Traditional Flashcards

Question

Question #32 Topic 3 You create a hunting query in Azure Sentinel. You need to receive a notification in the Azure portal as soon as the hunting query detects a match on the query. The solution must minimize effort. What should you use? A. a playbook B. a notebook C. a livestream D. a bookmark

Answer 1

C. a livestream In Azure Sentinel, the livestream feature allows you to continuously run a hunting query in real time and receive immediate notifications in the Azure portal when a match is detected.

Answer 2

B. a playbook To create an automated threat response in Azure Sentinel, you should use a playbook. Playbooks in Azure Sentinel are Azure Logic Apps that automate responses to security incidents, such as triggering notifications, executing remediation steps, or integrating with other services.

Answer 3

D. Modify the trigger in the logic app. To use the existing Azure Logic App as a playbook in Azure Sentinel, you first need to modify the trigger in the logic app so that it can be triggered by Azure Sentinel alerts. This typically involves changing the logic app's trigger to a suitable trigger for Azure Sentinel, such as the HTTP request trigger, which allows Azure Sentinel to invoke the playbook in response to specific conditions or alerts. After modifying the trigger, you can then import and configure the playbook within Azure Sentinel.

Answer 4

A. From Azure Security Center, enable workflow automation. C. Create an Azure logic app that has an Azure Security Center alert trigger. To run a PowerShell script when someone accesses the Azure Storage account from a suspicious IP address: Enable workflow automation (A) in Azure Security Center. This allows you to set up automated responses to security alerts. Create an Azure Logic App with an Azure Security Center alert trigger (C) to respond to alerts from Azure Defender. The Logic App can then run the PowerShell script based on the alert conditions.

Answer 5

D. Create an automation rule. An automation rule in Microsoft Sentinel can be configured to automatically handle or suppress alerts based on specific conditions. Here's how it would meet your needs: Automation Rule: You can set up an automation rule that checks if the alert is for this particular account and if so, it can close or suppress the alert automatically. This way, alerts for this specific account are managed without affecting alerts generated for other accounts. A. Modify the analytics rule. (top)

Answer 6

D. IP address In Microsoft Sentinel, the IP address can be labeled as an indicator of compromise (IoC) directly from the incident's page. IP addresses are commonly used as IoCs to indicate suspicious or malicious activity and can be directly added to the threat intelligence indicators or watchlist for further investigation or automated responses.

Answer 7

A. 192.168.10.200 In Microsoft Sentinel, IP addresses can be labeled as indicators of compromise (IoCs) directly from the incident's page. While entities like user accounts, virtual machines, and on-premises servers are important in investigations, IP addresses are commonly used as IoCs for detecting and responding to potential threats and can be directly added to threat intelligence indicators or watchlists.

Answer 8

B. app name, computer name, IP address, email address, and used client app only User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel can investigate a range of entities related to user and entity activities. For the entities detected in the Azure AD tenant, UEBA can analyze: App name (App1) Computer name (Device1) IP address (192.168.1.2) Email address (user1@company.com) Used client app (Microsoft Edge) These entities are relevant for UEBA as it helps in identifying anomalous behaviors and potential security threats related to user and entity activities.

Answer 9

A. notebooks in Microsoft Sentinel Notebooks in Microsoft Sentinel allow you to visualize data and enrich it by integrating third-party data sources. They provide a flexible environment to perform complex data analysis, create visualizations, and incorporate external threat intelligence to identify indicators of compromise (IoC) effectively.

Answer 10

B. From Incidents, review the details of the IPCustomEntity entity associated with the incident. To identify the geolocation information for an incident related to a brute force attack, you should review the details of the IPCustomEntity entity associated with the incident. This entity will provide information about the IP address involved, and you can use this IP address to determine the geolocation associated with the attack.

