CCNA Perform Threat Hunting Questions

51 of 276 questions · Page 4/4 · Perform Threat Hunting topic · Answers revealed

226
MCQmedium

Your threat hunt identifies that an attacker used a previously unknown malware variant to move laterally. Which Microsoft Defender XDR feature would you use to automatically block the file based on behavioral detection?

A.Web Protection
B.Custom file indicators (IoC)
C.Network Protection
D.Attack Surface Reduction (ASR) rules
AnswerD

ASR rules can block behaviors like 'Block executable files from running unless they meet a prevalence, age, or trusted list criterion'.

Why this answer

Option D is correct because Attack Surface Reduction (ASR) rules can block suspicious behavior. Option A (Custom file indicators) blocks based on known IOCs. Option B (Network Protection) blocks network connections.

Option C (Web Protection) blocks web traffic.

227
MCQeasy

You are hunting for signs of ransomware activity. Which of the following behaviors in Microsoft Defender for Endpoint should you prioritize as a high-confidence indicator?

A.A process deleting Volume Shadow Copies
B.A process encrypting or renaming large numbers of files in rapid succession
C.A process creating a scheduled task
D.A process downloading multiple files from the internet
AnswerB

This is a hallmark of ransomware behavior.

Why this answer

Option A is correct because mass file encryption or renaming is a direct sign of ransomware. Option B is wrong because while shadow copy deletion is common after ransomware, it can also be done by legitimate tools. Option C is wrong because large file downloads can be benign.

Option D is wrong because scheduled task creation is common for persistence but not specific to ransomware.

228
MCQeasy

A security analyst is reviewing a threat hunting query in Microsoft Sentinel that uses the Kusto Query Language (KQL) to identify potential lateral movement. The query returns a large number of false positives. What is the most effective way to reduce false positives while maintaining detection coverage?

A.Increase the threshold for the anomaly score in the query.
B.Add allowlist conditions to exclude known administrative tools.
C.Reduce the time range of the query to the last 1 hour.
D.Replace the query with a different data source that has less noise.
AnswerB

Allowlisting known safe tools reduces false positives while keeping the detection logic intact.

Why this answer

Option B is correct because adding allowlist conditions, such as excluding known administrative tools or approved remote management traffic, directly reduces false positives without removing the core logic. Option A is wrong because reducing the time range may miss true positives. Option C is wrong because the question asks to maintain detection coverage, and using a less sensitive data source would reduce coverage.

Option D is wrong because increasing the threshold may also miss true positives.

229
MCQeasy

During a threat hunting exercise, you need to pivot from a suspicious IP address to find all related alerts and incidents in Microsoft Sentinel. Which feature should you use?

A.Workbook
B.Incidents blade
C.Investigation graph
D.Playbook
AnswerC

Allows pivoting on entities and visualizing relationships.

Why this answer

The investigation graph in Microsoft Sentinel allows visual pivoting and exploration of entities. Option A is correct because it provides a graphical view of connections between entities. Option B is incorrect because the incidents blade shows incidents but not entity relationships.

Option C is incorrect because playbooks automate responses. Option D is incorrect because workbooks are for dashboards.

230
MCQeasy

You are threat hunting for credential dumping activity. Which Windows event ID is commonly associated with the use of tools like Mimikatz?

A.4624 (Successful Logon)
B.4768 (Kerberos Authentication Ticket Request)
C.4688 (Process Creation)
D.4672 (Special Logon)
AnswerC

Process creation events can show when Mimikatz or similar tools are launched.

Why this answer

Option C is correct because Windows Event ID 4688 (Process Creation) logs every new process spawned on the system, including the execution of tools like Mimikatz. When Mimikatz runs, it creates a process (e.g., mimikatz.exe), and the 4688 event captures the command line, parent process, and user context, which are critical for detecting credential dumping activity.

Exam trap

Microsoft often tests the misconception that credential dumping is tied to authentication events (like 4624 or 4768), but the key indicator is the process creation event (4688) that captures the execution of the dumping tool itself.

How to eliminate wrong answers

Option A is wrong because Event ID 4624 (Successful Logon) records authentication events, not the execution of a process like Mimikatz; credential dumping occurs after logon, not during it. Option B is wrong because Event ID 4768 (Kerberos Authentication Ticket Request) tracks TGT requests to a domain controller, which is unrelated to local credential dumping via Mimikatz. Option D is wrong because Event ID 4672 (Special Logon) logs when a user is granted special privileges (e.g., SeTcbPrivilege), but it does not directly indicate process creation or execution of a credential dumping tool.

231
MCQeasy

A threat hunter wants to use Microsoft Defender for Cloud Apps to hunt for suspicious OAuth app permissions. Which activity type should the analyst investigate?

A.Failed logon attempts
B.File download from SharePoint
C.Mailbox forwarding rule created
D.OAuth app granting permissions
AnswerD

Granting OAuth permissions can be abused for data access.

Why this answer

Option D is correct because granting OAuth permissions is a key indicator of potential abuse. Option A is wrong because file downloads are not directly related to OAuth permissions. Option B is wrong because mailbox forwarding is an email rule, not OAuth.

Option C is wrong because logon failures are authentication events.

232
MCQmedium

During a threat hunt in Microsoft Sentinel, you find a series of suspicious sign-ins to Microsoft Entra ID from an IP address known to be associated with a threat actor. Which entity should you pivot on to investigate further?

A.IP address
B.User account
C.Application
D.Device
AnswerA

IP address connects multiple sign-ins and is associated with the threat actor.

