CCNA Manage Secops Environment Questions

75 of 554 questions · Page 3/8 · Manage Secops Environment topic · Answers revealed

151
MCQ · hard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to create a custom detection rule that triggers when a user is added to a privileged role in Microsoft Entra ID and within 5 minutes performs a mass download from SharePoint. Which approach should you use?

A. Create an advanced hunting query in Microsoft Defender XDR
B. Use a custom detection rule in Microsoft 365 Defender
C. Use a Microsoft Purview insider risk policy
D. Create a scheduled query rule in Microsoft Sentinel
Answer: D

Sentinel scheduled rules can query multiple data sources and join them with time windows.

Why this answer

Option D is correct because the detection requires correlating events across Microsoft Entra ID (privileged role assignment) and SharePoint (mass download) within a 5-minute window. Microsoft Sentinel's scheduled query rules can ingest data from multiple sources (e.g., AuditLogs for Entra ID and SharePoint via Office 365 connector) and use KQL to join these events with a time constraint, making it the only native solution for cross-domain, time-bound custom detections.

Exam trap

The trap here is that candidates assume Microsoft 365 Defender (now Defender XDR) can correlate all Microsoft 365 data, but its custom detection rules are restricted to Defender XDR tables, not Entra ID or SharePoint audit logs, which are only available in Sentinel via dedicated connectors.

How to eliminate wrong answers

Option A is wrong because advanced hunting queries in Microsoft Defender XDR are limited to data within the Defender ecosystem (e.g., device, identity, email signals) and cannot natively query Microsoft Entra ID audit logs or SharePoint activity logs. Option B is wrong because Microsoft 365 Defender custom detection rules (now part of Defender XDR) only support data from Defender XDR tables (e.g., IdentityLogonEvents, CloudAppEvents) and cannot directly ingest Entra ID role assignment events or SharePoint download events with the required granularity. Option C is wrong because Microsoft Purview insider risk policies are designed for user behavior analytics and risk scoring based on predefined indicators, not for creating custom, time-bound correlation rules with specific event thresholds.

152
MCQ · medium

Your company is deploying Microsoft Sentinel in a multi-tenant environment using Azure Lighthouse. You need to ensure that SOC analysts can triage incidents across all tenants from a single workspace. What is the minimum configuration required?

A. Create a second Sentinel workspace in the managing tenant and configure cross-workspace queries.
B. Configure Azure AD B2B collaboration to grant external users access to each tenant's Sentinel workspace.
C. Use Azure Policy to enforce a standard analytics rule across all tenants.
D. Onboard each tenant as a delegated resource under Azure Lighthouse, then route all logs to a single Sentinel workspace in the managing tenant.
Answer: D

Azure Lighthouse allows delegated resource management and log routing to a central workspace.

Why this answer

Option D is correct because Azure Lighthouse enables cross-tenant management by delegating permissions to a managing tenant, allowing a single Sentinel workspace to ingest logs from multiple tenants. Option B is wrong because Azure AD B2B is for user access, not workspace management. Option C is wrong because Azure Policy can enforce settings but does not enable cross-tenant incident viewing.

Option A is wrong because a second workspace is unnecessary and would fragment visibility.

153
MCQ · medium

Your security operations team uses Microsoft Sentinel workbooks to monitor security posture. You notice that a workbook query is timing out when run against a large workspace. What is the best way to optimize the query without changing its results?

A. Remove some filter conditions to simplify the query.
B. Add a summarize operator at the end of the query.
C. Use the workspace() function to query specific workspaces only.
D. Reduce the time range of the query.
Answer: C

The workspace() function limits the query scope, reducing data volume and improving performance.

Why this answer

Option C is correct because the `workspace()` function in KQL allows you to explicitly scope a query to specific workspaces, reducing the data scanned and improving performance. By targeting only the necessary workspaces, you avoid the overhead of querying the entire large workspace, which is the root cause of the timeout. This optimization does not alter the query logic or results, as it simply restricts the data source.

Exam trap

The trap here is that candidates often confuse query optimization with result modification, choosing to reduce the time range or remove filters, which changes the data returned, rather than using workspace scoping to limit the data source without affecting the query logic.

How to eliminate wrong answers

Option A is wrong because removing filter conditions would likely increase the data volume scanned, worsening performance, and it would change the query results by including more rows. Option B is wrong because adding a `summarize` operator at the end of the query does not reduce the initial data scan; it aggregates results after retrieval, which can actually increase processing time and memory usage. Option D is wrong because reducing the time range changes the query results by excluding older data, which violates the requirement to keep results unchanged.

154
MCQ · hard

Your company uses Microsoft Defender for Cloud Apps to monitor cloud applications. You have discovered that a user is accessing a sanctioned cloud storage app from an IP address that belongs to a known malicious botnet. You need to automatically block the user's access to the app and require them to re-authenticate. You have already configured session policies in Defender for Cloud Apps. What should you do next?

A. Create an access policy in Defender for Cloud Apps to block the user.
B. Create an app governance policy in Microsoft Purview to block the app.
C. Configure a session policy in Defender for Cloud Apps with the action 'Block' and 'Require re-authentication'.
D. Create a device compliance policy in Microsoft Intune to block the device.
Answer: C

Session policies can block and force re-authentication via conditional access.

Why this answer

Session policies in Defender for Cloud Apps can enforce real-time controls on sanctioned apps. By configuring a session policy with the actions 'Block' and 'Require re-authentication', you can immediately terminate the user's session and force them to re-authenticate, which effectively blocks access from the malicious IP while ensuring the user re-verifies their identity.

Exam trap

The trap here is confusing session policies with access policies; access policies only block or allow at the app level without session-level controls like re-authentication, while session policies provide the granular, real-time actions needed for this scenario.

How to eliminate wrong answers

Option A is wrong because access policies in Defender for Cloud Apps control access based on user, device, or location but cannot enforce re-authentication within an active session; they only allow or block access at the app level. Option B is wrong because app governance policies in Microsoft Purview are designed for managing app permissions and compliance in Microsoft 365, not for blocking user access to cloud storage apps based on IP reputation. Option D is wrong because device compliance policies in Microsoft Intune enforce device-level security requirements (e.g., encryption, OS version) and cannot block access to a specific cloud app based on IP address or require re-authentication.

155
MCQ · hard

Your SOC uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that all incidents from Defender XDR are automatically synchronized to Sentinel. You have enabled the Defender XDR connector. However, some incidents are not appearing. What should you check first?

A. Check the connector's data filter settings for severity or status.
B. Confirm that the incident is displayed in a Sentinel workbook.
C. Ensure that alert grouping is enabled in Sentinel.
D. Verify that the Microsoft Defender XDR license is active.
Answer: A

Filters can exclude incidents.

Why this answer

The Defender XDR connector in Microsoft Sentinel allows filtering of incidents based on severity and status during configuration. If incidents are not appearing, the most common cause is that the connector's data filter settings are excluding them—for example, filtering out 'Informational' severity or 'Resolved' status incidents. This is the first thing to check because the connector is enabled and working, but the filter is preventing synchronization of certain incidents.

Exam trap

The trap here is that candidates assume the connector is fully functional once enabled, overlooking the granular filter settings that control which incidents are actually ingested.

How to eliminate wrong answers

Option B is wrong because Sentinel workbooks are visualization tools that display data already ingested; they do not control incident ingestion or synchronization. Option C is wrong because alert grouping in Sentinel is a feature for grouping related alerts into incidents, but it does not affect the initial ingestion of incidents from Defender XDR. Option D is wrong because if the Defender XDR license were inactive, the connector would likely fail entirely or show a connection error, not selectively miss some incidents.

156
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. You need to block downloads from unmanaged devices for a specific cloud app. What should you configure?

A. Create a file policy with a governance action.
B. Create a session policy with device tag condition.
C. Create an app permissions policy.
D. Create an anomaly detection policy.
Answer: B

Session policies can block downloads from unmanaged devices using conditional access app control.

Why this answer

Option B is correct because session policies in Microsoft Defender for Cloud Apps allow you to control user activities in real time based on device tags. By configuring a session policy with a device tag condition (e.g., 'Device tag equals Unmanaged'), you can enforce actions like blocking downloads from unmanaged devices for a specific cloud app, leveraging reverse proxy architecture to inspect and control traffic.

Exam trap

The trap here is that candidates often confuse session policies (real-time proxy control) with file policies (data-at-rest governance) or anomaly detection (behavioral alerts), failing to recognize that device tag conditions are exclusive to session policies for conditional access on unmanaged devices.

How to eliminate wrong answers

Option A is wrong because file policies are designed to detect and govern data at rest (e.g., files stored in cloud apps) using content inspection and governance actions like quarantine or apply label, not to control real-time download actions from unmanaged devices. Option C is wrong because app permissions policies govern OAuth app permissions (e.g., third-party app access to cloud app data), not device-based download blocking. Option D is wrong because anomaly detection policies identify suspicious user or entity behavior (e.g., impossible travel, mass download) but cannot enforce device-specific conditional access like blocking downloads from unmanaged devices.

157
MCQ · medium

You are reviewing a KQL query used in a Microsoft Sentinel analytics rule. The query is intended to alert when there are more than 5 alerts of the same name for the same entity type within the last hour. However, the rule is not triggering as expected. What is the most likely issue?

A. The 'summarize' operator does not support 'AlertCount' as a column name.
B. The query uses 'tostring' incorrectly.
C. The parsing of Entities array may fail if the first entity does not have a 'Type' field.
D. The 'where TimeGenerated > ago(1h)' is outside the allowed range.
Answer: C

The query assumes the first entity always has a 'Type' field, which may not be true, causing null or empty values.

Why this answer

The most likely issue is that the KQL query parses the 'Entities' array, which is a dynamic JSON field in Microsoft Sentinel alerts. If the first entity in the array does not have a 'Type' field, the parsing logic (e.g., using 'mv-expand' or accessing array indices) will fail or return null, causing the query to produce no results. This prevents the rule from triggering even when conditions are otherwise met.

Exam trap

The trap here is that candidates assume the 'Entities' array always has a consistent schema, but in practice, the first entity may lack a 'Type' field, causing the query to fail silently rather than throwing an error.

How to eliminate wrong answers

Option A is wrong because 'summarize' supports any column name, including 'AlertCount', as long as it is a valid identifier; there is no restriction on column names in KQL. Option B is wrong because 'tostring' is a valid KQL function for converting values to strings, and its incorrect use would typically cause a type conversion error, not a silent failure to trigger. Option D is wrong because 'where TimeGenerated > ago(1h)' is a standard and valid time filter in KQL; the range is not limited, and 'ago(1h)' correctly specifies the last hour.

158
MCQ · easy

Your SOC team uses Microsoft Sentinel. You need to ensure that all incidents are classified and resolved within 72 hours. Currently, analysts manually update the incident status and classification. You want to automate the following: 1) If an incident is not updated within 48 hours, send a reminder to the assigned analyst via email. 2) If an incident remains open after 72 hours, automatically escalate it to the SOC manager and increase its severity. What should you implement?

