Traditional Flashcards

Question 1

Q

Question #61 Topic 3

You have a custom Microsoft Sentinel workbook named Workbook1.

You need to add a grid to Workbook1. The solution must ensure that the grid contains a maximum of 100 rows.

What should you do?

A. In the grid query, include the take operator.

B. In the grid query, include the project operator.

C. In the query editor interface, configure Settings.

D. In the query editor interface, select Advanced Editor.

Answer

A

A. In the grid query, include the take operator.

Here’s why:

take operator: This Kusto Query Language (KQL) operator is used to limit the number of records returned from a query.

Question 2

Q

Question #51 Topic 3

You have an Azure subscription that uses Microsoft Sentinel.

You need to create a custom report that will visualise sign-in information over time.

What should you create first?

A. a hunting query

B. a workbook

C. a notebook

D. a playbook

Answer

A

B. a workbook

Workbooks in Microsoft Sentinel are the primary tool for creating custom visualizations and reports.

Question 3

Q

Question #38 Topic 3

You have a Microsoft Sentinel workspace named workspace1 that contains custom Kusto queries.

You need to create a Python-based Jupyter notebook that will create visuals. The visuals will display the results of the queries and be pinned to a dashboard. The solution must minimize development effort.

What should you use to create the visuals?

A. plotly

B. TensorFlow

C. msticpy

D. matplotlib

Answer

A

C. msticpy

msticpy is a Python library specifically designed for security analysts working in Azure Sentinel (now Microsoft Sentinel) and Azure Notebooks.

Question 4

Q

Question #9 Topic 4 (CHECK)

You have an Azure subscription.

You need to stream the Microsoft Graph activity logs to a third-party security information and event management (SIEM) tool. The solution must minimize administrative effort.

To where should you stream the logs?

A. an Azure Event Hubs namespace

B. an Azure Storage account

C. an Azure Event Grid namespace

D. a Log Analytics workspace

Answer

A

A. an Azure Event Hubs namespace

Azure Event Hubs is the best option for streaming Microsoft Graph activity logs to a third-party SIEM tool.

Question 5

Q

Question #23 Topic 2

A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks.

The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity.

The alerts appear in Azure Security Center.

You need to ensure that the security administrator receives email alerts for all the activities.

What should you configure in the Security Center settings?

A. the severity level of email notifications

B. a cloud connector

C. the Azure Defender plans

D. the integration settings for Threat detection

Answer

A

A. the severity level of email notifications

Azure Security Center (now Microsoft Defender for Cloud) allows you to configure the severity level of email notifications

Question 6

Q

Question #8 Topic 2

Your company uses Azure Security Center and Azure Defender.

The security operations team at the company informs you that it does NOT receive email notifications for security alerts.

What should you configure in Security Center to enable the email notifications?

A. Security solutions

B. Security policy

C. Pricing & settings

D. Security alerts

E. Azure Defender

Answer

A

C. Pricing & settings

To configure email notifications for security alerts in Azure Security Center (now Microsoft Defender for Cloud), you need to go to the Pricing & settings section.

Question 7

Q

Question #15 Topic 5

You have an Azure subscription that contains a Microsoft Sentinel workspace named WS1.

You create a hunting query that detects a new attack vector. The attack vector maps to a tactic listed in the MITRE ATT&CK database.

You need to ensure that an incident is created in WS1 when the new attack vector is detected.

What should you configure?

A. a hunting livestream session

B. a query bookmark

C. a scheduled query rule

D. a Fusion rule

Answer

A

C. a scheduled query rule

To ensure that an incident is automatically created in Microsoft Sentinel when a new attack vector is detected by a query, you need to configure a scheduled query rule.

Question 8

Q

Question #23 Topic 3

You need to visualize Azure Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).

What should you use?

A. notebooks in Azure Sentinel

B. Microsoft Cloud App Security

C. Azure Monitor

D. hunting queries in Azure Sentinel

Answer

A

A. notebooks in Azure Sentinel

Notebooks in Azure Sentinel allow you to visualize data and perform advanced data analysis. They provide the flexibility to integrate with and enrich data from third-party sources, such as threat intelligence feeds, to help identify indicators of compromise (IoCs).

Question 9

Q

Question #41 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft 365 Defender.

You need to review new attack techniques discovered by Microsoft and identify vulnerable resources in the subscription. The solution must minimize administrative effort.

Which blade should you use in the Microsoft 365 Defender portal?

A. Advanced hunting

B. Threat analytics

C. Incidents & alerts

D. Learning hub

Answer

A

B. Threat analytics

The Threat analytics blade in Microsoft 365 Defender provides detailed information about new attack techniques discovered by Microsoft.

Question 10

Q

Question #24 Topic 3

You plan to create a custom Azure Sentinel query that will provide a visual representation of the security alerts generated by Azure Security Center.

You need to create a query that will be used to display a bar graph.
What should you include in the query?

A. extend

B. bin

C. count

D. workspace

Answer

A

C. count (1x)

Question 11

Q

Question #21 Topic 3

You plan to create a custom Azure Sentinel query that will track anomalous Azure Active Directory (Azure AD) sign-in activity and present the activity as a time chart aggregated by day.

You need to create a query that will be used to display the time chart.

What should you include in the query?

A. extend

B. bin

C. makeset

D. workspace

Answer

A

B. bin

To create a custom Azure Sentinel query that tracks anomalous Azure Active Directory (Azure AD) sign-in activity and presents it as a time chart aggregated by day, you should use the bin function.

Question 12

Q

Question #34 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

You plan to create a hunting query from Microsoft Defender.

You need to create a custom tracked query that will be used to assess the threat status of the subscription.

From the Microsoft 365 Defender portal, which page should you use to create the query?

A. Threat analytics

B. Advanced Hunting

C. Explorer

D. Policies & rules

Answer

A

B. Advanced Hunting

In the Microsoft 365 Defender portal, you should use the Advanced Hunting page to create custom tracked queries.

Question 13

Q

Question #54 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to create a query that will link the AlertInfo, AlertEvidence, and DeviceLogonEvents tables. The solution must return all the rows in the tables.

Which operator should you use?

A. search *

B. union kind = inner

C. join kind = inner

D. evaluate hint.remote =

Answer

A

B. union kind = inner

To link multiple tables and return all rows from those tables in Microsoft 365 Defender for Endpoint, you should use the union operator with the kind = inner option.

Question 14

Q

Question #53 Topic 1

You have a Microsoft 365 subscription that uses Microsoft Purview and Microsoft Teams.

You have a team named Team1 that has a project named Project1.

You need to identify any Project1 files that were stored on the team site of Team1 between February 1, 2023, and February 10, 2023.

Which KQL query should you run?

A. (c:c)(Project1)(date=(2023-02-01)..date=(2023-02-10))

B. AuditLogs -
| where FileName contains “Project1”

C. Project1(c:c)(date=2023-02-01..2023-02-10)

D. AuditLogs -
| where Timestamp > ago(10d)
| where FileName contains “Project1”

where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))

Answer

A

C. Project1(c:c)(date=2023-02-01..2023-02-10)

where Timestamp between (datetime(2023-02-01)..datetime(2023-02-10))

Question 15

Q

Question #10 Topic 7 (CHECK)

You have 500 on-premises Windows 11 devices that use Microsoft Defender for Endpoint.

You enable Network device discovery.

You need to create a hunting query that will identify discovered network devices and return the identity of the onboarded device that discovered each network device.

Which built-in function should you use?

A. SeenBy()

B. DeviceFromIP()

C. next()

D. current_cluster_endpoint()

Answer

A

A. SeenBy()

The SeenBy() function is used in Microsoft Defender for Endpoint hunting queries to identify devices that have observed or detected certain network devices.

