SC-200 domain
Mitigate threats using Microsoft Defender XDR
Use this page to practise the SC-200 domain "Mitigate threats using Microsoft Defender XDR". The goal is not to memorise dumps, but to understand the concept, review the explanation and improve your exam readiness.
Focused practice
Start a Mitigate threats using Microsoft Defender XDR session
All sessions draw only from this domain. Pick a length or try interactive practice with inline explanations.
What the exam tests
What to know about Mitigate threats using Microsoft Defender XDR
Mitigate threats using Microsoft Defender XDR questions test whether you can apply the concept in context, not just recognise a definition. Expect to practise:
- How the topic appears in realistic exam-style scenarios.
- Which detail in the question changes the correct answer.
- How to eliminate plausible but wrong options.
- How to connect the question back to the wider exam objective.
Question index
All Mitigate threats using Microsoft Defender XDR questions (100)
Click any question to see the full explanation, or start a practice session above.
1. A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?
2. During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?
3. A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?
4. During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?
5. An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?
6. A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?
7. An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user's device was compromised. The analyst wants to determine if the attacker attempted to access sensitive files stored in SharePoint Online from that device. Which advanced hunting table should the analyst query to find file access events from cloud apps?
8. A security analyst is reviewing an incident in Microsoft 365 Defender where malware was detected on multiple endpoints. The analyst wants to see a visual representation of the attack progression, including the initial entry point and all affected devices. Which feature in the Microsoft 365 Defender portal should the analyst use?
9. A global enterprise uses Microsoft 365 Defender across multiple tenants. During an incident, a security analyst needs to search for a specific file hash indicator of compromise (IOC) across all mailboxes and endpoints in all tenants from a single interface. Which feature allows the analyst to run a query across multiple tenants without switching contexts?
10. A security analyst is investigating an incident in Microsoft 365 Defender where a device is detected as infected with a trojan. The analyst wants to use automated investigation to contain the threat. Which action can be automatically taken on the affected device as part of a standard AIR playbook for endpoint detection and response?
11. An organization uses Microsoft 365 Defender. A security analyst is reviewing an incident that involves a user who clicked a phishing link in an email. The analyst wants to see the email's full timeline, including delivery, click, and any follow-up actions. Which section of the email entity page provides this information?
12. A security analyst in Microsoft 365 Defender uses advanced hunting to detect possible credential theft. They want to find instances where a user signed in from an IP address that is not in their organization's known IP range. Which table should they query to get sign-in location and IP address?
13. A security analyst in Microsoft 365 Defender is investigating an incident that involves multiple devices. The analyst wants to see a visual representation of the attack, showing how the attacker moved from one device to another. Which feature provides this view?
14. A security analyst is investigating a phishing incident in Microsoft 365 Defender. They need to view the original email's sender, delivery action, and any automated remediation steps taken. Which entity page should the analyst open?
15. A security analyst is using advanced hunting in Microsoft 365 Defender to detect lateral movement. The analyst wants to find all devices where a specific user account had an interactive logon, and then identify which of those devices subsequently initiated outbound Remote Desktop Protocol (RDP) connections to other internal IP addresses. Which KQL approach is most efficient for this investigation?
16. An organization uses Microsoft Defender for Office 365. The security team wants to automatically remove from all user mailboxes any messages that were already delivered but are later identified as malicious. Which feature should they enable?
17. A security analyst is investigating an incident in Microsoft 365 Defender that involves a user who clicked a phishing link. The analyst wants to find all processes executed on the user's device immediately after the email was opened. Which advanced hunting table should the analyst query to obtain process creation events with timestamps relative to the email event?
18. A security analyst is investigating a suspected lateral movement attack in Microsoft 365 Defender. The analyst wants to identify all devices where a specific user account (user@contoso.com) had an interactive logon, and then check which of those devices subsequently made outbound RDP connections to other internal IP addresses. Which KQL query approach is most efficient to find this chain?
19. A security analyst is reviewing an email-related incident in Microsoft 365 Defender. The analyst wants to see the full delivery details, including the sender IP, authentication status, and the reason why the email was determined to be malicious. Which section of the email entity page should the analyst open?
20. A security analyst is hunting for a targeted phishing attack in Microsoft 365 Defender. They have identified a phishing email delivered to a user and want to find all devices where the user clicked the link in the email, and any processes that were spawned from the browser on those devices. Which advanced hunting strategy is most effective to correlate the email, network, and process data?
