3.10 Module Assessment

50 minutes · Module 3 · Free

Module 3 — Final Assessment

Key takeaways

  • The Defender XDR portal at security.microsoft.com is the single interface for all SOC operations
  • Navigate top-down: incident → alerts → evidence. The attack story tab gives you the full chain first.
  • Triage is a 60-second decision: check title, alert count, entities, time. VIP users escalate everything.
  • Classify every incident (TP, FP, informational) — this feedback improves detection quality over time
  • Suppression rules must be scoped narrowly to avoid creating blind spots
  • Advanced hunting queries all data recorded — including activity no detection rule caught
  • Promote reliable hunting queries to custom detection rules for automated alerting
  • Match response action severity to investigation confidence — revoke sessions for medium confidence, disable account for confirmed active compromise
  • Attack disruption fires only for high-confidence threats where human response time is too slow
  • Threat Analytics connects global threat intelligence to your specific environment exposure
  • Secure Score is a guide for prioritizing hardening, not a target to chase blindly
  • Threat Explorer (P2) is the purpose-built email investigation tool — use it for email, Advanced Hunting for cross-table queries
  • The device timeline shows every process, network connection, and file event — read the parent-child process chain
  • RBAC follows least privilege: Tier 1 views, Tier 2 acts, Tier 3 configures
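
The parent-child chain in the device timeline, the "activity no detection rule caught" reach of Advanced Hunting, and the promotion of a reliable query to a custom detection come together in one query. The following Advanced Hunting query is an added example and is not part of the course material; it uses the standard DeviceProcessEvents schema, and the Office application list, scripting engine list and 7-day window are assumptions chosen for the illustration:

```kql
// Added example, not course material: find Office applications spawning a
// scripting engine, the parent-child pattern from the takeaways above.
// Process lists and the 7-day window are assumptions for this illustration.
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
let scriptEngines = dynamic(["powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"]);
DeviceProcessEvents
| where Timestamp > ago(7d)
// parent (initiating) process is an Office application
| where InitiatingProcessFileName in~ (officeApps)
// child process is a scripting engine
| where FileName in~ (scriptEngines)
// Timestamp, ReportId and DeviceId are kept so the same query can later be
// saved as a custom detection rule, which needs those columns to create alerts
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          FileName, ProcessCommandLine
| order by Timestamp desc
```

Run it in Advanced Hunting first and review the hits: a result with a benign, documented command line is a candidate for narrowing the query (for example excluding a known add-in's command line) rather than for a broad suppression, and once the remaining results are reliable the query can be promoted to a custom detection rule as described in the takeaways.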

Final assessment (10 questions)

1. What is the hierarchy of objects in Defender XDR?

Alert → Incident → Evidence
Incident → Alert → Evidence
Evidence → Alert → Incident

2. A medium-severity incident involves 2 alerts from 2 products. The affected user is the CFO. What should you do?

Escalate to immediate investigation — VIP user involvement overrides the medium severity classification
Queue it for later — medium severity is not urgent
Reassign to a senior analyst

3. You discover a recurring false positive that fires 15 times per day. What is the correct tuning action?

Disable the detection rule
Suppress all alerts of that type
Create a narrowly scoped suppression rule matching the specific FP conditions, and document why

4. When should you use Threat Explorer instead of Advanced Hunting?

When investigating a specific phishing email, viewing its delivery timeline, and taking bulk email remediation actions
When you need to join email data with sign-in logs
When you need to build a scheduled detection rule

5. You see powershell.exe spawned by winword.exe in the device timeline. What does this indicate?

Normal user behavior
A Windows update process
A strong malware indicator — Office applications spawning scripting engines is the signature of macro-based malware delivery

6. What does Attack Disruption do that manual response cannot?

Automatically disables accounts and isolates devices within minutes for high-confidence attacks — faster than any analyst can triage, investigate, and act
Generates better incident reports
Runs more KQL queries per minute

7. Threat Analytics shows your organization is exposed to an active AiTM campaign. 247 users lack phishing-resistant MFA. What do you do with this information?

Wait for the attack to happen, then investigate
Prioritize deploying compliant device requirements and FIDO2 for the 247 exposed users — use the Threat Analytics data to justify the urgency to leadership
Block all external email until the threat passes

8. A Security Reader wants to isolate a compromised device. Can they?

Yes — all analysts can take any action
No — Security Reader can view incidents and run queries but cannot take response actions. Security Operator or higher is required for containment actions.
Only if the incident is high severity

9. You write a KQL query that reliably detects suspicious inbox rule creation. What should you do with it?

Run it manually every morning
Save it as a bookmark in Advanced Hunting
Promote it to a custom detection rule that runs automatically on a schedule and generates alerts

10. Why should you collect an investigation package from a device BEFORE isolating it?

Isolation changes the device state — active network connections and some process data are only available while connected. The investigation package captures the live state before containment alters it.
Investigation packages cannot be collected after isolation
Microsoft requires it