Answer 11

D. Assign the incident To escalate or delegate the investigation of an incident containing multiple alerts to another Azure Sentinel administrator, you should assign the incident to that administrator. This action ensures that the assigned administrator receives notification and can take ownership of the incident for further investigation and resolution.

Answer 12

C. notebooks Notebooks in Microsoft Sentinel provide a customizable environment where you can use machine learning and data visualization to simplify the investigation of security threats. They allow you to perform advanced analytics, integrate with various data sources, and create visualizations tailored to your specific needs. This can help in handling and interpreting large volumes of incidents from numerous IoT devices, making it easier to identify and infer threats.

Answer 13

D. Create a YAML file based on the DNS template. Here's why: YAML files are commonly used in Azure for configuration and deployment, including in Microsoft Sentinel for things like parsers, especially when dealing with ASIM (Advanced Security Information Model). Creating a YAML file allows you to define multiple parsers in a structured format that can be easily imported into Sentinel. This approach is more scalable and less error-prone than manually copying or recreating each parser through the UI or other methods. Once you have the YAML file with your parsers, you can use Azure's deployment mechanisms or Sentinel's import features to apply these configurations, which would significantly reduce the administrative effort compared to manually entering or copying each parser.

Answer 14

B. a watchlist To exclude a built-in, source-specific Advanced Security Information Model (ASIM) parser from a built-in unified ASIM parser, you should create a watchlist in Microsoft Sentinel. Watchlists allow you to specify and manage custom exclusions or include lists that can be used in conjunction with analytic rules and queries to refine the data processed by the ASIM parsers.

Answer 15

B. Build a custom unifying parser and include the built-in parser version. E. Create an analytics rule that includes the built-in parser. Here's the reasoning: Building a custom unifying parser (Option B): This approach allows you to create your own version of the parser that includes the specific version of the built-in parser you want to use. By doing this, you're essentially "freezing" the parser at a specific version, preventing automatic updates. Creating an analytics rule that includes the built-in parser (Option E): When you create an analytics rule that references a specific version of a built-in parser, it effectively locks that version in place for that rule. This ensures that even if the built-in parser is updated, your analytics rule will continue to use the version it was created with.

Answer 16

A. Azure Sentinel Contributor The Azure Sentinel Contributor role allows users to edit and manage queries in custom Azure Sentinel workbooks, among other capabilities. This role aligns with the principle of least privilege by providing the necessary permissions to work with Sentinel resources without granting broader permissions than required.

Answer 17

A. Azure Sentinel Responder The Azure Sentinel Responder role is specifically designed to allow users to assign and resolve incidents in Azure Sentinel while adhering to the principle of least privilege. This role provides the necessary permissions for handling incidents without giving broader administrative rights.

Answer 18

C. the Office 365 connector To investigate threats using data from the unified audit log of Microsoft Defender for Cloud Apps, you need to ensure that the Office 365 connector is configured. This connector integrates data from Microsoft 365 services, including the unified audit log, into Microsoft Defender for Cloud Apps, allowing for comprehensive threat investigation and analysis.

Answer 19

C. Activity explorer in the Microsoft 365 compliance center Activity explorer in the Microsoft 365 compliance center allows you to view and investigate activities related to sensitivity labels, including changes made within a specified timeframe. This tool helps you track modifications and understand user actions related to compliance and data protection policies.

Answer 20

C. Evidence and Response In the Microsoft 365 Defender portal, the Evidence and Response tab provides detailed information about the entities affected by an incident, including associated devices, users, and other relevant data. This tab helps you understand the scope of the incident and plan appropriate response actions.

Answer 21

C. From Devices, initiate a live response session on Device1. Initiating a live response session from the Microsoft Defender portal allows you to interact with Device1 in real-time. This session enables you to execute commands and retrieve information such as active network connections, running processes, and login history, meeting the investigation requirements with minimal administrative effort.

