Traditional Flashcards

1
Q

Question #61 Topic 3

You have a custom Microsoft Sentinel workbook named Workbook1.

You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows.

What should you do?

A. In the grid query, include the take operator.

B. In the grid query, include the project operator.

C. In the query editor interface, configure Settings.

D. In the query editor interface, select Advanced Editor.

A

A. In the grid query, include the take operator.

Here’s why:

take operator: This Kusto Query Language (KQL) operator is used to limit the number of records returned from a query.

2
Q

Question #51 Topic 3

You have an Azure subscription that uses Microsoft Sentinel.

You need to create a custom report that will visualise sign-in information over time.

What should you create first?

A. a hunting query

B. a workbook

C. a notebook

D. a playbook

A

B. a workbook

Workbooks in Microsoft Sentinel are the primary tool for creating custom visualizations and reports.

3
Q

Question #38 Topic 3

You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.

You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort.

What should you use to create the visuals?

A. plotly

B. TensorFlow

C. msticpy

D. matplotlib

A

C. msticpy

msticpy is a Python library specifically designed for security analysts working in Azure Sentinel (now Microsoft Sentinel) and Azure Notebooks.

4
Q

Question #9 Topic 4 (CHECK)

You have an Azure subscription.

You need to stream the Microsoft Graph activity logs to a third-party security information and event management (SIEM) tool. The solution must minimize administrative effort.

To where should you stream the logs?

A. an Azure Event Hubs namespace

B. an Azure Storage account

C. an Azure Event Grid namespace

D. a Log Analytics workspace

A

A. an Azure Event Hubs namespace

Azure Event Hubs is the best option for streaming Microsoft Graph activity logs to a third-party SIEM tool.

5
Q

Question #23 Topic 2

A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity.

The alerts appear in Azure Security Center.

You need to ensure that the security administrator receives email alerts for all the activities.

What should you configure in the Security Center settings?

A. the severity level of email notifications

B. a cloud connector

C. the Azure Defender plans

D. the integration settings for Threat detection

A

A. the severity level of email notifications

Azure Security Center (now Microsoft Defender for Cloud) allows you to configure the severity level of email notifications.

6
Q

Question #8 Topic 2

Your company uses Azure Security Center and Azure Defender.

The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

What should you configure in Security Center to enable the email notifications?

A. Security solutions

B. Security policy

C. Pricing & settings

D. Security alerts

E. Azure Defender

A

C. Pricing & settings

To configure email notifications for security alerts in Azure Security Center (now Microsoft Defender for Cloud), you need to go to the Pricing & settings section.

7
Q

Question #15 Topic 5

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.

You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database.

You need to ensure that an incident is created in WS1 when the new attack vector is detected.

What should you configure?

A. a hunting livestream session

B. a query bookmark

C. a scheduled query rule

D. a Fusion rule

A

C. a scheduled query rule

To ensure that an incident is automatically created in Microsoft Sentinel when a new attack vector is detected by a query, you need to configure a scheduled query rule.

8
Q

Question #23 Topic 3

You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).

What should you use?

A. notebooks in Azure Sentinel

B. Microsoft Cloud App Security

C. Azure Monitor

D. hunting queries in Azure Sentinel

A

A. notebooks in Azure Sentinel

Notebooks in Azure Sentinel allow you to visualize data and perform advanced data analysis. They provide the flexibility to integrate with and enrich data from third-party sources, such as threat intelligence feeds, to help identify indicators of compromise (IoCs).

9
Q

Question #41 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.

You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.

Which blade should you use in the Microsoft 365 Defender portal?

A. Advanced hunting

B. Threat analytics

C. Incidents & alerts

D. Learning hub

A

B. Threat analytics

The Threat analytics blade in Microsoft 365 Defender provides detailed information about new attack techniques discovered by Microsoft.

10
Q

Question #24 Topic 3

You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.

You need to create a query that will be used to display a bar graph.
What should you include in the query?

A. extend

B. bin

C. count

D. workspace

A

C. count (1x)

11
Q

Question #21 Topic 3

You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.

You need to create a query that will be used to display the time chart.

What should you include in the query?

A. extend

B. bin

C. makeset

D. workspace

A

B. bin

To create a custom Azure Sentinel query that tracks anomalous Azure Active Directory (Azure AD) sign-in activity and presents it as a time chart aggregated by day, you should use the bin function.

12
Q

Question #34 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

You plan to create a hunting query from Microsoft Defender.

You need to create a custom tracked query that will be used to assess the threat status of the subscription.

From the Microsoft 365 Defender portal, which page should you use to create the query?

A. Threat analytics

B. Advanced Hunting

C. Explorer

D. Policies & rules

A

B. Advanced Hunting

In the Microsoft 365 Defender portal, you should use the Advanced Hunting page to create custom tracked queries.

13
Q

Question #54 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.

Which operator should you use?

A. search *

B. union kind = inner

C. join kind = inner

D. evaluate hint.remote =

A

B. union kind = inner

To link multiple tables and return all rows from those tables in Microsoft 365 Defender for Endpoint, you should use the union operator with the kind = inner option.

14
Q

Question #53 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams.

You have a team named Team1 that has a project named Project1.

You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.

Which KQL query should you run?

A. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))

B. AuditLogs
| where FileName contains "Project1"

C. Project1(c:c)(date=2023-02-01..2023-02-10)

D. AuditLogs
| where Timestamp > ago(10d)
| where FileName contains "Project1"

A

C. Project1(c:c)(date=2023-02-01..2023-02-10)

where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))

15
Q

Question #10 Topic 7 (CHECK)

You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint.

You enable Network device discovery.

You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device.

Which built-in function should you use?

A. SeenBy()

B. DeviceFromIP()

C. next()

D. current_cluster_endpoint()

A

A. SeenBy()

The SeenBy() function is used in Microsoft Defender for Endpoint hunting queries to identify devices that have observed or detected certain network devices.

16
Q

Question #4 Topic 7

Your on-premises network contains an Active Directory Domain Services (AD DS) forest.

You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.

You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.

Which table should you query?

A. AADServicePrincipalRiskEvents

B. AADDomainServicesAccountLogon

C. SigninLogs

D. IdentityLogonEvents

A

D. IdentityLogonEvents

To identify LDAP simple binds to the Active Directory Domain Services (AD DS) domain controllers, you should query the IdentityLogonEvents table in Microsoft Defender for Identity.

17
Q

Question #9 Topic 3 (CHECK)

You have an Azure Sentinel workspace.

You need to test a playbook manually in the Azure portal.

From where can you run the test in Azure Sentinel?

A. Playbooks

B. Analytics

C. Threat intelligence

D. Incidents

A

A. Playbooks (2x)

In the Azure Sentinel workspace, playbooks are essentially Azure Logic Apps used for automation and orchestration. You can manually run or test a playbook from the Playbooks section where you can select your playbook and use the “Run” or “Test” option to execute it.

D. Incidents (1x)

18
Q

Question #78 Topic 3 (CHECK)

You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.

You need to create a new near-real-time (NRT) analytics rule that will use the playbook.

What should you configure for the rule?

A. the incident automation settings

B. the query rule

C. entity mapping

D. the Alert automation settings

A

D. the Alert automation settings (2x)

To use a playbook with a near-real-time (NRT) analytics rule in Microsoft Sentinel, you need to configure the Alert automation settings.

A. the incident automation settings (1x)

19
Q

Question #3 Topic 6 (CHECK)

You have an Azure subscription that uses Microsoft Sentinel.

You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.

Which two features should you use? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Microsoft Sentinel workbooks

B. Azure Automation runbooks

C. Microsoft Sentinel automation rules

D. Microsoft Sentinel playbooks

E. Azure Functions apps

A

C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks

Automation rules in Microsoft Sentinel allow you to automatically trigger actions based on specific incident conditions, reducing manual intervention.

Playbooks in Microsoft Sentinel automate responses to incidents, helping to remediate threats by performing predefined actions, such as sending notifications or interacting with other Azure services.

20
Q

Question #64 Topic 3

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.

What should you create first?

A. a hunting query in Microsoft Sentinel

B. an Azure logic app

C. an automation rule in Microsoft Sentinel

D. a trigger in Azure Functions

A

B. an Azure logic app

To create a playbook that runs automatically in response to a Microsoft Sentinel alert, you first need to create an Azure Logic App.

21
Q

Question #44 Topic 3 (CHECK)

You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.

You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.

What should you create first?

A. a repository connection

B. a watchlist

C. an analytics rule

D. an automation rule

A

C. an analytics rule

To ensure that a Logic App (app1) launches when Microsoft Sentinel detects an Azure AD-generated alert, you first need to create an analytics rule.

D. an automation rule (top)

22
Q

Question #28 Topic 3

You are configuring Azure Sentinel.

You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel.

Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Enable Entity behavior analytics.

B. Associate a playbook to the analytics rule that triggered the incident.

C. Enable the Fusion rule.

D. Add a playbook.

E. Create a workbook.

A

B. Associate a playbook to the analytics rule that triggered the incident.
D. Add a playbook.

To send a Microsoft Teams message to a channel when an incident is triggered in Azure Sentinel:

Add a playbook (D) that includes the action to send a Microsoft Teams message.
Associate the playbook to the analytics rule (B) that detects the sign-in risk event, so it runs automatically when the incident is triggered.

23
Q

Question #22 Topic 3

You are configuring Azure Sentinel.

You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.

Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Add a playbook.

B. Associate a playbook to an incident.

C. Enable Entity behavior analytics.

D. Create a workbook.

E. Enable the Fusion rule.

A

A. Add a playbook.
B. Associate a playbook to an incident.

To send a Microsoft Teams message when a sign-in from a suspicious IP address is detected in Azure Sentinel:

Add a playbook (A) that includes an action to send a message to the Microsoft Teams channel.

Associate the playbook to an incident (B), so the playbook runs when an incident is generated for suspicious sign-ins.

24
Q

Question #6 Topic 3 (CHECK)

You have a playbook in Azure Sentinel.

When you trigger the playbook, it sends an email to a distribution group.

You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.

What should you do?