Question 16

Q

Question #4 Topic 7

Your on-premises network contains an Active Directory Domain Services (AD DS) forest.

You have a Microsoft Entra tenant that uses Microsoft Defender for Identity. The AD DS forest syncs with the tenant.

You need to create a hunting query that will identify LDAP simple binds to the AD DS domain controllers.

Which table should you query?

A. AADServicePrincipalRiskEvents

B. AADDomainServicesAccountLogon

C. SigninLogs

D. IdentityLogonEvents

Answer

A

D. IdentityLogonEvents

To identify LDAP simple binds to the Active Directory Domain Services (AD DS) domain controllers, you should query the IdentityLogonEvents table in Microsoft Defender for Identity.

Question 17

Q

Question #9 Topic 3 (CHECK)

You have an Azure Sentinel workspace.

You need to test a playbook manually in the Azure portal.

From where can you run the test in Azure Sentinel?

A. Playbooks

B. Analytics

C. Threat intelligence

D. Incidents

Answer

A

A. Playbooks (2x)

In the Azure Sentinel workspace, playbooks are essentially Azure Logic Apps used for automation and orchestration. You can manually run or test a playbook from the Playbooks section where you can select your playbook and use the “Run” or “Test” option to execute it.

D. Incidents (1x)

Question 18

Q

Question #78 Topic 3 (CHECK)

You have a Microsoft Sentinel playbook that is triggered by using the Azure Activity connector.

You need to create a new near-real-time (NRT) analytics rule that will use the playbook.

What should you configure for the rule?

A. the incident automation settings

B. the query rule

C. entity mapping

D. the Alert automation settings

Answer

A

D. the Alert automation settings (2x)

To use a playbook with a near-real-time (NRT) analytics rule in Microsoft Sentinel, you need to configure the Alert automation settings.

A. the incident automation settings (1x)

Question 19

Q

Question #3 Topic 6 (CHECK)

You have an Azure subscription that uses Microsoft Sentinel.

You need to minimize the administrative effort required to respond to the incidents and remediate the security threats detected by Microsoft Sentinel.

Which two features should you use? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Microsoft Sentinel workbooks

B. Azure Automation runbooks

C. Microsoft Sentinel automation rules

D. Microsoft Sentinel playbooks

E. Azure Functions apps

Answer

A

C. Microsoft Sentinel automation rules
D. Microsoft Sentinel playbooks

Automation rules in Microsoft Sentinel allow you to automatically trigger actions based on specific incident conditions, reducing manual intervention.

Playbooks in Microsoft Sentinel automate responses to incidents, helping to remediate threats by performing predefined actions, such as sending notifications or interacting with other Azure services.

Question 20

Q

Question #64 Topic 3

You have an Azure subscription that contains a Microsoft Sentinel workspace.

You need to create a playbook that will run automatically in response to a Microsoft Sentinel alert.

What should you create first?

A. a hunting query in Microsoft Sentinel

B. an Azure logic app

C. an automation rule in Microsoft Sentinel

D. a trigger in Azure Functions

Answer

A

B. an Azure logic app

To create a playbook that runs automatically in response to a Microsoft Sentinel alert, you first need to create an Azure Logic App.

Question 21

Q

Question #44 Topic 3 (CHECK)

You have an Azure subscription that contains an Azure logic app named app1 and a Microsoft Sentinel workspace that has an Azure Active Directory (Azure AD) connector.

You need to ensure that app1 launches when Microsoft Sentinel detects an Azure AD-generated alert.

What should you create first?

A. a repository connection

B. a watchlist

C. an analytics rule

D. an automation rule

Answer

A

C. an analytics rule

To ensure that a Logic App (app1) launches when Microsoft Sentinel detects an Azure AD-generated alert, you first need to create an analytics rule.

D. an automation rule (top)

Question 22

Q

Question #28 Topic 3

You are configuring Azure Sentinel.

You need to send a Microsoft Teams message to a channel whenever an incident representing a sign-in risk event is activated in Azure Sentinel.

Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Enable Entity behavior analytics.

B. Associate a playbook to the analytics rule that triggered the incident.

C. Enable the Fusion rule.

D. Add a playbook.

E. Create a workbook.

Answer

A

B. Associate a playbook to the analytics rule that triggered the incident.
D. Add a playbook.

To send a Microsoft Teams message to a channel when an incident is triggered in Azure Sentinel:

Add a playbook (D) that includes the action to send a Microsoft Teams message.
Associate the playbook to the analytics rule (B) that detects the sign-in risk event, so it runs automatically when the incident is triggered.

Question 23

Q

Question #22 Topic 3

You are configuring Azure Sentinel.

You need to send a Microsoft Teams message to a channel whenever a sign-in from a suspicious IP address is detected.

Which two actions should you perform in Azure Sentinel? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. Add a playbook.

B. Associate a playbook to an incident.

C. Enable Entity behavior analytics.

D. Create a workbook.

E. Enable the Fusion rule.

Answer

A

A. Add a playbook.
B. Associate a playbook to an incident.

To send a Microsoft Teams message when a sign-in from a suspicious IP address is detected in Azure Sentinel:

Add a playbook (A) that includes an action to send a message to the Microsoft Teams channel.

Associate the playbook to an incident (B), so the playbook runs when an incident is generated for suspicious sign-ins.

Question 24

Q

Question #6 Topic 3 (CHECK)

You have a playbook in Azure Sentinel.

When you trigger the playbook, it sends an email to a distribution group.

You need to modify the playbook to send the email to the owner of the resource instead of the distribution group.

What should you do?

A. Add a parameter and modify the trigger.

B. Add a custom data connector and modify the trigger.

C. Add a condition and modify the action.

D. Add an alert and modify the action.

Answer

A

C. Add a condition and modify the action.

Here’s what this entails:

Add a condition: You would typically need to add logic or conditions within the playbook to dynamically fetch or determine who the resource owner is. This could involve querying Azure AD or another system where resource ownership is defined.
Modify the action: Change the email action within the playbook to use the resource owner’s email address instead of the static distribution group email. This might involve setting up a variable or parameter at runtime that contains the email address of the resource owner based on the incident or alert details.

A. Add a parameter and modify the trigger. (top)

D. Add an alert and modify the action.

Question 25

Q

Question #32 Topic 3

You create a hunting query in Azure Sentinel.

You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort.

What should you use?

A. a playbook

B. a notebook

C. a livestream

D. a bookmark

Answer

A

C. a livestream

In Azure Sentinel, the livestream feature allows you to continuously run a hunting query in real time and receive immediate notifications in the Azure portal when a match is detected.

Question 26

Q

Question #14 Topic 3

A company uses Azure Sentinel.

You need to create an automated threat response.

What should you use?

A. a data connector

B. a playbook

C. a workbook

D. a Microsoft incident creation rule

Answer

A

B. a playbook

To create an automated threat response in Azure Sentinel, you should use a playbook. Playbooks in Azure Sentinel are Azure Logic Apps that automate responses to security incidents, such as triggering notifications, executing remediation steps, or integrating with other services.

Question 27

Q

Question #4 Topic 3

You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually.

You deploy Azure Sentinel.

You need to use the existing logic app as a playbook in Azure Sentinel.

What should you do first?

A. And a new scheduled query rule.

B. Add a data connector to Azure Sentinel.

C. Configure a custom Threat Intelligence connector in Azure Sentinel.

D. Modify the trigger in the logic app.

Answer

A

D. Modify the trigger in the logic app.

To use the existing Azure Logic App as a playbook in Azure Sentinel, you first need to modify the trigger in the logic app so that it can be triggered by Azure Sentinel alerts. This typically involves changing the logic app’s trigger to a suitable trigger for Azure Sentinel, such as the HTTP request trigger, which allows Azure Sentinel to invoke the playbook in response to specific conditions or alerts. After modifying the trigger, you can then import and configure the playbook within Azure Sentinel.

