Question #61 Topic 3
You have a custom Microsoft Sentinel workbook named Workbook1.
You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows.
What should you do?
A. In the grid query, include the take operator.
B. In the grid query, include the project operator.
C. In the query editor interface, configure Settings.
D. In the query editor interface, select Advanced Editor.
A. In the grid query, include the take operator.
Here’s why:
take operator: This Kusto Query Language (KQL) operator is used to limit the number of records returned from a query.
Question #51 Topic 3
You have an Azure subscription that uses Microsoft Sentinel.
You need to create a custom report that will visualise sign-in information over time.
What should you create first?
A. a hunting query
B. a workbook
C. a notebook
D. a playbook
B. a workbook
Workbooks in Microsoft Sentinel are the primary tool for creating custom visualizations and reports.
Question #38 Topic 3
You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.
You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort.
What should you use to create the visuals?
A. plotly
B. TensorFlow
C. msticpy
D. matplotlib
C. msticpy
msticpy is a Python library specifically designed for security analysts working in Azure Sentinel (now Microsoft Sentinel) and Azure Notebooks.
Question #9 Topic 4 (CHECK)
You have an Azure subscription.
You need to stream the Microsoft Graph activity logs to a third-party security information and event management (SIEM) tool. The solution must minimize administrative effort.
To where should you stream the logs?
A. an Azure Event Hubs namespace
B. an Azure Storage account
C. an Azure Event Grid namespace
D. a Log Analytics workspace
A. an Azure Event Hubs namespace
Azure Event Hubs is the best option for streaming Microsoft Graph activity logs to a third-party SIEM tool.
Question #23 Topic 2
A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.
The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity.
The alerts appear in Azure Security Center.
You need to ensure that the security administrator receives email alerts for all the activities.
What should you configure in the Security Center settings?
A. the severity level of email notifications
B. a cloud connector
C. the Azure Defender plans
D. the integration settings for Threat detection
A. the severity level of email notifications
Azure Security Center (now Microsoft Defender for Cloud) allows you to configure the severity level of email notifications.
Question #8 Topic 2
Your company uses Azure Security Center and Azure Defender.
The security operations team at the company informs you that it does NOT receive email notifications for security alerts.
What should you configure in Security Center to enable the email notifications?
A. Security solutions
B. Security policy
C. Pricing & settings
D. Security alerts
E. Azure Defender
C. Pricing & settings
To configure email notifications for security alerts in Azure Security Center (now Microsoft Defender for Cloud), you need to go to the Pricing & settings section.
Question #15 Topic 5
You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.
You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database.
You need to ensure that an incident is created in WS1 when the new attack vector is detected.
What should you configure?
A. a hunting livestream session
B. a query bookmark
C. a scheduled query rule
D. a Fusion rule
C. a scheduled query rule
To ensure that an incident is automatically created in Microsoft Sentinel when a new attack vector is detected by a query, you need to configure a scheduled query rule.
Question #23 Topic 3
You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
What should you use?
A. notebooks in Azure Sentinel
B. Microsoft Cloud App Security
C. Azure Monitor
D. hunting queries in Azure Sentinel
A. notebooks in Azure Sentinel
Notebooks in Azure Sentinel allow you to visualize data and perform advanced data analysis. They provide the flexibility to integrate with and enrich data from third-party sources, such as threat intelligence feeds, to help identify indicators of compromise (IoCs).
Question #41 Topic 1
You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.
You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.
Which blade should you use in the Microsoft 365 Defender portal?
A. Advanced hunting
B. Threat analytics
C. Incidents & alerts
D. Learning hub
B. Threat analytics
The Threat analytics blade in Microsoft 365 Defender provides detailed information about new attack techniques discovered by Microsoft.
Question #24 Topic 3
You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.
You need to create a query that will be used to display a bar graph.
What should you include in the query?
A. extend
B. bin
C. count
D. workspace
C. count (1x)
Question #21 Topic 3
You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.
You need to create a query that will be used to display the time chart.
What should you include in the query?