A. Add a parameter and modify the trigger.

B. Add a custom data connector and modify the trigger.

C. Add a condition and modify the action.

D. Add an alert and modify the action.

A

C. Add a condition and modify the action.

Here’s what this entails:

Add a condition: You would typically need to add logic or conditions within the playbook to dynamically fetch or determine who the resource owner is. This could involve querying Azure AD or another system where resource ownership is defined.
Modify the action: Change the email action within the playbook to use the resource owner’s email address instead of the static distribution group email. This might involve setting up a variable or parameter at runtime that contains the email address of the resource owner based on the incident or alert details.

A. Add a parameter and modify the trigger. (top)

D. Add an alert and modify the action.

25
Q

Question #32 Topic 3

You create a hunting query in Azure Sentinel.

You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.

What should you use?

A. a playbook

B. a notebook

C. a livestream

D. a bookmark

A

C. a livestream

In Azure Sentinel, the livestream feature allows you to continuously run a hunting query in real time and receive immediate notifications in the Azure portal when a match is detected.

26
Q

Question #14 Topic 3

A company uses Azure Sentinel.

You need to create an automated threat response.

What should you use?

A. a data connector

B. a playbook

C. a workbook

D. a Microsoft incident creation rule

A

B. a playbook

To create an automated threat response in Azure Sentinel, you should use a playbook. Playbooks in Azure Sentinel are Azure Logic Apps that automate responses to security incidents, such as triggering notifications, executing remediation steps, or integrating with other services.

27
Q

Question #4 Topic 3

You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

You deploy Azure Sentinel.

You need to use the existing logic app as a playbook in Azure Sentinel.

What should you do first?

A. Add a new scheduled query rule.

B. Add a data connector to Azure Sentinel.

C. Configure a custom Threat Intelligence connector in Azure Sentinel.

D. Modify the trigger in the logic app.

A

D. Modify the trigger in the logic app.

To use the existing Azure Logic App as a playbook in Azure Sentinel, you first need to modify the trigger in the logic app so that it can be triggered by Azure Sentinel alerts. This typically involves changing the logic app’s trigger to a suitable trigger for Azure Sentinel, such as the HTTP request trigger, which allows Azure Sentinel to invoke the playbook in response to specific conditions or alerts. After modifying the trigger, you can then import and configure the playbook within Azure Sentinel.

28
Q

Question #16 Topic 2

You use Azure Defender.

You have an Azure Storage account that contains sensitive information.

You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Azure Security Center, enable workflow automation.

B. Create an Azure logic app that has a manual trigger.

C. Create an Azure logic app that has an Azure Security Center alert trigger.

D. Create an Azure logic app that has an HTTP trigger.

E. From Azure Active Directory (Azure AD), add an app registration.

A

A. From Azure Security Center, enable workflow automation.
C. Create an Azure logic app that has an Azure Security Center alert trigger.

To run a PowerShell script when someone accesses the Azure Storage account from a suspicious IP address:

Enable workflow automation (A) in Azure Security Center. This allows you to set up automated responses to security alerts.
Create an Azure Logic App with an Azure Security Center alert trigger (C) to respond to alerts from Azure Defender. The Logic App can then run the PowerShell script based on the alert conditions.

29
Q

Question #52 Topic 3 (CHECK)

You have a Microsoft Sentinel workspace.

You receive multiple alerts for failed sign-in attempts to an account.

You identify that the alerts are false positives.

You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements:

  • Ensure that failed sign-in alerts are generated for other accounts.
  • Minimize administrative effort

What should you do?

A. Modify the analytics rule.

B. Create a watchlist.

C. Add an activity template to the entity behavior.

D. Create an automation rule.

A

D. Create an automation rule.

An automation rule in Microsoft Sentinel can be configured to automatically handle or suppress alerts based on specific conditions. Here’s how it would meet your needs:

Automation Rule: You can set up an automation rule that checks if the alert is for this particular account and if so, it can close or suppress the alert automatically. This way, alerts for this specific account are managed without affecting alerts generated for other accounts.

A. Modify the analytics rule. (top)

30
Q

Question #22 Topic 6

You have a Microsoft Sentinel workspace named SW1.

In SW1, you investigate an incident that is associated with the following entities:

  • Host
  • IP address
  • User account
  • Malware name

Which entity can be labeled as an indicator of compromise (IoC) directly from the incident’s page?

A. malware name

B. host

C. user account

D. IP address

A

D. IP address

In Microsoft Sentinel, the IP address can be labeled as an indicator of compromise (IoC) directly from the incident’s page. IP addresses are commonly used as IoCs to indicate suspicious or malicious activity and can be directly added to the threat intelligence indicators or watchlist for further investigation or automated responses.

31
Q

Question #90 Topic 3

You have a Microsoft Sentinel workspace.

You investigate an incident that has the following entities:
  • A user account named User1
  • An IP address of 192.168.10.200
  • An Azure virtual machine named VM1
  • An on-premises server named Server1

You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.

Which entity can you label?

A. 192.168.10.200

B. VM1

C. Server1

D. User1

A

A. 192.168.10.200

In Microsoft Sentinel, IP addresses can be labeled as indicators of compromise (IoCs) directly from the incident’s page. While entities like user accounts, virtual machines, and on-premises servers are important in investigations, IP addresses are commonly used as IoCs for detecting and responding to potential threats and can be directly added to threat intelligence indicators or watchlists.

32
Q

Question #85 Topic 3

You have a Microsoft Sentinel workspace.

You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs.

The following entities are detected in the Azure AD tenant:

  • App name: App1
  • IP address: 192.168.1.2
  • Computer name: Device1
  • Used client app: Microsoft Edge
  • Email address: user1@company.com
  • Sign-in URL: https://www.company.com

Which entities can be investigated by using UEBA?

A. IP address and email address only

B. app name, computer name, IP address, email address, and used client app only

C. IP address only

D. used client app and app name only

A

B. app name, computer name, IP address, email address, and used client app only

User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel can investigate a range of entities related to user and entity activities. For the entities detected in the Azure AD tenant, UEBA can analyze:

App name (App1)
Computer name (Device1)
IP address (192.168.1.2)
Email address (user1@company.com)
Used client app (Microsoft Edge)

These entities are relevant for UEBA as it helps in identifying anomalous behaviors and potential security threats related to user and entity activities.

33
Q

Question #79 Topic 3

You need to visualize Microsoft Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).

What should you use?

A. notebooks in Microsoft Sentinel

B. Microsoft Defender for Cloud Apps

C. Azure Monitor

A

A. notebooks in Microsoft Sentinel

Notebooks in Microsoft Sentinel allow you to visualize data and enrich it by integrating third-party data sources. They provide a flexible environment to perform complex data analysis, create visualizations, and incorporate external threat intelligence to identify indicators of compromise (IoC) effectively.

34
Q

Question #41 Topic 3

You have a Microsoft Sentinel workspace that contains the following incident.

Brute force attack against Azure Portal analytics rule has been triggered.

You need to identify the geolocation information that corresponds to the incident.

What should you do?

A. From Overview, review the Potential malicious events map.

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.

C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.

D. From Investigation, review insights on the incident entity.

A

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.

To identify the geolocation information for an incident related to a brute force attack, you should review the details of the IPCustomEntity entity associated with the incident. This entity will provide information about the IP address involved, and you can use this IP address to determine the geolocation associated with the attack.

35
Q

Question #27 Topic 3

You are investigating an incident in Azure Sentinel that contains more than 127 alerts.

You discover eight alerts in the incident that require further investigation.

You need to escalate the alerts to another Azure Sentinel administrator.

What should you do to provide the alerts to the administrator?

A. Create a Microsoft incident creation rule

B. Share the incident URL

C. Create a scheduled query rule

D. Assign the incident

A

D. Assign the incident

To escalate or delegate the investigation of an incident containing multiple alerts to another Azure Sentinel administrator, you should assign the incident to that administrator. This action ensures that the assigned administrator receives notification and can take ownership of the incident for further investigation and resolution.

36
Q

Question #5 Topic 3

Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.

What should you include in the recommendation?

A. built-in queries

B. livestream

C. notebooks

D. bookmarks

A

C. notebooks

Notebooks in Microsoft Sentinel provide a customizable environment where you can use machine learning and data visualization to simplify the investigation of security threats. They allow you to perform advanced analytics, integrate with various data sources, and create visualizations tailored to your specific needs. This can help in handling and interpreting large volumes of incidents from numerous IoT devices, making it easier to identify and infer threats.

37
Q

Question #68 Topic 3

You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema.

You need to make the 200 parsers available in Workspace1. The solution must minimize administrative effort.

What should you do first?

A. Copy the parsers to the Azure Monitor Logs page.

B. Create a JSON file based on the DNS template.

C. Create an XML file based on the DNS template.

D. Create a YAML file based on the DNS template.

A

D. Create a YAML file based on the DNS template.

Here’s why:

YAML files are commonly used in Azure for configuration and deployment, including in Microsoft Sentinel for things like parsers, especially when dealing with ASIM (Advanced Security Information Model).
Creating a YAML file allows you to define multiple parsers in a structured format that can be easily imported into Sentinel. This approach is more scalable and less error-prone than manually copying or recreating each parser through the UI or other methods.
Once you have the YAML file with your parsers, you can use Azure’s deployment mechanisms or Sentinel’s import features to apply these configurations, which would significantly reduce the administrative effort compared to manually entering or copying each parser.

38
Q

Question #63 Topic 3

You have a Microsoft Sentinel workspace named Workspace1.

You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.

What should you create in Workspace1?

A. an analytic rule

B. a watchlist

C. a workbook

D. a hunting query

A

B. a watchlist

To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create a watchlist in Microsoft Sentinel. Watchlists allow you to specify and manage custom exclusions or include lists that can be used in conjunction with analytic rules and queries to refine the data processed by the ASIM parsers.

39
Q

Question #60 Topic 3

You have a Microsoft Sentinel workspace.

You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.

What are two ways to achieve this goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Create a hunting query that references the built-in parser.

B. Build a custom unifying parser and include the built-in parser version.

C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.

D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.

E. Create an analytics rule that includes the built-in parser.

A

B. Build a custom unifying parser and include the built-in parser version.
E. Create an analytics rule that includes the built-in parser.

Here’s the reasoning:

Building a custom unifying parser (Option B):
This approach allows you to create your own version of the parser that includes the specific version of the built-in parser you want to use.

By doing this, you’re essentially “freezing” the parser at a specific version, preventing automatic updates.