Answer 22

B. Upload Script1.ps1 to the library. To run a PowerShell script like Script1.ps1 in a live response session, you first need to upload the script to the library within the live response session. Once the script is in the library, you can then execute it on the device. This ensures that the script is available for execution during the session.

Answer 23

E. Prefetch files Prefetch files in Windows contain data about the execution history of applications, including timestamps of when an executable file was first and last run. By analyzing these files, you can determine the execution times for File1.exe.

Answer 24

A. From the History tab in the Action center, revert the actions. The History tab in the Action center allows you to review past actions taken by automated investigations, and you can revert these actions if necessary. This would include marking the file as safe and removing it from quarantine.

Answer 25

C. Collect investigation package This action will gather all relevant forensic data from the devices, which is essential for further analysis and investigation.

Answer 26

C. From Advanced features in the Endpoints settings of the Microsoft 365 Defender portal, enable automated investigation. Enabling automated investigation is a necessary step to use advanced features, including remote shell capabilities, in Microsoft Defender for Endpoint.

Answer 27

D. Advanced hunting: This is a powerful tool for querying and analyzing data but is more suited for custom queries rather than quickly identifying affected devices from malware alerts.

Answer 28

C. Evidence and Response The "Evidence and Response" tab provides details about the affected entities and allows you to view and manage the evidence related to an incident.

Answer 29

D. File2.exe and File3.dll only Here's the reasoning: File Types: According to the submission guidelines, Microsoft Defender XDR supports the submission of Portable Executable (PE) files, which include .exe and .dll files. Therefore: File2.exe (an executable file) is eligible for submission. File3.dll (a dynamic link library file) is also eligible for submission. File1.ps1: This is a PowerShell script file. While PowerShell scripts can be submitted for analysis, they are not categorized as PE files and may not be supported in the same manner as .exe and .dll files for deep analysis in this context.

Answer 30

C. Modify the properties of the computer objects listed as exposed entities. In the context of Kerberos delegation, this typically involves configuring the delegation settings in Active Directory to ensure that only secure delegation configurations are applied. This can involve setting delegation to "Trust this computer for delegation to specified services only" and choosing the appropriate services or "Do not trust this computer for delegation."

Answer 31

B. Quarantine Device1 only. Quarantining Device1 will isolate the device from the network to prevent further potential spread of the attack or misuse while minimizing impact on other users and systems. Disabling User1 or resetting passwords may be required later, but quarantining the device is a more immediate and less disruptive containment measure.

Answer 32

C. a Conditional Access policy in Microsoft Entra Here's why: Conditional Access policies in Microsoft Entra ID (formerly Azure AD) allow you to implement automated access control decisions for accessing your cloud apps, including Exchange Online through Outlook on the web. You can set up policies that respond to signs of a compromised account by enforcing actions like forcing re-authentication or blocking access entirely. Specifically, Conditional Access can be configured to use signals from Microsoft Entra ID Protection to detect risk, but the policy itself is what enforces the session control or revocation of access.

Answer 33

B. the risky users report The risky users report in Azure AD provides information about users who have been flagged as risky based on various risk detections. This report can help you determine if User1's identity was compromised or if there were any suspicious activities related to their account.

Answer 34

A. the Modifications of sensitive groups report in Microsoft Defender for Identity This report provides details about changes to sensitive groups, including the Domain Admins group, and helps track modifications and potentially suspicious activities related to group memberships.

Answer 35

A. the entity side panel of the Timeline card in Microsoft Sentinel

Answer 36

D. Create a scheduled query rule. Here's why: Scheduled query rules in Microsoft Sentinel allow you to define custom detection rules. When you create these rules, you specify the conditions for generating alerts and can customize what information is included in those alerts. This includes defining the severity, the alert details, entity mapping, and other relevant information.

Answer 37

B. Copy an executable and rename the file as ASC_AlertTest_662jfi039N.exe. This option involves creating a file with a name that triggers test alerts in Microsoft Defender for Cloud, allowing you to simulate an attack and generate an alert for testing purposes.

