Perform threat hunting Questions
Practice questions for the Perform threat hunting topic in Microsoft Certified: Security Operations Analyst Associate. 44 questions cover this domain.
Which Microsoft Defender XDR feature provides curated reports about active threats, impacted assets, and recommended actions?
A hunter wants to aggregate recurring query results into a reusable table for easier later analysis. Which Sentinel feature should be used?
A hunter wants to look for suspicious outbound connections from endpoints. Which Advanced Hunting table is the most appropriate starting point?
A threat hunter wants to analyze how users, devices, and other entities relate to one another during a suspected attack. Which capability should be us...
Which Advanced Hunting table in Microsoft Defender XDR is used to investigate process creation and related process activity?
A hunter starts from one compromised device and wants to understand possible attack paths to additional critical assets and the broader scope of impac...
An analyst needs to investigate which entities are associated with a previously generated Defender XDR alert and then pivot across related evidence du...
Which language is used to create hunting queries in Microsoft Defender XDR and Microsoft Sentinel?
A SOC wants recurring long-running hunts executed in the Sentinel data lake instead of being run manually every time. Which capability should be used?
A Sentinel analyst creates a useful hunting query and wants to preserve it for future reuse and monitoring. What should the analyst do?
A security engineer wants an interactive environment for investigations that can combine documentation, KQL, visualizations, and connection to the Sen...
A SOC wants to assess current detection coverage by adversary tactic and technique and pivot to hunts where coverage is weak. Which Microsoft Sentinel...
A Defender XDR custom detection rule based on an Advanced Hunting query keeps creating excessive duplicate alerts on the same entity. Which rule setti...
A hunter wants to investigate suspicious Microsoft 365 SaaS application activity such as file downloads, sharing, and admin actions. Which Advanced Hu...
An analyst wants to detect impossible-travel-style sign-ins by combining identity sign-in data with geo-IP context inside an Advanced Hunting query. W...
An analyst wants to monitor a specific Sentinel KQL query continuously and receive notifications as new matching events arrive in near real time durin...
Which Advanced Hunting table contains delivered email metadata such as sender, recipient, and verdict for hunting email-borne threats?
A KQL hunt query needs to count distinct sign-in IPs per user over the last 24 hours and list them. Which KQL operator combination is appropriate?
Which Advanced Hunting table is the right starting point for hunting interactive and non-interactive identity sign-in events?
A hunter must correlate process events on an endpoint with related network connections from the same device using a shared key. Which KQL operator bes...
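The two KQL questions above (distinct sign-in IPs per user over 24 hours, and joining process events to network events from the same device on a shared key) are easier to reason about with a worked query in hand. The block below is an added example written for this page, not part of the question bank or Microsoft's documentation. The table and column names (SigninLogs, DeviceProcessEvents, DeviceNetworkEvents and their fields) are the real Sentinel and Advanced Hunting schema; the 24-hour window, the "more than 3 IPs" threshold, the 10-minute correlation window and the public-IP filter are assumptions chosen for illustration. The two queries are independent and are run one at a time.

```kql
// Added example, not from the original page. Schema names are real;
// thresholds and time windows are assumptions for illustration.

// 1. Count distinct sign-in IPs per user over the last 24 hours and list them.
//    SigninLogs is the Sentinel table fed by the Microsoft Entra ID connector.
//    summarize with dcount() gives the count; make_set() keeps the actual IPs.
SigninLogs
| where TimeGenerated > ago(24h)
| where ResultType == "0"                 // successful sign-ins only (ResultType is a string)
| summarize DistinctIPs = dcount(IPAddress),
            IPList = make_set(IPAddress, 50)   // cap the set at 50 entries per user
          by UserPrincipalName
| where DistinctIPs > 3                   // assumed threshold; tune per tenant
| order by DistinctIPs desc

// 2. Correlate process creation with outbound connections from the same device.
//    The shared keys are DeviceId and the process id: the created process in
//    DeviceProcessEvents (ProcessId) is the initiating process in
//    DeviceNetworkEvents (InitiatingProcessId). join kind=inner keeps only
//    processes that actually made a connection.
DeviceProcessEvents
| where Timestamp > ago(24h)
| project DeviceId, DeviceName, ProcessId, FileName, ProcessCommandLine,
          ProcessStart = Timestamp
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(24h)
    | where RemoteIPType == "Public"       // assumed filter: external destinations only
    | project DeviceId, InitiatingProcessId, RemoteIP, RemotePort, RemoteUrl,
              ConnectionTime = Timestamp
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// Process ids are reused, so also require the connection to follow the
// process start within an assumed 10-minute window.
| where ConnectionTime between (ProcessStart .. (ProcessStart + 10m))
| project DeviceName, FileName, ProcessCommandLine, RemoteIP, RemotePort,
          RemoteUrl, ProcessStart, ConnectionTime
| order by ConnectionTime desc
```

In the second query the join condition mixes a plain shared column (DeviceId) with an explicit `$left`/`$right` equality because the process id lives under different names in the two tables; the time-window filter after the join matters because Windows reuses process ids, so DeviceId plus process id alone is not a unique key across a day of telemetry.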