Practice Questions Flashcards

1
Q

You have a Microsoft 365 E5 subscription.
You plan to deploy Microsoft Defender for Endpoint to meet the following requirements:

  • Block executable content from mail messages.
  • Block unsigned processes that run from USB drives.

Which Defender for Endpoint capability should you choose?

A

Attack surface reduction

-Provides rules to target certain software behavior, such as launching executable files and scripts and running unsigned processes.

2
Q

You have a M365 E5 subscription that uses MS Defender for Cloud.
You have a VM named Server1 that runs Windows Server and is hosted in AWS.
You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.

What should you install on Server1?

A

The Azure Connected Machine agent

3
Q

You have an Azure subscription that contains 50 VMs that run Windows Server. The VMs are onboarded to MS Defender for Cloud.
You need to identify the VMs that are missing updates and have Windows Firewall disabled.

What should you configure?

A

Data collection

4
Q

You have an Azure subscription that contains five VMs onboarded to MS Defender for Cloud.
You need to reduce the amount of data that is sent to a Log Analytics workspace.

What should you configure?

A

Data collection

5
Q

You have an Azure subscription that uses MS Defender for Cloud.
You have an AWS account.
You need to ensure that you can use MS Defender for Cloud to assess the resources in the AWS account.

Which blade in the MS Defender for Cloud portal should you use to configure the AWS connector?

A

Environment settings

-Allows you to add environments, including AWS and Google Cloud Platform (GCP) environments.

6
Q

You have the following cloud environment:
-An Azure subscription that uses MS Defender for Cloud
-A M365 tenant
-An AWS account
-A Google Cloud Platform (GCP) project
You need to ensure that you can use Defender for Cloud to perform Cloud Security Posture Management (CSPM) for the environments.

Which environments will require that a connector be deployed?

A

AWS and GCP

-Defender for Cloud can protect hybrid workloads, including on-premises, AWS, and GCP, but a connector must be deployed for an AWS account or a GCP project.

7
Q

You have a SOC and a MS Sentinel workspace.
You need to ensure that Tier 1 SOC analysts can manage incidents in MS Sentinel by running preconfigured playbooks. The solution must meet the following requirements:
- Prevent analysts from making changes to playbooks or the MS Sentinel workspace.
- Follow the principle of least privilege.

Which role or roles should you assign to the analysts?

A

MS Sentinel Responder and Logic App Operator

  • Sentinel Responder allows you to view data, incidents, workbooks, and other MS Sentinel resources.
  • Logic App Operator lets you read, enable, and disable logic apps, but not edit or update them.
8
Q

You have an Azure subscription that uses MS Sentinel.
You create a user named Admin1.
You need to ensure that Admin1 can add playbooks in MS Sentinel. The solution must follow the principle of least privilege.

Which role should you assign to Admin1?

A

MS Sentinel Automation Contributor

9
Q

Your on-premises network contains multiple devices that provide logs in Common Event Format (CEF).
You have an Azure subscription and a MS Sentinel workspace named Workspace1.
You need to ingest the logs from the devices into Workspace1.

What should you do first?

A

Deploy a computer that runs Linux

-To ingest Syslog and CEF logs into MS Sentinel, particularly from devices and appliances onto which you cannot install the Log Analytics agent directly, you must designate and configure a Linux machine that will collect the logs from your devices and forward them to your MS Sentinel workspace. This machine can be a physical machine or VM in your on-premises environment, an Azure VM, or a VM in another cloud.

10
Q

You are implementing MS Sentinel.
You add a MS Entra ID Protection data connector to MS Sentinel.
You need to verify whether data is ingested from the connector.

Which table should you query?

A

SecurityAlert

-When you add a Microsoft Entra ID data connector in MS Sentinel, it stores ingested data to the SecurityAlert table in a Log Analytics workspace.

11
Q

You have a MS Sentinel workspace.
You plan to deploy a Syslog data connector in MS Sentinel.
You download an agent to a computer that runs Linux.
You need to onboard the agent to MS Sentinel.

What information do you need?

A

The MS Sentinel workspace ID and the workspace secondary key

-Syslog is an event logging protocol that is common to Linux. You can use the Syslog daemon built into Linux devices and appliances to collect local events of the types you specify and have it send those events to MS Sentinel by using the Log Analytics agent for Linux.
-During installation of the agent, you must provide the workspace ID and the primary or secondary key of the workspace.

12
Q

You have a MS Sentinel workspace.
You need to enable User and Entity Behavior Analytics (UEBA) in MS Sentinel.

Which two data sources support the use of UEBA?

