Your company uses Microsoft Defender for Endpoint.
The company has Microsoft Word documents that contain macros. The documents are used frequently on the
devices of the company's accounting team.
You need to hide false positives in the Alerts queue, while maintaining the existing security posture.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.Resolve the alert automatically.
B.Hide the alert.
C.Create a suppression rule scoped to any device.
D.Create a suppression rule scoped to a device group.
E.Generate the alert.
2.6
DRAG DROP -
You open the Cloud App Security portal as shown in the following exhibit.
Your environment does NOT have Microsoft Defender for Endpoint enabled.
You need to remediate the risk for the Launchpad app.
Which four actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
Select and Place:
3.9
You are investigating a potential attack that deploys a new ransomware strain.
You have three custom device groups. The groups contain devices that store highly sensitive information.
You plan to perform automated actions on all devices.
You need to be able to temporarily group the machines to perform actions on the devices.
Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.Assign a tag to the device group.
B.Add the device users to the admin role.
C.Add a tag to the machines.
D.Create a new device group that has a rank of 1.
E.Create a new admin role.
F.Create a new device group that has a rank of 4.
4.10
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Entity tags, you add the accounts as Honeytoken accounts.
Does this meet the goal?
A.Yes
B.No
5.11
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: From Azure AD Identity Protection, you configure the sign-in risk policy.
Does this meet the goal?
A.Yes
B.No
6.12
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group.
Does this meet the goal?
A.Yes
B.No
7.13
You implement Safe Attachments policies in Microsoft Defender for Office 365.
Users report that email messages containing attachments take longer than expected to be received.
You need to reduce the amount of time it takes to deliver messages that contain attachments without
compromising security. The attachments must be scanned for malware, and any messages that contain malware
must be blocked.
What should you configure in the Safe Attachments policies?
A.Dynamic Delivery
B.Replace
C.Block and Enable redirect
D.Monitor and Enable redirect
8.15
You receive a security bulletin about a potential attack that uses an image file.
You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.
A.a URL/domain indicator that has Action set to Alert only
B.a URL/domain indicator that has Action set to Alert and block
C.a file hash indicator that has Action set to Alert and block
D.a certificate indicator that has Action set to Alert and block
9.19
HOTSPOT
You purchase a Microsoft 365 subscription.
You plan to configure Microsoft Cloud App Security.
You need to create a custom template-based policy that detects connections to Microsoft 365 apps that originate
from a botnet network.
What should you use? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
10.20
Your company has a single office in Istanbul and a Microsoft 365 subscription.
The company plans to use conditional access policies to enforce multi-factor authentication (MFA).
You need to enforce MFA for all users who work remotely.
What should you include in the solution?
A.a fraud alert
B.a user risk policy
C.a named location
D.a sign-in user policy
11.21
You are configuring Microsoft Cloud App Security.
You have a custom threat detection policy based on the IP address ranges of your company's United States-based
offices.
You receive many alerts related to impossible travel and sign-ins from risky IP addresses.
You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.
You need to prevent alerts for legitimate sign-ins from known locations.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A.Configure automatic data enrichment.
B.Add the IP addresses to the corporate address range category.
C.Increase the sensitivity level of the impossible travel anomaly detection policy.
D.Add the IP addresses to the other address range category and add a tag.
E.Create an activity policy that has an exclusion for the IP addresses.
12.22
Note: This question is part of a series of questions that present the same scenario. Each question in the series
contains a unique solution that might meet the stated goals. Some question sets might have more than one correct
solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not
appear in the review screen.
You are configuring Microsoft Defender for Identity integration with Active Directory.
From the Microsoft Defender for Identity portal, you need to configure several accounts for attackers to exploit.
Solution: You add each account as a Sensitive account.
Does this meet the goal?
A.Yes
B.No
13.23
You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.
What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of
a user?