Answer 38

B. Intent The Intent key typically contains information about the type of attack or tactic being executed, such as Privilege Escalation, which aligns with MITRE ATT&CK tactics.

Answer 39

B. the Azure Storage Analytics logs Azure Storage Analytics logs provide detailed information about operations performed on the storage account, including blob delete operations.

Answer 40

B. From Security alerts, select Take Action, and then expand the Mitigate the threat section. This will provide you with specific recommendations and steps to address and resolve the security alert.

Answer 41

A. Key Vault firewalls and virtual networks Configuring Key Vault firewalls and virtual networks allows you to restrict access to the Key Vault to only specific IP addresses or ranges, including denying access from unwanted sources like Tor exit nodes. This enhances security by controlling which networks or IP addresses can interact with the Key Vault. While Azure AD permissions, RBAC, and access policy settings are important for managing who can access the Key Vault and what actions they can perform, controlling network access with firewalls and virtual networks specifically addresses the threat of unauthorized access attempts from external sources.

Answer 42

A. cp /bin/echo ./asc_alerttest_662jfi039n D. ./asc_alerttest_662jfi039n testing eicar pipe Here's the reasoning: A. This command copies echo to a new file named asc_alerttest_662jfi039n. The filename asc_alerttest_662jfi039n is specifically recognized by Azure Defender as a test file meant to trigger a benign alert for testing purposes. D. Running this command with the testing eicar pipe argument simulates an action akin to testing with the EICAR test file, a standard method to check if security software is functioning by pretending to deal with a harmless virus signature. This command, when executed with this specific file name, should trigger an alert in Azure Defender.

Answer 43

C. Medium Here's why: Medium severity often captures alerts that are suspicious and require investigation but are not necessarily immediately critical or high-risk in every context. Alerts regarding unusual access patterns or behaviors, like the ones listed, would usually fall into this category because they indicate potential security issues that should be investigated to determine if they are indeed malicious or just anomalies.

Answer 44

D. an insider risk policy Here's why: Insider risk policies in Microsoft 365 are designed to detect, investigate, and act on risky activities within your organization, including unusual data access or download patterns by users. This includes behavior that might be indicative of data exfiltration or other insider threats, which would cover scenarios where users download large amounts of data before leaving the organization or having their accounts deleted.

Answer 45

A. Review the Events tab of the alert Here's why: The Events tab provides detailed information about each event that triggered the alert. This includes specifics like which files or items were involved, who the actors were (users), what actions were taken (e.g., sharing, downloading), and other contextual details that help you understand which entities were impacted by the policy violation.

Answer 46

A. Fusion Fusion rules in Microsoft Sentinel are designed to detect advanced multistage attacks by correlating multiple alerts and activities across various sources. They help in identifying complex attack patterns that span multiple stages, which aligns with the requirement of detecting advanced multistage attacks.

Answer 47

D. Create an Azure AD Identity Protection connector. Azure AD Identity Protection will help in identifying and reacting to identity-based risks. Since you are looking for suspicious sign-ins, this connector will provide insights into risky users, sign-in activities, and vulnerabilities, which can be correlated with Office 365 activities in Fusion rules. A. Create a custom rule based on the Office 365 connector templates. By creating a custom rule using the templates from the Office 365 connector, you can tailor the detection to look for anomalous activities specific to your environment. This custom rule can work in conjunction with the Fusion engine to analyze patterns that include both Azure AD sign-in data and Office 365 activity.

Answer 48

B. Add data connectors Fusion rules rely on data from various sources connected to Azure Sentinel. If the necessary data connectors are not configured or not collecting data, the Fusion rule won't generate alerts. Adding the appropriate data connectors ensures that the necessary data is available for the rule to analyze and generate alerts.

Answer 49

C. Analytics In Microsoft Sentinel, the Analytics section provides an overview of the different analytics rules, including anomaly detection rules. Here, you can see which rules are enabled and their configurations.