A

Azure Activity
Security Events

13
Q

You have a M365 E5 subscription.
You plan to create a MS Defender XDR hunting query to identify users that have been affected by clicking a suspicious URL.
You need to create a detection rule that will mark the user as compromised.

Which two properties should you include in the rule?

A

AccountUpn
ReportId

14
Q

You have a M365 E5 subscription.
You are using MS Defender portal.
You need to create a custom detection rule by using a hunting query.

Which two columns should the query return?

A

ReportId
Timestamp

15
Q

You have a MS Sentinel workspace.
You need to create a livestream session in MS Sentinel.

Which MS Sentinel resource can you add to the livestream?

A

Hunting query

-You can use livestream to create interactive sessions that let you test newly created queries as events occur, get notifications from the sessions when a match is found, and launch investigations if necessary. You can quickly create a livestream session by using any Log Analytics query. You can create a livestream session from an existing hunting query or create your session from scratch.

16
Q

You have a MS Sentinel workspace.
You have the following hunting query:

SigninLogs
| where TimeGenerated > ago(7d)
| extend ErrorCode = tostring(Status.errorCode)
| extend FailureReason = tostring(Status.failureReason)
| where ErrorCode in ("50053", "50079")
| project UserPrincipalName, IPAddress, AppDisplayName, ['Error Code'] = ErrorCode, ['Reason'] = FailureReason

You run the query and select results to add as a bookmark.

Which projected column does NOT map to an entity?

A

Reason

-Does not have an appropriate entity mapping when creating a hunting query.

17
Q

You have a MS Sentinel workspace.
You have the following query:

SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625
| summarize count() by TargetAccount

You need to use the query as a hunting query. The solution must generate result deltas.

What should you do?

A

Remove "| where TimeGenerated > ago(7d)"

-Delta values for hunting queries cannot be calculated for queries with hard-coded time filters. The time filter should be removed.

18
Q

You have a M365 E5 subscription and a MS Sentinel workspace.
You create a custom query named Query1.
You need to test the Query1 against events as they occur in the subscription.

What should you use?

A

Livestream

-You can use a hunting livestream to test queries against live events as they occur. Livestream provides interactive sessions that can notify you when MS Sentinel finds matching events for your query.
-A livestream is always based on a query. Typically, you use the query to narrow down streaming log events, so only the events that are related to your threat hunting efforts appear. You can use a livestream to:
—Test new queries against live events
—Generate notifications for threats
—Launch investigations

19
Q

You have an Azure subscription that uses MS Sentinel.
You need to create a report that will visualize alert information over time.

What should you create first?

A

Workbook

20
Q

You have a MS Sentinel workspace that has a MS Entra ID data connector.
You need to create a report that visualizes sign-in information over time.

What should you use?

A

Workbook

-Once you have connected data sources to MS Sentinel, you can visualize and monitor the data by using MS Sentinel workbooks, which provide versatility in creating custom dashboards.

21
Q

You have a MS Sentinel workspace.
You plan to add a workbook to MS Sentinel.
You create a workbook query.
You need to display the query results in a time chart.

Which keyword should you include in the query?

A

Render

-In KQL, the render keyword renders results as a graphical output.
-The other keywords do not provide graphical results and have the following functions:
Print: outputs a single row with one or more scalar expressions
Project: selects the columns to include in the order specified
Extend: creates a calculated column and adds it to the result set
Summarize: groups the rows according to the by group columns and calculates aggregations over each group

22
Q

You have a SOC and a MS Sentinel workspace.
You plan to provide the SOC manager with a MS Sentinel workbook that includes the following metrics:
-Incident created over time
-Mean time to triage

You need to create the workbook by using a template. The solution must minimize administrative effort.

Which template should you use?

A

Security operations efficiency

-You can use the Security Operations efficiency workbook template to monitor SOC operations. The workbook contains many metrics, including incidents created over time and mean time to triage. These metrics are unavailable in other workbook templates, so you will minimize administrative effort if you use the Security Operations efficiency workbook template.

23
Q

You have a M365 E5 subscription that includes a user named User1.
You need to ensure that all emails sent to User1, including malicious email, are excluded from filtering by MS Defender for Office 365.

What should you configure?

A

SecOps mailbox

-Dedicated mailbox that is used by security teams to collect and analyze unfiltered messages. Filters in the EOP and Defender for Office 365 take no action on email messages sent to a SecOps mailbox.

24
Q

You have a M365 E5 subscription that uses MS Defender for Cloud Apps.
You need to create a Defender for Cloud Apps policy that will generate alerts based on a trainable classifier.

