CCNA Describe the capabilities of Microsoft security solutions Questions

20 of 470 questions · Page 7/7 · Describe the capabilities of Microsoft security solutions · Answers revealed

451
MCQ · easy

Your organization wants to protect sensitive documents from being copied to unauthorized cloud services. Which Microsoft Purview capability should you use?

A. Audit log
B. Data Loss Prevention (DLP) policy
C. Retention policy
D. Sensitivity label
Answer: B

DLP can block sharing of sensitive data to unauthorized cloud services.

Why this answer

Option B is correct because DLP policies can detect and prevent sharing of sensitive data to unauthorized services. Option A is incorrect because audit logs only record activity; they do not block it. Option C is incorrect because a retention policy governs how long data is kept, not whether it can be shared.

Option D is incorrect because sensitivity labels classify data but do not block sharing.

452
Multi-Select · medium

Which TWO features are included in Microsoft Entra ID Identity Protection? (Choose two.)

Select 2 answers
A. Just-in-time privileged access
B. Sign-in risk detection
C. Cloud app discovery
D. Multi-factor authentication registration campaign
E. User risk detection
Answers: B, E

Identity Protection detects risky sign-ins.

Why this answer

Options B and E are correct. Identity Protection includes sign-in risk and user risk detection. Option A is wrong because just-in-time privileged access is a Privileged Identity Management feature. Option C is wrong because cloud app discovery belongs to Microsoft Defender for Cloud Apps.

Option D is wrong because the MFA registration campaign is a Conditional Access feature.

453
MCQ · medium

A security team needs to detect and investigate advanced attacks targeting on-premises Active Directory accounts, such as Pass-the-Hash (PtH) and Golden Ticket attacks. Which Microsoft security solution should they deploy?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Identity
D. Microsoft Sentinel
Answer: C

Correct. Microsoft Defender for Identity is purpose-built to detect advanced threats targeting on-premises Active Directory, such as Pass-the-Hash, Golden Ticket, and compromised credentials.

Why this answer

Microsoft Defender for Identity (MDI) is specifically designed to detect advanced attacks targeting on-premises Active Directory, such as Pass-the-Hash (PtH) and Golden Ticket attacks. It uses behavioral analytics and machine learning to monitor AD traffic, Kerberos authentication, and NTLM protocol anomalies, identifying lateral movement and privilege escalation attempts that characterize these attacks.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Identity with Microsoft Sentinel or Defender for Endpoint, not realizing that only Defender for Identity provides dedicated, protocol-level detection for on-premises Active Directory attacks like PtH and Golden Ticket.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on shadow IT discovery and data protection in SaaS applications, not on-premises AD attack detection. Option B is wrong because Microsoft Defender for Endpoint is an endpoint detection and response (EDR) solution that monitors devices for malware and suspicious processes, but it does not natively analyze Active Directory authentication protocols like Kerberos or NTLM for PtH or Golden Ticket patterns. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR platform that aggregates logs from multiple sources; while it can ingest AD security events, it lacks the specialized, real-time behavioral analytics for AD-specific attacks that Defender for Identity provides out of the box.

454
Multi-Select · hard

A company uses Microsoft Purview Data Lifecycle Management. To comply with regulatory requirements, the company must retain financial records for 7 years and then delete them. Which THREE actions should the company configure? (Select THREE.)

Select 3 answers
A. Create a data loss prevention policy
B. Create a retention policy for the entire SharePoint site
C. Create a retention label with a retention period of 7 years
D. Configure a disposition review to confirm deletion
E. Create an auto-labeling policy to apply the retention label to financial records
Answers: C, D, E

Retention labels define retention.

Why this answer

Options C, D, and E are correct: create a retention label with a 7-year retention period, auto-apply the label to financial records, and configure a disposition review to confirm deletion. Option A is wrong because a DLP policy prevents data loss; it does not manage the data lifecycle. Option B is wrong because a retention policy applies to an entire location, not to specific content.