Question 28

Q

Question #16 Topic 2

You use Azure Defender.

You have an Azure Storage account that contains sensitive information.

You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address.

Which two actions should you perform? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

A. From Azure Security Center, enable workflow automation.

B. Create an Azure logic app that has a manual trigger.

C. Create an Azure logic app that has an Azure Security Center alert trigger.

D. Create an Azure logic app that has an HTTP trigger.

E. From Azure Active Directory (Azure AD), add an app registration.

Answer

A

A. From Azure Security Center, enable workflow automation.
C. Create an Azure logic app that has an Azure Security Center alert trigger.

To run a PowerShell script when someone accesses the Azure Storage account from a suspicious IP address:

Enable workflow automation (A) in Azure Security Center. This allows you to set up automated responses to security alerts.
Create an Azure Logic App with an Azure Security Center alert trigger (C) to respond to alerts from Azure Defender. The Logic App can then run the PowerShell script based on the alert conditions.

Question 29

Q

Question #52 Topic 3 (CHECK)

You have a Microsoft Sentinel workspace.

You receive multiple alerts for failed sign-in attempts to an account.

You identify that the alerts are false positives.

You need to prevent additional failed sign-in alerts from being generated for the account. The solution must meet the following requirements:

Ensure that failed sign-in alerts are generated for other accounts.
Minimize administrative effort

What should do?

A. Modify the analytics rule.

B. Create a watchlist.

C. Add an activity template to the entity behavior.

D. Create an automation rule.

Answer

A

D. Create an automation rule.

An automation rule in Microsoft Sentinel can be configured to automatically handle or suppress alerts based on specific conditions. Here’s how it would meet your needs:

Automation Rule: You can set up an automation rule that checks if the alert is for this particular account and if so, it can close or suppress the alert automatically. This way, alerts for this specific account are managed without affecting alerts generated for other accounts.

A. Modify the analytics rule. (top)

Question 30

Q

Question #22 Topic 6

You have a Microsoft Sentinel workspace named SW1.

In SW1, you investigate an incident that is associated with the following entities:

Host
IP address
User account
Malware name

Which entity can be labeled as an indicator of compromise (IoC) directly from the incident’s page?

A. malware name

B. host

C. user account

D. IP address

Answer

A

D. IP address

In Microsoft Sentinel, the IP address can be labeled as an indicator of compromise (IoC) directly from the incident’s page. IP addresses are commonly used as IoCs to indicate suspicious or malicious activity and can be directly added to the threat intelligence indicators or watchlist for further investigation or automated responses.

Question 31

Q

Question #90 Topic 3

You have a Microsoft Sentinel workspace.

You investigate an incident that has the following entities:
* A user account named User1
* An IP address of 192.168.10.200
* An Azure virtual machine named VM1
* An on-premises server named Server1

You need to label an entity as an indicator of compromise (IoC) directly by using the incidents page.

Which entity can you label?

A. 192.168.10.200

B. VM1

C. Server1

D. User1

Answer

A

A. 192.168.10.200

In Microsoft Sentinel, IP addresses can be labeled as indicators of compromise (IoCs) directly from the incident’s page. While entities like user accounts, virtual machines, and on-premises servers are important in investigations, IP addresses are commonly used as IoCs for detecting and responding to potential threats and can be directly added to threat intelligence indicators or watchlists.

Question 32

Q

Question #85 Topic 3

You have a Microsoft Sentinel workspace.

You enable User and Entity Behavior Analytics (UEBA) by using Audit Logs and Signin Logs.

The following entities are detected in the Azure AD tenant:

App name: App1
IP address: 192.168.1.2
Computer name: Device1
Used client app: Microsoft Edge
Email address: user1@company.com
Sign-in URL: https://www.company.com

Which entities can be investigated by using UEBA?

A. IP address and email address only

B. app name, computer name, IP address, email address, and used client app only

C. IP address only

D. used client app and app name only

Answer

A

B. app name, computer name, IP address, email address, and used client app only

User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel can investigate a range of entities related to user and entity activities. For the entities detected in the Azure AD tenant, UEBA can analyze:

App name (App1)
Computer name (Device1)
IP address (192.168.1.2)
Email address (user1@company.com)
Used client app (Microsoft Edge)

These entities are relevant for UEBA as it helps in identifying anomalous behaviors and potential security threats related to user and entity activities.

Question 33

Q

Question #79 Topic 3

You need to visualize Microsoft Sentinel data and enrich the data by using third-party data sources to identify indicators of compromise (IoC).

What should you use?

A. notebooks in Microsoft Sentinel

B. Microsoft Defender for Cloud Apps

C. Azure Monitor

Answer

A

A. notebooks in Microsoft Sentinel

Notebooks in Microsoft Sentinel allow you to visualize data and enrich it by integrating third-party data sources. They provide a flexible environment to perform complex data analysis, create visualizations, and incorporate external threat intelligence to identify indicators of compromise (IoC) effectively.

Question 34

Q

Question #41 Topic 3

You have a Microsoft Sentinel workspace that contains the following incident.

Brute force attack against Azure Portal analytics rule has been triggered.

You need to identify the geolocation information that corresponds to the incident.

What should you do?

A. From Overview, review the Potential malicious events map.

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.

C. From Incidents, review the details of the AccountCustomEntity entity associated with the incident.

D. From Investigation, review insights on the incident entity.

Answer

A

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident.

To identify the geolocation information for an incident related to a brute force attack, you should review the details of the IPCustomEntity entity associated with the incident. This entity will provide information about the IP address involved, and you can use this IP address to determine the geolocation associated with the attack.

Question 35

Q

Question #27 Topic 3

You are investigating an incident in Azure Sentinel that contains more than 127 alerts.

You discover eight alerts in the incident that require further investigation.

You need to escalate the alerts to another Azure Sentinel administrator.

What should you do to provide the alerts to the administrator?

A. Create a Microsoft incident creation rule

B. Share the incident URL

C. Create a scheduled query rule

D. Assign the incident

Answer

A

D. Assign the incident

To escalate or delegate the investigation of an incident containing multiple alerts to another Azure Sentinel administrator, you should assign the incident to that administrator. This action ensures that the assigned administrator receives notification and can take ownership of the incident for further investigation and resolution.

Question 36

Q

Question #5 Topic 3

Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices.

A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents.

You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning.

What should you include in the recommendation?

A. built-in queries

B. livestream

C. notebooks

D. bookmarks

Answer

A

C. notebooks

Notebooks in Microsoft Sentinel provide a customizable environment where you can use machine learning and data visualization to simplify the investigation of security threats. They allow you to perform advanced analytics, integrate with various data sources, and create visualizations tailored to your specific needs. This can help in handling and interpreting large volumes of incidents from numerous IoT devices, making it easier to identify and infer threats.

Question 37

Q

Question #68 Topic 3

You have a Microsoft Sentinel workspace named Workspace1 and 200 custom Advanced Security Information Model (ASIM) parsers based on the DNS schema.

You need to make the 200 parses available in Workspace1. The solution must minimize administrative effort.

What should you do first?

A. Copy the parsers to the Azure Monitor Logs page.

B. Create a JSON file based on the DNS template.

C. Create an XML file based on the DNS template.

D. Create a YAML file based on the DNS template.

Answer

A

D. Create a YAML file based on the DNS template.

Here’s why:

YAML files are commonly used in Azure for configuration and deployment, including in Microsoft Sentinel for things like parsers, especially when dealing with ASIM (Advanced Security Information Model).
Creating a YAML file allows you to define multiple parsers in a structured format that can be easily imported into Sentinel. This approach is more scalable and less error-prone than manually copying or recreating each parser through the UI or other methods.
Once you have the YAML file with your parsers, you can use Azure’s deployment mechanisms or Sentinel’s import features to apply these configurations, which would significantly reduce the administrative effort compared to manually entering or copying each parser.