Answer 50

B. Add a data connector C. Create an analytics rule Add a data connector: You need to ensure that you have the appropriate data connector in place to collect logs related to Azure Storage. This is typically the Azure Storage data connector. Create an analytics rule: Set up an analytics rule in Azure Sentinel to monitor the collected data for events related to the enumeration of Azure Storage account keys. This rule will generate alerts based on the conditions you specify.

Answer 51

C. a UEBA activity template User and Entity Behavior Analytics (UEBA) templates in Microsoft Sentinel are designed to simplify the detection of specific behaviors, including failed sign-ins, by leveraging pre-built analytics rules. These templates use machine learning and behavioral analysis to detect anomalies and suspicious activities, such as failed interactive sign-ins.

Answer 52

A. Create an analytics rule. Analytics rules in Microsoft Sentinel allow you to automate the detection of specific threats or anomalies, turning hunting queries into actionable detections that generate alerts automatically. This approach minimizes manual effort and ensures that threats are detected consistently based on the defined criteria.

Answer 53

A. The rule query takes too long to run and times out. If the query is too complex or if it's querying a very large dataset, it might exceed the runtime limits imposed by Azure Sentinel, causing the rule to fail intermittently. Optimizing the query or breaking it down into smaller, more efficient queries could mitigate this issue. D. There are connectivity issues between the data sources and Log Analytics

Answer 54

B. The number of alerts exceeded 10,000 within two minutes. Here's why: Azure Sentinel has built-in mechanisms to manage system performance and resource utilization. If an analytics rule generates an excessive number of alerts in a very short time frame (specifically, if it exceeds 10,000 alerts within two minutes), Sentinel will automatically disable the rule to prevent overwhelming the system or the security operations team with too many alerts. This is a protective measure to ensure that both the Sentinel workspace and the analysts using it can operate effectively.

Answer 55

B. Change the state of the suppression rule to Disabled. Explanation: Suppression rules in Azure Security Center are used to prevent specific alerts from being raised for certain resources (such as virtual machines). If you have a suppression rule applied to the 10 virtual machines, those alerts will not show up in Security Center. To troubleshoot and view the alerts, you need to disable the suppression rule temporarily. This will allow Security Center to display the previously suppressed alerts for the virtual machines.

Answer 56

A. Create an Azure Policy assignment. Reasoning: Central Management: Azure Policy allows you to enforce organizational standards and assess compliance at scale. By creating a policy assignment at the root management group level, it applies to all subscriptions and resources under that management group, which aligns with the requirement to minimize administrative effort across multiple subscriptions. Alert Suppression: Although Azure Policy isn't specifically designed for alert suppression, you can use it in conjunction with Defender for Cloud's capabilities. For instance, you might create a policy that defines when certain alerts should be ignored or how they should be treated based on specific conditions. Automation: Azure Policy can automate many management tasks, making it an ideal choice for maintaining consistency and control across environments.

Answer 57

C. On VM1, trigger a PowerShell alert. Explanation: Before you can create a suppression rule for specific alerts, you need the alert to be triggered at least once so that it appears in the Microsoft Defender for Cloud alert list. This will allow you to identify the specific alert (e.g., PowerShell-related) and configure a suppression rule for it.

Answer 58

B. Hide the alert. D. Create a suppression rule scoped to a device group. E. Generate the alert. Explanation: B. Hide the alert: Hiding the alert will ensure that it does not appear in the Alerts queue but still allows other similar alerts to be monitored if they occur on devices outside of the accounting team. D. Create a suppression rule scoped to a device group: Since the false positives are occurring on the devices used by the accounting team, you can create a suppression rule that is scoped to only those devices. This ensures that the false positives for these known cases are suppressed while maintaining security on other devices. E. Generate the alert: You need to generate the alert to capture the details of the false positive and apply the suppression rule correctly.