A. extend
B. bin
C. makeset
D. workspace
B. bin
To create a custom Azure Sentinel query that tracks anomalous Azure Active Directory (Azure AD) sign-in activity and presents it as a time chart aggregated by day, you should use the bin function.
Question #34 Topic 1
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You plan to create a hunting query from Microsoft Defender.
You need to create a custom tracked query that will be used to assess the threat status of the subscription.
From the Microsoft 365 Defender portal, which page should you use to create the query?
A. Threat analytics
B. Advanced Hunting
C. Explorer
D. Policies & rules
B. Advanced Hunting
In the Microsoft 365 Defender portal, you should use the Advanced Hunting page to create custom tracked queries.
Question #54 Topic 1
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.
Which operator should you use?
A. search *
B. union kind = inner
C. join kind = inner
D. evaluate hint.remote =
B. union kind = inner
To link multiple tables and return all rows from those tables in Microsoft Defender for Endpoint, you should use the union operator with the kind = inner option.
Question #53 Topic 1
You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams.
You have a team named Team1 that has a project named Project1.
You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.
Which KQL query should you run?
A. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))
B. AuditLogs
| where FileName contains “Project1”
C. Project1(c:c)(date=2023-02-01..2023-02-10)
D. AuditLogs
| where Timestamp > ago(10d)
| where FileName contains “Project1”
where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))
C. Project1(c:c)(date=2023-02-01..2023-02-10)
where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))
Question #10 Topic 7 (CHECK)
You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint.
You enable Network device discovery.
You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device.
Which built-in function should you use?
A. SeenBy()
B. DeviceFromIP()
C. next()
D. current_cluster_endpoint()
A. SeenBy()
The SeenBy() function is used in Microsoft Defender for Endpoint hunting queries to identify devices that have observed or detected certain network devices.
Question #4 Topic 7
Your on-premises network contains an Active Directory Domain Services (AD DS) forest.
You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.
You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.
Which table should you query?
A. AADServicePrincipalRiskEvents
B. AADDomainServicesAccountLogon
C. SigninLogs
D. IdentityLogonEvents
D. IdentityLogonEvents
To identify LDAP simple binds to the Active Directory Domain Services (AD DS) domain controllers, you should query the IdentityLogonEvents table in Microsoft Defender for Identity.
Question #9 Topic 3 (CHECK)
You have an Azure Sentinel workspace.
You need to test a playbook manually in the Azure portal.
From where can you run the test in Azure Sentinel?
A. Playbooks
B. Analytics
C. Threat intelligence
D. Incidents
A. Playbooks (2x)
In the Azure Sentinel workspace, playbooks are essentially Azure Logic Apps used for automation and orchestration. You can manually run or test a playbook from the Playbooks section where you can select your playbook and use the “Run” or “Test” option to execute it.
D. Incidents (1x)
Question #78 Topic 3 (CHECK)
You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.
You need to create a new near-real-time (NRT) analytics rule that will use the playbook.
What should you configure for the rule?
A. the incident automation settings
B. the query rule
C. entity mapping
D. the Alert automation settings
D. the Alert automation settings (2x)
To use a playbook with a near-real-time (NRT) analytics rule in Microsoft Sentinel, you need to configure the Alert automation settings.
A. the incident automation settings (1x)
Question #3 Topic 6 (CHECK)
You have an Azure subscription that uses Microsoft Sentinel.
You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.
Which two features should you use? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Microsoft Sentinel workbooks
B. Azure Automation runbooks
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
E. Azure Functions apps
C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks
Automation rules in Microsoft Sentinel allow you to automatically trigger actions based on specific incident conditions, reducing manual intervention.
Playbooks in Microsoft Sentinel automate responses to incidents, helping to remediate threats by performing predefined actions, such as sending notifications or interacting with other Azure services.
Question #64 Topic 3
You have an Azure subscription that contains a Microsoft Sentinel workspace.
You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.
What should you create first?
