CCNA Mitigate Threats Using Microsoft Defender XDR Questions


1
MCQmedium

A security analyst in Microsoft 365 Defender is investigating an email-based threat. The analyst needs to find all emails that were initially delivered to user inboxes but were later remediated (e.g., moved to junk, deleted, or quarantined) by Zero-Hour Auto Purge (ZAP). Which advanced hunting tables should the analyst query to get both the original email metadata and the post-delivery remediation events?

A.EmailEvents and EmailPostDeliveryEvents
B.EmailEvents and EmailAttachmentInfo
C.EmailPostDeliveryEvents and EmailUrlInfo
D.EmailEvents and CloudAppEvents
AnswerA

Correct. EmailEvents has delivery info; EmailPostDeliveryEvents has ZAP and other post-delivery actions.

Why this answer

To investigate emails that were initially delivered but later remediated by Zero-Hour Auto Purge (ZAP), you need both the original email metadata (from EmailEvents) and the post-delivery remediation actions (from EmailPostDeliveryEvents). EmailEvents provides details like sender, recipient, subject, and delivery status, while EmailPostDeliveryEvents records ZAP actions such as moving to junk, deleting, or quarantining. Querying these two tables together allows you to correlate the initial delivery with the subsequent remediation event.

Exam trap

The trap here is that candidates may think EmailPostDeliveryEvents alone suffices. It does identify the remediation (ActionType values such as 'Phish ZAP', 'Malware ZAP' or 'Manual remediation', plus ActionTrigger and ActionResult), but it carries only NetworkMessageId, recipient and the action taken; sender, subject, threat verdict and the original DeliveryAction/DeliveryLocation live in EmailEvents. Without the join on NetworkMessageId (and RecipientEmailAddress, because a message to several recipients produces one row per recipient) you cannot confirm the message was originally 'Delivered' to the inbox, nor see who sent it or how long it sat there before ZAP acted.

How to eliminate wrong answers

Option B is wrong because EmailAttachmentInfo only contains metadata about email attachments (file name, hashes, file type) and does not include post-delivery remediation events. Option C is wrong because EmailUrlInfo only lists the URLs found in a message (clicks are recorded separately in UrlClickEvents) and lacks the original delivery metadata from EmailEvents, so you cannot see the initial delivery status. Option D is wrong because CloudAppEvents records user and admin activity inside cloud apps (SharePoint, OneDrive, Exchange Online mailbox operations) and does not record mail-flow delivery actions or ZAP remediation.
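The join described above, written out as an added advanced hunting example (this query is not part of the original question bank). It assumes a 7-day lookback and that ActionType for ZAP remediations ends in "ZAP", which is how the EmailPostDeliveryEvents schema names them; adjust the filter if your tenant shows different values.

```kql
// Added example: emails that were delivered to the inbox and later removed by ZAP,
// with the dwell time between delivery and remediation.
// Assumptions: 7-day lookback; ZAP rows have an ActionType ending in "ZAP".
let lookback = 7d;
EmailPostDeliveryEvents
| where Timestamp > ago(lookback)
| where ActionType endswith "ZAP"           // Phish ZAP / Malware ZAP / Spam ZAP; excludes manual remediation
| project ZapTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
          ZapType = ActionType, ZapAction = Action, ActionTrigger, ActionResult
| join kind=inner (
    EmailEvents
    | where Timestamp > ago(lookback)
    | where DeliveryAction == "Delivered"    // originally landed in the mailbox (not Junked/Blocked)
    | project DeliveredTime = Timestamp, NetworkMessageId, RecipientEmailAddress,
              SenderFromAddress, SenderIPv4, Subject, ThreatTypes, DeliveryLocation
  ) on NetworkMessageId, RecipientEmailAddress   // one row per recipient on both sides
| extend DwellTime = ZapTime - DeliveredTime     // how long the message was reachable by the user
| project DeliveredTime, ZapTime, DwellTime, SenderFromAddress, SenderIPv4,
          RecipientEmailAddress, Subject, ThreatTypes, ZapType, ZapAction, ActionResult
| order by DwellTime desc
```

Sorting by DwellTime surfaces the messages that were exposed the longest before ZAP caught up, which is where to look for users who may have already clicked; pair those rows with UrlClickEvents on NetworkMessageId to confirm.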

2
MCQmedium

An organization uses Microsoft 365 Defender. A security analyst wants to identify all devices that have been accessed from a compromised device via RDP in the past 24 hours. Which advanced hunting table should the analyst query?

A.DeviceEvents
B.DeviceNetworkEvents
C.DeviceLogonEvents
D.DeviceProcessEvents
AnswerC

DeviceLogonEvents contains logon events including Remote Desktop logons (LogonType == "RemoteInteractive", the advanced hunting name for Windows logon type 10), together with the RemoteIP and RemoteDeviceName of the machine the logon came from, allowing identification of devices accessed via RDP.

Why this answer

DeviceLogonEvents is the correct table because it records authentication events on every onboarded device, including remote interactive logons such as RDP (LogonType == "RemoteInteractive"; the table uses descriptive strings, not the numeric 10 seen in Windows event 4624). Each row is written on the device that accepted the logon and carries the source in RemoteIP and RemoteDeviceName, so filtering for RemoteInteractive logons with ActionType == "LogonSuccess" and RemoteIP (or RemoteDeviceName) equal to the compromised device within the past 24 hours returns every device that was actually logged on to from that source.

Exam trap

The trap here is that candidates often choose DeviceNetworkEvents thinking network connections alone can identify RDP access, but they fail to realize that only DeviceLogonEvents provides the logon type and authentication context necessary to confirm a successful RDP session.

How to eliminate wrong answers

Option A is wrong because DeviceEvents holds miscellaneous endpoint telemetry (antivirus detections, AMSI script scans, scheduled task creation, firewall events and similar), not logon or network-connection details. Option B is wrong because DeviceNetworkEvents captures network-level connections (TCP/UDP flows with IPs and ports) but does not include logon type or user authentication context; a TCP connection to port 3389 proves an attempt, not a successful session. Option D is wrong because DeviceProcessEvents logs process creation events, which do not directly record RDP logon sessions or authentication outcomes.

3
Matchingmedium

Match each Microsoft Defender for Cloud security alert to its description.

Concepts

Anomalous process run on a VM

Multiple failed login attempts from an IP

Antimalware scan found a threat

Download of a suspicious file from an external source

Unusual outbound data transfer detected

Why these pairings

These are examples of security alerts from Microsoft Defender for Cloud.

4
MCQhard

A global enterprise uses Microsoft 365 Defender across multiple tenants. During an incident, a security analyst needs to search for a specific file hash indicator of compromise (IOC) across all mailboxes and endpoints in all tenants from a single interface. Which feature allows the analyst to run a query across multiple tenants without switching contexts?

A.Cross-tenant advanced hunting
B.Multi-tenant management
C.Unified audit log
D.Microsoft Graph Security API
AnswerA

This feature allows running advanced hunting queries across multiple tenants in one query, enabling IOC searches across all environments.

Why this answer

Cross-tenant advanced hunting in Microsoft Defender XDR lets an analyst run one Kusto Query Language (KQL) query against several tenants at once and get the results back in a single view, which is exactly what a file-hash IOC sweep across mailboxes and endpoints needs. In the product this capability is reached through the multi-tenant management portal (mto.security.microsoft.com): you open advanced hunting there, select the tenants in scope and run the query once, and results come back per tenant. The distinction the question draws is between the hunting capability (option A) and the management portal that hosts it (option B). The query returns data only from tenants where your account has been granted access (for example through Entra B2B or GDAP), so a tenant missing from the results may be an access gap rather than a clean tenant.

Exam trap

The trap here is that candidates often confuse multi-tenant management (a centralized policy and settings tool) with cross-tenant advanced hunting (a query tool), assuming that any 'multi-tenant' feature can run cross-tenant queries, but only cross-tenant advanced hunting supports interactive KQL hunting across tenants.

How to eliminate wrong answers

Option B is wrong because multi-tenant management provides a centralized view for managing settings and policies across tenants, but it does not support running ad-hoc hunting queries for IOCs like file hashes across mailboxes and endpoints. Option C is wrong because the unified audit log aggregates audit records from multiple Microsoft 365 services but is limited to audit events and does not support endpoint data or advanced hunting queries for file hashes. Option D is wrong because the Microsoft Graph Security API enables programmatic access to security alerts and incidents but is not a single interface for running interactive hunting queries across multiple tenants; it requires custom development and does not provide the built-in query experience of advanced hunting.

5
MCQmedium

A security analyst is investigating an incident in Microsoft 365 Defender that involves a user who clicked a phishing link. The analyst wants to find all processes executed on the user's device immediately after the email was opened. Which advanced hunting table should the analyst query to obtain process creation events with timestamps relative to the email event?

A.DeviceProcessEvents
B.EmailEvents
C.DeviceNetworkEvents
D.IdentityLogonEvents
AnswerA

This table stores process creation events on endpoints, suitable for identifying processes executed after a phishing click.

Why this answer

DeviceProcessEvents is the correct table because it stores process creation events (including image name, command line, and timestamp) for all devices onboarded to Microsoft Defender for Endpoint. By querying this table with a time range starting immediately after the email event (identified from EmailEvents), the analyst can correlate the phishing click with subsequent process executions on the user's device.

Exam trap

The trap here is that candidates confuse the table that stores the email event (EmailEvents) with the table that stores the resulting process activity (DeviceProcessEvents), forgetting that process creation data is only in the endpoint-specific table.

How to eliminate wrong answers

Option B (EmailEvents) is wrong because it contains email delivery metadata (sender, recipient, subject, delivery action and location) but no process creation data; it is the table you use to pin down the timestamp of the phishing message, not the endpoint activity. Option C (DeviceNetworkEvents) is wrong because it records network connections (source/destination IP, port, protocol, initiating process) but not process creation events. Option D (IdentityLogonEvents) is wrong because it tracks authentication events from on-premises Active Directory (via Microsoft Defender for Identity) and Microsoft online services (via Defender for Cloud Apps), not process execution on endpoints.

6
Drag & Dropmedium

Arrange the steps to enable and configure Microsoft Defender for Identity (MDI) sensor on a domain controller.


Why this order

MDI sensors are installed on domain controllers to capture and analyze authentication events.

7
MCQhard

An analyst is investigating a data exfiltration incident. They suspect that a user downloaded sensitive files from a SharePoint site and then uploaded them to a non-corporate cloud storage service (e.g., Dropbox) using the same device. Which combination of Advanced Hunting tables should the analyst query to correlate the SharePoint download activity with network connections to external IPs?

A.CloudAppEvents and DeviceNetworkEvents
B.EmailEvents and DeviceNetworkEvents
C.DeviceFileEvents and DeviceNetworkEvents
D.CloudAppEvents and IdentityLogonEvents
AnswerA

CloudAppEvents logs activities in cloud apps like SharePoint, including file downloads (ActionType "FileDownloaded"). DeviceNetworkEvents logs network connections from devices, which can show connections to external services. CloudAppEvents has no device-name column, so the two are correlated on the user (AccountId in CloudAppEvents against InitiatingProcessAccountUpn in DeviceNetworkEvents) within a time window after the download.

Why this answer

CloudAppEvents logs user activities in cloud apps like SharePoint, including file downloads with the file name (ObjectName) and the client IP. DeviceNetworkEvents logs network connections from devices, including connections to external IPs and URLs with the initiating process and account. Combining these tables allows the analyst to correlate the SharePoint download event (from CloudAppEvents) with subsequent network connections to non-corporate cloud storage (from DeviceNetworkEvents) made under the same user account on that user's device, directly mapping the exfiltration path.

Exam trap

The trap here is that candidates often pick DeviceFileEvents (Option C) thinking it logs the SharePoint download locally, but SharePoint downloads are cloud events logged in CloudAppEvents, not local file events.

How to eliminate wrong answers

Option B is wrong because EmailEvents logs email-related activities (send, receive, phishing), not SharePoint file downloads or network connections to external IPs, so it cannot correlate the download with network activity. Option C is wrong because DeviceFileEvents logs local file operations (create, modify, delete) on the device, but SharePoint downloads are cloud-side events not captured locally unless the file is saved to disk; it does not log the cloud download action itself. Option D is wrong because IdentityLogonEvents logs authentication events (logons, logoffs), not SharePoint file activities or network connections, so it cannot correlate the download with external IP connections.
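An added advanced hunting example of the correlation described above (not part of the original question bank). Because CloudAppEvents carries no device name, the join key is the user principal name; the 30-minute window and the list of personal cloud-storage domains are assumed values to tune for your environment.

```kql
// Added example: SharePoint downloads followed, within a window, by outbound connections
// from the same user's device to non-corporate cloud storage.
// Assumptions: 30-minute window; the domain list below is illustrative, not a vetted blocklist.
let window = 30m;
let cloudStorageDomains = dynamic(["dropbox.com", "mega.nz", "wetransfer.com"]);
let downloads =
    CloudAppEvents
    | where Timestamp > ago(1d)
    | where Application == "Microsoft SharePoint Online" and ActionType == "FileDownloaded"
    | extend Upn = tolower(AccountId)                 // AccountId is the UPN for Microsoft 365 apps
    | project DownloadTime = Timestamp, Upn, FileName = ObjectName, ClientIP = IPAddress;
let outbound =
    DeviceNetworkEvents
    | where Timestamp > ago(1d)
    | where ActionType == "ConnectionSuccess"
    | where RemoteUrl has_any (cloudStorageDomains)   // RemoteUrl is empty for bare-IP connections; those need a RemoteIP list
    | extend Upn = tolower(InitiatingProcessAccountUpn)
    | project ConnTime = Timestamp, Upn, DeviceName, RemoteUrl, RemoteIP, RemotePort,
              Process = InitiatingProcessFileName;
downloads
| join kind=inner outbound on Upn
| where ConnTime between (DownloadTime .. (DownloadTime + window))   // upload happens after the download
| summarize Files = make_set(FileName), Connections = count(),
            Destinations = make_set(RemoteUrl), FirstConn = min(ConnTime)
          by Upn, DeviceName, DownloadTime, Process
| order by DownloadTime desc
```

A browser process (msedge.exe, chrome.exe) reaching dropbox.com a few minutes after a batch of downloads is the pattern to look for; compare the ClientIP of the download with the device's LocalIP to confirm the download and the upload came from the same machine.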

8
MCQeasy

An organization uses Microsoft 365 Defender. A security analyst is investigating a malware incident on a user's device. The automated investigation and response (AIR) has already isolated the device from the network. The analyst now needs to collect a copy of a specific suspicious file from the device for further analysis. Which action should the analyst initiate from the device's entity page?

A.Collect investigation package
B.Run antivirus scan
C.Restrict app execution
D.Initiate a live response session
AnswerD

Live response opens a remote shell that is brokered through the Defender for Endpoint cloud service, and its getfile command retrieves a named file; it remains available on an isolated device because isolation preserves the sensor's connection to that service.

Why this answer

Option D is correct because 'Initiate live response session' on the device entity page gives the analyst an interactive session on the device in which the getfile <file_path> command retrieves a specific file (the collected file can then be downloaded from the session), and the fileinfo and findfile commands help locate and fingerprint it first. Network isolation does not block this: when a device is isolated, all traffic is cut except the sensor's connection to the Defender for Endpoint service, and live response rides on that connection. Retrieving the file this way also keeps the analyst's actions in the session's command log for the investigation record.

Exam trap

The trap here is assuming either that isolation blocks live response, or that 'Collect investigation package' can be pointed at a particular file. Isolation explicitly excludes the Defender for Endpoint service connection, so live response still works on an isolated device. The investigation package is a fixed bundle of triage artifacts (Autoruns, installed programs, network connections, prefetch files, running processes, scheduled tasks, the Security event log, services, SMB sessions, system information, temp directory listings, users and groups, and support logs); it does not collect an arbitrary file or a memory dump.

How to eliminate wrong answers

Option A is wrong because the investigation package is a predefined set of artifacts for triage; it does not let the analyst name a file to collect, so the suspicious file would only appear in it if it happened to be referenced by one of the listings (for example as an autorun or a running process). Option B is wrong because 'Run antivirus scan' only triggers a Microsoft Defender Antivirus scan on the device; it does not collect a copy of a file for export. Option C is wrong because 'Restrict app execution' applies a Windows Defender Application Control policy that allows only Microsoft-signed binaries to run, which is a containment action, not a file collection method.

9
MCQmedium

An organization uses Microsoft Defender for Office 365. The security team wants to automatically remove from all user mailboxes any messages that were already delivered but are later identified as malicious. Which feature should they enable?

A.Automated investigation and response (AIR)
B.Zero-hour auto purge (ZAP)
C.Safe Attachments
D.Safe Links
AnswerB

ZAP automatically moves or deletes already delivered messages that are later identified as phishing, malware, or spam.

Why this answer

Zero-hour auto purge (ZAP) is the correct feature because it automatically detects and removes malicious messages that have already been delivered to user mailboxes, including messages retroactively identified as threats after delivery when a verdict or signature is updated. ZAP acts on malware, phishing and spam verdicts by locating the original message in the mailbox and moving it to quarantine or to the Junk Email folder, depending on the verdict and the action configured in the applicable anti-malware, anti-phishing or anti-spam policy. This directly meets the requirement to remove already-delivered malicious messages without manual intervention; each action is recorded in EmailPostDeliveryEvents, which is where an analyst verifies that ZAP actually fired.

Exam trap

The trap here is that candidates confuse ZAP with Safe Attachments or Safe Links, mistakenly thinking those features can retroactively remove delivered messages, when in fact they only protect at the time of delivery or click, respectively.

How to eliminate wrong answers

Option A is wrong because Automated investigation and response (AIR) is a broader incident response capability that orchestrates playbooks across multiple workloads, but it does not automatically remove already-delivered messages from mailboxes; it focuses on investigating and remediating threats at the mailbox or device level after an alert is triggered. Option C is wrong because Safe Attachments is a time-of-delivery protection feature that detonates email attachments in a sandbox before delivery, but it does not retroactively remove messages that were already delivered and later found malicious. Option D is wrong because Safe Links is a time-of-click protection feature that scans URLs in messages and Office documents at the moment a user clicks, but it does not remove already-delivered messages from mailboxes.

10
MCQmedium

In Microsoft 365 Defender, an analyst is investigating an incident where a user's credentials were used to sign in from an unusual geo-location. The analyst wants to find all other sign-in events from the same IP address in the last 7 days. Which Advanced Hunting table should be used?

A.AADSignInEventsBeta
B.IdentityLogonEvents
C.CloudAppEvents
D.DeviceLogonEvents
AnswerA

This table stores Microsoft Entra ID sign-in events, including the source IP, timestamp, and user details.

Why this answer

A is correct because the AADSignInEventsBeta table in Advanced Hunting captures Azure Active Directory sign-in logs, including details like IP address, geo-location, and user principal name. This table is specifically designed for investigating interactive and non-interactive sign-in events from Azure AD, making it the appropriate source to query for all sign-ins from a given IP address over the last 7 days.

Exam trap

The trap here is that candidates often confuse IdentityLogonEvents (on-premises AD) with AADSignInEventsBeta (Azure AD cloud), because both deal with 'logon' events, but the question specifically mentions 'geo-location' and 'Microsoft 365 Defender' context, which points to cloud-based Azure AD sign-ins.

How to eliminate wrong answers

Option B is wrong because IdentityLogonEvents holds authentication events from on-premises Active Directory (via Microsoft Defender for Identity) and from Microsoft online services monitored by Defender for Cloud Apps; it does carry IPAddress and Location columns, but Microsoft Entra ID interactive and non-interactive sign-ins with their full context (application, error code, conditional access result, country and city) are in AADSignInEventsBeta. Option C is wrong because CloudAppEvents records activity inside cloud apps after authentication (file downloads, admin actions, mailbox operations), not the sign-in events themselves. Option D is wrong because DeviceLogonEvents records logons on onboarded endpoints (the equivalent of Windows Security events 4624/4625), not Entra ID cloud sign-ins from an unusual geo-location. Note that AADSignInEventsBeta is populated only for tenants licensed for Microsoft Entra ID P2.

11
MCQeasy

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a ransomware incident. The analyst wants to find all processes that were created with a specific parent process ID. Which column in the DeviceProcessEvents table should the analyst use to filter the parent process?

A.ProcessId
B.ParentProcessId
C.InitiatingProcessId
D.LogonId
AnswerC

InitiatingProcessId holds the PID of the process that created the recorded process; DeviceProcessEvents has no column named ParentProcessId.

Why this answer

In DeviceProcessEvents every row describes a newly created process (ProcessId, FileName, ProcessCommandLine, ProcessCreationTime) together with the process that created it, carried in the InitiatingProcess* columns: InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine and InitiatingProcessCreationTime. Filtering on InitiatingProcessId therefore returns every child spawned by a given parent, which is what you need to trace a ransomware execution chain from the initial loader down to the encryptor and the shadow-copy deletion. The grandparent is available one level further up as InitiatingProcessParentId and InitiatingProcessParentFileName.

Exam trap

The trap here is expecting a column literally named ParentProcessId; no such column exists in DeviceProcessEvents, and a query that references it fails to compile. A second trap is that Windows reuses PIDs, so filtering on InitiatingProcessId alone across a long window can match an unrelated process that later received the same PID; pin the parent by pairing InitiatingProcessId with InitiatingProcessCreationTime (and DeviceId).

How to eliminate wrong answers

Option A is wrong because ProcessId identifies the created process itself, not its parent. Option B is wrong because DeviceProcessEvents does not contain a ParentProcessId column; the parent's PID is exposed as InitiatingProcessId, and the parent's parent as InitiatingProcessParentId. Option D is wrong because LogonId is the identifier of the logon session the process runs in, unrelated to parent-child process relationships.
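An added advanced hunting example of the parent-child query above (not part of the original question bank). The device name, parent PID and parent creation time are assumed values taken from the investigation; the creation time is included so that a reused PID does not pull in an unrelated process tree.

```kql
// Added example: all children of a suspicious process, and each child's own children.
// Assumptions: device name, parent PID and parent creation time come from the alert being worked.
let device      = "WKS-0042";
let parentPid   = 5312;
let parentStart = datetime(2024-05-06T10:15:00Z);   // disambiguates reused PIDs
let children =
    DeviceProcessEvents
    | where Timestamp > ago(7d) and DeviceName == device
    | where InitiatingProcessId == parentPid
      and InitiatingProcessCreationTime == parentStart
    | project ChildTime = Timestamp, ChildPid = ProcessId, ChildName = FileName,
              ChildCmd = ProcessCommandLine, ChildStart = ProcessCreationTime,
              ParentName = InitiatingProcessFileName, ParentPid = InitiatingProcessId;
let grandchildren =
    DeviceProcessEvents
    | where Timestamp > ago(7d) and DeviceName == device
    | project GcTime = Timestamp, GcPid = ProcessId, GcName = FileName, GcCmd = ProcessCommandLine,
              ChildPid = InitiatingProcessId, ChildStart = InitiatingProcessCreationTime;
children
| join kind=leftouter grandchildren on ChildPid, ChildStart   // PID + creation time identifies one process
| project ChildTime, ParentName, ParentPid, ChildPid, ChildName, ChildCmd,
          GcTime, GcPid, GcName, GcCmd
| order by ChildTime asc, GcTime asc
```

Typical ransomware trees show a document reader or script host as the parent, cmd.exe or powershell.exe as the child, and vssadmin.exe, wbadmin.exe or bcdedit.exe as grandchildren; the GcCmd column is where "delete shadows" style arguments appear.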

12
MCQeasy

A user reports receiving a suspicious email that bypassed the spam filter. An analyst opens the Microsoft 365 Defender portal to investigate. Which component provides a detailed entity view of the email including delivery actions, phish simulation details, and campaign information?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365 (Threat Explorer)
C.Microsoft Defender for Identity
D.Microsoft Defender for Cloud Apps
AnswerB

Threat Explorer provides a detailed email entity view including delivery actions, phish simulation, and campaign information.

Why this answer

Microsoft Defender for Office 365's Threat Explorer (now part of the unified investigation experience) provides a detailed entity view of an email, including delivery actions (e.g., delivered to Junk, blocked, or allowed), whether the email was part of a phishing simulation, and the associated campaign information. This tool is specifically designed for deep email threat investigation within the Defender for Office 365 portal, leveraging telemetry from Exchange Online Protection (EOP) and Defender for Office 365.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365's Threat Explorer with Microsoft Defender for Endpoint's advanced hunting, but only Threat Explorer provides the specific email entity view with delivery actions, phish simulation flags, and campaign metadata required for this investigation.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint-level threats (e.g., malware, file-based attacks, and process behaviors) and does not provide email-specific entity views, delivery actions, or phish simulation details. Option C is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals for identity-based attacks (e.g., Kerberoasting, pass-the-hash) and has no capability to inspect email transport or campaign data. Option D is wrong because Microsoft Defender for Cloud Apps (formerly MCAS) provides visibility into cloud application usage and shadow IT, but it does not offer granular email delivery actions, phish simulation flags, or campaign tracking for individual messages.

13
Matchingmedium

Match each Microsoft Sentinel incident management action to its purpose.

Concepts

Designate an owner for the incident

Resolve the incident as false positive or true positive

Document investigation notes

Adjust impact level based on findings

Trigger automated response actions

Why these pairings

These actions are used to manage incidents in Microsoft Sentinel.

14
Multi-Selecthard

A security analyst is investigating a sophisticated attack where an attacker used a compromised account to send a phishing email. The analyst wants to correlate the email event with the subsequent sign-in activity from the same sender's mailbox using Advanced Hunting. Which two tables should the analyst join to link the email sender to the sign-in IP address?

A.EmailEvents and AADSignInEventsBeta
B.EmailPostDeliveryEvents and AADSignInEventsBeta
C.EmailEvents and CloudAppEvents
D.EmailAttachmentInfo and AADSignInEventsBeta
AnswerA

EmailEvents gives the sender (SenderFromAddress), the send time and the connecting IP (SenderIPv4); AADSignInEventsBeta gives that account's sign-ins with IPAddress and geo fields, so the two join on the user principal name.

Why this answer

To correlate a phishing email with the sign-in activity that preceded it, the analyst joins EmailEvents (SenderFromAddress, Timestamp, NetworkMessageId, SenderIPv4) with AADSignInEventsBeta (AccountUpn, IPAddress, Country, City, Timestamp). Normalise both sides to the lower-cased UPN, then keep sign-ins that occurred shortly before each send. A sign-in from an IP that matches neither the user's usual locations nor the organisation's egress addresses, followed within minutes by outbound mail with links or attachments, is strong evidence of account takeover. SenderIPv4 in EmailEvents is the address that connected to Exchange Online (for mail sent through Outlook on the web or Outlook this is typically Microsoft infrastructure), so it does not replace the sign-in IP; AADSignInEventsBeta is the authoritative source for where the attacker came from.

Exam trap

The trap here is that candidates confuse EmailPostDeliveryEvents with EmailEvents. EmailPostDeliveryEvents records only post-delivery actions (ZAP, manual remediation) keyed by NetworkMessageId and recipient and has no sender column, so it cannot link the mail to the sender's identity. Note also that although the question asks for two tables, each option already names a pair, so only option A is correct.

15
MCQmedium

A security analyst is investigating lateral movement in Microsoft 365 Defender. They have identified a compromised device (DeviceA) and want to find all other devices that have been accessed from DeviceA via RDP in the last 24 hours. Which advanced hunting table contains RDP connection events?

A.DeviceNetworkEvents
B.DeviceLogonEvents
C.DeviceProcessEvents
D.IdentityLogonEvents
AnswerA

Correct. DeviceNetworkEvents contains network connection events, including RDP connections, with source and destination IPs and ports.

Why this answer

DeviceNetworkEvents is the correct table because it captures network-level connection events, including outbound RDP (TCP port 3389) connections. When a compromised device initiates an RDP session to another device, the network event is logged here, allowing the analyst to trace lateral movement by filtering for `RemotePort == 3389` and `RemoteIP` of the target.

Exam trap

The trap here is that candidates confuse 'RDP connection events' with authentication events (DeviceLogonEvents) or process creation (DeviceProcessEvents), but the question specifically asks for the table containing the network connection data, not the logon or process launch.

How to eliminate wrong answers

Option B is wrong for this question because DeviceLogonEvents records the authentication on the target device (logon type, account, success/failure, with RemoteIP and RemoteDeviceName of the source), not the outbound connection from DeviceA; it is the right table when you start from the targets and filter RemoteIP to DeviceA, but the question asks for the table holding the connection events themselves. Option C is wrong because DeviceProcessEvents logs process creation (for example an mstsc.exe launch) but not the network connection to the remote RDP port. Option D is wrong because IdentityLogonEvents tracks authentications seen by Defender for Identity (on-premises Active Directory) and Defender for Cloud Apps (Microsoft online services) and does not include device-level RDP network connections. In practice the two views complement each other: DeviceNetworkEvents proves the attempt from the source, DeviceLogonEvents proves which attempts became sessions.

16
MCQhard

A security analyst is investigating a suspected lateral movement attack in Microsoft 365 Defender. The analyst wants to identify all devices where a specific user account (user@contoso.com) had an interactive logon, and then check which of those devices subsequently made outbound RDP connections to other internal IP addresses. Which KQL query approach is most efficient to find this chain?

A.Join DeviceLogonEvents (where AccountName == 'user@contoso.com' and LogonType == 'Interactive') with DeviceNetworkEvents (where RemotePort == 3389) on DeviceName, and filter for NetworkEvents timestamp > LogonEvents timestamp
B.Use IdentityLogonEvents to find the user's logons and join with DeviceNetworkEvents on IP address
C.Query EmailEvents to find emails sent from the user and then check DeviceNetworkEvents on the sender device
D.Union DeviceLogonEvents and DeviceNetworkEvents, then summarize by DeviceName and filter for the user
AnswerA

This joins the two tables on device and ensures temporal ordering to identify lateral movement.

Why this answer

Option A is correct because it directly correlates interactive logon events (DeviceLogonEvents with LogonType == 'Interactive') for the specific user with subsequent outbound RDP connections (DeviceNetworkEvents with RemotePort == 3389) on the same device, using a join on DeviceName and a timestamp filter to ensure the network event occurs after the logon. This approach efficiently identifies the lateral movement chain by linking the initial compromise device to the target device via RDP, leveraging the native schema of Microsoft 365 Defender.

Exam trap

The trap here is that candidates may choose Option B, thinking IdentityLogonEvents covers all logons, but it lacks device-level details and LogonType filtering, which are essential for identifying interactive logons on a specific machine in a lateral movement investigation.

How to eliminate wrong answers

Option B is wrong because IdentityLogonEvents captures cloud identity logons (e.g., Azure AD) and does not include device-level interactive logon details like LogonType, making it unsuitable for identifying interactive logons on specific devices. Option C is wrong because EmailEvents tracks email activities, not logon or network events; it cannot provide the device-level interactive logon or outbound RDP connections needed for lateral movement analysis. Option D is wrong because a union of DeviceLogonEvents and DeviceNetworkEvents would mix disparate event types without preserving the temporal and relational link between a logon and subsequent network connection, and summarizing by DeviceName loses the critical timestamp ordering required to prove the chain.
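An added advanced hunting example that ties together questions 2, 15 and 16 (it is not part of the original question bank): outbound RDP connections recorded on the compromised device are joined to the RemoteInteractive logons they produced on the targets. The device name and the 24-hour window are assumed; the join is on the source IP plus a short time window, so it will mis-attribute if the source sits behind NAT or if several RDP sessions from the same IP overlap.

```kql
// Added example: RDP lateral movement from one compromised device, source side (network)
// joined to destination side (logon). Assumptions: device name; RDP on TCP 3389;
// a logon lands within 5 minutes of the TCP connection.
let sourceDevice = "DEVICEA";
let lookback = 24h;
let rdpOut =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback) and DeviceName == sourceDevice
    | where ActionType == "ConnectionSuccess" and RemotePort == 3389
    | project ConnTime = Timestamp, SourceDevice = DeviceName, SourceIP = LocalIP,
              TargetIP = RemoteIP, Process = InitiatingProcessFileName,
              SourceUser = InitiatingProcessAccountName;
let rdpLogons =
    DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where LogonType == "RemoteInteractive" and ActionType == "LogonSuccess"
    | project LogonTime = Timestamp, TargetDevice = DeviceName, SourceIP = RemoteIP,
              LogonUser = AccountName, LogonDomain = AccountDomain;
rdpOut
| join kind=leftouter rdpLogons on SourceIP       // leftouter keeps attempts that never became a session
| where isnull(LogonTime) or LogonTime between (ConnTime .. (ConnTime + 5m))
| project ConnTime, SourceDevice, SourceUser, Process, TargetIP,
          TargetDevice, LogonTime, LogonUser, LogonDomain
| order by ConnTime asc
```

Rows with a TargetIP but an empty TargetDevice are either failed logons, hosts that are not onboarded, or a scan; rows where LogonUser differs from SourceUser show the attacker switching to a second set of credentials, which is the point at which the scope of the incident grows. The question-16 variant is the same query with the rdpOut side preceded by a DeviceLogonEvents filter for the user's Interactive logons joined on DeviceName.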

17
MCQeasy

A security analyst is investigating a suspicious process on an endpoint and wants to see all changes made to the Windows Registry by that process. Which advanced hunting table should the analyst query to find registry modification events associated with the process?

A.DeviceProcessEvents
B.DeviceRegistryEvents
C.DeviceEvents
D.DeviceFileEvents
AnswerB

DeviceRegistryEvents is the dedicated table for registry events and includes the process that made the change.

Why this answer

DeviceRegistryEvents is the correct table because it specifically captures Windows Registry modification events, including create, modify, and delete operations. For a process-based investigation, this table includes the InitiatingProcessId and InitiatingProcessFileName columns, allowing the analyst to filter by the suspicious process's PID or name to see all registry changes it made.

Exam trap

The trap here is that candidates often confuse DeviceEvents (which sounds generic enough to include registry events) with the dedicated DeviceRegistryEvents table. DeviceEvents is a catch-all for telemetry that has no table of its own (antivirus detections, AMSI script content, scheduled task creation, firewall events and similar); raw registry key and value changes, with RegistryKey, RegistryValueName, RegistryValueData and the previous values, are only in DeviceRegistryEvents.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation events, not registry modifications. Option C is wrong because DeviceEvents is a catch-all table for miscellaneous endpoint telemetry (alerts themselves live in AlertInfo and AlertEvidence) and does not have the registry columns (RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData) that DeviceRegistryEvents provides. Option D is wrong because DeviceFileEvents logs file creation, modification, and deletion events, not registry key or value changes.

18
MCQeasy

In Microsoft 365 Defender, an incident is created automatically. An analyst wants to see all related alerts for that incident. Which tab on the incident details page should the analyst select?

A.Alerts tab
B.Devices tab
C.Users tab
D.Evidence tab
AnswerA

This tab shows all alerts associated with the incident.

Why this answer

The Alerts tab on the incident details page in Microsoft 365 Defender displays all alerts that have been automatically correlated into the incident. Since an incident is a collection of related alerts, selecting the Alerts tab is the correct way for an analyst to view every individual alert that contributed to the incident.

Exam trap

The trap here is that candidates may confuse the Evidence tab (which shows supporting artifacts) with the Alerts tab, not realizing that the Evidence tab only contains a subset of entities and not the full alert list.

How to eliminate wrong answers

Option B (Devices tab) is wrong because it shows the devices involved in the incident, not the alerts themselves. Option C (Users tab) is wrong because it lists the user accounts associated with the incident, not the alerts. Option D (Evidence tab) is wrong because it provides supporting evidence and entities (such as files, IPs, or emails) rather than the full list of alerts.

19
MCQmedium

A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to view all processes that initiated outbound network connections to known malicious IPs on a specific device. Which advanced hunting table should the analyst query?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.DeviceFileEvents
D.DeviceRegistryEvents
AnswerA

Correct. This table logs outbound network connections, including destination IP and the process that initiated the connection.

Why this answer

The DeviceNetworkEvents table in Microsoft 365 Defender captures network connection events, including outbound connections to IP addresses, ports, and protocols. To investigate processes that initiated outbound connections to known malicious IPs on a specific device, this table provides the necessary data, such as the initiating process ID, remote IP, and port. The DeviceProcessEvents table only logs process creation events, not network activity, making it unsuitable for this query.

Exam trap

Microsoft often tests the distinction between process creation events (DeviceProcessEvents) and network connection events (DeviceNetworkEvents), trapping candidates who assume that process logs include network activity.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it logs process creation and termination events, not network connections; it cannot show which processes initiated outbound connections to specific IPs. Option C (DeviceFileEvents) is wrong because it tracks file creation, modification, and deletion events, which are unrelated to network connections. Option D (DeviceRegistryEvents) is wrong because it records registry key modifications, which have no bearing on network communication or IP addresses.
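An added advanced hunting example for the query described above (not part of the original question bank). The device name and the IOC list are assumed; the addresses are from the RFC 5737 documentation ranges and are not real indicators.

```kql
// Added example: which processes on one device talked to known-bad IPs, including failed attempts.
// Assumptions: device name; IOC list is illustrative (documentation ranges, not real indicators).
let device = "WKS-0042";
let iocIps = dynamic(["198.51.100.23", "203.0.113.77"]);
DeviceNetworkEvents
| where Timestamp > ago(30d) and DeviceName == device
| where RemoteIP in (iocIps)
| where ActionType in ("ConnectionSuccess", "ConnectionRequest", "ConnectionFailed")   // failures still show intent
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Attempts = count(),
            Successes = countif(ActionType == "ConnectionSuccess"),
            Ports = make_set(RemotePort)
          by DeviceName, RemoteIP,
             Process = InitiatingProcessFileName, ProcessPath = InitiatingProcessFolderPath,
             CmdLine = InitiatingProcessCommandLine, SHA256 = InitiatingProcessSHA256,
             ParentProcess = InitiatingProcessParentFileName
| order by FirstSeen asc
```

Grouping by SHA256 rather than only by file name matters here: ransomware loaders commonly masquerade as svchost.exe or a browser, and the hash plus ProcessPath outside System32 or Program Files separates the impostor from the real binary. The same SHA256 can then be fed to a file indicator to block it across the tenant.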

20
MCQeasy

A security analyst in Microsoft 365 Defender is investigating an incident that involves a malicious email attachment. Which advanced hunting table should the analyst use to find information about the email including sender, recipient, and subject?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.IdentityLogonEvents
AnswerA

This table stores email metadata including sender, recipient, subject, and delivery status.

Why this answer

The EmailEvents table in Microsoft 365 Defender advanced hunting contains the core email metadata, including sender (SenderFromAddress), recipient (RecipientEmailAddress), and subject (Subject). This table records events such as email delivery, blocking, and filtering actions, making it the primary source for investigating email-related incidents. The other tables focus on specific components like attachments or URLs, not the full email envelope details.

Exam trap

The trap here is that candidates confuse the purpose of the tables, thinking EmailAttachmentInfo or EmailUrlInfo contain the email header data, when in fact they only store metadata about specific elements (attachments or URLs) and must be joined to EmailEvents on NetworkMessageId to get sender, recipient and subject.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it stores details about file names, hashes, and sizes of attachments, but not the sender, recipient, or subject of the email. Option C (EmailUrlInfo) is wrong because it contains URLs extracted from the email body or attachments, not the email's routing or header information. Option D (IdentityLogonEvents) is wrong because it tracks authentication events captured by Microsoft Defender for Identity (on-premises Active Directory) and Microsoft Defender for Cloud Apps, and has no relation to email message metadata.

21
MCQeasy

A security analyst is reviewing a phishing incident in Microsoft 365 Defender. They need to find all users who received a specific email message by searching for the email's Internet Message ID. Which advanced hunting table should the analyst query?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.AADSignInEventsBeta
AnswerA

EmailEvents stores email message metadata, including the Internet Message ID, allowing the analyst to find all recipients of a specific message.

Why this answer

The EmailEvents table in Advanced Hunting stores metadata about email transactions, including the Internet Message ID (a unique identifier defined in RFC 5322). By querying this table with the specific Internet Message ID, the analyst can retrieve all recipients who received that exact email, making it the correct choice for this scenario.

Exam trap

The trap here is that candidates may confuse the Internet Message ID with the NetworkMessageId (the identifier Office 365 assigns to each message and uses as the join key across the Email* tables), or assume the attachment or URL tables contain recipient data, leading them to pick EmailAttachmentInfo or EmailUrlInfo instead of EmailEvents. Remember also that the Internet Message ID is set by the sending system, so it can be missing, duplicated or forged; once the message has been found, pivot on NetworkMessageId.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it stores metadata about email attachments (e.g., file names, hashes), not the email's Internet Message ID or recipient list. Option C (EmailUrlInfo) is wrong because it contains URLs extracted from email bodies, not the email's routing or delivery information. Option D (AADSignInEventsBeta) is wrong because it tracks Azure AD sign-in events (e.g., user authentication), not email delivery or message tracking.
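The query below is an added example and is not part of the original question bank. It covers questions 20 and 21 together: find every recipient copy of a message by its Internet Message ID in EmailEvents, then attach the attachment and URL details from EmailAttachmentInfo and EmailUrlInfo through the NetworkMessageId join key. The Message-ID value and the 30-day lookback are assumed placeholders.

```kusto
// Added example (not from the question bank): one Internet Message ID -> all recipients,
// plus attachments and URLs joined on NetworkMessageId. Message-ID below is made up.
let TargetMessageId = "<8c3f2d1a.0123456789@mail.example.net>";   // keep the angle brackets
let msgs = EmailEvents
    | where Timestamp > ago(30d)
    | where InternetMessageId == TargetMessageId
    | project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject,
              DeliveryAction, DeliveryLocation, LatestDeliveryAction, LatestDeliveryLocation;
// restrict the side tables to the messages found above before summarizing
let attachments = EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where NetworkMessageId in ((msgs | project NetworkMessageId))
    | summarize Attachments = make_set(strcat(FileName, " sha256=", SHA256)) by NetworkMessageId;
let urls = EmailUrlInfo
    | where Timestamp > ago(30d)
    | where NetworkMessageId in ((msgs | project NetworkMessageId))
    | summarize Urls = make_set(Url) by NetworkMessageId;
msgs
| join kind=leftouter attachments on NetworkMessageId
| join kind=leftouter urls on NetworkMessageId
| project Timestamp, NetworkMessageId, SenderFromAddress, RecipientEmailAddress, Subject,
          DeliveryAction, DeliveryLocation, LatestDeliveryAction, LatestDeliveryLocation,
          Attachments, Urls
| order by RecipientEmailAddress asc
```

Left-outer joins keep recipients whose copy had no attachment or URL rows. One Internet Message ID can map to several NetworkMessageId values if the message entered the tenant more than once (for example when forwarded), which is another reason to carry NetworkMessageId in the output rather than collapsing on the sender-supplied ID.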

22
MCQeasy

An analyst is investigating a malware incident in Microsoft 365 Defender and has isolated the compromised device using automated investigation and response. The analyst now needs to collect a copy of a suspicious file from that device for further analysis in a sandbox. Which action should the analyst take from the device's entity page?

A.Initiate 'Collect investigation package' action.
B.Run a live response session and manually download the file.
C.Use the 'Add indicator' to allow the file and then collect.
D.Use the 'Device isolation' action to isolate again with different settings.
AnswerA

This action collects a fixed bundle of forensic artifacts from the device (running processes, network connections, autoruns, scheduled tasks, services, the Security event log, temp-directory listings, users and groups) for offline analysis.

Why this answer

The exam's intended answer is 'Collect investigation package': it is a one-click action on the device page that gathers a standard forensic bundle without an interactive session, and it works on an isolated device because isolation keeps the channel to the Defender for Endpoint service open. Two caveats a practitioner should know: the package contains a predefined set of artifacts, so it does not let you choose a particular file by path, and sandbox submission is done from the file's own page (Deep analysis), not from the package.

Exam trap

The trap here is that candidates often confuse the 'Collect investigation package' action with a live response session, assuming manual file download is required, but the exam tests the understanding that automated collection is the preferred method for gathering forensic data from an isolated device without interactive overhead.

How to eliminate wrong answers

Option B is marked wrong by the exam because a live response session requires interactive, real-time access to the device, which the question frames as unnecessary overhead when an automated collection exists; in practice, `getfile <path>` in a live response session is the action that retrieves a specific named file from an isolated device, so know both. Option C is wrong because 'Add indicator' creates allow or block indicators for a hash, certificate, IP or URL; it does not collect anything. Option D is wrong because isolating the device again with different settings would only change the isolation level (full vs. selective); isolation is a containment action, not a data collection action.

23
MCQeasy

A security analyst is using advanced hunting in Microsoft 365 Defender to investigate a potential brute-force attack against an on-premises Exchange server. The analyst wants to find authentication failures from a specific IP address. Which table should the analyst query?

A.EmailEvents
B.IdentityLogonEvents
C.DeviceLogonEvents
D.CloudAppEvents
AnswerB

IdentityLogonEvents collects authentication events from both cloud and on-premises, including Exchange servers integrated with Active Directory.

Why this answer

IdentityLogonEvents is the correct table because it captures authentication events from Microsoft Defender for Identity, including failed logon attempts against on-premises Active Directory and Exchange servers. This table specifically logs interactive and non-interactive logon failures with source IP details, making it ideal for investigating brute-force attacks from a specific IP address.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (endpoint-focused) with IdentityLogonEvents (identity-focused), forgetting that on-premises Exchange authentication is handled by Active Directory and monitored by Defender for Identity, not by endpoint sensors.

How to eliminate wrong answers

Option A is wrong because EmailEvents tracks email delivery and threat events (e.g., phishing, spam), not authentication failures. Option C is wrong because DeviceLogonEvents logs logon events on endpoints (e.g., Windows devices) via Microsoft Defender for Endpoint, not on-premises Exchange server authentication. Option D is wrong because CloudAppEvents records activities from cloud applications (e.g., Office 365, Azure AD), not on-premises Exchange server logon failures.
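The query below is an added example and is not part of the original question bank. It runs the investigation described above over IdentityLogonEvents: failed logons from one source address, bucketed per ten minutes, with the spread of accounts and target servers so that a brute force against one account and a password spray across many look different. The source IP (TEST-NET-2) and the failure threshold are assumed values.

```kusto
// Added example (not from the question bank): failed logons seen by Defender for Identity
// from one source IP. The address and threshold are assumed; tune them to the environment.
let SuspectIp = "198.51.100.77";
IdentityLogonEvents
| where Timestamp > ago(1d)
| where ActionType == "LogonFailed"
| where IPAddress == SuspectIp
| summarize Failures = count(),
            DistinctAccounts = dcount(AccountName),
            Accounts = make_set(AccountName, 20),
            Targets = make_set(TargetDeviceName, 10),
            Protocols = make_set(Protocol),
            Reasons = make_set(FailureReason)
          by IPAddress, bin(Timestamp, 10m)
| where Failures >= 20
| order by Timestamp asc
```

Read the two counters together: many failures against few accounts is a brute force; a few failures each against many distinct accounts is a spray, which per-account lockout thresholds will not catch. Protocol and FailureReason tell you whether the attempts arrived as NTLM or Kerberos and whether they failed on a bad password or an unknown account, which is useful for deciding whether the attacker holds a valid user list.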

24
MCQhard

An analyst is creating a custom detection rule in Microsoft 365 Defender to detect lateral movement. The rule should trigger when a device (DeviceA) connects to another device (DeviceB) via SMB (port 445) and, within 5 minutes, a scheduled task is created on DeviceB. Which Advanced Hunting query pattern correctly correlates these events across devices?

A.Join DeviceNetworkEvents (where RemoteIP is DeviceB's IP and RemotePort 445) with DeviceEvents (where ActionType == 'ScheduledTaskCreated' and DeviceId == DeviceB's ID) using a time window of 5 minutes
B.Use DeviceProcessEvents to find smb.exe on DeviceA, then join with DeviceFileEvents on DeviceB
C.Use only DeviceNetworkEvents on DeviceA and DeviceB separately
D.Use EmailEvents and DeviceEvents on DeviceB
AnswerA

Correct. This joins the network connection from DeviceA with the scheduled task creation on DeviceB within the specified time window.

Why this answer

Option A is correct because it uses a `join` between `DeviceNetworkEvents` (filtered for SMB traffic on port 445 from DeviceA to DeviceB) and `DeviceEvents` (filtered for `ActionType == 'ScheduledTaskCreated'` on DeviceB) with a 5-minute time window. This directly correlates the network connection with the subsequent scheduled task creation, which is a classic lateral movement pattern (e.g., PsExec or WMI abuse). The time window ensures the events are causally related within the detection rule's scope.

Exam trap

The trap here is that candidates might think `DeviceProcessEvents` is needed to capture the SMB connection (Option B), but SMB is a kernel-mode protocol and not logged as a user-mode process, so `DeviceNetworkEvents` is the correct source for network-level correlation.

How to eliminate wrong answers

Option B is wrong because `DeviceProcessEvents` does not reliably capture SMB connections; `smb.exe` is not a standard process name for SMB traffic (SMB is handled by the kernel via `mrxsmb.sys`), and `DeviceFileEvents` on DeviceB would not directly show scheduled task creation. Option C is wrong because using only `DeviceNetworkEvents` on both devices separately cannot correlate the network connection with the specific scheduled task creation event on DeviceB, missing the required behavioral link. Option D is wrong because `EmailEvents` is irrelevant to lateral movement via SMB and scheduled tasks, and `DeviceEvents` alone on DeviceB does not capture the initiating network connection from DeviceA.
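The query below is an added example and is not part of the original question bank. It implements the Option A pattern end to end, including the step the option glosses over: DeviceNetworkEvents records only the destination IP of the SMB connection, so DeviceNetworkInfo is used to resolve that IP to DeviceB's DeviceId before joining to the ScheduledTaskCreated event. The one-day lookback, the five-minute window and the exclusion of loopback and link-local addresses are assumed choices.

```kusto
// Added example (not from the question bank): SMB from DeviceA, then a scheduled task on
// DeviceB within 5 minutes. Lookback and window are assumed values.
let lookback = 1d;
let window = 5m;
// IP -> DeviceId map from the latest network report per address (IPAddresses is a JSON array)
let ipToDevice = DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    | mv-expand todynamic(IPAddresses)
    | extend Ip = tostring(IPAddresses.IPAddress)
    | where isnotempty(Ip) and Ip !startswith "127." and Ip !startswith "169.254."
    | summarize arg_max(Timestamp, DeviceId) by Ip
    | project Ip, DeviceId;
let smb = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemotePort == 445
    | project SmbTime = Timestamp, SourceDeviceId = DeviceId, SourceDevice = DeviceName,
              SourceProcess = InitiatingProcessFileName, SourceAccount = InitiatingProcessAccountName,
              Ip = RemoteIP;
let tasks = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ScheduledTaskCreated"
    | project TaskTime = Timestamp, ReportId, DeviceId, TargetDevice = DeviceName,
              TaskCreator = InitiatingProcessFileName, TaskCreatorAccount = InitiatingProcessAccountName,
              TaskDetails = AdditionalFields;
smb
| join kind=inner ipToDevice on Ip                  // RemoteIP -> DeviceId of DeviceB
| where SourceDeviceId != DeviceId                  // drop a device talking to itself
| join kind=inner tasks on DeviceId                 // the task must be on that same DeviceB
| where TaskTime between (SmbTime .. (SmbTime + window))
// custom detection rules need Timestamp, ReportId and an entity column such as DeviceId
| project Timestamp = TaskTime, ReportId, DeviceId, SmbTime, Delta = TaskTime - SmbTime,
          SourceDevice, SourceProcess, SourceAccount, TargetDevice,
          TaskCreator, TaskCreatorAccount, TaskDetails
| order by Timestamp desc
```

Two things to expect when running this as a custom detection: the SourceProcess for SMB will usually be System, since the redirector runs in kernel mode, so the useful attribution is SourceAccount and the task's creating process on DeviceB; and the rule's run frequency must be at least as long as the window, or a task created just after the connection can fall between two runs.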

25
Multi-Selectmedium

A security operations center (SOC) is configuring automated investigation and response (AIR) for Microsoft Defender for Office 365. Which of the following actions can be automatically taken when a malicious email is detected by AIR policies? (Choose all that apply.)

Select 2 answers
A.Soft delete the email from user mailbox
B.Add the sender to the user's blocked sender list
C.Quarantine the email
D.Permanently delete the email from all mailboxes
AnswersA, C

AIR can soft delete a malicious email (removing it from the mailbox while keeping it recoverable) and can quarantine it; it deliberately offers no irreversible purge.

Why this answer

Option A is correct because AIR in Microsoft Defender for Office 365 can automatically soft-delete a malicious email from a user's mailbox. Soft deletion moves the email to the Recoverable Items folder, so it can be restored if the verdict turns out to be wrong. Option C is correct because quarantining the message moves it out of the mailbox into the tenant quarantine, where an administrator can review, release or delete it. Both actions are reversible, which is the property that makes them acceptable as automated responses.

Exam trap

The trap here is that candidates often confuse manual user-side actions (like adding a sender to a blocked list) with automated AIR remediation actions, or assume that 'permanently delete' is a valid automated response when Microsoft deliberately avoids irreversible actions in AIR to prevent data loss.

26
MCQeasy

A security analyst is investigating an incident in Microsoft 365 Defender where a device is detected as infected with a trojan. The analyst wants to use automated investigation to contain the threat. Which action can be automatically taken on the affected device as part of a standard AIR playbook for endpoint detection and response?

A.Remove the user account from the device.
B.Execute a full antivirus scan on the device.
C.Disable the network adapter.
D.Initiate a device isolation.
AnswerD

Device isolation is a standard AIR action that quarantines the device from the network while allowing communication with Microsoft 365 Defender services for management.

Why this answer

In Microsoft Defender for Endpoint, the Automated Investigation and Response (AIR) playbook for endpoint detection and response includes the ability to isolate a device from the network. This action stops the device from communicating with other devices or the internet, containing the threat while allowing the investigation to continue. Option D is correct because device isolation is a standard containment action in the AIR playbook for trojan infections.

Exam trap

The trap here is that candidates often confuse 'run a full antivirus scan' (a remediation action) with 'containment' (a first-step action), leading them to select Option B instead of recognizing that isolation is the primary automated containment action in the AIR playbook.

How to eliminate wrong answers

Option A is wrong because removing a user account is not an automated action in the AIR playbook; user account management is a manual remediation step and does not contain the threat at the device level. Option B is wrong because a full antivirus scan is a device response action that an analyst triggers from the device page; it is a remediation step, not an automated containment action in the standard AIR playbook, which prioritises containment. Option C is wrong because disabling the network adapter is not a supported automated action in the AIR playbook; device isolation achieves the same goal by blocking network communication at the Defender platform level without physically disabling the adapter.

27
MCQeasy

A security analyst in Microsoft 365 Defender is investigating an incident that contains multiple alerts from different sources (e.g., Microsoft Defender for Endpoint, Microsoft Defender for Office 365). The analyst wants to see a consolidated list of all alerts associated with the incident, including their severity, status, and detection source. Which tab within the incident details page should the analyst use?

A.Alerts tab
B.Devices tab
C.Users tab
D.Mailboxes tab
AnswerA

Correct. The Alerts tab shows all alerts grouped under the incident.

Why this answer

The Alerts tab on the incident details page in Microsoft 365 Defender provides a consolidated, filterable list of all alerts linked to the incident, regardless of their source (e.g., Microsoft Defender for Endpoint, Microsoft Defender for Office 365). This tab displays each alert's severity, status, and detection source, allowing the analyst to triage and correlate alerts from different workloads in a single view. The other tabs focus on specific entities (devices, users, mailboxes) rather than the unified alert list.

Exam trap

The trap here is that candidates may confuse the entity-specific tabs (Devices, Users, Mailboxes) with the alert-centric view, mistakenly thinking those tabs also show alert metadata, but they only show associated entities and their properties, not the consolidated alert list with severity and detection source.

How to eliminate wrong answers

Option B is wrong because the Devices tab shows only the devices involved in the incident, not a consolidated list of alerts with their severity, status, and detection source. Option C is wrong because the Users tab lists user accounts related to the incident, not the alerts themselves. Option D is wrong because the Mailboxes tab displays only mailboxes associated with the incident, not the cross-source alert summary.

28
Drag & Dropmedium

Arrange the steps to configure an Azure Sentinel data connector for Windows Security Events via Azure Monitor Agent in the correct order.

Steps in the correct order:

1. Install the Azure Monitor Agent on the Windows hosts.
2. Create a data collection rule (DCR) with the Windows Security Events data source, choosing which events to stream.
3. Associate the DCR with the Log Analytics workspace that Microsoft Sentinel uses (and with the target machines).
4. Verify that events arrive in the workspace's SecurityEvent table.

Why this order

The Azure Monitor Agent uses DCRs to define data sources; the agent must be installed, then a DCR is created with the security events source, associated with the workspace, and finally verified.

29
Multi-Selecthard

An analyst writes an advanced hunting query to investigate a suspicious executable that initiated outbound connections. Which two Microsoft 365 Defender tables are most relevant? (Choose 2.)

Select 2 answers
A.DeviceProcessEvents.
B.DeviceNetworkEvents.
C.EmailAttachmentInfo.
D.IdentityInfo.
AnswersA, B

DeviceProcessEvents contains process creation and command-line details; DeviceNetworkEvents contains the connections those processes opened.

Why this answer

DeviceProcessEvents is correct because it records process creation events, including the executable that initiated the outbound connection. By querying this table, you can identify the suspicious executable's name, command line, hashes and parent process, which is essential for tracing the origin of the malicious activity. DeviceNetworkEvents is correct because it records each connection (RemoteIP, RemotePort, RemoteUrl, Protocol) together with the InitiatingProcess* columns, so the two tables can be joined on DeviceId plus process ID and process creation time to tie the executable to its traffic.

Exam trap

The trap here is that candidates may mistakenly choose EmailAttachmentInfo thinking the executable arrived via email, but the question focuses on the executable's outbound connections, not its delivery method.

30
MCQmedium

A security analyst is using Microsoft 365 Defender and discovers that a legitimate business application has been incorrectly blocked as malicious by an automated investigation. The analyst needs to unblock this application immediately so it can run on all endpoints in the organization. What action should the analyst take from the file's entity page in Microsoft 365 Defender?

A.Add an indicator to allow the file
B.Submit the file to Microsoft for analysis
C.Remove the existing indicator for the file
D.Restore the file from quarantine
AnswerA

Correct. Creating an allow indicator for the file's hash or certificate forces Microsoft 365 Defender to treat the file as trusted, preventing future blocks.

Why this answer

Adding an indicator to allow the file creates a custom indicator (Settings > Endpoints > Indicators) for the file's hash (SHA-1, SHA-256 or MD5) that explicitly overrides the automated investigation's verdict. Scoped to all device groups, it permits the file to run on every endpoint in the organization as soon as devices receive the updated indicator set. A hash indicator matches only that exact build, so a new version of the application needs a new indicator, or a certificate indicator if the vendor signs its releases.

Exam trap

The trap here is that candidates confuse the immediate unblocking action (adding an allow indicator) with the longer-term feedback process (submitting to Microsoft) or with post-remediation steps (restoring from quarantine), failing to recognize that custom indicators provide real-time override capability for automated investigations.

How to eliminate wrong answers

Option B is wrong because submitting the file to Microsoft for analysis is a feedback mechanism for improving detection algorithms, not an immediate remediation action to unblock a file that is already blocked. Option C is wrong because removing an existing indicator would only eliminate a previous custom rule; it does not address the current block caused by the automated investigation's verdict. Option D is wrong because restoring the file from quarantine applies only to files already quarantined on individual endpoints, not to preventing future blocks across all endpoints from the automated investigation.

31
MCQeasy

A security analyst is investigating a suspicious process on an endpoint and needs to see all network connections initiated by that process. The analyst knows the ProcessId and DeviceName. Which advanced hunting table in Microsoft 365 Defender should the analyst query to retrieve network connection details associated with this process?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceEvents
D.IdentityLogonEvents
AnswerB

Correct. This table logs network connections made by processes, including the initiating ProcessId, allowing correlation with the suspicious process.

Why this answer

The DeviceNetworkEvents table in Microsoft 365 Defender is specifically designed to capture network connection events, including source and destination IP addresses, ports, protocols, and the initiating process ID (ProcessId). By querying this table with the known ProcessId and DeviceName, the analyst can retrieve all network connections initiated by that process, making it the correct choice for this investigation.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which shows process creation) with DeviceNetworkEvents (which shows network activity), assuming process events include network details, but Microsoft Defender XDR separates these concerns into distinct tables for granular hunting.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation events (command line, parent, hashes), not network connections; it would show the process start but not its network activity. Option C is wrong because DeviceEvents is a catch-all table for miscellaneous endpoint events (antivirus detections, scheduled task creation, PowerShell commands, USB device events and so on) and does not carry the per-connection remote address and port with process mapping that DeviceNetworkEvents does. Option D is wrong because IdentityLogonEvents tracks user authentication and logon events (e.g., successful/failed logins, Kerberos tickets) and has no relation to process-level network connections.

32
MCQhard

A security analyst is investigating a complex incident in Microsoft 365 Defender that involves multiple stages: a phishing email, credential theft, and lateral movement. The analyst wants to view a visual representation of the attack chain, showing how alerts and entities are related. Which feature should the analyst use?

A.Incident graph
B.Advanced hunting
C.Automated investigation
D.Alert timeline
AnswerA

This feature shows a graphical representation of the attack chain.

Why this answer

The incident graph in Microsoft 365 Defender provides a visual, interactive map of the entire attack chain, linking alerts, entities (such as users, devices, and IPs), and suspicious activities. This allows the analyst to see the progression from the phishing email to credential theft and lateral movement in a single view, making it the correct tool for understanding complex, multi-stage incidents.

Exam trap

The trap here is that candidates often confuse the alert timeline (a simple chronological list) with the incident graph (a relational visualization), or they assume Advanced hunting is the only way to correlate events, missing the purpose-built visual tool for attack chain analysis.

How to eliminate wrong answers

Option B (Advanced hunting) is wrong because it is a query-based tool for searching raw data across tables (e.g., EmailEvents, IdentityLogonEvents) and does not provide a pre-built visual representation of the attack chain; it requires the analyst to manually construct queries to correlate events. Option C (Automated investigation) is wrong because it focuses on automatically running playbooks and remediation actions on alerts, not on visualizing the relationships between alerts and entities in an attack chain. Option D (Alert timeline) is wrong because it shows a chronological list of alerts for an incident but lacks the graphical entity-relationship mapping that the incident graph provides, making it insufficient for understanding complex lateral movement paths.

33
Matchingmedium

Match each Microsoft 365 Defender workload to its description.

Pairings:

Microsoft Defender for Endpoint: Protects endpoints from cyber threats

Microsoft Defender for Office 365: Safeguards email and collaboration tools

Microsoft Defender for Identity: Detects identity-based attacks using Active Directory signals

Microsoft Defender for Cloud Apps: Provides visibility and control over cloud apps

Microsoft Defender for Cloud: Secures multicloud and hybrid environments

Why these pairings

These are the main workloads that feed Microsoft 365 Defender. Microsoft Defender for Cloud is a separate Azure service whose alerts are integrated into the same portal, which is why it is listed alongside the others here.

34
MCQhard

A security analyst is investigating an advanced persistent threat campaign that involves lateral movement using RDP. The analyst suspects that an attacker uses RDP from DeviceA to DeviceB, and then within a few minutes executes a malicious PowerShell script on DeviceB. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when this pattern occurs. Which KQL query pattern should be used to correlate these events across devices?

A.Use a self-join: query DeviceProcessEvents for mstsc.exe, extract the target device (e.g., from command line), and then join with another query on DeviceProcessEvents for PowerShell on the target device where the time difference between the events is less than 10 minutes.
B.Query DeviceNetworkEvents for RDP connections (port 3389) and then join with DeviceProcessEvents for PowerShell on the same device.
C.Use the 'union' operator to combine all mstsc.exe and PowerShell events, then summarize by device and time.
D.Query DeviceLogonEvents for RDP logon type and then join with DeviceProcessEvents for PowerShell on the same device.
AnswerA

This pattern correctly joins the two event sequences: the RDP client process on the source device and the subsequent script execution on the target device, with a time constraint to correlate them.

Why this answer

Option A is correct because it uses a self-join on DeviceProcessEvents to first detect the mstsc.exe process (RDP client) on DeviceA, extract the target device name from the command line, and then join with a second query on DeviceProcessEvents for PowerShell on DeviceB. The join condition includes a time difference of less than 10 minutes, which directly correlates the lateral movement (RDP) with the subsequent malicious script execution across devices, matching the described attack pattern. Note that the target host appears in the command line only when mstsc.exe was launched with /v:<host> (for example from a script or shortcut); a host typed into the Remote Desktop Connection window does not, so in practice the RemoteInteractive logon on DeviceB in DeviceLogonEvents (which records the source's RemoteIP and RemoteDeviceName) is the more reliable anchor.

Exam trap

The trap here is that candidates often choose options that only correlate events on a single device (like B or D) or use aggregation operators like 'union' (C) that lose the cross-device temporal sequence, failing to recognize that the self-join pattern is required to correlate events across different devices in a lateral movement scenario.

How to eliminate wrong answers

Option B is wrong because it queries DeviceNetworkEvents for RDP connections (port 3389) and joins with DeviceProcessEvents on the same device, which would only correlate events on a single device (e.g., DeviceB) and fails to capture the cross-device lateral movement from DeviceA to DeviceB. Option C is wrong because using the 'union' operator to combine all mstsc.exe and PowerShell events and then summarizing by device and time loses the critical sequence and cross-device correlation; it cannot enforce that the RDP connection from DeviceA precedes the PowerShell execution on DeviceB within a specific time window. Option D is wrong as written because it pivots only on DeviceB: an RDP logon (LogonType RemoteInteractive) joined to PowerShell on the same device never looks at the mstsc.exe execution on DeviceA that the question asks to correlate. DeviceLogonEvents does record RemoteIP and RemoteDeviceName for such logons, so it can identify where the session came from, but the option does not use those columns to tie the logon back to the source-device process.
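The query below is an added example and is not part of the original question bank. It implements the Option A self-join: pull the target host out of the mstsc.exe command line with a regular expression, normalise it to a short host name so that it joins DeviceName on the other side, and require PowerShell on that host within ten minutes. The one-day lookback, the ten-minute window and the regular expression (which handles the /v:host, /v host, -v:host and /v:host:port forms) are assumed choices.

```kusto
// Added example (not from the question bank): mstsc.exe launched with an explicit target,
// then PowerShell on that target within 10 minutes. Only works when the host was given
// as /v:; a host typed into the mstsc window never reaches the command line.
let lookback = 1d;
let window = 10m;
let rdpClients = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "mstsc.exe"
    | extend TargetRaw = extract(@"(?i)[/-]v:?\s*([^\s]+)", 1, ProcessCommandLine)
    | where isnotempty(TargetRaw)
    // strip a trailing :port, then keep the short host name in lower case
    | extend TargetHost = tolower(tostring(split(trim_end(@":\d+$", TargetRaw), ".")[0]))
    | project RdpTime = Timestamp, SourceDevice = DeviceName, SourceAccount = AccountName,
              RdpCommandLine = ProcessCommandLine, TargetHost;
let psOnTarget = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe", "powershell_ise.exe")
    // "deviceb" must join "deviceb.corp.example", so compare short names
    | extend TargetHost = tolower(tostring(split(DeviceName, ".")[0]))
    | project PsTime = Timestamp, ReportId, DeviceId, TargetDevice = DeviceName, TargetHost,
              PsAccount = AccountName, PsParent = InitiatingProcessFileName,
              PsCommandLine = ProcessCommandLine;
rdpClients
| join kind=inner psOnTarget on TargetHost
| where PsTime between (RdpTime .. (RdpTime + window))
| where SourceDevice !~ TargetDevice                 // genuine cross-device movement only
| project Timestamp = PsTime, ReportId, DeviceId, RdpTime, Delta = PsTime - RdpTime,
          SourceDevice, SourceAccount, RdpCommandLine,
          TargetDevice, PsParent, PsAccount, PsCommandLine
| order by Timestamp desc
```

The output keeps Timestamp, ReportId and DeviceId from the PowerShell side so the rule can be saved as a custom detection that alerts on DeviceB. If the attacker passes an IP address instead of a host name to /v:, the short-name join fails; resolve the address to a DeviceId through DeviceNetworkInfo instead, or anchor on the RemoteInteractive logon in DeviceLogonEvents, which carries the source address regardless of how mstsc.exe was launched.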

35
MCQeasy

In Microsoft 365 Defender, what is the primary function of the Action center?

A.Manage user roles and permissions for the security portal.
B.View and manage pending and completed remediation actions from automated investigations.
C.Create custom detection rules using advanced hunting queries.
D.Manage threat intelligence feeds and indicators.
AnswerB

The Action center lists all actions taken by automated investigations and allows analysts to approve or reject them.

Why this answer

The Action center in Microsoft 365 Defender is the centralized console for tracking and managing remediation actions generated by automated investigations. It consolidates both pending actions (requiring approval) and completed actions (e.g., quarantining a file, blocking an IP) across Defender for Endpoint, Office 365, Identity, and Cloud Apps, ensuring security teams can review and approve or reject responses without switching contexts.

Exam trap

The trap here is that candidates confuse the Action center with the 'Hunting' or 'Indicators' sections, mistakenly thinking it is for creating custom rules or managing threat intelligence, when its sole purpose is remediation action tracking and approval from automated investigations.

How to eliminate wrong answers

Option A is wrong because managing user roles and permissions is handled via Azure AD roles and the Microsoft 365 Defender portal's permissions settings, not the Action center. Option C is wrong because creating custom detection rules using advanced hunting queries is done through the 'Custom detection rules' section under 'Hunting', not the Action center. Option D is wrong because managing threat intelligence feeds and indicators is performed in the 'Indicators' settings under 'Settings > Endpoints' or via the Microsoft Defender Threat Intelligence portal, not the Action center.

36
MCQhard

An analyst is using advanced hunting in Microsoft 365 Defender. A device made outbound RDP connections shortly after a suspicious PowerShell process started. Which join is most useful to identify the initiating process for those network connections?

A.Join EmailEvents with UrlClickEvents
B.Join IdentityInfo with SecureScoreControls
C.Join CloudAppEvents with AlertEvidence only
D.Join DeviceNetworkEvents with DeviceProcessEvents by device and process identifiers/time window
AnswerD

DeviceNetworkEvents records network connections, while DeviceProcessEvents records process creation details needed to identify the initiating process.

Why this answer

Option D is correct because it joins DeviceNetworkEvents (which contain the outbound RDP connection details) with DeviceProcessEvents (which contain process creation data such as the suspicious PowerShell process) on DeviceId together with the process identifier. Because Windows reuses process IDs, the reliable key is InitiatingProcessId plus InitiatingProcessCreationTime on the network side matched to ProcessId plus ProcessCreationTime on the process side, optionally bounded by a time window. This join correlates each network connection with the process record that started it, identifying whether the PowerShell process itself, or a child it spawned, opened the RDP connection.

Exam trap

The trap here is that candidates may choose a join involving cloud or email tables (A, B, C) because they focus on the 'suspicious PowerShell' aspect, forgetting that the question specifically asks for the initiating process of network connections, which requires device-level process and network event correlation.

How to eliminate wrong answers

Option A is wrong because EmailEvents and UrlClickEvents deal with email and URL click data, which are irrelevant to identifying the initiating process of outbound RDP connections from a device. Option B is wrong because IdentityInfo and SecureScoreControls relate to user identity and security posture scores, not process-to-network correlation. Option C is wrong because CloudAppEvents and AlertEvidence focus on cloud application activities and alerts, not device-level process and network events; joining them would not reveal the initiating process for RDP connections on a device.
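The query below is an added example and is not part of the original question bank. It performs the Option D join for question 36 and shows the join key that question 29's two tables share: DeviceId, process ID and process creation time, the last of which is what keeps a reused PID from matching the wrong process. The one-day lookback and the PowerShell parent filter are assumed choices.

```kusto
// Added example (not from the question bank): outbound RDP connections joined back to the
// process record that opened them. Lookback is assumed.
let lookback = 1d;
let rdpOut = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess" and RemotePort == 3389
    | project ConnTime = Timestamp, DeviceId, DeviceName, RemoteIP, RemotePort,
              ProcessId = InitiatingProcessId,
              ProcessCreationTime = InitiatingProcessCreationTime;
let procs = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | project DeviceId, ProcessId, ProcessCreationTime, FileName, ProcessCommandLine,
              AccountName, SHA256,
              ParentProcess = InitiatingProcessFileName,
              ParentCommandLine = InitiatingProcessCommandLine;
rdpOut
// PID + creation time together identify one process instance; the PID alone does not
| join kind=inner procs on DeviceId, ProcessId, ProcessCreationTime
| where ConnTime >= ProcessCreationTime            // a connection cannot predate its process
| where FileName in~ ("powershell.exe", "pwsh.exe")
     or ParentProcess in~ ("powershell.exe", "pwsh.exe")
| project ConnTime, DeviceName, RemoteIP, RemotePort, FileName, ProcessCommandLine, AccountName,
          ParentProcess, ParentCommandLine, SHA256, SinceStart = ConnTime - ProcessCreationTime
| order by ConnTime desc
```

The join only finds processes whose creation event falls inside the lookback; a long-running process started earlier will not match. When that happens, widen the lookback on the DeviceProcessEvents side, or fall back to the InitiatingProcess* columns that DeviceNetworkEvents already carries, which give the file name, command line and account without any join.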

37
Drag & Dropmedium

Order the steps to set up a Microsoft Sentinel workspace and connect Microsoft 365 Defender data.

Steps in the correct order:

1. Create a Log Analytics workspace.
2. Enable Microsoft Sentinel on that workspace.
3. Open Data connectors in Sentinel, configure the Microsoft 365 Defender connector, and connect incidents and alerts (and, optionally, the advanced hunting event tables).

Why this order

Sentinel is enabled on a Log Analytics workspace, then data connectors like M365 Defender are configured to ingest data.

38
MCQmedium

A security analyst is creating a custom detection rule in Microsoft 365 Defender using Advanced Hunting. The rule should alert when a user signs in from an IP address that is not in the company's approved IP range (192.168.0.0/16). Which KQL function should be used to compare the sign-in IP against the approved range?

A.ipv4_is_in_range(SigninIP, '192.168.0.0/16')
B.has_any(SigninIP, dynamic(['192.168.0.0/16']))
C.ipv4_is_private(SigninIP)
D.SigninIP startswith '192.168.'
AnswerA

Correct. This function directly checks if the IP is within the given CIDR range.

Why this answer

The correct KQL function is `ipv4_is_in_range()` because it is specifically designed to check whether an IPv4 address falls within a given CIDR range. In this scenario the function compares the sign-in address (the question calls the column `SigninIP`; in AADSignInEventsBeta it is `IPAddress`) against the company's approved range `192.168.0.0/16` and returns `true` when the address is inside it. Because the rule must alert on sign-ins from outside the range, the call is negated in the where clause: `where not(ipv4_is_in_range(IPAddress, "192.168.0.0/16"))`. The function handles the subnet mask natively, so any prefix length works without manual octet parsing.

Exam trap

The trap here is that candidates may choose `ipv4_is_private()` thinking it covers all internal ranges, but it does not account for custom or non-RFC 1918 ranges, and it misses the requirement to match a specific CIDR block like 192.168.0.0/16.

How to eliminate wrong answers

Option B is wrong because `has_any()` is a string-matching operator that checks whether any term from a dynamic array occurs in a field; it does not perform CIDR range calculations and would treat the CIDR notation as a literal string. Option C is wrong because `ipv4_is_private()` only checks whether an IP belongs to any private address space (RFC 1918), not whether it falls within a specific range like `192.168.0.0/16`; it would also match the other private ranges (10.0.0.0/8, 172.16.0.0/12), causing false positives. Option D is wrong because `startswith` performs a simple prefix match on the string representation of the IP rather than a numeric CIDR comparison; the prefix `192.168.` happens to line up with the /16 boundary, but the technique does not generalize to ranges that do not end on an octet boundary (a /20 or /12, for example) and relies on the text of the address rather than its value.

39
MCQ · medium

An organization uses Microsoft 365 Defender. A security analyst is reviewing an incident that involves a user who clicked a phishing link in an email. The analyst wants to see the email's full timeline, including delivery, click, and any follow-up actions. Which section of the email entity page provides this information?

A. Detection details
B. Email timeline
C. Threat types
D. Investigation graph
Answer: B

The Email timeline provides a chronological view of all actions and events associated with the email, including delivery, user clicks, and system responses.

Why this answer

The Email timeline section on the email entity page in Microsoft 365 Defender provides a chronological view of the email's lifecycle, including delivery, user clicks on the phishing link, and subsequent remediation actions such as soft delete or quarantine. This directly meets the analyst's need to see the full sequence of events for the incident.

Exam trap

The trap here is that candidates often confuse the Investigation graph (which shows entity relationships) with the Email timeline (which shows chronological events), leading them to select the graph option when they need a sequential log of actions.

How to eliminate wrong answers

Option A is wrong because Detection details only show the specific detection technologies (e.g., anti-malware, anti-phishing) that flagged the email, not the chronological sequence of delivery, click, and follow-up actions. Option C is wrong because Threat types categorize the email by threat classification (e.g., phishing, malware) but do not provide a timeline of events. Option D is wrong because Investigation graph is a visual representation of related entities and alerts, not a dedicated timeline for a single email's lifecycle.

40
MCQ · medium

A security analyst in Microsoft 365 Defender needs to review all actions that were automatically taken by an investigation (e.g., isolating a device, deleting a file) that occurred during an incident. Where should the analyst find this list of executed actions?

A. Action center
B. Hunting queries
C. Incidents page
D. Alerts page
Answer: A

Action center lists all automated and manual actions taken during investigations, including status and results.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location that records all manual and automated response actions taken during investigations, such as device isolation, file deletion, or process termination. This includes actions automatically executed by automated investigation and response (AIR) playbooks during an incident. The analyst can filter the Action center by 'Automated' to see only those actions taken without manual intervention.

Exam trap

The trap here is that candidates confuse the Incidents page (which shows the overall story) with the Action center (which is the specific repository for executed actions), leading them to select the Incidents page instead of the correct Action center.

How to eliminate wrong answers

Option B is wrong because Hunting queries are used for proactive threat hunting using Kusto Query Language (KQL) to search for raw telemetry and logs, not to review a list of already-executed response actions. Option C is wrong because the Incidents page shows the incident summary, timeline, and related alerts, but it does not provide a dedicated, filterable list of all executed actions; the Action center is the specific location for that. Option D is wrong because the Alerts page lists individual alerts triggered by suspicious activities, but it does not aggregate the automated response actions taken; those actions are recorded in the Action center after an alert triggers an investigation.

41
MCQ · easy

A security analyst is investigating a phishing incident in Microsoft 365 Defender. They need to view the original email's sender, delivery action, and any automated remediation steps taken. Which entity page should the analyst open?

A. User entity page
B. Device entity page
C. Email entity page
D. IP entity page
Answer: C

The email entity page contains full email metadata including sender, delivery action, and any automated remediation steps taken.

Why this answer

The Email entity page in Microsoft 365 Defender (part of Microsoft Defender XDR) is specifically designed to provide a comprehensive view of an email message, including the original sender, delivery action (e.g., delivered, quarantined, blocked), and any automated remediation steps (e.g., zero-hour auto purge, soft delete). This page aggregates data from Exchange Online Protection (EOP) and Microsoft Defender for Office 365, making it the correct choice for investigating phishing incidents.

Exam trap

The trap here is that candidates may confuse the User entity page with email investigation because user accounts are often involved in phishing, but the User entity page lacks the specific email message-level details (sender, delivery action, remediation) that only the Email entity page provides.

How to eliminate wrong answers

Option A is wrong because the User entity page focuses on user-related activities, sign-ins, and alerts, but does not expose the original email's sender, delivery action, or remediation steps for a specific message. Option B is wrong because the Device entity page is used for investigating device-level threats, such as malware or suspicious processes, and has no context for email-specific attributes like sender or delivery action. Option D is wrong because the IP entity page provides information about network traffic and IP reputation, but it cannot show the original email's sender or automated remediation steps taken on a message.

42
Multi-Select · medium

An analyst is building a custom detection rule in Microsoft 365 Defender to identify potential data exfiltration. The rule should alert when a process (e.g., powershell.exe) initiates multiple outbound network connections to an external IP address that is not in the company's corporate IP range within a short time. Which two Advanced Hunting tables must be joined to correlate process execution with network connection details?

Select 2 answers
A. DeviceProcessEvents and DeviceNetworkEvents
B. DeviceProcessEvents and DeviceFileEvents
C. DeviceLogonEvents and DeviceNetworkEvents
D. DeviceProcessEvents and EmailEvents
Answers: A, C

Correct. DeviceProcessEvents provides process start details, and DeviceNetworkEvents provides network connection records. They can be joined to identify processes making outbound connections.

Why this answer

The rule requires correlating process execution (e.g., powershell.exe) with outbound network connections to external IPs. DeviceProcessEvents logs process creation events, while DeviceNetworkEvents logs network connection details including destination IP and port. Joining these two tables on DeviceId and Timestamp (within a short time window) allows the analyst to identify which process initiated the suspicious outbound connections, making A correct.

Exam trap

The trap here is that candidates may confuse DeviceNetworkEvents with DeviceFileEvents or DeviceLogonEvents, mistakenly thinking file or logon events are needed to correlate process execution with network connections, when only DeviceNetworkEvents contains the necessary IP and port data.

43
MCQ · medium

A security analyst wants to identify all users who received a phishing email that contained a known malicious URL. The analyst has the URL. Which advanced hunting table should the analyst query first to find the emails that contained this URL?

A. EmailEvents
B. EmailUrlInfo
C. EmailAttachmentInfo
D. EmailPostDeliveryEvents
Answer: B

EmailUrlInfo stores each URL found in an email along with the NetworkMessageId. Querying this table filtered by the malicious URL will return the network message IDs of the emails containing it.

Why this answer

The EmailUrlInfo table in Microsoft Defender XDR contains records of URLs extracted from email messages, including the specific URL and the email's unique identifier (NetworkMessageId). By querying this table for the known malicious URL, the analyst can retrieve the NetworkMessageIds of all emails containing that URL, which can then be joined with the EmailEvents table to identify the recipients. This is the most direct and efficient first step because EmailUrlInfo is purpose-built to map URLs to email messages.

Exam trap

The trap here is that candidates often jump to EmailEvents thinking it contains all email details, but they forget that URL content is stored in a separate table (EmailUrlInfo) and must be queried first to identify the specific emails.

How to eliminate wrong answers

Option A is wrong because EmailEvents contains metadata about email delivery (sender, recipient, subject, delivery action) but does not include the actual URL content; it cannot be queried directly to find emails containing a specific URL. Option C is wrong because EmailAttachmentInfo stores information about email attachments (file names, hashes, sizes) and is used for malware or attachment-based threats, not for identifying URLs within the email body. Option D is wrong because EmailPostDeliveryEvents tracks actions taken on emails after delivery (e.g., user clicks, admin moves, ZAP actions) and does not contain the original URL content from the email.

44
MCQ · hard

In Microsoft 365 Defender advanced hunting, an analyst is investigating a case where a user's device was compromised via a malicious base64-encoded PowerShell script. The analyst wants to find all processes that were created by this script by decoding the command line. Which KQL function should be applied to the ProcessCommandLine column in the DeviceProcessEvents table?

A. base64_decode_tostring(ProcessCommandLine)
B. parse_base64(ProcessCommandLine)
C. decode_base64(ProcessCommandLine)
D. convertstring(ProcessCommandLine, 'base64')
Answer: A

This function decodes a base64-encoded string to its original text, revealing the obfuscated PowerShell commands.

Why this answer

The correct KQL function to decode a Base64-encoded string into readable text in Microsoft 365 Defender advanced hunting is `base64_decode_tostring()`. This function takes a string column (like ProcessCommandLine) and returns the decoded plaintext, allowing the analyst to see the actual PowerShell commands executed. The other options are not valid KQL functions; they do not exist in the Kusto Query Language used in advanced hunting.

Exam trap

The trap here is that Microsoft tests whether candidates know the exact KQL function name `base64_decode_tostring()` versus common but incorrect variations like `decode_base64()` or `parse_base64()`, which are not part of the Kusto Query Language.

How to eliminate wrong answers

Option B is wrong because `parse_base64()` is not a valid KQL function; the correct function is `base64_decode_tostring()`. Option C is wrong because `decode_base64()` is not a recognized KQL function; Kusto uses `base64_decode_tostring()` for this purpose. Option D is wrong because `convertstring(ProcessCommandLine, 'base64')` is not valid KQL syntax; `convertstring()` is not a Kusto function, and the correct function for Base64 decoding is `base64_decode_tostring()`.

45
MCQ · medium

A security analyst is investigating a potential malware outbreak using Microsoft 365 Defender advanced hunting. The analyst wants to find all devices where a file with a specific SHA256 hash was first created and then later deleted, which may indicate a cleanup attempt. Which query pattern on the DeviceFileEvents table is appropriate?

A. DeviceFileEvents | where SHA256 == "<hash>" | summarize Actions = make_set(ActionType) by DeviceId | where Actions has_all ("FileCreated", "FileDeleted")
B. DeviceFileEvents | where SHA256 == "<hash>" and ActionType == "FileDeleted" | project DeviceId
C. DeviceFileEvents | where FileHash == "<hash>" | summarize Actions = make_set(ActionType) by DeviceId | where Actions has "FileCreated"
D. DeviceFileEvents | summarize by DeviceId, ActionType | where ActionType in ("FileCreated", "FileDeleted")
Answer: A

Correct. This query groups by DeviceId and checks that both 'FileCreated' and 'FileDeleted' actions exist in the set for that device, ensuring the file was both created and deleted.

Why this answer

Option A is correct because it first filters by the specific SHA256 hash, then uses `make_set(ActionType)` to collect all actions per device, and finally checks that both 'FileCreated' and 'FileDeleted' appear in the set. This precisely identifies devices where the file was both created and later deleted, indicating a potential cleanup attempt.

Exam trap

The trap here is that candidates may confuse the column name `SHA256` with `FileHash` (which does not exist in DeviceFileEvents) or forget to filter by the specific hash before summarizing, leading to false positives from unrelated file operations.

How to eliminate wrong answers

Option B is wrong because it only looks for 'FileDeleted' events, missing the requirement that the file must have been first created on the same device. Option C is wrong because it uses `FileHash` instead of `SHA256` (the correct column name in DeviceFileEvents) and only checks for 'FileCreated', not both actions. Option D is wrong because it summarizes by DeviceId and ActionType without filtering by the specific hash, returning all devices with any create/delete actions rather than those related to the target file.

46
MCQ · medium

An organization uses Microsoft 365 Defender. An automated investigation on a device has determined that a file is malicious and has been blocked. The analyst wants to verify that the file was blocked and see the action taken (e.g., block, allow). Which entity page provides this information?

A. File entity page
B. Device entity page
C. User entity page
D. Email entity page
Answer: A

Correct. The file entity page displays detection status and actions taken on the file across devices.

Why this answer

The File entity page in Microsoft Defender XDR provides a centralized view of a file's reputation, detection details, and the specific actions taken (e.g., blocked, allowed, quarantined) during automated investigations. Since the analyst needs to confirm the block action on a specific malicious file, this page directly displays the investigation result and the applied remediation action.

Exam trap

The trap here is that candidates often confuse the Device entity page (which shows that an investigation ran) with the File entity page (which shows the specific action taken on the file), leading them to incorrectly select the Device page.

How to eliminate wrong answers

Option B is wrong because the Device entity page shows device-level alerts, investigations, and software inventory, but does not display the specific action taken on a file (e.g., block vs. allow) — it only indicates that an investigation occurred. Option C is wrong because the User entity page focuses on user-related alerts, sign-in logs, and compromised accounts, not file-level remediation actions. Option D is wrong because the Email entity page is specific to email messages, attachments, and phishing detections within Microsoft Defender for Office 365, not for file actions on endpoints.

47
MCQ · medium

A phishing email was delivered to several users. The analyst wants to find all messages in the campaign, see delivery actions, and perform remediation from the Microsoft 365 Defender portal. Which tool should they use?

A. Threat Explorer
B. Microsoft Secure Score
C. Azure Activity log
D. Microsoft Defender Vulnerability Management software inventory
Answer: A

Threat Explorer is designed for email threat investigation and remediation.

Why this answer

Threat Explorer (also known as Explorer) in Microsoft 365 Defender is the correct tool because it provides a comprehensive view of email threats, including phishing campaigns. It allows analysts to search for all messages in a campaign, review delivery actions (e.g., blocked, delivered to junk, or delivered), and perform remediation actions such as soft delete, hard delete, or move to quarantine directly from the portal.

Exam trap

The trap here is that candidates may confuse Threat Explorer with the general-purpose Activity log or Secure Score, assuming any security-related tool can handle email threats, but only Threat Explorer is designed for deep email threat hunting and remediation within Microsoft 365 Defender.

How to eliminate wrong answers

Option B is wrong because Microsoft Secure Score is a security posture measurement tool that assesses an organization's security configuration and recommends improvements; it does not provide message-level threat hunting, campaign visibility, or remediation capabilities for phishing emails. Option C is wrong because Azure Activity log records control-plane operations on Azure resources (e.g., creating VMs, modifying RBAC roles) and does not capture email delivery actions or phishing campaign data. Option D is wrong because Microsoft Defender Vulnerability Management software inventory focuses on identifying and managing software vulnerabilities on endpoints, not on email threat analysis or remediation.

48
MCQ · medium

A security analyst is investigating an incident in Microsoft 365 Defender where a user's device is suspected to be compromised. The analyst wants to collect a copy of a specific suspicious file from the device for offline analysis without disrupting the user. Which action should the analyst initiate?

A. Initiate a Live Response session
B. Isolate the device from the network
C. Initiate an automated investigation
D. Run a full antivirus scan
Answer: A

Live Response provides a remote command-line interface to the device, enabling the analyst to collect files and perform investigation without isolating or disrupting the user.

Why this answer

A Live Response session allows the analyst to remotely connect to the device in real time, collect a specific suspicious file via commands like 'getfile', and download it for offline analysis without interrupting the user's workflow. This is the only action that provides targeted file collection while the device remains operational.

Exam trap

The trap here is that candidates confuse 'Live Response' with 'isolation' or 'automated investigation', thinking that any remediation action can collect files, but only Live Response provides the granular, non-disruptive file collection capability required for offline analysis.

How to eliminate wrong answers

Option B is wrong because isolating the device from the network disconnects it from all network communications, which disrupts the user and prevents file collection without additional steps. Option C is wrong because an automated investigation runs predefined playbooks to detect and remediate threats, but it does not allow the analyst to manually collect a specific file for offline analysis. Option D is wrong because a full antivirus scan scans for malware and may delete or quarantine the file, but it does not provide a copy of the file for offline analysis and can disrupt the user by consuming system resources.

49
MCQ · hard

A security analyst is using advanced hunting in Microsoft 365 Defender to detect lateral movement. The analyst wants to find all devices where a specific user account had an interactive logon, and then identify which of those devices subsequently initiated outbound Remote Desktop Protocol (RDP) connections to other internal IP addresses. Which KQL approach is most efficient for this investigation?

A. Use DeviceLogonEvents and DeviceNetworkEvents with a join on DeviceId and a time range
B. Use IdentityLogonEvents and DeviceNetworkEvents with a join on IP address
C. Use DeviceProcessEvents and DeviceNetworkEvents with a join on DeviceId
D. Use EmailEvents and DeviceLogonEvents with a join on RecipientEmail
Answer: A

DeviceLogonEvents provides logon data per device; DeviceNetworkEvents provides outbound connections. Joining by DeviceId within a short time after logon can reveal lateral movement via RDP.

Why this answer

Option A is correct because it uses DeviceLogonEvents to identify interactive logons for the specific user account on devices, then joins those results with DeviceNetworkEvents on DeviceId within a time range to find subsequent outbound RDP connections (destination port 3389) to internal IPs. This approach directly correlates the user's logon activity with network connections from the same device, which is the most efficient and precise method for detecting lateral movement via RDP.

Exam trap

The trap here is that candidates may confuse IdentityLogonEvents (cloud identity) with DeviceLogonEvents (device-level logon), leading them to choose Option B, but the correct approach requires device-specific logon data to correlate with network events on the same device.

How to eliminate wrong answers

Option B is wrong because IdentityLogonEvents captures cloud identity logons (e.g., Azure AD) rather than device-level interactive logons, and joining on IP address is unreliable due to NAT and shared IPs, making it ineffective for correlating a specific device's network activity. Option C is wrong because DeviceProcessEvents tracks process creation events, not interactive logons; while it could indirectly indicate logon activity, it is less direct and less efficient than using DeviceLogonEvents for the specific user account. Option D is wrong because EmailEvents deals with email delivery and recipient data, which is irrelevant to device logons or RDP network connections; joining on RecipientEmail has no bearing on lateral movement detection.

50
MCQ · easy

A security analyst is investigating a compromised user account using Microsoft 365 Defender. The analyst wants to see all the sign-in attempts made by this user in the last 24 hours, including the IP addresses and locations. Which advanced hunting table should the analyst query?

A. IdentityLogonEvents
B. AlertInfo
C. EmailAttachmentInfo
D. DeviceLogonEvents
Answer: A

IdentityLogonEvents logs user sign-in activities in Microsoft Entra ID, including IP addresses and geography, making it the correct table.

Why this answer

The IdentityLogonEvents table in Microsoft 365 Defender advanced hunting captures authentication events from Azure Active Directory, including sign-in attempts, IP addresses, and geographic locations. This makes it the correct table for an analyst investigating a compromised user account to review all sign-in activity over the last 24 hours.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (which covers local Windows logons) with IdentityLogonEvents (which covers cloud-based Azure AD sign-ins), leading them to select the wrong table for investigating cloud account compromises.

How to eliminate wrong answers

Option B (AlertInfo) is wrong because it contains metadata about alerts generated by detection mechanisms, not raw sign-in logs or IP addresses. Option C (EmailAttachmentInfo) is wrong because it focuses on email attachment metadata from Microsoft Defender for Office 365, unrelated to user authentication events. Option D (DeviceLogonEvents) is wrong because it records logon events on endpoints (Windows devices), not cloud-based Azure AD sign-ins, and does not include location data.

51
Multi-Select · medium

An analyst is investigating a ransomware outbreak using Microsoft 365 Defender Advanced Hunting. They need to find all devices where a file with the extension '.locked' was created within one hour after a known malicious process (e.g., 'ransomware.exe') was executed on the same device. Which two tables should be joined in the query? (Choose 2.)

Select 2 answers
A. DeviceProcessEvents
B. DeviceNetworkEvents
C. DeviceFileEvents
D. DeviceRegistryEvents
Answers: A, C

Correct. DeviceProcessEvents records process creation events, including the malicious executable, and DeviceFileEvents records the creation of the '.locked' files on the same device.

Why this answer

DeviceProcessEvents is correct because it logs process creation events, including the execution of 'ransomware.exe'. This table is essential to identify the timestamp and device where the malicious process ran, which serves as the starting point for the time-bound investigation.

Exam trap

The trap here is that candidates may mistakenly choose DeviceNetworkEvents thinking network activity is key, but the question specifically requires file creation events, which only DeviceFileEvents provides.

52
MCQ · medium

A security analyst is investigating a potential business email compromise (BEC) campaign. The analyst wants to find all emails that were sent to external recipients from an internal user's mailbox that also had a login from an unusual location shortly after the email was sent. Which advanced hunting tables should the analyst query to get the email metadata and the sign-in details?

A. EmailEvents and AADSignInEventsBeta
B. EmailPostDeliveryEvents and DeviceLogonEvents
C. EmailAttachmentInfo and IdentityLogonEvents
D. EmailUrlInfo and CloudAppEvents
Answer: A

EmailEvents provides email send metadata, and AADSignInEventsBeta provides sign-in details. Joining on the sender's email address and the sign-in user principal name enables correlation.

Why this answer

Option A is correct because EmailEvents stores email metadata (sender, recipient, subject, etc.) and AADSignInEventsBeta captures Azure AD sign-in logs, including location data. Joining these tables on the user's account object ID allows the analyst to correlate emails sent to external recipients with unusual sign-in locations shortly after the email was sent, directly addressing the BEC investigation scenario.

Exam trap

The trap here is that candidates confuse DeviceLogonEvents or IdentityLogonEvents with Azure AD sign-in logs, not realizing that AADSignInEventsBeta is the only table that captures cloud-based sign-in location data for Microsoft 365 services like Exchange Online.

How to eliminate wrong answers

Option B is wrong because EmailPostDeliveryEvents contains post-delivery actions (e.g., remediation, ZAP) and DeviceLogonEvents captures device-level logons (e.g., Windows sign-ins), not mailbox sign-ins or email metadata; this combination cannot correlate email sends with Azure AD sign-in locations. Option C is wrong because EmailAttachmentInfo only provides attachment metadata (file name, hash), and IdentityLogonEvents, which aggregates identity-based logons (e.g., on-premises Active Directory), does not carry the Azure AD sign-in detail that AADSignInEventsBeta provides; the combination lacks the core email metadata needed. Option D is wrong because EmailUrlInfo stores URL data from emails and CloudAppEvents tracks activities in cloud apps (e.g., Office 365 operations), but CloudAppEvents does not provide the precise sign-in location and timestamp needed for the unusual login correlation; it focuses on app-level actions rather than authentication events.

53
MCQ · medium

A security analyst is investigating a phishing incident and needs to find the specific email message that was delivered to a user. The analyst knows the subject line and the sender domain. Which advanced hunting table should the analyst query?

A. EmailEvents
B. EmailAttachmentInfo
C. EmailUrlInfo
D. EmailPostDeliveryEvents
Answer: A

Correct. EmailEvents contains the subject, sender domain, recipient, and delivery status.

Why this answer

The EmailEvents table in Microsoft Defender XDR's advanced hunting schema contains the core properties of email messages, including subject line, sender domain, recipient details, and delivery status. Since the analyst needs to find a specific email by subject and sender domain, this table is the correct starting point for querying delivered messages.

Exam trap

The trap here is that candidates confuse EmailEvents with EmailPostDeliveryEvents, thinking post-delivery actions are needed to find the original message, but EmailEvents is the only table that stores the subject and sender domain for delivered emails.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it focuses on attachment metadata (file name, hash, size) and does not include the subject line or sender domain fields needed to locate the email by those criteria. Option C (EmailUrlInfo) is wrong because it stores URLs extracted from email bodies or attachments, not the email's subject or sender domain. Option D (EmailPostDeliveryEvents) is wrong because it records actions taken after delivery (e.g., ZAP, user-reported phishing) and lacks the original subject line and sender domain required to identify the initial message.

54
MCQ · medium

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user received a phishing email that contained a link to a malicious domain. The user clicked the link, but the domain was blocked by Microsoft Defender for Office 365 at the time of click. The analyst needs to view the full details of the click verdict, including the time of click and the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

A. Attachments tab
B. Detection details section
C. Timeline section
D. User entity page
Answer: B

The Detection details section on the email entity page provides the click verdict, block reason, and action taken for URLs.

Why this answer

The Detection details section in the Microsoft 365 Defender portal provides the full click verdict for a URL, including the exact time of the click and the specific block action (e.g., blocked by custom block list, blocked by reputation). This information is part of the URL click verdict data logged by Microsoft Defender for Office 365 when Safe Links evaluates a clicked link. The analyst can access this by navigating to the incident's URL entity and selecting the Detection details tab.

Exam trap

The trap here is that candidates often confuse the Timeline section (which shows general event chronology) with the Detection details section (which provides the specific URL click verdict and block action), leading them to select Option C incorrectly.

How to eliminate wrong answers

Option A is wrong because the Attachments tab only shows details about email attachments (e.g., file hashes, malware detections), not URL click verdicts or block actions. Option C is wrong because the Timeline section provides a chronological view of alerts and events but does not expose the granular click verdict details like the specific block action or exact click time for a URL. Option D is wrong because the User entity page shows user-related information (e.g., risk level, activity, alerts) but does not contain the URL click verdict data, which is tied to the URL entity itself.

55
MCQ · medium

An organization uses Microsoft 365 Defender. An automated investigation on a device identifies a malicious file and blocks it. The analyst now wants to allow a specific trusted application that was incorrectly blocked, while keeping other malicious files blocked. Which action should the analyst take from the device's entity page?

A. Initiate a live response session and delete the file manually.
B. Use the 'Add indicator' feature to create a custom IOC for the file hash with action 'Allow'.
C. Change the automated investigation settings to 'No action' and rerun investigation.
D. Collect the file for analysis; the allow decision must be made by Microsoft after analysis.
Answer: B

Adding a custom indicator with action 'Allow' tells Defender to treat that file as clean, overriding automation blocks.

Why this answer

The 'Add indicator' feature in Microsoft Defender XDR allows analysts to create custom indicators of compromise (IOCs) based on file hashes, IPs, or domains. By setting the action to 'Allow' for the specific file hash, the analyst can override the automated block for that trusted application while keeping other malicious files blocked. This is the correct approach because it provides granular control without affecting the overall automated investigation settings.

Exam trap

The trap here is that candidates may confuse the 'Add indicator' feature with manual file deletion or changing global investigation settings, not realizing that a custom IOC with an Allow action is the precise mechanism to override a block for a specific trusted file.

How to eliminate wrong answers

Option A is wrong because initiating a live response session to delete the file manually does not create an allow rule; it only removes the file, and the block action from the automated investigation would still prevent the application from running. Option C is wrong because changing the automated investigation settings to 'No action' would disable all automated responses for future detections, not selectively allow a specific file. Option D is wrong because collecting the file for analysis does not immediately allow the file; Microsoft analysis is for threat intelligence, not for overriding a block on a trusted application.

56
MCQ · hard

A security analyst is investigating a sophisticated attack chain that started with a user clicking a link in a phishing email, which led to a drive-by download from a malicious website. The analyst wants to see the full list of URLs visited from the user's browser on the device. Which Advanced Hunting table contains this information?

A. DeviceEvents
B. DeviceNetworkEvents
C. DeviceProcessEvents
D. DeviceFileEvents
Answer: A

DeviceEvents includes browser telemetry events like 'UrlClicked' which record the full URL visited.

Why this answer

DeviceEvents in Microsoft Defender XDR captures browser-based activities, including URL visits, via the 'ActionType' field (e.g., 'BrowserUrlClicked' or 'BrowserUrlNavigation'). This table is specifically designed to log web navigation events from browsers like Microsoft Edge or Chrome, making it the correct source for the full list of URLs visited during the phishing attack chain.

Exam trap

The trap here is that candidates often confuse DeviceNetworkEvents (which shows network connections) with browser URL tracking, but DeviceNetworkEvents lacks the URL-level detail needed for web navigation analysis, while DeviceEvents is the dedicated table for browser activity.

How to eliminate wrong answers

Option B (DeviceNetworkEvents) is wrong because it logs network-level connections (IP addresses, ports, protocols) but does not capture the full URL path or browser navigation context; it focuses on raw network flows, not HTTP/HTTPS URL details. Option C (DeviceProcessEvents) is wrong because it records process creation and termination events (e.g., executable launches, command lines) but does not include browser URL navigation data; it would show the browser process starting but not the specific URLs visited. Option D (DeviceFileEvents) is wrong because it tracks file creation, modification, and deletion events on the filesystem, which is irrelevant to browser URL history; it would capture downloaded files but not the URLs that led to them.

57
MCQ · medium

A security analyst is using Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst wants to find emails that were delivered to users (DeliveryAction != 'Blocked') and contained a specific malicious URL (e.g., 'https://malicious.com'). The EmailEvents table contains delivery information, and the EmailUrlInfo table contains URL details. Which KQL query correctly joins these two tables to find the desired emails?

A. EmailEvents | where DeliveryAction != 'Blocked' | join kind=inner EmailUrlInfo on NetworkMessageId | where Url == 'https://malicious.com'
B. EmailEvents | where DeliveryAction != 'Blocked' | join kind=leftouter EmailUrlInfo on NetworkMessageId | where Url == 'https://malicious.com'
C. EmailEvents | where DeliveryAction != 'Blocked' | join kind=inner EmailUrlInfo on Name | where Url == 'https://malicious.com'
D. EmailEvents | where DeliveryAction != 'Blocked' | join kind=inner EmailUrlInfo on SenderFromDomain | where Url == 'https://malicious.com'
Answer: A

This query correctly joins on NetworkMessageId, filters delivered emails, and then filters for the specific URL.

Why this answer

Option A is correct because it uses an inner join on the `NetworkMessageId` column, which is the common key between `EmailEvents` and `EmailUrlInfo` tables in Microsoft 365 Defender advanced hunting. The query first filters `EmailEvents` to only delivered emails (`DeliveryAction != 'Blocked'`), then joins with `EmailUrlInfo` to match URLs to those emails, and finally filters for the specific malicious URL. This ensures only emails that were delivered and contained the target URL are returned.

Exam trap

The trap here is that candidates may choose a `leftouter` join (Option B) thinking it is safer to include all delivered emails, but the requirement is to find only emails that actually contained the malicious URL, making an `inner` join the correct choice.

How to eliminate wrong answers

Option B is wrong because a `leftouter` join would return every delivered email, including those with no matching row in `EmailUrlInfo`; the subsequent `where Url == 'https://malicious.com'` would then discard the null rows, so the result is the same but the query is less efficient and conceptually wrong for this requirement (an `inner` join is appropriate because only emails that actually contain the URL are wanted). Option C is wrong because it joins on `Name`, which is not a common key between `EmailEvents` and `EmailUrlInfo`; the correct join key is `NetworkMessageId`. Option D is wrong because it joins on `SenderFromDomain`, which is not a unique identifier for individual emails and would produce incorrect matches across different emails from the same domain.

58
MCQ · easy

A security analyst is reviewing an incident in Microsoft 365 Defender where malware was detected on multiple endpoints. The analyst wants to see a visual representation of the attack progression, including the initial entry point and all affected devices. Which feature in the Microsoft 365 Defender portal should the analyst use?

A. Incident graph
B. Advanced hunting
C. Threat analytics
D. Action center
Answer: A

The incident graph visually maps the attack chain, showing entity relationships and progression.

Why this answer

The incident graph in Microsoft 365 Defender provides a visual, interactive map of the entire attack progression, showing the initial entry point, lateral movement, and all affected devices and users. It correlates alerts and evidence into a single timeline, enabling the analyst to understand the full scope of the incident at a glance. This directly meets the requirement for a visual representation of the attack progression.

Exam trap

The trap here is that candidates confuse the incident graph (visual attack path) with Advanced hunting (raw data querying) because both are used for investigation, but only the graph provides a pre-built visual map of the attack progression.

How to eliminate wrong answers

Option B (Advanced hunting) is wrong because it is a query-based tool for searching raw data using Kusto Query Language (KQL), not a visual representation of an attack progression. Option C (Threat analytics) is wrong because it provides reports on active threats, vulnerabilities, and mitigations, but does not show the specific attack path for a given incident. Option D (Action center) is wrong because it lists pending and completed remediation actions (e.g., isolating devices, running antivirus scans), not a visual attack timeline or device map.

59
MCQ · medium

In Microsoft 365 Defender, a security analyst reviews an automated investigation that found a potentially unwanted application on multiple devices. The analyst wants to manually approve the suggested remediation action of uninstalling the application. Where should the analyst go?

A. The Action center
B. The Incidents page
C. The Alerts queue
D. The Device inventory
Answer: A

The Action center displays pending and completed actions from automated investigations, allowing analysts to approve or reject them.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location where security analysts can view and manually approve or reject remediation actions that were suggested by automated investigations, such as uninstalling a potentially unwanted application. This is the correct place because the Action center consolidates all pending and completed actions across devices, allowing the analyst to take direct manual intervention on the recommended remediation.

Exam trap

The trap here is that candidates often confuse the Incidents page or Alerts queue as the place to approve remediation actions, not realizing that the Action center is the sole interface for managing pending remediation actions from automated investigations.

How to eliminate wrong answers

Option B is wrong because the Incidents page is used to view and manage the full scope of an incident, including alerts, devices, and evidence, but it does not provide the interface to manually approve or reject specific remediation actions like uninstalling an application. Option C is wrong because the Alerts queue lists individual security alerts, but it does not show the suggested remediation actions from automated investigations; those actions are only visible and actionable in the Action center. Option D is wrong because the Device inventory shows the list of devices and their details, but it does not contain the pending remediation actions or the ability to approve them; it is purely an inventory view.

60
MCQ · medium

A security analyst is investigating a suspicious email that was reported by a user. The email contains an attachment with a known malicious macro. The analyst wants to find all instances of this same email being delivered to other users in the organization. Which Advanced Hunting table should the analyst query to find the delivery events?

A. EmailAttachmentInfo
B. EmailEvents
C. EmailUrlInfo
D. DeviceFileEvents
Answer: B

Correct. EmailEvents contains the delivery records, including the recipient addresses and delivery status. It can be filtered or joined with attachment data to find all recipients.

Why this answer

The EmailEvents table in Microsoft Defender XDR Advanced Hunting contains records of email delivery events, including sender, recipient, subject, and delivery status. Since the analyst needs to find all instances where the same email (with the malicious macro attachment) was delivered to other users, querying EmailEvents with the email's unique identifier (e.g., NetworkMessageId) will return all delivery events across the organization.

Exam trap

The trap here is that candidates confuse EmailAttachmentInfo (which contains attachment hashes) with EmailEvents, assuming attachment data alone can identify all recipients, but only EmailEvents holds the delivery event records needed to find every user who received the email.

How to eliminate wrong answers

Option A is wrong because EmailAttachmentInfo stores metadata about attachments (e.g., filename, SHA256 hash) but does not include delivery event details like recipient or delivery status; it is used to correlate attachments with emails, not to find delivery instances. Option C is wrong because EmailUrlInfo contains information about URLs in the email body or attachments, not delivery events; it is used for phishing URL investigations, not for locating all recipients of a specific email. Option D is wrong because DeviceFileEvents tracks file creation, modification, and deletion events on endpoints, not email delivery events; it is irrelevant for finding email recipients.

61
MCQ · hard

A security analyst is investigating a sophisticated attack that involved multiple devices. The analyst needs to create a custom detection rule in Microsoft 365 Defender that triggers when a process with a specific SHA256 hash is executed on any device AFTER an attacker-controlled file is created on another device. Which approach should the analyst use to build this detection?

A. Create a custom detection rule using an advanced hunting query that joins DeviceFileEvents and DeviceProcessEvents, and schedule it in Microsoft 365 Defender.
B. Use the Microsoft 365 Defender incident creation rule to generate an incident when the behavior is observed.
C. Use Microsoft Sentinel analytics rules with a data connector to Microsoft 365 Defender.
D. Use Microsoft Defender for Cloud's workload protection alerts.
Answer: A

Correct. Custom detection rules allow complex multi-table and multi-device correlations using KQL, and they can alert when specific sequences occur, such as a file creation followed by process execution.

Why this answer

Option A is correct because the requirement is to correlate two distinct events (file creation on one device and process execution on another) across time and devices. An advanced hunting query in Microsoft 365 Defender can join DeviceFileEvents and DeviceProcessEvents tables using a common indicator (e.g., attacker-controlled file hash) and schedule the query as a custom detection rule. This is the only native Microsoft 365 Defender approach that supports multi-device, multi-event correlation with scheduled evaluation.

Exam trap

The trap here is that candidates often confuse incident creation rules (which only react to existing alerts) with custom detection rules (which can query raw telemetry), leading them to select Option B despite its inability to perform cross-table joins.

How to eliminate wrong answers

Option B is wrong because incident creation rules in Microsoft 365 Defender only trigger on existing alerts or incidents, not on raw telemetry; they cannot perform multi-table joins or detect custom behavioral sequences. Option C is wrong because while Microsoft Sentinel can ingest Microsoft 365 Defender data and create analytics rules, the question explicitly asks for a detection built within Microsoft 365 Defender, not a separate SIEM. Option D is wrong because Microsoft Defender for Cloud's workload protection alerts focus on cloud infrastructure and resource-level threats, not on device-level process and file events across endpoints.

62
MCQ · easy

A security analyst is investigating a potential phishing campaign and has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to users and contained this exact attachment. Which advanced hunting table should the analyst query to obtain the network message IDs of the relevant emails?

A. EmailEvents
B. EmailAttachmentInfo
C. EmailUrlInfo
D. EmailPostDeliveryEvents
Answer: B

EmailAttachmentInfo includes the SHA256 hash of each attachment and the NetworkMessageId of the email.

Why this answer

The EmailAttachmentInfo table in Microsoft 365 Advanced Hunting contains records of every attachment in email messages, including the SHA256 hash. By querying this table with the known hash, the analyst can retrieve the NetworkMessageId values for all emails that contained that specific malicious attachment, enabling further investigation into delivery and impact.

Exam trap

The trap here is that candidates often confuse EmailEvents (which has delivery status) with EmailAttachmentInfo (which has attachment hashes), failing to recognize that only the latter contains the SHA256 hash needed to match a known malicious file.

How to eliminate wrong answers

Option A is wrong because EmailEvents contains metadata about email delivery events (e.g., delivery status, sender, recipient) but does not include attachment-level details like SHA256 hashes. Option C is wrong because EmailUrlInfo stores information about URLs present in email bodies or attachments, not attachment file hashes. Option D is wrong because EmailPostDeliveryEvents records actions taken on emails after delivery (e.g., user clicks, ZAP actions) and does not contain attachment hash data.

63
MCQ · medium

An organization uses Microsoft 365 Defender. A security analyst is investigating an incident where a user's device was compromised. The analyst wants to determine if the attacker attempted to access sensitive files stored in SharePoint Online from that device. Which advanced hunting table should the analyst query to find file access events from cloud apps?

A. CloudAppEvents
B. IdentityLogonEvents
C. DeviceFileEvents
D. EmailEvents
Answer: A

This table contains events from cloud apps like SharePoint, including file access, which is directly relevant to the scenario.

Why this answer

The CloudAppEvents table in Microsoft 365 Defender captures audit logs for cloud applications, including SharePoint Online. It records file access events such as viewing, downloading, or modifying files, making it the correct table to query when investigating attacker attempts to access sensitive files from a compromised device.

Exam trap

The trap here is that candidates confuse DeviceFileEvents (local file events) with cloud file access events, not realizing that SharePoint Online actions are logged only in CloudAppEvents, not in device-level tables.

How to eliminate wrong answers

Option B (IdentityLogonEvents) is wrong because it tracks authentication events (logon attempts, success/failure) but does not include file-level access events within cloud apps. Option C (DeviceFileEvents) is wrong because it captures file events on the local device (e.g., file creation, modification, deletion) but not access to files stored in SharePoint Online. Option D (EmailEvents) is wrong because it focuses on email-related events (delivery, phishing, malware) and has no data on SharePoint file access.

64
MCQ · medium

An organization uses Microsoft 365 Defender and receives an alert for a suspicious email sent to multiple recipients. The analyst wants to view the email metadata, including the sender, subject, and any attachments. Which advanced hunting table should the analyst use?

A. EmailEvents
B. EmailAttachmentInfo
C. EmailUrlInfo
D. DeviceEmailEvents
Answer: A

This table contains core email metadata including sender, subject, recipients, and delivery actions.

Why this answer

The EmailEvents table in Advanced Hunting stores the core metadata for every email processed by Microsoft Defender for Office 365, including sender, subject, recipient, and delivery status. Since the analyst needs to view the sender, subject, and attachments for a suspicious email sent to multiple recipients, EmailEvents is the correct starting point because it contains the primary email envelope information.

Exam trap

The trap here is that candidates often confuse the purpose of EmailAttachmentInfo (which only has attachment metadata) with EmailEvents (which has the full email header), or they mistakenly choose DeviceEmailEvents thinking it covers all email activity, when it only logs client-side email events on endpoints.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it only contains details about the attachment file name, size, and hash, but does not include the sender or subject metadata. Option C (EmailUrlInfo) is wrong because it stores URLs extracted from the email body or attachments, not the email's sender or subject. Option D (DeviceEmailEvents) is wrong because it is part of Microsoft Defender for Endpoint and logs email events on devices (e.g., from Outlook client), not server-side email metadata from Exchange Online or Defender for Office 365.

65
MCQ · easy

A security analyst wants to see the delivery status and phishing verdict of an email. Which advanced hunting table should the analyst query in Microsoft 365 Defender?

A. EmailEvents
B. EmailPostDeliveryEvents
C. EmailAttachmentInfo
D. EmailUrlInfo
Answer: A

Contains delivery status, threat types, and phishing verdict for each email.

Why this answer

The EmailEvents table in Microsoft 365 Defender's advanced hunting schema contains the delivery status (e.g., Delivered, Failed, Filtered as spam) and the phishing verdict (e.g., Phish, Normal) for each email. This table records the initial processing and classification of the email, making it the correct source for both pieces of information.

Exam trap

The trap here is that candidates often confuse EmailEvents (initial delivery and verdict) with EmailPostDeliveryEvents (post-delivery actions), mistakenly thinking the latter includes the original verdict when it only records changes after delivery.

How to eliminate wrong answers

Option B (EmailPostDeliveryEvents) is wrong because it captures actions taken after delivery (e.g., user clicks, ZAP actions), not the initial delivery status or phishing verdict. Option C (EmailAttachmentInfo) is wrong because it stores metadata about email attachments (e.g., file name, SHA-256 hash), not delivery or verdict data. Option D (EmailUrlInfo) is wrong because it contains URLs found in the email body or attachments, not the email's delivery status or phishing classification.

66
MCQ · medium

A security analyst in Microsoft 365 Defender is using advanced hunting to investigate a suspected data exfiltration. The analyst wants to find all outbound network connections from a specific device that occurred in the last hour, ordered by timestamp. Which table and KQL query should the analyst use?

A. DeviceNetworkEvents | where DeviceName == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
B. DeviceProcessEvents | where DeviceName == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
C. DeviceFileEvents | where DeviceName == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
D. EmailEvents | where SenderUpn == "deviceA" and Timestamp > ago(1h) | project Timestamp, RemoteIP, RemotePort | order by Timestamp asc
Answer: A

DeviceNetworkEvents logs network connections; the query filters to the device and last hour, ordering by time.

Why this answer

Option A is correct because the DeviceNetworkEvents table in Microsoft 365 Defender captures outbound network connections, including remote IP addresses and ports. The query filters for a specific device (DeviceName == 'deviceA'), limits results to the last hour using Timestamp > ago(1h), projects the relevant columns, and orders by Timestamp ascending to show the earliest connections first.

Exam trap

The trap here is that candidates may confuse the purpose of different Microsoft 365 Defender tables, mistakenly selecting DeviceProcessEvents or DeviceFileEvents for network-related queries because they associate processes or files with data exfiltration, rather than recognizing that network connections are stored exclusively in DeviceNetworkEvents.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation events, not network connections, and does not contain RemoteIP or RemotePort fields. Option C is wrong because DeviceFileEvents logs file creation, modification, and deletion events, not network connections, and lacks RemoteIP/RemotePort. Option D is wrong because EmailEvents tracks email messages, not device network connections, and uses SenderUpn (a user principal name) instead of DeviceName, making the filter invalid.

67
MCQ · medium

A security analyst in Microsoft 365 Defender uses advanced hunting to detect possible credential theft. They want to find instances where a user signed in from an IP address that is not in their organization's known IP range. Which table should they query to get sign-in location and IP address?

A. DeviceLogonEvents
B. IdentityLogonEvents
C. EmailEvents
D. AlertInfo
Answer: B

IdentityLogonEvents captures cloud and on-premises identity authentication attempts, including the source IP address and user details.

Why this answer

IdentityLogonEvents is the correct table because it contains cloud identity logon data from Microsoft Entra ID (formerly Azure AD), including sign-in location, IP address, and user details. This table is specifically designed for hunting authentication-related events like credential theft, where you need to correlate user sign-ins with IP addresses to detect anomalies against known IP ranges.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (local device logs) with IdentityLogonEvents (cloud identity logs), failing to recognize that credential theft via cloud sign-ins requires cloud authentication data, not local OS event logs.

How to eliminate wrong answers

Option A is wrong because DeviceLogonEvents captures local device logon events (e.g., Windows security events like Event ID 4624) and does not include cloud sign-in IP addresses or location data from Microsoft Entra ID. Option C is wrong because EmailEvents focuses on email-related events (e.g., delivery, phishing) and does not contain sign-in location or IP address data. Option D is wrong because AlertInfo provides metadata about alerts (e.g., severity, title) but does not contain raw sign-in logs with IP addresses or location information.

68
MCQ · easy

A security analyst is investigating a malware outbreak and needs to find all devices where a specific malicious file with a known SHA1 hash has been observed in the last 24 hours. Which Advanced Hunting table in Microsoft 365 Defender should be the primary source for this query?

A. DeviceFileEvents
B. EmailAttachmentInfo
C. DeviceProcessEvents
D. DeviceNetworkEvents
Answer: A

Correct. DeviceFileEvents records file creation and modification events with SHA1 hashes, making it suitable for finding devices with a specific file hash.

Why this answer

DeviceFileEvents is the correct table because it specifically records file creation, modification, and deletion events on endpoints, including the SHA1 hash of files. To find all devices where a specific malicious file with a known SHA1 hash has been observed, this table provides the direct file-level telemetry needed for the query.

Exam trap

The trap here is that candidates may confuse file observation with process execution or network activity, leading them to choose DeviceProcessEvents or DeviceNetworkEvents, but DeviceFileEvents is the only table that directly records the presence of a file by its hash on a device.

How to eliminate wrong answers

Option B is wrong because EmailAttachmentInfo tracks email attachments and their metadata, but it does not record file events on devices after the attachment is opened or saved, so it cannot show where the file was observed on endpoints. Option C is wrong because DeviceProcessEvents logs process creation events, not file events; while a malicious file might be executed as a process, the table does not directly record the SHA1 hash of the file itself unless it is the process image. Option D is wrong because DeviceNetworkEvents logs network connections and traffic, not file-level events, so it cannot be used to find devices where a specific file was observed.

69
Matching · medium

Match each threat intelligence indicator type to its description.

IPv4 or IPv6 address associated with malicious activity

Domain name used for phishing or C2

Full URL path involved in an attack

MD5, SHA1, or SHA256 hash of a malicious file

Sender address from a phishing campaign

Why these pairings

These are common STIX indicator types used in threat intelligence.

70
MCQ · easy

An organization uses Microsoft Defender for Office 365. The security team wants to automatically investigate and respond to user-reported phishing emails. Which feature should they enable to automate this process?

A. Attack simulation training
B. Automated investigation and response (AIR)
C. Campaign views
D. Threat Explorer
Answer: B

Correct: AIR can be configured to automatically investigate and remediate threats in user-reported emails.

Why this answer

Automated investigation and response (AIR) in Microsoft Defender for Office 365 automatically triggers a playbook when a user reports a phishing email via the Report Message or Report Phishing add-in. It collects the email, analyzes it using threat intelligence and machine learning, and takes remediation actions such as soft-deleting the message or blocking the sender, all without manual intervention.

Exam trap

The trap here is that candidates often confuse 'Attack simulation training' (a proactive training tool) with the automated response capability, or they think 'Threat Explorer' or 'Campaign views' can automate responses, when in fact those are manual investigation and visualization tools, not automated response engines.

How to eliminate wrong answers

Option A is wrong because Attack simulation training is used to create and run simulated phishing campaigns to train users, not to automatically investigate or respond to actual user-reported phishing emails. Option C is wrong because Campaign views provide a consolidated dashboard to identify and analyze coordinated phishing or malware campaigns across the organization, but they do not automate the investigation and response process for individual user-reported emails. Option D is wrong because Threat Explorer is a real-time investigation tool that allows security analysts to query and hunt for threats across email and collaboration data, but it does not automatically trigger responses based on user reports.

71
MCQ · medium

A security analyst is investigating a malware incident and has identified a specific parent process ID (PID) on an endpoint. The analyst wants to retrieve all outbound network connections made by any child processes spawned by this parent process. Which advanced hunting table should the analyst query to get the network connection details, including the destination IP and the child process ID?

A. DeviceProcessEvents
B. DeviceNetworkEvents
C. DeviceEvents
D. IdentityNetworkEvents
Answer: B

DeviceNetworkEvents captures network connections initiated by processes, including destination IP and initiating process ID.

Why this answer

DeviceNetworkEvents is the correct table because it specifically captures outbound network connections, including destination IP addresses and process IDs (PID). By filtering on the parent process ID and then joining or filtering on child process IDs, the analyst can trace all network connections initiated by child processes spawned from the identified parent PID.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (which shows process ancestry) with DeviceNetworkEvents (which shows actual network flows), mistakenly thinking process creation logs include network details, when in fact you need the network-specific table to retrieve destination IPs and child process IDs.

How to eliminate wrong answers

Option A is wrong because DeviceProcessEvents logs process creation events (e.g., command lines, parent PID) but does not include network connection details such as destination IP or port. Option C is wrong because DeviceEvents captures security-related events (e.g., Windows Defender alerts, file modifications) but not raw network connection logs. Option D is wrong because IdentityNetworkEvents is part of Microsoft Defender for Identity and tracks network activities related to identity-based attacks (e.g., Kerberos, NTLM) on domain controllers, not endpoint outbound connections from arbitrary child processes.

72
MCQ · hard

A security analyst is using Microsoft 365 Defender advanced hunting to investigate potential lateral movement. The analyst has identified a compromised device (DeviceA) and wants to find all other devices to which DeviceA initiated a remote desktop connection in the last 24 hours. Which table and query approach should the analyst use?

A. Query DeviceNetworkEvents for events from DeviceA with RemotePort 3389, then join with DeviceInfo to get target device names.
B. Query DeviceLogonEvents for LogonType 10 (RemoteInteractive), filtering by initiating device.
C. Query IdentityLogonEvents to find logons associated with DeviceA.
D. Query EmailEvents to find emails sent from DeviceA that contain RDP configuration files.
Answer: A

DeviceNetworkEvents captures network connections, including destination IP and port. Remote Desktop connections typically use port 3389. From the destination IP, the analyst can identify the target devices via DeviceInfo.

Why this answer

Option A is correct because DeviceNetworkEvents logs network connections, including outbound RDP traffic (port 3389). By filtering for events from DeviceA with RemotePort 3389, the analyst captures all RDP connections initiated by DeviceA. Joining with DeviceInfo resolves the target IP addresses to device names, providing a complete list of devices that received an RDP connection from DeviceA in the last 24 hours.

Exam trap

The trap here is that candidates confuse 'initiating an RDP connection' (network-level outbound connection) with 'successful RDP logon' (authentication event on the target), leading them to incorrectly choose DeviceLogonEvents with LogonType 10 instead of DeviceNetworkEvents.

How to eliminate wrong answers

Option B is wrong because DeviceLogonEvents with LogonType 10 (RemoteInteractive) records successful interactive logons on the target device, not the initiation of an RDP connection from the source device; it would show logons on DeviceA from other devices, not connections from DeviceA to others. Option C is wrong because IdentityLogonEvents tracks authentication events at the identity level (e.g., Azure AD logons), not device-level network connections or RDP session initiations. Option D is wrong because EmailEvents logs email traffic, not network connections; RDP configuration files attached to emails are irrelevant to detecting actual RDP connections made from DeviceA.

73
MCQ · medium

A security analyst is investigating a user who may have been compromised. The analyst sees a sign-in from an unusual location and then a series of suspicious actions performed by that user, including deleting files and sending emails. The analyst wants to find all emails sent by the user after the anomalous sign-in. Which advanced hunting tables should be used?

A. EmailEvents and IdentityLogonEvents
B. EmailEvents and DeviceFileEvents
C. IdentityLogonEvents and DeviceEvents
D. EmailAttachmentInfo and EmailUrlInfo alone
Answer: A

EmailEvents provides the email data, and IdentityLogonEvents provides sign-in times to correlate and find emails sent after the suspicious sign-in.

Why this answer

Option A is correct because the investigation requires correlating a specific sign-in event (from IdentityLogonEvents) with subsequent email activity (from EmailEvents). IdentityLogonEvents captures authentication details including location, while EmailEvents records email send/receive metadata. Joining these tables on the user principal name (UPN) and timestamp allows the analyst to filter all emails sent after the anomalous sign-in.

Exam trap

The trap here is that candidates often confuse DeviceFileEvents or DeviceEvents with email-related tables, forgetting that email actions are logged in EmailEvents, not in endpoint-level event tables.

How to eliminate wrong answers

Option B is wrong because DeviceFileEvents tracks file operations on endpoints, not email activity; it cannot identify emails sent by the user. Option C is wrong because DeviceEvents captures system-level events like process creation or registry changes, not email send actions; it lacks the email-specific fields needed. Option D is wrong because EmailAttachmentInfo and EmailUrlInfo alone provide details about attachments and URLs in emails but do not include the email send event itself or the sign-in context; they cannot identify which emails were sent after a specific sign-in.

74
MCQ · hard

An organization uses Microsoft Defender for Office 365. A security analyst is investigating a phishing email that was delivered to a user. The user clicked the link, but it was blocked by Defender for Office 365 at the time of click. The analyst needs to view the full click verdict, including the specific block action (e.g., blocked by custom block list). Where can the analyst find this information?

A. Threat Explorer in Microsoft 365 Defender
B. The email entity page in Microsoft 365 Defender
C. The advanced hunting table EmailEvents
D. The Attack simulation training dashboard
Answer: B

The email entity page includes a 'Click verdict' section that displays details about the user's click, including the verdict and the reason for blocking.

Why this answer

The email entity page in Microsoft 365 Defender provides the full click verdict for a specific email, including the exact block action (e.g., blocked by custom block list, blocked by URL reputation). This page aggregates all detection and verdict details for a single email, making it the correct location for the analyst to view the specific block action at time of click.

Exam trap

The trap here is that candidates often assume Threat Explorer (Option A) is the go-to for all email investigation details, but it aggregates data and requires navigation to the email entity page to see the specific click verdict and block action.

How to eliminate wrong answers

Option A is wrong because Threat Explorer shows aggregated threat data and trends, but does not display the full click verdict with the specific block action for a single email; it requires drilling into the email entity page for that detail. Option C is wrong because the advanced hunting table EmailEvents contains raw event data but does not include the full click verdict or the specific block action; it requires joining with other tables and does not present the verdict in a user-friendly format. Option D is wrong because the Attack simulation training dashboard is used for managing simulated phishing campaigns and training, not for viewing real click verdicts or block actions from actual phishing emails.

75
MCQ · easy

A security analyst uses Microsoft 365 Defender advanced hunting to investigate a phishing campaign. The analyst knows the Internet Message ID of a malicious email. Which table should the analyst query to find all users who received that specific email?

A. EmailEvents
B. EmailAttachmentInfo
C. EmailUrlInfo
D. EmailPostDeliveryEvents
Answer: A

EmailEvents stores records of email delivery, including sender, recipient, subject, and InternetMessageId. Querying this table by InternetMessageId will return all relevant email events.

Why this answer

The EmailEvents table in Microsoft 365 Defender advanced hunting stores records of email transactions, including the Internet Message ID and recipient information. By querying this table with the known Internet Message ID, the analyst can retrieve all users who received that specific email, as it contains the RecipientEmailAddress field for each delivery event.

Exam trap

The trap here is that candidates often confuse EmailEvents with EmailPostDeliveryEvents, assuming post-delivery actions include recipient data, but EmailPostDeliveryEvents only logs post-delivery events like user clicks or remediation actions, not the original recipient list.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it stores metadata about email attachments, such as file names and hashes, but does not contain the Internet Message ID or recipient details needed to identify who received the email. Option C (EmailUrlInfo) is wrong because it logs URLs found in email bodies or attachments, not the email delivery recipients or the Internet Message ID. Option D (EmailPostDeliveryEvents) is wrong because it records actions taken after delivery (e.g., user clicks, ZAP actions), not the initial delivery recipients; it lacks the Internet Message ID field for mapping back to the original email.