A. Create an analytics rule that runs every hour and queries for old incidents.
B. Use Azure Logic Apps with a recurrence trigger to query the Sentinel API and update incidents.
C. Create a single playbook that runs on a schedule and checks all incidents.
D. Create automation rules with triggers on 'incident updated' and scheduled conditions to run playbooks for reminders and escalation.
Answer: D

Automation rules can be triggered on a schedule and perform actions on incidents.

Why this answer

Option D is correct because automation rules in Sentinel can be configured to trigger on a schedule (e.g., every 1 hour) and check incident properties. Using conditions on 'last update time' and 'status', you can send reminders via playbooks and escalate. Option A is wrong because analytics rules are for creating incidents, not for post-creation actions.

Option C is wrong because playbooks are triggered by automation rules or alerts, not directly on a schedule for existing incidents. Option B is wrong because a separate Logic App would require custom polling, which is more complex than built-in automation rules.

159
MCQ · medium

Your organization uses Microsoft Defender for Cloud and you need to ensure that security recommendations are automatically remediated for non-compliant resources. You have enabled 'Auto provisioning' for the Log Analytics agent. What additional step is required to enable automatic remediation?

A. No additional step is required; auto provisioning automatically remediates
B. Configure manual remediation in Defender for Cloud
C. Enable the 'DeployIfNotExists' policy for specific recommendations
D. Create a custom Azure Policy initiative with audit effect
Answer: C

DeployIfNotExists policies can automatically remediate non-compliant resources.

Why this answer

Option C is correct because enabling 'Auto provisioning' for the Log Analytics agent only ensures the agent is installed on VMs, but does not automatically remediate security recommendations. To achieve automatic remediation, you must enable the 'DeployIfNotExists' effect on specific Azure Policy definitions (e.g., 'System updates should be installed on your machines'), which triggers remediation tasks when resources are non-compliant. This is a separate step in Defender for Cloud's 'Security policy' blade under 'Settings & monitoring'.

Exam trap

The trap here is that candidates confuse 'Auto provisioning' (which only deploys the Log Analytics agent) with automatic remediation of all security recommendations, leading them to incorrectly select Option A.

How to eliminate wrong answers

Option A is wrong because 'Auto provisioning' only handles agent deployment, not remediation of recommendations; it does not automatically fix non-compliant resources. Option B is wrong because 'manual remediation' requires human intervention to apply fixes, which contradicts the goal of automatic remediation. Option D is wrong because creating a custom Azure Policy initiative with 'audit' effect only logs non-compliance without taking any corrective action; you need 'DeployIfNotExists' or 'Modify' effects for automatic remediation.

160
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that all cloud security alerts are automatically ingested into Sentinel. What should you configure?

A. Configure the Microsoft 365 Defender data connector.
B. Configure the Azure Activity data connector.
C. Create a custom log table and a PowerShell script to push alerts.
D. Configure the Microsoft Defender for Cloud data connector (Legacy).
Answer: D

This connector ingests security alerts from Defender for Cloud into Sentinel.

Why this answer

The Microsoft Defender for Cloud data connector (Legacy) is the correct choice because it specifically ingests security alerts from Microsoft Defender for Cloud into Microsoft Sentinel. This connector ensures that all alerts generated by Defender for Cloud's security policies and threat detection are automatically streamed into Sentinel for centralized monitoring and incident response.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender data connector (which handles endpoint and office alerts) with the Defender for Cloud data connector (which handles cloud security alerts), leading them to select option A incorrectly.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Defender data connector ingests alerts from Microsoft 365 Defender (e.g., Defender for Endpoint, Defender for Office 365), not from Microsoft Defender for Cloud. Option B is wrong because the Azure Activity data connector ingests subscription-level operational logs (e.g., resource creation, policy changes) from the Azure Activity Log, not security alerts from Defender for Cloud. Option C is wrong because creating a custom log table and a PowerShell script is an inefficient, manual workaround that bypasses the native, automated integration provided by the Defender for Cloud data connector; it is not the recommended or supported method for this requirement.

161
MCQ · medium

You are a security analyst for a company that uses Microsoft Defender for Office 365. You receive an incident indicating that a user reported a phishing email. You need to investigate the email and determine if it was delivered to other users. You also need to ensure that similar emails are blocked in the future. What should you do?

A. Use Threat Explorer to search for similar emails and delete them.
B. Submit the email to Microsoft for analysis and quarantine it.
C. Create a Safe Links policy to block URLs in the email.
D. Run a simulated phishing attack to test user awareness.
Answer: A

Threat Explorer can find and take action on similar emails.

Why this answer

Threat Explorer in Microsoft Defender for Office 365 allows you to search for and take bulk action on emails matching specific criteria, such as sender, subject, or URL. By using Threat Explorer, you can identify all instances of the reported phishing email across your tenant and delete them from user mailboxes, which directly addresses the need to determine if the email was delivered to other users and to remediate it. This tool is designed for hunting and remediation, making it the correct choice for this investigation.

Exam trap

The trap here is that candidates often confuse the investigative and remediation capabilities of Threat Explorer with the policy-based prevention features of Safe Links or Safe Attachments, leading them to choose a policy creation option (C) instead of the correct hunting and removal tool (A).

How to eliminate wrong answers

Option B is wrong because submitting the email to Microsoft for analysis is a reactive step that helps improve detection but does not immediately identify other recipients or remove the email from their mailboxes; quarantine is a separate action that may not cover all delivery scenarios. Option C is wrong because creating a Safe Links policy blocks URLs in future emails but does not help investigate whether the current phishing email was delivered to other users or remove it from their inboxes. Option D is wrong because running a simulated phishing attack tests user awareness but does not investigate the current incident or block similar emails in the future.

162
Multi-Select · easy

Which TWO features are available in Microsoft Sentinel to automate incident response?

Select 2 answers
A. Playbooks based on Azure Logic Apps.
B. Workbooks.
C. Kusto Query Language (KQL) queries.
D. UEBA.
E. Automation rules.
Answers: A, E

Playbooks automate response actions.

Why this answer

Playbooks based on Azure Logic Apps are correct because they provide a native, low-code automation framework within Microsoft Sentinel. They allow security analysts to define and execute complex, multi-step response actions—such as isolating a compromised VM, blocking an IP address, or opening a ticket—triggered by alerts or incidents. This directly automates incident response workflows without manual intervention.

Exam trap

The trap here is that candidates often confuse detection or analysis tools (Workbooks, KQL, UEBA) with automation tools, failing to recognize that only Playbooks and Automation Rules provide the actual execution of response actions in Sentinel.

163
MCQ · medium

You are reviewing an automation rule in Microsoft Sentinel with the configuration shown in the exhibit. The rule is intended to delete a custom analytics rule when an incident is created. What is the most likely issue with this configuration?

A. The displayName should not contain spaces.
B. Automation rules cannot delete analytics rules; they are designed to automate incident response.
C. The playbook does not have permissions to delete analytics rules.
D. The incidentType should be set to 'AnalyticsRule' instead of 'Alert'.
Answer: B

Automation rules are for incident actions, not for managing analytics rules.

Why this answer

Automation rules in Microsoft Sentinel are designed to automate incident response actions, such as assigning ownership, changing status, or running playbooks. They cannot directly delete or modify analytics rules; that capability is not part of the automation rule schema or actions. The intended action in the exhibit (deleting a custom analytics rule) is outside the scope of what automation rules can perform.

Exam trap

The trap here is that candidates may confuse the scope of automation rules with the broader capabilities of playbooks or Logic Apps, assuming that any action possible via a playbook is also available as a direct automation rule action.

How to eliminate wrong answers

Option A is wrong because displayName values in automation rules can contain spaces; there is no restriction against spaces in the display name field. Option B is correct as stated. Option C is wrong because the issue is not about permissions; automation rules do not have an action to delete analytics rules, regardless of playbook permissions.

Option D is wrong because incidentType is not a configurable property in automation rules; the trigger condition for automation rules is based on incident creation or update, not a property called 'incidentType'.

164
Multi-Select · medium

You are configuring Microsoft Defender for Identity (MDI) in your on-premises Active Directory environment. You need to ensure that MDI can detect lateral movement attacks. Which two configurations are required?

Select 2 answers
A. Enable port mirroring on the domain controller switches.
B. Install the MDI sensor on all domain controllers.
C. Integrate with Microsoft Defender for Cloud.
D. Configure Azure AD Connect to sync identities.
E. Configure site-to-site VPN to Azure.
Answers: A, B

Correct: Allows sensor to see network traffic.

Why this answer

Option B is correct because MDI sensors must be installed on domain controllers. Option A is correct because port mirroring or network capture is required. Option D is incorrect because Azure AD Connect is not required for MDI.

Option E is incorrect because MDI does not require VPN. Option C is incorrect because Microsoft Defender for Cloud is separate.

165
MCQ · easy

You are a security operations analyst for a company that uses Microsoft Sentinel. You need to create a workbook that displays the top 10 most common alert types over the last 7 days. The workbook will be used by the SOC manager to identify trends. You have already created a new workbook and added a query step. Which KQL query should you use in the query step?

A. AlertInfo | where TimeGenerated > ago(7d) | project AlertName
B. AlertInfo | where TimeGenerated > ago(7d) | project AlertName, count()
C. AlertInfo | where TimeGenerated > ago(7d) | summarize Count = count() by AlertName | top 10 by Count desc | render barchart
D. AlertInfo | where TimeGenerated > ago(7d) | summarize count() by bin(TimeGenerated, 1d) | render timechart
Answer: C

Correctly produces top 10 bar chart.

Why this answer

Option C is correct because it uses the `summarize` operator to count alerts by `AlertName`, then `top 10 by Count desc` to return the ten most frequent alert types, and `render barchart` to visualize the data in the workbook. This directly meets the requirement to display the top 10 most common alert types over the last 7 days.

Exam trap

The trap here is that candidates often confuse the `project` operator with `summarize`, mistakenly thinking they can use `count()` in a `project` clause, or they choose a query that shows alert volume over time instead of the top alert types by name.

How to eliminate wrong answers

Option A is wrong because it only projects the `AlertName` column without any aggregation, so it would return a list of all individual alerts rather than a count of the most common types. Option B is wrong because `project AlertName, count()` is invalid syntax; `count()` is an aggregation function that must be used within a `summarize` operator, not in a `project` clause. Option D is wrong because it summarizes by `bin(TimeGenerated, 1d)`, which groups alerts by day rather than by alert name, and renders a timechart showing alert volume over time, not the top 10 alert types.

166
MCQ · medium

Refer to the exhibit. You are configuring a Microsoft Sentinel Windows Security Events via AMA connector using an ARM template. After deployment, you notice that no Windows events are being ingested. The AMA agent is installed on the Windows servers. What is the most likely issue?

A. The WindowsEvent and SecurityEvent data types are disabled.
B. The Azure Monitor Agent is not installed on the servers.
C. The data collection rule is not associated with the virtual machines.
D. The workspace ID is missing from the template.
Answer: C

Missing DCR association prevents data ingestion.