A. a hunting query in Microsoft Sentinel
B. an Azure logic app
C. an automation rule in Microsoft Sentinel
D. a trigger in Azure Functions
B. an Azure logic app
To create a playbook that runs automatically in response to a Microsoft Sentinel alert, you first need to create an Azure Logic App.
Question #44 Topic 3 (CHECK)
You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.
You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.
What should you create first?
A. a repository connection
B. a watchlist
C. an analytics rule
D. an automation rule
C. an analytics rule
To ensure that a Logic App (app1) launches when Microsoft Sentinel detects an Azure AD-generated alert, you first need to create an analytics rule.
D. an automation rule (top)
Question #28 Topic 3
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Enable Entity behavior analytics.
B. Associate a playbook to the analytics rule that triggered the incident.
C. Enable the Fusion rule.
D. Add a playbook.
E. Create a workbook.
B. Associate a playbook to the analytics rule that triggered the incident.
D. Add a playbook.
To send a Microsoft Teams message to a channel when an incident is triggered in Azure Sentinel:
Add a playbook (D) that includes the action to send a Microsoft Teams message.
Associate the playbook to the analytics rule (B) that detects the sign-in risk event, so it runs automatically when the incident is triggered.
Question #22 Topic 3
You are configuring Azure Sentinel.
You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.
Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Add a playbook.
B. Associate a playbook to an incident.
C. Enable Entity behavior analytics.
D. Create a workbook.
E. Enable the Fusion rule.
A. Add a playbook.
B. Associate a playbook to an incident.
To send a Microsoft Teams message when a sign-in from a suspicious IP address is detected in Azure Sentinel:
Add a playbook (A) that includes an action to send a message to the Microsoft Teams channel.
Associate the playbook to an incident (B), so the playbook runs when an incident is generated for suspicious sign-ins.
Question #6 Topic 3 (CHECK)
You have a playbook in Azure Sentinel.
When you trigger the playbook, it sends an email to a distribution group.
You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.
What should you do?
A. Add a parameter and modify the trigger.
B. Add a custom data connector and modify the trigger.
C. Add a condition and modify the action.
D. Add an alert and modify the action.
C. Add a condition and modify the action.
Here’s what this entails:
Add a condition: You would typically need to add logic or conditions within the playbook to dynamically fetch or determine who the resource owner is. This could involve querying Azure AD or another system where resource ownership is defined.
Modify the action: Change the email action within the playbook to use the resource owner’s email address instead of the static distribution group email. This might involve setting up a variable or parameter at runtime that contains the email address of the resource owner based on the incident or alert details.
A. Add a parameter and modify the trigger. (top)
D. Add an alert and modify the action.
Question #32 Topic 3
You create a hunting query in Azure Sentinel.
You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.
What should you use?
A. a playbook
B. a notebook
C. a livestream
D. a bookmark
C. a livestream
In Azure Sentinel, the livestream feature allows you to continuously run a hunting query in real time and receive immediate notifications in the Azure portal when a match is detected.
Question #14 Topic 3
A company uses Azure Sentinel.
You need to create an automated threat response.
What should you use?
A. a data connector
B. a playbook
C. a workbook
D. a Microsoft incident creation rule
B. a playbook
To create an automated threat response in Azure Sentinel, you should use a playbook. Playbooks in Azure Sentinel are Azure Logic Apps that automate responses to security incidents, such as triggering notifications, executing remediation steps, or integrating with other services.
Question #4 Topic 3
You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.
You deploy Azure Sentinel.
You need to use the existing logic app as a playbook in Azure Sentinel.
What should you do first?
A. Add a new scheduled query rule.
B. Add a data connector to Azure Sentinel.
C. Configure a custom Threat Intelligence connector in Azure Sentinel.
D. Modify the trigger in the logic app.
D. Modify the trigger in the logic app.
To use the existing Azure Logic App as a playbook in Azure Sentinel, you first need to modify the trigger in the logic app so that it can be triggered by Azure Sentinel alerts. This typically involves changing the logic app’s trigger to a suitable trigger for Azure Sentinel, such as the HTTP request trigger, which allows Azure Sentinel to invoke the playbook in response to specific conditions or alerts. After modifying the trigger, you can then import and configure the playbook within Azure Sentinel.
