CCNA Respond Security Incidents Questions

75 of 489 questions · Page 1/7 · Respond Security Incidents topic · Answers revealed

1
MCQ · easy

Your organization uses Microsoft Defender XDR. You receive an alert about a potentially unwanted application (PUA) being installed on a device. The PUA is not blocked by your current policy. You need to prevent future installations of this PUA without affecting other software. What should you do?

A. Enable blocking of all potentially unwanted applications in the antivirus policy.
B. Reset the device to its factory settings.
C. Create a custom indicator of compromise (IoC) to block the specific file's hash.
D. Run a full scan on the device to remove the PUA.
Answer: C

Custom indicators allow precise blocking based on file hash.

Why this answer

Adding the file's SHA-256 hash as a custom indicator allows Defender to block that specific file. Option A is incorrect because blocking all PUAs is too broad. Option D is incorrect because a full scan does not prevent future installations.

Option B is incorrect because resetting the device is excessive.

2
MCQ · easy

During a security incident response, you need to collect forensic evidence from a Windows 10 device that is suspected to be compromised. The device is not domain-joined and is located in a remote office. You have remote administrative access. Which Microsoft 365 tool should you use to acquire a memory dump of the device?

A. Microsoft Sentinel
B. Microsoft Purview eDiscovery
C. Microsoft Intune
D. Microsoft Defender for Endpoint
Answer: D

MDE's live response feature allows collection of memory dumps and other forensic artifacts.

Why this answer

Option D is correct because Microsoft Defender for Endpoint (MDE) includes live response capabilities that allow you to collect memory dumps from remote devices. Option C is wrong because Microsoft Intune is for device management, not forensic collection. Option B is wrong because Microsoft Purview eDiscovery is for content searches and legal holds, not live memory acquisition.

Option A is wrong because Microsoft Sentinel is a SIEM, not a tool for direct forensic collection from endpoints.

3
MCQ · medium

You are responding to a ransomware incident in Microsoft Defender XDR. You have identified that the malware encrypted files on several devices and then deleted the volume shadow copies. Which of the following actions should you take first to contain the incident?

A. Run a remediation action to delete the detected malware
B. Restore encrypted files from backup
C. Run a full antivirus scan on all devices
D. Isolate affected devices using Microsoft Defender for Endpoint
Answer: D

Isolation prevents further spread.

Why this answer

The correct answer is D because isolating devices prevents the ransomware from spreading to other systems. Option A is wrong because deleting the malware does not address the encryption already done. Option B is wrong because restoring files should wait until containment is achieved.

Option C is wrong because running a full scan is not the first containment step.

4
Multi-Select · medium

Which THREE are valid investigation actions in Microsoft Sentinel? (Select THREE.)

Select 3 answers
A. View related entities such as IP addresses.
B. Run a playbook.
C. View related incidents.
D. Modify an analytics rule.
E. View related alerts.
Answers: A, C, E

Entities are core to investigation.

Why this answer

Option E is correct because investigation can show related alerts. Option A is correct because investigation can show entities such as IP addresses. Option C is correct because investigation can show related incidents.

Option B is wrong because running a playbook is a remediation action, not an investigation action. Option D is wrong because investigation does not modify analytics rules.

5
Multi-Select · easy

Your organization uses Microsoft Sentinel. You are investigating an incident that involves multiple alerts. Which TWO actions can you perform from the incident details page to consolidate the investigation?

Select 2 answers
A. Create a bookmark to capture relevant evidence.
B. Delete alerts that are not relevant.
C. Add additional alerts to the incident.
D. Create a new playbook from the incident page.
E. Modify the analytics rule that generated the incident.
Answers: A, C

Bookmarks help preserve evidence for later.

Why this answer

From the incident details page, you can add alerts to the incident and create a bookmark to preserve evidence. Option C is correct because you can add related alerts. Option A is correct because bookmarks can be created.

Option E is wrong because analytics rules are modified in the Analytics blade. Option D is wrong because playbooks are run from the incident page, not created there. Option B is wrong because deleting alerts is not a standard action.

6
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An incident is created for a user whose credentials were used from an unusual location to access sensitive HR data. The user's account is a domain admin. The security team needs to ensure the attacker cannot use the account again. What should you do first?

A. Remove the user from the Domain Admins group
B. Force the user to log out of all sessions
C. Reset the user's password and revoke the Kerberos TGT
D. Disable the user's account in Active Directory
Answer: C

Password reset and TGT revocation prevent reuse of credentials.

Why this answer

Option C is correct because resetting the password and revoking the Kerberos TGT ensures the attacker cannot reuse cached credentials. Option D is wrong because disabling the account may disrupt operations, whereas a password reset is more precise. Option B is wrong because logging out alone does not invalidate the TGT.

Option A is wrong because removing group membership is secondary.

7
MCQ · easy

An analyst in your SOC receives a Microsoft Defender for Cloud Apps alert indicating a suspicious Power Automate flow that is forwarding emails to an external domain. The analyst needs to disable the flow immediately. Which action should they take?

A. Block the external domain in Exchange Online mail flow rules
B. Remove the flow from the Microsoft 365 admin center
C. Disable the user account in Microsoft Entra ID
D. Use the governance action in Microsoft Defender for Cloud Apps to disable the flow
Answer: D

Defender for Cloud Apps can take governance actions on connected apps, including disabling suspicious flows.

Why this answer

Option D is correct because from the Defender for Cloud Apps portal, the analyst can govern the app by disabling the suspicious flow. Option C is wrong because disabling the user account is more disruptive and may not stop the flow if it uses a service principal. Option B is wrong because Power Automate flows are not managed via the Microsoft 365 admin center.

Option A is wrong because blocking the external domain in Exchange Online does not stop the flow.

8
MCQ · medium

Refer to the exhibit. An incident in Microsoft Sentinel contains the entities shown. Which additional data source would be most useful to investigate this incident?

A. Microsoft Defender for Endpoint device timeline
B. Microsoft Entra ID sign-in logs
C. Microsoft Purview audit logs
D. Microsoft Intune device compliance logs
Answer: B

Sign-in logs provide details about the authentication event.

Why this answer

Option B is correct because the incident involves a suspicious sign-in from an unfamiliar IP. Checking Microsoft Entra ID sign-in logs can provide additional context like authentication details, user agent, and risk level. Option A is wrong because Microsoft Defender for Endpoint focuses on endpoints, not cloud sign-ins.

Option C is wrong because Microsoft Purview is for compliance and data governance. Option D is wrong because Microsoft Intune is for device management, not sign-in events.

9
MCQ · easy

A SOC analyst is triaging an incident in Microsoft Sentinel and needs to assign it to a senior analyst for further investigation. What is the correct action?

A. Create a new incident and manually add the senior analyst as a comment.
B. Open the incident and change the Owner field to the senior analyst.
C. Close the incident and reopen it under the senior analyst's name.
D. Run a playbook that sends an email to the senior analyst.
Answer: B

Changing the owner assigns the incident to the specified analyst.

Why this answer

Option B is correct because the incident details blade allows changing the owner. Option A is wrong because creating a new incident is not necessary. Option C is wrong because closing the incident would stop the investigation.

Option D is wrong because the playbook is for automation, not for assignment.

10
MCQ · easy

A security analyst in Microsoft Sentinel receives an incident with a high severity alert from Microsoft Defender for Identity. The incident description mentions a suspected lateral movement pass-the-hash attack. What should the analyst do first?

