CCNA Perform threat hunting Questions

75 of 276 questions · Page 3/4 · Perform threat hunting · Answers revealed

151
Multi-Selecthard

Which TWO of the following are key indicators of a potential DCSync attack that a threat hunter should look for in Microsoft Sentinel? (Select two.)

Select 2 answers
A.Failed logon attempts from a single IP
B.A new user account created with domain admin privileges
C.Event ID 4662 with access mask for DS-Replication-Get-Changes
D.Multiple Kerberos ticket requests from a single user
E.Directory replication requests from non-domain controller accounts
AnswersC, E

Direct indicator of replication request.

Why this answer

Options A and D are correct. A: Replication from a non-DC indicates DCSync. D: Event 4662 with DS-Replication-Get-Changes is characteristic.

B is for Kerberos. C is for account creation. E is for logon failure.

152
MCQmedium

You are investigating a potential data exfiltration using Microsoft Defender for Cloud Apps. You find that a user downloaded a large number of files from SharePoint Online to a personal device. Which anomaly detection policy type would have detected this?

A.Activity anomaly detection policy
B.File anomaly detection policy
C.Cloud Discovery anomaly detection policy
D.OAuth app anomaly detection policy
AnswerA

Activity anomaly policies detect unusual user activities like mass downloads.

Why this answer

Option C is correct because Activity anomaly detection policies detect unusual download volumes. Option A is wrong because File anomaly policies focus on file types and metadata. Option B is wrong because OAuth app anomaly policies focus on app permissions.

Option D is wrong because Cloud Discovery anomaly policies focus on shadow IT.

153
Multi-Selecteasy

Which TWO of the following KQL functions are commonly used in threat hunting queries to identify outliers? (Choose TWO.)

Select 2 answers
A.where()
B.percentile()
C.project()
D.extend()
E.bin() with summarize
AnswersB, E

percentile() is used to find values that exceed a certain percentile, useful for anomaly detection.

Why this answer

Options B and D are correct. B: `percentile()` helps find values above a certain threshold. D: `bin()` with `summarize` is used to aggregate data over time for anomaly detection.

Option A is wrong because `extend()` adds columns, not for outlier detection. Option C is wrong because `project` selects columns.

154
MCQhard

In a threat hunt, you discover that a non-admin user account created a scheduled task that executes a PowerShell script to connect to an external IP on port 4444. Which of the following is the most likely interpretation of this activity?

A.The user is performing legitimate remote administration
B.The PowerShell script is a remote assistance tool
C.The scheduled task is part of a software update mechanism
D.The scheduled task is likely a reverse shell for persistence and remote access
AnswerD

Reverse shells often use PowerShell to connect to external IPs on arbitrary high ports.

Why this answer

Option D is correct because PowerShell connecting to an external IP on a non-standard port like 4444 is indicative of a reverse shell. Option A is incorrect because standard admin tasks typically use RDP or WinRM. Option B is incorrect because port 4444 is not typically used for updates.

Option C is incorrect because remote assistance uses different ports and protocols.

155
MCQeasy

You are conducting a threat hunt for possible credential dumping using Mimikatz. Which Windows Security Event ID should you focus on in Microsoft Sentinel to detect potential use of Mimikatz?

A.Event ID 10 (Process accessed)
B.Event ID 4688 (Process creation)
C.Event ID 4625 (Failed logon)
D.Event ID 5156 (WFP connection)
AnswerA

Mimikatz accesses LSASS process; Event ID 10 logs process access attempts.

Why this answer

Option A is correct because Event ID 10 (Lsass process access) is a common indicator of Mimikatz usage. Option B is wrong because Event ID 4688 is process creation, too broad. Option C is wrong because Event ID 4625 is failed logon, unrelated.

Option D is wrong because Event ID 5156 is for Windows Filtering Platform connections, not credential dumping.

156
MCQmedium

You are reviewing a threat hunting KQL query in Microsoft Sentinel. The query references an external CSV containing malicious IPs. The query returns no results despite known malicious activity. What is the most likely issue?

A.The externaldata function is not supported in Microsoft Sentinel.
B.The HuntingTimeRange variable is not being used correctly.
C.The project clause removes the RemoteIP column.
D.The external CSV file is not accessible or the URL is malformed.
AnswerD

If the external data source is unavailable, the join produces no results.

Why this answer

Option B is correct because externaldata reads the file at query time, and if the URL is unreachable or the file format differs, no IPs are loaded, resulting in no matches. Option A is less likely because the syntax is valid. Option C is possible but the query does not filter on time; it uses the variable.

Option D is incorrect because the query projects relevant fields.

157
MCQhard

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You are hunting for a threat that uses 'process hollowing' to evade detection. Which advanced hunting query in Microsoft Defender for Endpoint would be most effective?

A.DeviceProcessEvents | where InitiatingProcessFileName != ImageFileName | where ParentProcessFileName != ImageFileName
B.DeviceProcessEvents | where FileName in~ ('rundll32.exe', 'regsvr32.exe', 'mshta.exe')
C.DeviceFileEvents | where FileName contains 'hollow'
D.AlertInfo | where Title contains 'Process hollowing'
AnswerA

Process hollowing typically involves a process where the original image is replaced; this query finds mismatches between initiating, parent, and image file names.

Why this answer

Option A is correct because process hollowing often involves a child process with a different parent image; DeviceProcessEvents can show such anomalies. Option B is wrong because it looks for specific image names. Option C is wrong because file events are less direct.

Option D is wrong because it waits for alerts.

158
MCQmedium

You are a threat hunter at Fabrikam, a mid-sized company with 2,000 users. Your environment uses: Microsoft 365 E3 licenses; Microsoft Sentinel with the Microsoft 365 Defender connector; Microsoft Defender for Office 365; and Microsoft Defender for Endpoint (without Microsoft Defender for Identity). You are investigating a suspicious email campaign where some users received phishing emails with links to a credential harvesting page. You want to proactively search for any users who may have entered credentials on the phishing page. You have no direct logs from the phishing server. Which hunting approach should you use in Microsoft Sentinel?

A.Query the UrlClickEvents table to identify users who clicked the malicious link, then correlate with AADSignInEventsBeta to find sign-ins from new IPs after the click.
B.Query the DeviceProcessEvents table for any browser process that accessed the phishing URL.
C.Query the AADSignInEventsBeta table for users who signed in shortly after the email campaign from IPs not previously seen.
D.Query the EmailEvents table for users who received the phishing email and then check if they have any subsequent sign-in anomalies.
AnswerA

This directly identifies users who interacted with the phishing link and may have entered credentials, then checks for anomalous sign-ins.

Why this answer

Option C is correct because using URL click verdict data from Defender for Office 365's Safe Links can show which users clicked the malicious link, and correlating with subsequent sign-ins from unusual IPs can indicate credential compromise. Option A is wrong because email events show delivery but not credential entry. Option B is wrong because sign-in logs alone may not be linked to the phishing.

Option D is wrong because endpoint process events are less likely to capture web form submissions.

159
MCQmedium

You are a SOC analyst using Microsoft Sentinel. You need to create a hunting query that searches for unusual outbound RDP connections from workstations. Which KQL operators or functions would be most essential for this query?

A.DeviceProcessEvents and where ProcessCommandLine contains 'mstsc'
B.DeviceNetworkEvents and where LocalPort == 3389 and RemoteIPType == 'Public'
C.DeviceLogonEvents and where LogonType == 'RemoteInteractive'
D.DeviceEvents and where ActionType contains 'RDP'
AnswerB

Outbound RDP uses local port 3389 to public IPs.