Question #16 Topic 2
You use Azure Defender.
You have an Azure Storage account that contains sensitive information.
You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. From Azure Security Center, enable workflow automation.
B. Create an Azure logic app that has a manual trigger.
C. Create an Azure logic app that has an Azure Security Center alert trigger.
D. Create an Azure logic app that has an HTTP trigger.
E. From Azure Active Directory (Azure AD), add an app registration.
A. From Azure Security Center, enable workflow automation.
C. Create an Azure logic app that has an Azure Security Center alert trigger.
To run a PowerShell script when someone accesses the Azure Storage account from a suspicious IP address:
Enable workflow automation (A) in Azure Security Center. This allows you to set up automated responses to security alerts.
Create an Azure Logic App with an Azure Security Center alert trigger (C) to respond to alerts from Azure Defender. The Logic App can then run the PowerShell script based on the alert conditions.
Question #52 Topic 3 (CHECK)
You have a Microsoft Sentinel workspace.
You receive multiple alerts for failed sign-in attempts to an account.
You identify that the alerts are false positives.
You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements:
- Ensure that failed sign-in alerts are generated for other accounts.
- Minimize administrative effort.
What should you do?
A. Modify the analytics rule.
B. Create a watchlist.
C. Add an activity template to the entity behavior.
D. Create an automation rule.
D. Create an automation rule.
An automation rule in Microsoft Sentinel can be configured to automatically handle or suppress alerts based on specific conditions. Here’s how it would meet your needs:
Automation Rule: You can set up an automation rule that checks if the alert is for this particular account and if so, it can close or suppress the alert automatically. This way, alerts for this specific account are managed without affecting alerts generated for other accounts.
A. Modify the analytics rule. (top)
Question #22 Topic 6
You have a Microsoft Sentinel workspace named SW1.
In SW1, you investigate an incident that is associated with the following entities:
- Host
- IP address
- User account
- Malware name
Which entity can be labeled as an indicator of compromise (IoC) directly from the incident’s page?
A. malware name
B. host
C. user account
D. IP address
D. IP address
In Microsoft Sentinel, the IP address can be labeled as an indicator of compromise (IoC) directly from the incident’s page. IP addresses are commonly used as IoCs to indicate suspicious or malicious activity and can be directly added to the threat intelligence indicators or watchlist for further investigation or automated responses.
Question #90 Topic 3
You have a Microsoft Sentinel workspace.
You investigate an incident that has the following entities:
* A user account named User1
* An IP address of 192.168.10.200
* An Azure virtual machine named VM1
* An on-premises server named Server1
You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.
Which entity can you label?
A. 192.168.10.200
B. VM1
C. Server1
D. User1
A. 192.168.10.200
In Microsoft Sentinel, IP addresses can be labeled as indicators of compromise (IoCs) directly from the incident’s page. While entities like user accounts, virtual machines, and on-premises servers are important in investigations, IP addresses are commonly used as IoCs for detecting and responding to potential threats and can be directly added to threat intelligence indicators or watchlists.
Question #85 Topic 3
You have a Microsoft Sentinel workspace.
You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs.
The following entities are detected in the Azure AD tenant:
- App name: App1
- IP address: 192.168.1.2
- Computer name: Device1
- Used client app: Microsoft Edge
- Email address: user1@company.com
- Sign-in URL: https://www.company.com
Which entities can be investigated by using UEBA?
A. IP address and email address only
B. app name, computer name, IP address, email address, and used client app only
C. IP address only
D. used client app and app name only
B. app name, computer name, IP address, email address, and used client app only
User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel can investigate a range of entities related to user and entity activities. For the entities detected in the Azure AD tenant, UEBA can analyze:
App name (App1)
Computer name (Device1)
IP address (192.168.1.2)
Email address (user1@company.com)
Used client app (Microsoft Edge)
These entities are relevant for UEBA as it helps in identifying anomalous behaviors and potential security threats related to user and entity activities.