21. An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?
22. An organization uses Microsoft Defender for Office 365. The security team wants to automatically investigate and respond to user-reported phishing emails. Which feature should they enable to automate this process?
23. An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user received a phishing email that contained a link to a malicious domain. The user clicked the link, but the domain was blocked by Microsoft Defender for Office 365 at the time of click. The analyst needs to view the full details of the click verdict, including the time of click and the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?
24. A security analyst is using advanced hunting in Microsoft 365 Defender to investigate a potential brute-force attack against an on-premises Exchange server. The analyst wants to find authentication failures from a specific IP address. Which table should the analyst query?
25. An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?
26. A security analyst is investigating lateral movement in Microsoft 365 Defender. They have identified a compromised device (DeviceA) and want to find all other devices that have been accessed from DeviceA via RDP in the last 24 hours. Which advanced hunting table contains RDP connection events?
27. An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?
28. A security analyst is investigating an incident in Microsoft 365 Defender involving a user who received a phishing email. The analyst needs to identify all devices on which the user clicked a link from the email. Which advanced hunting table should the analyst query to find the click events?
29. A security analyst is investigating an incident in Microsoft 365 Defender where a user's device is suspected to be compromised. The analyst wants to collect a copy of a specific suspicious file from the device for offline analysis without disrupting the user. Which action should the analyst initiate?
30. An organization uses Microsoft 365 Defender. A security analyst wants to identify all devices that have been accessed from a compromised device via RDP in the past 24 hours. Which advanced hunting table should the analyst query?
31. A security analyst is reviewing a phishing incident in Microsoft 365 Defender. They need to find all users who received a specific email message by searching for the email's Internet Message ID. Which advanced hunting table should the analyst query?
32. An organization uses Microsoft Defender for Office 365. A security analyst is investigating a phishing email that was delivered to a user. The user clicked the link, but it was blocked by Defender for Office 365 at the time of click. The analyst needs to view the full click verdict, including the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?
33. A security analyst uses Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst knows the Internet Message ID of a malicious email. Which table should the analyst query to find all users who received that specific email?
34. An organization uses Microsoft 365 Defender. An automated investigation on a device identifies a malicious file and blocks it. The analyst now wants to allow a specific trusted application that was incorrectly blocked, while keeping other malicious files blocked. Which action should the analyst take from the device's entity page?
35. A security analyst is using Microsoft 365 Defender advanced hunting to investigate potential lateral movement. The analyst has identified a compromised device (DeviceA) and wants to find all other devices that initiated a remote desktop connection from DeviceA to other devices in the last 24 hours. Which table and query approach should the analyst use?
36. An analyst is investigating a malware incident in Microsoft 365 Defender and has isolated the compromised device using automated investigation and response. The analyst now needs to collect a copy of a suspicious file from that device for further analysis in a sandbox. Which action should the analyst take from the device's entity page?
37. A security analyst is investigating a potential data exfiltration incident in Microsoft 365 Defender. They have identified a suspicious email sent to an external recipient containing an attachment. They want to know if the attachment has been opened and if any sensitive data was accessed. Which advanced hunting table should the analyst query to find email attachment activities, such as file download or view?
38. A security analyst is investigating a compromised user account using Microsoft 365 Defender. The analyst wants to see all the sign-in attempts made by this user in the last 24 hours, including the IP addresses and locations. Which advanced hunting table should the analyst query?
39. A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to view all processes that initiated outbound network connections to known malicious IPs on a specific device. Which advanced hunting table should the analyst query?
40. An analyst is investigating a sophisticated attack involving a compromised device. The analyst has identified a malicious process that spawned multiple child processes. The analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a specific parent process creates a child process that makes an outbound network connection to any IP not in the organization's internal range. Which KQL query and rule type should the analyst use?
41. A security analyst is investigating a phishing incident and needs to find the specific email message that was delivered to a user. The analyst knows the subject line and the sender domain. Which advanced hunting table should the analyst query?
42. A security analyst is investigating a malware incident on an endpoint using Microsoft 365 Defender. The analyst wants to see all processes that were created on the device in the last hour, including the command line arguments. Which advanced hunting table should they query?
43. An organization uses Microsoft 365 Defender and receives an alert for a suspicious email sent to multiple recipients. The analyst wants to view the email metadata, including the sender, subject, and any attachments. Which advanced hunting table should the analyst use?
44. A security analyst is investigating a phishing campaign targeting multiple users. The analyst has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to any user and contained this specific attachment. Which advanced hunting table should the analyst query in Microsoft 365 Defender to obtain the message IDs of emails containing the attachment?