Why this answer

The data collection rule (DCR) must be associated with the virtual machines. The ARM template shown only configures the connector but does not create the DCR association. Option B is wrong because the agent is installed.

Option A is wrong because the data types are enabled. Option D is wrong because the workspace ID is typically provided.

167
Multi-Select · easy

Your organization plans to implement Microsoft Sentinel. Which THREE components are required for a basic deployment? (Choose three.)

Select 3 answers
A. User and Entity Behavior Analytics (UEBA) enabled.
B. Analytics rules to generate incidents.
C. At least one data connector enabled.
D. Bookmarks for incident investigations.
E. A Log Analytics workspace.
Answers: B, C, E

Analytics rules detect threats.

Why this answer

Analytics rules are required to generate incidents from the data ingested into Microsoft Sentinel. Without analytics rules, the raw log data remains unprocessed and no security incidents are created, making the deployment non-functional for detection and response.

Exam trap

The trap here is that candidates often mistake optional advanced features like UEBA or bookmarks as required components, when in fact only the workspace, a data connector, and analytics rules are necessary to establish a basic, functional Sentinel deployment.

168
MCQ · hard

You are a security operations architect for a company that uses Microsoft Sentinel in a hybrid environment with multiple workspaces. The company has a central SOC team that needs to view incidents from all workspaces in a single pane of glass. Each workspace belongs to a different business unit and has its own retention and access policies. You need to design a solution that provides centralized incident management without duplicating data or requiring users to switch workspaces. You also need to ensure that the SOC team can perform actions on incidents across workspaces. What should you do?

A. Create a playbook that copies incidents from all workspaces to a central workspace.
B. Use Microsoft Sentinel incident multi-view to connect all workspaces.
C. Use the Microsoft Sentinel data connector to connect all workspaces to a central workspace.
D. Create a new Log Analytics workspace that ingests data from all workspaces via diagnostic settings.
Answer: B

Incident multi-view provides centralized incident management.

Why this answer

Microsoft Sentinel incident multi-view allows SOC teams to view and manage incidents across multiple workspaces from a single interface without duplicating data. This feature provides a centralized pane of glass while respecting each workspace's independent retention and access policies, and it enables cross-workspace incident actions without requiring users to switch contexts.

Exam trap

The trap here is that candidates often confuse data connectors or workspace aggregation with incident-level cross-workspace management, failing to realize that incident multi-view is the only native feature that provides a single pane of glass without data duplication or policy compromise.

How to eliminate wrong answers

Option A is wrong because creating a playbook to copy incidents duplicates data, increases storage costs, and violates the requirement to avoid data duplication; it also introduces latency and complexity. Option C is wrong because the Microsoft Sentinel data connector ingests log data into a central workspace, which duplicates data and merges retention/access policies, contradicting the requirement for each workspace to maintain its own policies. Option D is wrong because creating a new Log Analytics workspace that ingests data via diagnostic settings duplicates all log data, incurs additional ingestion and storage costs, and does not provide native incident management capabilities across workspaces.

169
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You need to ensure that a new SOC analyst can triage incidents without being able to delete or modify analytics rules. Which role should you assign?

A. Security Reader
B. Microsoft Sentinel Reader
C. Global Reader
D. Security Operator
Answer: B

This role grants read access to Sentinel data, including incidents, without modification rights.

Why this answer

Microsoft Sentinel Reader provides read-only access to Sentinel data, including incidents, workbooks, and analytics rules, but explicitly prevents any modifications or deletions. This role is ideal for SOC analysts who need to triage incidents without altering detection configurations. Security Reader and Global Reader lack Sentinel-specific incident triage permissions, while Security Operator allows modification of incidents, which exceeds the required scope.

Exam trap

The trap here is that candidates often confuse Security Reader (which provides broad read-only access across security services) with Sentinel Reader (which is Sentinel-specific), or they assume Security Operator is sufficient because it allows incident management, but it does not grant the Sentinel-specific read permissions needed to view analytics rules without modification capabilities.

How to eliminate wrong answers

Option A is wrong because Security Reader provides read-only access to security configurations and alerts in Microsoft Defender XDR but does not include the Sentinel-specific permissions needed to triage incidents in the Sentinel portal. Option C is wrong because Global Reader grants read-only access across all Azure services, including Sentinel, but it is overly broad and not scoped to Sentinel incident triage; it also does not provide the precise Sentinel Reader permissions required. Option D is wrong because Security Operator allows management of incidents (e.g., changing status, assigning ownership) in Microsoft Defender XDR, which would permit modifications beyond triage, and it does not grant the Sentinel-specific read-only access needed for analytics rules.

170
Multi-Selecteasy

You are investigating a phishing incident in Microsoft Defender for Office 365. Which THREE pieces of information are available in the Threat Explorer?

Select 3 answers
A.Email body content
B.User's mailbox audit log
C.Sender IP address
D.Delivery action (e.g., blocked, delivered to Junk)
E.Email subject and sender address
AnswersC, D, E

Sender IP is available in Threat Explorer.

Why this answer

Options C, D, and E are correct. Threat Explorer provides the email subject and sender address, the delivery action, and the sender IP. Option B (the user's mailbox audit log) is available in a different tool; Option A (the email body content) is not available in Threat Explorer.

171
MCQmedium

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email via the built-in Outlook add-in, an automated investigation is triggered in Microsoft 365 Defender. What should you configure?

A.Define a safe links policy.
B.Enable user-reported message settings in the Microsoft 365 Defender portal.
C.Configure an anti-phishing policy.
D.Set up a safe attachments policy.
AnswerB

User-reported message settings allow you to configure how reported emails are handled, including triggering automated investigation and response.

Why this answer

Option B is correct because the user-reported message settings define how reported emails trigger automated actions. Option C is wrong because anti-phishing policies protect against phishing; they do not handle user reports. Option D is wrong because safe attachments policies handle attachments. Option A is wrong because safe links policies handle URLs.

172
MCQmedium

Your organization is using Microsoft Defender for Identity (MDI) and Microsoft Sentinel. The security team wants to correlate alerts from MDI with other data sources in Sentinel. What is the recommended approach?

A.Export MDI logs manually to Sentinel
B.Configure MDI to send syslog to Sentinel
C.Create a playbook to pull MDI alerts
D.Enable the Microsoft Defender for Identity data connector in Sentinel
AnswerD

The data connector automatically ingests MDI alerts into Sentinel.

Why this answer

Option D is correct because the MDI data connector ingests alerts into Sentinel for correlation with other data sources. Option A is wrong because manual export is not scalable. Option B is wrong because MDI does not directly integrate with Sentinel without the connector. Option C is wrong because playbooks are for response, not data ingestion.

173
MCQeasy

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel. What is the purpose of this query?

A.Detect brute force attempts by finding users with many failed sign-ins from a single IP
B.List all successful sign-ins in the last hour
C.Identify users who successfully signed in from multiple IPs
D.Find users with more than 5 failed sign-ins from an IP address in the last hour
AnswerD

The query counts failed sign-ins per user and IP, and filters for >5.

Why this answer

The KQL query filters for events where the result type is 'Failure' (failed sign-ins), then groups by account and IP address, counting occurrences. The `where count_ > 5` clause ensures only accounts with more than 5 failed sign-ins from a single IP are returned, which is a classic indicator of a brute force attack. This directly matches option D.

Exam trap

The trap here is that candidates may confuse 'failed sign-ins from a single IP' (option D) with 'many failed sign-ins' (option A), missing the explicit threshold of >5 in the query.

How to eliminate wrong answers

Option A is wrong because the query specifically counts failed sign-ins per IP and user, not just any user with many failed sign-ins from a single IP—it requires more than 5 failures, not just 'many'. Option B is wrong because the query filters for 'Failure' events, not successful sign-ins, and it groups by IP and user rather than listing all successful sign-ins. Option C is wrong because the query focuses on failed sign-ins, not successful ones, and it groups by single IP per user, not multiple IPs.

174
MCQhard

Your organization uses Microsoft Defender XDR and you are configuring attack surface reduction (ASR) rules. You need to implement a rule that blocks executable files from running unless they meet a prevalence, age, or trusted list criterion. Which ASR rule should you enable?

A.Block untrusted and unsigned processes that run from USB
B.Block Office applications from creating executable content
C.Block credential stealing from the Windows local security authority subsystem (lsass.exe)
D.Block executable files from running unless they meet a prevalence, age, or trusted list criterion
AnswerD

This ASR rule matches the description.

Why this answer

Option D is correct because the ASR rule 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion' (GUID: 01443614-cd74-433a-b99e-2ecdc07bfc25) is specifically designed to prevent executable files (e.g., .exe, .dll, .scr) from running unless they have been seen in the organization (prevalence), are old enough (age), or are on a trusted list. This rule uses cloud-delivered protection and Microsoft's reputation-based intelligence to evaluate files before execution, directly matching the requirement described in the question.

Exam trap

The trap here is that candidates often confuse this ASR rule with the 'Block untrusted and unsigned processes that run from USB' rule, mistakenly thinking that 'untrusted' means the same as 'not meeting prevalence/age/trusted list criteria,' but the USB rule only applies to removable drives, not all executable files from any location.

How to eliminate wrong answers

Option A is wrong because 'Block untrusted and unsigned processes that run from USB' (GUID: b2b3f03d-6a4c-4b7e-8f6f-0c7f8f8e8f8f) only blocks processes launched from USB removable drives, not all executable files regardless of source. Option B is wrong because 'Block Office applications from creating executable content' (GUID: 3b576869-a4ec-4529-8536-b80a7769e899) specifically targets Office apps (Word, Excel, etc.) creating executable content, not all executable files from any source. Option C is wrong because 'Block credential stealing from the Windows local security authority subsystem (lsass.exe)' (GUID: 9e6c4e1f-7d60-472f-b1a0-3f2d6d7e8f9a) is an ASR rule that protects LSASS from credential dumping attacks, not a rule that evaluates executable files based on prevalence, age, or trusted list criteria.

175
MCQeasy

Refer to the exhibit. You deploy this ARM template to deploy a saved search in a Microsoft Sentinel workspace. After deployment, the saved search does not appear in Sentinel. What is the most likely reason?

A.The query syntax is invalid.
B.The resource type is incorrect.
C.The name parameter is incorrectly formatted.
D.The apiVersion is outdated for saved searches in Sentinel.
AnswerD

Newer apiVersions are required for Sentinel saved searches.

Why this answer

The apiVersion specified in the ARM template is outdated for saved searches in Microsoft Sentinel. Saved searches require a specific apiVersion (e.g., '2021-04-01' or later) that supports the 'Microsoft.OperationalInsights/workspaces/savedSearches' resource type. An outdated apiVersion can cause the deployment to fail silently or not register the saved search in Sentinel, even if the template syntax is otherwise valid.

Exam trap

The trap here is that candidates assume the apiVersion is just a formality and focus on syntax or resource type errors, but Microsoft specifically tests that you know saved searches in Sentinel require a recent apiVersion (e.g., '2021-04-01' or later) to be properly registered.