Answer 59

E. File1.sys, File2.pdf, File3.docx, and File4.xlsx Explanation: Indicator hashes (such as MD5, SHA-1, or SHA-256) can be used to block files based on their unique cryptographic hashes. This functionality applies to all types of files, including: File1.sys (System file) File2.pdf (PDF file) File3.docx (Word document) File4.xlsx (Excel document) Or D

Answer 60

A. Create an exclusion tag. This approach minimizes administrative effort by allowing you to tag Server1 as an exclusion, preventing it from being scanned without needing to upgrade or create additional governance rules.

Answer 61

A. at the subscription level Enabling Azure Defender at the subscription level allows you to apply the security features, including JIT access and network detections, across all relevant resources within that subscription.

Answer 62

A. Microsoft Defender for Resource Manager This service helps detect exploitation toolkits in declarative templates and provides security recommendations for resource templates. E. Microsoft Defender for DevOps This service addresses vulnerabilities within application source code and helps manage exposed secrets, providing security insights in your DevOps pipelines.

Answer 63

A. custom network indicators Custom network indicators allow you to define specific IP addresses, IP ranges, or URLs that you want to block or allow. This feature is part of the attack surface reduction capabilities in Microsoft Defender for Endpoint, enabling you to control network traffic based on predefined rules.

Answer 64

B. attack surface reduction rules in Microsoft Defender for Endpoint These rules can help prevent specific actions, such as blocking Excel macros from untrusted sources, preventing the opening of executable attachments in Outlook, and addressing Outlook rules and forms exploits.

Answer 65

C. Activity from infrequent country Activity from infrequent country anomaly detection policy flags sign-ins from countries where sign-ins are rare or have never occurred before for your organization. This policy helps in detecting unusual geographic activity, which aligns with your requirement of monitoring sign-ins from locations not typically used by your users.

Answer 66

A. the Threat Protection Status report in Microsoft Defender for Office 365 The Threat Protection Status report provides detailed information on various threat protection activities, including actions taken by ZAP. This report can show which messages were purged due to ZAP, giving insight into when and why emails were removed from mailboxes.

Answer 67

C. a named location By defining a named location for your office in Istanbul and then configuring conditional access policies to require MFA for sign-ins that occur outside this location, you can effectively enforce MFA for remote users.

Answer 68

A. Dynamic Delivery Dynamic Delivery in Safe Attachments allows attachments to be delivered to the recipient immediately, with the scanning process happening in the background. If malware is detected later, the email can be removed from the recipient's mailbox or other actions can be taken. This approach balances the need for prompt delivery with thorough security checks, which is ideal for reducing perceived delivery delays.

Answer 69

D. RegEx pattern matching RegEx (Regular Expression) pattern matching allows you to define precise patterns for what constitutes sensitive information. In this case, you can create a regular expression that matches strings of 32 alphanumeric characters, which would be used to identify the customer account numbers. This approach is highly customizable and can be integrated into DLP policies to detect when such patterns appear in documents, emails, or other content.

Answer 70

D. From Cloud apps, select Files, and then filter App to Office 365. E. From Cloud apps, select Files, and then select New policy from search. Creating a new policy from search allows you to define specific conditions under which alerts should be generated and remediation actions taken. This includes setting up rules for external sharing of files labeled as confidential or sensitive.

Answer 71

A. Configure automatic data enrichment. B. Add the IP addresses to the corporate address range category. Here's why these are the best choices: Configure automatic data enrichment (A): This allows Cloud App Security to automatically enrich IP address data with additional context, which can help in more accurately identifying legitimate corporate traffic versus truly suspicious activity. Add the IP addresses to the corporate address range category (B): By explicitly defining the IP ranges of your corporate offices as "corporate" in Cloud App Security, you're telling the system that traffic from these IPs should be considered trusted. This will significantly reduce false positive alerts for impossible travel and risky IP addresses when the traffic is actually coming from your known office locations.

