50 Microsoft Certified: Security Operations Analyst Associate Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the Microsoft Certified: Security Operations Analyst Associate certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for Microsoft Certified: Security Operations Analyst Associate
You are investigating a suspected phishing incident in Microsoft 365 Defender. You want to identify all recipients of the suspicious email and see the delivery actions (delivered, blocked, quarantined). Which feature should you use?
In Microsoft Sentinel, you need to respond to high-severity incidents by automatically disabling the affected user account in Microsoft Entra ID. Which Sentinel capability is used to run this response action?
You need to onboard an Azure subscription to Microsoft Defender for Cloud so it can assess security posture and provide recommendations. Where do you enable this?
In Microsoft Sentinel, you want to minimize false positives by ensuring incidents are created only when multiple related alerts occur within a short time window. Which analytics rule setting helps achieve this?
Your organization wants Microsoft Sentinel to ingest Microsoft Defender for Cloud alerts. After connecting the data connector, no Defender for Cloud alerts appear in Sentinel. Defender for Cloud is enabled and generating alerts. What is the most likely cause?
You have a KQL query in Microsoft Sentinel that works in Logs, but it fails when used in an analytics rule with an error indicating the query returns too many results. You want to keep detections but reduce result size. What is the best approach?
You need to ensure SOC analysts can investigate incidents in Microsoft Sentinel but cannot modify analytics rules, data connectors, or automation. Which Azure role assignment is most appropriate?
In Microsoft Defender for Cloud, you want to reduce the risk of exposed management ports on Azure VMs by enforcing that RDP/SSH access is only allowed through a controlled pathway. Which Defender for Cloud recommendation/feature best addresses this?
You want to create a Microsoft Sentinel detection that identifies when a user signs in from an unfamiliar country within 10 minutes of a successful sign-in from a different country (impossible travel). You also want the incident to show the user as an entity for investigation. Which approach is most appropriate?
Your SOC uses Microsoft 365 Defender and Microsoft Sentinel together. You want Sentinel incidents to automatically include Microsoft 365 Defender incident details and allow analysts to pivot between platforms with minimal duplication. Which integration should you configure?
You are onboarding Microsoft Sentinel in a new workspace. Analysts want to investigate incidents and pivot into related raw events from multiple tables without manually writing KQL each time. Which feature should you use?
Your organization uses Defender for Cloud. You need to ensure regulatory compliance posture is assessed against a standard and surfaced as a score with failing controls. Where in Defender for Cloud should you start?
In Microsoft 365 Defender, an analyst needs to isolate a suspected compromised Windows device to prevent lateral movement while continuing to collect forensic data. What action should the analyst take?
You are integrating Microsoft Sentinel with Microsoft 365 Defender. You want incidents generated in Microsoft 365 Defender (from Defender for Endpoint/Identity/Office 365) to appear in Sentinel with unified incident management and automatic alert grouping. What should you configure?
A SOC team wants Sentinel analytics rules to trigger only when a suspicious sign-in is followed by privileged role assignment within 30 minutes for the same user. Which analytics rule type is most appropriate?
You need to automatically open a ServiceNow ticket whenever a Microsoft Sentinel incident is created, and include incident details in the ticket. What is the recommended approach?
Defender for Cloud shows a recommendation to enable just-in-time (JIT) VM access. What problem does JIT primarily help mitigate?
An analyst investigates a phishing campaign in Microsoft 365 Defender and wants to find all email messages with similar indicators (URLs and sender infrastructure), then take action to remediate them across mailboxes. Which capability should the analyst use?
You have multiple Microsoft Sentinel workspaces (one per region). The CISO wants a single view to hunt and run queries across all regions without manually switching workspaces. What should you implement?
A custom Microsoft Sentinel analytics rule is generating too many incidents. You discover the rule is matching on a noisy indicator list, and the team still needs the rule but only for high-confidence matches. What is the best way to reduce noise while preserving detection coverage?
Your SOC needs to create an incident in Microsoft Sentinel only when an analytics rule generates at least three matching alerts for the same user within 30 minutes. Which feature should you configure in the analytics rule?
In Microsoft 365 Defender, you want to block a single malicious file hash across endpoints immediately. Which action should you use?
Defender for Cloud shows a recommendation that several Azure VMs are missing endpoint protection. You want Defender for Cloud to deploy Microsoft Defender for Endpoint automatically to those VMs. What should you configure?
You are building a Microsoft Sentinel analytics rule that detects suspicious sign-in patterns. You need the rule to include a clickable user entity in the resulting incident so analysts can pivot to investigation graphs and entity pages. What must you configure in the rule?
You need to run a Microsoft Sentinel playbook automatically when an incident is created with Severity = High and Title contains "Impossible travel". Which configuration should you use?
Your organization uses multiple Microsoft Sentinel workspaces (one per region). You need a single view to hunt across all regions without copying data between workspaces. What should you use?
In Defender for Cloud, you want to identify which internet-facing VMs have management ports exposed and prioritize remediation based on exploitability. Which Defender for Cloud capability best fits this need?
