Microsoft SC-200

Lakukan tugas rumah & ujian kamu dengan baik sekarang menggunakan Quizwiz!

Azure Sentinel for SAP only supports cloud-based implementations of SAP. A. True B. False

B

By which of the following Azure Defender's main role can be described? A. Cloud configuration management B. Cloud security posture management C. Cloud workload protection D. Cloud Security Management

C

Additional permissions are required to launch a playbook from automation rules. A. True B. False

A

In the query "extend ProcessEntropy = -log2(PCoHValue/TPCoHValue)*(PCoHValue/TPCoHValue)" PCoHValue means the ProcessCountOnHost value. A. True B. False

A

When configuring GCP Connector in Azure Defender, which component is mandatory to have already configured in GCP? A. GCP Security Command Center B. Security Hub C. Google Cloud Console API D. All the options above

A

Which of the following are valid parsers in the ASIM? A. Source-agnostic B. All of the options listed C. Source-explicit D. source-gnostic

A

You are a SOC (Security Operations Center) Analyst working at a company that is in the process of deploying cloud workload protection with Azure Defender. You are the SOC team member working with the application and infrastructure teams to architect the resource architecture for the new web application that uses containers and Azure SQL. You are accountable for ensuring the workloads are secure with Azure Defender and offer options for non-protected workloads. Which attribute of Azure Defender inspects registries and files of application software, operating system, and others for any changes that might point out an attack? A. File integrity monitoring B. Adaptive application controls C. Adaptive network hardening D. Log Inspection

A

You are a SOC Analyst of a company XYZ that has implemented Microsoft Defender for Endpoint. You are allocated an incident with alerts related to a doubtful PowerShell command line. You start by going through the incident and apprehend all the related alerts, devices, and evidence. You open the alert page to evaluate the Alert and choose to perform further analysis on the device. You open the Device page and decide that you require remote access to the device to collect more forensics information using a custom .ps1 script. Which type of information is gathered in an Investigation package? A. Prefetch Files B. Network transactions C. Command History D. Process History

A

You are using Azure Defender and Azure Sentinel to protect your cloud workloads and monitor your environment. You need to use the Kusto Query Language (KQL) to construct a query that identifies Azure Defender alerts. What query should you write to meet this requirements? To answer, complete the query by selecting the correct options from the drop down menus.| where ProductName == "________________________" A. Azure Security Center B. Azure Security Sentinel C. Security Alert D. Security Events

A

What capabilities given below are part of Azure Defender for Servers? A. Adaptive Application Control B. Integration with Qualys for Vulnerability Assessment C. Adaptive Network Hardening D. Fileless attack detection for Windows E. Vulnerability assessment for Azure Container Registries

A, B, C, D

When reviewing Just-in-Time VM access, you noticed that some VMs appear under "Not Applicable". What are the reasons that must be present for a VM to be considered not applicable? A. The VM is not assigned to a network security group B. The VM is not protected by a Firewall C. The VM has JIT already enabled D. VM has been deployed through ARM (Azure Resource Manager)

A,B

You have a playbook in Azure Sentinel. When you trigger the playbook, it sends an email to a distribution group. You need to modify the playbook to send the email to the owner of the resource instead of the distribution group. What should you do? A. Add a parameter and modify the trigger. B. Add a custom data connector and modify the trigger. C. Add a condition and modify the action. D. Add a parameter and modify the action.

A. Add a parameter and modify the trigger. B. Add a custom data connector and modify the trigger. C. Add a condition and modify the action. D. Add a parameter and modify the action.

Your company stores the data of every project in a different Azure subscription. All the subscriptions use the same Azure Active Directory (Azure AD) tenant. Every project consists of multiple Azure virtual machines that run Windows Server. The Windows events of the virtual machines are stored in a Log Analytics workspace in each machine's respective subscription. You deploy Azure Sentinel to a new Azure subscription. You need to perform hunting queries in Azure Sentinel to search across all the Log Analytics workspaces of all the subscriptions. Which two actions should you perform? A. Add the Security Events connector to the Azure Sentinel workspace. B. Create a query that uses the workspace expression and the union operator. C. Use the alias statement. D. Create a query that uses the resource expression and the alias operator. E. Add the Azure Sentinel solution to each workspace.

A. Add the Security Events connector to the Azure Sentinel workspace. B. Create a query that uses the workspace expression and the union operator. C. Use the alias statement. D. Create a query that uses the resource expression and the alias operator. E. Add the Azure Sentinel solution to each workspace.