Question 38

Q

Question #63 Topic 3

You have a Microsoft Sentinel workspace named Workspace1.

You need to exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser.

What should you create in Workspace1?

A. an analytic rule

B. a watchlist

C. a workbook

D. a hunting query

Answer

A

B. a watchlist

To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create a watchlist in Microsoft Sentinel. Watchlists allow you to specify and manage custom exclusions or include lists that can be used in conjunction with analytic rules and queries to refine the data processed by the ASIM parsers.

Question 39

Q

Question #60 Topic 3

You have a Microsoft Sentinel workspace.

You need to prevent a built-in Advanced Security Information Model (ASIM) parser from being updated automatically.

What are two ways to achieve this goal? Each correct answer presents a complete solution.

NOTE: Each correct selection is worth one point.

A. Create a hunting query that references the built-in parser.

B. Build a custom unifying parser and include the built-in parser version.

C. Redeploy the built-in parser and specify a CallerContext parameter of Any and a SourceSpecificParser parameter of Any.

D. Redeploy the built-in parser and specify a CallerContext parameter of Built-in.

E. Create an analytics rule that includes the built-in parser.

Answer

A

B. Build a custom unifying parser and include the built-in parser version.
E. Create an analytics rule that includes the built-in parser.

Here’s the reasoning:

Building a custom unifying parser (Option B):
This approach allows you to create your own version of the parser that includes the specific version of the built-in parser you want to use.

By doing this, you’re essentially “freezing” the parser at a specific version, preventing automatic updates.

Creating an analytics rule that includes the built-in parser (Option E):
When you create an analytics rule that references a specific version of a built-in parser, it effectively locks that version in place for that
rule.

This ensures that even if the built-in parser is updated, your analytics rule will continue to use the version it was created with.

Question 40

Q

Question #31 Topic 3

You use Azure Sentinel.

You need to use a built-in role to provide a security analyst with the ability to edit the queries of custom Azure Sentinel workbooks. The solution must use the principle of least privilege.

Which role should you assign to the analyst?

A. Azure Sentinel Contributor

B. Security Administrator

C. Azure Sentinel Responder

D. Logic App Contributor

Answer

A

A. Azure Sentinel Contributor

The Azure Sentinel Contributor role allows users to edit and manage queries in custom Azure Sentinel workbooks, among other capabilities. This role aligns with the principle of least privilege by providing the necessary permissions to work with Sentinel resources without granting broader permissions than required.

Question 41

Q

Question #11 Topic 3

Your company uses Azure Sentinel.

A new security analyst reports that she cannot assign and resolve incidents in Azure Sentinel.

You need to ensure that the analyst can assign and resolve incidents. The solution must use the principle of least privilege.

Which role should you assign to the analyst?

A. Azure Sentinel Responder

B. Logic App Contributor

C. Azure Sentinel Contributor

D. Azure Sentinel Reader

Answer

A

A. Azure Sentinel Responder

The Azure Sentinel Responder role is specifically designed to allow users to assign and resolve incidents in Azure Sentinel while adhering to the principle of least privilege. This role provides the necessary permissions for handling incidents without giving broader administrative rights.

Question 42

Q

Question #45 Topic 1

You have a Microsoft 365 E5 subscription that uses Microsoft Defender 365.

You need to ensure that you can investigate threats by using data in the unified audit log of Microsoft Defender for Cloud Apps.

What should you configure first?

A. the User enrichment settings

B. the Azure connector

C. the Office 365 connector

D. the Automatic log upload settings

Answer

A

C. the Office 365 connector

To investigate threats using data from the unified audit log of Microsoft Defender for Cloud Apps, you need to ensure that the Office 365 connector is configured. This connector integrates data from Microsoft 365 services, including the unified audit log, into Microsoft Defender for Cloud Apps, allowing for comprehensive threat investigation and analysis.

Question 43

Q

Question #30 Topic 1

You have a Microsoft 365 subscription that has Microsoft 365 Defender enabled.

You need to identify all the changes made to sensitivity labels during the past seven days.

What should you use?

A. the Incidents blade of the Microsoft 365 Defender portal

B. the Alerts settings on the Data Loss Prevention blade of the Microsoft 365 compliance center

C. Activity explorer in the Microsoft 365 compliance center

D. the Explorer settings on the Email & collaboration blade of the Microsoft 365 Defender portal

Answer

A

C. Activity explorer in the Microsoft 365 compliance center

Activity explorer in the Microsoft 365 compliance center allows you to view and investigate activities related to sensitivity labels, including changes made within a specified timeframe. This tool helps you track modifications and understand user actions related to compliance and data protection policies.

Question 44

Q

Question #31 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

You need to identify all the entities affected by an incident.

Which tab should you use in the Microsoft 365 Defender portal?

A. Investigations

B. Devices

C. Evidence and Response

D. Alerts

Answer

A

C. Evidence and Response

In the Microsoft 365 Defender portal, the Evidence and Response tab provides detailed information about the entities affected by an incident, including associated devices, users, and other relevant data. This tab helps you understand the scope of the incident and plan appropriate response actions.

Question 45

Q

Question #6 Topic 7 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains a macOS device named Device1.

You need to investigate a Defender for Endpoint agent alert on Device1. The solution must meet the following requirements:

Identify all the active network connections on Device1.
Identify all the running processes on Device1.
Retrieve the login history of Device1.
Minimize administrative effort.

What should you do first from the Microsoft Defender portal?

A. From Devices, click Collect investigation package for Device1.

B. From Advanced features in Endpoints, enable Live Response unsigned script execution.

C. From Devices, initiate a live response session on Device1.

D. From Advanced features in Endpoints, disable Authenticated telemetry.

Answer

A

C. From Devices, initiate a live response session on Device1.

Initiating a live response session from the Microsoft Defender portal allows you to interact with Device1 in real-time. This session enables you to execute commands and retrieve information such as active network connections, running processes, and login history, meeting the investigation requirements with minimal administrative effort.

Question 46

Q

Question #9 Topic 6 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender for Endpoint Plan 2 and contains 1,000 Windows devices.

You have a PowerShell script named Script1.ps1 that is signed digitally.

You need to ensure that you can run Script1.ps1 in a live response session on one of the devices.

What should you do first from the live response session?

A. Run the library command.

B. Upload Script1.ps1 to the library.

C. Run the putfile command.

D. Modify the PowerShell execution policy of the device.

Answer

A

B. Upload Script1.ps1 to the library.

To run a PowerShell script like Script1.ps1 in a live response session, you first need to upload the script to the library within the live response session. Once the script is in the library, you can then execute it on the device. This ensures that the script is available for execution during the session.

Question 47

Q

Question #7 Topic 5

You have a Microsoft 365 E5 subscription that contains a device named Device1. Device1 is enrolled in Microsoft Defender for Endpoint.

Device1 reports an incident that includes a file named File1.exe as evidence.

You initiate the Collect Investigation Package action and download the ZIP file.

You need to identify the first and last time File1.exe was executed.

What should you review in the investigation package?

A. Processes

B. Autoruns

C. Security event log

D. Scheduled tasks

E. Prefetch files

Answer

A

E. Prefetch files

Prefetch files in Windows contain data about the execution history of applications, including timestamps of when an executable file was first and last run. By analyzing these files, you can determine the execution times for File1.exe.

Question 48

Q

Question #40 Topic 1

You have a Microsoft 365 subscription that uses Microsoft 365 Defender.