A.the Threat Protection Status report in Microsoft Defender for Office 365
B.the mailbox audit log in Exchange
C.the Safe Attachments file types report in Microsoft Defender for Office 365
D.the mail flow report in Exchange
14.27
HOTSPOT
You have a Microsoft 365 E5 subscription that contains 200 Windows 10 devices enrolled in Microsoft Defender for
Endpoint.
You need to ensure that users can access the devices by using a remote shell connection directly from the
Microsoft 365 Defender portal. The solution must use the principle of least privilege.
What should you do in the Microsoft 365 Defender portal? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
Hot Area:
15.28
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft 365 Defender and contains a user named User1.
You are notified that the account of User1 is compromised.
You need to review the alerts triggered on the devices to which User1 signed in.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
16.33
You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss
prevention (DLP) policies that have aggregated alerts configured.
You need to identify the impacted entities in an aggregated alert.
What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?
A.the Events tab of the alert
B.the Sensitive Info Types tab of the alert
C.Management log
D.the Details tab of the alert
17.35
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.
You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution
must minimize administrative effort.
What should you do in the Microsoft 365 Defender portal?
A.Create an import file that contains the individual IP addresses in the range. Select Import and import the file.
B.Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.
C.Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.
D.Select Add indicator and set the IP address to 171.23.34.32/27.
18.36
You have an Azure subscription that uses Microsoft Defender for Endpoint.
You need to ensure that you can allow or block a user-specified range of IP addresses and URLs.
What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender
portal?
A.custom network indicators
B.live response for servers
C.endpoint detection and response (EDR) in block mode
D.web content filtering
19.40
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices.
You need to mark the file as safe and remove the file from quarantine on the devices.
What should you use in the Microsoft 365 Defender portal?
A.From the History tab in the Action center, revert the actions.
B.From the investigation page, review the AIR processes.
C.From Quarantine from the Review page, modify the rules.
D.From Threat tracker, review the queries.
20.45
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for
Cloud Apps.
What should you configure first?
A.the User enrichment settings
B.the Azure connector
C.the Office 365 connector
D.the Automatic log upload settings
21.51
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Purview and contains a user named User1.
User1 shares a Microsoft Power BI report file from the Microsoft OneDrive folder of your company to an external
user by using Microsoft Teams.
You need to identify which Power BI report file was shared.
How should you configure the search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
22.54
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution
must return all the rows in the tables.
Which operator should you use?
A.search *
B.union kind = inner
C.join kind = inner
D.evaluate hint.remote =
23.55
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.
You onboard the devices to Microsoft Defender 365.
You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft
365 Defender portal.
What should you do first?
A.Modify the permissions for Microsoft 365 Defender.
B.Create a device group.
C.From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
D.Configure role-based access control (RBAC).
24.57
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Teams.
You need to perform a content search of Teams chats for a user by using the Microsoft Purview compliance portal.
The solution must minimize the scope of the search.
How should you configure the content search? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
25.58
You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft
Defender 365.
You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender
portal.
Which response action should you use?
A.Run antivirus scan
B.Initiate Automated Investigation
C.Collect investigation package
D.Initiate Live Response Session
26.60
You have a Microsoft 365 subscription that uses Microsoft Purview.
Your company has a project named Project1.
You need to identify all the email messages that have the word Project1 in the subject line. The solution must
search only the mailboxes of users that worked on Project1.
What should you do?
A.Perform a user data search.
B.Create a records management disposition.
C.Perform an audit search.
D.Perform a content search.
27.61
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You discover that when Microsoft Defender for Endpoint generates alerts for a commonly used executable file, it
causes alert fatigue.
You need to tune the alerts.
Which two actions can an alert tuning rule perform for the alerts? Each correct answer presents a complete
solution.
NOTE: Each correct selection is worth one point.
A.delete
B.hide
C.resolve
D.merge
E.assign
28.62
Note: This section contains one or more sets of questions with the same scenario and problem. Each question
presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More
than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve
the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not
appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender
Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party
antivirus product.