Why this answer

The IP address is the key entity linking the sign-ins. Option C is correct. Option A is incorrect because the user is a target, not the pivot.

Option B is incorrect because the device may be compromised but is not the initial pivot. Option D is incorrect because the application is secondary.

233
MCQhard

You are creating a custom hunting query in Microsoft Sentinel for PowerShell Empire indicators. After deploying, the query never returns results, even though you know empire activity exists in the environment. What is the most likely cause?

A.The query should use 'and' instead of 'or'
B.The required data connector should be 'MicrosoftThreatProtection'
C.The query logic is flawed; it should group the conditions with parentheses
D.The 'contains' operator should be 'startswith'
AnswerC

Without parentheses, the 'or' applies to the whole condition, including FileName, so it matches any process with WebClient.

Why this answer

The query uses 'or' incorrectly; the condition 'ProcessCommandLine contains 'System.Net.WebClient'' is evaluated separately from the FileName condition, so it would match any process with WebClient, not just PowerShell. Option A: 'contains' is correct for substring. Option B: 'and' would make it too restrictive.

Option C: The connector is fine. The correct answer is D: the logical operator precedence is wrong.

234
MCQhard

An analyst is reviewing a series of alerts in Microsoft Defender XDR indicating potential lateral movement. Which KQL query in Microsoft Sentinel would best identify anomalous RDP connections to servers not typically accessed remotely?

A.DeviceProcessEvents | where ProcessCommandLine contains '3389'
B.DeviceRegistryEvents | where RegistryKey contains 'Remote Desktop'
C.DeviceNetworkEvents | where RemotePort == 3389 | summarize dcount(DestinationIP) by DeviceName | where dcount_DestinationIP > 5
D.DeviceLogonEvents | where LogonType == '10' | summarize dcount(DeviceName) by AccountName
AnswerC

DeviceNetworkEvents captures network connections; filtering by RDP port and counting distinct destinations helps detect lateral movement.

Why this answer

Option D is correct because the `DeviceNetworkEvents` table in Microsoft Defender XDR logs network connections, and filtering for RDP port 3389 with a count of distinct destination IPs over a threshold helps identify unusual RDP patterns. Option A is wrong because `DeviceProcessEvents` logs process creation, not network connections. Option B is wrong because `DeviceLogonEvents` logs authentication events, not network connections.

Option C is wrong because `DeviceRegistryEvents` logs registry changes.

235
MCQhard

You are a threat hunter at Northwind Traders. The organization uses Microsoft Defender for Identity (MDI) and Microsoft Sentinel. You suspect a golden ticket attack may have occurred in the domain. You need to create a hunting query in Microsoft Sentinel that leverages data from MDI to detect possible golden ticket usage. Which of the following queries or approaches is most appropriate?

A.Query DeviceProcessEvents for processes related to Kerberos
B.Query SecurityAlert where AlertName contains 'Golden Ticket' or 'Suspicious Kerberos'
C.Query CommonSecurityLog for unusual DNS queries related to Kerberos
D.Query IdentityLogonEvents for failed Kerberos authentication
AnswerB

MDI generates alerts for golden ticket activity, stored in SecurityAlert.

Why this answer

Option B is correct because golden ticket attacks often involve anomalous Kerberos service ticket requests that are not preceded by an authentication request. MDI generates alerts for such anomalies, which are stored in the SecurityAlert table. Option A is incorrect because DeviceProcessEvents is for endpoints, not authentication servers.

Option C is incorrect because IdentityLogonEvents may contain logon events but not specifically golden ticket indicators. Option D is incorrect because CommonSecurityLog is for network devices.

236
MCQmedium

You are investigating a series of failed logon attempts across multiple on-premises servers. You want to use Microsoft Sentinel to hunt for patterns of brute-force attacks. Which data source should you ingest to capture detailed authentication events from domain controllers?

A.Syslog from domain controllers
B.Windows Security Events via Windows Event Forwarding
C.Azure Activity Log
D.Microsoft 365 Defender events
AnswerB

Windows Security Events from domain controllers provide Event IDs like 4625 for failed logons, essential for brute-force hunting.

Why this answer

Option C is correct because Windows Security Events from domain controllers include Event ID 4625 (failed logon) necessary for brute-force hunting. Option A is wrong because Azure Activity Log does not include on-premises authentication. Option B is wrong because Microsoft 365 Defender events focus on cloud identities.

Option D is wrong because Syslog typically contains network device logs, not Windows authentication.

237
MCQmedium

You are a security analyst performing threat hunting in Microsoft Sentinel. You suspect an adversary is using living-off-the-land binaries (LOLBins) to execute code. Which KQL function should you use to search for processes spawned by a specific parent process across multiple machines?

A.search
B.find
C.evaluate
D.union
AnswerA

Search can be used to find patterns across tables, and for process ancestry, you can use it in combination with other functions.

Why this answer

Option C is correct because 'search' can scan across tables for a pattern, but for process ancestry queries, joining DeviceProcessEvents with DeviceEvents is common. However, the best approach is to use 'let' to define a lookup and then use 'join'. The question expects knowledge of 'search' as a broad tool.

Option A is wrong because 'union' combines tables, not specifically parent-child relationships. Option B is wrong because 'find' searches across tables but is less efficient. Option D is wrong because 'evaluate' is for plugin execution.

238
MCQeasy

A security team uses Microsoft Sentinel to hunt for signs of credential theft. They want to detect when a user account has been used to log in from an unusual location and then immediately performs a password reset for another user. Which hunting approach is most effective for this scenario?