Why this answer

Hunting for outbound RDP requires identifying connections on port 3389 from workstations. Option B is correct because DeviceNetworkEvents includes network connections and port information. Option A is incorrect because DeviceLogonEvents is for logon sessions.

Option C is incorrect because DeviceProcessEvents is for processes. Option D is incorrect because DeviceEvents may not include network details.

160
MCQhard

While threat hunting, you find a suspicious scheduled task that runs a PowerShell script from a temp directory. You want to check if this task exists on other devices in the environment. Which Microsoft Defender for Endpoint advanced hunting table would you query?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceEvents
D.DeviceRegistryEvents
AnswerC

DeviceEvents captures scheduled task creation and other system events.

Why this answer

Option B is correct because the `DeviceEvents` table includes scheduled task creation events (ActionType: ScheduledTaskCreated). Option A is wrong because `DeviceProcessEvents` focuses on process execution, not task creation. Option C is wrong because `DeviceNetworkEvents` is for network connections.

Option D is wrong because `DeviceRegistryEvents` is for registry changes.

161
MCQeasy

As a threat hunter, you want to use MITRE ATT&CK techniques to categorize detected behaviors. In Microsoft Sentinel, which feature allows you to map alerts to MITRE techniques automatically?

A.Analytics rules
B.Playbooks
C.Watchlists
D.Workbooks
AnswerA

Analytics rules (scheduled or NRT) allow mapping to MITRE techniques.

Why this answer

Option B is correct because analytics rules can include MITRE ATT&CK technique mapping. Option A is wrong because workbooks are for visualization, not mapping. Option C is wrong because playbooks are for automated response.

Option D is wrong because watchlists are for reference data.

162
MCQeasy

A threat hunter wants to identify all devices that have communicated with a known malicious IP address in the last 7 days. Which table in Microsoft Defender for Endpoint advanced hunting should be queried?

A.DeviceFileEvents
B.DeviceNetworkEvents
C.DeviceProcessEvents
D.DeviceRegistryEvents
AnswerB

This table contains network connection events.

Why this answer

DeviceNetworkEvents records network connections, including destination IP addresses.

163
Multi-Selectmedium

Which TWO of the following are effective techniques for identifying lateral movement in Microsoft Defender for Endpoint advanced hunting? (Choose two.)

Select 2 answers
A.Check for successful logons from public IP addresses
B.Look for large file uploads to cloud storage
C.Search for remote desktop connections from non-administrative workstations
D.Monitor for phishing emails
E.Analyze NTLM authentication events for pass-the-hash
AnswersC, E

Unexpected RDP connections from workstations can indicate lateral movement.

Why this answer

Option A is correct because anomalous RDP connections can indicate lateral movement. Option B is correct because pass-the-hash can be detected via logon events. Option C is wrong because it is about initial access.

Option D is wrong because it is about data exfiltration. Option E is wrong because it is not a lateral movement technique.

164
Multi-Selecteasy

Which TWO Microsoft Sentinel hunting features can be used to automatically surface suspicious activities without manual query writing?

Select 2 answers
A.Workbooks
B.Analytics rules
C.Livestream
D.Playbooks
E.Hunting queries
AnswersC, E

Real-time hunting by monitoring specific events.

Why this answer

Hunting queries are pre-built queries that run on a schedule. Livestream allows real-time detection of specific events. Option C (Analytics rules) is for detection, not hunting.

Option D (Workbooks) is visualization. Option E (Playbooks) is automation. The correct options are A and B.

165
Multi-Selecteasy

Which TWO are valid KQL operators for performing time-based analysis in threat hunting? (Choose two.)

Select 2 answers
A.project
B.between
C.summarize
D.extend
E.ago()
AnswersB, E

Between filters results within a datetime range.

Why this answer

Option A is correct because 'ago' is used to specify a relative time range. Option B is correct because 'between' is used to filter a column between two datetime values. Option C is wrong because 'extend' creates new columns, not time-based.

Option D is wrong because 'project' selects columns. Option E is wrong because 'summarize' aggregates data.

166
MCQhard

You are reviewing a custom hunting query in Microsoft Sentinel. The query above returns results, but you suspect it misses low-frequency beaconing. Which modification improves detection while reducing false positives?

A.Use a sliding window to count distinct connection times per IP per device
B.Group by DeviceName only
C.Decrease the count threshold to 10
D.Add RemotePort to the summarize clause
AnswerA

Better captures regular intervals of beaconing.

Why this answer

Option C is correct because time-bounded connections better detect regular beaconing. Option A increases false positives. Option B only adds columns.

Option D counts per device, missing cross-device patterns.

167
MCQeasy

A threat hunter wants to identify possible data exfiltration over DNS in Microsoft Sentinel. Which KQL function should the analyst use to extract domain names from DNS queries?

A.split
B.parse_url
C.extract_all
D.substring
AnswerB

parse_url parses a URL and returns its components, including host.

Why this answer

Option B is correct because parse_url extracts URL components, including hostname, from a string. Option A is wrong because extract_all is more general for regex. Option C is wrong because split is for splitting strings, not parsing URLs.

Option D is wrong because substring is for simple substring extraction.

168
Multi-Selectmedium

Which THREE data sources can be used in Microsoft Sentinel for threat hunting involving network traffic?

Select 3 answers
A.DeviceNetworkEvents
B.CommonSecurityLog
C.WireData
D.SigninLogs
E.OfficeActivity
AnswersA, B, C

Endpoint network events from Defender for Endpoint.

Why this answer

Options B, C, and D are correct. B is correct because CommonSecurityLog (Syslog) contains network device logs. C is correct because DeviceNetworkEvents from Microsoft Defender for Endpoint contains network events.

D is correct because WireData logs network traffic from Azure VMs. A is incorrect because SigninLogs is for authentication, not network traffic. E is incorrect because OfficeActivity is for Office 365 logs.

169
MCQmedium

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector to ingest alerts and incidents from Defender for Endpoint, Defender for Office 365, and Defender for Identity. As a threat hunter, you want to proactively search for devices that may be communicating with known malicious IP addresses that have not yet triggered an alert. You have a list of known malicious IP addresses from an external threat intelligence feed. Which approach should you take to perform this hunt efficiently?

A.Create a Logic App that runs hourly and checks each IP against DeviceNetworkEvents, then creates incidents.
B.Create a Watchlist in Microsoft Sentinel containing the IP addresses, then write a KQL query in the Hunting blade that joins the Watchlist with DeviceNetworkEvents from Defender for Endpoint.
C.Use the ThreatIntelligenceIndicator table in Microsoft Sentinel, which automatically ingests the feed if you configure a Threat Intelligence - TAXII connector.
D.Manually add each IP address as a custom detection rule in Microsoft Sentinel for each device.
AnswerB

Watchlists allow efficient joining in queries without hardcoding.

Why this answer

Option A is the most efficient: create a Watchlist in Sentinel with the IP list, then use KQL to join with DeviceNetworkEvents. Option B is inefficient for large lists; Option C uses the wrong connector; Option D is for automation, not hunting.

170
MCQhard

You are a threat hunter at Contoso, a multinational company with 10,000 employees. Your production environment includes: Microsoft 365 E5 licenses; Microsoft Sentinel in a central Log Analytics workspace; Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps; and Microsoft Entra ID P2. You are tasked with hunting for a potential advanced persistent threat (APT) that may have compromised a high-privilege account. The threat intelligence team has reported that the APT group uses living-off-the-land binaries (LOLBins) to execute malicious code and uses encrypted tunnels to C2 servers. You need to design a hunting query in Microsoft Sentinel that correlates multiple data sources to identify suspicious LOLBin usage combined with unusual network connections. Which approach should you take?