Solution: You configure endpoint detection and response (EDR) in block mode.
Does this meet the goal?
A.Yes
B.No
29.63
Note: This section contains one or more sets of questions with the same scenario and problem. Each question
presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More
than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve
the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not
appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender
Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party
antivirus product.
Solution: You configure Controlled folder access.
Does this meet the goal?
A.Yes
B.No
30.64
Note: This section contains one or more sets of questions with the same scenario and problem. Each question
presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More
than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve
the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not
appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender
Antivirus in passive mode.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party
antivirus product.
Solution: You enable automated investigation and response (AIR).
Does this meet the goal?
A.Yes
B.No
31.65
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You need to implement deception rules. The solution must ensure that you can limit the scope of the rules.
What should you create first?
A.device groups
B.device tags
C.honeytoken entity tags
D.sensitive entity tags
32.66
Note: This section contains one or more sets of questions with the same scenario and problem. Each question
presents a unique solution to the problem. You must determine whether the solution meets the stated goals. More
than one solution in the set might solve the problem. It is also possible that none of the solutions in the set solve
the problem.
After you answer a question in this section, you will NOT be able to return. As a result, these questions do not
appear on the Review Screen.
You have a Microsoft 365 subscription.
You have 1,000 Windows devices that have a third-party antivirus product installed and Microsoft Defender
Antivirus in passive mode.
All Windows devices are onboarded to Microsoft Defender for Endpoint.
You need to ensure that the devices are protected from malicious artifacts that were undetected by the third-party
antivirus product.
Solution: You enable Live Response.
Does this meet the goal?
A.Yes
B.No
33.128
HOTSPOT
You have an on-premises datacenter that contains a custom web app named App1. App1 uses Active Directory
Domain Services (AD DS) authentication and is accessible by using Microsoft Entra application proxy.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You receive an alert that a user downloaded highly confidential documents.
You need to remediate the risk associated with the alert by requiring multi-factor authentication (MFA) when users
34.237
The issue for which team can be resolved by using Microsoft Defender for Endpoint?
A.executive
B.sales
C.marketing
35.238
The issue for which team can be resolved by using Microsoft Defender for Office 365?
A.executive
B.marketing
C.security
D.sales
36.241
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a user named User1.
You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security
policies. The solution must follow the principle of least privilege.
Which role should you assign to User1?
A.Security Administrator
B.Security Operator
C.Cloud Device Administrator
D.Desktop Analytics Administrator
37.246
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains two users named User1
and User2.
You need to ensure that the users can perform searches by using the Microsoft Purview portal. The solution must
meet the following requirements:
•Ensure that User1 can search the Microsoft Purview Audit service logs and review the Microsoft Purview Audit
service configuration.
•Ensure that User2 can search Microsoft Exchange Online mailboxes.
•Follow the principle of least privilege.
To which Microsoft Purview role group should you add each user? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
38.248
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains a user named User1
and a Microsoft 365 group named Group1. All users are assigned a Defender for Endpoint Plan 1 license.
You enable Microsoft Defender XDR Unified role-based access control (RBAC).
You have a Microsoft 365 E5 subscription that contains two users named User1 and User2 and uses Microsoft
Copilot for Security.
From the Copilot for Security portal, User1 starts a session and creates the following prompts:
•Prompt1: Provides access to the Entra plugin
•Prompt2: Provides access to the Intune plugin
•Prompt3: Provides access to the Entra plugin
User1 shares the session with User2.
User2 does NOT have access to Microsoft Intune.
For which prompts can User2 view results during the shared session?
A.Prompt1 only
B.Prompt1 and Prompt2 only
C.Prompt3 only
D.Prompt1 and Prompt3 only
E.Prompt1, Prompt2, and Prompt3
40.252
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. Copilot for Security has the
default settings configured.
You need to ensure that a user named User can use Copilot for Security to perform the following tasks:
•Upload files.