You have an existing Azure logic app that is used to block Azure Active Directory (Azure AD) users. The logic app is triggered manually. You deploy Azure Sentinel. You need to use the existing logic app as a playbook in Azure Sentinel. What should you do first? A. And a new scheduled query rule. B. Add a data connector to Azure Sentinel. C. Configure a custom Threat Intelligence connector in Azure Sentinel. D. Modify the trigger in the logic app.

A. And a new scheduled query rule. B. Add a data connector to Azure Sentinel. C. Configure a custom Threat Intelligence connector in Azure Sentinel. D. Modify the trigger in the logic app.

You implement Safe Attachments policies in Microsoft Defender for Office 365. Users report that email messages containing attachments take longer than expected to be received. You need to reduce the amount of time it takes to deliver messages that contain attachments without compromising security. The attachments must be scanned for malware, and any messages that contain malware must be blocked. What should you configure in the Safe Attachments policies? A. Dynamic Delivery B. Replace C. Block and Enable redirect D. Monitor and Enable redirect

A. Dynamic Delivery B. Replace C. Block and Enable redirect D. Monitor and Enable redirect

You are investigating a potential attack that deploys a new ransomware strain. You have three custom device groups. The groups contain devices that store highly sensitive information. You plan to perform automated actions on all devices.You need to be able to temporarily group the machines to perform actions on the devices. Which three actions should you perform? Each correct answer presents part of the solution. A. Assign a tag to the device group. B. Add the device users to the admin role. C. Add a tag to the machines. D. Create a new device group that has a rank of 1. E. Create a new admin role. F. Create a new device group that has a rank of 4.

A. Assign a tag to the device group. B. Add the device users to the admin role. C. Add a tag to the machines. D. Create a new device group that has a rank of 1. E. Create a new admin role. F. Create a new device group that has a rank of 4.

You have an Azure subscription that has Azure Defender enabled for all supported resource types. You need to configure the continuous export of high-severity alerts to enable their retrieval from a third-party security information and event management (SIEM) solution. To which service should you export the alerts? A. Azure Cosmos DB B. Azure Event Grid C. Azure Event Hubs D. Azure Data Lake

A. Azure Cosmos DB B. Azure Event Grid C. Azure Event Hubs D. Azure Data Lake

You have a suppression rule in Azure Security Center for 10 virtual machines that are used for testing. The virtual machines run Windows Server. You are troubleshooting an issue on the virtual machines. In Security Center, you need to view the alerts generated by the virtual machines during the last five days. What should you do? A. Change the rule expiration date of the suppression rule. B. Change the state of the suppression rule to Disabled. C. Modify the filter for the Security alerts page. D. View the Windows event logs on the virtual machines.

A. Change the rule expiration date of the suppression rule. B. Change the state of the suppression rule to Disabled. C. Modify the filter for the Security alerts page. D. View the Windows event logs on the virtual machines.

You have the following advanced hunting query in Microsoft 365 Defender. You need to receive an alert when any process disables System Restore on a device managed by Microsoft Defender during the last 24 hours. Which two actions should you perform? Each correct answer presents part of the solution. A. Create a detection rule. B. Create a suppression rule. C. Add | order by Timestamp to the query. D. Replace DeviceProcessEvents with DeviceNetworkEvents. E. Add DeviceId and ReportId to the output of the query.

A. Create a detection rule. B. Create a suppression rule. C. Add | order by Timestamp to the query. D. Replace DeviceProcessEvents with DeviceNetworkEvents. E. Add DeviceId and ReportId to the output of the query.

You have an Azure subscription that contains a virtual machine named VM1 and uses Azure Defender. Azure Defender has automatic provisioning enabled.You need to create a custom alert suppression rule that will supress false positive alerts for suspicious use of PowerShell on VM1.What should you do first? A. From Azure Security Center, add a workflow automation. B. On VM1, run the Get-MPThreatCatalog cmdlet. C. On VM1 trigger a PowerShell alert. D. From Azure Security Center, export the alerts to a Log Analytics workspace.

A. From Azure Security Center, add a workflow automation. B. On VM1, run the Get-MPThreatCatalog cmdlet. C. On VM1 trigger a PowerShell alert. D. From Azure Security Center, export the alerts to a Log Analytics workspace.