Creating an analytics rule that includes the built-in parser (Option E):
When you create an analytics rule that references a specific version of a built-in parser, it effectively locks that version in place for that rule.

This ensures that even if the built-in parser is updated, your analytics rule will continue to use the version it was created with.

40
Q

Question #31 Topic 3

You use Azure Sentinel.

You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege.

Which role should you assign to the analyst?

A. Azure Sentinel Contributor

B. Security Administrator

C. Azure Sentinel Responder

D. Logic App Contributor

A

A. Azure Sentinel Contributor

The Azure Sentinel Contributor role allows users to edit and manage queries in custom Azure Sentinel workbooks, among other capabilities. This role aligns with the principle of least privilege by providing the necessary permissions to work with Sentinel resources without granting broader permissions than required.

41
Q

Question #11 Topic 3

Your company uses Azure Sentinel.

A new security analyst reports that she cannot assign and resolve incidents in Azure Sentinel.

You need to ensure that the analyst can assign and resolve incidents. The solution must use the principle of least privilege.

Which role should you assign to the analyst?

A. Azure Sentinel Responder

B. Logic App Contributor

C. Azure Sentinel Contributor

D. Azure Sentinel Reader

A

A. Azure Sentinel Responder

The Azure Sentinel Responder role is specifically designed to allow users to assign and resolve incidents in Azure Sentinel while adhering to the principle of least privilege. This role provides the necessary permissions for handling incidents without giving broader administrative rights.

42
Q

Question #45 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.

What should you configure first?

A. the User enrichment settings

B. the Azure connector

C. the Office 365 connector

D. the Automatic log upload settings

A

C. the Office 365 connector

To investigate threats using data from the unified audit log of Microsoft Defender for Cloud Apps, you need to ensure that the Office 365 connector is configured. This connector integrates data from Microsoft 365 services, including the unified audit log, into Microsoft Defender for Cloud Apps, allowing for comprehensive threat investigation and analysis.

43
Q

Question #30 Topic 1

You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.

You need to identify all the changes made to sensitivity labels during the past seven days.

What should you use?

A. the Incidents blade of the Microsoft 365 Defender portal

B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center

C. Activity explorer in the Microsoft 365 compliance center

D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal

A

C. Activity explorer in the Microsoft 365 compliance center

Activity explorer in the Microsoft 365 compliance center allows you to view and investigate activities related to sensitivity labels, including changes made within a specified timeframe. This tool helps you track modifications and understand user actions related to compliance and data protection policies.

44
Q

Question #31 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

You need to identify all the entities affected by an incident.

Which tab should you use in the Microsoft 365 Defender portal?

A. Investigations

B. Devices

C. Evidence and Response

D. Alerts

A

C. Evidence and Response

In the Microsoft 365 Defender portal, the Evidence and Response tab provides detailed information about the entities affected by an incident, including associated devices, users, and other relevant data. This tab helps you understand the scope of the incident and plan appropriate response actions.

45
Q

Question #6 Topic 7 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.

You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:

  • Identify all the active network connections on Device1.
  • Identify all the running processes on Device1.
  • Retrieve the login history of Device1.
  • Minimize administrative effort.

What should you do first from the Microsoft Defender portal?

A. From Devices, click Collect investigation package for Device1.

B. From Advanced features in Endpoints, enable Live Response unsigned script execution.

C. From Devices, initiate a live response session on Device1.

D. From Advanced features in Endpoints, disable Authenticated telemetry.

A

C. From Devices, initiate a live response session on Device1.

Initiating a live response session from the Microsoft Defender portal allows you to interact with Device1 in real-time. This session enables you to execute commands and retrieve information such as active network connections, running processes, and login history, meeting the investigation requirements with minimal administrative effort.

46
Q

Question #9 Topic 6 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 1,000 Windows devices.

You have a PowerShell script named Script1.ps1 that is signed digitally.

You need to ensure that you can run Script1.ps1 in a live response session on one of the devices.

What should you do first from the live response session?

A. Run the library command.

B. Upload Script1.ps1 to the library.

C. Run the putfile command.

D. Modify the PowerShell execution policy of the device.

A

B. Upload Script1.ps1 to the library.

To run a PowerShell script like Script1.ps1 in a live response session, you first need to upload the script to the library within the live response session. Once the script is in the library, you can then execute it on the device. This ensures that the script is available for execution during the session.

47
Q

Question #7 Topic 5

You have a Microsoft 365 E5 subscription that contains a device named Device1. Device1 is enrolled in Microsoft Defender for Endpoint.

Device1 reports an incident that includes a file named File1.exe as evidence.

You initiate the Collect Investigation Package action and download the ZIP file.

You need to identify the first and last time File1.exe was executed.

What should you review in the investigation package?

A. Processes

B. Autoruns

C. Security event log

D. Scheduled tasks

E. Prefetch files

A

E. Prefetch files

Prefetch files in Windows contain data about the execution history of applications, including timestamps of when an executable file was first and last run. By analyzing these files, you can determine the execution times for File1.exe.

48
Q

Question #40 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

A remediation action for an automated investigation quarantines a file across multiple devices.

You need to mark the file as safe and remove the file from quarantine on the devices.

What should you use in the Microsoft 365 Defender portal?

A. From the History tab in the Action center, revert the actions.

B. From the investigation page, review the AIR processes.

C. From Quarantine from the Review page, modify the rules.

D. From Threat tracker, review the queries.

A

A. From the History tab in the Action center, revert the actions.

The History tab in the Action center allows you to review past actions taken by automated investigations, and you can revert these actions if necessary. This would include marking the file as safe and removing it from quarantine.

49
Q

Question #58 Topic 1

You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365.

You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.

Which response action should you use?

A. Run antivirus scan

B. Initiate Automated Investigation

C. Collect investigation package

D. Initiate Live Response Session

A

C. Collect investigation package

This action will gather all relevant forensic data from the devices, which is essential for further analysis and investigation.

50
Q

Question #55 Topic 1

You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.

You onboard the devices to Microsoft Defender 365.

You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.

What should you do first?

A. Modify the permissions for Microsoft 365 Defender.

B. Create a device group.

C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.

D. Configure role-based access control (RBAC).

A

C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.

Enabling automated investigation is a necessary step to use advanced features, including remote shell capabilities, in Microsoft Defender for Endpoint.

51
Q

Question #50 Topic 1 (CHECK)

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.

What should you use in the Microsoft 365 Defender portal?

A. incidents

B. Remediation

C. Investigations

D. Advanced hunting

A

D. Advanced hunting: This is a powerful tool for querying and analyzing data but is more suited for custom queries rather than quickly identifying affected devices from malware alerts.

52
Q

Question #18 Topic 6

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You need to identify all the entities affected by an incident.

Which tab should you use in the Microsoft Defender portal?

A. Investigations

B. Assets

C. Evidence and Response

D. Alerts

A

C. Evidence and Response

The “Evidence and Response” tab provides details about the affected entities and allows you to view and manage the evidence related to an incident.

53
Q

Question #17 Topic 6 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll.

You need to submit files for deep analysis in Microsoft Defender XDR.

Which files can you submit?

A. File1.ps1 only

B. File2.exe only

C. File3.dll only

D. File2.exe and File3.dll only

E. File1.ps1 and File2.exe only

F. File1.ps1, File2.exe, and File3.dll

A

D. File2.exe and File3.dll only

Here’s the reasoning:

File types: According to the submission guidelines, Microsoft Defender XDR supports the submission of Portable Executable (PE) files, which include .exe and .dll files. Therefore:

File2.exe (an executable file) is eligible for submission.

File3.dll (a dynamic link library file) is also eligible for submission.

File1.ps1: This is a PowerShell script file. While PowerShell scripts can be submitted for analysis, they are not categorized as PE files and may not be supported in the same manner as .exe and .dll files for deep analysis in this context.

54
Q

Question #39 Topic 1

Your company has an on-premises network that uses Microsoft Defender for Identity.

The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.

You need to remediate the security risk.

What should you do?

A. Disable legacy protocols on the computers listed as exposed entities.

B. Enforce LDAP signing on the computers listed as exposed entities.

C. Modify the properties of the computer objects listed as exposed entities.

D. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.

A

C. Modify the properties of the computer objects listed as exposed entities.

In the context of Kerberos delegation, this typically involves configuring the delegation settings in Active Directory to ensure that only secure delegation configurations are applied. This can involve setting delegation to “Trust this computer for delegation to specified services only” and choosing the appropriate services or “Do not trust this computer for delegation.”

55
Q

Question #5 Topic 6

You have an on-premises network.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.

From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.

Suspected identity theft (pass-the-ticket) (external ID 2018)

You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.

What should you do?

A. Disable User1 only.

B. Quarantine Device1 only.

C. Reset the password for all the accounts that previously signed in to Device1.

D. Disable User1 and quarantine Device1.

E. Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.

A

B. Quarantine Device1 only.

Quarantining Device1 will isolate the device from the network to prevent further potential spread of the attack or misuse while minimizing impact on other users and systems. Disabling User1 or resetting passwords may be required later, but quarantining the device is a more immediate and less disruptive containment measure.

56
Q

Question #1 Topic 5

You have a Microsoft 365 subscription that contains the following resources:

  • 100 users that are assigned a Microsoft 365 E5 license
  • 100 Windows 11 devices that are joined to the Microsoft Entra tenant

The users access their Microsoft Exchange Online mailbox by using Outlook on the web.

You need to ensure that if a user account is compromised, the Outlook on the web session token can be revoked. What should you configure?

A. security defaults in Microsoft Entra

B. Microsoft Entra Verified ID

C. a Conditional Access policy in Microsoft Entra

D. Microsoft Entra ID Protection

A

C. a Conditional Access policy in Microsoft Entra

Here’s why:

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) allow you to implement automated access control decisions for accessing your cloud apps, including Exchange Online through Outlook on the web. You can set up policies that respond to signs of a compromised account by enforcing actions like forcing re-authentication or blocking access entirely.

Specifically, Conditional Access can be configured to use signals from Microsoft Entra ID Protection to detect risk, but the policy itself is what enforces the session control or revocation of access.

57
Q

Question #44 Topic 2

You have an Azure subscription that contains a user named User1.

User1 is assigned an Azure Active Directory Premium Plan 2 license.

You need to identify whether the identity of User1 was compromised during the last 90 days.

