Implement and manage threat protection Flashcards

1
Q

How do you set up Azure ATP?

A

After you enter your information in the Azure ATP portal, you can download the sensor setup package. The zip file contains the installer and a configuration file; it installs the Azure ATP sensor on a domain controller or the Azure ATP standalone sensor on a server that is not a domain controller. You also copy the Access Key from the portal, which the sensor uses to establish its initial connection to your Azure ATP instance.

2
Q

How is Azure ATP authentication managed?

A

Once the sensor is installed, all further authentication between the sensor and the Azure ATP service is through certificates.

3
Q

How does Azure ATP establish its connection?

A

An Access Key is used to establish the initial connection to your Azure ATP instance

4
Q

In the Azure ATP portal, where are sensor and service health problems reported?

A

Workspace Health - where issues such as connectivity problems, disconnected sensors, or service account authentication failures are reported. The Health icon shows a red dot whenever a problem has been detected.

5
Q

What happens when you log in to ATP Portal for the first time?

A

You create the Azure ATP instance for your environment. You are prompted for the username (in NetBIOS domain\user form), the password, and the Active Directory domain name of the service account Azure ATP will use. This account needs only read-only access to the directory; do not grant it any additional privileges.

6
Q

What is involved to install and configure ATP?

A

Connecting to the portal, providing the information for your setup, downloading the installation package, and deploying it to the servers.

7
Q

How do you plan for capacity when planning Azure Advanced Threat Protection? (ATP)

A

You need to download and run the Azure ATP sizing tool from Microsoft:

-> TriSizingTool.exe - it samples domain controller load (by default over 24 hours) and reports the CPU and memory each sensor needs.

8
Q

What 4 report types are in Azure ATP reports?

A
  • > Summary
  • > Modifications to Sensitive Groups
  • > Password Exposed in clear text
  • > Lateral Movements Paths to Sensitive Accounts
9
Q

How do you enable Azure ATP integration with Microsoft Defender ATP?

A

You must do so in both Azure ATP Portal and Microsoft Defender ATP Security Center

10
Q

What information does each alert in the Azure ATP portal Security Alerts timeline show?

A
  • > User, computer, and/or resources involved
  • > The time of the activity
  • > Severity
  • > Status
11
Q

How are ATP alerts categorized?

A

Alerts align with the phases of the attack kill chain:

  • > Reconnaissance
  • > Compromised Credentials
  • > Lateral Movement
  • > Domain Dominance
  • > Data Exfiltration
12
Q

What licensing is required for Microsoft Defender ATP?

A

Microsoft Defender ATP is licensed as part of the Microsoft 365 E5 suite and is also available with Windows 10 Enterprise E5 (and the equivalent education SKUs).

13
Q

With Microsoft Defender ATP how do you protect servers?

A

To protect servers, you onboard them through Azure Security Center, which charges on a consumption (per-node) basis rather than through the per-user Defender ATP license.

14
Q

What are the 5 deployment methods for Microsoft Defender ATP?

A
  • > Locally run script
  • > Group Policy Object
  • > System Center Configuration Manager (SCCM)
  • > Intune
  • > Third-Party MDM & Software deployment solutions
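
Whichever of the five methods delivers the onboarding package, the device is only protected once the sensor is running and reporting to the tenant. The script below is an added example, not part of the flashcards or of Microsoft's onboarding package: it reads the documented onboarding status key, checks the Sense service and Defender AV state, and then launches Microsoft's documented detection test. The function and its field names are this example's own; the registry path and the test command line are the documented ones.

```powershell
# Added example (not from the flashcards): verify Microsoft Defender ATP onboarding,
# then trigger the documented benign detection test. Run in an elevated PowerShell.
function Test-MdatpOnboarding {
    # Documented status key written by the onboarding script / policy
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # the Defender ATP sensor service
    $av     = Get-MpComputerStatus                                     # Windows Defender AV state

    [pscustomobject]@{
        SenseServiceRunning = ($null -ne $sense -and $sense.Status -eq 'Running')
        OnboardingState     = $status.OnboardingState   # 1 = onboarded; 0 or missing = not onboarded
        OrgId               = $status.OrgId             # tenant the sensor reports to
        DefenderAVEnabled   = $av.AntivirusEnabled
        SignatureAgeDays    = $av.AntivirusSignatureAge
    }
}

$state = Test-MdatpOnboarding
$state | Format-List

if (-not ($state.SenseServiceRunning -and $state.OnboardingState -eq 1)) {
    Write-Warning 'Device is not onboarded; re-run the onboarding package and check the Sense service.'
    return
}

# Microsoft's detection test, launched from cmd.exe exactly as documented so the process
# command line matches the one the sensor is expected to flag. Within a few minutes an
# alert named "Suspicious PowerShell command line" should appear in the alerts queue.
$detectionTest = 'powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden ' +
    '$ErrorActionPreference= ''silentlycontinue'';' +
    '(New-Object System.Net.WebClient).DownloadFile(''http://127.0.0.1/1.exe'', ''C:\\test-WDATP-test\\invoice.exe'');' +
    'Start-Process ''C:\\test-WDATP-test\\invoice.exe'''
Start-Process -FilePath cmd.exe -ArgumentList '/c', $detectionTest
```

The download in the test points at 127.0.0.1 and never succeeds; the alert fires on the command line pattern, not on any real payload, which is why it is safe to run on a production machine.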
15
Q

In Microsoft Defender ATP, can you change the location where your data will be stored?

A

No. The data storage location is chosen during initial setup and cannot be changed afterwards; if you later need a different location you must tear the tenant down and start over.

16
Q

How do you access the Microsoft Defender ATP portal?

A

securitycenter.windows.com (the Microsoft Defender Security Center)

17
Q

What are the 13 areas of the Microsoft Defender ATP console?

A
1-> Dashboards
2-> Incidents
3-> Machines List
4-> Alerts queue
5-> Automated Investigations
6-> Advanced Hunting
7-> Reports
8-> Partners & APIs
9-> Threat & Vulnerability Mgmt Dashboard
10-> Simulations & Tutorials (Evaluations)
11-> Service Health
12-> Machine Configuration Mgmt
13-> Settings
18
Q

What is the Microsoft Defender ATP area - Dashboard?

A

The Dashboards area surfaces the information you want to see first, or keep on display in a security operations center (SOC), as high-level insights. It includes the Security Operations, Secure Score and Threat Analytics dashboards.

19
Q

What is the Microsoft Defender ATP area - Incidents?

A

Related alerts that Microsoft Defender ATP raises are grouped into incidents. The Incidents area lets you view and work with them: you can filter, classify and assign incidents and drill into their details.

20
Q

What is the Microsoft Defender ATP area - Machines List?

A

Displays all onboarded machines and lets you open the full details of each machine.

21
Q

What is the Microsoft Defender ATP area - Alerts queue?

A

Shows all alerts in your Microsoft Defender ATP tenant.

22
Q

What is the Microsoft Defender ATP area - Automated Investigations?

A

Lists the investigations the service created automatically. By default only the past seven days are shown.

23
Q

What is the Microsoft Defender ATP area - Advanced Hunting?

A

Provides an interface for writing or pasting queries (Kusto Query Language) to search the raw event data collected by Microsoft Defender ATP.
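
The same queries can be run outside the portal through the Advanced Hunting API, which is how a SOC schedules hunts or feeds results into a ticketing system. The script below is an added example, not from the flashcards: it assumes an Azure AD app registration that has been granted the application permission AdvancedQuery.Read.All, and the tenant ID, app ID and secret are placeholders. The KQL it submits looks for encoded or download-cradle PowerShell launched from Office applications.

```powershell
# Added example (not from the flashcards): run an advanced hunting query via the
# Microsoft Defender ATP API. Tenant, app ID and secret below are placeholders.
$tenantId  = '00000000-0000-0000-0000-000000000000'
$appId     = '11111111-1111-1111-1111-111111111111'
$appSecret = '<client secret from the app registration>'

# 1. Client-credentials token for the Defender ATP API resource (v1 token endpoint)
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$tenantId/oauth2/token" `
    -Body @{
        resource      = 'https://api.securitycenter.windows.com'
        client_id     = $appId
        client_secret = $appSecret
        grant_type    = 'client_credentials'
    }

# 2. KQL: PowerShell with encoded commands or download cradles spawned by Office apps
#    in the last 7 days. DeviceProcessEvents is the current table name (older tenants
#    exposed the same data as ProcessCreationEvents).
$query = @'
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe")
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "outlook.exe")
| where ProcessCommandLine has_any ("-enc", "-EncodedCommand", "FromBase64String",
                                    "DownloadString", "IEX", "Invoke-Expression")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
| order by Timestamp desc
| take 100
'@

# 3. POST the query; the response contains Schema (column definitions) and Results (rows)
$result = Invoke-RestMethod -Method Post `
    -Uri 'https://api.securitycenter.windows.com/api/advancedqueries/run' `
    -Headers @{ Authorization = "Bearer $($tokenResp.access_token)" } `
    -ContentType 'application/json' `
    -Body (@{ Query = $query } | ConvertTo-Json)

$result.Results | Format-Table Timestamp, DeviceName, AccountName, ProcessCommandLine -AutoSize
```

Treat the client secret like any other credential: keep it in a vault rather than in the script, and scope the app registration to the hunting permission only, since the same registration could otherwise be granted machine-action rights.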

24
Q

What is the Microsoft Defender ATP area - Reports subsections?

A

1-> Threat Protection - view alert trends
2-> Machine Health & Compliance - view machine trends and a machine summary by health state, antivirus status, and OS version.

25
Q

What does the Microsoft Defender ATP area - Reports - subsection Threat Protection include?

A
An unresolved alert summary, broken down by:
Detection source
Category
Severity
Status
Classification and determination
26
Q

What is the Microsoft Defender ATP area - Partners & APIs?

A

Partner Applications - displays the many 3rd party applications that can be integrated
Data Export section - is where you can choose the data export settings which are used to push data to other applications, such as SIEMs

27
Q

What is the Microsoft Defender ATP area - Threat & Vulnerability Mgmt Dashboard?

A

Gives admins a risk-based, real-time way to discover vulnerabilities in their environment, prioritize them by risk, and remediate them.

28
Q

What is the Microsoft Defender ATP area - Simulations & Tutorials (Evaluation & Tutorials)?

A

includes the Evaluation Lab and a set of tutorials with simulations so admins can work in the environment without exposing machines to actual malicious files.

29
Q

What is the Microsoft Defender ATP area - Service Health?

A

Where admins go to check on the overall health of the Microsoft Defender ATP service. You can see active incidents and find historical information

30
Q

What is the Microsoft Defender ATP area - Machine Configuration Management?

A

You can onboard machines and configure and apply security baselines to enrolled machines through Intune.

31
Q

What is the Microsoft Defender ATP area - Settings?

A
Where settings are configured, broken up into several categories:
General
Permissions
APIs
Rules
Machine Management
32
Q

What are the 2 options in the Microsoft Defender ATP Settings category - Machine Management?

A

Onboarding - you can download onboarding scripts or the installers for down-level clients (older Windows versions that need a separate agent)
Offboarding - you can download offboarding scripts

33
Q

What is the Microsoft Defender ATP area - Settings category - 6 Rules options?

A
  1. Custom Detections
  2. Alert Suppression
  3. Indicators
  4. Automation Allowed/Blocked Lists
  5. Automation Uploads
  6. Automation Folder Exclusions
34
Q

What are the 2 options in the Microsoft Defender ATP Settings category - APIs?

A
  1. Threat Intel
  2. SIEM

35
Q

What are the 2 options in the Microsoft Defender ATP Settings category - Permissions?

A
  1. Roles
  2. Machine Groups

36
Q

What is the Microsoft Defender ATP area - Settings category 5 General options?

A
  1. Data Retention
  2. Alert Notifications
  3. Power BI Reports
  4. Secure Score
  5. Advanced Features
37
Q

Monitoring Microsoft Defender ATP, what can you see?

A

The Security Operations Dashboard is designed to surface the most useful information, making it easy to determine at a glance if any actions are required.

38
Q

What are the 3 sections in the Device Security Dashboard?

A
  1. Core Isolation
  2. Security Processor
  3. Secure Boot
39
Q

What does Windows Defender Application Guard (WDAG) do?

A

Uses hardware-based (Hyper-V) isolation to open untrusted sites in a separate container, so an attack that starts when a user visits a website hosting malware cannot reach the host operating system.

40
Q

How are Windows Defender Application Control (WDAC) policies created?

A

WDAC policies are created with the ConfigCI PowerShell cmdlets (New-CIPolicy produces the policy XML, ConvertFrom-CIPolicy compiles it to the binary .p7b the kernel enforces) and can be deployed with Group Policy, Intune/MDM, Configuration Manager, or any other software deployment tool. A policy can also authorize applications by reputation through the Intelligent Security Graph (ISG).
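
The flashcard names the cmdlets but not the workflow that keeps a WDAC rollout from breaking production: scan a reference machine, run in audit mode, read the audit events, then enforce. The script below is an added example, not the flashcards' own content or Microsoft's sample; the C:\WDAC paths and the choice to scan the whole system drive are assumptions for illustration.

```powershell
# Added example (not from the flashcards): build a WDAC policy from a reference machine,
# test it in audit mode, optionally allow ISG reputation, then enforce. Run elevated
# on the reference machine; paths are illustrative.
$xml = 'C:\WDAC\ReferencePolicy.xml'
$bin = 'C:\WDAC\SIPolicy.p7b'
New-Item -ItemType Directory -Path 'C:\WDAC' -Force | Out-Null

# 1. Scan the reference image. -Level Publisher trusts code by its signing certificate,
#    -Fallback Hash pins unsigned binaries by hash, -UserPEs includes user-mode code
#    (without it only kernel drivers are covered). Scanning C:\ takes a while.
New-CIPolicy -FilePath $xml -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs

# 2. Rule option 3 = Enabled:Audit Mode. Binaries the policy would block are only logged
#    (Event ID 3076 in Microsoft-Windows-CodeIntegrity/Operational).
Set-RuleOption -FilePath $xml -Option 3
# Rule option 14 = Enabled:Intelligent Security Graph Authorization. Lets Windows run
# binaries with good ISG reputation that the scan never saw (reduces allow-list churn).
Set-RuleOption -FilePath $xml -Option 14

# 3. Compile to the binary form and stage it locally. Group Policy, Intune/MDM or
#    Configuration Manager deliver this same .p7b to the fleet; the local copy lives at
#    %windir%\System32\CodeIntegrity\SIPolicy.p7b and takes effect after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
Copy-Item -Path $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force

# 4. After a reboot and a representative workload, review what audit mode would have blocked.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message

# 5. When the audit log is clean (or the gaps have been added as rules), remove the
#    audit option, recompile and redeploy. From this point unauthorized code is blocked.
Set-RuleOption -FilePath $xml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin
```

Audit mode is the step practitioners skip at their peril: the 3076 events are the only evidence of what line-of-business tools, updaters and installer helpers the scan missed before enforcement locks them out.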

41
Q

What will WDAC prevent you from doing?

A

It will prevent you from installing any MSI directly from the Internet. To work around this, download the MSI and run it locally.

42
Q

What are the 4 components that makeup Windows Defender Exploit Guard (WDEG)?

A
  1. Attack Surface Reduction (ASR)
  2. Network Protection
  3. Controlled Folder Access
  4. Exploit Protection
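
Each of the four components is configured through the Defender PowerShell module, and each supports an audit mode so the effect on users can be measured before anything is blocked. The script below is an added example, not from the flashcards: the rule GUIDs are Microsoft's published ASR rule IDs, while the protected folder, the allowed application and the process name given to Exploit Protection are illustrative assumptions.

```powershell
# Added example (not from the flashcards): configure the four Exploit Guard components,
# starting in audit mode. Run elevated. Folder, app and process names are illustrative.

# 1. Attack Surface Reduction. Published rule IDs -> description (for the operator's notes).
$asrRules = @{
    'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' = 'Block executable content from email client and webmail'
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block all Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '92E97FA1-5D36-4D3D-B2A0-08B9CBD58A7B' = 'Block Win32 API calls from Office macros'
    '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2' = 'Block credential stealing from LSASS'
}
foreach ($id in $asrRules.Keys) {
    # AuditMode = log only (Event ID 1122); Enabled = block (Event ID 1121)
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions AuditMode
}

# 2. Network Protection: reputation-based blocking of outbound connections from any process,
#    not just the browser (audit = Event ID 1125, block = 1126).
Set-MpPreference -EnableNetworkProtection AuditMode

# 3. Controlled Folder Access: only trusted apps may write to protected folders
#    (audit = Event ID 1124, block = 1123). Add a business folder and the app that needs it.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders 'C:\Finance'
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\Contoso\ledger.exe'

# 4. Exploit Protection: per-process mitigations on top of the system defaults,
#    here for a document reader that is a common phishing target.
Set-ProcessMitigation -Name 'acrord32.exe' -Enable DEP, BottomUp, ForceRelocateImages, DisableExtensionPoints

# Review the resulting configuration
Get-MpPreference | Select-Object AttackSurfaceReductionRules_Ids, AttackSurfaceReductionRules_Actions,
    EnableNetworkProtection, EnableControlledFolderAccess, ControlledFolderAccessProtectedFolders
Get-ProcessMitigation -Name 'acrord32.exe'

# Audit events to review before switching any component from AuditMode to Enabled
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' -MaxEvents 200 |
    Where-Object { $_.Id -in 1122, 1124, 1125 } |
    Select-Object TimeCreated, Id, Message

# Promote one rule to block once its audit events are understood:
# Add-MpPreference -AttackSurfaceReductionRules_Ids 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' `
#                  -AttackSurfaceReductionRules_Actions Enabled
```

Add-MpPreference appends to the existing rule list, so rules already pushed by Group Policy or Intune are kept; if a rule is managed centrally the policy value wins over the local setting.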
43
Q

What is required for Secure Boot?

A

Secure Boot requires UEFI firmware that supports it, and it needs to be enabled in the UEFI settings before the operating system is installed. Windows installed in legacy BIOS mode runs from an MBR disk, so if you enable UEFI and Secure Boot later you must reinstall the OS (or first convert the disk to GPT with MBR2GPT.EXE).

44
Q

What encryption is available with Windows 10 device encryption? What is the best thing?

A

Device Encryption uses BitLocker with XTS-AES 128 or XTS-AES 256.
The best thing is that on Azure AD joined machines that meet the Device Encryption hardware requirements, drives are encrypted automatically and the recovery keys are stored in Azure AD.
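
The two cards above describe the state a device should be in; checking that state, and fixing it when automatic Device Encryption did not kick in, is a routine task. The script below is an added example, not from the flashcards: it reports Secure Boot, TPM and BitLocker status, enables XTS-AES 256 on the system drive if it is unprotected, and escrows the recovery password to Azure AD. The function name and output fields are this example's own; it assumes an elevated session on a Windows 10 device that is Azure AD joined.

```powershell
# Added example (not from the flashcards): Secure Boot / TPM / BitLocker posture check,
# enable XTS-AES 256 if needed, and escrow the recovery key to Azure AD. Run elevated.
function Get-DevicePosture {
    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled"
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm = Get-Tpm
    $os  = Get-BitLockerVolume -MountPoint $env:SystemDrive

    [pscustomobject]@{
        SecureBoot        = $secureBoot
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        ProtectionStatus  = $os.ProtectionStatus        # On / Off
        EncryptionMethod  = $os.EncryptionMethod        # XtsAes128 / XtsAes256 / None ...
        RecoveryProtector = @($os.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }).Count
    }
}

$posture = Get-DevicePosture
$posture | Format-List

if (-not $posture.SecureBoot -or -not $posture.TpmReady) {
    Write-Warning 'Secure Boot or TPM not ready: fix firmware settings before relying on Device Encryption.'
}

if ($posture.ProtectionStatus -eq 'Off') {
    # TPM-sealed key plus a recovery password; -SkipHardwareTest avoids the pre-encryption reboot
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
}

# Escrow every recovery password in Azure AD so it can be retrieved from the device's
# Azure AD object (the device must be Azure AD joined or registered).
$recovery = (Get-BitLockerVolume -MountPoint $env:SystemDrive).KeyProtector |
    Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
foreach ($kp in $recovery) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $env:SystemDrive -KeyProtectorId $kp.KeyProtectorId
}
```

If EncryptionMethod already reports Aes128 or Aes256 (the pre-1511 CBC modes) the drive must be decrypted and re-encrypted to move to XTS; Enable-BitLocker does not change the method of a volume that is already encrypted.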

45
Q

What is MDM vs MAM?

A

MDM - Mobile Device Management is for company-owned devices: the whole device is enrolled and managed.
MAM - Mobile Application Management secures the application and enables secure access even when supporting a BYOD environment; you protect the managed app and its data rather than the overall device.

46
Q

What is MAM?

A

Mobile Application Management (MAM) uses Intune to manage applications: publishing, pushing, configuring, securing, monitoring, and updating apps on mobile devices (with or without the device itself being enrolled).

47
Q

What is WIP?

A

Windows Information Protection (WIP) is the MAM mechanism for Windows 10 devices. WIP is useful for laptops and Windows tablets.

48
Q

What 3 benefits does WIP provide?

A

Separation between personal data and enterprise data that is enforced.
Existing applications can be protected without requiring an update or rewrite
Corporate data can be wiped without wiping personal data

49
Q

How do you access MAM?

A

Azure Portal -> access Intune blade

50
Q

What are the 4 sections of the Intune blade?

A
  1. Manage
  2. Monitor
  3. Setup
  4. Help and Support
51
Q

What are the 4 different protection/mgmt modes for WIP policies?

A
  1. Block
  2. Allow Overrides
  3. Silent
  4. Off
52
Q

How do you create WIP policies?

A

By using Microsoft Intune

  • > Access Client Apps in the Intune blade
  • > click App Protection Policies
  • > click Create Policy
53
Q

What does Office 365 ATP provide?

A

One part of the Microsoft Threat Protection.

It provides advanced threat protection for the SaaS applications and data that enterprises use with O365

54
Q

What does O365 ATP include?

A

Anti-Phishing Protection
Safe Attachments -> Protections against zero-day & advanced malware
Safe Links -> Protection against malicious links in email, instant msgs and files

55
Q

How do you configure O365 ATP anti-phishing policies?

A

Go to the Security & Compliance Center at protection.office.com

  • > click Threat Management
  • > click Policy
  • > click ATP Anti-Phishing tile
56
Q

What are 3 sections for any anti-phishing policy?

A
  1. Impersonation
  2. Spoof
  3. Advanced Settings
57
Q

What 6 actions can be configured against impersonation? Which is recommended by Microsoft?

A
  1. Quarantine the message - Recommended
  2. Redirect the message to other email addresses
  3. Move the message to the recipient's Junk Email folder
  4. Deliver the message and add other addresses to the Bcc line
  5. Delete the message before it's delivered
  6. Don't apply any action
58
Q

What is Impersonation Safety Tips?

A

Recommended; should be enabled. If a message is released from quarantine or otherwise delivered to the user, the user sees a visual warning indicating that the message is an impersonation attempt.

59
Q

What license is required for O365 ATP anti-spam?

A

O365 ATP P2 - you will see the Spoof Intelligence Policy

To Access -> Security & Compliance -> Policy

60
Q

What are the 4 groups of Policies setting for ATP anti-spam?

A
  1. Spam Filter Policy
  2. Connection Filter Policy
  3. Outbound Spam Filter Policy
  4. Spoof Intelligence Policy
61
Q

In the Spam Properties (advanced spam filter options) of a spam filter policy, which 3 settings should be adjusted to block more spam?

A
  1. SPF Record: Hard Fail
  2. Conditional Sender ID Filtering: Hard Fail
  3. NDR Backscatter
62
Q

What is O365 ATP Safe Attachments?

A

Checks attachments in email, and files shared through SharePoint Online, OneDrive for Business, and Teams, to ensure they are not malicious by opening them in a sandboxed virtual environment and observing how they behave (detonation). Rather than relying only on signatures, ATP analyses what the attachment actually does.

63
Q

O365 ATP Safe Attachment policies can be configured to take which 5 actions?

A
  1. Off -> No action taken
  2. Monitor -> detections are logged, but malicious files are still delivered
  3. Block - msg and attachments are blocked
  4. Replace - msgs are delivered but malicious attachments are replaced by text file noting files were removed.
  5. Dynamic Delivery - functions like Replace, but the message is delivered immediately while the attachment is scanned, and the attachment is reattached once it is found clean
64
Q

What is O365 ATP Safe Link?

A

checks links in emails and attachments to ensure that they do not link to a malicious site

65
Q

What are 2 types of O365 ATP Safe Link Policies

A
  1. Policies that apply to the entire organization
  2. Policies that apply to specific recipients
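
The anti-phishing, anti-spam, Safe Attachments and Safe Links settings from the cards above are all exposed in Exchange Online PowerShell, which is how they are versioned and reproduced across tenants rather than clicked through the Security & Compliance Center. The script below is an added example, not from the flashcards: contoso.com, the executive names and the security mailbox are placeholders, and the org-wide Set-AtpPolicyForO365 call is the "entire organization" policy type while the New-*Rule calls scope policies to specific recipients.

```powershell
# Added example (not from the flashcards): configure Office 365 ATP anti-phishing, the
# advanced spam filter settings, Safe Attachments and Safe Links with Exchange Online
# PowerShell. Domain, names and mailbox are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

# 1. Anti-phishing: impersonation (users + domain), mailbox intelligence and spoof,
#    all set to Quarantine (Microsoft's recommended action), safety tips on.
New-AntiPhishPolicy -Name 'Contoso-AntiPhish' `
    -EnableTargetedUserProtection $true -TargetedUsersToProtect 'Jane Doe;jane.doe@contoso.com' `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true -TargetedDomainsToProtect 'contoso.com' `
    -TargetedDomainProtectionAction Quarantine `
    -EnableMailboxIntelligence $true -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableSimilarUsersSafetyTips $true -EnableSimilarDomainsSafetyTips $true `
    -EnableUnusualCharactersSafetyTips $true `
    -EnableSpoofIntelligence $true -AuthenticationFailAction Quarantine
New-AntiPhishRule -Name 'Contoso-AntiPhish' -AntiPhishPolicy 'Contoso-AntiPhish' -RecipientDomainIs 'contoso.com'

# 2. Anti-spam advanced settings from the card: SPF hard fail, conditional Sender ID
#    hard fail, NDR backscatter. Use 'Test' instead of 'On' to tag before enforcing.
Set-HostedContentFilterPolicy -Identity Default `
    -MarkAsSpamSpfRecordHardFail On -MarkAsSpamFromAddressAuthFail On -MarkAsSpamNdrBackscatter On

# 3. Safe Attachments: Dynamic Delivery keeps mail flowing during detonation; detected
#    files are redirected to the security mailbox; ActionOnError applies the action if
#    scanning times out rather than failing open.
New-SafeAttachmentPolicy -Name 'Contoso-SafeAttach' -Enable $true -Action DynamicDelivery `
    -Redirect $true -RedirectAddress 'secops@contoso.com' -ActionOnError $true
New-SafeAttachmentRule -Name 'Contoso-SafeAttach' -SafeAttachmentPolicy 'Contoso-SafeAttach' -RecipientDomainIs 'contoso.com'

# 4. Safe Links for specific recipients: rewrite and real-time scan, wait for the scan,
#    cover internal mail, keep click tracking, and block click-through to a flagged URL.
New-SafeLinksPolicy -Name 'Contoso-SafeLinks' -IsEnabled $true -ScanUrls $true `
    -DeliverMessageAfterScan $true -EnableForInternalSenders $true `
    -DoNotTrackUserClicks $false -DoNotAllowClickThrough $true
New-SafeLinksRule -Name 'Contoso-SafeLinks' -SafeLinksPolicy 'Contoso-SafeLinks' -RecipientDomainIs 'contoso.com'

# 5. The "entire organization" policy: Safe Links in Office clients and Safe Attachments
#    for SharePoint Online, OneDrive for Business and Teams.
Set-AtpPolicyForO365 -EnableSafeLinksForO365Clients $true -EnableATPForSPOTeamsODB $true -AllowClickThrough $false

# Verify
Get-AntiPhishPolicy -Identity 'Contoso-AntiPhish' | Select-Object TargetedUserProtectionAction, AuthenticationFailAction
Get-HostedContentFilterPolicy -Identity Default | Select-Object MarkAsSpamSpfRecordHardFail, MarkAsSpamFromAddressAuthFail, MarkAsSpamNdrBackscatter
Get-SafeAttachmentPolicy -Identity 'Contoso-SafeAttach' | Select-Object Action, Redirect, ActionOnError
Get-SafeLinksPolicy -Identity 'Contoso-SafeLinks' | Select-Object IsEnabled, ScanUrls, DoNotAllowClickThrough
```

A policy does nothing until a rule binds it to recipients, which is why each New-*Policy call is paired with a New-*Rule; the default anti-spam policy is the one exception, since it already applies to everyone.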

66
Q

What does O365 Threat Intelligence include? What are the 5 sections?

A

It includes both threat investigation and response capabilities.

  1. Threat Mgmt - Dashboard
  2. Investigation - view Automated investigations
  3. Explorer - view & analyze threats
  4. Submission - submit mail & files to Microsoft
  5. Review
67
Q

What license & Roles are required for O365 Threat Intelligence (TI)?

A

Included in Office 365 ATP Plan 2.
Requires the Global Admin, Security Admin or Security Reader role, or a custom RBAC role.
TI is accessed in the Security & Compliance Center at protection.office.com

68
Q

How do you integrate O365 Threat Intelligence with Microsoft Defender ATP?

A

In the Security & Compliance Center:

  • > choose Threat Management -> Explorer
  • > in the upper-right corner
  • > click WDATP Settings
  • > set the Connect to Windows ATP switch to "On"