Which type of policy should you create?

A

File Policy

-File policies allow you to enforce a wide range of automated processes by using the cloud provider's APIs. Policies can be set to provide continuous compliance scans, legal eDiscovery tasks, DLP for sensitive content shared publicly, and many more use cases. Defender for Cloud Apps can monitor any file type based on more than 20 metadata filters, such as access level, file type, and trainable classifiers.

25
Q

You have a M365 E5 subscription that uses MS Defender for Endpoint.
You deploy an app named App1. App1 clears logs from an application server.
When App1 runs, it triggers a MS Defender alert.
You need to prevent App1 from triggering alerts. The solution must ensure that other apps will still trigger alerts.

What should you configure?

A

A suppression rule

26
Q

You have a MS Sentinel workspace.
You need to create a variable named WLVar1 that will contain a list of available watchlists.

Which query should you run?

A

let WLVar1 = Watchlist;

-Lists all the available watchlists in the workspace. When saved to a variable, the information can be used to select the appropriate watchlist as part of the query.

27
Q

You have a MS Sentinel playbook named Playbook1.
Playbook1 is triggered when a new MS Sentinel incident is created.
You create a custom near-real-time (NRT) analytics rule named NRTRule1.
You need to ensure that NRTRule1 can use Playbook1.

What should you do?

A

Add an automation rule to NRTRule1

-For playbooks that are triggered by incident creation and receive incidents as their input (their first step is "When a MS Sentinel incident is triggered"), you can create an automation rule and define a Run playbook action in the rule to trigger the playbook.

28
Q

You have a MS Sentinel workspace that contains the following rules:
1) a near-real-time (NRT) rule named Rule1
2) a fusion rule named Rule2
3) a scheduled rule named Rule3
4) a machine learning (ML) behavior analytics rule named Rule4

Which rules can you review?

A

Rule1 and Rule3 only

-Fusion rules use a correlation engine based on scalable ML algorithms to automatically detect multistage attacks.
-Because they are based on proprietary ML algorithms, you cannot see their logic.

-NRT rules are designed to run once every minute and capture events ingested in the preceding minute, to supply you with information that is as up-to-the-minute as possible.
-ML Behavior analytics are based on proprietary MS ML algorithms, so you cannot see or change the query logic.
-Rule1 and Rule3 are not based on ML.

29
Q

You have a MS Sentinel workspace that has a MS Defender for Cloud data connector.
You create a MS incident creation rule named Rule1.
You need to ensure that Rule1 creates incidents based on Defender for Cloud alerts.

What should you configure in Rule1?

A

Analytics rule logic

30
Q

You have a MS Sentinel workspace that contains the following query:

OfficeActivity
| where TimeGenerated > ago(7h)
| where Operation !contains "Mail"
| project TimeGenerated, UserId, Operation, OfficeWorkload, RecordType, _ResourceId
| sort by TimeGenerated desc nulls last

The query filters the OfficeActivity table to remove results that refer to email, and projects selected information from the table in descending order of time.
You need to create a custom parser named Parser1 that will run the query.

What should you do first?

A

Remove | where TimeGenerated > ago(7h)

-A parser should not include a filter by time. The query that uses the parser will apply the required time range.

31
Q

You have a MS Sentinel workspace.
You need to create a parameter-less custom parser for an authentication information model.

Which syntax should you use?

ASimAuthentication
ASiAuthentication<vendor><Product>
imAuthentication
vimAuthentication<vendor><Product>

A

ASiAuthentication<vendor><Product>

——
ASimAuthentication - is the parameter-less parser table and should not be used for a custom parser name

32
Q

You have a MS Sentinel workspace.
You are testing a parser.
You need to improve query performance during the testing.

What should you do?

A

Add filtering parameters

33
Q

You have a M365 E5 subscription that contains five MS SharePoint Online sites.
You apply DLP policies to the SharePoint Online items.
You need to review the DLP alerts.

Which two portals can you use?

A

Microsoft Purview compliance portal
Microsoft Defender portal

34
Q

You have a hybrid MS Entra tenant and a M365 E5 subscription.
You need to review all changes made to the AD Enterprise Admins group during the last 14 days.

What should you use?

A

The MS Defender for Identity Modifications to sensitive groups report

-Lists every time a modification is made to sensitive groups, such as admin groups or manually tagged accounts or groups.

35
Q

You have a hybrid MS Entra tenant and a M365 E5 subscription.
You need to identify any high-risk users that have performed a password reset during the last 14 days.

What should you use?