A. Reset the password of the compromised account.
B. Review the Microsoft Defender for Cloud Apps logs.
C. Isolate the affected device from the network.
D. Create a new analytics rule to detect pass-the-hash attacks.
Answer: C

Isolation stops the attack from spreading.

Why this answer

Isolating the affected device prevents further lateral movement. Option D is for future detection; Option A is not immediate; Option B is for cloud apps.

11
MCQ · medium

A Microsoft Defender for Endpoint alert indicates that a device has been communicating with a known command-and-control (C2) server. The device is critical for production. What is the most appropriate response?

A. Disconnect the network cable of the device.
B. Run a full antivirus scan on the device.
C. Block the C2 server URL in the firewall.
D. Isolate the device using Microsoft Defender for Endpoint's device isolation feature.
Answer: D

Isolation can be done with a forensic preservation mode, allowing investigation while blocking communication.

Why this answer

The most appropriate response is to isolate the device from the network to prevent further C2 communication while preserving forensic data. Disconnecting the network cable does not preserve data. Running a full scan is reactive.

Blocking the C2 URL is less effective because the device may have other backdoors.

12
MCQ · medium

An organization uses Microsoft Sentinel and Microsoft Defender XDR. A critical incident is created when a user is detected as compromised. The incident severity is set to High. The SOC manager wants to ensure that all incidents with severity High or above are automatically assigned to the senior analyst tier. What should the analyst configure?

A. Set a playbook to run when an incident is created.
B. Create an analytics rule with a custom severity.
C. Define an automation rule to assign incidents based on severity.
D. Configure an alert tuning rule.
Answer: C

Automation rules can conditionally assign incidents to specific owners or groups based on severity.

Why this answer

The correct answer is C. Automation rules in Microsoft Sentinel allow setting conditions based on incident properties (such as severity) and then assigning the incident to an owner or group. The other options do not provide automatic assignment based on severity.

13
MCQ · hard

Your organization has Microsoft Sentinel and Microsoft Defender for Identity deployed. An incident is created for a user whose account was used to access a sensitive database from an unusual workstation. The user is a member of the 'Database Admins' group. The security team needs to prevent further unauthorized access and preserve evidence. What should you do first?

A. Disable the user's account in Active Directory
B. Reset the user's password
C. Force the user to log off all sessions
D. Remove the user from the Database Admins group
Answer: A

Disabling the account prevents further access immediately.

Why this answer

Option A is correct because disabling the account immediately prevents further access while preserving the group membership for investigation. Option D is wrong because removing the user from the group may not stop access if the attacker has cached credentials. Option B is wrong because resetting the password alone may not invalidate existing sessions.

Option C is wrong because logging off may not be possible or effective.

14
MCQ · easy

An organization uses Microsoft Sentinel for security operations. A security engineer needs to automatically disable a compromised user account in Microsoft Entra ID when a high-severity incident is created in Sentinel. Which feature should the engineer use?

A. Analytics rule
B. Workbook
C. Automation rule with a playbook
D. Hunting query
Answer: C

Automation rules can trigger a playbook that disables the user account.

Why this answer

Option C is correct because automation rules in Sentinel trigger playbooks on incident creation. Option A is wrong because analytics rules only create alerts, not actions on users. Option B is wrong because workbooks are for visualization, not automation.

Option D is wrong because hunting queries are manual.

15
MCQ · medium

Your organization uses Microsoft Sentinel with Microsoft Defender XDR integrated. A critical incident has been raised involving a user account that was used to access a confidential SharePoint site from an unusual location at 2:00 AM. The incident includes alerts from Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, and Microsoft Defender for Office 365. The analyst needs to contain the incident, investigate the scope, and begin remediation. The environment has the following: Microsoft Entra ID with conditional access policies, Microsoft Intune for device management, and Microsoft Defender for Endpoint on all devices. The analyst has identified the user account and the device used. Which course of action should the analyst take first?

A. Create a conditional access policy to block the user.
B. Isolate the user's device using Microsoft Defender for Endpoint.
C. Run a KQL query to find all resources accessed by the user.
D. Disable the user account in Microsoft Entra ID and revoke all sessions.
Answer: D

Immediately stops the user from accessing any resources.

Why this answer

Disabling the user account in Microsoft Entra ID is the fastest way to stop access. Option B is secondary; Option C doesn't stop access; Option A is for future protection, not immediate containment.

16
Multi-Select · easy

Which TWO Microsoft Defender XDR entities can be managed during incident response?

Select 2 answers
A. Network interfaces
B. Azure subscriptions
C. Devices
D. Microsoft 365 tenants
E. User accounts
Answers: C, E

Devices are core entities in Defender for Endpoint.

Why this answer

Options C and E are correct. Devices and user accounts are managed entities in Defender XDR. Option B is wrong because Azure subscriptions are not entities in Defender XDR.

Option D is wrong because Microsoft 365 tenants are not managed entities. Option A is wrong because network interfaces are not entities.

17
MCQ · easy

A SOC analyst is using Microsoft Sentinel to respond to an incident involving multiple compromised user accounts. The analyst needs to quickly see the timeline of all related events. Which feature should the analyst use?

A. Entity behavior page.
B. Analytics rule page.
C. Workbook.
D. Incident timeline.
Answer: D

The incident timeline provides a chronological view of all evidence and activities.

Why this answer

Option D is correct because the incident timeline shows all alerts, bookmarks, and activities in chronological order. Option A is wrong because entity pages provide details about an entity, not a timeline. Option C is wrong because workbooks are for dashboards, not incident-specific timelines.

Option B is wrong because the analytics rule page shows rule configuration, not a timeline.

18
MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. You receive an alert indicating that a user from the finance department accessed a sensitive SharePoint file from an IP address associated with a known malicious Tor exit node. The file contains payment information. The user's account has not been disabled. What should you do first to contain the incident?

A. Delete the SharePoint file from the site
B. Notify the user of the suspicious activity
C. Block the IP address in Microsoft Defender for Cloud Apps
D. Suspend the user's account in Microsoft Entra ID
Answer: D

Suspending the account prevents further access immediately.

Why this answer

Option D is correct because the first step is to suspend the compromised account to prevent further data exfiltration. Option C is wrong because blocking the IP is less effective, as the attacker can change IPs. Option A is wrong because deleting the file may destroy evidence.

Option B is wrong because notifying the user could alert the attacker.

19
MCQ · hard

Your organization uses Microsoft Sentinel as its SIEM and Microsoft Defender XDR for endpoint protection. You have a custom analytics rule that triggers on suspicious PowerShell activity. The rule uses the following KQL query:

```kql
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "-EncodedCommand"
| where InitiatingProcessFileName != "explorer.exe"
| project Timestamp, DeviceName, AccountName, ProcessCommandLine
```

The rule generates incidents that are assigned to the SOC team for investigation. However, analysts report that they are spending too much time manually collecting additional process details for each alert. You need to automate the enrichment of these incidents with additional context, such as parent process details, network connections, and file creation events from the same device within the last hour. The enrichment should be triggered automatically when an incident is created, and the results should be added as a comment to the incident. You have access to Azure Logic Apps and Azure Automation. Which approach should you use?