What should you use?

A. the risk detections report

B. the risky users report

C. Identity Secure Score recommendations

D. the risky sign-ins report

A

B. the risky users report

The risky users report in Azure AD provides information about users who have been flagged as risky based on various risk detections. This report can help you determine if User1’s identity was compromised or if there were any suspicious activities related to their account.

58
Q

Question #32 Topic 1 (CHECK)

You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.

You need to identify all the changes made to the Domain Admins group during the past 30 days.

What should you use?

A. the Modifications of sensitive groups report in Microsoft Defender for Identity

B. the identity security posture assessment in Microsoft Defender for Cloud Apps

C. the Azure Active Directory Provisioning Analysis workbook

D. the Overview settings of Insider risk management

A

A. the Modifications of sensitive groups report in Microsoft Defender for Identity

This report provides details about changes to sensitive groups, including the Domain Admins group, and helps track modifications and potentially suspicious activities related to group memberships.

59
Q

Question #89 Topic 3 (CHECK)

You have a Microsoft Sentinel workspace that uses the Microsoft 365 Defender data connector.

From Microsoft Sentinel, you investigate a Microsoft 365 incident.

You need to update the incident to include an alert generated by Microsoft Defender for Cloud Apps.

What should you use?

A. the entity side panel of the Timeline card in Microsoft Sentinel

B. the Timeline tab on the incidents page of Microsoft Sentinel

C. the investigation graph on the incidents page of Microsoft Sentinel

D. the Alerts page in the Microsoft 365 Defender portal

A

A. the entity side panel of the Timeline card in Microsoft Sentinel

60
Q

Question #67 Topic 3

You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector.

You need to customize which details will be included when an alert is created for a specific event.

What should you do?

A. Enable User and Entity Behavior Analytics (UEBA).

B. Create a Data Collection Rule (DCR).

C. Modify the properties of the connector.

D. Create a scheduled query rule.

A

D. Create a scheduled query rule.

Here’s why:

Scheduled query rules in Microsoft Sentinel allow you to define custom detection rules. When you create these rules, you specify the conditions for generating alerts and can customize what information is included in those alerts. This includes defining the severity, the alert details, entity mapping, and other relevant information.

61
Q

Question #40 Topic 2

You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed.

You need to simulate an attack on the virtual machine that will generate an alert.

What should you do first?

A. Run the Log Analytics Troubleshooting Tool.

B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe.

C. Modify the settings of the Microsoft Monitoring Agent.

D. Run the MMASetup executable and specify the –foo argument.

A

B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe.

This option involves creating a file with a name that triggers test alerts in Microsoft Defender for Cloud, allowing you to simulate an attack and generate an alert for testing purposes.

62
Q

Question #36 Topic 2

You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.

You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.

Which JSON key should you search?

A. Description

B. Intent

C. ExtendedProperties

D. Entities

A

B. Intent

The Intent key typically contains information about the type of attack or tactic being executed, such as Privilege Escalation, which aligns with MITRE ATT&CK tactics.

63
Q

Question #34 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.

You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.

You need to identify which blobs were deleted.

What should you review?

A. the activity logs of storage1

B. the Azure Storage Analytics logs

C. the alert details

D. the related entities of the alert

A

B. the Azure Storage Analytics logs

Azure Storage Analytics logs provide detailed information about operations performed on the storage account, including blob delete operations.

64
Q

Question #19 Topic 2

You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

What should you do?

A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section.

B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.

C. From Regulatory compliance, download the report.

D. From Recommendations, download the CSV report.

A

B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.

This will provide you with specific recommendations and steps to address and resolve the security alert.

65
Q

Question #13 Topic 2

You are responsible for responding to Azure Defender for Key Vault alerts.

During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node.

What should you configure to mitigate the threat?

A. Key Vault firewalls and virtual networks

B. Azure Active Directory (Azure AD) permissions

C. role-based access control (RBAC) for the key vault

D. the access policy settings of the key vault

A

A. Key Vault firewalls and virtual networks

Configuring Key Vault firewalls and virtual networks allows you to restrict access to the Key Vault to only specific IP addresses or ranges, including denying access from unwanted sources like Tor exit nodes. This enhances security by controlling which networks or IP addresses can interact with the Key Vault.

While Azure AD permissions, RBAC, and access policy settings are important for managing who can access the Key Vault and what actions they can perform, controlling network access with firewalls and virtual networks specifically addresses the threat of unauthorized access attempts from external sources.

66
Q

Question #5 Topic 2

You provision a Linux virtual machine in a new Azure subscription.
You enable Azure Defender and onboard the virtual machine to Azure Defender.

You need to verify that an attack on the virtual machine triggers an alert in Azure Defender.

Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. cp /bin/echo ./asc_alerttest_662jfi039n

B. ./alerttest testing eicar pipe

C. cp /bin/echo ./alerttest

D. ./asc_alerttest_662jfi039n testing eicar pipe

A

A. cp /bin/echo ./asc_alerttest_662jfi039n

D. ./asc_alerttest_662jfi039n testing eicar pipe

Here’s the reasoning:

A. This command copies echo to a new file named asc_alerttest_662jfi039n. The filename asc_alerttest_662jfi039n is specifically recognized by Azure Defender as a test file meant to trigger a benign alert for testing purposes.

D. Running this command with the testing eicar pipe argument simulates an action akin to testing with the EICAR test file, a standard method to check if security software is functioning by pretending to deal with a harmless virus signature. This command, when executed with this specific file name, should trigger an alert in Azure Defender.

67
Q

Question #35 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud.

You need to filter the security alerts view to show the following alerts:

  • Unusual user accessed a key vault
  • Log on from an unusual location
  • Impossible travel activity

Which severity should you use?

A. Informational

B. Low

C. Medium

D. High

A

C. Medium

Here’s why:

Medium severity often captures alerts that are suspicious and require investigation but are not necessarily immediately critical or high-risk in every context. Alerts regarding unusual access patterns or behaviors, like the ones listed, would usually fall into this category because they indicate potential security issues that should be investigated to determine if they are indeed malicious or just anomalies.

68
Q

Question #29 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft SharePoint Online.

You delete users from the subscription.

You need to be notified if the deleted users downloaded numerous documents from SharePoint Online sites during the month before their accounts were deleted.

What should you use?

A. a file policy in Microsoft Defender for Cloud Apps

B. an access review policy

C. an alert policy in Microsoft Defender for Office 365

D. an insider risk policy

A

D. an insider risk policy

Here’s why:

Insider risk policies in Microsoft 365 are designed to detect, investigate, and act on risky activities within your organization, including unusual data access or download patterns by users. This includes behavior that might be indicative of data exfiltration or other insider threats, which would cover scenarios where users download large amounts of data before leaving the organization or having their accounts deleted.

69
Q

Question #33 Topic 1

You have a Microsoft 365 subscription. The subscription uses Microsoft 365 Defender and has data loss prevention (DLP) policies that have aggregated alerts configured.

You need to identify the impacted entities in an aggregated alert.

What should you review in the DLP alert management dashboard of the Microsoft 365 compliance center?

A. the Events tab of the alert

B. the Sensitive Info Types tab of the alert

C. Management log

D. the Details tab of the alert

A

A. Review the Events tab of the alert

Here’s why:

The Events tab provides detailed information about each event that triggered the alert. This includes specifics like which files or items were involved, who the actors were (users), what actions were taken (e.g., sharing, downloading), and other contextual details that help you understand which entities were impacted by the policy violation.

70
Q

Question #16 Topic 6 (CHECK)

You have a Microsoft 365 E5 subscription.

Automated investigation and response (AIR) is enabled in Microsoft Defender for Office 365 and devices use full automation in Microsoft Defender for Endpoint.

You have an incident involving a user that received malware-infected email messages on a managed device.

Which action requires manual remediation of the incident?

A. soft deleting the email message

B. hard deleting the email message

C. isolating the device

D. containing the device

A

A or B

71
Q

Question #45 Topic 3

You have a Microsoft Sentinel workspace.

You need to identify which rules are used to detect advanced multistage attacks that comprise two or more alerts or activities.

The solution must minimize administrative effort.

Which rule type should you query?

A. Fusion

B. Microsoft Security

C. ML Behavior Analytics

D. Scheduled

A

A. Fusion

Fusion rules in Microsoft Sentinel are designed to detect advanced multistage attacks by correlating multiple alerts and activities across various sources. They help in identifying complex attack patterns that span multiple stages, which aligns with the requirement of detecting advanced multistage attacks.

72
Q

Question #33 Topic 3

You have an Azure subscription named Sub1 and a Microsoft 365 subscription. Sub1 is linked to an Azure Active Directory (Azure AD) tenant named contoso.com.

You create an Azure Sentinel workspace named workspace1. In workspace1, you activate an Azure AD connector for contoso.com and an Office 365 connector for the Microsoft 365 subscription.

You need to use the Fusion rule to detect multi-staged attacks that include suspicious sign-ins to contoso.com followed by anomalous Microsoft Office 365 activity.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Create a custom rule based on the Office 365 connector templates.

B. Create a Microsoft incident creation rule based on Azure Security Center.

C. Create a Microsoft Cloud App Security connector.

D. Create an Azure AD Identity Protection connector.

A

D. Create an Azure AD Identity Protection connector.
Azure AD Identity Protection will help in identifying and reacting to identity-based risks. Since you are looking for suspicious sign-ins, this connector will provide insights into risky users, sign-in activities, and vulnerabilities, which can be correlated with Office 365 activities in Fusion rules.

A. Create a custom rule based on the Office 365 connector templates.
By creating a custom rule using the templates from the Office 365 connector, you can tailor the detection to look for anomalous activities specific to your environment. This custom rule can work in conjunction with the Fusion engine to analyze patterns that include both Azure AD sign-in data and Office 365 activity.

73
Q

Question #12 Topic 3

You recently deployed Azure Sentinel.

You discover that the default Fusion rule does not generate any alerts. You verify that the rule is enabled.

You need to ensure that the Fusion rule can generate alerts.

What should you do?

A. Disable, and then enable the rule.

B. Add data connectors

C. Create a new machine learning analytics rule.

D. Add a hunting bookmark.

A

B. Add data connectors

Fusion rules rely on data from various sources connected to Azure Sentinel. If the necessary data connectors are not configured or not collecting data, the Fusion rule won’t generate alerts. Adding the appropriate data connectors ensures that the necessary data is available for the rule to analyze and generate alerts.