A

The Risky users report in MS Entra ID Protection

-Allows you to review risky sign-ins and flag each one as either safe or compromised based on the results of an investigation and the information provided by the console. The information can be filtered by using the filters across the top of the report. The Risky users report has a filter for risk detail that includes the following setting: User performed secured password reset.

36
Q

You have a M365 E5 subscription that uses MS Defender for Identity.
You need to download a Defender for Identity detailed alert report.

Which format will the report use?

37
Q

You have a hybrid M365 E5 subscription.
You need to monitor an AD DS domain and identify and investigate any detected threats.

What should you use?

A

MS Defender for Identity

38
Q

You have a M365 E5 subscription that uses MS Defender for Cloud.
You have a lab environment that uses an IP address range of 14.38.2.0/24.
You receive multiple alerts from the lab environment.
You need to remove all alerts that originate from the lab environment network. The solution must meet the following requirements:
- Automatically close all future alerts from the lab environment
- Minimize administrative effort

What should you create?

A

Suppression rule

39
Q

You have an Azure VM named VM1 that runs Windows Server and is protected by using MS Defender for Cloud.
Defender for Cloud generates multiple alerts for VM1. You review the alerts and establish the alerts are false positives.
You need to prevent new VM1 alerts from being shown in Defender for Cloud for seven days.

What should you do?

A

Create a suppression rule

40
Q

Your company uses MS Defender for Cloud.
You need to create a Defender for Cloud workflow automation.

What should you create first?

A

A logic app

41
Q

You have a M365 E5 subscription that uses MS Defender for Endpoint and contains a device named Device1.
Device1 triggered a high-severity alert.
You need to review the events that occurred before the alert was triggered.

What should you do in the MS Defender portal?

A

From the Device page, select the Timeline tab

42
Q

You manage MS Sentinel for 20 customers. Each customer has its own MS Sentinel workspace.
You plan to use Multiple workspace view in MS Sentinel.
You need to identify which MS Sentinel features you can use in Multiple workspace view.

What can you use?

A

Incidents ONLY

43
Q

You have a MS Sentinel workspace.
You need to investigate incidents by using MS Sentinel.

What is the maximum age of incidents that can be investigated?

44
Q

You have a MS Sentinel workspace and an Azure VM named VM1.
You open an investigation graph for the incident.

What does the investigation graph show if you hover over VM1?

A

The processes running on VM1

45
Q

You have an Azure subscription that contains a user named User1 and a MS Sentinel workspace.
You receive multiple sign-in-related alerts for User1.
You need to view all insights for the user account.

What should you use?

A

Entity behavior

46
Q

You have a MS Sentinel workspace and a playbook named Playbook1.
You need to ensure that you can manually run Playbook1 from an incident investigation. The solution must ensure that Playbook1 is available from Actions on the incident information window.

What should you do?

A

Update Playbook1 to use the incident trigger

47
Q

You have a M365 E5 subscription and an Azure subscription.
You use MS Sentinel with the following data connectors:
- MS Entra ID
- MS Entra ID Protection
- M365
- MS Defender for Office 365

From MS Sentinel, you create an automation rule named Rule1.
You need to configure an Incident provider condition for Rule1.

Which two incident providers can you specify in the condition?

A

MS Sentinel
MS Defender for Office 365

48
Q

You have a MS Sentinel workspace.
You need to create a playbook that will run automatically in response to a MS Sentinel incident.

What should you create first?

A

A logic app

-Sentinel integrates with Azure Logic Apps, enabling you to create automated workflows, or playbooks, in response to events.

49
Q

You have an Azure subscription that uses MS Sentinel.
You plan to create a playbook that will be triggered when an incident is created in Sentinel.

What should be used to implement the automated trigger action?

A

Azure Logic Apps

-Playbooks in Sentinel are based on workflows built in Azure Logic Apps, which provides all the power, customizability, and built-in templates of Logic Apps.

50
Q

You have an Azure subscription that contains a resource group named RG1 and a MS Sentinel workspace.
In RG1, you create a playbook named Play1.
You need to ensure that the Azure Security Insights identity can run Play1. The solution must follow the principle of least privilege.

What should you do?

A

Delegate the MS Sentinel Automation Contributor role on RG1

-Sentinel must be granted explicit permissions to run playbooks based on the incident trigger, whether manually or from automation rules. If a playbook in the drop-down list is unavailable, it means that Sentinel does not have permissions to that playbook's resource group.
-You must delegate MS Sentinel Automation Contributor role to the Azure Security Insights identity on the resource group in which the playbook is deployed.