Microsoft Certified: Security Operations Analyst Associate Practice Exam: Test Your Knowledge 2025
Prepare for the SC-200 exam with our comprehensive practice test. Our exam simulator mirrors the actual test format to help you pass on your first attempt.
Exam Simulator
- Matches official exam format
- Updated for 2025 exam version
- Detailed answer explanations
- Performance analytics dashboard
- Unlimited practice attempts
Why Our Practice Exam Works
Proven methods to help you succeed on exam day
Realistic Questions
40-60 questions matching the actual exam format
Timed Exam Mode
100-minute timer to simulate real exam conditions
Detailed Analytics
Track your progress and identify weak areas
Unlimited Retakes
Practice as many times as you need to pass
Answer Explanations
Comprehensive explanations for every question
Instant Results
Get your score immediately after completion
Practice Options
Choose the practice mode that suits your needs
Quick Quiz (25 Questions)
Fast assessment of your knowledge
Domain-Specific Practice
Focus on specific exam topics
Free Practice Questions
Try these Microsoft Certified: Security Operations Analyst Associate sample questions for free - no signup required
Your organization uses Microsoft 365 Defender and you need to investigate an alert about a suspicious email attachment that was opened by multiple users. Which Microsoft 365 Defender portal feature should you use to track the attack progression across identities, endpoints, and email?
You are a security analyst investigating a compromised user account. You need to isolate the user's device from the network while still allowing Microsoft Defender for Endpoint to communicate with the device. What action should you take in Microsoft 365 Defender?
Your security team needs to proactively hunt for indicators of compromise across email, identities, endpoints, and cloud apps using Microsoft 365 Defender. You want to search for events where a user account was created and then used to access sensitive SharePoint files within 10 minutes. Which feature should you use?
A security operations analyst needs to configure automated investigation and response for Microsoft Defender for Endpoint. The organization wants most threats remediated automatically but requires manual approval for high-value servers. Which automation level should be configured for the high-value servers device group?
You need to create a custom detection rule in Microsoft 365 Defender that triggers an alert when a user downloads more than 100 files from SharePoint Online within 5 minutes. After creating the advanced hunting query, what additional configuration is required to generate alerts?
Your organization has deployed Microsoft Defender for Cloud across Azure subscriptions. You need to ensure that security recommendations are automatically remediated where possible. What should you configure?
A company wants to protect their Azure VMs against file-less attacks and malicious PowerShell scripts. Which Microsoft Defender for Cloud capability should be enabled?
You are reviewing security alerts in Microsoft Defender for Cloud and notice multiple alerts about cryptocurrency mining activities on several Azure VMs. You need to understand the complete attack timeline and affected resources. What should you use?
Your organization needs to protect multi-cloud workloads running in Azure, AWS, and Google Cloud Platform. You need to implement a unified security management solution that provides security recommendations across all cloud environments. What should you implement?
You need to configure Microsoft Sentinel to automatically collect security alerts and recommendations from Microsoft Defender for Cloud. What type of connector should you configure?
A security analyst is investigating an incident in Microsoft Sentinel. The analyst needs to document their investigation steps, add comments, and track the overall status of the incident. What feature should be used?
Your organization wants to create a detection rule in Microsoft Sentinel that correlates multiple events across different data sources to detect lateral movement attacks. The rule should trigger when a user logs into more than 5 different machines within 10 minutes. What type of analytics rule should you create?
You need to configure Microsoft Sentinel to automatically respond to incidents involving compromised user accounts by disabling the accounts in Azure AD and creating a ServiceNow ticket. What should you configure?
A security team needs to analyze historical security data in Microsoft Sentinel to identify patterns over the past 18 months. The queries are resource-intensive and should not impact real-time security operations. What should you configure?
You are deploying Microsoft Sentinel for a large enterprise with multiple Azure subscriptions and on-premises infrastructure. You need to ensure all security logs are centralized while optimizing costs. What architectural approach should you use?
Your organization has deployed Microsoft Sentinel and needs to monitor network traffic from on-premises firewalls. The firewalls support Common Event Format (CEF) over Syslog. What components are required to ingest this data?
You need to create a Microsoft Sentinel workbook that displays a dashboard with statistics about security incidents, including incident trends over time, incidents by severity, and mean time to resolution. What should you use to build this workbook?
A security analyst needs to hunt for indicators of compromise in Microsoft Sentinel using threat intelligence feeds. The organization subscribes to multiple threat intelligence providers. How should threat intelligence be integrated into hunting activities?
Your organization's Microsoft Sentinel deployment is generating too many false positive alerts from a specific analytics rule. You need to reduce false positives while maintaining detection of true threats. The rule detects failed login attempts, but legitimate users occasionally mistype passwords. What approach should you take?
You are implementing User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel to detect anomalous user activities. After enabling UEBA, when will the system start generating behavioral insights and anomalies?
Want more practice questions?
Unlock all 40-60 questions with detailed explanations
Topics Covered
Our practice exam covers all official Microsoft Certified: Security Operations Analyst Associate exam domains
Related Resources
More ways to prepare for your exam
Microsoft Certified: Security Operations Analyst Associate Practice Exam Guide
Our Microsoft Certified: Security Operations Analyst Associate practice exam is designed to help you prepare for the SC-200 exam with confidence. With 40-60 realistic practice questions that mirror the actual exam format, you will be ready to pass on your first attempt.
What to Expect on the SC-200 Exam
How to Use This Practice Exam
1. Start with the free sample questions above to assess your current knowledge level
2. Review the study guide to fill knowledge gaps
3. Take the full practice exam under timed conditions
4. Review incorrect answers and study the explanations
5. Repeat until you consistently score above the passing threshold