•View the usage dashboard.
•Share promptbooks with all users.
The solution must follow the principle of least privilege.
Which role should you assign to User?
A.Copilot owner
B.Cloud Application Administrator
C.Security Administrator
D.Copilot Contributor
41.255
You have a Microsoft 365 E5 subscription.
You have a PowerShell script that queries the unified audit log.
You discover that the query returns only the first page of results due to server-side paging.
You need to ensure that you get all the results.
Which property should you query in the results?
A.@odata.context
B.@odata.count
C.@odata.nextLink
D.@odata.deltaLink
42.257
You have a Microsoft 365 E5 subscription that contains a database server named DB1. DB1 is onboarded to
Microsoft Defender XDR.
You need to ensure that DB1 appears on the attack surface map.
What should you configure?
A.an asset rule
B.a critical asset rule
C.a sensitive entity tag
D.a honeytoken entity tag
43.262
You have a Microsoft 365 E5 subscription that contains the users shown in the following table.
You configure Microsoft Entra Internet Access.
Which users can manage Microsoft Entra Internet Access?
A.User1 only
B.User2 only
C.User3 only
D.User1 and User2 only
E.User1, User2 and User3
44.267
You have a Microsoft 365 E5 subscription.
You need to search the Microsoft Purview audit log by using PowerShell on a Windows device.
What should you do first?
A.Install the Microsoft Graph PowerShell module.
B.Enable PowerShell remoting.
C.Install the Microsoft Exchange Online PowerShell module.
D.Modify the TrustedHosts list.
45.268
HOTSPOT
You have a Microsoft 365 subscription. The subscription contains 500 Windows 11 devices that are onboarded to
Microsoft Defender for Endpoint.
You need to configure Defender for Endpoint to meet the following requirements:
•Ensure that security operation analysts can run PowerShell scripts on client computers.
•Perform the automatic remediation of threats on client computers.
Which Endpoints settings should you configure in the Microsoft Defender XDR portal? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
46.269
You have a Microsoft 365 E5 subscription that contains 500 Windows 11 devices.
You have a Microsoft Defender for Endpoint deployment that has the following settings:
•Discovery mode: Basic
•Live Response: Disabled
•Enable EDR in block mode: Off
•Tamper Protection: Off
You need to implement automatic attack disruption in Microsoft Defender XDR.
What should you do?
A.Change Discovery mode to Standard discovery.
B.Set Live Response to On.
C.Set Tamper Protection to On.
D.Set Enable EDR in block mode to On.
47.270
You have a Microsoft 365 subscription that uses Microsoft Security Copilot.
You plan to configure a custom GPT plugin for Copilot.
Which GPT model should you use?
A.gpt-4o
B.o1-mini
C.davinci-002
D.gpt-35-turbo
48.277
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender for Endpoint.
You need to ensure that you can initiate remote shell connections to Windows servers by using the Microsoft 365
Defender portal.
What should you configure? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
49.278
You have 500 on-premises devices.
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You onboard 100 devices to Microsoft Defender 365.
You need to identify any unmanaged on-premises devices. The solution must ensure that only specific onboarded
devices perform the discovery.
What should you do first?
A.Create a device group.
B.Create an exclusion.
C.Set Discovery mode to Basic.
D.Create a tag.
50.281
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker
performs the tactics shown in the following table.
You need to search for malicious activities in your organization.
Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?
A.Tactic2 only
B.Tactic1 and Tactic2 only
C.Tactic2 and Tactic3 only
D.Tactic1, Tactic2, and Tactic3
51.284
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500
Windows devices.
You plan to create a Microsoft Defender XDR custom deception rule.
You need to ensure that the rule will be applied to only 10 specific devices.
What should you do first?
A.Add custom lures to the rule.
B.Add the IP address of each device to the list of decoy accounts and hosts of the rule.
C.Add the devices to a group.
D.Assign a tag to the devices.