You use Azure Defender. You have an Azure Storage account that contains sensitive information. You need to run a PowerShell script if someone accesses the storage account from a suspicious IP address. Which two actions should you perform? Each correct answer presents part of the solution. NOTE: Each correct selection is worth one point. A. From Azure Security Center, enable workflow automation. B. Create an Azure logic app that has a manual trigger. C. Create an Azure logic app that has an Azure Security Center alert trigger. D. Create an Azure logic app that has an HTTP trigger. E. From Azure Active Directory (Azure AD), add an app registration.

A. From Azure Security Center, enable workflow automation. B. Create an Azure logic app that has a manual trigger. C. Create an Azure logic app that has an Azure Security Center alert trigger. D. Create an Azure logic app that has an HTTP trigger. E. From Azure Active Directory (Azure AD), add an app registration.

You create an Azure subscription named sub1. In sub1, you create a Log Analytics workspace named workspace1. You enable Azure Security Center and configure Security Center to use workspace1. You need to collect security event logs from the Azure virtual machines that report to workspace1. What should you do? A. From Security Center, enable data collection B. In sub1, register a provider. C. From Security Center, create a Workflow automation. D. In workspace1, create a workbook.

A. From Security Center, enable data collection B. In sub1, register a provider. C. From Security Center, create a Workflow automation. D. In workspace1, create a workbook.

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. What should you do? A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section. B. From Security alerts, select Take Action, and then expand the Mitigate the threat section. C. From Regulatory compliance, download the report. D. From Recommendations, download the CSV report.

A. From Security alerts, select the alert, select Take Action, and then expand the Prevent future attacks section. B. From Security alerts, select Take Action, and then expand the Mitigate the threat section. C. From Regulatory compliance, download the report. D. From Recommendations, download the CSV report.

You need to configure Microsoft Cloud App Security to generate alerts and trigger remediation actions in response to external sharing of confidential files. Which two actions should you perform in the Cloud App Security portal? Each correct answer presents part of the solution. A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant. B. Select Investigate files, and then filter App to Office 365. C. Select Investigate files, and then select New policy from search. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring. F. Select Investigate files, and then filter File Type to Document.

A. From Settings, select Information Protection, select Azure Information Protection, and then select Only scan files for Azure Information Protection classification labels and content inspection warnings from this tenant. B. Select Investigate files, and then filter App to Office 365. C. Select Investigate files, and then select New policy from search. D. From Settings, select Information Protection, select Azure Information Protection, and then select Automatically scan new files for Azure Information Protection classification labels and content inspection warnings. E. From Settings, select Information Protection, select Files, and then enable file monitoring. F. Select Investigate files, and then filter File Type to Document.

You need to receive a security alert when a user attempts to sign in from a location that was never used by the other users in your organization to sign in. Which anomaly detection policy should you use? A. Impossible travel B. Activity from anonymous IP addresses C. Activity from infrequent country D. Malware detection

A. Impossible travel B. Activity from anonymous IP addresses C. Activity from infrequent country D. Malware detection

You create an Azure subscription. You enable Azure Defender for the subscription. You need to use Azure Defender to protect on-premises computers. What should you do on the on-premises computers? A. Install the Log Analytics agent. B. Install the Dependency agent. C. Configure the Hybrid Runbook Worker role. D. Install the Connected Machine agent.

A. Install the Log Analytics agent. B. Install the Dependency agent. C. Configure the Hybrid Runbook Worker role. D. Install the Connected Machine agent.

You are responsible for responding to Azure Defender for Key Vault alerts. During an investigation of an alert, you discover unauthorized attempts to access a key vault from a Tor exit node. What should you configure to mitigate the threat? A. Key Vault firewalls and virtual networks B. Azure Active Directory (Azure AD) permissions C. role-based access control (RBAC) for the key vault D. the access policy settings of the key vault

A. Key Vault firewalls and virtual networks B. Azure Active Directory (Azure AD) permissions C. role-based access control (RBAC) for the key vault D. the access policy settings of the key vault

You receive an alert from Azure Defender for Key Vault. You discover that the alert is generated from multiple suspicious IP addresses. You need to reduce the potential of Key Vault secrets being leaked while you investigate the issue. The solution must be implemented as soon as possible and must minimize the impact on legitimate users. What should you do first? A. Modify the access control settings for the key vault. B. Enable the Key Vault firewall. C. Create an application security group. D. Modify the access policy for the key vault.

