Microsoft Certified: Security Operations Analyst Associate Intermediate Practice Exam: Medium Difficulty 2025
Ready to level up? Our intermediate practice exam features medium-difficulty questions with scenario-based problems that test your ability to apply concepts in real-world situations. Perfect for bridging foundational knowledge to exam-ready proficiency.
Your Learning Path
What Makes Intermediate Questions Different?
Apply your knowledge in practical scenarios
Medium Difficulty
Questions that test application of concepts in real-world scenarios
Scenario-Based
Practical situations requiring multi-concept understanding
Exam-Similar
Question style mirrors what you'll encounter on the actual exam
Bridge to Advanced
Prepare yourself for the most challenging questions
Medium Difficulty Practice Questions
10 intermediate-level questions for Microsoft Certified: Security Operations Analyst Associate
1. You are investigating a phishing campaign in Microsoft 365 Defender. Multiple users clicked a malicious link, and you need to quickly identify all affected users, the delivered email(s), and any post-click activity across endpoints. Which approach best supports an end-to-end investigation from a single place?
2. Your organization uses Microsoft Defender for Endpoint and Microsoft 365 Defender. An endpoint alert indicates suspicious PowerShell activity. You want to immediately stop the ongoing activity, prevent lateral movement from that device, and preserve the device for further investigation. What should you do first?
3. You manage Azure and hybrid servers in Microsoft Defender for Cloud. Defender for Cloud recommends enabling just-in-time (JIT) VM access and identifies that management ports are open to the internet. Security wants you to reduce exposure while still allowing administrators to manage servers when needed. What should you implement?
4. Defender for Cloud flags several Azure SQL databases with a recommendation to enable Microsoft Defender for SQL. Your goal is to detect anomalous database activities and potential SQL injection attempts and have these alerts available for SOC triage. What is the best action?
5. You are onboarding Microsoft Sentinel. Security operations needs to ingest Azure AD sign-in logs and Office 365 activity to hunt for suspicious authentication and mailbox rules. You want the fastest approach with built-in parsing and content. What should you use?
6. Your SOC wants incidents in Microsoft Sentinel to group related alerts automatically and reduce analyst noise. You have several analytics rules that are generating many similar alerts for the same user and IP within a short timeframe. What Sentinel feature should you configure to address this?
7. You need to enrich Sentinel incidents with threat intelligence. Your organization has a STIX/TAXII threat feed and wants indicators to be matched against ingested logs (for example, IPs and domains) and surfaced in investigations. What should you implement?
8. You are building a Sentinel analytics rule to detect impossible travel for sign-ins. Analysts also want to quickly see the impacted user and IP address on the incident page and pivot to related activity. What must you configure in the rule to support this investigation experience?
9. A Sentinel incident is created from an analytics rule detecting suspected brute force attempts. You want to automatically block the source IP in a network security group (NSG) and notify the on-call channel, but only after a quick validation step by an analyst. What is the best solution?
10. Your SOC needs to perform proactive threat hunting in Microsoft Sentinel for suspicious persistence mechanisms on endpoints. You ingest Microsoft Defender for Endpoint data into Sentinel. Which approach best supports iterative hunting and turning results into detections?
Mastered the intermediate level?
Challenge yourself with advanced questions when you score above 85%
Microsoft Certified: Security Operations Analyst Associate Intermediate Practice Exam FAQs
Microsoft Certified: Security Operations Analyst Associate is a professional certification from Microsoft Azure that validates expertise in the technologies and concepts covered by the Security Operations Analyst Associate role. The official exam code is SC-200.
The Microsoft Certified: Security Operations Analyst Associate intermediate practice exam contains medium-difficulty questions that test your working knowledge of core concepts. These questions are similar to what you'll encounter on the actual exam.
Take the Microsoft Certified: Security Operations Analyst Associate intermediate practice exam after you've completed the beginner level and feel comfortable with basic concepts. This helps bridge the gap between foundational knowledge and exam-ready proficiency.
The Microsoft Certified: Security Operations Analyst Associate intermediate practice exam includes scenario-based questions and multi-concept problems similar to the SC-200 exam, helping you apply knowledge in practical situations.