A.Create a KQL query in Microsoft Sentinel that joins DeviceProcessEvents with DeviceNetworkEvents on DeviceId and a 1-minute time window, filtering for LOLBin processes and external IP connections.
B.Use the 'DeviceNetworkEvents' table alone to find connections to known malicious IPs from the threat intelligence feed.
C.Run a query in Advanced hunting that filters DeviceProcessEvents for known LOLBin file names like 'rundll32.exe' and 'mshta.exe', then manually review each instance.
D.Set up a custom detection rule in Microsoft Defender for Endpoint to alert on any LOLBin execution, then investigate the alerts.
AnswerA

This correlates process execution with network connections, identifying potential C2 activity.

Why this answer

Option B is correct because the KQL query joins DeviceProcessEvents and DeviceNetworkEvents on DeviceId and timestamp to find processes with suspicious command lines and subsequent network connections to external IPs. Option A is wrong because it does not correlate processes with network connections. Option C is wrong because it uses only network data without process context.

Option D is wrong because it focuses only on alerts, missing proactive hunting.

171
MCQmedium

Your organization uses Microsoft Sentinel with custom analytics rules. During a threat hunt, you want to identify lateral movement using pass-the-hash techniques. Which data source combination is most effective?

A.Azure AD sign-in logs and Office 365 audit logs
B.DeviceEvents and DeviceLogonEvents from Microsoft Defender for Endpoint
C.Sysmon Event ID 3 (Network connect) and Windows Firewall logs
D.Windows Security Event ID 4624 (Logon) with LogonType 3 and NTLM attributes
AnswerD

Event 4624 with LogonType 3 and NTLM can indicate pass-the-hash.

Why this answer

Option C is correct because Windows Event ID 4624 (logon) with logon type 3 (network) and NTLM authentication helps detect pass-the-hash. Option A is wrong because Azure AD sign-in logs cover cloud, not on-premises lateral movement. Option B is wrong because Sysmon Event ID 3 is network connect, not authentication.

Option D is wrong because SecurityEvent is the correct table; DeviceEvents is from Microsoft Defender for Endpoint, less detailed for NTLM.

172
MCQhard

During a threat hunt in Microsoft Defender XDR, an analyst discovers that a specific user account has been executing unusual PowerShell commands from a non-corporate device. The analyst wants to investigate the timeline of these activities across all Microsoft 365 services. Which advanced hunting schema should be used to correlate these events?

A.DeviceEvents
B.CloudAppEvents
C.EmailEvents
D.IdentityLogonEvents
AnswerD

This table contains logon events with device and user information, enabling cross-service correlation.

Why this answer

The IdentityLogonEvents table in advanced hunting captures authentication events, including device and user details, which is essential for correlating activities across services. Option B (DeviceEvents) is for endpoint processes, not logon correlation. Option C (EmailEvents) is for email tracking.

Option D (CloudAppEvents) covers cloud app activities but not logon context.

173
MCQeasy

A threat hunter in Microsoft Sentinel is reviewing a JSON definition for a scheduled analytics rule as shown in the exhibit. The rule is intended to run daily and alert on any device running powershell.exe with an encoded command. However, no alerts have been generated even though the hunter knows such activity exists. What is the most likely cause?

A.The requiredDataConnectors lists MicrosoftThreatProtection, but the actual data may not be ingested if the connector is not configured
B.The triggerThreshold is set to 0, which should trigger on any result
C.The queryFrequency is 1 day, which may miss events if they occur right after the query runs
D.The queryPeriod is 14 days, which may be too short
AnswerA

If the MDE connector is not set up, DeviceProcessEvents will have no data.

Why this answer

Option D is correct because the query uses the table DeviceProcessEvents, which is part of Microsoft Defender for Endpoint (MicrosoftThreatProtection connector), but the data connector specified is MicrosoftThreatProtection; if the connector is not connected or data is not flowing, no results. Option A (queryPeriod) affects how far back the query looks, but if data is present, it should still find some. Option B (triggerThreshold 0) is correct for alerting on any result.

Option C (queryFrequency) is daily, which is fine.

174
MCQmedium

You are hunting for signs of credential dumping using Mimikatz. Which process events in Microsoft Defender for Endpoint would most likely indicate this activity?

A.A process opening lsass.exe with access to process memory (e.g., PROCESS_VM_READ)
B.A process named powershell.exe making network connections to an external IP
C.A process named svchost.exe spawning from explorer.exe
D.A process named cmd.exe executing whoami
AnswerA

Mimikatz opens LSASS to read credential material; such access is suspicious.

Why this answer

Option B is correct because Mimikatz often injects into LSASS to dump credentials, so detecting a process opening LSASS with specific access flags (e.g., PROCESS_VM_READ) is a key indicator. Option A is wrong because svchost.exe is not typically used for credential dumping. Option C is wrong because powershell.exe alone is generic.

Option D is wrong because cmd.exe is generic.

175
Multi-Selectmedium

Which THREE of the following are valid sources of threat intelligence that can be ingested into Microsoft Sentinel for threat hunting? (Select three.)

Select 3 answers
A.Syslog from a firewall
B.Microsoft Threat Intelligence feed
C.TAXII server
D.Custom threat intelligence via API
E.Azure Policy
AnswersB, C, D

Built-in feed from Microsoft.

Why this answer

Options A, C, and D are correct. A: Microsoft Threat Intelligence feed. C: TAXII server for STIX indicators.

D: Custom threat intelligence via API. B is wrong because Syslog is for log collection. E is wrong because Azure Policy is for compliance.

176
MCQmedium

A threat hunter runs the KQL query above in Microsoft Sentinel to detect accounts that have experienced multiple failed sign-in attempts due to a disabled account (ResultType 50057) from the same IP. The query returns no results even though the hunter knows that some disabled accounts are being attacked. What is the most likely reason for the false negatives?

A.The ResultType value 50057 is incorrect; it should be 50058 for disabled account
B.The query should group by UserPrincipalName only, not by IPAddress
C.The time range (1h) is too narrow; the attacks may be spread over several hours
D.The threshold of 5 is too high; reducing it would show results
AnswerC

A larger time window would capture more attempts and meet the threshold.

Why this answer

Option B is correct because the query only looks at the last 1 hour; if attacks occurred over a longer period, they would be missed. Option A (ResultType wrong) is possible but not the most likely since 50057 is correct. Option C (summarize over UserPrincipalName alone) would group by user, but the query already includes IPAddress.

Option D (threshold too high) could be, but the scenario says attacks are happening; time window is the most likely cause.

177
MCQmedium

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a known malicious URL. The script was run on multiple workstations. Which Microsoft Defender XDR action should you take to contain the threat?

A.Run a full antivirus scan on all affected workstations.
B.Add the URL to the custom indicator list in Microsoft Defender XDR.
C.Initiate a device isolation on the affected workstations using Microsoft Defender for Endpoint.
D.Create a custom detection rule in Microsoft Sentinel.
AnswerC

Isolation stops the device from communicating with other devices, containing the threat.

Why this answer

Option D is correct because Microsoft Defender for Endpoint can isolate devices to prevent further spread. Option A only removes the file but does not prevent re-infection. Option B blocks the URL but not the already infected machines.

Option C is a detection, not containment.

178
MCQhard

During a threat hunt, you identify a suspicious process execution chain in Microsoft Defender for Endpoint: `powershell.exe` spawned `cmd.exe` which then executed `rundll32.exe`. To investigate the parent-child relationships, which KQL statement should you use in Advanced Hunting?