45. A security analyst is using Microsoft 365 Defender and discovers that a legitimate business application has been incorrectly blocked as malicious by an automated investigation. The analyst needs to unblock this application immediately so it can run on all endpoints in the organization. What action should the analyst take from the file's entity page in Microsoft 365 Defender?
46. A security analyst is reviewing phishing emails in Microsoft 365 Defender and wants to identify all messages that were blocked by an anti-phish policy before delivery. The analyst plans to use advanced hunting. Which table column indicates whether an email was blocked as phishing?
47. A security analyst is investigating a suspicious process on an endpoint and needs to see all network connections initiated by that process. The analyst knows the ProcessId and DeviceName. Which advanced hunting table in Microsoft 365 Defender should the analyst query to retrieve network connection details associated with this process?
48. A security analyst is investigating a malware incident and has identified a specific parent process ID (PID) on an endpoint. The analyst wants to retrieve all outbound network connections made by any child processes spawned by this parent process. Which advanced hunting table should the analyst query to get the network connection details, including the destination IP and the child process ID?
49. A security analyst is investigating a potential phishing campaign and has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to users and contained this exact attachment. Which advanced hunting table should the analyst query to obtain the network message IDs of the relevant emails?
50. A security analyst is investigating a suspicious process on an endpoint and wants to see all changes made to the Windows Registry by that process. Which advanced hunting table should the analyst query to find registry modification events associated with the process?
51. A security analyst in Microsoft 365 Defender needs to review all actions that were automatically taken by an investigation (e.g., isolating a device, deleting a file) that occurred during an incident. Where should the analyst find this list of executed actions?
52. A security analyst is investigating a sophisticated attack where an attacker used a compromised account to send a phishing email. The analyst wants to correlate the email event with the subsequent sign-in activity from the same sender's mailbox using Advanced Hunting. Which two tables should the analyst join to link the email sender to the sign-in IP address?
53. A security analyst is investigating a ransomware incident and needs to find all files that were written to a specific device within a 5-minute window before the ransomware process started. The analyst knows the device name and the ransomware process start time. Which advanced hunting table and KQL operator combination would be most efficient to find the file creation events?
54. A security analyst wants to see the delivery status and phishing verdict of an email. Which advanced hunting table should the analyst query in Microsoft 365 Defender?
55. In Microsoft 365 Defender, what is the primary function of the Action center?
56. An analyst is investigating a file that was detected as malicious on several devices. In Microsoft 365 Defender, where can the analyst find information about the file's prevalence, global reputation, and related incidents?
57. In Microsoft 365 Defender, after an automated investigation completes, where can an analyst review the specific remediation actions that were taken (e.g., file quarantine, device isolation)?
58. In Microsoft 365 Defender, a security analyst wants to get a detailed report on a newly discovered malware campaign, including indicators of compromise, recommended actions, and impacted devices. Where should the analyst go to find this information?
59. A security analyst is investigating a potential business email compromise (BEC) campaign. The analyst wants to find all emails that were sent to external recipients from an internal user's mailbox that also had a login from an unusual location shortly after the email was sent. Which advanced hunting tables should the analyst query to get the email metadata and the sign-in details?
60. A security analyst in Microsoft 365 Defender is investigating an email-based threat. The analyst needs to find all emails that were initially delivered to user inboxes but were later remediated (e.g., moved to junk, deleted, or quarantined) by Zero-Hour Auto Purge (ZAP). Which advanced hunting tables should the analyst query to get both the original email metadata and the post-delivery remediation events?
61. A security analyst in Microsoft 365 Defender has just completed an automated investigation on a device. The analyst wants to review the specific remediation actions that were taken automatically, such as file quarantine or process termination, as well as any actions that are still pending approval. Where should the analyst look?
62. A security analyst in Microsoft 365 Defender is investigating an incident that contains multiple alerts from different sources (e.g., Microsoft Defender for Endpoint, Microsoft Defender for Office 365). The analyst wants to see a consolidated list of all alerts associated with the incident, including their severity, status, and detection source. Which tab within the incident details page should the analyst use?
63. A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to see a timeline of all actions performed on a specific device, including file creation, registry modifications, and network connections, in chronological order. Which feature should the analyst use?
64. A security analyst wants to identify all users who received a phishing email that contained a known malicious URL. The analyst has the URL. Which advanced hunting table should the analyst query first to find the emails that contained this URL?
65. In Microsoft 365 Defender, an analyst is investigating an incident involving a malicious script. The analyst wants to see the command-line arguments executed by the script on a specific device. Which Advanced Hunting table should the analyst query?
