CCNA Mitigate Threats Using Microsoft Defender Xdr Questions

33 of 108 questions · Page 2/2 · Mitigate Threats Using Microsoft Defender Xdr topic

76
Drag & Drop · medium

Order the steps to investigate a user account compromise using Microsoft Sentinel incidents.



Why this order

Investigation starts with incident details, then reviewing alerts and behavior analytics, followed by deep querying, and finally remediation.

77
MCQ · easy

A security analyst is reviewing an email-related incident in Microsoft 365 Defender. The analyst wants to see the full delivery details, including the sender IP, authentication status, and the reason why the email was determined to be malicious. Which section of the email entity page should the analyst open?

A. Detection details
B. Details
C. Timeline
D. Preview
Answer: A

This section includes the sender IP, authentication results (SPF, DKIM, DMARC), and detection technology used.

Why this answer

The Detection details section of the email entity page in Microsoft 365 Defender provides comprehensive information about why an email was determined to be malicious, including the sender IP address, authentication status (SPF, DKIM, DMARC results), and the specific detection technology or policy that triggered the verdict. This section consolidates the full delivery details and threat analysis into a single view, making it the correct choice for the analyst's needs.

Exam trap

The trap here is that candidates often confuse the 'Details' section (which shows basic metadata) with the 'Detection details' section (which provides the full forensic analysis), leading them to select Option B incorrectly because they assume 'Details' is the most comprehensive option.

How to eliminate wrong answers

Option B (Details) is wrong because the Details section shows general email metadata such as subject, sender, and recipient, but does not include the full delivery details, authentication status, or the specific reason for the malicious verdict. Option C (Timeline) is wrong because the Timeline section displays a chronological sequence of events related to the email (e.g., delivery, user actions), but it does not provide the sender IP, authentication results, or the detection reason in a consolidated format. Option D (Preview) is wrong because the Preview section shows the rendered content of the email (body, attachments) for visual inspection, but it lacks the technical delivery details and detection logic needed to understand why the email was flagged as malicious.

78
MCQ · hard

A security analyst is investigating a ransomware attack in Microsoft 365 Defender and needs to understand how the attacker moved laterally from an initial compromised workstation to a domain controller. Which feature should the analyst use to see a visual timeline of device-to-device connections and process executions?

A. Device timeline view for each affected device
B. Incident graph (attack story)
C. Advanced hunting with DeviceNetworkEvents and DeviceProcessEvents
D. Automated investigation report
Answer: B

This graph maps the entire incident, showing connections between devices and processes, ideal for tracing lateral movement.

Why this answer

The Incident graph (attack story) in Microsoft 365 Defender provides a visual, interactive timeline that correlates alerts, device-to-device connections, and process executions across the entire attack chain. This allows the analyst to trace lateral movement from the initial compromised workstation to the domain controller in a single, consolidated view, which is exactly what the question requires.

Exam trap

The trap here is that candidates often confuse the single-device Device timeline view (Option A) with the multi-device Incident graph, failing to recognize that lateral movement analysis requires a cross-device perspective, not per-device logs.

How to eliminate wrong answers

Option A is wrong because the Device timeline view shows events for a single device only, not the cross-device lateral movement path. Option C is wrong because Advanced hunting with DeviceNetworkEvents and DeviceProcessEvents requires manual query construction and does not provide a built-in visual timeline of the attack story. Option D is wrong because the Automated investigation report summarizes remediation actions and findings for a specific alert, not the full lateral movement timeline across multiple devices.

79
MCQ · easy

An organization uses Microsoft Defender for Office 365. A security analyst wants to configure automated investigation and response (AIR) for email threats. When a user reports a phishing email using the Report Message add-in, which automated action can be triggered by an AIR playbook?

A. Trigger a training campaign for the user who reported the email.
B. Move the email to the tenant's shared mailbox for review.
C. Remove the Report Message add-in from Outlook to prevent false reports.
D. Soft-delete the email from the user's mailbox and other mailboxes that received the same message.
Answer: D

Correct. AIR can automatically delete the reported email across the organization to contain the threat.

Why this answer

When a user reports a phishing email via the Report Message add-in, the automated investigation and response (AIR) playbook in Microsoft Defender for Office 365 can automatically soft-delete the email from the user's mailbox and from all other mailboxes that received the same message. This action is part of the built-in remediation steps that AIR can take after confirming the threat, leveraging the email entity's hash or message ID to perform tenant-wide removal via the threat protection pipeline.

Exam trap

The trap here is that candidates may confuse automated remediation actions (like soft-delete) with administrative or training-related tasks, leading them to select options that describe manual or non-automated processes.

How to eliminate wrong answers

Option A is wrong because triggering a training campaign is not an automated action within an AIR playbook; training campaigns are separate features in Defender for Office 365 that require manual configuration and are not triggered automatically by AIR. Option B is wrong because moving the email to a shared mailbox for review is not a standard AIR remediation action; AIR focuses on containment and removal, not manual review workflows. Option C is wrong because removing the Report Message add-in would prevent future reports and is not an automated remediation action; AIR playbooks are designed to respond to threats, not to disable reporting tools.

80
MCQ · easy

A security analyst is investigating a ransomware incident in Microsoft 365 Defender. The analyst wants to see a timeline of all actions performed on a specific device, including file creation, registry modifications, and network connections, in chronological order. Which feature should the analyst use?

A. Device timeline
B. Advanced hunting
C. Incident graph
D. Action center
Answer: A

The device timeline displays a chronological sequence of events that occurred on a specific device, allowing analysts to trace attack activities.

Why this answer

The Device timeline in Microsoft Defender for Endpoint provides a chronological view of all events and actions on a specific device, including file creation, registry modifications, and network connections. This feature is specifically designed for forensic investigation of incidents like ransomware, offering a time-ordered list of activities without requiring custom queries.

Exam trap

The trap here is that candidates may confuse the chronological event view of the Device timeline with the query-based flexibility of Advanced hunting, but the question specifically asks for a pre-built timeline without requiring custom queries.

How to eliminate wrong answers

Option B is wrong because Advanced hunting is a query-based tool using Kusto Query Language (KQL) to search across raw data tables, not a pre-built chronological timeline for a single device. Option C is wrong because the Incident graph visualizes the relationships between alerts, assets, and entities within an incident, but it does not provide a sequential timeline of actions on a specific device. Option D is wrong because Action center is used to review and approve remediation actions (e.g., isolating a device or running antivirus scans), not to view historical event timelines.

81
MCQ · medium

An organization uses Microsoft 365 Defender. During an incident, the analyst wants to automatically isolate a compromised device from the network while allowing communication with a specific list of trusted IP addresses (e.g., for patching). Which action in an automated investigation and response (AIR) playbook for endpoints can achieve this?

A. Run antivirus scan
B. Isolate device
C. Contain device
D. Restrict app execution
Answer: B

Correct: Isolation can be configured with an allowed list of IPs, such as update servers, while blocking all other traffic.

Why this answer

The 'Isolate device' action in Microsoft Defender for Endpoint's automated investigation and response (AIR) playbook can be configured to isolate a device from the network while allowing communication with a specified list of trusted IP addresses (e.g., for patching or compliance). This is achieved through the 'selective isolation' capability, which uses Windows Filtering Platform (WFP) to block all inbound/outbound traffic except to the defined IPs. Option B is correct because it directly matches the requirement to maintain connectivity to trusted endpoints during isolation.

Exam trap

The trap here is that candidates often confuse 'Contain device' (which only blocks inbound connections from other devices) with 'Isolate device' (which blocks both inbound and outbound traffic, with optional selective allow lists), leading them to choose the wrong option when the question specifies allowing outbound communication to trusted IPs.

How to eliminate wrong answers

Option A is wrong because 'Run antivirus scan' only performs a malware scan and does not involve any network isolation or allow-listing of IP addresses. Option C is wrong because 'Contain device' is a legacy term from Microsoft Defender for Endpoint that typically refers to blocking communication with the device from other devices (network containment), but it does not provide the granular control to allow specific trusted IPs for outbound communication; it is a broader block. Option D is wrong because 'Restrict app execution' limits which applications can run on the device (e.g., via AppLocker or WDAC), but it does not affect network connectivity or allow specific IP addresses.

82
MCQ · medium

A security analyst in Microsoft 365 Defender has just completed an automated investigation on a device. The analyst wants to review the specific remediation actions that were taken automatically, such as file quarantine or process termination, as well as any actions that are still pending approval. Where should the analyst look?

A. Action center
B. Incident details page -> Alerts tab
C. Device timeline in advanced hunting
D. Email & collaboration incidents tab
Answer: A

Correct. The Action center lists all remediation actions from automated investigations and allows review and approval.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location to review all automated remediation actions (e.g., file quarantine, process termination) and pending approval actions across devices, email, and identities. It provides a unified view of completed, in-progress, and awaiting-approval actions from automated investigations, ensuring the analyst can track and manage remediation status efficiently.

Exam trap

The trap here is that candidates confuse the Incident details page (which shows alert evidence and investigation graph) with the Action center (which specifically tracks remediation actions and their approval status), leading them to select the Alerts tab instead of the correct centralized action management location.

How to eliminate wrong answers

Option B is wrong because the Incident details page's Alerts tab shows the alerts associated with an incident, not the specific remediation actions taken or pending; it focuses on alert metadata and evidence, not action status. Option C is wrong because the Device timeline in advanced hunting shows raw events and activities on a device (e.g., process creations, file modifications) but does not display remediation actions or their approval status; it is for hunting, not action management. Option D is wrong because the Email & collaboration incidents tab is specific to threats in Exchange Online and Microsoft Teams, not device-level automated remediation actions like file quarantine or process termination.

83
MCQ · medium

A security analyst is investigating a potential data exfiltration incident in Microsoft 365 Defender. They have identified a suspicious email sent to an external recipient containing an attachment. They want to know if the attachment has been opened and if any sensitive data was accessed. Which advanced hunting table should the analyst query to find email attachment activities, such as file download or view?

A. DeviceFileEvents
B. EmailEvents
C. EmailAttachmentInfo
D. UrlClickEvents
Answer: B

EmailEvents includes columns for action type, such as EmailAttachmentOpened or EmailAttachmentDownloaded, making it the correct table for this investigation.

Why this answer

B is correct because EmailEvents is the advanced hunting table in Microsoft 365 Defender that captures email-level activities, including whether an attachment was opened or viewed by the recipient. This table contains actions such as 'Email open' and 'Attachment open', which directly answer the analyst's question about attachment access and potential data exfiltration.

Exam trap

The trap here is that candidates often confuse EmailAttachmentInfo (which only provides static metadata) with EmailEvents (which includes user actions), leading them to select the wrong table for activity tracking.

How to eliminate wrong answers

Option A is wrong because DeviceFileEvents logs file operations (create, modify, delete) on endpoints, not email attachment activities like opening or viewing within an email client. Option C is wrong because EmailAttachmentInfo provides metadata about attachments (e.g., file name, size, hash) but does not include actions such as download or view. Option D is wrong because UrlClickEvents tracks clicks on URLs in emails or documents, not attachment open events.

84
MCQ · medium

An analyst is investigating a file that was detected as malicious on several devices. In Microsoft 365 Defender, where can the analyst find information about the file's prevalence, global reputation, and related incidents?

A. File entity page
B. Device entity page
C. User entity page
D. Email entity page
Answer: A

The file entity page aggregates all file-related information, making it the central place for investigation.

Why this answer

The File entity page in Microsoft 365 Defender aggregates file-level telemetry, including prevalence (number of devices/users), global reputation (Microsoft's cloud-based threat intelligence), and a timeline of related incidents. This page is the single pane of glass for file-centric investigations, pulling data from Microsoft Defender for Endpoint, Office 365, and other XDR sources.

Exam trap

Microsoft often tests the distinction between entity pages by making candidates confuse the File entity page (which shows prevalence and reputation) with the Device entity page (which shows device-specific alerts but not file-level global data).

How to eliminate wrong answers

Option B is wrong because the Device entity page focuses on device-level details (OS, alerts, logged-on users, network connections) and does not show file prevalence or global reputation. Option C is wrong because the User entity page displays user-centric data (sign-ins, roles, alerts) and lacks file-specific prevalence or reputation metrics. Option D is wrong because the Email entity page is scoped to email messages (headers, attachments, delivery status) and does not provide file prevalence across devices or global reputation scores.

85
MCQ · medium

In Microsoft 365 Defender, a security analyst wants to get a detailed report on a newly discovered malware campaign, including indicators of compromise, recommended actions, and impacted devices. Where should the analyst go to find this information?

A. Alerts queue
B. Incident page
C. Threat analytics
D. Action center
Answer: C

Threat analytics delivers detailed reports on active threats, including IoCs, impact, and mitigation guidance.

Why this answer

Threat analytics in Microsoft 365 Defender provides detailed reports on active malware campaigns, including indicators of compromise (IoCs), recommended actions, and impacted devices. This is the dedicated workspace for tracking and responding to emerging threats, offering curated intelligence from Microsoft security researchers.

Exam trap

The trap here is that candidates confuse the Incident page (which handles active investigations) with Threat analytics (which provides pre-built campaign intelligence and proactive guidance), leading them to select the Incident page for campaign details instead of the dedicated threat intelligence hub.

How to eliminate wrong answers

Option A is wrong because the Alerts queue shows individual security alerts (e.g., from Defender for Endpoint or Defender for Office 365) but does not aggregate campaign-level context, IoCs, or recommended actions. Option B is wrong because the Incident page groups related alerts into an incident for investigation but does not provide the pre-built campaign analysis, threat intelligence, or remediation guidance found in Threat analytics. Option D is wrong because the Action center lists pending and completed remediation actions (e.g., running antivirus scans or isolating devices) but does not contain threat campaign reports or IoCs.

86
MCQ · medium

During an incident investigation, an analyst notices a compromised user account that was used to access sensitive data from SharePoint Online. Which Microsoft 365 Defender workload would provide the most relevant alerts for suspicious file access patterns?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Cloud Apps
D. Microsoft Defender for Identity
Answer: C

Defender for Cloud Apps monitors cloud app activity including SharePoint Online and can alert on suspicious file access.

Why this answer

Microsoft Defender for Cloud Apps (Option C) is the correct workload because it provides visibility into cloud application usage, including SharePoint Online, and can generate alerts for suspicious file access patterns such as mass download, unusual file sharing, or access from anomalous locations. It uses behavioral analytics and anomaly detection to identify compromised accounts accessing sensitive data in SaaS applications like SharePoint.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud Apps with Microsoft Defender for Office 365, assuming Office 365 covers all cloud workloads, but Cloud Apps is specifically designed for SaaS app security and anomaly detection in services like SharePoint.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint devices (e.g., Windows, macOS, Linux) and detects threats like malware or suspicious processes on those devices, not file access patterns in SharePoint Online. Option B is wrong because Microsoft Defender for Office 365 primarily protects email and collaboration tools (Exchange Online, Teams) from threats like phishing and malware, but does not specialize in monitoring file access patterns in SharePoint. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory and hybrid identities for attacks like Kerberos abuse or lateral movement, not cloud-based SharePoint file access.

87
MCQ · hard

A security analyst is investigating a ransomware incident and needs to find all files that were written to a specific device within a 5-minute window before the ransomware process started. The analyst knows the device name and the ransomware process start time. Which advanced hunting table and KQL operator combination would be most efficient to find the file creation events?

A. DeviceFileEvents with where
B. DeviceProcessEvents with join
C. DeviceEvents with where
D. DeviceImageLoadEvents with where
Answer: A

DeviceFileEvents contains file creation events; filtering with 'where' on device and time is the simplest approach.

Why this answer

DeviceFileEvents is the correct table because it specifically captures file creation, modification, and deletion events on devices. Using the `where` operator to filter by device name and a timestamp range (5 minutes before the ransomware process start time) is the most efficient way to retrieve the exact file creation events needed for the investigation.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents (process creation) with file creation events, or they think a `join` is needed to correlate process start time with file events, when a simple `where` on DeviceFileEvents is sufficient and more efficient.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents tracks process creation events, not file creation events, and using `join` would be unnecessarily complex and less efficient than a simple `where` filter. Option C is wrong because DeviceEvents is a generic table that captures various security events (e.g., Windows Defender alerts, exploit guard events) but does not specifically log file creation events. Option D is wrong because DeviceImageLoadEvents records when a process loads a DLL or executable image, not file creation events.
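A worked form of the filter described above, added here as an illustration rather than taken from the exam page. The device name and the ransomware process file name are assumed placeholders; the table and column names are those of the advanced hunting schema.

```kql
// Added example (not from the original page): file creation events on one device
// in the 5 minutes before a ransomware process started, using only a where filter.
let targetDevice = "ws-finance-07.contoso.local";   // assumed device name (placeholder)
let ransomwareProc = "suspicious-encryptor.exe";    // assumed process file name (placeholder)
// Read the process start time from the first matching process-creation record instead of
// typing it in. toscalar() returns a single datetime, so no join with DeviceProcessEvents is needed.
let processStart = toscalar(
    DeviceProcessEvents
    | where DeviceName == targetDevice and FileName =~ ransomwareProc
    | summarize min(Timestamp));
DeviceFileEvents
| where DeviceName == targetDevice
| where ActionType == "FileCreated"                 // add "FileModified" to also catch overwrites
| where Timestamp between ((processStart - 5m) .. processStart)
| project Timestamp, ActionType, FolderPath, FileName, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| order by Timestamp asc
```

If no process-creation record matches, processStart is null and the query returns no rows, which is the signal to check the process name and device name before widening the window.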

88
MCQ · medium

A security analyst suspects a user's device is exfiltrating data via DNS queries to a known malicious domain. Which Advanced Hunting table should the analyst query to find DNS requests made from the device?

A. DeviceNetworkEvents
B. DeviceProcessEvents
C. IdentityLogonEvents
D. EmailUrlInfo
Answer: A

This table logs network connections, and when the action type is DnsQuery, it captures DNS requests.

Why this answer

DeviceNetworkEvents is the correct table because it contains network-level events, including DNS queries, from devices monitored by Microsoft Defender for Endpoint. The analyst needs to inspect DNS requests to identify exfiltration to a known malicious domain, and this table specifically logs the destination URL (including FQDNs) and the initiating process, making it the appropriate source for such queries.

Exam trap

The trap here is that candidates may confuse DeviceProcessEvents with network activity because processes initiate network connections, but DeviceProcessEvents only logs process creation details, not the actual network traffic or DNS queries.

How to eliminate wrong answers

Option B (DeviceProcessEvents) is wrong because it logs process creation events (e.g., command-line arguments, parent processes), not network traffic like DNS queries. Option C (IdentityLogonEvents) is wrong because it captures authentication and logon events from Azure Active Directory, not network-level DNS activity. Option D (EmailUrlInfo) is wrong because it records URLs found in email messages, not DNS queries made from a device.

89
MCQ · hard

A security analyst uses advanced hunting in Microsoft 365 Defender to investigate a potential lateral movement attack. The analyst suspects that an attacker used stolen credentials to authenticate to multiple workstations via RDP. Which KQL query would return a list of devices where a single user account (user@contoso.com) had successful interactive logons on more than 5 distinct devices within a 10-minute window?

A. DeviceNetworkEvents | where RemoteIP == 'user@contoso.com' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
B. IdentityLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
C. DeviceLogonEvents | where AccountUpn == 'user@contoso.com' and LogonType == 'Interactive' | summarize dcount(DeviceName) by bin(Timestamp, 10m) | where dcount_DeviceName > 5
D. DeviceLogonEvents | where AccountUpn == 'user@contoso.com' | summarize count() by DeviceName, bin(Timestamp, 10m) | where count_ > 5
Answer: C

Correct. This query filters for the user's interactive logons, groups by 10-minute windows, counts distinct DeviceNames, and returns windows where the count exceeds 5.

Why this answer

Option C is correct because DeviceLogonEvents is the Microsoft 365 Defender table that captures logon events on devices, including RDP interactive logons. The query filters for the specific user account and interactive logon type, then uses summarize with dcount(DeviceName) by bin(Timestamp, 10m) to count distinct devices within each 10-minute window, and finally filters for windows where the distinct device count exceeds 5, which matches the lateral movement scenario.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents with IdentityLogonEvents or DeviceNetworkEvents, mistakenly thinking network events or identity provider logs can reveal device-level interactive logon patterns, but only DeviceLogonEvents contains the necessary fields (AccountUpn, LogonType, DeviceName) for this specific lateral movement detection.

How to eliminate wrong answers

Option A is wrong because DeviceNetworkEvents captures network-level events (like connections), not logon events, and filtering RemoteIP by a UPN (user@contoso.com) is semantically incorrect—RemoteIP is an IP address, not a user identifier. Option B is wrong because IdentityLogonEvents tracks authentication events from identity providers (like Azure AD) and does not include device-level interactive logon details such as RDP logons on workstations. Option D is wrong because it uses count() instead of dcount(DeviceName), which counts total logon events per device rather than distinct devices, and it lacks the LogonType filter for 'Interactive', so it would include non-interactive logons and fail to identify lateral movement via RDP.

90
MCQ · medium

A security analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a user receives more than 5 emails with the same attachment name within 1 hour, indicating a possible malware campaign. Which advanced hunting tables should be joined to achieve this detection?

A. Join EmailEvents and EmailAttachmentInfo on NetworkMessageId
B. Join EmailEvents and EmailUrlInfo on NetworkMessageId
C. Use only EmailAttachmentInfo table with a filter on file name
D. Join EmailEvents and DeviceFileEvents on SHA1 hash
Answer: A

This join allows counting emails per attachment name per user within a time window.

Why this answer

To detect when a user receives more than 5 emails with the same attachment name within 1 hour, you need to correlate email metadata with attachment details. The EmailEvents table contains email-level information (e.g., recipient, timestamp), while the EmailAttachmentInfo table stores attachment-level data (e.g., file name). Joining these on NetworkMessageId allows you to count occurrences of the same attachment name per recipient within a time window, enabling the custom detection rule.

Exam trap

The trap here is that candidates may think they need to join with endpoint file events (DeviceFileEvents) to detect malware, but the question specifically requires detecting the email receipt pattern, not post-delivery execution.

How to eliminate wrong answers

Option B is wrong because EmailUrlInfo contains URL data from emails, not attachment names, so it cannot be used to count attachments by file name. Option C is wrong because using only EmailAttachmentInfo lacks recipient and timestamp fields from EmailEvents, making it impossible to filter by user and time window. Option D is wrong because DeviceFileEvents tracks files on endpoints, not email attachments, and joining on SHA1 hash would require hash values, not file names, and would not capture email-specific metadata like recipient.
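The join and count described above, written out as a custom detection query. This is an added example, not code from the exam page; the threshold and one-hour window come from the question, while the direction filter and the output columns are choices made here.

```kql
// Added example (not from the original page): more than 5 inbound emails carrying an
// attachment with the same file name, delivered to one recipient within a 1-hour bin.
let lookback = 1h;
let threshold = 5;
EmailEvents
| where Timestamp > ago(lookback)
| where EmailDirection == "Inbound"               // campaign mail arrives from outside the tenant
| join kind=inner (
    EmailAttachmentInfo
    | where isnotempty(FileName)
    | project NetworkMessageId, RecipientEmailAddress, FileName, SHA256
  // NetworkMessageId identifies the message; adding RecipientEmailAddress to the join key
  // prevents a multi-recipient message from multiplying rows across recipients.
  ) on NetworkMessageId, RecipientEmailAddress
| summarize
    EmailCount = count(),
    Senders = make_set(SenderFromAddress, 10),
    Hashes = make_set(SHA256, 10),                // same name with many hashes suggests polymorphic lures
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    NetworkMessageId = any(NetworkMessageId),
    ReportId = any(ReportId)                      // Timestamp and ReportId are needed by custom detection rules
  by RecipientEmailAddress, FileName, bin(Timestamp, lookback)
| where EmailCount > threshold
| project Timestamp, RecipientEmailAddress, FileName, EmailCount, Senders, Hashes,
          FirstSeen, LastSeen, NetworkMessageId, ReportId
```

bin() uses fixed one-hour buckets, so a burst that straddles a bucket boundary can fall under the threshold in both halves; shortening the bin or running the rule more often reduces that gap.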

91
MCQ · hard

A security analyst is writing a Kusto Query Language (KQL) advanced hunting query in Microsoft 365 Defender to detect lateral movement using Remote Desktop Protocol (RDP). Which table should the analyst join with the DeviceNetworkEvents table to identify processes initiating outgoing RDP connections?

A. DeviceProcessEvents
B. DeviceLogonEvents
C. DeviceFileEvents
D. DeviceRegistryEvents
Answer: A

DeviceProcessEvents contains process creation events, which can be joined with network events to identify the process initiating the RDP connection.

Why this answer

The DeviceNetworkEvents table logs network connections, including outgoing RDP traffic (port 3389). To identify which process initiated a specific outgoing RDP connection, you must join with the DeviceProcessEvents table on DeviceId and Timestamp (or ProcessId), because DeviceProcessEvents contains the process creation details (e.g., mstsc.exe) that launched the network connection. This join reveals the parent process responsible for the lateral movement attempt.

Exam trap

The trap here is that candidates often confuse DeviceLogonEvents (which logs RDP logon events) with the process initiation side, but the question asks for the table that identifies the process initiating the outgoing connection, not the authentication event on the target machine.

How to eliminate wrong answers

Option B is wrong because DeviceLogonEvents tracks authentication events (logon sessions), not process-to-network mappings; it cannot identify which process initiated the RDP connection. Option C is wrong because DeviceFileEvents logs file creation, modification, and deletion events, which are unrelated to network connection initiation. Option D is wrong because DeviceRegistryEvents records registry key changes, which have no direct role in identifying the process that started an outgoing RDP session.

92
MCQ · medium

A security analyst is investigating a potential malware outbreak detected by Microsoft 365 Defender. The analyst needs to identify all devices that have executed a specific parent process with a given ProcessId. Which column in the DeviceProcessEvents table should be used to find processes whose parent is the specified process?

A. ParentProcessId
B. InitiatingProcessId
C. ProcessId
D. LogonId
Answer: A

ParentProcessId directly identifies the process that spawned the current process, allowing filtering for child processes.

Why this answer

The ParentProcessId column in the DeviceProcessEvents table stores the process ID (PID) of the parent process that initiated the current process. To find all child processes spawned by a specific parent process with a known ProcessId, you query the ParentProcessId column for that value. This directly links child processes to their parent, enabling the analyst to trace the malware's execution chain.

Exam trap

The trap here is that candidates confuse InitiatingProcessId (which often appears in alert schemas for the root process of an incident) with ParentProcessId, not realizing that in DeviceProcessEvents, the direct parent-child relationship is stored in ParentProcessId, not InitiatingProcessId.

How to eliminate wrong answers

Option B (InitiatingProcessId) is wrong because it refers to the process ID of the process that initiated the event, which is often the same as the parent process in some contexts, but in Microsoft 365 Defender's schema, InitiatingProcessId is used for the process that started the entire chain (e.g., from an alert), not for direct parent-child relationships in DeviceProcessEvents. Option C (ProcessId) is wrong because it is the unique identifier of the current process itself, not its parent; using it would only find the process with that specific PID, not its children. Option D (LogonId) is wrong because it identifies the user logon session under which the process runs, not the parent process relationship; it is used for grouping processes by session, not for parent-child lineage.

93
MCQeasy

A security analyst in Microsoft 365 Defender is investigating an incident that involves multiple devices. The analyst wants to see a visual representation of the attack, showing how the attacker moved from one device to another. Which feature provides this view?

A.Alert queue
B.Incident graph
C.Advanced hunting
D.Action center
AnswerB

The Incident graph maps the entire attack story, showing how the attacker moved across devices and other entities.

Why this answer

The Incident graph in Microsoft 365 Defender provides a visual, interactive representation of an attack, showing how the attacker moved from one device to another, including lateral movement paths and related alerts. This feature is specifically designed to help analysts understand the full scope of an incident by mapping out the relationships between entities such as devices, users, and alerts.

Exam trap

The trap here is that candidates often confuse the Incident graph with Advanced hunting, thinking that a query-based tool is needed to visualize attack paths, but the Incident graph provides this visualization automatically without requiring any query writing.

How to eliminate wrong answers

Option A is wrong because the Alert queue is a list of individual alerts, not a visual graph showing lateral movement between devices. Option C is wrong because Advanced hunting is a query-based tool for searching raw data using KQL, not a pre-built visual attack path. Option D is wrong because the Action center is used to view and approve remediation actions (e.g., isolating devices, running antivirus scans), not to visualize attack progression.

94
MCQeasy

A security analyst wants to identify all devices in the organization that are affected by a specific software vulnerability (CVE-2023-1234) using Microsoft 365 Defender Advanced Hunting. Which table should be queried?

A.DeviceInfo
B.DeviceTvmSoftwareVulnerabilities
C.DeviceTvmSoftwareInventory
D.DeviceNetworkInfo
AnswerB

This table holds one row per device and vulnerable software product found by Microsoft Defender Vulnerability Management (the feature the Tvm prefix refers to), with the CVE ID, severity and recommended security update. It is the correct source for finding devices with a specific CVE.

Why this answer

The DeviceTvmSoftwareVulnerabilities table in Microsoft 365 Defender Advanced Hunting contains records of software vulnerabilities discovered on devices, including specific CVE identifiers like CVE-2023-1234. This table is designed to answer questions about which devices are affected by a particular vulnerability, as it links device IDs to vulnerability details such as CVE ID, severity level, the vulnerable software name and version, and the recommended security update.

Exam trap

The trap here is that candidates often confuse DeviceTvmSoftwareInventory (which lists installed software) with DeviceTvmSoftwareVulnerabilities (which lists actual vulnerabilities), leading them to pick Option C because they think software inventory implies vulnerability presence.

How to eliminate wrong answers

Option A is wrong because DeviceInfo provides general device metadata (e.g., OS version, device name, last seen time) but does not include vulnerability or software inventory details. Option C is wrong because DeviceTvmSoftwareInventory lists installed software products and versions on devices, but it does not map those to specific CVEs or vulnerabilities. Option D is wrong because DeviceNetworkInfo contains network-related data such as IP addresses, network adapters, and connection details, and has no relation to software vulnerabilities.
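As an added example that is not part of the original page, the query below answers the question for one CVE and enriches each affected device with what a practitioner needs to prioritise patching: the vulnerable software version and fix from DeviceTvmSoftwareVulnerabilities, CVSS score and exploit availability from the DeviceTvmSoftwareVulnerabilitiesKB knowledge-base table, and device group, exposure level and internet-facing status from DeviceInfo. CVE-2023-1234 is the question's placeholder identifier.

```kusto
// Added example (not from the page): devices affected by one CVE, with prioritisation context.
// CVE-2023-1234 is the question's placeholder; the DeviceInfo columns are assumed to be populated.
let TargetCve = "CVE-2023-1234";
DeviceTvmSoftwareVulnerabilities
| where CveId =~ TargetCve
| project DeviceId, DeviceName, OSPlatform, CveId,
          SoftwareVendor, SoftwareName, SoftwareVersion,
          VulnerabilitySeverityLevel, RecommendedSecurityUpdate
// Knowledge-base row for the CVE: CVSS score and whether a public exploit is known
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where CveId =~ TargetCve
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
// Latest DeviceInfo snapshot per device (the table is written repeatedly, so take the newest row)
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, MachineGroup, ExposureLevel, IsInternetFacing) by DeviceId
    | project DeviceId, MachineGroup, ExposureLevel, IsInternetFacing
  ) on DeviceId
| project DeviceName, OSPlatform, MachineGroup, ExposureLevel, IsInternetFacing,
          SoftwareVendor, SoftwareName, SoftwareVersion,
          VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, PublishedDate,
          RecommendedSecurityUpdate
// Exploited-in-the-wild and high CVSS first
| order by IsExploitAvailable desc, CvssScore desc, DeviceName asc
```

DeviceTvmSoftwareInventory would only tell you which devices carry the product; it is this table's CveId column, one row per device and product, that turns "installed" into "vulnerable".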

95
MCQmedium

In Microsoft 365 Defender, an analyst is investigating an incident involving a malicious script. The analyst wants to see the command-line arguments executed by the script on a specific device. Which Advanced Hunting table should the analyst query?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceFileEvents
D.DeviceEvents
AnswerA

This table logs process creation events and includes the command line, allowing the analyst to see executed arguments.

Why this answer

The DeviceProcessEvents table in Advanced Hunting captures process creation events, including the command-line arguments used to execute a process. Since the analyst needs to see the command-line arguments executed by a malicious script on a specific device, querying DeviceProcessEvents is the correct approach because it records the ProcessCommandLine column for each process creation event.

Exam trap

The trap here is that candidates often confuse DeviceProcessEvents with DeviceEvents, assuming the latter is a superset of all endpoint telemetry, but DeviceEvents holds the event types that have no dedicated table (antivirus detections, attack surface reduction and exploit protection events, scheduled-task changes, AMSI script content and the like) and does not record process creation, so the command line of the newly created process is found in DeviceProcessEvents.ProcessCommandLine.

How to eliminate wrong answers

Option B is wrong because DeviceNetworkEvents logs network connections (e.g., source/destination IPs, ports, protocols, URLs); its only command line is InitiatingProcessCommandLine, the command line of the process that opened the connection, not a record of process creation. Option C is wrong because DeviceFileEvents records file creation, modification, rename and deletion events, again with only the initiating process's command line. Option D is wrong because DeviceEvents is a catch-all for event types without their own table (antivirus detections, attack surface reduction events, scheduled tasks, AMSI script content and similar); process creation, with the new process's own command line in ProcessCommandLine, is recorded in DeviceProcessEvents.

96
MCQhard

An analyst is investigating a sophisticated attack involving a compromised device. The analyst has identified a malicious process that spawned multiple child processes. The analyst wants to create a custom detection rule in Microsoft 365 Defender that alerts when a specific parent process creates a child process that makes an outbound network connection to any IP not in the organization's internal range. Which KQL query and rule type should the analyst use?

A.Create a custom detection rule (Advanced Hunting rule) with a query that joins DeviceProcessEvents and DeviceNetworkEvents, filtering for the parent process and external IP addresses
B.Create a scheduled rule in Sentinel and export the data from M365 Defender
C.Use a custom detection rule with DeviceEvents only
D.Use a Microsoft Defender for Endpoint custom detection rule (built-in) that already detects child process connections
AnswerA

Correct. Custom detection rules in M365 Defender allow multi-table joins and scheduled alerting, exactly what this scenario requires.

Why this answer

Option A is correct because the analyst needs to correlate process creation events with network connection events across two separate tables (DeviceProcessEvents and DeviceNetworkEvents) in Advanced Hunting. A custom detection rule (Advanced Hunting rule) in Microsoft 365 Defender allows joining these tables to identify when a specific parent process spawns a child that makes an outbound connection to an external IP address, which is exactly the required detection logic.

Exam trap

The trap here is that candidates may think DeviceEvents contains all necessary telemetry or that a built-in rule already covers this specific scenario, but they must recognize that joining two distinct tables (DeviceProcessEvents and DeviceNetworkEvents) in an Advanced Hunting custom detection rule is required to correlate process creation with outbound network connections.

How to eliminate wrong answers

Option B is wrong because creating a scheduled rule in Sentinel and exporting data from M365 Defender is unnecessary and inefficient; the detection can be built natively within Microsoft 365 Defender using Advanced Hunting rules without exporting data. Option C is wrong because DeviceEvents alone do not contain network connection details (like destination IP addresses) needed to filter for external IPs; DeviceNetworkEvents is required for that data. Option D is wrong because there is no built-in custom detection rule in Microsoft Defender for Endpoint that specifically detects child process connections to external IPs; the analyst must create a custom rule.
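The query below is an added example, not the page's own, of the detection Option A describes, written so it can be saved as a custom detection rule. It assumes the parent image name, a 5-minute window between child creation and connection, and that "internal" means anything the sensor classifies as non-Public in RemoteIPType plus an explicit list of organisation-owned public ranges (203.0.113.0/24 is an RFC 5737 documentation range used as a placeholder).

```kusto
// Added example (not from the page): custom-detection query for
// "child of <parent> opens an outbound connection to a non-internal address".
// SuspiciousParent, Window and OrgPublicRanges are assumptions to adjust.
let SuspiciousParent = "winword.exe";
let Window = 5m;
let OrgPublicRanges = dynamic(["203.0.113.0/24"]);   // placeholder documentation range
let Children =
    DeviceProcessEvents
    | where Timestamp > ago(1h)
    | where InitiatingProcessFileName =~ SuspiciousParent
    | project DeviceId, ChildPid = ProcessId, ChildCreated = ProcessCreationTime,
              Child = FileName, ChildCommandLine = ProcessCommandLine,
              Parent = InitiatingProcessFileName, ParentCommandLine = InitiatingProcessCommandLine;
DeviceNetworkEvents
| where Timestamp > ago(1h)
| where ActionType in ("ConnectionRequest", "ConnectionSuccess")
// RemoteIPType classifies the peer (Public, Private, Loopback, Reserved, ...): keep only Public
| where RemoteIPType == "Public"
// ...then drop the organisation's own public ranges. IPv6 peers make the function return null,
// so coalesce keeps them rather than silently filtering them out.
| where coalesce(not(ipv4_is_in_any_range(RemoteIP, OrgPublicRanges)), true)
| project Timestamp, DeviceId, DeviceName, ReportId, RemoteIP, RemotePort, RemoteUrl,
          ChildPid = InitiatingProcessId, ChildCreated = InitiatingProcessCreationTime
// Tie the connection to the exact child instance (device + PID + creation time; PIDs recycle)
| join kind=inner Children on DeviceId, ChildPid, ChildCreated
| where Timestamp between (ChildCreated .. (ChildCreated + Window))
// A custom detection rule requires Timestamp, ReportId and an entity column such as DeviceId
| project Timestamp, DeviceId, DeviceName, ReportId,
          Parent, ParentCommandLine, Child, ChildCommandLine, RemoteIP, RemotePort, RemoteUrl
```

The 1-hour lookback matches an hourly rule schedule; the continuous (near-real-time) frequency does not accept multi-table joins, so a correlation like this one runs on one of the scheduled frequencies. DeviceNetworkEvents also carries InitiatingProcessParentFileName, so a cheaper single-table variant is possible when only the parent's name matters, at the cost of losing the child's command line.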

97
MCQmedium

A security analyst is investigating a phishing campaign targeting multiple users. The analyst has identified a malicious attachment with a known SHA256 hash. The analyst needs to find all email messages that were delivered to any user and contained this specific attachment. Which advanced hunting table should the analyst query in Microsoft 365 Defender to obtain the message IDs of emails containing the attachment?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailPostDeliveryEvents
D.DeviceFileEvents
AnswerB

Correct. This table stores each attachment's details (filename, SHA256, size) and links them to the email's NetworkMessageId. Filtering on the SHA256 hash yields the relevant message IDs.

Why this answer

The EmailAttachmentInfo table in Microsoft 365 Defender advanced hunting contains metadata about attachments on email messages, including the SHA256 hash of each attachment. By querying this table with the known malicious SHA256 hash, the analyst can retrieve the NetworkMessageId values for all emails that contained that specific attachment, regardless of whether the email was delivered or blocked.

Exam trap

The trap here is that candidates often confuse EmailAttachmentInfo with EmailEvents, mistakenly thinking that EmailEvents contains attachment details, when in fact EmailEvents only provides delivery-level metadata and requires a join to access attachment-specific information.

How to eliminate wrong answers

Option A is wrong because EmailEvents contains information about email delivery events (e.g., send, receive, deliver, fail) but does not include attachment metadata such as SHA256 hashes; it only provides the NetworkMessageId, which can then be joined with EmailAttachmentInfo. Option C is wrong because EmailPostDeliveryEvents records actions taken after delivery (e.g., user clicks, ZAP actions) and does not contain attachment hash information. Option D is wrong because DeviceFileEvents tracks file events on endpoints (e.g., file creation, modification) and is not related to email attachments in transit; it would only show files after they have been saved to a device.
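The query below is an added example, not the page's own, of the EmailAttachmentInfo-to-EmailEvents join the explanation describes: it takes the attachment hash, collects the NetworkMessageId values, and keeps only messages that actually reached a mailbox. The hash is a placeholder (the SHA-256 of empty input), not a real indicator, and the 30-day lookback is the advanced hunting retention limit.

```kusto
// Added example (not from the page): messages that carried a given attachment and were delivered.
// The hash below is the SHA-256 of an empty input, a placeholder rather than an indicator.
let MaliciousSha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";
let AttachedMessages =
    EmailAttachmentInfo
    | where Timestamp > ago(30d)
    | where SHA256 =~ MaliciousSha256
    | project NetworkMessageId, RecipientEmailAddress, FileName, FileType;
EmailEvents
| where Timestamp > ago(30d)
// EmailEvents has one row per recipient, so join on message and recipient together
| join kind=inner AttachedMessages on NetworkMessageId, RecipientEmailAddress
// "Delivered" reached a mailbox; Blocked, Junked and Replaced did not reach the inbox as sent
| where DeliveryAction == "Delivered"
| project Timestamp, NetworkMessageId, InternetMessageId,
          SenderFromAddress, SenderMailFromAddress, RecipientEmailAddress, Subject,
          FileName, FileType, DeliveryAction, DeliveryLocation, ThreatTypes, DetectionMethods
| order by Timestamp asc
```

Dropping the DeliveryAction filter turns the same query into the full blast radius, including copies the filtering stack stopped, and the NetworkMessageId values it returns are what the Take action / purge workflow in the email entity page keys on.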

98
MCQeasy

In Microsoft 365 Defender, after an automated investigation completes, where can an analyst review the specific remediation actions that were taken (e.g., file quarantine, device isolation)?

A.Incident timeline
B.Action center
C.Threat analytics
D.Device inventory
AnswerB

The Action center lists all remediation actions (pending, approved, or rejected) from automated investigations and manual response actions, making it the correct place to review actions taken.

Why this answer

The Action center in Microsoft 365 Defender is the centralized location where all manual and automated remediation actions (such as file quarantine, device isolation, and process termination) are tracked and can be reviewed or approved. After an automated investigation completes, the specific actions taken are recorded in the Action center's history tab, allowing analysts to see exactly what was executed and the outcome. This is distinct from the Incident timeline, which shows alerts and events but not the detailed remediation action records.

Exam trap

The trap here is that candidates confuse the Incident timeline (which shows investigation steps and alerts) with the Action center (which is the sole location for reviewing and managing remediation actions), leading them to select the Incident timeline instead of the correct Action center.

How to eliminate wrong answers

Option A is wrong because the Incident timeline displays alerts, events, and investigation steps in chronological order, but it does not provide a dedicated view of remediation actions taken; those actions are logged in the Action center. Option C is wrong because Threat analytics provides threat intelligence, vulnerability reports, and mitigation guidance, not a record of specific remediation actions performed on endpoints. Option D is wrong because Device inventory lists managed devices and their properties (e.g., OS, health status) but does not show remediation actions like file quarantine or device isolation.

99
MCQeasy

A security analyst is investigating a malware incident on an endpoint using Microsoft 365 Defender. The analyst wants to see all processes that were created on the device in the last hour, including the command line arguments. Which advanced hunting table should they query?

A.DeviceProcessEvents
B.DeviceNetworkEvents
C.DeviceFileEvents
D.DeviceRegistryEvents
AnswerA

This table records process creation events, including the full command line arguments.

Why this answer

The DeviceProcessEvents table in Microsoft 365 Defender's advanced hunting schema captures process creation events, including the command line arguments used to start each process. This directly meets the analyst's need to see all processes created in the last hour with their command-line details, making it the correct table for investigating malware that spawns processes.

Exam trap

The trap here is that candidates often confuse process creation events with network or file events, mistakenly choosing DeviceNetworkEvents or DeviceFileEvents because they associate malware with network traffic or file drops, rather than recognizing that the created process's own command line (ProcessCommandLine) is recorded in DeviceProcessEvents; the other tables carry only InitiatingProcessCommandLine, the command line of the process that performed the action.

How to eliminate wrong answers

Option B (DeviceNetworkEvents) is wrong because it records network connections (e.g., IP addresses, ports, protocols) and not process creation or command-line arguments. Option C (DeviceFileEvents) is wrong because it logs file creation, modification, and deletion events, not process creation or command-line data. Option D (DeviceRegistryEvents) is wrong because it tracks registry key modifications, not process creation or command-line arguments.

100
MCQmedium

A security analyst is building a custom detection rule in Microsoft 365 Defender to identify ransomware activity. The rule should trigger when files with specific extensions (e.g., .encrypted, .locked) are created on multiple devices within a short time frame, suggesting a widespread attack. Which combination of advanced hunting tables should be used to obtain both file creation events and device information?

A.DeviceFileEvents and DeviceInfo
B.DeviceProcessEvents and DeviceInfo
C.DeviceFileEvents and DeviceNetworkEvents
D.DeviceFileEvents and DeviceLogonEvents
AnswerA

Correct. DeviceFileEvents records file activity (ActionType values such as FileCreated, FileRenamed, FileModified and FileDeleted) with the file name, folder path and SHA256, so the extension check runs there. DeviceFileEvents already carries DeviceId and DeviceName; the join to DeviceInfo on DeviceId adds metadata the file table lacks, such as OS platform, device group and exposure level. This combination directly supports the requirement.

Why this answer

Option A is correct because DeviceFileEvents captures file creation events, including files with the specific extensions like .encrypted and .locked, while DeviceInfo provides device metadata the file table does not carry, such as OS platform, device group (MachineGroup) and exposure level. Counting distinct DeviceId values per time bucket across the file events reveals the spread, and joining DeviceInfo on DeviceId adds the context needed to scope the response.

Exam trap

The trap here is that candidates may confuse file creation events with process creation events (DeviceProcessEvents) or network events (DeviceNetworkEvents), overlooking that only DeviceFileEvents directly captures the file extension data needed for ransomware detection.

How to eliminate wrong answers

Option B is wrong because DeviceProcessEvents logs process creation events (e.g., command-line executions), not file creation events; it cannot directly identify files with specific extensions being created. Option C is wrong because DeviceNetworkEvents captures network connections and DNS queries, not file creation events; it provides no visibility into local file system changes. Option D is wrong because DeviceLogonEvents records authentication events (logon/logoff), not file creation events; it cannot detect the creation of encrypted or locked files.
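The query below is an added example, not the page's own, of the detection the question describes: it counts devices that create or rename files to the suspect extensions within the same 10-minute bucket, raises only when several devices do so, and enriches the result from DeviceInfo. The thresholds, the extension list and the one-hour lookback are assumptions to tune; the per-device minimum exists so a single stray rename does not count as a wave.

```kusto
// Added example (not from the page): widespread creation of ransomware-style extensions.
// Thresholds and extensions are assumptions; tune them to the environment.
let SuspiciousExt = dynamic([".encrypted", ".locked"]);
let Window = 10m;
let MinDevices = 3;          // devices in one window that count as "widespread"
let MinFilesPerDevice = 20;  // per-device volume below which a device is ignored
let Hits =
    DeviceFileEvents
    | where Timestamp > ago(1h)
    // Encryptors typically write a new file or rename the original; both carry the new name
    | where ActionType in ("FileCreated", "FileRenamed")
    | extend Ext = tolower(extract(@"(\.[^.\\/]+)$", 1, FileName))
    | where Ext in (SuspiciousExt)
    | extend Bucket = bin(Timestamp, Window);
// Per device and bucket: volume plus the latest event, which supplies ReportId for the rule output
let PerDevice =
    Hits
    | summarize FileCount = count(),
                arg_max(Timestamp, ReportId, FileName, FolderPath, InitiatingProcessFileName)
        by DeviceId, DeviceName, Bucket
    | where FileCount >= MinFilesPerDevice;
// Buckets in which enough distinct devices were hit
let Waves =
    PerDevice
    | summarize DeviceCount = dcount(DeviceId), Devices = make_set(DeviceName, 50) by Bucket
    | where DeviceCount >= MinDevices;
PerDevice
| join kind=inner Waves on Bucket
// Newest DeviceInfo row per device for platform and group context
| join kind=leftouter (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, OSPlatform, MachineGroup) by DeviceId
    | project DeviceId, OSPlatform, MachineGroup
  ) on DeviceId
| project Timestamp, DeviceId, DeviceName, ReportId, OSPlatform, MachineGroup,
          FileCount, LastFile = FileName, FolderPath, Writer = InitiatingProcessFileName,
          WaveStart = Bucket, DeviceCount, Devices
| order by WaveStart desc, FileCount desc
```

Writer, the process that created or renamed the files, is usually the fastest pivot back to the encryptor binary and from there to DeviceProcessEvents for its parent and command line.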

101
MCQmedium

An analyst is investigating an incident where a user's mailbox was compromised. The analyst wants to find all mailbox access events (e.g., logins, message access) performed from a specific IP address. Which Advanced Hunting table in Microsoft 365 Defender should be queried?

A.CloudAppEvents
B.EmailEvents
C.EmailAttachmentInfo
D.AADSignInEventsBeta
AnswerA

Correct. This table logs actions in cloud apps including mailbox access events.

Why this answer

The CloudAppEvents table in Microsoft 365 Defender captures audit logs for cloud applications, including Exchange Online mailbox operations such as logins, message access, and folder bindings. This table contains the 'IPAddress' field, allowing the analyst to filter events from a specific IP address. Other tables lack the necessary scope of mailbox access events or the IP address field for this query.

Exam trap

The trap here is that candidates confuse Azure AD sign-in logs (AADSignInEventsBeta) with mailbox access logs, but Azure AD logs only capture authentication events, not the subsequent application-level operations within Exchange Online.

How to eliminate wrong answers

Option B (EmailEvents) is wrong because it tracks email delivery and transport events (e.g., send, receive, spam verdicts), not mailbox access events like logins or message reads. Option C (EmailAttachmentInfo) is wrong because it focuses on attachment metadata (e.g., file name, hash) and does not include user access logs or IP addresses. Option D (AADSignInEventsBeta) is wrong because it records Azure AD authentication events for user sign-ins to cloud apps, but it does not capture granular mailbox-level operations such as message access or folder browsing within Exchange Online.
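The query below is an added example, not the page's own, of hunting mailbox activity from one IP address in CloudAppEvents. The IP is a placeholder from the RFC 5737 documentation range and the mailbox is an assumption; the actor and mailbox-owner fields are read from RawEventData because in Exchange mailbox auditing the account performing the access (a delegate or an attacker's session) need not be the mailbox owner.

```kusto
// Added example (not from the page): Exchange Online mailbox operations from one IP address.
// SuspectIP is a placeholder (RFC 5737 documentation range); Mailbox is an assumed victim UPN.
let SuspectIP = "198.51.100.23";
let Mailbox = "victim@contoso.com";
CloudAppEvents
| where Timestamp > ago(30d)
| where Application == "Microsoft Exchange Online"
| where IPAddress == SuspectIP
// Mailbox access and send operations, plus inbox-rule changes, which commonly follow a
// compromise (forwarding or hiding mail) and are logged in the same audit stream
| where ActionType in ("MailboxLogin", "MailItemsAccessed", "FolderBind",
                       "Send", "SendAs", "SendOnBehalf",
                       "New-InboxRule", "Set-InboxRule", "Set-Mailbox")
| extend Actor = tostring(RawEventData.UserId),
         MailboxOwner = tostring(RawEventData.MailboxOwnerUPN),
         ClientApp = tostring(RawEventData.ClientInfoString),
         LogonType = tostring(RawEventData.LogonType)   // 0 owner, 1 admin, 2 delegate
| where MailboxOwner =~ Mailbox or Actor =~ Mailbox
| summarize Events = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Actions = make_set(ActionType), Clients = make_set(ClientApp, 10),
            LogonTypes = make_set(LogonType)
    by IPAddress, CountryCode, Isp, IsAnonymousProxy, Actor, MailboxOwner
| order by FirstSeen asc
```

MailItemsAccessed, the event that shows which messages were read, is only generated for mailboxes covered by Microsoft Purview Audit (Premium) licensing; without it the query still returns logins, folder binds, sends and rule changes. Removing the IPAddress filter and grouping by IP instead shows which addresses touched the mailbox at all, the usual first step before an IP is "known".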

102
MCQeasy

An analyst wants to find all devices that have run a specific process named 'malware.exe' in the last 24 hours using Microsoft 365 Defender Advanced Hunting. Which table should be the primary source for this query?

A.DeviceProcessEvents
B.DeviceEvents
C.DeviceFileEvents
D.DeviceNetworkEvents
AnswerA

DeviceProcessEvents logs process creation events, including the process name. Filtering on FileName == 'malware.exe' will return all executions.

Why this answer

The DeviceProcessEvents table in Microsoft 365 Defender Advanced Hunting is the primary source for querying process creation events, including the execution of a specific process name like 'malware.exe'. This table captures process creation and termination events, making it the correct choice for finding devices that have run a specific process within a given time frame.

Exam trap

The trap here is that candidates may confuse DeviceProcessEvents with DeviceEvents, assuming the latter covers all events, but DeviceEvents holds the event types that have no dedicated table (antivirus detections, attack surface reduction and exploit protection events, scheduled-task changes, AMSI script content and similar), not process creation.

How to eliminate wrong answers

Option B (DeviceEvents) is wrong because it captures event types without their own table, such as antivirus detections, attack surface reduction events, scheduled-task changes and AMSI script content, not process creation events. Option C (DeviceFileEvents) is wrong because it tracks file creation, modification, rename and deletion events, not process execution; a file named malware.exe being written is not the same as it running. Option D (DeviceNetworkEvents) is wrong because it records network connections and related events, not process execution.

103
MCQhard

A security analyst is investigating an advanced persistent threat (APT) campaign that involves lateral movement using RDP. The analyst wants to create a custom detection rule in Microsoft 365 Defender that triggers when a device remotely connects to another device via RDP (process: mstsc.exe) and, within 10 minutes, the remote device executes a suspicious script (e.g., PowerShell.exe with encoded command). Which KQL query pattern in advanced hunting should be used to correlate these events across devices?

A.DeviceProcessEvents | where FileName == 'mstsc.exe' | join DeviceProcessEvents on DeviceName | where (Timestamp2 - Timestamp1) between (0m..10m) and FileName == 'powershell.exe'
B.DeviceProcessEvents | where FileName == 'mstsc.exe' | project SourceDevice = DeviceName, TimeGenerated, RemoteDevice = extract(remote device from command line) | join kind=inner (DeviceProcessEvents | where FileName == 'powershell.exe') on $left.RemoteDevice == $right.DeviceName and $left.TimeGenerated between ($right.TimeGenerated-10m .. $right.TimeGenerated)
C.DeviceProcessEvents | where FileName in~ ('mstsc.exe', 'powershell.exe') and TimeGenerated > ago(1h) | summarize makelist(DeviceName) by bin(TimeGenerated, 10m)
D.DeviceProcessEvents | where FileName == 'mstsc.exe' | extend RemoteDevice = extract(...,1, ProcessCommandLine) | join kind=inner (DeviceProcessEvents | where FileName == 'powershell.exe') on $left.RemoteDevice == $right.DeviceName and $left.TimeGenerated between ($right.TimeGenerated - 10m .. $right.TimeGenerated)
AnswerB

This pattern extracts the remote device from the mstsc command line and joins with PowerShell events on the remote device within a 10-minute window after the RDP connection.

Why this answer

Option B is correct because it uses the `extract()` function to parse the remote device name from the `mstsc.exe` command line (e.g., `mstsc.exe /v:REMOTE_PC`), then performs an inner join with `DeviceProcessEvents` for `powershell.exe` on the condition that the remote device name matches and the `mstsc.exe` timestamp falls within a 10-minute window before the PowerShell execution. This precisely correlates the lateral movement (RDP connection) with the subsequent suspicious script execution on the target device, which is the required detection pattern.

Exam trap

The trap here is that candidates often overlook the need to extract the remote device from the `mstsc.exe` command line and instead join on `DeviceName`, which would incorrectly correlate events on the same device rather than across devices, or they misorder the time window (checking after instead of before).

How to eliminate wrong answers

Option A is wrong because it joins on `DeviceName`, so it can only pair events from the same device, never the source and target of a lateral move; it also references `Timestamp1` and `Timestamp2`, which are not columns of `DeviceProcessEvents` (after a join only the right-hand side's duplicate column is suffixed, as `Timestamp1`). Option C is wrong because it only buckets both process types into 10-minute bins and lists device names; nothing ties a given `mstsc.exe` launch to PowerShell on the device it connected to. Option D is wrong because its `extract()` call leaves the regular expression as a placeholder, so it parses nothing; note that its time-window condition is the same as Option B's (the RDP event within the 10 minutes before the PowerShell event), so the window is not what separates the two options. In real advanced hunting the time column is `Timestamp`, not `TimeGenerated`, and a join's `on` clause accepts only equality conditions, so the time window belongs in a `where` after the join.
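The query below is an added example, not the page's Option B verbatim, showing the same correlation as runnable advanced hunting KQL: equality join on the extracted target name, time window applied afterwards. It assumes the target is passed with mstsc.exe's /v: switch (a host typed into the GUI never reaches the command line), that device names are FQDNs whose first label is the name the operator typed, and that "suspicious script" means an encoded PowerShell command line.

```kusto
// Added example (not from the page): RDP launch on one device followed within 10 minutes by
// encoded PowerShell on the device it targeted. Assumptions: /v: carries the target name,
// DeviceName is an FQDN whose first label matches it, 7-day lookback.
let Window = 10m;
let Lookback = 7d;
let RdpLaunch =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName =~ "mstsc.exe"
    // "/v:host" or "/v:host:3389"; the capture stops at whitespace or a port separator
    | extend RemoteDevice = tolower(extract(@"/v:\s*([^\s:]+)", 1, ProcessCommandLine))
    | where isnotempty(RemoteDevice)
    | project RdpTime = Timestamp, SourceDevice = DeviceName, RdpAccount = AccountName,
              RdpCommandLine = ProcessCommandLine, RemoteDevice;
let SuspiciousPowerShell =
    DeviceProcessEvents
    | where Timestamp > ago(Lookback)
    | where FileName in~ ("powershell.exe", "pwsh.exe")
    // -e / -ec / -enc / -EncodedCommand followed by a base64 blob
    | where ProcessCommandLine matches regex @"(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
    // Short host name, to compare with what the operator typed after /v:
    | extend RemoteDevice = tolower(tostring(split(DeviceName, ".")[0]))
    | project PsTime = Timestamp, TargetDevice = DeviceName, DeviceId, ReportId,
              PsAccount = AccountName, PsCommandLine = ProcessCommandLine, RemoteDevice;
// join accepts only equality in "on"; the time window is a where afterwards
RdpLaunch
| join kind=inner SuspiciousPowerShell on RemoteDevice
| where PsTime between (RdpTime .. (RdpTime + Window))
| project Timestamp = PsTime, DeviceId, ReportId, SourceDevice, TargetDevice,
          RdpAccount, PsAccount, Delay = PsTime - RdpTime, RdpCommandLine, PsCommandLine
| order by Timestamp desc
```

Parsing /v: is the weakest link in this pattern. Two sources are more reliable for the RDP leg: DeviceLogonEvents on the target with LogonType == "RemoteInteractive", whose RemoteDeviceName and RemoteIP name the source regardless of how the client was launched, and the IsProcessRemoteSession, ProcessRemoteSessionDeviceName and ProcessRemoteSessionIP columns of DeviceProcessEvents, which flag the PowerShell process itself as started inside a remote session.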

104
MCQhard

A security analyst is hunting for a targeted phishing attack in Microsoft 365 Defender. They have identified a phishing email delivered to a user and want to find all devices where the user clicked the link in the email, and any processes that were spawned from the browser on those devices. Which advanced hunting strategy is most effective to correlate the email, network, and process data?

A.Query EmailEvents for the email, then DeviceLogonEvents for user logons, then DeviceProcessEvents for process creations after logon.
B.Query EmailUrlInfo for the URL, then DeviceNetworkEvents for devices that connected to that URL, then DeviceProcessEvents for processes on those devices that started shortly after the connection.
C.Query EmailAttachmentInfo, then DeviceFileEvents for files dropped.
D.Query IdentityLogonEvents, then DeviceEvents from the device where the logon occurred.
AnswerB

Correct: This directly ties the URL to network connections (clicks) and then to processes, providing a precise chain of events.

Why this answer

Option B is correct because it directly correlates the malicious URL from the email (via EmailUrlInfo) with devices that connected to that URL (via DeviceNetworkEvents), then identifies any processes spawned on those devices shortly after the connection (via DeviceProcessEvents). This sequence maps the attack chain from email delivery to network connection to post-click process execution, which is exactly what the analyst needs to find devices where the link was clicked and any resulting processes.

Exam trap

The trap here is that candidates often choose Option A, mistakenly thinking that user logon events are a reliable proxy for link clicks, but logons do not indicate that the user actually clicked the URL or that any malicious process was spawned from the browser.

How to eliminate wrong answers

Option A is wrong because DeviceLogonEvents captures user authentication events, not the specific act of clicking a link in a browser; correlating logons with process creations is too broad and misses the direct network connection to the phishing URL. Option C is wrong because it focuses on email attachments and file drops, but the question specifies a phishing email with a link, not an attachment; DeviceFileEvents would not capture browser network connections or spawned processes from clicking a URL. Option D is wrong because IdentityLogonEvents tracks identity-based logon events, not email or network activity; it cannot correlate the specific phishing email or URL with device processes.

105
MCQeasy

A security analyst is reviewing phishing emails in Microsoft 365 Defender and wants to identify all messages that were blocked by an anti-phish policy before delivery. The analyst plans to use advanced hunting. Which table column indicates whether an email was blocked as phishing?

A.EmailEvents table, the 'DeliveryAction' column
B.EmailPostDeliveryEvents table, the 'Action' column
C.EmailAttachmentInfo table, the 'FileType' column
D.EmailUrlInfo table, the 'Url' column
AnswerA

Correct. The EmailEvents table records the pre-delivery disposition in DeliveryAction (Delivered, Junked, Blocked, Replaced), the outcome of the anti-phish, anti-spam, anti-malware and Safe Attachments policies; ThreatTypes and DetectionMethods on the same row say why.

Why this answer

The EmailEvents table records actions taken on emails before delivery, including whether a message was blocked by anti-phish policies. The 'DeliveryAction' column specifically indicates the final disposition, such as 'Blocked' for phishing. This makes it the correct source for identifying pre-delivery phishing blocks in advanced hunting.

Exam trap

The trap here is that candidates confuse the EmailPostDeliveryEvents table (which shows post-delivery remediation actions like 'Move to Junk' or 'Soft Delete') with pre-delivery blocking, but the correct table for pre-delivery phishing blocks is EmailEvents with the 'DeliveryAction' column.

How to eliminate wrong answers

Option B is wrong because the EmailPostDeliveryEvents table captures actions taken after delivery (e.g., Zero-Hour Auto Purge), not pre-delivery blocks. Option C is wrong because the EmailAttachmentInfo table stores metadata about attachments (e.g., file type), not the delivery action or phishing disposition. Option D is wrong because the EmailUrlInfo table contains URLs found in emails, not the action taken on the email itself.
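The query below is an added example, not the page's own, of using DeliveryAction for the question's task. Because "Blocked" also covers malware and spam blocks, it pairs the column with ThreatTypes to keep only phishing verdicts, then summarises by sender so a campaign stands out; the 7-day lookback is an assumption.

```kusto
// Added example (not from the page): messages blocked before delivery with a phishing verdict,
// grouped per sender and originating IP to surface campaigns. 7-day lookback is an assumption.
EmailEvents
| where Timestamp > ago(7d)
// Never reached the mailbox (as opposed to Delivered / Junked / Replaced)
| where DeliveryAction == "Blocked"
// "Blocked" alone also covers malware and spam; keep the phishing verdicts
| where ThreatTypes has "Phish"
| project Timestamp, NetworkMessageId, SenderFromAddress, SenderMailFromAddress, SenderIPv4,
          RecipientEmailAddress, Subject, ThreatTypes, DetectionMethods, DeliveryLocation,
          AuthenticationDetails, OrgLevelAction, OrgLevelPolicy, UserLevelAction, UserLevelPolicy
| summarize Messages = count(), Recipients = dcount(RecipientEmailAddress),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Detections = make_set(DetectionMethods, 10), Subjects = make_set(Subject, 5),
            Policies = make_set(OrgLevelPolicy, 5)
    by SenderFromAddress, SenderMailFromAddress, SenderIPv4
| order by Messages desc
```

DetectionMethods is a JSON object keyed by threat type (for example a Phish entry naming the technology that fired), and OrgLevelPolicy records which organisational policy produced the action, which is how the "blocked by an anti-phish policy" part of the question is confirmed rather than assumed.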

106
MCQmedium

A security analyst is investigating an incident in Microsoft 365 Defender involving a user who received a phishing email. The analyst needs to identify all devices on which the user clicked a link from the email. Which advanced hunting table should the analyst query to find the click events?

A.UrlClickEvents
B.EmailEvents
C.DeviceEvents
D.NetworkEvents
AnswerA

Correct. UrlClickEvents records each Safe Links click on a URL from email, Teams or Office, with the clicking user (AccountUpn), the URL, the verdict (ActionType such as ClickAllowed or ClickBlocked) and the source IPAddress. It carries no device column, so once the clicks are known the device is found by pivoting to the endpoint tables.

Why this answer

UrlClickEvents is the correct table because it specifically records click events on URLs protected by Safe Links in Microsoft Defender for Office 365, including clicks on links in phishing emails. Each row captures the user's click, the URL and URL chain, the NetworkMessageId of the email, the verdict (ActionType, e.g. ClickAllowed or ClickBlocked) and whether the user clicked through a warning. Because the table has no device column, the analyst uses its timestamps, AccountUpn and IPAddress to pivot into DeviceNetworkEvents (connections to the same URL) or DeviceInfo to name the devices.

Exam trap

The trap here is that candidates often confuse EmailEvents (which tracks email delivery) with UrlClickEvents (which tracks user interaction with URLs), leading them to select EmailEvents when they need click-specific data.

How to eliminate wrong answers

Option B is wrong because EmailEvents contains email metadata (sender, recipient, subject, delivery status) but does not include user click events on URLs. Option C is wrong because DeviceEvents logs endpoint event types that have no dedicated table (antivirus detections, attack surface reduction events, scheduled tasks and similar), not user click actions on email links. Option D is wrong because there is no NetworkEvents table in advanced hunting; the endpoint network table is DeviceNetworkEvents, which records connections (remote IP, port and URL) but not the Safe Links click verdict, and it is only a pivot target after the click is found in UrlClickEvents.
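The query below is an added example serving both question 104 (the EmailUrlInfo, DeviceNetworkEvents, DeviceProcessEvents chain) and question 106 (UrlClickEvents as the click record); it is not part of the original page. Starting from the reported email's NetworkMessageId, a placeholder value here, it collects the email's URL domains, the Safe Links clicks, the devices whose browser connected to those domains, and what the browser then spawned. The 30-minute window and the browser list are assumptions to tune.

```kusto
// Added example (not from the page): reported email -> clicks -> devices -> spawned processes.
// MsgId is a placeholder NetworkMessageId; Window and Browsers are assumptions.
let MsgId = "00000000-0000-0000-0000-000000000000";
let Lookback = 30d;
let Window = 30m;
let Browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"]);
// 1. Domains of the URLs carried by the email
let PhishDomains =
    EmailUrlInfo
    | where Timestamp > ago(Lookback)
    | where NetworkMessageId == MsgId
    | project UrlDomain = tolower(UrlDomain)
    | distinct UrlDomain;
// 2. Safe Links click telemetry: who clicked and the verdict. No device column here, only the
//    user and source IP, so the device comes from the endpoint view in step 3.
let Clicks =
    UrlClickEvents
    | where Timestamp > ago(Lookback)
    | where NetworkMessageId == MsgId
    | summarize FirstClick = min(Timestamp), Verdicts = make_set(ActionType),
                ClickSourceIPs = make_set(IPAddress) by AccountUpn;
// 3. Endpoint view of the click: a browser on the device connected to one of those domains.
//    RemoteUrl may be a bare host or a full URL, so the host is extracted with a regex.
let Connections =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where InitiatingProcessFileName in~ (Browsers)
    | extend UrlDomain = extract(@"^(?:[a-z]+://)?([^/:\s]+)", 1, tolower(RemoteUrl))
    | where isnotempty(UrlDomain)
    | join kind=inner PhishDomains on UrlDomain
    | project ConnTime = Timestamp, DeviceId, DeviceName, RemoteUrl, RemoteIP;
// 4. What the browser spawned on those devices within the window. Joined on device and time
//    only: Chromium browsers send traffic from a helper process, so pinning the PID seen in
//    step 3 would miss children of the main browser process.
DeviceProcessEvents
| where Timestamp > ago(Lookback)
| where InitiatingProcessFileName in~ (Browsers)
| where FileName !in~ (Browsers)            // ignore the browser's own renderer/helper children
| project Timestamp, DeviceId, AccountUpn, ReportId,
          Browser = InitiatingProcessFileName, Spawned = FileName, SpawnedCommandLine = ProcessCommandLine
| join kind=inner Connections on DeviceId
| where Timestamp between (ConnTime .. (ConnTime + Window))
| summarize FirstConn = min(ConnTime), Urls = make_set(RemoteUrl, 10)
    by Timestamp, DeviceName, AccountUpn, Browser, Spawned, SpawnedCommandLine, ReportId
| join kind=leftouter Clicks on AccountUpn
| project Timestamp, DeviceName, AccountUpn, FirstClick, Verdicts, FirstConn, Urls,
          Browser, Spawned, SpawnedCommandLine, ReportId
| order by Timestamp asc
```

Step 3 is the answer to question 104 and step 2 to question 106; together they cover the case the exam scenarios split apart, a click that Safe Links allowed (visible in UrlClickEvents) and the endpoint consequences of it (visible only in the Device* tables).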

107
MCQmedium

During an incident investigation in Microsoft 365 Defender, an analyst examines an email that was reported as phishing. The analyst opens the email entity page and looks at the 'Detection details' section. Which piece of information would the analyst find there?

A.The delivery location and whether the email was delivered to Inbox, Junk, or Quarantine.
B.The authentication statuses (SPF, DKIM, DMARC) for the sender domain.
C.The sender IP address and the recipient email address.
D.The detection technology (e.g., Advanced ML, Reputation) and if the email was part of a phish simulation or a campaign.
AnswerD

Correct. Detection details show how the email was flagged, including specific technologies, simulation tags, and campaign information.

Why this answer

Option D is correct because the 'Detection details' section on the email entity page in Microsoft 365 Defender specifically shows the detection technology used (e.g., Advanced ML, Reputation, Bulk) and whether the email was part of a phishing simulation or a campaign. This information helps analysts understand how the email was identified as malicious and its context within broader threat activity.

Exam trap

The trap here is that candidates confuse the 'Detection details' section with other sections like 'Summary' or 'Authentication', leading them to select options that describe information found elsewhere on the email entity page.

How to eliminate wrong answers

Option A is wrong because the delivery location (Inbox, Junk, Quarantine) is found in the 'Email details' or 'Summary' section, not in 'Detection details'. Option B is wrong because authentication statuses (SPF, DKIM, DMARC) are displayed in the 'Authentication' section of the email entity page, not in 'Detection details'. Option C is wrong because the sender IP address and recipient email address are shown in the 'Summary' or 'Details' sections, not in 'Detection details'.

108
MCQeasy

A security analyst is investigating a phishing campaign using Microsoft 365 Defender advanced hunting. The analyst needs to find all emails sent from a specific sender address in the last 7 days. Which table should be queried?

A.EmailEvents
B.EmailAttachmentInfo
C.EmailUrlInfo
D.DeviceEvents
AnswerA

Correct. EmailEvents contains sender, recipient, subject, and other email delivery properties. It is the primary table for email metadata.

Why this answer

The EmailEvents table in Microsoft 365 Defender advanced hunting stores metadata about email messages, including sender addresses, recipients, timestamps, and delivery actions. To find all emails from a specific sender in the last 7 days, you query EmailEvents because it contains the sender fields needed to filter by sender: SenderFromAddress is the header From (P2) address the user sees, while SenderMailFromAddress is the SMTP envelope MAIL FROM (P1) address, so a hunt for a "sender" should check both, and a mismatch between them is one of the signals spoofing hunts look for. The other tables focus on attachments, URLs, or device-level events, which are not relevant for identifying emails by sender address.

Exam trap

The trap here is that candidates may confuse the purpose of EmailAttachmentInfo or EmailUrlInfo, thinking they contain sender data, when in fact they only store attachment or URL details and require a join with EmailEvents to correlate back to the sender.

How to eliminate wrong answers

Option B (EmailAttachmentInfo) is wrong because it stores information about email attachments (e.g., file names, hashes) but does not contain the sender address field needed to filter by sender. Option C (EmailUrlInfo) is wrong because it tracks URLs found in email bodies or attachments, not sender metadata. Option D (DeviceEvents) is wrong because it logs endpoint-level activities (e.g., process creation, network connections) and has no email-related data, making it irrelevant for querying email sender addresses.