How to eliminate wrong answers

Option A is wrong because the query syntax being invalid would typically cause a deployment error or a warning, not a silent failure where the saved search does not appear; the ARM template would still deploy but the search might not run correctly. Option B is wrong because the resource type 'Microsoft.OperationalInsights/workspaces/savedSearches' is correct for saved searches in Sentinel; an incorrect resource type would result in a deployment error. Option C is wrong because the name parameter being incorrectly formatted would cause a validation error during deployment, preventing the template from deploying at all, not a silent absence of the saved search.

176
MCQhard

Your organization uses Microsoft Sentinel. You need to ensure that only specific IP addresses from your corporate network can access the Sentinel workspace via the Azure portal. What should you configure?

A.Configure network security groups (NSGs) on the subnet hosting the Log Analytics workspace.
B.Configure a conditional access policy in Microsoft Entra ID.
C.Use Azure Firewall to restrict outbound traffic from the workspace.
D.Enable Azure Private Link for the workspace.
AnswerA

NSGs can filter traffic by source IP address.

Why this answer

Option A is correct because network security groups (NSGs) can filter inbound traffic to the workspace's subnet by source IP address; Azure RBAC controls who may use the workspace, but network-level access control is done via network security groups or Azure Firewall. Option B is wrong because Conditional Access policies apply to user authentication, not network-level access. Option C is wrong because restricting outbound traffic from the workspace does not limit which source IPs can reach it. Option D is wrong because Private Link restricts access to a private network, not to specific IPs.

177
Multi-Selecteasy

Your SOC team needs to ensure that all incidents in Microsoft Sentinel are assigned to an analyst within 30 minutes of creation. Which TWO configurations should you implement?

Select 2 answers
A.Create a playbook that uses the Update Incident action to set the owner field.
B.Set up a playbook that sends an email to the SOC manager when an incident is created.
C.Create an automation rule that triggers when an incident is created and sets the owner.
D.Configure a Microsoft Teams connector to post incidents to a channel.
E.Modify the analytics rule to include a custom details field for analyst name.
AnswersA, C

Playbooks can update incident properties including owner.

Why this answer

Option C (automation rules) can automatically assign incidents based on criteria. Option A (playbooks) can trigger on incident creation and set the owner. Option D is for collaboration, not assignment. Option B is for email notification, not assignment. Option E is for analytics, not assignment.

178
MCQeasy

Your organization uses Microsoft Sentinel. The SOC manager wants to track the average time to triage incidents. You need to create a report that shows this metric. What should you use?

A.Create a workbook that uses KQL to query incident data and display the average time.
B.Create a playbook that sends a report via email.
C.Create an automation rule that logs the triage time to a custom table.
D.Create an analytics rule that calculates the time to triage.
AnswerA

Correct: Workbooks can visualize data from tables.

Why this answer

Option A is correct because workbooks can query the SecurityIncident table and compute the average time. Option D is wrong because analytics rules generate alerts, not reports. Option C is wrong because automation rules don't create reports. Option B is wrong because playbooks are for automation, not reporting.

179
MCQmedium

Your organization has Microsoft Sentinel deployed in a single workspace. You need to implement role-based access control (RBAC) so that only senior analysts can modify analytics rules, while junior analysts can only view incidents. You have created custom roles in Azure. You assign the junior analysts the 'Microsoft Sentinel Reader' role. However, you find that junior analysts can still create and modify analytics rules. What is the most likely reason?

A.The 'Microsoft Sentinel Reader' role does not exist; you used the wrong role.
B.The junior analysts are members of a group that has a role assignment on the workspace.
C.The junior analysts have been assigned the 'Contributor' role on the resource group containing the workspace.
D.You need to create a custom role instead of using built-in roles.
AnswerC

Contributor role at a higher scope overrides the Reader role on the workspace.

Why this answer

Option C is correct because an RBAC assignment at a higher scope (e.g., the resource group or subscription) is inherited by the workspace and grants more access than the Reader role assigned there. Option A is incorrect because 'Microsoft Sentinel Reader' is an existing built-in role. Option B is incorrect because group membership does not by itself grant write access; it depends on the role the group holds. Option D is incorrect because custom roles are allowed but not required here.

180
MCQhard

Your organization has Microsoft Sentinel with UEBA enabled. An incident is generated for a user with high risk score. You need to identify if the user's recent behavior deviates from their baseline. Which Sentinel feature should you use?

A.A custom hunting query using the BehaviorAnalytics table.
B.The user's Azure AD sign-in logs.
C.The UEBA timeline in the entity page.
D.The incident investigation graph.
AnswerC

UEBA timeline shows baseline deviations.

Why this answer

The UEBA timeline in the entity page is the correct feature because it provides a chronological view of a user's activities, including deviations from their established behavioral baseline. When UEBA is enabled, Sentinel profiles normal behavior for each user and flags anomalies; the timeline directly visualizes these deviations, such as unusual login times, locations, or resource access, which aligns with the need to identify if recent behavior deviates from the baseline.

Exam trap

The trap here is that candidates often confuse the BehaviorAnalytics table (option A) as the primary tool for deviation analysis, overlooking that the UEBA timeline is the purpose-built, no-code interface for visualizing baseline deviations directly on the entity page.

How to eliminate wrong answers

Option A is wrong because a custom hunting query using the BehaviorAnalytics table, while capable of surfacing UEBA data, is not the dedicated feature for quickly viewing a user's behavioral timeline and deviations; it requires writing and executing a KQL query, which is less efficient than the built-in timeline. Option B is wrong because Azure AD sign-in logs only show authentication events and do not incorporate UEBA's behavioral baseline analysis or deviations; they lack the contextual anomaly scoring and timeline of behavioral changes. Option D is wrong because the incident investigation graph focuses on mapping relationships between entities and alerts within an incident, not on displaying a user's behavioral timeline or baseline deviations.

181
MCQmedium

Your organization has a Microsoft Sentinel workspace that ingests logs from multiple sources. You need to implement a process to review and approve changes to analytics rules before they are deployed to production. What should you use?

A.Create a playbook that emails the SOC manager when an analytics rule is modified.
B.Use a workbook to track changes to analytics rules.
C.Configure Microsoft Sentinel repository integration with Azure DevOps and use branch policies for approval.
D.Export analytics rules to a notebook for manual review.
AnswerC

CI/CD with approval workflows.

Why this answer

Option C is correct because Microsoft Sentinel's repository integration with Azure DevOps or GitHub supports CI/CD with pull requests for approval. Option A is wrong because playbooks are for automation, not rule management. Option B is wrong because workbooks are for visualization. Option D is wrong because notebooks are for advanced analytics.

182
Multi-Selecteasy

Your organization uses Microsoft Defender XDR (formerly Microsoft 365 Defender). You need to configure role-based access control (RBAC) for the security team. Which TWO built-in roles can be assigned in Microsoft 365 Defender to manage incidents and alerts?

Select 2 answers
A.Global Administrator
B.Compliance Administrator
C.Security Operator
D.Security Administrator
E.Security Reader
AnswersC, D

Security Operators can view and respond to incidents and alerts.

Why this answer

Options C and D are correct because these roles can manage incidents and alerts. Option E is wrong because Security Reader is read-only. Option B is wrong because Compliance Administrator manages compliance. Option A is wrong because Global Administrator is too broad.

183
MCQmedium

Refer to the exhibit. You have a KQL query in a Microsoft Sentinel analytics rule. The rule is not generating incidents even though there are 'Suspicious sign-in' alerts from non-contoso.com users. What is the most likely issue?

A.The 'extend' line is incorrectly parsing the entity.
B.The query is querying the wrong table. 'Suspicious sign-in' alerts may be in a different table.
C.The 'where' clause using !endswith is incorrect.
D.The query does not filter by AlertName correctly.
AnswerB

Sign-in alerts are often in SigninLogs or other tables.

Why this answer

Option B is correct because the query is likely querying the 'Alert' table, but 'Suspicious sign-in' alerts from non-contoso.com users are generated by Microsoft Defender for Identity or Azure AD Identity Protection and stored in the 'SecurityAlert' table (or 'AlertEvidence' in the new schema). The rule's query must reference the correct table to retrieve these alerts; otherwise, no matching records are found, and no incidents are created.

Exam trap

The trap here is that candidates assume all security alerts are stored in a single 'Alert' table, but Microsoft Sentinel separates alerts into multiple tables (e.g., 'SecurityAlert', 'AlertEvidence', 'SigninLogs') based on the source service, and the exam tests your knowledge of which table corresponds to which alert type.

How to eliminate wrong answers

Option A is wrong because the 'extend' line is used to add or modify columns, not to parse entities; entity parsing is done via the 'EntityMapping' section of the analytics rule, not within the KQL query itself. Option C is wrong because the 'where' clause using '!endswith' is syntactically correct for filtering out domains that do not end with a specific suffix (e.g., 'contoso.com'); the logic is valid if the field contains the full user principal name. Option D is wrong because the query does not need to filter by AlertName if the rule is triggered by the presence of any alert from the 'Suspicious sign-in' category; the rule's trigger condition is based on the query returning results, not on a specific alert name filter.

184
MCQmedium

Your Microsoft Sentinel workspace is ingesting logs from multiple sources. You notice that the data ingestion cost is higher than expected. You want to reduce costs without losing security value. Which action should you take?

A.Reduce the retention period for all data to 30 days.
B.Switch the pricing tier from Capacity Reservations to Pay-as-you-go.
C.Disable analytics rules that generate high volume of alerts.
D.Configure basic logs ingestion for verbose data sources such as firewall logs.
AnswerD

Basic logs are cheaper and still searchable for incident response.

Why this answer

Option D is correct because using basic logs for high-volume, low-value data reduces costs while retaining the ability to search it. Option A is wrong because reducing retention for all tables might cause loss of important data. Option C is wrong because disabling analytics rules reduces detection capabilities. Option B is wrong because changing to Pay-as-you-go might increase costs if volume is high.

185
MCQhard

Your organization uses Microsoft Defender XDR. You need to configure a custom detection rule that runs every hour and alerts when a specific process is executed on multiple devices within 10 minutes. Which type of rule should you create?

A.Hunting query saved as a detection
B.Behavioral rule
C.Custom detection rule
D.Advanced hunting query
AnswerC

Custom detection rules support scheduled queries with time-based aggregations.

Why this answer

Custom detection rules in Microsoft Defender XDR allow you to create scheduled queries that run on a schedule (e.g., every hour) and can use aggregations like the count of devices within a time window, so option C is correct. Option A is wrong because hunting queries are one-time or scheduled but are not custom detection rules. Option D is wrong because advanced hunting is a query interface, not a rule type. Option B is wrong because behavioral rules are for specific behaviors, not scheduled queries.

186
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You need to ensure that security alerts from Defender for Cloud are automatically ingested into Sentinel. What should you configure?

A.Enable diagnostic settings on the Defender for Cloud subscription.
B.Configure the 'Azure Activity' data connector.
C.Create an automation rule in Sentinel to fetch alerts from Defender for Cloud.
D.Add the 'Microsoft Defender for Cloud' data connector in Microsoft Sentinel.
AnswerD

The data connector ingests security alerts from Defender for Cloud.

