CCNA Manage Secops Environment Questions

75 of 554 questions · Page 5/8 · Manage Secops Environment topic · Answers revealed

301
Multi-Select · easy

Which TWO of the following are required to enable Microsoft Sentinel to receive alerts from Microsoft Defender for Cloud? (Choose two.)

Select 2 answers
A. Deploy the Log Analytics agent on all VMs.
B. Connect a non-Azure machine using Azure Arc.
C. Install the 'Microsoft Defender for Cloud' data connector in Microsoft Sentinel.
D. Enable Microsoft Defender for Cloud on the Azure subscription.
E. Assign an Azure Policy to enable Defender for Cloud.
Answers: C, D

The connector must be installed and configured.

Why this answer

Options C and D are correct. You need to enable the Microsoft Defender for Cloud connector in Sentinel (C) and ensure Defender for Cloud is enabled on the subscription (D). Option B is optional for multi-cloud scenarios, not required.

Option E is wrong because Defender for Cloud generates alerts without Azure Policy. Option A is wrong because the Log Analytics agent is not needed for Defender for Cloud alerts.

302
MCQ · medium

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the incident category. What should you configure?

A. Create an automation rule that runs a playbook to assign the incident.
B. Create an analytics rule that sets the owner field.
C. Create a custom incident label for each category.
D. Create a workbook that filters incidents by category.
Answer: A

Automation rules with playbooks can assign incidents.

Why this answer

Automation rules in Microsoft Sentinel can trigger a playbook when an incident is created or updated. By configuring an automation rule with a condition based on the incident category, you can invoke a playbook that uses the Microsoft Sentinel API or Logic Apps to set the incident's owner field, thereby assigning it to the appropriate analyst. This is the correct approach because automation rules are designed to run automated responses, including playbooks, on incidents.

Exam trap

The trap here is that candidates often confuse analytics rules (which create incidents) with automation rules (which act on existing incidents), leading them to incorrectly select option B thinking the rule itself can assign ownership during incident creation.

How to eliminate wrong answers

Option B is wrong because analytics rules generate alerts and incidents from log data; they do not have the capability to set the owner field on an incident—owner assignment is a post-creation action. Option C is wrong because custom incident labels are used for tagging and filtering, not for automated assignment or ownership changes. Option D is wrong because workbooks are visualization tools that display data; they cannot modify or assign incidents.

303
MCQ · hard

Your organization uses Microsoft Sentinel with Azure Policy. You need to ensure that new Log Analytics workspaces are automatically connected to Sentinel and configured with a standard set of data connectors. What should you use?

A. Deploy an ARM template to each new workspace manually.
B. Use Sentinel automation rules to configure new workspaces.
C. Develop a Logic App that runs on a schedule to check for new workspaces.
D. Create Azure Policy definitions that deploy Sentinel and data connectors.
Answer: D

Azure Policy can automatically deploy resources and configure connectors.

Why this answer

Azure Policy can be used to automatically deploy and configure Microsoft Sentinel and its data connectors on new Log Analytics workspaces. By creating policy definitions with 'DeployIfNotExists' or 'Modify' effects, you ensure that any new workspace is automatically onboarded to Sentinel and has the required data connectors installed, meeting the requirement for automated, consistent configuration at scale.

Exam trap

The trap here is confusing automation rules (which handle incident response within Sentinel) with Azure Policy (which handles resource provisioning and compliance), leading candidates to incorrectly choose option B.

How to eliminate wrong answers

Option A is wrong because manually deploying an ARM template to each new workspace does not provide automated enforcement or scalability; it requires human intervention for every new workspace. Option B is wrong because Sentinel automation rules operate on incidents and alerts within an already-configured Sentinel workspace, not on the provisioning or configuration of the workspace itself. Option C is wrong because a scheduled Logic App would introduce latency and complexity, and it is not a native, policy-driven approach; Azure Policy provides real-time, event-driven enforcement without custom polling logic.

304
Multi-Select · hard

Which TWO actions should you take to reduce the cost of Microsoft Sentinel while maintaining security coverage?

Select 2 answers
A. Remove data connectors for non-critical sources.
B. Reduce the retention period of tables that do not require long-term storage.
C. Ingest verbose logs (e.g., DNS events) into Basic Logs tier.
D. Disable analytics rules that generate low-severity incidents.
E. Switch the workspace pricing tier from Capacity Reservations to Pay-as-you-Go.
Answers: B, C

Shorter retention reduces storage costs.

Why this answer

Option B is correct because reducing the retention period for tables that do not require long-term storage directly lowers the data storage costs in Microsoft Sentinel. Sentinel charges per GB of data stored, and by shortening retention (e.g., from 90 days to 30 days) for non-critical tables, you reduce the volume of data retained without affecting security monitoring or incident investigation for the shortened period.

Exam trap

The trap here is that candidates often confuse reducing data ingestion (Option A) with reducing storage costs, but the question explicitly requires maintaining security coverage, so removing data connectors would break that requirement.

305
Multi-Select · hard

Which THREE of the following are capabilities of Microsoft Copilot for Security?

Select 3 answers
A. Manage Azure Policy assignments.
B. Summarize incidents from Microsoft Defender XDR.
C. Automatically configure conditional access policies.
D. Generate KQL queries for Microsoft Sentinel.
E. Analyze scripts for malicious intent.
Answers: B, D, E

Copilot can provide incident summaries.

Why this answer

Options B, D, and E are correct. Copilot can summarize incidents, generate KQL queries, and analyze scripts. Option C is wrong because Copilot does not directly manage access policies.

Option A is wrong because Azure Policy management is not a Copilot capability.

306
MCQ · medium

Refer to the exhibit. You run this PowerShell script. What is the effect on the SecurityEvent table in the SOC-Workspace Log Analytics workspace?

A. The table will retain data interactively for 365 days, and data will be archived for an additional 365 days, total 730 days.
B. The table will retain data interactively for 90 days and archived for 275 days.
C. The table will be converted to Basic Logs.
D. The table will retain data for 730 days interactively.
Answer: A

Interactive retention is 365, total retention is 730, so archive is 365.

Why this answer

Option A is correct because the script sets the interactive retention to 365 days and the total retention (including archive) to 730 days. Option B is incorrect because the script does not set 90 and 365 days. Option C is incorrect because Basic Logs are not configured.

Option D is incorrect because the script does not set both values to 730 days.

307
Multi-Select · medium

Which TWO actions can reduce the cost of Microsoft Sentinel while maintaining security coverage?

Select 2 answers
A. Remove unused data connectors.
B. Switch to a pay-as-you-go workspace.
C. Configure some tables to use Basic Logs tier.
D. Move older logs to Azure Storage archive tier.
E. Reduce workspace retention to 30 days for all tables.
Answers: C, D

Basic Logs are cheaper for ingestion.

Why this answer

Options C and D are correct because archiving reduces retention cost and Basic Logs reduce ingestion cost. Option A is wrong because removing data sources reduces coverage. Option E is wrong because decreasing retention deletes logs sooner.

Option B is wrong because Sentinel costs are separate from Log Analytics.

308
MCQ · hard

Refer to the exhibit. You have a Logic Apps playbook that triggers on Microsoft Sentinel alerts. The playbook is not posting messages to Teams. What is the most likely cause?

A. The playbook is using the wrong trigger type.
B. The Teams connector is not authenticated.
C. The trigger body is not referencing the correct alert ID.
D. The JSON syntax is invalid.
Answer: A

The trigger should be 'When a Microsoft Sentinel alert is created'.

Why this answer

The playbook is triggered on Microsoft Sentinel alerts, but Logic Apps requires a specific trigger type to process these alerts correctly. The most likely cause is that the playbook uses a generic HTTP trigger instead of the 'Microsoft Sentinel Incident' or 'Microsoft Sentinel Alert' trigger, which is designed to parse the alert payload and provide the necessary context for downstream actions like posting to Teams. Without the correct trigger, the playbook may not receive the alert data or may fail to execute the Teams connector properly.

Exam trap

The trap here is that candidates often assume authentication issues (Option B) are the default cause for Teams failures, but the question's context of 'not posting messages' without errors points to a trigger mismatch rather than a connectivity problem.

How to eliminate wrong answers

Option B is wrong because if the Teams connector were not authenticated, the playbook would typically fail with an authentication error, not silently fail to post messages; the question implies no error is reported, so authentication is likely valid. Option C is wrong because the trigger body not referencing the correct alert ID would cause a data mapping issue, but the playbook would still attempt to run and likely produce an error or incorrect output, not a complete failure to post. Option D is wrong because invalid JSON syntax would cause the playbook to fail at design time or trigger a validation error, preventing it from running at all, whereas the playbook is running but not posting messages.

309
Multi-Select · hard

Which TWO are valid methods to ingest logs into Microsoft Sentinel from a non-Azure virtual machine? (Select TWO.)

Select 2 answers
A. Azure Monitor Agent (AMA) with Azure Arc
B. Log Analytics agent (MMA) – legacy
C. Microsoft Sentinel agent (standalone)
D. Azure Monitor Agent (AMA) without Azure Arc
E. Log Analytics agent (OMS) – deprecated
Answers: A, B

AMA can be installed on non-Azure VMs via Azure Arc.

Why this answer

Options A and B are correct because AMA (via Azure Arc) and the legacy MMA are valid agents for a non-Azure VM. Option C is wrong because there is no separate Sentinel agent; MMA (or AMA) is used. Option D is wrong because on a non-Azure VM, AMA requires Azure Arc; AMA itself is available for both Windows and Linux.

Option E is wrong because the OMS agent is the same as MMA, but it is deprecated.

310
MCQ · easy

Your security team needs to assign a custom role in Microsoft Sentinel that allows read and write access to incidents but not to analytics rules. Which built-in role should you use as a base for the custom role?

A. Microsoft Sentinel Responder
B. Microsoft Sentinel Reader
C. Microsoft Sentinel Contributor
D. Global Administrator
Answer: A

Responder can manage incidents but not analytics rules.

Why this answer

The Microsoft Sentinel Responder role has read and write access to incidents and read access to other data, but not write access to analytics rules. Option C is wrong because Microsoft Sentinel Contributor has full access including analytics rules. Option B is wrong because Microsoft Sentinel Reader is read-only.

Option D is wrong because Global Administrator is too broad.

311
MCQ · hard

You are responsible for Microsoft Defender for Cloud Apps. The security team reports that they are not receiving alerts for suspicious activities from a specific connected app (Salesforce). You verify that the app is connected and the log collection is working. What should you check next?

A. Review the IP address ranges configured for the Salesforce app.
B. Ensure that the anomaly detection policy for Salesforce is enabled in Defender for Cloud Apps.
C. Check if the Salesforce app connector is properly configured in Microsoft Entra ID.
D. Verify that the Salesforce tenant is licensed for Microsoft Entra ID P2.
Answer: B

Anomaly detection policies must be enabled per app to generate alerts.

Why this answer

Option B is correct because Defender for Cloud Apps has anomaly detection policies that need to be enabled for each app. If the policy is not enabled, alerts will not be generated. Option C is wrong because the app is already connected and Microsoft Entra ID is not directly involved in alert generation.

Option A is wrong because IP address ranges are for categorization, not alert generation.

312
MCQ · hard

Your organization uses Microsoft Sentinel with Azure Monitor Agent (AMA) to collect Windows security events. You need to collect process creation events (Event ID 4688) and include command-line information. The current Data Collection Rule (DCR) collects only basic security events. What should you modify?

A. Upgrade the AMA to the latest version.
B. Enable the 'Include command line in process creation events' policy in Windows Group Policy.
C. Modify the DCR to include Event ID 4688 in the data source.
D. Switch to the Windows Security Events via Legacy Agent connector.
Answer: B

This policy ensures Windows logs the command line in Event ID 4688.

Why this answer

Option B is correct because Event ID 4688 (process creation) can include command-line arguments, but this data is not captured by default. The 'Include command line in process creation events' Group Policy setting must be enabled on the Windows machines to populate the CommandLine field in the security event log. Without this policy, the AMA and DCR will collect the event but the command-line information will be empty.

Exam trap

The trap here is that candidates assume modifying the DCR to include the event ID is sufficient, but they overlook the prerequisite Windows policy that must be enabled to populate the command-line data within the event itself.

How to eliminate wrong answers

Option A is wrong because upgrading the AMA version does not enable command-line capture; the AMA already supports collecting Event ID 4688 with command-line data if the underlying event contains it. Option C is wrong because modifying the DCR to include Event ID 4688 will collect the event, but the command-line field will remain blank unless the Group Policy setting is enabled first. Option D is wrong because switching to the legacy agent connector does not solve the command-line requirement; the legacy agent also relies on the same Group Policy setting to populate the command-line data.

313
MCQ · easy

Your organization wants to use Microsoft Sentinel's built-in threat intelligence feeds to enrich alerts. Which data connector should you enable?

A. Office 365 connector.
B. Threat Intelligence - TAXII connector.
C. Microsoft 365 Defender connector.
D. Microsoft Defender for Cloud connector.
Answer: B

This connector ingests threat indicators from TAXII feeds.

Why this answer

The Threat Intelligence - TAXII connector allows you to ingest threat indicators from STIX/TAXII sources, so Option B is correct. Option D is wrong because the Microsoft Defender for Cloud connector is for security alerts.

Option C is wrong because the Microsoft 365 Defender connector is for incidents and alerts from Defender products. Option A is wrong because the Office 365 connector is for productivity logs.

314
Multi-Select · easy

You are configuring Microsoft Sentinel analytics rules. Which THREE of the following are valid types of analytics rules in Microsoft Sentinel?

Select 3 answers
A. Fusion rule
B. Microsoft Security rule
C. Watchlist rule
D. Scheduled query rule
E. Playbook rule
Answers: A, B, D

Fusion rules use advanced detection.

Why this answer

Options A, B, and D are correct. Scheduled query rules (D) run on a schedule, Microsoft Security rules (B) create incidents from security alerts, and Fusion rules (A) use machine learning to detect multi-stage attacks. Option C is wrong because Watchlist rules are not a rule type; watchlists are used for enrichment.

Option E is wrong because Playbook rules are not a rule type; playbooks are automated responses.

315
MCQ · hard

Your security operations center uses Microsoft Sentinel and Microsoft Defender XDR. A new type of attack involves a user receiving a malicious email that triggers a macro, which then executes PowerShell to download a payload. You need to create a detection that correlates email, process creation, and network connection events from multiple Microsoft 365 Defender sources. What should you use?

A. Advanced hunting in Microsoft 365 Defender
B. Scheduled query rule in Microsoft Sentinel
C. Custom detection rule in Microsoft 365 Defender
D. Fusion rule in Microsoft Sentinel
Answer: A

Advanced hunting can query across email, process, and network tables.

Why this answer

Advanced hunting in Microsoft 365 Defender is the correct choice because it allows you to write Kusto Query Language (KQL) queries that can join data across multiple tables from different Microsoft 365 Defender sources, such as EmailEvents, DeviceProcessEvents, and DeviceNetworkEvents. This enables correlation of the email receipt, macro-triggered PowerShell process creation, and subsequent network connection to a malicious IP or domain in a single query, which is exactly what the scenario requires.

Exam trap

The trap here is that candidates often confuse the scope of custom detection rules in Microsoft 365 Defender, mistakenly believing they can cross-correlate multiple data sources, when in fact they are limited to a single table or entity type, whereas advanced hunting is designed for cross-table joins.

How to eliminate wrong answers

Option B is wrong because a scheduled query rule in Microsoft Sentinel operates on data ingested into the Log Analytics workspace, which may have latency and does not natively support real-time cross-product correlation across Microsoft 365 Defender tables without additional data connectors and schema mapping. Option C is wrong because a custom detection rule in Microsoft 365 Defender is limited to a single data source (e.g., only device events or only email events) and cannot join tables from different domains like EmailEvents and DeviceProcessEvents in one rule. Option D is wrong because a Fusion rule in Microsoft Sentinel is a prebuilt, machine-learning-based correlation that detects multistage attacks by combining alerts from multiple security products, but it cannot be customized to write a specific KQL query that joins raw event tables from Microsoft 365 Defender.

316
Multi-Select · medium

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to ensure that high-severity incidents are automatically escalated to the on-call security engineer via Microsoft Teams. Which three components should you configure?

Select 3 answers
A. A playbook that uses a condition to check severity and then sends a Teams message.
B. An automation rule in Microsoft Sentinel that triggers on incident creation with high severity.
C. A Microsoft Teams connector in the playbook to post a message to a channel.
D. An analytics rule that sends a Teams message when a high-severity alert fires.
E. A workbook that displays high-severity incidents for manual escalation.
Answers: A, B, C

Correct: Playbooks can include conditional logic and actions.

Why this answer

Option A is correct because a playbook in Microsoft Sentinel can contain a condition action that evaluates the incident severity. If the severity is 'High', the playbook then uses a Microsoft Teams connector to send a message to the on-call security engineer, automating the escalation process.

Exam trap

The trap here is that candidates may confuse analytics rules with automation rules, thinking an analytics rule can directly send Teams messages, when in fact analytics rules only generate alerts and require a separate automation rule and playbook to perform actions like messaging.

317
MCQ · hard

Your Microsoft Sentinel workspace has multiple analytics rules generating incidents. You need to ensure that when an incident is created from a specific rule, a Teams message is sent to the security team. What should you configure?

A. Configure a workbook to send an email when an incident appears
B. Modify the incident creation rule in Microsoft 365 Defender
C. Add a custom analytics rule that triggers on incident creation
D. Create an automation rule that runs a playbook when the incident is created
Answer: D

Automation rules can trigger playbooks on incident creation.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can trigger on incident creation and execute a playbook, which can be configured to send a Teams message via a connector. This provides a native, low-code way to automate notifications without custom code or external tools.

Exam trap

The trap here is that candidates often confuse workbooks (visualization) or analytics rules (alert generation) with automation rules, which are the correct mechanism for triggering response actions like Teams messages on incident creation.

How to eliminate wrong answers

Option A is wrong because workbooks are visualization tools for dashboards and analytics, not for sending notifications or triggering actions like Teams messages. Option B is wrong because incident creation rules in Microsoft 365 Defender govern alert-to-incident correlation in the Defender portal, not in Sentinel, and cannot be modified to send Teams messages. Option C is wrong because custom analytics rules generate alerts from log data, not from incident creation events; they cannot directly trigger on incident creation or run playbooks.

318
MCQ · hard

Your organization uses Microsoft Defender XDR and Microsoft Sentinel. You need to configure a solution that automatically blocks a user's account when a high-severity incident is generated. The solution must use built-in capabilities without custom code. What should you do?

A. Create an automation rule that triggers on incident creation with severity high, and runs a playbook that uses the 'Update user' action to disable the account.
B. Use a scheduled analytics rule that runs every hour and disables accounts found in the results.
C. Configure Microsoft Entra ID to automatically apply a conditional access policy blocking sign-ins when a high-severity alert is raised.
D. Create a playbook that uses the 'Run a query' action to find the device and then uses Microsoft Defender for Endpoint to isolate the device.
Answer: A

A playbook with Graph API can disable a user.

Why this answer

Option A is correct because Microsoft Sentinel's automation rules can trigger a playbook that uses the Microsoft Graph Security API to disable a user account. Option D is incorrect because it isolates the device, not the user. Option C is incorrect because it creates a conditional access policy, not immediate blocking.

Option B is incorrect because it runs a query on a schedule but does not automatically block the account.

319
MCQ · easy

Your organization uses Microsoft Sentinel and you need to ensure that incidents are automatically closed when a related playbook completes successfully. What should you configure?

A. Create an automation rule that triggers after the playbook runs and closes the incident
B. Add a 'Close incident' action in the playbook
C. Configure the analytics rule to close incidents automatically
D. Use a workbook to manually close incidents
Answer: A

Automation rules can close incidents based on conditions.

Why this answer

Option A is correct because automation rules can have conditions and actions, including closing an incident after a playbook runs. Option B is wrong because, although playbooks can close incidents, the automation rule is what triggers the playbook and can close the incident itself. Option C is wrong because analytics rules create incidents, not close them.

Option D is wrong because workbooks are for visualization.

320
Multi-Select · medium

Which THREE are valid incident management features in Microsoft Sentinel?

Select 3 answers
A. Incident merging
B. Incident creation from analytics rules
C. Incident comments
D. Incident tasks
E. Incident templates
Answers: B, C, D

Analytics rules create incidents.

Why this answer

Incident creation from analytics rules is a core feature in Microsoft Sentinel. When an analytics rule detects a threat or suspicious activity, it automatically generates an incident, which serves as the primary object for investigation and response. This automation is fundamental to Sentinel's security orchestration, automation, and response (SOAR) capabilities.

Exam trap

The trap here is that candidates may confuse 'incident merging' with the ability to link related incidents or alerts, but Sentinel does not have a native 'merge' operation—it only supports grouping alerts under a single incident or manually linking incidents via the 'Add related incidents' action.

321
MCQ · easy

You are deploying an ARM template to create a saved search in a Log Analytics workspace. The template fails with an error that the resource type is not valid for Microsoft Sentinel. What is the most likely reason?

A. The query is invalid KQL.
B. The apiVersion is incorrect.
C. The resource type should be Microsoft.SecurityInsights/alertRules, not OperationalInsights/workspaces/savedSearches.
D. The name format is incorrect.
Answer: C

Microsoft Sentinel uses a different resource provider for analytics rules.

Why this answer

In Microsoft Sentinel, analytics rules are defined using the Microsoft.SecurityInsights resource provider, not the OperationalInsights provider. The correct type is Microsoft.SecurityInsights/alertRules. Option C identifies this.

Option B is wrong because the API version is valid. Option A is wrong because the query is valid KQL. Option D is wrong because the name format is fine.

322
MCQ · medium

Your organization uses Microsoft Defender for Identity (MDI) to monitor on-premises Active Directory. You want to forward MDI alerts to Microsoft Sentinel. What should you configure?

A. Microsoft 365 Defender connector
B. Azure Advanced Threat Protection connector
C. Microsoft Defender for Cloud Apps connector
D. Microsoft Defender for Identity connector
Answer: D

Direct connector for MDI alerts.

Why this answer

Option D is correct because Microsoft Defender for Identity (MDI) alerts are forwarded to Microsoft Sentinel by configuring the Microsoft Defender for Identity data connector. This connector ingests MDI security alerts, such as suspicious Kerberos activity or lateral movement attempts, directly into Sentinel for advanced correlation and incident response. The connector uses the Microsoft Graph Security API to pull alerts from the MDI service, enabling seamless integration without additional agents.

Exam trap

The trap here is that candidates confuse the Microsoft Defender for Identity connector with the Microsoft 365 Defender connector, assuming the unified portal connector is the correct way to forward MDI alerts, but the exam expects the specific product-named connector for direct integration.

How to eliminate wrong answers

Option A is wrong because the Microsoft 365 Defender connector ingests alerts from the unified Microsoft 365 Defender portal (which includes MDI, MDE, and MDCA), but it is not the specific connector for forwarding MDI alerts directly; using it would require enabling the broader M365D integration, which may include unrelated data. Option B is wrong because Azure Advanced Threat Protection (Azure ATP) is the predecessor to Microsoft Defender for Identity; the current product is MDI, and the connector name has been updated to reflect the rebranding, so selecting this option indicates confusion with the legacy name. Option C is wrong because the Microsoft Defender for Cloud Apps connector is designed to ingest alerts from Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security), not from MDI; it handles shadow IT and SaaS app anomalies, not on-premises Active Directory threats.

323
MCQ · hard

Your organization uses Microsoft Sentinel with multiple watchlists. You need to create a KQL query that joins log data with a watchlist to enrich alerts. Which KQL operator should you use?

A. lookup
B. union
C. _GetWatchlist
D. join
Answer: C

_GetWatchlist('watchlistname') returns the watchlist as a table.

Why this answer

The '_GetWatchlist' function is the recommended way to access watchlists in KQL, so Option C is correct. Options A and B are for static tables.

Option D is for time series.

324
MCQ · medium

Your organization uses Microsoft Defender for Identity. You need to monitor for potential lateral movement attacks using pass-the-hash techniques. Which entity type in Microsoft Defender for Identity should you focus on in the security alert timeline?

A. IP address
B. Account
C. Device
D. Computer
Answer: B

Defender for Identity alerts for pass-the-hash typically highlight the compromised account.

Why this answer

Option B is correct because pass-the-hash attacks involve compromised accounts, and Defender for Identity alerts include 'Account' entities. The other options are not the primary entity for lateral movement alerts.

325
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps. You need to create a policy that alerts when a user downloads more than 10 files from SharePoint in 5 minutes. What type of policy should you create?

A. Activity policy
B. App permissions policy
C. Session policy
D. Anomaly detection policy
Answer: A

Allows custom activity thresholds.

Why this answer

An activity policy in Defender for Cloud Apps monitors specific user activities and can trigger alerts based on frequency thresholds, so Option A is correct. Option D is wrong because anomaly detection policies use machine learning. Option C is wrong because session policies control activities in real time via proxy.

Option B is wrong because app permissions policies manage OAuth apps.

326
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps to monitor SaaS application usage. You need to generate an alert when a user performs more than 50 failed login attempts in 10 minutes, and the alert must be based on a built-in anomaly detection policy. What should you do?

A. Create a data loss prevention (DLP) policy in Microsoft Purview that triggers on failed logins.
B. Deploy a session policy in Defender for Cloud Apps that blocks after 50 failed logins.
C. Configure an app connector for each SaaS app and then create a custom activity policy.
D. Enable the 'Multiple failed login attempts' anomaly detection policy in Defender for Cloud Apps.
Answer: D

Anomaly detection policies include built-in templates for failed login attempts.

Why this answer

Option D is correct because Microsoft Defender for Cloud Apps includes a built-in anomaly detection policy named 'Multiple failed login attempts' that specifically monitors for a high volume of failed logins from a single user within a short time window. This policy is enabled by default and can be customized to trigger alerts when the threshold (e.g., more than 50 failed attempts in 10 minutes) is exceeded, without requiring any additional configuration or custom policy creation.

Exam trap

The trap here is that candidates often confuse the purpose of session policies (which control real-time access) with anomaly detection policies (which detect behavioral patterns), leading them to incorrectly select Option B, or they assume a custom policy is always required (Option C) when a built-in policy already exists for this exact scenario.

How to eliminate wrong answers

Option A is wrong because data loss prevention (DLP) policies in Microsoft Purview are designed to detect and protect sensitive information (e.g., credit card numbers, PII) in content, not to monitor or alert on failed login attempts. Option B is wrong because session policies in Defender for Cloud Apps control real-time access and actions during a user session (e.g., blocking downloads), but they cannot be used to block after a specific number of failed logins; that logic belongs to anomaly detection policies. Option C is wrong because while app connectors are required to collect activity logs from SaaS apps, creating a custom activity policy would require manual definition of the detection logic; the question explicitly asks for a built-in anomaly detection policy, making a custom policy unnecessary and incorrect.

327
MCQmedium

Refer to the exhibit. You are reviewing an Azure Security Center automation (now Microsoft Defender for Cloud) that should automatically trigger a Logic App when an alert is generated. However, the automation is not triggering. What is the most likely cause?

A.The action type is incorrect; it should be 'EventHub'
B.The logicAppResourceId is missing
C.The apiVersion is invalid
D.The automation is missing the 'triggers' property to filter on specific alert types
AnswerD

Without triggers, the automation does not know which alerts to act on.

Why this answer

Option D is correct because Microsoft Defender for Cloud automation requires a 'triggers' property to define which alert types should invoke the Logic App. Without this property, the automation is created but never fires, as it has no conditions to match incoming alerts. The exhibit shows the automation resource is configured, but missing the triggers array means no alerts will trigger the Logic App.

Exam trap

The trap here is that candidates assume the automation will trigger on all alerts by default, but Microsoft Defender for Cloud requires explicit trigger conditions; otherwise, the automation exists but never fires.

How to eliminate wrong answers

Option A is wrong because the action type 'LogicApp' is correct for invoking a Logic App; 'EventHub' would be used to send alerts to an event hub, not to trigger a Logic App. Option B is wrong because the logicAppResourceId is present in the exhibit (it is a required property and shown in the JSON), so its absence is not the issue. Option C is wrong because the apiVersion '2019-01-01-preview' is a valid and supported version for Microsoft Defender for Cloud automation resources; an invalid apiVersion would cause a deployment error, not a silent failure to trigger.

328
MCQeasy

You are configuring Microsoft Defender for Cloud Apps session controls for a SharePoint site containing sensitive data. Which condition must be met to apply real-time monitoring?

A.The SharePoint site must be added as a custom app in Defender for Cloud Apps.
B.Users must access the site through Microsoft Entra ID application proxy.
C.A browser extension must be installed on all client devices.
D.Users must be configured with Conditional Access policies from Microsoft Entra ID.
AnswerB

Session control uses reverse proxy; Entra ID app proxy is required.

Why this answer

Microsoft Defender for Cloud Apps session controls for SharePoint require traffic to be routed through Microsoft Entra ID (formerly Azure AD) to enable real-time monitoring and control. The Microsoft Entra ID application proxy acts as a reverse proxy that intercepts user requests, allowing Defender for Cloud Apps to inspect and apply policies on the fly. Without this proxy, the session control cannot intercept traffic at the application layer for SharePoint Online.

Exam trap

The trap here is that candidates often assume a browser extension is needed for session control, but Microsoft Entra ID application proxy provides the server-side interception required for SharePoint without client-side software.

How to eliminate wrong answers

Option A is wrong because SharePoint is already a recognized app in Defender for Cloud Apps; adding it as a custom app is unnecessary and does not enable session controls. Option B is correct as explained. Option C is wrong because session controls for SharePoint do not require a client-side browser extension; the proxy handles interception server-side.

Option D is wrong because while Conditional Access policies are used to route traffic to the session control, they are not the condition that enables real-time monitoring—the proxy is the prerequisite.

329
MCQeasy

Your organization uses Microsoft Defender XDR. You need to ensure that incidents are automatically classified as 'True positive' when a specific indicator of compromise (IOC) is detected. What should you configure?

A.Configure a suppression rule in Microsoft Defender XDR.
B.Create a custom detection rule in Microsoft 365 Defender that sets the classification to 'True positive' when the IOC is detected.
C.Create a transport rule in Exchange Online.
D.Add the IOC to the Microsoft Defender for Endpoint indicator list.
AnswerB

Custom detection rules can include actions to classify incidents.

Why this answer

Option B is correct because custom detection rules can be configured to automatically classify incidents. Option C is for email filtering. Option D is for file reputation.

Option A is for alert suppression, not classification.

330
MCQhard

Your Microsoft Defender XDR environment is experiencing high false positive rates for a specific type of alert. You need to reduce the noise without completely disabling the alert. What is the most effective method?

A.Create a custom detection rule to tune the detection logic.
B.Create a suppression rule for the alert.
C.Use an automation rule to automatically close the false positive incidents.
D.Disable the built-in detection rule.
AnswerA

Custom detections allow fine-tuning to reduce false positives.

Why this answer

Custom detections in Microsoft Defender XDR allow you to create custom rules that tune the detection logic, e.g., by adding conditions to reduce false positives. Option B is wrong because suppression rules hide alerts but do not address the root cause. Option D is wrong because disabling the alert removes detection entirely.

Option C is wrong because automation rules can only handle incidents after generation, not prevent false alerts.

331
MCQmedium

Your company uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You need to ensure that when a device is determined to be compromised, the device is automatically isolated from the network and a Sentinel incident is updated with the isolation status. What is the most efficient way to achieve this?

A.Have the SOC analyst manually isolate the device from the MDE console and update the incident in Sentinel
B.Configure Microsoft Intune to automatically isolate the device when a compliance policy is violated
C.Use Microsoft Defender XDR conditional access to block the device
D.Create a Microsoft Sentinel automation rule with a playbook that isolates the device and updates the incident
AnswerD

This automates the response and updates the incident in Sentinel.

Why this answer

Option D is correct because it leverages Microsoft Sentinel's automation capabilities to respond to security incidents without manual intervention. By creating an automation rule that triggers a playbook (an Azure Logic Apps workflow), you can automatically isolate a compromised device via Microsoft Defender for Endpoint APIs and simultaneously update the Sentinel incident with the isolation status. This provides the most efficient, end-to-end automated response directly within the security operations workflow.

Exam trap

The trap here is that candidates may confuse Microsoft Intune compliance policies or conditional access with automated incident response actions, not realizing that only a Sentinel automation rule with a playbook can directly orchestrate both device isolation and incident update in a single, efficient workflow.

How to eliminate wrong answers

Option A is wrong because manual isolation and incident update are inefficient, error-prone, and do not meet the requirement for an automated response. Option B is wrong because Microsoft Intune compliance policies are designed for device configuration and health checks, not for real-time incident response to a compromise detected by Defender for Endpoint; Intune cannot trigger isolation based on a Defender alert. Option C is wrong because Microsoft Defender XDR conditional access controls access to cloud apps based on risk, but it does not perform network isolation of a device or update a Sentinel incident; it is a conditional access policy, not an automated response action.

332
MCQhard

Your organization uses Microsoft Sentinel with multiple workspaces across different regions. You need to centrally manage all security incidents from a single pane of glass. The solution must allow analysts to investigate incidents across workspaces without switching contexts. What should you configure?

A.Deploy Microsoft Sentinel in a single region and use Azure Arc to connect other workspaces.
B.Create a union query across workspaces using the workspace() expression.
C.Use Azure Lighthouse to manage multiple workspaces and enable cross-workspace incident view in Microsoft Sentinel.
D.Configure a single workspace and use diagnostic settings to send all logs to it.
AnswerC

Azure Lighthouse allows managing multiple workspaces from a single view.

Why this answer

Option C is correct because Microsoft Sentinel's incident management supports cross-workspace views via Azure Lighthouse or unified incident management. Option B is for queries, not incident management. Option D is for data collection.

Option A is for event management, not Sentinel.

333
MCQmedium

Your security team receives alerts from Microsoft Defender for Cloud. You need to configure automated response to remediate a specific alert type. What should you create in Microsoft Sentinel?

A.An analytics rule
B.A workbook
C.A watchlist
D.An automation rule
AnswerD

Automation rules trigger playbooks or other actions in response to incidents.

Why this answer

In Microsoft Sentinel, automation rules are the correct mechanism to define automated responses triggered by alerts, including those from Microsoft Defender for Cloud. They allow you to run playbooks, change incident severity, assign ownership, or add comments when a specific alert type fires, enabling remediation without manual intervention.

Exam trap

The trap here is that candidates often confuse 'automation rule' with 'analytics rule', mistakenly thinking the rule that generates the alert can also handle the response, but Sentinel separates detection (analytics rules) from response (automation rules).

How to eliminate wrong answers

Option A is wrong because analytics rules are used to generate alerts or incidents from raw data (e.g., querying Log Analytics), not to automate responses to existing alerts. Option B is wrong because workbooks are interactive dashboards for visualizing data, not for triggering automated remediation actions. Option C is wrong because watchlists are collections of data (e.g., IP addresses or hostnames) used for correlation or filtering in queries, not for executing response actions.

334
MCQmedium

Refer to the exhibit. You are creating a scheduled analytics rule in Microsoft Sentinel using the ARM template snippet. The rule runs every 5 minutes and queries the last 5 minutes of data. The rule is not generating alerts even though malware detections are occurring. What is the most likely issue?

A.The queryPeriod and queryFrequency are the same, causing overlapping windows.
B.The triggerThreshold is set to 0, which should always trigger.
C.The ARM template is missing the required 'kind' property.
D.The table DeviceEvents is not ingested into the Log Analytics workspace.
AnswerD

Without data, no alerts.

Why this answer

Option D is correct because the query uses DeviceEvents, which is a table in Microsoft Defender for Endpoint but not in Sentinel by default unless the connector is configured and data is mapped to that table. Option A is wrong because the query period and frequency are consistent. Option B is wrong because the threshold is 0, so any result should trigger.

Option C is wrong because the ARM template is valid.
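The first thing a practitioner checks in this situation is whether the table the rule queries is receiving data at all, and whether rows exist inside the rule's 5-minute window. The following KQL is an added example and not the exhibit's template or any Microsoft sample; the ActionType value and the 5-minute window are assumptions that mirror the scenario above.

```kql
// Added example: confirm DeviceEvents is actually being ingested before
// suspecting the rule itself. Run each query separately in the Logs blade.

// 1. Daily ingested volume for the DeviceEvents table over the last week.
//    An empty result means the Defender for Endpoint connector is not
//    populating the table, which is the cause named in Option D.
Usage
| where TimeGenerated > ago(7d)
| where DataType == "DeviceEvents"
| summarize IngestedMB = sum(Quantity) by bin(TimeGenerated, 1d)
| order by TimeGenerated asc

// 2. The shape of the scheduled rule's query over its own look-back window
//    (queryPeriod = 5 minutes, as the question states). With a
//    triggerThreshold of 0 any returned row should raise an alert, so zero
//    rows here, while detections are occurring, points at missing data.
DeviceEvents
| where TimeGenerated > ago(5m)
| where ActionType == "AntivirusDetection"   // assumed malware-detection event type
| project TimeGenerated, DeviceName, FileName, SHA256, InitiatingProcessAccountName
```

If query 1 returns rows but query 2 does not, compare the rule's queryPeriod with the ingestion delay for the table (the latest TimeGenerated versus now()) before changing the rule logic.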

335
MCQmedium

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You have configured the Microsoft Defender for Endpoint connector in Sentinel to ingest alerts and incidents. The security team wants to automatically create a Sentinel incident when an MDE alert of severity 'High' or 'Critical' is generated. Additionally, they want to assign the incident to a specific SOC tier based on the alert title. For example, if the alert title contains 'Ransomware', assign to Tier 3; otherwise assign to Tier 2. You need to implement this automation efficiently. You have already enabled the connector and verified that MDE alerts are flowing into Sentinel. What is the best approach?

A.Create an automation rule that triggers when an incident is created with a condition on alert severity, and set the owner to the appropriate group. Then create another automation rule for 'Ransomware' alerts.
B.Configure an automation rule with a condition on the alert title using KQL, then set the owner.
C.Create an automation rule that triggers on incident creation for High and Critical severity. The rule runs a playbook that uses Logic Apps to parse the alert title and assign the incident to the appropriate tier using the Microsoft Sentinel connector 'Update incident' action.
D.Modify the Microsoft Defender for Endpoint analytics rule to include a custom mapping that assigns the incident to a specific owner based on the alert title.
AnswerC

A playbook can parse the alert title and assign the incident to the correct owner.

Why this answer

Option C is correct because it uses a playbook triggered by an automation rule on incident creation, which can then parse the alert title and assign the incident. Option A is wrong because automation rules cannot assign based on alert content directly. Option D is wrong because it's not efficient to modify the analytics rule.

Option B is wrong because automation rules cannot assign owners directly based on dynamic conditions.

336
MCQhard

You are the security operations lead for a multinational company using Microsoft Sentinel. You have deployed a custom analytics rule that uses a KQL query to detect anomalous outbound network traffic. The rule runs every hour and looks back 24 hours. Recently, the rule has been generating a high number of false positives. You need to tune the rule to reduce false positives without missing genuine threats. The rule currently triggers when the count of outbound connections to a single IP exceeds 100 in an hour. You analyze the data and find that legitimate cloud services often trigger the rule. What should you do?

A.Disable the rule and create a new one with a different query.
B.Increase the threshold to 200 connections per hour.
C.Configure a suppression rule to automatically close incidents from those IPs.
D.Modify the KQL query to exclude traffic to known benign IP ranges.
AnswerD

Excluding known good IPs reduces false positives without changing threshold.

Why this answer

Option D is correct because adding known benign IPs to the exclusion list directly reduces false positives from legitimate cloud services while keeping the detection logic intact. Option C is incorrect because suppressing alerts only hides them, not reducing false positives. Option B is incorrect because increasing the threshold may miss real threats.

Option A is incorrect because disabling the rule is not tuning.
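The tuning described above (keep the threshold of 100 connections per hour, exclude known benign destinations) looks like the following in KQL. This is an added example, not the rule from the question or any Microsoft-supplied query; it assumes the rule reads DeviceNetworkEvents from Defender for Endpoint, and the benign ranges are constructed placeholder values from the RFC 5737 documentation blocks.

```kql
// Added example: the detection from the question with an exclusion list for
// known benign IP ranges. The rule runs hourly and looks back 24 hours.

// Constructed placeholder ranges (RFC 5737 documentation blocks). In a real
// workspace keep these in a watchlist, e.g.
//   let BenignRanges = toscalar(_GetWatchlist('BenignIPRanges') | summarize make_list(IpRange));
// so analysts can add a legitimate cloud service without editing the rule.
let BenignRanges = dynamic(["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]);
let Threshold = 100;   // unchanged: the question keeps 100 connections per hour
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where ActionType == "ConnectionSuccess"
| where RemoteIPType == "Public"                       // outbound to the internet only
| where not(ipv4_is_in_any_range(RemoteIP, BenignRanges))   // the tuning step from Option D
| summarize Connections = count(),
            Devices = dcount(DeviceName),
            SampleProcess = any(InitiatingProcessFileName)
          by RemoteIP, Hour = bin(TimeGenerated, 1h)
| where Connections > Threshold
| order by Connections desc
```

Because the exclusion is applied before the summarize step, a genuine threat that contacts a non-excluded address still counts against the same threshold, which is why this approach, unlike raising the threshold, does not widen the blind spot for real attacks.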

337
MCQhard

Your organization uses Microsoft Defender for Cloud with enhanced security features enabled. You need to ensure that all Azure subscriptions are covered by a single Defender for Cloud policy that enforces specific security standards. The policy must be automatically applied to new subscriptions. What should you do?

A.Enable the default Defender for Cloud policy from the Azure portal.
B.Manually assign the policy to each subscription using PowerShell.
C.Create a custom policy initiative and assign it to the root management group.
D.Configure the security contact email for each subscription.
AnswerC

Assigning to the root management group ensures inheritance to all subscriptions.

Why this answer

Assigning a custom policy initiative to the root management group ensures that the policy is inherited by all subscriptions under that management group, including new subscriptions as they are added. This approach enforces consistent security standards across the entire Azure environment without requiring manual intervention for each subscription.

Exam trap

The trap here is that candidates may think enabling the default Defender for Cloud policy (Option A) is sufficient for all subscriptions, but that only applies to the current subscription and does not enforce a custom standard or automatically cover new subscriptions.

How to eliminate wrong answers

Option A is wrong because enabling the default Defender for Cloud policy from the Azure portal only applies the built-in security policy to the current subscription, not to all subscriptions automatically, and does not enforce a single custom standard across multiple subscriptions. Option B is wrong because manually assigning the policy to each subscription using PowerShell does not automatically cover new subscriptions; each new subscription would require a separate manual assignment, defeating the requirement for automatic application. Option D is wrong because configuring the security contact email for each subscription only sets notification recipients for security alerts, not the enforcement of security standards or policies.

338
MCQhard

You are the security operations analyst for a large enterprise that uses Microsoft Sentinel and Microsoft Defender XDR. The environment includes:
- 10,000 Windows 11 devices managed by Microsoft Intune
- 5,000 macOS devices managed by Jamf Pro
- 2,000 Linux servers running Ubuntu 22.04
- Microsoft 365 E5 licenses for all users
- Microsoft Sentinel in the East US region
- Microsoft Defender for Cloud Apps enabled
- Microsoft Defender for Identity deployed
- Microsoft Defender for Office 365 configured
You need to design a solution to meet the following requirements:
1. Ingest security events from all devices (Windows, macOS, Linux) into Microsoft Sentinel.
2. Ensure that all alerts from Microsoft Defender XDR components (including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Defender for Cloud Apps) are automatically correlated into incidents in Microsoft Sentinel.
3. Minimize latency between alert generation in Defender XDR and incident creation in Sentinel.
4. Use the least amount of administrative overhead.
What should you implement?

A.Enable the Microsoft Defender XDR connector for incident correlation. Deploy the Log Analytics agent on all devices to collect events.
B.Enable the Microsoft Defender XDR connector for incident correlation. For Windows devices, use the Windows Security Events via AMA connector. For Linux and macOS, use the Syslog via AMA connector.
C.Use a Logic App to fetch incidents from Microsoft Defender XDR and create incidents in Sentinel. Install the Azure Monitor Agent on all devices.
D.Enable the Microsoft Defender XDR connector and use the Microsoft Graph API to ingest logs from all devices directly into Sentinel.
AnswerB

This meets all requirements with native connectors and minimal overhead.

Why this answer

The Microsoft Defender XDR connector streams incidents from all Defender products into Sentinel with low latency and minimal overhead. For device logs, the Windows Security Events via AMA (Azure Monitor Agent) connector ingests Windows events, and Syslog via AMA ingests Linux and macOS logs (since Jamf Pro can forward logs via Syslog). Option B is correct because it uses the native connectors.

Option A is wrong because the Log Analytics agent is deprecated and not recommended. Option C is wrong because a Logic App adds latency and overhead. Option D is wrong because direct API ingestion is complex and not scalable.

339
MCQeasy

Your organization uses Microsoft Sentinel. You need to provide a SOC analyst with the ability to create and modify incident comments but not delete incidents. Which role should you assign?

A.Global Administrator
B.Microsoft Sentinel Contributor
C.Microsoft Sentinel Reader
D.Microsoft Sentinel Responder
AnswerD

Responder can manage incidents and add comments.

Why this answer

Option D is correct because the Microsoft Sentinel Responder role allows managing incidents, including comments, but not deletion. Option C is incorrect because Reader is read-only. Option B is incorrect because Contributor can delete incidents.

Option A is incorrect because Global Administrator has full access.

340
MCQeasy

Your organization is implementing Microsoft Sentinel. You need to ensure that security events from AWS CloudTrail are collected. What should you configure?

A.Azure Policy to audit AWS resources.
B.AWS S3 connector in Sentinel.
C.Microsoft Defender for Cloud to monitor AWS.
D.A REST API connector to call CloudTrail API.
AnswerB

Directly ingests CloudTrail logs.

Why this answer

The AWS S3 connector in Microsoft Sentinel ingests CloudTrail logs from an S3 bucket. Option A is wrong because Azure Policy is for Azure resources. Option C is wrong because Microsoft Defender for Cloud does not natively ingest AWS logs.

Option D is wrong because a REST API connector would require custom development.

341
MCQeasy

As a security operations analyst, you receive an alert from Microsoft Defender for Identity about a suspicious Kerberos activity. You need to investigate the alert and determine if it is a true positive. What should you use to pivot from the alert to the related user and device timeline?

A.Search for the user in Azure AD audit logs.
B.Open the alert in Microsoft Sentinel and use the investigation graph.
C.From the Microsoft 365 Defender portal, open the alert and click on the user or device name to view their timeline.
D.Use the Microsoft 365 compliance portal to run an eDiscovery search.
AnswerC

Defender for Identity alerts in Microsoft 365 Defender provide direct links to user and device timelines.

Why this answer

Option C is correct because in the Microsoft 365 Defender portal, when you open a Microsoft Defender for Identity alert, you can directly click on the user or device name to pivot to their timeline. This timeline provides a consolidated view of activities, including Kerberos events, authentication attempts, and other related signals, enabling you to quickly assess whether the suspicious Kerberos activity is a true positive without leaving the portal.

Exam trap

The trap here is that candidates may assume they need to use a separate tool like Microsoft Sentinel or Azure AD audit logs for deeper investigation, but the exam tests the knowledge that the Microsoft 365 Defender portal provides a built-in, integrated timeline for direct pivoting from Defender for Identity alerts.

How to eliminate wrong answers

Option A is wrong because Azure AD audit logs focus on directory-level administrative actions (e.g., user creation, password changes) and do not include detailed Kerberos authentication events or device timelines needed for this investigation. Option B is wrong because while Microsoft Sentinel has an investigation graph, the question specifically asks about pivoting from a Defender for Identity alert; the native integration within the Microsoft 365 Defender portal provides the most direct and efficient path to the user and device timeline without requiring a separate SIEM. Option D is wrong because the Microsoft 365 compliance portal and eDiscovery are designed for legal and compliance searches (e.g., mailbox, SharePoint content), not for real-time security event investigation of Kerberos activity.

342
MCQmedium

You are a security analyst for a multinational company with Microsoft Sentinel deployed in a central workspace. You need to grant a team of analysts in the European branch the ability to view incidents and run queries, but they should not be able to modify analytics rules or data connectors. The team already has Microsoft Sentinel Reader role assigned. However, they report that they cannot run KQL queries in the Logs blade. You need to provide the minimum additional permissions. What should you do?

A.Assign the Log Analytics Contributor role to the team on the Sentinel workspace.
B.Assign the Microsoft Sentinel Contributor role to the team on the Sentinel workspace.
C.Assign the Log Analytics Reader role to the team on the Sentinel workspace.
D.Assign the Reader role to the team on the Sentinel workspace.
AnswerC

Log Analytics Reader allows running queries and reading log data.

Why this answer

The Microsoft Sentinel Reader role grants read access to Sentinel data, including incidents, but does not include the ability to run KQL queries in the Logs blade because that requires read permissions on the underlying Log Analytics workspace. The Log Analytics Reader role provides the necessary read access to log data and the ability to execute queries without granting write permissions to analytics rules or data connectors, fulfilling the requirement with minimal privileges.

Exam trap

The trap here is that candidates assume the Microsoft Sentinel Reader role is sufficient for all read operations, but they overlook that running KQL queries in the Logs blade requires separate Log Analytics read permissions, which is a common cross-service dependency tested in SC-200.

How to eliminate wrong answers

Option A is wrong because Log Analytics Contributor role includes write permissions to the Log Analytics workspace, which would allow modifying data connectors and other settings, exceeding the required minimal permissions. Option B is wrong because Microsoft Sentinel Contributor role grants full write access to Sentinel resources, including analytics rules and data connectors, which violates the requirement that the team should not be able to modify these components. Option D is wrong because the Reader role at the Sentinel workspace level does not include the Log Analytics Reader permissions needed to run KQL queries in the Logs blade; it only provides read access to Sentinel-specific resources like incidents and workbooks.

343
MCQeasy

You are managing a Microsoft Sentinel environment. An analyst reports that a scheduled analytics rule is not generating alerts. The rule has been enabled for a week. What is the most likely cause?

A.The rule is disabled due to a cost threshold.
B.The rule has a short lookback period that misses data.
C.The rule's query does not match any events in the workspace.
D.The rule is configured as a real-time rule instead of scheduled.
AnswerC

If the query returns no results, the rule will not generate alerts.

Why this answer

Option C is correct because if the rule's query is not returning results, no alerts are generated. Option A is wrong because the rule is enabled. Option D is wrong because the rule is scheduled, not real-time.

Option B is wrong because the rule has been enabled for a week.

344
MCQmedium

Your security team uses Microsoft Defender XDR to investigate a potential malware outbreak. You need to collect a full memory dump from an affected Windows 10 device for forensic analysis. Which action should you take from the Microsoft Defender XDR portal?

A.Initiate a 'Collect investigation package' action.
B.Isolate the device from the network.
C.Run a full antivirus scan on the device.
D.Restrict app execution on the device.
AnswerA

Correct. This action collects memory dumps and forensic data.

Why this answer

To collect a full memory dump for forensic analysis from a Windows 10 device during a potential malware outbreak, you must initiate a 'Collect investigation package' action from the Microsoft Defender XDR portal. This action gathers a comprehensive set of forensic data, including a full memory dump, event logs, registry hives, and other artifacts, which is essential for deep analysis of malware behavior and persistence mechanisms.

Exam trap

The trap here is that candidates often confuse 'Collect investigation package' with a simple log collection, not realizing it specifically includes a full memory dump, which is the only option that meets the forensic requirement for volatile memory analysis.

How to eliminate wrong answers

Option B is wrong because isolating the device from the network is a containment step to prevent lateral movement, but it does not collect a memory dump or any forensic data. Option C is wrong because running a full antivirus scan only detects and removes known malware based on signatures; it does not capture a volatile memory snapshot needed for forensic analysis. Option D is wrong because restricting app execution is a mitigation technique to block untrusted software, but it does not gather a memory dump or any investigative data.

345
MCQmedium

You are investigating a security incident in Microsoft Sentinel. You need to preserve a snapshot of the investigation including comments, bookmarks, and entities for future reference. What should you do?

A.Create an automation rule to tag the incident
B.Create a bookmark with the relevant data
C.Add the entities to a watchlist
D.Close the incident as a false positive
AnswerB

Bookmarks capture query results, comments, and entities for later use.

Why this answer

Option B is correct because bookmarks in Microsoft Sentinel allow you to preserve a snapshot of an investigation, including comments, bookmarks, and entities, for future reference. Bookmarks capture the state of an investigation at a specific point in time, enabling you to revisit and share the context later.

Exam trap

The trap here is that candidates often confuse bookmarks with watchlists or automation rules, thinking that static data storage or automated actions can preserve an investigation snapshot, but only bookmarks capture the full interactive context including comments and entities.

How to eliminate wrong answers

Option A is wrong because automation rules are used to automate incident response actions (e.g., assigning, changing severity, or triggering playbooks) and do not preserve a snapshot of investigation data like comments and entities. Option C is wrong because watchlists are used to store static data for correlation and matching against events, not to capture a dynamic investigation snapshot with comments and bookmarks. Option D is wrong because closing an incident as a false positive dismisses it without preserving the investigation context; it does not create a persistent record of comments, bookmarks, or entities.

346
MCQeasy

Your organization uses Microsoft Defender for Office 365. You need to ensure that when a user reports a phishing email, the email is automatically analyzed and remediated. What should you configure?

A.Configure User Reported Message settings to use the built-in reporting tool and automated investigation.
B.Configure Anti-Phish policy to move messages to quarantine.
C.Enable Safe Attachments policy.
D.Enable Safe Links policy.
AnswerA

User reported message settings handle reported emails.

Why this answer

Option A is correct because the User Reported Message settings in Defender for Office 365 allow you to configure what happens when users report messages, including automated investigation and remediation. Option C is wrong because Safe Attachments is for scanning attachments. Option D is wrong because Safe Links is for URL protection.

Option B is wrong because Anti-Phish policies detect phishing but don't handle user reports.

347
MCQhard

You are responsible for Microsoft Sentinel pricing. You notice that data ingestion costs are high due to verbose logs from Windows security events. You need to reduce costs while still collecting critical security events. What should you do?

A.Use Common Event Format (CEF) connector instead of Windows Events
B.Change the table plan to Basic Logs
C.Increase the workspace retention period to archive warm data
D.Configure Windows Security Events via AMA connector with event filtering
AnswerD

Filter logs at source to reduce volume.

Why this answer

Option D is correct because the Windows Security Events via AMA connector filters at the source. Its data collection rule offers the All, Common and Minimal event sets plus a Custom option that takes XPath queries, so you can keep the events your detections need (for example 4624, 4625, 4688, 4720) while dropping high-volume noise such as Event ID 5156 (the Windows Filtering Platform permitted a connection). Events that are never sent are never billed, so ingestion volume and cost fall without giving up the visibility your analytics rules depend on.

Exam trap

The trap here is that candidates confuse 'reducing costs' with 'changing retention' (Option C) or 'using a different connector' (Option A), when the real solution is to filter data at the source using the AMA's event filtering capability, which directly addresses ingestion volume.

How to eliminate wrong answers

Option A is wrong because the Common Event Format (CEF) connector is for syslog-based appliances (firewalls, proxies, network devices), not Windows Security Events, so switching connectors does nothing about Windows log volume. Option B is wrong because the Basic Logs plan trades a lower ingestion price for restricted KQL, no use in scheduled analytics rules and a short interactive retention, and not every table supports it; security events you hunt over and alert on need the Analytics plan. Option C is wrong because retention affects storage cost, not ingestion cost, and lengthening interactive (warm) retention makes storage more expensive; moving older data to long-term retention saves on storage but has no effect on the ingestion volume the question is about.
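The following is an added example, not code from the page or from Microsoft, showing what the "filter at the source" answer looks like as an artifact: it builds the data collection rule (DCR) body used by the Windows Security Events via AMA connector with an XPath keep-list, packs the keep-list into several XPath queries when one would exceed the per-query length limit, and estimates the ingestion reduction on a constructed event sample. The keep-list, the sample host, and the 256-character limit are assumptions to verify against your tenant.

```python
"""Added example (not the page's or Microsoft's code) for the AMA event-filtering
answer: build the Data Collection Rule (DCR) body used by the 'Windows Security
Events via AMA' connector with an XPath keep-list, split the keep-list so each
XPath query stays within the per-query length limit, and estimate the ingestion
reduction on a constructed event sample. The keep-list, the sample host and the
256-character limit are assumptions to verify against your tenant."""
from collections import Counter

# Event IDs a typical detection set needs (assumed; tune to your analytics rules).
KEEP_EVENT_IDS = (4624, 4625, 4648, 4672, 4688, 4720, 4728, 4732, 4756, 4768, 4769, 4776)
MAX_XPATH_LEN = 256  # assumed per-query limit for AMA XPath filters; verify in Azure docs


def xpath_for_event_ids(channel, event_ids):
    """One XPath filter in the form AMA accepts: 'Security!*[System[(EventID=... or ...)]]'."""
    clause = " or ".join(f"EventID={eid}" for eid in event_ids)
    return f"{channel}!*[System[({clause})]]"


def xpath_queries(channel, event_ids, max_len=MAX_XPATH_LEN):
    """Greedily pack event IDs into as few queries as fit under max_len each."""
    queries, batch = [], []
    for eid in event_ids:
        if batch and len(xpath_for_event_ids(channel, batch + [eid])) > max_len:
            queries.append(xpath_for_event_ids(channel, batch))
            batch = []
        batch.append(eid)
    if batch:
        queries.append(xpath_for_event_ids(channel, batch))
    return queries


def build_dcr(workspace_resource_id, location, event_ids=KEEP_EVENT_IDS):
    """Body for a Microsoft.Insights/dataCollectionRules resource: the Security
    channel filtered by XPath, streamed as Microsoft-SecurityEvent into the workspace."""
    return {
        "location": location,
        "properties": {
            "dataSources": {
                "windowsEventLogs": [{
                    "name": "securityEventsFiltered",
                    "streams": ["Microsoft-SecurityEvent"],
                    "xPathQueries": xpath_queries("Security", event_ids),
                }]
            },
            "destinations": {
                "logAnalytics": [{
                    "name": "sentinelWorkspace",
                    "workspaceResourceId": workspace_resource_id,
                }]
            },
            "dataFlows": [{
                "streams": ["Microsoft-SecurityEvent"],
                "destinations": ["sentinelWorkspace"],
            }],
        },
    }


def filter_events(events, event_ids=KEEP_EVENT_IDS):
    """Apply the same keep-list to event dicts; returns (kept, Counter of dropped IDs)."""
    keep = set(event_ids)
    kept = [e for e in events if e["EventID"] in keep]
    dropped = Counter(e["EventID"] for e in events if e["EventID"] not in keep)
    return kept, dropped


def reduction_percent(events, event_ids=KEEP_EVENT_IDS):
    """Share of events the filter removes, as a percentage rounded to one decimal."""
    kept, _ = filter_events(events, event_ids)
    return round(100.0 * (1 - len(kept) / len(events)), 1)


# Constructed sample for one noisy host: Windows Filtering Platform events (5156/5158)
# dominate, exactly the pattern that inflates SecurityEvent ingestion.
SAMPLE_EVENTS = ([{"EventID": 5156, "Computer": "srv01"}] * 900
                 + [{"EventID": 5158, "Computer": "srv01"}] * 60
                 + [{"EventID": 4624, "Computer": "srv01"}] * 30
                 + [{"EventID": 4625, "Computer": "srv01"}] * 8
                 + [{"EventID": 4688, "Computer": "srv01"}] * 2)

if __name__ == "__main__":
    import json
    dcr = build_dcr("/subscriptions/<sub>/resourceGroups/<rg>/providers/"
                    "Microsoft.OperationalInsights/workspaces/<workspace>", "eastus")
    # Save the JSON and deploy it, for example with: az monitor data-collection rule create --rule-file
    print(json.dumps(dcr, indent=2))
    print(f"ingestion reduction on sample: {reduction_percent(SAMPLE_EVENTS)}%")
```

Measure before you filter: run a `SecurityEvent | summarize count() by EventID` query over a week to see which IDs carry the volume on your estate, then build the keep-list from the events your analytics rules actually reference. The DCR does nothing about data already in the workspace; it only stops the next gigabyte.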

348
MCQeasy

Your organization uses Microsoft Sentinel to manage security incidents. The security team wants to automatically close low-severity incidents after 24 hours if no activity has occurred. Which feature should you use?

A.Playbooks
B.Automation rules
C.Watchlists
D.Analytics rules
AnswerB

Automation rules can close incidents based on conditions.

Why this answer

Option B is correct because automation rules are the feature that changes incident state (status, severity, owner, tags) based on conditions such as severity. Option A is wrong because a playbook is the Logic App that performs complex actions; it is what an automation rule calls, not the feature the question asks for. Option C is wrong because watchlists are reference data and play no part in the incident lifecycle. Option D is wrong because analytics rules create incidents; they do not close them.

A caveat a practitioner should know: automation rules fire when an incident is created or updated, not on a timer, so the "24 hours with no activity" condition is evaluated by a playbook (or a scheduled Logic App querying the SecurityIncident table) that the automation rule invokes; the rule is still the feature the exam expects you to name.

349
MCQhard

Your SOC uses Microsoft Sentinel and Microsoft Defender for Identity (MDI). You have configured MDI to send alerts to Microsoft 365 Defender. From there, Microsoft Sentinel ingests the alerts via the Microsoft 365 Defender connector. You want to ensure that when MDI detects a suspicious activity, the incident in Microsoft Sentinel is created within 5 minutes. Which factors should you consider?

A.The latency is determined solely by the MDI sensor health and network speed.
B.The incident creation time is controlled by the Microsoft Defender for Cloud Apps connector.
C.The incident will be created within 5 minutes because MDI writes directly to Microsoft Sentinel.
D.The latency depends on the Microsoft 365 Defender connector's polling interval and the analytics rule's frequency.
AnswerD

The connector polls every few minutes, and the analytics rule runs on a schedule.

Why this answer

Option D is correct because the incident creation latency in this architecture depends on two stages: the Microsoft 365 Defender connector, which retrieves alerts and incidents from Microsoft 365 Defender, and any Microsoft Sentinel analytics rule that turns ingested alerts into incidents. Even if MDI raises the alert quickly and Microsoft 365 Defender correlates it, the connector pulls on a polling cycle of a few minutes and the analytics rule runs on its own schedule (often every 5 minutes). The time to an incident in Sentinel is therefore the sum of those stages, so a 5-minute target cannot simply be assumed.

Exam trap

The trap here is that candidates assume MDI alerts flow directly into Microsoft Sentinel with minimal delay, overlooking the polling-based Microsoft 365 Defender connector and the scheduled analytics rule that together introduce cumulative latency.

How to eliminate wrong answers

Option A is wrong because latency is not solely determined by MDI sensor health and network speed; the Microsoft 365 Defender connector's polling interval and analytics rule frequency are the primary bottlenecks. Option B is wrong because the Microsoft Defender for Cloud Apps connector is not involved in this alert flow; MDI alerts go to Microsoft 365 Defender, not directly to Defender for Cloud Apps. Option C is wrong because MDI does not write directly to Microsoft Sentinel; alerts flow through Microsoft 365 Defender and the Microsoft 365 Defender connector, which introduces polling and rule processing delays.

350
MCQmedium

You are a security operations analyst at a company that uses Microsoft Sentinel. You have enabled User and Entity Behavior Analytics (UEBA) to detect anomalies. A new alert fires indicating a user is logging in from an unusual location. However, the user is a known traveler. How can you reduce false positives without disabling the UEBA rule?

A.Add the user to the entity behavior analytics exclusion list.
B.Disable the UEBA anomaly rule for unusual locations.
C.Change the alert severity to Informational.
D.Increase the lookback period for the anomaly detection.
AnswerA

Exclusion list prevents alerts for that user while keeping the rule active.

Why this answer

Option A is correct because Microsoft Sentinel's UEBA allows you to add specific users to an entity behavior analytics exclusion list. This prevents the UEBA engine from generating alerts for that user's anomalous activities, such as logins from unusual locations, without disabling the underlying detection rule. This approach maintains detection coverage for other users while suppressing false positives for known travelers.

Exam trap

The trap here is that candidates may think disabling the rule or changing severity is the correct approach, but Microsoft specifically tests the ability to use entity-level exclusions to handle known exceptions without compromising overall detection coverage.

How to eliminate wrong answers

Option B is wrong because disabling the UEBA anomaly rule for unusual locations would stop all alerts for that anomaly type across all users, not just the known traveler, which is an overly broad and disruptive solution. Option C is wrong because changing the alert severity to Informational does not prevent the alert from being generated; it only changes its classification, so false positives would still clutter the security operations queue. Option D is wrong because increasing the lookback period for anomaly detection would make the UEBA model consider older baseline data, potentially making the detection less sensitive to recent changes and not specifically addressing the false positive for a single known traveler.

351
MCQmedium

Your organization, Fabrikam, has a hybrid environment with on-premises Active Directory and Microsoft Entra ID. You are using Microsoft Sentinel and Microsoft Defender XDR. You have enabled Microsoft Defender for Identity (MDI) to protect on-premises Active Directory. Recently, you received an incident in Microsoft Sentinel indicating a potential DCSync attack from a domain controller. The incident was generated from an MDI alert. You need to investigate the incident and determine if the attack was successful. Which option should you choose?

A.Use the Microsoft Sentinel workbook for MDI to visualize the attack timeline.
B.Use the Microsoft Defender XDR advanced hunting to query the IdentityLogonEvents table for the domain controller.
C.Use the Microsoft Sentinel incident investigation graph to view entities and relationships. Then query the IdentityDirectoryEvents table for the domain controller to see if any directory replication requests were made.
D.Use the Microsoft Defender for Cloud Apps activity log to review the domain controller's activities.
AnswerC

The investigation graph helps identify related entities, and IdentityDirectoryEvents contains the necessary replication events.

Why this answer

Option C is correct because a DCSync attack is an attacker using replication rights (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All) to ask a domain controller for directory data over the MS-DRSR replication protocol, as if the attacker's host were another DC. The MDI sensor on the DC sees that request and reports it in the IdentityDirectoryEvents table, where replication activity appears under its own ActionType value (for example 'Directory Services replication'). Starting from the investigation graph to see which host and account are involved, then querying IdentityDirectoryEvents for replication requests to that DC from a source that is not a known domain controller, gives direct evidence of whether replication was actually performed, which is what decides whether the attack succeeded.

Exam trap

The trap here is that candidates may confuse the IdentityLogonEvents table (logon events) with the IdentityDirectoryEvents table (directory service events), or assume a visualization workbook can replace direct querying for forensic evidence of a DCSync attack.

How to eliminate wrong answers

Option A is wrong because the Microsoft Sentinel workbook for MDI provides visualizations and timelines but does not allow direct querying of the IdentityDirectoryEvents table to confirm specific replication requests; it is a reporting tool, not an investigative query tool. Option B is wrong because the IdentityLogonEvents table tracks authentication events (logons), not directory replication activities; DCSync attacks are not logon events but directory service replication requests. Option D is wrong because Microsoft Defender for Cloud Apps activity log focuses on cloud application activities, not on-premises Active Directory replication events; it would not capture MS-DRSR replication requests from a domain controller.
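The check described above, as an added example that is not part of the original page or Microsoft's code: the "who requested replication from this DC" logic run over constructed IdentityDirectoryEvents-style rows, together with the KQL an analyst would paste into Sentinel or advanced hunting. Column names follow the IdentityDirectoryEvents schema; the ActionType text, the DC inventory and the sample rows are assumptions.

```python
"""Added example (not the page's code) for the DCSync question: run the
'who requested replication from this DC' check over constructed
IdentityDirectoryEvents-style rows. Column names follow the advanced hunting
schema; the ActionType string and the DC inventory are assumptions."""
from collections import Counter

# MDI reports replication requests in IdentityDirectoryEvents; the exact ActionType
# text is assumed here and should be confirmed with `distinct ActionType` in your tenant.
REPLICATION_ACTION = "Directory Services replication"

# The KQL an analyst would run for the same check (assumed DC names). Legitimate
# replication partners are other DCs authenticating with their machine accounts.
KQL = """
IdentityDirectoryEvents
| where Timestamp > ago(7d)
| where ActionType == "Directory Services replication"
| where DestinationDeviceName =~ "dc01.fabrikam.local"
| where DeviceName !in~ ("dc01.fabrikam.local", "dc02.fabrikam.local")
      or AccountName !endswith "$"
| project Timestamp, DeviceName, IPAddress, AccountName, AccountDomain, DestinationDeviceName
"""


def suspicious_replication(rows, known_dcs):
    """Return replication requests that were not made by a known DC's machine account,
    each tagged with the reason it was flagged."""
    dcs = {d.lower() for d in known_dcs}
    hits = []
    for r in rows:
        if r.get("ActionType") != REPLICATION_ACTION:
            continue
        source = (r.get("DeviceName") or "").lower()
        account = r.get("AccountName") or ""
        if source not in dcs:
            reason = "replication request from a host that is not a domain controller"
        elif not account.endswith("$"):
            reason = "replication request from a DC but under a user account, not the machine account"
        else:
            continue  # normal DC-to-DC replication
        hits.append({**r, "Reason": reason})
    return hits


def requests_by_source(hits):
    """Count flagged requests per (source host, account): repeated requests are what
    a DCSync tool produces when it walks the naming context."""
    return Counter((h["DeviceName"], h["AccountName"]) for h in hits)


KNOWN_DCS = ("dc01.fabrikam.local", "dc02.fabrikam.local")  # assumed inventory

# Constructed rows; the two entries from ws-finance-07 are the DCSync evidence.
SAMPLE_ROWS = [
    {"Timestamp": "2024-05-01T09:58:02Z", "ActionType": REPLICATION_ACTION,
     "DeviceName": "dc02.fabrikam.local", "IPAddress": "10.10.0.11",
     "AccountName": "DC02$", "AccountDomain": "fabrikam",
     "DestinationDeviceName": "dc01.fabrikam.local"},
    {"Timestamp": "2024-05-01T10:03:41Z", "ActionType": REPLICATION_ACTION,
     "DeviceName": "ws-finance-07.fabrikam.local", "IPAddress": "10.20.5.43",
     "AccountName": "jdoe", "AccountDomain": "fabrikam",
     "DestinationDeviceName": "dc01.fabrikam.local"},
    {"Timestamp": "2024-05-01T10:03:42Z", "ActionType": REPLICATION_ACTION,
     "DeviceName": "ws-finance-07.fabrikam.local", "IPAddress": "10.20.5.43",
     "AccountName": "jdoe", "AccountDomain": "fabrikam",
     "DestinationDeviceName": "dc01.fabrikam.local"},
    {"Timestamp": "2024-05-01T10:04:10Z", "ActionType": REPLICATION_ACTION,
     "DeviceName": "dc01.fabrikam.local", "IPAddress": "10.10.0.10",
     "AccountName": "svc-backup", "AccountDomain": "fabrikam",
     "DestinationDeviceName": "dc02.fabrikam.local"},
    {"Timestamp": "2024-05-01T10:05:00Z", "ActionType": "Account Password changed",
     "DeviceName": "dc01.fabrikam.local", "IPAddress": "10.10.0.10",
     "AccountName": "DC01$", "AccountDomain": "fabrikam",
     "DestinationDeviceName": ""},
]

if __name__ == "__main__":
    for hit in suspicious_replication(SAMPLE_ROWS, KNOWN_DCS):
        print(hit["Timestamp"], hit["DeviceName"], hit["AccountName"], "->",
              hit["DestinationDeviceName"], "|", hit["Reason"])
```

The second flagged case, a DC host replicating under a user account, is the one the "from a domain controller" wording in the question points at: an attacker with a shell on a DC, or with a DC's credentials, still leaves a request that does not come from the machine account. Treat a hit as confirmation only after checking the source host and account against your change records; a legitimate third-party identity sync product can look identical.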

352
MCQhard

Your organization uses Microsoft Sentinel with a Log Analytics workspace in the East US region. You have deployed the Microsoft Defender for Cloud connector. You notice that security alerts from Defender for Cloud are not appearing as incidents in Sentinel. You have confirmed that the connector is enabled and data is flowing. What is the most likely cause?

A.The Sentinel workspace does not have required permissions to create incidents.
B.There is a delay in incident creation; wait for 24 hours.
C.You need to create an analytics rule with a rule template that uses the SecurityAlert table.
D.The Microsoft Defender for Cloud connector is not properly configured.
AnswerC

Sentinel requires analytics rules to generate incidents from incoming alerts. The connector only ingests the alerts.

Why this answer

Option C is correct because the Defender for Cloud connector only writes alerts to the SecurityAlert table; turning those alerts into incidents needs an analytics rule, in this case a Microsoft security incident creation rule (the connector's "create incidents" option creates that rule for you). Option A is wrong because the permissions that allow ingestion into the workspace also allow incident creation; the missing piece is the rule, not a permission. Option B is wrong because waiting changes nothing when no rule exists to create incidents. Option D is wrong because the scenario states the connector is enabled and data is flowing.

353
MCQhard

Your company uses Microsoft Sentinel and has enabled the Microsoft Defender XDR connector. You notice that incidents from Microsoft Defender for Cloud Apps are not appearing in Microsoft Sentinel. All other Defender XDR incidents appear correctly. What is the most likely cause?

A.The security operations team does not have the appropriate permissions.
B.The Microsoft Defender XDR connector only ingests incidents from Microsoft Defender for Endpoint.
C.The Microsoft 365 E5 license is not assigned to the users.
D.The Microsoft Defender for Cloud Apps data connector is not enabled in Microsoft Sentinel.
AnswerD

You need to enable the Microsoft Defender for Cloud Apps connector separately to ingest its incidents.

Why this answer

Option D is correct. On this question's premise, the Defender XDR connector brings in incidents from the integrated Defender products, but Defender for Cloud Apps alerts reach Microsoft Sentinel only when the Defender for Cloud Apps data connector is also enabled. Option A is wrong because a permissions problem would affect every incident, not only the Cloud Apps ones. Option B is wrong because the Defender XDR connector covers Defender for Endpoint, Defender for Office 365, Defender for Identity and Defender for Cloud Apps, not Endpoint alone. Option C is wrong because connector ingestion depends on the tenant having the products, not on per-user E5 assignments.

354
Multi-Selectmedium

Which TWO actions should you take to optimize cost in Microsoft Sentinel while maintaining security coverage? (Choose two.)

Select 2 answers
A.Enable continuous export for all tables.
B.Purchase a Pay-as-you-go commitment tier.
C.Adjust the interactive retention period for tables that don't need long-term interactive access.
D.Add more tables to ingest data.
E.Use Basic Logs for high-volume, low-value data sources.
AnswersC, E

Reduces storage cost.

Why this answer

Option C is correct because interactive retention beyond the period included with Microsoft Sentinel is billed per GB per month at a higher rate than long-term (archive) retention, which can hold data for up to 12 years. Tailoring the interactive period to how long analysts actually query a table, and letting the rest age into long-term retention, removes that premium for data that is rarely searched. Option E is correct because moving high-volume, low-value sources (verbose network or firewall logs that only need occasional lookups) to the Basic Logs plan cuts the per-GB ingestion price, at the cost of restricted KQL and no use in scheduled analytics rules, which is acceptable for data that never feeds a detection.

Exam trap

The trap here is that candidates often confuse 'commitment tiers' (which reduce per-GB cost) with a direct cost-optimization action, but the question asks for specific actions you take, not pricing models; also, 'continuous export' sounds like a way to offload data, but it actually adds cost and complexity unless used for a specific purpose.

355
MCQeasy

Your organization is implementing Microsoft Sentinel. You need to design a solution to automatically disable a user account in Microsoft Entra ID when a high-severity incident is triggered in Microsoft Sentinel related to that user. Which component should you use?

A.A playbook that uses the Microsoft Graph API to disable the user.
B.An analytics rule that includes a query to disable the user.
C.An automation rule that runs a PowerShell script on a hybrid worker.
D.A workbook that triggers a webhook to disable the user.
AnswerA

Playbooks can automate response actions like disabling a user.

Why this answer

A playbook is the correct component because it is an automated workflow that can be triggered by a Microsoft Sentinel incident. By using the Microsoft Graph API within the playbook, you can programmatically disable a user account in Microsoft Entra ID, which is the required action for a high-severity incident. This aligns with the need for an automated response that integrates Sentinel with identity management.

Exam trap

The trap here is that candidates may confuse automation rules with playbooks, thinking that automation rules can directly execute scripts or API calls, when in fact automation rules only trigger playbooks or run actions like changing incident status, not performing external remediation.

How to eliminate wrong answers

Option B is wrong because an analytics rule produces alerts and incidents from query results; it cannot call APIs or modify Entra ID objects. Option C is wrong because automation rule actions are limited to changing incident properties (status, severity, owner, tags) and running playbooks; they cannot execute scripts, and a hybrid runbook worker belongs to Azure Automation, which would still need a playbook in between to invoke it. Option D is wrong because a workbook is a visualization and reporting tool; it does not trigger webhooks or perform actions.
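One way to implement the playbook's containment step, as an added example that is not the page's or Microsoft's code: the logic a Logic App, or an Azure Function it calls, runs against Microsoft Graph when a High incident names an Entra ID account. The Graph endpoints (PATCH /users/{id} with accountEnabled=false, POST /users/{id}/revokeSignInSessions) are real; the incident and entity field names, the sample incident and the permission names are assumptions.

```python
"""Added example (not the page's or Microsoft's code) for the playbook answer: the
containment logic a Logic App, or an Azure Function it calls, runs against Microsoft
Graph when a High incident names an Entra ID account. Incident and entity field
names are assumed to mirror the Sentinel incident trigger output; the Graph
endpoints (PATCH /users/{id}, POST /users/{id}/revokeSignInSessions) are real."""
import json
import urllib.error
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def plan_containment(incident):
    """Return the ordered Graph calls (method, url, body) for this incident.
    Only High incidents are acted on, and only Account entities that carry an
    Entra ID object id (aadUserId); on-prem-only accounts have nothing to disable here."""
    if incident.get("severity") != "High":
        return []
    calls, seen = [], set()
    for ent in incident.get("entities", []):
        oid = ent.get("aadUserId")
        if ent.get("kind") != "Account" or not oid or oid in seen:
            continue
        seen.add(oid)
        calls.append(("PATCH", f"{GRAPH}/users/{oid}", {"accountEnabled": False}))
        # Disabling alone leaves existing tokens valid until they expire; revoke them too.
        calls.append(("POST", f"{GRAPH}/users/{oid}/revokeSignInSessions", None))
    return calls


def graph_send(method, url, body, token):
    """Real transport: one Graph request with a bearer token, returning the HTTP status.
    The token comes from the playbook's managed identity, which needs a permission such
    as User.EnableDisableAccount.All or User.ReadWrite.All (assumed; check your tenant)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
    })
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def contain(incident, token, send=graph_send):
    """Execute the plan in order and stop at the first failure, so the playbook
    never reports containment while a user is still enabled. Returns the call log."""
    log = []
    for method, url, body in plan_containment(incident):
        status = send(method, url, body, token)
        log.append((method, url, status))
        if status >= 300:
            break
    return log


# Constructed incident in the shape the Sentinel incident trigger exposes (assumed).
SAMPLE_INCIDENT = {
    "title": "Anomalous token use followed by mailbox rule creation",
    "severity": "High",
    "entities": [
        {"kind": "Account", "accountName": "jdoe", "upnSuffix": "fabrikam.com",
         "aadUserId": "3f2d1c00-0000-4000-8000-000000000001"},
        {"kind": "Host", "hostName": "ws-finance-07"},
        {"kind": "Account", "accountName": "svc-legacy", "ntDomain": "FABRIKAM"},  # no aadUserId
    ],
}


def dry_run_send(method, url, body, token):
    """Offline stand-in for graph_send used for the demonstration: sends nothing and
    answers like Graph does (204 for the PATCH, 200 for the POST)."""
    return 204 if method == "PATCH" else 200


if __name__ == "__main__":
    for entry in contain(SAMPLE_INCIDENT, token="<managed-identity-token>", send=dry_run_send):
        print(*entry)
```

Two design points carry over to a real playbook: gate on the incident severity and entity type inside the playbook as well as in the automation rule, so a misconfigured rule cannot disable accounts on a Low incident, and treat a failed disable as a stop condition that surfaces back to the incident rather than silently continuing.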

356
MCQhard

Your organization has Microsoft Defender for Endpoint deployed. You need to configure automatic attack disruption for ransomware attacks. What should you enable?

A.Attack surface reduction rules.
B.Live Response capabilities.
C.Device discovery settings.
D.Automatic attack disruption in Microsoft 365 Defender.
AnswerD

This feature automatically contains compromised assets during active attacks.

Why this answer

Automatic attack disruption in Microsoft 365 Defender is the correct feature to enable because it uses advanced detection signals to automatically contain compromised assets during ransomware attacks, such as isolating devices or blocking accounts, without manual intervention. This capability is specifically designed to stop the spread of ransomware in real time by leveraging Microsoft's threat intelligence and behavioral analytics.

Exam trap

The trap here is that candidates often confuse preventive controls like Attack surface reduction rules with reactive automated response capabilities, assuming that blocking malware execution is equivalent to disrupting an active attack, but automatic attack disruption is a distinct, post-breach containment feature.

How to eliminate wrong answers

Option A is wrong because Attack surface reduction rules are a set of policies that block common malware behaviors (e.g., script execution, Office macro abuse) but do not provide automatic containment of an ongoing ransomware attack; they are preventive, not reactive. Option B is wrong because Live Response capabilities allow security analysts to remotely investigate and remediate devices via a command-line interface, but they require manual initiation and do not automatically disrupt attacks. Option C is wrong because Device discovery settings control how endpoints are identified and inventoried on the network (e.g., via passive or active scanning), which is unrelated to automatic attack disruption.

357
MCQeasy

Your incident response team uses Microsoft Sentinel. You need to automatically assign incidents to the appropriate analyst based on the type of alert. What should you create?

A.An automation rule with an 'Assign owner' action
B.A playbook that runs when an incident is created
C.A watchlist containing analyst names
D.A hunting bookmark to track assignments
AnswerA

Automation rules can directly assign incidents to an owner.

Why this answer

Automation rules in Microsoft Sentinel allow you to define conditions (e.g., alert type) and corresponding actions, including 'Assign owner' to automatically route incidents to the appropriate analyst. This is the native, no-code mechanism for incident assignment based on alert properties, making it the correct choice for this requirement.

Exam trap

The trap here is that candidates often reach for a playbook (which can also set the owner through the Microsoft Sentinel connector in Logic Apps) when the purpose-built automation rule action does the job with no workflow to build or maintain.

How to eliminate wrong answers

Option B is wrong because playbooks are designed for complex, multi-step automation (e.g., enrichment, remediation) and require additional logic to assign ownership, whereas automation rules provide a simpler, direct 'Assign owner' action. Option C is wrong because a watchlist is a static reference list used for correlation or enrichment, not a mechanism to automatically assign incidents to analysts. Option D is wrong because a hunting bookmark is used to save and track interesting queries or results during threat hunting, not to manage incident assignments.

358
Multi-Selectmedium

Which THREE components are part of the Microsoft Defender XDR incident management process?

Select 3 answers
A.Entities
B.Alerts
C.User settings
D.Playbooks
E.Evidence
AnswersA, B, E

Entities like users, devices, IPs are linked to incidents.

Why this answer

Entities are a core component of the Microsoft Defender XDR incident management process because they represent the assets (such as users, devices, mailboxes, and applications) that are involved in an incident. The incident graph automatically links related entities to provide a unified view of the attack story, enabling analysts to pivot from an alert to the affected resources for investigation and response.

Exam trap

The trap here is that candidates often confuse the components of the Microsoft Defender XDR incident management process (entities, alerts, evidence) with automation features like playbooks, which belong to Microsoft Sentinel, not Defender XDR.

359
MCQmedium

You are a SOC analyst investigating a high-severity incident. The incident involves a user who received a phishing email and clicked a link. Microsoft Defender for Office 365 detected the email as phishing and blocked the URL at time of click, but a follow-up investigation reveals that the user's mailbox has suspicious forwarding rules. You need to ensure that similar incidents are automatically remediated in the future. What should you configure in Microsoft Sentinel?

A.Configure entity behavior analytics to automatically block the user.
B.Create an analytics rule that detects suspicious forwarding rules and automatically removes them.
C.Create an automation rule that triggers a playbook to remove the forwarding rule when an incident with the 'Phishing' tactic is created.
D.Add the user to a watchlist that triggers an automated investigation.
AnswerC

Automation rules can trigger playbooks that perform remediation actions like removing forwarding rules.

Why this answer

Option C is correct because automation rules are the trigger mechanism: when an incident matching the condition (here, the Phishing tactic) is created, the rule runs a playbook, and the playbook performs the remediation, for example calling Exchange Online or Microsoft Graph to remove the inbox rule. Option B is wrong because analytics rules detect and create alerts; they take no action on incidents. Option D is wrong because watchlists are reference data and do not trigger investigations. Option A is wrong because entity behavior analytics scores anomalies; it does not block users or remediate.

360
Multi-Selecteasy

Your organization plans to use Microsoft Sentinel for incident management. Which TWO are native incident management features in Sentinel?

Select 2 answers
A.Incident comments and collaboration
B.Incident assignment to specific analysts
C.Automated email notifications on incident creation
D.Integration with ServiceNow via out-of-the-box connector
E.Integration with Microsoft Teams for incident chat
AnswersA, B

Sentinel supports comments on incidents.

Why this answer

Options A and B are correct: incident comments and assignment to an owner are built into the Sentinel incident page. Options C, D and E are achieved through playbooks (Logic Apps) using the Office 365 Outlook, ServiceNow or Microsoft Teams connectors, so they are automation integrations rather than native incident-management features in the sense the question intends.

361
MCQmedium

A SOC analyst suspects a user account is compromised based on anomalous sign-in activity detected by Microsoft Entra ID Protection. The analyst needs to confirm and contain the threat. What is the first action the analyst should take?

A.Reset the user's password immediately
B.Review the user's risk level and sign-in logs in Microsoft Entra ID Protection
C.Disable the user account in Microsoft Entra ID
D.Block the user's sign-in from all locations
AnswerB

First confirm the compromise by reviewing risk and logs.

Why this answer

Option B is correct because the first step when investigating a potential account compromise is to review the user's risk level and sign-in logs in Microsoft Entra ID Protection. This allows the analyst to confirm the threat by examining risk detections, sign-in patterns, and contextual details before taking any containment actions. Prematurely resetting passwords or disabling accounts could disrupt legitimate user activity or alert the attacker without a full understanding of the scope.

Exam trap

The trap here is that candidates often jump to containment actions like resetting passwords or disabling accounts, but the SC-200 exam emphasizes the 'investigate before remediate' principle, where reviewing risk detections and sign-in logs in Entra ID Protection is the mandatory first step to confirm the threat.

How to eliminate wrong answers

Option A is wrong because resetting the user's password immediately without first reviewing the risk level and sign-in logs may lock out a legitimate user or fail to address the root cause, such as a token theft or MFA bypass. Option C is wrong because disabling the user account in Microsoft Entra ID is a containment step that should only be taken after confirming the compromise through risk investigation, as it could cause unnecessary service disruption. Option D is wrong because blocking the user's sign-in from all locations is a reactive containment measure that should follow confirmation of the threat, not precede it, and may not address risks like leaked credentials or session hijacking.

362
Multi-Selectmedium

Your organization uses Microsoft Defender for Cloud and Microsoft Sentinel. You need to ensure that security alerts from Defender for Cloud are automatically synchronized to Sentinel and assigned to the cloud security team. Which three actions should you take?

Select 3 answers
A.Create an automation rule that sets the incident owner to the cloud security team.
B.Manually export alerts from Defender for Cloud to Sentinel daily.
C.Create a playbook that periodically pulls alerts from Defender for Cloud.
D.Enable the Microsoft Defender for Cloud data connector in Sentinel.
E.Configure the connector to create incidents automatically from alerts.
AnswersA, D, E

Correct: Automation rules can assign ownership.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel allow you to automatically assign incident owners based on conditions such as alert severity or source connector. By creating an automation rule that sets the incident owner to the cloud security team, you ensure that every Defender for Cloud alert synchronized to Sentinel is immediately assigned to the appropriate team without manual intervention.

Exam trap

The trap here is that candidates may think a custom playbook or manual export is needed for synchronization, when in fact the native data connector handles ingestion automatically, and automation rules handle assignment without custom code.

363
Multi-Selecthard

You are configuring Microsoft Defender for Cloud Apps with Cloud Discovery. You need to ensure that logs from your network proxies are processed correctly. Which THREE steps are required?

Select 3 answers
A.Upload the log files manually or configure automatic log upload using the log collector.
B.Install the Microsoft Defender for Cloud Apps connector in Sentinel.
C.Enable Azure Information Protection for labeling.
D.Ensure proxy logs are in a supported format such as Common Log Format (CLF).
E.Configure the source IP address ranges of your organization in Defender for Cloud Apps settings.
AnswersA, D, E

Logs must be uploaded for analysis.

Why this answer

Options A, D and E are correct. Cloud Discovery needs the proxy or firewall logs in a format it can parse (Option D), delivered by manual upload or through the log collector for automatic upload (Option A), and it attributes traffic to your organization using the source IP ranges you configure (Option E). Option B is wrong because the Sentinel connector sends Cloud Apps alerts and discovery data on to Sentinel; it plays no part in processing proxy logs. Option C is wrong because Azure Information Protection labeling is unrelated to Cloud Discovery.

364
MCQhard

Your organization uses Microsoft Sentinel with User and Entity Behavior Analytics (UEBA) enabled. You notice that the UEBA is not generating any anomalies for a particular user who has been inactive for 30 days. You have verified that the user's data is being ingested into the workspace. What is the most likely reason?

A.UEBA requires a minimum of 14 days of activity to establish a baseline.
B.The user's license does not include UEBA.
C.UEBA only works with Active Directory data, not Microsoft Entra ID.
D.UEBA is not enabled for the workspace.
AnswerA

Without a baseline, UEBA cannot detect anomalies.

Why this answer

Option A is correct. UEBA builds a per-entity baseline from recent activity before it can score anything as anomalous (the question's premise is a minimum learning period of 14 days), and a user with no activity in the last 30 days has neither a current baseline nor any new activity to score, so no anomalies appear. Option B is wrong because UEBA is enabled for the workspace as a whole, not licensed per user. Option C is wrong because UEBA consumes Microsoft Entra ID sign-in and audit data as well as on-premises Active Directory events. Option D is wrong because the scenario says UEBA is enabled and the user's data is being ingested.

365
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender for Office 365. You have configured incident creation from Microsoft Defender for Office 365 alerts in Microsoft Sentinel. However, you notice that some alerts are not creating incidents. Which step should you take to troubleshoot this issue?

A.Examine the analytics rule that creates incidents from Microsoft Defender for Office 365 alerts and verify the severity threshold.
B.Check the Microsoft 365 Defender portal to confirm that the alerts are being generated.
C.Review the Microsoft Sentinel workbooks for any visualization errors.
D.Verify that the Microsoft Defender for Office 365 data connector in Microsoft Sentinel is connected and data is ingested.
AnswerA

The analytics rule filters alerts; a severity threshold may be too high.

Why this answer

Option A is correct because the analytics rule that maps Microsoft Defender for Office 365 alerts to incidents in Microsoft Sentinel includes a severity threshold filter. If the rule is configured to only create incidents for alerts with a severity of 'High' or 'Medium', alerts with 'Low' severity or 'Informational' will be silently dropped and not generate incidents. Verifying and adjusting this threshold directly addresses the root cause of missing incidents.

Exam trap

The trap here is that candidates often assume the issue is with data ingestion (Option D) or alert generation (Option B), but the actual cause is a misconfigured severity threshold within the analytics rule that silently filters out lower-severity alerts before they can become incidents.

How to eliminate wrong answers

Option B is wrong because checking the Microsoft 365 Defender portal only confirms that alerts are generated at the source, but it does not troubleshoot why those alerts fail to create incidents in Microsoft Sentinel; the issue is in the ingestion or rule logic, not in alert generation. Option C is wrong because Microsoft Sentinel workbooks are visualization tools that display data already ingested; they do not affect incident creation and cannot diagnose why alerts are not being turned into incidents. Option D is wrong because verifying the data connector status ensures data ingestion from Microsoft Defender for Office 365, but if the connector is connected and data is flowing, the problem lies in the analytics rule's configuration (e.g., severity threshold or rule logic), not in the connector itself.

366
MCQhard

You are a security operations engineer for a company that uses Microsoft Defender XDR. You need to create a custom detection rule that alerts when a user performs more than 10 failed logon attempts within 5 minutes from different IP addresses. The rule should use the IdentityLogonEvents table. You have written the KQL query and now need to configure the rule settings in Microsoft 365 Defender. Which configuration should you use for the rule frequency and lookback period to minimize false positives while ensuring timely detection?

A.Run every 5 minutes with a 5-minute lookback.
B.Run every 5 minutes with a 1-hour lookback.
C.Run every 1 hour with no lookback.
D.Run every 24 hours with a 24-hour lookback.
AnswerA

Matches the detection window exactly.

Why this answer

Option A is correct in the terms the question sets: a 5-minute schedule with a 5-minute lookback evaluates exactly the window the detection describes, so each run sees one complete window and a single burst of failures is not counted repeatedly. Option B is incorrect because a 1-hour lookback re-evaluates the same events on up to twelve consecutive runs and aggregates unrelated sessions, inflating false positives. Option C is incorrect because an hourly run with no lookback sees only events present at the moment it runs and misses most of the activity between runs. Option D is incorrect because a 24-hour cadence delays detection by up to a day, which defeats the timeliness requirement.

Practitioner note: Microsoft Defender XDR custom detection rules do not offer a free-form 5-minute schedule or an independent lookback setting. The selectable frequencies are every 24 hours, every 12 hours, every 3 hours, every hour, and Continuous (NRT), and each scheduled frequency carries a fixed lookback (the hourly schedule, for example, checks the past 4 hours). For a burst pattern like this one, the 5-minute window lives in the query itself, and Continuous (NRT) is the frequency that gives the timeliest detection.
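The question says the KQL has already been written but does not show it. The query below is an added example, not taken from the question or from Microsoft, of how that detection is typically shaped for a Defender XDR custom detection rule: it must return Timestamp, ReportId and an entity column (here AccountUpn) so the service can create alerts with entities. It assumes that ActionType == "LogonFailed" marks a failed logon in IdentityLogonEvents and that IPAddress is the source address column.

```kql
// Added example: >10 failed logons for one account from more than one source IP
// within a 5-minute window, shaped for a Defender XDR custom detection rule.
// Assumptions (not from the question): ActionType "LogonFailed" marks a failure,
// and the rule keys on AccountUpn as its impacted entity.
let window = 5m;
let minFailures = 10;
IdentityLogonEvents
| where Timestamp > ago(1h)
| where ActionType == "LogonFailed"
| where isnotempty(AccountUpn) and isnotempty(IPAddress)
// Group per account per 5-minute bin. arg_max keeps Timestamp and ReportId,
// which a custom detection must return next to the entity column.
| summarize arg_max(Timestamp, ReportId),
            FailedAttempts = count(),
            DistinctIPs = dcount(IPAddress),
            SourceIPs = make_set(IPAddress, 20)
            by AccountUpn, Window = bin(Timestamp, window)
| where FailedAttempts > minFailures and DistinctIPs > 1
| project Timestamp, ReportId, AccountUpn, Window, FailedAttempts, DistinctIPs, SourceIPs
```

A fixed 5-minute bin will miss a burst that straddles a bin boundary; if that matters, widen the bin or accept the small delay of a 10-minute one. When you save this as a custom detection, the frequency you pick (see the note above) determines how quickly a matching window produces an alert.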

367
MCQeasy

Your organization uses Microsoft Sentinel. You need to ensure that an incident is automatically assigned to a specific analyst when it is created. What should you create?

A.An analytics rule with an output to a specific user.
B.A playbook triggered by incident creation.
C.An automation rule with an 'Assign incident' action.
D.A watchlist that maps incident types to owners.
AnswerC

Automation rules can assign owner on incident creation.

Why this answer

Option C is correct: automation rules can trigger when an incident is created and include an 'Assign owner' action that sets the owner directly, with no playbook involved. Option B is wrong because a playbook is extra machinery for this task; it would still have to be invoked by an automation rule, and the rule on its own can set the owner.

Option D is wrong because watchlists hold reference data for correlation and enrichment; they take no action on incidents. Option A is wrong because analytics rules generate alerts and incidents and have no notion of an incident owner.

368
MCQhard

A security operations center (SOC) uses Microsoft Sentinel for log management. The SOC manager wants to reduce storage costs by automatically archiving logs that are older than 90 days to long-term retention, but retains the ability to search them if needed. What should the manager configure?

A.Change the table plan to Basic Logs for logs older than 90 days
B.Create a retention policy that deletes logs older than 90 days
C.Configure a data archiving policy in the Log Analytics workspace to archive logs after 90 days
D.Export logs older than 90 days to an Azure Storage account
AnswerC

Archived logs remain searchable (with additional cost).

Why this answer

Option C is correct because configuring a data archiving policy in the Log Analytics workspace automatically moves logs older than 90 days to long-term, low-cost storage while keeping them searchable via the search job or restore feature. This directly meets the SOC manager's requirement to reduce costs without losing the ability to query archived data.

Exam trap

The trap here is that candidates confuse 'archiving' with 'deleting' or 'exporting,' assuming that moving data to cheaper storage must mean losing queryability, whereas Microsoft Sentinel's archive tier preserves searchability through restore or search jobs.

How to eliminate wrong answers

Option A is wrong because a table plan applies to the whole table, not to rows older than 90 days, and the Basic plan is a cheaper ingestion tier for rarely queried data, not an archive: it restricts the KQL you can run, charges per query, and keeps only a short interactive retention. Option B is wrong because a retention policy that deletes logs older than 90 days permanently removes the data, eliminating the ability to search them later. Option D is wrong because exporting logs to an Azure Storage account moves them out of Log Analytics, making them unsearchable via KQL without additional tooling and breaking the requirement for retained searchability.

369
Multi-Selectmedium

Which TWO of the following are valid methods to reduce Microsoft Sentinel data ingestion costs?

Select 2 answers
A.Disable all analytics rules.
B.Switch all data sources to basic logs.
C.Configure basic logs for high-volume verbose data sources.
D.Increase the retention period for all tables.
E.Set a daily data ingestion cap.
AnswersC, E

Basic logs cost less than analytics logs.

Why this answer

Options C and E are correct. Moving high-volume, rarely queried tables to the Basic plan lowers the per-GB ingestion price, and a daily cap stops ingestion for the rest of the day once the limit is reached, which bounds spend. Treat the cap as a guardrail rather than a savings plan: anything sent after the cap is hit is dropped, so size it above normal daily volume and alert when it is approached.

Option A is wrong because disabling analytics rules does not reduce ingestion at all; it only removes detections. Option B is wrong because the Basic plan is supported only for specific tables, and any table that analytics rules query must stay on the Analytics plan. Option D is wrong because longer retention increases, rather than reduces, cost.
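Both cost levers in the correct answers need numbers behind them. The KQL below is an added example, not part of the original question: it reads the workspace's own Usage table to rank the tables that drive billable ingestion (the Basic plan and source-side filtering candidates) and to derive a daily volume baseline for choosing a cap. It assumes the standard Usage schema, where Quantity is megabytes and IsBillable marks chargeable volume.

```kql
// Added example: size the two cost levers from the workspace's Usage table.
// Usage.Quantity is in MB; summed and divided by 1024 to report GB.
let lookback = 30d;
// 1. Which data types drive billable ingestion? These are the candidates for the
//    Basic plan (if the table supports it) or for filtering at the source.
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize IngestedGB = round(sum(Quantity) / 1024, 2) by DataType
| order by IngestedGB desc
| take 15

// 2. What does a normal day look like? Set a daily cap above the 95th percentile,
//    not at the average, or routine peaks will trip it and drop security data.
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
| summarize GBPerDay = sum(Quantity) / 1024 by Day = bin(TimeGenerated, 1d)
| summarize P95GBPerDay = round(percentile(GBPerDay, 95), 2),
            MaxGBPerDay = round(max(GBPerDay), 2),
            AvgGBPerDay = round(avg(GBPerDay), 2)
```

Run the two queries separately in Logs. The first tells you where a Basic-plan change would actually save money; the second gives the floor for a daily cap that bounds cost without silently discarding the security tables you rely on.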

370
MCQhard

You are designing an automation rule in Microsoft Sentinel that should automatically assign incidents to the appropriate analyst based on the incident type. However, the rule fails to assign correctly for some incidents. What should you verify?

A.The order of conditions in the automation rule; ensure more specific conditions are evaluated first.
B.That a playbook has been created to perform the assignment.
C.That the incident assignment rule in Microsoft Entra ID is configured correctly.
D.That the owner (analyst) has the required permissions in Microsoft Sentinel.
AnswerA

Automation rules run sequentially by their Order value, and a later matching rule can overwrite what an earlier one set; verify the order and the overlap between rules' conditions.

Why this answer

Every automation rule whose conditions match an incident runs, in the sequence set by the rule's Order value, and when more than one rule modifies the same property the rule that runs last wins. If a broad rule (e.g., 'all incidents, assign to Tier 1') matches the same incidents as a specific rule (e.g., 'title contains Phishing, assign to the phishing analyst'), the final owner depends purely on which rule runs later, and any incident that matches both is assigned inconsistently with the intent. Checking the order of the rules and tightening the overlapping conditions (for example, excluding phishing incidents from the broad rule) is what fixes the intermittent misassignment.

Exam trap

Microsoft tests the misconception that automation rules are independent of one another or run in parallel. They run sequentially by Order against every incident that matches, and a property set by one rule can be overwritten by a later matching rule.

How to eliminate wrong answers

Option B is wrong because a playbook is not required for assignment; the automation rule's own 'Assign owner' action sets the owner without invoking a playbook. Option C is wrong because Microsoft Entra ID (formerly Azure AD) has no 'incident assignment rule'; incident ownership is managed within Microsoft Sentinel. Option D is wrong because the automation rule runs with the Sentinel service's own permissions, so the analyst's role does not decide whether the owner field gets set; the analyst needs a Sentinel role such as Responder only to work the incident afterwards.

371
MCQmedium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos ticket request. What is the most appropriate first step?

A.Disable the user account.
B.Investigate the alert in the Microsoft 365 Defender portal.
C.Reset the user's password.
D.Reset the krbtgt account password.
AnswerB

Investigation helps determine if the alert is a true positive before taking action.

Why this answer

Option B is correct because the first step when receiving any security alert, including a suspicious Kerberos ticket request from Microsoft Defender for Identity, is to investigate the alert in the Microsoft 365 Defender portal. This portal provides the unified security operations console where you can view the full alert details, related entities, and the MITRE ATT&CK mapping to understand the scope and severity before taking any remediation actions. Prematurely disabling accounts or resetting passwords without investigation can destroy forensic evidence and potentially disrupt legitimate user activity.

Exam trap

The trap here is that candidates often jump to immediate remediation actions like disabling accounts or resetting passwords, forgetting that the first step in any incident response process (as per NIST 800-61 and Microsoft's own guidance) is always investigation and triage to confirm the alert and understand the attack context.

How to eliminate wrong answers

Option A is wrong because disabling the user account without investigation may be premature; the alert could be a false positive or part of a larger attack chain that requires analysis before containment. Option C is wrong because resetting the user's password does not address the root cause of a suspicious Kerberos ticket request, which may involve ticket forgery (e.g., Golden Ticket or Silver Ticket) or Kerberoasting, and password reset alone will not invalidate already issued tickets. Option D is wrong because resetting the krbtgt account password is a drastic, high-impact action that should only be performed as part of a structured response to a confirmed domain compromise (e.g., KRBTGT reset procedure), not as a first step for a single suspicious ticket alert.

372
Multi-Selecthard

Your Microsoft Sentinel workspace ingests logs from multiple regions. You need to reduce data ingestion costs while ensuring that all security events are retained for at least one year for compliance. Which two actions should you take? (Choose two.)

Select 2 answers
A.Configure the table's plan to 'Analytics' for security events and set a retention policy of 90 days, then create an archive policy for up to 1 year.
B.Set the retention policy on the SecurityEvent table to 365 days.
C.Configure the diagnostic setting to send security logs to a separate low-cost storage account.
D.Use Basic Logs for the SecurityEvent table to reduce costs.
AnswersA, B

Analytics plan with archive is cost-effective for long retention.

Why this answer

Options A and B are correct. Option A is the cost lever: keeping the Analytics plan (so analytics rules still run against recent data) with a 90-day interactive retention and a total retention of one year moves days 91 to 365 into the low-cost long-term tier while keeping them reachable through search jobs or restore. Option B satisfies the compliance floor directly by extending the SecurityEvent table's retention to 365 days, at the price of full interactive retention. The two describe different interactive-retention settings for the same table, so in practice you choose one; A is the cheaper way to meet the same one-year floor.

Option D is incorrect because SecurityEvent is not one of the tables that supports the Basic plan, and Basic Logs cannot feed analytics rules; that plan is for high-volume, rarely queried data, not core security events. Option C is incorrect because a diagnostic setting routes logs to a storage account outside the workspace, where they are no longer queryable with KQL in Sentinel, so the data is retained but not searchable in the way the requirement demands.

373
MCQeasy

Your SOC team uses Microsoft Sentinel incident management. They want to automatically assign high-severity incidents to a senior analyst and send a notification to Microsoft Teams. What should you use?

A.Create an automation rule that triggers on incident creation, assigns the incident, and runs a playbook to post to Teams.
B.Create a playbook and attach it directly to the analytics rule.
C.Create a watchlist to define assignment rules and configure a workbook for notifications.
D.Create an analytics rule with incident grouping and assignment.
AnswerA

Automation rules provide the necessary trigger and actions.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger on incident creation (e.g., when severity is 'High'), automatically assign the incident to a specific owner (senior analyst), and then invoke a playbook (Azure Logic App) to post a message to Microsoft Teams. This combines assignment logic with automated notification in a single, manageable rule.

Exam trap

The trap here is that candidates confuse analytics rules (which only generate alerts) with automation rules (which handle post-creation actions like assignment and playbook execution), leading them to incorrectly select option B or D.

How to eliminate wrong answers

Option B is wrong because attaching a playbook directly to an analytics rule is the legacy alert-trigger method, now superseded by automation rules, and it acts on individual alerts rather than on the incident, so it cannot set an incident owner. Option C is wrong because watchlists are used for reference data (e.g., IP addresses) and workbooks are for visualization, not for automated assignment or notification. Option D is wrong because analytics rules generate alerts and can group them into incidents, but they do not support assignment or notification actions; those require automation rules or playbooks.

374
Multi-Selectmedium

Which TWO conditions must be met to enable Microsoft Sentinel UEBA? (Choose two.)

Select 2 answers
A.Microsoft Entra ID P2 licenses must be assigned to users.
B.KQL queries must be created for entity behavior.
C.Microsoft Defender XDR must be onboarded.
D.The SecurityInsights solution must be installed in the workspace.
E.Azure SQL Database must be deployed.
AnswersA, D

Entra ID P2 provides identity protection and user entity data.

Why this answer

Option D is correct because UEBA is a feature of Microsoft Sentinel itself: enabling it requires that Sentinel (the SecurityInsights solution) is installed on the Log Analytics workspace, after which it is switched on from the Sentinel settings with at least one supported data source connected (Microsoft Entra ID sign-in and audit logs, Azure Activity, or Windows security events). Option A is the licensing dependency: the Entra ID sign-in and audit logs from which UEBA builds its user profiles can only be streamed to Log Analytics under a premium Entra ID license, which the question frames as P2 (in practice P1 or P2 covers the export). UEBA does not itself consume Identity Protection risk detections.

Exam trap

The trap here is assuming UEBA comes on with any Sentinel workspace. It has to be enabled explicitly, needs a supported identity or activity data source connected, and depends on the Entra ID licensing that allows those logs to be exported. Options B, C and E describe things UEBA does not need: it ships its own entity-behavior analytics without custom KQL, it works without Defender XDR onboarding, and it writes its results to workspace tables (BehaviorAnalytics, IdentityInfo), not to Azure SQL Database.

375
MCQhard

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel. The rule is enabled but does not assign incidents. What is the most likely issue?

A.The action 'AssignIncident' is not a supported automation rule action.
B.The condition 'Owner' property does not support 'Equals' operator.
C.The trigger type 'Microsoft.SecurityInsights/Incident' is incorrect.
D.The 'assignedTo' value should be a user principal name instead of an email alias.
AnswerA

Assignment is expressed as a ModifyProperties action carrying an owner, not as an action named 'AssignIncident'.

Why this answer

Option A is correct because 'AssignIncident' is not an action kind the Sentinel automationRules resource accepts. The supported kinds are ModifyProperties (which covers status, severity, owner, labels and classification), RunPlaybook, and AddIncidentTask; the portal's 'Assign owner' action is a ModifyProperties action whose configuration carries an owner object. A rule with an unrecognised action kind cannot be deployed, or has no action to execute, which matches the symptom of a rule that is enabled yet assigns nothing. This does not mean automation rules cannot assign incidents (they can, as the preceding questions show); it means the assignment must be expressed as ModifyProperties, not as an invented action name.

Option B is incorrect because the conditions are not what stops assignment; the rule is enabled and fires, and the failing element is the action. Option C is incorrect because the question presents the incident trigger as valid, so the trigger is not the cause. Option D is incorrect because the owner object identifies the user by objectId and userPrincipalName, and the format of the display value is not what prevents assignment here; the invalid action kind is.
