CCNA Respond Security Incidents Questions

75 of 489 questions · Page 5/7 · Respond Security Incidents topic · Answers revealed

301
MCQmedium

You are responding to a phishing incident. The investigation reveals that a user clicked a link in a phishing email and entered credentials on a fake site. You need to contain the incident and prevent further compromise. What should you do first?

A.Report the phishing site to Microsoft.
B.Block the phishing URL in Microsoft Defender for Office 365.
C.Reset the user's password and revoke sessions.
D.Delete the phishing email from the user's mailbox.
AnswerC

This invalidates the stolen credentials and existing sessions.

Why this answer

Option C is correct because resetting the compromised user's password immediately prevents further access with the stolen credentials. Option B is wrong because blocking the URL does not invalidate credentials that have already been stolen. Option D is wrong because deleting the email from the user's mailbox does not prevent use of the stolen credentials.

Option A is wrong because reporting the site to Microsoft is reactive.

302
MCQmedium

Your Microsoft 365 tenant is protected by Microsoft Defender for Office 365. A user reports receiving a suspicious email with a link. You need to investigate whether the link was malicious and if any other users clicked it. Which tool should you use first?

A.Microsoft Entra ID sign-in logs
B.Microsoft Purview compliance portal
C.Email Entity page in Microsoft Defender XDR
D.Threat Explorer
E.Attack Simulation Training
AnswerD

Provides detailed email threat data including URL clicks.

Why this answer

Threat Explorer allows investigation of email threats, including URLs and which users clicked them. The other options serve different purposes.

303
MCQhard

Your company uses Microsoft Defender XDR. During a ransomware incident, you need to isolate a compromised Windows 10 device from the network while allowing connectivity to the Microsoft Defender for Endpoint service. Which action should you take?

A.Initiate a Full isolation from the device's action menu.
B.Contain the device from the Microsoft Defender XDR portal.
C.Apply a firewall rule to block all outbound traffic.
D.Run a selective isolation to block only external connections.
AnswerA

Full isolation blocks all network traffic except to the Defender service.

Why this answer

Option A is correct because the Full isolation type in Microsoft Defender for Endpoint blocks all network traffic except to the Defender service. Option D (Selective isolation) is not a valid isolation type. Option B (Contain) is not an isolation action.

Option C (Block all traffic) would prevent the device from receiving updates and reporting to Defender.

304
MCQmedium

Your security team receives an alert from Microsoft Defender for Endpoint indicating a suspicious PowerShell command was executed on a device. The command attempted to download a payload from a known malicious IP. After confirming the alert is a true positive, what should be your first containment step?

A.Search for similar commands across all devices using advanced hunting
B.Disable the user account in Microsoft Entra ID
C.Isolate the device from the network using Microsoft Defender for Endpoint
D.Reset the user's password
AnswerC

Isolation stops the device from communicating with the attacker and prevents lateral movement.

Why this answer

Option C is correct because immediately isolating the affected device from the network prevents lateral movement and further compromise. Option D is wrong because a password reset does not address the existing compromise. Option B is wrong because disabling the user account may not stop the malicious process already running.

Option A is wrong because searching for indicators is part of investigation, not immediate containment.

305
MCQeasy

Your organization uses Microsoft Sentinel. An incident is created for a possible data exfiltration via an unapproved external IP address. Which type of Microsoft Sentinel automation should you use to automatically block the IP address in the firewall?

A.Data connector.
B.Analytics rule.
C.Watchlist.
D.Playbook.
AnswerD

Playbooks automate response actions; they can be triggered from automation rules to block IPs.

Why this answer

An automation rule in Microsoft Sentinel can trigger a playbook (based on Azure Logic Apps) when an incident is created. The playbook can then block the IP. Data connectors ingest data, watchlists are for reference, and analytics rules create alerts.

306
MCQeasy

An organization uses Microsoft Sentinel. A security engineer needs to set up automatic response actions when a high-severity incident is created. The engineer wants to trigger a playbook that sends a notification to a Microsoft Teams channel and creates a ticket in ServiceNow. What should the engineer use?

A.An automation rule that triggers a playbook
B.An analytics rule with incident creation enabled
C.A watchlist to detect the incident
D.A workbook with a custom alert
AnswerA

Automation rules are designed to run playbooks in response to incident creation or update.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks (Azure Logic Apps) when incidents are created or updated. Option B is wrong because analytics rules create alerts, not incidents directly. Option D is wrong because workbooks are for visualization, not automation.

Option C is wrong because watchlists are for correlation, not automated response.

307
Multi-Selecteasy

Which TWO are valid methods to collect forensic evidence from a compromised Windows endpoint during an incident? (Choose TWO.)

Select 2 answers
A.Run Windows Update to fix vulnerabilities.
B.Reboot the system and boot from a forensic USB drive.
C.Use FTK Imager to create a forensically sound image of the hard drive.
D.Run KAPE (Kroll Artifact Parser and Extractor) to collect artifacts.
E.Take a memory dump using DumpIt or similar tool.
AnswersD, E

KAPE collects forensic artifacts without altering the system.

Why this answer

Option D is correct because KAPE collects live forensic data. Option E is correct because a memory dump captures volatile data. Option B is wrong because rebooting overwrites data.

Option A is wrong because Windows Update is not a forensic tool. Option C is wrong because FTK Imager is for disk imaging after shutdown.

308
MCQhard

You run the above KQL query in Microsoft Sentinel to detect encoded PowerShell commands. The query returns no results, even though you know that some devices have executed encoded PowerShell commands. What is the most likely reason?

A.The DecodedCommand column is empty because the ProcessCommandLine does not contain an encoded command.
B.The base64_decode_tostring function cannot decode PowerShell encoded commands.
C.The query only looks for 'powershell.exe', but the command might have been run using 'pwsh.exe' or 'powershell_ise.exe'.
D.The DeviceProcessEvents table does not contain PowerShell process events.
AnswerC

PowerShell Core uses pwsh.exe, and PowerShell ISE uses powershell_ise.exe.

Why this answer

Option C is correct because the query filters on FileName == 'powershell.exe' exactly, but the process might be named 'powershell_ise.exe' or 'pwsh.exe' (PowerShell Core). Option B is wrong because base64_decode_tostring decodes correctly when the command is base64-encoded. Option A is wrong because the query does not filter by -EncodedCommand; it uses contains to check whether the decoded command contains '-EncodedCommand', which is incorrect logic.

Option D is wrong because the query uses the DeviceProcessEvents table, which should capture process events.
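The exhibit query itself is not reproduced on this page, so the following added example (not from the question bank) mirrors its detection logic in Python over constructed DeviceProcessEvents-shaped rows. It shows why an exact FileName == 'powershell.exe' filter misses pwsh.exe and powershell_ise.exe, and it undoes the -EncodedCommand encoding the way PowerShell produces it (base64 over UTF-16LE text). The host-name set and the abbreviated switch forms in the regex are assumptions made for the example; the sample rows and device names are constructed.

```python
import base64
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Every process name that hosts PowerShell. The query in the question matches
# only the first one, so encoded commands run via pwsh.exe or the ISE are missed.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# PowerShell accepts abbreviated switch names; this pattern covers the common
# forms (-e, -ec, -enc, -EncodedCommand) and captures the base64 argument.
# The alternation is an assumption for this example, not an exhaustive list.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the script passed via -EncodedCommand, or None if there is none.

    PowerShell base64-encodes the script as UTF-16LE text, so after undoing the
    base64 layer (the step KQL's base64_decode_tostring performs) the bytes are
    decoded as UTF-16LE here.
    """
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def find_encoded_powershell(events: Iterable[Dict[str, str]],
                            file_names: Iterable[str] = POWERSHELL_HOSTS) -> List[Tuple[str, str, str]]:
    """Mirror the query's filter, but compare FileName case-insensitively against a
    configurable set of host names. Returns (DeviceName, FileName, decoded script)."""
    wanted = {n.lower() for n in file_names}
    hits = []
    for ev in events:
        if ev["FileName"].lower() not in wanted:
            continue
        decoded = decode_encoded_command(ev["ProcessCommandLine"])
        if decoded is not None:
            hits.append((ev["DeviceName"], ev["FileName"], decoded))
    return hits


def _enc(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample rows in the shape of DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {"DeviceName": "WS-01", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -EncodedCommand " + _enc("Get-Process")},
    {"DeviceName": "WS-02", "FileName": "pwsh.exe",
     "ProcessCommandLine": "pwsh.exe -enc " + _enc("Get-Date")},
    {"DeviceName": "WS-03", "FileName": "PowerShell_ISE.exe",
     "ProcessCommandLine": "PowerShell_ISE.exe -e " + _enc("Write-Output test")},
    {"DeviceName": "WS-04", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\ok.ps1"},
    {"DeviceName": "WS-05", "FileName": "cmd.exe",
     "ProcessCommandLine": "cmd.exe /c echo -EncodedCommand QUJD"},
]

if __name__ == "__main__":
    narrow = find_encoded_powershell(SAMPLE_EVENTS, file_names={"powershell.exe"})
    broad = find_encoded_powershell(SAMPLE_EVENTS)
    print("exact powershell.exe filter:", [h[0] for h in narrow])  # ['WS-01']
    print("all PowerShell hosts:       ", [h[0] for h in broad])   # ['WS-01', 'WS-02', 'WS-03']
```

The narrow filter reproduces the question's symptom: only the device that launched powershell.exe by its exact lowercase name is reported, while the pwsh.exe and PowerShell_ISE.exe executions are silently dropped. In KQL the equivalent widening is to test FileName against all three names (for example with `in~`), which also removes the case sensitivity of `==`.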

309
MCQmedium

Refer to the exhibit. You are configuring an automation rule in Microsoft Sentinel to block IP addresses from high-severity incidents. The rule triggers on incident creation but fails to block the IP. What is the most likely cause?

A.The trigger type should be 'alertTrigger' instead of 'incidentTrigger'
B.The entity path 'incident.entities.IP' is incorrect; it needs to iterate over entities
C.The action type 'blockIP' is not supported in automation rules
D.The severity condition should be 'GreaterThan' instead of 'Equals'
AnswerB

Entities are an array; the correct path would involve a loop or index.

Why this answer

Option B is correct because the JSON uses 'incident.entities.IP', but the actual path requires iterating over the entities array; the syntax is incorrect. Option D is wrong because the severity condition is correct. Option A is wrong because there is no inconsistency; the trigger type is incidentTrigger.

Option C is wrong because blockIP is a valid action type in automation rules.

310
MCQmedium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. You want to automatically isolate a device when a high-severity incident is created. What is the most efficient way to achieve this?

A.Manually isolate the device from the Microsoft Defender for Endpoint console after the incident is created.
B.Create an automation rule in Microsoft Sentinel that runs a PowerShell script to isolate the device.
C.Create a custom detection rule in Microsoft Defender XDR that triggers device isolation.
D.Create an automation rule in Microsoft Sentinel that triggers a playbook, which uses the Microsoft Defender for Endpoint connector to isolate the device.
AnswerD

This is the most efficient integrated approach.

Why this answer

Option D is correct because Microsoft Sentinel automation rules can run a playbook that isolates the device via the Microsoft Defender for Endpoint connector. Option B is wrong because automation rules cannot directly run scripts. Option C is wrong because a custom detection rule in Defender XDR does not integrate with Sentinel incident creation.

Option A is wrong because manual isolation is not automatic.

311
MCQmedium

A SOC team uses Microsoft Sentinel and wants to automatically enrich incidents with threat intelligence from a third-party feed. Which feature should they configure to ingest the threat intelligence and correlate it with alerts?

A.Analytics rules
B.Threat intelligence connectors
C.Data connectors
D.Watchlists
AnswerB

These connectors import TI indicators and enable matching.

Why this answer

The correct answer is B. Threat intelligence connectors in Microsoft Sentinel allow ingestion of TI feeds and enable correlation with alerts. The other options do not provide this capability.

312
MCQmedium

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Defender XDR to find devices running encoded PowerShell commands in the last hour. The query returns results showing a device named 'DESKTOP-123' with account 'jdoe'. The analyst suspects malicious activity. Which immediate next step should the analyst take?

A.Delete the query because it returned results
B.Modify the query to increase the time range to 24 hours
C.Click on the result to open the full device timeline and analyze the process tree
D.Isolate the device 'DESKTOP-123' from the network
AnswerC

Investigating the timeline provides context on parent processes and related events.

Why this answer

Option C is correct because the analyst should investigate the device further to understand the context of the encoded command. Option D is wrong because isolating without investigation may be premature. Option B is wrong because extending the time range does not help with this specific incident.

Option A is wrong because the query is valid and has already run.

313
Multi-Selectmedium

Which TWO actions are appropriate when responding to a confirmed data exfiltration incident via email?

Select 2 answers
A.Block the recipient domain on the email gateway
B.Place a legal hold on the user's mailbox
C.Disable the user's account immediately
D.Delete all sent items from the user's mailbox
E.Run a full antivirus scan on the user's device
AnswersA, B

Prevents further emails to that domain.

Why this answer

Appropriate actions are to block the recipient domain and place a legal hold on the mailbox. Disabling the user account might be premature. Scanning the device is not directly for email.

Deleting sent items is not forensic.

314
MCQhard

Fabrikam uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview Compliance Manager. An incident is generated: 'Insider risk - user deleting large volumes of files from SharePoint Online.' The incident is from Microsoft Purview Insider Risk Management. The user is a senior executive, and disabling the account is not an option without board approval. You need to contain the data deletion. Which of the following is the BEST immediate action?

A.Remove the user's permissions to the SharePoint sites.
B.Block the user's access in Microsoft Entra ID temporarily.
C.Apply a retention hold to the user's OneDrive and SharePoint sites.
D.Create a DLP policy to block deletion of files.
AnswerC

Preserves data without disrupting user access.

Why this answer

Option C is correct: applying a retention hold to the user's OneDrive and SharePoint sites preserves the data without affecting the user's access. Option B is wrong: blocking the user disrupts their work. Option A is wrong: removing permissions may not stop the deletion if the user is the site owner.

Option D is wrong: creating a DLP policy does not stop the deletion already in progress.

315
MCQmedium

Your organization uses Microsoft Defender XDR. A user reports that their device is behaving erratically, with unexpected pop-ups and high CPU usage. You suspect malware infection. You need to collect forensic data from the device for analysis. What should you do?

A.Create a custom detection rule in Microsoft Defender for Endpoint to capture the behavior.
B.Offboard the device and re-onboard it to trigger a fresh investigation.
C.Initiate a live response session on the device from the Microsoft 365 Defender portal.
D.Run a full antivirus scan using Microsoft Defender Antivirus.
AnswerC

Live response provides remote shell access to collect forensic artifacts.

Why this answer

Option C is correct because initiating a live response session in the Microsoft 365 Defender portal allows you to collect forensic data, run commands, and investigate the device in real time. Option D is incorrect because a full scan does not collect forensic data. Option B is incorrect because the device is already onboarded.

Option A is incorrect because a custom detection rule is for automated detection, not forensic collection.

316
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. An alert indicates that a user is downloading large amounts of data from SharePoint Online. What should you do first to investigate?

A.Govern the user by suspending their account.
B.Review the user's activity log in Defender for Cloud Apps.
C.Create a new IP address range for the organization.
D.Block the SharePoint Online app for all users in Defender for Cloud Apps.
AnswerB

Reviewing activity logs helps understand the context of the downloads.

Why this answer

Option B is correct because the user's activity log provides detailed information about the downloads and helps determine whether they are malicious. Option D is wrong because blocking the app for all users is too broad. Option C is wrong because creating an IP range is proactive but not investigative.

Option A is wrong because suspending the account is a reactive step that might be premature.

317
MCQhard

You run the above KQL query in Microsoft Sentinel to detect potential brute-force attacks on Microsoft Teams. After reviewing the results, you notice that some entries have a high LogonCount but are missing from the output. What is the most likely reason?

A.The RiskLevelDuringSignIn field is misspelled as RiskLevelDuringSignIn.
B.The query only considers logons to Microsoft Teams, but the high LogonCount may be from other applications.
C.The inner join excludes entries that do not have a corresponding risky sign-in event.
D.The join condition does not include AccountUpn, so it fails to match.
AnswerC

The inner join only retains rows where the AccountUpn and IPAddress appear in both IdentityLogonEvents and AADSignInEventsBeta with the specified risk level.

Why this answer

Option C is correct because the join is an inner join, which only returns rows that have matching AccountUpn and IPAddress in both tables. If high LogonCount entries do not have a corresponding risky sign-in event (RiskLevelDuringSignIn medium or high), they are excluded. Option A is wrong because the field name in the query is spelled correctly as RiskLevelDuringSignIn.

Option B is wrong because the query filters by Application == 'Microsoft Teams', so it only considers Teams logons. Option D is wrong because the join keys are AccountUpn and IPAddress, not AccountUpn alone.
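Because the exhibit query is not reproduced here, the following added example (not part of the question bank) rebuilds its pipeline in Python over constructed rows shaped like IdentityLogonEvents and AADSignInEventsBeta: filter to Microsoft Teams, summarize a LogonCount per (AccountUpn, IPAddress), then join against sign-ins with RiskLevelDuringSignIn of medium or high. The `kind` switch shows the failure mode the question describes (an inner join drops high-LogonCount rows with no risky sign-in) beside the leftouter variant that keeps them. The threshold of 10, the account names and the IP addresses are constructed for the example.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Key = Tuple[str, str]  # (AccountUpn, IPAddress): the join keys named in the question


def _logons(upn: str, ip: str, app: str, n: int) -> List[Dict[str, str]]:
    """Constructed helper: n identical logon rows in the shape of IdentityLogonEvents."""
    return [{"AccountUpn": upn, "IPAddress": ip, "Application": app} for _ in range(n)]


# Constructed sample data (not real tenant telemetry).
LOGON_EVENTS = (
    _logons("alice@contoso.com", "198.51.100.10", "Microsoft Teams", 12)
    + _logons("bob@contoso.com", "198.51.100.20", "Microsoft Teams", 15)
    + _logons("carol@contoso.com", "198.51.100.30", "Office 365 Exchange Online", 20)
)
RISKY_SIGNINS = [  # shape of AADSignInEventsBeta
    {"AccountUpn": "alice@contoso.com", "IPAddress": "198.51.100.10", "RiskLevelDuringSignIn": "high"},
    {"AccountUpn": "bob@contoso.com", "IPAddress": "198.51.100.20", "RiskLevelDuringSignIn": "none"},
]


def summarize_teams_logons(events: Iterable[Dict[str, str]], threshold: int = 10) -> Dict[Key, int]:
    """where Application == 'Microsoft Teams'
    | summarize LogonCount = count() by AccountUpn, IPAddress
    | where LogonCount > threshold"""
    counts = Counter((e["AccountUpn"], e["IPAddress"])
                     for e in events if e["Application"] == "Microsoft Teams")
    return {k: v for k, v in counts.items() if v > threshold}


def risky_keys(signins: Iterable[Dict[str, str]], levels=("medium", "high")) -> set:
    """where RiskLevelDuringSignIn in ('medium', 'high') | project AccountUpn, IPAddress"""
    return {(s["AccountUpn"], s["IPAddress"]) for s in signins if s["RiskLevelDuringSignIn"] in levels}


def join_with_risk(events, signins, kind: str = "inner") -> List[Dict[str, object]]:
    """Join the summarized logons with risky sign-ins on (AccountUpn, IPAddress).

    kind='inner' behaves like the question's query: left rows with no risky
    sign-in are dropped. kind='leftouter' (KQL: join kind=leftouter) keeps every
    high-LogonCount row and records whether a risky sign-in matched it.
    """
    if kind not in ("inner", "leftouter"):
        raise ValueError(f"unsupported join kind: {kind}")
    risky = risky_keys(signins)
    rows = []
    for key, count in sorted(summarize_teams_logons(events).items()):
        matched = key in risky
        if kind == "inner" and not matched:
            continue
        rows.append({"AccountUpn": key[0], "IPAddress": key[1],
                     "LogonCount": count, "RiskySignIn": matched})
    return rows


if __name__ == "__main__":
    for kind in ("inner", "leftouter"):
        rows = join_with_risk(LOGON_EVENTS, RISKY_SIGNINS, kind)
        print(kind, [(r["AccountUpn"], r["LogonCount"], r["RiskySignIn"]) for r in rows])
```

With the inner join only alice appears, even though bob has the higher LogonCount, because bob's sign-ins carry no medium or high risk level. The leftouter variant surfaces bob as well with RiskySignIn set to False, which is the behaviour an analyst wants when the risk signal is an enrichment rather than a required condition; carol never reaches the join because the Application filter runs first.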

318
MCQmedium

You are reviewing this ARM template for a Microsoft Sentinel analytics rule. What is the most likely issue with the rule?

A.The rule type is incorrect for this scenario
B.The query syntax is invalid
C.The query references a table that does not exist in Microsoft Sentinel
D.The severity property should be 'Informational'
AnswerC

IdentityInfo is not a standard Sentinel table.

Why this answer

Option C is correct because the query uses the 'IdentityInfo' table, which is not a standard Sentinel table; it should be 'IdentityLogonEvents' or 'AuditLogs'. Option B is wrong because the syntax is valid. Option D is wrong because the severity is valid.

Option A is wrong because the rule type is correct.

319
MCQmedium

A security analyst detects a suspicious sign-in from an unusual location using Microsoft Entra ID. The user has not enabled MFA. Which action should the analyst take first to investigate and potentially contain the incident?

A.Reset the user's password immediately.
B.Enable Conditional Access to block all sign-ins from that location.
C.Disable the user account.
D.Block legacy authentication for the entire tenant.
AnswerC

Disabling the account immediately prevents any further sign-ins and contains the incident while investigation is ongoing.

Why this answer

Disabling the user account is the immediate containment action that prevents further unauthorized access while the investigation proceeds. Resetting the password alone does not stop the current session; blocking legacy authentication is a broader action that may break legitimate services; enabling MFA is preventive rather than immediate containment.

320
MCQeasy

An incident is opened in Microsoft Sentinel for multiple sign-in failures from a single IP address targeting a privileged user account. Which action is most effective in automatically responding to this incident?

A.Create a playbook to block the IP address in the firewall.
B.Enable conditional access policy to require MFA for the user.
C.Create a playbook to automatically disable the user account.
D.Report the IP address to Microsoft for threat intelligence.
AnswerA

Blocking the IP stops the attack at the source without affecting the user account.

Why this answer

The most effective automated response is to block the IP address in the firewall via a playbook, as it directly stops the attack source. Disabling the user account is too broad and may affect legitimate access. Enabling MFA does not stop the current attack.

Reporting the IP is not immediate.

321
MCQmedium

Your organization uses Microsoft Sentinel. A security analyst reports that an incident was created for a sign-in from an unfamiliar location, but after investigation, it was determined to be a false positive. You need to ensure that similar sign-ins do not generate incidents in the future. What should you do?

A.Modify the built-in Microsoft analytics rule to exclude the sign-in location.
B.Close the incident with a classification of False Positive.
C.Create an automation rule that automatically closes similar incidents.
D.Create a custom analytics rule with an alert suppression condition matching the sign-in attributes.
AnswerD

Alert suppression allows you to exclude certain events from triggering alerts.

Why this answer

Option D is correct because creating a custom analytics rule with an alert suppression condition based on the specific location or user attributes prevents future alerts for similar events. Option B is wrong because closing the incident does not suppress future alerts. Option A is wrong because modifying the built-in rule's query is not recommended and may affect other detections.

Option C is wrong because automation rules handle response actions, not alert suppression.

322
MCQhard

Your organization uses Microsoft Sentinel and has several analytics rules that generate incidents from various data sources. The SOC team is overwhelmed by the number of incidents. You need to implement a triage system that automatically assigns incidents to different analysts based on the incident's tactics and severity. You also want to send a notification to the assigned analyst via Teams. What should you do?

A.Create multiple automation rules that trigger on incident creation, each with conditions for specific tactics and severity, and then run a playbook that assigns the incident to an analyst and sends a Teams notification.
B.Use a workbook to create a triage dashboard and instruct analysts to manually claim incidents from the dashboard.
C.Modify each analytics rule to include a custom details field that specifies the analyst, and use a playbook to send Teams notification based on that field.
D.Create a single playbook that checks the incident's tactics and severity, assigns it to the appropriate analyst, and sends a Teams notification, then configure that playbook to run automatically on all new incidents.
AnswerA

Automation rules can filter by properties and run playbooks that perform assignments and notifications.

Why this answer

Automation rules can assign incidents and run playbooks. Option A is correct because multiple automation rules can each handle different conditions. Option D is wrong because playbooks cannot assign incidents directly.

Option C is wrong because analytics rules do not assign incidents. Option B is wrong because workbooks are for visualization, not automation.

323
MCQhard

Refer to the exhibit. You run this KQL query in Microsoft 365 Defender advanced hunting to investigate an incident involving IP address 203.0.113.1. The query returns results, but you need to also see which devices communicated with this IP. How should you modify the query?

A.Join with IdentityLogonEvents on AccountUpn
B.Join with DeviceNetworkEvents on DeviceId where RemoteIP == "203.0.113.1"
C.Join with DeviceInfo on DeviceId
D.Join with EmailEvents on AlertId
AnswerB

DeviceNetworkEvents contains network connections from devices, including remote IP.

Why this answer

Option B is correct because you need to join with DeviceNetworkEvents to see device-level network connections to the IP. Option C is wrong because DeviceInfo does not contain network connections. Option D is wrong because EmailEvents contains email data, not device network traffic.

Option A is wrong because IdentityLogonEvents contains authentication events, not network connections.

324
Multi-Selecthard

Which TWO playbook actions can be used to automatically contain a compromised user account in Microsoft Entra ID during an incident? (Choose TWO.)

Select 2 answers
A.Reset the user's password.
B.Send a notification email to the user.
C.Disable the user account via Microsoft Graph API.
D.Add the user to a group that has access to critical resources.
E.Revoke all refresh tokens and sessions for the user.
AnswersC, E

Disabling the account immediately blocks all access.

Why this answer

Option C is correct because disabling the account is a containment action. Option E is correct because revoking sessions ensures the attacker loses access. Option B is wrong because a notification does not prevent login.

Option D is wrong because adding the user to a privileged group is not containment. Option A is wrong because it is not containment.

325
MCQhard

You are a security analyst at Contoso. Microsoft Sentinel is deployed with the Microsoft Defender for Cloud Apps connector. An incident is generated for a high-risk sign-in from a user named JaneDoe@contoso.com. The incident severity is Medium. The incident details show that the sign-in originated from an IP address in a country where Contoso has no business presence, and the user recently changed their password. You suspect account compromise. You need to take immediate action to contain the threat and prevent further unauthorized access. The user is currently active in Microsoft Entra ID. You have the following options: A) Force the user to re-authenticate by revoking their sessions in Microsoft Entra ID. B) Disable the user account in Microsoft Entra ID. C) Block the IP address in Microsoft Defender for Cloud Apps. D) Create a Sentinel automation rule to automatically disable accounts on similar alerts. Which action should you take first to contain the current incident?

A.Force the user to re-authenticate by revoking their sessions.
B.Disable the user account in Microsoft Entra ID.
C.Block the IP address in Microsoft Defender for Cloud Apps.
D.Create a Sentinel automation rule to automatically disable accounts on similar alerts.
AnswerB

Disabling the account stops all access immediately, containing the threat.

Why this answer

Option B is correct because disabling the user account immediately stops any further access using that account, which is the most direct containment action. Option A (Revoke sessions) would end current sessions but the user could still authenticate again if credentials are compromised. Option C (Block IP) is less effective as the attacker may use other IPs.

Option D (Create automation rule) is a long-term solution, not immediate containment.

326
MCQhard

During a ransomware response in Microsoft Defender XDR, you identify that multiple devices are communicating with a known C2 server over port 443. You need to block this communication across all devices immediately. What is the most effective course of action?

A.Add the C2 server domain to the Microsoft Defender for Office 365 Tenant Allow/Block List
B.Create a firewall rule to block outbound traffic to the C2 server IP address
C.Create an indicator of compromise (IoC) in Microsoft Defender for Endpoint with action 'Alert and block'
D.Add the C2 server URL to the custom indicator list in Microsoft Defender for Cloud Apps
AnswerB

This blocks communication at the network level immediately.

Why this answer

Option B is correct because blocking the IoC at the firewall is immediate and network-wide. Option C is wrong because IoC actions in Defender for Endpoint are endpoint-only and may not cover all devices. Option A is wrong because it does not affect network traffic.

Option D is wrong because it only blocks at the proxy level, not all traffic.

327
MCQeasy

A security analyst is investigating a phishing incident in Microsoft Defender XDR. The analyst wants to see the full email content and attachments. Where should the analyst look?

A.The incident timeline
B.The action center
C.The email entity page
D.The user entity page
AnswerC

The email entity page displays email details, including content and attachments.

Why this answer

Option C is correct because the Email entity page in Microsoft Defender XDR provides detailed information about an email, including content and attachments. Option D is wrong because the user entity page shows user information, not email content. Option A is wrong because the incident timeline shows events, not full email content.

Option B is wrong because the action center is for response actions.

328
MCQhard

Your organization uses Microsoft Defender XDR. A security administrator reports that a user's device is showing high severity alerts for 'Tampering with Microsoft Defender Antivirus' but the device is not isolated. You need to ensure that when such alerts occur, the device is automatically isolated in Microsoft Defender for Endpoint. What should you do?

A.Create an automation rule in Microsoft Sentinel
B.Create an endpoint detection and response policy in Microsoft Intune
C.Create a custom detection rule in Microsoft Defender XDR
D.Configure an attack surface reduction rule
AnswerC

Custom detections can trigger automatic actions like isolation.

Why this answer

Option C is correct because you can create a custom detection rule in Microsoft Defender XDR that triggers an automatic response action such as device isolation. Option B is wrong because endpoint detection and response policies are for baseline settings. Option D is wrong because attack surface reduction rules block behaviors rather than automating response.

Option A is wrong because automation rules in Sentinel act on incidents, not directly on device isolation.

329
MCQeasy

Refer to the exhibit. An analyst runs the command to install the Azure Monitor Agent on a VM. What is the primary purpose of installing this agent in the context of security incident response?

A.To collect security events and performance data for analysis in Microsoft Sentinel.
B.To integrate the VM with Microsoft Defender for Cloud.
C.To scan the VM for vulnerabilities.
D.To enable real-time malware protection on the VM.
AnswerA

The agent collects data for SIEM.

Why this answer

Option A is correct because the Azure Monitor Agent collects logs and performance data, which can be used for security analysis. Option D is wrong because the agent does not block threats. Option B is wrong because Defender for Cloud is a separate service.

Option C is wrong because the agent is for data collection, not vulnerability scanning.

330
MCQhard

Your organization uses Microsoft Sentinel. You have a requirement to automatically add a tag to incidents that involve a specific user. The tag should be added when the incident is created. What should you configure?

A.Add the user to a watchlist and create a fusion rule.
B.Create an automation rule that triggers on incident creation and runs a playbook with the 'Add tag' action.
C.Modify the analytics rule to include a tag in the incident configuration.
D.Enable entity behavior analytics to automatically tag incidents.
AnswerB

Automation rules can run playbooks that add tags.

Why this answer

Option B is correct because an automation rule can run a playbook that adds a tag based on incident properties. Option A is wrong because watchlists are for enrichment, not tagging. Option C is wrong because analytics rules create alerts, not tags.

Option D is wrong because entity behavior analytics does not add tags.

331
Multi-Selecteasy

Which TWO response actions are available in Microsoft Defender for Endpoint for a compromised device? (Choose two.)

Select 2 answers
A.Disable the user account
B.Run a full antivirus scan
C.Change the Windows Firewall rules
D.Isolate the device from the network
E.Reset the device to factory defaults
AnswersB, D

Full scan can be initiated from the Defender for Endpoint console.

Why this answer

Options B and D are correct because Defender for Endpoint supports isolating a device and running a full antivirus scan. Option E is wrong because resetting the device to factory defaults is not a standard response action. Option A is wrong because disabling the user account is an identity action, not a device action.

Option C is wrong because changing the firewall rules is not a predefined response action in Defender for Endpoint.

332
Multi-Selectmedium

An incident in Microsoft Sentinel involves multiple alerts indicating a potential data exfiltration via SharePoint Online. You need to respond and remediate. Which THREE actions should be taken?

Select 3 answers
A.Remove external sharing permissions on SharePoint sites.
B.Block the user account in Microsoft Entra ID.
C.Reset the user's password and enforce MFA.
D.Isolate the user's device using Microsoft Defender for Endpoint.
E.Create a custom detection rule for similar activity.
AnswersA, B, D

Prevents further data exfiltration via sharing.

Why this answer

Blocking the user in Microsoft Entra ID (B) stops further access. Removing external sharing (A) prevents further data leaks. Isolating the user's device (D) is a containment step.

Resetting the password (C) is less immediate than blocking. Creating a custom detection rule (E) is a detection step, not containment.

333
Multi-Selecteasy

Which TWO are valid incident classification categories in Microsoft Sentinel? (Select TWO.)

Select 2 answers
A.False Positive
B.Malicious
C.Informational
D.True Positive
E.Benign Positive
AnswersD, E

True Positive is a standard classification.

Why this answer

Options D and E are the intended answers. True Positive (suspicious activity) and Benign Positive (suspicious but expected) are both classifications offered when closing a Sentinel incident. Option B is wrong because Malicious is not a classification. Option C is wrong because Informational is an alert severity, not an incident classification.

Note that Option A, False Positive, is also a valid Sentinel classification (with the reasons "Incorrect alert logic" and "Inaccurate data"), as is Undetermined. The question asks for exactly two answers, so treat D and E as the expected pair, but do not conclude from it that False Positive is invalid.

334
MCQeasy

During an incident response, you need to collect forensic data from a compromised Linux server that is not managed by Microsoft Defender for Endpoint. You plan to use a manual collection script. Which tool should you use to securely upload the collected data to Azure for analysis?

A.Azure CLI to upload the data to an Azure Files share.
B.AzCopy to upload the data to Azure Blob Storage.
C.PowerShell to send the data to Log Analytics workspace.
D.The Log Analytics agent to forward the data.
AnswerB

AzCopy is a command-line tool for uploading files to Azure Storage.

Why this answer

Option B is correct because AzCopy is a cross-platform command-line tool designed for moving files into Azure Storage over TLS, authenticated with a SAS token or an Entra ID identity, with resume and integrity checks built in. Option A is wrong because Azure CLI is a general management tool rather than a bulk file-transfer tool. Option C is wrong because PowerShell is not installed by default on most Linux distributions, and the Log Analytics ingestion path accepts structured log records, not arbitrary files.

Option D is wrong because the Log Analytics agent forwards log data to a workspace; it does not upload arbitrary forensic artifacts. In practice, hash the collected archive before upload and write it to a container with an immutability policy so the evidence chain is defensible.

335
MCQmedium

Your organization uses Microsoft Defender for Cloud to protect Azure resources. A security alert indicates that a virtual machine (VM) is communicating with a known malicious IP. The analyst needs to isolate the VM from the network to prevent further data exfiltration. What should the analyst do?

A.Use Azure Bastion to connect to the VM and shut it down.
B.Use Azure Monitor to create an alert and then manually stop the VM.
C.Create an Azure Firewall rule to block traffic to the malicious IP.
D.Apply a Just-in-time VM access policy in Microsoft Defender for Cloud to deny all inbound and outbound traffic.
AnswerD

JIT can create NSG rules to isolate the VM.

Why this answer

Option D is the intended answer: Just-in-time VM access works by creating network security group (NSG) rules that deny traffic to the VM until access is explicitly requested and approved. Option A is wrong because Azure Bastion provides RDP/SSH connectivity, not isolation. Option B is wrong because an Azure Monitor alert notifies; it does not isolate anything. Option C is wrong because an Azure Firewall rule applies to all traffic routed through the firewall, not to a single VM.

Caveat for practitioners: JIT controls inbound management ports only, so on its own it does not stop the outbound connection to the malicious IP described here. To cut that off, add explicit NSG deny rules (inbound and outbound) on the VM's NIC or subnet, and take a disk snapshot before making changes so evidence is preserved.

336
MCQhard

You are investigating a lateral movement incident in Microsoft Defender for Endpoint. The timeline shows that a user's credentials were used from a compromised workstation to access a sensitive server. Which action should you take to contain the incident?

A.Disable the sensitive server's network account.
B.Isolate the compromised workstation only.
C.Block all network traffic from the compromised workstation to the server.
D.Reset the compromised user's password and revoke all active sessions.
AnswerD

This invalidates the stolen credentials and stops lateral movement regardless of source.

Why this answer

Resetting the compromised user's password and revoking sessions is the most effective containment step because it invalidates the stolen credentials wherever the attacker tries to use them. Isolating the workstation is still necessary, but it does not stop the credentials from being replayed from another host. Disabling an account on the sensitive server is too broad and disrupts the service.

Blocking traffic from the one workstation to the server covers a single path; the attacker can reuse the same credentials from elsewhere.

337
Multi-Selectmedium

Which TWO actions can you perform in Microsoft Defender XDR as part of incident response?

Select 2 answers
A.Create a Microsoft Sentinel workbook
B.Modify a Microsoft Entra ID conditional access policy
C.Run a KQL query in Azure Data Explorer
D.Collect an investigation package from a device
E.Isolate a device from the network
AnswersD, E

Valid response action.

338
MCQeasy

You are working on a security incident in Microsoft Sentinel where you need to contain a compromised virtual machine. What is the most immediate containment action?

A.Isolate the VM by applying a network security group (NSG) rule
B.Apply the latest security patches to the VM
C.Run a full antivirus scan on the VM
D.Take a snapshot of the VM for forensic analysis
AnswerA

Immediate network containment.

Why this answer

Option A is correct because an NSG deny rule cuts the VM off from the network, stopping lateral movement and command-and-control traffic immediately. Option B is wrong because patching is hardening, not containment. Option C is wrong because an antivirus scan detects and cleans but does not stop network activity while it runs.

Option D is wrong because a snapshot preserves evidence for forensics; it contains nothing, although it should be taken before any remediation that alters the disk.

339
MCQeasy

Your organization uses Microsoft Sentinel. You receive an incident for a potential malware outbreak. You need to quickly see which entities are involved (e.g., IPs, hosts, accounts). Where should you look?

A.Incident timeline
B.Comments section
C.Entities tab
D.Alerts tab
AnswerC

Entities tab shows all related entities in the incident.

Why this answer

Option C is correct because the Entities tab of an incident lists every mapped entity (accounts, hosts, IP addresses, files, URLs) across all of the incident's alerts. Option A (Timeline) shows the alerts and bookmarks in time order. Option D (Alerts) lists the individual alerts rather than the entities they share.

Option B (Comments) is for analyst collaboration.

340
MCQhard

The KQL query above is used in a Microsoft Sentinel analytics rule. What is the purpose of this rule?

A.Detect when a disabled user account attempts to sign in.
B.Identify users who have been disabled due to inactivity.
C.Detect brute force attempts against disabled user accounts.
D.Monitor sign-in attempts from suspicious IP addresses.
AnswerC

The threshold on count per IP and the condition on disabled accounts makes this a brute force detection for disabled accounts.

Why this answer

The query looks for sign-in failures (ResultType 50057) for disabled accounts (AccountEnabled == false) from the same IP exceeding a threshold. This indicates potential brute force attacks against disabled accounts, which could be a sign of reconnaissance or credential stuffing.
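The detection logic described above, as an added example that is not the question's exhibit (the exhibit itself is not reproduced on this page) and not Microsoft's code: failures with ResultType 50057 ("user account is disabled") are counted per source IP per time bin and any IP over the threshold is reported along with how many distinct accounts it hit. The sign-in rows are constructed sample data shaped like a few SigninLogs columns; the equivalent KQL is sketched in a comment at the end.

```python
"""Brute force against disabled accounts: the rule logic from question 340,
implemented over constructed sign-in rows (added example, not the exhibit)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ACCOUNT_DISABLED = "50057"   # Entra ID sign-in error code: user account is disabled
BAD_PASSWORD = "50126"       # Entra ID sign-in error code: invalid username or password


def _make_row(minute, ip, upn, result_type):
    # Constructed row; TimeGenerated is UTC, as it is stored in Log Analytics.
    return {
        "TimeGenerated": datetime(2024, 5, 1, 9, minute, tzinfo=timezone.utc),
        "IPAddress": ip,
        "UserPrincipalName": upn,
        "ResultType": result_type,
    }


# Constructed data: 12 failures against three disabled accounts from one IP within
# eleven minutes, plus noise that must not count (a bad-password failure and a
# successful sign-in from the same IP, and two stray failures from a second IP).
SAMPLE_SIGNINS = (
    [_make_row(i, "203.0.113.10", f"former{i % 3}@contoso.example", ACCOUNT_DISABLED)
     for i in range(12)]
    + [_make_row(12, "203.0.113.10", "alice@contoso.example", BAD_PASSWORD),
       _make_row(13, "203.0.113.10", "alice@contoso.example", "0"),
       _make_row(20, "198.51.100.7", "former0@contoso.example", ACCOUNT_DISABLED),
       _make_row(45, "198.51.100.7", "former1@contoso.example", ACCOUNT_DISABLED)]
)


def _bin_start(ts, window):
    """Floor a UTC timestamp to the start of its window, like KQL bin()."""
    seconds = int(window.total_seconds())
    floored = int(ts.timestamp()) // seconds * seconds
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def detect_disabled_account_bruteforce(rows, threshold=10, window=timedelta(hours=1)):
    """Return one finding per (IP, bin) whose count of 50057 failures exceeds threshold.

    Each finding also records how many distinct accounts were targeted: many
    accounts from one IP points at spraying rather than one client retrying.
    """
    attempts = defaultdict(int)
    accounts = defaultdict(set)
    for row in rows:
        if row["ResultType"] != ACCOUNT_DISABLED:
            continue
        key = (row["IPAddress"], _bin_start(row["TimeGenerated"], window))
        attempts[key] += 1
        accounts[key].add(row["UserPrincipalName"])
    findings = [
        {"IPAddress": ip, "WindowStart": start, "Attempts": n,
         "DistinctAccounts": len(accounts[(ip, start)])}
        for (ip, start), n in attempts.items() if n > threshold
    ]
    return sorted(findings, key=lambda f: f["Attempts"], reverse=True)


# Sentinel analytics-rule equivalent of the function above (illustrative KQL,
# not the exhibit referenced by the question):
#   SigninLogs
#   | where ResultType == "50057"
#   | summarize Attempts = count(), DistinctAccounts = dcount(UserPrincipalName)
#       by IPAddress, bin(TimeGenerated, 1h)
#   | where Attempts > 10

if __name__ == "__main__":
    for finding in detect_disabled_account_bruteforce(SAMPLE_SIGNINS):
        print(finding)
```

Only the 50057 rows count, so a successful sign-in or a plain bad password from the same address does not inflate the score; the second IP stays below the default threshold and is not reported.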

341
MCQhard

During an incident, you need to prevent a malicious process from running on all endpoints using Microsoft Defender for Endpoint. The process is not yet detected by antivirus signatures. Which action should you use?

A.Run antivirus scan
B.Add an indicator to block the process
C.Collect investigation package
D.Initiate Live Response
AnswerB

Blocks by hash or other indicator.

Why this answer

Option B is correct because Indicators let you block (or allow) a file hash, IP address, URL, domain or certificate across all onboarded devices, independently of antivirus signatures. Option A is wrong because an antivirus scan relies on existing detections and will not catch an unknown process. Option D is wrong because Live Response is an interactive investigation session on a single device.

Option C is wrong because collecting an investigation package gathers evidence; it does not prevent anything from running.

342
MCQeasy

A SOC analyst receives a Microsoft Defender for Cloud Apps alert about a mass download of files from a SharePoint site by a single user. The analyst needs to contain the incident. Which action should be taken first?

A.Increase the SharePoint download limit.
B.Notify the user's manager.
C.Suspend the user account in Microsoft Entra ID.
D.Run a malware scan on the downloaded files.
AnswerC

Suspending the account stops all access immediately.

Why this answer

Suspending the user in Microsoft Entra ID stops all account activity at once. Option A, raising the download limit, makes the problem worse. Option B, notifying the manager, is a communication step rather than containment. Option D, scanning the downloaded files, addresses a different scenario (malware on the endpoint, not data theft).

343
Multi-Selectmedium

Which THREE are valid ways to automatically respond to a security incident in Microsoft Defender XDR?

Select 3 answers
A.Configure an automated investigation and response (AIR) playbook.
B.Create a custom detection rule that triggers an automatic remediation action.
C.Integrate threat intelligence to automatically block indicators.
D.Manually run a playbook from the incident.
E.Use attack simulation training to automatically isolate devices.
AnswersA, B, E

AIR automatically responds to incidents.

Why this answer

Options A, B and E match the answer key. Automated investigation and response (AIR) investigates and remediates alerts without analyst involvement, and custom detection rules can be configured with response actions that run whenever the rule matches. Option D is wrong because a playbook run by hand from the incident is, by definition, not automatic.

Caveat: in the product, Attack Simulation Training (E) is a phishing-simulation and user-training feature and does not isolate devices, whereas threat intelligence fed into custom indicators (C) does block automatically. Treat this item as an artifact of the question bank; on a similar question, reason from what each feature actually does.

344
MCQhard

You have an automation rule in Microsoft Sentinel configured as shown. An incident with severity Medium is created, but the playbook does not run. What is the most likely reason?

A.The triggerType should be 'Alert' instead of 'Incident'.
B.The automation rule trigger is set to 'When incident is created', but the incident may have been created with a lower severity and later updated to Medium.
C.The playbook does not have permissions to run in the Sentinel resource group.
D.The playbookId is incorrect or the playbook has been deleted.
AnswerB

The rule only triggers on creation, not on update; if severity changes later, it won't trigger.

Why this answer

Option B is correct because the rule's trigger is "When incident is created" and its condition requires severity Medium. If the incident was created at a lower severity and later raised to Medium, the creation trigger was evaluated once, did not match, and nothing re-evaluates it on the update. To cover that case, add a rule (or change this one) that triggers on "When incident is updated" with a condition on the severity change. Option A is wrong because the scenario is about an incident, so the incident trigger type is correct.

Options C and D describe real failure modes, but a missing permission or a deleted playbook normally surfaces as a failed action run rather than as the rule silently not matching.

345
MCQmedium

You have detected a suspicious PowerShell command running on several workstations. The command appears to be downloading a payload from a known malicious URL. What is the most effective immediate response using Microsoft Defender for Endpoint?

A.Add the URL to the custom threat indicator list in Microsoft Defender for Endpoint.
B.Quarantine the affected workstations.
C.Enable attack surface reduction rule to block PowerShell scripts.
D.Initiate a Live Response session to investigate each workstation.
AnswerA

This immediately blocks the URL across all endpoints, preventing further downloads.

Why this answer

The most effective immediate response is to block the malicious URL with a custom indicator, which prevents the download on every onboarded device (URL and IP indicators require network protection to be enabled on the devices). Live Response is for investigating one device at a time, not for blocking. Isolating the affected workstations contains those devices but disrupts users and does nothing for devices that have not run the command yet.

ASR rules are predefined behavioral rules (for example, blocking obfuscated scripts), not URL blocks, and may not cover this specific activity.
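The response actions named in questions 331, 341 and 345 (isolate a device, run an antivirus scan, collect an investigation package, block an indicator), as an added example that is not from the quiz or from Microsoft's samples: each action is built as a Defender for Endpoint API request so it can be reviewed before anything is sent. The paths and body fields follow the public Defender for Endpoint API; the machine ID, bearer token and indicator values are placeholders, and the hash-format checks are local guards added here, not API behaviour.

```python
"""Defender for Endpoint response actions as API requests (added example)."""
import json
import re
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"

ISOLATION_TYPES = ("Full", "Selective")   # Selective keeps Outlook, Teams, Skype for Business working
SCAN_TYPES = ("Full", "Quick")
INDICATOR_TYPES = ("FileSha1", "FileSha256", "FileMd5", "IpAddress", "Url",
                   "DomainName", "CertificateThumbprint")
INDICATOR_ACTIONS = ("Alert", "Warn", "Block", "Audit", "BlockAndRemediate",
                     "AlertAndBlock", "Allowed")
# Local format checks so a truncated or mistyped hash is rejected before the API call.
HASH_PATTERNS = {
    "FileSha256": re.compile(r"^[0-9a-fA-F]{64}$"),
    "FileSha1": re.compile(r"^[0-9a-fA-F]{40}$"),
    "FileMd5": re.compile(r"^[0-9a-fA-F]{32}$"),
}


def _request(path, body):
    return {"method": "POST", "url": f"{API_BASE}/{path}", "body": body}


def build_isolate_request(machine_id, comment, isolation_type="Full"):
    """Isolate a device; both isolation types keep the Defender for Endpoint channel open."""
    if isolation_type not in ISOLATION_TYPES:
        raise ValueError(f"isolation_type must be one of {ISOLATION_TYPES}")
    return _request(f"machines/{machine_id}/isolate",
                    {"Comment": comment, "IsolationType": isolation_type})


def build_unisolate_request(machine_id, comment):
    return _request(f"machines/{machine_id}/unisolate", {"Comment": comment})


def build_av_scan_request(machine_id, comment, scan_type="Full"):
    if scan_type not in SCAN_TYPES:
        raise ValueError(f"scan_type must be one of {SCAN_TYPES}")
    return _request(f"machines/{machine_id}/runAntiVirusScan",
                    {"Comment": comment, "ScanType": scan_type})


def build_investigation_package_request(machine_id, comment):
    return _request(f"machines/{machine_id}/collectInvestigationPackage",
                    {"Comment": comment})


def build_indicator_request(value, indicator_type, title, description,
                            action="AlertAndBlock", severity="High"):
    """Create a custom indicator; blocking applies to every onboarded device."""
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"indicator_type must be one of {INDICATOR_TYPES}")
    if action not in INDICATOR_ACTIONS:
        raise ValueError(f"action must be one of {INDICATOR_ACTIONS}")
    pattern = HASH_PATTERNS.get(indicator_type)
    if pattern and not pattern.match(value):
        raise ValueError(f"{value!r} is not a well-formed {indicator_type}")
    return _request("indicators", {
        "indicatorValue": value, "indicatorType": indicator_type, "action": action,
        "title": title, "severity": severity, "description": description,
        "recommendedActions": "Review the linked incident before releasing the block.",
    })


def send(request, token):
    """Submit a built request with a bearer token (network call; not exercised here)."""
    req = urllib.request.Request(
        request["url"], data=json.dumps(request["body"]).encode(),
        method=request["method"],
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Plan for the scenario in question 345: block the payload URL tenant-wide first,
    # then contain a device that already ran the downloader and preserve evidence.
    plan = [
        build_indicator_request("https://malicious.example/payload.ps1", "Url",
                                "Payload download URL", "Seen in PowerShell downloader"),
        build_isolate_request("<machine-id>", "Ran PowerShell downloader", "Selective"),
        build_investigation_package_request("<machine-id>", "Evidence before cleanup"),
    ]
    for step in plan:
        print(step["method"], step["url"], json.dumps(step["body"]))
    # send(step, token) would submit each one; the token comes from an Entra ID app
    # registration granted Machine.Isolate, Machine.Scan, Machine.CollectForensics
    # and Ti.ReadWrite on the WindowsDefenderATP API.
```

Ordering matters in practice: the indicator goes in before isolation so devices not yet infected are protected while the known-bad ones are contained, and the investigation package is collected before any cleanup alters the disk.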

346
MCQmedium

Your organization has Microsoft Defender XDR enabled. An incident is generated for a user who clicked a phishing link in an email. The analyst needs to automatically disable the user's mailbox for suspicious activity. Which automated action should the analyst configure in a Microsoft Sentinel automation rule?

A.Run a playbook that deletes the phishing email from the user's inbox.
B.Configure an automation rule to block the sender IP address in Defender for Cloud Apps.
C.Run a playbook that resets the user's password.
D.Run a playbook that uses the Microsoft 365 Defender connector to disable the mailbox.
AnswerD

The Microsoft 365 Defender connector allows disabling a mailbox as a remediation action.

Why this answer

Option D is correct because the playbook performs the mailbox remediation through the Microsoft 365 Defender connector. Option A is wrong because deleting the email removes the lure but does nothing about the account being abused. Option B is wrong because Defender for Cloud Apps does not offer a sender-IP block as an automation-rule action.

Option C is wrong because a password reset is a different remediation; it protects the credential rather than suspending mailbox activity.

347
MCQmedium

During a ransomware incident, an analyst needs to identify which files were encrypted on an endpoint. The endpoint is running Windows and is managed by Microsoft Defender for Endpoint. Which data source should the analyst query in Advanced hunting?

A.DeviceRegistryEvents
B.DeviceNetworkEvents
C.DeviceProcessEvents
D.DeviceFileEvents
AnswerD

File events show modifications like encryption.

Why this answer

DeviceFileEvents records file creation, modification, renaming and deletion, which is where mass encryption shows up (a burst of modified files, often with a new extension, from one process). Option A is registry activity, Option B is network connections and Option C is process creation; those tables help identify the ransomware process, not the files it touched.

348
MCQeasy

A security analyst receives a Microsoft Defender for Cloud Apps alert about a user performing unusual file downloads from SharePoint. The analyst needs to investigate the user's activity in the last 24 hours. Which log source should the analyst query first?

A.Microsoft Entra ID sign-in logs
B.Microsoft Intune device logs
C.Office 365 audit logs
D.Cloud App Security logs in Microsoft Sentinel
AnswerD

Cloud App Security logs contain detailed user activities, including file downloads from SharePoint.

Why this answer

Option D is correct because the Defender for Cloud Apps activity log, ingested into Sentinel, records user actions in connected cloud apps, including SharePoint file downloads, and is the data the alert was raised from. Option A is wrong because Microsoft Entra ID sign-in logs show authentication events, not file activity. Option C is wrong because Office 365 audit logs do include SharePoint file activities, but Defender for Cloud Apps gives a more consolidated, already-enriched view for this alert.

Option B is wrong because Microsoft Intune logs cover device management.

349
MCQmedium

An incident in Microsoft Sentinel involves a phishing campaign that delivered a malicious macro-enabled document. The document was opened by 15 users. Which playbook action should be triggered automatically to contain the threat?

A.Isolate all affected devices from the network
B.Block the sender's IP address on the email gateway
C.Block the file hash using Microsoft Defender for Endpoint
D.Disable the user accounts of those who opened the document
AnswerC

Blocking the hash stops the malware from running on any device.

Why this answer

The automatic playbook action should block the file hash at the endpoint, which stops the macro's payload from executing on any device, including those of users who have not opened the document yet. Isolating 15 devices automatically is disruptive and may be more than the evidence warrants. Blocking the sender's IP is ineffective against phishing, which rotates sending infrastructure.

Disabling the accounts of users who merely opened the document does not stop the payload on devices where it already ran, and it penalizes victims before compromise is confirmed.

350
MCQeasy

Your organization uses Microsoft Sentinel. You have a playbook that sends an email notification to the SOC team when a new incident is created. The playbook is currently triggered manually. You want the playbook to run automatically every time an incident of severity High is created. What should you do?

A.Edit the analytics rule that generates the incident to include the playbook as an automated response.
B.Create an automation rule that triggers when an incident is created with severity High and runs the playbook.
C.Modify the playbook to add a trigger of 'When an incident is created' and set the severity condition.
D.Configure the playbook's Logic Apps designer to use an HTTP trigger that polls Sentinel for new incidents.
AnswerB

Automation rules are the correct way to automate playbook execution.

Why this answer

Option B is correct because automation rules, created in the Automation blade, are the supported way to run a playbook automatically when an incident is created that meets a condition such as severity High. Option A is wrong because incident-trigger playbooks are attached through automation rules, not through the analytics rule itself.

Option C is wrong because the severity condition belongs in the automation rule; the playbook's Sentinel incident trigger simply receives whatever incidents the automation rule passes to it. Option D is wrong because polling Sentinel from an HTTP trigger is not the supported pattern.
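The automation-rule mechanics behind questions 344 and 350, as an added example that is not from the quiz or from Microsoft: a rule written in the shape of the Microsoft.SecurityInsights/automationRules schema (trigger, Property conditions, RunPlaybook action) and a small evaluator that replays an incident's lifecycle against it. The resource IDs are placeholders, and the evaluator models Property conditions only; the real "Updated" trigger also supports PropertyChanged conditions, which are not implemented here.

```python
"""Sentinel automation rule, and why a 'Created' trigger misses a later severity change."""
import copy

AUTOMATION_RULE = {
    "displayName": "Run enrichment playbook on Medium incidents",
    "order": 1,
    "triggeringLogic": {
        "isEnabled": True,
        "triggersOn": "Incidents",
        "triggersWhen": "Created",   # the rule in question 344; never re-evaluated on updates
        "conditions": [{
            "conditionType": "Property",
            "conditionProperties": {
                "propertyName": "IncidentSeverity",
                "operator": "Equals",
                "propertyValues": ["Medium"],
            },
        }],
    },
    "actions": [{
        "order": 1,
        "actionType": "RunPlaybook",
        "actionConfiguration": {
            # Placeholder resource ID of the Logic App playbook.
            "logicAppResourceId": "/subscriptions/<sub>/resourceGroups/<rg>"
                                  "/providers/Microsoft.Logic/workflows/Enrich-Incident",
            "tenantId": "<tenant-id>",
        },
    }],
}

# Operators the schema allows on Property conditions.
_OPERATORS = {
    "Equals": lambda actual, values: actual in values,
    "NotEquals": lambda actual, values: actual not in values,
    "Contains": lambda actual, values: any(v in actual for v in values),
    "NotContains": lambda actual, values: not any(v in actual for v in values),
    "StartsWith": lambda actual, values: any(actual.startswith(v) for v in values),
    "EndsWith": lambda actual, values: any(actual.endswith(v) for v in values),
}


def _condition_holds(condition, incident):
    if condition["conditionType"] != "Property":
        raise NotImplementedError("only Property conditions are modelled here")
    props = condition["conditionProperties"]
    actual = incident.get(props["propertyName"], "")
    return _OPERATORS[props["operator"]](actual, props["propertyValues"])


def rule_fires(rule, event, incident):
    """Return the action types that run for one event ('Created' or 'Updated')."""
    logic = rule["triggeringLogic"]
    if not logic["isEnabled"] or logic["triggersOn"] != "Incidents":
        return []
    if logic["triggersWhen"] != event:
        return []                       # a Created trigger ignores every Updated event
    if not all(_condition_holds(c, incident) for c in logic["conditions"]):
        return []
    return [a["actionType"] for a in sorted(rule["actions"], key=lambda a: a["order"])]


def simulate(rule, lifecycle):
    """Evaluate the rule at each (event, incident_state) step of an incident's life."""
    return [rule_fires(rule, event, state) for event, state in lifecycle]


def with_trigger(rule, triggers_when):
    """Copy of the rule with a different triggersWhen ('Created' or 'Updated')."""
    clone = copy.deepcopy(rule)
    clone["triggeringLogic"]["triggersWhen"] = triggers_when
    return clone


if __name__ == "__main__":
    # Question 344: created at Low, later raised to Medium.
    lifecycle = [("Created", {"IncidentSeverity": "Low"}),
                 ("Updated", {"IncidentSeverity": "Medium"})]
    print(simulate(AUTOMATION_RULE, lifecycle))                           # [[], []]
    print(simulate(with_trigger(AUTOMATION_RULE, "Updated"), lifecycle))  # [[], ['RunPlaybook']]
```

The fix for question 350 is the same object with a severity High condition and `triggersWhen` set to "Created"; to also catch incidents that are escalated after creation, keep a second rule on "Updated" (in the product, adding a PropertyChanged condition on severity avoids re-running the playbook on unrelated updates).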

351
MCQeasy

Your organization uses Microsoft Defender for Office 365. A user reports receiving a phishing email that bypassed the default policy. You need to create a custom anti-phishing policy to block similar emails in the future. What should you configure?

A.Enable Safe Attachments for the organization.
B.Configure impersonation protection for the user's domain.
C.Enable spoof intelligence and add the sender domain to the blocked senders list.
D.Create a mail flow rule to block the sender's domain.
AnswerC

Spoof intelligence detects spoofed domains and blocks them.

Why this answer

Option C is correct because spoof intelligence identifies senders spoofing your domains and the Tenant Allow/Block List blocks the sender domain outright, both within Defender for Office 365's anti-phishing controls. Option B is wrong because impersonation protection targets look-alike users and domains (CEO fraud), not a specific spoofed sender. Option D is wrong because a mail flow (transport) rule can block the domain but is not an anti-phishing policy setting.

Option A is wrong because Safe Attachments inspects attachments, not phishing content.

352
MCQeasy

Your organization uses Microsoft Sentinel. A security analyst receives an alert for a suspicious sign-in from an unfamiliar IP address. The analyst wants to quickly check if the same IP address has been associated with any other alerts in the past 30 days. Which action should the analyst take?

A.Create an automation rule to block the IP address.
B.Submit the IP address to Microsoft for threat intelligence.
C.Create a new analytics rule to detect the IP address.
D.Run a KQL query in the Logs blade to search the Alert table for the IP.
AnswerD

KQL query on the Alert table can show all alerts involving the IP.

Why this answer

Querying the alert data in the Logs blade with KQL for the IP address gives a quick, time-bounded view of every alert that involved it (in a Sentinel workspace the table is SecurityAlert, searched on the Entities column with a 30-day range). Option A is a response action, not an investigation step, and is premature without evidence. Option B does not correlate anything in your own data. Option C would only detect future occurrences.

353
Multi-Selecthard

Which TWO of the following are valid methods to retrieve data from Microsoft Sentinel for external analysis during an incident?

Select 2 answers
A.Use Microsoft Sentinel PowerShell cmdlets.
B.Create a Power BI dashboard.
C.Use the Export to CSV feature in the Logs blade.
D.Connect Log Analytics workspace to external tools via API.
E.Use the Microsoft Sentinel API to query incidents and alerts.
AnswersD, E

Log Analytics API allows external querying.

Why this answer

Options D and E are correct: the Log Analytics Query API lets external tools run KQL against the workspace, and the Microsoft Sentinel REST API returns incidents, alerts and related entities programmatically. Option A is wrong because the Sentinel PowerShell cmdlets are aimed at managing Sentinel resources rather than bulk export for analysis. Option B is wrong because Power BI is a visualization layer. Option C is wrong because Export to CSV is a manual step limited to a single query result.

354
Multi-Selecteasy

Your organization uses Microsoft Defender for Cloud. You need to remediate a security recommendation that indicates a virtual machine is missing critical security updates. Which TWO actions should you take to remediate this recommendation?

Select 2 answers
A.Add a network security group to block inbound traffic to the VM.
B.Connect to the VM and install the missing updates.
C.Create an exemption for the recommendation in Defender for Cloud.
D.Configure the VM to automatically install updates from Windows Update.
E.Restart the VM to trigger update installation.
AnswersB, D

Installing updates remediates the specific recommendation.

Why this answer

Options B and D are correct. Installing the missing updates (B) directly remediates the recommendation, and enabling automatic updates (D) keeps it from recurring. Option E is wrong because a restart only completes an installation that has already been downloaded.

Option A is wrong because the recommendation concerns updates, not NSGs. Option C is wrong because an exemption silences the recommendation without fixing the exposure.

355
Multi-Selectmedium

Your team uses Microsoft Defender for Endpoint. An incident involving a device is identified as a high-severity malware infection. Which THREE remediation actions can be performed directly from the incident in Microsoft 365 Defender?

Select 3 answers
A.Wipe the device remotely.
B.Collect an investigation package from the device.
C.Isolate the device from the network.
D.Run a full antivirus scan on the device.
E.Reset the device's local administrator password.
AnswersB, C, D

Isolate, antivirus scan and investigation package are all device actions available from the incident.

Why this answer

Options B, C and D are correct because the device actions available from an incident in Microsoft 365 Defender include collecting an investigation package, isolating the device, and running an antivirus scan. Option A is wrong because remote wipe is an Intune device-management action. Option E is wrong because resetting a local administrator password is not a Defender for Endpoint response action.

356
MCQeasy

You are investigating a phishing incident in Microsoft Defender XDR. The user reported receiving an email with a malicious link. You need to identify all users who received the same email. Which feature should you use?

A.Automation & investigations
B.Incidents view
C.Threat Explorer
D.Advanced Hunting
AnswerC

Threat Explorer enables detailed email search and tracking.

Why this answer

Option C is correct because Threat Explorer in Microsoft Defender for Office 365 lets you search and filter email by subject, sender, recipient, URL and other attributes, so you can list every recipient of the same message and take action on all of them. Option D (Advanced Hunting) can answer the same question from the EmailEvents table but is the general-purpose query tool, not the purpose-built feature. Option B (Incidents) shows aggregated alerts rather than message-level tracking.

Option A (Automation & investigations) is for automated investigation and response.

357
MCQhard

Your organization uses Microsoft Sentinel. You have a scheduled analytics rule that queries Windows Security Events to detect local admin group modifications. The rule runs every hour and looks back 1 hour. However, you are missing events that occur within the first few minutes of the hour. What is the most likely cause?

A.The event time is in local time, and the query uses UTC, causing events near the boundary to be excluded.
B.The query period is too short; it should be 2 hours.
C.The rule is using 'Last activity' instead of 'TimeGenerated'.
D.There is a 5-minute ingestion delay for Windows events.
AnswerA

Time zone mismatch can cause events to fall outside the query window.

Why this answer

Option A is the answer the question expects: if the query compares or converts event timestamps in local time while TimeGenerated is UTC, events near the hour boundary fall outside the query window. Option B is wrong because the lookback already matches the schedule. Option C is wrong because scheduled rules query on TimeGenerated. Option D is treated as wrong by the key, but see the caveat below.

Practitioner caveat: in a real workspace TimeGenerated is always stored in UTC, so the more common cause of missed events in scheduled rules is ingestion latency of several minutes. Microsoft's guidance is to set the lookback longer than the frequency and filter on ingestion_time() rather than TimeGenerated, so late-arriving events are caught by the next run without being alerted twice.
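The scheduling gap discussed above, as an added example that is not from the quiz or from Microsoft: a simulated hourly rule can only see rows that have already been ingested when it runs, so filtering on the event time (TimeGenerated) loses a row that arrives just after the run that should have covered it, while filtering on ingestion time (what KQL's ingestion_time() returns) catches it on the next run exactly once. The events and timestamps are constructed and in UTC.

```python
"""Why a scheduled rule with lookback == frequency misses late-arriving events."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def _t(hour, minute):
    return datetime(2024, 5, 1, hour, minute, tzinfo=UTC)


# Constructed admin-group-change events: (id, TimeGenerated, ingestion time).
EVENTS = [
    ("prompt-change", _t(9, 10), _t(9, 11)),    # ingested within a minute
    ("late-change",   _t(9, 58), _t(10, 2)),    # arrives after the 10:00 run
    ("next-hour",     _t(10, 30), _t(10, 31)),
]

RUNS = [_t(10, 0), _t(11, 0), _t(12, 0)]        # hourly schedule
LOOKBACK = timedelta(hours=1)                   # same as the frequency, as in the question


def run_rule(events, run_time, lookback, time_field):
    """Return the event ids one scheduled run alerts on.

    time_field is 'TimeGenerated' (filter on event time) or 'ingestion_time'
    (filter on when the row landed in the workspace).
    """
    start = run_time - lookback
    seen = []
    for event_id, generated, ingested in events:
        if ingested > run_time:
            continue                 # not in the table yet when the query executes
        key = generated if time_field == "TimeGenerated" else ingested
        if start <= key < run_time:
            seen.append(event_id)
    return seen


def simulate_schedule(events, runs, lookback, time_field):
    """Map event id -> number of runs that alerted on it (0 = missed, 2+ = duplicated)."""
    hits = {event_id: 0 for event_id, _, _ in events}
    for run_time in runs:
        for event_id in run_rule(events, run_time, lookback, time_field):
            hits[event_id] += 1
    return hits


if __name__ == "__main__":
    print(simulate_schedule(EVENTS, RUNS, LOOKBACK, "TimeGenerated"))
    # {'prompt-change': 1, 'late-change': 0, 'next-hour': 1}
    print(simulate_schedule(EVENTS, RUNS, LOOKBACK, "ingestion_time"))
    # {'prompt-change': 1, 'late-change': 1, 'next-hour': 1}
```

In the rule itself this corresponds to `| where ingestion_time() between (ago(1h) .. now())` in place of the implicit TimeGenerated window, with the rule's lookback set a few minutes longer than its frequency so the query can still reach the late row's TimeGenerated.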

358
MCQmedium

Your company uses Microsoft Sentinel with the Microsoft Defender XDR connector. You receive an incident: 'Suspicious mailbox forwarding rule created.' The incident indicates that a user's mailbox in Exchange Online has a forwarding rule to an external email address. The user's account shows no other suspicious activity. You need to respond to the incident. The company policy requires preserving evidence for 30 days. Which action should you take FIRST?

A.Run an automated playbook to collect additional evidence.
B.Reset the user's password and require MFA.
C.Block the external email domain in Exchange Online.
D.Remove the mailbox forwarding rule.
AnswerD

Immediately stops the exfiltration.

Why this answer

Option D is correct: removing the forwarding rule stops the exfiltration immediately, and the creation of the rule stays recorded in the audit log, so the 30-day evidence requirement is met as long as you export or bookmark that record before removing the rule. Option B is wrong because a password reset is a credential action and the scenario states there is no other sign of compromise, although it is reasonable follow-up. Option C is wrong because blocking the entire external domain is broader than the incident warrants.

Option A is wrong because collecting more evidence with a playbook is investigative, not immediate containment.

359
MCQeasy

Your organization uses Microsoft Defender for Cloud. You receive a security alert about a suspicious process on a virtual machine. You want to investigate the process further. What should you do?

A.Create a custom detection rule to alert on similar processes.
B.Run a vulnerability assessment scan on the VM.
C.Initiate a live response session on the VM from Microsoft Defender for Cloud.
D.Initiate an automated investigation on the VM.
AnswerC

Live response provides real-time investigation capabilities.

Why this answer

Option C is correct because a Live Response session gives real-time access to the VM (list processes, pull files, run scripts) for investigation; for Azure VMs this comes through the Defender for Servers integration with Defender for Endpoint. Option A is wrong because a custom detection rule covers future alerts. Option D is wrong because an automated investigation follows its own logic in response to alerts rather than an analyst's ad-hoc questions.

Option B is wrong because a vulnerability assessment finds missing patches and misconfigurations, not a running suspicious process.

360
Multi-Selecthard

Which THREE of the following are key steps when containing a ransomware incident in Microsoft Defender XDR? (Select THREE.)

Select 3 answers
A.Restore encrypted files from backup
B.Block known malicious file hashes via Indicators of compromise
C.Disable compromised user accounts in Microsoft Entra ID
D.Analyze the root cause of the outbreak
E.Isolate compromised devices using Microsoft Defender for Endpoint
AnswersB, C, E

Blocking IoCs prevents further execution.

Why this answer

Options B, C and E are correct. Blocking the known hashes as indicators, disabling the compromised accounts, and isolating the compromised devices are the containment steps that stop the spread. Option A is wrong because restoring from backup is recovery, done after containment and eradication.

Option D is wrong because root-cause analysis belongs to investigation and lessons learned, not to containment.

361
MCQhard

Your organization uses Microsoft Defender for Cloud Apps. You receive an alert about an impossible travel activity for a user. What is the best first step to validate if this is a true positive?

A.Block the user immediately
B.Run an advanced hunting query in Microsoft Sentinel
C.Contact the user's manager
D.Review the user's sign-in logs in Microsoft Entra ID
E.Check the user's device compliance in Microsoft Intune
AnswerD

Corroborate the activity.

Why this answer

Option D is correct because impossible travel alerts in Microsoft Defender for Cloud Apps are generated based on sign-in activity and user location data. The most direct way to validate whether the alert is a true positive is to review the user's sign-in logs in Microsoft Entra ID (formerly Azure AD), which provides detailed information about each sign-in attempt, including IP addresses, locations, timestamps, and authentication details. This allows you to confirm whether the two sign-ins occurred within an unrealistic time frame for the geographic distance, or if there are anomalies such as VPN usage or IP spoofing that indicate a false positive.

Exam trap

The trap here is that candidates often jump to advanced hunting in Sentinel (Option B) as the first step, forgetting that the alert originates from Defender for Cloud Apps and the most immediate and authoritative source for sign-in details is the Entra ID sign-in logs, which are the same data that Defender for Cloud Apps uses to generate the alert.

How to eliminate wrong answers

Option A is wrong because immediately blocking the user without investigation could disrupt legitimate access and does not validate the alert; it is a reactive action, not a validation step. Option B is wrong because running an advanced hunting query in Microsoft Sentinel is a deeper investigation step that may be appropriate after initial validation, but it is not the best first step when the alert originates from Defender for Cloud Apps and the sign-in logs in Entra ID are the primary source for immediate verification. Option C is wrong because contacting the user's manager is a secondary step that relies on human confirmation and does not provide technical evidence; it should be done after reviewing logs to gather context.

Option E is wrong because checking the user's device compliance in Microsoft Intune addresses device health and policy compliance, which is unrelated to verifying the geographic plausibility of sign-in events in an impossible travel scenario.

362
Multi-Selecthard

Your organization uses Microsoft Sentinel. You need to design a solution that automatically responds to incidents with severity High and enriches them with threat intelligence from Microsoft Defender Threat Intelligence. Which TWO actions should you include?

Select 2 answers
A.Create an automation rule that triggers when an incident is created with severity High and runs a playbook to enrich the incident with threat intelligence.
B.Set the automation rule to modify the analytics rule's query to include threat intelligence.
C.Configure the playbook to run directly from the analytics rule that generates the incident.
D.Use the analytics rule's incident configuration to automatically run the playbook.
E.Add an action in the automation rule to change the incident severity after enrichment.
AnswersA, E

Automation rules can trigger on incident creation and run playbooks.

Why this answer

To respond to incidents automatically, you use automation rules. Option A is correct because an automation rule triggered on incident creation with a severity High condition is how the enrichment playbook is run automatically. Option E is correct because the same automation rule can include a change-severity action, ordered after the playbook, to reflect what the enrichment found.

Option B is wrong because automation rules cannot modify an analytics rule's query. Options C and D are wrong because analytics rules do not run incident-trigger playbooks directly; the automation rule is the mechanism.

363
Multi-Selecteasy

Which TWO are valid incident management actions in Microsoft Sentinel? (Choose two.)

Select 2 answers
A.Merge two incidents into one
B.Export the incident to a CSV file
C.Change the incident status to 'Closed'
D.Delete an incident
E.Assign the incident to another analyst
AnswersC, E

Status can be changed to Closed or Resolved.

Why this answer

Options C and E are correct. Changing the status (New, Active, Closed) and assigning an owner are both actions in the incident blade.

Option D is wrong in this question's framing: the expected workflow is to close an incident with a classification, not to delete it. Option A is wrong because there is no merge action; alerts are grouped into one incident by the analytics rule's alert grouping settings. Option B is wrong because exporting an incident to CSV is not a built-in incident action.

364
Multi-Selecteasy

Your organization uses Microsoft 365 Defender. During an incident, which TWO actions can be taken directly from the Microsoft 365 Defender portal to remediate a compromised email account?

Select 2 answers
A.Remove mailbox delegation permissions.
B.Block the sender's email address in the tenant's allow/block list.
C.Soft delete malicious emails from the user's mailbox.
D.Reset the user's password and revoke sessions.
E.Isolate the user's mailbox from receiving emails.
AnswersC, D

Action available in Threat Explorer or email entity page.

Why this answer

Options C and D are correct because the Microsoft 365 Defender portal lets you soft-delete messages from Threat Explorer or the email entity page, and from the user page you can force the user to sign in again (revoking sessions) and reset the password. Option B is wrong because the Tenant Allow/Block List blocks future mail from the sender but does not remediate a compromised account. Option A is wrong because mailbox delegation is managed in the Exchange admin center, not as a Defender remediation action.

Option E is wrong because there is no action that isolates an individual mailbox from receiving email.

365
MCQeasy

Refer to the exhibit. The KQL query runs in Microsoft Sentinel and returns no results. The analyst expects to see failed logon attempts. What is the most likely reason?

A.The Application filter is incorrect.
B.The ResultType field does not exist in IdentityLogonEvents.
C.The summarize operator is misused.
D.The TimeRange variable is too short.
AnswerB

IdentityLogonEvents has no ResultType column; the outcome of a logon is in ActionType (LogonSuccess or LogonFailed) with detail in FailureReason. Filtering on a column the table does not have returns no rows (or fails to resolve, depending on the query engine).

Why this answer

The query filters on ResultType == 'Failed', but ResultType is a SigninLogs column (a numeric Entra ID error code such as 50126, not the word 'Failed') and does not exist in IdentityLogonEvents. In IdentityLogonEvents, failed logons are rows where ActionType == 'LogonFailed', with the reason in FailureReason. The fix is either to filter on ActionType in IdentityLogonEvents or to move the query to SigninLogs and filter on ResultType != 0.

366
MCQeasy

The exhibit shows the output of a Microsoft Defender for Endpoint API call to get machine information. What does the isolationStatus value indicate?

A.The device is healthy and has no issues.
B.The device is currently being scanned for malware.
C.The device is not isolated and is fully connected.
D.The device has been isolated from the network.
AnswerD

IsolationStatus of 'Isolated' means the device is cut off from the network to prevent spread.

Why this answer

The isolationStatus value 'Isolated' indicates that the device has been isolated from the network. The health status is separate and shows the device is healthy. It does not mean it is being scanned, nor that it is not isolated.

367
MCQeasy

You are investigating a phishing incident in Microsoft Defender XDR. The alert indicates that a user clicked a malicious link in an email. After confirming the email was delivered to the user's inbox, what should be your first action?

A.Add the URL to the tenant block list in Microsoft Defender for Office 365
B.Send a training notification to the user
C.Reset the user's password immediately
D.Use Microsoft Defender for Office 365 to soft-delete the email from the user's mailbox and other recipients
AnswerD

Soft-delete removes the email from inboxes, preventing further clicks.

Why this answer

Option D is correct because soft-deleting the email from all mailboxes removes the threat from the user's and possibly other recipients' inboxes. Option A is wrong because blocking the URL is important but does not remove the already delivered email. Option C is wrong because resetting the password is necessary only if credentials were compromised, but the immediate action is to remove the email.

Option B is wrong because training is a long-term prevention, not an immediate response.

368
MCQmedium

Your organization uses Microsoft Defender for Cloud Apps. A security analyst receives an alert about suspicious activity from a user account indicating a potential ransomware attack. The analyst needs to quickly isolate the user's device and revoke the user's access to all cloud apps. What is the most efficient way to achieve this?

A.Create a Microsoft 365 Defender incident response playbook that triggers on the alert and runs automated actions.
B.Use Microsoft Defender for Cloud Apps Governance log to apply a user quarantine policy.
C.Disable the Microsoft Defender for Cloud Apps app connector for the affected cloud app.
D.Manually disable the user account in Microsoft Entra ID.
AnswerA

Correct: Playbooks can automate device isolation and user account restriction across services.

Why this answer

Option A is correct because Microsoft 365 Defender integrates alerts and supports automated response actions like device isolation and user account restriction across Microsoft Defender for Cloud Apps and Defender for Endpoint. Option B is wrong because incident-based response is less efficient for a single alert. Option D is wrong because manually disabling the user in Entra ID does not isolate the device.

Option C is wrong because disabling the app connector doesn't revoke access for that user only.

369
MCQhard

During a security incident, you need to block a malicious IP address at the network level for all Azure resources in a subscription. You have Azure Firewall deployed. What is the MOST efficient method to implement the block?

A.Block the IP using Microsoft Defender for Cloud's adaptive network hardening.
B.Use Azure Firewall Manager to create a global deny rule for the IP address across all firewalls.
C.Create a network security group (NSG) rule on each virtual network subnet to deny the IP.
D.Add a rule to the Azure Firewall policy to deny outbound traffic to the IP address.
AnswerB

Firewall Manager can apply a policy to multiple firewalls, ensuring consistent blocking.

Why this answer

Option B is correct because Azure Firewall Manager allows central management of firewall policies, including application and network rules across subscriptions. Option C is wrong because NSGs are per-subnet and not as efficient.

Option D is wrong because Azure Firewall policies are not automatically applied to all VMs, and each Azure Firewall rule applies to that firewall only.

370
MCQmedium

Your security team is investigating a suspicious sign-in from an unfamiliar IP address. The user has Microsoft Entra ID P2 licenses and is assigned a Conditional Access policy that requires MFA for all cloud apps. During the incident response, you find that the sign-in succeeded despite the user not completing MFA. Which action should you take first to investigate the discrepancy?

A.Review the user risk detection in Microsoft Entra ID Protection
B.Check the Microsoft Entra audit logs for policy changes
C.Use the Conditional Access What If tool
D.Review the Microsoft Entra sign-in logs for the specific sign-in event
AnswerD

Sign-in logs show whether MFA was satisfied, interrupted, or bypassed, and which Conditional Access policies applied.

Why this answer

Option D is correct because the sign-in logs provide detailed authentication details, including whether MFA was satisfied or bypassed. Option A is wrong because the user risk policy triggers on detected risk, but the issue is about MFA enforcement. Option B is wrong because the audit logs show administrative actions, not authentication details.

Option C is wrong because the sign-in logs show the policy applied, not the policy configuration itself.

371
MCQmedium

Your organization uses Microsoft Defender XDR. You receive an automated investigation that found a malicious file on a device. The investigation recommends 'Block the file'. What does this action do?

A.Adds the file hash to the block list in Microsoft Defender for Endpoint.
B.Isolates the device where the file was found.
C.Initiates a full antivirus scan on all devices.
D.Deletes the file from all devices in the organization.
AnswerA

Blocking the file prevents it from running on any device.

Why this answer

Option A is correct because blocking the file adds it to the global indicator of compromise (IOC) list, preventing future execution. Option D is wrong because the action does not delete the file from all devices. Option B is wrong because it does not isolate the device.

Option C is wrong because it does not scan other devices automatically.

372
MCQmedium

Refer to the exhibit. You are reviewing an automation rule in Microsoft Sentinel that triggers a playbook. The rule is not triggering. What is the most likely cause?

A.The Logic App resource ID is incorrect
B.The subscription ID is missing
C.The condition 'Status equals Active' is incorrect; incidents are created with status 'New'
D.The trigger type should be 'IncidentUpdated' instead of 'IncidentCreated'
AnswerC

Incidents start as 'New', not 'Active'.

Why this answer

Option C is correct because the condition filters for incidents with Status equals 'Active', but when an incident is created its status is 'New', so the condition never matches. Option A is wrong because the Logic App resource ID is correct. Option D is wrong because the trigger type is correct.

Option B is wrong because a subscription issue would cause a different error.

373
MCQmedium

Refer to the exhibit. An automation rule is configured as shown. When will the playbook be triggered?

A.When any incident is created from Microsoft Defender for Endpoint
B.When a new incident with any severity contains 'Malware' in the title
C.When an incident is updated to High severity
D.When a new incident is created with severity High, from Microsoft Defender for Endpoint, and with 'Malware' in the title
AnswerD

All conditions must match.

Why this answer

Option D is correct because the rule triggers on incident creation with conditions: severity is High, provider is Microsoft Defender for Endpoint, and title contains 'Malware'. All conditions must be met. Option C is wrong because the trigger is IncidentCreated, not IncidentUpdated.

Option B is wrong because the provider condition restricts the rule to Defender for Endpoint only, and severity must be High, not any.

374
MCQhard

A user reports that they cannot access their Microsoft 365 apps after clicking a link in an email. You suspect token theft. In Microsoft Defender XDR, which incident investigation action should you take first to verify the scope?

A.Review the user's sign-in logs in Microsoft Entra ID for anomalous locations
B.Isolate the user's device from the network
C.Check the user's device for malware using Microsoft Defender for Endpoint
D.Investigate the email in Microsoft Defender for Office 365
AnswerA

Token theft often shows logins from unusual IPs.

Why this answer

Option A is correct because reviewing sign-in logs reveals token usage from unusual locations. Option C is wrong because it's not about apps. Option D is wrong because email investigation is secondary.

Option B is wrong because device isolation is not the first step.

375
MCQeasy

Your security team uses Microsoft Sentinel analytics rules to detect brute-force attacks. A rule triggers when more than 10 failed logins occur within 5 minutes from a single IP. An incident is generated. Which first step should the analyst take?

A.Block the source IP address on the firewall
B.Investigate the incident details
C.Notify the users of the failed login attempts
D.Reset passwords for all affected accounts
AnswerB

Investigation confirms the attack and provides context.

Why this answer

The first step is to investigate the incident to confirm it's a true positive and assess scope. Blocking the IP might be premature without verification. Resetting passwords and notifying users come after confirmation.