52.288
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
The security team at your company detects command and control (C2) agent traffic on the network. Agents
communicate once every 50 hours.
You need to create a Microsoft Defender XDR custom detection rule that will identify compromised devices and
establish a pattern of communication. The solution must meet the following requirements:
•Identify all the devices that have communicated during the past 14 days.
•Minimize how long it takes to identify the devices.
To what should you set the detection frequency for the rule?
A.Every 12 hours
B.Every 24 hours
C.Every three hours
D.Every hour
53.289
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You have a query that contains the following statements.
You need to configure a custom detection rule that will use the query. The solution must minimize how long it takes
to be notified about events that match the query.
Which frequency should you select for the rule?
A.Every hour
B.Continuous (NRT)
C.Every 12 hours
D.Every 3 hours
54.290
HOTSPOT
You have a Microsoft 365 E5 subscription that contains the hosts shown in the following table.
You have indicators in Microsoft Defender for Endpoint as shown in the following table.
ID1 and ID2 reference the same file as ID3.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
55.292
HOTSPOT
You have a Microsoft 365 subscription that contains three users named User1, User2 and User3 and the resources
shown in the following table.
You have a Microsoft Defender XDR detection rule named Rule1 that has the following configurations:
•Scope: DevGroup1
•File hash: File1.exe
•Actions
o Devices: Collect investigation package
o User: Mark as compromised
o Files: Block
Each user attempts to run File1.exe on their device.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
56.294
HOTSPOT
You have a Microsoft 365 E5 subscription that contains Windows 11 and Linux CentOS devices.
In Microsoft Defender XDR, Deception is set to On.
You plan to create a deception rule that will use a custom lure.
You need to specify the type of file, and the planting path for the custom lure.
What should you specify? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
57.295
You have a Microsoft 365 E5 subscription.
You need to ensure that an alert is generated in Microsoft Defender XDR when attackers attempt to connect to a
specific device. The solution must minimize administrative effort.
What should you do in the Microsoft Defender portal?
A.Create a deception rule that includes a decoy.
B.Tag an existing device as a honeytoken entity.
C.Create a deception rule that includes a lure.
D.Tag an existing device as a sensitive entity.
58.297
HOTSPOT
You have a Microsoft 365 E5 subscription that has a Conditional Access policy named Policy1.
You need to perform the following actions:
•Create a Conditional Access App Control custom policy named Custom1.
•Configure Policy1 to use Custom1.
What should you use to create Custom1, and in which settings of Policy1 should you enable Conditional Access
App Control? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
59.298
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.
You are implementing a deception rule.
You need to provide a custom lure file.
For the custom lure, you set Planting path to HOME.
Which types of files can you use for the custom lure, and in which home directory should the file be located on a
60.308
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named
Device1.
You investigate a suspicious process named Prod on Device1 by using a live response session.
You need to perform the following actions:
•Stop Prod.
•Send Prod for further review.
Which live response command should you run for each action? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
61.309
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint and contains a Windows
device named Device1.
You need to investigate a suspicious executable file detected on Device1. The solution must meet the following
requirements:
•Identify the image file path of the file.
•Identify when the file was first detected on Device1.
What should you review from the timeline of the detection event? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
62.310
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 1,000
Windows devices.
You have a PowerShell script named Script1.ps1 that is signed digitally.
You need to ensure that you can run Script1.ps1 in a live response session on one of the devices.
What should you do first from the live response session?
A.Run the library command.
B.Upload Script1.ps1 to the library.
C.Run the putfile command.
D.Modify the PowerShell execution policy of the device.
63.311
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows
device named Device1.
You initiated a live response session on Device1.
You need to run a command that will download a 250-MB file named File1.exe from the live response library to
Device1. The solution must ensure that File1.exe is downloaded as a background process.
How should you complete the live response command? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
64.315
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device
named Device1.
You investigate Device1 for malicious activity and discover a suspicious file named File1.exe. You collect an
investigation package from Device1.