Why this answer

Sentinel can ingest alerts from Defender for Cloud via a data connector built specifically for that purpose, so option D is correct. Option A is wrong because diagnostic settings export logs, not alerts directly. Option C is wrong because automation rules work on incidents, not ingestion. Option B is wrong because that connector is for Azure Activity, not Defender for Cloud alerts.

187
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You need to receive alerts when a user accesses a cloud app from a location that is not whitelisted. What should you configure?

A.Create a conditional access policy in Microsoft Entra ID.
B.Set up a session policy in Microsoft Defender for Cloud Apps.
C.Configure an access policy in Microsoft Defender for Cloud Apps.
D.Create an activity policy in Microsoft Defender for Cloud Apps.
AnswerD

Activity policies can trigger alerts based on location.

Why this answer

Option D is correct because Defender for Cloud Apps allows creation of activity policies with location conditions. Option A is incorrect because conditional access policies govern access but not alerting. Option C is incorrect because access policies in Defender for Cloud Apps block or allow, but do not alert. Option B is incorrect because session controls are for monitoring sessions, not creating alerts.

188
Multi-Selectmedium

Which TWO of the following are valid ways to automate incident response in Microsoft Sentinel?

Select 2 answers
A.Create a playbook using Azure Logic Apps.
B.Use Azure Functions to run a script.
C.Use PowerShell to modify incidents via API.
D.Use Microsoft Power Automate to create a flow.
E.Create an automation rule that triggers a playbook.
AnswersA, E

Playbooks are Logic Apps workflows.

Why this answer

Option A is correct because Azure Logic Apps is the native workflow engine for Microsoft Sentinel playbooks, allowing security analysts to automate incident response actions such as blocking IPs, resetting passwords, or enriching alerts. Playbooks are triggered by automation rules or directly from incidents, and they leverage hundreds of connectors to integrate with external systems. This is the primary and recommended method for building automated response workflows in Sentinel.

Exam trap

The trap here is that candidates often confuse 'automation rule' with 'playbook' — an automation rule is the trigger condition, while a playbook is the action workflow; both are required for full automation, and the exam expects you to recognize that creating a playbook (A) and creating an automation rule that triggers a playbook (E) are the two valid steps in the process.

189
Multi-Selecteasy

Which TWO of the following are required to enable Microsoft Sentinel UEBA (User and Entity Behavior Analytics)?

Select 2 answers
A.Enable UEBA in the Microsoft Sentinel workspace settings.
B.Integrate Microsoft Defender for Cloud Apps.
C.Purchase a separate UEBA license.
D.Configure Azure Key Vault to store UEBA data.
E.Ingest Microsoft Entra ID sign-in logs and audit logs.
AnswersA, E

UEBA must be explicitly enabled.

Why this answer

Options A and E are correct. UEBA requires enabling the UEBA feature in the workspace and having sufficient data sources like Microsoft Entra ID sign-in logs. Option B is wrong because Microsoft Defender for Cloud Apps is not required. Option C is wrong because UEBA is not a separate pricing tier. Option D is wrong because UEBA does not require Azure Key Vault.

190
MCQhard

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics) enabled. The SOC team notices that UEBA is not generating any anomalies for a specific user group. What is the most likely cause?

A.The user group is excluded from Identity Protection.
B.The data history for that user group is less than the required baseline period.
C.The user group is not being monitored by any data connector.
D.The analytics rules for UEBA are not enabled.
AnswerB

UEBA requires a minimum of 21 days of data to establish a baseline before anomalies can be detected.

Why this answer

Option B is correct because UEBA requires a baseline of at least 21 days. Option D is wrong because UEBA uses its own machine learning, not analytics rules. Option C is wrong because UEBA works with any data connector that provides user activity. Option A is wrong because Identity Protection is for Azure AD, not for UEBA anomalies.

191
MCQmedium

Your organization has a Microsoft Sentinel workspace that ingests logs from Azure resources, Microsoft 365, and third-party firewalls. You need to ensure that data retention for Azure Activity logs complies with a regulatory requirement of 3 years, while keeping costs low for other data types. What should you do?

A.Use the Archive tier for Azure Activity logs and set the total retention period to 3 years.
B.Set the workspace retention to 3 years.
C.Configure a data retention policy on the AzureActivity table to 3 years.
D.Enable Basic Logs plan on the AzureActivity table.
AnswerC

This targets only Azure Activity logs, meeting compliance while keeping costs low.

Why this answer

Option C is correct because Azure Sentinel allows you to configure a custom retention policy on a specific table (e.g., AzureActivity) to retain data for up to 2 years (or longer with Archive tier) independently of the workspace's default retention. This meets the 3-year regulatory requirement for Azure Activity logs without increasing retention costs for other data types, as the workspace default can remain shorter.

Exam trap

The trap here is that candidates often confuse workspace-level retention with table-level retention, assuming that setting the workspace retention to 3 years is the only way to meet the requirement, when in fact table-level policies allow granular control without affecting other data types.

How to eliminate wrong answers

Option A is wrong because the Archive tier is used for long-term, low-cost storage after an initial retention period (typically 30 days for Activity logs), but it does not by itself set the total retention to 3 years; you must also configure a table-level retention policy to define the total retention period, and the Archive tier alone does not guarantee compliance without that policy. Option B is wrong because setting the workspace retention to 3 years would apply that retention to all data types in the workspace, increasing costs unnecessarily for non-Activity logs that do not require 3-year retention. Option D is wrong because enabling Basic Logs plan on the AzureActivity table reduces ingestion costs but does not change the retention period; it still requires a separate retention policy to meet the 3-year requirement.

192
Multi-Selecthard

Which TWO are required to enable Microsoft Sentinel to use AI-generated incident summaries?

Select 2 answers
A.The Security Reader role assigned to the user
B.Microsoft Copilot for Security enabled
C.An Azure OpenAI service instance deployed
D.A Log Analytics workspace with a premium pricing tier
E.A Power BI Pro license
AnswersA, B

Users need appropriate permissions to view AI summaries.

Why this answer

Microsoft Sentinel's AI-generated incident summaries require Microsoft Copilot for Security to be enabled, as this feature leverages Copilot's natural language processing capabilities to summarize incidents. Additionally, the user must have the Security Reader role assigned to access and view these summaries within Sentinel, ensuring proper permissions for security data.

Exam trap

The trap here is that candidates often assume a separate Azure OpenAI service or premium Log Analytics tier is needed, but Microsoft Copilot for Security is a standalone licensed service that handles AI processing without requiring those additional resources.

193
MCQmedium

You are managing a Microsoft Sentinel environment that ingests data from multiple sources: Microsoft 365, Azure Activity, and custom logs via AMA. The SOC manager has requested that all security events from Windows servers be collected and stored for 90 days for compliance purposes. You have configured the Windows Security Events via AMA data connector to collect all events (Event ID 4624, 4625, etc.) and set the workspace retention to 90 days. After a week, you notice that the daily ingested volume is higher than expected, exceeding the budget. You analyze the data and find that many low-severity informational events are being ingested, such as Event ID 5156 (Windows Filtering Platform allowed connection). The manager confirms that only security-relevant events are needed. What should you do to reduce ingestion volume while still meeting compliance requirements?

A.Reduce the workspace retention period to 30 days to lower storage costs.
B.Configure the Azure Activity data connector to filter out low-severity events.
C.Modify the data collection rule (DCR) for the Windows Security Events connector to use a custom XPath query that excludes informational events (e.g., exclude Event ID 5156).
D.Disable the AMA-based connector and use the legacy MMA-based connector instead.
AnswerC

Custom XPath filtering reduces ingestion by excluding non-required events.

Why this answer

Option C is correct because the AMA connector allows you to filter events based on XPath queries in the data collection rule. By creating a custom XPath filter, you can exclude informational events like Event ID 5156. Option A is wrong because reducing retention would violate compliance. Option B is wrong because the Azure Activity connector does not collect Windows events. Option D is wrong because turning off the connector and using MMA is not recommended; AMA is the current standard and MMA is deprecated.

194
MCQ · hard

You are a SOC analyst using Microsoft Sentinel. You have a scheduled analytics rule that generates incidents from KQL queries. Recently, incidents are being created but automatically closed within minutes without any actions taken. You suspect a configuration issue. What should you check first?

A. Verify the 'Alert grouping' settings in the analytics rule; they might be grouping alerts incorrectly.
B. Check if the analytics rule has a 'Suppression' setting enabled that causes the incident to close.
C. Review the incident automation rules that might have a 'Close incident' action triggered by a condition.
D. Examine the entity mapping configuration; it might be causing the incident to close automatically.
Answer: C

Automation rules can automatically close incidents based on conditions like 'Alert severity equals Low'.

Why this answer

Option C is correct because incident automation rules can close incidents based on conditions. Option B is wrong because suppression is about preventing alerts. Option A is wrong because alert grouping affects how alerts are combined, not closure.

Option D is wrong because entity mapping does not close incidents.

195
MCQ · medium

You are managing a Microsoft Defender XDR environment. The security team wants to receive email notifications when a new incident is created with severity 'High' or 'Medium'. They also want to ensure that notifications are sent only for incidents that are not automatically resolved by AIR. What should you configure?

A. Create a playbook in Microsoft Sentinel that sends an email when an incident is created.
B. Configure an automation rule in Microsoft Sentinel to send email notifications.
C. Create an email notification rule in Microsoft Defender XDR with conditions for severity and status set to 'Active'.
D. Configure alert service settings in the Microsoft 365 Defender portal to send emails for high and medium severity alerts.
Answer: C

Email notification rules in Defender XDR can filter by severity and status.

Why this answer

Option C is correct because email notification rules in Microsoft Defender XDR allow you to filter by severity and status, including 'Active' status (not resolved). Option A is wrong because playbooks are for automated response, not notification. Option B is wrong because automation rules in Sentinel are for incident management, but this is Defender XDR.

Option D is wrong because alert service settings in Microsoft 365 Defender are for email notifications, but the correct name is 'Email notification rules'.

196
Multi-Select · hard

Which THREE of the following are valid methods to reduce the cost of Microsoft Sentinel data ingestion?

Select 3 answers
A. Configure Basic logs for high-volume, low-value data sources.
B. Use analytics rules with efficient KQL queries to reduce false positives.
C. Set a daily ingestion cap on the Log Analytics workspace.
D. Enable Sentinel on premium storage accounts.
E. Increase the data retention period to 90 days.
Answers: A, B, C

Basic logs are cheaper.

Why this answer

A is correct because Basic logs offer a lower ingestion cost (approximately 25% of the cost of Analytics logs) for high-volume, low-value data sources such as verbose firewall logs or debug events. By routing these logs to the Basic log table tier, you reduce the per-GB ingestion charge while still retaining the data for security investigations when needed.

Exam trap

The trap here is that candidates confuse data retention costs with ingestion costs, assuming that lowering retention (or increasing it) directly reduces the cost of bringing data into Sentinel, when in fact ingestion volume is the primary cost driver and retention is a separate storage charge.