A.DeviceProcessEvents | where FileName == "rundll32.exe" and InitiatingProcessFileName == "cmd.exe"
B.DeviceProcessEvents | where ProcessChain has_all ("powershell.exe", "cmd.exe", "rundll32.exe")
C.DeviceProcessEvents | summarize by ProcessChain
D.DeviceProcessEvents | where FileName == "powershell.exe" | join kind=inner DeviceProcessEvents on $left.DeviceId == $right.DeviceId
AnswerB

ProcessChain contains the full sequence of parent processes.

Why this answer

The `make_list` function with `ProcessChain` parameter can construct the process chain, but the standard approach is to use `DeviceProcessEvents` and join on `InitiatingProcessFileName` and `FileName`. However, the correct answer involves using `scan` or `join`. Actually, the best practice is to use the `ProcessChain` column if available, or use `make_list`.

Option C is the most direct.

179
MCQeasy

A threat hunter wants to identify potential command and control (C2) communication by looking for DNS queries to domains with a high entropy and short TTL. Which advanced hunting query in Microsoft Defender XDR should be used?

A.DeviceNetworkEvents
B.AlertInfo
C.IdentityLogonEvents
D.EmailEvents
AnswerA

DeviceNetworkEvents includes DNS queries and responses, including domain name and TTL.

Why this answer

Option B is correct because DeviceNetworkEvents includes DNS queries. Option A is wrong because IdentityLogonEvents is for logons. Option C is wrong because EmailEvents is for email.

Option D is wrong because AlertInfo does not contain DNS details.

180
MCQhard

You are analyzing the KQL query above in Microsoft Sentinel. The query is designed to find devices with high outbound SMB (port 445) connections to suspicious public IPs. However, the query returns no results. What is the most likely issue?

A.Port 445 is not used for SMB.
B.The column RemoteIPType does not exist in DeviceNetworkEvents.
C.The materialize function is not allowed in this context.
D.The syntax for the second query is incorrect.
AnswerB

DeviceNetworkEvents uses 'RemoteIPType'? Actually it is 'RemoteIPType' may not exist; typical columns are 'RemoteIP', 'RemotePort', etc. This likely causes the where clause to fail.

Why this answer

Option A is correct because RemoteIPType is not a standard column in DeviceNetworkEvents; the actual column is RemoteIPType, but it might be spelled differently or not exist, causing the filter to exclude all rows. Option B is incorrect because materialize is used correctly. Option C is incorrect because the syntax is valid.

Option D is incorrect because port 445 is standard SMB.

181
MCQhard

A threat hunter suspects a data exfiltration attempt via DNS tunneling. Which KQL query would best detect unusual DNS query patterns in Microsoft Sentinel?

A.DnsEvents | summarize count() by ClientIP, Subdomain | where count_ > 100
B.DnsEvents | where ResponseSize > 1000
C.DnsEvents | where ResultCode != 0
D.DnsEvents | where QueryType == 'A'
AnswerA

High count of queries to the same IP with many subdomains suggests tunneling.

Why this answer

To detect DNS tunneling, you need to look for high volume of queries to many unique domains or subdomains. Option A looks for large size (not typical for tunneling). Option B looks for failed queries.

Option D is too broad. Option C (queries with many unique subdomains) is a classic sign of DNS tunneling.

182
MCQeasy

A threat hunter wants to correlate alerts from multiple Microsoft security products in Microsoft Sentinel. Which feature should be used to create a unified incident?

A.Threat Intelligence
B.Jupyter Notebooks
C.Analytics Rules
D.Investigation Graph
AnswerC

Analytics rules can create incidents from alerts, correlating multiple signals.

Why this answer

Option D is correct because Incident creation rules (or analytics rules) can create incidents from alerts across products. Option A is wrong because it is for notebooks. Option B is wrong because it is for external threat intelligence.

Option C is wrong because it is for investigation.

183
MCQmedium

During a threat hunt, you notice an anomalous number of failed logon attempts from a single IP address across multiple user accounts in Microsoft Entra ID sign-in logs. What is the most effective next step to determine if this is a brute-force attack?

A.Immediately block the IP address in the firewall
B.Reset passwords for all affected accounts
C.Disable the accounts that had failed logons
D.Correlate with successful logon events from the same IP for those accounts
AnswerD

A successful logon after many failures strongly indicates a brute-force attack.

Why this answer

Option B is correct because correlating failed logons with successful ones from the same IP helps confirm if the attacker eventually succeeded. Option A is incorrect as blocking prematurely may not be justified. Option C is incorrect as resetting passwords does not address the source.

Option D is incorrect as disabling accounts may impact legitimate users.

184
MCQeasy

During a threat hunt, an analyst notices multiple failed logon events from a single user account across different workstations within a short time window. Which hunting technique is most appropriate to detect potential lateral movement?

A.Search for multiple instances of special privileges assigned to new logon (Event ID 4672).
B.Search for large outbound RDP connections from a single host.
C.Search for failed logon events (Event ID 4625) followed by successful logon (Event ID 4624) from the same account on different machines.
D.Search for creation of new user accounts (Event ID 4720).
AnswerC

This pattern indicates an attacker trying to move laterally after obtaining credentials.

Why this answer

Option A is correct because failed logons followed by successful logons from the same account can indicate lateral movement. Option B is wrong because it focuses on privilege escalation, not lateral movement. Option C is wrong because it's about data exfiltration.

Option D is wrong because it's about account creation.

185
Multi-Selecthard

Which THREE of the following are best practices for performing threat hunting in Microsoft Defender XDR? (Select THREE.)

Select 3 answers
A.Focus only on alerts generated by automated detection rules.
B.Limit hunting to a single data source to reduce complexity.
C.Start with a hypothesis based on threat intelligence or recent incidents.
D.Use a combination of KQL queries and built-in hunting capabilities.
E.Leverage advanced hunting across devices, email, and identities.
AnswersC, D, E

Hypothesis-driven hunting is a fundamental best practice.

Why this answer

Options A, B, and D are correct. A: Documenting hypotheses is key. B: Using multiple data sources enriches hunting.

D: Hunting across endpoints, email, and identities provides full coverage. C: Relying solely on alerts is reactive. E: Using sample data may miss threats in other segments.

186
MCQhard

An organization uses Microsoft Defender for Endpoint (MDE) to hunt for signs of credential dumping. An analyst runs a custom advanced hunting query that searches for processes accessing LSASS.exe. The query uses DeviceProcessEvents and DeviceFileEvents. The analyst notices that some known credential dumping tools are detected, but they want to find previously unknown variants. Which approach should the analyst take to improve the hunt?

A.Enable LSASS auditing via Windows Security Event Log.
B.Focus on file reputation data to exclude clean files.
C.Add more signature-based indicators to the query.
D.Look for anomalous LSASS access patterns using process lineage and call stacks.
AnswerD

Anomaly detection helps uncover unknown tools by identifying unusual behavior.

Why this answer

Option C is correct because hunting for anomalous LSASS access patterns (e.g., unusual call stacks, rare processes) helps discover novel tools. Option A is wrong because adding more signatures only catches known variants. Option B is wrong because focusing on file reputation may miss fileless or signed malicious tools.

Option D is wrong because MDE already collects LSASS access events; enabling additional logging is not the primary issue.

187
MCQeasy

You are a security analyst at Wingtip Toys, a small business with 500 users. You have Microsoft 365 Business Premium licenses and Microsoft Sentinel deployed. You are conducting a threat hunt for signs of brute-force attacks against your Azure AD tenant. You want to identify IP addresses that have attempted multiple failed sign-ins across different user accounts within a short time window. You have access to the SigninLogs table in Microsoft Sentinel. Which KQL query should you use?