A. Create a second analytics rule that triggers on the same events and sends the additional context to a watchlist, then use a playbook to read the watchlist and add comments.
B. Create an automation rule in Microsoft Sentinel that triggers a Logic App playbook when an incident is created. The playbook uses the Microsoft 365 Defender connector to run advanced hunting queries for parent process, network connections, and file creation events from the same device in the last hour, then adds the results as a comment to the incident.
C. Use Microsoft Power Automate to create a flow that is triggered when a new incident appears in Sentinel, then use the flow to query Defender XDR and update the incident.
D. Modify the analytics rule query to join with additional tables to include parent process details, network connections, and file creation events directly in the alert.
Answer: B

Automation rules can trigger playbooks on incident creation; Logic App can perform queries and add comments.

Why this answer

Option B is correct because an automation rule can trigger a playbook (Logic App) when an incident is created. The Logic App can use the advanced hunting connector to query Defender XDR for additional context and add a comment. Option A is wrong because watchlists are for static data, not dynamic queries.

Option D is wrong because analytics rules do not trigger playbooks; automation rules do. Option C is wrong because Power Automate is not integrated with Sentinel.

20
Multi-Select · hard

Which THREE actions are part of the containment phase in the Microsoft Incident Response process?

Select 3 answers
A. Notify senior management of the incident.
B. Block known malicious IP addresses at the firewall.
C. Disable compromised user accounts.
D. Isolate affected systems from the network.
E. Collect forensic data from affected systems.
Answers: B, C, D

Blocking IPs stops communication with attackers.

Why this answer

Options B, C, and D are correct. Disabling compromised accounts, isolating affected systems, and blocking malicious IPs are containment actions. Option E is wrong because collecting forensic data is part of investigation.

Option A is wrong because notifying stakeholders is communication.

21
MCQ · medium

Your organization uses Microsoft Sentinel with a workspace in the East US region. You need to respond to an incident involving data exfiltration from a virtual machine in West Europe. The incident was created from a custom analytics rule that queries the AzureActivity table. What should you do to ensure the incident contains all relevant evidence from the West Europe region?

A. Create the analytics rule in a separate workspace in West Europe
B. Ensure that Azure activity logs from West Europe are streamed to the same Sentinel workspace in East US
C. Configure the analytics rule to query the West Europe workspace
D. Use the incident merge feature to combine incidents from multiple workspaces
Answer: B

Centralizing logs into one workspace allows the rule to query all relevant data.

Why this answer

Option B is correct because the workspace is in East US, and data from West Europe must be ingested into the same workspace for the rule to query it. Option A is wrong because the analytics rule runs in the workspace where it is defined, not across multiple workspaces. Option C is wrong because pointing the rule at West Europe does not bring data into the East US workspace.

Option D is wrong because incidents are workspace-scoped and cannot be merged across workspaces by default.

22
MCQ · hard

Your company uses Microsoft Sentinel and Microsoft Defender for Cloud Apps (MCAS). A security analyst detects that a user is accessing a sanctioned cloud app from an unusual location. The analyst creates an incident in Sentinel. You need to automatically apply a session policy in MCAS to block downloads from that user for the next hour. You have an existing playbook that can apply session policies. What is the most efficient way to automate this response?

A. Create an automation rule in Sentinel that triggers when an incident is created with the relevant conditions and runs the playbook.
B. Instruct the analyst to run the playbook manually from the incident page each time.
C. Configure the incident creation rule in MCAS to automatically run the playbook.
D. Modify the analytics rule that detected the anomaly to run the playbook as an automated response.
Answer: A

Automation rules are designed for automated response.

Why this answer

To automate the response, create an automation rule that triggers on incident creation and runs the playbook, so Option A is correct. Option D is wrong because analytics rules do not run playbooks directly.

Option C is wrong because the incident creation rule is not for automated response. Option B is wrong because manual actions are not automated.

23
Multi-Select · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During a security incident involving a compromised Azure VM, which THREE actions are appropriate to contain and investigate the incident?

Select 3 answers
A. Use Microsoft Defender for Cloud's Just-in-Time VM access to isolate the VM.
B. Create a Microsoft Sentinel automation rule to trigger a playbook that runs investigation actions.
C. Enable network security group flow logs to capture network traffic.
D. Delete the compromised VM to prevent further damage.
E. Update the VM's operating system to the latest patch.
Answers: A, B, C

Limits network access to the VM.

Why this answer

Options A, B, and C are correct because enabling network security group flow logs helps trace lateral movement, isolating the VM in Defender for Cloud stops communication, and creating an automation rule can trigger a playbook for response. Option D is wrong because deleting the VM destroys evidence. Option E is wrong because updating the VM does not contain the incident.

24
Multi-Select · medium

Your organization is responding to a security incident in Microsoft Defender XDR. You need to contain a compromised on-premises Exchange server. Which TWO actions are appropriate? (Choose two.)

Select 2 answers
A. Disconnect the server from the network.
B. Collect an investigation package from the server.
C. Block the compromised user account in Microsoft Entra ID.
D. Update the antivirus definitions on the server.
E. Run a full antivirus scan on the server.
Answers: A, C

Disconnecting isolates the server.

Why this answer

Options A and C are correct. Blocking the compromised account prevents further access, and disconnecting the server from the network contains the threat. Option E (running a full scan) is a remediation step, not containment.

Option B (collecting an investigation package) is evidence collection. Option D (updating antivirus definitions) is not immediate containment.

25
MCQ · medium

Your organization uses Microsoft Defender for Endpoint (MDE) and Microsoft Sentinel. You receive an alert in MDE about a suspicious PowerShell command executed on a device. You create an incident in Sentinel from this alert. You need to automatically collect a memory dump from the affected device for further analysis. You have a playbook that can initiate a memory dump collection via the MDE API. What is the best way to automate this?

A. Configure the alert details enrichment in Sentinel to automatically add the memory dump to the incident.
B. Create an automation rule that triggers when an incident is created from an MDE alert and runs the playbook to collect the memory dump.
C. Use entity behavior analytics in Sentinel to trigger the playbook when suspicious behavior is detected.
D. Have the analyst manually run the playbook from the incident page.
Answer: B

Automation rules enable automated response.

Why this answer

Automation rules can trigger playbooks on incident creation. Option B is correct because the playbook can collect the memory dump immediately. Option A is wrong because alert details enrichment is not for running playbooks.

Option C is wrong because entity behavior analytics is not relevant here. Option D is wrong because the playbook should run automatically, not manually.

26
MCQ · medium

You deploy the above ARM template to create a scheduled analytics rule in Microsoft Sentinel. After deployment, the rule runs but never generates incidents. What is the MOST likely cause?

A. The severity level 'Medium' is not supported.
B. The rule is disabled because 'enabled' is set to true but there is a typo.
C. The query 'SigninLogs | where ResultType == 50057' is invalid.
D. The saved search resource type is incorrectly used; it should not be included in the template.
Answer: D

The saved search resource is not a valid Sentinel alert rule; the alert rule is defined correctly but the template may cause deployment errors.

Why this answer

Option D is correct because the saved search (savedSearches) resource type is not a valid alert rule in Sentinel; the alert rule resource type should be 'Microsoft.SecurityInsights/alertRules' with the correct schema. The template includes both a saved search and an alert rule; the alert rule's SigninLogs query is valid, so the problem is the saved search being defined as a resource.

Option C is wrong because the query is valid. Option A is wrong because the severity is valid. Option B is wrong because the rule is enabled.