A remediation action for an automated investigation quarantines a file across multiple devices.

You need to mark the file as safe and remove the file from quarantine on the devices.

What should you use in the Microsoft 365 Defender portal?

A. From the History tab in the Action center, revert the actions.

B. From the investigation page, review the AIR processes.

C. From Quarantine from the Review page, modify the rules.

D. From Threat tracker, review the queries.

Answer

A

A. From the History tab in the Action center, revert the actions.

The History tab in the Action center allows you to review past actions taken by automated investigations, and you can revert these actions if necessary. This would include marking the file as safe and removing it from quarantine.

Question 49

Q

Question #58 Topic 1

You have a Microsoft 365 E5 subscription that contains 100 Linux devices. The devices are onboarded to Microsoft Defender 365.

You need to initiate the collection of investigation packages from the devices by using the Microsoft 365 Defender portal.

Which response action should you use?

A. Run antivirus scan

B. Initiate Automated Investigation

C. Collect investigation package

D. Initiate Live Response Session

Answer

A

C. Collect investigation package

This action will gather all relevant forensic data from the devices, which is essential for further analysis and investigation.

Question 50

Q

Question #55 Topic 1

You have a Microsoft 365 E5 subscription that contains 100 Windows 10 devices.

You onboard the devices to Microsoft Defender 365.

You need to ensure that you can initiate remote shell connections to the onboarded devices from the Microsoft 365 Defender portal.

What should you do first?

A. Modify the permissions for Microsoft 365 Defender.

B. Create a device group.

C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.

D. Configure role-based access control (RBAC).

Answer

A

C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation.

Enabling automated investigation is a necessary step to use advanced features, including remote shell capabilities, in Microsoft Defender for Endpoint.

Question 51

Q

Question #50 Topic 1 (CHECK)

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Endpoint.

You need to identify any devices that triggered a malware alert and collect evidence related to the alert. The solution must ensure that you can use the results to initiate device isolation for the affected devices.

What should you use in the Microsoft 365 Defender portal?

A. incidents

B. Remediation

C. Investigations

D. Advanced hunting

Answer

A

D. Advanced hunting: This is a powerful tool for querying and analyzing data but is more suited for custom queries rather than quickly identifying affected devices from malware alerts.

Question 52

Q

Question #18 Topic 6

You have a Microsoft 365 subscription that uses Microsoft Defender XDR.

You need to identify all the entities affected by an incident.

Which tab should you use in the Microsoft Defender portal?

A. Investigations

B. Assets

C. Evidence and Response

D. Alerts

Answer

A

C. Evidence and Response

The “Evidence and Response” tab provides details about the affected entities and allows you to view and manage the evidence related to an incident.

Question 53

Q

Question #17 Topic 6 (CHECK)

You have a Microsoft 365 subscription that uses Microsoft Defender XDR and contains a Windows device named Device1.

The timeline of Device1 includes three files named File1.ps1, File2.exe, and File3.dll.

You need to submit files for deep analysis in Microsoft Defender XDR.

Which files can you submit?

A. File1.ps1 only

B. File2.exe only

C. File3.dll only

D. File2.exe and File3.dll only

E. File1.ps1 and File2.exe only

F. File1.ps1, File2.exe, and File3.dll

Answer

A

D. File2.exe and File3.dll only

Here’s the reasoning:

File Types: According to the submission guidelines, Microsoft Defender XDR supports the submission of Portable Executable (PE) files, which include .exe and .dll files. Therefore:
File2.exe (an executable file) is eligible for submission.

File3.dll (a dynamic link library file) is also eligible for submission.
File1.ps1: This is a PowerShell script file. While PowerShell scripts can be submitted for analysis, they are not categorized as PE files and may not be supported in the same manner as .exe and .dll files for deep analysis in this context.

Question 54

Q

Question #39 Topic 1

Your company has an on-premises network that uses Microsoft Defender for Identity.

The Microsoft Secure Score for the company includes a security assessment associated with unsecure Kerberos delegation.

You need remediate the security risk.

What should you do?

A. Disable legacy protocols on the computers listed as exposed entities.

B. Enforce LDAP signing on the computers listed as exposed entities.

C. Modify the properties of the computer objects listed as exposed entities.

D. Install the Local Administrator Password Solution (LAPS) extension on the computers listed as exposed entities.

Answer

A

C. Modify the properties of the computer objects listed as exposed entities.

In the context of Kerberos delegation, this typically involves configuring the delegation settings in Active Directory to ensure that only secure delegation configurations are applied. This can involve setting delegation to “Trust this computer for delegation to specified services only” and choosing the appropriate services or “Do not trust this computer for delegation.”

Question 55

Q

Question #5 Topic 6

You have an on-premises network.

You have a Microsoft 365 E5 subscription that uses Microsoft Defender for Identity.

From the Microsoft Defender portal, you investigate an incident on a device named Device1 of a user named User1. The incident contains the following Defender for Identity alert.

Suspected identity theft (pass-the-ticket) (external ID 2018)

You need to contain the incident without affecting users and devices. The solution must minimize administrative effort.

What should you do?

A. Disable User1 only.

B. Quarantine Device1 only.

C. Reset the password for all the accounts that previously signed in to Device1.

D. Disable User1 and quarantine Device1.

E. Disable User1, quarantine Device1, and reset the password for all the accounts that previously signed in to Device1.

Answer

A

B. Quarantine Device1 only.

Quarantining Device1 will isolate the device from the network to prevent further potential spread of the attack or misuse while minimizing impact on other users and systems. Disabling User1 or resetting passwords may be required later, but quarantining the device is a more immediate and less disruptive containment measure.

Question 56

Q

Question #1 Topic 5

You have a Microsoft 365 subscription that contains the following resources:

100 users that are assigned a Microsoft 365 E5 license
100 Windows 11 devices that are joined to the Microsoft Entra tenant

The users access their Microsoft Exchange Online mailbox by using Outlook on the web.

You need to ensure that if a user account is compromised, the Outlook on the web session token can be revoked. What should you configure?

A. security defaults in Microsoft Entra

B. Microsoft Entra Verified ID

C. a Conditional Access policy in Microsoft Entra

D. Microsoft Entra ID Protection

Answer

A

C. a Conditional Access policy in Microsoft Entra

Here’s why:

Conditional Access policies in Microsoft Entra ID (formerly Azure AD) allow you to implement automated access control decisions for accessing your cloud apps, including Exchange Online through Outlook on the web. You can set up policies that respond to signs of a compromised account by enforcing actions like forcing re-authentication or blocking access entirely.

Specifically, Conditional Access can be configured to use signals from Microsoft Entra ID Protection to detect risk, but the policy itself is what enforces the session control or revocation of access.

Question 57

Q

Question #44 Topic 2

You have an Azure subscription that contains a user named User1.

User1 is assigned an Azure Active Directory Premium Plan 2 license.

You need to identify whether the identity of User1 was compromised during the last 90 days.

What should you use?

A. the risk detections report

B. the risky users report

C. Identity Secure Score recommendations

D. the risky sign-ins report

Answer

A

B. the risky users report

The risky users report in Azure AD provides information about users who have been flagged as risky based on various risk detections. This report can help you determine if User1’s identity was compromised or if there were any suspicious activities related to their account.

Question 58

Q

Question #32 Topic 1 (CHECK)

You have a Microsoft 365 E5 subscription that is linked to a hybrid Azure AD tenant.

You need to identify all the changes made to Domain Admins group during the past 30 days.

What should you use?