A.SigninLogs | where ResultType != 0 | summarize FailedAttempts = count() by IPAddress | where FailedAttempts > 10
B.SigninLogs | where ResultType !in ('0', '50125') | summarize FailedAttempts = count(), DistinctUsers = dcount(UserPrincipalName) by IPAddress | where FailedAttempts > 10 and DistinctUsers > 5 | order by FailedAttempts desc
C.SigninLogs | where ResultType != 0 | top 10 by IPAddress
D.SigninLogs | where ResultType == 0 | summarize SuccessAttempts = count() by IPAddress | order by SuccessAttempts desc
AnswerB

This identifies IPs with many failed attempts across multiple users, indicative of brute-force.

Why this answer

Option A is correct because it summarizes failed sign-ins by IP and counts distinct users, filtering for IPs with many attempts across many users. Option B is wrong because it counts total attempts without requiring multiple users. Option C is wrong because it only returns the top IP.

Option D is wrong because it counts success, not failures.

188
MCQmedium

A threat hunter is analyzing a suspicious email that bypassed Microsoft Defender for Office 365. The email contains a link to a malicious website. The hunter wants to identify all users who clicked the link. Which hunting query in Microsoft 365 Defender should be used?

A.EmailAttachmentInfo
B.EmailUrlInfo
C.EmailEvents
D.DeviceFileEvents
AnswerB

EmailUrlInfo contains URL clicks from email messages.

Why this answer

Option C is correct because EmailUrlInfo contains URL clicks from email. Option A is wrong because it contains email events, not click data. Option B is wrong because it contains email attachment info.

Option D is wrong because it contains file creation events.

189
MCQeasy

You are a threat hunter and you want to identify potential lateral movement in your environment. Which Microsoft Defender XDR hunting table would you query to find network connections from a compromised workstation to other internal devices?

A.DeviceProcessEvents
B.DeviceLogonEvents
C.DeviceNetworkEvents
D.DeviceFileEvents
AnswerC

This table records network connections, which are key for detecting lateral movement.

Why this answer

Option A is correct because DeviceNetworkEvents contains network connection events. Option B is for logon events. Option C is for process creation.

Option D is for file creation events.

190
MCQeasy

During a threat hunt in Microsoft Defender XDR, you notice repeated failed logon attempts from an IP address that belongs to a known anonymizer service. What is the first action you should take?

A.Block the IP address in Microsoft Defender for Cloud Apps.
B.Create an analytics rule in Microsoft Sentinel to alert on all anonymizer IP addresses.
C.Initiate an investigation by reviewing the impacted user accounts and endpoints for signs of compromise.
D.Report the IP to the Microsoft Sentinel Threat Intelligence team.
AnswerC

Threat hunting requires understanding the context before taking action.

Why this answer

Option C is correct because the first step is to investigate the affected accounts and endpoints to determine if any compromise occurred. Option A may alert on false positives. Option B blocks access but may break legitimate business.

Option D is premature without investigation.

191
MCQhard

You are a security operations analyst at a company that uses Microsoft Defender for Cloud Apps (now part of Microsoft Defender XDR) and Microsoft Sentinel. During a threat hunt, you suspect that an attacker may be using a compromised user account to access sensitive data in SharePoint Online from an unusual location. You have Microsoft Defender for Cloud Apps logs integrated into Sentinel. The log schema includes fields: TimeGenerated, UserId, AppName, ActivityType, IPAddress, Location, ObjectId (the document ID). You need to write a KQL query that returns a list of users who accessed the same sensitive document (ObjectId == 'SensitiveDocument123') from more than 3 unique IP addresses in the last hour, which could indicate a distributed access pattern. Which KQL query should you use?

A.CloudAppEvents | where TimeGenerated > ago(1h) | where ObjectId == 'SensitiveDocument123' | summarize dcount(IPAddress) by UserId | where dcount_IPAddress > 3
B.CloudAppEvents | where TimeGenerated > ago(24h) | where ObjectId == 'SensitiveDocument123' | summarize dcount(IPAddress) by UserId | where dcount_IPAddress > 3
C.CloudAppEvents | where TimeGenerated > ago(1h) | summarize dcount(IPAddress) by UserId | where dcount_IPAddress > 3
D.CloudAppEvents | where TimeGenerated > ago(1h) | where ObjectId == 'SensitiveDocument123' | summarize count() by UserId, IPAddress | where count_ > 3
AnswerA

Correctly counts unique IPs per user for the specific document.

Why this answer

Option A correctly filters for the sensitive document and the last hour, summarizes dcount(IPAddress) by UserId, and filters for more than 3 unique IPs. Option B uses count() instead of dcount(). Option C uses the wrong time range.

Option D does not filter for the specific document.

192
MCQmedium

During a threat hunting exercise, an analyst discovers a suspicious PowerShell process that executed encoded commands and made outbound connections to an unknown IP address. The process tree shows it was spawned by a Microsoft Word instance. What is the most likely attack technique being observed?

A.Service Execution
B.Phishing with malicious macro
C.Execution via Rundll32
D.Lateral Movement via WMI
AnswerB

Word spawning PowerShell with encoded commands is typical of macro-based phishing.

Why this answer

Option B is correct because the scenario describes a malicious document (Word) executing PowerShell with encoded commands, which is classic phishing with macro-based payload. Option A is wrong because execution via rundll32 is not indicated. Option C is wrong because the attack originates from a document, not a service.

Option D is wrong because there is no evidence of lateral movement.

193
MCQmedium

You are performing a threat hunt in Microsoft Sentinel and have a KQL query that returns a high number of false positives. You want to reduce the noise without missing real threats. Which approach should you take?

A.Write a KQL query that looks for uncommon process chains, such as wscript.exe launched from Microsoft Office.
B.Add a filter to exclude all Microsoft signed processes.
C.Remove the time filter and run the query against all historical data.
D.Broaden the time range to capture more data.
AnswerA

This targets known suspicious patterns and reduces noise while keeping relevant events.

Why this answer

Option B is correct because filtering on specific process names and parent processes in KQL narrows the results to likely malicious activity. Option A may miss legitimate processes. Option C increases false positives.

Option D removes the time filter which is essential for hunting.

194
MCQmedium

Your threat hunting hypothesis is that a user's credentials were used to sign in from two geographically distant locations within a short time. In Microsoft Defender for Cloud Apps, which log type would you query in Microsoft Sentinel to detect impossible travel?

A.SigninLogs
B.AuditLogs
C.CommonSecurityLog
D.OfficeActivity
AnswerA

SigninLogs record user sign-in events with location and time.

Why this answer

SigninLogs contain user sign-in activities with IP address and timestamp, essential for detecting impossible travel.

195
MCQeasy

During a threat hunting exercise in Microsoft Sentinel, you want to identify all cloud application events where a user accessed a resource from an IP address not previously associated with that user. Which KQL operator should you use to compare current access patterns with a baseline of known IPs?

A.join
B.lookup
C.summarize
D.union
AnswerA

Join matches rows from two tables based on a key, enabling comparison of IPs.

Why this answer

The `join` operator allows combining two tables based on a key, such as UserId, and then filtering for rows where the IP does not match the baseline.

196
MCQhard

An analyst uses this KQL query in Microsoft Sentinel to hunt for potential brute-force attacks. What is the primary purpose of the join operation?

A.To filter out IP addresses that have only successful logons
B.To identify accounts that had both a high number of failed logons and at least one successful logon from the same IP
C.To calculate the ratio of failed to successful logons for each account
D.To remove duplicate entries of account and IP combinations
AnswerB

This correlation helps detect successful brute-force attacks.

Why this answer

Option C is correct because the join is used to correlate failed and successful logons from the same account and IP, which helps identify accounts that eventually succeeded after many failures, a classic brute-force pattern. Option A is wrong because the query does not filter out IPs with only successes. Option B is wrong because the join is not filtering anything; it's enriching.