27
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. During an incident investigation, you find that a device is exfiltrating data to an external IP. You need to isolate the device from the network using automated response. Which action should you configure in an automation rule?

A. Trigger a Microsoft Purview data loss prevention policy.
B. Run a Microsoft Entra ID playbook to disable the device.
C. Run a playbook that triggers a Microsoft Defender for Endpoint 'Isolate device' action.
D. Create an automation rule in Microsoft Intune to wipe the device.
Answer: C

This action isolates the device from the network, containing the exfiltration.

Why this answer

Option C is correct because Microsoft Defender for Endpoint provides the 'Isolate device' action, which can be triggered from a playbook run by a Sentinel automation rule. Option B is wrong because Microsoft Entra ID does not have device isolation. Option D is wrong because Intune is for device management, not immediate isolation.

Option A is wrong because Microsoft Purview is for data governance, not device isolation.

28
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. During an incident, you discover that a user is downloading large amounts of data from SharePoint to an unmanaged device. You need to automatically block further downloads from that device. What should you configure?

A. Create a session policy in Microsoft Defender for Cloud Apps to block download.
B. Create a Conditional Access policy to require a compliant device.
C. Configure Microsoft Intune device compliance policy.
D. Create a DLP policy in Microsoft Purview.
Answer: A

Session policies can monitor and control actions in real time.

Why this answer

Option A is correct because Defender for Cloud Apps session policies can block downloads from unmanaged devices. Option B is wrong because Conditional Access policies block access but not specific actions. Option D is wrong because DLP policies generate alerts but do not block.

Option C is wrong because device compliance policies require Intune enrollment.

29
MCQ · medium

A company uses Microsoft Defender XDR and has enabled automatic attack disruption for human-operated ransomware. During an incident, the system automatically contains a compromised account. However, the SOC team wants to ensure that the containment action is reversible and that the account can be restored after investigation. What should the team do before restoring the account?

A.Change the account's password and enable multi-factor authentication.
B.Verify that no other accounts were compromised.
C.Remove the account from all administrative roles.
D.Run a full antivirus scan on the account's devices.
AnswerA

Resetting the password and enabling MFA ensures the account is secured before restoration.

Why this answer

The correct answer is A. The account must be reset and verified clean to prevent the attacker from regaining access. The other options are not sufficient on their own.

30
MCQ · easy

Your organization uses Microsoft Sentinel. A security incident is created, and the assigned analyst needs to perform initial triage. What is the first step the analyst should take according to Microsoft best practices for incident response?

A. Contain the affected resources immediately to prevent further damage.
B. Run a full investigation using Microsoft 365 Defender hunting queries.
C. Review the incident details and verify the alert is a true positive.
D. Escalate the incident to the senior security team.
Answer: C

First step is to validate the alert.

Why this answer

Option C is correct because the first step in the Microsoft incident response process is to verify the alert and determine its validity. Option A is wrong because containment should follow verification. Option D is wrong because escalating before verification bypasses triage.

Option B is wrong because detailed investigation comes after initial triage.

31
Multi-Select · hard

Which THREE of the following are valid incident types in Microsoft 365 Defender? (Choose three.)

Select 3 answers
A. Insider risk
B. Phishing
C. Misconfiguration
D. Data exfiltration
E. Malware
Answers: B, D, E

Phishing incidents come from Defender for Office 365.

Why this answer

Options B, D, and E are correct because Microsoft 365 Defender incidents include categories such as 'Malware', 'Phishing', and 'Data exfiltration'. Option C is wrong because 'Misconfiguration' is not an incident type; it is a finding. Option A is wrong because 'Insider risk' is managed in Microsoft Purview, not as a primary incident type in Defender.

32
MCQ · hard

Your organization uses Microsoft Sentinel. You need to implement a custom incident response process that requires approval before taking action on an incident. What should you use?

A.Automation rules with conditions
B.Watchlist for approval status
C.Playbook with Microsoft Teams connector for approval
D.Analytics rule with custom details
AnswerC

Enables human-in-the-loop approval.

Why this answer

Option C is correct because Microsoft Teams integration with Adaptive Cards allows approval workflows in playbooks. Option A is wrong because automation rules cannot require approval. Option D is wrong because analytics rules do not support approval.

Option B is wrong because watchlists are for reference data, not workflows.

33
Multi-Selecteasy

Your organization uses Microsoft Sentinel. You are investigating an incident and need to gather additional context about a suspicious IP address. Which TWO Microsoft Sentinel features can you use to enrich the investigation?

Select 2 answers
A.Threat intelligence
B.Watchlist
C.Hunting
D.Entity behavior analytics
E.User and Entity Behavior Analytics (UEBA)
AnswersA, D

Threat intelligence can indicate if the IP is known malicious.

Why this answer

Entity behavior analytics provides insights into user and entity activities. Threat intelligence feeds provide context about known malicious IPs. The watchlist feature is for storing data, not enrichment.

The hunting feature is for proactive searches. The UEBA feature is similar to entity behavior analytics but not specifically for IP enrichment.

34
MCQeasy

A security analyst receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request. What is the first step the analyst should take?

A.Disable the user account
B.Reset the user's password
C.Run a full antivirus scan on the user's device
D.Validate the alert by checking the user's recent activity
AnswerD

Confirms the alert.

Why this answer

Option D is correct because validating the alert confirms whether it is a true positive before taking action. Option A is wrong because disabling the user is premature. Option B is wrong because resetting the password may alert the attacker.

Option C is wrong because running a scan may not be relevant.

35
MCQeasy

You are investigating an incident in Microsoft Defender XDR. The incident involves multiple alerts from different workloads. You need to view all related alerts in a single timeline. What should you use?

A.Incident page
B.Advanced hunting
C.Action center
D.Device timeline
AnswerA

Shows all related alerts.

Why this answer

Option A is correct because the incident page in Defender XDR shows all related alerts. Option C is wrong because the action center shows remediation actions. Option B is wrong because the hunting page is for proactive queries.

Option D is wrong because the device timeline is per device.

36
MCQmedium

You are a security analyst investigating a detected phishing campaign targeting users in your organization. The Microsoft Defender for Office 365 alert indicates that several users clicked on a malicious link. Which action should you take first to prevent further compromise?

A.Add the malicious URL to the Microsoft Defender for Endpoint custom threat indicator list.
B.Isolate all affected users' devices from the network.
C.Report the email to Microsoft for analysis.
D.Block the sender email address in the tenant.
AnswerA

This blocks the URL across all devices and is the fastest way to prevent further clicks.

Why this answer

The first priority is to block the malicious URL across all endpoints using Microsoft Defender for Endpoint's IOC capabilities to prevent any other users from clicking the link. Isolating users would be disruptive and may not be necessary for all. Reporting to Microsoft is not immediate.

Blocking the sender may help but does not stop users who already have the email.

37
MCQeasy

Your organization uses Microsoft Defender for Office 365. You detect a phishing email that was delivered to a user's inbox. You want to remove the email from all recipients. What should you do?

A.Submit the email to Microsoft for analysis.
B.Create a mail flow rule to delete similar emails in the future.
C.Block the sender using the Tenant Allow/Block List.
D.Use Threat Explorer to find the email and take action to delete it.
AnswerD

Threat Explorer allows bulk removal of emails.

Why this answer

Option D is correct because Threat Explorer in Defender for Office 365 allows you to take action on emails, such as deleting them. Option B is wrong because creating a mail flow rule is reactive and does not remove the email immediately. Option A is wrong because submitting to Microsoft is for analysis.