A.Use a Microsoft Sentinel playbook to automatically flag any password reset
B.Write a KQL query that joins SigninLogs with AuditLogs on user principal name and times within a short window
C.Search the SigninLogs table for logins from unusual locations
D.Create a watchlist of known unusual locations and use it in a query against AuditLogs
AnswerB

This correlates the two events to detect the sequence of unusual login followed by password reset.

Why this answer

Option B (KQL query using join between two tables) is correct because it allows correlating login events from one table with password reset events from another table, combining the two conditions. Option A (single table) cannot correlate two different event types. Option C (watchlist) is for static data, not real-time correlation.

Option D (playbook) is for automated response, not hunting.

239
MCQhard

During a threat hunt, you discover a previously unknown malware variant that communicates over HTTPS to a command-and-control (C2) server. You want to create a custom detection in Microsoft Sentinel that triggers when any device in the organization resolves the C2 domain via DNS. Which data connector should you ensure is enabled?

A.DNS (Preview) via AMA
B.Azure Activity
C.Office 365 (Preview)
D.Windows Security Events via AMA
AnswerA

The DNS connector ingests DNS query logs for detection.

Why this answer

Option B is correct because the DNS connector in Microsoft Sentinel ingests DNS query logs from Windows DNS servers, which can be used to detect domain resolutions. Option A is wrong because the Windows Security Events connector focuses on security events like logons. Option C is wrong because the Azure Activity connector logs Azure resource operations, not DNS queries.

Option D is wrong because Office 365 connector ingests audit logs, not DNS.

240
MCQhard

During a threat hunt, you discover a suspicious PowerShell command that decoded a base64 string and executed a script. Which Microsoft Defender for Endpoint advanced hunting table should you query to find the decoded command line?

A.IdentityLogonEvents
B.DeviceProcessEvents
C.DeviceNetworkEvents
D.DeviceEvents
AnswerB

DeviceProcessEvents includes the command line in ProcessCommandLine.

Why this answer

DeviceProcessEvents stores process creation events including command lines. DeviceEvents stores raw events but not command lines. DeviceNetworkEvents is for network connections.

IdentityLogonEvents is for logons. The correct table for command lines is DeviceProcessEvents.

241
Multi-Selectmedium

Which THREE data sources should be included in a threat hunt to detect data exfiltration via DNS tunneling in Microsoft Sentinel?

Select 3 answers
A.Network flow logs (e.g., Azure Network Watcher)
B.Azure Key Vault diagnostic logs
C.DNS server logs (e.g., from Windows DNS Server or Azure DNS)
D.Windows Event Logs (System and DNS Server events)
E.Microsoft 365 audit logs
AnswersA, C, D

Flow logs help correlate DNS query volumes with network traffic.

Why this answer

DNS events (from DNS servers or Azure DNS), network flow logs (to see volume), and Windows Event Logs (if DNS server logs are not directly available) can help detect DNS tunneling. Option C (Azure Key Vault logs) are for secret access. Option E (Microsoft 365 audit logs) are for user activities.

242
MCQeasy

While hunting for lateral movement, you want to find out which devices have established remote PowerShell sessions to other devices. Which Microsoft Defender for Endpoint advanced hunting table should you query?

A.DeviceProcessEvents
B.DeviceEvents
C.DeviceNetworkEvents
D.DeviceLogonEvents
AnswerC

Contains network connections, including remote management ports.

Why this answer

Option B is correct because DeviceNetworkEvents contains network connections that can indicate remote PowerShell sessions (port 5985/5986). Option A is incorrect because DeviceProcessEvents shows process creation, not network connections. Option C is incorrect because DeviceEvents shows general events.

Option D is incorrect because DeviceLogonEvents shows logon events, not network sessions.

243
MCQmedium

During threat hunting, you identify a suspicious PowerShell process that executed encoded commands. Which Microsoft Defender XDR hunting capability would best help you trace the parent process and command-line arguments across the enterprise?

A.Automated investigation and response
B.Threat analytics
C.Device inventory
D.Advanced hunting
AnswerD

Advanced hunting enables KQL queries to trace process creation events across devices.

Why this answer

Option C is correct because advanced hunting in Microsoft Defender XDR allows KQL queries to correlate process events across devices. Option A is wrong because device inventory lacks process lineage. Option B is wrong because automated investigation and response focuses on containment, not deep tracing.

Option D is wrong because threat analytics provides intelligence, not raw event data.

244
MCQhard

Refer to the exhibit. The query is designed to hunt for potentially compromised accounts that are not on the suspicious list but have many network logons. However, the query returns zero results even though the analyst suspects there should be some hits. What is the most likely issue?

A.The time range filter is missing; no events are returned.
B.The LogonProcessName filter uses an incorrect string.
C.The dynamic array syntax is incorrect.
D.The summarize function cannot be used after a where clause.
AnswerB

The correct process name is 'NtLmSsp' (capital L and M), not 'NtLmSsp'.

Why this answer

Option C is correct because the typo 'NtLmSsp' should be 'NtLmSsp' (note the capital L and M). The correct process name is 'NtLmSsp' (spelled with capital L and M). Option A is wrong because the time range is not specified but defaults to last 24h; this would not cause zero results.

Option B is wrong because the dynamic array syntax is correct. Option D is wrong because the summarize function works correctly.

245
MCQhard

Refer to the exhibit. The KQL query is used for threat hunting in Microsoft Defender XDR. What is the most likely scenario this query is designed to detect?