A. Modify the access control settings for the key vault. B. Enable the Key Vault firewall. C. Create an application security group. D. Modify the access policy for the key vault.

You are configuring Microsoft Cloud App Security. You have a custom threat detection policy based on the IP address ranges of your company's United States-based offices. You receive many alerts related to impossible travel and sign-ins from risky IP addresses. You determine that 99% of the alerts are legitimate sign-ins from your corporate offices. You need to prevent alerts for legitimate sign-ins from known locations. Which two actions should you perform? Each correct answer presents part of the solution. A. Override automatic data enrichment. B. Add the IP addresses to the corporate address range category. C. Increase the sensitivity level of the impossible travel anomaly detection policy. D. Add the IP addresses to the other address range category and add a tag. E. Create an activity policy that has an exclusion for the IP addresses.

A. Override automatic data enrichment. B. Add the IP addresses to the corporate address range category. C. Increase the sensitivity level of the impossible travel anomaly detection policy. D. Add the IP addresses to the other address range category and add a tag. E. Create an activity policy that has an exclusion for the IP addresses.

You have an Azure Sentinel workspace. You need to test a playbook manually in the Azure portal. From where can you run the test in Azure Sentinel? A. Playbooks B. Analytics C. Threat intelligence D. Incidents

A. Playbooks B. Analytics C. Threat intelligence D. Incidents

Your company uses Microsoft Defender for Endpoint. The company has Microsoft Word documents that contain macros. The documents are used frequently on the devices of the company's accounting team. You need to hide false positive in the Alerts queue, while maintaining the existing security posture. Which three actions should you perform? Each correct answer presents part of the solution. A. Resolve the alert automatically. B. Hide the alert. C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert.

A. Resolve the alert automatically. B. Hide the alert. C. Create a suppression rule scoped to any device. D. Create a suppression rule scoped to a device group. E. Generate the alert. B -> C -> E

Your company uses Azure Security Center and Azure Defender. The security operations team at the company informs you that it does NOT receive email notifications for security alerts. What should you configure in Security Center to enable the email notifications? A. Security solutions B. Security policy C. Pricing & settings D. Security alerts E. Azure Defender

A. Security solutions B. Security policy C. Pricing & settings D. Security alerts E. Azure Defender

You have a Microsoft 365 subscription that uses Microsoft Defender for Office 365. You have Microsoft SharePoint Online sites that contain sensitive documents. The documents contain customer account numbers that each consists of 32 alphanumeric characters. You need to create a data loss prevention (DLP) policy to protect the sensitive documents. What should you use to detect which documents are sensitive? A. SharePoint search B. a hunting query in Microsoft 365 Defender C. Azure Information Protection D. RegEx pattern matching

A. SharePoint search B. a hunting query in Microsoft 365 Defender C. Azure Information Protection D. RegEx pattern matching

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Azure AD Identity Protection, you configure the sign-in risk policy. Does this meet the goal?

A. Yes B. No

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: From Entity tags, you add the accounts as Honeytoken accounts. Does this meet the goal?

A. Yes B. No

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: You add the accounts to an Active Directory group and add the group as a Sensitive group. Does this meet the goal?

A. Yes B. No

You are configuring Microsoft Defender for Identity integration with Active Directory. From the Microsoft Defender for identity portal, you need to configure several accounts for attackers to exploit. Solution: You add each account as a Sensitive account. Does this meet the goal?

A. Yes B. No

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Regulatory compliance, you download the report. Does this meet the goal?

A. Yes B. No

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Security alerts, you select the alert, select Take Action, and then expand the Mitigate the threat section. Does this meet the goal?

A. Yes B. No

You use Azure Security Center. You receive a security alert in Security Center. You need to view recommendations to resolve the alert in Security Center. Solution: From Security alerts, you select the alert, select Take Action, and then expand the Prevent future attacks section. Does this meet the goal?

A. Yes B. No You need to resolve the existing alert, not prevent future alerts. Therefore, you need to select the 'Mitigate the threat' option.

