Microsoft Security Operations Analyst Associate Practice Test (SC-200)
Microsoft Security Operations Analyst Associate SC-200 Information
The Microsoft Security Operations Analyst Associate certification, exam code SC-200, is designed for professionals who monitor, investigate, and respond to security incidents across hybrid and cloud environments. This exam validates the candidate’s ability to use Microsoft Defender, Microsoft Sentinel, and Microsoft 365 Defender to mitigate threats and reduce organizational risk. Preparing with SC-200 practice tests, exam simulations, and practice questions can help test takers strengthen their understanding of security alerts, incident management, and threat hunting—key domains covered in the exam.
SC-200 Practice Tests and Preparation
To pass the SC-200, candidates should become familiar with analyzing threat data, responding to security incidents, and configuring Microsoft security tools. Using Microsoft SC-200 practice exams allows learners to experience real-world scenarios and identify weak areas before sitting for the official test. Many students find that completing practice questions on incident investigation and automated response enhances confidence and helps them retain crucial concepts such as KQL (Kusto Query Language), data connectors, and playbooks in Microsoft Sentinel.
Why Take SC-200 Practice Exams
The Microsoft Security Operations Analyst Associate exam is not just about theory—it tests practical knowledge of security operations in live environments. Regularly using SC-200 practice tests provides exposure to the style and difficulty of Microsoft’s real exam items, ensuring candidates are fully prepared. Whether you’re an aspiring security analyst or already working in cybersecurity, consistent use of practice exams and scenario-based questions can be the difference between a passing score and a retake, making this certification an essential step for anyone pursuing a career in security operations.

Free Microsoft Security Operations Analyst Associate SC-200 Practice Test
- 20 Questions
- Unlimited time
- Manage a security operations environment
- Configure protections and detections
- Manage incident response
- Manage security threats
Your organization ingests data from dozens of sources into a single Microsoft Sentinel workspace. To keep costs predictable, you must receive an alert whenever the amount of data written to any table suddenly surges beyond its historical baseline. You want to rely on Microsoft Sentinel's built-in monitoring features and avoid writing a custom Kusto Query Language (KQL) rule. Which capability should you enable first to meet the requirement?
Configure a daily cap on data ingestion for the workspace.
Enable the Ingestion volume anomalies analytics rule template.
Enable the Entity behavior analytics rule template.
Deploy the Usage and estimated costs workbook and configure email notifications.
Answer Description
Microsoft Sentinel includes a built-in analytics rule template named Ingestion volume anomalies. When enabled, the rule automatically learns normal ingestion patterns for each table and generates an incident if the current volume sharply exceeds the historical baseline. A daily cap limits cost but produces no alert, the Usage and estimated costs workbook is only for interactive review, and the Entity behavior analytics template focuses on user and host behavior rather than ingestion metrics.
Your organization uses Microsoft Purview Insider Risk Management. A security operations analyst opens a high-severity insider risk alert in the Microsoft Defender portal but cannot preview the SharePoint documents that triggered the alert; the viewer displays "Preview not available." You must ensure the analyst can see full file and email content during future investigations without giving unnecessary additional rights. Which role group should you assign to the analyst?
Insider Risk Management Analysts
Insider Risk Management Investigators
Compliance Data Administrator
eDiscovery Manager
Answer Description
Only members of the Insider Risk Management Investigators role group can open and read the full content of files and emails referenced in insider risk alerts. Insider Risk Management Analysts can review alert metadata and user activity timelines but cannot see content. Compliance Data Administrators and eDiscovery Managers have capabilities in other Microsoft Purview areas but do not grant the specific permission required to preview insider risk evidence.
Your organization has already onboarded all Windows 11 client PCs to Microsoft Defender for Endpoint (MDE). You now enable the built-in device discovery feature and leave the settings unchanged, which keeps the feature in its default mode.
How will MDE detect Windows computers that are still connected to the corporate network but not yet onboarded to MDE?
Each onboarded Windows PC passively listens to local broadcast traffic (for example, ARP and DHCP) to identify nearby hosts that are not sending signals to MDE, and lists them as unmanaged.
The Defender for Endpoint cloud service cross-references Azure AD sign-in logs and flags computer names that have never sent security data.
Every onboarded Windows PC performs an active ICMP ping sweep and TCP port scan of its subnet to locate hosts that are not protected.
An Azure Arc agent is automatically deployed to each subnet to report machines that are not onboarded to MDE.
Answer Description
When device discovery is enabled and left in its default Basic mode, the SenseNDR component on each onboarded Windows device passively captures local network traffic such as ARP, DHCP, DNS, and NetBIOS broadcasts. From this broadcast traffic it infers the presence of other hosts on the same subnet. Any host that appears in the traffic but does not report itself to the MDE service is added to the device inventory as an unmanaged device. Basic mode never initiates active ICMP ping sweeps or TCP port scans. Those active probes are performed only when an administrator explicitly switches discovery to Standard mode. No additional agents such as Azure Arc are required for either mode because the existing Defender for Endpoint sensor performs the discovery work.
You are creating a custom Microsoft Sentinel workbook that must work in any Sentinel-enabled Log Analytics workspace without editing the query each time the workbook is imported. You add a query control and need the Kusto Query Language (KQL) query to refer to the workspace that the workbook is currently connected to. Which KQL construct should you use to make the query automatically scope to the active workspace when the workbook runs?
workspace('Contoso-Sentinel')
workspaces(Guid1, Guid2)
workspaceGuid()
workspace()
Answer Description
When you want a query in an Azure Monitor or Microsoft Sentinel workbook to run against the workspace the workbook is opened from, you do not hard-code the workspace name. Instead, you use the workspace() function without arguments. At run time the workbook engine replaces the empty workspace() call with the ID of the currently selected Log Analytics workspace, so the query always scopes itself correctly after the workbook is copied to or opened from another workspace.
Hard-coding a workspace name inside workspace('Contoso-Sentinel') would force the query to run against that specific workspace only. The workspaceGuid() and workspaces() functions require you to supply one or more explicit workspace identifiers, so they cannot adjust automatically.
You are writing a Kusto Query Language (KQL) query for a scheduled analytics rule in Microsoft Sentinel. The query returns a column named UserPrincipalName that contains the sign-in name of the offending account. You need Microsoft Sentinel to recognize this value as a user entity so that it appears automatically on the investigation graph without any further manual mapping in the rule wizard.
What should you add to the query?
extend AccountCustomEntity = UserPrincipalName
extend User = UserPrincipalName
convert_to_entity(UserPrincipalName)
project-rename Account = UserPrincipalName
Answer Description
Microsoft Sentinel detects entities in query results when the column name matches the pattern
While investigating an incident, you open the Device timeline for a Windows 11 computer in the Microsoft Defender portal. The timeline currently shows all event times in the endpoint's local time zone, but your investigation notes are recorded in Coordinated Universal Time (UTC). You need the timeline to display every event in UTC so you can correlate the data with your notes.
What should you do?
Click the Refresh button so the timeline reloads in the portal's default time zone (UTC).
Select the UTC option in a time-zone toggle located above the event list.
In the Microsoft Defender portal, open Settings, select Preferences, and change the time-zone setting to Coordinated Universal Time (UTC), then reload the timeline.
Export the timeline to a CSV file and convert the timestamps to UTC in a spreadsheet.
Answer Description
Microsoft Defender for Endpoint does not provide a per-timeline time-zone toggle. To change how times are shown, you must adjust the time-zone preference for your session in the Microsoft Defender portal. Go to Settings, open Preferences, set the time-zone setting to Coordinated Universal Time, and then reload the timeline. Exporting the timeline, merely refreshing the view, or changing the locale (which affects only language and number formats) will not switch the displayed timestamps to UTC.
You connected Azure Active Directory (Azure AD) sign-in logs to a Microsoft Sentinel workspace. However, the Entity behavior blade shows zero user anomalies and no user profiles are displayed. To start generating user and entity behavior analytics (UEBA) insights, which action should you perform first?
Create a watchlist that contains all Azure AD user principal names.
Deploy the built-in UEBA workbook from Microsoft Sentinel's Content hub.
Enable the User and entity behavior analytics feature for the workspace in Microsoft Sentinel Settings.
Add the "Behavior analytics" rule type to the existing Sign-in logs analytics rule.
Answer Description
Microsoft Sentinel does not calculate or display UEBA insights until the User and entity behavior analytics (UEBA) feature is explicitly turned on for the workspace. Enabling UEBA in the Settings page activates the profiling pipeline that builds user and host profiles from ingested identity, authentication, and activity data. Without this setting, connecting Azure AD logs alone will not populate the Entity behavior blade, and creating additional workbooks, watchlists, or analytic rules will not start the underlying analytics. Once UEBA is enabled, Sentinel begins processing the Azure AD sign-in data to surface anomalous behaviors.
You create two Microsoft Defender for Endpoint device groups. FinanceGroup has a rank of 100 and its automation level is set to Full remediation. SensitiveGroup has a rank of 10 and its automation level is set to Semi-automated. A domain-joined workstation meets the membership conditions of both groups and is successfully onboarded. Which automation level will Microsoft Defender for Endpoint enforce on the workstation?
Full remediation, because FinanceGroup has a higher (numerically larger) rank than SensitiveGroup.
Full remediation, because Microsoft Defender for Endpoint always applies the least restrictive automation level when multiple groups match.
Semi-automated, because Microsoft Defender for Endpoint uses the automation level from the group that was created most recently.
Semi-automated, because SensitiveGroup has higher priority due to its lower rank value.
Answer Description
When a device matches more than one Microsoft Defender for Endpoint (MDE) device group, the group with the highest priority (that is, the lowest numeric rank value) takes precedence. Because SensitiveGroup has a rank of 10, it outranks FinanceGroup, which has a rank of 100. Therefore, MDE will apply the automation level configured for SensitiveGroup (Semi-automated) to the device. The platform does not choose the most or least restrictive setting, nor does creation time affect precedence; only the rank value determines which group wins.
You are investigating a suspected mailbox compromise. Your goal is to verify whether anyone other than the mailbox owner has viewed messages in the mailbox during the last seven days and to learn the source IP address that was used. You decide to run a search in the Microsoft Purview compliance portal's unified audit log. Which audit-log activity and field combination will give you the required evidence in a single record?
Filter for the MailboxLogin activity and read the DeviceId field.
Filter for the AzureActiveDirectoryStsLogon activity and read the IPAddress field.
Filter for the ExchangeAdmin activity and read the MailboxAccessType field.
Filter for the MailItemsAccessed activity and read the ClientIP field.
Answer Description
The MailItemsAccessed activity is logged whenever any user or process opens or previews a message in an Exchange Online mailbox. Each MailItemsAccessed record contains a ClientIP property that stores the IP address from which the access occurred, allowing you to tie the item access to a specific network location. MailboxLogin events record only the act of signing in, not item access, and ExchangeAdmin or Azure AD sign-in events do not show when individual mailbox items were opened.
You are writing an advanced hunting query in Microsoft Defender XDR to locate executable files whose SHA256 value matches any hash in a predefined string array named targetHashes. The comparison must be case-sensitive and must match the whole hash value only, not a substring. Which Kusto Query Language (KQL) operator should you use in the where clause to meet the requirement?
has_any
contains_cs
in
contains
Answer Description
The in operator compares the value of a column to a comma-separated list (or to the contents of a scalar dynamic array) using case-sensitive, whole-string equality. This satisfies the need to match the complete SHA256 value exactly as it appears in targetHashes.
- in is case-sensitive by default and does not perform substring matching.
- contains and contains_cs perform substring searches, so they would return false positives for hashes that only partially match.
- has_any is designed to look for any element of an array inside a dynamic array column, not to compare a scalar column against an external list.
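As an added example (not part of the practice test), this is the kind of advanced hunting query the question describes; targetHashes holds constructed placeholder values rather than real indicators, and the process-creation table is used because it records the SHA256 of each executable that ran:

```kql
// Added example, not from the practice test. The two hashes are constructed
// placeholders, not real indicators; substitute values from your own watchlist.
let targetHashes = dynamic([
    "0000000000000000000000000000000000000000000000000000000000000001",
    "0000000000000000000000000000000000000000000000000000000000000002"
]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// 'in' compares the whole SHA256 value for equality and is case-sensitive,
// so a hash that only partially matches, or differs in case, is not returned.
| where SHA256 in (targetHashes)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA256, ProcessCommandLine
| order by Timestamp desc
```

Defender stores SHA256 values as lowercase hex, so if a threat feed supplies uppercase hashes, lowercase the feed before building targetHashes (or use the case-insensitive in~ form); otherwise the exact match silently returns nothing.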
Your organization has deployed Microsoft Security Copilot (preview) by adding its enterprise application to Microsoft Entra ID. You must give members of the Security Operations Center the ability to ask questions, upload investigation data, and create or run promptbooks in Security Copilot, but they must not be allowed to manage plugins, change workspace settings, or assign access to other users. Which built-in application role should you assign to the SOC group in the Security Copilot enterprise application?
Security Copilot Contributor
Security Copilot Reader
Security Copilot Administrator
Security Copilot Responder
Answer Description
Security Copilot provides four built-in application roles that can be assigned in Microsoft Entra ID:
- Security Copilot Administrator - full control, including managing settings, plugins, and access assignments.
- Security Copilot Contributor - can interact with Copilot, upload data, and create or run promptbooks, but cannot manage plugins, workspace settings, or role assignments.
- Security Copilot Responder - can run prompts and view responses but cannot create promptbooks.
- Security Copilot Reader - can only view existing content.
Because the SOC analysts need to create and run promptbooks and upload investigation data, they require more than Reader or Responder rights. However, they must be prevented from tenant-level administration, so the Administrator role is too permissive. The Contributor role meets all requirements without granting unnecessary administrative privileges, making it the correct choice.
Your organization has three device groups in Microsoft Defender XDR. The Cross-Tenant group is set to Full - remediate automatically. You need devices in the Finance group to generate automated investigations but hold each recommended action until an analyst approves it, while still allowing other groups to auto-remediate. Which automation level should you assign to the Finance group?
Semi - require approval for non-severe remediation
No automatic remediation
Semi - require approval for any remediation
Full - remediate automatically
Answer Description
Automation levels are configured per device group in Microsoft Defender XDR.
- Full - remediate automatically: every remediation action is applied without analyst input.
- Semi - require approval for any remediation: investigations run automatically but no remediation action is implemented until an analyst approves it.
- Semi - require approval for non-severe remediation: only actions with low or medium impact require approval; high-impact actions are applied automatically.
- No automatic remediation: automated investigations are not run at all.
Because Finance must still benefit from automated investigations but must always wait for analyst confirmation before any remediation occurs, you must select Semi - require approval for any remediation. This satisfies the requirement while leaving other groups at the Full level.
Several employees report a suspicious email that was delivered four days ago and is still sitting in multiple mailboxes. Your company has Microsoft 365 E5 licenses with Microsoft Defender for Office 365 Plan 2. You must immediately remove the message from every mailbox but still keep a copy available to Security Operations Center (SOC) investigators for eDiscovery. Which action should you take in the Microsoft Defender portal?
Trigger an Automated Investigation and Response (AIR) playbook for phishing from the Email entity page.
Add the sender's domain to the Tenant Allow/Block List to block future messages from the sender.
Use Threat Explorer to locate the message and run the Soft delete action across all affected mailboxes.
Enable or update a Safe Links policy that rewrites the URL contained in the email.
Answer Description
In Microsoft Defender for Office 365, Threat Explorer (or Real-time detections) lets you locate a specific message and take remediation actions across all mailboxes. Choosing the Soft delete action removes the mail item from users' visible folders and places it in the Recoverable Items folder, so end users can no longer access it while investigators can still retrieve the message through eDiscovery. An Automated Investigation or Safe Links policy does not retroactively delete already-delivered mail, and blocking the sender prevents future messages but leaves the existing message in place.
You manage Microsoft Defender for Cloud Apps for an organization that uses SharePoint Online and OneDrive for Business. Compliance requires that any document uploaded by users that contains a U.S. Social Security number must automatically receive the Confidential sensitivity label so that encryption is enforced. Which Defender for Cloud Apps configuration should you implement to meet the requirement?
Create an activity policy that monitors upload events for sensitive information and sends an alert email to administrators.
Enable a built-in anomaly detection policy that identifies publicly shared files containing sensitive data and triggers a security investigation.
Create a file policy that detects the U.S. Social Security Number sensitivity information type and uses the Apply sensitivity label governance action to assign the Confidential label.
Create a session policy that blocks file downloads unless users provide a business justification when sensitive information is detected.
Answer Description
Only a file policy can inspect files at rest across connected cloud storage services and take governance actions on the affected files. By selecting the built-in U.S. Social Security Number data classification as the content inspection criterion and choosing the Apply sensitivity label governance action, Defender for Cloud Apps will automatically apply the Confidential label to matching files in SharePoint Online or OneDrive for Business. Activity policies and session policies work in near real time but cannot assign Microsoft Purview Information Protection labels, and anomaly detection policies are limited to behavioral anomalies rather than deterministic DLP actions.
You are investigating a Pass-the-Ticket alert raised by Microsoft Defender for Identity in the Microsoft Defender portal. The alert shows the service account svc-sql01 requesting Kerberos tickets for many resources in a short period, originating from the server SRV-APP01. No legitimate maintenance was scheduled. To block any further lateral movement while still allowing incident responders to gather evidence, which response action should you initiate directly from the alert page?
Trigger a Kerberos ticket cache purge on the domain controller hosting SRV-APP01.
Suspend the svc-sql01 user account in Active Directory by using the Suspend user in Active Directory response action.
Reset the machine account password for SRV-APP01 by using remote PowerShell.
Isolate SRV-APP01 from the network by using Microsoft Defender for Endpoint.
Answer Description
Microsoft Defender for Identity surfaces the Suspend user in Active Directory response action. Suspending the svc-sql01 account immediately blocks new Kerberos authentications but leaves the account intact, preserving forensic evidence. Although the Isolate device action is also available, it targets the host and could disrupt evidence collection on SRV-APP01. Resetting the computer account password affects only the machine account, and purging the Kerberos ticket cache on a domain controller cannot be triggered from the portal.
You manage Windows 10 devices that are onboarded to Microsoft Defender for Endpoint and enrolled in Intune. Two endpoint security profiles target the same devices. Profile A sets the attack surface reduction rule "Block Office applications from creating child processes" to Audit, whereas Profile B sets the same rule to Block. Both profiles apply successfully. After policy processing, which enforcement mode will the rule use on the devices?
The rule runs in Audit mode on the devices.
The rule is disabled because the conflicting settings cancel each other.
The rule alternates between Audit and Block depending on which policy applies last.
The rule runs in Block mode on the devices.
Answer Description
When multiple Intune policies configure the same ASR rule, Windows applies the most restrictive action. The order of restrictiveness is Block (enabled), then Warn, Audit, and finally Disabled. Because one profile sets the rule to Block and another to Audit, Block is considered more restrictive and therefore wins. The rule will run in Block mode, preventing Office applications from starting child processes. The Audit setting is ignored.
You deployed Microsoft Defender for Cloud Apps (MDCA) and connected it to Microsoft 365. Compliance requires that users must be stopped during a download if the SharePoint Online file they request carries the Confidential sensitivity label. The users should also see a notification that explains why the download is blocked. Which MDCA policy type and control should you configure to meet this requirement?
Create an activity policy that sends an alert email when a Confidential file is downloaded from SharePoint Online.
Create a file policy that applies the Remove sharing governance action when a file is labeled Confidential.
Create an anomaly detection policy for potential data exfiltration and configure it to suspend user sessions when triggered.
Create a session policy that uses the Block download (with custom message) control and targets files whose sensitivity label is Confidential.
Answer Description
Real-time inspection of traffic to and from a cloud app is achieved in MDCA through session policies, which rely on Conditional Access App Control. A session policy can examine each download request as it happens and, based on file attributes such as Microsoft Purview sensitivity labels, enforce controls like Block download (with custom message). File or activity policies act after the operation is complete, and anomaly detection policies are intended for behavioral analytics, so none of them can stop the download in real time or present an immediate block message.
During an advanced hunting investigation in Microsoft Defender XDR, you need to locate any process that attempted to start PowerShell with a Base64-encoded command (for example, the command line contains "powershell.exe -enc"). Which advanced hunting table should you query to retrieve the full command-line string for each process creation event?
DeviceNetworkEvents
DeviceFileEvents
DeviceRegistryEvents
DeviceProcessEvents
Answer Description
The DeviceProcessEvents table records every process creation on protected endpoints and stores the complete command-line string in its CommandLine field. By filtering this table for values such as "powershell.exe" and "-enc", you can identify instances where PowerShell was launched with Base64-encoded input. Although tables like DeviceNetworkEvents, DeviceRegistryEvents, and DeviceFileEvents include an InitiatingProcessCommandLine value for the process that triggered the respective network, registry, or file event, they are not guaranteed to capture all process launches. DeviceProcessEvents is the authoritative source for comprehensive process-creation details.
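An added hunting query (not from the practice test) that applies this answer: it filters DeviceProcessEvents for PowerShell launched with an encoded command, pulls the Base64 blob out of the command line and decodes it so an analyst can read what was run. In the table schema the command-line column is named ProcessCommandLine.

```kql
// Added example, not from the practice test.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
// -enc is one of several abbreviations of -EncodedCommand that PowerShell accepts
| where ProcessCommandLine matches regex @"(?i)\s-(e|ec|en|enc|encodedcommand)\s"
| extend EncodedBlob = extract(@"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", 1, ProcessCommandLine)
// The blob is UTF-16LE text, so the decoded string carries a null after each
// ASCII character; replace_regex strips those nulls for readability.
| extend DecodedCommand = replace_regex(base64_decode_tostring(EncodedBlob), @"\x00", "")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessCommandLine, DecodedCommand
| order by Timestamp desc
```

The parent process columns are included because the same encoded launch looks very different when started by an Office application or a script host than when started by an administrator's console.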
You are investigating a widespread phishing attack in Microsoft Defender for Office 365. In Threat Explorer you have selected all instances of the malicious message. You need to ensure that the email is removed from every affected mailbox so users cannot interact with it, but you also want to keep a copy that security analysts can later download for forensic analysis. Which remediation action should you choose?
Hard delete the message
Submit the message to Microsoft for analysis
Soft delete the message
Move message to quarantine
Answer Description
Choose Move message to quarantine. This action pulls the email from every mailbox and places a copy in quarantine, where administrators or security analysts (with the necessary roles) can later review or download it.
Soft delete only moves the message to each user's Deleted Items folder, so users could still restore it themselves. Hard delete removes the message from visible folders and moves it to the mailbox's Recoverable Items\Purges subfolder, making it unavailable to users and harder for analysts to access. Submitting a message for analysis sends a copy to Microsoft but does not remove messages already delivered to mailboxes.
You create a scheduled analytics rule in Microsoft Sentinel that runs every five minutes. The query often returns many rows for the same user within an hour, and each row currently produces a separate incident. You need to reduce noise so that only one incident is created for each user during that hour without suppressing events for other users. Which rule setting should you configure?
Enable alert suppression for 60 minutes after each trigger.
Set the alert threshold to require at least 12 query results before firing.
Configure the Alert grouping section to combine alerts that share the same Account entity within a 1-hour window.
Change the rule scheduling frequency from 5 minutes to 60 minutes.
Answer Description
Use the Alert grouping settings in the analytics rule. Alert grouping lets you specify a time window and the condition that alerts must share, such as the same Account entity, so that all qualifying alerts are merged into a single incident. Suppression would block all alerts for the period, not just duplicates for the same user. An alert threshold controls how many results in one query run are needed to create a single alert, but it does not aggregate alerts across runs. Changing the query frequency simply slows detection and still allows multiple incidents if several matching results appear in subsequent runs.
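Added example, not part of the practice test or of Microsoft's own content: a Microsoft Sentinel scheduled analytics rule in the Azure-Sentinel repository YAML format that ties this scenario to the earlier advanced hunting question. Its KQL hunts DeviceProcessEvents for PowerShell started with an encoded command (in the live schema the full command line is the ProcessCommandLine column), and its incidentConfiguration groups alerts that share the same Account entity within a 1-hour window. Assumptions: the placeholder rule id, pwsh.exe as an extra process name beyond the question, and the Defender XDR connector feeding DeviceProcessEvents into the workspace.

```yaml
id: 00000000-0000-0000-0000-000000000000   # placeholder GUID, replace on import
name: Encoded PowerShell command line (grouped per account)
description: |
  Process creations where PowerShell was started with -enc/-EncodedCommand.
  Alerts that share the same Account entity within 1 hour merge into one incident.
severity: Medium
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection   # Defender XDR connector (assumed) feeds DeviceProcessEvents
    dataTypes:
      - DeviceProcessEvents
queryFrequency: 5m          # the scenario's 5-minute schedule
queryPeriod: 5m
triggerOperator: gt
triggerThreshold: 0
query: |
  DeviceProcessEvents
  | where FileName in~ ("powershell.exe", "pwsh.exe")   // pwsh.exe is an assumed extension
  // "-enc" also matches the longer "-encodedcommand" spelling (contains is case-insensitive)
  | where ProcessCommandLine contains "-enc"
  | extend EncodedBlob = extract(@"(?i)-enc\S*\s+([A-Za-z0-9+/=]{16,})", 1, ProcessCommandLine)
  | where isnotempty(EncodedBlob)
  | project Timestamp, DeviceName, AccountDomain, AccountName,
            InitiatingProcessFileName, InitiatingProcessCommandLine,
            ProcessCommandLine, EncodedBlob
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: NTDomain
        columnName: AccountDomain
  - entityType: Host
    fieldMappings:
      - identifier: HostName
        columnName: DeviceName
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true                 # the Alert grouping setting from the answer
    reopenClosedIncident: false
    lookbackDuration: PT1H        # 1-hour window
    matchingMethod: Selected      # group only on the entity types listed below
    groupByEntities:
      - Account                   # same Account merges; other users still get their own incidents
version: 1.0.0
kind: Scheduled
```

Alerts for a second user in the same hour map to a different Account entity, so they open a separate incident rather than being suppressed.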