Option D is wrong because the query does not calculate a ratio.

197
MCQeasy

During a threat hunt, you discover a PowerShell script that downloads and executes a payload from a remote server. Which Microsoft Defender for Endpoint action type would most likely capture this behavior in DeviceEvents?

A.PowerShellCommand
B.ProcessCreated
C.FileCreated
D.NetworkConnection
AnswerA

Captures PowerShell script commands and execution.

Why this answer

Option D is correct because PowerShell commands that download and execute scripts are typically logged as 'PowerShellCommand' in DeviceEvents. Option A is incorrect because 'ProcessCreated' would show the PowerShell process creation but not the script content. Option B is incorrect because 'FileCreated' would show the payload file but not the download execution.

Option C is incorrect because 'NetworkConnection' would show the connection but not the script execution.

198
MCQmedium

A security analyst is performing threat hunting in Microsoft Sentinel using KQL. The analyst wants to identify all network connections initiated from a specific internal IP address (10.0.0.5) to external IP addresses in the last 24 hours. Which KQL query should the analyst use?

A.DeviceNetworkEvents | where TimeGenerated > ago(24h) | where LocalIP == "10.0.0.5" | where RemoteIP !startswith "10."
B.CommonSecurityLog | where TimeGenerated > ago(24h) | where SourceIP == "10.0.0.5" | where ipv4_is_private(DestinationIP) == false
C.CommonSecurityLog | where TimeGenerated > ago(24h) | where DestinationIP == "10.0.0.5" | where ipv4_is_private(DestinationIP) == false
D.CommonSecurityLog | where TimeGenerated > ago(1h) | where SourceIP == "10.0.0.5" | where ipv4_is_private(DestinationIP) == false
AnswerB

Correctly filters source IP and external destinations over 24h.

Why this answer

Option C is correct because it filters on the source IP and only includes connections to external IPs using a where clause for not having a private IP range. Option A is wrong because it checks destination IP instead of source. Option B is wrong because it only checks last hour.

Option D is wrong because it uses the wrong table.

199
MCQhard

During a threat hunt in Microsoft Sentinel, an analyst creates a custom hunting query that uses the 'externaldata' operator to reference a CSV file stored in Azure Blob Storage. The hunt identifies several suspicious IP addresses that need to be added to a threat intelligence indicator. Which method should the analyst use to persist the findings as indicators of compromise (IOCs) for automated alerting?

A.Upload the CSV to a custom threat intelligence feed using the Threat Intelligence - Upload Indicators API
B.Add the IPs to a Microsoft Sentinel watchlist and reference the watchlist in an analytics rule
C.Create a custom analytics rule that includes the IPs as inline indicators
D.Use Azure Logic Apps to create a playbook that blocks the IPs automatically
AnswerA

This makes the IPs available as threat intelligence indicators for use in detection rules.

Why this answer

Option C is correct because Microsoft Sentinel can ingest threat intelligence from custom CSV files via a Threat Intelligence - Upload Indicators API or TAXII connector; the analyst can upload the CSV as a new threat intelligence feed. Option A (watchlist) is for temporary lookups, not persistent IOCs for detection. Option B (custom analytics rule) would require the rule to reference the data, but the IOCs are not stored as indicators.

Option D (Azure Logic Apps) could automate but is not the primary method for persisting IOCs.

200
MCQmedium

You are reviewing a hunting query that identifies accounts with failed logons followed by successful logons from the same IP. The query returns no results even though you suspect brute force activity. What is the most likely issue?

A.The time range is too short
B.The join condition is too strict; the SourceIP might differ between failed and successful logons
C.The threshold is too low
D.The EventID for successful logon is incorrect
AnswerB

An attacker may switch IPs after a failed attempt, causing join to miss.

Why this answer

The join uses 'inner', which requires matching keys in both sides. If the IP is different for failed and successful logons (e.g., attacker changes IP), the join fails. Option A (time range) is unlikely.

Option C (EventID) is correct. Option D (threshold) is not the issue. The correct answer is B.

201
MCQmedium

Refer to the exhibit. This JSON defines a scheduled analytics rule in Microsoft Sentinel. Which type of threat is the rule primarily designed to detect?

A.Script-based malware execution attempting C2 communication
B.Lateral movement using remote desktop
C.Credential dumping via LSASS
D.Data exfiltration via DNS tunneling
AnswerA

Combination of script execution and outbound HTTP.

Why this answer

The query combines rundll32.exe with javascript (often used for script-based execution) and outbound HTTP connections (C2). Option B is correct. Option A is incorrect because no lateral movement is detected.

Option C is incorrect because credential theft is not indicated. Option D is incorrect because the query is about outbound connections, not file exfiltration.

202
MCQeasy

Your threat hunting team uses Microsoft Sentinel. They want to search for anomalous network connections to known malicious IP addresses over the past 7 days. Which KQL operator should they use to match the source IP addresses against a watchlist containing the malicious IPs?

A.where
B.in
C.has
D.contains
AnswerB

The `in` operator returns true if the value is in the list.

Why this answer

Option A is correct because the `in` operator checks if a value exists in a list or dynamic array. Option B is wrong because `has` is for string containment, not list membership. Option C is wrong because `where` is a clause, not an operator for list matching.

Option D is wrong because `contains` is for substring matching.

203
MCQmedium

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network connections from a compromised workstation. The analyst suspects that a beaconing pattern is present. Which KQL function is most appropriate to detect periodic beaconing behavior over time?

A.series_decompose(TimeGenerated)
B.make_list(TimeGenerated)
C.startofday(TimeGenerated)
D.bin(TimeGenerated, 1h)
AnswerC

startofday groups by day, making it easy to count daily beacons and detect periodicity.

Why this answer

Option C is correct because the `startofday` function can be used to aggregate events by day and then count occurrences to detect regular beaconing. Option A is wrong because `make_list` is for creating arrays, not for time-series detection. Option B is wrong because `bin` can help but `startofday` is more natural for daily beaconing.

Option D is wrong because `series_decompose` is for anomaly detection but not specifically for periodic beaconing.

204
Multi-Selectmedium

Which TWO of the following are valid methods to detect Kerberoasting attacks during a threat hunt? (Select TWO.)

Select 2 answers
A.Service account logon events with RC4 encryption type.
B.Multiple Kerberos TGS requests from a single user account to multiple service accounts.
C.Unusual number of LDAP queries from a domain controller.
D.High volume of NTLM authentication failures from a single IP.
E.Detection of forged Kerberos tickets (Golden Ticket) in the domain.
AnswersA, B

Kerberoasting often results in RC4-encrypted tickets.

Why this answer

Options B and D are correct. B: Unusual TGS requests from a single user can indicate Kerberoasting. D: Service account usage with RC4 encryption is a sign of Kerberoasting.

A: NTLM authentication is not specific. C: Golden ticket attacks involve different artifacts.

205
MCQmedium

While hunting, you notice a user account has been created and then immediately added to the Domain Admins group. Which table in Microsoft 365 Defender should you query to find this event?

A.IdentityQueryEvents
B.IdentityLogonEvents
C.DeviceEvents
D.IdentityDirectoryEvents
AnswerD

Captures directory service changes including group membership.

Why this answer

IdentityDirectoryEvents captures directory service changes like group membership modifications. IdentityLogonEvents is for logons. IdentityQueryEvents is for LDAP queries.

DeviceEvents is for system events. The correct table is IdentityDirectoryEvents.

206
MCQmedium

During a threat hunt, you find an alert for a suspicious PowerShell script that encoded a payload. You want to decode the script to understand its intent. Which Microsoft Sentinel feature can assist with this task?