You need to review the following forensic data points:
•Is an attacker currently accessing Device1 remotely?
•When was File1.exe first executed?
Which folder in the investigation package should you review for each data point? To answer, select the appropriate
options in the answer area.
NOTE: Each correct selection is worth one point.
65.316
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows
device named Device1.
Twenty files on Device1 are quarantined by custom indicators as part of an investigation.
You need to release the 20 files from quarantine.
How should you complete the command? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
66.318
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named
Device1.
The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll.
You need to submit files for deep analysis in Microsoft Defender XDR.
Which files can you submit?
A.File1.ps1 only
B.File2.exe only
C.File3.dll only
D.File2.exe and File3.dll only
E.File1.ps1 and File2.exe only
F.File1.ps1, File2.exe, and File3.dll
67.320
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You are investigating an attacker that is known to use the Microsoft Graph API as an attack vector. The attacker
performs the tactics shown in the following table.
You need to search for malicious activities in your organization.
Which tactics can you analyze by using the MicrosoftGraphActivityLogs table?
A.Tactic1 only
B.Tactic2 only
C.Tactic1 and Tactic3 only
D.Tactic2 and Tactic3 only
E.Tactic1, Tactic2, and Tactic3
68.321
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a Windows
device named Device1.
You initiate a live response session on Device1 and launch an executable file named File1.exe in the background.
You need to perform the following actions:
•Identify the command ID of File1.exe.
•Interact with File1.exe.
Which live response command should you run for each action? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
69.322
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Purview and contains a Microsoft SharePoint Online site
named Site1.
Site1 contains the files shown in the following table.
From Microsoft Purview, you create the content search queries shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
70.324
HOTSPOT -
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and Microsoft Defender for Endpoint.
The subscription contains the devices shown in the following table.
You discover the following forensic data:
•During the startup of Device1, a connection is established to Device2 via port 5555.
•Device2 connects to Device3 by using port 5555.
•Device4 connects to Device1 by using port 5555.
You perform the following actions:
•Initiate a live response session on Device1 and run the processes
•From Devices in the Microsoft Defender portal, isolate Device1 and Device2.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
71.325
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a Windows device
named Device1.
You detect malicious activity on Device1.
You initiate a live response session on Device1.
You need to perform the following actions:
•Download a file from the live response library.
•Stop a process that is running on Device1.
Which live response command should you run for each action? To answer, select the appropriate options in the
answer area.
NOTE: Each correct selection is worth one point.
72.326
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the devices shown
in the following table.
You initiate a live response session on each device.
You need to collect a Defender for Endpoint investigation package from each device.
On which devices can you collect the package by running advanced live response commands from the command-line
interface (CLI)?
A.Device1 and Device2 only
B.Device1, Device2, and Device3 only
C.Device3 and Device4 only
D.Device1, Device2, Device3, and Device4
73.329
HOTSPOT
You have an Azure subscription that contains the users shown in the following table.
The subscription contains instances of Azure Firewall as shown in the following table.
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security. You have the Copilot for
Security role assignments shown in the following table.
Each user runs a Copilot for Security session.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
74.335
DRAG DROP -
You have an on-premises Windows 11 Pro device named Device1 that is onboarded to Microsoft Defender for
Endpoint.
You have a Microsoft 365 subscription.
You need to identify the processes running on Device1 and which network connections the processes have open.
The solution must minimize administrative effort.
Which four actions should you perform in the Microsoft Defender portal in sequence? To answer, move the
appropriate actions from the list of actions to the answer area and arrange them in the correct order.
75.338
HOTSPOT
You have a Microsoft 365 E5 subscription that contains a Microsoft SharePoint Online site named Site1.
In Site1, you identify the suspicious files shown in the following table.
In Microsoft Purview, you create the content searches shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
76.342
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains the following
devices:
•Device1: Runs Windows 11 Pro
•Device2: Runs Windows Server
•Device3: Runs Ubuntu Linux
You identify three suspicious files named File1.exe, File2.zip, and File3.ps1.