You receive a security bulletin about a potential attack that uses an image file. You need to create an indicator of compromise (IoC) in Microsoft Defender for Endpoint to prevent the attack. Which indicator type should you use? A. a URL/domain indicator that has Action set to Alert only B. a URL/domain indicator that has Action set to Alert and block C. a file hash indicator that has Action set to Alert and block D. a certificate indicator that has Action set to Alert and block

A. a URL/domain indicator that has Action set to Alert only B. a URL/domain indicator that has Action set to Alert and block C. a file hash indicator that has Action set to Alert and block D. a certificate indicator that has Action set to Alert and block

Your company has a single office in Istanbul and a Microsoft 365 subscription. The company plans to use conditional access policies to enforce multi-factor authentication (MFA). You need to enforce MFA for all users who work remotely. What should you include in the solution? A. a fraud alert B. a user risk policy C. a named location D. a sign-in user policy

A. a fraud alert B. a user risk policy C. a named location D. a sign-in user policy

You have an Azure subscription that contains a Log Analytics workspace. You need to enable just-in-time (JIT) VM access and network detections for Azure resources. Where should you enable Azure Defender? A. at the subscription level B. at the workspace level C. at the resource level

A. at the subscription level B. at the workspace level C. at the resource level

Your company uses Azure Sentinel to manage alerts from more than 10,000 IoT devices. A security manager at the company reports that tracking security threats is increasingly difficult due to the large number of incidents. You need to recommend a solution to provide a custom visualization to simplify the investigation of threats and to infer threats by using machine learning. What should you include in the recommendation? A. built-in queries B. livestream C. notebooks D. bookmarks

A. built-in queries B. livestream C. notebooks D. bookmarks

You provision a Linux virtual machine in a new Azure subscription.You enable Azure Defender and onboard the virtual machine to Azure Defender. You need to verify that an attack on the virtual machine triggers an alert in Azure Defender. Which two Bash commands should you run on the virtual machine? Each correct answer presents part of the solution. A. cp /bin/echo ./asc_alerttest_662jfi039n B. ./alerttest testing eicar pipe C. cp /bin/echo ./alerttest D. ./asc_alerttest_662jfi039n testing eicar pipe

A. cp /bin/echo ./asc_alerttest_662jfi039n B. ./alerttest testing eicar pipe C. cp /bin/echo ./alerttest D. ./asc_alerttest_662jfi039n testing eicar pipe

Your company deploys the following services: ✑ Microsoft Defender for Identity ✑ Microsoft Defender for Endpoint ✑ Microsoft Defender for Office 365 You need to provide a security analyst with the ability to use the Microsoft 365 security center. The analyst must be able to approve and reject pending actions generated by Microsoft Defender for Endpoint. The solution must use the principle of least privilege. Which two roles should assign to the analyst? Each correct answer presents part of the solution.NOTE: Each correct selection is worth one point. A. the Compliance Data Administrator in Azure Active Directory (Azure AD) B. the Active remediation actions role in Microsoft Defender for Endpoint C. the Security Administrator role in Azure Active Directory (Azure AD) D. the Security Reader role in Azure Active Directory (Azure AD)

A. the Compliance Data Administrator in Azure Active Directory (Azure AD) B. the Active remediation actions role in Microsoft Defender for Endpoint C. the Security Administrator role in Azure Active Directory (Azure AD) D. the Security Reader role in Azure Active Directory (Azure AD)

You have a Microsoft 365 subscription that uses Azure Defender. You have 100 virtual machines in a resource group named RG1. You assign the Security Admin roles to a new user named SecAdmin1. You need to ensure that SecAdmin1 can apply quick fixes to the virtual machines by using Azure Defender. The solution must use the principle of least privilege. Which role should you assign to SecAdmin1? A. the Security Reader role for the subscription B. the Contributor for the subscription C. the Contributor role for RG1 D. the Owner role for RG1

A. the Security Reader role for the subscription B. the Contributor for the subscription C. the Contributor role for RG1 D. the Owner role for RG1

A security administrator receives email alerts from Azure Defender for activities such as potential malware uploaded to a storage account and potential successful brute force attacks. The security administrator does NOT receive email alerts for activities such as antimalware action failed and suspicious network activity. The alerts appear in Azure Security Center. You need to ensure that the security administrator receives email alerts for all the activities. What should you configure in the Security Center settings? A. the severity level of email notifications B. a cloud connector C. the Azure Defender plans D. the integration settings for Threat detection

A. the severity level of email notifications B. a cloud connector C. the Azure Defender plans D. the integration settings for Threat detection

You provision Azure Sentinel for a new Azure subscription. You are configuring the Security Events connector. While creating a new rule from a template in the connector, you decide to generate a new alert for every event. You create the following rule query.By which two components can you group alerts into incidents?