455
MCQ · hard

A security team needs to collect and analyze security logs from a hybrid environment consisting of on-premises Windows servers, Azure virtual machines, and AWS workloads. They want to correlate events, detect anomalous behavior, and create custom security alerts with automated response playbooks. Which Microsoft security solution should they use?

A. Microsoft Defender for Cloud
B. Microsoft Sentinel
C. Microsoft Defender for Office 365
D. Microsoft Defender for Identity
Answer: B

Sentinel is a scalable SIEM/SOAR that can collect logs from on-premises, Azure, and other clouds, correlate events, and enable custom alerts and playbooks.

Why this answer

Microsoft Sentinel is the correct solution because it is a cloud-native SIEM (Security Information and Event Management) and SOAR (Security Orchestration, Automation, and Response) solution designed to ingest logs from hybrid and multi-cloud environments, including on-premises Windows servers, Azure VMs, and AWS workloads. It provides advanced correlation of events across these sources, built-in anomaly detection using machine learning, and the ability to create custom security alerts and automated response playbooks via Azure Logic Apps. This directly matches the requirement for collecting, analyzing, correlating, detecting anomalies, and automating responses.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Cloud (a CSPM/CWPP tool) with a full SIEM solution, but Defender for Cloud lacks the log correlation, custom alert creation, and SOAR playbook capabilities that are exclusive to Microsoft Sentinel.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud is a Cloud Security Posture Management (CSPM) and Cloud Workload Protection Platform (CWPP) that focuses on assessing and hardening security configurations across Azure, AWS, and GCP, but it does not provide native SIEM capabilities for log correlation, custom alert creation, or automated response playbooks. Option C is wrong because Microsoft Defender for Office 365 is specifically designed to protect email, SharePoint, OneDrive, and Teams from threats like phishing and malware, and it cannot ingest or analyze logs from on-premises Windows servers, Azure VMs, or AWS workloads. Option D is wrong because Microsoft Defender for Identity is an on-premises Active Directory security solution that uses signals from domain controllers to detect identity-based attacks, but it lacks the multi-source log ingestion, correlation, and SOAR capabilities required for a hybrid environment with AWS workloads.

456
MCQ · hard

Your organization uses Microsoft Purview Information Protection to classify and protect documents. You have created a sensitivity label that applies encryption to documents marked as 'Confidential'. Users are able to apply the label manually. However, you need to ensure that all documents containing personally identifiable information (PII) are automatically labeled as 'Confidential' when they are saved to SharePoint Online. What should you configure?

A. Create an auto-labeling policy in Microsoft Purview that scans for PII sensitive info types and applies the 'Confidential' label.
B. Configure a default label for SharePoint libraries so that all documents are labeled 'Confidential'.
C. Create a Data Loss Prevention (DLP) policy that blocks sharing of PII.
D. Train users to apply the 'Confidential' label manually when they create documents with PII.
Answer: A

Auto-labeling policies can scan and apply labels automatically.

Why this answer

Option A is correct because auto-labeling policies in Microsoft Purview can scan documents for sensitive info types and apply labels automatically. Option D is wrong because manual labeling does not meet the automatic requirement. Option C is wrong because DLP policies block sharing but do not apply labels.

Option B is wrong because a default label applies to new documents but does not scan existing content.

457
MCQ · easy

A company uses Microsoft Defender for Cloud to improve their cloud security posture. They want to see an aggregated score that reflects how well their resources are protected against threats. Which feature in Defender for Cloud provides this?

A. Compliance dashboard
B. Security Score
C. Cloud Security Posture Management (CSPM)
D. Workload protections
Answer: B

Correct. The Security Score is an aggregated metric based on implemented security controls and recommendations, reflecting the overall security posture.

Why this answer

The Security Score in Microsoft Defender for Cloud aggregates findings from security assessments and controls into a single percentage score, reflecting how well resources are protected against threats. It is based on the Secure Score algorithm, which calculates the ratio of passed controls to total controls, weighted by the potential impact of each control. This provides a unified, quantitative measure of cloud security posture.

