Microsoft Defender
When using the join operator, how do you specify fields from each table? A. $1.columnname and $2.columnname B. $left.columnname and $right.columnname C. $inner.columnname and $outer.columnname
B. $left.columnname and $right.columnname
Which filter is included as part of an Alert notification rule? A. Alert Severity B. Account C. Subject IDs
A. Alert Severity
Security Center employs which advanced security analytics? A. Biometric analytics B. Power BI C. Behavioral analytics
C. Behavioral analytics
Which Azure technology is used to automate remediation? A. Azure Functions B. Azure Batch C. Azure Logic Apps
C. Azure Logic Apps (Security Center workflow automation runs Logic Apps playbooks in response to alerts and recommendations; behavioral analytics is a detection technique, not an automation engine.)
Which file type can be used to upload Indicators? A. JSON B. XML C. CSV
C. CSV
The Devices page shows information from which Defender product? A. Microsoft Cloud App Security B. Microsoft Defender for Identity C. Microsoft Defender for Endpoint
C. Microsoft Defender for Endpoint
A security operations analyst can create a custom detection from which of the following? A. Advanced Hunting B. An Alert C. An Incident
A. Advanced Hunting
Which information is provided on the user account page? A. Associated alerts B. Security groups C. Threat hunt ID
A. Associated alerts
To make sure Azure Defender covers all resources in a Subscription, which option do you enable? A. Automatic provisioning B. Continuous assessments C. Coverage type
A. Automatic provisioning
Which of the following choices describes threat hunting using Microsoft Defender for Endpoint? A. You can proactively inspect events in your network using a powerful search and query tool. B. Detecting and blocking apps that are considered unsafe but may not be detected as malware. C. Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that help stop malware.
A. You can proactively inspect events in your network using a powerful search and query tool.
How can you get an at-a-glance overview of the kinds of apps being used within your organization? A. Use Azure Information Protection B. Use Conditional Access C. Use the Cloud Discovery Dashboard
C. Use the Cloud Discovery Dashboard
Which KQL statement should you use to parse external data into a virtual table? A. parse_json B. extract C. externaldata
C. externaldata
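A worked externaldata query, added here as an example that is not part of the original flashcards. It assumes the standard Azure AD SigninLogs schema; the blob URL is a placeholder to replace with your own storage account and SAS token, and the CSV layout (an IPAddress column and a Source column under a header row) is a constructed assumption.

```kql
// Added example: treat a CSV held in blob storage as a virtual table and join it to sign-ins.
// Placeholder URL: replace <storageaccount>, <container> and <sas-token> with your own values.
let Blocklist = externaldata(IPAddress: string, Source: string)
    [@"https://<storageaccount>.blob.core.windows.net/<container>/blocklist.csv?<sas-token>"]
    with (format = "csv", ignoreFirstRecord = true);   // the file carries a header row
SigninLogs
| where TimeGenerated > ago(1d)
| join kind=inner Blocklist on IPAddress               // keep only sign-ins from listed addresses
| extend Outcome = iff(ResultType == "0", "Success", strcat("Failed (", ResultType, ")"))
| project TimeGenerated, UserPrincipalName, IPAddress, Source, Outcome, AppDisplayName
| order by TimeGenerated desc
```

The SAS token ends up inside the saved query text, so use a short-lived, read-only token and treat the saved query as a secret; for a list that is consulted regularly, a Sentinel watchlist avoids the external fetch entirely.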
The Microsoft Defender for Endpoint agent should be deployed to all Windows 10 devices in your organization. A. True B. False
B. False (the sensor is built into Windows 10; devices are onboarded with a configuration package, not by installing a separate agent.)
Which type is an accepted indicator type? A. Certificates B. Email subject line C. Code data
A. Certificates
Which of the following choices describe the benefits of Microsoft 365 Defender? A. Coordinate defenses to stop attacks from spreading and auto-heal impacted assets. B. Control and help secure email, documents, and sensitive data inside and outside your company walls. C. Safeguard access to data and applications by requiring a second form of authentication and deliver strong authentication via a range of easy-to-use authentication methods.
A. Coordinate defenses to stop attacks from spreading and auto-heal impacted assets.
Configuring a Microsoft Human Resources (HR) data connector is a dependency for which insider risk management template? A. Departing employee's data theft template B. Data leaks C. Offensive language in email
A. Departing employee's data theft template
The Cloud App Security framework includes which of the following? A. Discover and control the use of Shadow IT B. Block external traffic C. Protect Active Directory
A. Discover and control the use of Shadow IT
Which of the following artifact types has an investigation page? A. Domain B. Hunter C. Threat Actor
A. Domain
The primary use case of information barriers is represented in which of the following statements? A. An individual wants to keep their work private from the public. B. A department is handling information that should not be shared with other groups or departments. C. An organization wants to break down silos and allow searching across all business units.
B. A department is handling information that should not be shared with other groups or departments.
What does Azure Sentinel provide? A. A solution for checking your security posture in the cloud B. An end-to-end solution for security operations C. A solution for securely storing keys and secrets in the cloud
B. An end-to-end solution for security operations
Which option below is an attack surface reduction rule that can be configured? A. Block PowerShell from executing B. Block process creations originating from PSExec and WMI commands C. Block content from mobile devices
B. Block process creations originating from PSExec and WMI commands
Which solution is used to control the applications that must earn trust to be run? A. Exploit protection B. Controlled folder access C. Application control
C. Application control
Which of the following is not part of the typical attack timeline? A. Research and preparation B. Data exfiltration C. Attack discovered before 24 hours
C. Attack discovered before 24 hours
Within Azure Sentinel, which Azure product is used to run automated playbooks in response to alerts? A. Log Analytics B. Azure Monitor C. Azure Logic Apps
C. Azure Logic Apps
Which of the following is not an Attack Simulator scenario? A. Spear phishing B. Password spray C. Bitcoin mining
C. Bitcoin mining
Which of the following is not a component of Microsoft Defender for Endpoint? A. Next generation protection B. Endpoint detection and response C. Cloud device management
C. Cloud device management
How do you protect against identity-based risks by using Azure AD Identity Protection? A. Configure an investigation policy and then remediate. B. Configure a report, remediate, and then configure a policy. C. Configure a policy, investigate by using a report, and remediate.
C. Configure a policy, investigate by using a report, and remediate.
Which option can't be performed in the Action center? A. Manage pending actions. B. Review completed actions. C. Configure action email notifications.
C. Configure action email notifications.
You can classify an Incident as which of the following? A. True alert B. High alert C. Test alert
A. True alert
Instead of blocking communications between two segments, you decide you want to allow communications to occur between certain segments. What should you do? A. Edit a policy B. Edit a segment C. Edit user account attributes
A. Edit a policy
In advanced features, which setting should be turned on to block files even if a third-party antivirus is used? A. Enable EDR in block mode B. Allow or block file C. Automated Investigation
A. Enable EDR in block mode
Which of the case actions opens a new Advanced eDiscovery case in your Microsoft O365 investigation? A. Escalate for investigation B. Send a notice C. Resolve the case
A. Escalate for investigation
In the Remediate phase, which option allows for inputting multiple reviewers within the organization to help resolve the incident? A. Escalate to another reviewer B. Tag a message C. Notify the user
A. Escalate to another reviewer
A security operations analyst needs to exclude a custom executable file c:\myapp\myapp.exe, which exclusion type should they use? A. File B. Extension C. Folder
A. File
Which is a deployment option for Windows 10? A. Group policy B. Microsoft Store C. General install package
A. Group policy
Microsoft has had built-in intelligence to detect profanities for a while. Which of the following represents a new enhancement in this area? A. Identify threats for the individual to potentially harm themselves B. Identify insider trading C. Identify possible legal exposure
A. Identify threats for the individual to potentially harm themselves
Which anomaly detection policy triggers an alert if the same user credentials originate from two geographically distant locations within a short time? A. Impossible travel B. Impossible distance C. Impossible twins
A. Impossible travel
The alert severity field contains which option? A. Informational B. Not Applicable C. Testing
A. Informational
What should you install on a new Azure Windows VM if you are not using auto provisioning? A. Log Analytics Agent B. Sysmon C. Windows Firewall
A. Log Analytics Agent
What is a protection provided by Azure Defender for DNS? A. Malware communicating with C&C server B. Malware encrypting data on a Device C. Malware enumerating users on a Device
A. Malware communicating with C&C server
What describes Safe Attachments from Microsoft Defender for Office 365? A. Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent. B. Protects your users from malicious URLs in a message or in an Office document. C. A powerful report that enables your Security Operations team to investigate and respond to threats effectively and efficiently.
A. Messages and attachments are routed to a special environment where Microsoft Defender for Office 365 uses a variety of machine learning and analysis techniques to detect malicious intent.
When you union two tables, the two tables need matching columns? A. No. B. Yes. C. Only when the project operator is used.
A. No.
Which of the following is an auto provisioning extension? A. Policy Add-on for Kubernetes B. Windows Events C. Policy for Azure Policy
A. Policy Add-on for Kubernetes
Which of the following is a deployment option? A. PowerShell B. ASRConfig.exe C. Microsoft Deployment System
A. PowerShell
Which of the following describes advanced threats Microsoft Defender for Identity detects along the cyber-attack kill-chain? A. Reconnaissance B. Vertical movements C. Bitcoin mining
A. Reconnaissance
A healthcare employee left work with an unencrypted work laptop, which was stolen days later in a burglary. Data containing sensitive information for 100 patients is on the laptop. This is an example of which type of internal risk? A. Regulatory compliance violation B. Sabotage C. Data leak
A. Regulatory compliance violation
Which report would you review to find devices that were identified as part of a detected risk? A. Risky sign-in report B. Risky user report C. Risky registration report
A. Risky sign-in report (Information like device details and location details is included in risky sign-in reports.)
What does the search operator do? A. Searches across tables and is not column-specific. B. Searches only data in the last hour. C. Searches in columns specified.
A. Searches across tables and is not column-specific.
Which is a valid remediation level? A. Semi - require approval for any remediation B. Semi - user accounts only C. Semi - files only
A. Semi - require approval for any remediation
With communication compliance policies, you can choose to scan messages in one or more platforms. Which of the following supported communication types includes LinkedIn? A. Third-party sources B. Microsoft Teams C. Skype for Business online
A. Third-party sources
If available, which report provides Attackers tactics, tools, and procedures? A. Threat Intelligence B. Secure Score C. Incident
A. Threat Intelligence
Microsoft Defender for Identity requires an on-premises Active Directory environment. A. True B. False
A. True
Threats are the potential weakness that attackers can use to infiltrate your organization. A. True B. False
B. False (a threat is the potential for an adversary to cause harm; the weakness a threat exploits is a vulnerability.)
You want to use a risky sign-in report to find information on risky sign-ins for the past 29 days. How can you access this report? A. You can access and download the report from the Azure portal. B. You can't access the report from the portal because the data isn't retained any longer. C. You can't access the report from the portal, but only if you downloaded it in the first 30 days.
A. You can access and download the report from the Azure portal. (The report data is retained for 30 days.)
Which of the following describe Azure Defender's primary role? A. Cloud security posture management B. Cloud workload protection C. Cloud configuration management
B. Cloud workload protection
One of the first steps in investigating a possible violation is understanding the intent of the communication. Which of the following flexible remediation workflows will provide insight into the context of the communication during investigation? A. Keyword highlighting B. Conversation threading C. Exact and near duplicated detection
B. Conversation threading
Which DLP component has the logic to protect content in locations such as SharePoint Online? A. Sensitive info types B. DLP Policy C. Sensitivity label
B. DLP Policy
Which Behavioral blocking can be used with third-party antivirus? A. Client behavior blocking. B. EDR in block mode C. Feedback-loop blocking
B. EDR in block mode
In the Vulnerable Devices Report, which graphs show each device counted only once based on the highest level of known exploit? A. Vulnerability age graphs B. Exploit availability graphs C. Severity level graphs
B. Exploit availability graphs
Microsoft Defender for Office 365 requires an agent to be deployed to all Windows 10 devices in your organization for the best protection. A. True B. False
B. False
In Cloud App Security, which type of policy is used for DLP? A. Access Policy B. File Policy C. Activity Policy
B. File Policy
To create a virtual table, save your KQL as a which type? A. Module. B. Function. C. Definition.
B. Function.
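What a saved function looks like in use, as an added example that is not part of the original flashcards. In the Log Analytics query editor the body would be saved under an alias such as FailedLogons; the let statement below defines the same function inline so the whole thing runs as one query. It assumes the standard SecurityEvent schema; the alias and thresholds are assumptions.

```kql
// Added example: a parameterised function that behaves as a virtual table of failed logons.
// Saved in the portal under the alias FailedLogons, it is callable from any query in the
// workspace exactly as it is called at the bottom of this block.
let FailedLogons = (lookback: timespan, minFailures: int) {
    SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4625                       // An account failed to log on
    | summarize Failures   = count(),
                FirstSeen  = min(TimeGenerated),
                LastSeen   = max(TimeGenerated),
                SourceIps  = make_set(IpAddress, 20),
                LogonTypes = make_set(LogonType, 10)
        by Account, Computer
    | where Failures >= minFailures
};
// the virtual table is filtered and sorted like any other table
FailedLogons(1d, 10)
| where array_length(SourceIps) > 1               // failures arriving from more than one address
| order by Failures desc
```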
Which Cloud provider has a Cloud connector in Security Center? A. IBM Cloud B. GCP C. Oracle
B. GCP
A Dynamic field contains which of the following items? A. Calculated data. B. Key-value pair data. C. External data.
B. Key-value pair data.
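How a dynamic column is produced and consumed, as an added example that is not part of the original flashcards. The two JSON records are constructed sample input, not real log data; parse_json turns the string into a dynamic value, and the query then uses dot and bracket access, typed conversion, and mv-expand over an array.

```kql
// Added example: a dynamic column holds parsed JSON: key-value pairs, nested objects and arrays.
// The two records are constructed for this example.
let Events = datatable(TimeGenerated: datetime, RawJson: string) [
    datetime(2021-05-01 10:00:00),
      '{"user":"alice","mfa":false,"client":{"os":"Windows","app":"Browser"},"ips":["10.1.1.5","203.0.113.9"]}',
    datetime(2021-05-01 10:05:00),
      '{"user":"bob","mfa":true,"client":{"os":"iOS","app":"Mobile"},"ips":["198.51.100.4"]}'
];
Events
| extend Props = parse_json(RawJson)                 // string -> dynamic
| extend User = tostring(Props.user),                // dot notation for a top-level key
         Mfa  = tobool(Props["mfa"]),                // bracket notation plus typed conversion
         OS   = tostring(Props.client.os)            // nested object
| mv-expand Ip = Props.ips to typeof(string)         // one output row per array element
| where Mfa == false and not(ipv4_is_private(Ip))   // non-MFA activity from a public address
| project TimeGenerated, User, Ip, OS
```

Only alice's 203.0.113.9 row survives: her 10.1.1.5 entry is private and bob used MFA. Converting with tostring/tobool matters because comparisons against an untyped dynamic value are easy to get silently wrong.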
Which Azure service stores the log data that is ingested into Azure Sentinel? A. Azure Data Factory B. Log Analytics C. Azure Monitor
B. Log Analytics
Which security permission allows the configuration of storage settings? A. Manage security settings in Security Center B. Manage portal system settings C. Advanced commands
B. Manage portal system settings
Can you use address book policies and information barrier policies at the same time? A. Yes B. No C. Only when address book policies were in place first
B. No
If you want to define past and future review periods that are triggered after policy matches based on events and activities for the insider risk management policy templates, which policy setting do you select? A. Indicators B. Policy timeframes C. Intelligent detections
B. Policy timeframes
Which join flavor contains a row in the output for every combination of matching rows from left and right? A. kind=leftouter B. kind=inner C. kind=fullouter
B. kind=inner
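The two join questions ($left/$right column references and kind=inner) in one worked Advanced Hunting query, added here as an example that is not part of the original flashcards. It assumes the Microsoft Defender for Endpoint Advanced Hunting schema (DeviceProcessEvents, DeviceNetworkEvents); the list of Office parent processes and the five-minute window are assumptions.

```kql
// Added example: processes spawned by Office applications that opened an outbound
// connection within five minutes of starting. $left refers to the outer table
// (DeviceProcessEvents), $right to the joined table (DeviceNetworkEvents);
// kind=inner emits one row per matching pair and drops rows that match nothing.
let lookback = 7d;
// hypothetical parent-process watchlist
let office_parents = dynamic(["winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName in~ (office_parents)
| project DeviceId, DeviceName, ProcessCreated = Timestamp, ProcessId,
          FileName, ProcessCommandLine, ParentProcess = InitiatingProcessFileName
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "ConnectionSuccess"
    | project DeviceId, ConnectionTime = Timestamp, InitiatingProcessId,
              RemoteIP, RemotePort, RemoteUrl
  ) on DeviceId, $left.ProcessId == $right.InitiatingProcessId
// process IDs are recycled, so constrain the match to a short window after process start
| where ConnectionTime between (ProcessCreated .. (ProcessCreated + 5m))
| project-away DeviceId1                              // right-side copy of the same-named key
| order by ProcessCreated desc
```

The key named on both sides (DeviceId) comes back from the right table as DeviceId1, which project-away drops; differently named keys need the explicit $left/$right form. Without the time window a join on PID alone pairs unrelated events from reused process IDs.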
Which type of information is collected in an Investigation package? A. Command History B. Prefetch Files C. Network transactions
B. Prefetch Files
What information is provided by a deep file analysis? A. Command history B. Registry Modifications C. Code change history
B. Registry Modifications
Which resource can Azure Defender protect in a hybrid environment? A. Word Documents B. SQL Databases C. Cosmos DB
B. SQL Databases
You want to analyze risks that describe authentication requests for sign-ins that probably weren't authorized by users. Which type of risks will you analyze? A. User risk B. Sign-in risk C. Authentication risk
B. Sign-in risk
The default data retention period in Microsoft Defender for Endpoint is? A. One month B. Six months C. Three months
B. Six months
Which is an option to connect your non-Azure computers? A. Windows Store B. Using Azure Arc enabled servers C. From an Excel spreadsheet
B. Using Azure Arc enabled servers
Which report lists the software vulnerabilities your devices are exposed to by listing the Common Vulnerabilities and Exposures (CVE) ID? A. Event Timeline B. Weakness C. Software Inventory
B. Weakness
How can you ensure that a file is sent into quarantine for review by an administrator? A. When creating a file policy, select Quarantine for admin B. When creating a file policy, select Put in admin quarantine C. When creating a file policy, select Put in review for admin
B. When creating a file policy, select Put in admin quarantine
The bin() function provides the most value to which type of chart? A. scatter chart B. time chart C. bar chart
B. time chart
Which one of the following apply to Microsoft Insider Risk Management policies and templates? A. Insider risk settings for Privacy and Policy Indicators can be configured to apply for a specific policy. B. Microsoft Insider Risk Management policies and templates are for malicious intent violations. C. Each policy must have a template assigned in the policy creation wizard before the policy is created.
C. Each policy must have a template assigned in the policy creation wizard before the policy is created.
There are several communication remediation actions available to organizations. Which of the following remediation actions cannot be re-opened? A. Escalate B. Tag as C. False positive
C. False positive
Which feature of Azure Defender for Servers examines files and registries of the operating system, application software, and others for changes that might indicate an attack? A. Adaptive application controls B. Adaptive network hardening C. File integrity monitoring
C. File integrity monitoring
The security operations analyst has found an interesting event, what should be done to mark it for further review? A. Tag B. Highlight C. Flag
C. Flag
You want to search for insider risk alerts that occurred in the past 30 days and are high severity risks. The easiest way to accomplish this is to do which of the following? A. From the Alerts dashboard search for "last 30 days." B. Click "Export" to download a CSV file with all alerts. Import this into Excel and use the filter function. C. From the Alerts dashboard, select the Filter control.
C. From the Alerts dashboard, select the Filter control.
Which of the following is not a supported integration for Microsoft Defender for Office 365? A. Microsoft Defender for Endpoint B. Microsoft Cloud App Security C. Intune
C. Intune
The workflow for identifying and resolving compliance issues with communication compliance in Microsoft 365 can be broken down into four phases. In which phase do you review user activity history? A. Remediate B. Configure C. Investigate
C. Investigate
Which of the actions below is a Device action? A. Reboot B. Reformat device C. Isolate device
C. Isolate device
Which language is used to query data within Azure Sentinel? A. SQL B. GraphQL C. KQL
C. KQL
Where is your log data stored? A. Azure Sentinel Workspace B. Azure Lighthouse C. Log Analytics workspace
C. Log Analytics workspace
The Incident page contains which tab? A. Networks B. Machines C. Mailboxes
C. Mailboxes
Which is a Windows security events configuration? A. Reasonable B. Maximum C. Minimal
C. Minimal
Which Security Center feature enables you to see the topology of your workloads? A. Inventory B. Secure Score C. Network map
C. Network map
What are project operators? A. Project operators filter a table to the subset of rows that satisfy a predicate. B. Project operators create summarized columns and append them to the result set. C. Project operators add, remove, or rename columns in a result set.
C. Project operators add, remove, or rename columns in a result set.
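Union and the project operators together, as an added example that is not part of the original flashcards. SecurityEvent and Syslog share almost no columns, yet union accepts them as they are; coalesce and project then normalise the result. It assumes the standard Sentinel SecurityEvent and Syslog schemas and the usual OpenSSH "Failed password ... from <ip> port" message format; the failure threshold is an assumption.

```kql
// Added example: union two tables with different schemas, then project a common shape.
// Columns that exist on only one side come through as null, which coalesce() resolves.
union kind=outer withsource=SourceTable
    (SecurityEvent
        | where TimeGenerated > ago(1d)
        | where EventID == 4625),
    (Syslog
        | where TimeGenerated > ago(1d)
        | where ProcessName == "sshd" and SyslogMessage has "Failed password")
| extend Host     = coalesce(Computer, HostName),
         User     = coalesce(Account, extract(@"for (?:invalid user )?(\S+) from", 1, SyslogMessage)),
         SourceIp = coalesce(IpAddress, extract(@"from (\S+) port", 1, SyslogMessage))
| project TimeGenerated, SourceTable, Host, User, SourceIp      // keep only the normalised columns
| summarize Failures = count(), Hosts = dcount(Host), LastSeen = max(TimeGenerated)
    by SourceIp, User
| where Failures >= 10
| project-rename Attacker = SourceIp                           // rename a column, data untouched
| order by Failures desc
```

withsource adds a column recording which table each row came from, which is the cheapest way to keep provenance after the schemas have been merged.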
Which of these is a feature of Conditional Access App Control policies? A. Remote access B. Require multi-factor authentication C. Protect on download
C. Protect on download
When does Azure Defender for Container Registries scan an image? A. Weekly B. Nightly C. Recently pulled
C. Recently pulled
The dcount() function will do which of the following? A. Return a day count on the expression difference provided to the function. B. Return a difference count on the expression provided to the function. C. Return a distinct count on the expression provided to the function.
C. Return a distinct count on the expression provided to the function.
The arg_max() function will do which of the following? A. Return the maximum value across a group. B. Return a JSON Array of the max values. C. Return the most current row.
C. Return the most current row (arg_max(expr, ...) returns the whole row holding the maximum of expr, not a per-column maximum; with TimeGenerated as expr that is the most recent row.)
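The bin(), dcount() and arg_max() questions above in two short worked queries, added here as an example that is not part of the original flashcards. Both assume the standard SecurityEvent schema; the thresholds are assumptions. Run them one at a time in the query editor.

```kql
// Added example 1: bin() rounds each timestamp down to its hour so summarize yields one
// point per hour; dcount() counts distinct source addresses inside each bucket.
// Rendered as a time chart this surfaces password-spray-like bursts per account.
SecurityEvent
| where TimeGenerated > ago(1d) and EventID == 4625
| summarize DistinctSources = dcount(IpAddress), Failures = count()
    by bin(TimeGenerated, 1h), Account
| where DistinctSources >= 3
| project TimeGenerated, Account, DistinctSources
| render timechart

// Added example 2: arg_max(TimeGenerated, ...) returns, per Account, the row holding the
// largest TimeGenerated, i.e. the most recent failed logon, together with the listed
// columns taken from that same row rather than each column's own maximum.
SecurityEvent
| where TimeGenerated > ago(1d) and EventID == 4625
| summarize arg_max(TimeGenerated, Computer, IpAddress, LogonType) by Account
| order by TimeGenerated desc
```

dcount() is an approximation by default; pass an accuracy level as the second argument when the exact figure matters, at the cost of memory and time.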
Which DLP component is used to classify a document? A. Sensitive info types B. Retention Policy C. Sensitivity label
C. Sensitivity label
You create a new policy by stepping through the policy wizard and policy settings. Which of the following is optional when creating a new policy? A. The users or groups the policy will apply to B. Alert indicators C. Specify content to prioritize
C. Specify content to prioritize
A Windows 10 Device doesn't appear in the device list, what could be the problem? A. The Device was renamed. B. The Device is missing the latest KB's C. The Device hasn't had alerts in the past 30 days.
C. The Device hasn't had alerts in the past 30 days.
Which report or dashboard provides a list of the most recently published threat reports? A. Vulnerable devices report B. Threat protection C. Threat Analytics
C. Threat Analytics