A.Persistence mechanism via startup folder
B.Ransomware dropping executables on desktops and spreading via SMB
C.Registry modification to disable security tools
D.Phishing campaign delivering .lnk files
AnswerB

.scr files on desktop and SMB connections are common in ransomware outbreaks.

Why this answer

The query looks for .scr files (screensaver, but also used to disguise executables) with names matching 8 lowercase letters on the desktop, and correlates with SMB connections to private IPs. Option A is correct because ransomware often drops executables on desktops and spreads via SMB. Option B is incorrect because the file is on the desktop, not in startup.

Option C is incorrect because no registry events are involved. Option D is incorrect because the file is .scr, not .lnk.

246
Multi-Selecteasy

Which TWO data sources in Microsoft Sentinel are commonly used for threat hunting related to lateral movement?

Select 2 answers
A.DeviceNetworkEvents
C.SecurityEvent
D.DnsEvents
E.AzureActivity
AnswersA, C

Shows network connections from endpoints to other internal IPs.

Why this answer

Options B and D are correct. SecurityEvent (Windows Event Logs) contains Event ID 4624 (logon) and 4688 (process), useful for lateral movement. DeviceNetworkEvents (Microsoft Defender for Endpoint) shows network connections.

Option A is for syslog, not Windows events. Option C is for DNS, which is less direct. Option E is for Azure activity, not lateral movement.

247
MCQhard

A threat hunter writes the KQL query above in Microsoft Defender for Endpoint advanced hunting to find devices where a script host process was launched with encoded commands and then connected to an HTTPS endpoint within 10 minutes. The query is syntactically correct but returns no results. The hunter knows that such activity has occurred. What is the most likely reason?

A.The join on Timestamp with exact match is too restrictive; should use a time window between the two events
B.The FileName list does not include other script hosts like 'mshta.exe'
C.The time range of 7 days is too short; should be 30 days
D.The RemotePort filter should include 80 for HTTP connections
AnswerA

Exact timestamp match is unrealistic; a time difference of up to 10 minutes should be allowed.

Why this answer

Option D is correct because the join condition uses Timestamp which is not precise enough; the join should use a time window, not an exact match. The where clause after join tries to use Timestamp1 (not defined) and also compares incorrectly. Option A (time range too short) is possible but less likely given 7 days.

Option B (filename list) is broad enough. Option C (RemotePort 443) is expected for HTTPS.

248
MCQeasy

A threat hunter wants to investigate a potential data exfiltration event involving large outbound file transfers to an unusual external IP. Which Microsoft Defender XDR advanced hunting table is most appropriate to start the investigation?

A.DeviceNetworkEvents
B.DeviceProcessEvents
C.IdentityDirectoryEvents
D.DeviceFileEvents
AnswerD

Can show large file creation or modification events that might indicate exfiltration.

Why this answer

Option B is correct because DeviceFileEvents shows file creation and modification events, which can indicate large file copies. Option A is wrong because DeviceNetworkEvents shows network connections, not file transfers. Option C is wrong because DeviceProcessEvents shows process creation, not file transfers.

Option D is wrong because IdentityDirectoryEvents shows identity events, not file transfers.

249
MCQmedium

Your organization uses Microsoft Sentinel to monitor a hybrid environment consisting of on-premises servers and cloud workloads in Azure. As a threat hunter, you have been tasked with identifying potential lateral movement using pass-the-hash (PtH) attacks. You have enabled UEBA and connected Windows Event Logs, including Event ID 4624 (logon) and 4648 (explicit credentials). You need to create a hunting query that surfaces anomalous remote logons where the same account logon from a non-domain joined machine using NTLM authentication. Which KQL query should you use to start your hunt?

A.SecurityEvent | where EventID == 4624 and AccountType == 'User' and LogonType == 3 | where IpAddress != '' | summarize count() by Account, IpAddress
B.SecurityEvent | where EventID == 4624 and LogonType == 3 and LogonProcessName contains 'NTLM' | where TargetUserName !endswith '$' | where Computer !in (list of domain controllers) | project TimeGenerated, Account=TargetUserName, SourceWorkstation=WorkstationName, LogonProcessName
C.SecurityEvent | where EventID == 4624 and LogonType == 2 and LogonProcessName contains 'NTLM' | project TimeGenerated, Account=TargetUserName
D.SecurityEvent | where EventID == 4624 and LogonType == 10 and AuthenticationPackageName == 'NTLM' | project TimeGenerated, Account=TargetUserName, SourceIP=IpAddress
AnswerB

Correctly filters NTLM network logons from non-domain controllers.

Why this answer

Correct: Option B filters for logon type 3 (network), NTLM authentication (LogonProcessName contains NTLM), and non-domain joined workstations (WorkstationName not in list of domain controllers). Option A misses PtH indicators; Option C incorrectly uses RDP logon type 10; Option D focuses on interactive logons.

250
MCQeasy

During a threat hunt, you identify a user account that has been logging in from multiple geographic regions within a short time. Which Microsoft Defender for Cloud Apps feature should you use to investigate this anomaly?

A.Cloud Discovery
B.App permissions
C.File policy
D.Activity log
AnswerD

The activity log shows login events with geographic locations.

Why this answer

Option B is correct because the activity log provides detailed user activities including location. Option A is wrong because App permissions is for OAuth apps. Option C is wrong because file policy is for data protection.

Option D is wrong because Cloud Discovery is for shadow IT, not user login anomalies.