197
Multi-Select · hard

Your organization uses Microsoft Sentinel with multiple workspaces. You need to create a unified incident queue across all workspaces. Which TWO solutions should you consider?

Select 2 answers
A. Use cross-workspace queries in workbooks.
B. Consolidate all data into a single Log Analytics workspace.
C. Configure incident grouping rules in Microsoft Sentinel.
D. Use Azure Policy to enforce workspace configuration.
E. Deploy multiple playbooks to synchronize incidents.
Answers: B, C

A single workspace provides a unified incident queue.

Why this answer

Using a single workspace is the simplest approach, and incident grouping rules can combine alerts from different workspaces into one incident. Options B and C are correct. Option A (cross-workspace queries) can query but not unify the queue.

Option E (multiple playbooks) doesn't unify. Option D (Azure Policy) doesn't create a unified queue.

198
MCQ · hard

You are configuring Microsoft Sentinel to use automation rules for incident response. You need to ensure that when an incident is created with a severity of High, a playbook is triggered to isolate the affected device. However, the playbook should not run if the incident is created by a specific analytics rule (RuleID: '12345'). What is the best way to implement this?

A. Create an automation rule for all High severity incidents, then use a playbook to check the rule ID and skip if needed
B. Create two automation rules: one for High severity from rule '12345' with no action, and one for High severity with condition 'Analytics rule name not equals 12345' that triggers the playbook
C. Create one automation rule with condition: Severity equals High and Analytics rule ID not equals '12345'
D. Create one automation rule with conditions: Severity equals High OR Analytics rule name not equals '12345'
Answer: B

The first rule with higher priority can take no action, effectively excluding that rule. The second rule triggers the playbook for all other High incidents.

Why this answer

Option B is correct because automation rules can have conditions based on analytics rule name. Option D is wrong because conditions are OR within the same rule, but you need to exclude a specific rule. Option C is wrong because you cannot exclude based on rule ID in a single condition.

Option A is wrong because you cannot use a playbook to filter after the automation rule triggers.

199
Multi-Select · hard

Which THREE components are required to implement a threat intelligence feed in Microsoft Sentinel using the Threat Intelligence - TAXII data connector?

Select 3 answers
A. Root collection ID
B. A Log Analytics workspace with Microsoft Sentinel enabled
C. TAXII server URL
D. API key for the TAXII server
E. A watchlist named 'ThreatIntelligenceIndicators'
Answers: A, C, D

Correct. The collection ID specifies which feed to pull.

Why this answer

The root collection ID is a required component for the Threat Intelligence - TAXII data connector because it identifies the specific collection of threat indicators on the TAXII server. Without this ID, Microsoft Sentinel cannot determine which set of indicators to ingest, as a single TAXII server may host multiple collections. The connector uses the root collection ID to query the correct STIX/TAXII endpoint and retrieve the relevant threat intelligence feed.

Exam trap

The trap here is that candidates often confuse the prerequisite (a Log Analytics workspace with Sentinel enabled) with a required component for the connector, or mistakenly think a watchlist is needed to store ingested threat indicators, when in fact the indicators are stored directly in the ThreatIntelligenceIndicator table.

200
MCQ · hard

Your organization uses Microsoft Defender XDR and has a custom detection rule that queries DeviceProcessEvents for suspicious PowerShell commands. You notice that the rule is generating a high number of false positives. You need to reduce false positives while still detecting real threats. What should you do?

A. Add a condition to exclude processes signed by trusted certificates or from known IT admin accounts.
B. Disable the rule and create a new rule with a different MITRE technique.
C. Increase the lookback period from 7 to 30 days.
D. Modify the rule to set the severity to 'Informational'.
Answer: A

Correct. Excluding known benign processes reduces false positives.

Why this answer

Option A is correct because adding a condition to exclude processes signed by trusted certificates or from known IT admin accounts directly reduces false positives by filtering out legitimate administrative activity. Custom detection rules in Microsoft Defender XDR allow you to refine queries with additional conditions, such as excluding specific signers or accounts, which preserves detection of malicious PowerShell commands while ignoring benign ones.

Exam trap

The trap here is that candidates may think lowering severity or changing the detection technique reduces false positives, but only refining the query logic (e.g., excluding trusted signers or accounts) directly addresses the root cause of false alerts.

How to eliminate wrong answers

Option B is wrong because disabling the rule and creating a new rule with a different MITRE technique does not address the false positive issue; it changes the detection focus rather than refining the existing query. Option C is wrong because increasing the lookback period from 7 to 30 days would only expand the data window, potentially increasing false positives and not filtering out legitimate activity. Option D is wrong because setting the severity to 'Informational' merely lowers the alert priority but does not reduce the number of false positives; the rule would still generate the same volume of alerts.

201
MCQ · medium

Your SOC team needs to ensure that all high-severity Microsoft Sentinel incidents are automatically assigned to the senior analyst on call. The team uses Microsoft Teams for communication. Which configuration should you implement?

A. Configure an analytics rule to set the incident owner to the senior analyst and enable Teams integration in Sentinel settings.
B. Create a playbook that reassigns incidents and posts to Teams, and attach it to an automation rule triggered by high-severity incidents.
C. Create a workbook that filters high-severity incidents and configure a Teams webhook in the workbook settings.
D. Create an automation rule that runs when an incident is created with severity High, sets the owner to the senior analyst, and then runs a playbook to post a message to Teams.
Answer: D

Automation rules can assign owners and trigger playbooks that post to Teams.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can directly set the incident owner when an incident is created, and then trigger a playbook to post a message to Microsoft Teams. This two-step configuration ensures high-severity incidents are automatically assigned to the senior analyst on call and the SOC team is notified via Teams without manual intervention.

Exam trap

The trap here is that candidates often assume a playbook alone can handle both assignment and notification, but Microsoft Sentinel automation rules are the correct mechanism for setting incident properties like owner, while playbooks are best suited for external actions like posting to Teams.

How to eliminate wrong answers

Option A is wrong because analytics rules do not have the capability to set the incident owner; that is a function of automation rules or playbooks, and enabling Teams integration in Sentinel settings only provides basic connectivity, not automated assignment. Option B is wrong because while a playbook can reassign incidents and post to Teams, attaching it to an automation rule triggered by high-severity incidents would require the playbook to also set the owner, but the automation rule itself can set the owner more efficiently and reliably without relying on the playbook for assignment. Option C is wrong because workbooks are visualization tools that do not modify incident properties or trigger actions; configuring a Teams webhook in a workbook would only allow manual export or refresh, not automated incident assignment or notification.

202
MCQ · hard

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to automatically group related incidents from different rules into a single incident to reduce analyst workload. The grouping should occur within 30 minutes of the first incident creation. What should you do?

A. Use an automation rule with a playbook that queries for related incidents and merges them.
B. Configure incident grouping in the analytics rule settings with a matching condition and a 30-minute time window.
C. Create an incident creation rule that groups alerts from multiple analytics rules based on entity matching.
D. Create a workbook to display related incidents and manually merge them.
Answer: B

Incident grouping can combine alerts from the same rule.

Why this answer

Option B is correct because Microsoft Sentinel's analytics rules support incident grouping, which automatically merges alerts that match specified conditions (e.g., same entity) into a single incident. By setting the grouping time window to 30 minutes, you ensure that related incidents from different rules are combined within that period, reducing analyst workload without requiring manual intervention or custom playbooks.

Exam trap

The trap here is that candidates often confuse automation rules with incident grouping, assuming a playbook can merge incidents, when in fact merging is a built-in analytics rule feature that requires no external automation.

How to eliminate wrong answers

Option A is wrong because automation rules with playbooks can trigger actions on incidents but cannot merge incidents; merging is not supported via playbooks in Sentinel. Option C is wrong because there is no 'incident creation rule' in Sentinel; incident grouping is configured directly within the analytics rule settings, not via a separate rule type. Option D is wrong because workbooks are for visualization and reporting, not for automated incident merging; manual merging is inefficient and does not meet the 30-minute automatic requirement.

203
Multi-Select · hard

Which THREE of the following are valid components of Microsoft Defender XDR? (Select three.)

Select 3 answers
A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Purview
D. Microsoft Defender for Identity
E. Microsoft Sentinel
Answers: A, B, D

Part of Defender XDR.

Why this answer

Options A, B, and D are correct. Microsoft Defender for Identity, Defender for Office 365, and Defender for Endpoint are core components of Microsoft Defender XDR. Option E is wrong because Microsoft Sentinel is a separate SIEM product, not part of Defender XDR.

Option C is wrong because Microsoft Purview is a compliance product.

204
MCQ · medium

Your security team is investigating an incident in Microsoft Defender XDR where a user received multiple phishing emails. The team needs to create an automated response that blocks the sender's email address across all mailboxes in the organization. Which action should you configure in an automated investigation and response (AIR) playbook?

A. Add a 'Block IP address' action in Microsoft Defender for Cloud Apps.
B. Create a custom detection rule in Microsoft Sentinel.
C. Add a 'Block sender' action in Microsoft Defender for Office 365.
D. Deploy a configuration profile in Microsoft Intune.
Answer: C

Correct. This action blocks the sender across Exchange Online.

Why this answer

Option C is correct because blocking a sender's email address across all mailboxes is a native capability of Microsoft Defender for Office 365. The 'Block sender' action in an AIR playbook directly adds the sender to the tenant's block list, which is enforced at the transport layer for all inbound email, effectively preventing any further delivery from that address.

Exam trap

The trap here is that candidates confuse the scope of Microsoft Defender for Cloud Apps (Option A) with email security controls, mistakenly thinking IP blocking in MDCA can stop email from a specific sender, when in fact email transport blocking is handled exclusively by Defender for Office 365.

How to eliminate wrong answers

Option A is wrong because blocking an IP address in Microsoft Defender for Cloud Apps (MDCA) applies to cloud app sessions and API connections, not to email transport; it cannot block a sender's email address in Exchange Online. Option B is wrong because a custom detection rule in Microsoft Sentinel is for generating alerts from log data, not for executing remediation actions like blocking a sender in mail flow. Option D is wrong because a configuration profile in Microsoft Intune manages device settings and compliance policies, not email sender blocking, which is a mail flow control.

205
MCQ · easy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You are configuring a new automation rule in Sentinel to automatically assign incidents to the appropriate SOC tier based on severity: Low and Medium to Tier 1, High to Tier 2, and Critical to Tier 3. You have created three separate automation rules, one for each tier. However, only the rule for Critical incidents is working. The other rules do not assign incidents. You verify that the other rules are enabled and have the correct conditions. What is the most likely cause?

A. The automation rules for Tier 1 and Tier 2 are set to trigger on incident update instead of creation.
B. The automation rule for Critical incidents has a higher order number and is processed first, preventing other rules from running.
C. The SOC Tier 1 and Tier 2 users do not have the appropriate permissions to own incidents.
D. Automation rules cannot be created separately for each severity; you must use a single rule with multiple conditions.
Answer: B

Automation rules are processed in order; if a rule with higher priority matches, subsequent rules may not run.