74
Q

Question #14 Topic 5

You have a Microsoft Sentinel workspace named SW1.

You need to identify which anomaly rules are enabled in SW1.

What should you review in Microsoft Sentinel?

A. Content hub

B. Entity behavior

C. Analytics

D. Settings

A

C. Analytics

In Microsoft Sentinel, the Analytics section provides an overview of the different analytics rules, including anomaly detection rules. Here, you can see which rules are enabled and their configurations.

75
Q

Question #25 Topic 3

You use Azure Sentinel.

You need to receive an alert in near real-time whenever Azure Storage account keys are enumerated.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Create a livestream

B. Add a data connector

C. Create an analytics rule

D. Create a hunting query.

E. Create a bookmark.

A

B. Add a data connector
C. Create an analytics rule

Add a data connector: You need to ensure that you have the appropriate data connector in place to collect logs related to Azure Storage. This is typically the Azure Storage data connector.

Create an analytics rule: Set up an analytics rule in Azure Sentinel to monitor the collected data for events related to the enumeration of Azure Storage account keys. This rule will generate alerts based on the conditions you specify.

76
Q

Question #91 Topic 3

You have a Microsoft Sentinel workspace that has User and Entity Behavior Analytics (UEBA) enabled for Signin Logs.

You need to ensure that failed interactive sign-ins are detected. The solution must minimize administrative effort.

What should you use?

A. a scheduled alert query

B. the Activity Log data connector

C. a UEBA activity template

D. a hunting query

A

C. a UEBA activity template

User and Entity Behavior Analytics (UEBA) templates in Microsoft Sentinel are designed to simplify the detection of specific behaviors, including failed sign-ins, by leveraging pre-built analytics rules. These templates use machine learning and behavioral analysis to detect anomalies and suspicious activities, such as failed interactive sign-ins.

77
Q

Question #49 Topic 3

You have an Azure subscription that uses Microsoft Sentinel.

You detect a new threat by using a hunting query.

You need to ensure that Microsoft Sentinel automatically detects the threat. The solution must minimize administrative effort.

What should you do?

A. Create an analytics rule.

B. Add the query to a workbook.

C. Create a watchlist.

D. Create a playbook.

A

A. Create an analytics rule.

Analytics rules in Microsoft Sentinel allow you to automate the detection of specific threats or anomalies, turning hunting queries into actionable detections that generate alerts automatically. This approach minimizes manual effort and ensures that threats are detected consistently based on the defined criteria.

78
Q

Question #17 Topic 3

You create a custom analytics rule to detect threats in Azure Sentinel.

You discover that the rule fails intermittently.

What are two possible causes of the failures? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. The rule query takes too long to run and times out.

B. The target workspace was deleted.

C. Permissions to the data sources of the rule query were modified.

D. There are connectivity issues between the data sources and Log Analytics

A

A. The rule query takes too long to run and times out.
If the query is too complex or if it’s querying a very large dataset, it might exceed the runtime limits imposed by Azure Sentinel, causing the rule to fail intermittently. Optimizing the query or breaking it down into smaller, more efficient queries could mitigate this issue.

D. There are connectivity issues between the data sources and Log Analytics

79
Q

Question #10 Topic 3

You have a custom analytics rule to detect threats in Azure Sentinel.

You discover that the analytics rule stopped running. The rule was disabled, and the rule name has a prefix of AUTO DISABLED.

What is a possible cause of the issue?

A. There are connectivity issues between the data sources and Log Analytics.

B. The number of alerts exceeded 10,000 within two minutes.

C. The rule query takes too long to run and times out.

D. Permissions to one of the data sources of the rule query were modified.

A

B. The number of alerts exceeded 10,000 within two minutes.

Here’s why:

Azure Sentinel has built-in mechanisms to manage system performance and resource utilization. If an analytics rule generates an excessive number of alerts in a very short time frame (specifically, if it exceeds 10,000 alerts within two minutes), Sentinel will automatically disable the rule to prevent overwhelming the system or the security operations team with too many alerts. This is a protective measure to ensure that both the Sentinel workspace and the analysts using it can operate effectively.

80
Q

Question #12 Topic 5 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices.

You plan to create a Microsoft Defender XDR custom deception rule.

You need to ensure that the rule will be applied to only 10 specific devices.

What should you do first?

A. Add custom lures to the rule.

B. Add the IP address of each device to the list of decoy accounts and hosts of the rule.

C. Add the devices to a group.

D. Assign a tag to the devices.

A

D

81
Q

Question #20 Topic 2

You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server.

You are troubleshooting an issue on the virtual machines.

In Security Center, you need to view the alerts generated by the virtual machines during the last five days.

What should you do?

A. Change the rule expiration date of the suppression rule.

B. Change the state of the suppression rule to Disabled.

C. Modify the filter for the Security alerts page.

D. View the Windows event logs on the virtual machines.

A

B. Change the state of the suppression rule to Disabled.

Explanation:
Suppression rules in Azure Security Center are used to prevent specific alerts from being raised for certain resources (such as virtual machines). If you have a suppression rule applied to the 10 virtual machines, those alerts will not show up in Security Center. To troubleshoot and view the alerts, you need to disable the suppression rule temporarily. This will allow Security Center to display the previously suppressed alerts for the virtual machines.

82
Q

Question #42 Topic 3

You have two Azure subscriptions that use Microsoft Defender for Cloud.

You need to ensure that specific Defender for Cloud security alerts are suppressed at the root management group level. The solution must minimize administrative effort.

What should you do in the Azure portal?

A. Create an Azure Policy assignment.

B. Modify the Workload protections settings in Defender for Cloud.

C. Create an alert rule in Azure Monitor.

D. Modify the alert settings in Defender for Cloud.

A

A. Create an Azure Policy assignment.

Reasoning:

Central Management: Azure Policy allows you to enforce organizational standards and assess compliance at scale. By creating a policy assignment at the root management group level, it applies to all subscriptions and resources under that management group, which aligns with the requirement to minimize administrative effort across multiple subscriptions.

Alert Suppression: Although Azure Policy isn’t specifically designed for alert suppression, you can use it in conjunction with Defender for Cloud’s capabilities. For instance, you might create a policy that defines when certain alerts should be ignored or how they should be treated based on specific conditions.

Automation: Azure Policy can automate many management tasks, making it an ideal choice for maintaining consistency and control across environments.

83
Q

Question #48 Topic 2

You have an Azure subscription that contains a virtual machine named VM1 and uses Microsoft Defender for Cloud.

Microsoft Defender for Cloud has automatic provisioning configured to use Azure Monitor Agent.

You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.

What should you do first?

A. From Microsoft Defender for Cloud, export the alerts to a Log Analytics workspace.

B. From Microsoft Defender for Cloud, add a workflow automation.

C. On VM1, trigger a PowerShell alert.

D. On VM1, run the Get-MPThreatCatalog cmdlet.

A

C. On VM1, trigger a PowerShell alert.

Explanation:
Before you can create a suppression rule for specific alerts, you need the alert to be triggered at least once so that it appears in the Microsoft Defender for Cloud alert list. This will allow you to identify the specific alert (e.g., PowerShell-related) and configure a suppression rule for it.

84
Q

Question #27 Topic 2 (CHECK)

You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled.

You need to create a custom alert suppression rule that will suppress false positive alerts for suspicious use of PowerShell on VM1.

What should you do first?

A. From Azure Security Center, add a workflow automation.

B. On VM1, run the Get-MPThreatCatalog cmdlet.

C. On VM1 trigger a PowerShell alert.

D. From Azure Security Center, export the alerts to a Log Analytics workspace.

A

C or D

85
Q

Question #5 Topic 1

Your company uses Microsoft Defender for Endpoint.

The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company’s accounting team.

You need to hide false positives in the Alerts queue, while maintaining the existing security posture.

Which three actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Resolve the alert automatically.

B. Hide the alert.

C. Create a suppression rule scoped to any device.

D. Create a suppression rule scoped to a device group.

E. Generate the alert.

A

B. Hide the alert.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.

Explanation:
B. Hide the alert: Hiding the alert will ensure that it does not appear in the Alerts queue but still allows other similar alerts to be monitored if they occur on devices outside of the accounting team.

D. Create a suppression rule scoped to a device group: Since the false positives are occurring on the devices used by the accounting team, you can create a suppression rule that is scoped to only those devices. This ensures that the false positives for these known cases are suppressed while maintaining security on other devices.

E. Generate the alert: You need to generate the alert to capture the details of the false positive and apply the suppression rule correctly.

86
Q

Question #16 Topic 5 (CHECK)

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR.

The security team at your company detects command and control (C2) agent traffic on the network. Agents communicate once every 50 hours.

You need to create a Microsoft Defender XDR custom detection rule that will identify compromised devices and establish a pattern of communication. The solution must meet the following requirements:

  • Identify all the devices that have communicated during the past 14 days.
  • Minimize how long it takes to identify the devices.

To what should you set the detection frequency for the rule?

A. Every 12 hours

B. Every 24 hours

C. Every three hours

D. Every hour

A

A B C

87
Q

Question #11 Topic 4 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 500 Windows devices.

As part of an incident investigation, you identify the following suspected malware files:

  • sys
  • pdf
  • docx
  • xlsx

You need to create indicator hashes to block users from downloading the files to the devices.

Which files can you block by using the indicator hashes?

A. File1.sys only

B. File1.sys and File3.docx only

C. File1.sys, File3.docx, and File4.xlsx only

D. File2.pdf, File3.docx, and File4.xlsx only

E. File1.sys, File2.pdf, File3.docx, and File4.xlsx

A

E. File1.sys, File2.pdf, File3.docx, and File4.xlsx

Explanation:
Indicator hashes (such as MD5, SHA-1, or SHA-256) can be used to block files based on their unique cryptographic hashes. This functionality applies to all types of files, including:

File1.sys (System file)
File2.pdf (PDF file)
File3.docx (Word document)
File4.xlsx (Excel document)

Or D

88
Q

Question #56 Topic 2 (CHECK)

You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.

You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and costs.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Configure auto-provisioning by setting the security event storage to Common.

B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.

