CCNA Respond Security Incidents Questions

39 of 489 questions · Page 7/7 · Respond Security Incidents topic · Answers revealed

451
Multi-Select · easy

Which TWO are valid incident response actions in Microsoft Sentinel?

Select 2 answers
A. Change the incident status to Active.
B. Run a KQL query from the incident.
C. Assign the incident to an analyst.
D. Merge the incident with another incident.
E. Add a comment to the incident.
Answers: A, C

Changing incident status is a valid action.

Why this answer

Options A and C are correct. Changing the incident status and assigning an owner are standard incident actions. Options B, D, and E are not valid: adding a comment is a separate action, running a query is not an incident action, and merging incidents is already done via automation.

452
MCQ · easy

During an incident response, your team identifies a suspicious PowerShell command executed on multiple devices. Which Microsoft Defender XDR feature should you use to block the command across all endpoints immediately?

A. Potentially Unwanted Application (PUA) protection
B. Indicators of compromise (IoC)
C. Attack Surface Reduction (ASR) rules
D. Device Control policies
Answer: B

IoC allows blocking of malicious commands via custom indicators.

Why this answer

Option B is correct because Microsoft Defender XDR's Indicators of Compromise (IoC) feature allows custom indicators to block file hashes, IPs, URLs, or commands. Option C is wrong because ASR rules are broader and not designed for ad-hoc command blocking. Option D is wrong because Device Control manages hardware peripherals. Option A is wrong because PUA protection targets potentially unwanted applications, not specific commands.

453
MCQ · medium

Your Microsoft Sentinel workspace ingests logs from multiple sources. During an incident, you need to quickly identify all user accounts that have been compromised based on a known malicious IP address. Which KQL operator is most efficient for this?

A. summarize
B. where
C. lookup
D. join kind=inner
Answer: C

lookup is optimized for enriching a large table with a small reference table.

Why this answer

Option C is correct because the lookup operator is optimized for joining a large table with a small reference set (the malicious IP). Option D is wrong because join is less efficient for this pattern. Option B is wrong because a where clause would require filtering each row individually. Option A is wrong because summarize is for aggregation, not matching.

454
MCQ · medium

You are investigating a potential malicious PowerShell execution in Microsoft Defender for Endpoint using this KQL query in Advanced Hunting. The query returns no results. What is the most likely cause?

A. The column names are incorrect; 'InitiatingProcessFileName' should be 'ParentProcessFileName'.
B. The table name should be 'DeviceProcessEvents' instead of 'DeviceEvents'.
C. The 'take 100' operator limits results to only 100, but the query may return results if more data exists.
D. The query uses 'ago(7d)' which may be too short for historical data.
Answer: B

Process creation events are in DeviceProcessEvents, not DeviceEvents.

Why this answer

Option B is correct because the DeviceEvents table is not part of the Defender for Endpoint schema; the correct table is DeviceProcessEvents. Option C is wrong because 'take 100' does not affect the query logic. Option A is wrong because the column names are correct. Option D is wrong because the time range is valid.

455
MCQ · medium

Your organization uses Microsoft Sentinel and has enabled User and Entity Behavior Analytics (UEBA). During an incident investigation, you identify that a user account has been exhibiting anomalous behavior, such as logging in from multiple countries within a short time. You need to determine if the account is compromised and take appropriate action. What should you do first?

A. Disable the user account in Microsoft Entra ID.
B. Review the UEBA insights for the user to understand the anomaly.
C. Create a custom automation rule in Sentinel to disable the account on similar alerts.
D. Reset the user's password immediately.
Answer: B

UEBA provides context on whether the behavior is unusual for that user.

Why this answer

Option B is correct because UEBA provides risk scores and peer comparisons that can help determine if the behavior is truly anomalous. Option D is wrong because resetting the password without investigation may not be necessary if the behavior is legitimate. Option A is wrong because disabling the account is premature. Option C is wrong because creating an automation rule is a response step, not an investigation step.

456
MCQ · medium

Your organization uses Microsoft Sentinel. You are responsible for responding to incidents. A new 'MFA Denied' incident is created from Microsoft Entra ID sign-in logs, indicating that a user in your organization had multiple MFA denials from a suspicious IP address (203.0.113.5). The user is a sales representative who frequently travels. The incident severity is Medium. The incident contains entities: user 'jsmith@contoso.com', IP address 203.0.113.5, and a device running Windows 11. You need to investigate and determine if this is a true positive. The user is currently on a business trip in Europe, but the sign-in attempts originated from an IP address in a different region. What should you do first?

A. Immediately reset the user's password and revoke sessions.
B. Contact the user to confirm if they attempted to sign in at the time of the alerts.
C. Block the suspicious IP address in the Conditional Access policy.
D. Isolate the user's device using Microsoft Defender for Endpoint.
Answer: B

Verifying with the user helps confirm if the activity is legitimate.

Why this answer

Option B is correct because verifying with the user whether they attempted to sign in is the fastest way to confirm if the MFA denials were legitimate. Option A is wrong because changing the password prematurely may lock out the user without confirmation. Option D is wrong because containing the device may disrupt the user's work. Option C is wrong because blocking the IP may be premature if the user's IP changes frequently.

457
MCQ · medium

Your organization uses Microsoft Sentinel and Microsoft Defender XDR. An incident is triggered: 'Lateral movement detected - pass-the-hash attack.' The incident includes alerts from Microsoft Defender for Identity (MDI) showing anomalous NTLM authentication attempts from a compromised workstation to multiple servers. The compromised workstation is a Windows 10 device. You need to contain the incident. Which of the following actions should you take FIRST?

A. Reset the krbtgt account password twice.
B. Isolate the compromised workstation using Microsoft Defender for Endpoint.
C. Disable NTLM authentication across the domain.
D. Reset passwords on all servers that received anomalous authentication attempts.
Answer: B

Immediately stops the workstation from authenticating to other servers.

Why this answer

Option B is correct: isolating the compromised workstation stops lateral movement. Option D is wrong: resetting passwords on servers does not stop the attack from the workstation. Option C is wrong: disabling NTLM globally may cause disruption. Option A is wrong: resetting the krbtgt account is for Kerberos, not NTLM.

458
MCQ · medium

Your organization uses Microsoft Sentinel with the Microsoft 365 Defender connector. You receive an incident indicating that a user's account was used to sign in from an unusual location (Russia) while the user is in the United States. The sign-in was successful and no MFA challenge was prompted because the user had a valid session. The incident severity is High. You need to respond immediately. What should you do first?

A. Block the IP address in the Conditional Access policy.
B. Revoke the user's session in Microsoft Entra ID.
C. Investigate the sign-in logs to determine if there are other compromised accounts.
D. Reset the user's password.
Answer: B

Revoking sessions immediately logs out the attacker.

Why this answer

Option B is correct because revoking the user's session invalidates the attacker's access immediately. Option C is wrong because investigating logs takes time and the attacker is still active. Option D is wrong because resetting the password does not invalidate the current session. Option A is wrong because blocking the IP may be too broad and does not stop session hijacking.

459
MCQ · medium

Refer to the exhibit. You run this KQL query in Microsoft Defender for Endpoint advanced hunting as part of an incident investigation. The query returns zero results, but you suspect PowerShell execution with encoded commands occurred. What is the most likely reason for no results?

A. The query uses 'contains' which is case-sensitive
B. The table name is incorrect; it should be 'ProcessEvents'
C. The column 'ProcessCommandLine' should be 'CommandLine'
D. The query only looks at the last hour; the event may have occurred earlier
Answer: D

If the event happened more than an hour ago, it would not appear. Also, data ingestion delay could cause the event not to appear yet.

Why this answer

Option D is correct because the query's time filter (ago(1h)) is too restrictive: the event may have occurred earlier than one hour ago, or the data may not yet have been ingested. The query targets the 'DeviceProcessEvents' table, which is the correct table for advanced hunting in the Defender portal. Option B is wrong because the table name is correct. Option C is wrong because the column name is correct. Option A is wrong because the query syntax is valid.

460
Multi-Select · medium

Which TWO are valid sources of evidence in a Microsoft Sentinel incident? (Choose two.)

Select 2 answers
A. Playbooks
B. Watchlists
C. Alerts
D. Bookmarks
E. Hunting queries
Answers: C, D

Alerts are the primary evidence linked to an incident.

Why this answer

Options C and D are correct. Alerts and bookmarks are evidence items in an incident. Option B is wrong because watchlists are reference data, not evidence. Option E is wrong because hunting queries are not stored as evidence. Option A is wrong because playbooks are automation, not evidence.

461
MCQ · medium

Your security operations center (SOC) uses Microsoft Sentinel with a custom analytics rule that generates an incident when more than 10 failed logons occur within 5 minutes. During a review, you notice that a single user triggered the rule by forgetting their password multiple times. The incident was automatically closed by a playbook. What is the most effective way to reduce false positives for this rule?

A. Increase the threshold to 20 failed logons
B. Create a playbook to automatically close the incident
C. Disable the analytics rule
D. Change the rule to group events by user
Answer: A

A higher threshold reduces noise from password mistakes while still detecting brute-force attacks.

Why this answer

Option A is correct because adjusting the threshold (e.g., to 20 failures) reduces false positives while still capturing brute-force attacks. Option C is wrong because disabling the rule removes detection entirely. Option D is wrong because grouping by user still generates an incident per user. Option B is wrong because a playbook that closes incidents does not prevent their generation.

462
MCQ · easy

A security analyst needs to contain a compromised device that is spreading malware in the network. The device is enrolled in Microsoft Intune and managed by Microsoft Defender for Endpoint. What is the fastest way to isolate the device from the network?

A. Disable the device in Microsoft Intune.
B. Use Microsoft Defender for Endpoint to initiate device isolation.
C. Perform a remote wipe of the device from Microsoft Intune.
D. Block the user's account in Microsoft Entra ID.
Answer: B

Device isolation blocks all network traffic except communication with Defender for Endpoint cloud services.

Why this answer

Option B is correct because Defender for Endpoint supports the device isolation action. Option A is wrong because disabling the device in Intune only prevents new management commands. Option C is wrong because wiping the device is destructive and may not be the fastest option. Option D is wrong because blocking the user's account does not isolate the device.

463
MCQ · medium

During an incident response, an analyst runs a live response command on a Windows device using Microsoft Defender for Endpoint. The command 'Get-Service -Name BITS' returns no output. What is the most likely cause?

A. The live response session has insufficient privileges.
B. The BITS service is disabled and hidden.
C. The command is blocked due to PowerShell ConstrainedLanguage mode.
D. The BITS service is not installed on the device.
Answer: C

Live response runs in ConstrainedLanguage mode, which restricts cmdlets. Get-Service is not allowed.

Why this answer

Live response uses a restricted PowerShell language mode (ConstrainedLanguage) which blocks many commands, so Get-Service may not be available. The service might be stopped but still exist; permissions are usually fine.

464
MCQ · hard

During a security incident, a SOC analyst uses Microsoft Defender XDR to investigate a compromised device. The analyst needs to collect a memory dump for forensic analysis. Which action should the analyst take from the Microsoft Defender XDR portal?

A. Use the 'Collect investigation package' action.
B. Initiate a live response session.
C. Run a custom detection rule.
D. Submit the file to Microsoft Defender for Cloud Apps.
Answer: A

This action collects a memory dump as part of the package.

Why this answer

The correct answer is A. 'Collect investigation package' collects memory dumps, registry hives, and other forensic data. The other options do not provide memory dumps.

465
Multi-Select · easy

Which TWO actions should a SOC analyst take immediately after confirming a ransomware incident in Microsoft Defender XDR?

Select 2 answers
A. Isolate affected devices from the network.
B. Begin restoring data from backups.
C. Disable all mailboxes in the organization.
D. Reset passwords for compromised accounts and enforce MFA.
E. Collect a full memory dump from each affected device.
Answers: A, D

Isolation prevents ransomware from spreading.

Why this answer

Correct answers are A and D. Isolating affected devices and resetting compromised account credentials are immediate containment steps. Collecting forensic data is important, but comes after containment. Starting recovery can wait. Disabling mailboxes is not necessary unless email is a vector.

466
MCQ · hard

You are reviewing an automation rule in Microsoft Sentinel. The rule triggers on incident creation with severity High. However, during a recent High severity incident, the playbook did not run. What is the most likely cause?

A. The action order is set to 1, but another action has a higher priority.
B. The automation rule does not have an owner assigned.
C. The condition requires IncidentSeverity equals High, but the incident was classified as Medium.
D. The rule triggers on incident creation, but the incident was first closed and then reopened.
Answer: B

Automation rules must have an owner to run playbooks.

Why this answer

Option B is correct because automation rules require an assigned owner to run playbooks. Option D is wrong because the rule triggers on creation, not closure. Option C is wrong because the condition is correct for High severity. Option A is wrong because the action order is fine.

467
MCQ · hard

Your organization's Microsoft Sentinel workspace ingests logs from multiple regions. During an incident, you need to search for a specific user's activity across all workspaces in a single query. What is the most efficient way to accomplish this?

A. Use a cross-workspace query with the workspace() expression.
B. Run separate queries in each workspace and combine results manually.
C. Create a new analytics rule that queries all workspaces.
D. Use the Microsoft Sentinel search feature with the workspace filter.
Answer: A

Cross-workspace queries enable searching across workspaces efficiently.

Why this answer

A cross-workspace query using the workspace() expression allows querying multiple workspaces in one KQL query. Option B is manual; Option C is for analytics; Option D is for search.

468
MCQ · hard

Your organization uses Microsoft Sentinel with the Microsoft Defender XDR connector. During an incident, you receive a critical alert for a user who is reported as compromised. You need to verify if the compromise is real and respond quickly. Which feature should you use to automatically trigger a playbook that contains the account?

A. An automation rule that triggers a playbook when the alert is created.
B. An analytics rule configured to run a playbook when the alert is generated.
C. A workbook that displays the user's activity for manual investigation.
D. A watchlist that includes the user's name to block the account.
Answer: A

Automation rules can run playbooks automatically on alert or incident creation.

Why this answer

Option A is correct because automation rules in Microsoft Sentinel can trigger playbooks based on alert creation. Option B is wrong because analytics rules generate alerts but do not trigger playbooks directly. Option D is wrong because watchlists are for enrichment, not response. Option C is wrong because workbooks are visualization tools.

469
MCQ · medium

You are investigating a Microsoft Sentinel incident involving a user who clicked a phishing link. The incident includes alerts from Microsoft Defender for Office 365. You need to identify if any other users received the same phishing email. What should you do?

A. Check the incident timeline for related alerts
B. Review the incident graph in Microsoft Sentinel
C. Run a KQL query in Advanced Hunting
D. Use the Threat Explorer in Microsoft Defender for Office 365
Answer: D

Threat Explorer can search for similar emails across all users.

Why this answer

Option D is correct because Threat Explorer in Microsoft Defender for Office 365 can search for emails by subject, sender, or URL. Option B is wrong because the incident graph shows only linked entities. Option A is wrong because the timeline shows events for the current incident only. Option C is wrong because Advanced Hunting is more complex and not the quickest method.

470
Multi-Select · hard

Which THREE are valid containment actions in Microsoft Defender for Endpoint? (Choose three.)

Select 3 answers
A. Reset password
B. Contain device
C. Run antivirus scan
D. Collect investigation package
E. Isolate device
Answers: B, C, E

Contain device limits network communication to specific IPs.

Why this answer

Options B, C, and E are correct. 'Contain device', 'Run antivirus scan', and 'Isolate device' are built-in actions. Option A is wrong because 'Reset password' is not a containment action in Defender for Endpoint; it is done in Microsoft Entra ID. Option D is wrong because 'Collect investigation package' is a forensic action, not containment.

471
MCQ · easy

During an incident response, you need to collect a forensic image of a Windows 10 device managed by Microsoft Intune. Which Microsoft Defender XDR feature should you use?

A. Microsoft Defender for Cloud Apps
B. Microsoft Purview eDiscovery
C. Microsoft Defender for Endpoint Live Response
D. Microsoft Sentinel
Answer: C

Allows remote forensic data collection.

Why this answer

Option C is correct because Microsoft Defender for Endpoint's Live Response allows you to collect forensic data from devices. Option B is wrong because Microsoft Purview eDiscovery is for content search and legal hold. Option A is wrong because Microsoft Defender for Cloud Apps is for cloud app security. Option D is wrong because Microsoft Sentinel is a SIEM, not a tool for live forensic collection.

472
MCQ · medium

A security analyst receives an alert from Microsoft Defender for Cloud Apps indicating that a user from the finance department downloaded 500 files from SharePoint Online in 10 minutes. The analyst needs to determine if this is a true positive and, if so, contain the incident. Which action should the analyst take first?

A. Run a KQL query in Microsoft Sentinel to correlate with other alerts.
B. Suspend the user's account in Microsoft Entra ID.
C. Create an alert in Microsoft Sentinel for similar behavior.
D. Check the user's risk score in Microsoft Entra ID Identity Protection.
Answer: B

Suspending the account immediately prevents further data exfiltration while investigation proceeds.

Why this answer

The correct answer is B. Google Dorking is a technique used by attackers to find exposed sensitive information via Google search queries. Searching for the domain with site: and filetype: is an example of Google Dorking, which is not a standard security tool.

The other options are legitimate security features.

473
MCQ · easy

Your team uses Microsoft Sentinel to manage incidents. You want to automatically assign incidents with a severity of 'High' to the Tier 2 security team. Which feature should you configure?

A. Playbook
B. Analytics rule
C. Automation rule
D. Workbook
Answer: C

Automation rules can assign incidents to owners based on properties.

Why this answer

Option C is correct because automation rules in Microsoft Sentinel can automatically assign incidents based on conditions like severity. Option B is wrong because analytics rules generate alerts, not assign incidents. Option A is wrong because playbooks are for response actions, not assignment. Option D is wrong because workbooks are for visualization.

474
Multi-Select · hard

A security analyst is investigating a potential data exfiltration incident in Microsoft Sentinel. The analyst needs to identify which users may have been compromised. Which THREE data sources should be queried to gather the most relevant evidence?

Select 3 answers
A. WindowsEvent from Microsoft Defender for Endpoint.
B. AzureActivity from Azure Monitor.
C. SigninLogs and AuditLogs from Microsoft Entra ID.
D. OfficeActivity from Microsoft 365.
E. CloudAppEvents from Microsoft Defender for Cloud Apps.
Answers: C, D, E

Provides authentication and user activity in Entra ID.

Why this answer

Options C, D, and E are correct because SigninLogs and AuditLogs (Entra ID) provide authentication and activity logs; OfficeActivity provides Exchange and SharePoint logs; and CloudAppEvents (Defender for Cloud Apps) provides shadow IT and app activity. Option B (AzureActivity) is for Azure resource logs, not user activity. Option A (WindowsEvent) is for device-level events, which are less relevant for cloud exfiltration.

475
Multi-Select · easy

Which THREE steps are part of the incident response process when using Microsoft Sentinel?

Select 3 answers
A. Identify the incident by creating an analytics rule.
B. Investigate the incident using hunting queries and entity timelines.
C. Remediate the incident by running playbooks or manual actions.
D. Report the incident to the security team via email.
E. Triage the incident to determine severity.
Answers: B, C, E

Investigation is a key step to understand the scope and impact.

Why this answer

The three correct steps are triage, investigation, and remediation. Identification is a precursor, and reporting is a final step but not always part of the core process in Sentinel.

476
MCQ · hard

Wide World Importers uses Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Purview for data loss prevention (DLP). An incident is generated: 'DLP policy violation - sensitive data shared externally.' The incident shows that a user shared a document containing credit card numbers via SharePoint Online with an external guest. The user is a finance department employee. You need to respond to the incident. The organization wants to minimize business disruption while protecting data. Which of the following is the BEST immediate action?

A. Delete the document from SharePoint Online.
B. Modify the DLP policy to block sharing of credit card numbers.
C. Remove the external guest's access to the document in SharePoint Online.
D. Disable the user's account in Microsoft Entra ID and investigate.
Answer: C

Immediately stops unauthorized access while preserving the document and user productivity.

Why this answer

Option C is correct: removing the external guest's access to the document stops data exposure without affecting the user's work. Option D is wrong: disabling the user prevents all work and may be too drastic. Option A is wrong: deleting the document destroys evidence. Option B is wrong: a DLP policy change takes time and does not stop the current exposure.

477
MCQ · hard

Refer to the exhibit. An analyst runs this Azure CLI command and receives no output. The workspace has many High severity incidents in 'New' status. What is the most likely reason?

A. The analyst does not have read permissions for the workspace.
B. The query syntax is incorrect; the pipe between conditions is invalid.
C. No incidents match both conditions.
D. The --query parameter is not supported for this command.
Answer: B

JMESPath uses comma or boolean operators, not pipe. The correct query would be '[?status==`New` && severity==`High`]'.

Why this answer

The JMESPath query uses the '|' operator incorrectly; the correct syntax for filtering on two conditions is '&&' or multiple filters. The query as written tries to combine two conditions with '|', which is not valid. The index [0] might also be wrong if there are no matches, but the issue is the query syntax.

478
MCQ · medium

Your organization uses Microsoft Defender XDR. You are investigating an incident that involves a malware infection on a Windows 10 device. The device is currently isolated from the network. The incident shows that the malware attempted to communicate with a command-and-control (C2) server. You have collected an investigation package. Now you need to remediate the device and bring it back to a clean state. The device has critical data that must not be lost. Which remediation action should you take? Which option best balances thorough remediation with data preservation?

A. Initiate a live response to manually remove the malware.
B. Run a full antivirus scan and remove threats.
C. Reimage the device from a clean backup.
D. Perform a factory reset of the device.
Answer: C

Reimaging from a known good backup removes malware and restores data.

Why this answer

Option C is correct because reimaging from a clean backup ensures the malware is completely removed while preserving data from the backup. Option B (full scan) may not detect all malware. Option D (factory reset) loses all data. Option A (live response) may miss persistent threats and is not as thorough as reimaging.

479
MCQ · easy

Your organization uses Microsoft 365 Defender. A security analyst detects a malware infection on a single endpoint named 'SalesPC01'. The malware is identified as 'Trojan:Win32/Emotet'. The endpoint is currently isolated from the network by the automatic response. You need to remediate the infection. The malware has been detected and the endpoint is isolated. What should you do next?

A. Delete the user account that was logged in when the malware was detected.
B. Disconnect the endpoint from the network manually.
C. Reimage the endpoint to ensure complete removal.
D. Initiate a full antivirus scan using Microsoft Defender Antivirus.
Answer: D

A full scan will detect and remove the malware.

Why this answer

Option D is correct because running a full scan or using Microsoft Defender for Endpoint's 'Run antivirus scan' action can remove the malware. Option B is wrong because the endpoint is already isolated. Option C is wrong because reimaging is a last resort. Option A is wrong because deleting the user account is not necessary.

480
MCQ · hard

You are a SOC analyst at Contoso Ltd. The company uses Microsoft Sentinel and Microsoft Defender XDR. A high-severity incident is generated from a Sentinel analytics rule that detects multiple failed logins followed by a successful login from a geographically unusual location for a user. The incident includes an alert from Microsoft Defender for Identity indicating a possible brute-force attack. The user's account is a privileged administrator. Your organization has strict compliance requirements: any privileged account compromise must be contained within 15 minutes of detection. You have the following tools available: Microsoft Entra ID with Privileged Identity Management (PIM), Microsoft Defender for Cloud Apps, and Microsoft 365 Defender automation rules. The incident is now 5 minutes old. What should you do to meet the compliance requirement?

A. Create an automation rule in Microsoft 365 Defender to alert the security team.
B. Disable the user account in Microsoft Entra ID immediately.
C. Create a conditional access policy to block the user's sign-ins.
D. Activate PIM and remove the user's role assignments.
Answer: B

Disabling stops all access within seconds.

Why this answer

Disabling the account is the fastest containment; PIM may take extra steps; alerting is not containment; policies are slower.

481
MCQ · easy

During a ransomware incident, you need to prevent the encryption of files in SharePoint Online and OneDrive for Business. You have already identified the compromised user account. What should you do?

A. Disable external sharing for SharePoint Online
B. Lock the compromised user account in Microsoft Entra ID
C. Delete the compromised user's OneDrive files
D. Apply a retention policy to all SharePoint sites
Answer: B

Locking the account prevents further access to files.

Why this answer

Option B is correct because locking the account stops the attacker from accessing files. Option C is wrong because deleting files does not prevent encryption. Option D is wrong because applying a retention policy does not block access. Option A is wrong because disabling external sharing does not stop internal encryption.

482
MCQ · hard

You are investigating an incident where a user reported receiving a suspicious email with a malicious attachment. Microsoft Defender for Office 365 did not block it. The email originated from a known malicious sender domain. What configuration should you check first?

A. User-reported message settings
B. SPF record for the sender domain
C. Safe Attachments policy
D. Anti-phishing policy in Microsoft Defender for Office 365
Answer: D

Anti-phishing policies can block emails from known malicious domains or impersonation attempts.

Why this answer

Option D is correct. The most likely reason for the email not being blocked is that the anti-phishing policy is not properly configured or the sender is bypassed. Option B (SPF) is relevant but less likely if the domain is known malicious. Option C (Safe Attachments) may not catch everything. Option A (user reporting) is not about blocking.

483
MCQ · easy

Refer to the exhibit. You are configuring a Microsoft Sentinel scheduled analytics rule with the above incident creation settings. What is the effect of setting 'groupingConfiguration.enabled' to false?

A. Alerts will be suppressed for 5 minutes
B. The rule will run every 5 minutes
C. No incidents will be created
D. Each alert will generate a separate incident
Answer: D

With grouping disabled, every alert triggers a new incident.

Why this answer

Option D is correct because the grouping configuration controls whether alerts are grouped into a single incident. Disabling it means each alert creates its own incident. Option C is wrong because the rule still creates incidents. Option B is wrong because the rule runs on the schedule defined elsewhere. Option A is wrong because suppression is a different setting.

484
MCQeasy

You receive a Microsoft Defender XDR incident alert about a suspicious sign-in from an unfamiliar location. The user confirms they did not perform the sign-in. What should you do to immediately secure the account?

A.Disable the user account in Microsoft Entra ID
B.Reset the user's password
C.Block the IP address used for the suspicious sign-in
D.Require the user to register for Microsoft Entra Multi-Factor Authentication
AnswerA

Disabling the account immediately blocks all new sign-ins.

Why this answer

Option A is correct because disabling the user account in Microsoft Entra ID immediately prevents any further sign-in. Option B is wrong because a password reset alone does not end sessions the attacker already holds. Option D is wrong because MFA registration does not stop an ongoing compromise.

Option C is wrong because blocking a single IP address is ineffective if the attacker switches to another one. In practice the disable is followed by revoking the user's sessions, since tokens already issued stay valid until they expire.

485
Multi-Selecthard

You are investigating a data exfiltration incident in Microsoft Defender for Cloud Apps. The investigation reveals that a user downloaded sensitive files from SharePoint and uploaded them to a third-party cloud storage app. Which THREE actions should you take to contain the incident?

Select 3 answers
A.Apply a session policy to block uploads to unauthorized apps.
B.Suspend the user account in Microsoft 365 Defender.
C.Add the third-party app to the blocked apps list in Defender for Cloud Apps.
D.Delete the files from the third-party cloud app.
E.Apply a sensitivity label to the files to prevent sharing.
AnswersA, B, C

Session policies can block uploads in real time.

Why this answer

Options A, B, and C are correct because blocking uploads in real time with a session policy, suspending the user, and blocking the third-party app each contain the threat. Option D is wrong because deleting the files from the third-party app is recovery, not containment, and you may not control that tenant. Option E is wrong because applying a sensitivity label classifies the data; it does not immediately stop the exfiltration that is already under way.

486
MCQeasy

You are investigating a low-severity incident in Microsoft Sentinel where a user reported receiving a phishing email. The email was not blocked by the email security solution. The user did not click any links. What should you do first?

A.Delete the phishing email from the user's inbox
B.Report the email for analysis using the Microsoft 365 Defender portal
C.Reset the user's password as a precaution
D.Isolate the user's device from the network
AnswerB

Reporting helps improve email security.

Why this answer

Option B is correct because reporting the email for analysis helps determine why it was missed (a false negative) and improves filtering for the whole tenant. Option A is wrong because deleting the email destroys evidence; quarantine it instead once it has been reported. Option C is wrong because the user did not click any links, so no credentials were entered and a reset is unnecessary.

Option D is wrong because nothing was opened or executed, so device isolation is not needed.

487
Multi-Selecthard

During a security incident, a Microsoft Sentinel analytics rule generated an alert for a suspicious sign-in from an unusual location. The incident involves a user whose account has been compromised. The security team needs to take immediate actions to remediate and prevent further damage. Which THREE actions should the security team prioritize?

Select 3 answers
A.Reset the user's password
B.Revoke the user's session tokens
C.Review audit logs for all users
D.Raise the user's risk level in Identity Protection
E.Disable the user account in Microsoft Entra ID
AnswersA, B, E

A password reset invalidates the stolen credentials.

Why this answer

Option A is correct because resetting the password ensures the attacker cannot reuse stolen credentials. Option B is correct because revoking session tokens ends the sessions the attacker already has. Option E is correct because disabling the account stops any further access while the investigation runs.

Option C is wrong because reviewing audit logs for all users is investigation, not immediate remediation. Option D is wrong because raising the risk level is a classification, not a remediation.
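The three containment actions above (and the immediate disable in question 484) map directly onto Microsoft Graph calls. The following added example, not part of the original page, performs them with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Users and Microsoft.Graph.Users.Actions modules are installed, that the signed-in operator holds a role allowed to reset passwords, and that the UPN is a placeholder.

```powershell
# Added example, not from the original page: immediate containment of a compromised
# Microsoft Entra ID account (disable, revoke sessions, reset password).
# Assumes Microsoft.Graph.Users and Microsoft.Graph.Users.Actions are installed.
$upn = "compromised.user@contoso.example"   # placeholder UPN of the account under investigation

# Delegated scopes needed to disable the account, revoke sessions and reset the password.
Connect-MgGraph -Scopes "User.ReadWrite.All", "User.RevokeSessions.All", "Directory.AccessAsUser.All"

$user = Get-MgUser -UserId $upn -Property Id, UserPrincipalName, AccountEnabled

# 1. Disable the account: blocks every new sign-in, interactive or not.
Update-MgUser -UserId $user.Id -AccountEnabled:$false

# 2. Revoke refresh tokens and session cookies so existing sessions cannot renew silently.
Revoke-MgUserSignInSession -UserId $user.Id | Out-Null

# 3. Reset the password to a random value the attacker cannot know; the user must
#    change it at next sign-in once the account is re-enabled after the investigation.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)
Update-MgUser -UserId $user.Id -PasswordProfile @{
    Password                      = $tempPassword
    ForceChangePasswordNextSignIn = $true
}

# Verify the end state before handing over to the investigation.
Get-MgUser -UserId $user.Id -Property UserPrincipalName, AccountEnabled |
    Select-Object UserPrincipalName, AccountEnabled
```

Order matters less than completeness: the disable stops new sign-ins, the revocation kills refresh tokens, and the reset invalidates the credential. Access tokens that were already issued remain usable until they expire (up to about an hour) unless the resource supports Continuous Access Evaluation, which is why the question treats all three as a set rather than picking one.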

488
MCQhard

Refer to the exhibit. You have an automation rule in Microsoft Sentinel that triggers a playbook to isolate a device when a High severity incident is created. However, you notice that the playbook is not triggered for incidents that are created from analytics rules that use entity mapping. What is the most likely cause?

A.The playbook requires a managed identity, which is missing.
B.The playbook is not authorized to run for automation rules.
C.The automation rule is disabled.
D.The analytics rule sets the severity after incident creation, so the condition does not match at creation time.
AnswerD

The condition is evaluated when the incident is created; if the severity is set afterwards, the rule never fires.

Why this answer

The correct answer is D. The automation rule triggers on incident creation and its condition checks severity at that moment. If the severity is assigned after creation (for example by a playbook or by the analytics rule's dynamic severity logic), the condition does not match when the rule is evaluated.

The exhibit shows the trigger is 'Created' with a condition on severity. Rules with the 'When incident is created' trigger evaluate their conditions only once; to react to a later severity change, add a second automation rule with the 'When incident is updated' trigger and a condition on the severity change. The other options are plausible but less likely.

489
Multi-Selectmedium

Which TWO actions should you take when handling a confirmed ransomware incident in an environment protected by Microsoft Defender for Endpoint?

Select 2 answers
A.Block the ransomware file hash using threat intelligence indicators in Microsoft Defender.
B.Initiate device isolation from the Microsoft Defender for Endpoint console.
C.Disable Windows Defender real-time protection.
D.Submit the ransomware sample to Microsoft for analysis.
E.Reimage all affected servers immediately.
AnswersA, B

Blocking the hash prevents further execution on other endpoints.

Why this answer

Options A and B are correct. Option A adds the ransomware hash as a custom indicator so the file cannot execute on any onboarded endpoint. Option B isolates affected devices to stop lateral spread while keeping them reachable by Defender for Endpoint for investigation.

Option C is wrong because disabling real-time protection removes the control that detects and blocks the ransomware. Option D is useful for improving detections but is not a containment step. Option E is recovery, not containment, and reimaging before evidence is collected destroys forensic data.
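Both correct actions are available through the Microsoft Defender for Endpoint API as well as the console. The following added example, not code from the page, blocks the sample's SHA-256 tenant-wide as a custom indicator and then isolates the affected device. It assumes an app registration with the application permissions Ti.ReadWrite.All and Machine.Isolate; the tenant id, client id, secret, hostname and hash are placeholders.

```powershell
# Added example, not from the original page: ransomware containment through the
# Microsoft Defender for Endpoint API (custom indicator + device isolation).
# Assumes an app registration granted Ti.ReadWrite.All and Machine.Isolate.
$tenantId     = "00000000-0000-0000-0000-000000000000"   # placeholder tenant id
$clientId     = "11111111-1111-1111-1111-111111111111"   # placeholder app (client) id
$clientSecret = $env:MDE_CLIENT_SECRET                   # read from the environment, never hard-coded
$hostname     = "fs01"                                   # placeholder name of the affected device
$sha256       = "0000000000000000000000000000000000000000000000000000000000000000"   # placeholder sample hash
$ticket       = "IR-0000"                                # placeholder incident reference for the audit trail

# 1. App-only token for the Defender for Endpoint API (client credentials flow).
$token = (Invoke-RestMethod -Method POST `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token" `
    -Body @{
        grant_type    = "client_credentials"
        client_id     = $clientId
        client_secret = $clientSecret
        scope         = "https://api.securitycenter.microsoft.com/.default"
    }).access_token
$headers = @{ Authorization = "Bearer $token"; "Content-Type" = "application/json" }
$api = "https://api.securitycenter.microsoft.com/api"

# 2. Custom indicator: block the hash on every onboarded device. "Block" only prevents
#    execution; "BlockAndRemediate" also quarantines copies that are found.
$indicator = @{
    indicatorValue = $sha256
    indicatorType  = "FileSha256"
    action         = "BlockAndRemediate"
    title          = "Ransomware sample $ticket"
    description    = "Blocked during ransomware incident response"
    severity       = "High"
    generateAlert  = $true
} | ConvertTo-Json
Invoke-RestMethod -Method POST -Uri "$api/indicators" -Headers $headers -Body $indicator | Out-Null

# 3. Resolve the device id from its name and isolate it. "Full" cuts all traffic except the
#    Defender channel; "Selective" keeps Outlook, Teams and Skype reachable for the user.
$machine = (Invoke-RestMethod -Method GET -Headers $headers `
    -Uri "$api/machines?`$filter=computerDnsName eq '$hostname'").value | Select-Object -First 1
if (-not $machine) { throw "Device '$hostname' not found in Defender for Endpoint" }

$isolate = @{ Comment = "Ransomware containment $ticket"; IsolationType = "Full" } | ConvertTo-Json
$action = Invoke-RestMethod -Method POST -Uri "$api/machines/$($machine.id)/isolate" -Headers $headers -Body $isolate

# The response is a machine action; poll $api/machineactions/<id> until status is Succeeded.
$action | Select-Object id, type, status, requestor
```

The indicator takes effect on endpoints as they next check in, which is why it is paired with isolation: the indicator stops the sample spreading to devices that have not yet run it, while isolation contains the devices that already have. Release the isolation through the unisolate action only after the investigation has confirmed the device is clean.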