Exam trap

The trap here is that candidates confuse the broader Cloud Security Posture Management (CSPM) capability with the specific Security Score feature, but CSPM is the umbrella term for posture management, while Security Score is the concrete metric that provides the aggregated score.

How to eliminate wrong answers

Option A is wrong because the Compliance dashboard maps security controls to regulatory standards (e.g., SOC 2, ISO 27001) and shows compliance status, not an aggregated threat protection score. Option C is wrong because Cloud Security Posture Management (CSPM) is the overarching capability that includes security assessments, hardening recommendations, and the Security Score; the question asks for the specific feature that provides the aggregated score, not the broader capability. Option D is wrong because Workload protections focus on advanced threat detection and response for specific workloads (e.g., servers, databases) using tools like Just-In-Time VM access and adaptive application controls, not an aggregated security score.

458
MCQ · easy

Your organization uses Microsoft Entra ID for identity management. You need to require multi-factor authentication (MFA) for all users when accessing the Azure portal. Which feature should you use?

A. Privileged Identity Management
B. Identity Protection user risk policy
C. Entra ID P1 license
D. Conditional Access policy
Answer: D

Conditional Access allows you to require MFA for specific cloud apps.

Why this answer

Option D is correct because Conditional Access policies in Entra ID allow you to enforce MFA for specific applications. Option C is wrong because Entra ID P1 is the license that includes Conditional Access; the feature itself is Conditional Access. Option B is wrong because Identity Protection detects risks but does not enforce MFA directly.

Option A is wrong because Privileged Identity Management manages elevated roles, not MFA.

459
MCQ · hard

A security team needs to detect and automatically respond to ransomware attacks on Windows servers and desktops. They require the solution to automatically isolate affected devices from the network and, if necessary, roll back files that have been modified by ransomware using a built-in recovery feature. Which Microsoft security solution provides these specific capabilities?

A. Microsoft Defender for Cloud Apps
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365
D. Microsoft Defender for Identity
Answer: B

Correct. Defender for Endpoint provides endpoint detection and response (EDR), including automated investigation, device isolation, and the ability to roll back files modified by ransomware using cloud-delivered protection and continuous monitoring.

Why this answer

Microsoft Defender for Endpoint (MDE) provides automated investigation and remediation capabilities that include network containment (isolating a device from the network) and rollback of files modified by ransomware using its built-in recovery feature. This is achieved through MDE's endpoint detection and response (EDR) and automated investigation capabilities, which can trigger device isolation and file restoration from Volume Shadow Copy or MDE's own rollback mechanism.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud Apps (a CASB) with endpoint protection, or assume that Defender for Office 365 covers all ransomware scenarios, when in fact only Defender for Endpoint provides the specific combination of device isolation and file rollback on Windows endpoints.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Cloud Apps is a cloud access security broker (CASB) focused on securing cloud applications and data, not on endpoint-level ransomware detection, device isolation, or file rollback on Windows servers and desktops. Option C is wrong because Microsoft Defender for Office 365 protects email, SharePoint, OneDrive, and Teams from threats like phishing and malware, but it does not provide endpoint isolation or file rollback on Windows servers and desktops. Option D is wrong because Microsoft Defender for Identity monitors on-premises Active Directory for identity-based attacks (e.g., lateral movement, privilege escalation) and does not include endpoint device isolation or ransomware file recovery capabilities.

460
MCQ · medium

A company has deployed Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps. The security operations team wants a single, unified portal where they can view alerts from all these products, perform cross-domain investigations, and orchestrate automated response actions. Which Microsoft security solution should they use?

A. Microsoft Sentinel
B. Microsoft 365 Defender
C. Microsoft Defender for Cloud
D. Microsoft Defender for Endpoint
Answer: B

Correct. Microsoft 365 Defender is the unified portal that correlates alerts and incidents from Defender for Endpoint, Office 365, Identity, and Cloud Apps, enabling cross-domain investigations and automated response.