Question #79 Topic 3
You need to visualize Microsoft Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).
What should you use?
A. notebooks in Microsoft Sentinel
B. Microsoft Defender for Cloud Apps
C. Azure Monitor
A. notebooks in Microsoft Sentinel
Notebooks in Microsoft Sentinel allow you to visualize data and enrich it by integrating third-party data sources. They provide a flexible environment to perform complex data analysis, create visualizations, and incorporate external threat intelligence to identify indicators of compromise (IoC) effectively.
Question #41 Topic 3
You have a Microsoft Sentinel workspace that contains the following incident.
Brute force attack against Azure Portal analytics rule has been triggered.
You need to identify the geolocation information that corresponds to the incident.
What should you do?
A. From Overview, review the Potential malicious events map.
B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.
C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.
D. From Investigation, review insights on the incident entity.
B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.
To identify the geolocation information for an incident related to a brute force attack, you should review the details of the IPCustomEntity entity associated with the incident. This entity will provide information about the IP address involved, and you can use this IP address to determine the geolocation associated with the attack.
Question #27 Topic 3
You are investigating an incident in Azure Sentinel that contains more than 127 alerts.
You discover eight alerts in the incident that require further investigation.
You need to escalate the alerts to another Azure Sentinel administrator.
What should you do to provide the alerts to the administrator?
A. Create a Microsoft incident creation rule
B. Share the incident URL
C. Create a scheduled query rule
D. Assign the incident
D. Assign the incident
To escalate or delegate the investigation of an incident containing multiple alerts to another Azure Sentinel administrator, you should assign the incident to that administrator. This action ensures that the assigned administrator receives notification and can take ownership of the incident for further investigation and resolution.
Question #5 Topic 3
Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.
A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.
You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.
What should you include in the recommendation?
A. built-in queries
B. livestream
C. notebooks
D. bookmarks
C. notebooks
Notebooks in Microsoft Sentinel provide a customizable environment where you can use machine learning and data visualization to simplify the investigation of security threats. They allow you to perform advanced analytics, integrate with various data sources, and create visualizations tailored to your specific needs. This can help in handling and interpreting large volumes of incidents from numerous IoT devices, making it easier to identify and infer threats.
Question #68 Topic 3
You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema.
You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort.
What should you do first?
A. Copy the parsers to the Azure Monitor Logs page.
B. Create a JSON file based on the DNS template.
C. Create an XML file based on the DNS template.
D. Create a YAML file based on the DNS template.
D. Create a YAML file based on the DNS template.
Here’s why:
YAML files are commonly used in Azure for configuration and deployment, including in Microsoft Sentinel for things like parsers, especially when dealing with ASIM (Advanced Security Information Model).
Creating a YAML file allows you to define multiple parsers in a structured format that can be easily imported into Sentinel. This approach is more scalable and less error-prone than manually copying or recreating each parser through the UI or other methods.
Once you have the YAML file with your parsers, you can use Azure’s deployment mechanisms or Sentinel’s import features to apply these configurations, which would significantly reduce the administrative effort compared to manually entering or copying each parser.
Question #63 Topic 3
You have a Microsoft Sentinel workspace named Workspace1.
You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.
What should you create in Workspace1?
A. an analytic rule
B. a watchlist
C. a workbook
D. a hunting query
B. a watchlist
To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create a watchlist in Microsoft Sentinel. Watchlists allow you to specify and manage custom exclusions or include lists that can be used in conjunction with analytic rules and queries to refine the data processed by the ASIM parsers.
Question #60 Topic 3
You have a Microsoft Sentinel workspace.
You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.
What are two ways to achieve this goal? Each correct answer presents a complete solution.
NOTE: Each correct selection is worth one point.
A. Create a hunting query that references the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.
D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.
E. Create an analytics rule that includes the built-in parser.
B. Build a custom unifying parser and include the built-in parser version.
E. Create an analytics rule that includes the built-in parser.
Here’s the reasoning:
Building a custom unifying parser (Option B):
This approach allows you to create your own version of the parser that includes the specific version of the built-in parser you want to use.