C. From the Azure portal, create an Azure Event Grid subscription.

D. Configure auto-provisioning by setting the security event storage to All Events.

E. From Defender for Cloud in the Azure portal, enable Microsoft Defender for Servers.

A

E and A

89
Q

Question #47 Topic 1

You have an Azure subscription that uses Microsoft Defender for Servers Plan 1 and contains a server named Server1.

You enable agentless scanning.

You need to prevent Server1 from being scanned. The solution must minimize administrative effort.

What should you do?

A. Create an exclusion tag.

B. Upgrade the subscription to Defender for Servers Plan 2.

C. Create a governance rule.

D. Create an exclusion group.

A

A. Create an exclusion tag.

This approach minimizes administrative effort by allowing you to tag Server1 as an exclusion, preventing it from being scanned without needing to upgrade or create additional governance rules.

90
Q

Question #15 Topic 2

You have an Azure subscription that contains a Log Analytics workspace.

You need to enable just-in-time (JIT) VM access and network detections for Azure resources.

Where should you enable Azure Defender?

A. at the subscription level

B. at the workspace level

C. at the resource level

A

A. at the subscription level

Enabling Azure Defender at the subscription level allows you to apply the security features, including JIT access and network detections, across all relevant resources within that subscription.

91
Q

Question #2 Topic 5

You have an Azure subscription that uses Microsoft Defender for Cloud.

You need to configure Defender for Cloud to mitigate the following risks:

  • Vulnerabilities within the application source code
  • Exploitation toolkits in declarative templates
  • Operations from malicious IP addresses
  • Exposed secrets

Which two Defender for Cloud services should you use? Each correct answer presents part of the solution.

NOTE: Each correct answer is worth one point.

A. Microsoft Defender for Resource Manager

B. Microsoft Defender for DNS

C. Microsoft Defender for App Service

D. Microsoft Defender for Servers

E. Microsoft Defender for DevOps

A

A. Microsoft Defender for Resource Manager
This service helps detect exploitation toolkits in declarative templates and provides security recommendations for resource templates.

E. Microsoft Defender for DevOps
This service addresses vulnerabilities within application source code and helps manage exposed secrets, providing security insights in your DevOps pipelines.

92
Q

Question #36 Topic 1

You have an Azure subscription that uses Microsoft Defender for Endpoint.

You need to ensure that you can allow or block a user-specified range of IP addresses and URLs.

What should you enable first in the Advanced features from the Endpoints Settings in the Microsoft 365 Defender portal?

A. custom network indicators

B. live response for servers

C. endpoint detection and response (EDR) in block mode

D. web content filtering

A

A. custom network indicators

Custom network indicators allow you to define specific IP addresses, IP ranges, or URLs that you want to block or allow. This feature is part of the attack surface reduction capabilities in Microsoft Defender for Endpoint, enabling you to control network traffic based on predefined rules.

93
Q

Question #24 Topic 1

You have a Microsoft 365 subscription that contains 1,000 Windows 10 devices. The devices have Microsoft Office 365 installed.

You need to mitigate the following device threats:
✑ Microsoft Excel macros that download scripts from untrusted websites
✑ Users that open executable attachments in Microsoft Outlook
✑ Outlook rules and forms exploits

What should you use?

A. Microsoft Defender Antivirus

B. attack surface reduction rules in Microsoft Defender for Endpoint

C. Windows Defender Firewall

D. adaptive application control in Azure Defender

A

B. attack surface reduction rules in Microsoft Defender for Endpoint

These rules can help prevent specific actions, such as blocking Excel macros from untrusted sources, preventing the opening of executable attachments in Outlook, and addressing Outlook rules and forms exploits.

94
Q

Question #2 Topic 1

You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in.

Which anomaly detection policy should you use?

A. Impossible travel

B. Activity from anonymous IP addresses

C. Activity from infrequent country

D. Malware detection

A

C. Activity from infrequent country

Activity from infrequent country anomaly detection policy flags sign-ins from countries where sign-ins are rare or have never occurred before for your organization. This policy helps in detecting unusual geographic activity, which aligns with your requirement of monitoring sign-ins from locations not typically used by your users.

95
Q

Question #23 Topic 1

You have a Microsoft 365 tenant that uses Microsoft Exchange Online and Microsoft Defender for Office 365.

What should you use to identify whether zero-hour auto purge (ZAP) moved an email message from the mailbox of a user?

A. the Threat Protection Status report in Microsoft Defender for Office 365

B. the mailbox audit log in Exchange

C. the Safe Attachments file types report in Microsoft Defender for Office 365

D. the mail flow report in Exchange

A

A. the Threat Protection Status report in Microsoft Defender for Office 365

The Threat Protection Status report provides detailed information on various threat protection activities, including actions taken by ZAP. This report can show which messages were purged due to ZAP, giving insight into when and why emails were removed from mailboxes.

96
Q

Question #20 Topic 1

Your company has a single office in Istanbul and a Microsoft 365 subscription.

The company plans to use conditional access policies to enforce multi-factor authentication (MFA).

You need to enforce MFA for all users who work remotely.

What should you include in the solution?

A. a fraud alert

B. a user risk policy

C. a named location

D. a sign-in user policy

A

C. a named location

By defining a named location for your office in Istanbul and then configuring conditional access policies to require MFA for sign-ins that occur outside this location, you can effectively enforce MFA for remote users.

97
Q

Question #13 Topic 1

You implement Safe Attachments policies in Microsoft Defender for Office 365.

Users report that email messages containing attachments take longer than expected to be received.

You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked.

What should you configure in the Safe Attachments policies?

A. Dynamic Delivery

B. Replace

C. Block and Enable redirect

D. Monitor and Enable redirect

A

A. Dynamic Delivery

Dynamic Delivery in Safe Attachments allows attachments to be delivered to the recipient immediately, with the scanning process happening in the background. If malware is detected later, the email can be removed from the recipient’s mailbox or other actions can be taken. This approach balances the need for prompt delivery with thorough security checks, which is ideal for reducing perceived delivery delays.

98
Q

Question #3 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365.

You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consist of 32 alphanumeric characters.

You need to create a data loss prevention (DLP) policy to protect the sensitive documents.

What should you use to detect which documents are sensitive?

A. SharePoint search

B. a hunting query in Microsoft 365 Defender

C. Azure Information Protection

D. RegEx pattern matching

A

D. RegEx pattern matching

RegEx (Regular Expression) pattern matching allows you to define precise patterns for what constitutes sensitive information. In this case, you can create a regular expression that matches strings of 32 alphanumeric characters, which would be used to identify the customer account numbers. This approach is highly customizable and can be integrated into DLP policies to detect when such patterns appear in documents, emails, or other content.

99
Q

Question #59 Topic 1

You need to configure Microsoft Defender for Cloud Apps to generate alerts and trigger remediation actions in response to external sharing of confidential files.

Which two actions should you perform in the Microsoft 365 Defender portal? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Settings, select Cloud App, select Microsoft Information Protection, and then select Only scan files for Microsoft Information Protection sensitivity labels and content inspection warnings from this tenant.

B. From Cloud apps, select Files, and then filter File Type to Document.

C. From Settings, select Cloud App, select Microsoft Information Protection, select Files, and then enable file monitoring.

D. From Cloud apps, select Files, and then filter App to Office 365.

E. From Cloud apps, select Files, and then select New policy from search.

F. From Settings, select Cloud App, select Microsoft Information Protection, and then select Automatically scan new files for Microsoft Information Protection sensitivity labels and content inspection warnings.

A

D. From Cloud apps, select Files, and then filter App to Office 365.

E. From Cloud apps, select Files, and then select New policy from search.

Creating a new policy from search allows you to define specific conditions under which alerts should be generated and remediation actions taken. This includes setting up rules for external sharing of files labeled as confidential or sensitive.

100
Q

Question #21 Topic 1

You are configuring Microsoft Cloud App Security.

You have a custom threat detection policy based on the IP address ranges of your company’s United States-based offices.

You receive many alerts related to impossible travel and sign-ins from risky IP addresses.

You determine that 99% of the alerts are legitimate sign-ins from your corporate offices.

You need to prevent alerts for legitimate sign-ins from known locations.

Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Configure automatic data enrichment.

B. Add the IP addresses to the corporate address range category.

C. Increase the sensitivity level of the impossible travel anomaly detection policy.

D. Add the IP addresses to the other address range category and add a tag.

E. Create an activity policy that has an exclusion for the IP addresses.

A

A. Configure automatic data enrichment.
B. Add the IP addresses to the corporate address range category.

Here’s why these are the best choices:

Configure automatic data enrichment (A):
This allows Cloud App Security to automatically enrich IP address data with additional context, which can help in more accurately identifying legitimate corporate traffic versus truly suspicious activity.

Add the IP addresses to the corporate address range category (B):
By explicitly defining the IP ranges of your corporate offices as “corporate” in Cloud App Security, you’re telling the system that traffic from these IPs should be considered trusted. This will significantly reduce false positive alerts for impossible travel and risky IP addresses when the traffic is actually coming from your known office locations.

101
Q

Question #18 Topic 1

You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files.

Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant.

B. Select Investigate files, and then filter App to Office 365.

C. Select Investigate files, and then select New policy from search.

D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.

E. From Settings, select Information Protection, select Files, and then enable file monitoring.

F. Select Investigate files, and then filter File Type to Document.

A

E. From Settings, select Information Protection, select Files, and then enable file monitoring.

D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.

102
Q

Question #1 Topic 4

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1 and 100 virtual machines that run Windows Server.

You need to configure the collection of Windows Security event logs for ingestion to WS1. The solution must meet the following requirements:

  • Capture a full user audit trail including user sign-in and user sign-out events.
  • Minimize the volume of events.
  • Minimize administrative effort.

Which event set should you select?

A. Minimal

B. Common

C. All events

D. Custom

A

B. Common

The Common event set is designed to capture essential events, including user sign-in and sign-out, without overwhelming the system with unnecessary logs.

103
Q

Question #30 Topic 3

You have the following environment:

✑ Azure Sentinel
✑ A Microsoft 365 subscription
✑ Microsoft Defender for Identity
✑ An Azure Active Directory (Azure AD) tenant

You configure Azure Sentinel to collect security logs from all the Active Directory member servers and domain controllers.

You deploy Microsoft Defender for Identity by using standalone sensors.