Option C is wrong because blocking the sender does not remove already delivered emails.

38
MCQhard

Your organization uses Microsoft Defender for Identity and Microsoft Defender XDR. You receive an alert about a suspicious LDAP query originating from a domain controller. The alert indicates potential use of the DCSync attack technique. What is the most effective immediate action to contain the attack?

A.Block all LDAP traffic at the firewall.
B.Restart the domain controller to clear any malicious processes.
C.Disable the account that initiated the suspicious replication request.
D.Reset the krbtgt account password twice.
AnswerC

Disabling the account stops the attack by removing the ability to replicate.

Why this answer

The DCSync attack uses replication requests to extract credentials. Disabling the compromised account removes its ability to issue replication requests and stops the attack. Option B is incorrect because restarting the domain controller does not stop the attack if the account still has permissions.

Option D is incorrect because resetting the krbtgt password is a long-term remediation. Option A is incorrect because blocking LDAP may disrupt legitimate operations.

39
MCQhard

During a ransomware incident, the security team needs to prevent encryption while preserving forensic data. Which action best achieves this balance?

A.Shut down all affected servers immediately.
B.Run a full antivirus scan on all endpoints.
C.Enable network micro-segmentation to isolate affected systems from file servers and take memory snapshots.
D.Disconnect the network but leave systems running.
AnswerC

Isolation prevents lateral movement and encryption; memory snapshots preserve forensic data.

Why this answer

Option C is correct because it prevents encryption and contains the threat without destroying data. Option A is wrong because it destroys data. Option B is wrong because it allows encryption to continue.

Option D is wrong because it only notifies.

40
MCQhard

Refer to the exhibit. A security analyst creates a scheduled analytics rule in Microsoft Sentinel based on the JSON shown. After enabling the rule, the analyst notices that the rule generates alerts every hour for the same user accounts even after the incidents are resolved. What is the most likely cause?

A.The severity is set to High, causing multiple alerts
B.The query period is too short, causing the rule to refetch old data
C.Suppression is disabled, so the rule fires every hour with overlapping results
D.The trigger threshold is too low, causing the rule to fire too often
AnswerC

Without suppression, the rule re-alerts on the same entities every hour.

Why this answer

Option C is correct because suppression is disabled, so the rule fires every hour regardless of previous alerts. Option B is wrong because the query period is 1 day, which is appropriate. Option A is wrong because severity is High, which does not cause duplicates.

Option D is wrong because the trigger threshold is 10, which controls when an alert fires, not duplicate suppression.

41
MCQmedium

Your organization uses Microsoft Sentinel. A security incident is generated by a scheduled analytics rule. You need to automatically assign the incident to the SOC team and set its severity. What should you create?

A.An analytics rule
B.An automation rule
C.A workbook
D.A playbook
AnswerB

Assigns owner and severity.

Why this answer

Option B is correct because automation rules in Sentinel can perform actions like assigning an owner and changing severity. Option D is wrong because playbooks are for complex tasks, whereas automation rules are simpler. Option C is wrong because workbooks are for visualization.

Option A is wrong because analytics rules generate incidents, not handle them.

42
MCQhard

Your organization uses Microsoft Sentinel and has enabled the Microsoft 365 Defender connector. You want to automatically assign incidents to a specific analyst team based on the incident severity and type. Which component should you configure?

A.Analytics rule in Microsoft Sentinel
B.Workbook in Microsoft Sentinel
C.Automation rule in Microsoft Sentinel
D.Custom playbook in Microsoft Sentinel
AnswerC

Automation rules can set owner and assign incidents.

Why this answer

The correct answer is C because automation rules in Sentinel can set the owner and assign the incident to a team based on conditions. Option D is wrong because playbooks are for complex automation, but assignment can be done with automation rules. Option A is wrong because analytics rules define alert conditions, not incident assignment.

Option B is wrong because workbooks are for reporting.

43
MCQhard

During a security incident, you need to collect forensic evidence from a compromised Linux server running in Azure. The server is not domain-joined and has the Azure Monitor Agent installed. You need to capture volatile data such as running processes and network connections. What is the most efficient method?

A.Use Event Viewer to export logs
B.Use Microsoft Defender for Endpoint live response to run commands
C.Use a custom script via Azure Custom Script Extension to collect data and send to Log Analytics
D.Take a snapshot of the OS disk for later analysis
AnswerC

Custom script can execute commands to capture volatile data and forward it to the workspace for analysis.

Why this answer

Option C is correct because the Azure Monitor Agent can collect syslog and custom logs, but to capture volatile data like processes and connections, you need to run a script or use a tool like PowerShell or bash. Using an Azure Automation Runbook or a Custom Script Extension can execute commands and forward the output to Log Analytics. Option D is wrong because Azure Disk Snapshots capture disk state, not memory or processes.

Option A is wrong because Event Viewer is Windows-only. Option B is wrong because Microsoft Defender for Endpoint may not be installed and its live response may not be available.

44
Multi-Selecthard

Which TWO actions can you perform in Microsoft Defender XDR's automated investigation and response (AIR) to contain a threat? (Select TWO.)

Select 2 answers
A.Isolate a device from the network.
B.Add a firewall rule to block an IP.
C.Disable a user account.
D.Reset a user's password.
E.Soft-delete an email message.
AnswersA, E

Isolation is a standard AIR action.

Why this answer

Option A is correct because AIR can isolate devices. Option E is correct because AIR can soft-delete an email message. Option C is wrong because disabling a user account is not an AIR action; it is manual.

Option D is wrong because resetting a password is not part of AIR. Option B is wrong because adding a firewall rule is not an AIR capability.

45
MCQmedium

A security analyst is investigating a Microsoft Defender for Cloud Apps alert about a suspicious OAuth app that has high permissions. The analyst needs to disable the app immediately. What is the correct action?

A.Revoke all tokens for the app in Microsoft Entra ID.
B.Generate a new client secret for the app.
C.From the Microsoft Defender for Cloud Apps alert, select 'Disable app'.
D.Go to Microsoft Entra ID admin center and delete the app registration.
AnswerC

Defender for Cloud Apps provides a direct action to disable OAuth apps.

Why this answer

Option C is correct because Microsoft Defender for Cloud Apps allows disabling OAuth apps from the app governance page. Option D is wrong because the Microsoft Entra ID admin center can also manage OAuth apps, but the question specifies acting from the Defender for Cloud Apps alert. Option A is wrong because revoking user tokens does not disable the app.

Option B is wrong because generating a new secret does not revoke existing tokens.

46
MCQmedium

An analyst is investigating a potential data exfiltration incident involving a user who accessed sensitive files from a personal device. The analyst wants to gather evidence about the device's compliance status and recent activity. Which Microsoft Intune feature should the analyst use?

A.Exchange Online message trace
B.Microsoft Intune device inventory and compliance reports
C.Azure Activity Log
D.Microsoft 365 Defender's service health dashboard
AnswerB

Provides device compliance status and recent activities.

Why this answer

Option B is correct because Microsoft Intune's device compliance and inventory reports provide the needed information. Option C is wrong because the Azure Activity Log audits Azure resource changes. Option D is wrong because the service health dashboard is for service health.

Option A is wrong because message trace is for email flow.