By doing this, you’re essentially “freezing” the parser at a specific version, preventing automatic updates.
Creating an analytics rule that includes the built-in parser (Option E):
When you create an analytics rule that references a specific version of a built-in parser, it effectively locks that version in place for that rule.
This ensures that even if the built-in parser is updated, your analytics rule will continue to use the version it was created with.
Question #31 Topic 3
You use Azure Sentinel.
You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
A. Azure Sentinel Contributor
B. Security Administrator
C. Azure Sentinel Responder
D. Logic App Contributor
A. Azure Sentinel Contributor
The Azure Sentinel Contributor role allows users to edit and manage queries in custom Azure Sentinel workbooks, among other capabilities. This role aligns with the principle of least privilege by providing the necessary permissions to work with Sentinel resources without granting broader permissions than required.
Question #11 Topic 3
Your company uses Azure Sentinel.
A new security analyst reports that she cannot assign and resolve incidents in Azure Sentinel.
You need to ensure that the analyst can assign and resolve incidents. The solution must use the principle of least privilege.
Which role should you assign to the analyst?
A. Azure Sentinel Responder
B. Logic App Contributor
C. Azure Sentinel Contributor
D. Azure Sentinel Reader
A. Azure Sentinel Responder
The Azure Sentinel Responder role is specifically designed to allow users to assign and resolve incidents in Azure Sentinel while adhering to the principle of least privilege. This role provides the necessary permissions for handling incidents without giving broader administrative rights.
Question #45 Topic 1
You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.
You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.
What should you configure first?
A. the User enrichment settings
B. the Azure connector
C. the Office 365 connector
D. the Automatic log upload settings
C. the Office 365 connector
To investigate threats using data from the unified audit log of Microsoft Defender for Cloud Apps, you need to ensure that the Office 365 connector is configured. This connector integrates data from Microsoft 365 services, including the unified audit log, into Microsoft Defender for Cloud Apps, allowing for comprehensive threat investigation and analysis.
Question #30 Topic 1
You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.
You need to identify all the changes made to sensitivity labels during the past seven days.
What should you use?
A. the Incidents blade of the Microsoft 365 Defender portal
B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center
C. Activity explorer in the Microsoft 365 compliance center
D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal
C. Activity explorer in the Microsoft 365 compliance center
Activity explorer in the Microsoft 365 compliance center allows you to view and investigate activities related to sensitivity labels, including changes made within a specified timeframe. This tool helps you track modifications and understand user actions related to compliance and data protection policies.
Question #31 Topic 1
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft 365 Defender portal?
A. Investigations
B. Devices
C. Evidence and Response
D. Alerts
C. Evidence and Response
In the Microsoft 365 Defender portal, the Evidence and Response tab provides detailed information about the entities affected by an incident, including associated devices, users, and other relevant data. This tab helps you understand the scope of the incident and plan appropriate response actions.
Question #6 Topic 7 (CHECK)
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.
You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:
- Identify all the active network connections on Device1.
- Identify all the running processes on Device1.
- Retrieve the login history of Device1.
- Minimize administrative effort.
What should you do first from the Microsoft Defender portal?
A. From Devices, click Collect investigation package for Device1.
B. From Advanced features in Endpoints, enable Live Response unsigned script execution.
C. From Devices, initiate a live response session on Device1.
D. From Advanced features in Endpoints, disable Authenticated telemetry.
C. From Devices, initiate a live response session on Device1.
Initiating a live response session from the Microsoft Defender portal allows you to interact with Device1 in real time. This session enables you to execute commands and retrieve information such as active network connections, running processes, and login history, meeting the investigation requirements with minimal administrative effort.
Question #9 Topic 6 (CHECK)
You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 1,000 Windows devices.
You have a PowerShell script named Script1.ps1 that is signed digitally.
You need to ensure that you can run Script1.ps1 in a live response session on one of the devices.
What should you do first from the live response session?