251
MCQmedium

Your organization uses Microsoft Defender for Endpoint and Microsoft Sentinel. As part of a threat hunting exercise, you need to detect potential lateral movement using remote desktop protocol (RDP). You want to identify devices that have initiated multiple RDP connections to different internal IP addresses within a short time frame. Which hunting query should you use in Microsoft Sentinel's Log Analytics workspace?

A.Syslog | where Facility == 'auth' and Message contains 'RDP' | summarize count() by HostName
B.DeviceProcessEvents | where ProcessCommandLine contains 'mstsc.exe' | summarize count() by DeviceName
C.DeviceNetworkEvents | where RemotePort == 3389 and ActionType == 'ConnectionSuccess' | summarize dcount(RemoteIP) by DeviceName
D.IdentityLogonEvents | where LogonType == 'RemoteInteractive' | summarize dcount(IPAddress) by DeviceName
AnswerC

This directly counts distinct RDP destinations per device.

Why this answer

Option C is correct because DeviceNetworkEvents contains network connections including RDP (destination port 3389). Summarizing by DeviceName and destination IP, then counting distinct destinations, can identify devices connecting to multiple internal IPs. Option A is incorrect because DeviceProcessEvents does not include network connections.

Option B is incorrect because IdentityLogonEvents focuses on authentication, not network connections. Option D is incorrect because Syslog is for Linux systems, not Windows RDP connections.

252
MCQmedium

You are hunting for signs of Pass-the-Hash attacks using Microsoft Defender for Identity. Which alert should you look for in Microsoft Defender XDR?

A.Honeytoken activity
B.Privilege escalation
C.Suspected brute force attack
D.Suspected overpass-the-hash attack
AnswerD

This alert specifically detects overpass-the-hash (Pass-the-Hash).

Why this answer

Microsoft Defender for Identity has a specific alert for suspected overpass-the-hash (Pass-the-Hash). Option A is for brute force. Option B is for honeytoken activity.

Option D is for privilege escalation. The correct alert is 'Suspected overpass-the-hash attack'.

253
MCQmedium

During a threat hunt, you discover that a PowerShell script executed on multiple servers and established outbound connections to an external IP address. Which data source should you query in Microsoft Defender XDR to identify the specific command-line arguments used?

A.DeviceEvents
B.DeviceImageLoadEvents
C.DeviceProcessEvents
D.DeviceNetworkEvents
AnswerC

DeviceProcessEvents includes process creation events with command-line arguments.

Why this answer

Option C is correct because DeviceProcessEvents captures process creation events including command-line arguments. Option A (DeviceNetworkEvents) captures network connections but not command-line arguments. Option B (DeviceEvents) captures various events but not specifically process command lines.

Option D (DeviceImageLoadEvents) captures DLL loads, not command lines.

254
MCQhard

Your organization uses Microsoft Defender XDR for threat hunting. You suspect a threat actor is using scheduled tasks for persistence. Which hunting query would you use in Microsoft 365 Defender advanced hunting to find newly created scheduled tasks?

A.DeviceEvents | where ActionType == 'ScheduledTaskCreated'
B.DeviceRegistryEvents | where RegistryKey contains 'Tasks'
C.DeviceProcessEvents | where FileName == 'schtasks.exe'
D.DeviceFileEvents | where FolderPath contains 'Tasks'
AnswerA

DeviceEvents captures scheduled task creation actions.

Why this answer

Advanced hunting uses tables like DeviceEvents. Option B is correct because the ScheduledTaskCreated action in DeviceEvents captures scheduled task creation. Option A is incorrect because DeviceProcessEvents records process events, not scheduled tasks.

Option C is incorrect because DeviceRegistryEvents is for registry changes. Option D is incorrect because DeviceFileEvents tracks file creation, not scheduled tasks directly.

255
MCQhard

Refer to the exhibit. The KQL query is used in a threat hunting campaign. Which of the following best describes the hunting activity this query is designed to detect?

A.Macro-based PowerShell execution from Office documents
B.Encoded PowerShell commands executed from the command line
C.Lateral movement using PowerShell remoting
D.Data exfiltration via PowerShell over HTTP
AnswerA

The query specifically looks for PowerShell spawned from Office apps, indicating macro execution.

Why this answer

Option A is correct because the query detects PowerShell launched from Microsoft Office applications, which is a common technique for macro-based attacks. Option B is incorrect because the query does not filter by encoded command. Option C is incorrect because it does not look for lateral movement.

Option D is incorrect because there is no external IP or network connection in the query.

256
Multi-Selecteasy

A threat hunter wants to use Jupyter Notebooks in Microsoft Sentinel for hypothesis-driven hunting. Which THREE steps should the hunter take to set up and use this capability?

Select 3 answers
A.Enable Machine Learning-based analytics in Microsoft Sentinel under 'Entity behavior' settings
B.Provision an Azure Machine Learning (AML) workspace in the same subscription
C.Install the MSTICpy Python library on each hunting analyst's workstation
D.Connect Microsoft Sentinel to the AML workspace using the 'Notebooks' blade in Sentinel
E.Create a PowerShell runbook to automate notebook execution
AnswersA, B, D

This enables the notebooks feature.

Why this answer

Enabling ML-based analytics in Microsoft Sentinel provides access to notebooks; provisioning an Azure Machine Learning workspace is required to run notebooks; connecting Microsoft Sentinel to an AML workspace is the final step to access data. Installing the MSTICpy library separately is not needed; notebooks use KQL, not PowerShell.