Why this answer

Microsoft 365 Defender is the correct answer because it is a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and cloud applications. It provides a single portal (security.microsoft.com) where alerts from Defender for Endpoint, Defender for Office 365, Defender for Identity, and Defender for Cloud Apps are correlated into incidents, enabling cross-domain investigation and automated response via playbooks and the Microsoft 365 Defender API.

Exam trap

The trap here is that candidates often confuse Microsoft Sentinel (a SIEM) with the unified Microsoft 365 Defender portal, not realizing that Sentinel is an aggregator for multiple data sources, while Microsoft 365 Defender is the native unified console for the Defender product family itself.

How to eliminate wrong answers

Option A is wrong because Microsoft Sentinel is a cloud-native SIEM and SOAR solution that ingests logs and alerts from multiple sources, but it is not the unified portal for Microsoft 365 Defender products; it aggregates data from those products and others, requiring additional configuration and cost. Option C is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and cloud workload protection platform (CWPP) focused on securing Azure, hybrid, and multi-cloud resources, not a unified incident response portal for the Microsoft 365 Defender product family. Option D is wrong because Microsoft Defender for Endpoint is specifically an endpoint detection and response (EDR) solution; while it has its own portal, it does not natively unify alerts from Defender for Office 365, Defender for Identity, and Defender for Cloud Apps into a single cross-domain investigation experience.

461
Multi-Select · hard

Which TWO of the following are capabilities of Microsoft Sentinel? (Choose two.)

Select 2 answers
A. Security information and event management (SIEM)
B. Security orchestration, automation, and response (SOAR)
C. Endpoint detection and response (EDR)
D. Vulnerability scanning
E. Data classification and labeling
Answers: A, B

Sentinel is a cloud-native SIEM solution for collecting and analyzing security data.

Why this answer

Microsoft Sentinel is a cloud-native Security Information and Event Management (SIEM) solution that aggregates log data from across an organization to detect, investigate, and respond to threats. It also provides Security Orchestration, Automation, and Response (SOAR) capabilities through built-in playbooks and automation rules, enabling automated incident response workflows.

Exam trap

The trap here is that candidates confuse Microsoft Sentinel's ability to ingest and correlate EDR alerts with actually performing EDR functions, leading them to select 'Endpoint detection and response' as a Sentinel capability.

462
Multi-Select · medium

Which THREE are features of Microsoft Defender for Cloud?

Select 3 answers
A. Just-in-time VM access
B. Secure Score
C. Data classification
D. Regulatory compliance dashboard
E. Incident investigation
Answers: A, B, D

JIT access reduces exposure by controlling VM access.

Why this answer

Just-in-time (JIT) VM access is a feature of Microsoft Defender for Cloud that reduces exposure to brute-force attacks by locking down inbound traffic to VMs. It allows you to control when specific ports (e.g., RDP port 3389 or SSH port 22) are opened on demand, based on role-based access control (RBAC) and approved requests, and automatically closes them after a configured time window.

Exam trap

The trap here is that candidates confuse Microsoft Defender for Cloud's security alerts and recommendations with the full incident investigation and hunting capabilities of Microsoft Sentinel, or they mistakenly associate data classification (a Purview feature) with Defender for Cloud's workload protection.

463
MCQ · medium

A company uses Microsoft 365 and wants to protect against sophisticated phishing attacks that use malicious links in email. They also want real-time analysis of URLs at the time of click. Which Microsoft Defender for Office 365 feature provides this?

A. Safe Links
B. Safe Attachments
C. Anti-spam
D. Anti-malware
Answer: A

Correct. Safe Links proactively protects users from malicious URLs by scanning links at the time of click, blocking access to harmful sites.

Why this answer

Safe Links is the correct answer because it provides URL scanning and real-time click-time verification of links in email messages and Office documents. When a user clicks a link, Defender for Office 365 checks the URL against a dynamic list of known malicious sites and performs a real-time analysis to determine if the link is safe at that moment, protecting against sophisticated phishing attacks that use malicious links.