A. user B. resource group C. IP address D. computer

Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query. BehaviorAnalytics -| where ActivityType == "FailedLogOn"| where ________ == True The issue for which team can be resolved by using Microsoft Defender for Endpoint? A. executive B. sales C. marketing

B

Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query. BehaviorAnalytics -| where ActivityType == "FailedLogOn"| where ________ == True The issue for which team can be resolved by using Microsoft Defender for Office 365? A. executive B. marketing C. security D. sales

B

If you have a security recommendation that is not applicable for your environment, and you don't want to negatively affect your secure score, which option is the most appropriate to use? A. Create an exemption for the recommendation B. Disable the recommendation C. Create a new resource group and exempt the recommendation from the resource group D. Create a custom recommendation

B

Microsoft 365 Defender gives a purpose-based UI to manage and examine security incidents and alerts across Microsoft 365 services. You are a SOC Analyst working at a company XYZ that has configured Microsoft 365 Defender solutions, including Defender for Endpoint, Defender for Identity, Defender for Office 365, and Cloud App Security. You are required to monitor related alerts across all the solutions as a single incident to observe the incident's full impact and do an RCA (root cause investigation). The Microsoft Security center portal has a fused view of incidents and actions are taken on them. Which tab is present on the incident page when investigating a particular incident? A. Machines B. Mailboxes C. Networks D. Incidents

B

Microsoft Defender for Endpoint gives configuration selections for alerts and detections. These include notifications, custom indicators, and detection rules. Which filter is a part of an Alert notification rule? A. Subject IDs B. Alert Severity C. Account D. Alert IDs

B

You are a SOC Analyst employed at a company that has set up cloud workload protection with Azure Defender. You are in charge of remediating security alerts created by Azure Defender detections. You get an alert regarding a container; the alert offers information to manually remediate the issue and what you can do in the future to stop further attacks. You work with the infra team to resolve the issue. The infrastructure team provides recommendations for making automated remediation tasks for future alerts regarding the same problem. You are requested to provide a report containing tools, tactics and procedures. Which of the following feature will you use to leverage to do the same? A. Incident B. Threat Intelligence C. Secure Score D. Threat Score

B

Which of the following APIs should be used to assist with managing content through a CI/CD pipeline? A. Security Graph API B. Query API C. Azure Sentinel Management API D. Threat intelligence API

C

You need to give a manager, [email protected], the ability to read events in the security center, but prevent them from making any changes. Which command should you use? A. Add-MsolRoleMember -RoleName "Security Administrator" -RoleMemberEmailAddress [email protected] B. Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress [email protected] C. Add-MsolRoleMember -RoleName "Global Administrator" -RoleMemberEmailAddress [email protected] D. Add-MsolRoleMember -RoleName "Global Reader" -RoleMemberEmailAddress [email protected]

B

Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query. BehaviorAnalytics -| where ActivityType == "FailedLogOn"| where ________ == True You need to remediate active attacks to meet the technical requirements. What should you include in the solution? A. Azure Automation runbooks B. Azure Logic Apps C. Azure Functions D. Azure Sentinel livestreams

B. Azure Logic Apps

Which selection helps you ensure Azure Defender is enabled over all the resources in a Subscription? A. Continuous assessments B. Coverage type C. Automatic provisioning D. Azure Arc

C

You have Linux virtual machines on Amazon Web Services (AWS).You deploy Azure Defender and enable auto-provisioning. You need to monitor the virtual machines by using Azure Defender. Solution: You enable Azure Arc and onboard the virtual machines to Azure Arc. Does this meet the goal? A. Yes B. No

B. No

You have Linux virtual machines on Amazon Web Services (AWS).You deploy Azure Defender and enable auto-provisioning.You need to monitor the virtual machines by using Azure Defender.Solution: You manually install the Log Analytics agent on the virtual machines.Does this meet the goal? A. Yes B. No

B. No

From which of the following can a SOC (Security Operation Center) analyst make a customized detection? A. Alert B. Incident C. Advanced Hunting D. Request

C

What does the "h" in front of a string literal such as h'my string' mean? A. The string is considered hot path data B. The string is a hyperlink C. The string is obfuscated D. Nothing - this character is always ignored

C

Which information is shared on the user account page? A. Security groups B. Threat hunt ID C. Associated alerts D. All of the above