You need to investigate the files by using deep analysis.
Which devices support deep analysis, and which files can be submitted for deep analysis? To answer, select the
appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
77.344
DRAG DROP
You have a Microsoft 365 E5 subscription that contains a Windows 11 device named Device1. Device1 is onboarded
to Microsoft Defender XDR.
You perform the following actions:
•Create a PowerShell script named Script1.ps1.
•From the Microsoft Defender XDR portal, establish a live response session to Device1.
You need to ensure that you can run Script1.ps1 on Device1.
Which three actions should you perform in sequence? To answer, move the appropriate actions from the list of
actions to the answer area and arrange them in the correct order.
78.351
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS
device named Device1.
You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following
requirements:
•Identify all the active network connections on Device1.
•Identify all the running processes on Device1.
•Retrieve the login history of Device1.
•Minimize administrative effort.
What should you do first from the Microsoft Defender portal?
A.From Devices, click Collect investigation package for Device1.
B.From Advanced features in Endpoints, enable Live Response unsigned script execution.
C.From Devices, initiate a live response session on Device1.
D.From Advanced features in Endpoints, disable Authenticated telemetry.
79.357
HOTSPOT
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You need to create a custom detection rule that will identify devices that had more than five antivirus detections
within the last 24 hours.
How should you complete the query? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
80.359
You have a Microsoft 365 subscription that contains a user named User1 and two Windows devices named Device1
and Device2. Device1 and Device2 are onboarded to Microsoft Defender for Endpoint.
The following events occur:
•User1 signs in to Device1.
•Automatic attack disruption in Microsoft Defender XDR responds to an attack on Device1 and contains User1.
•User1 attempts to connect to Device2.
Which protocols will Device2 block when User1 attempts to connect to Device2?
A.RDP only
B.RPC only
C.SMB only
D.RDP and RPC only
E.SMB and RPC only
F.RDP, RPC, and SMB
81.364
HOTSPOT
You have a Microsoft 365 subscription that contains a Windows device named Device1. Device1 is onboarded to
Microsoft Defender for Endpoint.
You initiate a live response session on Device1.
You need to execute a long running script. The solution must ensure that you can run additional commands during
the session while the script is running.
How should you complete the live response command? To answer, select the appropriate options in the answer
area.
NOTE: Each correct selection is worth one point.
82.365
HOTSPOT
You have a Microsoft 365 E5 subscription that uses Microsoft Exchange Online.
You identify the suspicious emails shown in the following table.
In Microsoft Purview, you create the content searches shown in the following table.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
83.367
You have a Microsoft 365 E5 subscription that uses Microsoft Copilot for Security.
You start a Copilot for Security session and enter five prompts that each provide responses.
You need to create a promptbook that will use the prompts but will NOT contain the responses. The solution must
minimize administrative effort.
What should you do?
A.Select each prompt, and then select Create promptbook.
B.Create a new promptbook and include each prompt.
C.Enter a new prompt that has the following input: Create a promptbook from my session prompts.
D.Share the session, and then select Create promptbook.
84.368
You have 1,000 on-premises Windows 11 Pro devices that are onboarded to Microsoft Defender for Endpoint.
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You identify that an attacker performed the following actions on a device:
•Modified the filesystem path of a registry-based antivirus exclusion
•Downloaded a malicious file to the file system path
You initiate a live response session on the device.
You need to undo the registry change.
Which command should you run?
A.remediate
B.registry
C.scan
D.analyze
85.382
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2. The subscription contains
1,000 Windows 11 devices that run a third-party antivirus software and have Smart App Control enabled.
You need to ensure that if Defender for Endpoint detects a malicious artifact that was missed by the third-party
software, it will remediate the artifact automatically.
What should you configure?
A.endpoint detection and response (EDR) in block mode