47
MCQeasy

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Sentinel during an investigation. The analyst expects to see alerts related to malware from IP 10.0.0.5 but receives no results. The SecurityAlert table contains data from the last 24 hours. What is the most likely reason for no results?

A.The ExtendedProperties column does not contain a key named 'IPAddress' for these alerts.
B.The 'contains' operator is case-sensitive.
C.The time filter 'ago(1d)' is too restrictive; should use 'ago(7d)'.
D.The 'project' statement drops the necessary columns.
AnswerA

The property might be named differently (e.g., 'IpAddress').

Why this answer

Option A is correct because the ExtendedProperties column may not contain the exact property name 'IPAddress' as a key; the analyst may need to check the actual schema. Option C is wrong because the query's 1-day time range matches the data available. Option B is wrong because the contains operator is case-insensitive unless specified.

Option D is wrong because the query projects the parsed IPAddress correctly.

48
Multi-Selectmedium

Which TWO actions are appropriate when handling a confirmed ransomware incident in Microsoft 365?

Select 2 answers
A.Run a full antivirus scan on all devices.
B.Restore encrypted files from backup immediately without investigation.
C.Pay the ransom to regain access.
D.Isolate affected devices from the network.
E.Change passwords for all potentially compromised accounts.
AnswersD, E

Isolation contains the spread of ransomware.

Why this answer

Correct: Isolate affected devices to prevent spread, and change passwords for compromised accounts. Wrong: Paying ransom is not recommended; restoring from backup is good but not immediate; scanning with antivirus is reactive and may not remove all traces.

49
Multi-Selectmedium

Which TWO actions should you take when responding to a confirmed ransomware incident in Microsoft Defender XDR?

Select 2 answers
A.Run a full antivirus scan
B.Reset the user's password
C.Restore files from backup
D.Disable the user account
E.Isolate the affected devices
AnswersA, E

Helps identify and remove malware.

Why this answer

Options A and E are correct. Isolating affected devices prevents spread, and running a full antivirus scan helps remove malware. Option B is wrong because resetting passwords is not immediate containment.

Option D is wrong because disabling the account might not be necessary and could hinder investigation. Option C is wrong because restoring files from backup is a recovery step after containment.

50
Multi-Selectmedium

Your Microsoft Sentinel workspace ingests logs from Microsoft Defender for Cloud and Microsoft 365 Defender. You need to create an incident response playbook that automatically responds to high-severity incidents. Which THREE components are required? (Choose three.)

Select 3 answers
A.A workbook to visualize the incident data
B.An analytics rule that generates the incident
C.An automation rule in Microsoft Sentinel
D.A hunting query to search for similar activity
E.A Logic Apps workflow with Microsoft Sentinel trigger
AnswersB, C, E

Analytics rules detect threats and create incidents.

Why this answer

Options B, C, and E are correct. An automation rule triggers the playbook. A Logic Apps workflow defines the playbook actions.

A Microsoft Sentinel analytics rule generates the incident. Option A is wrong because a workbook is for visualization, not automation. Option D is wrong because a hunting query is for proactive search, not automated response.

51
MCQmedium

A security analyst receives a high-severity alert for a suspicious login from an unusual location. The alert was generated by Microsoft Sentinel from Microsoft Entra ID sign-in logs. The analyst needs to determine if the login was successful and if any data exfiltration occurred. What is the MOST efficient first step?

A.Run a KQL query in Microsoft Sentinel to review the SigninLogs table for the user within the alert time range.
B.Use Microsoft Defender XDR to check the user's device timeline for suspicious activity.
C.Run a KQL query in Microsoft Sentinel to check Microsoft Defender for Cloud Apps alerts for the user.
D.Check the firewall logs in Azure Firewall for outbound connections from the user's IP.
AnswerA

SigninLogs directly shows login success/failure and details.

Why this answer

Option A is correct because examining Microsoft Entra ID sign-in logs in Sentinel provides immediate details about login success or failure. Option C is wrong because Defender for Cloud Apps alerts may not include sign-in details. Option D is wrong because reviewing firewall logs is too broad and inefficient.

Option B is wrong because checking the device timeline in Microsoft Defender XDR does not directly show sign-in details.

52
MCQhard

During a security incident, you need to isolate a compromised Windows device from the network while allowing communication with Microsoft Defender for Endpoint services. Which Microsoft Defender for Endpoint action should you use?

A.Run antivirus scan
B.Isolate device
C.Collect investigation package
D.Restrict app execution
AnswerB

Isolates while allowing Defender services.

Why this answer

Option B is correct because 'Isolate device' allows communication with Defender for Endpoint services while blocking other network traffic. Option A is wrong because 'Run antivirus scan' only scans and does not isolate. Option D is wrong because 'Restrict app execution' limits applications but does not isolate the network.

Option C is wrong because 'Collect investigation package' gathers data but does not isolate.

53
MCQhard

Your organization is using Microsoft Defender XDR. During an incident, you need to create a custom detection rule that triggers when a specific file hash is executed on any device. Which component should you use?

A.Attack Surface Reduction (ASR) rules
B.Custom detection rules
C.Automation rules in Microsoft Sentinel
D.Indicators of compromise (IoC)
AnswerB

Custom detection rules use KQL to detect specific behaviors like file execution.

Why this answer

Option B is correct because custom detection rules in Defender XDR allow you to create detection logic based on advanced hunting queries. Option D is wrong because indicators of compromise (IoC) block or alert but are not detection rules. Option C is wrong because automation rules in Sentinel are for incident response, not detection.

Option A is wrong because ASR rules are built-in and cannot be customized for specific file hashes.

54
MCQmedium

Your Microsoft Defender XDR environment generates an incident indicating that a user's account was used to sign in from an anonymous IP address and then accessed sensitive data in SharePoint Online. After confirming the account is compromised, what should be your first containment step?

A.Disable the user account in Microsoft Entra ID
B.Block the anonymous IP address in the firewall
C.Review audit logs to determine the extent of data access
D.Revoke the user's session and require reauthentication using Microsoft Entra ID Protection
AnswerD

Revoking session terminates current access, and reauthentication ensures only the legitimate user can continue.

Why this answer

Option D is correct because revoking the user's session and requiring reauthentication immediately stops the ongoing access. Option A is wrong because disabling the account prevents further logins but does not terminate existing sessions. Option B is wrong because blocking the IP may affect other users.

Option C is wrong because reviewing audit logs is investigation, not containment.

55
Multi-Selectmedium

Your organization uses Microsoft Sentinel. You have been asked to configure automated responses to security incidents. Which TWO of the following can be used to automate responses in Microsoft Sentinel?

Select 2 answers
A.Workbooks
B.Power Automate flows
C.Playbooks (Azure Logic Apps)
D.Custom connectors
E.Automation rules
AnswersC, E

Playbooks automate response workflows.

Why this answer

Playbooks based on Azure Logic Apps and automation rules are both built-in features for automation in Microsoft Sentinel. Workbooks are for visualization, not automation. Power Automate is not directly integrated, and custom connectors are not a primary automation method.

56
MCQmedium

You have a Microsoft Sentinel analytical rule with the above configuration. During a security incident, multiple high-severity alerts are generated within a 5-minute window. How does the rule handle these alerts?

A.Only the first alert creates an incident; subsequent alerts are ignored.
B.Each alert creates a separate incident.
C.Alerts with the same entities are grouped into a single incident.
D.Alerts are suppressed for 5 minutes after the first alert.
AnswerC

Grouping with 'All' entities matching method groups alerts sharing all entities.