Why this answer

Option B is correct because automation rules are processed in order, and if the first rule (e.g., for Critical) matches, it will stop processing subsequent rules. The rules for lower severities may never trigger if the incident also meets the conditions of a higher priority rule. Option D is wrong because multiple rules can exist.

Option C is wrong because role assignments are not the issue. Option A is wrong because rules can be ordered.

206
MCQ · easy

Your organization uses Microsoft Sentinel and wants to ensure that all incident-related data is retained for at least 90 days for compliance purposes. Which configuration should you check?

A. Log Analytics workspace retention settings
B. Watchlist settings
C. Analytics rule settings
D. Incident settings in Sentinel
Answer: A

Data retention is configured in the Log Analytics workspace.

Why this answer

Option A is correct because data retention in Microsoft Sentinel is set at the Log Analytics workspace level. Option C is wrong because analytics rules generate incidents but don't control retention. Option B is wrong because watchlists are for data correlation, not retention.

Option D is wrong because the incidents blade shows incidents but does not configure retention.

207
MCQ · easy

As a SOC analyst, you need to quickly identify if a specific user account has been involved in any incidents in the past week. Which feature in Microsoft Sentinel allows you to search for user-related incidents?

A. Incidents blade with time range filter
B. Hunting blade with user query
C. Entity behavior blade
D. Workbooks with KQL query
Answer: C

Entity behavior shows incident history for that entity.

Why this answer

Option C is correct because the Entity behavior blade in Microsoft Sentinel provides a user-centric view that aggregates all incidents, alerts, and activities associated with a specific user account. By selecting a user entity and navigating to the 'Incidents' tab within the blade, you can quickly filter incidents involving that user over a defined time range, such as the past week. This feature is designed specifically for investigating user-related security events without needing to write custom queries.

Exam trap

Microsoft often tests the misconception that the Incidents blade (Option A) is sufficient for user-specific searches, but the trap is that it lacks entity-level filtering, requiring analysts to manually correlate users across incidents, whereas the Entity behavior blade provides a consolidated user-centric view.

How to eliminate wrong answers

Option A is wrong because the Incidents blade with a time range filter shows all incidents across the workspace, but it does not allow you to search or filter by a specific user account directly; you would need to manually inspect each incident or use a KQL query to correlate user entities. Option B is wrong because the Hunting blade is used for proactive threat hunting with KQL queries to find potential threats, not for quickly identifying incidents already raised against a specific user; it requires writing and running custom queries, which is less efficient for this task. Option D is wrong because Workbooks with KQL queries are customizable dashboards for reporting and visualization, not a direct feature for searching user-related incidents; they require pre-built queries and are not designed for ad-hoc user lookups.

208
Multi-Select · hard

Which THREE capabilities are provided by Microsoft Sentinel's UEBA (User and Entity Behavior Analytics)? (Select THREE.)

Select 3 answers
A. Identify users whose behavior deviates from their peers
B. Provide a timeline of a user's recent activities on the entity page
C. Automatically run playbooks when anomalies are detected
D. Detect anomalous sign-in locations and times
E. Create watchlists for high-value users
Answers: A, B, D

Peer anomaly detection is a key UEBA feature.

Why this answer

Option A is correct because Microsoft Sentinel's UEBA uses machine learning models to establish a baseline of normal behavior for each user and then compares individual user activity against peer group behavior. When a user's actions deviate significantly from their peers, such as accessing unusual resources or performing atypical data transfers, an anomaly is generated, enabling security analysts to investigate potential insider threats or compromised accounts.

Exam trap

The trap here is that candidates may confuse UEBA's anomaly detection with the broader automation capabilities of Microsoft Sentinel, mistakenly thinking that UEBA itself automatically runs playbooks, when in fact playbook execution requires separate automation rules and is not a built-in UEBA feature.

209
MCQ · hard

Your company deploys Microsoft Sentinel in a multi-workspace environment. You need to centralize incident management across workspaces while maintaining data residency. You configure Sentinel workspaces in each region. What additional configuration is required to view all incidents from a single pane?

A. Deploy the Microsoft Sentinel solution across workspaces.
B. Assign the same Azure RBAC roles to all users in each workspace.
C. Merge the workspaces into a single workspace.
D. Use an incident manager with a cross-workspace view.
Answer: D

Cross-workspace views centralize incidents.

Why this answer

Option D is correct because Microsoft Sentinel supports cross-workspace incident management through the incident manager, which can be configured to display incidents from multiple workspaces in a single view. This is achieved by using the 'cross-workspace view' feature, which leverages Azure Resource Graph to query incidents across workspaces without moving data, thus maintaining data residency requirements.

Exam trap

The trap here is that candidates often confuse deploying the Sentinel solution (Option A) with enabling cross-workspace views, but the solution deployment is a separate prerequisite and does not itself provide centralized incident management.

How to eliminate wrong answers

Option A is wrong because deploying the Microsoft Sentinel solution across workspaces is a prerequisite for enabling Sentinel in each workspace, but it does not provide a centralized incident view; it only installs the solution components. Option B is wrong because assigning the same Azure RBAC roles to all users in each workspace ensures consistent permissions but does not aggregate incidents into a single pane; RBAC controls access, not data aggregation. Option C is wrong because merging workspaces into a single workspace would violate data residency requirements by centralizing data in one region, and it is not a supported operation in Sentinel; workspaces are region-bound and cannot be merged.

210
Multi-Select · medium

Which TWO actions should you take to ensure that Microsoft Sentinel can detect and respond to threats across your multicloud environment, including AWS and GCP?

Select 2 answers
A. Use Azure Policy to deploy the connectors automatically.
B. Create analytics rules in Microsoft Sentinel to detect threats from the ingested multicloud logs.
C. Configure the AWS S3 and GCP Pub/Sub data connectors.
D. Enable the Microsoft Defender XDR connector for AWS and GCP.
E. Create a separate Microsoft Sentinel workspace for each cloud provider.
Answers: B, C

Analytics rules are required to generate incidents.

Why this answer

Option C is correct because Microsoft Sentinel supports connectors for AWS (CloudTrail) and GCP (via the GCP connector). Option B is correct because custom KQL analytics rules are needed to create incidents from those logs. Option E is wrong because a separate workspace is not required; you can use one workspace.

Option D is wrong because the Microsoft Defender XDR connector is for Microsoft services, not third-party clouds. Option A is wrong because Azure Policy doesn't configure connectors.

211
Multi-Select · easy

Which TWO data connectors can be used to ingest Microsoft 365 audit logs into Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Microsoft Defender for Cloud Apps connector.
B. Microsoft 365 Defender connector.
C. Office 365 connector (Exchange, SharePoint, Teams).
D. Azure Activity connector.
E. Azure AD connector (sign-in logs).
Answers: B, C

Ingests unified audit logs.

Why this answer

The Microsoft 365 Defender connector (Option B) ingests unified audit logs from Microsoft 365 Defender, which includes security-related events from Microsoft 365 services. The Office 365 connector (Option C) directly ingests audit logs from Exchange Online, SharePoint Online, and Microsoft Teams, which are part of the Microsoft 365 audit log. Both connectors are designed to bring Microsoft 365 audit log data into Microsoft Sentinel.

Exam trap

The trap here is that candidates often confuse the Microsoft 365 Defender connector with the Office 365 connector, thinking they are redundant, or they mistakenly select the Azure AD connector because they assume sign-in logs are part of Microsoft 365 audit logs, when in fact the Azure AD connector only captures Azure AD-specific events, not the full Microsoft 365 audit log.

212
MCQ · easy

Your company uses Microsoft Sentinel to monitor security events. You have configured a daily email report that summarizes the top 10 incidents from the past 24 hours. The report is sent using a Logic App playbook triggered by a scheduled query. Recently, the report has stopped being delivered. You check the Logic App run history and see that the last run failed with an HTTP 403 error when connecting to the Microsoft Sentinel API. The Logic App uses a managed identity for authentication. What is the most likely cause of the failure?

A. The managed identity does not have the required permissions on the Sentinel workspace.
B. The managed identity's client ID has changed.
C. The Logic App is not connected to Microsoft Entra ID.
D. The scheduled query is no longer running.
Answer: A

The managed identity needs at least Sentinel Reader role.

Why this answer

The HTTP 403 error indicates a permissions failure when the Logic App attempted to call the Microsoft Sentinel API. Since the Logic App uses a managed identity for authentication, the most likely cause is that the managed identity lacks the necessary role assignments on the Sentinel workspace, such as 'Microsoft Sentinel Contributor' or 'Microsoft Sentinel Reader', which are required to query incidents via the API.

Exam trap

The trap here is that candidates may confuse an HTTP 403 (forbidden/permissions) with an HTTP 401 (unauthenticated) or assume the managed identity itself is broken, when in fact the identity is valid but lacks the required RBAC role on the Sentinel workspace.

How to eliminate wrong answers

Option B is wrong because a managed identity's client ID is immutable and does not change; if it did, the identity itself would be broken, not just the permissions. Option C is wrong because a Logic App using a managed identity is inherently connected to Microsoft Entra ID (formerly Azure AD) — the managed identity is a feature of Entra ID, so a missing connection would prevent authentication entirely, not cause a 403. Option D is wrong because the scheduled query not running would result in no data or a different error (e.g., empty report), not an HTTP 403 from the Sentinel API; the 403 specifically indicates an authorization failure during the API call.

213
MCQ · easy

You are reviewing the automation rule configuration shown in the exhibit. What is the purpose of this rule?

A. Automatically resolve incidents related to malware
B. Automatically close incidents with 'Malware' in the title
C. Run a playbook to isolate a device when an incident with 'Malware' in the alert title is created
D. Create a playbook for malware alerts
Answer: C

The rule triggers on incident creation with title containing 'Malware' and runs a playbook.

Why this answer

Option C is correct because the rule triggers on incidents with an alert title containing 'Malware' and runs a playbook named 'IsolateDevice'. Option A is wrong because the condition is on alert title, not severity. Option B is wrong because the condition is on incident creation, not resolution.

Option D is wrong because the trigger type is 'Incident', not 'Alert'.

214
MCQ · medium

You are the lead security operations analyst for a company that uses Microsoft Defender XDR. The company has recently deployed Microsoft Copilot for Security to help analysts investigate incidents. During a recent incident involving a potential ransomware attack on multiple devices, the analysts used Copilot to generate an investigation summary and recommended actions. However, the analysts report that Copilot's responses are not specific to the incident; they are generic and do not include device-specific details. You need to ensure that Copilot provides context-aware responses that include specific device information from the incident. What should you do?

A. Assign the Microsoft 365 Defender role to the analysts in Microsoft Entra ID.
B. Enable the Microsoft Defender XDR data connector in Microsoft Sentinel.
C. Instruct analysts to use the 'Investigate' capability in Copilot and provide the incident ID.
D. Configure a custom plugin in Copilot to fetch device data from Defender XDR.
Answer: C

Copilot can access incident details when given the incident ID, providing context-aware responses.

Why this answer

Option C is correct because Copilot for Security can access Defender XDR data, but to get device-specific context, analysts need to use the 'Investigate' capability with the incident ID. Option B is wrong because data connectors are for Sentinel, not Copilot. Option A is wrong because Copilot does not require additional licensing beyond the Copilot license.