66. A security analyst suspects a user's device is exfiltrating data via DNS queries to a known malicious domain. Which Advanced Hunting table should the analyst query to find DNS requests made from the device?
67. In Microsoft 365 Defender, a security analyst reviews an automated investigation that found a potentially unwanted application on multiple devices. The analyst wants to manually approve the suggested remediation action of uninstalling the application. Where should the analyst go?
68. A security analyst in Microsoft 365 Defender is using advanced hunting to investigate a suspected data exfiltration. The analyst wants to find all outbound network connections from a specific device that occurred in the last hour, ordered by timestamp. Which table and KQL query should the analyst use?
69. In Microsoft 365 Defender, an incident is created automatically. An analyst wants to see all related alerts for that incident. Which tab on the incident details page should the analyst select?
70. A security analyst is investigating a complex incident in Microsoft 365 Defender that involves multiple stages: a phishing email, credential theft, and lateral movement. The analyst wants to view a visual representation of the attack chain, showing how alerts and entities are related. Which feature should the analyst use?
71. A security analyst in Microsoft 365 Defender is investigating an incident that involves a malicious email attachment. Which advanced hunting table should the analyst use to find information about the email including sender, recipient, and subject?
72. A security analyst is investigating a ransomware attack in Microsoft 365 Defender and needs to understand how the attacker moved laterally from an initial compromised workstation to a domain controller. Which feature should the analyst use to see a visual timeline of device-to-device connections and process executions?
73. A security analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a user receives more than 5 emails with the same attachment name within 1 hour, indicating a possible malware campaign. Which advanced hunting tables should be joined to achieve this detection?
74. A security analyst is investigating a user who may have been compromised. The analyst sees a sign-in from an unusual location and then a series of suspicious actions performed by that user, including deleting files and sending emails. The analyst wants to find all emails sent by the user after the anomalous sign-in. Which advanced hunting tables should be used?
75. In Microsoft 365 Defender advanced hunting, an analyst is investigating a case where a user's device was compromised via a malicious base64-encoded PowerShell script. The analyst wants to find all processes that were created by this script by decoding the command line. Which KQL function should be applied to the ProcessCommandLine column in the DeviceProcessEvents table?
76. In Microsoft 365 Defender, an analyst is investigating an incident where a user's credentials were used to sign in from an unusual geo-location. The analyst wants to find all other sign-in events from the same IP address in the last 7 days. Which Advanced Hunting table should be used?
77. A security analyst is investigating a sophisticated attack chain that started with a user clicking a link in a phishing email, which led to a drive-by download from a malicious website. The analyst wants to see the full list of URLs visited from the user's browser on the device. Which Advanced Hunting table contains this information?
78. A security analyst is investigating a sophisticated attack that involved multiple devices. The analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a process with a specific SHA256 hash is executed on any device AFTER an attacker-controlled file is created on another device. Which approach should the analyst use to build this detection?
79. A security analyst is investigating a suspicious email that was reported by a user. The email contains an attachment with a known malicious macro. The analyst wants to find all instances of this same email being delivered to other users in the organization. Which Advanced Hunting table should the analyst query to find the delivery events?
80. A security analyst is using Microsoft 365 Defender advanced hunting to investigate a ransomware incident. The analyst wants to find all processes that were created with a specific parent process ID. Which column in the DeviceProcessEvents table should the analyst use to filter the parent process?
81. A security analyst is investigating a potential malware outbreak using Microsoft 365 Defender advanced hunting. The analyst wants to find all devices where a file with a specific SHA256 hash was first created and then later deleted, which may indicate a cleanup attempt. Which query pattern on the DeviceFileEvents table is appropriate?
82. A security analyst is investigating a phishing campaign using Microsoft 365 Defender advanced hunting. The analyst needs to find all emails sent from a specific sender address in the last 7 days. Which table should be queried?
83. A security analyst is building a custom detection rule in Microsoft 365 Defender to identify ransomware activity. The rule should trigger when files with specific extensions (e.g., .encrypted, .locked) are created on multiple devices within a short time frame, suggesting a widespread attack. Which combination of advanced hunting tables should be used to obtain both file creation events and device information?
84. A security analyst is investigating a potential malware outbreak detected by Microsoft 365 Defender. The analyst needs to identify all devices that have executed a specific parent process with a given ProcessId. Which column in the DeviceProcessEvents table should be used to find processes whose parent is the specified process?
