CCNA Respond Security Incidents Questions

75 of 489 questions · Page 4/7 · Respond Security Incidents topic · Answers revealed

226
MCQ · medium

Refer to the exhibit. You are configuring an analytics rule in Microsoft Sentinel. What is the effect of this configuration?

A. All alerts that share any entity are grouped into one incident
B. Each alert creates a separate incident
C. Alerts that share all the same entities are grouped into one incident within 5 hours
D. Alerts are grouped by alert type
Answer: C

Correctly describes 'AllEntities' matching.

Why this answer

Option C is correct because grouping with matchingMethod 'AllEntities' groups alerts that share all entities (such as IP, host and user) into a single incident within a 5-hour lookback. Option A is wrong because the configuration does not group on any single shared entity. Option B is wrong because it does not create an incident for each alert. Option D is wrong because it does not create an incident per alert type.

227
MCQ · medium

Refer to the exhibit. You run this KQL query in Microsoft Defender XDR to detect suspicious PowerShell activity. Why might this query generate many false positives?

A. The time range is too broad.
B. The query is too specific and misses many attacks.
C. Legitimate administrators often use encoded PowerShell commands.
D. The query does not filter by user.
Answer: C

Encoded commands are used by both attackers and admins, leading to false positives.

Why this answer

Option C is correct because legitimate administrative scripts often use encoded commands. Option A is wrong because the time range is narrow. Option B is wrong because the query is specific enough; the concern is false positives, not missed attacks. Option D is wrong because the missing user filter is not the main source of false positives.

228
MCQ · hard

Your organization has deployed Microsoft Sentinel with the Microsoft Defender XDR connector. A high-severity incident is created for a user who received a phishing email that contained a malicious link. The user clicked the link, and the attacker gained access to the user's mailbox. The security team needs to remove the attacker's access and prevent future occurrences. What should you do first?

A. Run a full antivirus scan on the user's device
B. Reset the user's password immediately
C. Report the incident to Microsoft for further investigation
D. Remove any mailbox forwarding rules and delegated access
Answer: D

Removing forwarding rules and delegated access cuts off the attacker's access.

Why this answer

Option D is correct because the immediate priority is to revoke the attacker's access to the mailbox by removing the delegated access or forwarding rule. Option B is wrong: while a password reset is important, it may not remove the attacker's existing session. Option A is wrong because running antivirus is not applicable to a mailbox compromise. Option C is wrong because reporting the incident is secondary.

229
MCQ · hard

Refer to the exhibit. You have created an automation rule in Microsoft Sentinel with the above configuration. The playbook isolates the device and disables the user account. After enabling the rule, you notice that a low-severity incident containing an alert titled 'Ransomware Behavior' did NOT trigger the automation. What is the most likely reason?

A. The 'ContainsAny' operator does not match single values
B. The automation rule does not have permission to run the playbook
C. The playbook ID is invalid
D. The incident severity is Low, but the rule only triggers on High severity
Answer: D

The condition requires severity equals High, so low-severity incidents are not processed.

Why this answer

Option D is correct because the trigger condition requires incident severity 'Equals High', so low-severity incidents are excluded. Option A is wrong because the condition uses 'ContainsAny' for the alert title, which works for a single value. Option B is wrong because automation rules do not require explicit permissions beyond the playbook's permissions. Option C is wrong because the playbook ID is referenced correctly.

230
MCQ · hard

Your organization uses Microsoft Sentinel and Microsoft Defender for Cloud. You receive an alert from Defender for Cloud indicating that a virtual machine has a high severity vulnerability (CVE-2023-XXXX). You need to create an incident in Microsoft Sentinel and trigger a playbook to remediate the vulnerability. However, the incident is not being created automatically. What is the most likely cause?

A. The Microsoft Defender for Cloud connector in Microsoft Sentinel is not enabled or misconfigured
B. An analytics rule with a matching severity threshold has not been created
C. The free trial of Microsoft Sentinel has expired
D. The playbook does not have the correct permissions on the target VM
Answer: A

The connector must be enabled for alert ingestion.

Why this answer

Option A is correct because the connector must be enabled and configured properly for alerts to flow from Defender for Cloud to Sentinel. Option B is wrong because analytics rules are not required for default incident creation. Option C is wrong because the free tier is functional but may have limitations. Option D is wrong because incorrect playbook permissions would affect playbook execution, not incident creation.

231
MCQ · easy

During an incident, an analyst wants to use Microsoft Defender XDR's automatic attack disruption to contain an ongoing attack. What prerequisite must be met?

A. Devices must be onboarded to Microsoft Defender for Endpoint.
B. Microsoft Purview compliance portal must be configured.
C. Users must have Azure AD Premium P2 licenses.
D. Microsoft Sentinel must be enabled and connected to Defender XDR.
Answer: A

Automatic attack disruption works on Defender for Endpoint devices.

Why this answer

Option A is correct because automatic attack disruption requires the device to be onboarded to Microsoft Defender for Endpoint. Option B is wrong because the Purview compliance portal is not required. Option C is wrong because Azure AD Premium P2 licenses are not required. Option D is wrong because Sentinel is not required.

232
MCQ · easy

Your security operations center (SOC) uses Microsoft Sentinel. An incident is created from a fusion alert. What does Fusion technology do?

A. Uses machine learning to detect suspicious user behavior
B. Runs queries at scheduled intervals to detect threats
C. Detects unusual patterns in Azure activity logs
D. Correlates alerts from different products to detect multi-stage attacks
Answer: D

Fusion uses machine learning to correlate alerts across products.

Why this answer

Option D is correct because Fusion correlates multiple alerts and signals to identify multi-stage attacks. Option A is wrong because that describes Machine Learning (ML) analytics. Option B is wrong because that describes Scheduled rules. Option C is wrong because that describes Anomaly detection.

233
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You receive an incident: 'Malicious PowerShell command executed on endpoint.' The incident shows that a PowerShell command was executed on a server that attempted to download a payload from a known malicious IP. The process was terminated by MDE, but the server may still be compromised. You need to respond to the incident. Which of the following actions should you take FIRST?

A. Run a Microsoft Sentinel playbook to collect forensic data.
B. Isolate the server using Microsoft Defender for Endpoint.
C. Reset the local administrator password on the server.
D. Block the malicious IP address at the firewall.
Answer: B

Immediately contains the server to prevent further damage.

Why this answer

Option B is correct: isolating the server in MDE ensures that if any malware is present, it cannot communicate or spread. Option A is wrong: running a playbook for evidence collection can wait until after containment. Option C is wrong: resetting passwords is not necessary if there is no evidence of credential compromise. Option D is wrong: blocking the IP does not contain the server.

234
MCQ · easy

After containing a security incident, what is the most important next step in the incident response process?

A. Monitor for signs of recurrence.
B. Recover systems to normal operation.
C. Eradicate the threat from all systems.
D. Conduct a post-incident review.
Answer: D

Post-incident review identifies improvements.

Why this answer

Option D is correct because the 'Lessons Learned' phase helps improve future response. Option A is wrong because monitoring is ongoing but not the immediate next step. Option B is wrong because recovery is after eradication. Option C is wrong because eradication should have been done before containment.

235
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You receive an alert about a suspicious sign-in from an IP address associated with a known malicious actor. The sign-in was for a privileged account. You need to immediately contain the incident. What should you do first?

A. Reset the user's password.
B. Disable the user account in Microsoft Entra ID.
C. Create a custom analytics rule in Sentinel to detect similar sign-ins.
D. Block the IP address in the firewall.
Answer: B

Disabling the account immediately prevents further sign-ins.

Why this answer

Option B is correct because disabling the user account immediately stops the attacker from using the compromised credentials. Option A is wrong because resetting the password might not be fast enough if the attacker has an active session. Option C is wrong because creating an analytics rule does not contain the incident immediately. Option D is wrong because blocking the IP in the firewall is reactive and may not be effective if the attacker uses a different IP.

236
MCQ · medium

You are investigating repeated SQL injection alerts. The KQL query returns IP addresses with more than 5 alerts in the last 7 days. What is the purpose of the `summarize` and `where AlertCount > 5` lines?

A. To identify IPs with a high number of alerts, indicating a possible attack.
B. To correlate alerts with other data sources.
C. To remove duplicate alerts from the same IP.
D. To count the number of distinct IP addresses.
Answer: A

High alert counts may indicate ongoing malicious activity.

Why this answer

Option A is correct because the query groups alerts by IP and filters for those with high frequency, indicating a potential attack. Option B is wrong because the query does not correlate with other tables. Option C is wrong because the query does not remove duplicates. Option D is wrong because it does not count distinct IPs.

237
MCQ · easy

Your organization uses Microsoft Sentinel. An incident has been identified as a false positive. What is the recommended action to prevent similar false positives in the future?

A. Delete the analytics rule
B. Close the incident and set the classification to 'False positive'
C. Modify the analytics rule to reduce false positives
D. Mark the incident as 'False positive' and add a comment
Answer: C

Tuning the rule reduces future false positives.

Why this answer

Option C is correct because tuning the analytics rule reduces false positives. Option A is wrong because deleting the rule is too aggressive. Option B is wrong because closing the incident without tuning does not prevent recurrence. Option D is wrong because marking the incident as a false positive is good for tracking but doesn't prevent future ones.

238
MCQ · hard

A security analyst in your company uses Microsoft Defender XDR to investigate an incident involving a user who received a malicious email. The analyst needs to block the sender's email address across all tenants in the organization. What is the most efficient way to achieve this?

A. In the Microsoft 365 Defender portal, use the action center to block the sender's email address across all tenants.
B. From the Microsoft 365 Defender portal, go to Email & collaboration > Exchange admin center and block the sender.
C. In Microsoft Purview, create a data loss prevention policy to block the sender.
D. In Microsoft Entra ID admin center, create a conditional access policy to block the sender.
Answer: A

The action center in Microsoft 365 Defender can perform global actions like blocking senders.

Why this answer

Microsoft Defender XDR allows you to take action on entities such as email senders. Using the action center, you can block the sender's email address globally, which applies to all tenants, so Option A is correct. Option B is wrong because the Exchange admin center works per tenant and is not as efficient for cross-tenant blocking. Option C is wrong because Microsoft Purview is for compliance, not email threat protection. Option D is wrong because the Microsoft Entra ID admin center manages identities, not email blocking.

239
MCQ · hard

You are reviewing a scheduled analytics rule in Microsoft Sentinel. What does the suppressionDuration setting affect?

A. It groups alerts into a single incident within that time window.
B. It delays the execution of the query by that amount of time.
C. It determines how often the query runs.
D. It stops the rule from creating new alerts for that duration after an alert is generated.
Answer: D

Suppression duration prevents duplicate alerts within the specified time.

Why this answer

Option D is correct. Suppression duration determines how long to wait before creating another alert from the same rule after an alert is generated, suppressing duplicates. Option A is wrong because it does not affect incident grouping. Option B is wrong because it does not delay query execution. Option C is wrong because it does not control the query schedule; the rule keeps running.

240
MCQ · easy

You are reviewing this analytics rule in Microsoft Sentinel. What is the problem with this rule?

A. The query is missing a time range filter
B. The aggregate function should be 'summarize' with 'dcount'
C. The trigger threshold should be set to 5
D. The query syntax is invalid
Answer: A

Without a time filter, it queries all sign-in logs.

Why this answer

Option A is correct because the query does not include a time filter, which would cause it to run on all historical data. Option B is wrong because the aggregate is fine. Option C is wrong because the threshold is fine for matching. Option D is wrong because the syntax is valid.

241
MCQ · medium

Your organization uses Microsoft Defender XDR. The incident queue shows multiple alerts related to a single endpoint: malware detected, suspicious PowerShell execution, and data exfiltration attempts. The analyst needs to investigate the incident. Which tool should the analyst use to correlate these events?

A. Microsoft Defender for Office 365 Explorer.
B. Microsoft Defender for Cloud Apps activity log.
C. Advanced hunting in Microsoft Defender XDR.
D. Microsoft Sentinel incident workspace.
Answer: C

Advanced hunting can query across all domains.

Why this answer

Option C is correct because advanced hunting in Microsoft Defender XDR allows cross-domain queries (endpoint, identity, email). Option A is for email; Option B is for cloud apps; Option D is a different platform.

242
Multi-Select · hard

Which THREE actions should be taken when a phishing attack is detected in Microsoft Defender XDR?

Select 3 answers
A. Run a full antivirus scan on the user's device
B. Report the email as phishing in Microsoft Defender for Office 365
C. Reset the user's password
D. Block the sender's email address or domain
E. Delete the phishing email from the user's mailbox
Answers: B, D, E

Helps improve detection.

Why this answer

Options B, D, and E are correct. Reporting the email trains the system, blocking the sender prevents further emails, and deleting the email from the user's mailbox removes access. Option A is wrong because running a scan on the user's device may be done later, but it is not a priority. Option C is wrong because resetting the password is not immediate.

243
MCQ · medium

The exhibit shows a partial playbook trigger configuration in Microsoft Sentinel. When will this playbook be triggered?

A. When an incident is updated with severity High.
B. When an alert is generated with severity High.
C. When an incident of severity High is created.
D. When any incident is created.
Answer: C

The trigger condition explicitly checks that the incident severity is High.

Why this answer

The trigger is configured to fire when an incident is created with severity equal to High. It does not trigger on alerts, nor on any incident, nor on severity Medium or Low.

244
MCQ · medium

Your organization uses Microsoft Defender for Identity. You receive an alert about a suspicious Kerberos authentication attempt. What is the best first step to contain the potential threat?

A. Review the Active Directory logs for related events.
B. Disable the account that was used for the authentication.
C. Reset the krbtgt account password twice.
D. Investigate the source IP address of the authentication attempt.
Answer: B

Disabling the account immediately prevents further access.

Why this answer

Option B is correct because disabling the compromised account immediately stops further authentication. Option A is wrong because reviewing logs does not contain the threat. Option C is wrong because resetting the krbtgt account is a drastic step and not the first action. Option D is wrong because investigating the source IP does not contain the threat.

245
MCQ · medium

A security analyst receives an alert in Microsoft Defender XDR indicating a possible credential theft attempt from an external IP. The analyst wants to isolate the affected device immediately while preserving forensic data. What should the analyst do?

A. Use Microsoft Defender for Endpoint to 'contain device' from the device inventory.
B. Disable the user account in Microsoft Entra ID.
C. Initiate a live response session on the device and run the 'isolate device' command.
D. Reset the user's password and enforce sign-out.
Answer: C

Live response allows forensic collection and isolation, preserving evidence while containing the threat.

Why this answer

Option C is correct because initiating a live response session with 'isolate device' allows forensic data to be collected before isolation. Option A is wrong because 'contain device' in Microsoft Defender for Endpoint is for network containment, not full isolation. Option B is wrong because disabling the user account does not prevent lateral movement from the device. Option D is wrong because resetting the password does not isolate the device.

246
MCQ · hard

Refer to the exhibit. This JSON snippet is from an Azure Web Application Firewall (WAF) policy. What does this rule do?

A. Blocks traffic from the entire 10.0.0.0/24 subnet.
B. Blocks traffic originating from IP address 10.0.0.1.
C. Logs traffic from IP address 10.0.0.1 without blocking.
D. Allows traffic from IP address 10.0.0.1.
Answer: B

The rule matches RemoteAddr with the IPMatch operator for '10.0.0.1' and blocks it.

Why this answer

Option B is correct. The rule matches the remote IP address '10.0.0.1' and blocks the request. Option A is wrong because it matches a specific IP, not a range. Option C is wrong because the action is 'Block'. Option D is wrong because it does not allow.

247
MCQ · easy

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user has signed in from a banned country. The analyst needs to block further access from that country for all users. What should the analyst configure?

A. Modify the device compliance policy in Microsoft Intune.
B. Configure a data loss prevention (DLP) policy in Microsoft Purview.
C. Create an IP range group for the country and configure a session policy to block it.
D. Create a conditional access policy in Microsoft Entra ID to block the country.
Answer: C

Session policies can block or allow access based on location.

Why this answer

Option C is correct because a Microsoft Defender for Cloud Apps session policy can block access based on location. Option A is wrong because compliance policies don't block access. Option B is wrong because DLP policies don't block access. Option D is wrong because conditional access policies are in Entra ID, not Defender for Cloud Apps.

248
MCQ · easy

Your security team detects a potential data exfiltration incident where an employee emailed sensitive customer data to a personal email address. The email was sent via Exchange Online. What is the immediate action to prevent further data loss?

A. Create a data loss prevention rule to block future emails to that domain
B. Review the user's email archive for other suspicious emails
C. Disable the user's account in Microsoft Entra ID
D. Use Microsoft Purview to perform a content search and purge the email from the recipient's mailbox
Answer: D

Content search and purge can remove the email from the recipient's mailbox only when the recipient is within the same organization; for an external address this may not be possible, and the best step is to block further sending and notify. The question implies the recipient is external, but the typical immediate action is to prevent further sending.

Why this answer

Option D is correct because purging the email from the recipient's mailbox removes the data from the external location. Option A is wrong because data loss prevention policies are preventive, not reactive. Option B is wrong because, while important, it is an investigation step, not immediate containment. Option C is wrong because disabling the user's account does not remove the already sent email.

249
MCQ · medium

You are responding to an incident where a user's credentials were stolen via a phishing email. The attacker used the credentials to access Microsoft Entra ID and then tried to perform privileged role escalation. Which Microsoft Sentinel solution should you use to detect this type of attack?

A. Network Security Group flow logs
B. Syslog data connector
C. Threat intelligence connectors
D. UEBA (User and Entity Behavior Analytics)
Answer: D

UEBA can detect unusual role assignments or escalation attempts based on behavioral baselines.

Why this answer

Option D is correct. UEBA analytics in Microsoft Sentinel can detect anomalous behavior such as role escalation attempts after credential theft. Option A (Network Security Group flow logs) is for network traffic. Option B (Syslog) is for generic log collection. Option C (Threat intelligence) is for known indicators.

250
MCQ · medium

You are investigating a potential ransomware incident detected by Microsoft Defender XDR. The incident shows multiple machines with suspicious encryption activity. You need to contain the threat immediately. What should you do first?

A. Reset the passwords of all users on the affected machines
B. Run a full antivirus scan on all endpoints
C. Initiate device isolation on affected machines from Microsoft Defender XDR
D. Disable the user accounts associated with the affected machines
Answer: C

Isolation stops network communication and prevents lateral movement.

Why this answer

Option C is correct because isolating devices from the network stops the spread of ransomware immediately. Option A is wrong because resetting passwords does not contain the active infection. Option B is wrong because running an antivirus scan is reactive and may not stop encryption in progress. Option D is wrong because disabling user accounts does not stop the malware on endpoints.

251
MCQ · easy

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident in Microsoft Defender XDR is automatically synchronized to Microsoft Sentinel. The incident in Sentinel is closed by the SOC team, but the corresponding incident in Defender remains open. What should you do to ensure that closing an incident in Sentinel also closes its linked incident in Defender?

A. Configure an automation rule in Microsoft Sentinel that triggers on incident closure and runs a playbook that closes the corresponding incident in Microsoft Defender XDR.
B. In the Microsoft Defender XDR portal, enable the setting to automatically close incidents when the linked Sentinel incident is closed.
C. Use the Microsoft Defender XDR API to set up a webhook that listens for Sentinel incident closure.
D. Enable the bi-directional sync in the Microsoft Sentinel data connector for Microsoft Defender XDR.
Answer: A

Automation rules can run playbooks that call APIs to close incidents in Defender.

Why this answer

Microsoft Sentinel can be configured to sync incident status back to Microsoft Defender XDR using automation rules, so Option A is correct. Option B is wrong because the Defender portal does not automatically sync with Sentinel. Option C is wrong because the Defender XDR API integration settings do not control Sentinel's incident closure. Option D is wrong because the bi-directional sync is not automatic and requires configuration.

252
MCQ · easy

After a security incident, you need to preserve evidence from a compromised Microsoft 365 tenant. What is the best method to preserve data?

A. Take a backup of the entire tenant
B. Use Microsoft Purview eDiscovery to search and export
C. Export the data to a PST file and delete the original
D. Place the user's mailbox and OneDrive on litigation hold
Answer: D

Preserves all data from deletion.

Why this answer

Option D is correct because litigation hold preserves all data. Option A is wrong because a backup is not immediate preservation. Option B is wrong because eDiscovery is for search, not preservation. Option C is wrong because deletion is destructive.

253
MCQ · medium

A SOC analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded 500 GB of data from SharePoint to an unmanaged device. The user has no history of such behavior. What is the best first step in the incident response process?

A. Run a full antivirus scan on the unmanaged device.
B. Contact the user to verify if the download was intentional.
C. Disable the user account in Microsoft Entra ID.
D. Create a detection rule for similar behavior in Microsoft Sentinel.
Answer: C

Immediately stops the user's access and prevents further data download, containing the incident.

Why this answer

Option C is correct because disabling the user account immediately stops the potential data exfiltration and is the recommended containment step in ransomware or data theft scenarios. Option A is reactive and does not prevent further data loss. Option B may be necessary but is not the first step. Option D is premature without containment.

254
MCQ · medium

Refer to the exhibit. An analyst runs Get-MpThreat on a device. Based on the output, what is the status of the threat?

A. The threat executed and is now inactive.
B. The threat was quarantined and is still active.
C. The threat is currently active on the device.
D. The threat was blocked and did not execute.
Answer: D

DidThreatExecute is False, IsActive is False.

Why this answer

Option D is correct because DidThreatExecute is False and IsActive is False, meaning the threat was blocked before execution. Option A is wrong because DidThreatExecute is False. Option B is wrong because IsActive is False, even though Action:6 (Quarantine) indicates the threat was handled. Option C is wrong because IsActive is False.

255
MCQ · hard

A security analyst is investigating an incident involving a suspicious process that was detected on multiple devices. The analyst wants to check if the same file hash was observed on other devices in the past 30 days. Which Microsoft 365 Defender table should be queried in KQL?

A. DeviceFileEvents
B. DeviceNetworkEvents
C. DeviceProcessEvents
D. DeviceEvents
Answer: A

DeviceFileEvents includes file creation, modification, and hash values.

Why this answer

Option A is correct because DeviceFileEvents contains file hash information and can be queried for file occurrences across devices. Option B is wrong because DeviceNetworkEvents deals with network connections. Option C is wrong because DeviceProcessEvents does not include the file hash. Option D is wrong because DeviceEvents includes various events but not the file hash.

256
MCQ · medium

Refer to the exhibit. A Microsoft Sentinel scheduled rule is configured as shown. The rule generates an alert, but the incident created contains only the first alert, and subsequent alerts do not update the incident. What is the most likely cause?

A. The triggerOperator and triggerThreshold are misconfigured.
B. The KQL query is missing a join to include more data.
C. The severity is set to High, which prevents incident updates.
D. The rule does not have incident grouping enabled.
Answer: D

Without grouping, each alert becomes a separate incident, so subsequent alerts create new incidents instead of updating the existing one.

Why this answer

Option D is correct because the rule does not have incident grouping configured (no incidentConfiguration), so each alert creates a new incident by default. Option A is wrong because the trigger operator and threshold are correct for alerting. Option B is wrong because the query is valid and returns results. Option C is wrong because the severity is set correctly.

257
MCQ · medium

Your organization uses Microsoft Sentinel. You need to create an incident response playbook that automatically isolates a compromised device when a high-severity incident is created. The playbook should only run during business hours (9 AM - 5 PM local time). How should you configure this?

A. Configure the analytics rule to only create incidents during business hours
B. Add a condition in the playbook to check the current time
C. Use a workbook to schedule the playbook
D. Create an automation rule with a condition on the incident creation time
Answer: D

Automation rules support conditions based on time.

Why this answer

Option D is correct because automation rules can have conditions such as time of day. Option A is wrong because analytics rules do not support time-based triggers. Option B is wrong because playbooks do not have built-in time conditions. Option C is wrong because workbooks are for visualization, not automation.

258
MCQ · medium

Your company uses Microsoft Sentinel. A security analyst receives an incident that includes a large number of alerts from a single data source. The analyst needs to identify which alerts are duplicates or related so they can focus on unique threats. Which feature should the analyst use?

A. Alert grouping
B. Investigation graph
C. Entity mapping
D. Automation rules
Answer: A

Alert grouping consolidates related alerts into a single incident.

Why this answer

Option A is correct because alert grouping in Microsoft Sentinel automatically groups similar alerts into a single incident, reducing noise. Option B is wrong because the investigation graph is for exploring relationships, not grouping. Option C is wrong because entity mapping is for enriching alerts with entities. Option D is wrong because automation rules are for response, not grouping.

259
MCQ · easy

Your organization uses Microsoft Defender for Identity. You receive an alert about suspicious Kerberos activity that may indicate a golden ticket attack. Which of the following actions should you take to investigate this alert?

A. Immediately reset the krbtgt account password twice
B. Export the Active Directory event logs to Microsoft Sentinel for analysis
C. Review the alert details in the Microsoft Defender for Identity portal and analyze related events
D. Disable the user account that triggered the alert
Answer: C

The portal provides investigation capabilities.

Why this answer

Option C is correct because the Microsoft Defender for Identity portal provides detailed investigation experiences for identity-based alerts. Option A is wrong because resetting the password might not be sufficient and could alert the attacker. Option B is wrong because exporting logs is not an immediate investigation step. Option D is wrong because disabling the user prematurely might disrupt operations.

260
MCQhard

During an incident investigation, you find that a compromised account was used to log into a virtual machine via RDP from an IP address in a sanctioned country. The VM has Microsoft Defender for Endpoint installed. Which data source in Microsoft Sentinel would you query to see the RDP connection events?

A.DeviceLogonEvents (Microsoft Defender XDR)
B.CommonSecurityLog
C.SigninLogs (Microsoft Entra ID)
D.SecurityEvent
AnswerD

SecurityEvent collects Windows security events including RDP logons (Event ID 4624) when configured.

Why this answer

Option D is correct because RDP connection events on a Windows machine are captured in the SecurityEvent table (Event ID 4624). Option B (CommonSecurityLog) is for network traffic logs. Option C (SigninLogs) is for audit logs from Azure AD.

Option A (DeviceLogonEvents) is for advanced hunting in Defender for Endpoint, but is not directly ingested into Sentinel by default.

261
Multi-Selecthard

Which THREE conditions must be met for a Microsoft Sentinel incident to be automatically closed by a playbook?

Select 3 answers
A.The playbook must have the 'Microsoft Sentinel Incident' connector with 'Update incident' action.
B.The analytics rule that generated the incident must have 'Create incident' enabled.
C.The automation rule must have the 'Run playbook' action.
D.The incident must have a classification set.
E.The playbook must be triggered on incident creation.
AnswersA, B, C

To close, the playbook needs to update the incident status.

Why this answer

The playbook must have a trigger for incident update, the rule must have automatic incident creation enabled, and the playbook must be assigned to the automation rule. Closing reason and classification are not required but may be set.

262
MCQhard

You are deploying Microsoft Sentinel using the above ARM template parameters. After deployment, you notice that Microsoft Defender for Cloud alerts are not being ingested. What is the MOST likely reason?

A.UEBA is enabled, which conflicts with Defender for Cloud data ingestion.
B.The workspace location (eastus) does not support Defender for Cloud connector.
C.The 'MicrosoftThreatProtection' connector only ingests Microsoft Defender XDR signals, not Defender for Cloud alerts.
D.The workspace name 'sentinel-workspace' is reserved for internal use.
AnswerC

Defender for Cloud alerts require 'AzureSecurityCenter' connector.

Why this answer

Option C is correct because 'MicrosoftThreatProtection' in the dataConnectors list refers to Microsoft Defender XDR, not Defender for Cloud. Defender for Cloud requires the 'AzureSecurityCenter' data connector. Option A is wrong because UEBA is enabled but does not affect data ingestion.

Option B is wrong because location does not affect connector availability. Option D is wrong because workspace name is valid.

263
MCQeasy

You are responding to a security incident involving a user who clicked on a malicious link in an email. The link led to a website that downloaded a file to the user's device. Microsoft Defender for Endpoint (MDE) detected the file as malware and blocked it. However, the user reports that the device is running slowly. You need to verify if there are any remnants of the malware. Which action should you take?

A.Re-onboard the device to MDE to ensure it's fully managed.
B.Run a full antivirus scan using Microsoft Defender Antivirus.
C.Initiate a live response session and run a PowerShell script to check for persistence mechanisms.
D.Perform a full OS reinstall to ensure the device is clean.
AnswerC

Live response enables remote investigation and remediation.

Why this answer

Option C is correct because MDE's live response allows you to run commands and scripts on the device to check for remnants. Option B is wrong because the malware was already blocked, so an antivirus scan may not find anything new. Option A is wrong because the device is already onboarded to MDE.

Option D is wrong because a full OS reinstall is too drastic and not necessary.

264
MCQeasy

Your organization uses Microsoft Sentinel. You receive an alert for a suspicious sign-in from an unusual location. You want to automatically create an incident and assign it to the security team for investigation. What should you configure?

A.Add the user to a watchlist and configure a fusion rule.
B.Create a playbook that triggers on the alert and creates an incident manually.
C.Modify the analytics rule to set the incident creation setting to 'Create incident from alert'.
D.Configure an automation rule that runs when the alert is generated, creates an incident, and sets the owner to the security team.
AnswerD

Automation rules can automatically create incidents from alerts and assign them to analysts.

Why this answer

Option D is correct because automation rules in Microsoft Sentinel can automatically create incidents from alerts and assign them to analysts. Option B is wrong because playbooks are for automated responses, not incident creation. Option C is wrong because analytics rules create alerts, not incidents directly.

Option A is wrong because watchlists are for enrichment, not incident creation.

265
MCQhard

Your organization uses Microsoft 365 Defender. An incident is created for a user who received a phishing email that contained a link to a malicious website. The user clicked the link but did not enter any credentials. The incident includes the alert 'Phishing delivered' from Microsoft Defender for Office 365. You need to remediate the incident and prevent future occurrences. The user is in the Finance department and frequently receives emails from external vendors. What is the best course of action?

A.Use Threat Explorer to delete the email from the user's mailbox and create a Safe Links policy to block the malicious URL.
B.Report the email to Microsoft for analysis and block the sender domain.
C.Provide security awareness training to the user and mark the incident as resolved.
D.Add the sender's domain to the Tenant Allow/Block List as allowed to avoid future false positives.
AnswerA

Deleting the email removes the immediate threat, and Safe Links prevents future clicks.

Why this answer

Option A is correct because using Threat Explorer to delete the email from the user's mailbox removes the threat, and creating a Safe Links policy blocks future similar links. Option B is wrong because reporting to Microsoft does not clean the mailbox. Option C is wrong because training alone does not remove the current email.

Option D is wrong because allowing the domain would increase risk.

266
MCQeasy

An analyst is investigating a phishing campaign that targeted multiple users. The analyst needs to identify if any users clicked a malicious link in the email. Which Microsoft Defender for Office 365 feature should be used?

A.Safe Attachments
B.Threat Explorer
C.Attack Simulator
D.Safe Links
AnswerB

Threat Explorer provides URL click data.

Why this answer

Option B is correct because Threat Explorer in Defender for Office 365 shows click activity on URLs. Option A is wrong because Safe Attachments checks attachments, not links. Option D is wrong because Safe Links protects in real time but does not provide historical click data.

Option C is wrong because the Attack Simulator is for testing, not investigation.

267
MCQmedium

Your organization uses Microsoft Sentinel. You receive an incident for a potential data exfiltration involving a sensitive blob storage container. You need to determine if the data was accessed from an unusual IP address. What should you do?

A.Modify the analytics rule that triggered the incident.
B.Run a playbook to collect IP information.
C.Open the Sentinel workbook for storage monitoring.
D.Use the Incident details pane to review the entity timeline.
AnswerD

Entity timelines show historical activities for entities like IP addresses.

Why this answer

Option D is correct because the Incident details pane in Microsoft Sentinel includes entity timelines, which show activities related to the entities involved, such as IP addresses accessing the storage. Option C is wrong because the workbook may not have the specific query. Option B is wrong because playbooks are for automated response, not investigation.

Option A is wrong because analytics rules define alert conditions; they do not provide investigation details.

268
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. You detect a suspicious app that has high data access and unusual API calls. You want to automatically block the app and notify the user. What should you implement?

A.Create an access policy that blocks the app based on the risk level.
B.Create an app governance policy that automatically blocks the app and sends a notification to the user.
C.Create a session policy to monitor the app's API calls.
D.Create a DLP policy to prevent data exfiltration from the app.
AnswerB

App governance policies can block apps and notify users automatically.

Why this answer

Option B is correct because app governance policies in Defender for Cloud Apps allow automated actions like blocking apps and sending notifications. Option A is wrong because access policies are for user or device access, not app blocking. Option C is wrong because session policies control real-time sessions, not app blocking.

Option D is wrong because DLP policies are for data loss prevention, not app control.

269
MCQhard

During an incident response, you need to collect forensic data from Microsoft Defender for Endpoint (MDE) on a remote device that is currently offline. What is the best approach?

A.Initiate a live response session when the device comes online
B.Wait until the device is online and then collect manually
C.Run a remotely scheduled antivirus scan
D.Collect the data from the device's cloud store
AnswerA

Live response provides access to collect forensic data interactively.

Why this answer

The best approach is to initiate a live response once the device is online, because live response allows command execution and data collection. Collecting from cloud store is not direct. Remotely scheduled scan is not forensic collection.

Waiting is passive.

270
MCQmedium

Your organization uses Microsoft Sentinel. A fusion incident was created involving multiple alerts from different sources. You need to investigate the incident to determine if it is a true positive. What is the first step you should take?

A.Run a KQL query on the raw logs to see if the alerts are connected.
B.Assign the incident to a senior analyst for further investigation.
C.Review the incident timeline and entity mapping in the incident details.
D.Close the incident as a false positive if the alerts seem unrelated.
AnswerC

The timeline shows the sequence of events and helps correlate alerts.

Why this answer

Option C is correct because the first step is to review the incident timeline to understand the sequence of events and correlate the alerts. Option D is wrong because you should not immediately dismiss the incident. Option A is wrong because running KQL queries without context is inefficient.

Option B is wrong because assigning the incident to another analyst without investigation delays response.

271
MCQmedium

A company uses Microsoft Sentinel as its SIEM. The security team is investigating an incident that involves multiple alerts from different data sources. The team wants to see a timeline of all related activities across all data sources in one view. Which Microsoft Sentinel feature should they use?

A.Workbooks
B.Incident timeline
C.Investigation graph
D.Hunting page
AnswerB

The Incident timeline shows a chronological list of all alerts and events for the incident.

Why this answer

Option B is correct because the Incident timeline in Microsoft Sentinel provides a unified chronological view of all alerts and events related to an incident. Option C is wrong because the Investigation graph is more about entity relationships. Option A is wrong because workbooks are for custom dashboards.

Option D is wrong because the Hunting page is for proactive searches, not incident investigation.

272
MCQhard

Your company uses Microsoft Defender XDR. A critical server is exhibiting signs of a potential ransomware attack, with files being encrypted and a ransom note appearing. The incident has been escalated to the security operations center (SOC). What is the most immediate action to contain the threat and prevent further spread?

A.Collect an investigation package for analysis
B.Disable the user account that was logged on
C.Initiate the 'Contain device' action from Microsoft Defender XDR
D.Run a full antivirus scan on the server
AnswerC

This isolates the device, stopping lateral movement and encryption.

Why this answer

Option C is correct because the 'Contain device' action in Microsoft Defender XDR immediately isolates the device from the network, stopping the ransomware from spreading. Option D is wrong because running a full antivirus scan takes time and does not contain the threat. Option A is wrong because collecting an investigation package is for analysis, not containment.

Option B is wrong because removing the user's access does not stop the ransomware already running on the device.

273
Multi-Selectmedium

Which TWO actions should an analyst take when a user reports receiving a suspicious email with an attachment? (Select TWO.)

Select 2 answers
A.Submit the email to Microsoft for analysis using the Submissions page in Microsoft 365 Defender.
B.Run a PowerShell script to automatically forward the email to IT.
C.Delete the email from the user's mailbox using Microsoft 365 Defender.
D.Open the attachment to verify if it is malicious.
E.Block the sender in the user's Outlook settings.
AnswersA, C

Submissions help analyze the threat.

Why this answer

Option A is correct because submitting the email to Microsoft for analysis helps improve detection. Option C is correct because deleting the email from the mailbox removes it from the user's environment. Option D is wrong because opening the attachment would be unsafe.

Option E is wrong because blocking the sender in Outlook only affects that user. Option B is wrong because running a script to forward the email is not recommended.

274
MCQmedium

A SOC analyst needs to automate response to a phishing email reported by a user. The playbook should automatically block the sender in Exchange Online and delete the email from all recipients. Which Microsoft Sentinel automation action should the analyst use?

A.Use the Azure Automation connector to run a runbook that deletes the email only.
B.Use the Microsoft Teams connector to post an adaptive card for approval, then use the Exchange Online PowerShell connector to run a script to block sender and delete email.
C.Use the Microsoft 365 Defender connector with an action to run an advanced hunting query.
D.Use the ServiceNow connector to create an incident ticket.
AnswerB

This automates with approval and performs the required actions.

Why this answer

Option B is correct because the Microsoft Teams connector can post an adaptive card to get analyst approval before blocking, and the Exchange Online PowerShell connector then performs the block and deletion. Option C is wrong because the advanced hunting action only queries data; it does not block the sender or delete the email. Option D is wrong because ServiceNow is for ticketing, not immediate blocking.

Option A is wrong because Azure Automation can run scripts but is not the primary connector for Exchange Online actions.

275
MCQhard

An organization uses Microsoft Purview Communication Compliance to detect insider trading. An alert is generated for a user who sent a message containing sensitive financial data. The compliance officer needs to initiate a legal hold on the user's mailbox to preserve evidence. Which role must the officer have to perform this action?

A.Communication Compliance admin
B.Compliance Administrator (Global)
C.eDiscovery Manager (Legal Hold)
D.Exchange Online Mailbox Search role
AnswerC

The eDiscovery Manager role with the 'Legal Hold' sub-role is required to place a mailbox on hold.

Why this answer

Legal hold requires the 'Legal Hold' role in Microsoft Purview (eDiscovery). Communication Compliance roles alone do not include hold capabilities. Exchange Online roles may not have cross-functional hold.

276
MCQhard

Your company uses Microsoft Defender for Endpoint. A device shows signs of compromise with suspicious PowerShell execution. You need to collect forensic evidence before performing remediation. Which action should you use?

A.Isolate the device from the network.
B.Run a full antivirus scan.
C.Collect investigation package.
D.Initiate a live response session.
AnswerC

This collects forensic evidence without altering the system state.

Why this answer

Option C is correct because 'Collect investigation package' gathers a comprehensive set of forensic data from the device, including files, processes, and registry. Option B (Run a full antivirus scan) is a remediation step. Option D (Initiate a live response session) allows real-time investigation but does not collect a full package.

Option A (Isolate the device) is a containment measure.

277
MCQhard

Your incident response team uses Microsoft Sentinel with automation rules and playbooks. During an incident, you need to automatically collect a memory dump from an affected Windows server and upload it to an Azure storage account for analysis. Which type of playbook should you use?

A.A playbook that installs a script on the server to collect the dump.
B.A playbook triggered directly from the analytics rule that generates the alert.
C.A playbook that must be run manually from the incident page.
D.A playbook triggered by an automation rule when the incident is created.
AnswerD

Automation rules allow triggering playbooks automatically on incident creation.

Why this answer

Option D is correct because automation rules can trigger playbooks on incident creation or update. Option B is wrong because playbooks are triggered by automation rules, not directly by analytics rules. Option C is wrong because playbooks can be triggered automatically.

Option A is wrong because playbooks run in Azure, not on the server.

278
MCQeasy

Refer to the exhibit. An admin creates this activity policy in Microsoft Defender for Cloud Apps. What will happen when a user fails to log in from 3 different IP addresses within 10 minutes?

A.The policy will generate an alert but not block the user.
B.The user will be blocked immediately after the third failed login from any IP.
C.The user will be blocked after 10 minutes regardless of the number of IPs.
D.The user will be blocked only if the third IP is different from the first two.
AnswerD

The policy requires 3 distinct IP addresses; after the third distinct IP, the user is blocked.

Why this answer

The policy triggers when the count of different IPs for failed logins reaches 3 within 10 minutes. The action is to block the user. 'DifferentCount' means distinct IPs, not total attempts. So exactly 3 different IPs trigger it.

279
MCQmedium

Your company uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. The email contains an external link to a credential harvesting site. You need to block similar emails in the future. What should you do?

A.Create an anti-spam policy to block the sender's domain.
B.Create a Safe Links policy and add the malicious domain to the blocked URLs list.
C.Create an anti-malware policy to block the attachment type.
D.Add the sender's domain to the Tenant Allow/Block List.
AnswerB

Safe Links policies can block URLs at click time, protecting users.

Why this answer

Option B is correct because creating a Safe Links policy and adding the domain to the blocked URLs list prevents users from clicking malicious links. Option A is wrong because anti-spam policies do not block specific URLs. Option D is wrong because the Tenant Allow/Block List is for sender/domain blocking, not URLs.

Option C is wrong because anti-malware policies do not handle link blocking.

280
MCQhard

A company uses Microsoft Sentinel with Microsoft Defender for Cloud Apps. An incident is created when a user downloads 500 GB from SharePoint in one hour. The analyst wants to create a playbook that automatically suspends the user in Microsoft Entra ID when such activity is detected. Which connector and action should the analyst use in the playbook?

A.Microsoft Teams connector with 'Post message' action to notify admin.
B.Microsoft Entra ID connector with 'Update user' action to set accountEnabled to false.
C.Microsoft 365 Defender connector with 'Run advanced hunting' action.
D.Exchange Online connector with 'Set mailbox' action.
AnswerB

Directly disables the user account in Entra ID.

Why this answer

Option B is correct because the Microsoft Entra ID connector can update user settings, and the action to disable the account (accountEnabled set to false) is available. Option C is wrong because the Microsoft 365 Defender advanced hunting action only queries data and does not disable users. Option D is wrong because Exchange Online is for mailboxes.

Option A is wrong because Microsoft Teams is for communication.

281
Multi-Selecthard

Which THREE actions can you take in Microsoft Sentinel to respond to an incident?

Select 3 answers
A.Assign the incident to a user
B.Create an automation rule
C.Run a playbook
D.Modify a KQL query in an analytics rule
E.Export logs to Azure Storage
AnswersA, B, C

Part of incident management.

282
MCQhard

A security administrator receives an alert from Microsoft Defender for Identity about a suspicious Kerberos ticket request from a domain controller. The alert suggests a possible Golden Ticket attack. Which action should the administrator take to validate the alert?

A.Review Microsoft Defender for Identity alerts for brute force attempts.
B.Check the domain controller's Security event log for Event ID 4769 with suspicious attributes.
C.Reset the krbtgt account password twice.
D.Verify if the user account associated with the ticket is disabled.
AnswerB

Event ID 4769 logs Kerberos service ticket requests; anomalous entries can indicate forged tickets.

Why this answer

To validate a Golden Ticket attack, the administrator should check the domain controller's event logs for Event ID 4769 (Kerberos service ticket request) with anomalous attributes such as ticket encryption type 0x17 (RC4) or non-existent user accounts. Checking user accounts for anomalies is less direct. Resetting passwords does not invalidate a Golden Ticket.

Checking for brute force is unrelated.

283
MCQeasy

A security analyst in your SOC receives an alert from Microsoft Defender for Cloud Apps indicating that a user downloaded a large number of files from SharePoint in a short time. What is the most likely classification of this activity?

A.Ransomware
B.Lateral movement
C.Data exfiltration
D.Privilege escalation
AnswerC

Downloading many files suggests theft of data.

Why this answer

Option C is correct because this behavior is indicative of data exfiltration. Option D is wrong because privilege escalation involves gaining higher permissions. Option A is wrong because ransomware would encrypt files.

Option B is wrong because lateral movement involves moving between systems.

284
MCQmedium

A security operations center (SOC) team uses Microsoft Defender XDR and Microsoft Sentinel. An incident is created in Defender XDR that involves a malicious email and a compromised device. The team wants the incident to automatically sync to Sentinel. What is the minimum configuration required?

A.Configure the Microsoft Defender for Office 365 connector in Sentinel
B.Configure the Azure AD Identity Protection connector in Sentinel
C.Configure the Microsoft Defender XDR connector in Sentinel
D.Configure the Microsoft 365 Defender connector in Sentinel
AnswerC

This connector synchronizes all Defender XDR incidents to Sentinel.

Why this answer

Option C is correct because the connector for Microsoft Defender XDR automatically syncs incidents to Sentinel. Option D is wrong because the connector for Microsoft 365 Defender is the same connector. Option A is wrong because the connector for Microsoft Defender for Office 365 only syncs email-related alerts.

Option B is wrong because the connector for Azure AD Identity Protection only syncs identity alerts.

285
MCQeasy

Your company uses Microsoft Sentinel with the Microsoft Defender for Cloud Apps connector. An incident is created when a user performs an unusual mass download from SharePoint Online. The playbook assigned to the incident automatically suspends the user account in Microsoft Entra ID. However, after investigation, the user's activity is determined to be legitimate (they were backing up data for a migration). You need to restore the user's account and ensure that the user can access all resources immediately. You also need to update the incident to reflect the findings. What should you do?

A.Send a new invitation to the user via Microsoft Entra ID and close the incident as resolved.
B.Reset the user's password in Microsoft Entra ID and force a password change at next sign-in.
C.Edit the playbook to remove the suspend action and re-run it for the incident.
D.Re-enable the user account in Microsoft Entra ID and set the incident status to Closed with classification 'False positive'.
AnswerD

Re-enabling restores access; closing with classification documents the finding.

Why this answer

Option D is correct because re-enabling the account in Entra ID restores access, and closing the incident with a classification updates the record. Option B is wrong because resetting the password is unnecessary. Option A is wrong because re-inviting is for guest users.

Option C is wrong because editing the playbook is not needed.

286
Multi-Selecteasy

Which TWO Microsoft 365 Defender portals provide automated investigation and response capabilities? (Choose two.)

Select 2 answers
A.Microsoft Purview compliance portal
B.Microsoft Sentinel (portal.azure.com)
C.Microsoft Intune admin center
D.Microsoft Defender for Endpoint (security.microsoft.com)
E.Microsoft 365 Defender (security.microsoft.com)
AnswersD, E

Defender for Endpoint has automated investigation and response for endpoint threats.

Why this answer

D and E are correct. Microsoft 365 Defender (https://security.microsoft.com) provides automated investigation for incidents. Microsoft Defender for Endpoint has its own AIR capabilities.

B is wrong because Microsoft Sentinel is a SIEM, not a portal for automated response. A is wrong because Microsoft Purview is for compliance. C is wrong because Microsoft Intune is for device management.

287
Multi-Selectmedium

Which TWO are recommended first steps when responding to a confirmed ransomware incident in Microsoft Defender XDR?

Select 2 answers
A.Assess the financial impact of the incident
B.Disable all user accounts
C.Run a full antivirus scan on all devices
D.Isolate affected devices using Microsoft Defender for Endpoint
E.Revoke user sessions and require reauthentication
AnswersD, E

Isolation stops lateral movement and communication with C2.

Why this answer

The correct answers are D and E. Isolating affected devices and revoking user sessions are immediate containment steps. Disabling accounts is also important but can be done after revoking sessions.

Running a full antivirus scan is not a first step; it may alert the attacker. Assessing impact is part of investigation, not first containment.

288
MCQeasy

Your organization uses Microsoft Defender for Cloud to protect hybrid cloud workloads. An alert indicates that a container in Azure Kubernetes Service (AKS) is running a privileged container. Which response action should you take first?

A.Investigate the alert details in Microsoft Defender for Cloud
B.Disable the container immediately
C.Restart the AKS cluster
D.Delete the container and its image
AnswerA

Investigation is the first step.

Why this answer

The correct answer is A because the first step is to investigate the alert to confirm the behavior. Option B is wrong because disabling the container without investigation could impact services. Option C is wrong because restarting is not a containment measure.

Option D is wrong because deleting the container is too drastic without investigation.

289
MCQhard

Refer to the exhibit. You are investigating a malware outbreak in Microsoft Sentinel. The KQL query returns no results. What is the most likely reason?

A.The time range is too restrictive.
B.The alert name in the query does not match the actual alert name.
C.No alerts were generated in the last hour.
D.The query syntax is incorrect.
AnswerB

Alert names are case-sensitive and must match exactly.

Why this answer

Option B is correct because the alert name must match exactly; 'Malware detected' might not be the correct name. Option C is wrong because if no alerts were generated, the table would be empty but the query would still run. Option D is wrong because the syntax is correct.

Option A is wrong because the time filter is not the issue.

290
MCQmedium

You are investigating a security incident in Microsoft Sentinel where a user reported receiving a phishing email with a malicious attachment. You need to identify all users who received the same email within the last 24 hours. Which KQL query should you use?

A.EmailEvents | where RecipientEmailAddress == 'user@contoso.com' and Timestamp > ago(24h) | project SenderFromAddress, Subject
B.EmailUrlInfo | where Url == 'http://malicious.com' | project RecipientEmailAddress
C.EmailAttachmentInfo | where FileName == 'malicious.doc' | project RecipientEmailAddress
D.EmailEvents | where SenderFromAddress == 'attacker@example.com' and Subject == 'Invoice' and Timestamp > ago(24h) | project RecipientEmailAddress
AnswerD

This retrieves all recipients who received the same email from the same sender and subject.

Why this answer

The correct query (Option D) uses the EmailEvents table and filters by sender and subject. Option C is wrong because EmailAttachmentInfo does not contain recipient info. Option A is wrong because it would only show the specific user.

Option B is wrong because EmailUrlInfo is for URLs, not attachments.

291
MCQeasy

An incident in Microsoft Sentinel was assigned to you. After investigation, you determine it is a false positive. What should you do to resolve the incident?

A.Add a comment and leave it open
B.Close the incident with classification 'FalsePositive'
C.Delete the incident
D.Reassign to another analyst
E.Change the status to 'Active'
AnswerB

Properly closes the incident and provides reason.

Why this answer

The correct action is to close the incident with a classification of 'FalsePositive'. Changing status or adding comments does not resolve it properly. Deleting is not recommended.

292
MCQhard

During a security incident, the Microsoft Sentinel workspace is receiving a high volume of low-severity alerts, causing analyst fatigue. You need to reduce noise while ensuring critical alerts are not missed. What should you configure?

A.Disable analytics rules for low-severity alerts
B.Change the severity of low-severity alerts to Informational in the analytics rule
C.Create an automation rule to close low-severity incidents automatically
D.Modify the incident creation rule to only create incidents for alerts with severity High or Medium
AnswerD

This filters alerts before incident creation, reducing noise.

Why this answer

Option D is correct because incident creation rules can filter by alert severity to only create incidents for High and Medium severity, reducing noise. Option A is wrong because disabling analytics rules would stop all alerts. Option C is wrong because automation rules trigger after incident creation, not before.

Option B is wrong because setting the severity to Informational would not help filter.

293
MCQeasy

You are investigating a phishing incident in Microsoft Defender XDR. The incident involves a user who clicked a malicious link in an email. Which data source would you use to trace the email's origin?

A.Microsoft Defender for Endpoint
B.Microsoft Defender for Office 365
C.Microsoft Defender for Cloud Apps
D.Microsoft Defender for Identity
AnswerB

Covers email threats.

Why this answer

Option B is correct because Microsoft Defender for Office 365 provides email and phishing data. Option A is wrong because Defender for Endpoint focuses on devices. Option D is wrong because Defender for Identity focuses on on-premises identity threats.

Option C is wrong because Defender for Cloud Apps focuses on cloud applications.

294
MCQmedium

You are analyzing a firewall policy in Azure Firewall deployed via Azure Policy. What is the effect of this rule?

A.Allows outbound traffic from any source to IP 10.0.0.5.
B.Allows inbound traffic from IP 10.0.0.5 to any destination.
C.Denies inbound traffic from IP 10.0.0.5 to any destination.
D.Denies outbound traffic from any source to IP 10.0.0.5.
AnswerC

The rule denies inbound traffic from the specified source IP.

Why this answer

Option C is correct because the rule's action is Deny, its source is IP 10.0.0.5 and its destination is any, so it denies inbound traffic from 10.0.0.5 to every destination. Option A is wrong because the rule denies rather than allows. Option B is wrong for the same reason: it is a deny rule, not an allow rule.

Option D is wrong because the direction is reversed: 10.0.0.5 is the source of the denied traffic, not its destination, so the rule blocks traffic coming from that host rather than traffic going to it.

295
Multi-Selecteasy

You are investigating a security incident involving a compromised user account. The attacker used the account to access sensitive data in SharePoint Online. Which TWO actions should you take to remediate the incident? (Choose two.)

Select 2 answers
A.Reset the user's password.
B.Revoke all refresh tokens for the user.
C.Disable the user account in Microsoft Entra ID.
D.Review the sign-in logs to determine the extent of the breach.
E.Create a Conditional Access policy to require MFA for the user.
AnswersB, C

Revoking tokens terminates active sessions.

Why this answer

Options B and C are correct. Disabling the account immediately blocks any new sign-in. Revoking the refresh tokens terminates the attacker's existing sessions; note that already-issued access tokens stay valid until they expire (up to about an hour), with Continuous Access Evaluation shortening that window for services that support it, so both steps together are the immediate containment.

Option D is wrong because reviewing sign-in logs is investigation, not remediation. Option A is wrong because a password reset alone does not invalidate sessions the attacker already holds; it is still worth doing, but only the token revocation ends active access. Option E is wrong because a Conditional Access policy requiring MFA is a long-term preventive control, not immediate remediation.

296
MCQhard

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. You have a critical incident that involves multiple alerts across different services. The incident is being updated with new alerts. You need to ensure that a specific playbook runs only when the incident severity is updated to High. How should you configure the automation rule?

A.Set the trigger to 'When an alert is created' and filter for alerts with High severity.
B.Set the trigger to 'When incident is updated' and add a condition on severity equals High.
C.Set the trigger to 'When incident is created' and add a condition on severity equals High.
D.Configure the condition inside the playbook to check severity and exit if not High.
AnswerB

This triggers the playbook only when the incident is updated to High severity.

Why this answer

Option B is correct because an automation rule with the 'When incident is updated' trigger can carry a condition on severity, so the playbook runs only when the incident's severity equals High; the update trigger also supports a 'changed to' form of the condition, which fires once when the severity becomes High rather than on every later update of an already-High incident. Option C is wrong because 'When incident is created' fires only once, at creation, and would not react to the severity being raised later. Option A is wrong because the requirement is about the incident's severity being updated, not about new alerts arriving, and an alert-created trigger cannot see the incident severity.

Option D is wrong because the automation rule would still run the playbook on every update and leave the playbook to exit early; the severity check belongs in the automation rule's condition, where it stops the playbook from being invoked at all.

297
MCQhard

You deploy the above ASR rule in Microsoft Defender for Endpoint. After deployment, you notice that .exe files are still being executed from Outlook attachments. What is the most likely reason?

A.The rule only applies when the initiating process is outlook.exe, but the attachment may be launched from another process.
B.The rule does not block .vbs files, which are also commonly used in attacks.
C.The ASR rule is configured in audit mode instead of block mode.
D.The rule is not applied because fileExtension is not a supported field in ASR rules.
AnswerC

ASR rules need to be set to 'block' mode to actually block execution; otherwise they only generate audit events.

Why this answer

Option C is correct because an ASR rule only enforces when its action is set to Block; the policyContent snippet shows the rule definition but not the enforcement mode, and a rule deployed in Audit mode only writes audit events while still letting the attachment run. Option B is wrong because the question concerns .exe files, which the rule does cover; whether .vbs is covered is irrelevant to why .exe files still ran.

Option A is wrong because the rule targets the initiating process outlook.exe, and the scenario states the files are executed from Outlook attachments, which is exactly the case the rule covers. Option D is wrong because the rule is correctly formatted for ASR.
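
The practitioner's check for this situation, as an added example that is not part of the question bank: an advanced hunting query in Microsoft Defender XDR that reads the events Defender for Endpoint writes to DeviceEvents for the "Block executable content from email client and webmail" rule. A device that shows only Audited events and no Blocked events is running the rule in audit mode. The 7-day window is an assumption, and the two ActionType names are taken to be the audit and block events for this rule.

```kql
// Added example (not from the question bank). Tell audit mode from block mode for the
// "Block executable content from email client and webmail" ASR rule by inspecting the
// ASR events Defender for Endpoint records in DeviceEvents.
// Assumptions: 7-day window; the two ActionType values are this rule's audit/block events.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType in ("AsrExecutableEmailContentAudited", "AsrExecutableEmailContentBlocked")
| summarize
    Audited             = countif(ActionType endswith "Audited"),   // rule fired, file still ran
    Blocked             = countif(ActionType endswith "Blocked"),   // rule fired and stopped the file
    SampleFiles         = make_set(FileName, 5),                    // what was launched
    InitiatingProcesses = make_set(InitiatingProcessFileName, 5),   // outlook.exe, or something else?
    LastSeen            = max(Timestamp)
    by DeviceName
| extend RuleMode = case(Blocked > 0, "block", "audit only")
| where RuleMode != "block"          // keep only devices where the rule is not enforcing
| sort by Audited desc
```

A row with a non-zero Audited count and zero Blocked count is a device where the policy was delivered but left in audit mode. If InitiatingProcesses lists something other than outlook.exe for the files that ran, the attachment is being launched by another process and option A's scenario applies instead; in that case no change of mode for this rule will help.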

298
MCQhard

A Microsoft Defender XDR incident shows that a user's device has been communicating with a known malicious C2 server. The device is online and the user is actively working. You need to contain the threat with minimal business disruption. What should you do?

A.Remove the device from the network by disabling the switch port
B.Shut down the device remotely
C.Run a full antivirus scan on the device
D.Initiate device isolation from Microsoft Defender XDR
AnswerD

Isolation blocks network traffic except to Microsoft services, minimizing disruption.

Why this answer

Option D is correct because Defender for Endpoint device isolation cuts the device's network connectivity, including the C2 channel, while keeping its connection to the Defender service so it can still be investigated and released; choosing selective isolation additionally leaves Outlook and Teams working, which is the lowest-disruption containment for a user who is actively working. Option A is wrong because disabling the switch port needs the network team and knowledge of where the device is plugged in, and may not be possible at all for a remote or wireless device. Option B is wrong because shutting the device down stops the user's work outright and discards volatile evidence.

Option C is wrong because running an antivirus scan does not stop the ongoing C2 communication.

299
MCQeasy

You are responding to an incident where a user's device may be compromised. You need to collect forensic data from the device using Microsoft Defender for Endpoint. Which action should you take?

A.Isolate device
B.Initiate Live Response
C.Collect investigation package
D.Run antivirus scan
AnswerC

Gathers forensic data.

Why this answer

Option C is correct because 'Collect investigation package' gathers forensic data (running processes, network connections, autoruns, installed programs, event logs and similar artifacts) into a downloadable archive without requiring an interactive session. Option B is wrong because 'Initiate Live Response' opens a remote shell for interactive work, not a one-step data collection. Option D is wrong because 'Run antivirus scan' is for malware detection.

Option A is wrong because 'Isolate device' is for containment.

300
MCQhard

You are investigating a ransomware incident in Microsoft Sentinel. The incident contains multiple alerts from Microsoft Defender for Endpoint, Microsoft Defender for Office 365, and Microsoft Defender for Identity. You need to correlate the alerts and identify the initial entry point. Which KQL function should you use to combine the alerts?

A.materialize()
B.union
C.mv-expand
D.make_set()
AnswerD

make_set() creates an array of unique values, ideal for aggregating alert titles for correlation.

Why this answer

Option D is correct because make_set() builds an array of the unique values in a group, so summarizing the incident's alerts with make_set(AlertName) (and make_set(ProductName)) puts every alert from Defender for Endpoint, Office 365 and Identity on one row, where the earliest one marks the entry point. Option A is wrong because materialize() only caches an intermediate result for reuse within the query. Option C is wrong because mv-expand does the opposite, splitting a multi-value array into one row per element.

Option B is wrong because union is an operator that concatenates tables; with the Defender XDR connector all of these alerts already land in the single SecurityAlert table, so there is nothing to union and the correlation happens within that one table.