A. the Modifications of sensitive groups report in Microsoft Defender for Identity

B. the identity security posture assessment in Microsoft Defender for Cloud Apps

C. the Azure Active Directory Provisioning Analysis workbook

D. the Overview settings of Insider risk management

Answer

A

A. the Modifications of sensitive groups report in Microsoft Defender for Identity

This report provides details about changes to sensitive groups, including the Domain Admins group, and helps track modifications and potentially suspicious activities related to group memberships.

Question 59

Q

Question #89 Topic 3 (CHECK)

You have a Microsoft Sentinel workspace that uses the Microsoft 365 Defender data connector.

From Microsoft Sentinel, you investigate a Microsoft 365 incident.

You need to update the incident to include an alert generated by Microsoft Defender for Cloud Apps.

What should you use?

A. the entity side panel of the Timeline card in Microsoft Sentinel

B. the Timeline tab on the incidents page of Microsoft Sentinel

C. the investigation graph on the incidents page of Microsoft Sentinel

D. the Alerts page in the Microsoft 365 Defender portal

Answer

A

A. the entity side panel of the Timeline card in Microsoft Sentinel

Question 60

Q

Question #67 Topic 3

You have an Azure subscription that contains a Microsoft Sentinel workspace. The workspace contains a Microsoft Defender for Cloud data connector.

You need to customize which details will be included when an alert is created for a specific event.

What should you do?

A. Enable User and Entity Behavior Analytics (UEBA).

B. Create a Data Collection Rule (DCR).

C. Modify the properties of the connector.

D. Create a scheduled query rule.

Answer

A

D. Create a scheduled query rule.

Here’s why:

Scheduled query rules in Microsoft Sentinel allow you to define custom detection rules. When you create these rules, you specify the conditions for generating alerts and can customize what information is included in those alerts. This includes defining the severity, the alert details, entity mapping, and other relevant information.

Question 61

Q

Question #40 Topic 2

You have an Azure subscription that has Microsoft Defender for Cloud enabled.

You have a virtual machine that runs Windows 10 and has the Log Analytics agent installed.

You need to simulate an attack on the virtual machine that will generate an alert.

What should you do first?

A. Run the Log Analytics Troubleshooting Tool.

B. Copy and executable and rename the file as ASC_AlertTest_662jfi039N.exe.

C. Modify the settings of the Microsoft Monitoring Agent.

D. Run the MMASetup executable and specify the –foo argument.

Answer

A

B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe.

This option involves creating a file with a name that triggers test alerts in Microsoft Defender for Cloud, allowing you to simulate an attack and generate an alert for testing purposes.

Question 62

Q

Question #36 Topic 2

You plan to review Microsoft Defender for Cloud alerts by using a third-party security information and event management (SIEM) solution.

You need to locate alerts that indicate the use of the Privilege Escalation MITRE ATT&CK tactic.

Which JSON key should you search?

A. Description

B. Intent

C. ExtendedProperies

D. Entities

Answer

A

B. Intent

The Intent key typically contains information about the type of attack or tactic being executed, such as Privilege Escalation, which aligns with MITRE ATT&CK tactics.

Question 63

Q

Question #34 Topic 2

You have an Azure subscription that uses Microsoft Defender for Cloud and contains a storage account named storage1.

You receive an alert that there was an unusually high volume of delete operations on the blobs in storage1.

You need to identify which blobs were deleted.

What should you review?

A. the activity logs of storage1

B. the Azure Storage Analytics logs

C. the alert details

D. the related entities of the alert

Answer

A

B. the Azure Storage Analytics logs

Azure Storage Analytics logs provide detailed information about operations performed on the storage account, including blob delete operations.

Question 64

Q

Question #19 Topic 2

You use Azure Security Center.

You receive a security alert in Security Center.

You need to view recommendations to resolve the alert in Security Center.

What should you do?

A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section.

B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.

C. From Regulatory compliance, download the report.

D. From Recommendations, download the CSV report.

Answer

A

B. From Security alerts, select Take Action, and then expand the Mitigate the threat section.

This will provide you with specific recommendations and steps to address and resolve the security alert.

Answer 65

A

A. Key Vault firewalls and virtual networks

Configuring Key Vault firewalls and virtual networks allows you to restrict access to the Key Vault to only specific IP addresses or ranges, including denying access from unwanted sources like Tor exit nodes. This enhances security by controlling which networks or IP addresses can interact with the Key Vault.

While Azure AD permissions, RBAC, and access policy settings are important for managing who can access the Key Vault and what actions they can perform, controlling network access with firewalls and virtual networks specifically addresses the threat of unauthorized access attempts from external sources.

Answer 66

A

A. cp /bin/echo ./asc_alerttest_662jfi039n

D. ./asc_alerttest_662jfi039n testing eicar pipe

Here’s the reasoning:

A. This command copies echo to a new file named asc_alerttest_662jfi039n. The filename asc_alerttest_662jfi039n is specifically recognized by Azure Defender as a test file meant to trigger a benign alert for testing purposes.

D. Running this command with the testing eicar pipe argument simulates an action akin to testing with the EICAR test file, a standard method to check if security software is functioning by pretending to deal with a harmless virus signature. This command, when executed with this specific file name, should trigger an alert in Azure Defender.

Answer 67

A

C. Medium

Here’s why:

Medium severity often captures alerts that are suspicious and require investigation but are not necessarily immediately critical or high-risk in every context. Alerts regarding unusual access patterns or behaviors, like the ones listed, would usually fall into this category because they indicate potential security issues that should be investigated to determine if they are indeed malicious or just anomalies.

Answer 68

A

D. an insider risk policy

Here’s why:

Insider risk policies in Microsoft 365 are designed to detect, investigate, and act on risky activities within your organization, including unusual data access or download patterns by users. This includes behavior that might be indicative of data exfiltration or other insider threats, which would cover scenarios where users download large amounts of data before leaving the organization or having their accounts deleted.

Answer 69

A

A. Review the Events tab of the alert

Here’s why:

The Events tab provides detailed information about each event that triggered the alert. This includes specifics like which files or items were involved, who the actors were (users), what actions were taken (e.g., sharing, downloading), and other contextual details that help you understand which entities were impacted by the policy violation.

Answer 70

A

A. Fusion

Fusion rules in Microsoft Sentinel are designed to detect advanced multistage attacks by correlating multiple alerts and activities across various sources. They help in identifying complex attack patterns that span multiple stages, which aligns with the requirement of detecting advanced multistage attacks.

Answer 71

A

D. Create an Azure AD Identity Protection connector.
Azure AD Identity Protection will help in identifying and reacting to identity-based risks. Since you are looking for suspicious sign-ins, this connector will provide insights into risky users, sign-in activities, and vulnerabilities, which can be correlated with Office 365 activities in Fusion rules.

A. Create a custom rule based on the Office 365 connector templates.
By creating a custom rule using the templates from the Office 365 connector, you can tailor the detection to look for anomalous activities specific to your environment. This custom rule can work in conjunction with the Fusion engine to analyze patterns that include both Azure AD sign-in data and Office 365 activity.

Answer 72

A

B. Add data connectors

Fusion rules rely on data from various sources connected to Azure Sentinel. If the necessary data connectors are not configured or not collecting data, the Fusion rule won’t generate alerts. Adding the appropriate data connectors ensures that the necessary data is available for the rule to analyze and generate alerts.

Answer 73

A

C. Analytics

In Microsoft Sentinel, the Analytics section provides an overview of the different analytics rules, including anomaly detection rules. Here, you can see which rules are enabled and their configurations.

Answer 74

A

B. Add a data connector
C. Create an analytics rule

Add a data connector: You need to ensure that you have the appropriate data connector in place to collect logs related to Azure Storage. This is typically the Azure Storage data connector.

Create an analytics rule: Set up an analytics rule in Azure Sentinel to monitor the collected data for events related to the enumeration of Azure Storage account keys. This rule will generate alerts based on the conditions you specify.