85. A security analyst is using Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst wants to find emails that were delivered to users (DeliveryAction != 'Blocked') and contained a specific malicious URL (e.g., 'https://malicious.com'). The EmailEvents table contains delivery information, and the EmailUrlInfo table contains URL details. Which KQL query correctly joins these two tables to find the desired emails?
86. A security analyst is investigating an advanced persistent threat (APT) campaign that involves lateral movement using RDP. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a device remotely connects to another device via RDP (process: mstsc.exe) and, within 10 minutes, the remote device executes a suspicious script (e.g., PowerShell.exe with encoded command). Which KQL query pattern in advanced hunting should be used to correlate these events across devices?
87. A security analyst is investigating an advanced persistent threat campaign that involves lateral movement using RDP. The analyst suspects that an attacker uses RDP from DeviceA to DeviceB, and then within a few minutes executes a malicious PowerShell script on DeviceB. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when this pattern occurs. Which KQL query pattern should be used to correlate these events across devices?
88. A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?
89. An analyst is investigating a ransomware outbreak using Microsoft 365 Defender Advanced Hunting. They need to find all devices where a file with the extension '.locked' was created within one hour after a known malicious process (e.g., 'ransomware.exe') was executed on the same device. Which two tables should be joined in the query? (Choose 2.)
90. An analyst is creating a custom detection rule in Microsoft 365 Defender to detect lateral movement. The rule should trigger when a device (DeviceA) connects to another device (DeviceB) via SMB (port 445) and, within 5 minutes, a scheduled task is created on DeviceB. Which Advanced Hunting query pattern correctly correlates these events across devices?
91. An analyst is investigating an incident where a user's mailbox was compromised. The analyst wants to find all mailbox access events (e.g., logins, message access) performed from a specific IP address. Which Advanced Hunting table in Microsoft 365 Defender should be queried?
92. An analyst is investigating a data exfiltration incident. They suspect that a user downloaded sensitive files from a SharePoint site and then uploaded them to a non-corporate cloud storage service (e.g., Dropbox) using the same device. Which combination of Advanced Hunting tables should the analyst query to correlate the SharePoint download activity with network connections to external IPs?
93. An analyst wants to find all devices that have run a specific process named 'malware.exe' in the last 24 hours using Microsoft 365 Defender Advanced Hunting. Which table should be the primary source for this query?
94. A security analyst wants to identify all devices in the organization that have a specific software vulnerability (CVE-2023-1234) installed using Microsoft 365 Defender Advanced Hunting. Which table should be queried?
95. A security analyst is investigating a malware outbreak and needs to find all devices where a specific malicious file with a known SHA1 hash has been observed in the last 24 hours. Which Advanced Hunting table in Microsoft 365 Defender should be the primary source for this query?
96. An analyst is building a custom detection rule in Microsoft 365 Defender to identify potential data exfiltration. The rule should alert when a process (e.g., powershell.exe) initiates multiple outbound network connections to an external IP address that is not in the company's corporate IP range within a short time. Which two Advanced Hunting tables must be joined to correlate process execution with network connection details?
97. An analyst writes an advanced hunting query to investigate a suspicious executable that initiated outbound connections. Which two Microsoft 365 Defender tables are most relevant? (Choose 2.)
98. A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?
99. A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)
100. An analyst is using advanced hunting in Microsoft 365 Defender. A device made outbound RDP connections shortly after a suspicious PowerShell process started. Which join is most useful to identify the initiating process for those network connections?
Watch out for
Common Mitigate threats using Microsoft Defender XDR exam traps
- Answering from memory before reading the full scenario.
- Missing a constraint such as cost, availability, security, scope or command context.
- Choosing a broad answer when the question asks for the most specific fix.
- Ignoring why the wrong options are tempting.
Frequently asked questions
- What does the Mitigate threats using Microsoft Defender XDR domain cover on the SC-200 exam?
- Mitigate threats using Microsoft Defender XDR questions test whether you can apply the concept in context, not just recognise a definition.
- How many questions are in this domain?
- This page lists all 100 Mitigate threats using Microsoft Defender XDR questions in the SC-200 question bank. The actual exam draws from this domain proportionally to its weighting in the official exam blueprint.
- What is the best way to practise this domain?
- Start with a short focused session (10 questions) to identify gaps, then use the interactive practice page to work through explanations. Repeat with a longer session once the weak areas feel solid.
- Can I practise only Mitigate threats using Microsoft Defender XDR questions?
- Yes — the session launcher on this page filters questions to this domain only. Choose any session length or try the interactive practice page for inline explanations.