A.Playbooks
B.Workbooks
C.Hunting blade with KQL using base64_decode_tostring()
D.Analytics rules
AnswerC

KQL provides string functions like base64_decode_tostring() to decode Base64 content.

Why this answer

Sentinel's Entity behavior analytics can provide context, but for decoding, using a custom notebook or Azure Functions with PowerShell is more direct. However, the question asks for a feature; the correct answer is to use the 'Hunting' blade with a custom KQL query that uses base64_decode_tostring() function. Option A (Playbooks) are for automated response.

Option B (Workbooks) for visualization. Option D (Analytics rules) for detection.

207
Multi-Selectmedium

Which THREE of the following are key components of a successful threat hunting program in a Microsoft Defender XDR environment?

Select 3 answers
A.Deep understanding of normal network behavior
B.A clear hypothesis based on threat intelligence
C.Use of MITRE ATT&CK framework
D.Automated incident response playbooks
E.Reactive response to alerts
AnswersA, B, C

Knowing normal helps spot anomalies.

Why this answer

Options A, B, and E are correct. A success hypothesis guides the hunt. Deep knowledge of the environment helps identify anomalies.

The MITRE ATT&CK framework provides a structured approach. Option C is incorrect because threat hunting is proactive, not reactive to alerts. Option D is incorrect because threat hunting is a skill distinct from incident response, though related.

208
Multi-Selecteasy

Which TWO data sources are commonly used in Microsoft Sentinel for threat hunting related to lateral movement? (Select TWO.)

Select 2 answers
A.SigninLogs
B.SecurityEvent
C.OfficeActivity
D.DeviceNetworkEvents
E.AuditLogs
AnswersB, D

SecurityEvent contains Windows security events like logon and process creation that can indicate lateral movement.

Why this answer

Options B and C are correct because SecurityEvent (Windows events) and DeviceNetworkEvents (network connections) are key for detecting lateral movement. Option A is wrong because SigninLogs are for cloud sign-ins, not lateral movement. Option D is wrong because OfficeActivity is for Office 365, not lateral movement.

Option E is wrong because AuditLogs are for directory changes, not lateral movement.

209
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a threat hunt, you want to identify AWS resources that have been compromised by correlating AWS CloudTrail logs with Microsoft Defender for Cloud security alerts. How should you ingest AWS CloudTrail logs into Microsoft Sentinel?

A.Configure Microsoft Defender for Cloud to receive AWS CloudTrail logs.
B.Use the AWS S3 connector in Microsoft Sentinel.
C.Use the Microsoft 365 Defender connector to ingest CloudTrail logs.
D.Use Azure Policy to export CloudTrail logs to Log Analytics.
AnswerB

The AWS S3 connector ingests CloudTrail logs into Sentinel.

Why this answer

Option A is correct because AWS CloudTrail logs can be ingested via the AWS S3 connector in Microsoft Sentinel. Option B is incorrect because Microsoft Defender for Cloud does not natively ingest CloudTrail logs. Option C is incorrect because Azure Policy cannot ingest AWS logs.

Option D is incorrect because the Microsoft 365 Defender connector is for Microsoft 365 data, not AWS.

210
Multi-Selecthard

Which TWO actions are part of the threat hunting process in Microsoft Sentinel?

Select 2 answers
A.Creating custom hunting queries based on hypotheses.
B.Using bookmarks to preserve interesting findings.
C.Setting up data connectors to ingest logs.
D.Fine-tuning the severity of analytical rules.
E.Configuring scheduled analytics rules.
AnswersA, B

Hunting queries are used to search for threats.

Why this answer

Options A and C are correct. A is correct because creating hunting queries is a key activity. C is correct because bookmarks allow tracking interesting findings.

B is incorrect because configuring alert rules is part of detection, not hunting. D is incorrect because setting up data connectors is an initial setup step, not a hunting activity. E is incorrect because fine-tuning analytical rules is detection engineering.

211
Multi-Selecthard

Which THREE actions should a threat hunter take when using Microsoft Defender XDR advanced hunting to investigate a potential ransomware outbreak? (Select THREE.)

Select 3 answers
A.Check for service installation events that mimic system services.
B.Review mailbox audit logs for email forwarding rules.
C.Inspect scheduled tasks for persistence mechanisms.
D.Correlate process creation events with file modification events.
E.Review password change events for service accounts.
AnswersA, C, D

Ransomware may install services to maintain persistence.

Why this answer

Options A, C, and E are correct because correlating process creation with file modifications, inspecting scheduled tasks, and checking for service installation are key steps to identify ransomware behavior. Option B is wrong because reviewing mailbox audit logs is not relevant for ransomware on endpoints. Option D is wrong because reviewing password changes is not directly related to ransomware.

212
MCQeasy

A threat hunter wants to proactively search for signs of ransomware activity in the environment using Microsoft Sentinel. Which data source is most likely to provide early indicators of ransomware, such as mass file renaming or encryption?

A.Azure AD sign-in logs
B.Microsoft Defender for Endpoint advanced hunting tables like DeviceFileEvents and DeviceProcessEvents
C.Azure Activity Log
D.Office 365 audit logs (UnifiedAuditLog)
AnswerB

These tables capture file modifications and process executions that can indicate ransomware.

Why this answer

Option B (Microsoft Defender for Endpoint) provides advanced hunting on endpoint processes and file events, which can detect mass file modifications indicative of ransomware. Option A (Azure Activity Log) logs control plane operations. Option C (Office 365 audit logs) logs cloud app activities.

Option D (Azure AD sign-in logs) logs authentication events.

213
MCQhard

During a hunt, you find that a user account has logged in from an IP address associated with a known command-and-control (C2) server. The hunt also reveals that the same IP accessed a SharePoint site containing sensitive documents. Which Microsoft Purview feature should you use to investigate data exfiltration?

A.Microsoft Purview Data Loss Prevention (DLP)
B.Microsoft Purview Information Protection
C.Microsoft Purview Compliance Manager
D.Microsoft Purview Audit (Standard)
AnswerA

DLP policies and activity explorer can identify if sensitive data was exfiltrated via SharePoint.

Why this answer

Option B is correct because Microsoft Purview Data Loss Prevention (DLP) policies and activity explorer can show if sensitive data was accessed or shared externally. Option A (Information Protection) labels data but does not track exfiltration. Option C (Audit Log) logs events but lacks context of sensitive data.

Option D (Compliance Manager) is for assessments, not investigation.

214
Multi-Selectmedium

Which TWO actions are valid when performing threat hunting in Microsoft Sentinel using hunting queries? (Choose two.)

Select 2 answers
A.Bookmark specific rows of results for later investigation.
B.Create a custom detection rule based on a hunting query.
C.Schedule a hunting query to run every hour.
D.Automatically trigger an alert when a hunting query returns results.
E.Export results directly to Azure Blob Storage.
AnswersA, B

Bookmarking is a feature in Sentinel for hunting.

Why this answer

Option A is correct because you can bookmark results for later investigation. Option C is correct because you can create a custom detection rule from a hunting query. Option B is wrong because hunting queries do not automatically trigger alerts; they are manual.

Option D is wrong because you cannot directly export results to Azure Storage, only to a CSV file or Log Analytics. Option E is wrong because you cannot schedule a hunting query to run automatically; you would need to create an analytics rule.

215
MCQhard

Refer to the exhibit. You are threat hunting for possible lateral movement using cmd.exe. The KQL query returns no results even though you know cmd.exe was executed. What is the most likely reason?