Exam trap

The trap here is that candidates often confuse Safe Links with Safe Attachments, but Safe Attachments focuses on file-based malware detonation, not on real-time URL analysis at the moment of click.

How to eliminate wrong answers

Option B (Safe Attachments) is wrong because it scans email attachments for malware by detonating them in a sandbox environment, not by analyzing URLs at the time of click. Option C (Anti-spam) is wrong because it filters incoming email based on spam criteria (e.g., bulk mail, spoofing) and does not perform real-time URL analysis at click time. Option D (Anti-malware) is wrong because it detects and removes known malware signatures from email and files, but it does not provide dynamic, click-time URL verification against phishing links.

464
MCQ · medium

A company uses Microsoft 365 and stores many business documents in SharePoint Online and OneDrive. The security team wants to automatically detect and block malicious files (e.g., those containing ransomware or other malware) that are uploaded to these document libraries. Files should be scanned and held until proven safe. Which Microsoft security solution should they enable to provide this protection?

A. Microsoft Defender for Endpoint
B. Microsoft Defender for Identity
C. Microsoft Defender for Office 365
D. Microsoft Defender for Cloud
Answer: C

Defender for Office 365 includes Safe Attachments for SharePoint, OneDrive, and Teams, which scans and blocks malicious files in those locations. It also provides Safe Links and anti-phishing protection.

Why this answer

Microsoft Defender for Office 365 includes Safe Attachments for SharePoint, OneDrive, and Microsoft Teams, which automatically scans files uploaded to these document libraries. If a file is detected as malicious (e.g., ransomware or malware), it is blocked and held in quarantine until it is proven safe, providing the exact protection described in the scenario.

Exam trap

The trap here is that candidates often confuse Microsoft Defender for Office 365 with Microsoft Defender for Endpoint, assuming endpoint protection covers cloud storage scanning, but Safe Attachments is a specific feature of Defender for Office 365 that protects SharePoint and OneDrive at the file level.

How to eliminate wrong answers

Option A is wrong because Microsoft Defender for Endpoint focuses on endpoint detection and response (EDR) for devices, not on scanning files in cloud storage like SharePoint or OneDrive. Option B is wrong because Microsoft Defender for Identity monitors on-premises Active Directory signals to detect identity-based attacks, not file uploads in cloud document libraries. Option D is wrong because Microsoft Defender for Cloud is a cloud security posture management (CSPM) and workload protection solution for Azure, AWS, and GCP resources, not for scanning files in Microsoft 365 document libraries.

465
Multi-Select · hard

Which THREE Microsoft Purview solutions support data classification and labeling? (Choose THREE.)

Select 3 answers
A. Information Protection
B. Insider Risk Management
C. Data Lifecycle Management
D. Communication Compliance
E. Data Loss Prevention
Answers: A, C, E

Information Protection provides classification and labeling capabilities.

Why this answer

Microsoft Purview Information Protection handles classification and labeling of data. Data Loss Prevention uses labels to enforce policies. Data Lifecycle Management uses labels for retention and deletion.

Communication Compliance monitors communications but does not directly classify or label data. Insider Risk Management identifies risky activities but does not classify data.

466
MCQ · medium

A security administrator needs to enforce that all Microsoft 365 documents containing credit card numbers are automatically encrypted before being shared externally. Which Microsoft Purview solution should they use?

A. Microsoft Purview Audit
B. Microsoft Purview Communication Compliance
C. Microsoft Purview Data Loss Prevention
D. Microsoft Purview Information Protection
Answer: C

Correct: DLP policies can detect sensitive data and apply encryption automatically.

Why this answer

Option C is correct because Data Loss Prevention (DLP) policies can detect sensitive information such as credit card numbers and automatically apply encryption. Option D (Information Protection) applies labels but does not auto-encrypt based on content.

Option A (Audit) logs events. Option B (Communication Compliance) monitors communications.

467
MCQ · hard

During a security incident, a SOC analyst needs to investigate a compromised user account that accessed multiple cloud apps. Which Microsoft Defender XDR feature provides a unified view of the attack timeline across endpoints, identities, and cloud apps?