Answer 72

E. From Settings, select Information Protection, select Files, and then enable file monitoring. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings.

Answer 73

B. Common The Common event set is designed to capture essential events, including user sign-in and sign-out, without overwhelming the system with unnecessary logs.

Answer 74

A. Configure the Advanced Audit Policy Configuration settings for the domain controllers. D. Configure Windows Event Forwarding on the domain controllers. These actions will help you collect the necessary audit logs for monitoring changes to sensitive groups in Active Directory.

Answer 75

A. From Defender for Cloud, modify Microsoft Defender for Servers plan settings. This action allows you to configure the necessary settings for collecting security logs from your virtual machines and directing them to the specified Log Analytics workspace.

Answer 76

A. From the workspace created by Defender for Cloud, set the data collection level to Common. E. From Defender for Cloud in the Azure portal, enable automatic provisioning for the virtual machines. These actions will ensure that necessary data is collected efficiently and with minimal administrative overhead.

Answer 77

A. From Security Center, enable data collection. This action will ensure that security event logs from your virtual machines are collected and sent to the configured Log Analytics workspace.

Answer 78

C. a Common Evert Format (CEF) connector

Answer 79

B. Configure the Diagnostics settings in Azure AD to stream to an event hub. Streaming Azure AD diagnostics logs to an Event Hub allows for near real-time data transmission. From the event hub, you can then configure your SIEM solution to ingest this data. Event Hubs are designed for high-throughput, real-time data ingestion, making them ideal for scenarios where timely alerts are crucial.

Answer 80

B. Create a query that uses the workspace expression and the union operator. The workspace() function in Azure Sentinel allows you to specify which workspace's data you want to query. By using the union operator, you can combine data from multiple workspaces. This would be key in searching across all your subscription's workspaces simultaneously. E. Add the Azure Sentinel solution to each workspace. Each Log Analytics workspace needs to have the Azure Sentinel solution added to it. This step enables these workspaces to be queried by Azure Sentinel. Even though the Sentinel workspace itself is in a new subscription, data from other workspaces can be queried if the right permissions and configurations are in place.

Answer 81

A. Microsoft Sentinel Contributor The Microsoft Sentinel Contributor role provides permissions to manage all aspects of Microsoft Sentinel, including workbooks, analytics rules, data connectors, and other Sentinel features. This role allows User1 to create, edit, and manage Sentinel workbooks without granting broader access to resources outside of Sentinel.

Answer 82

C. Add Azure Sentinel to a workspace. This step allows you to link the Azure Sentinel instance with the Log Analytics workspace, enabling you to run queries and set up analytics rules.

Answer 83

A. Microsoft Sentinel - Incidents This page consolidates incidents from all linked workspaces, allowing you to manage and view them in one place.

Answer 84

B. Enable the Key Vault firewall. Enabling the firewall will restrict access to the Key Vault to only trusted IP addresses, minimizing the risk of unauthorized access while allowing legitimate users to access it if their IPs are whitelisted.

Answer 85

B. Azure Policy Azure Policy allows you to define policies that can enforce configurations across your resources, including settings for Microsoft Defender for Cloud's JIT VM access. You can create or assign a policy that limits JIT access to only RDP, and configure the maximum session time to two hours. This approach minimizes administrative effort as you can apply the policy to the entire resource group at once.

Answer 86

B. Enable the Cloud Security Posture Management (CSPM) plan for the subscription. Enabling the CSPM plan will allow you to add more industry and regulatory standards, including the PCI DSS initiative, to your Defender for Cloud environment.