Option D is wrong because Copilot does not use plugins in this context.

215
MCQ · hard

A company uses Microsoft Sentinel with the Microsoft 365 Defender connector. The security team notices that alerts from Microsoft Defender for Endpoint (MDE) are not appearing in Sentinel. The MDE data connector status shows 'Connected'. Which step should you take to troubleshoot this issue?

A.Verify that the Microsoft 365 Defender connector is configured to ingest MDE alerts.
B.Check if the Microsoft Defender for Endpoint data connector is added.
C.Verify that the ingestion rules in Sentinel are not filtering out MDE alerts.
D.Check the Microsoft 365 Defender portal to ensure MDE alerts are being generated and forwarded to Microsoft 365 Defender.
Answer: D

If MDE alerts are not in Microsoft 365 Defender, they won't appear in Sentinel.

Why this answer

Option D is correct because the Microsoft 365 Defender connector brings in alerts from all Defender products, including MDE. If the connector is connected but alerts are missing, the issue is likely that the alerts are not being forwarded to Microsoft 365 Defender. Option B is not correct because MDE alerts are not a separate connector; Option A is not correct because the connector is already 'Connected'; Option C is not correct because ingestion rules filter after ingestion.

216
MCQ · easy

You are a security operations analyst. You need to review all incidents from the past 24 hours that have a high severity and involve multiple users. In Microsoft Sentinel, which blade should you use?

A.Incidents
B.Hunting
C.Workbooks
D.Analytics
Answer: A

Incidents blade shows all incidents with filtering capabilities.

Why this answer

Option A is correct because the Incidents blade in Microsoft Sentinel shows all incidents with filters for severity, time, and entities like users. Option B is wrong because Hunting is for proactive threat hunting. Option C is wrong because Workbooks are for dashboards and visualizations. Option D is wrong because Analytics is for creating rules.

217
MCQ · medium

Your organization uses Microsoft Sentinel with multiple workspaces. You need to ensure that incidents involving the same alert in different workspaces are automatically grouped into a single incident. What should you configure?

A.Enable UEBA to correlate alerts across workspaces.
B.Set up an automation rule to merge incidents.
C.Create an analytics rule that runs across all workspaces.
D.Configure an incident grouping rule in Microsoft Sentinel.
Answer: D

Incident grouping rules use alert grouping to combine alerts from multiple workspaces.

Why this answer

Option D is correct because incident grouping rules in Sentinel allow grouping of alerts from different workspaces into a single incident based on matching entities or alert details. Option C is wrong because analytics rules are per workspace. Option B is wrong because automation rules act on incidents, not grouping. Option A is wrong because UEBA doesn't group incidents.

218
Multi-Select · hard

You are configuring Microsoft Sentinel to ingest data from multiple sources. Which TWO of the following are valid data connectors that can be used to ingest AWS CloudTrail logs?

Select 2 answers
A.Azure Functions connector
B.Office 365 connector
C.AWS S3 connector
D.Microsoft Defender for Cloud connector
E.Syslog connector
Answers: A, C

Azure Functions can be used to pull logs from AWS via custom code.

Why this answer

Options A and C are correct. The AWS S3 connector (C) is the standard way to ingest CloudTrail logs. Azure Functions (A) can be used to run custom code to pull logs. Option D is wrong because Microsoft Defender for Cloud is for Azure, not AWS. Option E is wrong because Syslog is for on-premises Linux systems, not AWS. Option B is wrong because the Office 365 connector is for Office 365, not AWS.

219
MCQ · medium

You are a security analyst. An incident in Microsoft Sentinel is assigned to you. The incident contains multiple alerts. You want to group related alerts into a single incident to reduce noise. What feature should you use?

A.Automation rules
B.Threat intelligence indicators
C.Incident details tab
D.Incident grouping settings in the analytics rule
Answer: D

Analytics rules have settings to group alerts into a single incident.

Why this answer

Option D is correct because incident grouping settings in analytics rules allow you to group alerts into a single incident based on criteria like entities or time window. Option C is wrong because the incident details tab is for incident management, not grouping. Option A is wrong because automation rules are for automating actions. Option B is wrong because threat intelligence indicators are for enriching alerts with threat intelligence.

220
MCQ · hard

Your organization, Contoso, uses Microsoft Sentinel in a single Log Analytics workspace. You have ingested logs from Microsoft Defender XDR, Microsoft Entra ID, and Azure Firewall. The SOC team needs to investigate an incident where a user's account was compromised and used to access sensitive data from an external IP address. The incident was created from a Microsoft Defender for Cloud Apps alert. The SOC team wants to automatically block the user from further access and disable the user account in Microsoft Entra ID. You need to design an automated response using Microsoft Sentinel playbooks. The solution must minimize manual intervention. Which option should you choose?

A.Create an automation rule that automatically changes the incident status to 'Active' and assigns it to a senior analyst.
B.Create a playbook that sends an email to the SOC team to manually disable the user.
C.Create a playbook that triggers on the alert and uses the Defender for Cloud Apps API to suspend the user. Configure the automation rule to run the playbook on incident creation.
D.Create a playbook that triggers on the incident and uses the Microsoft Graph API to disable the user account and revoke sessions. Configure the playbook to run automatically from an automation rule.
Answer: D

This is the correct approach. The playbook can directly disable the user in Entra ID and revoke sessions, providing immediate response.

Why this answer

Option D is correct because it uses a playbook triggered on incident creation and leverages the Microsoft Graph API to disable the user account and revoke sessions, which directly addresses the compromised account in Microsoft Entra ID. This approach minimizes manual intervention by automating the entire response within Microsoft Sentinel, aligning with the requirement to block further access and disable the account automatically.

Exam trap

The trap here is that candidates may choose Option C, mistakenly believing that suspending the user via Defender for Cloud Apps API is sufficient, but it does not disable the account in Microsoft Entra ID or revoke all sessions, leaving potential access paths open.

How to eliminate wrong answers

Option A is wrong because changing the incident status to 'Active' and assigning it to a senior analyst does not perform any automated remediation; it only escalates the incident, leaving the compromised account active. Option B is wrong because sending an email to the SOC team requires manual intervention to disable the user, which contradicts the requirement to minimize manual steps. Option C is wrong because triggering on the alert and using the Defender for Cloud Apps API to suspend the user may not fully disable the account in Microsoft Entra ID or revoke sessions, and the automation rule configured on incident creation would not directly trigger on the alert itself, leading to a mismatch in the trigger condition.

221
MCQ · medium

Your organization uses Microsoft Defender XDR. You need to configure automatic attack disruption for identity-related threats. The solution should automatically contain a compromised user by disabling their account. Which setting should you enable?

A.Configure Conditional Access policies to block the user.
B.Enable automatic attack disruption in the Microsoft Defender XDR settings.
C.Use Microsoft Sentinel automation rules to disable the user.
D.Create a custom detection rule to alert on suspicious sign-ins.
Answer: B

This feature automatically contains compromised identities.

Why this answer

Option B is correct because Microsoft Defender XDR's automatic attack disruption feature is specifically designed to contain identity-related threats by automatically disabling compromised user accounts. This setting, found in the Microsoft Defender XDR settings under 'Automated investigation and response', triggers when high-confidence identity attacks (e.g., password spray, lateral movement) are detected, without requiring manual intervention or additional infrastructure.

Exam trap

The trap here is that candidates often confuse 'blocking sign-ins' (Conditional Access) with 'disabling the account' (automatic attack disruption), failing to recognize that only the latter fully contains a compromised user by preventing all authentication attempts, including those from trusted devices or locations.

How to eliminate wrong answers

Option A is wrong because Conditional Access policies block sign-in attempts but do not disable the user account; the account remains active and could be used from non-compliant devices or after policy bypass. Option C is wrong because Microsoft Sentinel automation rules can trigger playbooks to disable users, but this requires custom configuration and is not the built-in automatic attack disruption mechanism within Defender XDR for identity threats. Option D is wrong because custom detection rules only generate alerts and do not automatically contain the user; they lack the automated response capability to disable the account.

222
MCQ · easy

You are reviewing an automation rule ARM template for Microsoft Sentinel. What is the result of deploying this automation rule?

A.The rule assigns the incident to SOC-Tier2 only if the severity is Medium.
B.The rule triggers when an incident is updated and resets the severity to High.
C.When a High severity incident is created, the rule changes its severity to Medium and assigns it to SOC-Tier2.
D.The rule triggers when a High severity incident is created but does not change the severity.
Answer: C

Matches the trigger and action configuration.

Why this answer

Option C is correct because the trigger condition is 'Severity Equals High', and the action sets severity to 'Medium' and assigns the incident to SOC-Tier2: a high-severity incident is created, then changed to medium and assigned. Option B is wrong because the rule triggers on creation, not on update. Option D is wrong because the action modifies severity. Option A is wrong because the trigger condition is High, not Medium, and the action does assign an owner.

223
Multi-Select · easy

Which TWO data connectors are available in Microsoft Sentinel to ingest data from Microsoft 365 services?

Select 2 answers
A.Azure Active Directory
B.Microsoft Defender for Cloud
C.Amazon Web Services
D.Microsoft Entra ID
E.Office 365
Answers: D, E

Ingests sign-in and audit logs.

Why this answer

Office 365 and Microsoft Entra ID connectors are native to Sentinel. Amazon Web Services is for AWS, Azure Active Directory is the old name, and Microsoft Defender for Cloud is a separate product.

224
MCQ · easy

Your SOC team uses Microsoft Sentinel and Microsoft Defender XDR. A junior analyst creates a custom analytics rule in Sentinel that generates an excessive number of incidents. The rule appears to be running but not producing any results. What is the most likely cause?

A.The analyst does not have permissions to create incidents.
B.The rule is set to a low severity.
C.The rule's query syntax is invalid.
D.The rule is disabled.
Answer: C

Invalid queries return no results, so no incidents.

Why this answer

Option C is correct because if the query syntax is incorrect, the rule may run but return no results, and therefore no incidents. Option D is wrong because a disabled rule would not run at all. Option A is wrong because insufficient permissions would cause an error, not a silent failure. Option B is wrong because low severity does not prevent incident creation.

225
MCQ · medium

You are using Microsoft Sentinel to manage incidents. You want to automatically close incidents that are older than 90 days and have a status of 'New'. What is the most efficient way to achieve this?

A.Create a workbook that shows old incidents and manually close them.
B.Create a playbook that runs on a schedule (e.g., daily) and closes incidents that meet the criteria.
C.Modify the analytics rule to automatically close incidents after 90 days.
D.Create an automation rule that triggers on incident update and closes the incident if the created time is older than 90 days.
Answer: B

A scheduled playbook can query incidents by age and close them.

Why this answer

Option B is correct because a scheduled playbook can query incidents and close them based on conditions. Option D is wrong because automation rules cannot be triggered by time and have no condition for incident age. Option C is wrong because analytics rules generate alerts; they do not close incidents. Option A is wrong because workbooks are for visualization.