257
Multi-Selecteasy

Which TWO data sources in Microsoft Sentinel are most valuable for hunting for command-and-control (C2) communications? (Choose two.)

Select 2 answers
A.Windows Event Logs (e.g., Security, System)
B.Azure Activity log
C.DNS logs (e.g., from DNS servers or Azure DNS Analytics)
D.Syslog from Linux servers
E.Network traffic logs (e.g., from firewalls or network security groups)
AnswersC, E

DNS queries to known malicious domains indicate C2.

Why this answer

C2 communications generate network traffic and DNS queries. Options A and D are correct. Option B is incorrect because Windows event logs are less direct.

Option C is incorrect because syslog may not capture all network traffic. Option E is incorrect because Azure Activity focuses on management plane.

258
Multi-Selecteasy

Which TWO tables in Microsoft Defender XDR advanced hunting are most useful for detecting data exfiltration attempts? (Select two.)

Select 2 answers
A.DeviceProcessEvents
B.DeviceNetworkEvents
C.CloudAppEvents
D.EmailEvents
E.DeviceInfo
AnswersB, C

Shows outbound connections to unusual destinations.

Why this answer

Options A and C are correct. DeviceNetworkEvents shows outbound connections; CloudAppEvents shows cloud app activity. B is for device info, D is for emails, E is for process events.

259
MCQhard

Refer to the exhibit. This KQL query is used for threat hunting in Microsoft Defender XDR. What is the primary goal of this query?

A.Detect brute force attacks by correlating multiple users from the same IP.
B.Identify logons from unusual geographic locations.
C.Find users with an unusually high number of successful logons compared to their own baseline.
D.Identify users with failed logon attempts exceeding a threshold.
AnswerC

Anomaly detection based on user's historical average.

Why this answer

The query calculates a baseline of daily logon counts per user over 30 days, then identifies users whose logon count in the last day exceeds 2 standard deviations above the mean. Option C is correct. Option A is incorrect because it counts logons, not failed logons.

Option B is incorrect because it compares to the user's own baseline, not peers. Option D is incorrect because it does not filter by location.

260
Multi-Selecteasy

Which TWO are common techniques used during threat hunting to identify suspicious behavior in Microsoft Defender XDR?

Select 2 answers
A.Updating antivirus signatures.
B.Searching for known indicators of compromise (IOCs).
C.Applying anomaly detection models to user behavior.
D.Configuring mail flow rules in Exchange Online.
E.Performing vulnerability scans on endpoints.
AnswersB, C

IOC search is a core hunting technique.

Why this answer

Options B and D are correct. B is correct because anomaly detection is a common hunting technique. D is correct because searching for known IOCs (indicators of compromise) is fundamental.

A is incorrect because vulnerability scanning is not a hunting technique. C is incorrect because patch management is a maintenance activity. E is incorrect because configuring mail flow is administrative.

261
MCQeasy

Your team uses Microsoft Defender for Endpoint to hunt for signs of credential theft. You want to query for events where a process accesses the LSASS process memory. Which event type should you look for?

A.Process access (Event 4656)
B.Network connection (Event 5156)
C.Registry modification (Event 4657)
D.Process creation (Event 4688)
AnswerA

Event 4656 logs when a process opens another process, such as LSASS.

Why this answer

Option C is correct because LSASS access is logged as a process access event (Event ID 4656) with specific access flags. Option A is wrong because process creation events show new processes, not access to existing ones. Option B is wrong because registry events do not capture process access.

Option D is wrong because network events are unrelated.

262
MCQhard

Refer to the exhibit. A threat hunter creates a scheduled analytics rule in Microsoft Sentinel using this query. The rule triggers frequently but generates many false positives. What is the best way to improve the rule's precision?

A.Add a filter on Severity to only include High and Medium alerts.
B.Disable MITRE ATT&CK technique mapping.
C.Add EntityMapping to map the compromised entity to an account.
D.Increase the query frequency to run every hour.
AnswerA

Filtering by severity reduces false positives from low-severity alerts.

Why this answer

Option D is correct because adding a condition like Severity reduces false positives by filtering out informational alerts. Option A is wrong because adding EntityMapping doesn't change the query logic. Option B is wrong because increasing the frequency may cause more false positives.

Option C is wrong because turning off MITRE ATT&CK mapping doesn't affect false positives.

263
MCQhard

The KQL query above is used in a threat hunt. What is the most likely scenario this query is designed to detect?

A.Identification of lateral movement using PsExec
B.Discovery of data exfiltration using FTP
C.Hunting for code execution via rundll32.exe loading JavaScript
D.Detection of regsvr32.exe being used to execute scriptlet files
AnswerC

The combination of PowerShell spawning rundll32 with 'javascript:' indicates potential code execution via JavaScript.

Why this answer

The query looks for PowerShell spawning rundll32.exe with a command line containing 'javascript:', which is a common technique to execute JavaScript via rundll32 as a form of code execution or bypass. Option A is incorrect because regsvr32.exe is not involved. Option B is for lateral movement, not shown.

Option D is for data exfiltration, not indicated.

264
MCQhard

Your team is using Microsoft Sentinel to hunt for signs of Kerberos golden ticket attacks. You have enabled Advanced Security Audit Policy on domain controllers to log Kerberos service ticket operations (Event ID 4769). You need to create a KQL query that identifies potential golden ticket use by looking for service tickets that have anomalous attributes, such as ticket encryption type 0x17 (RC4) combined with a long lifetime or unusual service names. Which KQL query should you use?