Answer 75

A

C. a UEBA activity template

User and Entity Behavior Analytics (UEBA) templates in Microsoft Sentinel are designed to simplify the detection of specific behaviors, including failed sign-ins, by leveraging pre-built analytics rules. These templates use machine learning and behavioral analysis to detect anomalies and suspicious activities, such as failed interactive sign-ins.

Answer 76

A

A. Create an analytics rule.

Analytics rules in Microsoft Sentinel allow you to automate the detection of specific threats or anomalies, turning hunting queries into actionable detections that generate alerts automatically. This approach minimizes manual effort and ensures that threats are detected consistently based on the defined criteria.

Answer 77

A

A. The rule query takes too long to run and times out.
If the query is too complex or if it’s querying a very large dataset, it might exceed the runtime limits imposed by Azure Sentinel, causing the rule to fail intermittently. Optimizing the query or breaking it down into smaller, more efficient queries could mitigate this issue.

D. There are connectivity issues between the data sources and Log Analytics

Answer 78

A

B. The number of alerts exceeded 10,000 within two minutes.

Here’s why:

Azure Sentinel has built-in mechanisms to manage system performance and resource utilization. If an analytics rule generates an excessive number of alerts in a very short time frame (specifically, if it exceeds 10,000 alerts within two minutes), Sentinel will automatically disable the rule to prevent overwhelming the system or the security operations team with too many alerts. This is a protective measure to ensure that both the Sentinel workspace and the analysts using it can operate effectively.

Answer 79

A

B. Change the state of the suppression rule to Disabled.

Explanation:
Suppression rules in Azure Security Center are used to prevent specific alerts from being raised for certain resources (such as virtual machines). If you have a suppression rule applied to the 10 virtual machines, those alerts will not show up in Security Center. To troubleshoot and view the alerts, you need to disable the suppression rule temporarily. This will allow Security Center to display the previously suppressed alerts for the virtual machines.

Answer 80

A

A. Create an Azure Policy assignment.

Reasoning:

Central Management: Azure Policy allows you to enforce organizational standards and assess compliance at scale. By creating a policy assignment at the root management group level, it applies to all subscriptions and resources under that management group, which aligns with the requirement to minimize administrative effort across multiple subscriptions.

Alert Suppression: Although Azure Policy isn’t specifically designed for alert suppression, you can use it in conjunction with Defender for Cloud’s capabilities. For instance, you might create a policy that defines when certain alerts should be ignored or how they should be treated based on specific conditions.

Automation: Azure Policy can automate many management tasks, making it an ideal choice for maintaining consistency and control across environments.

Answer 81

A

C. On VM1, trigger a PowerShell alert.

Explanation:
Before you can create a suppression rule for specific alerts, you need the alert to be triggered at least once so that it appears in the Microsoft Defender for Cloud alert list. This will allow you to identify the specific alert (e.g., PowerShell-related) and configure a suppression rule for it.

Answer 82

A

B. Hide the alert.
D. Create a suppression rule scoped to a device group.
E. Generate the alert.

Explanation:
B. Hide the alert: Hiding the alert will ensure that it does not appear in the Alerts queue but still allows other similar alerts to be monitored if they occur on devices outside of the accounting team.

D. Create a suppression rule scoped to a device group: Since the false positives are occurring on the devices used by the accounting team, you can create a suppression rule that is scoped to only those devices. This ensures that the false positives for these known cases are suppressed while maintaining security on other devices.

E. Generate the alert: You need to generate the alert to capture the details of the false positive and apply the suppression rule correctly.

Answer 83

A

E. File1.sys, File2.pdf, File3.docx, and File4.xlsx

Explanation:
Indicator hashes (such as MD5, SHA-1, or SHA-256) can be used to block files based on their unique cryptographic hashes. This functionality applies to all types of files, including:

File1.sys (System file)
File2.pdf (PDF file)
File3.docx (Word document)
File4.xlsx (Excel document)

Or D

Answer 84

A

A. Create an exclusion tag.

This approach minimizes administrative effort by allowing you to tag Server1 as an exclusion, preventing it from being scanned without needing to upgrade or create additional governance rules.

Answer 85

A

A. at the subscription level

Enabling Azure Defender at the subscription level allows you to apply the security features, including JIT access and network detections, across all relevant resources within that subscription.

Answer 86

A

A. Microsoft Defender for Resource Manager
This service helps detect exploitation toolkits in declarative templates and provides security recommendations for resource templates.

E. Microsoft Defender for DevOps
This service addresses vulnerabilities within application source code and helps manage exposed secrets, providing security insights in your DevOps pipelines.

Answer 87

A

A. custom network indicators

Custom network indicators allow you to define specific IP addresses, IP ranges, or URLs that you want to block or allow. This feature is part of the attack surface reduction capabilities in Microsoft Defender for Endpoint, enabling you to control network traffic based on predefined rules.

Answer 88

A

B. attack surface reduction rules in Microsoft Defender for Endpoint

These rules can help prevent specific actions, such as blocking Excel macros from untrusted sources, preventing the opening of executable attachments in Outlook, and addressing Outlook rules and forms exploits.

Answer 89

A

C. Activity from infrequent country

Activity from infrequent country anomaly detection policy flags sign-ins from countries where sign-ins are rare or have never occurred before for your organization. This policy helps in detecting unusual geographic activity, which aligns with your requirement of monitoring sign-ins from locations not typically used by your users.

Answer 90

A

A. the Threat Protection Status report in Microsoft Defender for Office 365

The Threat Protection Status report provides detailed information on various threat protection activities, including actions taken by ZAP. This report can show which messages were purged due to ZAP, giving insight into when and why emails were removed from mailboxes.

Answer 91

A

C. a named location

By defining a named location for your office in Istanbul and then configuring conditional access policies to require MFA for sign-ins that occur outside this location, you can effectively enforce MFA for remote users.

Answer 92

A

A. Dynamic Delivery

Dynamic Delivery in Safe Attachments allows attachments to be delivered to the recipient immediately, with the scanning process happening in the background. If malware is detected later, the email can be removed from the recipient’s mailbox or other actions can be taken. This approach balances the need for prompt delivery with thorough security checks, which is ideal for reducing perceived delivery delays.

Answer 93

A

D. RegEx pattern matching

RegEx (Regular Expression) pattern matching allows you to define precise patterns for what constitutes sensitive information. In this case, you can create a regular expression that matches strings of 32 alphanumeric characters, which would be used to identify the customer account numbers. This approach is highly customizable and can be integrated into DLP policies to detect when such patterns appear in documents, emails, or other content.

Answer 94

A

D. From Cloud apps, select Files, and then filter App to Office 365.

E. From Cloud apps, select Files, and then select New policy from search.

Creating a new policy from search allows you to define specific conditions under which alerts should be generated and remediation actions taken. This includes setting up rules for external sharing of files labeled as confidential or sensitive.

Answer 95

A

A. Configure automatic data enrichment.
B. Add the IP addresses to the corporate address range category.

Here’s why these are the best choices:

Configure automatic data enrichment (A):
This allows Cloud App Security to automatically enrich IP address data with additional context, which can help in more accurately identifying legitimate corporate traffic versus truly suspicious activity.

Add the IP addresses to the corporate address range category (B):
By explicitly defining the IP ranges of your corporate offices as “corporate” in Cloud App Security, you’re telling the system that traffic from these IPs should be considered trusted. This will significantly reduce false positive alerts for impossible travel and risky IP addresses when the traffic is actually coming from your known office locations.

Answer 96

A

E. From Settings, select Information Protection, select Files, and then enable file monitoring.

D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.

Answer 97

A

B. Common

The Common event set is designed to capture essential events, including user sign-in and sign-out, without overwhelming the system with unnecessary logs.