C

You are a SOC Analyst for company XYZ that is deploying cloud workload protection with Azure Defender. Your work is to ensure Azure Defender automatically protects the Azure resources. Your organization has a small number of Azure virtual machines that are not part of the auto-provisioning scheme. You must manually configure protection for these Azure resources. Which of the below is an extension of auto-provisioning? A. Windows Events B. Policy for Azure Policy C. Policy Add-on for Kubernetes D. Policy for DNS

C

You need to modify the anomaly detection policy settings to meet the Cloud App Security requirements and resolve the reported problem.Which policy should you modify? A. Activity from suspicious IP addresses B. Activity from anonymous IP addresses C. Impossible travel D. Risky sign-in

C

Which of the following data connectors have automation support in the Azure Sentinel PowerShell Module, Az.SecurityInsights? A. Dynamics 365 B. Cisco ASA C. AWS Cloudtrail D. Office 365 E. Azure Active Directory

C, D, E

You need to restrict cloud apps running on CLIENT1 to meet the Microsoft Defender for Endpoint requirements. Which two configurations should you modify? A. the Onboarding settings from Device management in Microsoft Defender Security Center B. Cloud App Security anomaly detection policies C. Advanced features from Settings in Microsoft Defender Security Center D. the Cloud Discovery settings in Cloud App Security

C. Advanced features from Settings in Microsoft Defender Security Center D. the Cloud Discovery settings in Cloud App Security

You need to assign a role-based access control (RBAC) role to admin1 to meet the Azure Sentinel requirements and the business requirements. Which role should you assign? A. Automation Operator B. Automation Runbook Operator C. Azure Sentinel Contributor D. Azure Sentinel Responder

C. Azure Sentinel Contributor

Which rule setting should you configure to meet the Azure Sentinel requirements? A. From Set rule logic, turn off suppression. B. From Analytics rule details, configure the tactics. C. From Set rule logic, map the entities. D. From Analytics rule details, configure the severity.

C. From Set rule logic, map the entities.

Insider risk management in Microsoft 365 benefits organizations by addressing internal risks, such as Intellectual Property theft, fraud, sabotage, etc. A credit card database admin's unencrypted work laptop got stolen at a home in a burglary. Sensitive data for 1000 users was on the laptop. Which type of internal risk is this an example of? A. Sabotage B. Data leak C. IP Theft D. Regulatory compliance violation

D

You are threat hunting using Azure Sentinel. You have created a query designed to identify a specific event on your domain controller. You need to create several similar queries because you have multiple domain controllers and want to keep each query separate. The solution should minimize administrative effort. Which three actions should you perform in sequence to clone a query? Create a list in the correct order. a)Choose Clone query by clicking the ellipsis icon at the end of the row. b)On the Hunting page of Azure Sentinel. Select New query. c)On the Create Custom query, make your edits then click the Create button. d)Select the ellipsis in the line of the query you want to modify, and select Edit query. e)On the Hunting page of the Azure Sentinel, find the query you wish to clone. A. A->C->E B. D -> C -> A C. C -> E -> A D. E -> A -> C

D

You need to implement the Azure Information Protection requirements.What should you configure first? A. Device health and compliance reports settings in Microsoft Defender Security Center B. scanner clusters in Azure Information Protection from the Azure portal C. content scan jobs in Azure Information Protection from the Azure portal D. Advanced features from Settings in Microsoft Defender Security Center

D

Identify all cases of users who failed to sign in to an Azure resource for the first time from a given country. A junior security administrator provides you with the following incomplete query. BehaviorAnalytics -| where ActivityType == "FailedLogOn"| where ________ == True You need to complete the query for failed sign-ins to meet the technical requirements. Where can you find the column name to complete the where clause? A. Security alerts in Azure Security Center B. Activity log in Azure C. Azure Advisor D. the query windows of the Log Analytics workspace

D. the query windows of the Log Analytics workspace


Set pelajaran terkait

Cell and Molecular Bio Final Exam

View Set

Lección 3 Fotonovela (Lesson) Identificar (Identify): Ojo: (Eye)

View Set

Abnormal Psych: Chapter 5: Anxiety, OCD, and Related- DIsorders

View Set

State Laws, Rules, and Regulations

View Set

NURB.3050 (SPRING)- PrepU (EXAM 3)

View Set

Medical-Surgical Nursing Chapter 20 Postoperative Care

View Set

Chapter 5. The Integumentary System (Chapter Quizzes Multiple Choice)

View Set

Russian phrases for questions and instructions

View Set