Why this answer

Option C is correct because grouping is enabled with a 5-minute lookback and 'All' entities matching method, meaning alerts with identical entities are grouped into one incident. Option A is wrong because grouping is enabled, not disabled. Option B is wrong because alerts are grouped, not created separately.

Option D is wrong because alerts are not suppressed; suppression is disabled.

57
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to reduce similar false positives in the future without affecting legitimate detections. What should you do?

A.Disable the analytics rule that created the incident.
B.Add the location to a watchlist and reference it in the analytics rule.
C.Create an automation rule to close similar incidents automatically.
D.Modify the analytics rule query to exclude sign-ins from the specific location.
AnswerD

Adding an exclusion to the KQL query reduces false positives while keeping the rule active.

Why this answer

Modifying the analytics rule's KQL query allows you to add specific conditions to filter out false positives while maintaining detection capabilities. Option A is incorrect because turning off the analytics rule disables all of its detections. Option C is incorrect because automation rules act after detection.

Option B is incorrect because watchlists are for reference data, not direct filtering.

58
MCQeasy

A SOC analyst is investigating an incident where a user's credentials were compromised. The analyst uses Microsoft Sentinel to find all activities performed by the user in the last 24 hours. Which data source should the analyst query FIRST to get the most comprehensive view of the user's actions across Microsoft 365?

A.DeviceEvents
B.OfficeActivity
C.AzureActivity
D.SigninLogs
AnswerB

OfficeActivity provides a comprehensive audit log of user actions in Microsoft 365.

Why this answer

Option B is correct because OfficeActivity (Unified Audit Log) captures user actions across Exchange Online, SharePoint, Teams, etc. Option D is wrong because SigninLogs only shows sign-ins, not activities. Option C is wrong because AzureActivity shows Azure resource actions, not Microsoft 365.

Option A is wrong because DeviceEvents are for endpoints, not Microsoft 365.

59
MCQmedium

Your organization uses Microsoft Sentinel. You receive an incident that involves a potential lateral movement detected by Microsoft Defender for Identity. You need to investigate the timeline of the attack. Which Microsoft Sentinel feature should you use?

A.Workbooks
B.Automation rules
C.Investigation graph
D.Analytics rules
AnswerC

Visual timeline for investigation.

Why this answer

Option C is correct because the investigation graph in Sentinel provides a visual timeline of related alerts and entities. Option A is wrong because workbooks are for reporting, not investigation. Option D is wrong because analytics rules generate alerts; they do not investigate them.

Option B is wrong because automation rules trigger playbooks, not investigation.

60
MCQeasy

An incident response playbook in Microsoft Sentinel has a step: 'Investigate the user's recent activities using Microsoft 365 Defender.' Which data source would provide the most relevant information for this step?

A.Azure Activity Log
B.Microsoft Purview Data Loss Prevention reports
C.Microsoft 365 Defender's user investigation page
D.Azure Resource Graph
AnswerC

Provides unified view of user's alerts, incidents, and activities across M365.

Why this answer

Option C is correct because Microsoft 365 Defender provides user investigation details across email, endpoints, and apps. Option A is wrong because the Azure Activity Log is for configuration changes. Option D is wrong because Azure Resource Graph is for Azure resources.

Option B is wrong because DLP reports are for data loss prevention, not investigation.

61
Multi-Selectmedium

A SOC analyst in your organization is investigating an incident in Microsoft Defender XDR that involves a compromised user account. The analyst needs to gather more information about the user's recent activities. Which THREE actions can the analyst take directly from the incident page?

Select 3 answers
A.Run an advanced hunting query related to the user.
B.Trigger a playbook to investigate the user.
C.View the user's timeline of activities.
D.Delete the user account.
E.Reset the user's password directly from the incident.
AnswersA, B, C

Advanced hunting can be launched from the incident.

Why this answer

From the incident page, the analyst can view the user's timeline, run advanced hunting queries, and trigger a playbook. Option C is correct because the user timeline is accessible. Option A is correct because advanced hunting can be initiated from the incident.

Option B is correct because the analyst can trigger a playbook from the incident. Option E is wrong because resetting a password typically requires going to the Microsoft Entra ID admin center. Option D is wrong because deleting the user account is not a standard action from the incident page.

62
MCQmedium

Your organization uses Microsoft Sentinel. An incident with severity Medium is created from an analytics rule that detects brute-force attempts against on-premises domain controllers. The incident contains alerts from multiple machines. You need to automatically run a playbook that collects evidence from affected machines and then changes the incident severity to High. What should you configure?

A.Create an automation rule that triggers on incident creation with severity Medium, runs the playbook, and then changes severity to High.
B.Configure the incident creation settings to enrich the incident with the playbook output.
C.Modify the analytics rule to include the playbook as an automated response.
D.Edit the playbook to include a step that changes incident severity after collecting evidence.
AnswerA

Automation rules can run playbooks and modify incident properties.

Why this answer

Automation rules in Microsoft Sentinel allow you to trigger playbooks automatically based on conditions. The automation rule can be set to trigger when an incident is created, check the severity condition, run a playbook, and then change the severity. Option A is correct because it enables a single automation rule to orchestrate both the playbook execution and severity change.

Option C is wrong because analytics rules only trigger alert creation, not incident-level actions. Option D is wrong because playbooks cannot change severity directly without an automation rule. Option B is wrong because incident enrichment is for adding context, not running playbooks or changing severity.

63
MCQeasy

You are investigating a suspicious sign-in to a privileged account. You need to determine if the sign-in was from a known malicious IP address. Which Microsoft Sentinel data source should you query?

A.ThreatIntelligenceIndicator
B.SecurityEvent
C.SigninLogs
D.AuditLogs
AnswerA

This table contains threat intelligence data such as malicious IPs.

Why this answer

Option A is correct because the ThreatIntelligenceIndicator table in Sentinel contains known malicious IPs. Option C is wrong because SigninLogs shows sign-in events but not threat intelligence. Option D is wrong because AuditLogs are for directory changes.

Option B is wrong because SecurityEvent is for Windows event logs.

64
MCQhard

During a ransomware incident, the security team needs to prevent the encryption of files while allowing the investigation to continue. Which feature in Microsoft Defender for Endpoint should be used to achieve this?

A.Controlled folder access.
B.Device isolation.
C.Attack surface reduction (ASR) rules.
D.Custom detection rules.
AnswerA

CFA is designed to protect files from unauthorized changes by ransomware and other malicious apps.

Why this answer

Controlled folder access (CFA) blocks unauthorized applications from modifying files in protected folders, which is exactly what ransomware does. ASR rules are broader and may not target file encryption specifically. Device isolation disconnects the device from the network but stops the investigation.

Custom detection rules are reactive.

65
MCQeasy

Refer to the exhibit. You are reviewing an alert in Microsoft Defender for Endpoint. The alert details are shown. Which of the following actions should you take first?

A.Investigate the device and the alert details
B.Mark the alert as a false positive
C.Initiate device isolation to contain the threat
D.Run a full antivirus scan on the device
AnswerA

Investigation is the first step.

Why this answer

The correct answer is A because the first step is to investigate the alert to understand the scope. Option C is wrong because initiating isolation without investigation may be premature. Option D is wrong because running a scan is a later step.

Option B is wrong because marking the alert as a false positive requires investigation first.