A. Incident response
B. Microsoft Secure Score
C. Advanced hunting
D. Action center
Answer: A

Incidents aggregate related alerts from all workloads.

Why this answer

Option A is correct because incident response in Microsoft Defender XDR correlates alerts across domains into a single incident. Option C (Advanced hunting) is for custom queries.

Option B (Secure Score) is for posture improvement. Option D (Action center) is for remediation actions.

468
MCQ · medium

A company runs Azure SQL databases containing customer transaction data. The security team needs to detect and alert on suspicious database access patterns, such as SQL injection attempts or access from unusual locations. Which Microsoft security solution should they enable?

A. Microsoft Defender for Cloud
B. Microsoft Defender for Endpoint
C. Microsoft Defender for Office 365
D. Microsoft Sentinel
Answer: A

Defender for Cloud includes advanced threat protection for Azure SQL databases, detecting suspicious activities like SQL injection and unusual access patterns.

Why this answer

Microsoft Defender for Cloud provides advanced threat protection for Azure SQL databases, including anomaly detection for suspicious activities like SQL injection and unusual access patterns. It uses machine learning to baseline normal database behavior and triggers alerts when deviations occur, such as access from atypical geographic locations or malicious query patterns.

Exam trap

The trap here is that candidates may confuse Microsoft Defender for Cloud's database-specific threat detection with Microsoft Sentinel's broader SIEM capabilities, but the question explicitly asks for a solution that detects and alerts on suspicious database access patterns, which is a built-in feature of Defender for Cloud, not Sentinel.

How to eliminate wrong answers

Option B is wrong because Microsoft Defender for Endpoint focuses on protecting endpoints (e.g., workstations, servers) from malware and advanced attacks, not on monitoring database access patterns or SQL injection attempts. Option C is wrong because Microsoft Defender for Office 365 is designed to secure email and collaboration tools (e.g., Exchange Online, SharePoint) against phishing and malware, not Azure SQL databases. Option D is wrong because Microsoft Sentinel is a SIEM/SOAR solution for aggregating and analyzing security logs from multiple sources, but it does not natively provide the built-in, database-specific threat detection for Azure SQL that Defender for Cloud offers; Sentinel would require additional configuration and data ingestion to achieve similar detection.

469
MCQ · hard

Refer to the exhibit. A security analyst runs the KQL query in Microsoft Defender for Endpoint. The query returns no results. What is the most likely cause?

A. The device has a risk score of zero
B. The device runs macOS
C. The analyst lacks permissions to view the device
D. The device is not onboarded to Defender for Endpoint
Answer: D

If the device is not onboarded, no DeviceInfo record exists.

Why this answer

The query targets the DeviceInfo table, which exists in Microsoft Defender for Endpoint, so the table name itself is not the problem. If the device has not been onboarded, no DeviceInfo record exists for it and the query returns no results. Option D is correct.

Option A (risk score) would still return a row if the device existed. Option B (OS) is not a filter in the query. Option C (permissions) would cause an error, not empty results.

470
MCQ · medium

A global company uses Microsoft Teams and SharePoint Online. They need to automatically detect and prevent sharing of intellectual property files containing 'Project X' with external users. What should they configure?

A. Microsoft Entra ID Access Reviews
B. Microsoft Purview Sensitivity Labels
C. Microsoft Purview Data Loss Prevention policy for SharePoint and OneDrive
D. Microsoft Defender for Cloud Apps Session Policy
Answer: C

DLP policies can detect and block sharing of sensitive content.

Why this answer

Option C is correct because Microsoft Purview DLP policies can monitor and block sharing of sensitive content in Teams and SharePoint. Option B is wrong because sensitivity labels classify content manually but do not automatically block sharing. Option D is wrong because Microsoft Defender for Cloud Apps focuses on SaaS app security, not DLP.

Option A is wrong because Microsoft Entra ID Access Reviews are for identity governance.