A Microsoft Sentinel scheduled analytics rule is producing duplicate alerts. The query uses a 1-hour lookback and the rule runs every 5 minutes. You need to reduce duplicates while still detecting events quickly. What is the BEST approach?
You have a Defender for Cloud security alert for a suspected container escape attempt in an Azure Kubernetes Service (AKS) cluster. You want to investigate related Kubernetes audit events and container logs in Microsoft Sentinel. What prerequisite is MOST important to ensure this data is available in Sentinel?
In Microsoft 365 Defender, an analyst is investigating a phishing campaign. They need to trace a malicious URL from email delivery to user click, and then to any resulting endpoint process activity, using a single unified investigation experience. Which feature should they use?
You are configuring Microsoft Sentinel to onboard Windows servers that cannot have the Azure Monitor agent installed due to policy restrictions. You still need to collect Windows Security Event Logs in Sentinel. What is the best approach?
You need to reduce alert fatigue in Microsoft 365 Defender by automatically closing alerts that are determined to be benign and already remediated by automated investigation. Which feature should you configure?
A SOC team wants to create a Microsoft Sentinel automation that runs a playbook only when an incident is created with the "High" severity and contains an account entity. What should you use?
You are reviewing Defender for Cloud recommendations and want to ensure security findings can be exported to a SIEM and a ticketing system in near real time. What should you configure?
In Microsoft Sentinel, you need to quickly determine which users and IP addresses are most frequently associated with incidents over the last 30 days. Which Sentinel component is best suited for this requirement?
A customer wants to onboard Microsoft Sentinel and ensure analysts can investigate incidents but cannot modify analytics rules, connectors, or automation. Which Azure role assignment best meets this requirement?
You are troubleshooting why a Microsoft Sentinel data connector shows "Connected" but no events are arriving in the Log Analytics workspace. You confirm the source system is sending logs. What is the most likely cause to check first?
You want Microsoft 365 Defender incidents to appear in Microsoft Sentinel and you also want to enrich those incidents with Sentinel automation playbooks. What should you configure?
Your organization has multiple Microsoft Sentinel workspaces for different regions. You need a single place to manage analytics rules and automation consistently, while allowing local teams to handle incidents in their own workspace. Which design is recommended?
You need to correlate Microsoft Defender for Cloud alerts with Microsoft Sentinel incidents while minimizing duplicate incidents. Alerts should contribute evidence and entities to an existing Sentinel incident when possible. What is the best approach?
You need to ensure that all incidents in Microsoft Sentinel automatically create a ticket in a third-party ITSM system that exposes a REST API. You also need to enrich the ticket with incident entities (accounts, hosts, IPs). What is the best approach?
You are investigating a suspected compromised user in Microsoft 365 Defender. You need to quickly view all related alerts, affected devices, mail events, and identity signals in a single, unified view. Where should you start?
In Defender for Cloud, you want to prevent administrators from accidentally exposing management ports on virtual machines to the internet. Which Defender for Cloud capability helps you reduce this exposure by recommending or enforcing just-in-time access?
You created a scheduled analytics rule in Microsoft Sentinel. It returns results in Logs, but it never generates alerts or incidents. The rule query includes a join and returns a table with many columns, but no explicit timestamp field is included in the final projection. What is the most likely cause?
Your SOC wants to reduce false positives from a Microsoft Sentinel analytics rule by only alerting when at least 5 failed sign-ins from the same IP occur within 10 minutes for any user. Which KQL pattern best fits this requirement?
You onboard Azure Kubernetes Service (AKS) to Defender for Cloud and want to detect suspicious container behavior (for example, crypto-mining tools running inside a container). Which Defender for Cloud plan is primarily responsible for runtime threat detection for containers?
You must give a Tier 1 analyst access to work on Microsoft Sentinel incidents and run hunting queries, but you must prevent them from deleting data or modifying data connectors and analytics rules. Which built-in Azure role is the best fit at the Sentinel workspace scope?
You are investigating an alert in Microsoft 365 Defender for suspicious PowerShell activity on an endpoint. You want to remotely collect an investigation package and run an antivirus scan without disrupting the user more than necessary. Which action should you take from the device page?
Your Microsoft Sentinel workspace receives data from multiple sources. You need to meet a requirement that certain logs must be searchable for 180 days but should not remain in the hot (Analytics) tier for cost and performance reasons. What should you configure?
A regulator requires that only approved IP addresses can access the Microsoft Sentinel portal and Azure resources used for investigation. Your SOC analysts connect from a fixed corporate egress range. You must enforce this with the least operational overhead. What should you implement?
Microsoft Certified: Security Operations Analyst Associate 50 Practice Questions FAQs
Microsoft Certified: Security Operations Analyst Associate is a professional certification from Microsoft that validates expertise in the security operations technologies and concepts covered by the exam. The official exam code is SC-200.
Our 50 Microsoft Certified: Security Operations Analyst Associate practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
A 50-question bank is a good starting point for Microsoft Certified: Security Operations Analyst Associate preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 Microsoft Certified: Security Operations Analyst Associate questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.