Microsoft Sentinel Ninja Cert

Question 1

What is the maximum file size of a Watchlist?

Answer 1

500MB

Question 2

Which AWS logs can be ingested by the Amazon Web Services S3 connector?

Answer 2

AWS GuardDuty
VPC Flow logs
AWS Cloudtrail

Question 3

Which of the following MITRE ATT&CK techniques are classed as Execution?

Answer 3

User Execution
Launchctl

Question 4

Which of the following are examples of Watchlist templates?

Answer 4

All of the options:
Identity Correlation
Terminated Employees
Service Accounts

Question 5

Which of the following is correct regarding the Search feature?

Answer 5

Search jobs use parallel processing to run the search across long time spans, for extremely large data sets.

Question 6

Microsoft Sentinel supports the MITRE ATT&CK framework version 9?

Answer 6

True

Question 7

What actions will the following xPath query take?
Security!*[System[(EventID=4688)]] and * [EventData[Data[@Name=’ProcessName’]=’C:\Windows\System32\consent.exe’]]

Answer 7

Only Security events with Event ID=4688 and a process name of consent.exe will be collected.

Question 8

How can you transform data before it is ingested into Microsoft Sentinel?

Answer 8

All of these options:
Logstash
Data Collection (DCR) rules
Azure Function

Question 9

If you wanted to create a Microsoft Sentinel solution for Sentinel, where would you find the guide to help you do this?

Answer 9

Microsoft Sentinel GitHub Repo

Question 10

Which of the following connectors are support by the SentinelHealth data table?

Answer 10

Dynamics 365
Threat Intelligence Platforms
Office ATP
Office 365

Question 11

Automation rules can be triggered by alerts and incidents.

Answer 11

False

Question 12

Which of the following tables can have data sent to them by the Custom logs API?

Answer 12

WindowsEvents and CommonSecurityLog

Question 13

What KQL operator will specify a type of graph?

Answer 13

render

Question 14

Which of the following are properties in the pollingConfig of a CCP connector?

Answer 14

auth
auth.authType
request

Question 15

You must manually change Sentinel retention policy to 90 days after creating a new workspace.

Answer 15

True

Question 16

Microsoft Sentinel is available in all Azure regions.

Answer 16

False

Question 17

Where in Microsoft Sentinel can you enable the Archive feature?

Answer 17

Tables

Question 18

How can you query data in an Archive log table?

Answer 18

Restoring archived logs
and
Running a search job

Question 19

How do you run a KQL query in a Microsoft Sentinel notebook?

Answer 19

Install the MSTICPy or KQLMagic library and use a %kql magic command at the start of a query.

Question 20

Where can you deploy honey tokens in the Microsoft Sentinel deception solution?

Answer 20

Azure Key Vault

Question 21

Data Connectors will not always be visible in the Sentinel Data Connectors configuration page until the related solution has been deployed from Content Hub.

Answer 21

True

Question 22

What rate can the AMA send data at?

Answer 22

5 K EPS

Question 23

Which of the following are considered limitations of a Searchjob?

Answer 23

Only able to quert one table at a time
Results are limited to one million records in the record set

Question 24

Why would a security analytst benefit from using Microsoft Sentinel notebooks?

Answer 24

Create data visualizations that aren’t provided out-of-the-box in Microsoft Sentinel.
Investigate security incidents at scale
Programmatically scale thret hunts beyound KQL queries
Document security workflows

Question 25

Which of the following are Fusion scenarios?

Answer 25

Crypto-mining
Ransomware
Lateral movement

Question 26

Dynamic content in workbooks in Microsoft Sentinel is:

Answer 26

The ability for tiles to inherit information from aother tile when a row is selected.

Question 27

You cannot create duplicate connections with the same repository and branch, in a single Microsoft Sentinel workspace.

Answer 27

True

Question 28

Which of the following statements are true about the Restore feature?

Answer 28

You can delete restored tables without deleting the underlying source archived table.

It is possible to run KQL queries against the data that has been archived only when the data has been restored to the Log Analyics workspace.

A restored log table will be available in the Log Analytics workspace with the suffix *_RST

Question 29

How does Microsoft Sentinel determine who a user’s peers are?

Answer 29

Azure AD security group membership

Question 30

Which of the following are limitations of NRT rules?

Answer 30

Can reference only one table.

Cannot use unions or joins