A.Set up an advanced hunting query to detect high severity incidents and send email.
B.Create an automation rule in Microsoft Defender XDR to automatically assign incidents.
C.Configure a playbook in Microsoft Sentinel triggered by incidents.
D.Use the 'New-MTPIncidentAssignment' cmdlet in a scheduled task.
AnswerB

Automation rules can apply actions like assignment based on conditions.

Why this answer

Option A is correct because Microsoft Defender XDR allows you to create automation rules that can assign incidents based on criteria like severity. Option B is incorrect because it is for automated investigation and response. Option C is incorrect because it is a PowerShell cmdlet, not a configuration.

Option D is incorrect because advanced hunting is for querying data, not automation.

554
MCQeasy

Your organization uses Microsoft Sentinel for security information and event management (SIEM). You need to ensure that all incidents from a specific analytics rule are automatically assigned to the 'SOC Tier 1' team. What should you configure in Microsoft Sentinel?

A.Configure alert enrichment in the analytics rule to add the owner.
B.Modify the analytics rule to write the incident to a custom table accessible by the SOC team.
C.Create a playbook that assigns the incident and attach it to the analytics rule.
D.Create an automation rule that triggers when the incident is created and sets the owner.
AnswerD

Automation rules can set incident owner upon creation.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can be used to automatically assign incidents to a specific owner or team. Option A is wrong because playbooks are for complex orchestration, not simple assignment. Option B is wrong because alert enrichment is for adding data, not assignment.

Option D is wrong because custom tables are for storing data.

← PreviousPage 8 of 8 · 554 questions total

Ready to test yourself?

Try a timed practice session using only Manage a security operations environment questions.