You need to ensure that you can detect when sensitive groups are modified in Active Directory.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.

B. Modify the permissions of the Domain Controllers organizational unit (OU).

C. Configure auditing in the Microsoft 365 compliance center.

D. Configure Windows Event Forwarding on the domain controllers.

A

A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.

D. Configure Windows Event Forwarding on the domain controllers.

These actions will help you collect the necessary audit logs for monitoring changes to sensitive groups in Active Directory.

104
Q

Question #59 Topic 2

You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.

You enable Microsoft Defender for Cloud and configure Defender for Cloud to use workspace1.

You need to collect security event logs from the Azure virtual machines that report to workspace1.

What should you do?

A. From Defender for Cloud, modify Microsoft Defender for Servers plan settings.

B. In sub1, register a provider.

C. From Defender for Cloud, create a workflow automation.

D. In workspace1, create a workbook.

A

A. From Defender for Cloud, modify Microsoft Defender for Servers plan settings.

This action allows you to configure the necessary settings for collecting security logs from your virtual machines and directing them to the specified Log Analytics workspace.

105
Q

Question #42 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains 100 virtual machines that run Windows Server.

You need to configure Defender for Cloud to collect event data from the virtual machines. The solution must minimize administrative effort and costs.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From the workspace created by Defender for Cloud, set the data collection level to Common.

B. From the Microsoft Endpoint Manager admin center, enable automatic enrollment.

C. From the Azure portal, create an Azure Event Grid subscription.

D. From the workspace created by Defender for Cloud, set the data collection level to All Events.

E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.

A

A. From the workspace created by Defender for Cloud, set the data collection level to Common.

E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.

These actions will ensure that necessary data is collected efficiently and with minimal administrative overhead.

106
Q

Question #6 Topic 2

You create an Azure subscription named sub1.

In sub1, you create a Log Analytics workspace named workspace1.

You enable Azure Security Center and configure Security Center to use workspace1.

You need to collect security event logs from the Azure virtual machines that report to workspace1.

What should you do?

A. From Security Center, enable data collection

B. In sub1, register a provider.

C. From Security Center, create a Workflow automation.

D. In workspace1, create a workbook.

A

A. From Security Center, enable data collection.

This action will ensure that security event logs from your virtual machines are collected and sent to the configured Log Analytics workspace.

107
Q

Question #46 Topic 3

You have an Azure subscription that uses Microsoft Sentinel and contains 100 Linux virtual machines.

You need to monitor the virtual machines by using Microsoft Sentinel. The solution must meet the following requirements:
✑ Minimize administrative effort.
✑ Minimize the parsing required to read log data.

What should you configure?

A. a Log Analytics Data Collector API

B. REST API integration

C. a Common Event Format (CEF) connector

D. a Syslog connector

A

C. a Common Event Format (CEF) connector

108
Q

Question #25 Topic 1

You have a third-party security information and event management (SIEM) solution.

You need to ensure that the SIEM solution can generate alerts for Azure Active Directory (Azure AD) sign-in events in near real time.

What should you do to route events to the SIEM solution?

A. Create an Azure Sentinel workspace that has a Security Events connector.

B. Configure the Diagnostics settings in Azure AD to stream to an event hub.

C. Create an Azure Sentinel workspace that has an Azure Active Directory connector.

D. Configure the Diagnostics settings in Azure AD to archive to a storage account.

A

B. Configure the Diagnostics settings in Azure AD to stream to an event hub.

Streaming Azure AD diagnostics logs to an Event Hub allows for near real-time data transmission. From the event hub, you can then configure your SIEM solution to ingest this data. Event Hubs are designed for high-throughput, real-time data ingestion, making them ideal for scenarios where timely alerts are crucial.

109
Q

Question #8 Topic 3

Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant.

Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine’s respective subscription.

You deploy Azure Sentinel to a new Azure subscription.

You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions.

Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Add the Security Events connector to the Azure Sentinel workspace.

B. Create a query that uses the workspace expression and the union operator.

C. Use the alias statement.

D. Create a query that uses the resource expression and the alias operator.

E. Add the Azure Sentinel solution to each workspace.

A

B. Create a query that uses the workspace expression and the union operator.

The workspace() function in Azure Sentinel allows you to specify which workspace’s data you want to query. By using the union operator, you can combine data from multiple workspaces. This is key to searching across the workspaces of all your subscriptions simultaneously.

E. Add the Azure Sentinel solution to each workspace.

Each Log Analytics workspace needs to have the Azure Sentinel solution added to it. This step enables these workspaces to be queried by Azure Sentinel. Even though the Sentinel workspace itself is in a new subscription, data from other workspaces can be queried if the right permissions and configurations are in place.

110
Q

Question #11 Topic 7

You have an Azure subscription that contains a resource group named RG1. RG1 contains a Microsoft Sentinel workspace. The subscription is linked to a Microsoft Entra tenant that contains a user named User1.

You need to ensure that User1 can deploy and customize Microsoft Sentinel workbook templates. The solution must follow the principle of least privilege.

Which role should you assign to User1 for RG1?

A. Microsoft Sentinel Contributor

B. Workbook Contributor

C. Microsoft Sentinel Automation Contributor

D. Contributor

A

A. Microsoft Sentinel Contributor

The Microsoft Sentinel Contributor role provides permissions to manage all aspects of Microsoft Sentinel, including workbooks, analytics rules, data connectors, and other Sentinel features. This role allows User1 to create, edit, and manage Sentinel workbooks without granting broader access to resources outside of Sentinel.

111
Q

Question #16 Topic 3

You have an Azure Sentinel deployment in the East US Azure region.

You create a Log Analytics workspace named LogsWest in the West US Azure region.

You need to ensure that you can use scheduled analytics rules in the existing Azure Sentinel deployment to generate alerts based on queries to LogsWest.

What should you do first?

A. Deploy Azure Data Catalog to the West US Azure region.

B. Modify the workspace settings of the existing Azure Sentinel deployment.

C. Add Azure Sentinel to a workspace.

D. Create a data connector in Azure Sentinel.

A

C. Add Azure Sentinel to a workspace.

This step allows you to link the Azure Sentinel instance with the Log Analytics workspace, enabling you to run queries and set up analytics rules.

112
Q

Question #95 Topic 3

You have 50 Microsoft Sentinel workspaces.

You need to view all the incidents from all the workspaces on a single page in the Azure portal. The solution must minimize administrative effort.

Which page should you use in the Azure portal?

A. Microsoft Sentinel - Incidents

B. Microsoft Sentinel - Workbooks

C. Microsoft Sentinel

D. Log Analytics workspaces

A

A. Microsoft Sentinel - Incidents

This page consolidates incidents from all linked workspaces, allowing you to manage and view them in one place.

113
Q

Question #2 Topic 2

You receive an alert from Azure Defender for Key Vault.

You discover that the alert is generated from multiple suspicious IP addresses.

You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users.

What should you do first?

A. Modify the access control settings for the key vault.

B. Enable the Key Vault firewall.

C. Create an application security group.

D. Modify the access policy for the key vault.

A

B. Enable the Key Vault firewall.

Enabling the firewall will restrict access to the Key Vault to only trusted IP addresses, minimizing the risk of unauthorized access while allowing legitimate users to access it if their IPs are whitelisted.

114
Q

Question #46 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a resource group named RG1. RG1 contains 20 virtual machines that run Windows Server 2019.

You need to configure just-in-time (JIT) access for the virtual machines in RG1. The solution must meet the following requirements:

  • Limit the maximum request time to two hours.
  • Limit protocols access to Remote Desktop Protocol (RDP) only.
  • Minimize administrative effort.

What should you use?

A. Azure AD Privileged Identity Management (PIM)

B. Azure Policy

C. Azure Bastion

D. Azure Front Door

A

B. Azure Policy

Azure Policy allows you to define policies that can enforce configurations across your resources, including settings for Microsoft Defender for Cloud’s JIT VM access. You can create or assign a policy that limits JIT access to only RDP, and configure the maximum session time to two hours. This approach minimizes administrative effort as you can apply the policy to the entire resource group at once.

115
Q

Question #13 Topic 5

You have an Azure subscription named Sub1 that uses Microsoft Defender for Cloud.

You need to assign the PCI DSS 4.0 initiative to Sub1 and have the initiative displayed in the Defender for Cloud Regulatory compliance dashboard.

From Security policies in the Environment settings, you discover that the option to add more industry and regulatory standards is unavailable.

What should you do first?

A. Configure the Continuous export settings for Log Analytics.

B. Enable the Cloud Security Posture Management (CSPM) plan for the subscription.

C. Configure the Continuous export settings for Azure Event Hubs.

D. Disable the Microsoft Cloud Security Benchmark (MCSB) assignment.

A

B. Enable the Cloud Security Posture Management (CSPM) plan for the subscription.

Enabling the CSPM plan will allow you to add more industry and regulatory standards, including the PCI DSS initiative, to your Defender for Cloud environment.

116
Q

Question #57 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud.

You have an Amazon Web Services (AWS) subscription. The subscription contains multiple virtual machines that run Windows Server.

You need to enable Microsoft Defender for Servers on the virtual machines.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct answer is worth one point.

A. From Defender for Cloud, enable agentless scanning.

B. Onboard the virtual machines to Microsoft Defender for Endpoint.

C. From Defender for Cloud, configure the AWS connector.

D. Install the Azure Virtual Machine Agent (VM Agent) on each virtual machine.

E. From Defender for Cloud, configure auto-provisioning.

A

C. From Defender for Cloud, configure the AWS connector.
E. From Defender for Cloud, configure auto-provisioning.

Here’s why these actions are appropriate:

Configure the AWS Connector (C):
Setting up the AWS connector is essential for integrating your AWS environment with Microsoft Defender for Cloud. This step allows Defender for Cloud to access and manage resources in your AWS account.
The connector facilitates communication between Azure and AWS, enabling Defender for Cloud to monitor and protect your AWS resources, including the Windows Server virtual machines.

Configure Auto-Provisioning (E):
Enabling auto-provisioning allows Defender for Cloud to automatically install the necessary agents on your EC2 instances. This minimizes administrative effort by automating the deployment process.
Auto-provisioning ensures that all relevant security features, including those provided by Microsoft Defender for Servers, are consistently applied to your virtual machines without requiring manual intervention.