A.The join key should be on DeviceName instead of DeviceId because DeviceProcessEvents uses DeviceName.
B.The query filters on a specific device name that is missing from the data.
C.The join type should be leftouter to include all process events even if no corresponding device event exists.
D.The join condition should include a time window; process creation events may have slightly different timestamps.
AnswerA

DeviceProcessEvents typically uses DeviceName, while DeviceEvents may use DeviceId or another field.

Why this answer

Option B is correct because the join key is DeviceId, but DeviceProcessEvents and DeviceEvents may use different column names (e.g., DeviceName vs DeviceId). Option A is wrong because timestamps are often not exactly equal; a join on time is not required. Option C is wrong because the join type is inner, which returns only matching rows.

Option D is wrong because the query does not filter on a specific device, so all devices are included.

216
MCQmedium

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft 365 Defender. What is the primary purpose of this query?

A.List all scheduled tasks created in the last 7 days.
B.Correlate scheduled task creation with known threat actor techniques.
C.Identify periods of high scheduled task creation activity that may indicate lateral movement.
D.Calculate the baseline of scheduled task creation per hour.
AnswerC

The query highlights hours with >10 events, suggesting bursts.

Why this answer

The query filters for scheduled task events, groups by ActionType and hourly buckets, then returns only those hours with more than 10 events. Option A is correct because it identifies high-frequency scheduled task activity, which could indicate lateral movement or persistence. Option B is incorrect because it does not compare to a baseline.

Option C is incorrect because it does not list specific tasks. Option D is incorrect because it does not correlate with known threats.

217
Multi-Selecthard

Which THREE techniques would you use in Microsoft Sentinel to hunt for data exfiltration over DNS?

Select 3 answers
A.Analyze DNS query logs for high volume or long subdomains
B.Examine network traffic logs for large data transfers to known cloud storage IPs
C.Correlate DNS events with process creation events to identify the process making queries
D.Review email forwarding rules for external domains
E.Use ASIM DNS parsers to normalize DNS logs and detect anomalies
AnswersA, C, E

High volume or long subdomains are indicators of DNS tunneling.

Why this answer

Correct options: A, B, D. DNS query analysis (A) identifies unusual domains. Correlating DNS with process creation (B) identifies which process made the query.

Using ASIM DNS parsers (D) standardizes DNS logs. Option C (Network traffic logs) covers IP traffic but not DNS queries specifically. Option E (Email events) is unrelated.

218
Multi-Selecthard

Which THREE Microsoft Sentinel features are specifically designed to assist with threat hunting?

Select 3 answers
A.Livestream for real-time hunting.
B.Workbooks for interactive dashboards.
C.Bookmarks to record interesting results.
D.Automation rules to respond to incidents.
E.The Hunting blade with built-in and custom queries.
AnswersA, C, E

Livestream allows live querying.

Why this answer

Options A, C, and D are correct. A is correct because the Hunting blade is dedicated to hunting. C is correct because bookmarks allow preserving findings.

D is correct because Livestream provides real-time hunting. B is incorrect because Workbooks are for visualization, not hunting. E is incorrect because Automation rules are for incident response, not hunting.

219
Multi-Selectmedium

Which TWO are valid methods for performing threat hunting in Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Using playbooks to respond to incidents
B.Using the Hunting blade with built-in queries
C.Using the MITRE ATT&CK dashboard
D.Using Jupyter notebooks with MSTICpy
E.Using watchlists to create alerts
AnswersB, D

The Hunting blade provides pre-built queries for threat hunting.

Why this answer

Option B is correct because Jupyter notebooks allow custom hunting queries. Option C is correct because the Hunting blade provides built-in queries. Option A is wrong because the MITRE ATT&CK dashboard is a visualization, not a hunting method.

Option D is wrong because watchlists are data sources, not hunting methods. Option E is wrong because playbooks are for automation.

220
MCQmedium

During a threat hunt, you discover suspicious PowerShell commands executed on multiple workstations. Which KQL function in Microsoft Sentinel is most effective for aggregating similar commands to identify a pattern?

A.summarize
B.extend
C.search
D.project
AnswerA

Aggregates events by common fields like command hash.

Why this answer

Option C is correct because summarize with make_list groups similar events. Option A is wrong because search is for raw text. Option B is wrong because project is for column selection.

Option D is wrong because extend adds computed columns.

221
MCQeasy

A threat hunter is using Microsoft Defender XDR Advanced hunting to find evidence of credential dumping. Which table should be queried to detect use of tools like Mimikatz?

A.CloudAppEvents
B.DeviceEvents
C.IdentityLogonEvents
D.EmailEvents
AnswerB

DeviceEvents contain endpoint behavioral alerts, including credential dumping detections.

Why this answer

DeviceEvents table includes events from security sensors, including detection of credential dumping tools like Mimikatz. Option B (IdentityLogonEvents) is for logon events. Option C (EmailEvents) for email.

Option D (CloudAppEvents) for cloud apps.

222
MCQeasy

You are hunting for privileged account abuse in Microsoft Entra ID. Which table in Microsoft Sentinel contains audit logs for changes to directory roles?

A.IdentityLogonEvents
B.AuditLogs
C.SigninLogs
D.DeviceLogonEvents
AnswerB

Contains directory role changes and other audit events.

Why this answer

Option D is correct because AuditLogs in Microsoft Entra ID contain directory role changes. Option A is incorrect because SigninLogs contains sign-in events. Option B is incorrect because DeviceLogonEvents is for device logons.

Option C is incorrect because IdentityLogonEvents is for identity protection events.

223
MCQhard

Refer to the exhibit. An analyst is reviewing this custom detection rule in Microsoft Sentinel. The rule is not generating any alerts even though services are being installed on servers. What is the most likely reason?

A.The where clause filters for legitimate services only.
B.The extend functions are incorrectly parsing the AdditionalFields.
C.The ActionType filter is incorrect.
D.The triggerThreshold should be set to a higher value.
AnswerA

The condition 'ServiceName startswith 'Legit'' matches only services starting with 'Legit', so it alerts on legitimate services, not suspicious ones.

Why this answer

Option B is correct because the where clause filters for ServiceName starting with 'Legit', which is a legitimate prefix, so it will only alert on services that start with 'Legit', which is the opposite of what is intended. Option A is wrong because ActionType is correct. Option C is wrong because the extend functions are correct.

Option D is wrong because the trigger threshold is 0, meaning any result triggers an alert.

224
Multi-Selecteasy

Which TWO techniques are commonly used in threat hunting to identify potential malicious activity? (Choose two.)

Select 2 answers
A.Searching for known indicators of compromise (IoCs).
B.Disabling security controls to observe attacker behavior.
C.Analyzing anomalies in baseline behavior.
D.Waiting for alerts from automated detection tools.
E.Automatically blocking all suspicious traffic.
AnswersA, C

IoCs help identify known threats.

Why this answer

Option A is correct because searching for known indicators of compromise (IoCs) is a common technique. Option D is correct because analyzing anomalies in baseline behavior is a core hunting technique. Option B is wrong because threat hunting is proactive, not just reactive.

Option C is wrong because disabling security controls is not a hunting technique. Option E is wrong because threat hunting is typically performed by humans, not fully automated.

225
Multi-Selecthard

Which THREE techniques are commonly used in threat hunting within Microsoft Defender XDR to detect privilege escalation?

Select 3 answers
A.Spearphishing attachment
B.Data exfiltration
C.Token manipulation
D.Access token manipulation
E.Process injection
AnswersC, D, E

Involves stealing or creating tokens to gain higher privileges.

Why this answer

Token manipulation, process injection, and access token manipulation are common privilege escalation techniques. Data exfiltration is a goal, not technique; spearphishing is initial access.

← PreviousPage 3 of 4 · 276 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Perform threat hunting questions.