CCNA Perform threat hunting Questions

75 of 276 questions · Page 2/4 · Perform threat hunting · Answers revealed

76
Multi-Select · medium

Which TWO tables in Microsoft Defender XDR advanced hunting provide information about user authentication events?

Select 2 answers
A. AlertInfo
B. AADSignInEventsBeta
C. EmailEvents
D. IdentityLogonEvents
E. DeviceNetworkEvents
Answers: B, D

Contains Azure AD sign-in events.

Why this answer

Options B and D are correct. B is correct because AADSignInEventsBeta contains Azure AD sign-ins. D is correct because IdentityLogonEvents contains on-premises AD logons.

A is incorrect because AlertInfo is for alerts. C is incorrect because EmailEvents is for email. E is incorrect because DeviceNetworkEvents is for network events.

77
MCQ · hard

A threat hunter is using Microsoft Sentinel and Microsoft Defender XDR to hunt for a potential cross-domain attack where an attacker compromised an on-premises server and then used a privileged account to sign into Microsoft 365 from a new IP. The hunter wants to identify the server using a query that combines Windows Event Logs from the server with Microsoft 365 sign-in logs. Which approach should the hunter take to correlate the data?

A. Create a Sentinel watchlist of known attacker IPs and compare with server logs
B. Enable Sysmon on the server and use its Event ID 3 (network connection) to find the IP
C. Ingest Windows Security Event logs (Event ID 4624) from the server into a Log Analytics workspace, and join with SigninLogs on account name and timestamp
D. Use the DeviceLogonEvents table in Microsoft Defender XDR advanced hunting
Answer: C

This correlates on-premises logon events with cloud sign-ins to find the compromise path.

Why this answer

Option C is correct because the server's Security Event ID 4624 (account logon) can be used to identify the logon session, and then the account's IP can be correlated with Azure AD SigninLogs. Option D (DeviceLogonEvents) is for Microsoft Defender for Endpoint, not on-premises servers without MDE. Option B (Sysmon) requires additional configuration.

Option A (Sentinel watchlist) is static and not suitable for dynamic correlation.

78
MCQ · hard

Refer to the exhibit. You are reviewing a custom hunting query in Microsoft Defender XDR. The query aims to identify devices with more than 100 outbound connections in the last 30 days to IPs that appear in active threat intelligence indicators. However, the query returns no results. What is the most likely cause?

A. The RemoteIPType filter for 'Public' excludes all internal IPs, but devices connect to internal IPs mostly.
B. The join on RemoteIP and NetworkIP is mismatched because one is IPv4 and the other IPv6.
C. The ThreatIntelligenceIndicator table does not contain any indicators with an Active status that match the remote IPs.
D. The ConnectionCount threshold of 100 is too high; most devices do not exceed this.
Answer: C

Inner join requires matching records; no active matching indicators leads to zero results.

Why this answer

Option C is correct because the query uses an inner join; if the ThreatIntelligenceIndicator table does not have any active indicators matching the remote IPs, no results are returned. Option D is wrong because the connection count threshold is reasonable. Option B is wrong because the join key is correct.

Option A is wrong because the RemoteIPType filter is correct for public IPs.

79
MCQ · easy

A threat hunter wants to identify anomalous DNS queries that may indicate data exfiltration. In Microsoft Sentinel, which data source is most appropriate for ingesting DNS logs from on-premises servers?

A. Syslog connector
B. DNS connector using Azure Monitor Agent (AMA)
C. Azure DNS connector
D. Windows Event Forwarding (WEF)
Answer: B

The DNS connector with AMA is the recommended method for on-premises DNS logs.

Why this answer

Option B is correct because the DNS connector is designed to collect DNS query logs from Windows DNS servers using AMA. Option C is wrong because Azure DNS is for Azure-hosted zones. Option A is wrong because Syslog may not parse DNS fields natively.

Option D is wrong because Windows Event Forwarding is for Windows events, not DNS logs.

80
Multi-Select · medium

Which TWO KQL operators are most useful for threat hunting lateral movement in Microsoft Defender XDR? (Select two.)

Select 2 answers
A. project
B. summarize
C. join
D. search
E. where
Answers: C, E

Correlates logon events across devices.

Why this answer

Options C and E are correct. join correlates events across devices, and where filters by remote logons. Option D (search) is for text search, B (summarize) is for aggregation, and A (project) is for column selection.

81
MCQ · easy

You are using Microsoft Sentinel UEBA to hunt for insider threats. Which entity type would you investigate to detect unusual access to sensitive data?

A. IP
B. Application
C. Device
D. User
Answer: D

User entity analysis can detect anomalous logon and access patterns.

Why this answer

Option D is correct because UEBA profiles user behavior, making 'User' the primary entity for detecting unusual access. Option C is for device-based anomalies. Option A is for IP-based anomalies.

Option B is for application anomalies.

82
MCQ · medium

As a threat hunter, you want to proactively search for signs of privilege escalation using the 'AzureHound' tool within your Microsoft Sentinel environment. Which data source is most relevant to ingest to detect AzureHound usage?

A. Azure VM Insights logs
B. Azure Active Directory Audit Logs (now Microsoft Entra ID Audit Logs)
C. Azure Storage analytics logs
D. Azure Network Watcher logs
Answer: B

AzureHound queries Microsoft Graph, and audit logs capture those API calls.

Why this answer

Option B is correct because AzureHound uses the Microsoft Graph API to collect Azure AD data, and that activity is logged in AuditLogs. Option A is wrong because AzureHound does not run on VMs. Option D is wrong because it's not about networking.

Option C is wrong because AzureHound does not create storage blobs.

83
MCQ · hard

You are a security analyst at a company that uses Microsoft Sentinel and Microsoft Defender for Identity (now part of Microsoft Defender XDR). During a threat hunt, you need to identify potential golden ticket attacks. You have Windows Security Events (Event ID 4672: Special Logon) and Kerberos service ticket events (Event ID 4769) ingested. A golden ticket attack often involves service ticket requests with unusual encryption types or ticket options. You want to find service ticket requests (4769) that have TicketOptions containing '0x40810000' (forwardable, renewable, canonicalize) and TicketEncryptionType == '0x17' (RC4), which are common in attacks. You need to write a KQL query that returns the top 10 accounts requesting such tickets in the last 7 days. Which query should you use?

A. SecurityEvent | where EventID == 4769 | where TicketOptions == "0x40810000" | summarize count() by AccountName | top 10 by count_
B. SecurityEvent | where EventID == 4769 | where TicketOptions == "0x40810000" and TicketEncryptionType == "0x17" | summarize count() by AccountName | top 10 by count_
C. SecurityEvent | where EventID == 4672 | where TicketOptions == "0x40810000" and TicketEncryptionType == "0x17" | summarize count() by AccountName | top 10 by count_
D. SecurityEvent | where EventID == 4769 | where TicketOptions contains "0x40810000" and TicketEncryptionType contains "0x17" | summarize count() by AccountName | top 10 by count_
Answer: B

Correctly identifies potential golden ticket indicators.

Why this answer

Option B correctly filters for EventID 4769, the specific TicketOptions and encryption type, and summarizes by AccountName. Option C uses the wrong event ID (4672). Option D uses the wrong operator (contains instead of ==).

Option A does not filter encryption type.

84
MCQ · hard

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. As a threat hunter, you receive an alert about a potential DCSync attack. You want to hunt for any other instances of this attack across your domain controllers over the past 30 days. Which hunting query should you run in Microsoft 365 Defender advanced hunting?

A. DeviceEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
B. IdentityDirectoryEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
C. IdentityLogonEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
D. IdentityQueryEvents | where Timestamp > ago(30d) and ActionType == 'DCSync'
Answer: B

Correct table and action type for DCSync hunting.

Why this answer

Option B correctly uses the IdentityDirectoryEvents table to filter for the DCSync attack type. Option C uses IdentityLogonEvents, which is for logons, not directory replication; Option D uses IdentityQueryEvents, but DCSync is a directory service attack, not a query; Option A uses the wrong table entirely.

85
MCQ · hard

You are reviewing a hunting query. What is the primary purpose of this query?

A. List all users with any risk level during sign-in in the last 7 days
B. Detect users who have granted admin consent to malicious OAuth apps
C. Find users with medium-risk sign-ins that share IP addresses with service principal sign-ins, indicating possible token theft or lateral movement
D. Identify service principals that have been compromised and are performing high-risk sign-ins
Answer: C

The join on IP address and count > 5 suggests correlation of user and service principal activity.

Why this answer

Option C is correct because the query filters for users with medium-risk sign-ins and joins with service principal sign-ins on IP address, then counts occurrences per user exceeding 5, indicating potential compromise involving both user and service principal activity from the same IP. Option A is wrong because the query filters for medium risk only, not any risk level. Option B is wrong because it does not look for admin consent grants.

Option D is wrong because the query does not focus on service principal compromise alone and uses medium risk, not high.

86
MCQ · medium

A threat hunter is using Microsoft Defender for Endpoint advanced hunting to investigate a suspicious process that was observed launching from a temporary folder. The hunter wants to find all devices that have executed this specific process (with the same SHA256 hash) in the last 24 hours. Which table and column should be used in the query?

A. DeviceNetworkEvents table, SHA256 column
B. DeviceEvents table, SHA256 column
C. DeviceProcessEvents table, SHA256 column
D. DeviceFileEvents table, SHA256 column
Answer: C

DeviceProcessEvents records process executions with SHA256 hash.

Why this answer

DeviceProcessEvents contains process execution events, and SHA256 stores the hash. Option C is correct. Option D (DeviceFileEvents) is for file creation/modification, not execution.

Option A (DeviceNetworkEvents) is for network connections. Option B (DeviceEvents) is a generic table that may not include the process hash.

87
MCQ · medium

Refer to the exhibit. You are reviewing a KQL query used in a threat hunting campaign. What is the primary purpose of this query?

A. To identify the top 5 most frequently used IP addresses by each user.
B. To find users who have signed in more than 5 times from a single IP to an app, and correlate with any user risk events.
C. To calculate the average risk score for users with high sign-in activity.
D. To list all sign-ins from IP addresses that have been associated with risk events.
Answer: B

The query counts sign-ins per user/IP/app and joins with risk events to show risk count.

Why this answer

Option B is correct because the query identifies users with high sign-in counts from specific IPs and apps, and joins with risk events to correlate with known risky users. Option D is wrong because the query doesn't filter only risky users. Option A is wrong because the query aggregates by user, not by unique IPs.

Option C is wrong because the query compares sign-in count to a threshold, not a risk score.

88
Multi-Select · hard

Which THREE actions are recommended when conducting a threat hunting exercise in Microsoft Sentinel using the MITRE ATT&CK framework?

Select 3 answers
A. Focus only on techniques that have not been seen in your environment before.
B. Use the hunting queries from the Microsoft Sentinel Content hub as a starting point.
C. Rely exclusively on automated detection rules to identify threats.
D. Document your findings and update detection rules based on new patterns discovered.
E. Map your hunting hypotheses to specific MITRE ATT&CK tactics and techniques.
Answers: B, D, E

The Content hub provides community and Microsoft-validated queries.

Why this answer

Options B, D, and E are correct. Mapping hypotheses to MITRE tactics ensures coverage; using hunting queries from the Content hub provides validated queries; and documenting findings supports future hunts. Option A is incorrect because you should not limit hunting to techniques never seen before.

Option C is incorrect because you should not rely solely on automated rules.

89
MCQ · medium

Your team is using Microsoft 365 Defender advanced hunting to investigate a possible data exfiltration incident. The security team suspects that an internal attacker used a compromised SharePoint Online account to download sensitive files from multiple sites. You need to build a hunting query that identifies all file download activities from SharePoint Online for a specific user account over the past 7 days, and then calculates the total size of downloaded files. Which KQL query should you use?

A. CloudAppEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownload' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
B. CloudAppEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownloaded' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
C. EmailEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownloaded' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
D. FileEvents | where Application == 'SharePoint Online' and ActionType == 'FileDownloaded' and AccountDisplayName == 'targetuser@contoso.com' and Timestamp > ago(7d) | summarize TotalSize = sum(FileSize)
Answer: B

Correct filter and aggregation.

Why this answer

Option B correctly filters SharePoint file download events (FileDownloaded) and sums the FileSize. Option A uses the wrong action (FileDownload); Option D uses the wrong table; Option C is for email.

90
MCQ · hard

You are a security analyst at Contoso. You manage a Microsoft Sentinel workspace with Microsoft Defender for Cloud Apps, Microsoft Defender for Endpoint, and Microsoft Entra ID (formerly Azure AD) data connectors. You are performing a proactive threat hunt for potential data exfiltration via external file sharing services like Dropbox and Google Drive. Your organization blocks these services on managed devices but users can access them from personal devices. You want to detect when users log in to these services from a corporate network using Microsoft Entra ID credentials. You have access to CloudAppEvents, AADSignInEventsBeta, and DeviceNetworkEvents tables in Microsoft Defender XDR advanced hunting. You need to create a hunting query that identifies sign-ins to external file sharing apps from corporate IP ranges. The query should also exclude sign-ins from known good service accounts. Which approach should you take?

A. Use DeviceNetworkEvents to find connections to file sharing service IPs, then correlate with AADSignInEventsBeta by user.
B. Filter CloudAppEvents for app categories 'file sharing' and where IP is in corporate range, then join with DeviceInfo for device ownership.
C. Join AADSignInEventsBeta with CloudAppEvents on AccountUpn, filter for app categories containing 'file sharing', and where IPAddress is in the corporate range.
D. Use DeviceNetworkEvents to find high-volume outbound traffic to cloud storage provider IP ranges, then manually investigate users.
Answer: C

Directly identifies the exact sign-in event to file sharing apps from corporate IPs.

Why this answer

Option C is correct because it joins sign-in events with cloud app events on user principal name and filters by app category (file sharing) and corporate IPs, which directly identifies the behavior. Option A only looks at network events, missing the sign-in context. Option B uses device info, which may not capture personal devices.

Option D uses endpoint network events, missing the app context.

91
MCQ · medium

You executed this Azure CLI command. What is the result?

A. A new hunting query is created in the Microsoft Sentinel workspace
B. The hunting query is immediately executed and results are displayed
C. An existing hunting query is updated with new query text
D. A new scheduled analytics rule is created
Answer: A

The command creates a hunting query resource.

Why this answer

Option A is correct because the command creates a new hunting query named 'Suspicious PowerShell' in the specified Microsoft Sentinel workspace. Option B is wrong because the command does not run the query immediately. Option D is wrong because it does not create an analytics rule.

Option C is wrong because it does not modify an existing query.

92
Multi-Select · medium

Which TWO techniques are commonly used in threat hunting with Microsoft Sentinel to identify lateral movement? (Choose two.)

Select 2 answers
A. Detecting port scanning activity from internal IPs.
B. Searching for multiple failed logon attempts from a single IP.
C. Looking for mass file deletion events on file servers.
D. Correlating service account usage with anomalous network connections.
E. Identifying remote PowerShell execution across multiple machines.
Answers: D, E

Service accounts used for lateral movement often show anomalous connections.

Why this answer

Lateral movement often involves remote execution and credential theft. Options D and E are correct. Option B is incorrect because failed logons may indicate brute force but not necessarily lateral movement.

Option A is incorrect because port scans are reconnaissance. Option C is incorrect because file deletion is often cleanup.

93
MCQ · easy

You are hunting for signs of ransomware in your environment using Microsoft 365 Defender. Which advanced hunting table should you primarily query to detect file encryption events?

A. DeviceNetworkEvents
B. DeviceProcessEvents
C. DeviceFileEvents
D. DeviceRegistryEvents
Answer: C

File events show modifications that indicate encryption activity.

Why this answer

Option C is correct because DeviceFileEvents captures file creation, modification, and deletion events, which are typical for ransomware encryption. Option A is wrong because it's for network connections. Option B is wrong because it's for process creation.

Option D is wrong because it's for registry modifications.

94
MCQ · medium

You are a threat hunter using PowerShell on a Windows 10 device. The command returns no output for a known threat ID. What is the most likely reason?

A. The Get-MpThreat cmdlet is deprecated.
B. The threat ID format is incorrect.
C. The threat has already been remediated and is no longer in the active threats list.
D. PowerShell must be run as administrator.
Answer: C

Get-MpThreat only returns active or quarantined threats; remediated threats are not listed.

Why this answer

Option C is correct because Get-MpThreat retrieves threats detected by Windows Defender Antivirus; if the threat was already remediated or removed, the command may return no results. Option A is incorrect because the cmdlet exists. Option D is incorrect because admin rights are not required to query.

Option B is incorrect because the threat ID is a number.

95
MCQ · medium

During a threat hunt in Microsoft Sentinel, you find a query that returns a high number of false positives. Which action should you take to refine the hunt?

A. Increase the query time range to gather more data
B. Create a scheduled alert rule based on the query
C. Remove columns from the result set to simplify analysis
D. Add additional filters to the query to exclude known benign activity
Answer: D

Adding filters helps narrow results to only suspicious activity.

Why this answer

Option D is correct because tuning the query by adding more conditions reduces false positives. Option A is wrong because increasing the time range would likely increase false positives. Option C is wrong because removing columns does not affect false positives.

Option B is wrong because creating an alert rule is for ongoing detection, not for refining the hunt.

96
Multi-Select · medium

Which TWO data sources are essential for threat hunting in Microsoft Sentinel to detect lateral movement?

Select 2 answers
A. Microsoft Entra ID sign-in logs
B. DeviceNetworkEvents (Microsoft Defender for Endpoint)
C. SecurityEvent (Windows Event Logs)
D. CommonSecurityLog (Syslog)
E. DnsEvents
Answers: B, C

Network connections are key for detecting lateral movement.

Why this answer

SecurityEvent (Windows Event Logs) provides process creation and network events. DeviceNetworkEvents provides network connections. Option A is for identity only.

Option E is for DNS. Option D is for network appliances such as web proxies. The correct options are B and C.

97
MCQ · hard

Refer to the exhibit. A custom detection rule in Microsoft Sentinel uses this JSON definition. An analyst notices that the rule is generating alerts for legitimate administrative scripts launched from File Explorer. What is the best way to reduce false positives while retaining detection of malicious Office-based PowerShell launches?

A. Add an additional filter to exclude PowerShell executions from specific administrative user accounts
B. Increase the query time range to 30 days
C. Change the severity to Informational to suppress alerts
D. Remove the parent process filter and rely only on FileName == 'powershell.exe'
Answer: A

Excluding known admin accounts helps reduce noise while keeping detection for other users.

Why this answer

Option A is correct because adding conditions to exclude known administrative scenarios (e.g., specific user accounts or command-line patterns) reduces false positives without removing the parent process filter entirely. Option D is wrong because removing the parent process filter would broaden detection, likely increasing false positives. Option C is wrong because lowering severity does not reduce false positives.

Option B is wrong because increasing the time range does not help.

98
MCQ · easy

You are hunting for suspicious scheduled tasks that could be used for persistence. Which Microsoft 365 Defender advanced hunting table contains information about scheduled tasks?

A. IdentityLogonEvents
B. DeviceEvents
C. DeviceNetworkEvents
D. DeviceProcessEvents
Answer: B

Contains events like scheduled task creation (EventID 4698).

Why this answer

DeviceEvents includes various system events, including scheduled task creation via EventID 4698. DeviceProcessEvents is for processes. DeviceNetworkEvents is for network.

IdentityLogonEvents is for logons. The correct table is DeviceEvents.

99
MCQ · easy

You are hunting for possible data exfiltration via email in Microsoft 365. Which data source in Microsoft Sentinel provides the most relevant telemetry for email forwarding rules?

A. Microsoft Defender for Cloud Apps logs
B. Windows Security Events
C. Azure AD sign-in logs
D. Office 365 audit logs (Exchange)
Answer: D

Exchange audit logs record changes to mailbox forwarding rules, crucial for exfiltration hunting.

Why this answer

Option D is correct because Office 365 audit logs capture changes to mailbox rules, including forwarding. Option C is wrong because Azure AD sign-in logs show authentication, not mail flow. Option B is wrong because Windows Security Events are for on-premises.

Option A is wrong because Microsoft Defender for Cloud Apps logs cover cloud app activity but not specifically mailbox rules.

100
MCQ · hard

A threat hunter is investigating a potential data exfiltration incident. The hunter suspects that a user is using an unauthorized cloud storage service. Which Microsoft Defender for Cloud Apps signal would be most useful to detect this activity?

A. Cloud Discovery
B. Microsoft Defender for Endpoint Web Protection
C. Microsoft Defender for Identity
D. Microsoft Defender for Office 365 Safe Links
Answer: A

Cloud Discovery identifies shadow IT and cloud app usage.

Why this answer

Option A is correct because Defender for Cloud Apps can discover shadow IT cloud apps. Option C is wrong because it does not detect cloud app usage. Option B is wrong because it is for web filtering, not cloud apps.

Option D is wrong because it is for email protection.

101
MCQ · easy

A threat hunter in Microsoft Sentinel wants to detect attempts to disable security logging on Windows servers using a KQL query. Which Windows Event ID should the query filter on to capture security log clearing events?

A. 4688
B. 4624
C. 5145
D. 1102
Answer: D

Event ID 1102 is logged when the security log is cleared.

Why this answer

Event ID 1102 in the Windows Security log indicates the security log was cleared, which is a common technique used by attackers to cover tracks. Option A (4688) is for process creation. Option B (4624) is for successful logon.

Option C (5145) is for network share access.

102
Multi-Select · medium

A threat hunter is using Microsoft Sentinel to hunt for signs of privilege escalation via Azure AD role assignment changes. Which TWO KQL operators or functions are most useful for identifying changes that added a user to a high-privilege role?

Select 2 answers
A. project
B. evaluate
C. mvexpand
D. summarize
E. where
Answers: D, E

Aggregates data to show counts of role assignments per user or role.

Why this answer

Option E (where) filters for specific operations like 'Add member to role'. Option D (summarize) can count changes per user or role. Option A (project) only selects columns.

Option C (mvexpand) expands multi-valued fields. Option B (evaluate) is for plugin operators.

103
Multi-Select · hard

Which THREE techniques are effective for hunting for living-off-the-land (LotL) attacks using Microsoft Sentinel?

Select 3 answers
A. Monitoring for installation of third-party software on endpoints.
B. Hunting for WMI activity using Event ID 5861 and correlating with process creation events.
C. Tracking non-interactive logon sessions (Logon Type 5).
D. Analyzing PowerShell script block logs (Event ID 4104) for encoded commands or unusual parameters.
E. Correlating remote service creation events (Event ID 7045) with network connections from administrative tools.
Answers: B, D, E

WMI is a built-in tool abused for lateral movement and execution.

Why this answer

Options B, D, and E are correct. Option E detects connections from administrative tools (e.g., PsExec). Option D identifies anomalous PowerShell usage.

Option B detects WMI lateral movement. Option A is wrong because it focuses on third-party binaries, the opposite of LotL. Option C is wrong because non-interactive logons are common for services, not specific to LotL.

104
MCQ · hard

You are creating a custom detection rule in Microsoft Sentinel using the JSON above. The rule does not trigger any alerts despite known PowerShell encoded commands executing. What is the most likely cause?

A. The query uses 'contains' which is not supported in custom detections.
B. The query is missing a time filter.
C. The JSON has a syntax error.
D. The filename 'powershell.exe' is case-sensitive and may not match actual events.
Answer: D

KQL is case-sensitive; 'powershell.exe' may need to be compared using 'has' or case-insensitive operators.

Why this answer

Option D is correct because the query is case-sensitive and 'powershell.exe' may be invoked as 'PowerShell.exe' with different casing. Option B (missing time filter) is plausible but less likely. Option C is incorrect because the JSON has correct syntax.

Option A is incorrect because 'contains' is valid KQL.

105
MCQ · easy

As part of a threat hunt, you want to find instances where a user successfully authenticated to multiple applications within a short time using different IP addresses. Which Microsoft 365 Defender data source would be most appropriate?

A. CloudAppEvents
B. DeviceLogonEvents
C. IdentityLogonEvents
D. AlertInfo
Answer: C

IdentityLogonEvents track user authentications to applications.

Why this answer

IdentityLogonEvents contains authentication events for cloud apps, with columns like Application, IP address, and Timestamp.

106
MCQ · hard

Refer to the exhibit. You are reviewing a custom scheduled analytics rule in Microsoft Sentinel. The rule is enabled but has not fired any alerts despite users having multiple locations in the last day. What is the most likely reason?

A. The UserPrincipalName field is case-sensitive and the data has mixed case.
B. The query frequency is set to 1 hour, but the query period is 1 day, causing a mismatch.
C. The rule is disabled.
D. The 'Location' field does not exist in SigninLogs; the query returns an error silently.
Answer: D

Location is not a column; it's inside LocationDetails.

Why this answer

Option D is correct because the default SigninLogs schema does not expose 'Location' as a column; the correct column is 'LocationDetails', or the query should parse location from IP. Option C is incorrect because the rule is enabled.

Option B is incorrect because the query period and frequency are set correctly. Option A is incorrect because the query summarizes by UserPrincipalName, which is a common field.

107
MCQ · hard

A threat hunter runs the above KQL query in Microsoft Defender Advanced Hunting. What is the primary purpose of this query?

A. Detect logon attempts from new IP addresses for existing users.
B. Create a list of all unique logon events in the last day.
C. Identify users who have not logged in within the past 30 days.
D. Find all logon events from IPs that have never been seen before.
Answer: A

The leftanti join removes known pairs, leaving only new IPs for known users.

Why this answer

The query creates a baseline of known AccountUpn and RemoteIP pairs from the past 30 days (excluding the last day), then selects new logon events from the last day where the AccountUpn exists in the baseline but the RemoteIP was not previously paired with that user. This detects logons from new IPs for existing users.

108
MCQ · medium

You are a security analyst at Fabrikam using Microsoft Sentinel. You are conducting a threat hunt for signs of remote code execution (RCE) via the Windows Event Log. You want to detect suspicious service creation that could indicate lateral movement. Specifically, you want to find events where a service was created (Event ID 7045) on a server, and within 5 minutes, a network connection was established from that server to another internal server. You have SecurityEvent and CommonSecurityLog tables ingested. Which KQL query should you use?

A. SecurityEvent | where EventID == 7045 | union CommonSecurityLog | where TimeGenerated > ago(1d)
B. SecurityEvent | where EventID == 7045 | project Computer, TimeGenerated | where TimeGenerated > ago(1h)
C. SecurityEvent | where EventID == 7045 | where TimeGenerated between (ago(1d) .. now()) | summarize by Computer
D. let ServiceCreation = SecurityEvent | where EventID == 7045 | project Computer, TimeGenerated; let NetworkConn = CommonSecurityLog | where DeviceAction == 'Allow' | project SourceIP, TimeGenerated; ServiceCreation | join kind=inner NetworkConn on $left.Computer == $right.SourceIP and abs(TimeGenerated - TimeGenerated) <= 5m
Answer: D

This joins service creation and network events within 5 minutes to detect lateral movement.

Why this answer

Option D is correct because it uses a join with a time window to correlate service creation and network connection. Option B is wrong because it lacks the join. Option C is wrong because it uses a time filter on creation, not correlation.

Option A is wrong because it uses a union, which is incorrect.

109
MCQ · easy

You are threat hunting for signs of credential dumping via LSASS access. Which Advanced Hunting schema table in Microsoft Defender XDR should you primarily query to find processes that opened a handle to LSASS?

A.DeviceProcessEvents
B.DeviceEvents
C.DeviceNetworkEvents
D.DeviceRegistryEvents
AnswerB

DeviceEvents includes LSASS access events (ActionType: 'LsassAccessedByProcess').

Why this answer

Option B is correct because DeviceEvents includes events like 'LsassAccessedByProcess' from the Microsoft Defender for Identity sensor. Option A (DeviceProcessEvents) records process creation, not handle open. Option C (DeviceNetworkEvents) is for network.

Option D (DeviceRegistryEvents) is for registry.

110
Multi-Selectmedium

Which THREE data sources in Microsoft Sentinel are most useful for threat hunting activities related to identity compromise?

Select 3 answers
A.SecurityEvent
B.SigninLogs
C.CommonSecurityLog
D.AuditLogs
E.OfficeActivity
AnswersA, B, D

Windows security events including logon types.

Why this answer

SigninLogs (Azure AD), AuditLogs (Azure AD), and SecurityEvent (Windows) provide identity-related data. CommonSecurityLog is for network appliances, OfficeActivity for M365 workloads.

111
MCQeasy

A security analyst is hunting for signs of credential dumping using Microsoft Defender for Endpoint. Which advanced hunting query should the analyst use to detect the use of Mimikatz?

A.DeviceRegistryEvents where RegistryKey contains 'mimikatz'
B.DeviceProcessEvents where ProcessCommandLine contains 'mimikatz'
C.DeviceFileEvents where FileName contains 'mimikatz'
D.DeviceNetworkEvents where RemoteIP contains 'mimikatz'
AnswerB

Mimikatz is typically executed as a process with command-line arguments that include the tool name.

Why this answer

Option B is correct because DeviceProcessEvents records process creation events, and Mimikatz often appears as a process. Option D is wrong because network events are not directly related to local credential dumping. Option A is wrong because registry events may show persistence but not the dumping itself.

Option C is wrong because file creation events are less direct for process-based tools.

112
Multi-Selecteasy

Which TWO are common indicators of compromise (IOCs) used in threat hunting with Microsoft Sentinel?

Select 2 answers
A.File hashes (MD5, SHA256)
B.Usernames
C.IP addresses
D.Device names
E.Registry keys
AnswersA, C

File hashes uniquely identify known malicious files.

Why this answer

Options A and C are correct because file hashes and IP addresses are standard IOCs. Option B is wrong because usernames are not IOCs; they are artifacts. Option D is wrong because device names are not IOCs.

Option E is wrong because registry keys can be IOCs but are less common than hashes and IPs.

113
MCQhard

A threat hunter wants to proactively identify devices that may have been compromised by a known adversary using DLL side-loading techniques. Which Microsoft Sentinel solution or feature should the hunter leverage to create custom detection rules based on the latest threat intelligence?

A.User and Entity Behavior Analytics (UEBA)
B.Automation rules with playbooks
C.Custom workbooks
D.Threat Intelligence integration with analytics rules
AnswerD

TI indicators can be used in scheduled query rules to match against events.

Why this answer

Option D is correct because Microsoft Sentinel's Threat Intelligence integration allows importing TI indicators and creating analytics rules. Option A is wrong because UEBA focuses on user behavior, not specific TI. Option C is wrong because workbooks are for visualization, not detection.

Option B is wrong because playbooks are for response automation.

114
Multi-Selecthard

Which THREE of the following are valid techniques for threat hunting using Microsoft Defender for Cloud Apps? (Choose 3)

Select 3 answers
A.Create custom activity policies to detect suspicious behaviors
B.Investigate user activities and generate alerts
C.Create custom detections in Microsoft Sentinel
D.Use IP address ranges to define trusted locations
E.Use advanced hunting queries
AnswersA, B, D

Custom activity policies are a core hunting feature.

Why this answer

Options A, B, and D are correct. Option A: you can create custom activity policies to detect anomalies. Option D: IP address ranges can be used to define trusted locations.

Option B: user investigation allows examining user activities. Option C is wrong because custom detections in Microsoft Sentinel are not part of Defender for Cloud Apps. Option E is wrong because advanced hunting queries are in Microsoft Defender for Endpoint, not Cloud Apps.

115
MCQeasy

A threat hunter wants to use KQL in Microsoft Sentinel to find all events from the SecurityEvent table where the event ID is 4625 (failed logon) and the account name is not 'SYSTEM'. Which query achieves this?

A.SecurityEvent | where EventID equals 4625 and Account not equals 'SYSTEM'
B.SecurityEvent | where EventID == 4625 and Account != 'SYSTEM'
C.SecurityEvent | where EventID == 4625 and Account != 'SYSTEM'
D.SecurityEvent | where EventID == 4625 and not Account == 'SYSTEM'
AnswerB

'!=' is the correct KQL operator for not equal.

Why this answer

Option B is correct because it filters EventID and then excludes the 'SYSTEM' account. Option C is wrong because it uses '!=' incorrectly. Option D is wrong because 'not' without parentheses may cause a syntax error.

Option A is wrong because 'equals' is not a KQL operator.

116
MCQmedium

You are a security analyst at Fabrikam. The company uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you need to identify users who are accessing cloud applications from multiple geographic locations in a short time, which could indicate credential theft or token replay. You want to create a hunting query in Microsoft Sentinel using the CloudAppEvents table. Which approach should you take?

A.Query CommonSecurityLog for VPN connections
B.Query OfficeActivity for sign-in logs
C.Query SecurityAlert for location-related alerts
D.Query CloudAppEvents, summarize by AccountDisplayName and bin(TimeGenerated, 1h), then use dcount(CountryCode) > 1
AnswerD

This directly identifies users with activities in multiple countries within an hour.

Why this answer

Option D is correct because CloudAppEvents contains location data (CountryCode or IPLocation). By summarizing per user and binning by time, you can group activities by user and time window, then filter for those with multiple distinct countries. Option C is incorrect because SecurityAlert contains alerts, not raw events.

Option B is incorrect because OfficeActivity only covers Office 365, not all cloud apps. Option A is incorrect because CommonSecurityLog is for on-premises network devices, not cloud apps.

117
MCQmedium

You are a security analyst using Microsoft Sentinel. During a threat hunt, you need to identify potential data exfiltration via DNS tunneling. You have DNS query logs ingested from your DNS servers via Syslog. The log schema includes fields: TimeGenerated, QueryName, QueryType, ClientIP, ResponseIP. You want to find DNS queries that are unusually long (over 50 characters in the query name) and have a high count of unique responses, which may indicate tunneling. You need to write a KQL query that returns the top 10 client IPs with the most unique response IPs for queries with query name length > 50 in the last 24 hours. Which query should you use?

A.Syslog | where TimeGenerated > ago(24h) | extend QueryNameLength = strlen(QueryName) | where QueryNameLength > 50 | summarize dcount(ResponseIP) by ClientIP | top 10 by dcount_ResponseIP
B.Syslog | where TimeGenerated > ago(24h) | extend QueryNameLength = strlen(QueryName) | where QueryNameLength > 50 | summarize count() by ClientIP | top 10 by count_
C.Syslog | where TimeGenerated > ago(24h) | extend QueryNameLength = strlen(QueryName) | where QueryNameLength > 50 | summarize dcount(ResponseIP) by ClientIP | top 10 by dcount_ResponseIP | project ClientIP
D.Syslog | where TimeGenerated > ago(24h) | summarize dcount(ResponseIP) by ClientIP | top 10 by dcount_ResponseIP
AnswerA

Correctly counts unique response IPs for long queries.

Why this answer

Option A correctly filters for long query names, summarizes distinct ResponseIPs per ClientIP, and orders by dcount. Option B counts all responses, not unique. Option C uses wrong field.

Option D does not filter length.

118
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. During a threat hunt, you find that a user accessed a sensitive SharePoint site from an anonymous IP address. Which hunting method would best identify all users who accessed the same site from similar anonymous IPs?

A.Query CloudAppEvents in Advanced hunting for the SharePoint site URL and filter by IP category 'AnonymousProxy'
B.Query DeviceEvents for network connections from the anonymous IP
C.Use Microsoft Purview to scan for sensitive data accessed from anonymous IPs
D.Search Azure AD sign-in logs for the same IP
AnswerA

CloudAppEvents captures cloud app activities, including SharePoint access, and IP categories help identify anonymous proxies.

Why this answer

Using KQL to query CloudAppEvents for the specific SharePoint site and filtering by IP address category (e.g., AnonymousProxy) is the most direct method. Option D (Azure AD sign-in logs) may not include SharePoint site-level access. Option B (Microsoft Defender for Endpoint) is for endpoint activities.

Option C (Microsoft Purview) focuses on data classification and governance.

119
MCQmedium

During a threat hunt, a security analyst uses Microsoft Sentinel and identifies a series of failed logon attempts from a single IP address targeting multiple user accounts. The analyst wants to create a scheduled analytics rule that generates an alert when the same IP address fails to logon to more than 10 different accounts within 5 minutes. Which KQL operator should be used to count distinct accounts per IP?

A.count()
B.summarize count() by Account
C.distinct Account
D.dcount(Account)
AnswerD

dcount provides an approximate distinct count of accounts, suitable for performance.

Why this answer

Option D is correct because dcount is an approximate distinct count that is efficient for large datasets. Option A is wrong because count() counts all events, not distinct accounts. Option C is wrong because distinct is used to return unique rows, not to count.

Option B is wrong because summarize with count() counts all rows.

120
MCQmedium

You are conducting a threat hunt to find evidence of credential dumping on Windows servers. Which event ID in Windows Security Event Log (SecurityEvent) is most indicative of LSASS process access?

A.4656 (Handle to an object requested)
B.4688 (Process creation)
C.4672 (Special privileges assigned)
D.4624 (Logon)
AnswerA

4656 can indicate access to LSASS process handle.

Why this answer

Event ID 4656 is generated when a handle to an object (like LSASS) is requested, often used in credential dumping.

121
MCQeasy

You are threat hunting for indicators of compromise related to a known malware family. Which data source in Microsoft Defender XDR would provide the most direct evidence of malware execution on endpoints?

A.EmailEvents
B.DeviceProcessEvents
C.IdentityLogonEvents
D.DeviceNetworkEvents
AnswerB

Process creation events directly indicate execution.

Why this answer

Option B is correct because DeviceProcessEvents captures process creation events, which directly indicate malware execution. Option A is incorrect because EmailEvents only covers email, not execution. Option D is incorrect because DeviceNetworkEvents shows network connections after execution.

Option C is incorrect because IdentityLogonEvents focuses on authentication.

122
MCQmedium

A threat hunter is investigating a potential malware outbreak in Microsoft Defender for Cloud Apps. The hunter notices that multiple users have installed a new app with high permissions that accesses their email. The app was not requested by IT. What is the most effective way to hunt for all instances of this app across the organization?

A.Review Conditional Access app control policies for any block rules
B.Check Microsoft 365 Defender alerts for malicious OAuth apps
C.Query the Microsoft 365 Defender advanced hunting table 'CloudAppEvents' for app installation events and then use 'AppGovernance' to list all apps
D.Use the Cloud App Security activity log to search for 'Install app' events and then review the 'App governance' dashboard for all instances
AnswerD

This allows hunting for the app installations and then investigating all instances via app governance.

Why this answer

Option D (use the Activity log to search for app installations and then investigate using App Governance or Cloud App Security) is correct because it first identifies the app via installations and then uses app analytics to scope all instances. Option A (conditional access policy) is reactive and not hunting. Option B (alerts) only catches known threats.

Option C (OAuth apps page) can list apps but may not show all historical installations; activity log is more comprehensive for hunting.

123
MCQmedium

You are investigating a potential brute-force attack against Microsoft 365. Which KQL query in Microsoft Sentinel would best identify failed logon attempts from a single IP address across multiple users?

A.SigninLogs | summarize dcount(IPAddress) by UserId | where dcount_ > 10
B.SigninLogs | summarize count() by UserId | where count_ > 10
C.SigninLogs | summarize count() by IPAddress | where count_ > 10
D.SigninLogs | summarize dcount(UserId) by IPAddress | where dcount_ > 10
AnswerD

This query counts distinct users per IP, indicating a brute-force against multiple accounts.

Why this answer

Option D is correct because it counts distinct UserId per IP and filters for high counts. Option C is wrong because it counts total attempts, not distinct users. Option B is wrong because it groups by UserId, not IP.

Option A is wrong because it counts distinct IPs per user, the opposite of what is needed.

124
MCQeasy

During a threat hunt, you identify a suspicious process that spawned from Microsoft Word with a command-line argument containing ' -enc '. Which hunting technique is most appropriate to investigate this further?

A.Review the PowerShell script block logging
B.Initiate network traffic analysis for the host
C.Check the file hash against threat intelligence feeds
D.Decode the base64-encoded command-line argument
AnswerD

Base64 decoding reveals the actual command executed, aiding in understanding the threat.

Why this answer

Option D is correct because base64-encoded command lines are commonly used in malicious documents to obfuscate payloads. Decoding the argument reveals the intended command. Option A is incorrect because decoding is not limited to PowerShell.

Option B is incorrect because network traffic analysis may follow but is not the immediate next step. Option C is incorrect because a file hash lookup is less relevant for the encoded command.

125
MCQmedium

Refer to the exhibit. The KQL query is used for threat hunting. What is the primary purpose of this query?

A.Identify devices where cmd.exe launched PowerShell and made outbound HTTPS connections.
B.Find devices where PowerShell was used to download files.
C.Detect lateral movement using remote services.
D.Identify cmd.exe running with high integrity.
AnswerA

The join on DeviceName ensures both events occurred on the same device.

Why this answer

Option A is correct because the query joins cmd.exe executions containing 'powershell' with network connections to port 443 on the same device, indicating possible PowerShell download cradles. Option D is wrong because the query does not inspect process integrity levels. Option B is wrong because the query focuses on cmd.exe, not generic script execution.

Option C is wrong because the query is not limited to lateral movement; it targets command and control activity.

126
MCQeasy

Your organization uses Microsoft Defender for Office 365. You want to hunt for phishing emails that bypassed the initial filtering. Which feature should you use to manually submit suspicious emails for analysis and then review the results in the Threat Explorer?

A.Attack Simulator
B.Threat Explorer
C.Quarantine portal
D.Email trace in Exchange admin center
AnswerB

Threat Explorer provides investigation capabilities and manual submission.

Why this answer

Option B is correct because Threat Explorer allows investigation of email threats and manual submissions. Option A is wrong because Attack Simulator is for conducting simulated attacks. Option D is wrong because the Security & Compliance Center's email trace is for message flow, not deep threat analysis.

Option C is wrong because the Quarantine portal is for managing quarantined messages, not submitting for analysis.

127
Multi-Selecthard

Which THREE approaches are effective for hunting threats in Microsoft Defender XDR using advanced hunting? (Choose three.)

Select 3 answers
A.Using known indicators of compromise (IOCs) from threat intelligence feeds.
B.Establishing a baseline of normal behavior and hunting for deviations.
C.Reviewing all alerts generated by automated detection rules.
D.Searching for any single event that appears unusual.
E.Applying machine learning models to detect anomalous patterns.
AnswersA, B, E

IOCs help search for known threats.

Why this answer

Effective hunting includes using known IOCs, behavioral baselines, and anomaly detection. Options A, B, and E are correct. Option C is incorrect because alerts are reactive.

Option D is incorrect because a single event is not sufficient.

128
MCQeasy

While threat hunting in Microsoft Sentinel, you want to create a hunting query that identifies all attempts to disable security controls. Which data table would be most appropriate to query for such activity?

A.Syslog
B.SecurityEvent
C.CommonSecurityLog
D.OfficeActivity
AnswerB

Windows security events log process and service changes.

Why this answer

Option B is correct because SecurityEvent (Windows Event Logs) contains events like 4688 (process creation) and 4689 (process termination) which can show attempts to stop security services. Option C is incorrect because CommonSecurityLog is for firewall logs. Option A is incorrect because Syslog is for Linux events.

Option D is incorrect because OfficeActivity is for Office 365.

129
MCQmedium

You are a security analyst at Wingtip Toys using Microsoft Defender XDR. You are hunting for signs of privilege escalation via the SeDebugPrivilege abuse. You want to find processes that have enabled SeDebugPrivilege and then accessed LSASS (Event ID 10). You have DeviceProcessEvents and DeviceEvents tables available. Which advanced hunting query would best identify this pattern?

A.DeviceProcessEvents | where FileName == 'lsass.exe'
B.DeviceEvents | where ActionType == 'LsassAccess' | summarize by DeviceId
C.DeviceEvents | where ActionType == 'SeDebugPrivilegeEnabled' | project DeviceId
D.DeviceProcessEvents | where FileName in ('procexp.exe', 'procmon.exe', 'cmd.exe', 'powershell.exe') | join kind=inner (DeviceEvents | where ActionType == 'SeDebugPrivilegeEnabled') on DeviceId | join kind=inner (DeviceEvents | where ActionType == 'LsassAccess') on DeviceId
AnswerD

This correlates process execution with privilege enablement and LSASS access.

Why this answer

Option D is correct because it joins process creation with privilege enablement and LSASS access. Option C is wrong because it only checks privilege enablement. Option B is wrong because it only checks LSASS access.

Option A is wrong because it filters by process name only, missing other processes.

130
MCQeasy

You are performing a threat hunt in Microsoft Sentinel. You want to identify devices that have been communicating with known malicious IP addresses. Which data source should you query?

A.SecurityEvent
B.CommonSecurityLog
C.DnsEvents
D.DeviceNetworkEvents
AnswerB

Contains network traffic logs from firewalls and other security appliances.

Why this answer

Option B is correct because CommonSecurityLog contains network traffic logs from security appliances. Option A is for Windows events, not network. Option C is for DNS queries.

Option D is for device events from Defender for Endpoint, but not IP communications.

131
Multi-Selectmedium

Which TWO of the following are valid methods to initiate a threat hunting session in Microsoft Sentinel?

Select 2 answers
A.Create a custom analytics rule
B.Import a watchlist as a hunting query
C.Start from a specific detection rule
D.Use a predefined hunting query from the Microsoft Sentinel content hub
E.Enable live mode on a hunting query
AnswersC, D

You can pivot from a detection rule to hunt for related activity.

Why this answer

Starting from a specific detection rule and using a predefined hunting query are both valid methods. Live mode is not a feature; custom analytics rules are for detection, not hunting; and watchlists are used for enrichment, not for initiating hunting.

132
MCQmedium

The exhibit shows a hunting query definition in Microsoft Sentinel. What is the primary issue with this hunting query?

A.The ActionType filter is invalid
B.The query does not filter by timestamp
C.The ipv4_lookup function does not exist in KQL
D.The ipv4_lookup function is used incorrectly because it requires a data source parameter
AnswerD

ipv4_lookup requires a second parameter specifying the lookup table or dataset, not just a string.

Why this answer

The query uses ipv4_lookup with a static lookup table 'solorigate_ips', but this function expects a parameter for the lookup data source. The correct syntax should reference a table or inline list. Option C is incorrect because the function exists.

Option B is incorrect because the query scans the entire DeviceEvents table. Option A is incorrect because there is no syntax error with ActionType.

133
Multi-Selecthard

A threat hunter is investigating a potential data exfiltration via DNS tunneling using Microsoft Defender for Endpoint advanced hunting. Which THREE columns from the DeviceNetworkEvents table should the hunter include in a query to detect anomalous DNS queries?

Select 3 answers
A.RemoteUrl
B.ActionType
C.RemoteIP
D.Timestamp
E.InitiatingProcessFileName
AnswersA, D, E

Contains the domain name being resolved, critical for detecting tunneling.

Why this answer

Option C (RemoteIP) is the destination IP of the DNS server, not the queried domain. Option A (RemoteUrl) contains the domain name being queried. Option E (InitiatingProcessFileName) shows which process made the query.

Option D (Timestamp) is essential for time patterns. Option B (ActionType) indicates if it's a DNS query. Correct: RemoteUrl, InitiatingProcessFileName, Timestamp.

ActionType is not a column in DeviceNetworkEvents for DNS; it's in DeviceEvents.

134
Multi-Selecthard

Which THREE of the following are key considerations when designing a threat hunting program in Microsoft Defender XDR and Microsoft Sentinel? (Choose THREE.)

Select 3 answers
A.Understanding the data schema and available tables in the advanced hunting schema
B.Operational security (OpSec) to avoid tipping off adversaries during manual hunting
C.Implementing multi-factor authentication for all users
D.Using only built-in detection rules to identify threats
E.Data retention policies for logs in Microsoft Sentinel and Microsoft Defender XDR
AnswersA, B, E

Knowing schema is essential to write effective queries.

Why this answer

Options A, B, and E are correct. A: Understanding data sources ensures you use the right tables. B: OpSec is critical to avoid alerting adversaries.

E: Data retention policies affect how far back you can hunt. Option D is wrong because hunting often requires custom queries, not just built-in rules. Option C is wrong because MFA is an identity protection measure, not a hunting consideration.

135
MCQmedium

While hunting in Microsoft Sentinel, you find a KQL query that uses the `evaluate` operator with `bag_unpack` to expand JSON properties. The query runs slowly and times out. What is the best practice to optimize this query?

A.Increase the cluster's concurrency and nodes.
B.Remove the `evaluate` operator and use `extend` with `parse_json`.
C.Add a `where` clause to filter rows before applying `bag_unpack`.
D.Use the `materialize` function to cache the entire table before expansion.
AnswerC

Filtering early reduces the number of rows processed by the expansion.

Why this answer

Option C is correct because filtering before expanding reduces the dataset size. Option D is wrong because materializing the entire table is inefficient. Option A is wrong because increasing nodes may not help if the dataset is too large.

Option B is wrong because reducing nodes starves resources.

136
MCQmedium

During a threat hunt in Microsoft Sentinel, you identify a series of successful logins from an unusual IP address to multiple Azure VM instances. The logins occur outside business hours. Which hunting technique would be most effective to correlate these events with potential lateral movement?

A.Run a KQL query that correlates sign-in logs with Azure activity logs using a common timestamp window.
B.Create a custom analytics rule in Microsoft Sentinel to alert on repeated logins from the same IP.
C.Use Microsoft Defender for Cloud Apps to perform session replay of the user's activities during that time.
D.Enable User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel to detect anomalies.
AnswerC

Session replay provides a detailed reconstruction of user actions, revealing lateral movement steps.

Why this answer

Option C is correct because session replay allows you to reconstruct the sequence of events and identify lateral movement patterns. Option A is wrong because timeline correlation might miss the specific sequence. Option D is wrong because anomaly detection alone doesn't link the events.

Option B is wrong because it's a detection, not hunting.

137
MCQhard

A threat hunter is analyzing a potential advanced persistent threat (APT) that uses living-off-the-land binaries (LOLBins) like certutil.exe to download payloads. The hunter wants to find instances where certutil.exe was used to download files from the internet in the last week. Which KQL query in Microsoft Sentinel would be most effective?

A.DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "powershell.exe" | where ProcessCommandLine contains "-enc" | project Timestamp, DeviceName, ProcessCommandLine
B.DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "mshta.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine
C.DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "certutil.exe" | where ProcessCommandLine contains "-urlcache" or ProcessCommandLine contains "-split" | project Timestamp, DeviceName, ProcessCommandLine
D.DeviceProcessEvents | where TimeGenerated > ago(7d) | where FileName == "wscript.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine
AnswerC

certutil.exe with -urlcache is commonly used to download files.

Why this answer

Option C is correct because it looks for certutil.exe with the -urlcache parameter in the command line. Option B is wrong because it looks for mshta.exe. Option D is wrong because it looks for wscript.exe.

Option A is wrong because it looks for powershell.exe.

138
MCQhard

You are a threat hunter for a company that uses Microsoft Defender for Endpoint (now part of Microsoft Defender XDR). You need to investigate a potential privilege escalation attack. You have collected process creation events from endpoints and want to identify instances where a process with low integrity level spawned a process with high integrity level. The DeviceProcessEvents table includes fields: DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessIntegrityLevel, ProcessFileName, ProcessIntegrityLevel. You need to write an advanced hunting query that returns the top 10 devices where this escalation occurred most frequently in the last 7 days. Which query should you use?

A.DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessIntegrityLevel == "Low" and ProcessIntegrityLevel == "High" | summarize count() by DeviceName | top 10 by count_
B.DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessIntegrityLevel == "Medium" and ProcessIntegrityLevel == "High" | summarize count() by DeviceName | top 10 by count_
C.DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessIntegrityLevel != ProcessIntegrityLevel | summarize count() by DeviceName | top 10 by count_
D.DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName != ProcessFileName | summarize count() by DeviceName | top 10 by count_
AnswerA

Correctly detects low-to-high integrity transitions.

Why this answer

Option A correctly filters for low to high integrity transitions and counts per device. Option B uses wrong integrity levels. Option C does not filter by integrity.

Option D uses wrong fields.

139
Multi-Selecteasy

Which TWO of the following are recommended practices when performing threat hunting in Microsoft Sentinel? (Choose 2)

Select 2 answers
A.Create custom hunting queries based on hypothesis
B.Rely solely on automated detection rules
C.Disable all built-in analytics rules to avoid noise
D.Delete log data older than 30 days to improve query performance
E.Use watchlists to maintain high-value indicators for matching
AnswersA, E

Hypothesis-driven hunting is a best practice.

Why this answer

Options A and E are correct. Option E: using watchlists to store known indicators helps in matching. Option A: creating custom hunting queries is essential for proactive hunting.

Option C is wrong because disabling alerts would miss possible incidents. Option D is wrong because deleting data reduces hunting scope. Option B is wrong because manual analysis is necessary alongside automation.

140
MCQhard

Refer to the exhibit. An analyst is reviewing a custom detection rule in Microsoft Sentinel. The rule is triggering many false positives from legitimate remote desktop connections. What should the analyst do to reduce false positives while keeping detection of pass-the-hash attacks?

A.Change the data source from SecurityEvent to Event.
B.Remove the AuthenticationPackage filter to include all packages.
C.Change LogonType to 10 to target remote interactive logons.
D.Add an exclusion for known administrative jump boxes.
AnswerD

Excluding known safe sources reduces false positives while keeping detection for other systems.

Why this answer

Option D is correct because adding a condition to exclude management jump boxes that use NTLM would remove known legitimate activity. Option C is wrong because changing the logon type to 10 (remote interactive) would exclude many legitimate RDP connections. Option B is wrong because removing the NTLM filter would include all authentication packages, increasing false positives.

Option A is wrong because the query already uses SecurityEvent; switching to the Event table would not help.

141
Multi-Selectmedium

Which THREE techniques are commonly used in Microsoft Sentinel threat hunting to identify command and control (C2) communication? (Select THREE.)

Select 3 answers
A.Analyzing email headers for phishing
B.Detecting DNS tunneling
C.Analyzing network beaconing patterns
D.Examining SSL/TLS certificate anomalies
E.Identifying brute force attempts
AnswersB, C, D

DNS tunneling is a known C2 technique.

Why this answer

Options B, C, and D are correct because analyzing beaconing patterns, detecting DNS tunneling, and examining SSL/TLS certificates are common C2 detection methods. Option E is wrong because brute force detection is for credential attacks, not C2. Option A is wrong because analyzing email headers is for phishing, not C2.

142
MCQeasy

You are hunting for signs of pass-the-hash (PtH) attacks. Which Windows Security Event ID should you focus on to detect anomalous NTLM authentication using a hash?

A.4672 (Special Logon)
B.4648 (Explicit Credential)
C.4776 (Credential Validation)
D.4624 (Logon) with LogonType 3
AnswerD

Event 4624 with LogonType 3 indicates network logon, which can be used for PtH detection.

Why this answer

Option D is correct: pass-the-hash produces an ordinary successful logon, so the evidence is Event ID 4624 with LogonType 3 (network), authentication package NTLM, logon process NtLmSsp and KeyLength 0, arriving from a source host or IP that does not normally authenticate as that account. Option C (4776) records NTLM credential validation on the domain controller, but it is raised for every NTLM logon, legitimate or not. Option B (4648) records logons with explicitly supplied credentials (runas, scheduled tasks), not hash reuse.

Option A (4672) records the privileges assigned to a new logon session and says nothing about how the account authenticated.
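A Sentinel hunting query that combines the Event ID 4624 / LogonType 3 fingerprint from this question with the jump-box exclusion that question 140 asks for, written as an added example rather than taken from the exam or from Microsoft's own rule templates. The jump-box addresses, the 7-day window and the three-host threshold are assumptions; a watchlist would normally replace the inline list.

```kql
// Pass-the-hash hunt over Windows Security events ingested into SecurityEvent.
// The NTLM / NtLmSsp / KeyLength 0 pattern also matches legitimate NTLM network logons,
// so known-good sources are excluded instead of loosening the authentication filter.
let jump_boxes = dynamic(["10.20.0.15", "10.20.0.16"]);   // assumed admin jump-box IPs (constructed)
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4624 and LogonType == 3                 // successful network logon
| where AuthenticationPackageName == "NTLM"
| where LogonProcessName startswith "NtLmSsp"              // the raw event value carries a trailing space
| where KeyLength == 0                                     // no session key negotiated: typical of hash replay
| where TargetUserName !endswith "$"                       // ignore machine accounts
| where TargetUserName != "ANONYMOUS LOGON"
| where IpAddress !in (jump_boxes)                         // the exclusion from question 140
| summarize Logons = count(),
            Hosts = dcount(Computer),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by IpAddress, WorkstationName, TargetUserName
// one source authenticating as one user to several hosts is the lateral-movement shape
| where Hosts >= 3
| order by Hosts desc, Logons desc
```

The same source-versus-usual-machine logic is what Microsoft Defender for Identity applies in question 147; this query reproduces it from raw Security log data for servers that are not onboarded to Defender.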

143
MCQhard

You are hunting for signs of Kerberoasting in Microsoft Sentinel. Which hunting query using KQL would you use to identify service principal names (SPNs) being queried via Kerberos TGS requests?

A.SecurityEvent | where EventID == 4769 and TicketEncryptionType == 0x17
B.DeviceEvents | where ActionType == 'KerberosTicketRequest'
C.DeviceLogonEvents | where LogonType == 'Kerberos' and AccountDomain == 'Service'
D.SecurityEvent | where EventID == 4768 and TicketEncryptionType == 0x17
AnswerA

Event 4769 is TGS request; 0x17 is RC4 encryption.

Why this answer

Kerberoasting requests TGS tickets for accounts that carry an SPN and then cracks the ticket offline. Option A is correct because SecurityEvent 4769 logs TGS requests and TicketEncryptionType 0x17 is RC4-HMAC, the cipher attackers request because its key is the unsalted NT hash and cracks fastest. Option D is incorrect because Event 4768 records TGT requests (AS-REQ), which every domain logon produces.

Option C is incorrect because DeviceLogonEvents records logon sessions on the endpoint and carries no SPN or ticket details. Option B is incorrect because DeviceEvents has no KerberosTicketRequest action type; ticket requests are recorded on the domain controller, not on the client.
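The option A filter on its own returns every RC4 service-ticket request, which in many domains is still a lot of legitimate traffic. The added query below (example code, not from the exam) narrows it to the Kerberoasting shape: one account requesting RC4 tickets for many distinct SPNs in a short window. In the Sentinel SecurityEvent schema TicketEncryptionType and Status are strings, so the comparison is against "0x17" and "0x0" rather than numeric literals. The 1-hour window and the five-SPN threshold are assumptions.

```kql
// Kerberoasting hunt: one requester fanning out across many SPNs with RC4 (0x17) tickets.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4769                                     // TGS-REQ logged on the domain controller
| where TicketEncryptionType == "0x17"                      // RC4-HMAC (string column in SecurityEvent)
| where Status == "0x0"                                     // ticket actually issued
| where ServiceName !endswith "$" and ServiceName != "krbtgt" // drop machine accounts and TGT renewals
| summarize DistinctSPNs = dcount(ServiceName),
            SPNs = make_set(ServiceName, 20),
            Requests = count()
    by TargetUserName, IpAddress, bin(TimeGenerated, 1h)
| where DistinctSPNs >= 5                                   // assumed threshold; tune to the domain's baseline
| order by DistinctSPNs desc
```

If the domain has already moved service accounts to AES keys, a single 0x17 request for an AES-capable SPN is itself worth a look, because tooling that forces RC4 downgrade is the usual explanation.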

144
MCQhard

You are analyzing the query above in Microsoft 365 Defender advanced hunting. The goal is to identify potentially compromised accounts used only once. The query returns thousands of results including many normal single logons. How can you refine the query to reduce false positives?

A.Change the where clause to LogonCount > 1.
B.Remove the filter on AccountUpn endswith "@contoso.com".
C.Add a filter to only include accounts that have never logged on before.
D.Add a filter to exclude IP addresses from the corporate VPN range and common applications like Outlook Web Access.
AnswerD

This removes expected single logons from known sources.

Why this answer

Option D is correct because excluding known corporate sources (the VPN egress range) and everyday applications that routinely produce one-off logons isolates the single logons that are actually unusual. Option A inverts the hunt: LogonCount > 1 removes every single logon, including the compromised ones. Option C is too broad and ill-defined; a first-ever logon is not a single logon, and most first logons are onboarding.

Option B widens the result set to accounts outside contoso.com instead of narrowing it.

145
Multi-Selecteasy

Which TWO of the following are common techniques used by attackers to bypass security controls that a threat hunter should look for?

Select 2 answers
A.Process injection into trusted processes
B.Enabling multi-factor authentication
C.Regular software updates
D.Enforcing strong password policies
E.DLL sideloading
AnswersA, E

Attackers inject malware into trusted processes to evade detection.

Why this answer

Options A and E are correct. Process injection hides malicious code inside a legitimate, often signed and allow-listed, process so that host-based controls see a trusted image. DLL sideloading abuses the loader's search order so that a legitimate, signed executable loads an attacker-supplied DLL placed next to it.

Option D is incorrect because strong password policies are a defense, not an attack technique. Option B is incorrect because MFA is a security control, not a bypass. Option C is incorrect because software updates are a mitigation, not an attack.

146
MCQeasy

You are using the Microsoft Sentinel Threat Hunting experience to create a new hunting query. Which tab should you select to bookmark a suspicious event for further investigation?

A.Results
B.Queries
C.Bookmarks
D.Entities
AnswerC

Allows creating bookmarks from events.

Why this answer

Option C is correct because the Bookmarks tab is where saved events are kept, annotated with notes and tags, and promoted into an incident. Option A shows the rows returned by the query. Option B lists the saved hunting queries.

Option D opens entity pages for the users, hosts and IPs involved.

147
MCQhard

You are hunting for lateral movement in your environment. In Microsoft Defender for Identity, which activity is a strong indicator of a potential pass-the-hash attack?

A.A user logging on with a smart card.
B.An NTLM authentication originating from a machine that is not the user's usual machine.
C.A remote desktop connection from a non-admin workstation to a domain controller.
D.A service account logging on to multiple servers simultaneously.
AnswerB

This suggests the use of stolen credentials/hashes.

Why this answer

Pass-the-hash lets an attacker authenticate as a user with that user's stolen NTLM hash instead of the password, so the telltale is NTLM authentication for the user arriving from a computer the user does not normally use; Microsoft Defender for Identity raises this as its "Suspected identity theft (pass-the-hash)" alert. Option C is worth investigating but describes an RDP session rather than hash reuse, and options A and D are not pass-the-hash indicators (smart-card logon is a stronger authentication method, and a service account fanning out to the servers it manages is its normal behaviour).

148
MCQhard

Your threat hunting team is using Microsoft Sentinel with User and Entity Behavior Analytics (UEBA). You want to identify anomalous outbound data transfers that may indicate data exfiltration. Which KQL function should you use to compare current activity against a baseline?

A.behavioranalytics
B.series_decompose
C.summarize
D.make-series
AnswerA

UEBA in Microsoft Sentinel writes its per-user and per-device baselines and anomaly scores to the BehaviorAnalytics table, which is what this option refers to.

Why this answer

Option A is correct because the BehaviorAnalytics output that UEBA produces already scores each activity against the entity's learned profile (InvestigationPriority, ActivityInsights, UsersInsights, DevicesInsights), so the baseline comparison is done for you. Option D (make-series) only turns events into a time series. Option B (series_decompose) splits a series into trend, seasonal and residual components, which is a building block for your own baseline but not the UEBA one.

Option C (summarize) aggregates rows and has no notion of a baseline.

149
MCQeasy

Which Microsoft Sentinel feature allows you to query data across multiple workspaces in a single KQL query?

A.The union operator with workspace names
B.The externaldata operator with workspace URLs
C.The workspace() function in KQL
D.The join operator with workspace identifiers
AnswerC

workspace() allows querying multiple workspaces in one query.

Why this answer

Option C is correct because the `workspace()` function references a table in another Log Analytics workspace by name, ID or resource ID, so one query can read from several. Option A is wrong because `union` combines tables but cannot reach another workspace on its own; it is combined with `workspace()` to do so. Option D is wrong because `join` correlates rows between tables, not workspaces.

Option B is wrong because `externaldata` reads files from external storage such as a blob URL, not from workspaces.

150
MCQeasy

A security analyst is using KQL in Microsoft Sentinel to hunt for potential data exfiltration by a user who has been sending unusually large amounts of data to an external IP address. Which KQL operator should the analyst use to identify the top source IP addresses and total bytes sent over the last 7 days?

A.... | where SentBytes > 1000000 | project SourceIP, SentBytes
B.... | extend TotalBytes=SentBytes | summarize count() by SourceIP
C.... | project SourceIP, SentBytes | sort by SentBytes desc
D.... | summarize TotalBytes=sum(SentBytes) by SourceIP | top 10 by TotalBytes desc
AnswerD

Correctly uses summarize with sum and top to find top source IPs by total sent bytes.

Why this answer

Option D is correct because `summarize` with the sum() aggregation computes the total bytes per source IP, and `top 10 by TotalBytes desc` keeps only the heaviest senders. Option A (`where`) filters rows but does not aggregate.

Option C (`project`) only selects columns. Option B (`extend`) adds a computed column without aggregating, and the `summarize count()` that follows it counts sessions rather than bytes.
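The two questions above fit together in one hunt: the added query below (example code, not from the exam) unions CommonSecurityLog from two workspaces with `workspace()` and then applies the option D aggregation to rank sources by bytes sent over 7 days. The workspace names are constructed; the window and the external-destination filter are assumptions.

```kql
// Cross-workspace exfiltration hunt: same table from two workspaces, ranked by total bytes sent.
union
    (workspace("soc-prod-eus").CommonSecurityLog | extend Workspace = "soc-prod-eus"),
    (workspace("soc-prod-weu").CommonSecurityLog | extend Workspace = "soc-prod-weu")
| where TimeGenerated > ago(7d)
| where isnotempty(DestinationIP) and not(ipv4_is_private(DestinationIP))   // external destinations only
| summarize TotalBytes = sum(SentBytes),
            Sessions = count(),
            Destinations = dcount(DestinationIP),
            LastSeen = max(TimeGenerated)
    by SourceIP, Workspace
| top 10 by TotalBytes desc
```

Keeping the Workspace column in the `by` clause preserves which environment each source came from, which matters when the same private IP range is reused across regions.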