A.SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x17'
B.SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x12' and TicketOptions contains '0x2'
C.SecurityEvent | where EventID == 4769 and TicketEncryptionType == '0x17' and (TicketOptions contains '0x2' or ServiceName !startswith 'krbtgt')
D.SecurityEvent | where EventID == 4768 and TicketEncryptionType == '0x17'
AnswerC

Correctly identifies RC4 tickets with renewable flag or non-default service.

Why this answer

Option A correctly filters for RC4 encryption type (0x17), a common indicator of forged tickets, and checks for long lifetime (TicketOptions contains '0x2' for renewable) and unusual services. Option B uses wrong encryption type; Option C only filters for encryption type without anomaly checks; Option D uses wrong event ID (4768 is for TGT requests).

265
MCQmedium

Your threat hunt involves correlating alerts from Microsoft Defender for Cloud Apps with Microsoft Defender for Endpoint. Which Microsoft Sentinel integration should you use to unify these alerts for hunting?

A.Microsoft Sentinel's unified analytics rules and incident creation
B.Power Automate flows to merge alerts
C.Microsoft Graph API to pull alerts into a custom database
D.Azure Monitor Workbooks to display alerts side by side
AnswerA

Microsoft Sentinel ingests alerts from all Microsoft Defender products and allows cross-correlation.

Why this answer

Option A is correct because Microsoft Sentinel provides built-in connectors and analytics rules to correlate alerts across Microsoft Defender XDR, including Defender for Cloud Apps and Defender for Endpoint. Option B (Microsoft Graph API) is programmatic but not a unified hunting experience. Option C (Azure Monitor Workbooks) visualizes but does not correlate.

Option D (Power Automate) automates responses but not correlation.

266
Multi-Selecthard

Which TWO of the following are valid approaches to perform threat hunting using Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Using Fusion analytics rule
B.Using the Hunting blade and Livestream
C.Using Automation rules to trigger playbooks
D.Using KQL queries in the Logs blade
E.Using Azure Policy to enforce compliance
AnswersB, D

Hunting blade provides predefined queries and livestream for real-time hunting.

Why this answer

The Hunting blade in Microsoft Sentinel provides a dedicated interface for proactive threat hunting, allowing analysts to run KQL queries and pivot through results. Livestream extends this by enabling continuous, real-time query execution against incoming data, which is essential for detecting patterns that evolve over minutes or hours. Both features are explicitly designed for iterative, hypothesis-driven threat hunting rather than automated detection.

Exam trap

The trap here is that candidates confuse automated detection rules (like Fusion) or response automation (like playbooks) with the manual, iterative process of threat hunting, which requires interactive querying and live monitoring rather than passive alerting.

267
MCQhard

During a hunt, you discover that an attacker used a valid but compromised service principal to authenticate to Azure Key Vault and export secrets. Which Microsoft Sentinel hunting query would best identify similar activity across your environment?

A.AADManagedIdentitySignInLogs | where ResultType == 0
B.ServicePrincipalSignInLogs | where ResultType == 0 | where ResourceDisplayName contains 'Key Vault'
C.SigninLogs | where ResultType == 0 | where AppDisplayName contains 'Key Vault'
D.AADUserRiskEvents | where RiskEventType == 'compromised'
AnswerB

ServicePrincipalSignInLogs captures sign-ins for non-user identities, and filtering on Key Vault resource identifies access to secrets.

Why this answer

Option C is correct because ServicePrincipalSignInLogs track service principal sign-ins, and auditing for successful access to Key Vault can reveal similar compromises. Option A is wrong because it's about user sign-ins. Option B is wrong because it's for user risk.

Option D is wrong because it's for managed identity, not all service principals.

268
MCQmedium

Your threat hunt identifies a process that is making outbound connections to an unknown IP address. Which Microsoft Defender for Endpoint action can you take to immediately isolate the device?

A.Isolate device
B.Collect investigation package
C.Block file
D.Run antivirus scan
AnswerA

Immediately disconnects the device from the network.

Why this answer

Option A is correct because Isolate device disconnects the device from the network. Option B only runs a scan. Option C collects investigation package.

Option D blocks the file but doesn't isolate.

269
MCQmedium

You are investigating a potential data exfiltration incident. You notice a user uploading large amounts of data to a cloud storage service that the organization has not approved. Which Microsoft Defender XHR feature would best help you hunt for similar patterns across all users?

A.Custom detection rules in Microsoft Sentinel
B.Advanced hunting in Microsoft Defender XDR
C.Incident investigation graph in Microsoft Defender XDR
D.Automation rules in Microsoft Sentinel
AnswerB

Advanced hunting provides a KQL interface to query raw data across endpoints, identities, and cloud apps for hunting.

Why this answer

Option B is correct because advanced hunting allows you to write custom KQL queries to detect patterns like large uploads to unapproved cloud storage. Option A is wrong because custom detection rules are for creating alerts based on queries, but the question asks for hunting. Option C is wrong because incident investigation focuses on a single incident, not proactive hunting.

Option D is wrong because automation rules automate responses, not hunting.

270
MCQmedium

You are a threat hunter using Microsoft Sentinel. You have ingested syslog data from a Palo Alto firewall. You want to create a scheduled query rule that alerts when more than 10 outbound connections to a known bad IP address occur within 5 minutes. Which KQL function should you use to summarize the count?

A.project SourceIp, DestinationIp
B.extend Count = 1
C.summarize count() by SourceIp, DestinationIp
D.join kind=inner (Syslog)
AnswerC

summarize with count() provides the aggregation needed for threshold detection.