117
Q

Question #2 Topic 4

You have a Microsoft 365 subscription that uses Microsoft Defender for Cloud Apps and has Cloud Discovery enabled.

You need to enrich the Cloud Discovery data. The solution must ensure that usernames in the Cloud Discovery traffic logs are associated with the user principal name (UPN) of the corresponding Microsoft Entra ID user accounts.

What should you do first?

A. From Conditional Access App Control, configure User monitoring.

B. Create a Microsoft 365 app connector.

C. Enable automatic redirection to Microsoft 365 Defender.

D. Create an Azure app connector.

A

B. Create a Microsoft 365 app connector.

This will allow you to link your Microsoft 365 environment with Cloud Discovery, enabling the association of usernames with UPNs.

118
Q

Question #53 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud.

You have a GitHub account named Account1 that contains 10 repositories.

You need to ensure that Defender for Cloud can access the repositories in Account1.

What should you do first in the Microsoft Defender for Cloud portal?

A. Enable integrations.

B. Enable a plan.

C. Add an environment.

D. Enable security policies.

A

C. Add an environment.

119
Q

Question #12 Topic 2

You have an Azure subscription that has Azure Defender enabled for all supported resource types.

You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution.

To which service should you export the alerts?

A. Azure Cosmos DB

B. Azure Event Grid

C. Azure Event Hubs

D. Azure Data Lake

A

C. Azure Event Hubs.

Azure Event Hubs allows for real-time data streaming and is suitable for integrating with SIEM solutions.

120
Q

Question #8 Topic 5

You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).

You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.

What should you install first on Server1?

A. the Microsoft Monitoring Agent

B. the Azure Monitor agent

C. the Azure Connected Machine agent

D. the Azure Pipelines agent

A

C. the Azure Connected Machine agent.

This agent enables you to connect your non-Azure machines to Azure and use Defender for Cloud capabilities.

121
Q

Question #45 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud.

You have an Amazon Web Services (AWS) account that contains an Amazon Elastic Compute Cloud (EC2) instance named EC2-1.

You need to onboard EC2-1 to Defender for Cloud.

What should you install on EC2-1?

A. the Log Analytics agent

B. the Azure Connected Machine agent

C. the unified Microsoft Defender for Endpoint solution package

D. Microsoft Monitoring Agent

A

B. the Azure Connected Machine agent.

This agent allows non-Azure machines, such as AWS EC2 instances, to connect to Defender for Cloud and leverage its security capabilities.

122
Q

Question #33 Topic 2

You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You have a virtual machine named Server1 that runs Windows Server 2022 and is hosted in Amazon Web Services (AWS).

You need to collect logs and resolve vulnerabilities for Server1 by using Defender for Cloud.

What should you install first on Server1?

A. the Microsoft Monitoring Agent

B. the Azure Monitor agent

C. the Azure Arc agent

D. the Azure Pipelines agent

A

C. the Azure Arc agent.

The Azure Arc agent allows non-Azure resources to be managed and monitored within Azure, enabling Defender for Cloud capabilities.

123
Q

Question #30 Topic 2

You have five on-premises Linux servers.

You have an Azure subscription that uses Microsoft Defender for Cloud.

You need to use Defender for Cloud to protect the Linux servers.

What should you install on the servers first?

A. the Dependency agent

B. the Log Analytics agent

C. the Azure Connected Machine agent

D. the Guest Configuration extension

A

C. the Azure Connected Machine agent.

Here’s why this is the correct choice:
Integration with Azure Services: The Azure Connected Machine agent is specifically designed to connect machines hosted outside of Azure (like your on-premises Linux servers) to Azure services, including Microsoft Defender for Cloud. This integration allows you to manage and monitor your Linux servers through Azure.
Log Collection and Vulnerability Assessment: Installing the Azure Connected Machine agent enables Defender for Cloud to collect logs from your Linux servers and perform vulnerability assessments, which are essential for maintaining security compliance.
Management and Security Features: Once the Azure Connected Machine agent is installed, you can leverage various Defender for Cloud features, such as security recommendations and alerts, which help in protecting your infrastructure.

124
Q

Question #22 Topic 2

You create an Azure subscription.

You enable Azure Defender for the subscription.

You need to use Azure Defender to protect on-premises computers.

What should you do on the on-premises computers?

A. Install the Log Analytics agent.

B. Install the Dependency agent.

C. Configure the Hybrid Runbook Worker role.

D. Install the Connected Machine agent.

A

A. Install the Log Analytics agent.

The Log Analytics agent (also referred to as the Microsoft Monitoring Agent or MMA) is essential for sending security logs and performance data from your on-premises computers to Azure. This agent allows Defender for Cloud to monitor, alert, and provide security recommendations for these machines.

125
Q

Question #6 Topic 5

You have 500 on-premises devices.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

You onboard 100 devices to Microsoft Defender 365.

You need to identify any unmanaged on-premises devices. The solution must ensure that only specific onboarded devices perform the discovery.

What should you do first?

A. Create a device group.

B. Create an exclusion.

C. Set Discovery mode to Basic.

D. Create a tag.

A

D. Create a tag.

126
Q

Question #5 Topic 4

You have a Microsoft 365 E5 subscription that uses Microsoft Defender XDR and contains a user named User1.

You need to ensure that User1 can manage Microsoft Defender XDR custom detection rules and Endpoint security policies. The solution must follow the principle of least privilege.

Which role should you assign to User1?

A. Security Administrator

B. Security Operator

C. Cloud Device Administrator

D. Desktop Analytics Administrator

A

A. Security Administrator

This role allows User1 to manage security-related policies and settings without granting excessive permissions.

127
Q

Question #43 Topic 3

You have an Azure subscription that has the enhanced security features in Microsoft Defender for Cloud enabled and contains a user named User1.

You need to ensure that User1 can export alert data from Defender for Cloud. The solution must use the principle of least privilege.

Which role should you assign to User1?

A. User Access Administrator

B. Owner

C. Contributor

D. Reader

A

D. Reader

This role allows User1 to view alert data without granting permissions to modify resources.

128
Q

Question #43 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a user named User1.

You need to ensure that User1 can modify Microsoft Defender for Cloud security policies. The solution must use the principle of least privilege.

Which role should you assign to User1?

A. Security operator

B. Security Admin

C. Owner

D. Contributor

A

B. Security Admin

This role specifically provides permissions to manage security policies and configurations in Microsoft Defender for Cloud.

129
Q

Question #4 Topic 2

You have a Microsoft 365 subscription that uses Azure Defender.

You have 100 virtual machines in a resource group named RG1.

You assign the Security Admin role to a new user named SecAdmin1.

You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege.

Which role should you assign to SecAdmin1?

A. the Security Reader role for the subscription

B. the Contributor for the subscription

C. the Contributor role for RG1

D. the Owner role for RG1

A

C. the Contributor role for RG1

This role allows SecAdmin1 to make necessary changes and apply quick fixes specifically within the resource group RG1, without granting broader permissions at the subscription level.

130
Q

Question #16 Topic 1

Your company deploys the following services:
✑ Microsoft Defender for Identity
✑ Microsoft Defender for Endpoint
✑ Microsoft Defender for Office 365

You need to provide a security analyst with the ability to use the Microsoft 365 security center.

The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege.

Which two roles should you assign to the analyst? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. the Compliance Data Administrator in Azure Active Directory (Azure AD)

B. the Active remediation actions role in Microsoft Defender for Endpoint

C. the Security Administrator role in Azure Active Directory (Azure AD)

D. the Security Reader role in Azure Active Directory (Azure AD)

A

B. the Active remediation actions role in Microsoft Defender for Endpoint

This role specifically allows the analyst to manage active remediation actions, including approving or rejecting pending actions, within Microsoft Defender for Endpoint.

D. the Security Reader role in Azure Active Directory (Azure AD)

131
Q

Question #9 Topic 1

You are investigating a potential attack that deploys a new ransomware strain.

You have three custom device groups. The groups contain devices that store highly sensitive information.

You plan to perform automated actions on all devices.

You need to be able to temporarily group the machines to perform actions on the devices.

Which three actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.

A. Assign a tag to the device group.

B. Add the device users to the admin role.

C. Add a tag to the machines.

D. Create a new device group that has a rank of 1.

E. Create a new admin role.

F. Create a new device group that has a rank of 4.

A

A. Assign a tag to the device group.

C. Add a tag to the machines.

D. Create a new device group that has a rank of 1.

These steps will allow you to create a temporary grouping based on tags and manage the devices effectively during the investigation.

132
Q

Question #12 Topic 4

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint and contains a user named User1 and a Microsoft 365 group named Group1. All users are assigned a Defender for Endpoint Plan 1 license.

You enable Microsoft Defender XDR Unified role-based access control (RBAC) for Endpoints & Vulnerability Management.

You need to ensure that User1 can configure alerts that will send email notifications to Group1. The solution must follow the principle of least privilege.

Which permissions should you assign to User1?

A. Defender Vulnerability Management - Remediation handling

B. Alerts investigation

C. Live response capabilities: Basic

D. Manage security settings

A

D. Manage security settings

This permission allows User1 to configure various security settings within Microsoft Defender for Endpoint, which includes setting up and managing alert notifications. Configuring alerts to send email notifications to a specific group like Group1 falls under the scope of managing security settings.

133
Q

Question #35 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint.

You need to add threat indicators for all the IP addresses in a range of 171.23.34.32-171.23.34.63. The solution must minimize administrative effort.

What should you do in the Microsoft 365 Defender portal?

A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

B. Create an import file that contains the IP address of 171.23.34.32/27. Select Import and import the file.

C. Select Add indicator and set the IP address to 171.23.34.32-171.23.34.63.

D. Select Add indicator and set the IP address to 171.23.34.32/27.

A

A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

134
Q

Question #15 Topic 1

You receive a security bulletin about a potential attack that uses an image file.

You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack.

Which indicator type should you use?

A. a URL/domain indicator that has Action set to Alert only

B. a URL/domain indicator that has Action set to Alert and block

C. a file hash indicator that has Action set to Alert and block

D. a certificate indicator that has Action set to Alert and block

A

C. a file hash indicator that has Action set to Alert and block.

This will specifically target the image file by its hash, allowing you to block it and receive alerts if it is encountered.