Answer 87

C. From Defender for Cloud, configure the AWS connector. E. From Defender for Cloud, configure auto-provisioning. Here's why these actions are appropriate: Configure the AWS Connector (C): Setting up the AWS connector is essential for integrating your AWS environment with Microsoft Defender for Cloud. This step allows Defender for Cloud to access and manage resources in your AWS account. The connector facilitates communication between Azure and AWS, enabling Defender for Cloud to monitor and protect your AWS resources, including the Windows Server virtual machines. Configure Auto-Provisioning (E): Enabling auto-provisioning allows Defender for Cloud to automatically install the necessary agents on your EC2 instances. This minimizes administrative effort by automating the deployment process. Auto-provisioning ensures that all relevant security features, including those provided by Microsoft Defender for Servers, are consistently applied to your virtual machines without requiring manual intervention.

Answer 88

B. Create a Microsoft 365 app connector. This will allow you to link your Microsoft 365 environment with Cloud Discovery, enabling the association of usernames with UPNs.

Answer 89

C. Add an environment.

Answer 90

C. Azure Event Hubs. Azure Event Hubs allows for real-time data streaming and is suitable for integrating with SIEM solutions.

Answer 91

C. the Azure Connected Machine agent. This agent enables you to connect your non-Azure machines to Azure and use Defender for Cloud capabilities.

Answer 92

B. the Azure Connected Machine agent. This agent allows non-Azure machines, such as AWS EC2 instances, to connect to Defender for Cloud and leverage its security capabilities.

Answer 93

C. the Azure Arc agent. The Azure Arc agent allows non-Azure resources to be managed and monitored within Azure, enabling Defender for Cloud capabilities.

Answer 94

C. the Azure Connected Machine agent. Here's why this is the correct choice: Integration with Azure Services: The Azure Connected Machine agent is specifically designed to connect machines hosted outside of Azure (like your on-premises Linux servers) to Azure services, including Microsoft Defender for Cloud. This integration allows you to manage and monitor your Linux servers through Azure. Log Collection and Vulnerability Assessment: Installing the Azure Connected Machine agent enables Defender for Cloud to collect logs from your Linux servers and perform vulnerability assessments, which are essential for maintaining security compliance. Management and Security Features: Once the Azure Connected Machine agent is installed, you can leverage various Defender for Cloud features, such as security recommendations and alerts, which help in protecting your infrastructure.

Answer 95

A. Install the Log Analytics agent. The Log Analytics agent (also referred to as the Microsoft Monitoring Agent or MMA) is essential for sending security logs and performance data from your on-premises computers to Azure. This agent allows Defender for Cloud to monitor, alert, and provide security recommendations for these machines.

Answer 96

D. Create a tag.

Answer 97

A. Security Administrator This role allows User1 to manage security-related policies and settings without granting excessive permissions.

Answer 98

D. Reader This role allows User1 to view alert data without granting permissions to modify resources.

Answer 99

B. Security Admin This role specifically provides permissions to manage security policies and configurations in Microsoft Defender for Cloud.

Answer 100

C. the Contributor role for RG1 This role allows SecAdmin1 to make necessary changes and apply quick fixes specifically within the resource group RG1, without granting broader permissions at the subscription level.

Answer 101

B. the Active remediation actions role in Microsoft Defender for Endpoint This role specifically allows the analyst to manage active remediation actions, including approving or rejecting pending actions, within Microsoft Defender for Endpoint. D. the Security Reader role in Azure Active Directory (Azure AD)

Answer 102

A. Assign a tag to the device group. C. Add a tag to the machines. D. Create a new device group that has a rank of 1. These steps will allow you to create a temporary grouping based on tags and manage the devices effectively during the investigation.

Answer 103

D. Manage security settings This permission allows User1 to configure various security settings within Microsoft Defender for Endpoint, which includes setting up and managing alert notifications. Configuring alerts to send email notifications to a specific group like Group1 falls under the scope of managing security settings.

Answer 104

A. Create an import file that contains the individual IP addresses in the range. Select Import and import the file.

Answer 105

C. a file hash indicator that has Action set to Alert and block. This will specifically target the image file by its hash, allowing you to block it and receive alerts if it is encountered.