A. Run the library command.
B. Upload Script1.ps1 to the library.
C. Run the putfile command.
D. Modify the PowerShell execution policy of the device.
B. Upload Script1.ps1 to the library.
To run a PowerShell script such as Script1.ps1 in a live response session, you first need to upload the script to the live response library. Once the script is in the library, you can execute it on the device from within the session.
Question #7 Topic 5
You have a Microsoft 365 E5 subscription that contains a device named Device1. Device1 is enrolled in Microsoft Defender for Endpoint.
Device1 reports an incident that includes a file named File1.exe as evidence.
You initiate the Collect Investigation Package action and download the ZIP file.
You need to identify the first and last time File1.exe was executed.
What should you review in the investigation package?
A. Processes
B. Autoruns
C. Security event log
D. Scheduled tasks
E. Prefetch files
E. Prefetch files
Prefetch files in Windows contain data about the execution history of applications, including timestamps of when an executable file was first and last run. By analyzing these files, you can determine the execution times for File1.exe.
Question #40 Topic 1
You have a Microsoft 365 subscription that uses Microsoft 365 Defender.
A remediation action for an automated investigation quarantines a file across multiple devices.
You need to mark the file as safe and remove the file from quarantine on the devices.
What should you use in the Microsoft 365 Defender portal?
A. From the History tab in the Action center, revert the actions.
B. From the investigation page, review the AIR processes.
C. From Quarantine from the Review page, modify the rules.
D. From Threat tracker, review the queries.
A. From the History tab in the Action center, revert the actions.
The History tab in the Action center allows you to review past actions taken by automated investigations, and you can revert these actions if necessary. This would include marking the file as safe and removing it from quarantine.
Question #58 Topic 1
You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365.
You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.
Which response action should you use?
A. Run antivirus scan
B. Initiate Automated Investigation
C. Collect investigation package
D. Initiate Live Response Session
C. Collect investigation package
This action will gather all relevant forensic data from the devices, which is essential for further analysis and investigation.
Question #55 Topic 1
You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.
You onboard the devices to Microsoft Defender 365.
You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.
What should you do first?
A. Modify the permissions for Microsoft 365 Defender.
B. Create a device group.
C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
D. Configure role-based access control (RBAC).
C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.
Enabling automated investigation is a necessary step to use advanced features, including remote shell capabilities, in Microsoft Defender for Endpoint.
Question #50 Topic 1 (CHECK)
You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.
You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.
What should you use in the Microsoft 365 Defender portal?
A. incidents
B. Remediation
C. Investigations
D. Advanced hunting
D. Advanced hunting
Advanced hunting is a powerful tool for querying and analyzing data but is more suited for custom queries rather than quickly identifying affected devices from malware alerts.
Question #18 Topic 6
You have a Microsoft 365 subscription that uses Microsoft Defender XDR.
You need to identify all the entities affected by an incident.
Which tab should you use in the Microsoft Defender portal?
A. Investigations
B. Assets
C. Evidence and Response
D. Alerts
C. Evidence and Response
The “Evidence and Response” tab provides details about the affected entities and allows you to view and manage the evidence related to an incident.
Question #17 Topic 6 (CHECK)
You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.
The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll.
You need to submit files for deep analysis in Microsoft Defender XDR.
Which files can you submit?
A. File1.ps1 only
B. File2.exe only
C. File3.dll only
D. File2.exe and File3.dll only
E. File1.ps1 and File2.exe only
F. File1.ps1, File2.exe, and File3.dll
D. File2.exe and File3.dll only
Here’s the reasoning:
File Types: According to the submission guidelines, Microsoft Defender XDR supports the submission of Portable Executable (PE) files, which include .exe and .dll files. Therefore:
File2.exe (an executable file) is eligible for submission.
File3.dll (a dynamic link library file) is also eligible for submission.
File1.ps1: This is a PowerShell script file. While PowerShell scripts can be submitted for analysis, they are not categorized as PE files and may not be supported in the same manner as .exe and .dll files for deep analysis in this context.