66
MCQeasy

A SOC analyst is reviewing an incident in Microsoft Sentinel that involves a user receiving a phishing email with a malicious attachment. The attachment was opened on a device managed by Microsoft Intune. Which Microsoft Defender XDR component would have provided the earliest detection of the malicious file?

A.Microsoft Defender for Cloud Apps
B.Microsoft Defender for Office 365
C.Microsoft Defender for Endpoint
D.Microsoft Purview Data Loss Prevention
AnswerC

Defender for Endpoint detects malware on the device via real-time protection.

Why this answer

The correct answer is C. Microsoft Defender for Endpoint (now part of Microsoft Defender XDR) provides real-time antimalware protection and would detect the file when opened. The other options are either not involved in file detection or are cloud-specific.

67
MCQ · medium

A security operations center (SOC) analyst is investigating an incident involving a user who received a phishing email with a malicious macro. The analyst needs to determine if any other users received the same email. Which Microsoft 365 Defender feature should the analyst use?

A. Advanced Hunting
B. Alert queue filtering
C. Threat Explorer (Investigation)
D. Email entity page
Answer: C

Threat Explorer provides a search interface to find all instances of a specific email across the organization.

Why this answer

Threat Explorer in Microsoft 365 Defender allows hunting for email messages by sender, subject, or other attributes. Advanced Hunting is for raw KQL queries; the Email entity page shows a single email; the Alert queue filters by alert, not by email.

68
Multi-Select · hard

Which THREE are valid response actions when using Microsoft Sentinel automation rules?

Select 3 answers
A. Assign the incident to a specific analyst
B. Tag the incident with custom labels
C. Run a playbook
D. Change the incident status to 'Active' or 'Closed'
E. Disable a compromised user account
Answers: A, C, D

Automation rules can set the owner of an incident.

Why this answer

The correct answers are A, C, and D. Automation rules can assign incidents, run playbooks, and change incident status. Disabling a user account is not a direct action; it must be done via a playbook.

Tagging incidents is not a built-in action; it can be done via playbook or manual editing.

69
MCQ · hard

A SOC analyst is using Microsoft Sentinel to investigate an incident involving a user who accessed a sensitive database from an unusual location. The analyst wants to find all activities performed by this user within the last 24 hours from multiple data sources. Which KQL operator should the analyst use to combine the results of two queries that return different schemas?

A. summarize
B. join
C. union
D. where
Answer: C

union combines multiple tables with different schemas by appending rows and adding nulls for missing columns.

Why this answer

The correct answer is C. The union operator combines tables or query results with different schemas by appending their rows; columns present in only one input are filled with null for the other. join requires a common column to match on.

The other operators are not appropriate.

70
MCQ · easy

Your organization uses Microsoft Sentinel. You have configured a data connector to ingest events from a third-party firewall. However, you notice that the logs are not appearing in Sentinel. What is the first thing you should check?

A. Check the firewall's syslog server configuration.
B. Verify that the workspace is in the correct region.
C. Reinstall the Log Analytics agent on the firewall.
D. Check the connector health page in Microsoft Sentinel.
Answer: D

The connector health page shows if the connector is connected and any errors.

Why this answer

The connector health page provides status and error messages for data connectors, making it the first place to troubleshoot. Options A, B, and C are less direct or irrelevant to connector issues.

71
MCQ · medium

During an incident, an analyst finds that a user's account was compromised and used to send spam. The analyst needs to revoke all active sessions for that user. What should the analyst do?

A. Reset the user's password.
B. Revoke the user's sessions in Microsoft Entra ID.
C. Create a Conditional Access policy to block the user.
D. Disable the user account in Microsoft Entra ID.
Answer: B

Revoke sessions invalidates all tokens.

Why this answer

Option B is correct because revoking sessions in Microsoft Entra ID invalidates all tokens. Option A is wrong because resetting the password does not revoke existing sessions. Option D is wrong because disabling the user stops new sign-ins but may not revoke current sessions.

Option C is wrong because Conditional Access policies do not revoke sessions.

72
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. A security investigator discovers that a user's session token was stolen and used to access sensitive data in SharePoint Online from an anomalous IP address. You need to immediately revoke the attacker's access while minimizing impact on the legitimate user. What should you do?

A. Suspend the user account in Microsoft Entra ID until the investigation is complete.
B. From Microsoft Defender for Cloud Apps, use the 'Require re-authentication' action on the anomalous session.
C. Revoke all refresh tokens for the user in Microsoft Entra ID.
D. Reset the user's password immediately.
Answer: B

This action revokes the compromised session and forces re-auth, minimizing impact.

Why this answer

Option B is correct because using session control to require re-authentication immediately revokes the compromised session without affecting the user's future sessions. Option A is wrong because suspending the user blocks all access, impacting productivity. Option C is wrong because revoking all sessions also affects the legitimate user's other sessions.

Option D is wrong because resetting the password does not invalidate the stolen token.

73
Multi-Select · medium

Which THREE resources can be used as data sources for Microsoft Sentinel to detect security incidents? (Choose three.)

Select 3 answers
A. Microsoft 365 Defender
B. Microsoft Defender for Cloud
C. Azure Activity Log
D. Azure Cost Management
E. Azure Advisor
Answers: A, B, C

Microsoft 365 Defender provides integrated threat signals from endpoints, email, etc.

Why this answer

Options A, B, and C are correct: Azure Activity Log provides subscription-level events; Microsoft Defender for Cloud provides security alerts; Microsoft 365 Defender provides integrated signals. Option E is wrong because Azure Advisor provides recommendations, not security events. Option D is wrong because Azure Cost Management is cost-related.

74
MCQ · hard

During an incident response, you need to collect forensic evidence from a compromised Azure virtual machine that is currently offline. What is the most efficient method to acquire a disk snapshot for analysis while preserving the integrity of the evidence?

A. Attach a new data disk and copy the contents manually
B. Create a snapshot of the OS disk from the Azure portal
C. Start the VM and use Azure Backup to take a backup
D. Export the disk to a storage account using AzCopy
Answer: B

A snapshot creates a read-only point-in-time copy without powering on the VM.

Why this answer

Option B is correct because creating a snapshot from the Azure portal creates a point-in-time copy without affecting the original disk. Option C is wrong because starting the VM changes its state. Option A is wrong because attaching a new disk is for adding storage, not forensic acquisition.

Option D is wrong because exporting the disk to a storage account is a valid method, but a snapshot is faster and more efficient for preservation.

75
Multi-Select · easy

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that was not blocked by the service. You need to improve detection of similar phishing emails. Which TWO actions should you take? (Choose two.)

Select 2 answers
A. Create an Attack Simulation Training campaign.
B. Enable Safe Links for all users to block malicious URLs.
C. Submit the email to Microsoft for analysis using the Submissions page in Microsoft 365 Defender.
D. Create a mailbox rule to move similar emails to the Junk folder.
E. Configure an anti-phishing policy to protect against user impersonation.
Answers: C, E

Submissions help improve the filtering algorithms.

Why this answer

Options C and E are correct. Submitting the email for analysis helps improve detection. Configuring anti-phishing policies for user impersonation protection can block similar emails.

Option B is wrong because Safe Links is for URLs, not for detecting phishing emails based on content. Option D is wrong because creating a mailbox rule is a client-side action, not a service-wide improvement. Option A is wrong because Attack Simulation Training educates users but does not improve detection.