Why this answer

Option A is correct because `summarize` aggregates data by specified columns, and `count()` counts rows. Option B is wrong because `project` selects columns, does not aggregate. Option C is wrong because `extend` adds new columns.

Option D is wrong because `join` merges tables.

271
MCQhard

You are a security operations analyst for Contoso Ltd. The company uses Microsoft Sentinel as its SIEM and Microsoft Defender for Cloud Apps for SaaS security. You are tasked with threat hunting for potential data exfiltration via Microsoft SharePoint Online. You need to create a hunting query that identifies users who have downloaded an unusually high number of files from SharePoint within a short time window compared to their historical baseline. The query should be run in Microsoft Sentinel using the OfficeActivity table. Which of the following approaches should you take?

A.Use the HuntingBookmark table to search for user activity
B.Query the CommonSecurityLog table for SharePoint events and look for high volumes of outbound traffic
C.Query the OfficeActivity table, filter for Operation=='FileDownloaded', summarize by UserId and bin(TimeGenerated, 1h), then use a join with a historical baseline table to detect deviations
D.Query the SecurityAlert table for alerts related to data exfiltration
AnswerC

This approach uses the correct data source and method to compare current activity with historical baseline.

Why this answer

Option A is correct because using the OfficeActivity table with summarize and bin() allows you to count download events (Operation=='FileDownloaded') per user per hour and then compare the current count to a historical average to detect anomalies. Option B is incorrect because the CommonSecurityLog table does not contain SharePoint download events. Option C is incorrect because the HuntingBookmark table is for storing bookmarks, not for running analytics.

Option D is incorrect because the SecurityAlert table contains alerts, not raw events needed for baseline calculation.

272
MCQmedium

An analyst runs this PowerShell script to query Microsoft Sentinel data. The query returns no results. What is the most likely reason?

A.The timestamp filter is invalid; it should use TimeGenerated instead of Timestamp
B.The query syntax is incorrect; summarize cannot be used after where
C.No events matched the specific combination of process name and command line in the last 7 days
D.The API endpoint URL is incorrect; it should be /v2/workspaces
AnswerC

rundll32.exe with javascript is rare; likely no such events occurred.

Why this answer

Option B is correct because the query uses `rundll32.exe` with `javascript` in the command line, which is an uncommon but known technique for executing JavaScript via rundll32. Option A is wrong because the API endpoint is correct for Log Analytics. Option C is wrong because the date range is valid.

Option D is wrong because 7-day range is valid.

273
Multi-Selecthard

Which TWO actions are effective when threat hunting for lateral movement using remote desktop protocol (RDP) in Microsoft Defender XDR?

Select 2 answers
A.Query DeviceNetworkEvents for inbound connections on port 3389
B.Review CloudAppEvents for access to cloud apps from multiple IPs
C.Correlate RDP connections with successful logon events (Event ID 4624) with LogonType 10
D.Check for unusual email forwarding rules
E.Search for SMB file share connections
AnswersA, C

Port 3389 is used by RDP; inbound connections may indicate lateral movement.

Why this answer

Querying DeviceNetworkEvents for inbound RDP connections (port 3389) helps identify potential lateral movement. Correlating with LogonEvents for successful RDP logins confirms the movement. Option B (looking for SMB connections) is more for file sharing.

Option D (checking email forwarding) is for exfiltration. Option E (reviewing cloud app activities) is not directly RDP-related.

274
MCQmedium

During a threat hunt, you suspect a user may have exfiltrated data via email. Which Microsoft 365 Defender advanced hunting table should you query to review email attachments and their file hashes?

A.EmailUrlInfo
B.EmailAttachmentInfo
C.EmailEvents
D.EmailPostDeliveryEvents
AnswerB

This table includes attachment information and hashes.

Why this answer

EmailAttachmentInfo contains details about email attachments, including file name, size, and SHA256 hash.

275
MCQmedium

A security analyst is performing threat hunting in Microsoft Sentinel and wants to identify anomalous outbound network traffic from a compromised virtual machine. Which data source should be prioritized for this hunt?

A.Azure Activity Log
B.Azure Network Watcher flow logs
C.Windows Event Logs (Security, System)
D.Microsoft Entra ID sign-in logs
AnswerB

Flow logs capture IP traffic information, enabling detection of anomalous outbound connections.

Why this answer

Azure Network Watcher flow logs provide detailed information about IP traffic through Azure networks, making them ideal for detecting anomalous outbound traffic patterns. Option A (Azure Activity Log) focuses on control plane events, not network flows. Option C (Windows Event Logs) is for host-level events, not network traffic.

Option D (Azure AD sign-in logs) is for authentication events.

276
MCQhard

You run the KQL query above in Microsoft Sentinel. The query returns zero results even though you know some devices have connected to malicious IPs. What is the most likely cause?

A.The externaldata source URL is inaccessible from the Sentinel workspace.
B.The malicious IPs are not in the list.
C.The DeviceNetworkEvents table does not contain the RemoteIP column.
D.The let statement syntax is incorrect.
AnswerA

If the workspace cannot reach the URL, no IPs are loaded.

Why this answer

Option A is correct because externaldata requires the cluster to access the URL, which may be blocked. Option B is wrong because the syntax is correct. Option C is wrong because DeviceNetworkEvents is valid.

Option D is wrong because the IPs are in the list.

← PreviousPage 4 of 4 · 276 questions total

Ready to test yourself?

Try a timed practice session using only Perform Threat Hunting questions.