Answer 98

A

A. Configure the Advanced Audit Policy Configuration settings for the domain controllers.

D. Configure Windows Event Forwarding on the domain controllers.

These actions will help you collect the necessary audit logs for monitoring changes to sensitive groups in Active Directory.

Answer 99

A

A. From Defender for Cloud, modify Microsoft Defender for Servers plan settings.

This action allows you to configure the necessary settings for collecting security logs from your virtual machines and directing them to the specified Log Analytics workspace.

Answer 100

A

A. From the workspace created by Defender for Cloud, set the data collection level to Common.

E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines.

These actions will ensure that necessary data is collected efficiently and with minimal administrative overhead.

Answer 101

A

A. From Security Center, enable data collection.

This action will ensure that security event logs from your virtual machines are collected and sent to the configured Log Analytics workspace.

Answer 102

A

C. a Common Evert Format (CEF) connector

Answer 103

A

B. Configure the Diagnostics settings in Azure AD to stream to an event hub.

Streaming Azure AD diagnostics logs to an Event Hub allows for near real-time data transmission. From the event hub, you can then configure your SIEM solution to ingest this data. Event Hubs are designed for high-throughput, real-time data ingestion, making them ideal for scenarios where timely alerts are crucial.

Answer 104

A

B. Create a query that uses the workspace expression and the union operator.

The workspace() function in Azure Sentinel allows you to specify which workspace’s data you want to query. By using the union operator, you can combine data from multiple workspaces. This would be key in searching across all your subscription’s workspaces simultaneously.

E. Add the Azure Sentinel solution to each workspace.

Each Log Analytics workspace needs to have the Azure Sentinel solution added to it. This step enables these workspaces to be queried by Azure Sentinel. Even though the Sentinel workspace itself is in a new subscription, data from other workspaces can be queried if the right permissions and configurations are in place.

Answer 105

A

A. Microsoft Sentinel Contributor

The Microsoft Sentinel Contributor role provides permissions to manage all aspects of Microsoft Sentinel, including workbooks, analytics rules, data connectors, and other Sentinel features. This role allows User1 to create, edit, and manage Sentinel workbooks without granting broader access to resources outside of Sentinel.

Answer 106

A

C. Add Azure Sentinel to a workspace.

This step allows you to link the Azure Sentinel instance with the Log Analytics workspace, enabling you to run queries and set up analytics rules.

Answer 107

A

A. Microsoft Sentinel - Incidents

This page consolidates incidents from all linked workspaces, allowing you to manage and view them in one place.

Answer 108

A

B. Enable the Key Vault firewall.

Enabling the firewall will restrict access to the Key Vault to only trusted IP addresses, minimizing the risk of unauthorized access while allowing legitimate users to access it if their IPs are whitelisted.

Answer 109

A

B. Azure Policy

Azure Policy allows you to define policies that can enforce configurations across your resources, including settings for Microsoft Defender for Cloud’s JIT VM access. You can create or assign a policy that limits JIT access to only RDP, and configure the maximum session time to two hours. This approach minimizes administrative effort as you can apply the policy to the entire resource group at once.

Answer 110

A

B. Enable the Cloud Security Posture Management (CSPM) plan for the subscription.

Enabling the CSPM plan will allow you to add more industry and regulatory standards, including the PCI DSS initiative, to your Defender for Cloud environment.

Answer 111

A

C. From Defender for Cloud, configure the AWS connector.
E. From Defender for Cloud, configure auto-provisioning.

Here’s why these actions are appropriate:

Configure the AWS Connector (C):
Setting up the AWS connector is essential for integrating your AWS environment with Microsoft Defender for Cloud. This step allows Defender for Cloud to access and manage resources in your AWS account.
The connector facilitates communication between Azure and AWS, enabling Defender for Cloud to monitor and protect your AWS resources, including the Windows Server virtual machines.

Configure Auto-Provisioning (E):
Enabling auto-provisioning allows Defender for Cloud to automatically install the necessary agents on your EC2 instances. This minimizes administrative effort by automating the deployment process.
Auto-provisioning ensures that all relevant security features, including those provided by Microsoft Defender for Servers, are consistently applied to your virtual machines without requiring manual intervention.

Answer 112

A

B. Create a Microsoft 365 app connector.

This will allow you to link your Microsoft 365 environment with Cloud Discovery, enabling the association of usernames with UPNs.

Answer 113

A

C. Add an environment.

Answer 114

A

C. Azure Event Hubs.

Azure Event Hubs allows for real-time data streaming and is suitable for integrating with SIEM solutions.

Answer 115

A

C. the Azure Connected Machine agent.

This agent enables you to connect your non-Azure machines to Azure and use Defender for Cloud capabilities.

Answer 116

A

B. the Azure Connected Machine agent.

This agent allows non-Azure machines, such as AWS EC2 instances, to connect to Defender for Cloud and leverage its security capabilities.

Answer 117

A

C. the Azure Arc agent.

The Azure Arc agent allows non-Azure resources to be managed and monitored within Azure, enabling Defender for Cloud capabilities.

Answer 118

A

C. the Azure Connected Machine agent.

Here’s why this is the correct choice:
Integration with Azure Services: The Azure Connected Machine agent is specifically designed to connect machines hosted outside of Azure (like your on-premises Linux servers) to Azure services, including Microsoft Defender for Cloud. This integration allows you to manage and monitor your Linux servers through Azure.
Log Collection and Vulnerability Assessment: Installing the Azure Connected Machine agent enables Defender for Cloud to collect logs from your Linux servers and perform vulnerability assessments, which are essential for maintaining security compliance.
Management and Security Features: Once the Azure Connected Machine agent is installed, you can leverage various Defender for Cloud features, such as security recommendations and alerts, which help in protecting your infrastructure.

Answer 119

A

A. Install the Log Analytics agent.

The Log Analytics agent (also referred to as the Microsoft Monitoring Agent or MMA) is essential for sending security logs and performance data from your on-premises computers to Azure. This agent allows Defender for Cloud to monitor, alert, and provide security recommendations for these machines.

Answer 120

A

D. Create a tag.

Answer 121

A

A. Security Administrator

This role allows User1 to manage security-related policies and settings without granting excessive permissions.

Answer 122

A

D. Reader

This role allows User1 to view alert data without granting permissions to modify resources.

Answer 123

A

B. Security Admin

This role specifically provides permissions to manage security policies and configurations in Microsoft Defender for Cloud.

Answer 124

A

C. the Contributor role for RG1

This role allows SecAdmin1 to make necessary changes and apply quick fixes specifically within the resource group RG1, without granting broader permissions at the subscription level.

Answer 125

A

B. the Active remediation actions role in Microsoft Defender for Endpoint

This role specifically allows the analyst to manage active remediation actions, including approving or rejecting pending actions, within Microsoft Defender for Endpoint.

D. the Security Reader role in Azure Active Directory (Azure AD)

Answer 126

A

A. Assign a tag to the device group.

C. Add a tag to the machines.

D. Create a new device group that has a rank of 1.

These steps will allow you to create a temporary grouping based on tags and manage the devices effectively during the investigation.

Answer 127

A

D. Manage security settings

This permission allows User1 to configure various security settings within Microsoft Defender for Endpoint, which includes setting up and managing alert notifications. Configuring alerts to send email notifications to a specific group like Group1 falls under the scope of managing security settings.

Answer 128

A

A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

Answer 129

A

C. a file hash indicator that has Action set to Alert and block.

This will specifically target the image file by its hash, allowing you to block it and receive alerts if it is encountered.

Brainscape's Knowledge GenomeTM

Traditional Flashcards

Brainscape's Knowledge Genome^TM